Junos OS 10.4 Release Notes

Release 10.4R8, 28 November 2011, Revision 18

These release notes accompany Release 10.4R8 of the Junos operating system (Junos OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches. For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch. You can also find these release notes on the Juniper Networks Junos OS Documentation Web page, which is located at http://www.juniper.net/techpubs/software/junos.

Contents

Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers ..... 7
  New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ..... 7
    Class of Service ..... 7
    Interfaces and Chassis ..... 10
    Junos OS XML API and Scripting ..... 16
    Layer 2 Ethernet Services ..... 19
    MPLS Applications ..... 20
    Multicast ..... 20
    MX Series ..... 20
    Routing Policy and Firewall Filters ..... 22
    Routing Protocols ..... 23
    Services Applications ..... 24
    Subscriber Access Management ..... 29
    System Logging ..... 40
    VPNs ..... 42
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ..... 44
    Class of Service ..... 44
    Forwarding and Sampling ..... 45
    Interfaces and Chassis ..... 45
    Junos OS XML API and Scripting ..... 48
    MPLS Application ..... 49
    Platform and Infrastructure ..... 50
    Routing Protocols ..... 50
    Services Applications ..... 51
    Software Installation and Upgrade ..... 53
    Subscriber Access Management ..... 53
    User Interface and Configuration ..... 56
    VPNs ..... 57
  Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ..... 58
    10.4R8 Software Release ..... 58
    Previous Releases ..... 79
  Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ..... 136
    Changes to the Junos OS Documentation Set ..... 136
    Errata ..... 138
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ..... 145
    Basic Procedure for Upgrading to Release 10.4 ..... 145
    Upgrading a Router with Redundant Routing Engines ..... 148
    Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1 ..... 148
    Upgrading the Software for a Routing Matrix ..... 150
    Upgrading Using ISSU ..... 151
    Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR ..... 151
    Upgrade Policy for Junos OS Extended End-Of-Life Releases ..... 152
    Downgrade from Release 10.4 ..... 153
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers ..... 154
  New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... 154
    Release 10.4R4 Chassis Cluster Improvements ..... 155
    Software Features ..... 157
    Hardware Features: SRX210, SRX220, and SRX240 Services Gateways ..... 177
    Hardware Features: SRX220 Services Gateway with Power Over Ethernet ..... 179
    Hardware Features: SRX1400 Services Gateway ..... 182
    Hardware Features: SRX3400 and SRX3600 Services Gateways ..... 185
  Advertising Bandwidth for Neighbors on a Broadcast Link Support ..... 186
  Group VPN Interoperability with Cisco's GET VPN ..... 186
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... 187
    Application Identification ..... 188
    Application Layer Gateways (ALGs) ..... 189
    AppSecure ..... 189
    Chassis Cluster ..... 189
    Class of Service (CoS) ..... 190
    Command-Line Interface (CLI) ..... 191
    Configuration ..... 193
    Dynamic VPN ..... 194
    Flow and Processing ..... 194
    General Packet Radio Service (GPRS) ..... 197
    Hardware ..... 197
    Installation ..... 197
    Interfaces and Routing ..... 198
    Intrusion Detection and Prevention (IDP) ..... 198
    J-Web ..... 199
    Management and Administration ..... 201
    Multilink ..... 202
    Network Address Translation (NAT) ..... 203
    Power over Ethernet (PoE) ..... 203
    Security ..... 203
    Virtual LANs (VLANs) ..... 204
    Wireless LAN (WLAN) ..... 204
  Unsupported CLI ..... 204
    Accounting-Options Hierarchy ..... 204
    AX411 Access Point Hierarchy ..... 204
    Chassis Hierarchy ..... 204
    Class-of-Service Hierarchy ..... 205
    Ethernet-Switching Hierarchy ..... 205
    Firewall Hierarchy ..... 205
    Interfaces CLI Hierarchy ..... 205
    Protocols Hierarchy ..... 210
    Routing Hierarchy ..... 210
    Services Hierarchy ..... 210
    SNMP Hierarchy ..... 210
    System Hierarchy ..... 211
    IPv6 and MVPN CLI ..... 211
  Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... 213
    Application Layer Gateways (ALGs) ..... 213
    AppSecure ..... 213
    Authentication ..... 213
    AX411 Access Point ..... 213
    Chassis Cluster ..... 213
    Class of Service (CoS) ..... 215
    Command-Line Interface (CLI) ..... 215
    DOCSIS Mini-PIM ..... 216
    Dynamic Host Configuration Protocol (DHCP) ..... 216
    Dynamic VPN ..... 216
    Enhanced Switching ..... 217
    Flow and Processing ..... 217
    Hardware ..... 218
    In-Service Software Upgrade (ISSU) ..... 219
    Interfaces and Routing ..... 219
    Intrusion Detection and Prevention (IDP) ..... 221
    Infrastructure ..... 222
    IPv6 ..... 222
    J-Web ..... 223
    Management and Administration ..... 224
    Memory Requirements for J Series Devices ..... 224
    NetScreen-Remote ..... 224
    Network Address Translation (NAT) ..... 224
    Point-to-Point Protocol over Ethernet (PPPoE) ..... 225
    Power over Ethernet (PoE) ..... 225
    Security ..... 225
    SNMP ..... 226
    Switching ..... 226
    Upgrade and Downgrade ..... 226
    USB Modem ..... 226
    System ..... 227
    Unified Threat Management (UTM) ..... 227
    Virtual LANs (VLANs) ..... 227
    VPNs ..... 227
  Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... 228
    Outstanding Issues in Junos OS Release 10.4R8 for SRX Series Services Gateways and J Series Services Routers ..... 228
    Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... 235
  Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... 254
    Changes to the Junos OS Documentation Set ..... 254
    Errata for the Junos OS Documentation ..... 254
    Errata for the Junos OS Hardware Documentation ..... 263
  Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... 267
    Transceiver Compatibility for SRX Series and J Series Devices ..... 267
    Power and Heat Dissipation Requirements for J Series PIMs ..... 267
    Supported Third-Party Hardware ..... 268
    J Series CompactFlash and Memory Requirements ..... 268
  Maximizing ALG Sessions ..... 269
  Integrated Convergence Services Not Supported ..... 270
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... 270
    Upgrade Policy for Junos OS Extended End-Of-Life Releases ..... 270
Junos OS Release Notes for EX Series Switches ..... 272
  New Features in Junos OS Release 10.4 for EX Series Switches ..... 272
    Resilient Dual-Root Partitions ..... 273
    Hardware ..... 278
    Class of Service (CoS) ..... 279
    Ethernet Switching and Spanning Trees ..... 279
    Fibre Channel over Ethernet ..... 279
    High Availability ..... 279
    Infrastructure ..... 279
    Management and RMON ..... 279
    Packet Filters ..... 280
    Virtual Chassis ..... 280
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches ..... 280
    Class of Service ..... 281
    Ethernet Switching and Spanning Trees ..... 281
    Hardware ..... 281
    Management and RMON ..... 281
  Limitations in Junos OS Release 10.4 for EX Series Switches ..... 281
    Access Control and Port Security ..... 282
    Class of Service ..... 282
    Ethernet Switching and Spanning Trees ..... 282
    Firewall Filters ..... 282
    Hardware ..... 283
    High Availability ..... 283
    Infrastructure ..... 283
    Interfaces ..... 284
    J-Web Interface ..... 284
    Layer 2 and Layer 3 Protocols ..... 286
    Management and RMON ..... 286
    Multicast ..... 286
  Outstanding Issues in Junos OS Release 10.4 for EX Series Switches ..... 287
    Access Control and Port Security ..... 287
    Ethernet Switching and Spanning Trees ..... 287
    Firewall Filters ..... 287
    Hardware ..... 288
    Infrastructure ..... 288
    Interfaces ..... 289
    J-Web Interface ..... 289
    Layer 2 and Layer 3 Protocols ..... 292
    Management and RMON ..... 293
    Multicast Protocols ..... 293
    Virtual Chassis ..... 293
  Resolved Issues in Junos OS Release 10.4 for EX Series Switches ..... 294
    Issues Resolved in Release 10.4R1 ..... 294
    Issues Resolved in Release 10.4R2 ..... 298
    Issues Resolved in Release 10.4R3 ..... 299
    Issues Resolved in Release 10.4R4 ..... 300
    Issues Resolved in Release 10.4R5 ..... 302
    Issues Resolved in Release 10.4R6 ..... 307
    Issues Resolved in Release 10.4R7 ..... 308
    Issues Resolved in Release 10.4R8 ..... 309
  Errata in Documentation for Junos OS Release 10.4 for EX Series Switches ..... 310
    Access Control and Port Security ..... 311
    Fibre Channel over Ethernet ..... 311
    Interfaces ..... 311
    J-Web Interface ..... 311
    Layer 2 Protocols ..... 312
    Management and RMON ..... 312
    Virtual Chassis ..... 312
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches ..... 313
    Upgrading from Junos OS Release 10.4R3 or Later ..... 313
    Upgrading from Junos OS Release 10.4R2 or Earlier ..... 314
    Downgrading Software to Release 10.4R2 or Earlier ..... 323
    Upgrade Policy for Junos OS Extended End-Of-Life Releases ..... 324
    Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches ..... 324
    Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches ..... 325
Junos OS Documentation and Release Notes ..... 326
Documentation Feedback ..... 326
Requesting Technical Support ..... 326
Revision History ..... 328

Copyright 2011, Juniper Networks, Inc.

Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers

• New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 7
• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 44
• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 58
• Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 136
• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 145

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.

Class of Service

Hierarchical policer functionality extended to Modular Interface Cards (MICs) (MX Series routers): Provides hierarchical policer feature parity with Enhanced Intelligent Queuing (IQE) PICs. This is useful in provider edge applications that apply aggregate policing to general traffic and a separate policer to premium traffic on a logical or physical interface. Hierarchical policing on MICs works as follows:

• Ingress traffic is first classified into premium and non-premium traffic before a policer is applied. The hierarchical policer contains two policers: premium and aggregate.
• Premium traffic is policed by both the premium policer and the aggregate policer. While the premium policer rate-limits premium traffic, the aggregate policer only decrements its credits and does not drop premium packets. Non-premium traffic is rate-limited by the aggregate policer only.

This results in the following behavior:

• Premium traffic is assured the bandwidth configured for the premium policer.
• Non-premium traffic is policed to the specified aggregate rate limit.

For a list of supported MICs, refer to:

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-supported.html

The logical-interface-policer and physical-interface-policer statements provide additional hierarchical policer parameters beyond those of the IQE PICs. You can apply the policer at the inet, inet6, or mpls family level, as follows:

    [edit interfaces ge-0/1/0 unit 0 family (inet | inet6 | mpls)]
    input-hierarchical-policer Test-HP;


By configuring a hierarchical policer as a logical-interface-policer, you can achieve aggregation within a logical interface. A hierarchical policer configured as a physical-interface-policer supports aggregation within a physical interface. Note that on MICs you still apply the hierarchical policer at the family level; traffic of families that do not have the hierarchical policer applied is not policed by it. This is different from IQE PICs, where you apply a hierarchical policer at the logical or physical interface. For hierarchical policing of all traffic through a logical interface, configure the hierarchical policer as a logical-interface-policer and apply it to all families on that logical interface. Similarly, you can achieve aggregation at the physical interface level with a physical-interface-policer. [Network Interfaces, Class of Service, Policy]
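The premium/aggregate semantics described above are easy to misread (the aggregate policer is charged by premium traffic but never drops it), so the following model makes them concrete. It is an added example written for this page, not code from the release notes or from Juniper, and it does not model any MIC implementation detail: the two token buckets, the 1 ms tick, the rates (2 Mbit/s premium, 5 Mbit/s aggregate), the burst sizes, the offered traffic (3 Mbit/s premium plus 5 Mbit/s non-premium in 125-byte packets) and the choice to floor the aggregate bucket at zero when premium traffic overdraws it are all assumptions of the example. Run it and the premium class settles at its assured 2 Mbit/s while the non-premium class is squeezed to the remaining 3 Mbit/s of the aggregate rate.

```python
"""Model of a Junos-style hierarchical (premium + aggregate) policer.

Added example, not code from the release notes or from Juniper.  It reproduces
the behaviour described for MICs: every packet is first classified as premium
or non-premium; premium packets are rate-limited by the premium bucket and only
charged against the aggregate bucket (never dropped by it); non-premium packets
are rate-limited by the aggregate bucket alone.  Rates, burst sizes and the
offered traffic are constructed for the example.
"""


def mbps_to_bytes_per_ms(mbps: int) -> int:
    """1 Mbit/s is exactly 125 bytes per millisecond; integers keep the model exact."""
    return mbps * 125


class TokenBucket:
    """Single-rate bucket: tokens are bytes, refilled once per 1 ms tick."""

    def __init__(self, rate_mbps: int, burst_bytes: int) -> None:
        self.rate = mbps_to_bytes_per_ms(rate_mbps)
        self.burst = burst_bytes
        self.tokens = burst_bytes  # start full, as a freshly applied policer would

    def tick(self) -> None:
        self.tokens = min(self.burst, self.tokens + self.rate)

    def try_consume(self, nbytes: int) -> bool:
        """Conforming packet: debit and pass. Otherwise drop (hard policer)."""
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False

    def charge(self, nbytes: int) -> None:
        """Debit credits with no drop decision. Flooring at zero is an assumption
        of this model; the release notes only say credits are decremented."""
        self.tokens = max(0, self.tokens - nbytes)


class HierarchicalPolicer:
    def __init__(self, premium: TokenBucket, aggregate: TokenBucket) -> None:
        self.premium = premium
        self.aggregate = aggregate

    def tick(self) -> None:
        self.premium.tick()
        self.aggregate.tick()

    def police(self, nbytes: int, is_premium: bool) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if is_premium:
            if not self.premium.try_consume(nbytes):
                return False              # premium policer drops it
            self.aggregate.charge(nbytes)  # aggregate only loses credits
            return True
        return self.aggregate.try_consume(nbytes)


def simulate(ticks: int = 1000, premium_pkts_per_tick: int = 3,
             nonpremium_pkts_per_tick: int = 5, pkt_bytes: int = 125):
    """Offer 3 Mbit/s premium and 5 Mbit/s non-premium (125-byte packets, 1 ms
    ticks) to a policer with a 2 Mbit/s premium rate and a 5 Mbit/s aggregate
    rate.  Returns (passed_bytes, dropped_bytes) per class."""
    hp = HierarchicalPolicer(
        premium=TokenBucket(rate_mbps=2, burst_bytes=1250),
        aggregate=TokenBucket(rate_mbps=5, burst_bytes=1250),
    )
    passed = {"premium": 0, "non-premium": 0}
    dropped = {"premium": 0, "non-premium": 0}
    for _ in range(ticks):
        hp.tick()
        # Classification happens before policing: premium first, then the rest.
        offers = ([("premium", True)] * premium_pkts_per_tick
                  + [("non-premium", False)] * nonpremium_pkts_per_tick)
        for cls, is_premium in offers:
            if hp.police(pkt_bytes, is_premium):
                passed[cls] += pkt_bytes
            else:
                dropped[cls] += pkt_bytes
    return passed, dropped


def achieved_mbps(passed_bytes: int, ticks: int) -> float:
    """Average forwarded rate over the run, in Mbit/s (ticks are 1 ms)."""
    return passed_bytes * 8 / (ticks * 1000)


if __name__ == "__main__":
    passed, dropped = simulate()
    for cls in passed:
        print(f"{cls:12s} forwarded {achieved_mbps(passed[cls], 1000):.3f} Mbit/s,"
              f" dropped {dropped[cls]} bytes")
```

Over 1000 ticks the premium class forwards 251000 bytes (about 2.0 Mbit/s, the configured premium rate plus its initial burst) and the non-premium class 374625 bytes (about 3.0 Mbit/s): the aggregate bucket is drained by the premium packets it never drops, which is exactly what leaves non-premium traffic with only the remainder of the aggregate rate.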

DSCP classification for VPLS at the ingress PE router (M320 routers with Enhanced Type III FPC and M120 routers): Enables you to configure DSCP classification for VPLS at an ingress PE router for encapsulation types vlan-vpls (IQ2 or IQ2E PICs) or ether-vpls-over-atm-llc (ATM II IQ PIC). To configure it, define the DSCP classifier at the [edit class-of-service classifiers dscp dscp-name] hierarchy level and apply it at the [edit class-of-service interfaces at-fpc/pic/port unit logical-unit-number classifiers] hierarchy level. The ATM interface must be included in the routing instance. [Class of Service]

Traffic control profile support at the FRF.16 physical interface level: FRF.16 bundle interfaces support multiple data-link connection identifiers (DLCIs). The bandwidth of each of these DLCIs was previously limited to one of the following:

• An aggregate value based on the number of DLCIs under the FRF.16 interface
• A specific percentage, through a traffic control profile applied at the logical interface level

When there is little or no traffic on an individual DLCI, the bandwidth of the respective member link interface is underutilized. Support for traffic control profile (TCP) features at the FRF.16 bundle (physical) interface level in Junos OS Release 10.4R2 addresses this limitation. The supported features include:

• Peak information rate (PIR)
• Scheduler map
• Delay buffer

To enable traffic control profiles at the FRF.16 bundle (physical) interface level, disable the per-unit scheduler, which is enabled by default, by including the no-per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level. To specify the traffic control profile features applicable to FRF.16 bundle physical interfaces, include the shaping-rate, delay-buffer-rate, and scheduler-map statements at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level. The shaping-rate and delay-buffer-rate must be specified as a percentage. To apply the traffic control profile to an FRF.16 bundle (physical) interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name] hierarchy level.


To view the traffic control profile configuration for an FRF.16 bundle, enter the show class-of-service traffic-control-profile command:

    user@host> show class-of-service traffic-control-profile
    Traffic control profile: lsq-2/1/0:0, Index: 35757
      Shaping rate: 30 percent
      Scheduler map: sched_0
      Delay Buffer rate: 30 percent

The following is a complete configuration example. Note that scheduler-maps and schedulers belong under the class-of-service hierarchy, and that the interface and class-of-service blocks are both closed before the next top-level statement:

    interfaces {
        lsq-0/2/0:0 {
            no-per-unit-scheduler;
            encapsulation multilink-frame-relay-uni-nni;
            unit 0 {
                dlci 100;
                family inet {
                    address 18.18.18.2/24;
                }
            }
        }
    }
    class-of-service {
        traffic-control-profiles {
            rlsq_tc {
                scheduler-map rlsq;
                shaping-rate percent 60;
                delay-buffer-rate percent 10;
            }
        }
        interfaces {
            lsq-0/2/0:0 {
                output-traffic-control-profile rlsq_tc;
            }
        }
        scheduler-maps {
            rlsq {
                forwarding-class best-effort scheduler rlsq_scheduler;
                forwarding-class expedited-forwarding scheduler rlsq_scheduler1;
            }
        }
        schedulers {
            rlsq_scheduler {
                transmit-rate percent 20;
                priority low;
            }
            rlsq_scheduler1 {
                transmit-rate percent 40;
                priority high;
            }
        }
    }


[Class of Service]

Interfaces and Chassis

Extended 64-bit Junos OS support to RE-1800 Series Routing Engines (M120, M320, MX960, MX480, and MX240 routers): Supported Routing Engines include:

• RE-A-1800x2: Supports 64-bit Junos OS on M120 and M320 routers.
• RE-S-1800x2: Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.
• RE-S-1800x4: Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.

[System Basics]

Ethernet encapsulation for ATM scheduler (M7i, M10i, M120, and M320 [with Enhanced III FPC] routers): Enables the configuration of an ATM scheduler map on an Ethernet VPLS over a bridged ATM interface. [Network Interfaces]

Synchronous Ethernet on MX80 routers and MX Series routers with MPCs: Supports the Ethernet synchronization messaging channel (ESMC), a G.8264-like clock selection mechanism, and external clocking on MX80 routers and MX Series routers with MPCs. Wireless backhaul and wireline transport services are the primary applications for these features. The following features are supported:

• Synchronous Ethernet on MX80 routers and MX Series routers with MPCs, based on G.8261 and G.8262. This feature does not work on the fixed-configuration version of the MX80 router.
• All Ethernet-type ports on MX80 routers and MX Series routers with MPCs.
• ESMC support as per G.8264.
• CLI command selection of clock sources.
• Monitoring of clock sources (a maximum of two clock sources can be monitored simultaneously).
• Revertive and nonrevertive modes.

To configure Synchronous Ethernet, include the synchronization statement and its substatements at the [edit chassis] hierarchy level. [Network Interfaces, Interfaces Command Reference]
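As an added configuration example (not taken from the release notes), the fragment below shows how the features listed above map onto the synchronization hierarchy: two monitored line-timing sources with explicit quality levels, ESMC transmission toward a downstream port, and revertive switchover. Only the synchronization statement itself is named in the note; the substatement names, interface names, and quality levels are assumptions.

```junos
chassis {
    synchronization {
        /* Assumed substatements: only 'synchronization' is named in the release note. */
        /* option-1 selects the SDH/ETSI quality-level set (prc, ssu-a, ssu-b, sec). */
        network-option option-1;
        /* Pick the source by its configured quality level first, then by priority. */
        selection-mode configured-quality;
        /* Revertive mode: fall back to the better source once it recovers. */
        switchover-mode revertive;
        /* Honor ESMC quality levels received from the upstream clock (G.8264). */
        quality-mode-enable;
        esmc-transmit {
            /* Downstream port that receives our ESMC messages (assumed name). */
            interfaces ge-1/0/0;
        }
        source {
            /* Primary upstream clock, first of the two monitored sources. */
            interfaces ge-1/0/1 {
                priority 1;
                quality-level prc;
            }
            /* Secondary clock, monitored in parallel and used if the primary fails. */
            interfaces ge-1/0/2 {
                priority 2;
                quality-level ssu-a;
            }
        }
    }
}
```

After commit, the release note's show synchronous-ethernet esmc statistics and show synchronous-ethernet global-information commands report which source was selected and whether ESMC is being received.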

Enhanced container interface allows ATM children for containers: M Series and T Series routers with ATM2 PICs automatically copy the parent container interface configuration to the child interfaces. Container interfaces do not go down during APS switchovers, thereby shielding upper layers. This feature allows the various ATM features to work over the container ATM for APS.


New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

To specify ATM child interfaces within a container interface, use the container-list cin statement and the (primary | standby) option at the [edit interface at-fpc/pic/slot container] hierarchy level. To configure a container interface, including its child interfaces, use the cin statement and its options at the [edit interface cin] hierarchy level. Container ATM APS does not support interchassis APS. MLPPP over ATM CI is also not supported. [Network Interfaces]

Fabric down signaling to neighboring routers (T1600 and T640 routers): Neighboring routers are signaled when a T640 or T1600 router is unable to carry traffic because all fabric planes have been taken offline for one of the following reasons:

- CLI command or offline button pressed.
- Automatically taken offline by the SPMB due to high temperature.
- PIO errors and voltage errors on the SIBs detected by the SPMB CPU.

The following scenarios are not supported by this feature:

- All PFEs get destination errors on all planes to all destinations, even with the SIBs staying online.
- Complete fabric loss caused by destination timeouts, with the SIBs still online.

When chassisd detects that all fabric planes are down, the router reboots all FPCs in the system. When the FPCs come back up, the interfaces are not created again, because all fabric planes are down. After you diagnose and fix the cause of all fabric planes going down, you must then bring the SIBs back online. Bringing the SIBs back online brings up the interfaces. Fabric down signaling to neighboring routers offers the following benefits:

- FPCs reboot when the control plane connection to the Routing Engine times out.
- Extends a simple approach to reboot FPCs when the data plane fails.

- When the router transitions from a state where SIBs are online or spare to a state where no SIBs are online, all the FPCs in the system are rebooted.
- An ERRMSG message indicates that all fabric planes are down and that the FPCs will reboot if the fabric planes do not come up within 2 minutes.
- An ERRMSG message indicates the reason for the FPC reboot on fabric connectivity loss.
- The chassisd daemon traces when an FPC comes online but a PIC attach is not done because no fabric plane is present.
- A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken offline.


You need to bring the SIBs online after determining why they were not online. When the first SIB comes online and link training with the FPCs completes, the interfaces are created. Fabric down signaling to neighboring routers is enabled by default, and no user configuration is required. No new CLI commands or alarms are introduced for this feature; alarms for SIBs not being online already exist. [Network Interfaces, System Basics]

New enterprise-specific MIB to support digital optical monitoring (MX960, MX480, and MX240 routers, and T640 and T1600 routers with 10-Gigabit Ethernet LAN/WAN PIC with XFP): Junos OS Release 10.4 introduces JUNIPER-DOM-MIB, a new enterprise-specific MIB to extend MIB support for digital optical monitoring. JUNIPER-DOM-MIB supports the SNMP Get request for statistics and SNMP Trap notifications for alarms. JUNIPER-DOM-MIB is part of the JUNIPER-SMI MIB hierarchy level.

The following MIB objects are supported by JUNIPER-DOM-MIB for digital optical monitoring:

- jnxDomCurrentTable
- jnxDomAlarmSet
- jnxDomAlarmCleared

[SNMP MIBs and Traps Reference]

Logging improvements: You can now control logging speed at the interface level. To rate-limit the system log messages generated from a service PIC, include the message-rate-limit statement at the [edit interfaces interface-name services-options syslog] hierarchy level. This option configures the maximum number of system log messages per second that can be formatted and sent from the PIC to either the Routing Engine (local) or to an external server (remote). The default rates are 10,000 for the Routing Engine and 200,000 for an external server. [Network Interfaces]

Support for SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320, MX240, MX480, MX960, T640, and T1600 routers): Supports a 4-port SONET/SDH OC48 Enhanced IQ (IQE) PIC (Type 3) with per data-link connection identifier (DLCI) queuing. Supported FPCs include T640-FPC3-ES, M320-FPC3-E3, and MX-FPC3. Class of service (CoS) enables enhanced egress queuing, buffering, and traffic shaping. CoS supports eight queues per logical interface, a per-unit scheduler, and two shaping rates: a committed information rate (CIR) and a peak information rate (PIR) per DLCI. Other CoS features include, but are not restricted to, sharing of excess bandwidth among logical interfaces, five levels of priorities (including Strict High), ingress behavior aggregate (BA) classification, queue rate-limit policer, ingress rewrite, egress rewrite, and a forwarding class to queue remapping per DLCI.


The SONET/SDH OC48/STM16 PIC supports CoS features similar to those in IQ2E PICs, in terms of behavior and configuration statements. This PIC supports the following Layer 2 protocols: PPP, Frame Relay, and Cisco HDLC encapsulations. For more information, see the PC-4OC48-STM16-IQE-SFP documentation for your router:

- SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T1600 Router)
- SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T640 Router)
- SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (MX Series Routers)
- SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320 Router)

[PIC Guide, Network Interfaces, Class of Service]

IPv6 statistics from IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers: Supports statistical accounting for IPv6 traffic traversing the IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers. For IQ2 and IQ2E PIC interfaces, the IPv6 traffic that is reported is the total statistics (sum of local and transit IPv6 traffic) in the ingress and egress directions. The IPv6 traffic in the ingress direction is accounted separately only if the IPv6 family is configured for the logical interface. Statistics are maintained for routed IPv6 packets in the egress direction. Byte and packet counters are maintained in the ingress and egress directions. Differences in IPv6 statistics between IQ2 interfaces and all other interfaces are as follows:

- IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other interfaces, the transit statistics are reported.
- IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface. For all other interfaces, only the routed traffic is accounted.
- IQ2 and IQ2E PIC interfaces report IPv6 statistics for the Layer 2 frame size. For all other interfaces, the Layer 3 packet size is accounted.

The IPv6 statistics can be viewed by logging in to the individual IQ2 PIC or IQ2E PIC, or by using the CLI. Local statistics are not accounted separately. To display total IPv6 statistics for IQ2 and IQ2E PICs, use the show interfaces extensive command.

NOTE: The reported IPv6 statistics do not account for the traffic manager drops in egress direction or the Packet Forwarding Engine/traffic manager drops in the ingress direction. Transit statistics are not accounted separately because the IQ2 and IQ2E PICs cannot differentiate between transit and local statistics.


[Network Interfaces]

100-Gigabit Ethernet PIC interoperability with VLAN steering: Supports interoperability with similar PICs from other vendors using a VLAN steering forwarding option. Previously, the PICs required interconnection to the same model PIC. Interoperability with interfaces from other vendors was not supported. Junos OS Release 10.4 introduces a new VLAN steering algorithm to configure 100-Gigabit Ethernet PIC interoperation with similar interfaces from other vendors. Two packet forwarding modes exist under the forwarding-mode statement. SA multicast mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs, uses the Ethernet header SA MAC address multicast bit to steer the packets to the appropriate Packet Forwarding Engine. VLAN steering mode allows the PIC to connect to non-Juniper Networks equipment. On ingress, the PIC compares the outer VLAN ID against a user-defined VLAN ID and VLAN mask combination and steers the packet accordingly. Modifying the forwarding mode configuration reboots the PIC. VLAN steering overview:

- In VLAN steering mode, the SA multicast bit is not used for packet steering.
- In SA multicast bit steering mode, VLAN ID and VLAN mask configuration is not used for packet steering.
- Configuration of packet forwarding mode and VLAN steering mode uses CLI commands that result in a PIC reboot.

There are three tag types for ingress packets:

- Untagged ingress packet: The packet is sent to PFE1.
- Ingress packet with one VLAN: The packet is forwarded based on the VLAN ID.
- Ingress packet with two VLANs: The packet is forwarded based on the outer VLAN ID.

VLAN rules describe how the router forwards packets. For VLAN steering, you must use one of the two rules available in the CLI:

- Odd-even rule: Odd-numbered VLAN IDs go to PFE1; even-numbered VLAN IDs go to PFE0.
- High-low rule: VLAN IDs 1 through 2047 go to PFE0; VLAN IDs 2048 through 4096 go to PFE1.

When configured in VLAN steering mode, the PIC can be configured in two physical interface mode or in aggregated Ethernet mode (AE mode):

Two physical interface mode: When the PIC is in two physical interface mode, it creates physical interfaces et-x/0/0:0 and et-x/0/0:1. Each physical interface can configure its own logical interface and VLAN. The CLI enforces the following restrictions on commit:

- The VLAN ID configuration must comply with the selected VLAN rule.


- The previous restriction implies that the same VLAN ID cannot be configured on both physical interfaces.

AE mode: In AE mode, the two physical interfaces on the same PIC are aggregated into one aggregated Ethernet physical interface. PIC egress traffic is based on the aggregated Ethernet internal hash algorithm. PIC ingress traffic steering is based on the customized VLAN ID rule. The CLI enforces the following restrictions on commit:

- The aggregated Ethernet PIC working in VLAN steering mode includes both links of that PIC, and only the links of that PIC.
- The aggregated Ethernet PIC working in SA multicast steering mode can include more than one PIC to achieve more than 100-gigabit capacity.

To configure the PIC forwarding mode, include the forwarding-mode statement and its options at the [edit chassis fpc number pic number] hierarchy level. [Network Interfaces]

New control queue disable feature (T Series routers with 10-Gigabit Ethernet PIC with oversubscription): Provides a new CLI statement for disabling the control queue feature for the 10-Gigabit Ethernet PIC with oversubscription. To disable the control queue, use the no-pre-classifier statement at the [edit chassis] hierarchy level. When the no-pre-classifier statement is set, the control queue feature is disabled for all ports on that 10-Gigabit Ethernet PIC with oversubscription. Deleting this configuration re-enables the control queue feature on all the ports of that PIC.

[edit chassis]
fpc 2 {
    pic 0 {
        no-pre-classifier;
    }
}

NOTE:
1. This feature is applicable in both oversubscribed and line-rate modes.
2. The control queue feature is enabled by default in both oversubscribed and line-rate modes, which can be overridden by the user configuration.
3. CLI show commands remain unchanged. When the control queue is disabled, various show queue commands continue to show the control queue in the output. However, all control queue counters are reported as zeros.
4. Enabling or disabling the control queue feature results in the PIC being bounced (offline/online).


When the control queue feature is disabled, the Layer 2 and Layer 3 control packets are subject to queue selection based on the BA classification. However, the following control protocol packets are not classified using BA classification, as they might not have a VLAN, MPLS, or IP header:

- Untagged ARP packets
- Untagged Layer 2 control packets such as LACP or Ethernet OAM
- Untagged IS-IS packets

When the control queue feature is disabled, untagged ARP/IS-IS and other untagged Layer 2 control packets go to the restricted queue corresponding to the forwarding class associated with queue 0. [Network Interfaces]

Microcode remap (M320 and M120 routers): M320 routers with E3 type-1 FPCs and M120 routers with a single type-1 FPC mapped to an FEB support a new microcode map to resolve microcode overflow with certain PIC combinations. On M320 routers, the new microcode map is enabled by default and is the only option available. On M120 routers, you can enable the new microcode map by using the ucode-imem-remap statement at the [edit chassis feb slot-number] hierarchy level. On M120 routers, the default microcode map remains in effect if the ucode-imem-remap statement is not configured.

[edit chassis]
feb slot-number {
    ucode-imem-remap;
}

NOTE: On M120 routers, the FEB is automatically restarted after the ucode-imem-remap statement is configured and committed.

[System Basics]

Junos OS XML API and Scripting


New Junos OS XML API operational request tag elements: Table 1 shows the Junos OS Extensible Markup Language (XML) operational request tag elements that are new in Junos OS Release 10.4, along with the corresponding CLI command and response tag element for each one.


Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release 10.4

| Request Tag Element | CLI Command | Response Tag Element |
|---|---|---|
| <request-dhcpv6-server-reconfigure-information> (request_dhcpv6_server_reconfigure_information) | request dhcpv6 server reconfigure | NONE |
| <request-license-update> (request_license_update) | request system license update | NONE |
| <request-package-nonstop-upgrade> (request_package_nonstop_upgrade) | request system software nonstop-upgrade | NONE |
| <get-amt-statistics> (get_amt_statistics) | show amt statistics | <amt-instance-statistics> |
| <get-amt-summary> (get_amt_summary) | show amt summary | <amt-summary> |
| <get-amt-tunnel-information> (get_amt_tunnel_information) | show amt tunnel | <amt-tunnel-information> |
| <get-rps-chassis-information> (get_rps_chassis_information) | show chassis redundant-power-supply | <rps-chassis-information> |
| <get-bios-version-information> (get_bios_version_information) | show chassis routing-engine bios | NONE |
| <get-cos-congestion-notification-information> (get_cos_congestion_notification_information) | show class-of-service congestion-notification | <cos-congestion-notification-information> |
| <get-firewall-log-information> (get_firewall_log_information) | show firewall filter version | <firewall-information> |
| <get-interface-information> (get_interface_information) | show ingress-replication | <ingress-replication-information> |
| <get-isis-context-identifier-origin-information> (get_isis_context_identifier_origin_information) | show isis context-identifier | <isis-context-identifier-information> |
| <get-isis-database-information> (get_isis_database_information) | show isis context-identifier identifier | <isis-context-identifier-origin-information> |
| <get-mpls-cspf-information> (get_mpls_cspf_information) | show mpls context-identifier | <mpls-context-identifier-information> |
| <get-authentication-pending-table> (get_authentication_pending_table) | show network-access domain-map statistics | <domain-map-statistics> |
| <get-ospf-database-information> (get_ospf_database_information) | show ospf context-identifier | <ospf-context-id-information> |
| <get-rps-power-supply-information> (get_rps_power_supply_information) | show redundant-power-supply led | <rps-led-information> |
| <get-rps-status-information> (get_rps_status_information) | show redundant-power-supply power-supply | <rps-power-supply-information> |
| <get-rps-version-information> (get_rps_version_information) | show redundant-power-supply status | <rps-status-information> |
| <get-rip-general-statistics-information> (get_rip_general_statistics_information) | show redundant-power-supply version | <rps-version-information> |
| <get-idp-policy-template-information> (get_idp_policy_template_information) | show security idp policy-commit-status | <idp-policy-commit-status> |
| <get-service-border-signaling-gateway-charging-status> (get_service_border_signaling_gateway_charging_status) | show services border-signaling-gateway charging statistics | <bsg-charging-statistics> |
| <get-service-bsg-denied-messages> (get_service_bsg_denied_messages) | show services border-signaling-gateway charging status | <bsg-charging-status> |
| <get-services-l2tp-radius-accounting-statistics-information> (get_services_l2tp_radius_accounting_statistics_information) | show services l2tp destination | <service-l2tp-destination-information> |
| <get-service-softwire-statistics-information> (get_service_softwire_statistics_information) | show services sessions | <msp-session-table> |
| <get_service_sfw_conversation_information> (get_service_sfw_conversation_information) | show services softwire | <service-softwire-table-information> |
| <get_service_sfw_flow_analysis_information> (get_service_sfw_flow_analysis_information) | show services softwire flows | <service-fwnat-flow-table-information> |
| <get_service_sfw_flow_table_information> (get_service_sfw_flow_table_information) | show services softwire statistics | <service-softwire-statistics-information> |
| <get_service_sfw_sip_register_information> (get_service_sfw_sip_register_information) | show services stateful-firewall flow-analysis | <service-sfw-flow-analysis-information> |
| <get_synchronous_ethernet_esmc-statistics> (get_synchronous_ethernet_esmc-statistics) | show synchronous-ethernet esmc statistics | <clock-synchronization-statistics> |
| <get_synchronous_ethernet_esmc_transmit> (get_synchronous_ethernet_esmc_transmit) | show synchronous-ethernet esmc transmit | <clock-synchronization-esmc-transmit> |
| <get_synchronous_ethernet_global_information> (get_synchronous_ethernet_global_information) | show synchronous-ethernet global-information | NONE |
| <get_system_resource_cleanup_processes_information> (get_system_resource_cleanup_processes_information) | show system relay group | <relay-group-information> |
| <get_rollback_information> (get_rollback_information) | show system relay member | <relay-group-member> |
| <get_dhcp_binding_information> (get_dhcp_binding_information) | show system relay summary | <relay-summary> |
| <clear_synchronous_ethernet_esmc_statistics> (clear_synchronous_ethernet_esmc_statistics) | clear synchronous-ethernet esmc statistics | <clock-synchronization-clear-output> |

Layer 2 Ethernet Services

Feature support for Trio MPCs and MICs (MX Series 3D Universal Edge Routers): Enables you to configure the following features through Junos OS Release 9.1: load balancing, Ethernet OAM IEEE 802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB support for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming for Inter-AS VPLS, VPLS Ethernet as a core-facing interface, and limitations on next-hop flooding. [Layer 2 Configuration]

Ethernet CFM support on Trio MPCs and MICs (MX Series 3D Universal Edge Routers): Enables support for Ethernet connectivity fault management (CFM) defined by IEEE 802.1ag for family bridge interfaces. However, MEP configuration is not supported on aggregated Ethernet interfaces. [Layer 2 Configuration]


MPLS Applications

MPLS support on services PICs: Adds MPLS label pop support for services PICs on Junos OS routers. Previously, all MPLS traffic would be dropped at the services PIC. No changes are required to CLI configurations for this enhancement. In-service software upgrade (unified ISSU) is supported for tag next hops for MPLS on services PIC traffic, but no support is provided for tags over IPv6 packets or labels on multiple gateways. [MPLS]

Adding descriptions for bypass LSP: You can now add text describing a bypass LSP using the description option at the [edit protocols rsvp interface interface-name link-protection bypass bypass-lsp-name] hierarchy level. Enclose any descriptive text that includes spaces in quotation marks (" "). Any descriptive text you include is displayed in the output of the show rsvp session bypass command and has no effect on the operation of the bypass LSP. [MPLS]

Multicast

Nonstop active routing PIM support for IPv6: Starting with Release 10.4, Junos OS extends the nonstop active routing support for Protocol Independent Multicast (PIM), which is already supported on IPv4, to include the IPv6 address families. The extension of nonstop active routing PIM support to IPv6 enables IPv6 routers to maintain self-generation IDs, multicast session states, dynamic interface states, lists of neighbors, and RP sets across Routing Engine switchovers. The nonstop active routing support for PIM on IPv6 is similar to the nonstop active routing PIM support on IPv4 except for the following:

- Nonstop active routing support for PIM on IPv6 supports an embedded rendezvous point (RP) on non-RP routers.
- Nonstop active routing support for PIM on IPv6 does not support auto-RP, because auto-RP is not supported on IPv6.

For more information about nonstop active routing PIM support on IPv4 and IPv6, see the Junos OS High Availability Configuration Guide. [High Availability, Multicast]

MX Series

Support for MX Series routers: While these features have been available on the MX Series routers in the past, the following features are now qualified on the Trio chipset. For MPLS, RSVP, and LDP:

- BFD session failure action for LDP LSPs (including ECMP)
- RSVP Graceful Restart interop with Cisco using Nodal Hello support
- Failure action on BFD session down of RSVP LSPs in JUNOS


- RSVP transit L3VPN testing using RSVP NSR: RSVP ingress BFD via LDP

For OSPF:

- OSPF Database Protection
- RFC 4136 OSPF Refresh and Flooding Reduction in Stable Topologies

For Multicast:

- PIM SSM in provider space (Draft-Rosen 7)
- NG MVPN - PIM-SSM I-PMSI and deployment scenario testing
- MVPN C-PIM in plain ASM mode
- NGEN MVPN hub and spoke support with GRE S-PMSI transport
- PIM Join suppression support
- Translating PIM states to IGMP/MLD messages
- Disable PIM for IPv6 via CLI
- IPv6 multicast support over L3VPNs
- PIM neighbor should be maintained wherever possible
- Data MDT SAFI (draft-rosen-l3vpn-mvpn-profiles)
- Inter-provider Option A support with Rosen 7
- Rosen 7 interoperability with Cisco IOS

For VPNs:

- VPLS: Configurable label block size (min 2)
- Interoperate LDP-VPLS and BGP-VPLS with FEC 128 LDP-VPLS
- Interprovider VPLS Option "E": EBGP redistribution of labeled routes

Miscellaneous:

- Support to commit configuration from op/event scripts
- Per PFE per packet load balancing
- Next Hop Handling Enhancements (Phase 3)


- Support local-as alias hidden command
- MIB Enhancements for Manual Bypass Tunnel Management
- ISIS LFA
- Improve IGMPv3 performance using bulk updates
- Improve IGMPv3 performance using bulk updates - with snooping
- Allow ASM group override of SSM ranges

Routing Policy and Firewall Filters

Point-to-multipoint LSP load balancing across aggregated Ethernet links (M Series routers except M320): Enables you to load-balance VPLS multicast and point-to-multipoint multicast traffic again over link aggregation. This feature also load-balances traffic after a change in the next-hop topology. Next-hop topology changes might include but are not limited to:

- Layer 2 membership change in the link aggregation
- Indirect next-hop change
- Composite next-hop change

No new configuration is required to configure this feature. The load balancing over aggregated links is automatically enabled with Junos OS Release 10.4. For a sample topology and configuration example, see the Junos OS Policy Framework Configuration Guide. [Policy]

New routing policy system log message: Junos OS Release 10.3 supports a new routing policy system log message. The RPD_PLCY_CFG_NH_NETMASK system log message provides information about ignored netmasks. If you have a policy statement with a term that contains a next-hop address with a netmask, the netmask is ignored. The following sample shows the new system log message (depending on your network configuration, the type of message you see might be different):
Jun 18 11:22:43 pro5-d rpd[1403]: RPD_PLCY_CFG_NH_NETMASK: Netmask ignored for next hop: 10.0.0.1/24.

[System Log Messages Reference]

Support for displaying the firewall filter version information: You can display the version number of the firewall filter installed in the Routing Engine. The initial version number is 1, which increments by one when you modify the firewall filter settings or an associated prefix action. To show the version number of the installed firewall filter, use the show firewall filter version operational mode command. [Routing Protocols and Policies Command Reference]


Routing Protocols

Support for disabling traps for passive OSPFv2 interfaces: You can now disable interface state change traps for passive OSPF interfaces. Passive OSPF interfaces advertise address information as an internal OSPF route, but do not run the actual protocol. If you are only interested in receiving notifications for active OSPF interfaces, disabling traps for passive OSPF interfaces reduces the number of notifications received and processed by the SNMP server. This allows you to more quickly and easily scan the logs for potential issues on active OSPF interfaces. To disable and stop receiving notifications for state changes in a passive OSPF interface, include the no-interface-state-traps statement at the following hierarchy levels:

- [edit logical-systems logical-system-name protocols ospf area area-id interface interface-name]
- [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id interface interface-name]
- [edit protocols ospf area area-id interface interface-name]
- [edit routing-instances routing-instance-name protocols ospf area area-id interface interface-name]

[Routing Protocols]

Behavior change for BGP-independent autonomous system (AS) domains: Independent domains use the transitive path attribute 128 (attribute set) messages to tunnel the independent domain's BGP attributes through the internal BGP (IBGP) core. In Junos OS Release 10.3 and later, if you have not configured an independent domain in any routing instance, BGP treats the received attribute 128 message as an unknown attribute. The autonomous system (AS) path field in the show route command has been updated to display an unrecognized attribute and the associated hexadecimal value if you have not configured an independent domain. The following is a sample output of the AS path field (depending on your network configuration, the output might be different):

AS path: [12345] I Unrecognized Attributes: 40 bytes
AS path: Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 fd e9 01 2d 40 05 04 00 00 00 64 c0

[Routing Protocols]

Support for disabling the attribute set messages on independent AS domains for BGP loop detection: BGP loop detection for a specific route uses the local autonomous system (AS) domain for the routing instance. By default, all routing instances belong to a single primary routing instance domain. Therefore, BGP loop detection uses the local ASs configured on all of the routing instances. Depending on your network configuration, this default behavior can cause routes to be looped and hidden. To limit the local ASs in the primary routing instance, configure an independent AS domain for a routing instance. Independent domains use the transitive path attribute 128 (attribute set) messages to tunnel the independent domain's BGP attributes through the internal BGP (IBGP) core. If you want to configure independent domains to maintain the independence of local ASs in the routing instance and perform BGP loop detection only for the specified local ASs in the routing instance, disable attribute set messages on the independent domain. To disable attribute set messages, include the independent-domain no-attrset statement at the following hierarchy levels:

- [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options autonomous-system autonomous-system]
- [edit routing-instances routing-instance-name routing-options autonomous-system autonomous-system]

[Routing Protocols]

Services Applications

NAT-PT with DNS ALG support (M Series and T Series routers): You can configure Domain Name Service (DNS) application-level gateways (ALGs) using Network Address Translation-Protocol Translation (NAT-PT) for IPv6 to IPv4. The implementation is described in RFC 2766 and RFC 2694. When you configure NAT-PT with DNS ALG support, you must configure two NAT rules. The first NAT rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The second rule is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG application.

To configure the correct translation of the DNS query and response packets, include the dns-alg-pool dns-alg-pool or dns-alg-prefix dns-alg-prefix statement at the [edit services nat rule rule-name term term-name then translated] hierarchy level. To configure the DNS ALG application, include the application application-name statement at the [edit applications] hierarchy level, then reference it at the [edit services nat rule rule-name term term-name from] hierarchy level. To configure destination translation with the DNS ALG address map, use the use-dns-map-for-destination-translation statement at the [edit services nat rule rule-name term term-name then translated] hierarchy level. This statement correlates the DNS query or response processing done by the first rule with the actual data sessions processed by the second rule.

You can also control the translation of IPv6 and IPv4 DNS queries in the following ways:

For translation control of IPv6 DNS queries, use the do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level. For translation control of IPv4 queries, use the do-not-translate-A-query-to-AAAA-query statement at the [edit applications application application-name] hierarchy level.

Copyright 2011, Juniper Networks, Inc.

NOTE: These two statements are mutually exclusive; configure at most one of them for a given application.

To check that the flows are established properly, use the show services stateful-firewall flows command or the show services stateful-firewall conversations command. [Services Interfaces]
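What the two NAT rules accomplish, modelled as an added Python example (this is not Junos code and not the router's implementation). It follows the RFC 2766 DNS-ALG pattern for the dns-alg-prefix case: the first rule rewrites the AAAA query from the IPv6 host into an A query for the IPv4-only DNS server, turns the A answer into a synthesized AAAA record and records the mapping; the second rule uses that map to translate the destination of the data session that follows. The /96 prefix 64:ff9b::/96, the hostnames and the DNS records are constructed for the example.

```python
"""Model of a NAT-PT DNS ALG (RFC 2766 style) for the dns-alg-prefix case.

Added example, not Junos code. The prefix and DNS records are constructed.
"""
import ipaddress
from typing import Dict, Optional, Tuple


class DnsAlg:
    def __init__(self, prefix: str, translate_aaaa_to_a: bool = True):
        self.prefix = ipaddress.IPv6Network(prefix)
        # A /96 prefix leaves exactly 32 bits for the embedded IPv4 address.
        if self.prefix.prefixlen != 96:
            raise ValueError("dns-alg-prefix must be a /96")
        # False models do-not-translate-AAAA-query-to-A-query.
        self.translate_aaaa_to_a = translate_aaaa_to_a
        # The DNS ALG address map: synthesized IPv6 address -> real IPv4 address.
        self.dns_map: Dict[ipaddress.IPv6Address, ipaddress.IPv4Address] = {}

    def outbound_query(self, qname: str, qtype: str) -> Tuple[str, str]:
        """Rule 1, query direction: an AAAA query from the IPv6 host is sent to
        the IPv4-only DNS server as an A query; anything else passes unchanged."""
        if qtype == "AAAA" and self.translate_aaaa_to_a:
            return (qname, "A")
        return (qname, qtype)

    def inbound_response(self, qname: str, rtype: str, rdata: str,
                         original_qtype: str) -> Tuple[str, str, str]:
        """Rule 1, response direction: an A answer to a translated AAAA query is
        returned as an AAAA record whose address embeds the IPv4 address in the
        configured prefix, and the mapping is remembered for the data session."""
        if rtype == "A" and original_qtype == "AAAA":
            v4 = ipaddress.IPv4Address(rdata)
            v6 = ipaddress.IPv6Address(int(self.prefix.network_address) | int(v4))
            self.dns_map[v6] = v4
            return (qname, "AAAA", str(v6))
        return (qname, rtype, rdata)

    def translate_destination(self, dst: str) -> Optional[ipaddress.IPv4Address]:
        """Rule 2 (use-dns-map-for-destination-translation): a session the host
        opens to the synthesized address is sent to the real IPv4 address.
        Returns None when the destination was never learned through DNS."""
        return self.dns_map.get(ipaddress.IPv6Address(dst))


if __name__ == "__main__":
    alg = DnsAlg("64:ff9b::/96")
    q = alg.outbound_query("www.example.com", "AAAA")
    print("query sent to IPv4 DNS:", q)
    r = alg.inbound_response("www.example.com", "A", "192.0.2.10", "AAAA")
    print("answer returned to IPv6 host:", r)
    print("data session destination:", alg.translate_destination(r[2]))
```

A destination that was not learned through a translated DNS answer has no entry in the map, which is why the model returns None for it; a real deployment needs the second rule to cover exactly that case.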

Enhancements to active flow monitoring
Adds support for extraction of bandwidth usage information for billing purposes in PIC-based sampling configurations. This capability is supported on M Series, MX Series, and T Series routers and applies only to IPv4 and IPv6 traffic. It is enabled only at the global instance hierarchy level and is not available for per Packet Forwarding Engine instances. To configure the sampling of traffic for billing purposes, include the template as-peer-billing-template-name statement at the [edit forwarding-options sampling family (inet | inet6) output flow-server server-name version version-number] hierarchy level. To define the peer-AS billing functionality, include the peer-as-billing-template statement at the [edit services flow-monitoring version9 template template-name] hierarchy level. For a list of the template fields, see the Junos OS Services Interfaces Configuration Guide. You can apply the existing destination class usage (DCU) policy option configuration for use with this feature.

In addition, the MPLS top label IP address is added as a new field in the existing MPLS-IPv4 flow template. You can use this field to gather MPLS forwarding equivalence class (FEC)-based traffic information for MPLS network capacity planning. This is a PIC-only feature applied to sampled traffic and collected by the services PIC or DPC. You can define it for either global or per Packet Forwarding Engine instances for MPLS traffic. The show services accounting aggregation template operational command has been updated to include new output fields that reflect the additional functionality. [Services Interfaces, System Basics and Services Command Reference]

Support for the RPM timestamp on the Services SDK (M Series, MX Series, and T Series routers)
Real-time performance monitoring (RPM), which has been supported on the Adaptive Services (AS) interface, is now supported by the Services SDK. RPM is supported on all platforms and service PICs that support the Services SDK. RPM timestamping is needed to account for any latency in packet communications. You can apply timestamps on the client, on the server, or on both client and server. RPM timestamping is supported only with the icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types. To specify the Services SDK interface, include the destination-interface statement at the [edit services rpm probe probe-owner test test-name] hierarchy level:

destination-interface ms-fpc/pic/port.logical-unit-number;

To specify the RPM client router and the RPM server router, include the rpm statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:

rpm (client | server);

To enable RPM on the Services SDK on the AS interface, configure the object-cache-size, policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the Services SDK, package-name in the package package-name statement is jservices-rpm.
user@host# show chassis
fpc 1 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 1;
                    object-cache-size 512;
                    policy-db-size 64;
                    package jservices-rpm;
                    syslog daemon any;
                }
            }
        }
    }
}

[Services Interfaces]

ALGs using Junos Services Framework (JSF) (M Series routers with Multiservices PICs and MX Series routers with Multiservices DPCs)
Application-level gateways (ALGs) intercept and analyze specified traffic, allocate resources, and define dynamic policies to permit traffic to pass securely through a device. Beginning with Junos OS Release 10.4 on the specified routers, you can use JSF ALGs with the following services:

Stateful firewall
Network Address Translation (NAT)

To use JSF to run ALGs, you must configure the jservices-alg package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure the ALG application at the [edit applications application application-name] hierarchy level, and reference the application in the stateful firewall rule or the NAT rule in those respective configurations. [Services Interfaces]

Enhancements to port mirroring with next-hop groups (MX Series routers only)
Adds support for binding up to two port-mirroring instances to the same MX Series Packet Forwarding Engine. This enables you to choose multiple mirror destinations by specifying different port-mirroring instances in the filters. Filters must include the port-mirror-instance instance-name statement at the [edit firewall filter filter-name term term-name then] hierarchy level. You must also include the port-mirror-instance instance-name statement at the [edit chassis fpc number] hierarchy level to specify the FPC to be used.

Inline port mirroring allows you to configure instances that are not bound to the FPC specified in the firewall filter then port-mirror-instance instance-name action. Instead, you can define the then next-hop-group action. Inline port mirroring aims to decouple the port-mirror destination from the input parameters, such as rate. While the input parameters are programmed in the Switch Interface Board (SIB), the next-hop destination for the mirrored packet is available in the packet itself. A port-mirroring instance can now inherit input parameters from another instance that specifies it. To configure this option, include the input-parameters-instance instance-name statement at the [edit forwarding-options port-mirror instance instance-name] hierarchy level. You can also now configure port mirroring to next-hop groups using a tunnel interface. [Services Interfaces]

Multiple IDP detector support (MX Series routers, M120 routers, and M320 routers with Enhanced III FPCs)
The IDP detector provides information about services, contexts, and anomalies that are supported by the associated protocol decoder. The specified routers now support loading multiple IDP detectors simultaneously. When a policy is loaded, it is also associated with a detector. If the new policy being loaded has an associated detector that matches the detector already being used by the existing policy, the new detector is not loaded and both policies use a single associated detector. However, if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy then uses its own associated detector for attack detection. Note that with the specified routers, a maximum of four detectors can be loaded at any given time. Multiple IDP detector support for the specified routers functions in a similar way to the existing IDP detector support on J Series and SRX Series devices, except for the maximum number of decoder binary instances that are loaded into the process space. To view the current policy and the corresponding detector version, use the show security idp status detail command. For more information, see the Junos OS Security Configuration Guide. [Services Interfaces]

NAT using Junos OS Services Framework (JSF) (M Series and T Series routers with Multiservices PICs and MX Series routers with Multiservices DPCs)
Junos OS Services Framework (JSF) is a unified framework for Junos OS services integration. JSF services integration allows the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run NAT on the specified routers. To use JSF to run NAT, you must configure the jservices-nat package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure NAT rules and a service set with a Multiservices interface. To check the configuration, use the show configuration services nat command. To show the run-time (dynamic state) information about the interface, use the show services sessions and show services nat pool commands. [Services Interfaces]

Stateful firewall using Junos Services Framework (JSF) (M Series routers with Multiservices PICs, MX Series routers with Multiservices DPCs, and T Series routers)
Junos Services Framework (JSF) is a unified framework for Junos OS services integration. JSF services integration allows the option of running Junos OS services on services PICs or DPCs in any M Series, MX Series, or T Series routers. Beginning with Junos OS Release 10.4, you can use JSF to run stateful firewall on the specified routers. To use JSF to run stateful firewall, you must configure the jservices-sfw package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure stateful firewall rules and a service set with a Multiservices interface. To check the configuration, use the show configuration services stateful-firewall command. To show the run-time (dynamic state) information about the interface, use the show services sessions command. [Services Interfaces]

Transition of IPv4 traffic to IPv6 addresses using Dual-Stack Lite (DS-Lite)
Adds support for DS-Lite, a means for transitioning IPv4 traffic to IPv6 addresses. This transition will become necessary as the supply of unique IPv4 addresses nears exhaustion. New subscriber homes are allocated IPv6 addresses and IPv6-capable equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6 equipment to reach the IPv4 network. An IPv4 host communicates with a NAT endpoint over an IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services such as NAT applied to them. [Services Interfaces, System Basics and Services Command Reference]

Round-robin allocation for NAPT addresses
You can now specify round-robin address allocation from NAT pools when you use NAPT. In the default method of address allocation, NAT addresses are allocated sequentially. All of the addresses in a given range must be allocated before addresses from a different range are allocated. The following example illustrates the sequential (legacy) implementation, which is still available to provide backward compatibility.
pool napt {
    address-range low 9.9.99.1 high 9.9.99.3;
    address-range low 9.9.99.4 high 9.9.99.6;
    address-range low 9.9.99.8 high 9.9.99.10;
    address-range low 9.9.99.12 high 9.9.99.13;
    port {
        range low 3333 high 3334;
    }
}

In this example, for each unique source address, a new address range is used for allocation only when there are no ports available in the previous address range. Address 9.9.99.4:3333 is picked only when all ports for addresses in the first range are exhausted.

The first connection is allocated NAT address 9.9.99.1:3333. The second connection is allocated 9.9.99.1:3334.

The third connection is allocated 9.9.99.2:3333. The fourth connection is allocated 9.9.99.2:3334, and so on.

To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.

The first connection is allocated NAT address 9.9.99.1:3333, the second 9.9.99.2:3333, the third 9.9.99.3:3333, the fourth 9.9.99.4:3333, the fifth 9.9.99.5:3333, the sixth 9.9.99.6:3333, the seventh 9.9.99.8:3333, the eighth 9.9.99.9:3333, the ninth 9.9.99.10:3333, the tenth 9.9.99.12:3333, and the eleventh 9.9.99.13:3333. Addresses 9.9.99.7 and 9.9.99.11 are never allocated because they are not part of any configured range. Wraparound then occurs, and the twelfth connection is allocated 9.9.99.1:3334.

[Services Interfaces]
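The two allocation orders, sequential (legacy) and round-robin, modelled as an added Python example (not Junos code). The address ranges and port range are those of the napt pool above; the allocator is a deliberately simplified model that hands out one (address, port) pair per connection and keeps no per-source-address state and no port reuse, so it shows only the order in which the pool is consumed.

```python
"""NAPT address and port allocation order: sequential (legacy) vs. round-robin.

Added example modelling the two orders described above; not Junos code.
"""
import ipaddress
import itertools
from typing import Iterator, List, Tuple

# The four address ranges and the port range from the napt pool above.
POOL_RANGES = [("9.9.99.1", "9.9.99.3"), ("9.9.99.4", "9.9.99.6"),
               ("9.9.99.8", "9.9.99.10"), ("9.9.99.12", "9.9.99.13")]
PORT_RANGE = (3333, 3334)

Allocation = Tuple[str, int]


def expand_ranges(ranges) -> List[List[str]]:
    """Turn (low, high) pairs into one ordered list of addresses per range."""
    blocks = []
    for low, high in ranges:
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high))
        blocks.append([str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)])
    return blocks


def sequential_allocations(ranges, ports) -> Iterator[Allocation]:
    """Legacy order: use every port of an address, then the next address;
    a new range is entered only when the previous range has no ports left."""
    for block in expand_ranges(ranges):
        for addr in block:
            for port in range(ports[0], ports[1] + 1):
                yield (addr, port)


def round_robin_allocations(ranges, ports) -> Iterator[Allocation]:
    """address-allocation round-robin: one port from each address of a range,
    then each address of the next range; after the last range, wrap to the
    first range and continue with the next unused port."""
    blocks = expand_ranges(ranges)
    for port in range(ports[0], ports[1] + 1):
        for block in blocks:
            for addr in block:
                yield (addr, port)


def allocate(strategy, n: int) -> List[Allocation]:
    """First n allocations from a strategy; fewer when the pool is exhausted."""
    return list(itertools.islice(strategy(POOL_RANGES, PORT_RANGE), n))


def as_text(alloc: Allocation) -> str:
    """Render an allocation as address:port."""
    return "%s:%d" % alloc


if __name__ == "__main__":
    for name, strategy in (("sequential", sequential_allocations),
                           ("round-robin", round_robin_allocations)):
        print(name, [as_text(a) for a in allocate(strategy, 13)])
```

Running the block prints the first thirteen allocations of each order; the pool holds 11 addresses times 2 ports, so either order hands out 22 pairs before it is exhausted.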

Subscriber Access Management

Enhancement to the show services l2tp destination command
The show services l2tp destination command has been extended to display the lockout state of the destination from the L2TP access concentrator (LAC). A destination that is reachable is not locked. An unreachable destination is locked out. L2TP makes no further attempts to connect to this destination until the timeout period (300 seconds) expires, unless the unreachable destination is the only destination in the tunnel configuration list. In that case, L2TP ignores the lockout and continues trying to connect to the destination. [Subscriber Access]

Support for Diameter transport layer source address (MX Series 3D Universal Edge Routers)
You can now define transport layer connections to be used for establishing active connections to Diameter peers. Include the transport transport-name statement at the [edit diameter] hierarchy level. Then specify the source (local) address of the transport connection at the [edit diameter transport transport-name] hierarchy level. You can optionally configure a logical system or a routing instance, or both, for the connection. By default, Diameter uses the default logical system and master routing instance. The logical system and routing instance for the connection must match those for the peer; otherwise a configuration error is reported. When you configure Diameter peers, you can now specify the transport layer connection for establishing active connections to the peers. Include the transport transport-name statement at the [edit diameter peer peer-name connect-actively] hierarchy level. Multiple peers can share the same transport layer connection. You can display information about the transport connection by issuing the show diameter and show diameter peer detail commands. [Subscriber Access]

Redirecting HTTP redirect requests (MX Series routers)
Enables support for HTTP traffic requests from subscribers to be aggregated from access networks onto a BRAS router, where HTTP traffic can be intercepted and redirected to a captive portal. A captive portal provides authentication and authorization services for redirected subscribers before granting access to protected servers outside of a walled garden. A walled garden defines a group of servers to which subscribers are given access without reauthorization through a captive portal. You can use a captive portal page as the initial page a subscriber sees after logging in to a subscriber session and as a page used to receive and manage HTTP requests to unauthorized Web resources. An HTTP redirect remote server that resides in a walled garden behind Junos OS routers processes HTTP requests redirected to it and responds with a redirect URL to a captive portal. To configure HTTP redirect, include the captive-portal-content-delivery statement at the [edit services] hierarchy level. [Subscriber Access]

Filter support for service packet counting
You can count service packets, applying them to a specific named counter (__junos-dyn-service-counter), for use by RADIUS. To enable service packet accounting, specify the service-accounting action at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level. [Policy Framework, Subscriber Access]

Support for domain maps that apply configuration options based on subscriber domain names (MX Series and M Series routers)
You use domain maps to apply access options and session-specific parameters to subscribers whose domain name corresponds to the domain map name. You can also create a default domain map that the router uses for subscribers whose username does not include a domain name or has a non-matching domain name. Domain maps apply subscriber-related characteristics such as profiles (access, dynamic, and tunnel), target and AAA logical system mapping, address pool usage, and PADN routing information. You configure domain maps at the [edit access domain] hierarchy level. [Subscriber Access]

L2TP LAC support for subscriber management (MX Series routers)
You can now configure an L2TP access concentrator (LAC) on MPC-equipped MX Series routers. As part of the new L2TP LAC support, you can configure how the router selects a tunnel for a PPP subscriber from among a set of available tunnels.

The default tunnel selection method is to fail over between tunnel preference levels. When a PPP user tries to log in to a domain, the router attempts to connect to a destination in that domain by means of the associated tunnel with the highest preference level. If the destination is unreachable, the router moves to the next lower preference level and repeats the process. No configuration is required for this tunnel selection method.

You can include the fail-over-within-preference statement at the [edit services l2tp] hierarchy level to configure tunnel selection failover within a preference level. With this method, when the router tries to connect to a destination and is unsuccessful, it selects a new destination at the same preference level. If all destinations at a preference level are marked as unreachable, the router does not attempt to connect to a destination at that level; it drops to the next lower preference level to select a destination. If all destinations at all preference levels are marked as unreachable, the router chooses the destination that failed first and tries to make a connection. If that connection fails, the router rejects the PPP user session without attempting to contact the remote router.

By default, the router uses a round-robin selection process among tunnels at the same preference level. Include the weighted-load-balancing statement at the [edit services l2tp] hierarchy level to specify that the tunnel with the highest weight within a preference level is selected until its maximum sessions limit is reached. Then the tunnel with the next highest weight is selected until its limit is reached, and so on. The tunnel with the highest configured maximum sessions value has the greatest weight.

Another feature of L2TP LACs on MX Series routers is the ability to control whether the LAC sends the Calling Number AVP (AVP 22) to the LNS. The AVP value is derived from the Calling-Station-Id and identifies the interface that is connected to the customer in the access network. By default, the LAC includes this AVP in the ICRQ packets it sends to the LNS. In some networks you may want to conceal your network access information from the LNS. To prevent the LAC from sending the Calling Number AVP, include the disable-calling-number-avp statement at the [edit services l2tp] hierarchy level. [Subscriber Access]
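The three selection orders just described (failover between preference levels, fail-over-within-preference, and weighted-load-balancing), modelled as an added Python example that is not Junos code. The model assumes that a larger preference number is the more preferred level, stands in for a connect attempt with a per-tunnel reachable flag, and uses max-sessions as the weight, as the text states; it does not model the 300-second lockout of unreachable destinations or the exception for a single-destination list. The tunnel names and limits are constructed.

```python
"""Model of L2TP LAC tunnel selection. Added example, not Junos code.

Assumptions: larger preference number = more preferred level; reachability is
a flag standing in for the outcome of a connect attempt; weight = max-sessions.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Tunnel:
    name: str
    preference: int
    max_sessions: int
    reachable: bool = True            # simulated result of a connect attempt
    sessions: int = 0                 # sessions currently placed on this tunnel
    failed_at: Optional[int] = None   # tick at which the LAC marked it unreachable


class Lac:
    def __init__(self, tunnels: List[Tunnel],
                 fail_over_within_preference: bool = False,
                 weighted_load_balancing: bool = False):
        self.tunnels = tunnels
        self.fail_over_within_preference = fail_over_within_preference
        self.weighted_load_balancing = weighted_load_balancing
        self._cursor: Dict[int, int] = {}   # per-level round-robin position
        self._clock = itertools.count()     # orders failures so the first can be retried

    def _order(self, level: int) -> List[Tunnel]:
        """Destinations to try at one preference level, in selection order."""
        eligible = [t for t in self.tunnels
                    if t.preference == level and t.failed_at is None
                    and t.sessions < t.max_sessions]
        if not eligible:
            return []
        if self.weighted_load_balancing:
            # Highest weight (largest max-sessions) first; it keeps winning until full.
            return sorted(eligible, key=lambda t: t.max_sessions, reverse=True)
        start = self._cursor.get(level, 0) % len(eligible)
        self._cursor[level] = start + 1
        return eligible[start:] + eligible[:start]

    def _try(self, t: Tunnel) -> bool:
        """Simulated connect attempt: place the session or mark the destination unreachable."""
        if t.reachable:
            t.failed_at = None
            t.sessions += 1
            return True
        if t.failed_at is None:
            t.failed_at = next(self._clock)
        return False

    def select(self) -> Optional[Tunnel]:
        """Pick the tunnel for a new PPP session, or None when the session is rejected."""
        for level in sorted({t.preference for t in self.tunnels}, reverse=True):
            for t in self._order(level):
                if self._try(t):
                    return t
                if not self.fail_over_within_preference:
                    break   # default: one attempt per level, then drop to the next lower level
        # Every destination at every level is marked unreachable: retry the first that failed.
        failed = [t for t in self.tunnels if t.failed_at is not None]
        if failed:
            first = min(failed, key=lambda t: t.failed_at)
            if self._try(first):
                return first
        return None


def demo_lac(**options) -> Lac:
    """Constructed tunnel set: two tunnels at preference 2, one at preference 1."""
    return Lac([Tunnel("lns-a", 2, 2), Tunnel("lns-b", 2, 5), Tunnel("lns-c", 1, 10)],
               **options)


if __name__ == "__main__":
    lac = demo_lac(fail_over_within_preference=True)
    lac.tunnels[0].reachable = False
    chosen = lac.select()
    print("selected:", chosen.name if chosen else "session rejected")
```

The difference between the default and fail-over-within-preference is visible in select(): without the option a failed attempt at a level breaks out to the next lower level even when another destination at the same level is still untried.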

Support for dynamic interface sets (M120, M320, and MX Series routers)
Enables you to configure sets of subscriber interfaces in dynamic profiles. Interface sets are used to provide hierarchical scheduling. Previously, interface sets were supported only for interfaces configured in the static hierarchies. Supported subscriber interfaces include static and dynamic demux, static and dynamic PPPoE, and static and dynamic VLAN interfaces. To configure an interface set in a dynamic profile, include the interface-set interface-set-name statement at the [edit dynamic-profiles interfaces] hierarchy level. To add a subscriber interface to the set, include the interface interface-name unit logical-unit-number statement at the [edit dynamic-profiles interfaces interface-set interface-set-name] hierarchy level. You apply traffic shaping and scheduling parameters to the interface set by including the interface-set interface-set-name and output-traffic-control-profile profile-name statements at the static [edit class-of-service interfaces] hierarchy level.

A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set name, and includes a predefined variable, $junos-interface-set-name. The VSA is supported for RADIUS Access-Accept messages only; change of authorization (CoA) requests are not supported. [Subscriber Access]

Support for service session accounting statistics (MX Series routers)
You can now capture accounting statistics for subscriber service sessions. Subscriber management supports service session accounting based on service activation and deactivation, as well as interim accounting. Time-based accounting is supported for all service sessions. Time and volume-based accounting is supported for classic firewall filter and fast update firewall filter service sessions only. To provide volume service accounting, the well-known accounting counter junos-dyn-service-counter must also be configured for the classic firewall filter and fast update firewall filter service. You define the counter at the [edit firewall family family filter filter term term then] hierarchy level. The following VSAs (vendor ID 4874) are used for service accounting:

26-69 Service-Statistics
    Description: Enable or disable statistics for the service.
    Value: 0 = disable; 1 = enable time statistics; 2 = enable time and volume statistics

26-83 Acct-Service-Session
    Description: Name of the service.
    Value: string, service-name

26-140 Service-Interim-Acct-Interval
    Description: Amount of time between interim accounting updates for this service.
    Value: range 600 through 86400 seconds; 0 = disabled

[Subscriber Access]

Subscriber secure policy traffic mirroring supported for L2TP sessions on the LAC (MX Series routers)
The L2TP access concentrator (LAC) implementation supports RADIUS-initiated per-subscriber traffic mirroring. Both subscriber ingress traffic (from the subscriber into the tunnel) and subscriber egress traffic (from the tunnel to the subscriber) are mirrored at the (subscriber-facing) ingress interface on the LAC. The ingress traffic is mirrored after PPPoE decapsulation and before L2TP encapsulation. The egress traffic is mirrored after L2TP decapsulation. The mirrored packet includes the complete HDLC frame sent to the LNS. [Subscriber Access]

Support for static and dynamic CoS on L2TP LAC subscriber interfaces (M120, M320, and MX Series routers)
Enables you to configure static and dynamic CoS for L2TP access concentrator (LAC) tunnels that transport PPP subscribers at Layer 2 and Layer 3 of the network. IP and L2TP headers are added to packets arriving at the LAC from a subscriber before they are tunneled to the L2TP network server (LNS). Classifiers and rewrite rules enable you to properly transfer the type-of-service (ToS) value or the 802.1p value from the inner IP header to the outer IP header of the L2TP packet. For ingress tunnels, you configure fixed or behavior aggregate (BA) classifiers for the PPP interface or an underlying VLAN interface at Layer 2. You can configure Layer 3 classifiers for a family of PPP interfaces. Layer 2 and Layer 3 classifiers can coexist for a PPP subscriber. For example, to classify incoming packets for a PPP subscriber, include the classifier type classifier-name statement at the [edit class-of-service interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles class-of-service interfaces pp0 unit logical-unit-number] hierarchy level. On egress tunnels, you configure rewrite rules to set the ToS or 802.1p value of the outer header. For example, to configure a rewrite-rule definition for an interface with 802.1p encapsulation, include the rewrite-rule ieee-802.1 (rewrite-name | default) statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level or the [edit dynamic-profiles class-of-service interfaces pp0 unit logical-unit-number] hierarchy level. Rewrite rules are applied according to the forwarding class, packet loss priority (PLP), and code point. The proper transfer of the inner IP header to the outer IP header of the L2TP packet depends on the classifier and rewrite rule configurations.

The following table shows how the classifier and rewrite-rule values transfer from the inner IP header to the outer IP header. The inner IP header (ob001) is classified with assured-forwarding and low loss priority at the ingress interface. Based on the assured-forwarding class and low loss priority in the rewrite rule, the outer IP header is set to ob001 at the egress interface.

Inner IP Header   Forwarding Class     Loss Priority   Code Point   Outer IP Header
ob001             assured-forwarding   low             001          ob001

[Subscriber Access, Class of Service]

L2TP tunnel profiles and AAA support for tunnels in subscriber management (MX Series routers)
You can configure a set of attributes to define an L2TP tunnel for PPP subscribers. More than one tunnel can be defined for a tunnel profile. Tunnel profiles are applied by a domain map before RADIUS authentication. When the RADIUS Tunnel-Group VSA [26-64] is specified in the RADIUS login, the RADIUS tunnel profile (group) overrides a tunnel profile specified by the domain map. The tunnel is then configured according to RADIUS tunnel attributes and VSAs.

To configure a tunnel profile, include the tunnel-profile profile-name statement at the [edit access] hierarchy level. To define a tunnel for a profile, include the tunnel tunnel-id statement at the [edit access tunnel-profile profile-name] hierarchy level. Define the attributes of the tunnel at the [edit access tunnel-profile profile-name tunnel tunnel-id] hierarchy level. You must configure a preference for the tunnel and the IP address of the LNS tunnel endpoint; all other attributes are optional. Include the preference number statement to configure the preference. Include the remote-gateway address server-ip-address statement to configure the LNS address. You can optionally configure the remaining tunnel attributes. Include the remote-gateway name server-name statement to configure the LNS hostname. Include the source-gateway address client-ip-address statement and the source-gateway name client-name statement to configure the local (LAC) tunnel endpoint. Although you can configure a medium type (medium type) and protocol type (tunnel tunnel-type) for the tunnel, only the default values of ipv4 and l2tp are supported in this release. Include the identification name statement to configure an assignment ID for the tunnel. Include the max-sessions number statement to configure the maximum number of sessions permitted for the tunnel. Include the secret password statement to configure a cleartext password for authentication by the remote tunnel endpoint (LNS). Finally, you can configure a logical system and routing instance for the tunnel by including the logical-system logical-system-name and routing-instance routing-instance-name statements. The following table shows the RADIUS attributes that are now supported for defining a tunnel.

64 Tunnel-Type
    The tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol already in use (in the case of a tunnel terminator). Only L2TP tunnels are currently supported.

65 Tunnel-Medium-Type
    Transport medium to use when creating a tunnel for protocols that can operate over multiple transports. Only IPv4 is currently supported.

66 Tunnel-Client-Endpoint
    Address of the initiator end of the tunnel.

67 Tunnel-Server-Endpoint
    Address of the server end of the tunnel.

69 Tunnel-Password
    Password used to authenticate to a remote server.

82 Tunnel-Assignment-Id
    Indicates to the tunnel initiator the particular tunnel to which a session is assigned.

83 Tunnel-Preference
    If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel. Included in the Tunnel-Link-Start, Tunnel-Link-Reject, and Tunnel-Link-Stop packets (LAC only).

90 Tunnel-Client-Auth-Id
    Name used by the tunnel initiator during the authentication phase of tunnel establishment.

91 Tunnel-Server-Auth-Id
    Name used by the tunnel terminator during the authentication phase of tunnel establishment.

The following table shows the RADIUS VSAs that are now supported for defining a tunnel.

26-8 Tunnel-Virtual-Router
    Description: Virtual router name for tunnel connection.
    Value: string, tunnel-virtual-router

26-9 Tunnel-Password
    Description: Tunnel password in clear text.
    Value: string, tunnel-password

26-33 Tunnel-Max-Sessions
    Description: Maximum number of sessions allowed in a tunnel.
    Value: integer, 4-octet

26-64 Tunnel-Group
    Description: Name of the tunnel group (profile) assigned to a domain map.
    Value: string, tunnel-group-name

[Subscriber Access]

Dynamic reconfiguration of extended DHCPv6 local server clients (MX Series routers)
You can enable dynamic reconfiguration of DHCPv6 clients so that the extended DHCPv6 local server can initiate a client update without waiting for the client to initiate a request. In subscriber management scenarios, a client may need to be quickly updated with its network address and configuration in the event of server changes, such as a restructuring of the service provider's addressing scheme or a change in the local server IP addresses that were provided to the clients. Include the reconfigure statement to enable dynamic reconfiguration with default values for all DHCPv6 clients at the [edit system services dhcp-local-server dhcpv6] hierarchy level, and for DHCPv6 clients serviced by a specified group of interfaces at the [edit system services dhcp-local-server dhcpv6 group group-name] hierarchy level. Optional statements enable you to modify the default reconfiguration values: the number of reconfiguration attempts, the interval between the first and second attempts, what happens to the client if all reconfiguration attempts fail, what happens to the client in the event of a RADIUS-initiated disconnect, whether to bind clients that do not support reconfiguration, and whether to send an authentication token. Issue the request dhcpv6 server reconfigure command to initiate reconfiguration. Use the show dhcpv6 server binding and show dhcpv6 server statistics commands to monitor client-server interactions. [Subscriber Access]

Support for Ascend data filters (RADIUS attribute 242) in subscriber firewall filters (MX Series routers): You can now configure subscriber management to use Ascend data filters (ADFs) to create and apply firewall filters to subscriber traffic. The ADF creates a rule that specifies match conditions on the source and destination IP address, the protocol, and the source and destination port, and also specifies the action to perform (such as accept or discard). The ADF rule also specifies the filter direction, and can optionally provide traffic class and policer information. The router supports ADF rules for family types inet and inet6. Subscriber management uses dynamic profiles to obtain the ADF rules from the RADIUS server. You can use the new Junos OS predefined variables ($junos-adf-rule-v4 for family inet and $junos-adf-rule-v6 for inet6) to map ADF rules to Junos OS functionality, or you can statically create ADF rules. To configure ADF support, use the following stanza at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family family] hierarchy level:

filter {
    adf {
        counter;
        input-precedence precedence;
        output-precedence precedence;
        rule rule-value;
    }
}

[Subscriber Access, System Basics and Services Command Reference]

Per-interface DHCP tracing operations (MX Series routers): In addition to the existing global DHCP tracing operation, you can now trace DHCP operations for a specific interface or a range of interfaces. Configuring interface-based tracing is a two-step procedure. First, configure the tracing options that you want to use, such as the file used for the trace operation and the trace flags. Second, enable the tracing operation on the specific interface or range of interfaces.

To configure the per-interface tracing options, use the interface-traceoptions statement at the [edit system services dhcp-local-server] hierarchy level for the DHCP local server or at the [edit forwarding-options dhcp-relay] hierarchy level for the DHCP relay agent. To enable tracing on an interface or interface range, use the trace statement at the [edit system services dhcp-local-server group group-name interface interface-name] hierarchy level for the DHCP local server, or at the [edit forwarding-options dhcp-relay group group-name interface interface-name] hierarchy level for the DHCP relay agent. You can also enable tracing for DHCPv6 at the [edit system services dhcp-local-server dhcpv6 group group-name interface interface-name] hierarchy level. [Subscriber Access]

Automatic binding of stray DHCP requests (MX Series routers): The default behavior has changed for handling DHCP requests that are received but which have no entry in the database (stray requests). Beginning with Junos OS Release 10.4, automatic binding of stray requests is enabled by default. In Junos OS Release 10.3 and earlier releases, automatic binding of stray requests is disabled by default. By default, DHCP relay and DHCP relay proxy now attempt to bind the requesting client by creating a database entry and forwarding the request to the DHCP server. If the server responds with an ACK, the client is bound and the ACK is forwarded to the client. If the server responds with a NAK, the database entry is deleted and the NAK is forwarded to the client. This behavior occurs regardless of whether authentication is configured. In Junos OS Release 10.3 and earlier releases, DHCP relay drops stray requests and forwards a NAK to the client when authentication is configured. Otherwise, DHCP relay attempts to bind the requesting client. In those releases, DHCP relay proxy always drops stray requests and forwards a NAK to the client, regardless of the authentication configuration. You can override the new default configuration to cause DHCP relay and DHCP relay proxy to drop all stray requests instead of attempting to bind the clients. To disable automatic binding behavior globally, include the no-bind-on-request statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level. To disable automatic binding behavior for a group, include the statement at the [edit forwarding-options dhcp-relay overrides group group-name] hierarchy level. To disable automatic binding behavior for a specific interface in a group, include the statement at the [edit forwarding-options dhcp-relay overrides group group-name interface interface-name] hierarchy level. [Subscriber Access]

Support for VPLS Layer 2 wholesale configuration in a subscriber access network: Enables you to configure Layer 2 wholesaling within a subscriber access network. Wholesale access is the process by which an access network provider (wholesaler) partitions the access network into separately manageable and accountable subscriber segments for resale to other network providers. An access network provider may elect to wholesale all or part of its network to one or more service providers (retailers).

NOTE: In Junos OS Release 10.4, Layer 2 wholesaling supports the use of only the default logical system using multiple routing instances.


The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale solution in many ways. However, when configuring the Juniper Networks Layer 2 wholesale solution, keep the following in mind:

No Layer 3 components (address assignment, Layer 3 interfaces, and so on) are involved.
S-VLANs must be unique across all Gigabit Ethernet or aggregated Ethernet interfaces in the entire network (not just unique to one router).
Layer 2 wholesale supports only CoA disconnect and variable modification; CoA service activation is not supported.

NOTE: For general information about configuring dynamic wholesale for your subscriber access network, see the Broadband Subscriber Management Solutions Guide.

To configure Layer 2 wholesale for a subscriber access network:

1. Configure a VLAN dynamic profile. See the Subscriber Access Configuration Guide for details.

2. Include the routing-instances statement along with the $junos-routing-instance dynamic variable at the [edit dynamic-profiles profile-name interface $junos-interface-name] hierarchy level.

3. Include the interfaces statement along with the $junos-interface-name dynamic variable at the [edit dynamic-profiles profile-name interface $junos-interface-name routing-instances $junos-routing-instance] hierarchy level.

4. Include the interfaces statement along with the $junos-interface-ifd-name dynamic variable at the [edit dynamic-profiles profile-name] hierarchy level.

5. Include the unit statement along with the $junos-interface-unit dynamic variable at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name] hierarchy level.

6. (Optional) Include the encapsulation statement at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level and specify the unit encapsulation as vlan-vpls or vlan-ccc.

NOTE: If you choose not to specify an encapsulation for the logical interface, you must specify encapsulation for the physical interface.

7. Include the vlan-tags statement and define the outer VLAN tag using the $junos-stacked-vlan-id dynamic variable and the inner VLAN tag using the $junos-vlan-id dynamic variable at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.

8. Include the input-vlan-map statement at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level and define the map settings as follows:

NOTE: You configure the input-vlan-map statement only when there is a need to either push an outer tag on a single-tagged subscriber packet or modify the outer tag in a subscriber dual-tagged packet.

   a. Specify the action that you want the input VLAN map to take. See the Network Interfaces Configuration Guide for details on how to configure input-vlan-map statement options.
   b. Include the vlan-id statement along with the $junos-vlan-map-id dynamic variable.

9. Include the output-vlan-map statement at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level and specify the action that you want the output VLAN map to take. See the Network Interfaces Configuration Guide for details on how to configure output-vlan-map statement options.

NOTE: You configure the output-vlan-map statement only when there is a need to either pop or modify the outer tag found in a dual-tagged packet meant for the subscriber.

10. Specify the unit family as vpls at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name unit $junos-interface-unit family] hierarchy level.

11. Include the flexible-vlan-tagging statement for any interfaces you plan to use at the [edit interfaces interface-name] hierarchy level.

12. Include the encapsulation statement for any interfaces you plan to use at the [edit interfaces interface-name] hierarchy level and specify the encapsulation as follows:

   Use the vlan-vpls or flexible-ethernet-services option if you specified the vlan-vpls option for the encapsulation statement at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.

   NOTE: Using the vlan-vpls encapsulation option in both the dynamic profile and when configuring the physical interface limits the VLAN ID value to a number greater than or equal to 512. Using the flexible-ethernet-services encapsulation option does not result in a limitation to the VLAN ID value.

   Use the flexible-ethernet-services option if you plan to configure logical interfaces with different encapsulations at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.

   NOTE: This encapsulation type does not have a VLAN ID limitation.

   Use the extended-vlan-vpls option if you chose not to specify an option for the encapsulation statement at the [edit dynamic-profiles profile-name interface $junos-interface-ifd-name unit $junos-interface-unit] hierarchy level.

   NOTE: This encapsulation type can support multiple TPIDs and does not have a VLAN ID limitation.

13. Specify the vpls option for the instance-type statement for any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.

14. Include the qualified-bum-pruning-mode statement in any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.

15. Specify the permanent option for the connectivity-type statement at the [edit routing-instances instance-name protocols vpls] hierarchy level to ensure that the routing instance (pseudowire) remains operational.

16. Configure the VLAN interfaces to use the dynamic profile. See the Subscriber Access Configuration Guide for details.

17. Define access to your RADIUS server and specify the access profile at the [edit access] hierarchy level.
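The following configuration puts the statements from the procedure above together in one place. It is an added illustration, not a configuration from the release notes or from Juniper's documentation; the profile name l2-wholesale-profile, the physical interface ge-1/0/0, the retailer instance name retailer-a, and the choice of swap as the VLAN map action are assumptions.

```junos
/* Added example, not from the release notes. Profile, interface and
   instance names are assumed; the $junos-* variables are the dynamic
   variables named in the procedure and are filled in per subscriber. */
dynamic-profiles {
    l2-wholesale-profile {
        routing-instances {
            "$junos-routing-instance" {
                /* Subscriber logical interface joins the retailer VPLS
                   instance that RADIUS selects for the subscriber. */
                interface "$junos-interface-name";
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    /* vlan-vpls here and on the physical interface would limit
                       VLAN IDs to 512 and above; the physical interface below
                       uses flexible-ethernet-services to avoid that limit. */
                    encapsulation vlan-vpls;
                    /* Outer S-VLAN and inner C-VLAN tags supplied by RADIUS. */
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    /* Rewrite the outer tag of dual-tagged subscriber packets
                       on ingress (swap is the assumed action). */
                    input-vlan-map {
                        swap;
                        vlan-id "$junos-vlan-map-id";
                    }
                    /* Restore the outer tag toward the subscriber on egress. */
                    output-vlan-map swap;
                    /* Layer 2 wholesale: no family inet or inet6 on the unit. */
                    family vpls;
                }
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        /* Physical interface carrying the wholesale subscribers. */
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
    }
}
routing-instances {
    retailer-a {
        /* One VPLS instance per retailer; BUM pruning limits flooding. */
        instance-type vpls;
        qualified-bum-pruning-mode;
        protocols {
            vpls {
                /* Keep the pseudowire up even with no subscriber bound. */
                connectivity-type permanent;
                /* VPLS signaling (LDP or BGP) is deployment specific
                   and is not shown here. */
            }
        }
    }
}
```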

To view the logical system and routing instance for each subscriber, use the show subscriber operational command. [Subscriber Access]

System Logging

New and deprecated system log tags: The following system log messages are new in Junos OS Release 10.4:

ASP_SFW_DELETE_FLOW
CHASSISD_FM_FABRIC_DOWN
CHASSISD_FPC_FABRIC_DOWN_REBOOT
CHASSISD_FRU_INTEROP_UNSUPPORTED
CHASSISD_RE_CONSOLE_FE_STORM
RPD_AMT_CFG_ADDR_FMLY_INVALID
RPD_AMT_CFG_ANYCAST_INVALID
RPD_AMT_CFG_ANYCAST_MCAST
RPD_AMT_CFG_LOC_ADDR_INVALID
RPD_AMT_CFG_LOC_ADDR_MCAST
RPD_AMT_CFG_PREFIX_LEN_SHORT
RPD_AMT_CFG_RELAY_INVALID
RPD_BGP_CFG_ADDR_INVALID
RPD_BGP_CFG_LOCAL_ASNUM_WARN
RPD_CFG_TRACE_FILE_MISSING
RPD_LDP_GR_CFG_IGNORED
RPD_MC_CFG_FWDCACHE_CONFLICT
RPD_MC_CFG_PREFIX_LEN_SHORT
RPD_MSDP_CFG_SA_LIMITS_CONFLICT
RPD_MSDP_CFG_SRC_INVALID
RPD_MVPN_CFG_PREFIX_LEN_SHORT
RPD_PLCY_CFG_COMMUNITY_FAIL
RPD_PLCY_CFG_FWDCLASS_OVERRIDDEN
RPD_PLCY_CFG_IFALL_NOMATCH
RPD_PLCY_CFG_PARSE_GEN_FAIL
RPD_PLCY_CFG_PREFIX_LEN_SHORT
RPD_RSVP_COS_CFG_WARN
RPD_RT_INST_IMPORT_PLCY_WARNING
RPD_OSPF_IF_COST_CHANGE
RPD_OSPF_TOPO_IF_COST_CHANGE
RPD_VPLS_INTF_NOT_IN_SITE

[System Log]

Added interface information to BFD session up/down system log tags: Added peer address information for BFDD_TRAP_MHOP_STATE_DOWN and BFDD_TRAP_MHOP_STATE_UP. [System Log]

VPNs

Disable TTL propagation behavior for the routes in a VRF routing instance: Enables you to control TTL decrementing for individual VPNs. In prior releases, Junos OS enabled control of TTL behavior only at the router level for all LDP-signaled and all RSVP-signaled label-switched paths. With this feature, you can control the behavior on individual VPN routes. To configure, include the vrf-propagate-ttl or no-vrf-propagate-ttl statement at the [edit routing-instances instance-name] hierarchy level. The instance-specific behavior overrides the router behavior configured at the [edit protocols mpls] hierarchy level with the no-propagate-ttl statement. The show route extensive and show route detail commands display the TTL action for each VRF routing instance. [VPNs]

BGP autodiscovery for LDP VPLS (FEC 129): Enables you to use BGP autodiscovery to convey endpoint information, so you do not need to manually configure pseudowires. To configure a PE router to be a route reflector in the IBGP group, include the cluster statement at the [edit protocols bgp group group-name] hierarchy level. To allow the router to process autodiscovery network layer reachability information (NLRI) update messages for LDP-based Layer 2 VPN and VPLS update messages, include the auto-discovery-only statement at the [edit protocols bgp family family] hierarchy level. This enables the PE routers to automatically establish BGP sessions. You can configure this statement at the global, group, and neighbor levels for BGP. The auto-discovery-only statement must be configured on all PE routers in the VPLS. To specify a globally unique Layer 2 VPN community identifier for the instance, include the l2vpn-id statement at the [edit routing-instances instance-name] hierarchy level. This statement is configurable for routing instances of type vpls or l2vpn. [Network Interfaces Configuration]

Support for Layer 3 VPN composite next hops and a larger number of Layer 3 VPN labels on T Series routers: Layer 3 VPN composite next hops can now be enabled on T Series routers with Enhanced Scaling FPCs by including the l3vpn-composite-nexthop statement at the [edit routing-options] or [edit logical-systems logical-system-name routing-options] hierarchy level. This statement enables BGP to accept larger numbers of Layer 3 VPN BGP updates with unique inner VPN labels. Including the l3vpn-composite-nexthop statement in the configuration enhances scaling and convergence performance of PE routers participating in a Layer 3 VPN in a multivendor environment. Junos OS provides the memory-enhanced configuration statement to reallocate jtree memory for routes and Layer 3 VPNs. This statement has the following options:

route: Include this statement when you want to support larger routing tables (with more routes) over firewall filters. For example, you can enable this option when you want to support a large number of routes for Layer 3 VPNs implemented using MPLS. However, we recommend enabling this option only if you do not have a very large firewall configuration. To allocate more memory for routing tables, include the route statement at the [edit chassis memory-enhanced] hierarchy level:

[edit chassis memory-enhanced]
route;

vpn-label: Include this statement when you want to enhance memory to support a larger number of Layer 3 VPN labels accepted by the l3vpn-composite-nexthop statement. To allocate more memory for Layer 3 VPN labels, include the vpn-label statement at the [edit chassis memory-enhanced] hierarchy level:

[edit chassis memory-enhanced]
vpn-label;

NOTE: With Junos Release 10.4, the memory-enhanced route statement at the [edit chassis] hierarchy level replaces the route-memory-enhanced statement at the [edit chassis] hierarchy level. [VPNs, System Basics]

Egress protection LSPs: If there is a link or node failure in the core network, a protection mechanism such as MPLS fast reroute can be triggered on the transport LSPs between the PE routers to repair the connection within tens of milliseconds. An egress protection LSP addresses the case in which a link failure occurs at the edge of the network (for example, a link failure between a PE router and a CE device). To enable an egress protection LSP, you need to configure the following statements:

context-identifier: Specifies an IPv4 address used to define the pair of PE routers participating in the egress protection LSP. The context identifier is used to assign an identifier to the protector PE router. The identifier is propagated to the other PE routers participating in the network, making it possible for the protected egress PE router to signal the egress protection LSP to the protector PE router. Configure the context-identifier statement at the [edit protocols l2circuit neighbor neighbor-address interface interface-name egress-protection protector-pe] and the [edit protocols mpls egress-protection] hierarchy levels.

egress-protection: Configures the protector information for the protected Layer 2 circuit and also configures the protector Layer 2 circuit itself at the [edit protocols l2circuit] hierarchy level. Configures an LSP as an egress protection LSP at the [edit protocols mpls label-switched-path lsp-name] hierarchy level. It also configures the context identifier at the [edit protocols mpls] hierarchy level.

protected-l2circuit: Specifies which Layer 2 circuit is to be protected by the egress protection LSP. This statement includes the following substatements: ingress-pe, egress-pe, and virtual-circuit-id. These substatements specify the address of the PE router at the ingress of the Layer 2 circuit, the address of the PE router at the egress of the Layer 2 circuit, and the Layer 2 circuit's identifier, respectively. Configure the protected-l2circuit statement at the [edit protocols l2circuit neighbor address interface interface-name] hierarchy level.

protector-pe: Specifies the IPv4 address of the protector PE router. The protector PE router must have a connection to the same CE device as the protected PE router for the egress protection LSP to function. This statement includes the following substatements: context-identifier and lsp. The lsp statement specifies the LSP to be used as the actual egress protection LSP. Configure the protector-pe statement at the [edit protocols l2circuit neighbor neighbor-address interface interface-name egress-protection] hierarchy level. [VPNs]
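The two-router configuration below places each of the statements described above at its hierarchy level. It is an added illustration, not a configuration from the release notes or from Juniper's documentation; the loopback addresses (PE2 10.0.0.2 as Layer 2 circuit ingress, PE1 10.0.0.1 as the protected egress PE, PE3 10.0.0.3 as the protector), the context identifier 10.0.0.100, the interface names, the virtual circuit ID and the LSP name are all assumptions.

```junos
/* Added example, not from the release notes. All addresses, interface
   names, the virtual circuit ID and the LSP name are assumed.
   PE2 (10.0.0.2) is the ingress PE of a Layer 2 circuit whose egress
   PE1 (10.0.0.1) is protected by PE3 (10.0.0.3); PE1 and PE3 both
   connect to the same CE device. */

/* PE1, the protected egress PE */
protocols {
    mpls {
        label-switched-path pe1-to-pe3-egress-protect {
            to 10.0.0.3;
            /* Marks this LSP as the egress protection LSP to the protector. */
            egress-protection;
        }
    }
    l2circuit {
        neighbor 10.0.0.2 {
            interface ge-1/0/0.0 {
                virtual-circuit-id 100;
                egress-protection {
                    /* Protector address, shared context identifier, and the
                       LSP over which traffic is redirected on PE1-CE failure. */
                    protector-pe 10.0.0.3 {
                        context-identifier 10.0.0.100;
                        lsp pe1-to-pe3-egress-protect;
                    }
                }
            }
        }
    }
}

/* PE3, the protector PE */
protocols {
    mpls {
        egress-protection {
            /* Must match the context identifier configured on PE1. */
            context-identifier 10.0.0.100;
        }
    }
    l2circuit {
        neighbor 10.0.0.2 {
            interface ge-2/0/0.0 {
                virtual-circuit-id 100;
                /* Identifies the circuit PE3 takes over: same ingress PE,
                   PE1 as the protected egress, same virtual circuit ID. */
                protected-l2circuit {
                    ingress-pe 10.0.0.2;
                    egress-pe 10.0.0.1;
                    virtual-circuit-id 100;
                }
            }
        }
    }
}
```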

Local switching support for the ignore-encapsulation-mismatch statement: The ignore-encapsulation-mismatch statement has been extended to support local switching. You can now configure this statement at the [edit protocols l2circuit local-switching interface interface-name] hierarchy level. This statement allows a Layer 2 circuit to be established even though the encapsulation configured on the CE device interface does not match the encapsulation configured on the Layer 2 circuit interface. Local switching allows you to configure a Layer 2 circuit entirely on the local router, terminating the circuit on a local interface. [VPNs]

Related Documentation

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 44
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 58
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 136

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Class of Service

Changes to the output of the show interfaces queue command: Previously, the first value in the output of the show interfaces queue interface-name command reflected the max-queues-per-interface setting rather than the number of hardware-supported queues, as shown below:

Egress queues: 4 supported, 4 in use

That is, the first value indicated either the default or the value specified through the max-queues-per-interface statement. The first value now shows the number of hardware-supported queues and no longer changes when max-queues-per-interface changes. [Class of Service]


Forwarding and Sampling

ARP packet policing on TCC Ethernet interfaces: In Junos OS Release 10.4, ARP packet policing is effective on TCC Ethernet interfaces.

High CPU utilization of the DFWD process: You might notice high CPU utilization by the DFWD process if the interface lo0 is configured as part of interface group 0.

Bridge domain naming (Layer 2 platforms): You cannot include the slash mark (/) in a bridge domain name at the [edit bridge-domains bridge-domain-name] hierarchy level. [Layer 2]

Interfaces and Chassis

SFC and LCC Routing Engine (RE) name changes: The SFC Routing Engine name is changed from RE-TXP-SFC to RE-DUO-2600, and the LCC Routing Engine name is changed from RE-TXP-LCC to RE-DUO-1800. [Software Installation and Upgrade]

Enhancement to the show oam ethernet link-fault-management detail command: The output of the show oam ethernet link-fault-management detail command now includes the following two new fields: OAM total symbol error event information and OAM total frame error event information. These fields display the total number of errored symbols and errored frames, respectively, and are updated at every interval regardless of whether the threshold for sending event TLVs has been crossed. Previously, the show oam ethernet link-fault-management detail command displayed only the number of errored symbols reported in TLV events transmitted since the OAM layer was reset and the number of errored frames detected since the OAM layer was reset. [Interfaces Command Reference]

Enhancement to the show oam ethernet connectivity-fault-management commands: The output of the show oam ethernet connectivity-fault-management mep-statistics, show oam ethernet connectivity-fault-management interfaces, and show oam ethernet connectivity-fault-management mep-database commands includes the following three new fields: Out of sync 1DMs received, which displays the number of out-of-sync one-way delay measurement packets received; Valid DMMs received, which displays the number of valid two-way delay measurement request packets received; and Invalid DMMs received, which displays the number of invalid two-way delay measurement request packets received. [Interfaces Command Reference]

New command to clear ETH-DM delay statistics (MX Series routers): A new command, clear oam ethernet connectivity-fault-management delay-statistics, enables you to clear ITU-T Y.1731 Ethernet frame delay measurement (ETH-DM) delay statistics and ETH-DM frame counts. Use the maintenance-association maintenance-association-name and maintenance-domain maintenance-domain-name options to clear delay statistics and frame counts for specific maintenance associations and maintenance domains. You can also use the one-way and two-way options to clear only one-way delay statistics or two-way delay statistics, respectively. [Interfaces Command Reference]

Circuit Emulation (CE) interfaces firmware compatibility for ATM IMA on M7i, M10i, M40e, M120, and M320 routers: In Junos OS Release 10.0 and later releases, if the PIC's firmware is not compatible, a Firmware mismatch system log message is generated and the show interfaces command output reports the condition in the IMA Group state and IMA Link state fields.

NOTE: CE PICs require firmware version rom-ce-9.3.pbin or rom-ce-10.0.pbin for ATM IMA functionality on M7i, M10i, M40e, M120, and M320 routers with Junos OS Release 10.0R1 or later.

CE PICs manufactured with the 560-028081.pbin firmware will produce the following entry in /var/log/messages when Junos OS is upgraded to Release 10.0R1 or later releases:
Firmware mismatch. Need to upgrade PIC PROM Binary CPU firmware for IMA.

If you configure IMA with this combination of Junos OS and CE PIC firmware, the following entry will be seen.
Firmware error. Need to upgrade PIC PROM Binary CPU firmware for IMA.

The show interfaces ce-fpc/pic/port command output will show the following:

Physical link is Down
IMA Group state : NE: Firmware Error
IMA Link state : Line: Firmware Error

The customer must contact JTAC for a PIC firmware upgrade to proceed with IMA. [Interfaces Command Reference, System Log Messages Reference]

Support for configuring shaping overhead: Support for CLI-based configuration of shaping overhead has been added to the PD-5-10XGE-SFPP Type 4 PIC.

Set bandwidth value on aggregated Ethernet interfaces: You can now set the bandwidth value by using the bandwidth value statement at the [edit interfaces aggregate-interface unit number] hierarchy level. Additionally, the show interfaces aggregate-interface extensive and the show interfaces aggregate.logical-interface commands now show the bandwidth of the aggregate when it is configured. Also, the SNMP OID ifSpeed/ifHighSpeed of the aggregate logical interface shows the corresponding bandwidth when it is configured. When it is not configured, the command shows it as the sum of the bandwidths of the member links of the aggregate, as before.

Network interfaces show command output (All platforms): The output of the show interfaces detail/extensive command now adds a table that shows complete (not truncated) names of the forwarding classes associated with queues. [Network Interfaces]


Negotiate IP address option removed: The negotiate IP address option is no longer allowed in the MLFR and MFR encapsulations.

Hardware restrictions in the output of the show interfaces extensive command: When using the show interfaces extensive command with a 100-Gigabit Ethernet PIC, the Filter statistics section will not be displayed because the hardware does not include those counters.

New command to clear Link Aggregation Control Protocol statistics: A new command, clear lacp statistics, enables you to clear Link Aggregation Control Protocol (LACP) statistics. Use the interfaces option to clear interface statistics. You can also clear interface statistics for a specific interface only by using the interfaces interface-name option. [Interfaces Command Reference]

Change to the show interfaces aenumber extensive command: The output of the show interfaces aenumber extensive command no longer displays Link Aggregation Control Protocol (LACP) statistics. To display LACP statistics, use the show lacp statistics interfaces command. [Interfaces Command Reference]

Increase in unit numbering for demux0 and pp0 interfaces: The unit numbering for demux0 and pp0 interfaces has been increased to 1,073,741,823.

Support for Diffie-Hellman 2048-bit encryption: You can now configure Diffie-Hellman 2048-bit encryption (group14) for IPsec communications on Multiservices PICs. To use Diffie-Hellman 2048-bit encryption, include the dhgroup group14 statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level. To configure 2048-bit encryption for an IPsec policy, include the keys group14 option at the [edit services ipsec-vpn ipsec policy policy-name perfect-forward-secrecy] hierarchy level. [Services Interfaces]

show chassis environment cb command on MX80 routers: The show chassis environment cb command is now available for the MX80 routers.

Support for VLAN demux interfaces on the RE-1800 Routing Engines: VLAN demux interfaces are now supported on the following RE-1800 Routing Engines on MX240, MX480, and MX960 3D Universal Edge Routers:

RE-S-1800x2-8G
RE-S-1800x2-16G
RE-S-1800x4-8G
RE-S-1800x4-16G


Junos OS XML API and Scripting

The jcs:load-configuration template now accepts the $commit-options parameter: The jcs:load-configuration template, included in the import file junos.xsl, now accepts the $commit-options parameter to customize the commit operation. The parameter must be passed to the jcs:load-configuration template as a node-set. The default value for $commit-options is null. Supported options are:

check: Check the correctness of the candidate configuration syntax, but do not commit the changes.

force-synchronize: Force the commit on the other Routing Engine (ignore any warnings).

log: Write the specified message to the commit log. This is identical to the CLI configuration mode command commit comment.

synchronize: Synchronize the commit on both Routing Engines.

To specify commit options, include the desired options within the <commit-options> tag. Use the := operator to create a node-set and assign it to a variable. Pass this variable as the argument for the $commit-options parameter when you call the jcs:load-configuration template. For example, to commit the configuration with the synchronize and log options, use the following syntax for the node-set:

var $options := {
    <commit-options> {
        <synchronize>;
        <log> "synchronizing commit";
    }
}

[Configuration and Operations Automation Guide]

Junos XML management protocol support for the interface-ranges attribute of the <get-configuration> operation: By default, the Junos XML protocol operation <get-configuration> parallels the default behavior of the CLI configuration mode show command, which displays the [edit interfaces interface-range] hierarchy as a separate hierarchy in the configuration. To display the inherited tag elements of each interface range as children of the interface elements that are members of that range, a client application combines the interface-ranges="interface-ranges" attribute with the inherit="inherit" attribute in the <get-configuration> tag of a remote procedure call (RPC). If the inherit and interface-ranges attributes are included in the <get-configuration> tag and the client application requests Junos XML-tagged output (the format="xml" attribute is included or the format attribute is omitted), the Junos XML protocol server includes the junos:interface-range="source-interface-range" attribute in the opening tags of configuration elements that are inherited from an interface range. The attribute does not appear if the client application requests formatted ASCII output by including the format="text" attribute in the <get-configuration> tag.

[XML Management Protocol]

MPLS Application

Disable RSVP local revertive mode: Configure the no-local-reversion statement at the [edit protocols rsvp] hierarchy level to disable RSVP local revertive mode (local revertive mode as specified in RFC 4090, Fast Reroute Extensions to RSVP-TE for LSP). RSVP local revertive mode is supported on all Juniper Networks routers running the Junos OS software by default. If you configure the no-local-reversion statement, the Juniper Networks router uses global revertive mode instead. You might need to disable RSVP local revertive mode on Juniper Networks routers if your network includes equipment that does not support this mode. [MPLS]

Enhancement to the show mpls lsp extensive command: In Junos OS Release 10.3 and later, the show mpls lsp extensive command displays more detailed Constrained Shortest Path First (CSPF) messages. You can now see the reason(s) for the CSPF path computation and rejection. The following list shows some of the enhanced CSPF messages (depending on your network configuration, the type of messages you see might be different):

17 Aug 3 13:17:33.601 CSPF: computation result ignored, new path less avail bw[3 times]
16 Aug 3 13:02:51.283 CSPF: computation result ignored, new path no benefit[2 times]

[Routing Protocols and Policies Command Reference]

Enhancement to CSPF traceoptions: In Junos OS Release 10.3 and later, the Constrained Shortest Path First (CSPF) trace messages have been updated to provide more detailed information about CSPF path computation and rejection. You configure the CSPF traceoptions by including the cspf flag at the [edit protocols mpls traceoptions flag] hierarchy level. The following list shows some of the enhanced CSPF trace messages (depending on your network configuration, the type of messages you see might be different):

Aug 3 13:26:06.844628 New avail bw 0.91% 100.00% 100.00% 100.00% without rounding
Aug 3 13:26:06.844676 Old avail bw 0.91% 100.00% 100.00% 100.00% without rounding
Aug 3 13:26:06.844697 CSPF reoptimize: Avail bw gain on new path 0 (without rounding 0.00%)
Aug 3 13:26:06.844714 CSPF reoptimize: new path is safe but no benefit
Aug 3 13:26:06.844731 CSPF reoptimize: result rejected, new path no benefit
Aug 3 13:26:06.844765 mpls lsp blue-to-green primary CSPF: computation result ignored, new path no benefit

[MPLS]

Platform and Infrastructure

Enhancement to show interfaces command: The show interfaces command includes a new field, INET6 Address flags, that displays a flag for any IPv6 address that is in a state other than permanent or ready-to-use. [Interfaces Command Reference]

Routing Protocols

New community-count routing policy match condition for BGP routes: You can now configure the number of BGP community entries required for an incoming route to match. This allows you to accept BGP routes based on a specific number or range of BGP community entries. To configure the number of community entries, specify the from statement and include the community-count value (equal | orhigher | orlower) match condition statement at the following hierarchy levels:

[edit policy-options policy-statement policy-name term term-name]
[edit logical-systems logical-system-name policy-options policy-statement policy-name term term-name]

If you configure multiple community-count match condition statements, the matching is effectively a logical AND operation. The following example accepts BGP routes with two, three, or four communities. If a route contains three communities, it is considered a match and is accepted. If a route contains one community, it is not considered a match and is rejected.
[edit]
policy-options {
    policy-statement import-bgp {
        term community {
            from {
                community-count 2 orhigher;
                community-count 4 orlower;
            }
            then {
                accept;
            }
        }
    }
}

[Routing Policy]
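The logical-AND evaluation described above, as an added example that is not part of the release notes: it pulls the community-count conditions out of the term text and applies them to constructed sample routes (the prefixes and community values are made up).

```python
"""Evaluate community-count match conditions with logical-AND semantics.

Added example, not code from Junos OS or the release notes. The route and
community values below are constructed sample data.
"""
import re

_COUNT_RE = re.compile(r"community-count\s+(\d+)\s+(equal|orhigher|orlower)\s*;")


def parse_community_counts(term_text):
    """Return [(value, mode), ...] for every community-count statement in a term."""
    return [(int(v), m) for v, m in _COUNT_RE.findall(term_text)]


def condition_matches(value, mode, count):
    """Apply one community-count condition to a route's community count."""
    if mode == "equal":
        return count == value
    if mode == "orhigher":
        return count >= value
    if mode == "orlower":
        return count <= value
    raise ValueError("unknown community-count mode: %s" % mode)


def term_matches(conditions, communities):
    """All conditions must hold (logical AND); a term with no conditions matches all."""
    count = len(communities)
    return all(condition_matches(v, m, count) for v, m in conditions)


def apply_import_policy(term_text, routes, action="accept", default="reject"):
    """Return {prefix: action} for constructed routes.

    routes: {prefix: [community, ...]}. Matching routes get the term's
    action; the rest get the policy default (reject, as in the note).
    """
    conditions = parse_community_counts(term_text)
    return {
        prefix: (action if term_matches(conditions, comms) else default)
        for prefix, comms in routes.items()
    }


# The term shown in the release note, as configuration text.
IMPORT_BGP_TERM = """
term community {
    from {
        community-count 2 orhigher;
        community-count 4 orlower;
    }
    then {
        accept;
    }
}
"""

# Constructed sample routes carrying 1, 3 and 5 communities respectively.
SAMPLE_ROUTES = {
    "192.0.2.0/24": ["65000:10"],
    "198.51.100.0/24": ["65000:10", "65000:20", "65000:30"],
    "203.0.113.0/24": ["65000:%d" % i for i in range(5)],
}

if __name__ == "__main__":
    for prefix, verdict in apply_import_policy(IMPORT_BGP_TERM, SAMPLE_ROUTES).items():
        print(prefix, verdict)
```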

Enhancement to the PIM system log messages: The RPD_PIM_NBRDOWN and the RPD_PIM_NBRUP system log messages have been updated to include the name of the routing instance. This enhancement is also applicable to Junos OS Release 10.0R4, 10.1R4, 10.2R2, and 10.3R1. The following sample shows the enhanced PIM system log messages (depending on your network configuration, the type of messages you see might be different):
Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2 (so-0/1/3.0) removed due to: the interface is purged
Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2 interface so-0/1/3.0

[System Log Messages Reference]
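A parser for the enhanced message format above, as an added example that is not part of the release notes: it extracts the routing instance, neighbor, interface and (for NBRDOWN) the reason, and counts neighbor-down events per neighbor, which is the kind of check a monitoring job runs over the syslog stream. It assumes that messages lacking the "Instance ...:" field are otherwise identical; the sample lines beyond the two shown in the note are constructed.

```python
"""Parse RPD_PIM_NBRDOWN / RPD_PIM_NBRUP messages and count neighbor flaps.

Added example, not code from Junos OS. The vpn-a lines and the
"hold time expired" reason below are constructed sample data.
"""
import re
from collections import Counter

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)"
# The instance prefix is the 10.4 enhancement; it is optional here so
# that older-format lines (assumed identical otherwise) still parse.
_INST = r"(?:Instance (?P<instance>\S+?): )?"
NBRDOWN_RE = re.compile(
    _TS + r" RPD_PIM_NBRDOWN: " + _INST
    + r"PIM neighbor (?P<neighbor>\S+) \((?P<interface>[^)]+)\) removed due to: (?P<reason>.+)$"
)
NBRUP_RE = re.compile(
    _TS + r" RPD_PIM_NBRUP: " + _INST
    + r"PIM new neighbor (?P<neighbor>\S+) interface (?P<interface>\S+)$"
)


def parse_pim_event(line):
    """Return a dict describing the event, or None if the line is not a PIM neighbor event."""
    m = NBRDOWN_RE.match(line)
    if m:
        event = m.groupdict()
        event["event"] = "down"
        return event
    m = NBRUP_RE.match(line)
    if m:
        event = m.groupdict()
        event["event"] = "up"
        event["reason"] = None
        return event
    return None


def count_neighbor_downs(lines):
    """Count NBRDOWN events keyed by (instance, neighbor, interface).

    A neighbor with several downs in a short log window is worth a look:
    repeated adjacency loss affects multicast forwarding in that instance.
    """
    downs = Counter()
    for line in lines:
        ev = parse_pim_event(line)
        if ev and ev["event"] == "down":
            downs[(ev["instance"], ev["neighbor"], ev["interface"])] += 1
    return downs


SAMPLE_LOG = [
    # the two lines shown in the release note
    "Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2 interface so-0/1/3.0",
    "Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2 (so-0/1/3.0) removed due to: the interface is purged",
    # constructed: a second instance whose neighbor is lost twice
    "Jun 15 21:55:01.000001 RPD_PIM_NBRUP: Instance PIM.vpn-a: PIM new neighbor 10.0.0.2 interface ge-0/0/1.100",
    "Jun 15 21:55:09.000002 RPD_PIM_NBRDOWN: Instance PIM.vpn-a: PIM neighbor 10.0.0.2 (ge-0/0/1.100) removed due to: hold time expired",
    "Jun 15 21:56:30.000003 RPD_PIM_NBRDOWN: Instance PIM.vpn-a: PIM neighbor 10.0.0.2 (ge-0/0/1.100) removed due to: hold time expired",
    # constructed: an unrelated line that must be ignored
    "Jun 15 21:57:00.000004 UI_COMMIT: User 'admin' requested 'commit' operation",
]

if __name__ == "__main__":
    for key, n in count_neighbor_downs(SAMPLE_LOG).items():
        print(key, n)
```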

Services Applications

New configuration to avoid IDP traffic loss (M120, M320, MX240, MX480, and MX960 routers): When the Multiservices PIC or DPC configured for a service set is either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set would be dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit services service-set service-set-name service-set-options] hierarchy level and (for TCP traffic only) the ignore-errors tcp statement at the [edit interfaces interface-name services-options] hierarchy level. When you configure these statements, the affected packets are forwarded, in the event of a Multiservices PIC or DPC failure or offlining, as though interface-style services were not configured. This issue applies only to M120, M320, and MX Series routers. [Services Interfaces]

Enhancements to the show services pgcp statistics extensive command: Two new fields have been added to the output of the show services pgcp statistics extensive command: the number of Add commands received that have emergency status, and the number of inactivity notifications (it/ito) on the root termination. The following is a sample of the section of the output showing Add commands with emergency status:

Received Commands    Total   Wildcard   Success   Error
Add                  0       0          0         0
Add (emergency)      0       0          0         0
AuditValue           1       0          1         0
Modify               1       0          1         0
ServiceChange        0       0          0         0
Subtract             0       0          0         0

The following is a sample of the section of the output showing inactivity notifications on the root termination:
ROOT Notify          Total   Wildcard   Success   Error
ocp/mg_overloaded    0       0          0         0
it/ito               1404    0          1404      0

[Border Gateway Function (BGF), System Basics and Services Command Reference]

Support for softwire rules: The match direction output command is now supported for softwire rules. [Services Interfaces]

Summary option for the show services nat mapping command: You can now display summary statistics for Network Address Translation (NAT) mapping by using the show services nat mapping summary command. The following example shows the new output.

Total number of address mappings:                      500000
Total number of endpoint independent port mappings:    500000
Total number of endpoint independent filters:          0

[System Basics and Services Command Reference]

Command to manage the behavior for reserved ports allocation and port parity: Port allocation in a NAT pool can now be controlled with the preserve-parity and preserve-range commands. Preserve-parity allocates even ports for packets with even destination ports, and odd ports for packets with odd destination ports. Preserve-range allocates ports within a range of 0 through 1023 assuming the original packet contains a destination port in the reserved range. This behavior is applicable to control sessions and not to data sessions. [Services Interfaces]
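A model of the two allocation rules, as an added example that is not Juniper code: it shows how preserve-parity and preserve-range constrain the translated port for control sessions and are ignored for data sessions. The pool layout, the control-session flag and the choice never to hand out port 0 are assumptions made for this example; the sessions are constructed.

```python
"""Model of NAT port allocation with preserve-parity and preserve-range.

Added example, not Junos OS code. Assumptions: translated ports come from
1-1023 (the reserved range the note describes; port 0 is never allocated)
or 1024-65535, and the caller says whether a session is a control session.
"""

RESERVED_PORTS = range(1, 1024)
EPHEMERAL_PORTS = range(1024, 65536)


class NatPortPool:
    def __init__(self, preserve_parity=False, preserve_range=False):
        self.preserve_parity = preserve_parity
        self.preserve_range = preserve_range
        self.in_use = set()

    def _candidates(self, orig_port, control):
        """Yield eligible translated ports for this session, in allocation order."""
        # Both options apply to control sessions only; a data session always
        # takes any free port from the ephemeral range.
        use_range = control and self.preserve_range and 0 <= orig_port <= 1023
        ports = RESERVED_PORTS if use_range else EPHEMERAL_PORTS
        keep_parity = control and self.preserve_parity
        for p in ports:
            if keep_parity and p % 2 != orig_port % 2:
                continue
            yield p

    def allocate(self, orig_port, control=True):
        """Return a translated port for a packet whose original port is orig_port."""
        if not 0 <= orig_port <= 65535:
            raise ValueError("invalid port %d" % orig_port)
        for p in self._candidates(orig_port, control):
            if p not in self.in_use:
                self.in_use.add(p)
                return p
        raise RuntimeError("no free port for original port %d" % orig_port)

    def release(self, port):
        """Return a translated port to the pool."""
        self.in_use.discard(port)


def demo():
    """Allocate constructed sessions from one pool with both options enabled."""
    pool = NatPortPool(preserve_parity=True, preserve_range=True)
    return {
        "dns-53": pool.allocate(53),        # odd, reserved -> odd port below 1024
        "http-80": pool.allocate(80),       # even, reserved -> even port below 1024
        "app-5000": pool.allocate(5000),    # even, not reserved -> even port >= 1024
        "data-5001": pool.allocate(5001, control=False),  # data session: options ignored
    }


if __name__ == "__main__":
    print(demo())
```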

Increase in address-only source dynamic pool addresses: The number of address ranges in a NAT pool has increased to 32. The total number of addresses in an address-only source dynamic NAT has increased to 16,777,216. [Services Interfaces]

Border Gateway Function (BGF) apply implicit latching on TCP gates when the gate is created. By default, latching of gates is done by explicit latch requests. You can configure implicit latching of gates by entering the set implicit-tcp-latch and set implicit-tcp-source-filter configuration statements at the [edit services pgcp gateway gateway-name h248-options] hierarchy level. The new configuration statements result in the following actions:

implicit-tcp-latch: If explicit latching has been applied (using ipnapt/latch) on either gate of a gate pair, implicit latching is not applied. If explicit latching has not been applied on either gate:

Latching is applied to both gates of the gate pair.
When either of the gates latches, latching is automatically disabled on the other gate.

implicit-tcp-source-filter: Applies source address (but not source port) filtering on incoming packets, using the current remote destination address, under the following conditions:

Explicit source filtering has not been applied by use of gm/saf.
Explicit latching has not been applied by use of ipnapt/latch.

[Border Gateway Function (BGF), Services Interfaces]

Software Installation and Upgrade

Repartitioning system storage to increase the swap partition (M Series, MX Series, and T Series Routers): In Junos OS Release 10.4 and later, you can increase the size of the swap partition by repartitioning the drive (hard drive or SSD) on the Routing Engine. In earlier Junos OS releases, the swap partition is not increased by the methods described here. This behavior applies only to Routing Engines with more than 2 GB of RAM. The new size of the swap partition depends on the size of the drive and the amount of Routing Engine RAM.

When the drive is 32 GB or less, the swap partition is limited to 8 GB.
When the drive is larger than 32 GB, the swap partition matches the size of the Routing Engine RAM.

To repartition the drive, perform one of the following actions:

During the installation of a Junos OS software package (jinstall*), issue the request system reboot media disk command to boot from the drive instead of issuing the request system reboot command. The drive is automatically repartitioned. The request system reboot media disk command repartitions the drive only during a software upgrade.
Manually partition the drive by issuing the request system partition hard-disk command, and then reboot the router when the command completes.

CAUTION: Repartitioning the drive re-creates the /config and /var directories in the router file system. Although the contents of /config and /var/db are preserved, the remaining contents of /var are lost. For this reason, we recommend that you back up the /var directory before you repartition the SSD on a router with this configuration.

[Installation and Upgrade]

Subscriber Access Management

Modification to the interface-description-format statement: The interface-description-format statement has been modified for Junos OS Release 10.4. As in previous releases, the router includes both the adapter and subinterface as part of the interface description by default. You can now optionally exclude either or both the adapter and subinterface from the description. [Subscriber Access]

Modification to the show pppoe interfaces command (M120, M320, MX Series, and J Series routers): In Junos OS Release 9.5 and later, the extensive option for the show pppoe interfaces command is supported only for J Series routers, which can be configured as Point-to-Point Protocol over Ethernet (PPPoE) clients. The show pppoe interfaces command no longer supports the extensive option for M120, M320, and MX Series routers in Junos OS Release 9.5 and later. When an M120, M320, or MX Series router is configured as an access concentrator server, the statistics for the PPPoE server interfaces do not increment. As a result, when you issue the show pppoe interfaces extensive command on an M120, M320, or MX Series router, the statistics are always displayed as zeros. [Interfaces Command Reference]

Enhancement to the clear pppoe statistics command (M120, M320, MX Series, and J Series routers): The clear pppoe statistics command includes a new option, underlying-interface-name, for M120, M320, and MX Series routers in Junos OS Release 9.5 and later. The option enables you to reset the statistics of the underlying PPPoE interface for static and dynamic PPPoE interfaces. In Junos OS Release 9.5 and later, the interface interface-name option for the clear pppoe statistics command is supported only for J Series routers. The clear pppoe statistics command no longer supports the interface interface-name option for the M120, M320, and MX Series routers in Junos OS Release 9.5 and later. [Interfaces Command Reference]

Support for DSL Forum VSAs (MX Series routers): Digital Subscriber Line (DSL) attributes are RADIUS VSAs that are defined by the DSL Forum. The attributes transport DSL information that is not supported by standard RADIUS attributes and convey information about the associated DSL subscriber and data rate. The attributes are defined in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes. Junos OS uses the vendor ID 3561, which is assigned by the Internet Assigned Numbers Authority (IANA), for the DSL Forum VSAs. Subscriber management supports DSL Forum VSAs in pass-through mode. In pass-through mode, the router does not process DSL values, but rather passes the values received from the subscriber to the RADIUS server, without performing any parsing or manipulation. [Subscriber Access]

Required pppoe-options subhierarchy for configuring static and dynamic PPPoE interfaces (M120, M320, and MX Series routers): When you configure a static or dynamic pp0 (PPPoE) logical interface, you must include the pppoe-options subhierarchy in the configuration. Failure to include the pppoe-options subhierarchy causes the commit operation to fail. This requirement is in effect for configuration of static PPPoE logical interfaces as of Junos OS Release 10.2 and later, and has always been in effect for configuration of dynamic PPPoE subscriber interfaces in a PPPoE dynamic profile. For example, the following configuration now causes the commit operation to fail for both static and dynamic PPPoE logical interfaces:

pp0 {
    unit 0 {
    }
}

To configure a static PPPoE logical interface in Junos OS Release 10.2 and higher-numbered releases, you must include the pppoe-options subhierarchy at the [edit interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit logical-systems logical-system-name interfaces pp0 unit logical-unit-number] hierarchy level. At a minimum, the pppoe-options subhierarchy must include the name of the PPPoE underlying interface and the server statement, which configures the router to act as a PPPoE server. For example:

[edit interfaces]
...
pp0 {
    unit 0 {
        pppoe-options {
            underlying-interface ge-1/0/0.0;
            server;
        }
        ...
    }
}

To configure a dynamic PPPoE subscriber interface in a PPPoE dynamic profile, you must include the pppoe-options subhierarchy at the [edit dynamic-profiles profile-name interfaces pp0 unit $junos-interface-unit] hierarchy level. At a minimum, the pppoe-options subhierarchy must include the name of the underlying Ethernet interface, represented by the $junos-underlying-interface predefined dynamic variable, and the server statement. For example:

[edit]
dynamic-profiles {
    pppoe-profile {
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    ...
                }
            }
        }
    }
}

[Network Interfaces, Subscriber Access]

Subscriber access statistics: RADIUS reports subscriber statistics as an aggregate of both IPv4 statistics and IPv6 statistics.

For an IPv4-only configuration, the standard RADIUS attributes report the IPv4 statistics and the IPv6 VSA results are all reported as 0. For an IPv6-only configuration, the standard RADIUS attributes and the IPv6 VSA statistics are identical, both reporting the IPv6 statistics. When both IPv4 and IPv6 are configured, the standard RADIUS attributes report the combined IPv4 and IPv6 statistics. The IPv6 VSAs report IPv6 statistics.

[Subscriber Access]

Change to operation of RADIUS attribute Framed-IPv6-Prefix [97] (M120, M320, MX Series routers): The operation of the standard RADIUS attribute Framed-IPv6-Prefix [97] has been modified in Junos OS Release 10.4 and later. In these releases, the Framed-IPv6-Prefix attribute communicates the router advertisement prefix from RADIUS to the network access server (NAS). In Junos OS Release 10.3 and earlier, the Framed-IPv6-Prefix attribute communicated the DHCPv6 delegated prefix from RADIUS to the NAS. [Subscriber Access]

Change to the output of the show network-access aaa subscribers command: The output of the show network-access aaa subscribers command now displays the name of the routing instance that the subscriber is in. In previous Junos OS releases, the output displayed the name of the routing instance in which the subscriber came in on. [Subscriber Access]

User Interface and Configuration

Change in the commit | display detail option: If the number of commit messages exceeds a page when the commit command is used with the | display detail pipe option, the more pagination option on the screen is no longer available. Instead, the messages roll up on the screen by default, just like using the commit command with the | no-more pipe option. [CLI User Guide]

New configuration statement to configure retry attempts for checking the keepalive status of a Point-to-Point Protocol (PPP) session: Junos OS introduces the keepalive-retries number-of-retries statement at the [edit access profile profile-name client client-name ppp] hierarchy level. Include this statement in the configuration to reduce the detection time for PPP client session timeouts or failures if you have configured the keepalive timeout interval (using the keepalive statement). [System Basics]

New configuration statement to enable the processing of IPv4-mapped IPv6 addresses: Junos OS introduces the allow-v4mapped-packets configuration statement at the [edit system] hierarchy level. By default, the Junos OS disables the processing of IPv4-mapped IPv6 packets to protect against malicious packets from entering the network. To enable the processing of such IPv4-mapped IPv6 packets, include the allow-v4mapped-packets statement in the CLI configuration. [System Basics]
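What an IPv4-mapped IPv6 address looks like and why the default deny matters, as an added example that is not part of the release notes: the helper classifies observed source addresses, extracts the IPv4 address embedded in ::ffff:a.b.c.d forms, and checks it against an IPv4 block list, which is how a review of flow or firewall logs can reveal traffic an inet-only filter would never have matched. The records and the block list are constructed sample data.

```python
"""Spot IPv4-mapped IPv6 addresses in observed traffic records.

Added example, not Junos OS code. SAMPLE_RECORDS and BLOCKED_V4 are
constructed for this example.
"""
import ipaddress


def classify(text):
    """Return (kind, embedded_ipv4_or_None) for one address string."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return ("invalid", None)
    if addr.version == 4:
        return ("ipv4", None)
    mapped = addr.ipv4_mapped          # IPv4Address for ::ffff:a.b.c.d, else None
    if mapped is not None:
        return ("ipv4-mapped", str(mapped))
    return ("ipv6", None)


def embedded_v4_hits(records, blocked_v4):
    """Return records whose IPv4-mapped source embeds an address in blocked_v4.

    records: iterable of (src, dst) strings; blocked_v4: IPv4 networks.
    Each hit is (src, dst, embedded_ipv4, matching_network).
    """
    hits = []
    for src, dst in records:
        kind, embedded = classify(src)
        if kind != "ipv4-mapped":
            continue
        v4 = ipaddress.IPv4Address(embedded)
        for net in blocked_v4:
            if v4 in net:
                hits.append((src, dst, embedded, str(net)))
                break
    return hits


# Constructed IPv4 block list (documentation ranges used as stand-ins).
BLOCKED_V4 = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed records: plain IPv6, plain IPv4, and two IPv4-mapped sources,
# one in dotted form and one in pure hex form (same address family).
SAMPLE_RECORDS = [
    ("2001:db8::10", "2001:db8::1"),
    ("198.51.100.7", "203.0.113.9"),
    ("::ffff:192.0.2.10", "2001:db8::1"),
    ("::ffff:c633:6401", "2001:db8::1"),   # hex spelling of ::ffff:198.51.100.1
]

if __name__ == "__main__":
    for src, _ in SAMPLE_RECORDS:
        print(src, classify(src))
    print(embedded_v4_hits(SAMPLE_RECORDS, BLOCKED_V4))
```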

New option introduced for the show | display inheritance operational mode command: Junos OS now provides the no-comments option for the show | display inheritance command. This option enables you to view CLI configuration details without inline comments marked with ##. [CLI User Guide]

Enhancement to the show chassis sibs command: The show chassis sibs command now displays an appropriate reason when a SIB transitions to the Offline state. For instance, if the SIB is taken offline using the request chassis sib command, the show chassis sibs command generates the following output: --- Offlined by cli command ---. [System Basics and Services Command Reference]

New option for the ping mpls l2vpn and ping mpls l2circuit commands: The ping mpls l2vpn and ping mpls l2circuit commands provide a new option, reply-mode, that enables you to specify the reply mode for the ping request. The reply-mode option provides the application-level-control-channel, ip-udp, and no-reply options. [System Basics and Services Command Reference]

Enhancement to the output of the show chassis hardware detail command: The show chassis hardware detail command now displays DIMM information for the following Routing Engines:

Table 2: Routing Engines Displaying DIMM Information

Routing Engines                 Routers
RE-S-1800x2 and RE-S-1800x4     MX240, MX480, and MX960 routers
RE-A-1800x2                     M120 and M320 routers

[System Basics and Services Command Reference]

Enhancement to the show chassis fpc command: The show chassis fpc command now displays accurate temperature readings for the FPC. [System Basics and Services Command Reference]

VPNs

SCU support for VRF routing instances with vrf-table-label configured: You can now configure source class usage (SCU) to count packets on Layer 3 VPNs configured with the vrf-table-label statement. Include the source-class-usage statement at the [edit routing-instances routing-instance-name vrf-table-label] hierarchy level. The source-class-usage statement at this hierarchy level is supported only for the virtual routing and forwarding (VRF) instance type. Previously, you could not enable SCU when the vrf-table-label statement was configured. Destination class usage (DCU) is not supported when vrf-table-label is configured. [VPNs, Network Interfaces]

Related Documentation

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 7
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 58
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 136
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 145

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
The current software release is Release 10.4R8. For information about obtaining the software packages, see Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 145. For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch.

10.4R8 Software Release on page 58
Previous Releases on page 79

10.4R8 Software Release

Outstanding Issues in Junos OS Release 10.4R8 for M Series, MX Series, and T Series Routers

Application Layer Gateways

Hot-standby redundant Multiservices PIC (RMS) is stateless, and existing flows/state are not replicated to the backup PIC. [PR/535597]

Class of Service

The message COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL 74. Reason: File exists appears in the system log file when the VLAN ID is changed. [PR/564660]

On MX Series and M Series routers using the I-chip ASIC, EXP rewrites are not performed on the egress interface at the penultimate hop after popping the outer label. [PR/546660]

On MX Series routers, a graceful Routing Engine switchover can generate numerous "GENCFG write failed" messages for dynamic logical interfaces that had 802.1p classifiers applied at login. The messages can be ignored because there is no loss of functionality. [PR/610674]

Class of service configuration on IQE LSQ member links is not a supported configuration and can result in packet loss and link flaps. [PR/612551]

On the M320, when the ingress FPC is I-chip based (E3-FPC) and the egress FPC is LMNR (Gimlet) based:

If the incoming IP packet's ECT bit is set to 1, the outgoing packet's DSCP value is set to 0. This also happens when the M320 acts as the egress PE: if the ECT bit in the incoming MPLS packet's IP payload is set to 1, the outgoing packet's DSCP value is also set to 0.

This issue occurs in Junos OS Release 8.0 and later. [PR/662769]

Display bug in the XML output of CoS red/dropped packets for "show interfaces extensive [interface] | display xml". The <queue-counters-red-packets> tag should be <queue-counters-tail-drop-packets>, as can be seen by running the following command, which retrieves more detailed information about CoS queues: show interfaces queue [interface] | display xml [PR/683410]

When an output-traffic-control-profile is configured with a wildcard interface name (on a DPC without EQ), the commit succeeds and cosd keeps running. After this, some CLI configuration that cosd allows to be committed is not applied. At this point, if cosd is restarted, it does not. [PR/693650]

Forwarding and Sampling

A high CPU utilization by the DFWD process might occur if the lo0 interface is configured as part of interface group 0. [PR/497242]

When a VPLS MAC table is cleared by interface name, the operation halts with the error message "error: Unrecognized command". [PR/544324]

Due to an implementation flaw, l2ald dumps core with the following combination of events:

An interface is configured with "vlan-id-range x-y".
The routing instance associated with the interface has "vlan-id all" configured.
"show bridge mac-table interface <interface name> vlan-id <vlan-id>" is executed.

[PR/679551]

Certain misconfigurations cause check-out to fail without a proper reason. [PR/597801]

Enabling "log" in a firewall filter term and applying the filter on the lo0 interface to prevent specific packets from being sent to the Routing Engine does not work when those packets arrive at a high packet rate (pps): such a configuration cannot prevent the packets from reaching the RE. For example:

admin@T1600-re0# show firewall family inet filter PROTECT_RE_FILTER
term allow-telnet {
    from {
        protocol tcp;
        destination-port telnet;
    }
    then accept;
}
term DENY_LOG_OTHERS {        <- use this term to prevent other packets
    then {
        count deny-others;
        log;                  <- log action enabled
        discard;
    }
}

[PR/707146]

High Availability

The SSH keys are not in sync between the master and backup Routing Engine when SSH is enabled after a graceful Routing Engine switchover (GRES). [PR/455062]

After a unified in-service software upgrade (unified ISSU) of M Series routers with an XFP on a cFPC, the output of the show chassis pic and show interfaces diagnostics optics commands provides invalid information for the XFP. [PR/567490]

With GRES enabled, management interfaces (for example, fxp0) configured under a non-default routing instance (such as a logical system) have known issues. Although the configuration is allowed, GRES might not work, and this configuration is therefore not supported. [PR/592125]

The live core dump happened during ISSU upgrade: when ksyncd started on RE0, it ran into a replication error and crashed. It was for informational purpose and didn't impact services. [PR/603146]

Infrastructure

The issue was related to the ping response, and a code modification addressing it has resolved the issue. [PR/677603]

Interfaces and Chassis

When the Rx power level is a negative value, the SFP diagnostics output displays an invalid receiver power level reading. [PR/235771]

If a firewall show command is followed by the clear command in quick succession, the show command might time out. If the show command is issued after a few seconds (ideally 5 seconds), this issue is not seen. [PR/479497]

Discrepancies exist in MAC and filter statistics between Trio MPCs and Enhanced DPCs. [PR/517926]

The multipoint-destination configuration statement is not supported on IQE PICs. While the configuration of this statement is accepted without problems initially, subsequent reconfiguration of the interface might cause the FPC and Packet Forwarding Engine to reboot. [PR/529423]

On a 20-port Gigabit Ethernet Enhanced Queuing IP Services DPC and a 2-port 10-Gigabit Ethernet Enhanced DPC with XFP, the link status of the interface goes down when the TX Matrix router towards the peer is removed. [PR/542668]

On MX Series routers, the following system log error messages appear when a configuration change is made and committed:

UI_DBASE_LOGIN_EVENT: User 'regress' entering configuration mode
UI_COMMIT: User 'regress' requested 'commit synchronize' operation (comment: none)
Shared memory release
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state 5123
vcdb_extract_db_from_file reading file /config/vchassis/vc.tlv.db
vcdb_extract_db_from_file Error opening file. errno = 2
vcdb_extract_db_from_file reading file /config/vchassis/vc.db
vcdb_extract_db_from_file: DB Files couldn't be read.
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state 7171
Shared memory release
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param

[PR/548853]

On MX240, MX480, and MX960 routers, the ATA driver tries to enable the advanced power management (APM) feature on the CompactFlash card of the RE-S-1800x4 Routing Engine. This is a cosmetic issue. [PR/593219]

On M40e routers, and on M10i and M7i routers without an enhanced CFEB, the IPv6 network control protocol is not established for PPP sessions running over SONET-based container interfaces. As a result, IPv6 connectivity is not established. [PR/601930]

A faulty PIC might cause the FPC to restart after dumping core files. [PR/605690]

When an SIB is taken offline, the SIB does not display the reason "Offlined by cli command" in the output of the show chassis environment sib command. [PR/610931]

On M40e routers, the chassisd process dumps core files when the fan tray is removed. [PR/660031]

On Trio-chip-based platforms, if the ingress Layer 2 size of a frame is larger than the egress MTU of an interface, the PFE attempts to fragment the packet. If, however, the resulting Layer 3 packet with egress encapsulation is still smaller than the egress MTU, the PFE makes an incorrect calculation, resulting in an MQCHIP wedge condition. The affected PFE must be restarted to recover. [PR/662160]

When a MIC is inserted into a freshly booted modular MX80 router, it is not detected, and an attempt to bring it online with the CLI command "request chassis mic fpc-slot <> mic-slot <>" reports that the slot is empty. The following workarounds resolve this issue:

Restart chassisd using the "restart chassis-control" command.
Reboot the MX80 router.

[PR/668742]

On the "4x CHOC3/CHSTM1 SONET CE SFP" PIC, if SONET APS (Automatic Protection Switching) is configured on COC3/CSTM1 interfaces and an IMA group is created, APS does not work for IMA groups. There is no workaround. [PR/513343]

The error message "fru_is_present: out of range slot -1 for CB" is seen continuously on the MX80. [PR/540868]

RPD_DYN_CFG_GET_SES_STATE_FAILED is logged and demux interfaces are not created. [PR/696370]

An interface not defined in a logical router takes part in a VPLS instance configured under that logical router. [PR/603130]

In certain interworking scenarios between Juniper Networks and other vendors' equipment, when a Routing Engine switchover occurs (with NSR configured on the Juniper Networks router), Frame Relay LMI hello sequence number continuity may break, causing the Frame Relay link to bounce. Although the standard allows the LMI hello sequence number to change to indicate that an event occurred, differences in vendor implementation can cause such an interworking complication. [PR/675750]

A MIC-3D-20GE-SFP may display "Invalid Link Speed :mic_an_set_link_speed" upon any interface change using an SFP-T. This issue is cosmetic except with unified ISSU; the case affecting ISSU is fixed under PR/701726. [PR/685180]

On MX Series routers, the output of 'show snmp mib walk jnxContentsSerialNo' incorrectly displays a serial number for the PIC on a built-in MIC. The correct output for the serial number is 'BUILTIN'. [PR/694336]

This MS-DPC core happens because of a race condition between the control thread setting the IPsec SA bundle pointer to NULL (as a result of an SA delete message from kmd on the Routing Engine) and a data thread accessing the same SA pointer after having checked that the pointer was not NULL. The fix is to always save a copy of the non-NULL SA bundle pointer in a local parameter and access only the local parameter, so that the data thread avoids the race condition. Accessing the local parameter is safe because the bundle SA pointer remains valid for 1 second after it is set to NULL in its parent policy array. [PR/698788]

Traffic is tail-dropped under the following conditions:

- More than 4 forwarding classes are configured.
- The egress interface is on an IQ PIC and is configured for only 4 queues (the default).
- Traffic is classified on the ingress interface into a forwarding class that is mapped to queue 4, 5, 6, or 7.

[PR/699538]

This issue happens only when the fan trays are replaced with enhanced fan trays and, while doing so, an enhanced fan tray was added, removed, and added again in a short period of time, causing the counter value to be set incorrectly. The alarm is a warning alarm to check whether the proper fan trays are installed. If the required fan trays are installed and working, this does not affect the functionality of the cards. [PR/700112]

When some MLPPP T1 interfaces keep flapping very quickly, the MS PIC memory usage keeps increasing and may eventually reach 99%. [PR/705577]

Layer 2 Ethernet Services

When the show chassis power command is issued, the message "Fan tray max consumption 320W in zone 0" is logged by chassisd. [PR/699269]

MPLS Applications

On M Series and T Series routers, the MPLS label-switched path (LSP) log messages are not logged for nonstandby secondary MPLS LSPs. [PR/560069]

During a label-switched path optimization, if the label-switched path takes a different path (due to a change in the Explicit Route Object (ERO)), an RPD_MPLS_LSP_CHANGE message is logged. The message shows the new ERO and the old bandwidth. This message is misleading because it does not show the new bandwidth. [PR/602836]

On MX960 routers, the label-switched paths flap every 15 minutes when routes are configured to resolve over auto-mesh RSVP dynamic tunnels with link protection enabled. [PR/608118]

The issue is caused by the unnumbered-address configuration on lo0. [PR/690951]


Under certain circumstances, the bandwidth usage sample used to compute the average bandwidth can be incorrect. This results in an incorrect average bandwidth, which in turn results in excess bandwidth reservation and unnecessary LSP reoptimization. [PR/692972]

When an LSP switches from the primary path to the secondary path and back to the primary path, the Max Avg counter might show an incorrectly high value compared with the actual LSP bandwidth. As a result, on the next adjust interval, the LSP is signaled with the incorrectly high last Max Avg counter value. This issue is seen only when a secondary LSP is configured. [PR/695154]

When family mpls is removed from an interface but family inet remains, the aggregate next hop may go into the discard state on the PFE. An aggregate next hop in the discard state causes packet loss for any routes associated with that next hop. There are two ways to remove family mpls but not family inet from an interface:

- deactivate interfaces <interface> unit <unit> family mpls
- set interfaces <interface> unit <unit> family mpls maximum-labels <count>

[PR/698169]

Network Management

The value of ifHighSpeed for the current bandwidth of an interface is in units of 1,000,000 bits per second. According to RFC 2863, ifHighSpeed must be rounded to the nearest whole value on both physical interfaces and logical interfaces. [PR/507004]

Platform and Infrastructure

The SFC management interface em0 is often displayed as fxp0 in several warning messages. [PR/454074]

On a TXP, when the em0 interface is disabled, the em1 interface is also disabled. This causes loss of communication to the LCCs. [PR/596113]

On interfaces using the Junos Trio chipset, the clear interfaces mac-database statistics and clear interfaces mac-database commands do not work. [PR/512766]

On MX240 and MX960 routers, when an interface configured for OAM and carrying VPLS traffic is flapped, a series of jt_mem_free errors is generated. There is no known workaround. [PR/688088]

In an ISSU scenario, when a backup Routing Engine running a higher version attempts a connection to the master running a lower version, there is a mismatch in the length of a particular message sent by the replication daemon: it is longer than the master expects. The resulting symptom is an ISSU failure between the master and the backup. Workaround: dynamically increase the buffer to avoid the ISSU failure. [PR/680415]

An MPC core was seen on a router running Junos OS 10.2S6.4. The issue was observed when the IRB interface referenced under the VPLS routing instance was deleted. [PR/693470]

There is an issue with the interworking of the 'chassis route-memory-enhanced' knob and 'protocols rsvp interface x/y/z.l link-protection' or 'protocols mpls label-switched-path <lsp name> node-link-protection'. This causes the installation of routes that are destined to go to segment 1 (due to the route-memory-enhanced configuration) to fail. [PR/695336]


Under some conditions, the message "HALP-trinity_nh_indirect_get_irb_fwd_nhIndirect NH(xxxxxxx), IRB egress set to discard:0xyy...yy" is reported in certain VPLS, IRB, and VT/LSI over MPC environments. The error occurs because the IRB forwarding next hop was not obtained when installing an IRB entry. This can occur when the target ifl is either zero or is not an LSI/VT interface. Although this appears to be traffic affecting, no side effects have been reported by the customer where this message appeared. [PR/698776]

An MPC might crash when an aggregate interface is configured, due to invalid child members being installed on the PFE side. [PR/695225]

Routing Protocols

When aggregate interfaces are used for VPN applications, load balancing may not occur with a Layer 2 circuit configuration. [PR/471935]

The automatic complete option is not available for the show route table name command in the CLI. [PR/503523]

When an interface is added to a routing instance with rpf-check enabled, the routing protocol process might crash if a route-distinguisher is also changed at the same time. [PR/539321]

The configuration of DSCP rewrite rules on a 10-port 10-Gigabit Ethernet LAN/WAN PIC with SFP+ might overwrite the DSCP value coming from the Routing Engine for host-generated traffic. [PR/575259]

The routing protocol process on a standby Routing Engine might crash during a unified in-service software upgrade (ISSU) if the BGP peers flap. [PR/575569]

When IGMP is enabled on an fxp0 interface, a discard next hop might get installed for 224/4 routes. [PR/601619]

When a sham link is activated, the exported static route is erroneously treated as a VPN route received via BGP. As a result, the exported static route shows up in the database with the DN bit set. [PR/686947]

A get-next for pimRPSetHoldTime or pimRPSetExpiryTime may return the output of the same OID given in the get-next command, instead of the output for the next OID. [PR/700079]

In a BGP peer group, if the peers have only previously sent the default route-target filter (0:0:0/0) or the family route-target was not negotiated, then when a peer comes up that does send non-default route-target filter routes, the router does not send its matching VPN routes to that peer. [PR/703054]


Services Applications

The output of the show services ids destination-table command might not display any flow and related statistics in the IDS anomaly table for a certain period of time after the flows are activated. [PR/490584]

The data channel applications for protocols such as FTP, TFTP, RTSP, and SIP are not in the same application group as their control channel applications. For example, the control channel application junos:ftp is in the group junos:file-server, but the corresponding data application junos:system:ftp-data is not in any group. [PR/507865]

When unit 0 of the Multiservices PIC interface is not specified, the monitor interface traffic command does not display the input packet count properly for that particular ms- interface. [PR/544318]

The NAT64 to ICMP time expire packet might not be translated correctly for packets sourced from an intermediate node in traceroute. [PR/597036]

Streaming of an MPEG-4 sample by MacOS and Windows XP VLC media player clients (version 1.1.12 on MacOS) was verified to be accurately detected on a Juniper Networks tapped setup running AppID+AACL+LLPDF on an MX router with an MS-DPC or MS-PIC. Further verification will be done in our accuracy lab for more extended and continuous testing. [PR/573127]

Messages of the form "fpc0 PFEMAN_SVC_JFLOW:Failed to connect to RE" are seen, indicating a socket connection failure between the Packet Forwarding Engine and the Routing Engine. [PR/696725]

When an MS-PIC or MS-DPC is configured for the stateful firewall NAT service with address-pooling paired (APP) and endpoint-independent mapping (EIM) enabled, if the traffic pattern causes the PIC to report "AP port allocation errors", the PIC might dump a core and restart when some flows expire. [PR/699662]

When the bypass-traffic-on-pic-failure configuration knob is used, and the MSPMAND daemon crashes on an MS400 PIC on which the IDP package is installed, the bypass is not triggered immediately because a core file is being generated. This causes black-holing of traffic. The fix for this issue is to let the traffic bypass start immediately when MSPMAND cores and the PIC is considered to be in a failure state. [PR/702591]

When a service set with stateful NAT configured includes address-pooling paired and endpoint-independent mapping, NAT ports and/or NAT address/port mappings might not get released when the corresponding flows are removed and the mapping timeout timers have expired. [PR/702934]

Subscriber Access Management

The accounting attribute 41 (acct-delay-time) is missing from the accounting start, interim, and stop messages, as the VSA does not exist in the RADIUS accounting requests from MX Series routers to the RADIUS server. [PR/607520]

A memory leak occurs when accounting is configured and the accounting servers are not available or do not respond to accounting requests. [PR/675136]


User Interface and Configuration

The pop-up window for logging out of the J-Web interface is hidden when the logout button is used from the Diagnose > CLI terminal page on both Internet Explorer and Mozilla Firefox browsers. [PR/401772]

The CLI command "show interface as0 extensive" does not show the statistics of the SONET child member links that are part of the aggregated bundle. This affects the monitoring and management of bandwidth on the aggregated SONET bundle links. [PR/677553]

In the J-Web interface, the Generate Report option under Monitor > Events and Alarms opens the report in the same web page. [PR/433883]

In the J-Web interface, if you discard any available MIB profile, file, or predefined object from "accounting-options" on the Point and Click CLI Configuration page (Configure > CLI Tools > Point and Click CLI), the J-Web session times out. As a workaround, perform the same operation from the CLI. [PR/689261]

Selecting the monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. [PR/446890]

On MX Series routers, the J-Web interface does not display the USB-related information under the Monitor > System View > System Information > Storage page. [PR/465147]

The link up/down hold time cannot be configured on a coc12 interface. However, it can inherit the configuration by means of an apply group. When a router is reloaded, the coc12 interface does not come back up because the link up/down hold time configuration is inherited with the help of the apply group. [PR/468598]

Since 2011, daylight saving time is not used for the Africa/Cairo time zone, but Junos OS still applies daylight saving time, so if the time zone is set to Africa/Cairo, there is a time difference between the router and the actual Cairo time. [PR/670234]

Login failure events (WEB_AUTH_FAIL) of J-Web are not logged by M10i devices, whereas CLI-based events (SSHD_LOGIN_FAILED) are logged on the device. Workaround: restart the event processing process after installing the jweb package, using the command restart event-processing. [PR/687628]

When a new-line character (\n) is used within the op script argument descriptions, the help output might display incorrectly, and could result in extra output being displayed when the op script executes. [PR/485253]

In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service Name for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]

The J-Web interface does not display the drop-profile-map, excess-priority, excess-rate, and rate-limit (transmit rate) parameters, which are supported for the schedulers configuration. Configure these parameters using the CLI. [PR/495947]

Under certain circumstances, the event script time intervals might be overridden by too many events because of a small eventd process buffer size, specifically in the case of Service Automation (AIS) event scripts in the AI-script bundle pushed from Service Now. This might cause the same type of Juniper Message Bundle (JMB) event to be generated more than once an hour. When this issue occurs continuously, it could lead to a permanent increase in Routing Engine memory and CPU consumption, depending on the number of scripts running concurrently (the maximum is 15). [PR/505359]

Warning messages related to pending commits are not triggered when the following operations are performed:

- Software > Upload Software > Install Package
- Maintain > Reboot

As a workaround, commit all pending commits before performing the operations listed above. [PR/514853]

The master LED might stay blue even when the Routing Engine is offline. [PR/515076]

The annotate option does not appear when it is used with the edit private command for class of service. [PR/535574]

While J-Web pages are being accessed, the httpd process dumps core at irregular intervals. [PR/535768]

When an HTTPS connection is used for the J-Web interface in Internet Explorer to save a report from the View Events page (Monitor > Events and Alarms > View Events), the error message "Internet Explorer was not able to open the Internet site" is displayed. This issue also appears in the following places in the J-Web interface:

- Maintain > Config Management > History
- Maintain > Customer Support > Support Information > Generate Reports
- Troubleshoot Port > Generate Reports
- Maintain > Files
- Monitor > Routing > Route Information > Generate Reports

[PR/542887]

The J-Web pages load inconsistently when Add IPv4 or IPv6 filters are used in the Internet Explorer and Firefox Web browsers. [PR/543607]

When a J-Web session is opened and the login credentials are provided, the J-Web interface takes 20 seconds longer to load the Dashboard page on an HTTPS connection than it does on an HTTP connection. [PR/549934]

After the "delete:" action is performed, the "replace" actions do not take effect in the "load replace terminal" operation. [PR/556971]

The time displayed in the Monitor > Events And Alarms > View Events page does not match the switch's time when the J-Web interface is launched through an HTTPS connection. As a workaround, reset the correct time after the J-Web interface is launched through the HTTPS connection. [PR/558556]


The JavaScript error "Object Expected" occurs when J-Web pages are navigated before the page loads completely. [PR/567756]

When a hostname is changed using the CLI during an active J-Web session, the information is not updated on the General Information tab under the Monitor > System View > System Information and Header page of the J-Web interface. As a workaround, close the J-Web session and log in again. [PR/569697]

The J-Web interface permits creation of duplicate term names on the Configure > Security > Filters > IPV4 Firewall Filters page. However, these duplicate entries are not shown in the grid. This is a cosmetic issue only. [PR/574525]

In the J-Web interface, when a user is deleted on the Configure > System Properties > User Management > Users page using the Internet Explorer version 7 Web browser, no warning message is displayed. However, the warning message appears when the Firefox Web browser is used. [PR/595932]

The J-Web interface does not come up even after the J-Web package is installed and the HTTP process is enabled. Reinstall the image and add the J-Web package to resolve this issue. [PR/609623]

Multiple entries are listed for a few processes on the Process details page (Monitor > System View > Process details) of the J-Web interface. This issue has no functional impact. [PR/661704]

In the J-Web interface, the report generated using the Events page (Monitor > Events and Alarms > View Events) does not show the description for the first four to five events. As a workaround, view the description from the Junos OS CLI. [PR/661752]

The jptspd process requires the PPR to have policies set to update only the username. [PR/665181]

In the J-Web interface, the delete operation for a forwarding class on the Configure > Class Of Service > Forwarding Classes page does not work. As a workaround, use the Junos OS CLI for this operation. [PR/684846]

VPNs

The BGP community 0xFF04 (65284) is incorrectly displayed as "mvpn-mcast-rpt" in the output of the show route command. [PR/479156]

In an NSR environment, the routing protocol process crashes when a virtual LAN ID is removed from the VPLS instance. [PR/512499]

When two new logical interfaces are added to a non-DF router in a BGP-VPLS multihoming setup, a Layer 2 loop might be formed for a short period of time (less than one second) before the logical interfaces go into the CCC-DOWN state. As a workaround, add the logical interfaces to the non-DF router first before adding the logical interfaces on the CE side. [PR/610082]

The "clear pim join" command makes the device (kernel) busy while it deletes the MT tunnel subinterface. [PR/683438]

The bootstrap-import policy wrongly filters BSR packets received on lsi/vt interfaces. [PR/702198]


Resolved Issues in Junos OS Release 10.4R8 for M Series, MX Series, and T Series Routers

Class of Service

On I-chip-based platforms, when an 802.1p or 802.1ad classifier definition is changed, the classifier might not be correctly updated in the forwarding path. [PR/669871: This issue has been resolved.]

Class of service configurations using ae* may cause cosd to crash. [PR/682223: This issue has been resolved.]

This issue can be seen on the following Junos OS routers: MX routers equipped with DPC line cards, M320 routers with E3-FPC Type FPCs and PICs, M120 routers, and M7i/M10i routers with an Enhanced CFEB. Packet drops (CoS RED packet drops) can be seen during a traffic burst on an interface queue that was left without CoS scheduling resources. This can happen either on non-EQ DPCs and non-IQ/IQ2 PICs (depending on the scheduler-map applied to an interface) or on EQ DPCs and IQ/IQ2 PICs (depending on the scheduler-map-chassis applied to an interface), as in the following cases:

- No scheduler-map is applied to an interface (non-EQ DPCs and non-IQ/IQ2 PICs), in which case the default scheduler map is implicitly applied, effectively leaving all queues except Q0 and Q3 without CoS scheduling resources.
- No scheduler-map-chassis is applied to an interface (EQ DPCs and IQ/IQ2 PICs), in which case the default scheduler-map-chassis map is implicitly applied, effectively leaving all queues except Q0, Q1, Q2, and Q3 without CoS scheduling resources.
- A scheduler-map (scheduler-map-chassis in the case of EQ DPCs and IQ/IQ2 PICs) is applied to an interface, but no explicit scheduler is applied or configured for a particular queue.
- A CoS scheduler is configured for a queue, but "transmit-rate" and "buffer-size" are both explicitly configured with "percent 0".

[PR/690685: This issue has been resolved.]

A Service PIC reboots because Service PIC keepalives use the same HNQ as certain host inbound traffic, causing the queue to starve and drop packets randomly. [PR/690653: This issue has been resolved.]

Forwarding and Sampling

When firewall filters exist on GRE tunnels, packet drops might occur in the tunnels if a tunnel is added or deleted, the Packet Forwarding Engine restarts (FPC or FEB restart), or a cold graceful Routing Engine switchover occurs. [PR/671902: This issue has been resolved.]

The problem happens in a corner case where the logical system configuration is removed while bridge domains that were created dynamically through the MVRP protocol have not yet been added to the kernel. [PR/682794: This issue has been resolved.]

Any sampling-related configuration change, once committed while sampled is running, results in the old sampling instance tree being deleted and a new tree being created; the core is encountered as part of deleting the old instance tree. [PR/688417: This issue has been resolved.]

General Routing

The Routing Engine(s) crash with a trap with the backtrace bcopy/if_pfe_ttp_output/if_pfe_ae_ttp_output. if_pfe_ttp_output may not appear in the backtrace. The configuration includes DHCP, PPPoE/VLAN, or demux/AE. [PR/682735: This issue has been resolved.]

A panic occurs in rnh_index_alloc on the backup Routing Engine because the index is already allocated. In the syslog or kernel message buffer, a message similar to the following may be seen: "<3>rnh_cont_request: demux0.14 (3353) Got nhid=120882 but already have child nhid=118652 for cifl ge-0/1/5.32767 (3349)". [PR/682967: This issue has been resolved.]

The backup Routing Engine may go to the db prompt if an AE interface is configured with multiple Fast Ethernet members. [PR/692664: This issue has been resolved.]

If an aggregate bundle goes down because of the configured minimum-links, member links of the aggregate bundle might no longer join the bundle after an interface link flap. To recover from this condition, disable and then enable the affected member link with configuration changes. The following Junos OS versions are exposed: 10.4R6.5, 10.4R7.5, and 11.2R3.3. [PR/695895: This issue has been resolved.]

With IPv6 and PPPoE, DHCP, or other demux configured, an assertion panic can occur in in6_ether_iffconfig(). [PR/686350: This issue has been resolved.]

On rare occasions, the user privileges for a superuser account change intermittently. [PR/677916: This issue has been resolved.]

This PR applies to MX routers running PPPoE subscriber management software in Junos OS 11.1 and earlier releases. It is not an issue in 11.2 and later releases. When the IP MTU for a PPPoE session requires that the MX PPPoE server fragment an IP packet, the PPPoE header length in the outgoing fragment is not set to the fragmented length. As a result, the PPPoE client receiver drops these fragments, causing packet loss. [PR/705578: This issue has been resolved.]

If you have an ingress interface with a larger MTU than an egress interface, fragmenting packets on a Trio-based MPC may cause interfaces on the egress MPC to stop transmitting. The necessary conditions that have to be met are:

1. An ingress interface with an MTU value larger than that of an egress interface
2. The egress interface is on a Trio-based MPC
3. An ingress packet is larger than the MTU of the egress interface

A system that has all of the above conditions is susceptible to the egress interface locking up. [PR/692417: This issue has been resolved.]

When an if-route-exists policy is configured and the policy has not yet been evaluated even once, then under rare circumstances, if the route concerned is just added to the table and, at the same time, the policy that uses this if-route-exists condition also triggers the initialization, rpd may core. [PR/691542: This issue has been resolved.]


High Availability

After a unified in-service software upgrade (unified ISSU) from Junos OS Release 10.0 to 10.4, the sampling feature does not function. The sampled process responsible for sampling no longer receives data from the Packet Forwarding Engine. [PR/681271: This issue has been resolved.]

A replication error might occur when a user route with a local next hop is propagated to the backup Routing Engine before the corresponding IFA is replicated. [PR/559458: This issue has been resolved.]

Conversion-FPGA initialization is done during PIC discovery. In this PR the initialization failed because of Rx-link lock errors, but the software held on to a stale pointer, and the FPC crashed when it attempted to decode that pointer. The fix in PR/429895 avoids the FPC crash; it does NOT fix the Rx-link lock error. [PR/429895: This issue has been resolved.]

Infrastructure

For the ATM PIC cbr shaping rate configuration, you can specify a value in cells per second by entering a decimal number followed by the abbreviation c; values expressed in cells per second are converted to bits per second by means of the formula 1 cps = 384 bps. The cell rate configuration was removed from Junos OS releases 10.1R1 and later that were built between 23-Jan-2010 and 15-Sep-2011. As a workaround, use the bits per second (bps) configuration to specify the ATM cbr shaping rate. The cell rate configuration has been added back in the following Junos OS releases and later: 10.4R8, 10.4S7, 11.1R6, 11.2R3, 11.3R3, and 11.4R1. [PR/685558: This issue has been resolved.]

Interfaces

For configurations with more than 32,000 PPP subscribers, it is recommended to configure the keepalive interval to no less than 75 seconds to avoid subscriber termination due to "no keepalive" errors. [PR/661837: This issue has been resolved.]

Some demux interfaces do not carry traffic on associated member links after an in-service software upgrade (ISSU). [PR/570599: This issue has been resolved.]

Interfaces and Chassis

When an interface enabled for OAM goes down, the message "first cells dropped at cif" is added to the system log file. [PR/559492: This issue has been resolved.]

There is a window during ISSU in which chassisd on the new master can get out of sync with the kernel. If a PIC is taken offline by ISSU because it is unsupported, chassisd fails in pic_add_to_kernel on the new master. The fix is to reset the pic_in_kernel flag and return the error, which results in a timer that attempts to add the PIC at a later time. [PR/558036: This issue has been resolved.]

The backup Routing Engine can reboot because of a kernel panic when graceful Routing Engine switchover is enabled and a large number of IPv6 or dual-stack (IPv4/IPv6) clients are logging in over PPPoE on aggregated Ethernet interfaces. Consequently, client login may take longer or fail because of timeouts. [PR/610253: This issue has been resolved.]


The cosmetic message "No handle for i2c_id 0x" appears in the chassisd log when "show chassis hardware" is issued on an MX80 with a MIC. [PR/672496: This issue has been resolved.]

The backup Routing Engine shows the EPD value as '0' for a VC if EPD is specified as a percentage for an ATM scheduler forwarding class, and if a GRES switchover happens, the wrong EPD value is seen on the new master Routing Engine. However, even though EPD shows as '0' in the CLI output, the correct value is programmed into the ATM2 PIC and it functions as configured. This is a cosmetic issue. [PR/677531: This issue has been resolved.]

After PPPoE sessions are torn down, the resources are not freed on the IQ2 PIC, resulting in high memory consumption. When the heap memory is exhausted, no more memory can be allocated for new PPPoE requests and therefore new sessions cannot be established. [PR/684100: This issue has been resolved.]

The output of the show interfaces diagnostics optics et-fpc-slot-number/0/0:0 command for an FPC hosting a 100-Gigabit Ethernet PIC shows incorrect (much smaller than real) values for the laser receiver power. [PR/684665: This issue has been resolved.]

Latency during the initialization of the xge-pic driver may cause BFD to flap. [PR/503403: This issue has been resolved.]

When GRES is enabled, the RLSQ bundle MTU also needs to be available on the backup Routing Engine, since the configured MTU may not reflect the negotiated MTU; in the event of a GRES switchover, RLSQ bundles may flap because of MTU renegotiation. [PR/612577: This issue has been resolved.]

Classification of Routing Engine outbound traffic using the host-outbound-traffic keyword under the [edit class-of-service] hierarchy does not work for IPsec packets. On Junos OS versions without the fix for this PR, all host-generated outbound traffic that needs to go through the IPsec tunnel is classified into the default best-effort queue only. [PR/694878: This issue has been resolved.]

After one of the members of an AE link flaps, the Juniper Networks router can start sending a wrong "Oampdu max size" in the OAMPDU (the 5 reserved bits are not set to zero); as a result, Huawei equipment does not accept the OAMPDUs. [PR/701853: This issue has been resolved.]

A change in the code for processing keepalives affected the default HDLC keepalive timer. HDLC keepalives were no longer sent at the default interval of 10 seconds but at an interval greater than 30 seconds, which triggered a temporary loss of keepalives on the peer routers. The 10.4R6 release of Junos OS is not affected by this issue. [PR/707244: This issue has been resolved.]

On routers with Enhanced IQ PICs, when a commit is issued, the following system log messages might be seen:

/kernel: %KERN-3: PPP ioctl on (so-0/3/1.0) - flags 0xc011 inx=0 msk=1 idx=0 msk=1
/kernel: %KERN-3: PPP ioctl on (e1-0/3/0:5.0) - flags 0xc011 inx=0 msk=1 idx=0 msk=1

[PR/669329: This issue has been resolved.]


Layer 2 Ethernet Services

When a Layer 2 physical interface changes from tagged to untagged, its link-level header length is not recalculated. As a result, the older value is used and the IRB interface's MTU is calculated incorrectly. [PR/677065: This issue has been resolved.]

When a configured IRB interface is deactivated and activated again, configuration changes might not get applied, resulting in DHCP packets being discarded. As a workaround, restart the DHCP service. [PR/681871: This issue has been resolved.]

The cosmetic message "fpc_atlas_show_hw: fpc X mic Y state 5" appears in the chassisd log when "show chassis hardware" is issued on an MX chassis equipped with a MIC. This is not service impacting. [PR/672358: This issue has been resolved.]

In a configuration with multichassis LAG it is possible, in a link failure condition, for the client-sourced packets and the server-sourced packets to take different paths through the network. Since the DHCP relay function needs to process the flow in both directions to maintain state, clients would experience difficulty when their lease T1 timer expired and they attempted to refresh their lease (and consequently the state maintained by the DHCP relay function). To address this issue, the DHCP relay function now allows ACK packets for which it has not seen the associated REQUEST to pass transparently to the client. This change allows a client to renew or to establish a lease in a failure condition, but not to maintain that lease with respect to any subscriber services managed through the DHCP relay function. [PR/680779: This issue has been resolved.]

MPLS Applications

The MPLS statistics file might not be updated after a configuration related to the routing protocol process is committed. [PR/680856: This issue has been resolved.]

When an IP route resolves directly over an LSP, or the LSP route is also installed in the inet.0 table, the LSP statistics might incorrectly contribute to the bypass LSP statistics even when no packets are being forwarded on the bypass LSP. [PR/682966: This issue has been resolved.]

Malformed packets result from inconsistent handling of an internal flag on the MX 3D platform when performing L2VPN switching of packets that carry MPLS with two or more labels as the Layer 3 payload inside Ethernet (for example, switching L3VPN over L2VPN). In this situation the end-of-stack (EOS) bit is erroneously not set on the imposed label, so the receiver interprets the start of the payload as one more label. [PR/684256: This issue has been resolved.]

After an auto-bandwidth adjustment that increases the bandwidth of an LSP, the warning message "RPD_RSVP_INCORRECT_FLOWSPEC: Bandwidth in PATH Tspec greater than RESV flowspec" might be erroneously logged. This problem is cosmetic and does not affect traffic forwarding or auto-bandwidth functionality. [PR/684361: This issue has been resolved.]

With the MPLS traceoptions flag 'all' or the hidden flag 'autobw-state' enabled, the routing protocol process (rpd) might crash during auto-bandwidth adjustments and make-before-break (MBB). [PR/689513: This issue has been resolved.]


With Junos OS Release 10.4R7, MPLS packets received on a Layer 2 circuit through lt tunnel interfaces do not undergo a label swap operation; only the Layer 2 circuit tunnel label is stripped. The next-hop node then drops the MPLS packets because of unknown label information. With Junos OS Release 11.1R6, explicit-null packets with IPv4 or IPv6 payload that go through a path that pushes MPLS labels (LSP stitching) come out corrupted, with the top 4 bytes of the IP portion missing. At the same time, explicit-null packets with MPLS payload (for example, L2VPN packets with the outer label replaced by explicit null on the PHP node) fail label lookup on the inner (VPN) label and are punted to the CPU (based on the lookup done for the outer (null) label) instead of being forwarded. [PR/692838: This issue has been resolved.]

The routing protocol process (rpd) crashes when the router has a TE-FRR configuration such as the following:

protocols mpls {
    label-switched-path pe1-pe3-7 {
        from X.X.X.X;
        to Y.Y.Y.Y;
        fast-reroute;
    }
}

The issue is seen on the M320 and MX960 platforms. [PR/700092: This issue has been resolved.]

Network Management

The mib2d process might crash when interfaces are created and deleted at a very fast rate in a scaled setup. [PR/602812: This issue has been resolved.]

Platform and Infrastructure

On MX Series routers, the following error messages appear when the chassisd process is restarted:
rubles fpc2 PFEMAN: ipc error 6 in pfeman_queue_event
rubles fpc2 PFEMAN: ipc error 6 in pfeman_queue_event
rubles fpc2 PFEMAN: ipc error 6 in pfeman_queue_event
rubles fpc2 ICHIP(0): New microcode errors in WO HDRF stream_id 1, iwo_hdrf_poll_stream_stats
rubles fpc2 CMALARM: Error (code: 1208, type:Minor) encountered, cmalarm_passive_alarm_signal
rubles fpc2 Packet error 3 bad header refcounts last error caller pc 0x40052e34
rubles fpc2 ICHIP(1): New microcode errors in WO HDRF stream_id 1, iwo_hdrf_poll_stream_stats
rubles fpc2 CMALARM: Error (code: 1208, type:Minor) encountered, cmalarm_passive_alarm_signal

[PR/548906: This issue has been resolved.]

In a VPLS setup with an ADPC, where both the CE-facing and core-facing interfaces are aggregated Ethernet (AE) with child links consisting of Trio, ADPC, and Hyperion hardware, when the AE link flaps (by disabling the AE interface), the ADPC sometimes logs the Packet Forwarding Engine error message: [May 11 22:56:32.245 LOG: Err] NH id: 976, child_nh 978 does not exist. [PR/609047: This issue has been resolved.]

The following system log messages might be reported on MX Series routers with an MPC:
fpc8 MQ(2): %PFE-3: pio_handle(0x414e0908); pio_read_u64() failed: 1(generic failure)! addr=0000000002244298
fpc8 trinity_pio: %PFE-3: 1 PIO errors occurred
fpc8 trinity_pio: %PFE-3: Last error: 11 MQ-2 Trinity PCI 0xfe6dfbfe Read PCIe.
[PR/613139: This issue has been resolved.]

Route flapping might cause high utilization of the routing protocol process under the sampling function. [PR/571292: This issue has been resolved.]


When a routing instance is configured with a "#" character in its name and encrypted BGP peer connections are established, the keyadmnd process crashes, and every commit attempt fails. [PR/682632: This issue has been resolved.]

The timestamps of the messages in the firewall log show incorrect values. The system time and the timestamps in system log messages are not affected. If an NTP server is configured, the issue does not occur. [PR/661768: This issue has been resolved.]

The first two IPv6 ping requests do not follow the specified ping interval and are sent within the same second. [PR/669065: This issue has been resolved.]

When a script sends Packet Forwarding Engine VTY commands at line rate, the Packet Forwarding Engine crashes. [PR/676050: This issue has been resolved.]

This change hardens the firewall filter update handling code for Trio-based platforms by adding relevant checks while freeing memory on filter changes or filter deletion. [PR/680145: This issue has been resolved.]

On an MX Series chassis, an ADPC FPC might crash if an IGMP interface's link bounces while it is carrying multicast traffic, causing a change to the multicast route. The ADPC FPC reboots and produces a core file. There are no known workarounds. [PR/682774: This issue has been resolved.]

If a dsc.0 (discard) interface is configured with an output filter attached that forwards discarded traffic to a routing instance in which no active route is installed, all discarded traffic triggers a lookup loop. The loop is interrupted after a certain time and a thread timeout error message is reported. Any combination of the following messages might be reported in the system log:
PPE Thread Timeout Trap: Count 4, PC 3eb, 0x03eb: KTree_Term_With_Mult_Result
LUCHIP(1) PPE_0 Errors thread timeout error
LUCHIP(1) PPE_2 Errors thread timeout error
LUCHIP(1) PPE_3 Errors thread timeout error
LUCHIP(1) PPE_4 Errors thread timeout error
LUCHIP(1) PPE_5 Errors thread timeout error
LUCHIP(1) PPE_6 Errors thread timeout error
LUCHIP(1) PPE_8 Errors thread timeout error
LUCHIP(1) PPE_12 Errors thread timeout error
LUCHIP(1) PPE_14 Errors thread timeout error
PPE Thread Timeout Trap: Count 22, PC 18e, 0x018e: nh_ret_simple_last
LUCHIP(0) PPE_1 Errors thread timeout error
PPE Thread Timeout Trap: Count 5, PC 23, 0x0023: entry_index_nh
LUCHIP(1) Wedge Detected.
As a workaround, change the output filter of the dsc interface so that it does not divert traffic into a routing instance. [PR/682911: This issue has been resolved.]

A pre-service filter does not work when configured to match the destination address of packets traversing the interface on CFEB-based and E-CFEB-based platforms. [PR/684843: This issue has been resolved.]

Reject exceptions use host-bound queue 0 instead of queue 6. [PR/685947: This issue has been resolved.]

If bfd-liveness-detection is configured with authentication on only one side and not on the remote peer, Packet Forwarding Engine packet memory leaks. Once packet memory is exhausted, the FPC restarts. As a workaround, configure authentication on both the local and the remote side. [PR/687159: This issue has been resolved.]

Inline port mirroring with multiple next hops stops working for all next hops if one of the next hops flaps. [PR/688163: This issue has been resolved.]


With the following FPC types on T Series routers, a suboptimal load-sharing result might be observed under a cascaded route topology:
T640-FPC1-ES
T640-FPC2-ES
T640-FPC3-ES
T640-FPC4-ES
T640-FPC4-1P-ES
T1600-FPC4-ES
The cascaded route topology is constructed by a combination of multiple features including indirect next hop, BGP multipath, and aggregated Ethernet. [PR/688420: This issue has been resolved.]

The hash manipulation algorithm is enhanced to provide a better load-balancing result between the member links within an aggregated Ethernet bundle when per-packet load sharing is not configured. [PR/690026: This issue has been resolved.]

This issue was introduced by changes made for another PR. It occurs when an input CLI filter and an output service filter are applied to a media interface and traffic originated from the Routing Engine goes out over that media interface. The code does not take the input CLI filter into account in the filter list and therefore does not find the output service filter at the expected position. The packet goes out as though the service filter did not exist. The problem does not occur if no input CLI filter is configured, or if an output CLI filter is configured in addition to the input filter. [PR/692450: This issue has been resolved.]

On M120 routers, M7i and M10i routers with enhanced CFEBs, M320 routers with E3 FPCs, and MX Series DPCs, when pushing three or more MPLS labels, the TTL of the innermost label might be incorrectly set to zero. [PR/694163: This issue has been resolved.]

The commit at command used with commit scripts might sometimes lock up the CLI. [PR/537074: This issue has been resolved.]

On an MX Series router acting as a DHCP relay in a VPLS environment, forwarding toward certain DHCP subscribers might stop because of incorrect programming of the LSI indirect next hop on the Packet Forwarding Engine. [PR/691055: This issue has been resolved.]

In scenarios where LDP traffic is tunneled over ECMP, or MPLS LSPs are single-hop or share a common egress interface, the LSP traffic statistics might be reported incorrectly. [PR/700154: This issue has been resolved.]

Routing Protocols

If a router acting both as an autonomous system boundary router (ASBR) and an area border router (ABR) is reachable by means of a backbone area and a stub area, and the advertisement through the stub area has a higher metric, the external routes are incorrectly installed in the routing table with a next hop through the stub area. [PR/610813: This issue has been resolved.]

BGP sometimes uses the wrong martian table to verify that the protocol next hop is not a martian address. As a result, some BGP routes are hidden while others are active in the inet.0 table. [PR/682323: This issue has been resolved.]

The routing protocol process (rpd) crashes when "default-lsa" is configured in an NSSA area under a routing instance that is also receiving a default route from another VPN instance. [PR/606075: This issue has been resolved.]

An SNMP query on the "ipMRouteInterfaceTable" object might not report all the multicast interfaces configured with PIM-SM. The workaround is to use the 'show pim interfaces' command. [PR/678051: This issue has been resolved.]


If "forwarding-options sampling" or "routing-options route-record" is configured, stale routes might appear and persist in the routing table in the holddown state. These routes are not active and do not affect forwarding, but they consume memory, and if left in place they cause the memory footprint of rpd to increase over time. For MPLS routes, Packet Forwarding Engine and kernel memory are also affected, because the next hops are not deleted until the route is deleted within rpd. Junos OS Releases 10.4R7 and 11.2R3 are affected. [PR/688820: This issue has been resolved.]

The output of the show pim statistics inet6 command includes fields that are not relevant to IPv6 multicast. [PR/682938: This issue has been resolved.]

When PIM is used between downstream PEs in an MVPN environment, a non-DR PE receives multicast traffic from the DR on a downstream port. The RPF check is performed and fails, and while it fails the router keeps attempting to build the local multicast route table from the rpd perspective, causing an rpd memory leak. When the leak becomes large enough, rpd might crash and generate a core file. [PR/685111: This issue has been resolved.]

The routing protocol process (rpd) might crash with BGP multipath configured if the route list includes BGP multipath routes along with non-BGP routes for the same destinations. [PR/688763: This issue has been resolved.]

If BGP "keep all" is configured, "multipath" is enabled under "routing-options" of a VRF, and multiple equal-cost BGP VPN routes for the same destination exist in the bgp.l3vpn table, rpd might crash when this new VRF is added to the configuration, because of a delayed BGP reconfiguration job in a scaled configuration. [PR/691170: This issue has been resolved.]

When 10-Gigabit Ethernet interfaces flap frequently, a routing protocol process (rpd) core file might be created. [PR/692126: This issue has been resolved.]

The routing protocol process (rpd) might take a long time to bring an OSPF neighbor to the FULL state when there are a large number of OSPF neighbors with a large OSPF LSA database. [PR/692239: This issue has been resolved.]

Under some circumstances, a BGP router configured with family route-target might fail to send some VPN routes. This most typically happens for a PE router in a scaled configuration that has received the default RT-Constrain route, 0:0:0/0. [PR/692940: This issue has been resolved.]

After an NSR switchover, OSPF sham links might go down. Restart the routing protocol process to reactivate them. [PR/693719: This issue has been resolved.]

When family route-target is used on a PE and one or more of the peers it is configured on do not negotiate RT-Constrain (RFC 4684), the PE generates a default RTC route of 0:0:0/96. This default route is not appropriate for non-transit BGP hosts. By default, a BGP non-transit PE discards VPN routes that do not have matching local route-target communities. If a VRF is later configured with a route target for which VPN routes had previously been discarded, the attached BGP neighbors do not re-send the appropriate VPN routes. This is because the attached BGP neighbor had a matching default RTC route and assumes it has already sent the associated VPN routes. [PR/695918: This issue has been resolved.]

Changes to martian addresses (RFC 5735, which obsoletes RFC 3330) are not reflected in the Junos OS default martian settings. See PSN-2011-10-393. [PR/698121: This issue has been resolved.]

Services Applications

Certain CoS configurations on an IRB interface associated with an MS-DPC result in error messages that do not indicate any functional problem. [PR/680944: This issue has been resolved.]

When an rsp interface is using sp-0/0/0 as its primary service NPU, the system log messages generated by the MS-DPC are incorrectly sourced from 0.0.0.0 instead of the IPv4 address of rspX.0. [PR/680981: This issue has been resolved.]

SNMP polling fails on an MX960 router running Release 10.4R7 when the stateful firewall rule has a match condition for the default snmp application. [PR/690830: This issue has been resolved.]

IPsec throughput dropped suddenly and was hard to recover when the throughput exceeded ~6,7 Gbps. [PR/697529: This issue has been resolved.]

A duplicate SPI from the peer might be rejected during the Internet Key Exchange negotiation. [PR/667178: This issue has been resolved.]

When the IDS service for SYN cookie protection is configured in a service set in a chain with stateful firewall or NAT services, the performance of the services PIC or DPC might degrade over time, eventually reaching a point at which new flows cannot be established until others are removed. To temporarily recover all available resources (memory), restart the services PIC or DPC. The frequency of restarts and the rate of performance degradation depend on the amount of traffic received and processed for IDS SYN cookie protection. [PR/678632: This issue has been resolved.]

Subscriber Access Management

BRAS features do not work in 10.4R6 unless lpdfd is configured to run. [PR/681421: This issue has been resolved.]

User Interface and Configuration

Adding a configuration with the load set terminal command as a restricted user might not be allowed even when the configuration hierarchies are authorized. This issue does not occur with the load merge terminal command. [PR/678664: This issue has been resolved.]

The output of the "show | display set relative" command does not work as expected at certain hierarchy levels. [PR/545073: This issue has been resolved.]

J-Web does not work on multicore Routing Engines that run 64-bit Junos OS. [PR/692444: This issue has been resolved.]


VPLS

During local switching at the mesh group level, split horizon on pseudowire interfaces does not work. This causes packets to loop back to the same pseudowire interface. [PR/678306: This issue has been resolved.]

If a labeled IPv4 or IPv6 route is entered into the forwarding table when no MPLS family is configured on the interface, KRT might get stuck. [PR/679270: This issue has been resolved.]

The VPLS routing table reference count has to be decremented on removal. [PR/674009]

VPNs

Multicast routes without a PIM join state are not updated when the upstream interface goes down. [PR/603600: This issue has been resolved.]

In NG-MVPN, if the 'protocol pim join-load-balance' knob is configured, load balancing does not work and multicast traffic is lost. [PR/677042: This issue has been resolved.]

Previous Releases

Release 10.4R7

The following issues have been resolved in Junos OS Release 10.4R7. The identifier following the description is the tracking number in our bug database.

Forwarding and Sampling

In Junos OS Release 10.1 and later, the SNMP MIB walk for jnxFWCounter does not work. [PR/551857: This issue has been resolved.]

While BGP is active, the sampled memory increases when interfaces bounce. [PR/594509: This issue has been resolved.]

Filter class configurations might fail for aggregated Ethernet interfaces on Trio MPCs/MICs. [PR/609985: This issue has been resolved.]

A Trio MPC on an MX Series router might crash when the instance-type option is configured with a virtual switch and IRB is configured under a bridge domain in VPLS. This issue might also occur when the IRB is configured over a VPLS virtual tunnel. [PR/610808: This issue has been resolved.]

On MX480 routers, the l2ald process dumps core files during an SNMP walk. [PR/669977: This issue has been resolved.]

When firewall filters exist on GRE tunnels, packet drops might occur in the tunnels if a tunnel is added or deleted, the Packet Forwarding Engine restarts (FPC or FEB restart), or a cold graceful Routing Engine switchover occurs. [PR/671902: This issue has been resolved.]


General Routing

When the RD value of a routing instance is changed, the if-route-exists condition that matches a specific route within a routing table in that routing instance within a policy might get stuck with a false evaluation. This might lead to the main policy failing, resulting in an incorrect behavior of that policy. [PR/674616: This issue has been resolved.]

High Availability

On MX Series routers, the error message /kernel: Unlist request: unilist(nh index = 1048575) found on the rnhlist_deleted_root patnode appears continuously. [PR/667046: This issue has been resolved.]

Interfaces and Chassis

The error messages if_pfe_mfr_copy_options_to_ifl: IFD rlsq0:38: Couldn't get the multilink PIC attributes are logged during an RLSQ hot-standby. [PR/516109: This issue has been resolved.]

With Junos OS Release 10.0 or later, when a unified in-service software upgrade is performed, the multicast resolve routes for IPv4 or IPv6 might not be installed properly on all FPCs. As a result, multicast traffic is no longer forwarded. The following system log messages indicate this issue:
RT: Failed prefix change IPv4:0 - 224/4 (unknown prefix)
RT: Failed prefix change IPv6:0 - ff00::/8 (change failed)

Restart the FPC mentioned in the system log message to recover from this condition. [PR/559108: This issue has been resolved.]

When one of the uplink FPCs is taken offline and brought back online, the IBGP sessions might flap. [PR/574412: This issue has been resolved.]

The backup Routing Engine might crash during a label-switched path flap when the old indexed next hop has not yet been deleted and a new indexed next hop with the same properties is received. [PR/589555: This issue has been resolved.]

On MX Series 3D Universal Edge Routers, if a logical interface is part of a logical interface set that has a scheduler map configured, and the logical interface has no output traffic control profile, the scheduler-map field in the output of the show class-of-service interface command is incorrect. [PR/591801: This issue has been resolved.]

When an fxp0 interface is configured to use 100 Mbps speed in full-duplex link mode, the interface appears as administratively down after a reboot. [PR/606703: This issue has been resolved.]

On MX Series routers, when an RX fiber is taken offline, it might take up to 7.5 seconds for the router to report the link fault through remote fault detection to its link neighbor. [PR/607424: This issue has been resolved.]

If a graceful Routing Engine switchover (GRES) is performed while subscribers are logging in to the router, some subscriber sessions can remain in the initialization state. Even though the erroneous sessions cannot be removed, the subscribers can properly log in to the network. [PR/610641: This issue has been resolved.]


When an MPC reboots, the message "Allocation at interrupt level from Kernel heap" is added to the system log file. [PR/612034: This issue has been resolved.]

On a 64-bit kernel running processes in 32-bit mode, the select system call in the kernel does not handle descriptor set sizes in multiples of 4-byte words. [PR/613721: This issue has been resolved.]

A file system leak in /mfs causes the /mfs file system to fill up gradually. This in turn leads to the RAM becoming fully utilized, after which the software uses up the swap space, causing a slowdown. [PR/614576: This issue has been resolved.]

A 4-port 10-Gigabit Ethernet PIC with XFP might flap when a failover occurs on the transmission side. For example, if a failover in transmission takes 10 ms and interface damping is configured as 50 ms, the interface flaps. [PR/662124: This issue has been resolved.]

When an SNMP MIB walk is performed on MX80, MX240, and MX480 routers, the jnxOperatingState variable displays the "unknown" state if the fan speed is set to intermediate. [PR/666852: This issue has been resolved.]

DCD_CONFIG_WRITE_FAILED and "group exceeded" errors appear on MLFR interfaces after a configuration change, because of improper cleanup of counters. [PR/668087: This issue has been resolved.]

The MTU on the logical interface of an MLFR member link displays 0 on a T1 interface. [PR/668710: This issue has been resolved.]

During a graceful Routing Engine switchover (GRES), the new master Routing Engine might send flood next hops to Packet Forwarding Engines in static mode, resulting in the Packet Forwarding Engine dumping core files, under the following conditions:

1. GRES and the enhanced-ip option are configured on the router and the router has created flood next hops.

2. A new configuration that disables both GRES and the enhanced-ip option is committed on the master Routing Engine.

3. The master Routing Engine is rebooted.

4. GRES is performed.

To prevent this issue from occurring, reboot both Routing Engines after the configuration is committed. [PR/668766: This issue has been resolved.]

On routers with Enhanced IQ PICs, when a commit is issued, the following system log message might be seen:
/kernel: %KERN-3: PPP ioctl on (so-0/3/1.0) - flags 0xc011 inx=0 msk=1 idx=0 msk=1
/kernel: %KERN-3: PPP ioctl on (e1-0/3/0:5.0) - flags 0xc011 inx=0 msk=1 idx=0 msk=1

[PR/669329: This issue has been resolved.]

Traffic sent from the Routing Engine on PPPoE sessions is malformed after a graceful Routing Engine switchover. This leads to a failure of control traffic, such as routing protocols, between the subscribers and the Routing Engine. [PR/671034: This issue has been resolved.]

When both the inverse-arp and frame-relay-ether-type options are configured on the same interface, the router fails the configuration check and the configuration is not committed. [PR/674774: This issue has been resolved.]

If the maximum packet length (max-packet-length option) supported on an MPC is set to more than 255 bytes and the incoming packet is more than 255 bytes, the received mirror copy is malformed. As a workaround, change the value of the max-packet-length option from a nonzero value to zero, and restart the MPC. [PR/675891: This issue has been resolved.]

On an MX960 router, the FPC might not come back up after an upgrade to Junos OS Release 10.4R6, 11.1R3, or 11.2R1, with the error message "No power". This issue is caused by a power miscalculation and is observed when all of the following conditions are met:

The MX960 router is used with high-capacity AC PEMs.
One of the high-capacity AC PEMs in a zone has only one feed connected.
The router boots up to one of the Junos OS releases mentioned above.

[PR/676322: This issue has been resolved.]

On MX Series routers with the Junos Trio chipset, the MPC or TFEB (on MX80 routers) might wedge in the host-bound direction and stop forwarding traffic between the Routing Engine and the Packet Forwarding Engine. This affects all Routing Engine-bound and Routing Engine-originated Layer 2 and Layer 3 dynamic protocols, as well as the traffic from the interfaces of the affected MPC. Transit traffic that does not depend on dynamic routing, or that traverses the wedged MPC, is not affected and continues to work. Restart the MPC to recover it from the wedged state. There is no workaround. [PR/676729: This issue has been resolved.]

On routers running 64-bit Junos OS, connections to the FPCs might be closed and reopened, and an FPC might restart depending on which connection is reset. This is caused by the current system uptime being incorrectly compared with the time at which the last TCP segment was received on the socket. The issue might first occur after 24 days and 20 hours of system uptime, and then at intervals of 49 days and 16 hours. The following messages are logged:
fpc1 PPMAN disconnected; Remote side closed
fpc1 L2ALM: %PFE-3: Master closed connection
fpc1 L2ALM: %PFE-3: Master socket closed, 0x435e6330
fpc1 L2ALM disconnected; L2ALM socket closed abruptly
fpc1 CLKSYNC: %PFE-3: Master closed connection
fpc1 CLKSYNC: %PFE-3: Master socket closed, 0x42e82a30
fpc1 CLKSYNC disconnected; CLKSYNC socket closed abruptly
fpc1 CMLC: %PFE-3: Master closed connection
chassisd[1387]: %DAEMON-3-CHASSISD_IPC_CONNECTION_DROPPED: Dropped IPC connection for FPC 1
chassisd[1387]: %DAEMON-5-CHASSISD_IFDEV_DETACH_FPC: ifdev_detach_fpc(1)

[PR/678053: This issue has been resolved.]


Layer 2 Ethernet Services

A timing dependency between an interface configuration and client restoration might cause the client restoration to fail for clients on an IRB interface. [PR/679437: This issue has been resolved.]

When a configured IRB interface is deactivated and activated again, configuration changes might not be applied, resulting in DHCP packets being discarded. As a workaround, restart the DHCP service. [PR/681871: This issue has been resolved.]

MPLS Applications

With Junos OS Release 10.4 and later, if a failure occurs on the current active path while waiting to switch over to an MBB path, the MBB timer is canceled and the MBB path is used immediately. [PR/586079: This issue has been resolved.]

When a router acting as a transit node for a node-link-protected label-switched path sends RESV messages on a restored link without having received a PATH message from the ingress router, the ingress router might send RSVPErr messages that cause a label-switched path teardown and traffic drops. [PR/591301: This issue has been resolved.]

During MBB, when the sender traffic specification (Tspec) and the reservation flow specification do not match, the output of the show rsvp interface command might not reflect the correct reserved bandwidth. [PR/601036: This issue has been resolved.]

When the MPLS protocol is not configured and an interface is configured for the MPLS family, the interface is still displayed in place of a valid interface in the output of the show mpls interface command, even after the interface is deactivated or the MPLS family is removed. [PR/658877: This issue has been resolved.]

Junos OS does not handle MPLS echo-reply packets correctly with multipath type 0. [PR/662814: This issue has been resolved.]

On MX960 routers, the output of the show rsvp neighbor command displays negative values in the MsgRcvd field. [PR/666224: This issue has been resolved.]

When LDP signaling for VPLS is used, the U bit does not follow RFC 4762 in the MAC Address Withdrawal MAC list TLV (0x0404). [PR/669275: This issue has been resolved.]

MPLS automatic bandwidth does not update the maxbw variable correctly during a switchover. [PR/671734: This issue has been resolved.]

When a link that carries a large number of label-switched paths on a router acting as the point of local repair (PLR) goes down, the backup label-switched paths on the PLR might also go down as a result of the backup label-switched paths timing out. [PR/672511: This issue has been resolved.]

The MPLS statistics file might not be updated after a configuration related to the routing protocol process is committed. [PR/680856: This issue has been resolved.]


Network Management

The monitor traffic interface command, when configured to match ARP, does not match any ARP information. [PR/585728: This issue has been resolved.]

When an SNMP MIB walk is performed for ipv6IfNetToMediaState without any IPv6 configuration on the router, the error message "MIB2D_SYSCTL_FAILURE: ipv6_n2m_update_sysctl_info: sysctl getting kernel MD6 data failed: Bad address" appears. [PR/612585: This issue has been resolved.]

When SNMPv3 is used and the notify type is set to inform instead of trap, the response messages from the trap collector cause the error log message validate_interface_access: socket failure: interface index not found (0) to be displayed. [PR/660989: This issue has been resolved.]

The eventd process dumps core files under certain policy configurations. [PR/663871: This issue has been resolved.]

The SNMP optical diagnostics return a wrong scale value of 0.1 dBm instead of 0.01 dBm. [PR/667980: This issue has been resolved.]

Platform and Infrastructure

Within a bridge or VPLS interface, an inter-Packet Forwarding Engine control packet propagates MAC learning data from one Packet Forwarding Engine to another. Under certain circumstances, this control packet might be parsed incorrectly and discarded by the receiving Packet Forwarding Engine. The message ICHIP(x)_REG_ERR:xx Wi seg ucode discards in fabric stream xx pfe_id x is displayed. When this issue occurs, certain MAC addresses cannot be propagated to the other Packet Forwarding Engine. As a result, traffic destined to these MAC addresses might be flooded. [PR/527288: This issue has been resolved.]

On MX Series routers with DPCs, M320 routers with Enhanced 3 FPCs, and M7i, M10i, and M120 routers with enhanced CFEBs, the IMQ might get stuck in a state that causes traffic drops in the queue. [PR/594606: This issue has been resolved.]

On MX80 routers, the jnxMac SNMP query has an incorrect MAC OID. [PR/608029: This issue has been resolved.]

On M320 routers with the l3vpn-composite-nexthop option enabled along with two uplinks on the same FPC-E3 (SFPC), the egress traffic is not load-balanced properly. [PR/612431: This issue has been resolved.]

A transient error in one of the PPE memories might result in an LMEM data error. When this issue occurs, the following messages are logged:
fpc4 LU 0 PPE_0 Errors lmem data error 0x00000042
fpc4 PPE PPE HW Fault Trap: Count 757685325, PC 6115, 0x6115: handle_gauge_init_qsys_mq1_mq2

Although this issue does not indicate that a hard fault exists in the system, packets with this error are dropped. To recover from this issue, reboot the MPC. [PR/614054: This issue has been resolved.]

84

Copyright 2011, Juniper Networks, Inc.

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

An error condition in a routing socket message might lead to memory corruption, a memory leak, and/or a router crash. [PR/659752: This issue has been resolved.]

On TX Matrix Plus routers, if an LCC's master Routing Engine panics, the backup Routing Engine gains mastership, but the FPCs that belong to the LCC might not be able to reconnect to the new master Routing Engine in time. This might cause the FPCs to reset and fail to restart properly until the live kernel core dump on the SFC master Routing Engine has finished. The system log message lcc0-fpc0 PFEMAN: %PFE-3: trying master connection, attempt 1200 to 0x1000001 is reported on the LCC. [PR/659782: This issue has been resolved.]

The first two IPv6 ping requests do not follow the specified ping interval and are sent within the same second. [PR/669065: This issue has been resolved.]

Dynamically allocated memory is corrupted when the Layer 2 data length changes in the receiving next hop. [PR/670710: This issue has been resolved.]

In the rare case where an SRAM parity error remains uncorrected on an FPC, the FPC might crash when a cprod command is used. [PR/670754: This issue has been resolved.]

A jtree memory corruption might occur because of a memory double-free on MLFR interfaces. [PR/671123: This issue has been resolved.]

On platforms that support the Junos Trio chipset, the MPC might crash and restart if the interface policer bind reaches the Packet Forwarding Engine before the interface policer consistent message. This issue might occur in the following scenarios:

- During boot time, if only one interface is configured and the default ARP policer (17000) is bound to this interface.
- When an interface policer is configured and attached to an interface in the same commit.

As a workaround, bring all the MPCs online without configuring any interfaces, and enable the interfaces after the MPCs are online. [PR/676725: This issue has been resolved.]

Routing Policy and Firewall Filters

When a firewall filter with a match clause (prefix-list, source-prefix-list, or destination-prefix-list) refers to more than two prefix lists, and all the prefix lists referred to in the match clause are empty, the firewall filter is incorrectly added to the Packet Forwarding Engine. [PR/678398: This issue has been resolved.]

Routing Protocols

When PIM auto-RP is configured under logical systems, the routing protocol process and the kernel might crash. [PR/595564: This issue has been resolved.]

The routing protocol process crashes a few minutes after some iBGP neighbors are deleted from the configuration. [PR/606952: This issue has been resolved.]

BGP PMTU discovery does not work correctly and causes session flaps because very high MSS values are negotiated. [PR/608970: This issue has been resolved.]


Junos OS 10.4 Release Notes

The OSPF process begins the OSPF database exchange with multiple adjacencies at the same time, which might require a longer time to synchronize the OSPF database. [PR/614357: This issue has been resolved.]

When the accept-remote-nexthop option is enabled and an import policy that changes the next hop to self is used for EBGP sessions, the routing protocol process might crash. [PR/660194: This issue has been resolved.]

The Routing Engine might crash when multiple VRRP groups are configured on an interface. [PR/668657: This issue has been resolved.]

In a scaled environment, the restart routing command might cause the KRT queue (the internal communication channel within the system) to stall because of Device busy errors. This might result in system instability that can only be cleared by rebooting the system. [PR/670808: This issue has been resolved.]

After a graceful Routing Engine switchover, the output of the show bgp summary command does not display the number of "Active routes" correctly for VPN routing instances. [PR/673830: This issue has been resolved.]

If the routing protocol process is configured with more than 2048 internal routing tables, an SNMP query for jnxBgpM2PrefixCounters causes the routing protocol process to crash. As a workaround, limit the number of internal routing tables in the configuration, or avoid queries to the prefix counters. [PR/678859: This issue has been resolved.]

The output of the show pim statistics inet6 command includes fields that are not necessary for IPv6 multicast. [PR/682938: This issue has been resolved.]

Services Applications

When the Layer 2 Tunneling Protocol process restarts, the corresponding kernel data structures are not removed. When the restarted process finds these configuration-related kernel entries, it treats them as an error. [PR/441395: This issue has been resolved.]

Established IPsec and IKE SAs are deleted when an IPsec service set is added or removed. [PR/665912: This issue has been resolved.]

A duplicate SPI from the peer might be rejected during the Internet Key Exchange negotiation. [PR/667178: This issue has been resolved.]

When the endpoint-independent mapping and paired address pooling features are enabled independently on the same NAT pool but in different NAT rules, the Multiservices DPC might crash. As a workaround, do not enable these two features separately in multiple rules. [PR/678962: This issue has been resolved.]

Subscriber Access Management

For configurations with more than 32,000 PPP subscribers, configure the keepalive interval to no less than 75 seconds to avoid subscriber termination due to "no keepalive" errors. [PR/661837: This issue has been resolved.]

When a framed-ip-mask attribute is passed from the RADIUS server while local address pools are used, address protection during a master switch and/or a graceful Routing Engine switchover fails to protect the addresses in use. [PR/673252: This issue has been resolved.]

The pppoed process might crash and dump core files after a graceful Routing Engine switchover. [PR/675937: This issue has been resolved.]

User Interface and Configuration

When a user logs in to the console during a high system log rate, the eventd process might fork child processes when it cannot send the messages. If the number of child processes exceeds the threshold, the kernel eventually crashes. [PR/603706: This issue has been resolved.]

Write access for logical system users is restricted. [PR/678679: This issue has been resolved.]

VPNs

Under certain circumstances, adding and deleting an extranet instance in an MVPN might result in a KRT queue buildup. [PR/422765: This issue has been resolved.]

When a large configuration consisting of hundreds or more pseudowires is merged into a running router, or when such a configuration is loaded on the router, the MIB information for some logical interfaces might be missing. [PR/513585: This issue has been resolved.]

The routing protocol process might crash in an NG-MVPN environment when a p-tunnel next hop is an IPv6 address. [PR/581634: This issue has been resolved.]

The routing protocol process might crash when ingress replication is used as a provider tunnel with multicast VPNs. [PR/661154: This issue has been resolved.]

In an NG-MVPN environment with multiple families configured in BGP, the SRC-AS (type-5) and VRF route import extended communities are added to unrelated families. [PR/665554: This issue has been resolved.]

When family route-target is configured and the BGP protocol configuration is removed and re-added repeatedly, BGP might fail to generate and advertise the local VRF RT-Constrain NLRI to the peers that have negotiated family route-target. This might lead to VPN connection loss, because the remote BGP peer does not receive the expected RT-Constrain routes and therefore does not advertise the associated VPN routes that carry matching route-target extended communities. [PR/666819: This issue has been resolved.]

The routing protocol process dumps core files during P-PIM processing after the default MDT switches to a data MDT. [PR/669365: This issue has been resolved.]

With draft-rosen multicast VPNs and the default-vpn-source option configured, the routing protocol process might crash when the configuration of the lo0.0 interface is changed. The issue occurs when the primary keyword on one of the interface's addresses is added or removed. [PR/670566: This issue has been resolved.]

When host sampling is configured, multicast packets that go through host sampling might cause the error log "RE generated packet output not supported for p2mp multicast composite nexthop". [PR/672744: This issue has been resolved.]


On MX80 routers, the octets of the multicast group of an MBGP MVPN route are printed in reverse order in the output of the show route table VPN-A.mvpn.0 command. [PR/670194: This issue has been resolved.]

When the mplsVpnVrf MIB is polled and a large number of interfaces exist on the device, high CPU usage, scheduler slips, and bounced peers might occur. As a workaround, avoid polling the tables containing the mplsVpnScalars and mplsVpnVrfTable interface counters. [PR/673186: This issue has been resolved.]

Release 10.4R6

The following issues have been resolved in Junos OS Release 10.4R6. The identifier following the description is the tracking number in our bug database.

Access Control and Port Security

In some cases, MX Series routers might not send the Link Layer Discovery Protocol (LLDP) notification trap when LLDP is disabled on the remote neighbor. [PR/560855: This issue has been resolved.]

Class of Service

Packets received by the IQE PIC might be classified incorrectly. This issue occurs when logical interfaces on the same IQE PIC are configured with two families (out of inet, inet6, and mpls). When one of the families is deleted from a logical interface, or a set of logical interfaces, with a particular Layer 2 encapsulation, incoming packets are classified incorrectly the next time a family is deleted from a logical interface with a different Layer 2 encapsulation on the same PIC. [PR/605040: This issue has been resolved.]

In a warm-standby configuration, fragments from the rlsq interface toward the link are sent to the wrong egress queues of the link interface after a graceful Routing Engine switchover. A fixed classifier configured on a different rlsq interface is applied to the incoming fragments, resulting in the fragments being sent to the wrong queues on the link side. [PR/606313: This issue has been resolved.]

Forwarding and Sampling

In Junos OS Release 10.1 and later, the SNMP MIB walk for jnxFWCounter does not work. [PR/551857: This issue has been resolved.]

In very rare situations, deleting a VPLS IFF configuration might cause a panic on the backup Routing Engine. [PR/552240: This issue has been resolved.]

Unexpected load balancing of VPLS traffic might occur when the MPLS payload hash is disabled in the enhanced-hash-key configuration. [PR/600071: This issue has been resolved.]

Memory leaks occur in the l2alm module when IFBD parameters are removed and created again. [PR/605315: This issue has been resolved.]

A forwarding (Packet Forwarding Engine) next hop for a bypass label-switched path in an IPv6 provider edge (6PE) scenario that requires 4 (or 5) MPLS labels to be pushed fails, and the error message "fpc0 NH: invalid nh (1687) for bulk statistics" appears in the system log. [PR/606264: This issue has been resolved.]


When a neighbor frequently fails to answer IPv6 neighbor solicitation messages, or answers with delay, a race condition can mark the neighbor entry reachable in the cache without a MAC address. As a consequence, transit traffic to this neighbor is sent with a random destination MAC address and is flooded by any intermediate switch to all devices on the LAN for the duration of the reachability timeout (approximately 30 seconds). [PR/608439: This issue has been resolved.]

Filter class configurations might fail for aggregated Ethernet interfaces on Trio MPCs/MICs. [PR/609985: This issue has been resolved.]

The pfed process crashes when memory that has already been freed is accessed. The freed memory is accessed while debug counters are updated in the status response processing code; the crash occurs only if the freed memory has been set to NULL or reused. [PR/612271: This issue has been resolved.]

The firewall filter does not block SSH sessions that are established over an IPv6 address. [PR/613501: This issue has been resolved.]

Memory leaks occur in the Packet Forwarding Engine request allocation for a few kernel drivers. [PR/614599: This issue has been resolved.]

When a firewall filter configuration is removed from interfaces that have port mirroring, the system log entry jtree memory free using incorrect value 4 correct 0, or a combination of "Multiple Free :jt_mem_free" entries, might be reported from the DPCs or FEBs. This issue occurs only if the mirror-once option is configured under the port-mirroring statement. As a workaround, remove the mirror-once option and use different port-mirroring instances for ingress and egress port mirroring. [PR/659316: This issue has been resolved.]

High Availability

A unified in-service software upgrade (unified ISSU) with host-bound traffic greater than 5 Kbps causes the host path to become stuck. IQ2 PICs and Enhanced IQ2 PICs remain offline after a unified ISSU under such traffic conditions. [PR/559882: This issue has been resolved.]

The show interfaces interface extensive command might not be able to collect statistics from the Packet Forwarding Engine, and the following system log messages are reported:

/kernel: Process (84954,ifinfo) attempted to exceed RLIMIT_DATA: attempted 131888 KB Max 131072 KB
init: database-replication (PID 86084) exited with status=1
/kernel: Process (86084,bdbrepd) attempted to exceed RLIMIT_DATA: attempted 132048 KB Max 131072 KB

[PR/610238: This issue has been resolved.]

There are no log messages that indicate high levels of utilization of the /mfs file system. [PR/658588: This issue has been resolved.]


Interfaces and Chassis

TCP throughput is poor on MPCs when a policer configuration is applied. [PR/567232: This issue has been resolved.]

The jpppoed process starts tearing down PPPoE logical interfaces before all information has been retrieved. [PR/586847: This issue has been resolved.]

The backup Routing Engine might crash during an LSP flap when the old indexed next hop has not yet been deleted and a new indexed next hop with the same properties is received. [PR/589555: This issue has been resolved.]

The output of the show interfaces interface-set queue command does not display results for Enhanced IQ2 interfaces. Additionally, the command times out without any output on M320 routers. [PR/595991: This issue has been resolved.]

On a Trio MPC/MIC, a label swap over GRE tunnels does not work. [PR/603671: This issue has been resolved.]

When the rlsq redundancy-options option is configured, the MLPFE interface might not forward traffic properly because the secondary interface comes up later than the primary link. As a workaround, reboot the PIC on which the secondary interface resides. [PR/604648: This issue has been resolved.]

Memory used for logical interface messages is not freed on IDL interfaces. [PR/606645: This issue has been resolved.]

Control plane pause frames might cause traffic drops. [PR/608192: This issue has been resolved.]

When a 1-port 10-Gigabit Ethernet PIC is taken offline and brought back online repeatedly, the FPC crashes because of memory issues. [PR/608214: This issue has been resolved.]

If a graceful Routing Engine switchover (GRES) is performed while subscribers are logging in to the router, some subscriber sessions can remain in the initialization state. Although these erroneous sessions cannot be removed, the subscribers can still log in to the network properly. [PR/610641: This issue has been resolved.]

Incorrect parsing of the Authentication Header length field results in an invalid memory read, and the following log messages appear:

atuin fpc1 LU 0 PPE_5 Errors lmem addr error
Apr 29 05:30:14 atuin fpc1 PPE PPE HW Fault Trap: Count 1, PC 56, 0x0056: ipv4_input_set_proto_and_ports

[PR/612510: This issue has been resolved.]

On MX Series routers with PPPoE subscribers configured, when a RADIUS server is not reachable, the PPP interface might get stuck in a disabled state. [PR/613405: This issue has been resolved.]

When a router acts as a transit router (neither LAC nor LNS) and port mirroring is enabled on the ports that send and receive L2TP transit traffic, the traffic received on the access-side port is not mirrored properly. The L2TP transit traffic exiting the router, toward either the core or the access side, is mirrored properly. [PR/614155: This issue has been resolved.]


A file system leak in /mfs causes /mfs to fill up gradually. This in turn leads to RAM being fully utilized, after which the software uses swap space and slows down. [PR/614576: This issue has been resolved.]

The autonomous system fields for the SRC and DST addresses are interchanged when the origin or peer is specified. [PR/659129: This issue has been resolved.]

The MPC might crash when transient errors in a particular memory block are detected by interrupt handlers before they are cleared. [PR/661509: This issue has been resolved.]

On MX Series routers with a gigabit module and auto-negotiation enabled, the "Speed:" field in the output of the show interfaces command displays the real-time link speed instead of the maximum speed of 1 Gbps. This is the expected behavior, as with other auto-negotiation-capable modules. [PR/662605: This issue has been resolved.]

Layer 2 Ethernet Services

When autosensed VLANs are removed using the clear auto-config interface x/x command, not all of the VLANs are removed. [PR/597339: This issue has been resolved.]

When the clear arp command is used in environments with MPLS next hops, some static ARP entries are cleared, which causes traffic to drop. [PR/599681: This issue has been resolved.]

The DHCPv6 local server creates neighbor cache entries that map the link-local address to the client DUID. This creates an issue for clients with multiple network interfaces: the DHCPv6 client might request an IA_NA address using a DUID based on the MAC address of its primary interface and later send IPv6 traffic from a different interface, in which case the traffic is not received. As a workaround, ensure that the client uses the same interface to request an address as it uses for traffic. [PR/608980: This issue has been resolved.]

When all four standard AC Power Entry Modules (PEMs) on an MX960 router are upgraded to high-capacity AC PEMs with the feeds still plugged into the chassis (the chassis is powered off and each standard PEM is upgraded one at a time), the power calculations in the output of the show chassis power command are incorrect because there is no Zone 1 power summary. [PR/609443: This issue has been resolved.]

When a server identifier is configured for an address pool and a client includes the server identifier in the Parameter Request List (option 55), DHCP offers generated by the server on MX Series routers include duplicate copies of that option record. This might cause issues for downstream equipment that does not ignore or supersede the duplicate record. [PR/610854: This issue has been resolved.]

The jdhcpd process might crash when the dhcp-relay configuration includes traceoptions for the database flag (or the all flag, which includes the database flag) and the configuration involves bridge domains with IRB interfaces. Any other dhcp-relay traceoptions flag can be used safely. [PR/661778: This issue has been resolved.]


MPLS Applications

When a router acting as a transit node for a node-link-protected label-switched path (LSP) sends RESV messages on a restored link without having received a PATH message from the ingress router, the ingress router might generate RSVPErr messages that cause an LSP teardown and traffic drops. [PR/591301: This issue has been resolved.]

The MPLS filter does not work on an interface configured under a virtual-router routing instance. As a workaround, configure LDP in the instance and disable it on all interfaces where it is not used. [PR/601989: This issue has been resolved.]

Under certain situations, the automatic bandwidth timer smearing algorithm does not space out the timers evenly. [PR/606051: This issue has been resolved.]

When the no-cspf option at the [edit protocols mpls] hierarchy level is activated or deactivated, the routing protocol process crashes. [PR/608219: This issue has been resolved.]

When RSVP MTU signaling is added to or removed from the configuration and an LSP flap occurs, the routing protocol process might dump core files. This applies only to the ingress router with circuit cross-connect (CCC) when the MTU change affects the transmit LSP because of RSVP MTU signaling. [PR/610434: This issue has been resolved.]

The routing protocol process dumps core files during automatic bandwidth adjustment of LSPs that went down and are in the process of coming up. [PR/665584: This issue has been resolved.]

Network Management

In some cases where SNMP bulk packets are handled and the backend handler times out, the snmpd process might crash. [PR/607704: This issue has been resolved.]

In Junos OS Release 10.2 and later, when SNMP queries on statistics-related OIDs associated with JUNIPER-DOM-MIB occur, the mib2d process size increases and ultimately reaches the maximum permitted size because of a memory leak in the MIB. When the maximum permitted process size is reached, the system log message /kernel: Process (pid,mib2d) attempted to exceed RLIMIT_DATA: attempted 512016 KB Max 512000 KB is logged. [PR/608206: This issue has been resolved.]

Platform and Infrastructure

Under certain circumstances, the control packet between Packet Forwarding Engines might be parsed incorrectly and discarded by the receiving Packet Forwarding Engine, and the message ICHIP(x)_REG_ERR:xx Wi seg ucode discards in fabric stream xx pfe_id x appears. When this issue occurs, a certain MAC address cannot be propagated to the other Packet Forwarding Engine, and traffic destined to this MAC address can be flooded. [PR/527288: This issue has been resolved.]

When an interface with an IPv6 address has the rpf-check option enabled and any IPv6 address is configured on a management interface, IPv6 link-local connectivity on the interface with the rpf-check option is affected, and all protocols that use the link-local address go down or get stuck. There is no workaround. [PR/546115: This issue has been resolved.]


Under certain circumstances, packets that exit the child links of an aggregated interface configured for VPLS (PE-to-CE link) might get corrupted and be dropped by the receiving router because of checksum errors. [PR/552224: This issue has been resolved.]

When configuration changes (for example, enabling a subinterface on an aggregated Ethernet interface) are made, the following error messages are generated:

edge9.dal1 mib2d[99053]: cleared lacp info not found for ifl:201
edge9.dal1 mib2d[99053]: lacp info not found for ifl:202
edge9.dal1 mib2d[99053]: cleared lacp info not found for ifl:202
edge9.dal1 mib2d[99053]: lacp info not found for ifl:203

[PR/575128: This issue has been resolved.]

When traffic engineering shortcuts for IPv6 are enabled, traceroutes to any IPv6 destination that resolves to an IPv4 label-switched path next hop do not show the intermediate label-switching router that performs the label swap operation. There is no workaround. [PR/583705: This issue has been resolved.]

On T Series routers running Junos OS Release 10.0 and later where aggregated Ethernet-based multicast routes exist, after a unified in-service software upgrade (unified ISSU), the backup Routing Engine dumps core files when it comes online. [PR/589035: This issue has been resolved.]

Under certain circumstances where a multicast VRF is configured, when a change such as activating or deactivating a routing instance is performed, jtree memory might be freed multiple times. This might result in the DPCs crashing without generating a core file. [PR/603821: This issue has been resolved.]

The IRB MTU calculation is incorrect for IPv4 traffic when the IRB interface uses VPLS on MPCs. [PR/606555: This issue has been resolved.]

In Junos OS Release 10.2 and later, Type 4 ES FPCs might crash when a PIC is taken offline and brought back online, or when a configuration change is made to the PIC that automatically causes the PIC to reset (for example, setting framing sdh for the PIC). [PR/609143: This issue has been resolved.]

Routing Protocols

The nonstop active routing option is not applicable to logical systems. However, this option is currently enabled for logical systems based on its default value. [PR/569731: This issue has been resolved.]

The message "cannot perform nh operation ADDANDGET" is logged after each unilist flap. This is a cosmetic error and does not affect functionality. [PR/591773: This issue has been resolved.]

In scenarios involving back-to-back events where a next hop for which an acknowledgment is requested is added and then deleted, if the delete operation is performed before the acknowledgment is received, the kernel might end up with a stale data structure. When the routing protocol process exits (as a result of restarting the Routing Engine or a graceful Routing Engine switchover), the stale data might be accessed, causing a two-byte memory corruption that can result in a kernel panic. [PR/599234: This issue has been resolved.]


The routing protocol process crashes a few minutes after some iBGP neighbors are deleted from the configuration. [PR/606952: This issue has been resolved.]

The bfd process might restart with a core dump because of a memory leak when BFD sessions come up or go down. [PR/608346: This issue has been resolved.]

The routing protocol process (rpd) might crash when neighbors of different families are configured in one BGP group. [PR/611644: This issue has been resolved.]

In multihop BFD with nonstop active routing scenarios, the BFD session might flap during graceful Routing Engine switchover events. [PR/613612: This issue has been resolved.]

Services Applications

On MX240 routers, huge interleaved RSTP-length packets might be discarded. [PR/660644: This issue has been resolved.]

Established IPsec and IKE SAs are deleted when an IPsec service set is added or removed. [PR/665912: This issue has been resolved.]

Subscriber Access Management

The DSL Forum VSA Access-Loop-Encapsulation (26-144) is improperly encoded and incorrectly reported in RADIUS messages. [PR/598467: This issue has been resolved.]

RADIUS accounting start, interim, and stop messages do not include the Acct-Authentic attribute (RADIUS attribute 45). [PR/602446: This issue has been resolved.]

Certain configurations of DHCP for subscriber access running on a dynamic demultiplexing interface might leave the router in a bad state. [PR/610978: This issue has been resolved.]

The ATM2 PIC stops forwarding traffic after a unified in-service software upgrade. [PR/613881: This issue has been resolved.]

On M120 routers, when an FEB switches over because of an FEB software crash, the control connection between the Routing Engine and the IQ2/IQ2E PIC might be lost. This might result in a traffic blackhole on logical interfaces added to the PIC after the FEB switchover. [PR/658689: This issue has been resolved.]

Under certain conditions where a 100-Gigabit Ethernet PIC is reset, the PIC reverts from the configured vlan-steering mode to the default sa-multicast mode. [PR/659681: This issue has been resolved.]

IP fragmentation on PPPoE subscriber interfaces might cause the output queue to become stuck. [PR/661302: This issue has been resolved.]

Attempting to remove a large number of L2TP-tunneled PPP subscribers by bringing down the connection between the L2TP access concentrator and the L2TP network server can leave some subscribers in the active state. [PR/665572: This issue has been resolved.]


User Interface and Configuration

When a long interface description (greater than 1000 characters) is configured, the XML output for the interface might get corrupted. This causes the interface output to be displayed incorrectly and the XML output to be unusable by a Junos OS script. [PR/497363: This issue has been resolved.]

VPNs

When a large configuration consisting of hundreds or more pseudowires is merged into a running router, or when such a configuration is loaded on the router, the MIB information for some logical interfaces might be missing. [PR/513585: This issue has been resolved.]

When draft-rosen MVPN is configured for IPv4 and NG-MVPN is configured for IPv6, the routing protocol process might crash when the NG-MVPN mode is RPT-SPT. [PR/605770: This issue has been resolved.]

With nonstop active routing and a large number of LDP-based VPLS instances configured, the routing protocol process might crash during a graceful Routing Engine switchover. [PR/610594: This issue has been resolved.]

The routing protocol process might dump core files when VPLS is configured and active while VPLS traces are enabled. As a workaround, disable VPLS traces. [PR/610744: This issue has been resolved.]

The Packet Forwarding Engine parses a non-first IPv4 fragment as a Layer 2 Tunneling Protocol packet and incorrectly drops it. There is no workaround. [PR/611029: This issue has been resolved.]

In a multicast VPN environment, the routing protocol process dumps core files when the default-vpn-source option is configured and the mtrace CLI command is executed. [PR/613754: This issue has been resolved.]

Release 10.4R5

The following issues have been resolved in Junos OS Release 10.4R5. The identifier following the description is the tracking number in our bug database.

Class of Service

Drop profiles might sometimes arrive out of order in unified ISSU scenarios, and the Trio MPC asserts under this condition. [PR/548840: This issue has been resolved.]

Upon a graceful Routing Engine switchover and a cosd process restart, the error "GENCFG write failed for Scheduling Policy 48541. Reason: File exists" appears in the logs for an rlsq interface with a per-unit scheduler configured. [PR/589206: This issue has been resolved.]

Cflow does not work when different autonomous system types are configured in two flow servers. [PR/595943: This issue has been resolved.]

When label-switched path automatic bandwidth adjustment is configured with traffic sampling, the message /usr/sbin/sampled[3401]: read_mpls_fec_record: HIT is continuously added to the system log file. [PR/600226: This issue has been resolved.]

Copyright 2011, Juniper Networks, Inc.


The output of the show interfaces queue command displays incorrect values for the interface queue statistics under the header RL-dropped packets. This column displays the count of tail-dropped packets instead of the count of packets dropped due to rate limiting. [PR/600570: This issue has been resolved.]
When an IQ PIC or Enhanced IQ PIC is replaced with an Enhanced IQ2 PIC and the configuration change is committed on the RED drop profile, the FPC might crash. [PR/602197: This issue has been resolved.]
On a warm-standby configuration, fragments from the rlsq interface towards the link are sent to the wrong egress queues of the link interface after a graceful Routing Engine switchover. A fixed classifier configuration on a different rlsq interface gets applied to the incoming fragments, resulting in the fragments being sent to the wrong queues on the link side. [PR/606313: This issue has been resolved.]
DHCP subscribers might not be able to connect on an MX Series router after authentication is disabled within the DHCP local server configuration. [PR/607094: This issue has been resolved.]

Forwarding and Sampling

In an inet6 firewall filter, the choices for the next-header include icmp, icmp6, and icmpv6. The icmp6 option should not exist, as configuring this option results in a commit failure because it is not a valid keyword. Use the icmpv6 option instead. [PR/523363: This issue has been resolved.]
The firewall policer does not police traffic correctly on interfaces with Junos Trio chipsets. [PR/545234: This issue has been resolved.]
When the routing protocol process writes routes to the route record file and the file reaches its maximum file size, the routing protocol process rotates the file, releasing the lock. However, when sampled acquires the lock, it reads invalid data from the old file, causing the routing protocol process to crash. [PR/570303: This issue has been resolved.]
On an all-static (static logical interfaces, static class of service, and filters) over AE configuration, a large configuration change might result in high CPU usage and a long period of time for the change to be propagated. [PR/595509: This issue has been resolved.]
When a policer is configured in a PTSP dynamic profile, the actual policing rate is 8 times the configured rate. As a workaround, configure the policing rate to be 8 times smaller than the desired rate. [PR/598406: This issue has been resolved.]
The router might experience a kernel crash due to a memory leak when a member link of an aggregated Ethernet bundle repeatedly leaves and rejoins the bundle. [PR/598450: This issue has been resolved.]
A forwarding (Packet Forwarding Engine) next hop for a bypass label-switched path in a 6PE scenario that requires 4 (or 5) MPLS labels to be pushed fails, and the error message "fpc0 NH: invalid nh (1687) for bulk statistics" appears in the system log. [PR/606264: This issue has been resolved.]


Memory leaks occur in the l2alm module when IFBD parameters are removed and created again. [PR/605315: This issue has been resolved.]
Filter class configurations might fail for aggregated Ethernet interfaces on Trio MPCs/MICs. [PR/609985: This issue has been resolved.]
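The PR/523363 entry above notes that icmp6 is not a valid next-header keyword and that icmpv6 must be used instead. The following inet6 firewall filter is an added example, not configuration from the release notes or from Juniper, showing the valid keyword in a loopback protection filter; the filter, term, policer and counter names, the match list of ICMPv6 types, and the policer rates are assumptions chosen for illustration.

```junos
/* Added example (not from the release notes). Filter, term, policer and
   counter names and the rate limits are assumptions for illustration. */
firewall {
    family inet6 {
        filter protect-re-v6 {
            term allow-neighbor-discovery {
                from {
                    /* "next-header icmp6" would fail at commit time; icmpv6 is the keyword. */
                    next-header icmpv6;
                    icmp-type [ neighbor-solicit neighbor-advertisement router-advertisement ];
                }
                then accept;
            }
            term rate-limit-icmpv6-echo {
                from {
                    next-header icmpv6;
                    icmp-type [ echo-request echo-reply ];
                }
                then {
                    policer icmpv6-echo-policer;
                    accept;
                }
            }
            term count-and-drop-other-icmpv6 {
                from {
                    next-header icmpv6;
                }
                then {
                    count icmpv6-discards;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
    policer icmpv6-echo-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input protect-re-v6;
                }
            }
        }
    }
}
```

Applying the filter on lo0 puts it in front of traffic destined to the Routing Engine, which is where an ICMPv6 rate limit is usually wanted; the counter on the discard term makes dropped ICMPv6 visible in show firewall output so that the term can be verified after commit.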

High Availability

A unified in-service software upgrade (unified ISSU) with host-bound traffic greater than 5 Kbps causes the host path to become stuck. The IQ2 and Enhanced IQ2 PICs remain offline after a unified ISSU under such traffic conditions. [PR/559882: This issue has been resolved.]
When a Tri-rate Enhanced DPC (model number DPCE-R-40GE-TX) interface is configured at a nondefault speed (10m or 100m), and a unified in-service software upgrade (unified ISSU) is performed, packets are lost for 60 seconds. [PR/573353: This issue has been resolved.]
DPC and FPC interfaces on MX Series routers might crash during a unified in-service software upgrade (unified ISSU). [PR/573686: This issue has been resolved.]
The master Routing Engine of an MX Series router with more than 64,000 DHCP subscribers distributed across multiple Gigabit Ethernet links and aggregated Ethernet bundles on multiple slots might experience a vmcore when a graceful Routing Engine switchover is initiated using the CLI. [PR/590552: This issue has been resolved.]

Interfaces and Chassis

A native-vlan-id option with the value of 0 does not permit untagged packets to be accepted on the interface. [PR/525875: This issue has been resolved.]
On M120 routers with a redundant FEB configuration, when an FEB switchover occurs while traffic is being sent to an ATM2 PIC, the interfaces on that ATM2 PIC might stop forwarding traffic. [PR/549679: This issue has been resolved.]
The unicast MAC statistics might show incorrect values when multicast traffic is forwarded. [PR/551791: This issue has been resolved.]
When approximately more than four logical interfaces exist on a SONET interface with Frame Relay encapsulation, and when the logical interfaces are deleted one by one and added back again without deleting logical interface 0, the logical interfaces do not get created. [PR/555335: This issue has been resolved.]
Under certain circumstances, the input LACP statistics might not be shown, including for tagged and untagged aggregated Ethernet interfaces on T Series routers. [PR/558774: This issue has been resolved.]
On the same PIC slot of a 20-port 1-Gigabit Ethernet Enhanced DPC and 2-port 10-Gigabit Ethernet Enhanced DPC, any Tri-Rate Copper SFP transceiver with the auto-negotiation statement configured under the [show interfaces interface-name gigether-options] hierarchy level bounces when an SFP-SX fiber is plugged or unplugged. [PR/564121: This issue has been resolved.]
A master-only IFA configuration works only for the master node. When the backup node tries to use this configuration, the configuration and the entire parsing fail. This results in none of the interfaces coming back up and the chassisd process failing. [PR/575244: This issue has been resolved.]

Routers with Junos Trio chipsets do not report ARP control packets as policed discards in the interface statistics. [PR/575945: This issue has been resolved.]
The Packet Forwarding Engine might run out of memory if multicast upstream and downstream are on different FPCs and a multicast next-hop change occurs. [PR/577319: This issue has been resolved.]
Symmetrical hashing on Trio MPCs does not work. [PR/579790: This issue has been resolved.]
The MPCs on an MX Series router might crash when the maximum number of BGP ECMP paths is more than 16. [PR/580213: This issue has been resolved.]
On Enhanced IQ2 PICs, low-priority schedulers that add up to 100% cannot be committed. [PR/581778: This issue has been resolved.]
Under rare circumstances, the Routing Engine might crash when aggregated interfaces are deleted from the configuration. [PR/583757: This issue has been resolved.]
On M120 and M320 routers, the Routing Engine might show nonmeaningful characters in the DIMM field when the show chassis hardware detail command is used. This is a cosmetic issue. [PR/585069: This issue has been resolved.]
The interface-control process might dump core files under heavy stress that includes addition or deletion of logical interfaces. [PR/585767: This issue has been resolved.]
No error messages are displayed when incorrect values are passed to the show oam ethernet connectivity-fault-management interfaces value extensive command. [PR/589689: This issue has been resolved.]
When a load merge operation is performed on a large configuration with routing instances and interfaces, a few demultiplexing logical interfaces might not get created. [PR/589985: This issue has been resolved.]
On an M320 router, when a Switch Interface Board (SIB) is removed without taking it offline and then reinserted, the SIB goes into the check state when it is brought back online. To clear this condition, take the SIB offline and bring it back online. [PR/596402: This issue has been resolved.]
On an MX80 router and on MX Series routers with MX-MPC1-3D, MX-MPC2-3D-EQ, MX-MPC2-3D, and MPC-3D-x MPCs, host-bound packets to an interface might get dropped when the adjacent IP address of this interface is configured on either the same or a different interface in the router. This issue occurs only when the adjacent IPv4 addresses have the same first 30 bits and bit 9 set (that is, the highest-order bit of the second octet is set, for example 169.254.x.y or 192.128.x.y). To resolve this issue, deactivate and again activate the affected interface. [PR/596446: This issue has been resolved.]
Input framing errors might occur on a 10-Gigabit Ethernet port when the sending port is a 10-port 10-Gigabit Ethernet PIC port. This occurs only when the port is configured for wan-phy framing. [PR/598618: This issue has been resolved.]


UDP packets are mistakenly treated as RTP packets, causing the CRTP engine of the LSQ PIC to crash. [PR/598773: This issue has been resolved.]
On an IQ2 PIC or Enhanced IQ2 PIC, the log message pic_copy_port_info:Got cable_type for FPC 7 PIC 0 port 4 cable num=32, str=GIGE 1000T appears continuously. [PR/601476: This issue has been resolved.]
A crash in "ifinfo" might occur when some interfaces slide through the controller interface (for example, channelized OC3/12/48) checks in the ifinfo API when these interfaces are not of controller types. [PR/601632: This issue has been resolved.]
A unit-level MTU configuration change on an FRF.16 interface might result in a link bounce. [PR/602390: This issue has been resolved.]
When the route-memory-enhanced statement is enabled using the set chassis route-memory-enhanced command and rpf-check is enabled under an interface, traffic forwarding is affected. As a workaround, disable the route-memory-enhanced option. [PR/603661: This issue has been resolved.]
On a Trio MPC/MIC, a label swap over GRE tunnels does not work. [PR/603671: This issue has been resolved.]
MX80 routers might not detect an XFP-10G-SR in a built-in 4-port 10-Gigabit Ethernet MIC. [PR/604336: This issue has been resolved.]
When the rlsq redundancy-options option is configured, the MLPPP interface might not forward traffic properly. This is due to the secondary interface coming up later than the primary link. As a workaround, reboot the PIC where the secondary interface resides. [PR/604648: This issue has been resolved.]
When the 802.3ah link-oam feature is enabled, the interface does not go down during Dying Gasp or Critical Event conditions. [PR/605335: This issue has been resolved.]
The jpppd process might restart after PPPoE and L2TP access concentrator (LAC) subscribers log in and subsequently log out. [PR/606824: This issue has been resolved.]
Control plane pause frames might cause traffic drops. [PR/608192: This issue has been resolved.]

Layer 2 Ethernet Services

An MX Series router terminating DHCP relay subscribers experiences a problem when an MPC terminating the users is taken offline and brought back online using the CLI. A number of the DHCP users on that card go into a Releasing state after the MPC is toggled. [PR/576835: This issue has been resolved.]
On an MX Series router, the MPC does not program the fabric plane mapping correctly. [PR/592023: This issue has been resolved.]
The fabric active LED does not switch on when the following steps are performed:
1. The fabric-mode option is set to Increased Bandwidth.
2. The fabric active LED is switched off using the request chassis fabric mode redundant-fabric command.
3. The fabric-mode option is set to Increased Bandwidth again.
As a workaround, remove the SCB and reinsert it to switch the LED back on again. [PR/594736: This issue has been resolved.]

DHCP subscriber login and logout tests show that a small number of clients remain blocked in the RELAY_STATE_WAIT_SUBSCR_DELETE state on the router, even after the client has disconnected. [PR/598790: This issue has been resolved.]
When the clear arp command is used in environments with MPLS next hops, some static ARP entries are cleared, which causes traffic to drop. [PR/599681: This issue has been resolved.]
When the login rate of DHCP clients is high, a client may time out and try again. When this occurs, the IP Demux0 interface is already created and it might not get torn down. Instead, a new IP Demux0 interface is created. This results in a stale IP Demux0 interface. [PR/603511: This issue has been resolved.]
When a server identifier is configured for an address pool and a client includes the server identifier in the Parameter Request list (Option 55), any DHCP offers generated by the server on MX Series routers include duplicate copies of that option record. This might cause issues for downstream equipment that does not ignore or supersede the duplicate record. [PR/610854: This issue has been resolved.]

MPLS Applications

When large configurations are parsed, the routing protocol process might cause the pseudowire LDP sessions to go down. [PR/569076: This issue has been resolved.]
The routing protocol process crashes when an MVPN routing instance is activated and deactivated. [PR/571131: This issue has been resolved.]
During a network failure that causes sub-label-switched paths (sub-LSPs) of a point-to-multipoint LSP to go down, CSPF is triggered for the point-to-multipoint LSP on behalf of the sub-LSP. If the traffic engineering database has not converged, the CSPF attempt might fail. There might be several attempts to bring up the sub-LSP at different times, which causes CSPF to be triggered for the point-to-multipoint LSP again before the traffic engineering database has converged. For a point-to-multipoint LSP with a large number of sub-LSPs, this might trigger CSPF repeatedly, causing high CPU utilization. [PR/581276: This issue has been resolved.]
The status of task replication for LDP does not change from the "In progress" state. [PR/582966: This issue has been resolved.]
When RSVP label-switched paths (LSPs) are recovered after a graceful Routing Engine switchover restart, the automatic bandwidth timer smearing function does not work. [PR/592478: This issue has been resolved.]
While upgrading Junos OS from Release 10.3 to Release 10.4, certain MPLS features cause a memory corruption that causes the routing protocol process to crash. [PR/595166: This issue has been resolved.]
On SRX Series Services Gateways and MX Series routers, the output of the monitor label-switched-path command displays a mirror image of the IP addresses of the ingress and egress routers of the label-switched path. [PR/598156: This issue has been resolved.]


When Junos OS receives an empty address type, length, and value (TLV) for LDP, the TLV is treated as malformed instead of as an empty address TLV, and the session is closed. [PR/599922: This issue has been resolved.]
Packet loss on local traffic occurs inside a VRF when composite next hops and per-packet load balancing are configured. [PR/600951: This issue has been resolved.]
During make-before-break (MBB), when the sender traffic specification (Tspec) and the reservation flow specification do not match, the output of the show rsvp interface command might not reflect the correct reserved bandwidth. [PR/601036: This issue has been resolved.]
The MPLS filter does not work on an interface configured under a virtual-router type routing instance. As a workaround, configure LDP in the instance and disable it on all interfaces where it is not used. [PR/601989: This issue has been resolved.]
If the LDP Internal Routing Socket (IRS) between the standby and master Routing Engines is closed because of any error (such as a socket write error) and established again, all the sessions that are already in the In-Sync state remain in the Not-In-Sync state on the master Routing Engine and in the In-Sync state on the standby Routing Engine. Also, the status of task replication for the LDP protocol remains in progress forever. [PR/609149: This issue has been resolved.]
When RSVP MTU signaling is added to or removed from a Junos OS router configuration, and a label-switched path (LSP) flap occurs, the routing protocol process might dump core files. This applies only to the ingress router with circuit cross-connect (CCC) when the MTU of the transmit LSP changes due to RSVP MTU signaling. [PR/610434: This issue has been resolved.]

Network Management

In Junos OS Release 10.2 and later, when SNMP queries on statistics-related OIDs associated with JUNIPER-DOM-MIB occur, the mib2d process size increases and ultimately reaches the maximum size permitted due to a memory leak in the MIB. When the maximum process size permitted is reached, a system log message /kernel: Process (pid,mib2d) attempted to exceed RLIMIT_DATA: attempted 512016 KB Max 512000 KB is added. [PR/608206: This issue has been resolved.]

Platform and Infrastructure

A ping originated from a VRF produces the RPM message "wrong data byte #8 should be 0x8 but was 0x4b", and the packets are corrupted. [PR/527128: This issue has been resolved.]
The output of the show route forwarding-table interface-name command displays the information for all the interfaces. [PR/553145: This issue has been resolved.]
When the l3vpn-composite-nexthop option is used in combination with ipv6-tunnel, the tunnel label might be pushed only when the VPN traffic is forwarded at the ingress PE router. As a workaround, configure the inet6 family on the egress interface, or do not use ipv6-tunnel, or enable the l3vpn-composite-nexthop option. [PR/564076: This issue has been resolved.]
The following error messages kept appearing on a PE router (a T1600 router) when AE/AS interfaces flapped:

earthquake fpc4 jtree memory free using incorrect value 2 correct 0
earthquake fpc4 JTREE: (jt_mem_free) size 0 for addr 172654, seg 1, inst 0
earthquake fpc4 Multiple Free :jt_mem_free
earthquake fpc4 Version 11.2I1 by jyan on 2010-12-23 18:12:21 UTC
earthquake fpc4 Frame 00: sp = 0x447e7aa0, pc = 0x40036720
earthquake fpc3 jtree memory free using incorrect value 2 correct 0
earthquake fpc3 JTREE: (jt_mem_free) size 0 for addr 172562, seg 1, inst 0

[PR/577710: This issue has been resolved.]

IRB routes fail to install on Packet Forwarding Engines (both DPC and MPC) when the uRPF check is enabled on the IRB interface. [PR/588615: This issue has been resolved.]
When a bridge domain or VPLS instance with snooping enabled is deleted, or a change is made to the VLAN ID of a VPLS instance where snooping is enabled, the following system log error entries are reported by the Packet Forwarding Engine:

RT: Failed prefix delete IPv4 - 0.83.0.1.0.82.224/52 (invalid prefix for IGMP snooping) on FE 0
RT: Failed prefix delete IPv4:86 - 0.83.0.1.0.82.224/52 (jt delete failed)
RT: Failed prefix delete IPv4:86 - 0.83.0.1.0.82.224/52 (rt delete failed)
rt_jtree_topo_handler, route topo (pfx 0.101.0.1.0.99.224/52) getting disconnected, installing discard
RT(rt_entry_snoop_find_prefixes): No bd structure found for bd_index = 101
rt_jtree_change: prefix is not correct

[PR/590139: This issue has been resolved.]

In scenarios involving back-to-back events where a next hop is added and deleted and an acknowledgement is requested, if the delete operation is performed before the acknowledgement is received, there is a chance that the kernel ends up with a stale data structure. When the routing protocol process exits (as a result of restarting the Routing Engine, or a graceful Routing Engine switchover event), the stale data might be accessed, causing a two-byte memory corruption. This might result in a kernel panic. [PR/593047 and 599234: This issue has been resolved.]
When an MLFR (FRF.16) bundle is under a race condition that involves a bundle member link flap combined with events that keep the Packet Forwarding Engine busy (many route and next-hop additions, deletions, or changes), the routing lookup chip (on the FPC that hosts the CE1 member links) might stop forwarding all traffic. During this period, the message fpc5 RCHIP(1): RKME int_status 0x10000000 is logged as an indication of this issue. [PR/594544: This issue has been resolved.]

Jtree memory leaks occur when the route-memory-enhanced option or the l3vpn-composite-nexthop option is enabled. As a workaround, disable the route-memory-enhanced option. [PR/594835: This issue has been resolved.]
The line card might crash when an IRB interface (configured in a bridge domain) is used as the core interface of a VPLS instance by establishing an MPLS pseudowire over the IRB interface. [PR/596077: This issue has been resolved.]
The VLAN range is incorrectly added to the outer VLAN instead of the inner VLAN, causing the validation to fail. [PR/596977: This issue has been resolved.]


When protocol-independent multipath is configured (using the set routing-instances xxx routing-options multipath command), the output of the show route command might display nonexistent routes. Such a route is displayed as created by the multipath protocol, but has a path identical to the active route for that prefix. This issue is cosmetic. [PR/600199: This issue has been resolved.]
On an M10i router with an Enhanced Compact Forwarding Engine Board (CFEB-E), when a multiport (4-port) PIC is installed in slot 1 of 3 and there is no PIC in the chassis, the upper ports of the PIC in slot 1 of 3 stop forwarding traffic. This issue also occurs on the M120 router when two Type 1 FPCs are mapped to one FEB and a multiport PIC is installed alone in the last (8th) slot of the Packet Forwarding Engine. [PR/601342: This issue has been resolved.]
When a VPLS node peers with more than 64 VPLS peers under a single VPLS domain, the Packet Forwarding Engine might crash due to corruption. [PR/603401: This issue has been resolved.]
An NPC core file might be generated after PPP subscribers log in and log out for several hours. [PR/604620: This issue has been resolved.]
Traffic going out of CCC interfaces configured with a native VLAN ID might be forwarded without removing the VLAN tag. This might cause the traffic to be discarded at the receiving end. [PR/606696: This issue has been resolved.]
In Junos OS Release 10.2 and later, the Type 4 ES FPCs might crash when a PIC is taken offline and brought back online, or when a configuration change is made to the PIC that automatically causes a PIC reset (for example, setting 'framing sdh' for the PIC). [PR/609143: This issue has been resolved.]

Routing Protocols

Dead entries are not removed from the forwarding table when the IP address of a directly connected interface is configured locally. [PR/490907: This issue has been resolved.]
In Junos OS Release 10.0 and later, a direct route in a VRF with a rib-group is not advertised as an inet-vpn route to the IBGP neighbor due to the error "BGP label allocation failure: Need a nexthop address on LAN." [PR/552377: This issue has been resolved.]
The routing protocol process crashes when the following three events occur:
1. Flow routes are configured.
2. Both dfwd and the routing protocol process shut down due to a reboot.
3. The dfwd process takes the libdfwd connection down before the routing protocol process cleans up.
[PR/574753: This issue has been resolved.]

After a router reboots, the label-switched paths on one of the interfaces do not come back up. [PR/576809: This issue has been resolved.]


On very large configuration files, RPD_SCHED_SLIP messages might be logged due to suboptimal configuration parsing and interpretation. [PR/581918: This issue has been resolved.]
When a BGP configuration that contains a large number of peers (approximately 3000 peers) is removed, the backup Routing Engine might dump core files. [PR/587495: This issue has been resolved.]
The standby Routing Engine might erroneously treat a spooled write on an rsync session as an error and bounce the rsync session. [PR/595286: This issue has been resolved.]
When eiBGP is configured (using the set routing-instances foo multipath vpn-unequal-cost equal-external-internal command) and either graceful Routing Engine switchover or nonstop routing is configured, or the routing protocol process is restarted (using the restart routing immediately command), the routing protocol process might not be able to restart on the active Routing Engine, or might subsequently crash and not be able to restart. [PR/596999 and 604462: This issue has been resolved.]
When the accept-remote-source option is enabled for all interfaces, unexpected traffic might be accepted on the vt- interface. This option should be enabled only on the PIM interface where the remote source traffic is expected to arrive. [PR/597481: This issue has been resolved.]
Under certain circumstances, PIM might send an (S,G,rpt) prune message to the rendezvous point (RP) even before the corresponding (*,G) join is sent to the rendezvous point. This results in the multicast traffic flowing through the RPT for a minute, until PIM sends its next periodic J/P message. [PR/598735: This issue has been resolved.]
When auto-RP is used in a mixed Cisco and Juniper Networks topology with negative and positive prefixes announced by the rendezvous point, no PIM state for the sparse positive prefixes exists on the downstream Juniper Networks routers. As a workaround, configure all positive sparse prefixes under the pim dense-group protocol statement as reject. [PR/599257: This issue has been resolved.]
When a PIM RP interface (pe or pd) is removed, the associated timer is not cleared. This leads to the routing protocol process dumping core files. [PR/599823: This issue has been resolved.]
When the no-delegate-processing option is removed using the set routing-options ppm <> command, not all Routing Engine-based sessions might be delegated. [PR/605254: This issue has been resolved.]
The bfd process might restart with a core dump due to a memory leak when bfd sessions come up or go down. [PR/608346: This issue has been resolved.]
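The PR/597481 entry above makes the point that accept-remote-source belongs on the one PIM interface where remote-sourced traffic is expected, not on every interface. The two PIM stanzas below are an added illustration, not configuration taken from the release notes or from Juniper: the first is the broad form that the entry warns about, the second the scoped form. The interface name ge-1/0/0.0 and the use of sparse mode are assumptions chosen for the example.

```junos
/* Added example (not from the release notes); ge-1/0/0.0 is an assumed
   interface name. Broad form: every PIM interface, including the vt-
   interface used for multicast tunnels, accepts remote-sourced traffic. */
protocols {
    pim {
        interface all {
            mode sparse;
            accept-remote-source;
        }
    }
}

/* Scoped form: only the interface facing the remote source carries the
   option; the other PIM interfaces keep the default behaviour. */
protocols {
    pim {
        interface all {
            mode sparse;
        }
        interface ge-1/0/0.0 {
            mode sparse;
            accept-remote-source;
        }
    }
}
```

In Junos an explicit interface stanza takes precedence over interface all, so the scoped form keeps sparse mode on every interface while limiting the accept-remote-source exception to the one link where it is needed; show pim interfaces can be used after the commit to confirm which interfaces are participating.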

Services Applications

A services PIC interface goes down permanently when Layer 2 Tunneling Protocol services are configured with system logging. [PR/570054: This issue has been resolved.]
On MX80 routers, an SNMP walk on jnxOperatingTemp does not return the FEB operating temperatures. [PR/592752: This issue has been resolved.]


Running the show services stateful-firewall statistics summary command causes the system log message Unknown svc_set_id: 0 to be logged. [PR/602617: This issue has been resolved.]
When a router receives fragmented IPsec packets, the packets might be treated as an ESP authentication failure and might get dropped if the total length of the ESP payload is less than 12 bytes. [PR/603444: This issue has been resolved.]

Subscriber Access Management

Duplicate subscriber addresses exist after a graceful Routing Engine switchover due to an authd issue. [PR/595156: This issue has been resolved.]
RADIUS packets are corrupted when DSL Forum VSAs are transmitted by the MX Series router in RADIUS Access-Request and accounting messages. [PR/598460: This issue has been resolved.]
The authd process might restart on an MX Series router when the router is configured as an L2TP access concentrator and PPP subscribers try to connect. This issue occurs when RADIUS servers are unavailable or overloaded. As a workaround, reduce the load on the RADIUS server and configure the revert-interval value to 0 (using the set radius options revert-interval 0 command) to increase the availability of the RADIUS server. [PR/601045: This issue has been resolved.]

User Interface and Configuration

When a long interface description (greater than 1000 characters) is configured, the XML output for the interface might get corrupted. This causes the interface output to be displayed incorrectly and the XML output to be unusable by a Junos OS script. [PR/497363: This issue has been resolved.]
The delete interfaces | display set | match command deletes the entire interface configuration. [PR/512821: This issue has been resolved.]
When the delete policy-options as-path command is used, an empty as-path might exist in the configuration, which causes the commit to fail. In some cases, only the commit synchronize command fails, with a syntax error on the backup Routing Engine. This issue occurs only when the edit private command is used. As a workaround, use the edit command instead of the edit private command, or use the delete policy-options as-path path-name command instead of the delete policy-options as-path path-name path-value command. [PR/542902: This issue has been resolved.]
When the time zone is set to Europe/Moscow on a router with dual Routing Engines, the commit at "time-string" command fails and the following error messages appear:

root@Mx240-2-RE0# commit at "2011-04-07 08:26"
re0:
configuration check succeeds
re1:
error: unrecognizable time string '2011-04-07 08:26:00 MSD'
re0:
error: remote commit-configuration failed on re1

[PR/598562: This issue has been resolved.]


VPNs

An snmpwalk on JUNIPER-VPN-MIB::jnxVpnPwRowStatus might return the message Error: OID not increasing. [PR/591247: This issue has been resolved.]
When draft-rosen MVPN is configured for IPv4 and NG-MVPN is configured for IPv6, the routing protocol process might crash in scenarios where the NG-MVPN configured mode is RPT-SPT. [PR/605770: This issue has been resolved.]
When a PIC with multicast tunnel service is disabled in a draft-rosen MVPN setup, the routing protocol process might crash. This issue occurs only when data-mdt is enabled. [PR/607550: This issue has been resolved.]
The routing protocol process might dump core files when VPLS is configured and active while VPLS traces are enabled. As a workaround, disable VPLS traces. [PR/610744: This issue has been resolved.]

Release 10.4R4

The following issues have been resolved in Junos OS Release 10.4R4. The identifier following the description is the tracking number in our bug database.

Class of Service

The MIB entries for a logical interface on an IQE PIC for the MIB table jnxCosQstatTable are not created. Additionally, no data can be retrieved through the SNMP. [PR/589832: This issue has been resolved.]

Forwarding and Sampling

The interface accounting profile does not count the input bytes correctly for a logical interface. [PR/562964: This issue has been resolved.]
When the routing protocol process writes routes to the route record file and the file reaches its maximum file size, the routing protocol process rotates the file, releasing the lock. However, when sampled acquires the lock, it reads invalid data from the old file, causing the routing protocol process to crash. [PR/570303: This issue has been resolved.]
On M Series, T Series, and J Series routers, when the installation of a filter that contains a logical interface policer or a physical interface policer fails (for example, due to insufficient jtree memory), the FPC might crash. [PR/579271: This issue has been resolved.]


High Availability

A replication error might occur when a user route with a local next hop is propagated to the backup Routing Engine before the corresponding IFA is replicated. [PR/559458: This issue has been resolved.]

Interfaces and Chassis

Upon a link-up event, old packets from the previous link-down are still dequeued. This leads to huge latency reports. [PR/515842: This issue has been resolved.]

When a configuration contains a large number of logical interfaces, and graceful Routing Engine switchover is not configured, the restart chassis-control command might result in some of the FPCs staying offline. As a workaround, enable graceful Routing Engine switchover (set chassis redundancy graceful-switchover). [PR/532030: This issue has been resolved.]

When an IFF maximum transmission unit (MTU) size is configured less than the current MTU size, the message "MTU for address reduced to mtu" is added to the log file. [PR/544026: This issue has been resolved.]

When approximately more than four logical interfaces exist on a SONET interface with Frame Relay encapsulation, and the logical interfaces are deleted one by one and added back again without deleting logical interface 0, the logical interfaces do not get created. [PR/555335: This issue has been resolved.]

After an MX80 router is upgraded to Junos OS Release 10.3, the "Front Panel Alarm Indicators" LEDs do not show any status in the output of the show chassis craft-interface command, even when a chassis alarm is set on the router. [PR/558046: This issue has been resolved.]

When MAC address filters are configured on an aggregated Ethernet interface, the MAC filters might not be programmed on the child link of the aggregated Ethernet interface if and only if the following sequence of events occurs:
1. The aggregated Ethernet interface is disabled through a configuration change.

2. A graceful Routing Engine switchover occurs and the aggregated Ethernet interface is subsequently enabled on the new master Routing Engine.

[PR/561106: This issue has been resolved.]

The show interface description command does not select interfaces according to routing instances. [PR/575096: This issue has been resolved.]

When a cable is disconnected and connected between Ethernet OAM MEPs, incorrect flaps occur on an interface with only one MEP. [PR/576481: This issue has been resolved.]

The maintenance association intermediate point (MIP) might not function after a system reboot. [PR/584070: This issue has been resolved.]

The maintenance association intermediate points (MIPs) might not respond to 802.1ag link traces that are destined to reach the MIPs. [PR/584331: This issue has been resolved.]


On MX Series MPCs, host packets might be dropped due to traffic congestion. [PR/584521: This issue has been resolved.]

When certain configuration changes are made and the FPC is restarted, the SFP optic does not appear in the output of the show chassis hardware command. [PR/584705: This issue has been resolved.]

On a 10-Gigabit Ethernet MPC with SFP+, the configuration for the interface to go down when the low Rx power threshold is reached does not work. [PR/585030: This issue has been resolved.]

On Trio MPCs, the log message "fpcX MQCHIP(0) LI Packet length error, pt entry 11" might appear when the maximum-packet-length option is configured under port mirroring. [PR/587266: This issue has been resolved.]

An interface with Ethernet OAM configured keeps flapping due to an adjacency timer issue. [PR/588032: This issue has been resolved.]

When the excess-rate statement at the [edit class-of-service schedulers] hierarchy level is configured on a queue of a Multilink Point-to-Point Protocol and Multilink Frame Relay bundle, packet drops occur. [PR/588734: This issue has been resolved.]

The output of the show chassis power command displays the DC output value even when the PEM is switched off. [PR/589866: This issue has been resolved.]

On MX80 and MX Series routers with MX-MPC1-3D, MX-MPC2-3D-EQ, or MX-MPC2-3D MPCs and Tri-Rate Copper SFP (SFP-1GE-T), the interface might stop forwarding traffic when traffic is flowing through the interface and the interface is disabled and enabled again, or a link flap event occurs. There is no workaround to prevent this issue. Ensure that there is no traffic through the interface when the interface is disabled and enabled again. If the issue is encountered, do the following:

For nonaggregated interfaces, ensure that no traffic is being routed to the failed interface. Use the ping count 5 rapid size 1 remote-interface-ip-address command to recover the interface and enable traffic to flow through the interface again.

For aggregated interfaces, remove the affected interface from the aggregate interface configuration at both ends and assign an IP address to both endpoints. Use the ping count 5 rapid size 1 remote-interface-ip-address command to recover the interface and enable traffic to flow through the interface again. After the interface recovers, add it back to the aggregate interface configuration at both ends.

[PR/590236: This issue has been resolved.]

On MX80, MX240, and MX480 routers, jnxFruState shows an unknown state if the fan speed is set to intermediate. [PR/593703: This issue has been resolved.]

On MX80 and MX Series routers with MX-MPC1-3D, MX-MPC2-3D-EQ, MX-MPC2-3D, or MPC-3D-x MPCs, host-bound packets to an interface might get dropped when the adjacent IP address of this interface is configured on either the same or a different interface in the router. This issue occurs only when the adjacent IPv4 addresses have the same first 30 bits and bit 9 set (that is, the highest-order bit of the second octet is set, for example 169.254.x.y or 192.128.x.y). To resolve this issue, deactivate and again activate the affected interface. [PR/596446: This issue has been resolved.]
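The PR/596446 trigger is stated as two bit-level conditions on a pair of IPv4 addresses. As an added illustration, not part of the Juniper release notes, the following Python encodes those conditions so an operator can scan a router's configured interface addresses for pairs that meet them. It generalizes the two examples given (169.254.x.y and 192.128.x.y) to any second octet of 128 or greater, which is what "highest-order bit of the second octet set" means, so 192.168.x.y point-to-point /30 links also match. The interface names and addresses in INTERFACES are constructed sample data, not taken from the release notes.

```python
"""Scan a router's local IPv4 interface addresses for pairs that match the
PR/596446 trigger described in the release note (added example, not Juniper code)."""
import ipaddress
from itertools import combinations
from typing import Iterable, List, Tuple

# Counting from the most significant bit as bit 1, bit 9 of an IPv4 address
# is the highest-order bit of the second octet.
BIT_9_MASK = 0x00800000
# "Same first 30 bits": the two addresses fall in the same /30.
PREFIX_30_MASK = 0xFFFFFFFC


def matches_pr596446_pattern(a: str, b: str) -> bool:
    """True when two distinct IPv4 addresses share their first 30 bits and have bit 9 set."""
    x = int(ipaddress.IPv4Address(a))
    y = int(ipaddress.IPv4Address(b))
    if x == y:
        return False  # the same address twice is not an adjacent-address pair
    same_prefix = (x & PREFIX_30_MASK) == (y & PREFIX_30_MASK)
    # Bit 9 lies inside the shared 30-bit prefix, so checking one address is enough.
    bit9_set = bool(x & BIT_9_MASK)
    return same_prefix and bit9_set


def find_exposed_pairs(interfaces: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Given (interface-name, address/prefix) entries, return every pair of local IPv4
    addresses that meets the trigger, as (name1, addr1, name2, addr2) tuples.
    IPv6 entries are ignored because the condition is defined on IPv4 addresses."""
    local_v4 = []
    for name, cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        if iface.version == 4:
            local_v4.append((name, str(iface.ip)))
    return [
        (n1, a1, n2, a2)
        for (n1, a1), (n2, a2) in combinations(local_v4, 2)
        if matches_pr596446_pattern(a1, a2)
    ]


# Constructed sample data standing in for a router's interface configuration.
INTERFACES = [
    ("ge-0/0/0.0", "169.254.1.1/30"),
    ("ge-0/0/1.0", "169.254.1.2/30"),   # peer address of ge-0/0/0.0 also configured locally
    ("ge-0/0/2.0", "10.0.0.1/30"),
    ("ge-0/0/3.0", "10.0.0.2/30"),      # same /30, but second octet < 128 so bit 9 is clear
    ("ge-0/0/4.0", "2001:db8::1/64"),   # IPv6, ignored
    ("lo0.0", "192.128.7.9/32"),
]

if __name__ == "__main__":
    for n1, a1, n2, a2 in find_exposed_pairs(INTERFACES):
        print(f"{n1} ({a1}) and {n2} ({a2}) match the PR/596446 trigger pattern")
```

Feeding the function the output of a configuration export (one entry per inet address) gives a quick pre-upgrade inventory of interfaces whose deactivate/activate workaround might be needed on the affected MPCs.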

When a port is configured for wan-phy framing, input framing errors occur when the sending port is a 10-port 10-Gigabit Ethernet PIC. [PR/598618: This issue has been resolved.]

On an MX960 router, the MPC reboots at regular intervals. [PR/601080: This issue has been resolved.]

On an IQ2 or Enhanced IQ2 PIC, the log message pic_copy_port_info:Got cable_type for FPC 7 PIC 0 port 4 cable num=32, str=GIGE 1000T appears continuously. [PR/601476: This issue has been resolved.]

MPLS Applications

The routing protocol process might dump core due to corrupted data in the equal-cost multipath (ECMP) indirect next-hop memory location. [PR/561031: This issue has been resolved.]

When the first label-switched path (LSP) displayed in the output of the show mpls lsp command is down, the following LSP that is up is used for a sufficient number of routes. The LSP that is down might be duplicated in the output from time to time. This is a cosmetic issue. [PR/588714: This issue has been resolved.]

On MX80 routers, an SNMP walk operation for LDP tables might cause the routing protocol process to crash. [PR/589923: This issue has been resolved.]

When RSVP label-switched paths (LSPs) are recovered from a graceful Routing Engine switchover restart, the autobw timer smearing function does not work. [PR/592478: This issue has been resolved.]

While upgrading Junos OS from Release 10.3 to Release 10.4, certain MPLS features cause a memory corruption that results in the routing protocol process crashing. [PR/595166: This issue has been resolved.]

Multicast

The Packet Forwarding Engine might run out of memory when multicast upstream and downstream are on different FPCs, and a multicast next-hop change occurs. [PR/577319: This issue has been resolved.]

Network Management

The mib2d process leaks memory during SNMP walks. [PR/586074: This issue has been resolved.]

Platform and Infrastructure

When the route-memory-enhanced configuration statement is used, the BFD peers might go down and not come back up. [PR/559933: This issue has been resolved.]

With two MICs on the same MPC, taking one MIC offline resets the IS-IS and BFD sessions on the other MIC. [PR/577873: This issue has been resolved.]


The class-of-service configuration on an sp interface might not take effect after the router or the FPC hosting the sp interfaces is rebooted. This might occur when the Lin table on the SLCHIP is initialized to a specific format. [PR/580740: This issue has been resolved.]

In Junos OS Release 9.4 and later, Layer 2 and Layer 3 must explicitly be configured for the M7i router's Adaptive Services Module (ASM) to support the mode. [PR/581153: This issue has been resolved.]

On MX240, MX480, and MX960 routers, the MPCs might crash when the protocols rsvp load-balance bandwidth statement is configured. [PR/586323: This issue has been resolved.]

In rare cases, the kernel thread might get blocked in the middle of a kernel routing protocol process acknowledgment processing. This might result in the corruption of the kernel state and a kernel crash. [PR/586693: This issue has been resolved.]

When a loopback firewall filter is deployed on a T Series router with ES FPCs installed, a mixture of some of the following messages is displayed:
routername fpc0 SRCHIP(1): %PFE-6: 512 Multicast list discard route entries
routername fpc0 SRCHIP(1): %PFE-3: RKME int_status1 0x100
routername fpc2 SRCHIP(0): %PFE-6: 1 Multicast list discard route entries
routername fpc2 SRCHIP(0): %PFE-3: RKME int_status1 0x100
routername fpc3 SLCHIP(0): %PFE-3: 2 new errors last stream 32 last lout_key 0xfa
routername fpc3 CMALARM: %PFE-3: Error (code: 6, cmalarm_passive_alarm_signal (illegal link) in DESRD type:Minor) encountered,
routername fpc3 SLCHIP(0): %PFE-3: 2 new errors last stream 32 last lout_key 0xfa
routername fpc3 CMALARM: %PFE-3: Error (code: 6, cmalarm_passive_alarm_signal (illegal link) in DESRD type:Minor) encountered,

This occurrence of RKME errors does not affect the transit traffic. [PR/588212: This issue has been resolved.]

When nonstop active routing is enabled after a graceful Routing Engine switchover, the protocol session might go down because the ppmd TCP session from the Routing Engine to the Packet Forwarding Engine is in an unknown state. [PR/588405: This issue has been resolved.]

Some host-bound packets might get dropped on E2 FPCs when there is heavy host-bound traffic. [PR/588414: This issue has been resolved.]

When the l3vpn-composite-nexthop option is enabled on an aggregate interface, the FPC might crash. [PR/590371: This issue has been resolved.]

During a neighbor advertisement, the router responds to any neighbor whose target address exists in the IPv6 neighbor cache. [PR/593849: This issue has been resolved.]

When a Multilink Frame Relay (MLFR) (FRF.16) bundle is under a race condition that involves an MLFR bundle member link flap combined with events that keep the Packet Forwarding Engine busy (many routes and next-hop additions, deletions, or changes), the routing lookup chip (on the FPC that hosts the CE1 member links) might stop forwarding all traffic. During this period, the message fpc5 RCHIP(1): RKME int_status 0x10000000 is logged as an indication of this issue. [PR/594544: This issue has been resolved.]

Dual tagged interfaces configured with inner VLAN range might not be programmed in the HW properly. [PR/596977: This issue has been resolved.]

Routing Protocols

Under certain circumstances, the BGP path selection does not follow the local preference. This might lead to incorrect BGP path selections. [PR/513233: This issue has been resolved.]

When an EX Series switch with Layer 2, Layer 3, and multicast protocols configured is rebooted, the Bidirectional Forwarding Detection protocol (BFD) might start and stop while multiple duplicate PPM entries are created on the Routing Engine. [PR/551267: This issue has been resolved.]

The routing protocol process crashes when the following three events occur:

1. Flow routes are configured.

2. Both dfwd and the routing protocol process shut down due to a reboot.

3. The dfwd process takes the libdfwd connection down before the routing protocol process cleans up.

[PR/574753: This issue has been resolved.]

When a core-facing DPC is restarted, the message "mcsn: cannot perform nh operation ADDANDGET nhop (null) type indirect index 0 errno 22" appears. A trigger also moves the interfaces from bridge domains to VPLS instances. To clear this issue, restart multicast snooping. [PR/576058: This issue has been resolved.]

On Trio MPCs, when an IRB interface and a VT interface exist in VPLS, the MPC might crash after the protocol, link, or route flaps. [PR/579767: This issue has been resolved.]

RPD_SCHED_SLIP messages might be logged due to suboptimal configuration parsing and interpretation on large configuration files. [PR/581918: This issue has been resolved.]

The routing protocol process might dump core files when the Distance Vector Multicast Routing Protocol (DVMRP) prune lifetime expires. [PR/584752: This issue has been resolved.]

With NSR enabled, the MPLS label of the routes might incorrectly be allocated when a virtual loopback tunnel (VT) interface exists in the routing instance. [PR/584915: This issue has been resolved.]

The configured label-switched path metric in IS-IS might not get updated with the new metric in the route when the metric changes to a higher value while LDP tunneling is turned on. [PR/587554: This issue has been resolved.]

The routing protocol process dumps core files when OSPF causes a memory corruption. [PR/588018: This issue has been resolved.]

PIMv2 packets do not get forwarded over an integrated routing and bridging (IRB) interface on MPCs. [PR/589360: This issue has been resolved.]


The show bgp replication command on the master Routing Engine might sometimes get stuck in the "InProgress" state. [PR/589783: This issue has been resolved.]

The CPU utilization of the routing protocol process might increase if BGP is completely disabled and then reenabled while many SNMP queries are in progress. [PR/590030: This issue has been resolved.]

The routing protocol process might dump core files when the traceoptions statement is included at the [edit routing-options] hierarchy level. As a workaround, disable the traceoptions statement. [PR/596007: This issue has been resolved.]

Services Applications

When an snmpwalk operation is performed on the jnxSpSvcSetSvcType object or any of its subobjects, the SPD_DB_SVC_SET_ADD_FAILURE log message appears. [PR/546808: This issue has been resolved.]

A NAT configuration with blobs greater than 32,000 might result in 100 percent utilization of the CPU resources. [PR/578678: This issue has been resolved.]

Subscriber Access Management

The accounting-port statement at the [edit access profile profile-name radius-server server-address] hierarchy level is not supported in Junos OS Release 10.4. To specify a nondefault accounting port, do not configure the port on the RADIUS server at the [edit access profile profile-name radius-server server-address] hierarchy level. Instead, use the accounting-port statement at the [edit access radius-server server-address] hierarchy level to specify the port. [PR/590912: This issue has been resolved.]

RADIUS packets are malformed when DSL Forum vendor-specific attributes (VSAs) are transmitted by MX Series routers in RADIUS access request and accounting messages. [PR/598460: This issue has been resolved.]

User Interface and Configuration

If several get-configuration RPCs are sent to the router in quick succession, the mgd process might crash. [PR/586416: This issue has been resolved.]

A rollback command followed by the commit command sends notifications to all the processes, leading to high CPU utilization. [PR/591903: This issue has been resolved.]

VPNs

In a VPLS multihoming scenario, the routing protocol process might crash when a VPLS instance is deleted from the configuration. [PR/585113: This issue has been resolved.]

Fragmenting IPsec packets between the originator and the end tunnel might cause an Encapsulating Security Payload (ESP) authentication failure at the end tunnel. [PR/603444: This issue has been resolved.]

Release 10.4R3

The following issues have been resolved in Junos OS Release 10.4R3. The identifier following the description is the tracking number in our bug database.


Class of Service

When a valid rate limit is configured on an interface from a DPCE-R-Q-20GE-2XGE card, the router might log a message incorrectly that the configuration is not supported. The rate-limit functionality is, however, correctly implemented in the hardware. [PR/574764: This issue has been resolved.]

Forwarding and Sampling

When Routing Engine sampling is configured, and each flow server corresponds to a different autonomous system type, the packet size of the exported cflowd v5/8/500 packets might increase. [PR/530008: This issue has been resolved.]

When a VPN routing and forwarding table (VRF table) is configured in a logical system, and there is no loopback filter configured in the VRF table while one is configured on the logical system and the default router, packets destined for the VRF table reach the filter configured in the logical system. However, they are expected to reach the filter configured in the default route table. [PR/575060: This issue has been resolved.]

Interfaces and Chassis

Upon a link-up event, old packets from the previous link-down are still dequeued. This leads to huge latency reports. [PR/515842: This issue has been resolved.]

On M320 routers with E3-based FPCs, the MAS value of the queue on Fast Ethernet interfaces does not match the buffer size configuration when a low temporal value is used in the configuration. [PR/553909: This issue has been resolved.]

Under certain conditions, both the primary and the secondary sections of the interface might get disabled. To recover from this condition, deactivate and activate the interface configuration. [PR/559656: This issue has been resolved.]

When MAC address filters are configured on an aggregated Ethernet interface, the MAC filters might not be programmed on the child link of the aggregated Ethernet interface if and only if the following sequence of events occurs:
1. The aggregated Ethernet interface is disabled through a configuration change.

2. A graceful Routing Engine switchover occurs and the aggregated Ethernet interface is subsequently enabled on the new master Routing Engine.

[PR/561106: This issue has been resolved.]

When graceful Routing Engine switchover is configured on the backup Routing Engine, some situations might lead to the next-hop cleanup not being performed properly. [PR/566885: This issue has been resolved.]

On a 10-Gigabit Ethernet MPC with SFP+, the following IDMEM parity error messages appear:
MX960-LAB fpc3 LU 2 RD_NACK 2 AP[0x04] TOE Write 0x002913a0
MX960-LAB fpc3 LU 2 IDMEM Parity error in Bank 3, Count 10, IDMEM Bank 3 Offset 0x00014899 IDMEM[0x00052274]


These messages repeat as long as the software encounters the error. These error messages occur within uninitialized memory locations. [PR/569887: This issue has been resolved.]

Incorrect K2 bytes might be transmitted if the mode bits are not set correctly by the apsd process. [PR/569903: This issue has been resolved.]

When the maximum transmission unit (MTU) is set on an AE interface, the AE logical interfaces inherit an MTU value that is equal to the Ethernet MTU value excluding the Ethernet header. When a VLAN demultiplexing (demux) logical interface is created with an underlying AE interface, the VLAN demux logical interface inherits an MTU value equal to the full Ethernet MTU. This is because the MTU on demux interfaces is not set correctly. As a workaround, set the proper MTU value when the family is configured on these interfaces. [PR/579957: This issue has been resolved.]

MPLS Applications

VPLS frames might be dropped on the MPLS core routers that are equipped with Trio MPCs. [PR/578190: This issue has been resolved.]

When a label-switched path (LSP) reoptimization event (due to an automatic bandwidth adjustment or an optimization timer expiry) occurs during a sampling event, the sample is skipped. Due to this, the LSP's bandwidth calculation might be inaccurate during the next sampling event. This inaccuracy might lead to an overestimation of the bandwidth value, thereby causing the affected LSPs to be resignaled with a higher bandwidth value at the next automatic bandwidth adjustment. [PR/580919: This issue has been resolved.]

In Junos OS Release 10.0 and later, with the adaptive parameter configured, when a class-of-service-based forwarding (CBF) RSVP label-switched path (LSP) is deleted, an allocated port ID might not be released. Deleting an RSVP LSP deletes its paths automatically. Even if no path is configured explicitly, the implicit primary path is automatically deleted. Because of this, when LSP paths are added and deleted repeatedly over time, the port ID space is exhausted and the routing protocol process might crash when an LSP or path is configured after that. [PR/584032: This issue has been resolved.]

Under certain circumstances when automatic bandwidth is enabled for an LSP, the statistics record for the LSP is carried over to the new session after an LSP optimization. Therefore, the estimated bandwidth for the LSP is higher than expected. [PR/585250: This issue has been resolved.]


Network Management

The mib2d process leaks memory during SNMP walks. [PR/586074: This issue has been resolved.]

Platform and Infrastructure

The IPv6 BGP neighbors might not come back to the up state when an FPC associated with that session is manually taken offline, removed, and re-inserted. [PR/552376: This issue has been resolved.]

No ICMP host redirect messages are generated when there are multiple VLANs configured on an interface (multiple logical interfaces on a single physical interface). [PR/559317: This issue has been resolved.]

When the same local link address is configured on two interfaces, the message "/kernel: ip6_getpmtu: Invalid Stored MTU" is displayed continuously. [PR/560079: This issue has been resolved.]

When IPv6 packets have a size greater than 1232 bytes, the packets get fragmented. [PR/571596: This issue has been resolved.]

After an upgrade to Junos OS Release 10.1 or later, load sharing does not work with Ethernet Layer 2 Virtual Private Networks and circuit cross-connect (CCC) traffic. [PR/573934: This issue has been resolved.]

On standalone platforms with graceful Routing Engine switchover enabled (using the set chassis redundancy graceful-switchover command), or on multichassis platforms (TX Matrix and TX Matrix Plus routers), when a unilist changes rapidly, the backup Routing Engine kernel might crash. On single-chassis systems, when the kernel crashes on the backup Routing Engine, no loss of forwarding is seen. However, on multichassis systems, both the master and backup Routing Engines on a line card chassis, as well as the switch card chassis backup Routing Engines, crash. This causes a severe impact and loss of forwarding. The following log is recorded at the time of the kernel crash:
savecore: %DAEMON-1: reboot after panic: nhlist_free unable to add unilist(index = xxxxxxx)to treernhlist_deleted_root.

[PR/575386: This issue has been resolved.]

After a few graceful Routing Engine switchovers, the firewall filter applied on the loopback interface might affect the internal control packets from the PICs to the Routing Engine. The PICs might fail to come back online if the packets are blocked. [PR/578049: This issue has been resolved.]

In Junos OS Release 9.4 and later, Layer 2 and Layer 3 must explicitly be configured for the M7i router's Adaptive Services Module (ASM) to support the mode. [PR/581153: This issue has been resolved.]

When a loopback firewall filter is deployed on a T Series router with ES FPCs installed, a mixture of some of the following messages is displayed:
routername fpc0 SRCHIP(1): %PFE-6: 512 Multicast list discard route entries
routername fpc0 SRCHIP(1): %PFE-3: RKME int_status1 0x100
routername fpc2 SRCHIP(0): %PFE-6: 1 Multicast list discard route entries
routername fpc2 SRCHIP(0): %PFE-3: RKME int_status1 0x100
routername fpc3 SLCHIP(0): %PFE-3: 2 new errors last stream 32 last lout_key 0xfa
routername fpc3 CMALARM: %PFE-3: Error (code: 6, cmalarm_passive_alarm_signal (illegal link) in DESRD type:Minor) encountered,
routername fpc3 SLCHIP(0): %PFE-3: 2 new errors last stream 32 last lout_key 0xfa
routername fpc3 CMALARM: %PFE-3: Error (code: 6, cmalarm_passive_alarm_signal (illegal link) in DESRD type:Minor) encountered,

This occurrence of RKME errors does not affect the transit traffic. [PR/588212: This issue has been resolved.]

Routing Protocols

Under certain circumstances, the BGP path selection does not follow the local preference. This might lead to incorrect BGP path selections. [PR/513233: This issue has been resolved.]

A rare race condition might cause the routing protocol process to crash when an (s,g)/(*,g) entry is removed. [PR/551949: This issue has been resolved.]

When the routing protocol process is restarted after a crash or a mastership switch, the kernel and the routing protocol process reference counters for the flood branch next hop might no longer be in sync. The exposure is high in NGEN-MVPN with many local receivers and constant churn of joins and prunes of multicast groups. The routing protocol process might assert and restart while deleting a flooded next hop. As a workaround, restart the system, or deactivate all MVPN instances to get the kernel and the routing protocol process back in sync upon a routing protocol process restart. [PR/561127: This issue has been resolved.]

The 3D Packet Forwarding Engines might experience a rare transient error that temporarily corrupts one of the lookup engines, resulting in packet loss. A set of messages similar to the following is displayed:
fpc0 LU 0 PPE_7 Errors ucode data error 0x00000184
fpc0 PPE Thread Timeout Trap: Count 3, PC 20, 0x0020: entry_index_nh
fpc0 PPE HW Fault Trap: Count 10831395, PC 2c, 0x002c: entry_policer_nh

Restart the Packet Forwarding Engine to clear this error state. [PR/564998: This issue has been resolved.]

In an LDP nonstop active routing configuration, the LDP replicate session between the master and the backup Routing Engine might be stuck. This might result in incorrect updates to the backup LDP database. As a workaround, deactivate and activate the nonstop active routing configuration again when the router gets into this state. [PR/567148: This issue has been resolved.]

On MX80 routers, when IPv6 Virtual Router Redundancy Protocol (VRRP) is configured, the virtual MAC address for the VIP address is not programmed into the Packet Forwarding Engine. As a result, the traffic that passes through the VIP address (both transit and host-bound) is discarded as a destination address reject on the interface. [PR/576211: This issue has been resolved.]


When local AS and auto-export are configured in a hub-spoke environment, hidden routes might exist. [PR/578833: This issue has been resolved.]

The configured label-switched path metric in IS-IS might not get updated with the new metric in the route when the metric changes to a higher value while LDP tunneling is turned on. [PR/587554: This issue has been resolved.]

Services Applications

FTP sessions that last long periods (several minutes or hours) are suddenly disconnected when traffic is still flowing on the data channel. [PR/579475: This issue has been resolved.]

User Interface and Configuration

A commit script that activates an apply group might fail to pass the commit check logic. [PR/576384: This issue has been resolved.]

VPNs

IP packets with certain sizes (around 287 bytes of total IP packet size) are corrupted while traversing the Layer 2 circuit or Layer 2 Virtual Private Network and the IP packets terminate on MX Series routers with Trio MPC installed. This corruption of IP packets happens in either of the following two cases:

The Layer 2 circuit or Layer 2 Virtual Private Network is terminated (the CCC interface is) on the Trio MPC card. In this case, packets with a total IP packet size equal to 284, 285, or 286 bytes are corrupted.

The uplink (PE-P link) is on the Trio MPC card. In this case, packets with a total IP packet size equal to 288, 289, or 290 bytes are corrupted.

[PR/566761: This issue has been resolved.]

Release 10.4R2

The following issues have been resolved in Junos OS Release 10.4R2. The identifier following the description is the tracking number in our bug database.

Class of Service

On T Series routers, when the class-of-service scheduling or queuing parameters on an interface with high traffic utilization (close to the line rate or oversubscribed) are changed, the FPC that hosts the interface might restart. This issue is specific to non-ES type FPCs. [PR/565307: This issue has been resolved.]

When a firewall filter containing the packet loss priority (PLP) rewrite references a policer that also contains the PLP rewrite, a two-time PLP rewrite occurs: the PLP bits of the packets matching the filter condition are set by the PLP set action in the policer, and later the PLP set action is applied by the firewall filter. [PR/566896: This issue has been resolved.]


Forwarding and Sampling

When Routing Engine sampling is configured, and each flow server corresponds to a different autonomous system type, the packet size of the exported cflowd v5/8/500 packets might increase. [PR/530008: This issue has been resolved.]

With sampled traffic on a Multiservices PIC, the multicast convergence slows down with the message "RPD_KRT_Q_RETRIES: Indirect Next Hop Update: No buffer space available." [PR/554363: This issue has been resolved.]

Making any circuit cross-connect (CCC) filter changes might render the Packet Forwarding Engine busy, which might cause a slow statistics response. [PR/554722: This issue has been resolved.]

When a loopback filter is configured, packets sent by the ASIC to the Packet Forwarding Engine's CPU for generation of TTL expiry notifications are dropped. [PR/555028: This issue has been resolved.]

The mib2d process might crash when a race condition exists between the mib2d process and the dfwd process. [PR/563419: This issue has been resolved.]

When a firewall filter with multiple terms references the same three-color policer and has the same count variable configured in each term, any IP packets that match the second or later terms might get corrupted. Use different count variables in each term to prevent this issue. [PR/567546: This issue has been resolved.]

The RADIUS Accounting Interim message might not be sent immediately after a Change of Authorization (CoA), even if the CoA is successfully processed and the coa-immediate-update option is present in the configuration. [PR/570058: This issue has been resolved.]

High Availability

When a container interface (used in AE interfaces) is freed in memory, the child next hop (member link) on the master Routing Engine is also freed. However, in some cases, the child next hop on the backup Routing Engine is not freed, resulting in a crash. [PR/562295: This issue has been resolved.]

Interfaces and Chassis

On TX Matrix Plus routers, the message "fru_is_present: out of range slot 1 for CIP" is continuously sent on all the LCCs. [PR/48311: This issue has been resolved.]

During initialization, some garbage data can flow into an unused SONET interface. This data is small in size and does not contain any SOP or EOP information. It consumes some D4P buffer memory, and the D4P buffer does not remove it until more data comes into the buffer. The periodic health check reports the following status: D4P-10/1: FROML tx48 stream 1 data path stuck. To resolve this issue, purge the D4P buffer. [PR/424326: This issue has been resolved.]

The queue counter of the aggregated Ethernet interface counts up after the statistics are cleared and the FPC is restarted. [PR/528027: This issue has been resolved.]

On an MX Series router with a mixed MPC and DPC environment, the first and subsequent cell drops occur at the DPC. [PR/540283: This issue has been resolved.]


Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

When large OID registration traffic exists from the subagent to the master agent, the registration packets encounter random errors during transmission. This affects the registration process. [PR/555345: This issue has been resolved.]

When a member link is added to an existing aggregated interface, a multicast distribution tree (MDT) mismatch might occur among the FPCs. This issue occurs only when graceful Routing Engine switchover (GRES) is enabled. [PR/558745: This issue has been resolved.]

Layer 2 instability and rapid VRRP mastership changes might cause an MPC-3D-16XGE-SFPP to restart. [PR/560716: This issue has been resolved.]

When a MAC address list is moved, the resulting flush process might be interrupted while the list is processed. [PR/560730: This issue has been resolved.]

If the Tx cable is removed from an interface on an MIC-3D-20GE-SFP, the interface remains in the "up up" state. [PR/561254: This issue has been resolved.]

When multiple physical interfaces exist on a 4x Channelized DS3 IQ PIC, errors might occur when each controller physical interface is deleted while the PIC is taken offline. [PR/561841: This issue has been resolved.]

In some cases, when a DPC or MPC is restarted, a wrong physical interface index is assigned to the interface, which might cause the MPC to crash. [PR/563056: This issue has been resolved.]

When a change in the bridge domain membership occurs, and the bridge domain has an IRB interface and a vt-x/y/z interface, a Packet Forwarding Engine that does not have any local interfaces on that bridge domain might restart. [PR/566878: This issue has been resolved.]

When the chassisd process receives a temporary error code (such as Device Busy, Try Again, No Buffer Space, or No Memory) while trying to add both the PIC and the physical interfaces present on the PIC to the kernel, the chassisd process might not retry adding the physical interface to the kernel until it succeeds. The device or physical interface will not recover. It is recommended to restart the router or the FPC when this issue is encountered. [PR/570206: This issue has been resolved.]

On TX Matrix Plus routers, the set craft-lockout command might cause FPM interrupt flooding. [PR/571270: This issue has been resolved.]

On any Junos OS device that supports Ethernet OAM, the cfmd process might crash when a malformed delay measurement message (DMM) is received. [PR/571673: This issue has been resolved.]

Layer 2 Ethernet Services

The PIM neighborship does not appear over the IRB interface after the dense port concentrator (DPC) is restarted. [PR/559101: This issue has been resolved.]

MPLS Applications

Under certain circumstances, the routing protocol process might crash when configuration changes are made to label-switched paths at the [edit protocols mpls] hierarchy level. [PR/550699: This issue has been resolved.]

When the no-decrement-ttl statement is included at the [edit protocols mpls] or the [edit protocols mpls label-switched-path path-name] hierarchy level, the VPN Label TTL action field in the output of the show route extensive command displays vrf-propagate-ttl as the action. This is a display issue only and has no operational impact on the forwarding behavior. This is relevant to Layer 3 VPN scenarios where BGP routes resolve over RSVP LSPs and the no-propagate-ttl statement is not configured at the [edit protocols mpls] hierarchy level. [PR/563505: This issue has been resolved.]

A point-to-multipoint LSP with a bandwidth requirement might fail to retrace the original path after a graceful restart, and might not come up until the end of the recovery period. [PR/574308: This issue has been resolved.]

Network Management

SNMP might stop working after a router, a DPC, an FPC, or an MPC is restarted, or after a graceful Routing Engine switchover. [PR/525002: This issue has been resolved.]

Platform and Infrastructure

Under certain circumstances, the message NH: Failed to find nh (xxxx) for deletion appears for the child links of an aggregate interface. However, this message should appear only when the child next hop is not found. This message is only cosmetic. [PR/494528: This issue has been resolved.]

In a Layer 2 circuit setup with a link services intelligent queuing (LSQ) interface in the core and the control-word option enabled, a ping between two CE interfaces fails. As a workaround, use the no-control-word option. [PR/551207: This issue has been resolved.]

A DPC or an MPC might reset when aggregated Ethernet (AE) interfaces are provisioned with IRB. In some cases, a DPC might also reset when a member link of an AE interface flaps. [PR/559887: This issue has been resolved.]

With IRB and AE interfaces in a bridge domain, the old next-hop data is not cleared from the Packet Forwarding Engines when they are updated. This causes the Packet Forwarding Engine to crash when that next hop is later referenced. [PR/560813: This issue has been resolved.]

On an MX960 router, when an MPC is installed and OSPF and IS-IS are activated simultaneously, the "jtree memory free using incorrect value 8 correct 0" message is displayed for all DPCs. [PR/562719: This issue has been resolved.]

On standalone routers with GRES enabled (using the set chassis redundancy graceful-switchover command), or on multichassis platforms (TX and TXP routers), FPCs can crash and create a core file when interfaces are moved from one aggregate bundle to another aggregate bundle in a single configuration commit operation. As a workaround, split the operation into two commits: remove the interface from one bundle and commit, then add it to the other bundle and commit again. [PR/563473: This issue has been resolved.]

The MPC might crash when multicast traffic is forwarded and interfaces are deactivated. [PR/565454: This issue has been resolved.]

In Junos OS Release 10.2 and later, Packet Forwarding Engine process tracing is enabled by default. This results in the mib2d process not being able to communicate with the Packet Forwarding Engine process. [PR/566681: This issue has been resolved.]

On MX Series routers running Junos OS Release 10.2 and later, when a new link from a newly inserted FPC is added to an existing aggregate configuration, the newly added link information might not appear in the Link:, LACP info:, LACP Statistics:, and Marker Statistics: fields in the output of the show interface aex extensive command. Deactivate and then activate the aggregate interface to resolve this issue. [PR/571245: This issue has been resolved.]

Routing Protocols

In rare situations, the routing protocol process might restart due to a software validation failure. [PR/476143: This issue has been resolved.]

With a large number of peers in a single BGP group, continuous large route churn might trigger scheduler slips in the routing protocol process. [PR/544573: This issue has been resolved.]

In instances with scaled LACP configurations, the periodic packet management process (ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]

When a policy matching an extended community using a 4-byte AS and a wildcard is configured, the match condition might fail to match the relevant communities. As a workaround, configure exact matches. [PR/550539: This issue has been resolved.]

A rare race condition might cause the routing protocol process to crash when an (S,G) or (*,G) entry is removed. [PR/551949: This issue has been resolved.]

With NSR enabled for LDP, an LDP database entry mismatch exists between the master and the backup Routing Engines. The backup Routing Engine does not replicate the LDP socket, with the error "jsr_sdrl_set_data: No space dlen." [PR/552945: This issue has been resolved.]

When a default route target is sent by a BGP peer, BGP does not track the VPN routes covered by this route target. When the default route target goes away, BGP does not withdraw the VPN routes that were previously covered by that default route target. [PR/556432: This issue has been resolved.]

On a 3D MPC, load balancing might be broken when BGP multipath is configured. [PR/557099: This issue has been resolved.]

On M Series, MX Series, and T Series routers, the Virtual Router Redundancy Protocol (VRRP) process might become unresponsive when processing is delegated to the Packet Forwarding Engine. As a workaround, remove the delegate-processing option from the [protocols vrrp] hierarchy level. [PR/559033: This issue has been resolved.]

When the advertise-default option is used with the route-target family, and a new VPN is added, the necessary route refresh is not sent. [PR/561211: This issue has been resolved.]

When the Link Layer Discovery Protocol (LLDP) advertisement interval value is changed from 30 seconds to 60 seconds, and the show lldp detail command is executed, the output shows 60 seconds. However, the Routing Engine still forwards the LLDP packet every 30 seconds. When the interface is deactivated and activated again, the LLDP packets are correctly forwarded every 60 seconds. [PR/560857: This issue has been resolved.]

Under certain circumstances, the routing protocol process crashes while receiving an IGMP SNMP GetNext request. [PR/561842: This issue has been resolved.]

The multicast snooping process might crash and prevent a commit when the apply-group statement is used at the bridge-domain <*> hierarchy level. [PR/562776: This issue has been resolved.]

The routing protocol process might crash in the following environments:

Auto-export is configured for route leaking between VRFs.

Communities are added in the import policy of the second VPN routing and forwarding (VRF) table.

[PR/563231: This issue has been resolved.]

Packets might not be correctly evaluated by a filter on an MPC when the filter contains noncontiguous prefixes. As a workaround, replace the noncontiguous prefixes with equivalent sets of contiguous prefixes. [PR/564286: This issue has been resolved.]

On M10i and M7i routers, the distributed PPMD process is disabled by default. However, it should be enabled by default, since it is supported by the Enhanced CFEB (CFEB-E). [PR/565957: This issue has been resolved.]

IS-IS might not use the MPLS label-switched paths (LSPs) if the names of the label-switched paths are similar in the first 32 characters. [PR/568093: This issue has been resolved.]

If the always-compare-med option is configured when a route change occurs, the routing protocol process might occasionally crash due to a soft assertion. However, the soft assertion does not impact user traffic. [PR/568725: This issue has been resolved.]

During a nonstop active routing (NSR) switchover with a large number of remote Layer 3 VPN prefixes and a local eBGP session with short hold timers, routing protocol process scheduler slips might occur, which causes the BGP session to flap. [PR/568756: This issue has been resolved.]

Under certain circumstances, processing of links with the maximum metric set by the IS-IS shortest path first (SPF) computation algorithm might lead to suboptimal routing decisions. [PR/569649: This issue has been resolved.]

Services Applications

In scaled environments, the cflow thread in the Multiservices PIC or DPC might run too long. This causes the PIC or DPC to crash. [PR/494457: This issue has been resolved.]

On Multiservices 500 PICs with graceful Routing Engine switchover, wrong record values are seen in the IPv4 NetFlow export packets. This error occurs when the route records do not get installed. [PR/545422: This issue has been resolved.]

The Multiservices 400 PIC crashes due to a memory allocation failure when the PIC tries to respond to a Routing Engine CLI request. [PR/558237: This issue has been resolved.]

The Multiservices PIC might crash when traffic is received on a Layer 2 Tunneling Protocol (L2TP) session (MLPPP bundle) and a teardown request is received at the same time. [PR/561039: This issue has been resolved.]

If Bidirectional Forwarding Detection (BFD) protection for BGP sessions is configured on a BGP session in a nonmaster routing instance, BFD might start for that session before the kernel ID of the routing instance is set. This might cause the BFD session to freeze. As a workaround, if the BFD session has the routing table value of 4294967295, use the clear bfd session command to start a new session; this addresses the issue as long as the routing instance's kernel table has been allocated. [PR/563161: This issue has been resolved.]

If a class-of-service rule is applied to a service set, the inactive timeout under the user-configured application does not take effect. As a workaround, match the application in the class-of-service rule. [PR/571304: This issue has been resolved.]

User Interface and Configuration

Under certain circumstances, a nested Junos OS configuration group with a wildcard match might not have the desired effect. [PR/556379: This issue has been resolved.]

When a "validate" RPC is executed using a NETCONF session, some essential information about the session is not populated in the configuration database. [PR/570778: This issue has been resolved.]

VPNs

In MVPN routing instances with local receivers, a flood next hop is created for each (S,G) entry for multicast traffic received from the CE. After the local receivers join or prune, a new flood next hop is created. However, old flood next hops are not deleted. This leads to a memory leak in the routing protocol process. When the routing protocol process reaches a size of 2 GB, it triggers an assertion and restarts. [PR/569621: This issue has been resolved.]

In a local-switched Layer 2 virtual circuit scenario, the control and forwarding planes might not be properly updated by the routing protocol process when one of the logical interfaces forming a Layer 2 virtual circuit is taken down. [PR/572780: This issue has been resolved.]

Release 10.4R1

The following issues have been resolved since Junos OS Release 10.3R4. The identifier following the description is the tracking number in our bug database.

Class of Service

On MX Series routers with Enhanced Queuing DPCs and IQ2 or IQ2E PICs with scheduler map and rate limit applied to an interface or interface set, when one of the logical interfaces is deleted, the DPC or PIC might crash. [PR/572245: This issue has been resolved.]

Forwarding and Sampling

When Routing Engine sampling is configured, and each flow server corresponds to a different autonomous system type, the packet size of the exported cflowd v5/8/500 packets might increase. [PR/530008: This issue has been resolved.]

With sampled traffic on a Multiservices PIC, multicast convergence slows down with the message "RPD_KRT_Q_RETRIES: Indirect Next Hop Update: No buffer space available." [PR/554363: This issue has been resolved.]

The mib2d process might crash when a race condition exists between the mib2d process and the dfwd process. [PR/563419: This issue has been resolved.]

When a VPN routing and forwarding (VRF) table is configured in a logical system, and no loopback filter is configured in the VRF table but one is configured in the logical system and in the default router, packets destined for the VRF table reach the filter configured in the logical system instead of the filter configured in the default routing table. [PR/575060: This issue has been resolved.]

The VLAN Spanning Tree Protocol (VSTP) might leak memory, which might lead to memory exhaustion and impact traffic. [PR/580153: This issue has been resolved.]

When scripts running on the router perform SNMP walks and execute the show statistics command for interfaces at a high frequency, the Packet Forwarding Engine might leak memory. This issue can also be triggered when a filter-profile is configured under the accounting-options statement for a nonexistent filter. [PR/590623: This issue has been resolved.]

High Availability

A replication error might occur when a user route with a local next hop is propagated to the backup Routing Engine before the corresponding IFA is replicated. [PR/559458: This issue has been resolved.]

When DPCE-R-40GE-TX interfaces are configured at a nondefault speed (10m or 100m), and a unified in-service software upgrade is performed, packets are lost for 60 seconds. [PR/573353: This issue has been resolved.]

Interfaces and Chassis

A native-vlan-id option with the value of 0 does not permit untagged packets to be accepted on the interface. [PR/525875: This issue has been resolved.]

Upon a link up event, old packets from the previous link down are still dequeued. This leads to huge latency reports. [PR/515842: This issue has been resolved.]

When Automatic Protection Switching (APS) is configured on a 4x STM-1 SDH, SMIR PIC, the transmitted value of the K2 byte shows 0x00 for both unidirectional and bidirectional modes instead of 0x04 and 0x05, respectively. [PR/531030: This issue has been resolved.]

When an IFF maximum transmission unit (MTU) size is configured smaller than the current MTU size, the message "MTU for address reduced to mtu" is added to the log file. [PR/544026: This issue has been resolved.]

When large OID registration traffic exists from the subagent to the master agent, the registration packets encounter random errors during transmission. This affects the registration process. [PR/555345: This issue has been resolved.]

After an MX80 router is upgraded to Junos OS Release 10.3, the "Front Panel Alarm Indicators" LEDs do not show any status in the output of the show chassis craft-interface command, even when a chassis alarm is set on the router. [PR/558046: This issue has been resolved.]

Under certain conditions, both the primary and the secondary circuits might get disabled. To recover from this condition, deactivate and activate the interface configuration. [PR/559656: This issue has been resolved.]

The interface on an MIC-3D 20-Gigabit Ethernet SFP remains in the up state even after the Tx cable is removed. [PR/561254: This issue has been resolved.]

A Tri-Rate Copper SFP transceiver interface bounces when an SFP transceiver is plugged into or unplugged from an SFP-SX transceiver in the same DPC and PIC slot combination. [PR/564121: This issue has been resolved.]

When graceful Routing Engine switchover is configured on the backup Routing Engine, some situations might lead to the next-hop cleanup not being performed properly. [PR/566885: This issue has been resolved.]

On MPC-3D-x FPCs, the following IDMEM parity error messages appear:
MX960-LAB fpc3 LU 2 RD_NACK 2 AP[0x04] TOE Write 0x002913a0
MX960-LAB fpc3 LU 2 IDMEM Parity error in Bank 3, Count 10, IDMEM Bank 3 Offset 0x00014899 IDMEM[0x00052274]

These messages repeat as long as the software encounters the error. These error messages occur within uninitialized memory locations. [PR/569887: This issue has been resolved.]

Incorrect K2 bytes might be transmitted if the mode bits are not set correctly by the apsd process. [PR/569903: This issue has been resolved.]

On TX Matrix Plus routers, the set craft-lockout command might cause FPM interrupt flooding. [PR/571270: This issue has been resolved.]

OSPFv3 gets stuck in the exchange state on the ae0 interface with a dual tag configuration. The state becomes full only after the interface is disabled and enabled again. [PR/572864: This issue has been resolved.]

The DPC or FPC might crash when a composite next hop is used. [PR/573197: This issue has been resolved.]

When a cable is disconnected and connected between Ethernet OAM MEPs, incorrect flaps occur on an interface with only one MEP. [PR/576481: This issue has been resolved.]

On a 100-Gigabit Ethernet interface (PD-1CE-CFP-FPC4), packet corruption might occur in both the egress and ingress traffic. The following message might be logged:
fpc3 SLCHIP(0): 1 Giant packet errors

Also refer to PSN-2011-02-163.

[PR/576507: This issue has been resolved.]

On a 16-port 10-Gigabit Ethernet card, packets with checksum errors might cause a wedge condition that affects host traffic. [PR/579340: This issue has been resolved.]

The maintenance association intermediate point (MIP) might not function after a system reboot. [PR/584070: This issue has been resolved.]

The maintenance association intermediate points (MIPs) might not respond to 802.1ag link traces that are destined to reach the MIPs. [PR/584331: This issue has been resolved.]

On MX Series MPCs, host packets might be dropped due to traffic congestion. [PR/584521: This issue has been resolved.]

When certain configuration changes are made and the FPC is restarted, the SFP optics information does not appear in the output of the show chassis hardware command. [PR/584705: This issue has been resolved.]

Under some rare conditions, the Trio-based MPC might fail to forward host-bound packets to the Routing Engine. [PR/584957: This issue has been resolved.]

On a 10-Gigabit Ethernet MPC with SFP+, the configuration for the interface to go down when the low RX power threshold is reached does not work. [PR/585030: This issue has been resolved.]

On M120 and M320 routers, the Routing Engine might show non-meaningful characters in the DIMM field when the show chassis hardware detail command is used. This is a cosmetic issue. [PR/585069: This issue has been resolved.]

On Trio MPCs, the log message "fpcX MQCHIP(0) LI Packet length error, pt entry 11" might appear when the maximum-packet-length option is configured under port mirroring. [PR/587266: This issue has been resolved.]

An interface with Ethernet OAM configured keeps flapping due to an adjacency timer issue. [PR/588032: This issue has been resolved.]

On MX80 and MX Series routers with MX-MPC1-3D, MX-MPC2-3D-EQ, or MX-MPC2-3D MPCs and with a Tri-Rate Copper SFP (SFP-1GE-T), the interface might stop forwarding traffic when traffic is flowing through the interface and the interface is disabled and enabled again, or a link flap event occurs. There is no workaround to prevent this issue. Ensure that there is no traffic through the interface when the interface is disabled and enabled again. If the issue is encountered, do the following:

For non-aggregated interfaces, ensure that no traffic is being routed to the failed interface. Use the ping count 5 rapid size 1 remote-interface-ip-address command to recover the interface and enable traffic to flow through the interface again.

For aggregated interfaces, remove the affected interface from the aggregate interface configuration at both ends and assign an IP address to both endpoints. Use the ping count 5 rapid size 1 remote-interface-ip-address command to recover the interface and enable traffic to flow through the interface again. Upon recovery, add the interface back to the aggregate interface configuration at both ends.

[PR/590236: This issue has been resolved.]

The data carrier detect (DCD) process crashes on MX Series routers when a dynamic demultiplexer (demux) interface is created using DHCP on an aggregate interface. [PR/593489: This issue has been resolved.]

On MX80, MX240, and MX480 routers, when the fan speed is intermediate, an SNMP walk for jnxFruState reports the fan speed as unknown. [PR/593703: This issue has been resolved.]

On MX80 and MX Series routers with MX-MPC1-3D, MX-MPC2-3D-EQ, MX-MPC2-3D, or MPC-3D-x MPCs, host-bound packets to an interface might get dropped when the adjacent IP address of this interface is configured on either the same or a different interface in the router. This issue occurs only when the adjacent IPv4 addresses have the same first 30 bits and have bit 9 set (that is, the highest-order bit of the second octet is set, for example 169.254.x.y or 192.128.x.y). To resolve this issue, deactivate and again activate the affected interface. [PR/596446: This issue has been resolved.]

On an MX960 router, the MPC reboots at regular intervals. [PR/601080: This issue has been resolved.]

Layer 2 Ethernet Services

When DHCP clients log in at a high rate, the client might time out and try again. When this occurs, the IP Demux0 interface is already created and it might not get torn down. Instead, a new IP Demux0 interface is created. This results in the existence of a stale IP Demux0 interface. [PR/603511: This issue has been resolved.]

MPLS Applications

The routing protocol process might dump core due to corrupted data in the equal-cost multipath (ECMP) indirect next-hop memory location. [PR/561031: This issue has been resolved.]

When large configurations are parsed, the routing protocol process might cause the PW LDP sessions to go down as the holdtime expires. [PR/569076: This issue has been resolved.]

A few prefixes get stuck in the bypass LSP, even after the primary LSP is back in the up state after a link failover. [PR/572658: This issue has been resolved.]

When a configuration is changed from a CCC tunnel to a Layer 2 circuit and committed, and the configuration is then changed back to a CCC tunnel and committed, the CCC tunnel configuration does not work. The logical interface stays down. To recover, deactivate and again activate the relevant logical interface. [PR/573672: This issue has been resolved.]

In some cases where RSVP-signaled label-switched paths (LSPs) and automatic bandwidth adjustment are enabled, the routing protocol process might dump core during a switchover to a bypass LSP. [PR/575284: This issue has been resolved.]

VPLS frames might be dropped on MPLS core routers that are equipped with Trio MPCs. [PR/578190: This issue has been resolved.]

When a label-switched path reoptimization event (due to an autobandwidth adjustment or optimization timer expiry) occurs during a sampling event, the sample is skipped. Because of this, the label-switched path's bandwidth calculation might be inaccurate during the next sampling event. This inaccuracy might lead to an overestimation of the bandwidth value and cause the affected label-switched paths to be resignaled with a higher bandwidth value at the next automatic bandwidth adjustment. [PR/580919: This issue has been resolved.]

The status of task replication for the LDP protocol does not change from the "in progress" state. [PR/582966: This issue has been resolved.]

When a dynamic point-to-multipoint LSP template is used in an NG-VPN environment, the routing protocol process crashes. [PR/583231: This issue has been resolved.]

In Junos OS Release 10.0 and later, with the adaptive parameter configured, when a class-based forwarding (CBF) RSVP label-switched path (LSP) is deleted, an allocated port ID might not be released. Deleting an RSVP LSP deletes its paths automatically. Even if no path is configured explicitly, the implicit primary path is automatically deleted. Because of this, when LSP paths are added and deleted repeatedly over time, the port ID space is exhausted and the routing protocol process might crash when an LSP or path is configured after that. [PR/584032: This issue has been resolved.]

Under certain circumstances when automatic bandwidth adjustment is enabled for a label-switched path (LSP), the statistics record for the LSP is carried over to the new session after an LSP optimization. Therefore, the estimated bandwidth for the LSP is higher than expected. [PR/585250: This issue has been resolved.]

In the event where the first label-switched path (LSP) displayed in the output of the show mpls lsp command is down, the following LSP that is up is used for a sufficient number of routes. The LSP that is down might be duplicated in the output from time to time. This is a cosmetic issue. [PR/588714: This issue has been resolved.]

An issue with the timer initialization during graceful restart might cause the MPLS automatic bandwidth timer smearing to fail. [PR/592478: This issue has been resolved.]

On SRX Series Services Gateways and MX Series routers, the output of the monitor label-switched-path command displays a mirror image of the IP addresses of the ingress and egress routers of the label-switched path. [PR/598156: This issue has been resolved.]

Packet loss on local traffic occurs inside a VRF when composite next-hops and per-packet load-balancing are configured. [PR/600951: This issue has been resolved.]

Multicast

The Packet Forwarding Engine might run out of memory when multicast upstream and downstream are on different FPCs, and a multicast next-hop change occurs. [PR/577319: This issue has been resolved.]

Platform and Infrastructure

Under certain circumstances, the message NH: Failed to find nh (xxxx) for deletion appears for the child links of an aggregate interface. However, this message should appear only when the child next hop is not found. This message is only cosmetic. [PR/494528: This issue has been resolved.] ADPC might crash when autosensed virtual LAN and DHCP relay bindings are cleared. [PR/507408: This issue has been resolved.] Using reassemble packets on an ADPC interface might cause non-fragmented packets to be sent to the servics PIC. [PR/530367: This issue has been resolved.] Bouncing DHCP subscribers on demultiplexer interfaces can result in subsequent login failures. [PR/550211: This issue has been resolved.] In a Layer 2 circuit setup with a link services intelligent queuing interface (LSQ) interface in the core, and the control-word option enabled, a ping between two CE interfaces fails. As a workaround, use the no-control-word option. [PR/551207: This issue has been resolved.] The IPv6 BGP neighbors might not come back to the up state when an FPC associated with that session is manually taken offline, removed, and re-inserted. [PR/552376: This issue has been resolved.] No ICMP host redirect messages are generated when there are multiple VLANs configured on an interface (multiple logical interfaces on a single physical interface). [PR/559317: This issue has been resolved.] When the route-memory-enhanced configuration statement is used, the BFD peers might go down and not come back up. [PR/559933: This issue has been resolved.] When a routing entry is created, the memory in the Packet Forwarding Engine is allocated to store the statistics of the routing entry. However, this allocated memory might not be freed when the routing entry is deleted. This issue might lead to the Packet Forwarding Engine causing memory-allocation failure issues in a scaled environment. [PR/559960: This issue has been resolved.] 
When the same local link address is configured on two interfaces, the message "/kernel: ip6_getpmtu: Invalid Stored MTU" is displayed continuously. [PR/560079: This issue has been resolved.]

On standalone platforms with graceful Routing Engine switchover enabled (using the set chassis redundancy graceful-switchover statement), or on multichassis platforms (TX Matrix and TX Matrix Plus routers), when a unilist changes rapidly, the backup Routing Engine kernel might crash. On single-chassis systems, when the kernel crashes on the backup Routing Engine, no loss of forwarding is seen. However, on multichassis systems, both the master and backup Routing Engines on a line card chassis, as well as the switch card chassis backup Routing Engines, crash. This causes a severe impact and loss of forwarding. The following log is recorded at the time of the kernel crash:
savecore: %DAEMON-1: reboot after panic: nhlist_free unable to add unilist(index = xxxxxxx)to treernhlist_deleted_root.

[PR/575386: This issue has been resolved.]

With two MICs on the same MPC, taking one MIC offline resets the IS-IS and BFD sessions on the other MIC. [PR/577873: This issue has been resolved.]

After a few graceful Routing Engine switchovers, the firewall filter applied on the loopback interface might affect the internal control packets from the PICs to the Routing Engine. The PICs might fail to come back online if these packets are blocked. [PR/578049: This issue has been resolved.]

The class-of-service configuration on an sp interface might not take effect after the router or the FPC hosting the sp interface is rebooted. This might occur when the Lin table on the SLCHIP is initialized to a specific format. [PR/580470: This issue has been resolved.]

The class-of-service configuration on an sp interface might not take effect after the router or the FPC hosting the sp interface is rebooted. This might occur when the Lin table on the SLCHIP is initialized to a specific format. [PR/580740: This issue has been resolved.]

In Junos OS Release 9.4 and later, Layer 2 and Layer 3 must explicitly be configured for the M7i router's Adaptive Services Module (ASM) to support the mode. [PR/581153: This issue has been resolved.]

On MX80 routers with Tri-Rate Copper SFP (SFP-1GE-T), and on other MX Series routers that support MX-MPC2-3D MPCs with Tri-Rate Copper SFP, any state transition on the MPC (for example, a reboot) might result in a Layer 3 connectivity loss. Disable and enable the interface to recover from this state. [PR/582790: This issue has been resolved.]

The FPCs on T640 routers might crash when the router's jtree memory runs out. [PR/584739: This issue has been resolved.]

On MX240, MX480, and MX960 routers, the MPCs might crash when the protocols rsvp load-balance bandwidth statement is configured. [PR/586323: This issue has been resolved.]

In rare cases, the kernel thread might get blocked in the middle of kernel routing protocol process acknowledgment processing. This might result in corruption of the kernel state and a kernel crash. [PR/586693: This issue has been resolved.]

When a loopback firewall filter is deployed on a T Series router with ES FPCs installed, a mixture of some of the following messages is displayed:


routername fpc0 SRCHIP(1): %PFE-6: 512 Multicast list discard route entries
routername fpc0 SRCHIP(1): %PFE-3: RKME int_status1 0x100
routername fpc2 SRCHIP(0): %PFE-6: 1 Multicast list discard route entries
routername fpc2 SRCHIP(0): %PFE-3: RKME int_status1 0x100
routername fpc3 SLCHIP(0): %PFE-3: 2 new errors (illegal link) in DESRD last stream 32 last lout_key 0xfa
routername fpc3 CMALARM: %PFE-3: Error (code: 6, type:Minor) encountered, cmalarm_passive_alarm_signal
routername fpc3 SLCHIP(0): %PFE-3: 2 new errors (illegal link) in DESRD last stream 32 last lout_key 0xfa
routername fpc3 CMALARM: %PFE-3: Error (code: 6, type:Minor) encountered, cmalarm_passive_alarm_signal

This occurrence of RKME errors does not affect the transit traffic. [PR/588212: This issue has been resolved.]

When nonstop active routing is enabled, the protocol session might go down after a graceful Routing Engine switchover because the PPMD TCP session between the Routing Engine and the Packet Forwarding Engine is in an unknown state. [PR/588405: This issue has been resolved.]

Some host-bound packets might be dropped on E2 FPCs when there is heavy host-bound traffic. [PR/588414: This issue has been resolved.]

When an MLFR (FRF.16) bundle is under a race condition that involves a member link flap combined with events that keep the Packet Forwarding Engine busy (many route and next-hop additions, deletions, or changes), the routing lookup chip (on the FPC that hosts the CE1 member links) might stop forwarding all traffic. During this period, the message "fpc5 RCHIP(1): RKME int_status 0x10000000" is logged as an indication of this issue. [PR/594544: This issue has been resolved.]

On an M10i router with an Enhanced Compact Forwarding Engine Board (CFEB-E), when a multiport (4-port) PIC is installed in slot 1 of 3 and there is no other PIC in the chassis, the upper ports of the PIC in slot 1 of 3 stop forwarding traffic. This issue also occurs on the M120 router when two Type 1 FPCs are mapped to one FEB and a multiport PIC is installed alone in the last (8th) slot of the Packet Forwarding Engine. [PR/601342: This issue has been resolved.]


Routing Policy and Firewall Filters

On Trio-MPCs, warning system log messages appear when a firewall filter with large prefix lists is modified or deleted. These messages are cosmetic. [PR/561515: This issue has been resolved.]

Routing Protocols

The link local next hops are improperly propagated to the iBGP peers when the iBGP peers are attached directly. Additionally, the link local next hops are sent to the directly attached iBGP peers when the global address is a loopback address. [PR/544962: This issue has been resolved.]

When an EX Series switch on which Layer 2, Layer 3, and multicast protocols are configured is rebooted, Bidirectional Forwarding Detection (BFD) might start and stop as multiple duplicate PPM entries are created on the Routing Engine. [PR/551267]

The PIM <S, G> entries are missing on the provider core router. [PR/555269: This issue has been resolved.]

When a graceful Routing Engine switchover occurs and the router moves to the master mode, there is a small possibility that messages intended for the standby Routing Engine are still being flushed. There are a few issues in the way messages intended for the standby Routing Engine are handled when the Routing Engine has already switched to the master mode. [PR/555656: This issue has been resolved.]

On M Series, MX Series, and T Series routers, the VRRP process might become unresponsive when the process is delegated to the Packet Forwarding Engine. As a workaround, remove the delegate-processing option from the [protocols vrrp] configuration. [PR/559033: This issue has been resolved.]

When the routing protocol process is restarted after a crash or a mastership switch, the kernel and the reference counters for the routing protocol process flood branch next hop might no longer be in sync. The exposure is high in NGEN-MVPN with many local receivers and constant churn of joins and prunes of multicast groups. The routing protocol process might assert and restart while deleting a flooded next hop. As a workaround, restart the system, or deactivate all MVPN instances to get the kernel and the routing protocol process back in sync upon a routing protocol process restart. [PR/561127: This issue has been resolved.]

If a new VPN is added when advertise-default is used with the route-target family, the necessary route refresh is not sent. [PR/561211: This issue has been resolved.]

In an LDP nonstop active routing configuration, the LDP replicate session between the master and the backup Routing Engine might be stuck. This might result in incorrect updates to the backup LDP database. As a workaround, deactivate and activate the nonstop active routing configuration again when the router gets into this state. [PR/567148: This issue has been resolved.]

If the always-compare-med option is configured when a route change occurs, the routing protocol process might occasionally crash due to a soft assertion. However, the soft assertion does not impact user traffic. [PR/568725: This issue has been resolved.]


Two instances of the peer port modulation (PPM) packet exist under the same logical interface. [PR/572526: This issue has been resolved.]

On a router configured with IS-IS link protection, the routing protocol process might dump core when there are many prefix updates following an interface flap. [PR/572878: This issue has been resolved.]

The routing protocol process crashes when the following three events occur:

Flow routes are configured.
Both dfwd and the routing protocol process shut down due to a reboot.
The dfwd process takes the libdfwd connection down before the routing protocol process cleans up.

[PR/574753: This issue has been resolved.]

When a DPC with core-facing interfaces is restarted, the message "mcsn: cannot perform nh operation ADDANDGET nhop (null) type indirect index 0 errno 22" appears. A trigger also moves the interfaces from bridge domains to VPLS instances. To clear this issue, restart multicast snooping. [PR/576058: This issue has been resolved.]

BGP maintains a RIB-OUT database that tracks every advertisement sent to every BGP peer and also decides which advertisements still need to be sent. An error in this RIB-OUT database causes the routing protocol process to crash. [PR/577061: This issue has been resolved.]

In a race condition where a route flaps within a short time interval, the routing protocol process might crash. [PR/578339: This issue has been resolved.]

When a local AS and auto-export are configured in a hub-spoke environment, hidden routes might exist. [PR/578833: This issue has been resolved.]

On Trio MPCs, when an IRB interface and a VT interface exist in VPLS, the MPC might crash after the protocol, link, or route flaps. [PR/579767: This issue has been resolved.]

When an rlsq interface is used, a graceful Routing Engine switchover might result in the continuous failure of the next-hop delete operation on the new active Routing Engine. [PR/579963: This issue has been resolved.]

The routing protocol process might use all the available CPU resources and have a scheduler slip when an off-route XML or text request for BGP neighbor statistics fails to read the results, and SNMP requests for the same information are concurrently serviced. [PR/581203: This issue has been resolved.]

The routing protocol process might dump core files when the Distance Vector Multicast Routing Protocol (DVMRP) prune lifetime expires. [PR/584752: This issue has been resolved.]

When a BGP peering session with a confederation peer has not negotiated the 4-byte AS, and IPv6 reachability needs to be advertised, the routing protocol process might crash with an assert. [PR/584787: This issue has been resolved.]

With NSR enabled, the MPLS label of the routes might be allocated incorrectly when a vt interface exists in the routing instance. [PR/584915: This issue has been resolved.]


The routing protocol process dumps core files when OSPF causes a memory corruption. [PR/588018: This issue has been resolved.]

PIMv2 packets are not forwarded over an IRB on MPC cards. [PR/589360: This issue has been resolved.]

The show bgp replication command on the master Routing Engine might sometimes get stuck in the "InProgress" state. [PR/589783: This issue has been resolved.]

The CPU utilization of the routing protocol process might increase if BGP is completely disabled and then reenabled while many SNMP queries are in progress. [PR/590030: This issue has been resolved.]

The routing protocol process might crash when the condition option is applied to OSPF in the routing instance. [PR/592684: This issue has been resolved.]

Services Applications

If Bidirectional Forwarding Detection (BFD) protection for BGP sessions is configured on a BGP session in a nonmaster routing instance, BFD might start for that session before the kernel ID of the routing instance is set. This might cause the BFD session to freeze. As a workaround, if the BFD session has the routing table value 4294967295, use the clear bfd session command to start a new session; this addresses the issue as long as the routing instance's kernel table has been allocated. [PR/563161: This issue has been resolved.]

If a class-of-service rule is applied to a service set, the inactive timeout under the user-configured application does not take effect. As a workaround, match the application in the class-of-service rule. [PR/571304: This issue has been resolved.]

A NAT configuration with blobs greater than 32,000 might result in 100 percent utilization of the CPU resources. [PR/578678: This issue has been resolved.]

Subscriber Access Management

After a Routing Engine switchover occurs, the interim accounting packets might not be sent. [PR/582404: This issue has been resolved.]

User Interface and Configuration

A commit script that activates an apply group might fail to pass the commit check logic. [PR/576384: This issue has been resolved.]

When SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, OpenSSL does not properly prevent modification of the ciphersuite in the session cache. This allows remote attackers to force a downgrade to an unintended cipher through vectors that involve network traffic sniffing to discover a session identifier. In OpenSSL before version 1.0.0c, when J-PAKE is enabled, OpenSSL does not properly validate the public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol. [PR/580380: This issue has been resolved.]


If several get-configuration remote procedure calls (RPCs) are sent to the router frequently, the mgd process might crash. [PR/586416: This issue has been resolved.]

A rollback command followed by the commit command sends notifications to all the processes. This leads to high CPU utilization. [PR/591903: This issue has been resolved.]

When the time zone is set to Europe/Moscow on a router with dual Routing Engines, the command commit at "time-string" fails and the following error messages appear:

root@Mx240-2-RE0# commit at "2011-04-07 08:26"
re0:
configuration check succeeds
re1:
error: unrecognizable time string '2011-04-07 08:26:00 MSD'
re0:
error: remote commit-configuration failed on re1

[PR/598562: This issue has been resolved.]

VPNs

IP packets with certain sizes (around 287 bytes of total IP packet size) are corrupted while traversing the Layer 2 circuit or Layer 2 Virtual Private Network and the IP packets terminate on MX Series routers with Trio MPC installed. This corruption of IP packets happens in either of the following two cases:

The Layer 2 circuit or Layer 2 Virtual Private Network is terminated (the CCC interface is on the Trio MPC). In this case, packets with a total IP packet size equal to 284, 285, or 286 bytes are corrupted.
The uplink (PE-P link) is on the Trio MPC. In this case, packets with a total IP packet size equal to 288, 289, or 290 bytes are corrupted.

[PR/566761: This issue has been resolved.]

In MVPN routing instances with local receivers, a flood next hop is created for each (s,g) entry for multicast traffic received from the CE router. After the local receivers are joined or pruned, a new flood next hop is created. However, old flood next hops are not deleted. This leads to a memory leak within the routing protocol process. When the routing protocol process reaches a size of 2 GB, it triggers an assertion and a restart. [PR/569621: This issue has been resolved.]

On M320 routers with non-E3 FPCs and T Series routers with non-ES FPCs, and with the route-memory-enhanced option enabled (using the edit chassis route-memory-enhanced command), multicast VPN might experience traffic loss. [PR/573215: This issue has been resolved.]

In a Layer 2 Virtual Private Network setup where both the local and remote sites are configured on the same router, the local and remote interfaces are listed incorrectly in the output of the show l2vpn connections command. [PR/574014: This issue has been resolved.]


On MX Series routers with Trio MPCs, LACP or STP packets encapsulated in a Layer 2 circuit, a Layer 2 Virtual Private Network, or VPLS might not be forwarded correctly. [PR/578402: This issue has been resolved.]

In a multihoming VPLS scenario with VPLS traceoptions enabled, the routing protocol process might crash. As a workaround, disable VPLS traceoptions. [PR/579747: This issue has been resolved.]

In a VPLS multihoming scenario, the routing protocol process might crash when a VPLS instance is deleted from the configuration. [PR/585113: This issue has been resolved.]

Related Documentation

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 7
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 44
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 136
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 145

Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
Changes to the Junos OS Documentation Set
The following are the changes made to the Junos OS documentation set:

The new index pages launched for Junos OS technical documentation present documentation links in categories and include brief descriptions of the content of each link. Related links to platform documentation pages are included in the right-hand navigation. The new pages contain all of the content of the previous versions of the pages; only the formatting has changed. Here are the URLs:

Software documentation for Junos M, MX, and T Series: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/pathway-pages/product/m-t-mx/10.4/index.html
Hardware documentation for M Series Multiservice Edge Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/m-series/
Hardware documentation for MX Series 3D Universal Edge Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/mx-series/
Hardware documentation for T Series Core Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/t-series/
Hardware documentation for the JCS 1200 platform: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/jcs/

The term Multiplay has been replaced with Session Border Control in the Junos OS Release Notes.

The Integrated Multi-Service Gateway (IMSG) pathway page now includes three complete configuration examples:

IMSG Basic Configuration
IMSG Dual BGFs
IMSG Server Clusters

The configuration examples are applicable to Junos OS Release 10.2 and later.

The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions supported on Juniper Networks routers, including configuring bridge domains, MAC addresses and VLAN learning and forwarding, and spanning-tree protocols. It also details the routing instance types used by Layer 2 applications. This material was formerly covered in the Junos OS MX Series Ethernet Services Routers Layer 2 Configuration Guide.

Documentation for the extended DHCP relay agent feature is no longer included in the Policy Framework Configuration Guide. For DHCP relay agent documentation, see the Subscriber Access Configuration Guide or the documentation for subscriber access management.

In Junos OS Release 10.3R1 and later, PDF files are not available for individual HTML pages in the Junos OS documentation set. PDF files are available for the complete Junos OS Release 10.3 configuration guides at http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the complete hardware guides are accessible at the following URLs:

For M Series routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/m-series/

For MX Series routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/mx-series/

For T Series and TX Matrix routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/t-series/

In addition, individual HTML pages have a Print link in the upper left corner of the text area on the page.


Errata
This section lists outstanding issues with the documentation.

Class of Service

The Junos OS Class of Service Configuration Guide does not show the correct syntax for the guaranteed-rate and shaping-rate statements available at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level. As of Junos OS Release 9.4, both of these statements support a burst-size option for Enhanced Queuing (EQ) DPCs. Specifying the burst-size option can help to make sure higher priority services do not starve lower priority services. To configure these statements, use the following syntax:

[edit class-of-service traffic-control-profiles profile-name]
guaranteed-rate (percent percentage | rate) <burst-size bytes>;

[Junos OS Class of Service Configuration Guide]

High Availability

TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix do not currently support nonstop active routing. [High Availability]

Interfaces and Chassis

The Junos OS Network Interfaces Configuration Guide does not include the correct values for the number of aggregate interfaces on MX Series router configurations on the following pages:

http://www.juniper.net/techpubs/en_US/junos10.4/topics/task/configuration/802-3ad-ethernet-devices.html
http://www.juniper.net/techpubs/en_US/junos10.4/topics/task/configuration/802-3ad-interface.html

It states the following, which applies only to M Series and T Series routers:

The maximum number of aggregated devices you can configure is 128. The aggregated interfaces are numbered from ae0 through ae127.

For MX Series routers, the parameters in the following statement apply:

On MX Series routers, the maximum number of aggregated devices you can configure is 480. The aggregated interfaces are numbered from ae1 through ae480.

For similar parameters for EX Series switches, refer to the EX Series documentation. [Network Interfaces]

For the T320, T640, and T1600 routers, external clock synchronization is not supported on SONET clock generators (SCG) with DB-9 external clock interfaces. [System Basics, Hardware Guides]

The Configuring Aggregated Ethernet Interfaces chapter in the Network Interfaces Configuration Guide contains references to the term multi-chassis. As per the Juniper Networks Corporate Style Guide, multi-chassis should be replaced with multichassis, without a hyphen. [Network Interfaces]

The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces Configuration Guide states the following:

For Layer 2 circuit cell relay and Layer 2 trunk modes, include the atm-l2circuit-mode cell statement at the [edit chassis fpc slot pic slot] hierarchy level and the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name] hierarchy level.

This configuration is correct and interoperates with routers running all versions of Junos OS. However, the chapter does not mention that you can also include the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. When you include the statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, keep the following points in mind:

This configuration interoperates only between Juniper Networks routers running Junos OS Release 8.2 or earlier.
This configuration does not interoperate with other network equipment, including a Juniper Networks router running Junos OS Release 8.3 or later, unless it is also configured with the same use-null-cw statement.
For a Juniper Networks router running Junos OS Release 8.3 or later to interoperate with another Juniper Networks router running Junos OS Release 8.2 or earlier, on the router running Junos OS Release 8.3 or later, include the use-null-cw statement at the [edit interfaces interface-name atm-options] hierarchy level. The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic) an extra null control word in the MPLS packet.
The use-null-cw statement is not supported on a router running Junos OS Release 8.2 or earlier.

[Network Interfaces]

With Junos OS Release 10.1 and later, you need not include the tunnel option or the clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel. [Services Interfaces]

J-Web Interface

To access the J-Web interface, your management device requires the following software:

Supported browsers: Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0
Language support: English-version browsers
Supported OS: Microsoft Windows XP Service Pack 3

Layer 2 Ethernet Services

On MX Series routers, the Link Layer Discovery Protocol (LLDP) organization-specific Type Length Value (TLV) medium attachment unit (MAU) information always propagates as "Unknown". This feature is supported on all MX Series routers from Release 10.4 onwards.

Multicast

The listings for the following RFCs incorrectly state that Junos OS supports only SSM include mode. Both include mode and exclude mode are supported in Junos OS Release 9.3 and later.

RFC 3376, Internet Group Management Protocol, Version 3
RFC 3590, Source Address Selection for the Multicast Listener Discovery (MLD) Protocol

[Hierarchy and Standards Reference]

MX Series 3D Universal Edge Routers

Some features marked as supported on MX Series 3D Universal Edge Routers are not currently supported on MX80 routers. For a complete list of the features available on MX80 routers, contact your sales engineer or the Juniper Technical Assistance Center.

The MX Series 3D Universal Edge Routers are sometimes referred to as MX Series Ethernet Services Routers. Both names refer to the same MX Series routers. This will be standardized to MX Series 3D Universal Edge Routers in the documentation in later releases.

Services Applications

The rate statement for packet sampling is now configured at the following hierarchy level: [edit forwarding options sampling input family family]. [Services Interfaces]

Subscriber Access Management

The Subscriber Access Configuration Guide contains the following errors:

The topic titled Subscriber Access Operation Flow in the Junos OS Subscriber Access Configuration Guide incorrectly describes the flow of operations for DHCP relay. The correct general sequence of events is shown in the following list:
1. The client issues a DHCP discover message.
2. The router issues an authorization request to the RADIUS server.
3. The RADIUS server issues an authorization response to the router.
4. The router passes the DHCP discover message through to the DHCP server.
5. The DHCP server issues an IP address for the client.
6. The router's DHCP component sends an acknowledgment back to the client.

[Subscriber Access]

The Configuring a Dynamic Profile for Client Access topic erroneously uses the $junos-underlying-interface variable when an IGMP interface is configured in the client access dynamic profile. The following example provides the appropriate use of the $junos-interface-name variable:

[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name

Table 25 in the Dynamic Variables Overview topic neglects to define the $junos-igmp-version predefined dynamic variable. This variable is defined as follows:

$junos-igmp-version
IGMP version configured in a client access profile. The Junos OS obtains this information from the RADIUS server when a subscriber accesses the router. The version is applied to the accessing subscriber when the profile is instantiated. You specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy level for the interface statement.

In addition, the Subscriber Access Configuration Guide erroneously specifies the use of a colon (:) when you configure the dynamic profile to define the IGMP version for client interfaces. The following example provides the appropriate syntax for setting the IGMP interface to obtain the IGMP version from RADIUS:

[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version

The Subscriber Access Configuration Guide and the System Basics Configuration Guide contain information about the override-nas-information statement. This statement does not appear in the CLI and is not supported. [Subscriber Access, System Basics]

When you modify dynamic CoS parameters with a RADIUS change of authorization (CoA) message, the Junos OS accepts invalid configurations. For example, if you specify a transmit rate that exceeds the allowed 100 percent, the system does not reject the configuration and returns unexpected shaping behavior. [Subscriber Access]

We do not support multicast RIF mapping and ANCP when they are configured simultaneously on the same logical interface. For example, we do not support a configuration in which a multicast VLAN and ANCP are configured on the same logical interface and the subscriber VLANs are the same for both ANCP and multicast. [Subscriber Access]

The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber Access Configuration Guide erroneously states that dynamic CoS is supported for dynamic VLANs on the Trio MPC/MIC family of products. In the current release, dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces. [Subscriber Access]


The Subscriber Access Configuration Guide incorrectly describes the authentication-order statement as it is used for subscriber access management. When configuring the authentication-order statement for subscriber access management, you must always specify the radius method. Subscriber access management does not support the password keyword (the default), and authentication fails when you do not specify an authentication method. [Subscriber Access]

In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by the AAA Service Framework topic and the Specifying an Address Pool in a Domain Map topic incorrectly indicate that VSA 26-2 (Local-Address-Pool) is supported. Subscriber management does not support this VSA. [Subscriber Access]

In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by the AAA Service Framework table and the RADIUS-Based Mirroring Attributes table incorrectly describe VSA 26-59. The correct description is as follows:

Attribute Name    Attribute Number    Description
Med-Dev-Handle    26-59               Identifier that associates mirrored traffic to a specific subscriber.

[Subscriber Access]

In the Subscriber Access Configuration Guide, the table titled "Supported Juniper Networks VSAs" in the "Juniper Networks VSAs Supported by the AAA Service Framework" topic lists RADIUS VSA 26-42 (Input-Gigapackets) and VSA 26-43 (Output-Gigapackets). These two VSAs are not supported. [Subscriber Access]

In the Junos OS Subscriber Access Configuration Guide, the "Qualifications for Change of Authorization" section in the topic titled RADIUS-initiated Change of Authorization (CoA) Overview, has been rewritten as follows to clarify how CoA uses the RADIUS attributes and VSAs.

Qualifications for Change of Authorization

To complete the change of authorization for a user, you specify identification attributes and session attributes. The identification attributes identify the subscriber. Session attributes specify the operation (activation or deactivation) to perform on the subscriber's session and also include any client attributes for the session (for example, QoS attributes). The AAA Service Framework handles the actual request. Table 3 on page 143 shows the identification attributes for CoA operations.

NOTE: Using the Acct-Session-ID attribute to identify the subscriber session is more explicit than using the User-Name attribute. When you use the Acct-Session-ID, the attribute identifies the specific subscriber and session. When you use the User-Name as the identifier, the CoA operation is applied to the first session that was logged in with the specified username. However, because a subscriber might have multiple sessions associated with the same username, the first session might not be the correct session for the CoA operation.

Table 3: Identification Attributes

Attribute                              Description
User-Name [RADIUS attribute 1]         Subscriber username.
Acct-Session-ID [RADIUS attribute 44]  Specific subscriber and session.

Table 4 on page 143 shows the session attributes for CoA operations. Any additional client attributes that you include depend on your particular session requirements.

Table 4: Session Attributes

Attribute                                        Description
Activate-Service [Juniper Networks VSA 26-65]    Service to activate for the subscriber.
Deactivate-Service [Juniper Networks VSA 26-66]  Service to deactivate for the subscriber.

[Subscriber Access]
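The attribute layout in Table 3 and Table 4 and the identification rule in the note above, worked through in code. This is an added example written for these notes, not Juniper code: it encodes a CoA-Request as defined in RFC 5176 using the RADIUS attribute numbers from the tables, verifies the Request Authenticator on receipt, and shows how identifying a subscriber by User-Name lands on the first of two sessions held under the same username, whereas Acct-Session-ID selects the intended one. The vendor ID 4874, the shared secret, the username, the session IDs and the service name are assumptions or constructed sample data and do not come from the release notes.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RADIUS packet code for CoA-Request (RFC 5176)

# Attribute numbers from Table 3 and Table 4.
USER_NAME = 1            # RADIUS attribute 1
ACCT_SESSION_ID = 44     # RADIUS attribute 44
VENDOR_SPECIFIC = 26
ACTIVATE_SERVICE = 65    # Juniper Networks VSA 26-65
DEACTIVATE_SERVICE = 66  # Juniper Networks VSA 26-66

# Assumption: the Juniper subscriber VSAs are carried under IANA enterprise
# number 4874; the release notes do not state the vendor ID.
JUNIPER_VENDOR_ID = 4874

# Constructed sample data, not values from the release notes.
SECRET = b"constructed-shared-secret"
SESSIONS = [  # two sessions logged in under one username, oldest first
    {"user_name": "alice@example.net", "acct_session_id": "sess-0001"},
    {"user_name": "alice@example.net", "acct_session_id": "sess-0002"},
]


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1 octet), Length (1 octet), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(value) + 2]) + value


def _juniper_vsa(vendor_type, value):
    """Encode a Vendor-Specific attribute: Vendor-Id, Vendor-Type, Vendor-Length, value."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_VENDOR_ID) + inner)


def build_coa_request(identifier, secret, attributes):
    """Assemble a CoA-Request. The Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_coa_request(packet, secret):
    """Recompute the Request Authenticator. A mismatch means the sender did not
    hold the shared secret or the packet was altered in transit: discard it."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def parse_attributes(packet):
    """Split the attribute section into plain attributes and Juniper VSAs."""
    attrs, vsas, pos = {}, {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if (attr_type == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == JUNIPER_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            vsas[vtype] = value[6:4 + vlen]
        else:
            attrs[attr_type] = value
        pos += length
    return attrs, vsas


def select_session(sessions, attrs):
    """Identification rule from the notes: Acct-Session-ID names exactly one
    session; User-Name matches the first session logged in under that name."""
    if ACCT_SESSION_ID in attrs:
        wanted = attrs[ACCT_SESSION_ID].decode()
        return next((s for s in sessions if s["acct_session_id"] == wanted), None)
    if USER_NAME in attrs:
        wanted = attrs[USER_NAME].decode()
        return next((s for s in sessions if s["user_name"] == wanted), None)
    return None


# A CoA that activates a (constructed) service on the second session ...
COA_BY_SESSION = build_coa_request(7, SECRET, [
    _attr(ACCT_SESSION_ID, b"sess-0002"),
    _juniper_vsa(ACTIVATE_SERVICE, b"video-gold"),
])
# ... and one that only names the user, which lands on the first session.
COA_BY_NAME = build_coa_request(8, SECRET, [
    _attr(USER_NAME, b"alice@example.net"),
    _juniper_vsa(DEACTIVATE_SERVICE, b"video-gold"),
])

if __name__ == "__main__":
    for pkt in (COA_BY_SESSION, COA_BY_NAME):
        attrs, vsas = parse_attributes(pkt)
        print(verify_coa_request(pkt, SECRET), select_session(SESSIONS, attrs), vsas)
```

A receiver should drop a request whose authenticator does not verify before it looks at any attribute, because the attribute section is exactly what an unauthenticated sender controls.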

In the Configuring Per-Subscriber Session Accounting topic in the Subscriber Access Configuration Guide, the description of the update-interval statement incorrectly states that an interval of 10 through 15 minutes is rounded up to 15. The actual behavior is that every configured value is rounded up to the next higher multiple of 10. For example, the values 811 through 819 are all accepted by the CLI, but all are rounded up to 820. [Subscriber Access]

User Interface and Configuration

The show system statistics bridge command displays system statistics on MX Series routers. [System Basics Command Reference]

VPNs

Junos OS Release 11.2 and earlier do not support point-to-multipoint LSPs with next-generation multicast VPNs on MX80 routers. [VPNs]

In Chapter 19, Configuring VPLS of the VPNs Configuration Guide, an incorrect statement that caused contradictory information about which platforms support LDP BGP interworking has been removed. The M7i router was also omitted from the list of supported platforms. The M7i router does support LDP BGP interworking. [VPNs]

The following clarifications have been made to the documentation for the l3vpn-composite-nexthop statement in the VPNs Configuration Guide. When you configure the l3vpn-composite-nexthop statement, a Juniper Networks router can accept larger numbers of Layer 3 VPN BGP updates with unique inner VPN labels. Juniper Networks recommends, as a best practice, configuring the l3vpn-composite-nexthop statement in both multivendor networks and Juniper Networks-only networks; the performance of the Juniper Networks routers can be enhanced in both cases. You can configure the l3vpn-composite-nexthop statement on the following platforms:

MX Series
M120
M320 with an Enhanced III FPC
T Series (for Junos OS Release 10.4 and later)

This statement is supported on indirectly connected PE routers only. Although you can configure this statement on a router that is directly connected to a PE router, there is no benefit to doing so. However, there is no problem with configuring the l3vpn-composite-nexthop statement on a router with a mix of links to both directly connected and indirectly connected PE routers. [VPNs]

Related Documentation

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 7
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 44
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 58
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 145

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers
This section discusses the following topics:

Basic Procedure for Upgrading to Release 10.4 on page 145
Upgrading a Router with Redundant Routing Engines on page 148
Upgrading Juniper Networks Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1 on page 148
Upgrading the Software for a Routing Matrix on page 150
Upgrading Using ISSU on page 151
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR on page 151
Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 152
Downgrade from Release 10.4 on page 153

Basic Procedure for Upgrading to Release 10.4


In order to upgrade to Junos OS 10.0 or later, you must be running Junos OS 9.0S2, 9.1S1, 9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the no-validate option on the request system software install command. When upgrading or downgrading the Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Junos OS Installation and Upgrade Guide.

NOTE: With Junos OS Release 9.0 and later, the compact flash disk memory requirement for Junos OS is 1 GB. For M7i and M10i routers with only 256 MB memory, see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001 at https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.

NOTE: Before upgrading, back up the file system and the currently active Junos configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command:
user@host> request system snapshot

The installation process rebuilds the file system and completely reinstalls the Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files) might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS System Basics Configuration Guide.

The download and installation process for Junos OS Release 10.4 is the same as for previous Junos OS releases. If you are not familiar with the download and installation process, follow these steps:
1. Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. Choose either Canada and U.S. Version or Worldwide Version:
   https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United States and Canada)
   https://www.juniper.net/support/csc/swdist-ww/ (all other customers)
2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
3. Download the software to a local host.
4. Copy the software to the routing platform or to your internal software distribution site.
5. Install the new jinstall package on the routing platform.

NOTE: We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.

Customers in the United States and Canada use the following command:
user@host> request system software add validate reboot source/jinstall-10.4R8.5-domestic-signed.tgz

All other customers use the following command:


user@host> request system software add validate reboot source/jinstall-10.4R8.5-export-signed.tgz

Replace source with one of the following values:

/pathname (for a software package that is installed from a local directory on the router)

For software packages that are downloaded and installed from a remote location:
ftp://hostname/pathname
http://hostname/pathname
scp://hostname/pathname (available only for Canada and U.S. version)

The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release.

Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes. Rebooting occurs only if the upgrade is successful.

NOTE: After you install a Junos OS Release 10.4 jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software.

NOTE: Before you upgrade a router that you are using for voice traffic, you should monitor call traffic on each virtual BGF. Confirm that no emergency calls are active. When you have determined that no emergency calls are active, you can wait for nonemergency call traffic to drain as a result of graceful shutdown, or you can force a shutdown. For detailed information on how to monitor call traffic before upgrading, see the Junos OS Multiplay Solutions Guide.

Upgrading a Router with Redundant Routing Engines


If the router has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to avoid disrupting network operation as follows:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine.
3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software.
4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine.

For the detailed procedure, see the Junos OS Installation and Upgrade Guide.

Upgrading Juniper Networks Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1
In releases prior to Junos OS Release 10.1, the draft-rosen multicast VPN feature implements the unicast lo0.x address configured within that instance as the source address used to establish PIM neighbors and create the multicast tunnel. In this mode, the multicast VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages.

In Junos OS Release 10.1 and later, you can use the router's main instance loopback (lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM state for the multicast VPN. We strongly recommend that you perform the following procedure when upgrading to Junos OS Release 10.1 if your draft-rosen multicast VPN network includes both Juniper Networks routers and other vendors' routers functioning as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout the upgrade process. Because Junos OS Release 10.1 supports using the router's main instance loopback (lo0.0) address, it is no longer necessary for the multicast VPN loopback address to match the main instance loopback address lo0.0 to maintain interoperability.

NOTE: You might want to maintain a multicast VPN instance lo0.x address to use for protocol peering (such as IBGP sessions), or as a stable router identifier, or to support the PIM bootstrap server function within the VPN instance.

Complete the following steps when upgrading routers in your draft-rosen multicast VPN network to Junos OS Release 10.1 if you want to configure the router's main instance loopback address for draft-rosen multicast VPN:
1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the loopback address for draft-rosen multicast VPN.

NOTE: Do not configure the new feature until all the M7i and M10i routers in the network have been upgraded to Junos OS Release 10.1.

2. After you have upgraded all routers, configure each router's main instance loopback address as the source address for multicast interfaces. Include the default-vpn-source interface-name loopback-interface-name statement at the [edit protocols pim] hierarchy level.
3. After you have configured the router's main loopback address on each PE router, delete the multicast VPN loopback address (lo0.x) from all routers. We also recommend that you remove the multicast VPN loopback address from all PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure interoperability with other vendors' routers in a draft-rosen multicast VPN network, you had to perform additional configuration. Remove that configuration from both the Juniper Networks routers and the other vendors' routers. That configuration is present on Juniper Networks routers and on the other vendors' routers wherever you configured the lo0.mvpn address in each VRF instance to be the same address as the main loopback (lo0.0) address. This configuration is not required when you upgrade to Junos OS Release 10.1 and use the main loopback address as the source address for multicast interfaces.

NOTE: To maintain a loopback address for a specific instance, configure a loopback address value that does not match the main instance address (lo0.0).

For more information about configuring the draft-rosen Multicast VPN feature, see the Junos OS Multicast Configuration Guide.

Upgrading the Software for a Routing Matrix


A routing matrix can use either a TX Matrix router as the switch-card chassis (SCC) or a TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade software for a TX Matrix router or a TX Matrix Plus router, the new image is loaded onto the TX Matrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or sfc option) and distributed to all T640 routers or T1600 routers in the routing matrix (specified in the Junos OS CLI by using the lcc option). To avoid network disruption during the upgrade, ensure the following conditions before beginning the upgrade process:

The minimum required amount of free disk space and DRAM on each Routing Engine. The software upgrade will fail on any Routing Engine without the required amount of free disk space and DRAM. To determine the amount of disk space currently available on all Routing Engines of the routing matrix, use the CLI show system storage command. To determine the amount of DRAM currently available on all the Routing Engines in the routing matrix, use the CLI show chassis routing-engine command.

The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re0 or are all re1.

The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re1 or are all re0.

All master Routing Engines in all routers run the same version of software. This is necessary for the routing matrix to operate.

All master and backup Routing Engines run the same version of software before beginning the upgrade procedure. Different versions of the Junos OS can have incompatible message formats, especially if you turn on GRES. Because the steps in the process include changing mastership, running the same version of software is recommended.

For a routing matrix with a TX Matrix router, the same Routing Engine model is used within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix. For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using two RE-1600s is supported. However, an SCC or an LCC with two different Routing Engine models is not supported. We suggest that all Routing Engines be the same model throughout all routers in the routing matrix. To determine the Routing Engine type, use the CLI show chassis hardware | match routing command.

For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G Routing Engines.

NOTE: It is considered best practice to make sure that all master Routing Engines are re0 and all backup Routing Engines are re1 (or vice versa). For the purposes of this document, the master Routing Engine is re0 and the backup Routing Engine is re1.

To upgrade the software for a routing matrix, perform the following steps:
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine (re0) and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping the currently running software version on the master Routing Engine (re0).
3. Load the new Junos OS on the backup Routing Engine. After making sure that the new software version is running correctly on the backup Routing Engine (re1), switch mastership back to the original master Routing Engine (re0) to activate the new software.
4. Install the new software on the new backup Routing Engine (re0).

For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the Routing Matrix with a TX Matrix Plus Feature Guide.

Upgrading Using ISSU


Unified in-service software upgrade (ISSU) enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic. Unified in-service software upgrade is only supported by dual Routing Engine platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. For additional information about using unified in-service software upgrade, see the Junos High Availability Configuration Guide.

Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR
Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the following PIM features are not currently supported with NSR. The commit operation fails if the configuration includes both NSR and one or more of these features:

Anycast RP
Draft-Rosen multicast VPNs (MVPNs)
Local RP
Next-generation MVPNs with PIM provider tunnels
PIM join load balancing

Junos OS Release 9.3 introduced a new configuration statement that disables NSR for PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features, not only incompatible features.)

If neither NSR nor PIM is enabled on the router to be upgraded, or if one of the unsupported PIM features is enabled but NSR is not enabled, no additional steps are necessary and you can use the standard upgrade procedure described in other sections of these instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use the standard reboot or ISSU procedures described in the other sections of these instructions.

Because the nonstop-routing disable statement was not available in Junos OS Release 9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to be upgraded from Junos OS Release 9.2 or earlier to a later release, you must disable PIM before the upgrade and reenable it after the router is running the upgraded Junos OS and you have entered the nonstop-routing disable statement. If your router is running Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR or PIM; simply use the standard reboot or ISSU procedures described in the other sections of these instructions. To disable and reenable PIM:
1. On the router running Junos OS Release 9.2 or earlier, enter configuration mode and disable PIM:
[edit]
user@host# deactivate protocols pim
user@host# commit
2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate for the router type. You can either use the standard procedure with reboot or use ISSU.
3. After the router reboots and is running the upgraded Junos OS, enter configuration mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable PIM:
[edit]
user@host# set protocols pim nonstop-routing disable
user@host# activate protocols pim
user@host# commit

Upgrade Policy for Junos OS Extended End-Of-Life Releases


An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases. For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5. For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged. For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.
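The EEOL rule and the three-release rule above, expressed as a small upgrade planner. This is an added example written for these notes, not something from Juniper: it encodes the two rules and finds the shortest chain of direct installs between two releases, which is what you need when scheduling a multi-step upgrade or a rollback. The ordered release list (it includes 9.6, 10.2 and 10.3, releases the notes do not mention) and the treatment of 8.5 as an EEOL release are assumptions; the authoritative EEOL list is the page linked above.

```python
from collections import deque

# Assumed ordered list of Junos OS major releases from 8.5 to 10.4. The release
# notes name only some of these (8.5, 9.0 through 9.5, 10.0, 10.1, 10.4).
RELEASES = ["8.5", "9.0", "9.1", "9.2", "9.3", "9.4", "9.5", "9.6",
            "10.0", "10.1", "10.2", "10.3", "10.4"]

# 9.3, 10.0 and 10.4 are named as EEOL releases in the notes; 8.5 is assumed
# to be EEOL because the notes apply the EEOL rule to it.
EEOL_RELEASES = ["8.5", "9.3", "10.0", "10.4"]

MAX_NON_EEOL_HOP = 3  # "no more than three releases at a time"
MAX_EEOL_HOP = 2      # "one of two adjacent later (or earlier) EEOL releases"


def direct_step_allowed(src, dst):
    """True if src can be upgraded or downgraded to dst with one jinstall step."""
    if src not in RELEASES or dst not in RELEASES:
        raise ValueError("unknown release")
    if src == dst:
        return False
    # EEOL-to-EEOL jumps are measured in EEOL releases, not in all releases.
    if src in EEOL_RELEASES and dst in EEOL_RELEASES:
        if abs(EEOL_RELEASES.index(src) - EEOL_RELEASES.index(dst)) <= MAX_EEOL_HOP:
            return True
    # Everything else falls back to the general three-release limit.
    return abs(RELEASES.index(src) - RELEASES.index(dst)) <= MAX_NON_EEOL_HOP


def plan_path(src, dst):
    """Shortest chain of permitted direct steps from src to dst (breadth-first
    search over the release list), or None if no chain exists."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in RELEASES:
            if nxt not in prev and direct_step_allowed(cur, nxt):
                prev[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for src, dst in (("8.5", "10.4"), ("10.4", "8.5"), ("9.3", "10.1")):
        print(src, "->", dst, ":", " -> ".join(plan_path(src, dst)))
```

plan_path("8.5", "10.4") returns a two-step chain through 9.3 or 10.0, matching the worked example in the text, and plan_path("9.3", "10.1") shows that a jump from an EEOL release to a non-EEOL release five releases away still has to be broken up, because the two-adjacent-EEOL rule applies only when both ends are EEOL releases.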

Downgrade from Release 10.4


To downgrade from Release 10.4 to another supported release, follow the procedure for upgrading, but replace the 10.4 jinstall package with one that corresponds to the appropriate release. For more information, see the Junos OS Installation and Upgrade Guide.

Related Documentation

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 7
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 44
Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 58
Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 136

Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers
Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust networking and security services. SRX Series Services Gateways range from lower-end devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms. The SRX Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, SRX650, SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and efficient IP routing, WAN and LAN connectivity, and management services for small to medium-sized enterprise networks. These routers also provide network security features, including a stateful firewall with access control policies and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320, J2350, J4350, and J6350 devices.

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 154
Advertising Bandwidth for Neighbors on a Broadcast Link Support on page 186
Group VPN Interoperability with Cisco's GET VPN on page 186
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 187
Unsupported CLI on page 204
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 213
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 228
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 254
Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 267
Maximizing ALG Sessions on page 269
Integrated Convergence Services Not Supported on page 270
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 270

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.

Release 10.4R4 Chassis Cluster Improvements on page 155
Software Features on page 157
Hardware Features: SRX210, SRX220, and SRX240 Services Gateways on page 177
Hardware Features: SRX220 Services Gateway with Power Over Ethernet on page 179
Hardware Features: SRX1400 Services Gateway on page 182
Hardware Features: SRX3400 and SRX3600 Services Gateways on page 185

Release 10.4R4 Chassis Cluster Improvements

NOTE: See also Chassis Cluster in Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 187.

Hardware Monitoring

For SRX3400, SRX3600, SRX5600, and SRX5800 devices, hardware monitoring has been improved as follows:

Failure handling: Hardware failure handling is systematically whitebox tested so that hardware defects can be promptly detected and clearly reported, ensuring that network resilience is achieved in chassis cluster deployments.

Failure detection: The failure detection method is more stringent. Now potential failures can be detected, which improves the chassis cluster protection coverage for hardware defects. As a side effect, some marginally faulty hardware in the field might be discovered. Such a discovery ensures that customer networks will not experience nondeterministic behavior due to faulty hardware.

Failure reporting: Any hardware failure is clearly reported as an alarm and triggers the proper SNMP trap. The show chassis alarms command reports which card has defects and provides a timestamp for when the failure is detected. The system log that corresponds to the timestamp now has a more detailed failure description at the hardware component level. Key events in the failure handling are logged to measure the recovery time.

Failure recovery: A failure in the primary node of the chassis cluster triggers a corresponding redundancy group failover, depending on whether the failure affects the control plane or data plane. A failure in the secondary node marks the node as chassis cluster ineligible, which prevents traffic failover to the faulty node. Note that faulty hardware should be physically replaced as early as possible to restore the health of chassis cluster redundancy.

Failure recovery time: The time performance for failure detection and chassis recovery has been improved, which minimizes traffic impact caused by hardware defects. In most cases, the impact is less than one second and affects only one unit of the many units that are part of the distributed processing for SRX Series devices. Traffic is normally recovered without noticeable loss.

SPU Monitoring

For SRX3400, SRX3600, SRX5600, and SRX5800 devices, Service Processing Unit (SPU) monitoring has been improved as follows:

Leakage detection: SPU memory and packet buffer are critical resources that contribute to longevity and performance. Resource leakage over a long period of time degrades traffic throughput. A new leakage detection method has been added to SPU monitoring. This leakage detection method logs buffer leakage and triggers recovery action when the leakage accumulates to exhaustion level. Resource leakage is automatically recovered as a result of the following actions:
1. Chassis cluster failover is triggered to minimize the network impact.
2. The affected SPU generates a core file to be used for further engineering root cause investigation.
3. The SPU is rebooted to restore the health of the chassis cluster.

FPGA For SRX3400 and SRX3600 devices, field-programmable gate array (FPGA) logic has been improved as follows:

156

Copyright 2011, Juniper Networks, Inc.

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

• Detection and recovery: The Services Processing Card (SPC), Network Processing Card (NPC), and I/O Card (IOC) each have an FPGA that facilitates packet forwarding, QoS, flow control, and switch fabric forwarding along the data path. In rare cases (potentially, in the presence of other hardware defects), the FPGA can run into a corner case that causes traffic in one stream channel to lock up. A detection and recovery method has been added in both the FPGA logic and its driver software. The FPGA recovers itself, without a chassis-wide alarm or high-level chassis cluster action being involved. The traffic impact is less than one second and affects only one stream channel. The recovery event is logged in the system log. Because this improvement involves a new FPGA binary image, the new FPGA binary is automatically programmed into the on-board flash ROM. This FPGA upgrade occurs only the first time that Release 10.4R4 is installed. The programming adds about 60 seconds of system startup time for each card in the chassis.

Software Features
Application Layer Gateways (ALGs)

Rewrite rule for DSCP at VoIP ALGs: This feature is supported on all SRX Series and J Series devices. The Differentiated Services Code Point (DSCP) is a redefinition of the type-of-service byte for class of service (CoS): six bits of the byte are reallocated as the DSCP field, and each DSCP value specifies a particular per-hop behavior that is applied to the packet. A rewrite rule modifies the appropriate CoS bits in an outgoing packet to meet the requirements of the targeted peer. Each rewrite rule reads the current CoS value configured at the voice over IP (VoIP) Application Layer Gateway (ALG) level, and every packet that hits the VoIP ALG is marked with that CoS value. You can configure a rewrite rule for a DSCP Differentiated Services (DiffServ) marker at the VoIP ALG level to cover VoIP signaling and its respective Real-Time Transport Protocol (RTP) streams. You can configure the rewrite rule such that all VoIP traffic hitting the ALG gets one rewrite marker while its respective RTP/Real-Time Control Protocol (RTP/RTCP) traffic gets a different rewrite marker. [Junos OS CLI Reference]

Chassis Cluster

Increasing the number of zones and virtual routers: This feature is supported on SRX5600 and SRX5800 devices. The maximum number of zones, virtual routers, and logical interfaces (IFLs; the IFL limit applies to chassis cluster mode only) that can be configured on an SRX5800 device has been increased to 2000. In a chassis cluster, as the number of logical interfaces is scaled upward, the time allowed before a failover is triggered must be increased accordingly. At maximum capacity on an SRX5600 or SRX5800 device, we recommend that you increase the configured failover detection time to at least 5 seconds.


[Junos OS CLI Reference]

Configuration Wizards

Configuration wizards: This feature is supported on SRX100, SRX210, SRX240, and SRX650 devices. The J-Web interface now has a set of wizards that simplify the basic configuration of SRX Series devices. The Setup wizard appears automatically when you first start the device, or when the device is in factory default mode and you browse to the Web management URL. Three other wizards in the J-Web interface let you configure basic firewall policies, basic IPsec VPN settings, and basic NAT settings.

Flow and Processing

J-Flow V9 support: This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices. J-Flow Services Export Version 9 (J-Flow V9) provides an extensible and flexible method for using templates to observe packets on a router. Each template indicates the format in which the device exports data. In Junos OS Release 10.4, PIC-based J-Flow V9 is introduced along with J-Flow V5 and V8, which were disabled in Junos OS Release 9.4. [Junos OS CLI User Guide] [Junos OS Interfaces Configuration Guide for Security Devices]

Packet capture: This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. Packet capture is a datapath-debugging feature that lets you create a filter for specific traffic and apply an action profile to that traffic. The action profile specifies a variety of actions at different processing units. One of the supported actions is packet dump, which sends the packet to the Routing Engine and stores it in a proprietary format. You can view the captured packets by entering the show security datapath-debug capture command. The performance of packet capture has been improved and is comparable to trace performance. [Junos OS Security Configuration Guide]

Screen logs: Screen log enhancement is supported on all SRX Series and J Series devices. The new log format captures all required information in the screen log. This allows you to view all log information for a device instead of having to search through device-specific logs. The new log structure is as follows:

<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" action="alarm-without-drop"]

[Junos OS Security Configuration Guide]
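An added example (not code from the release notes or from Juniper) that parses the line shown above into its RFC 5424 header fields and structured-data parameters, so that a SIEM rule can key on the attack name, the flow and the action. It assumes nothing beyond what the sample line shows; the follow-up helper treats action="alarm-without-drop" as the case an analyst has to chase, because the screen alarmed but the packets were forwarded.

```python
"""Parse the structured (RFC 5424 style) SRX screen log line into fields.

Added example, not Juniper code. SAMPLE is the line from the release notes;
the parameter names (attack-name, source-address, ...) come from that line.
"""
import re
from dataclasses import dataclass, field

SAMPLE = ('<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP '
          '[junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" '
          'source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" '
          'destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" '
          'action="alarm-without-drop"]')

# RFC 5424: PRI = facility * 8 + severity
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$")
# one SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; values may contain spaces
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^ \]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^=\s]+)="(?P<value>(?:[^"\\]|\\.)*)"')


@dataclass
class ScreenEvent:
    facility: int
    severity: str
    timestamp: str
    host: str
    app: str
    msgid: str
    sd_id: str
    params: dict = field(default_factory=dict)


def unescape(value):
    """RFC 5424 PARAM-VALUE escapes '"', '\\' and ']' with a backslash."""
    return re.sub(r'\\(["\\\]])', r'\1', value)


def parse_screen_log(line):
    """Turn one screen log line into a ScreenEvent; raise on anything malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 header")
    sd = SD_ELEMENT_RE.match(m["rest"])
    if not sd:
        raise ValueError("no structured-data element")
    pri = int(m["pri"])
    params = {p["name"]: unescape(p["value"]) for p in SD_PARAM_RE.finditer(sd["params"])}
    return ScreenEvent(pri // 8, SEVERITY[pri % 8], m["ts"], m["host"],
                       m["app"], m["msgid"], sd["sdid"], params)


def flow_tuple(event):
    """(src, sport, dst, dport) as logged, for correlation with session logs."""
    p = event.params
    return (p.get("source-address"), p.get("source-port"),
            p.get("destination-address"), p.get("destination-port"))


def needs_follow_up(event):
    """A screen hit that was alarmed but not dropped means the traffic got through."""
    return event.msgid.startswith("RT_SCREEN") and event.params.get("action") == "alarm-without-drop"


if __name__ == "__main__":
    ev = parse_screen_log(SAMPLE)
    print(ev.severity, ev.params["attack-name"], flow_tuple(ev), needs_follow_up(ev))
```

The PRI of 67 decodes to facility 8 and severity err, which is the first thing a collector should check before trusting the rest of the line; everything after the structured-data ID is key/value, so no positional parsing is needed when Juniper adds fields later.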


Interfaces and Routing

1-Port Gigabit Ethernet SFP Mini-PIM: This feature is supported on SRX210, SRX220, and SRX240 devices. Small form-factor pluggables (SFPs) are hot-pluggable modular interface transceivers for Gigabit and Fast Ethernet connections. Gigabit Ethernet SFP Mini-PIMs can be used in copper and optical environments. The 1-Port Gigabit Ethernet SFP Mini-PIM connects a single Gigabit Ethernet device or network. It supports a variety of transceivers with data speeds of 10 Mbps/100 Mbps/1 Gbps for extended LAN or WAN connectivity. The 1-Port SFP Gigabit Ethernet Mini-PIM supports the following features:

• 10 Mbps/100 Mbps/1 Gbps link speed
• Half-duplex/full-duplex support
• Autonegotiation
• Encapsulations
• MTU size of 1514 bytes (default) and 9010 bytes (jumbo frames)
• Loopback
• Online insertion and removal of transceivers

[Junos OS Interfaces Configuration Guide for Security Devices]

IPsec

Virtual router support for route-based VPNs: This feature is supported on all SRX Series and J Series devices. It adds routing-instance support for route-based VPNs: you can now configure different subunits of the st0 interface in different routing instances. The following functions are supported for nondefault routing instances:

• Manual key management
• Transit traffic
• Self-traffic
• VPN monitoring
• Hub-and-spoke VPNs
• Encapsulating Security Payload (ESP) protocol
• Authentication Header (AH) protocol
• Aggressive mode or main mode
• st0 anchored on the loopback (lo0) interface
• Maximum number of virtual routers supported on an SRX Series device
• Applications such as Application Layer Gateway (ALG), Intrusion Detection and Prevention (IDP), and Unified Threat Management (UTM)
• Dead peer detection (DPD)
• Chassis cluster active/backup
• OSPF over st0
• RIP over st0

NOTE: IKE is not supported in a custom VR (virtual router). The IKE gateway external interface must reside in the default virtual router (inet.0).

[Junos OS Administration Guide for Security Devices] [Junos OS CLI Reference] [Junos OS Security Configuration Guide]

IPv6 Support

Active/active chassis cluster: This feature is supported on all SRX Series and J Series devices. In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6) can be deployed in active/active chassis cluster configurations in addition to the existing support for active/passive chassis cluster configurations. [Junos OS Security Configuration Guide]

Address books and address sets in active/active chassis cluster: This feature is supported on all SRX Series and J Series devices. It is supported in active/active chassis cluster configurations in addition to the existing support for active/passive chassis cluster configurations. For SRX Series and J Series devices running IP version 6 (IPv6) in active/active chassis cluster configurations, address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names. To configure IPv6 address entries, specify an IPv6 address when you use the address statement at the [edit security zones security-zone name address-book] hierarchy level. The address set configuration refers to the names of address book entries, not to IP addresses, so there are no additional considerations for IPv6 traffic. [Junos OS Security Configuration Guide]

Advanced flow: This feature is supported on all SRX Series and J Series devices. IPv6 advanced flow adds IPv6 support for firewall, NAT, NAT-PT, multicast (link-local and transit), IDP, the Junos framework, TCP proxy, and session manager on SRX Series and J Series devices. MIBs are not used in the IPv6 flow. IPv6 security is enabled separately so that it has no impact on the existing IPv4 system: if IPv6 security is enabled, extended sessions and gates are allocated, and the existing address fields and gates are used to store the index of the extended sessions or gates; if IPv6 security is disabled, the IPv6 security related resources are not allocated. New logs are used for IPv6 flow traffic so that performance of the existing IPv4 system is not affected. The behavior and implementation of IPv6 advanced flow are the same as those of the IPv4 flow, with the following differences:

• Header parsing: IPv6 advanced flow stops parsing headers and interprets the packet as the corresponding protocol packet when it encounters one of the following headers:

  - TCP/UDP
  - ESP/AH
  - ICMPv6

  IPv6 advanced flow continues parsing headers when it encounters one of the following extension headers:

  - Hop-by-Hop
  - Routing and Destination
  - Fragment

  IPv6 advanced flow interprets the packet as an unknown protocol packet if it encounters the No Next Header extension header.

• Sanity checks: IPv6 advanced flow supports the following sanity checks:

  - TCP length
  - UDP length
  - Hop-by-Hop IP data length error
  - Layer 3 sanity checks (for example, IP version and IP length)

• ICMPv6 packets: In IPv6 advanced flow, ICMPv6 packets share the same behavior as normal IPv6 traffic, with the following exceptions:

  - Embedded ICMPv6 packet
  - Path MTU message

• Host inbound and outbound traffic: IPv6 advanced flow supports all routing and management protocols running on the Routing Engine, including OSPFv3, RIPng, Telnet, and SSH. Note that the flow label is not used in the flow.

[Junos OS Security Configuration Guide]

DNS ALG for routing, NAT, and NAT-PT: This feature is supported on all SRX Series and J Series devices. The DNS ALG is the part of the ALG framework that handles Domain Name System (DNS) traffic, and it already supports IPv4. Junos OS Release 10.4 adds IPv6 support to the DNS ALG for routing, NAT, and NAT-PT. When the DNS ALG receives a DNS query from a DNS client, it performs a security check on the DNS packet. When the DNS ALG receives the DNS reply from the DNS server, it performs a similar security check and then closes the session for the DNS traffic. In NAT mode, the DNS ALG translates the public address in a DNS reply to a private address when the DNS client is on a private network, and similarly translates a private address to a public address when the DNS client is on a public network. In NAT-PT mode, the DNS ALG translates the IP address in a DNS reply packet between IPv4 and IPv6 when the DNS client is in an IPv6 network and the server is in an IPv4 network, and vice versa. To support NAT-PT mode in the DNS ALG, the NAT module must support NAT-PT. [Junos OS Security Configuration Guide]

Dual-stack lite: This feature is supported on SRX650, SRX3400, SRX3600, SRX5600, and SRX5800 devices. IPv6 dual-stack lite (DS Lite) is a technology for maintaining connectivity between legacy IPv4 devices and networks despite a depleted IPv4 address pool, as service provider networks transition to IPv6-only deployments. DS Lite allows IPv4 customers to continue accessing IPv4 Internet content with minimum disruption to their home networks, while enabling IPv6 customers to access IPv6 content. The DS Lite deployment model consists of the following components:

• Softwire Initiator (SI) in the DS Lite home router (the SI is not available in Junos OS Release 10.4)
• Softwire Concentrator (SC) in the DS Lite carrier-grade Network Address Translation (NAT)

A softwire is a tunnel over an IPv6 network. The SI finds the SC address, encapsulates an IPv4 packet, and transmits it across the softwire. The SC receives the IPv4 packet inside the IPv6 softwire packet and decapsulates the IPv6 softwire packet to retrieve the inner IPv4 packet. Multiple SIs can have the same SC as the endpoint of their softwires.


The DS Lite carrier-grade NAT performs IPv4-to-IPv4 address translation for multiple subscribers through a single global IPv4 address. Overlapping address spaces used by subscribers are disambiguated by identifying the tunnel endpoints. A new command for displaying information about softwires, show security softwires, is available in Junos OS Release 10.4. [Junos OS CLI Reference] [Junos OS Security Configuration Guide]
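To make the last point concrete, here is an added example (not Juniper code, and not how the SRX softwire implementation is written) that models the softwire concentrator side: it decapsulates IPv4-in-IPv6 (IPv6 next header 4) and keys its NAT44 mapping on the softwire endpoint address as well as the inner source address and port, so two homes that both use 192.168.1.2 get distinct public ports. The concentrator address 2001:db8::1, the public address 198.51.100.7 and the packets themselves are constructed for the example; the IPv4 header and UDP checksums are left at zero because the model does not verify them.

```python
"""DS Lite softwire concentrator model: decapsulate IPv4-in-IPv6, then NAT44
keyed on the softwire endpoint so overlapping subscriber addresses stay apart.
Added example, not Juniper's implementation. Addresses are documentation
prefixes chosen for the example; packets are built inline.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4     # IPv6 next header for an encapsulated IPv4 packet (the softwire)
IPPROTO_UDP = 17


def build_ipv4_udp(src4, dst4, sport, dport, data=b""):
    """Minimal IPv4+UDP packet; header checksums left at zero (not verified here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    return ip + udp


def build_ipv6_ipip(src6, dst6, inner):
    """What the softwire initiator in the home router sends: IPv6 header, next header 4."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(inner), IPPROTO_IPIP, 64,
                      ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
    return hdr + inner


class Aftr:
    """Softwire concentrator plus carrier-grade NAT (one public IPv4 address)."""

    def __init__(self, address6, public4, first_port=1024):
        self.address6 = ipaddress.IPv6Address(address6)
        self.public4 = ipaddress.IPv4Address(public4)
        self.next_port = first_port
        self.table = {}  # (softwire endpoint, inner src, sport, proto) -> public port

    def decapsulate(self, pkt):
        """Return (softwire endpoint, inner IPv4 packet); refuse anything else."""
        if len(pkt) < 40 or pkt[0] >> 4 != 6:
            raise ValueError("not IPv6")
        plen, nh = struct.unpack("!HB", pkt[4:7])
        src6 = ipaddress.IPv6Address(pkt[8:24])
        dst6 = ipaddress.IPv6Address(pkt[24:40])
        if nh != IPPROTO_IPIP or dst6 != self.address6:
            raise ValueError("not an IPv4-in-IPv6 softwire addressed to this concentrator")
        inner = pkt[40:40 + plen]
        if len(inner) < 20 or inner[0] >> 4 != 4:
            raise ValueError("inner packet is not IPv4")
        return src6, inner

    def translate(self, pkt):
        """Return (public src, public port, dst, dport) for the decapsulated flow."""
        endpoint, inner = self.decapsulate(pkt)
        ihl = (inner[0] & 0x0F) * 4
        proto = inner[9]
        src4 = ipaddress.IPv4Address(inner[12:16])
        dst4 = ipaddress.IPv4Address(inner[16:20])
        if proto != IPPROTO_UDP:
            raise ValueError("only UDP is modelled here")
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        # The endpoint is what keeps two subscribers with the same RFC 1918 address apart.
        key = (endpoint, src4, sport, proto)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return str(self.public4), self.table[key], str(dst4), dport


def demo():
    """Two homes, identical inner 4-tuple, different softwire endpoints."""
    aftr = Aftr("2001:db8::1", "198.51.100.7")
    inner = build_ipv4_udp("192.168.1.2", "203.0.113.53", 5000, 53)
    home_a = build_ipv6_ipip("2001:db8:a::b4", "2001:db8::1", inner)
    home_b = build_ipv6_ipip("2001:db8:b::b4", "2001:db8::1", inner)
    return aftr.translate(home_a), aftr.translate(home_b), aftr.translate(home_a)


def rejects_plain_ipv6():
    """A native IPv6/UDP packet to the concentrator address must not be treated as a softwire."""
    aftr = Aftr("2001:db8::1", "198.51.100.7")
    pkt = struct.pack("!IHBB16s16s", 0x60000000, 0, IPPROTO_UDP, 64,
                      ipaddress.IPv6Address("2001:db8:a::b4").packed,
                      ipaddress.IPv6Address("2001:db8::1").packed)
    try:
        aftr.decapsulate(pkt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejects_plain_ipv6())
```

The mapping table is exactly what show security softwires and the NAT session table have to expose together: without the endpoint in the key, the two subscribers' flows would collide on the same public port.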

Firewall security policy in active/active chassis cluster: This feature is supported on all SRX Series and J Series devices. It is now supported in active/active chassis cluster configurations in addition to the existing support for active/passive chassis cluster configurations. The matching criteria for security policy rules are zones, address objects, and applications. To write security policy rules for IPv6 traffic, you configure zone and address objects with IPv6 values; you can also select IPv6 applications. Note that in security policy rules the meaning of the wildcard any has changed: when flow support is enabled for IPv6 traffic, any matches any IPv4 or IPv6 address, and when flow support is not enabled for IPv6 traffic, any matches IPv4 addresses only. Junos OS Release 10.4 introduces the wildcards any-ipv4 and any-ipv6 to match any IPv4 or any IPv6 address respectively, in active/active chassis cluster as well. IPv6 support for IDP and UTM is not included in Junos OS Release 10.4. If your current security policy uses rules with the any address wildcard and IDP or UTM features enabled, you will encounter configuration commit errors, because IDP and UTM do not support IPv6 addresses. To resolve these errors, modify the rule that returns the error so that it uses the any-ipv4 wildcard, and create separate rules for IPv6 traffic that do not include IDP or UTM features. [Junos OS CLI Reference] [Junos OS Security Configuration Guide]
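An added example (not Juniper code) that finds the commit error described above before you commit: it reads a set-style configuration and, when inet6 flow-based processing is enabled, flags every policy that matches any and applies IDP or a UTM policy, then emits the delete/set pairs that change any to any-ipv4. The sample configuration, zone names and policy names are constructed for the example; the separate IPv6 rule without IDP or UTM still has to be written by hand.

```python
"""Pre-commit lint for the 'any' wildcard pitfall with IDP/UTM once IPv6 flow
is enabled. Added example, not Juniper code; SAMPLE_CONFIG is constructed.
"""
import re
from collections import defaultdict

INET6_FLOW = "set security forwarding-options family inet6 mode flow-based"
POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<fz>\S+) to-zone (?P<tz>\S+) "
    r"policy (?P<name>\S+) (?P<rest>.+)$")
# application-services that have no IPv6 support in this release
L7_SERVICES = {"idp", "utm-policy"}

SAMPLE_CONFIG = """\
set security forwarding-options family inet6 mode flow-based
set security policies from-zone trust to-zone untrust policy web-out match source-address any
set security policies from-zone trust to-zone untrust policy web-out match destination-address any
set security policies from-zone trust to-zone untrust policy web-out match application junos-http
set security policies from-zone trust to-zone untrust policy web-out then permit application-services idp
set security policies from-zone trust to-zone untrust policy dns-out match source-address any
set security policies from-zone trust to-zone untrust policy dns-out match destination-address any
set security policies from-zone trust to-zone untrust policy dns-out match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy dns-out then permit
"""


def parse(config_text):
    """Return (ipv6_flow_enabled, {(from, to, name): {"src", "dst", "services"}})."""
    policies = defaultdict(lambda: {"src": set(), "dst": set(), "services": set()})
    ipv6_flow = False
    for line in config_text.splitlines():
        line = line.strip()
        if line == INET6_FLOW:
            ipv6_flow = True
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        words = m["rest"].split()
        entry = policies[(m["fz"], m["tz"], m["name"])]
        if words[:2] == ["match", "source-address"]:
            entry["src"].add(words[2])
        elif words[:2] == ["match", "destination-address"]:
            entry["dst"].add(words[2])
        elif words[:3] == ["then", "permit", "application-services"] and len(words) > 3:
            entry["services"].add(words[3])
    return ipv6_flow, dict(policies)


def lint(config_text):
    """One finding per policy that would fail commit, each with the fix commands."""
    ipv6_flow, policies = parse(config_text)
    findings = []
    if not ipv6_flow:
        return findings  # 'any' still means IPv4 only; IDP/UTM rules commit fine
    for (fz, tz, name), entry in policies.items():
        l7 = entry["services"] & L7_SERVICES
        if not l7 or "any" not in entry["src"] | entry["dst"]:
            continue
        fix = []
        for stmt, key in (("source-address", "src"), ("destination-address", "dst")):
            if "any" in entry[key]:
                base = "security policies from-zone %s to-zone %s policy %s match %s" % (fz, tz, name, stmt)
                fix.append("delete " + base + " any")
                fix.append("set " + base + " any-ipv4")
        findings.append({
            "policy": name,
            "services": sorted(l7),
            "fix": fix,
            "note": "add a separate IPv6 policy for this traffic without IDP/UTM",
        })
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f["policy"], f["services"])
        print("\n".join(f["fix"]))
```

Only web-out is reported: dns-out also matches any, but without IDP or UTM it simply starts matching IPv6 as well, which is a policy-intent question rather than a commit error.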

Flow-based processing in active/active chassis cluster: This feature is supported on all SRX Series and J Series devices. Junos OS Release 10.4 supports IPv6 flow-based processing in active/active chassis cluster configurations in addition to the existing support for active/passive chassis cluster configurations. IPv6 flow support enables processing of IPv6 traffic by the security features of SRX Series and J Series devices. IPv6 flow support is disabled by default, in which case IPv6 packets are dropped. To enable flow-based processing for IPv6 traffic, modify the mode statement at the [edit security forwarding-options family inet6] hierarchy level. The show security flow session source-prefix and show security flow session destination-prefix commands you use to monitor session statistics now accept IPv6 address arguments. In addition, the show security flow session family (inet | inet6) option is added to filter session statistics by protocol family.


[Junos OS CLI Reference] [Junos OS Interfaces Configuration Guide for Security Devices] [Junos OS Security Configuration Guide]

FTP ALG for routing: This feature is supported on all SRX Series and J Series devices. The FTP ALG is the part of the ALG framework that handles File Transfer Protocol (FTP) traffic. The PORT/PASV requests and the corresponding 200/227 responses in FTP announce the TCP port on which the host listens for the FTP data connection; the EPRT/EPSV commands and the 229 response are their address-family-aware equivalents (RFC 2428). The FTP ALG already supported EPRT/EPSV/229, but only for IPv4 addresses. In Junos OS Release 10.4, EPRT/EPSV/229 handling is updated to support both IPv4 and IPv6 addresses. [Junos OS CLI Reference] [Junos OS Security Configuration Guide]

ICMP ALG for routing, NAT, and NAT-PT: This feature is supported on all SRX Series and J Series devices. ALGs support Internet Control Message Protocol version 6 (ICMPv6), an integral part of IPv6 that must be fully implemented by every IPv6 node. The ICMP ALG handles ICMP traffic by monitoring all ICMP messages and then performing the following actions:

• Closes the session
• Modifies the payload

In routing mode, the ICMP ALG closes a session if it receives one of the following message types:

• Echo reply (type 129) message
• Destination unreachable (type 1) error message

In Network Address Translation (NAT) mode, the ICMP ALG performs the following actions:

• Closes the session if it receives an echo reply (type 129) message or a destination unreachable (type 1) error message
• Modifies the identifier or sequence number of the echo request
• Retains the original identifier and sequence number for the echo reply
• Translates the embedded IPv6 packet in an ICMPv6 error message

In a Network Address Translation-Protocol Translation (NAT-PT) environment, the ALG performs the following actions:

• Closes the session if it receives an echo reply (type 129) message or a destination unreachable (type 1) error message
• Translates an ICMPv4 ping message to an ICMPv6 ping message
• Translates an ICMPv6 ping message to an ICMPv4 ping message
• Translates an ICMPv4 error message to an ICMPv6 error message and translates its embedded IPv4 packet to an IPv6 packet
• Translates an ICMPv6 error message to an ICMPv4 error message and translates its embedded IPv6 packet to an IPv4 packet

The ICMP ALG drops ICMP traffic when translation between IPv4 and IPv6 is not possible. Note that the ICMP ALG is always enabled and cannot be disabled from the command-line interface (CLI). [Junos OS Security Configuration Guide]
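An added example (not Juniper code) that models the ping actions listed above for NAT-PT: the ICMPv4 echo request becomes an ICMPv6 echo request with a rewritten identifier, and the ICMPv6 echo reply becomes an ICMPv4 echo reply with the original identifier restored, after which the session is closed. It also shows the part the release notes do not spell out, that the ICMPv6 checksum covers an IPv6 pseudo-header (RFC 4443) and therefore has to be recomputed, while the ICMPv4 checksum covers only the ICMP message. The NAT address, the identifier range and the packets are constructed for the example; ICMP error messages and their embedded packets are not modelled.

```python
"""ICMP ALG behaviour for ping across NAT-PT (IPv4 client, IPv6 server).
Added example, not Juniper code. Addresses and identifier range are assumptions.
"""
import ipaddress
import struct

ICMP4_ECHO_REPLY, ICMP4_ECHO_REQUEST = 0, 8
ICMP6_ECHO_REQUEST, ICMP6_ECHO_REPLY = 128, 129
IPPROTO_ICMPV6 = 58


def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over a packet that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp6_checksum(src6, dst6, icmp6):
    """ICMPv6 includes the IPv6 pseudo-header (src, dst, length, next header 58); ICMPv4 does not."""
    pseudo = (ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
              + struct.pack("!IxxxB", len(icmp6), IPPROTO_ICMPV6))
    return checksum(pseudo + icmp6)


def icmp4_echo(typ, ident, seq, data=b""):
    body = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def icmp6_echo(typ, ident, seq, src6, dst6, data=b""):
    body = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", icmp6_checksum(src6, dst6, body)) + body[4:]


def echo_ident(pkt):
    """Identifier field of an ICMP echo message (same offset in v4 and v6)."""
    return struct.unpack("!H", pkt[4:6])[0]


class IcmpNatPt:
    """Pings from many IPv4 clients leave through one IPv6 address; the identifier tells replies apart."""

    def __init__(self, nat_src6, first_ident=40000):
        self.nat_src6 = nat_src6
        self.next_ident = first_ident
        self.sessions = {}  # translated identifier -> (client IPv4, original identifier)

    def request_4to6(self, client4, icmp4, server6):
        """ICMPv4 echo request -> ICMPv6 echo request with a NAT-assigned identifier."""
        if len(icmp4) < 8 or icmp4[0] != ICMP4_ECHO_REQUEST or checksum(icmp4) != 0:
            return None  # not a ping, or corrupt: drop
        _, _, _, ident, seq = struct.unpack("!BBHHH", icmp4[:8])
        new_ident = self.next_ident
        self.next_ident += 1
        self.sessions[new_ident] = (client4, ident)  # "modifies the identifier of the echo request"
        return icmp6_echo(ICMP6_ECHO_REQUEST, new_ident, seq, self.nat_src6, server6, icmp4[8:])

    def reply_6to4(self, server6, icmp6):
        """ICMPv6 echo reply -> (client IPv4, ICMPv4 echo reply) with the original identifier; closes the session."""
        if len(icmp6) < 8 or icmp6_checksum(server6, self.nat_src6, icmp6) != 0:
            return None
        typ, _, _, ident, seq = struct.unpack("!BBHHH", icmp6[:8])
        if typ != ICMP6_ECHO_REPLY or ident not in self.sessions:
            return None  # no matching session: drop, as the ALG does
        client4, orig_ident = self.sessions.pop(ident)  # "closes the session" on the reply
        return client4, icmp4_echo(ICMP4_ECHO_REPLY, orig_ident, seq, icmp6[8:])


if __name__ == "__main__":
    nat = IcmpNatPt("2001:db8::1")
    req6 = nat.request_4to6("192.0.2.10", icmp4_echo(ICMP4_ECHO_REQUEST, 0x1234, 1, b"hi"), "2001:db8::53")
    rep6 = icmp6_echo(ICMP6_ECHO_REPLY, echo_ident(req6), 1, "2001:db8::53", "2001:db8::1", b"hi")
    print(nat.reply_6to4("2001:db8::53", rep6))
```

Because the pseudo-header binds the checksum to the IPv6 addresses, the ALG cannot simply copy the ICMPv4 checksum across; a reply whose checksum does not verify against the NAT-PT address pair is dropped before any session lookup.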

Interfaces in active/active chassis clusterThis feature is supported on all SRX Series and J Series devices. A logical interface can be configured with an IPv4 address, IPv6 address, or both in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations. To configure an IPv6 address for a logical interface, use the inet6 statement at the [edit interfaces interface-name unit logical-unit family] hierarchy level. [Junos OS Interfaces Configuration Guide for Security Devices]

Multicast flow: This feature is supported on all SRX Series and J Series devices. The IPv6 multicast flow adds or enhances the following features:

• IPv6 transit multicast, which includes the following packet functions:
  - Normal packet handling
  - Fragment handling
  - Packet reordering
• Protocol Independent Multicast version 6 (PIMv6) flow handling
• Other multicast routing protocols such as Multicast Listener Discovery (MLD)

The structure and processing of an IPv6 multicast data session are the same as for IPv4. Each data session has the following:

• One template session
• Several sessions

The reverse path forwarding (RPF) check behavior for IPv6 is the same as for IPv4: incoming multicast data is accepted only if the RPF check succeeds. In IPv6 multicast flow, incoming Multicast Listener Discovery (MLD) protocol packets are accepted only if MLD or PIM is enabled in the security zone of the incoming interface. Sessions for multicast protocol packets have a default timeout value of 300 seconds; this value cannot be configured. The null register packet is sent to the rendezvous point. In IPv6 multicast flow, a multicast router has the following three roles:

• Designated router
• Intermediate router
• Rendezvous point

[Junos OS Class of Service Configuration Guide]

NAT: This feature is supported on all SRX Series and J Series devices. IPv6 Network Address Translation (IPv6 NAT) provides address translation between IPv6 hosts. NAT between IPv6 hosts is done in a similar manner and for similar purposes as IPv4 NAT. IPv6 NAT in Junos OS provides the following NAT types:

• Source NAT
• Destination NAT
• Static NAT

[Junos OS Security Configuration Guide]

NAT-PTThis feature is supported on all SRX Series and J Series devices. IPv6 Network Address Translation-Protocol Translation (NAT-PT) provides address and protocol translation between IPv4 and IPv6 addressed network devices. IPv6 NAT-PT supports both traditional NAT-PT and bidirectional NAT-PT. IPv6 NAT-PT supports Internet Control Message Protocol (ICMP), TCP, and UDP protocol packets. [Junos OS Security Configuration Guide]

Packet filtering: This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. Packet-filtering options for IPv6 addresses (IPv6-style source prefix, destination prefix, and interface) are supported in addition to the existing IPv4 datapath-debug functionality. [Junos OS CLI Reference] [Junos OS Security Configuration Guide]

Screens: This feature is now supported on all SRX Series and J Series devices. IPv6 support is extended to the following screen features:

• SYN flood / SYN proxy / SYN cookie
• SYN-ACK-ACK proxy
• IP spoofing

[Junos OS Security Configuration Guide]

Zone configuration in active/active chassis cluster: This feature is supported on all SRX Series and J Series devices. In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6) can be deployed in active/active chassis cluster configurations with security zone configuration, in addition to the existing support for active/passive chassis cluster configurations. The security zone configuration refers to interface names, not IP addresses, so there are no additional considerations for the zone interface configuration. You can also use the zone configuration to explicitly permit inbound traffic for network system services and system protocols. Note that you can now use the host inbound traffic configuration to permit traffic for the following IPv6-related services and protocols: DHCPv6, Neighbor Discovery (ND) protocol, OSPFv3, and RIPng. [Junos OS Security Configuration Guide]


J-Web

IPv6 addressing support for J-Web: This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices. J-Web now supports IPv6 addressing when configuring security features such as policies, zones, screens, address books, host inbound system services, protocols, and flow-forwarding options. The following pages have been enhanced:

• Zones/Screens Configuration page
• Security Policy Configuration page
• Security Policy Element Configuration page
• Security Flow Element Configuration page

J-Web Chassis View: The changes and enhancements to the J-Web Chassis View apply to SRX1400 devices. The following enhancements have been made to the J-Web Chassis View on the Dashboard:

• Displays the front or rear panel view of the device and shows which slots are occupied. When you insert or remove a card, the Chassis View reflects the change immediately.
• Port colors change to indicate the port link status. For example, a ge port shows steady green when the port is up and red when the port is down.
• Displays Help tips when you hover the mouse over a port.


MAC limiting

MAC limiting: This feature is supported on SRX100, SRX210, SRX220, and SRX650 devices. MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing on access interfaces. You enable this feature on VLANs. MAC limiting sets a limit on the number of MAC addresses that can be learned dynamically on a single Layer 2 access interface or on all the Layer 2 access interfaces on the switch. You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses are treated as specified by the configuration. You can choose one of the following actions to be performed when the limit of MAC addresses or the limit of MAC moves is exceeded:

• drop: Drop the packet and generate an alarm, an SNMP trap, or a system log entry. This is the default.
• log: Do not drop the packet, but generate an alarm, an SNMP trap, or a system log entry.
• none: Take no action.
• shutdown: Disable the interface and generate an alarm. If you have configured the switch with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for automatic recovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.

NOTE: MAC limiting applies only to new MAC learning requests. If 10 MAC addresses have already been learned and you configure the limit as 5, all 10 remain in the forwarding database (FDB). Once they are cleared by the user (using the clear ethernet-switching table command) or age out, they will not be relearned. MAC limiting does not apply to static MAC addresses: you can configure any number of static MAC addresses independent of the MAC limit, and all of them are added to the FDB.

[Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices]


R2CP radio-to-router protocol support

R2CP radio-to-router protocol support: This feature is supported on all SRX Series and J Series devices. Junos OS Release 10.4 supports the Network Centric Waveform (NCW) radio-specific radio-to-router control protocol (R2CP), which is similar to the PPPoE radio-to-router protocol. Both protocols exchange dynamic metric changes in the network, which the routers use to update their OSPF topologies. In radio-router topologies, the router connects to the radio over a Gigabit Ethernet link and the radio transmits packets over the radio frequency (RF) link. The radio periodically sends metrics to the router, derived from RF link characteristics and other data, that inform the router about shaping and OSPF link capacity. The router uses this information to shape the data traffic and to set the OSPF link cost used in its SPF calculations. The radio functions like a Layer 2 switch and can identify remote radio-router pairs only by Layer 2 MAC address. With R2CP, the router receives metrics for each neighboring router, identified by the MAC address of the remote router. The R2CP daemon translates the MAC addresses to link-local IPv6 addresses and sends the metrics for each neighbor to OSPF. Processing these metrics is similar to the handling of PPPoE PADQ metrics. Unlike PPPoE, which is a point-to-point link, R2CP neighbors are treated as nodes in a broadcast LAN. You must configure each neighbor node with a per-unit scheduler for CoS. The scheduler context defines the attributes of Junos class of service (CoS). To define CoS for each radio, you can configure virtual channels to limit traffic. You need to configure as many virtual channels as there are remote radio-router pairs in the network. You configure virtual channels on a logical interface. Each virtual channel can have a set of eight queues with a scheduler and an optional shaper. When the radio initiates a session with a peer radio-router pair, a new session is created with the remote MAC address of the router and the VLAN over which the traffic flows. Junos OS chooses a virtual channel from the list of free virtual channels and assigns the remote MAC address, the eight CoS queues, and the scheduler to it. All traffic destined to this remote MAC address is subject to the CoS defined in the virtual channel. A virtual channel group is a collection of virtual channels. Each radio can have only one virtual channel group, assigned uniquely to it. If you have more than one radio connected to the router, you must have one virtual channel group for each local radio-to-router pair. Although a virtual channel group is assigned to a logical interface, a virtual channel is not the same as a logical interface. The only features supported on a virtual channel are queuing, packet scheduling, and accounting. Rewrite rules and routing protocols apply to the entire logical interface. [LN1000 Mobile Secure Router User Guide]


Security

Display multiple policy matches: This feature is supported on all SRX Series and J Series devices. The result-count option added in Junos OS Release 10.4 extends the show security match-policies command and lets you display up to 16 policy matches for the given set of criteria. The first policy in the list is the one applied to all matching traffic. All policies after the first one are shadow policies (shadowed by the first one) and are never reached. [Junos OS Security Configuration Guide]

DHCPv6 server: This feature is supported on all SRX Series and J Series devices. A Dynamic Host Configuration Protocol version 6 (DHCPv6) local server is now supported on all SRX Series and J Series devices to provide addressing for IPv6 clients. Features include:

• Configuration for a specific interface or a group of interfaces
• Stateless Address Autoconfiguration (SLAAC)
• Prefix delegation, including access-internal route installation
• DHCPv6 server groups

To configure the DHCPv6 local server on a device, include the dhcpv6 statement at the [edit system services dhcp-local-server] hierarchy level. The DHCPv6 address pool is configured at the [edit access address-assignment pool] hierarchy level using the family inet6 statement.

NOTE: Existing DHCPv4 configurations in the [edit system services dhcp] hierarchy are not affected when upgrading to Release 10.4 or by adding a DHCPv6 configuration.

[Junos OS Administration Guide for Security Devices] [Junos OS CLI Reference]

On-box reportingThis feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices. On-box reporting offers a comprehensive reporting facility where your security management team can spot a security event when it occurs, immediately access and review pertinent details about the event, and quickly decide appropriate remedial action. J-Web reports provide summary graphics of current security events, Web traffic, and resource utilization. When event activity occurs, you can quickly drill down to detailed information about the specific item. In Junos OS Release 10.4, on-box reporting capabilities include:

Copyright 2011, Juniper Networks, Inc.

171


- Real-time threat event monitoring
- Dynamic visuals for quick threat identification, tracking, and analysis
- Event-specific drill-down to determine traffic characteristics and policy rule matches
- Composite reports of recent threats or traffic

[Junos OS Administration Guide for Security Devices]

Optional CP Session Capacity Expansion on Fully Configured Devices
This feature is supported on SRX3400, SRX3600, and SRX5800 devices. The session capacity of the central point (CP) on fully configured SRX3400, SRX3600, and SRX5800 devices can be expanded as shown in the following table.

Maximum Concurrent CP Sessions on a Fully Loaded System

Device      Default         With Expanded Capacity
SRX3400     2.25 million    3 million
SRX3600     2.25 million    6 million
SRX5800     12.5 million    14.0 million

On an SRX3400 or SRX3600 device, you expand the maximum CP session capacity by installing the SRX3K-EXTREME-LTU license. On an SRX5800 device, you expand it by specifying the maximize-cp-sessions option at the [edit security forwarding-process application-services] hierarchy level. Using this optimization precludes the other optimization methods, disables advanced GTP processing, and reduces routing capacity to 100K prefixes, so confirm the route-table and GTP requirements of the deployment before enabling it. [Junos OS Security Configuration Guide]

SNMP

SNMP enterprise-specific MIBs
This feature is supported on all SRX Series and J Series devices. Junos OS Release 10.4 adds support for enterprise-specific MIBs for the SRX1400 device. [SRX1400, SRX3400, and SRX3600 Services Gateways MIB Reference]

SRX Series Image Upgrade Using a USB Device

This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. The SRX Series image upgrade using a USB device simplifies upgrading the Junos OS image when there is no console access to an SRX Series device located at a remote site. You can upgrade the image with minimal configuration effort by inserting a USB flash drive into the USB port of the SRX Series device and performing a few simple steps.

NOTE: USB upgrades are not supported on chassis clusters.

Before you begin the installation, ensure that the following prerequisites are met:

- The Junos OS upgrade image and the autoinstall.conf file are copied to the USB device.
- Adequate space is available on the SRX Series device to install the software image.

To use a USB flash drive to install the Junos OS image on an SRX Series device:

1. Insert the USB flash drive into the USB port of the SRX Series device and wait for the LEDs to blink amber, indicating that the device has detected the Junos OS image. If the LEDs do not turn amber, press the Power button or power-cycle the device and wait for the LEDs to light amber.

2. Press the Reset Config button on the SRX Series device and wait for the LEDs to turn green, indicating that the Junos OS upgrade image has been installed. While a USB device is plugged in, the Reset Config button always acts as an image upgrade button; any other function of this button is overridden until you remove the USB flash drive.

3. Remove the USB flash drive. The SRX Series device restarts automatically and loads the new Junos OS version.

Because these steps need nothing more than physical access and a prepared USB drive, treat the USB port of a remotely deployed device like console access when planning its physical security.

NOTE: If an installation error occurs, the LEDs light red, which might indicate that the Junos OS image on the USB flash drive is corrupted. An installation error can also occur if the current configuration on the SRX Series device is not compatible with the new Junos OS version on the USB. You must have console access to the SRX Series device to troubleshoot an installation error.

[Junos OS Administration Guide for Security Devices]

TCP Session

TCP Session Check Per Policy
This feature is supported on all SRX Series devices. By default, the TCP SYN check and TCP sequence check options are enabled on all TCP sessions. Junos OS performs the following operations during TCP sessions:

- Checks for the SYN flag in the first packet of a session and rejects any TCP segment without the SYN flag that attempts to initiate a session.
- Validates TCP sequence numbers during stateful inspection.


The TCP session check per-policy feature lets you configure SYN checks and sequence checks for each policy. The TCP option flags no-sequence-check and no-syn-check are currently available at the global level to control the behavior of the services gateway. To support per-policy TCP options, the following two options are available:

- sequence-check-required: Overrides the global no-sequence-check value for traffic matching the policy.
- syn-check-required: Overrides the global no-syn-check value for traffic matching the policy.

To configure per-policy TCP options, the respective global checks must be turned off (that is, no-syn-check and no-sequence-check must be configured); otherwise, the commit check fails. If the global TCP checks are disabled and SYN flood protection permits the first packet, the per-policy TCP options control whether the SYN check and/or the sequence check is performed.

NOTE:

- The per-policy syn-check-required option does not override the behavior of the set security flow tcp-session no-syn-check-in-tunnel CLI command.
- Disabling the global SYN check reduces the effectiveness of the device in defending against packet flooding. Re-enable it with syn-check-required on every policy whose traffic you want protected.
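
The following is an added example, not from the release notes, showing the global checks disabled and both checks re-enabled on the one policy that fronts a DMZ web server; the zone, address and policy names and the screen profile are assumptions. The screen is included because, as the note says, disabling the global SYN check weakens the device's flood defence, and a SYN-flood screen on the ingress zone is what still decides whether the first packet is permitted at all.

```junos
# Added example (not from the release notes). Zones, addresses, policy and
# screen names are assumed.

# Step 1: the global checks must be off, or the commit check below fails.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

# Step 2: keep first-packet flood protection on the ingress zone, since the
# global SYN check no longer provides it.
set security screen ids-option untrust-screen tcp syn-flood
set security zones security-zone untrust screen untrust-screen

# Step 3: re-enable both checks only where they matter, per policy.
set security zones security-zone dmz address-book address dmz-web 10.20.0.10/32
set security policies from-zone untrust to-zone dmz policy to-dmz-web match source-address any
set security policies from-zone untrust to-zone dmz policy to-dmz-web match destination-address dmz-web
set security policies from-zone untrust to-zone dmz policy to-dmz-web match application junos-http
set security policies from-zone untrust to-zone dmz policy to-dmz-web then permit tcp-options syn-check-required
set security policies from-zone untrust to-zone dmz policy to-dmz-web then permit tcp-options sequence-check-required

# Any other untrust-to-dmz policy now runs without SYN or sequence checks;
# add the same two tcp-options lines to each policy that should keep them.
```

If you delete the global no-syn-check statement later while a policy still carries syn-check-required, the next commit fails, which is the intended guard against accidentally ending up with both layers claiming to own the check.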

VPNs

IKE and IPsec predefined proposals for dynamic VPN
This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. In earlier releases, administrators had to configure individual Internet Key Exchange (IKE) and IP Security (IPsec) proposals for every IKE and IPsec policy, which was tedious and time consuming when many VPN policies were needed. Junos OS Release 10.4 supports proposal-set configuration in IKE and IPsec: the administrator can select the basic, compatible, or standard proposal set for dynamic VPN clients. Each proposal set consists of two or more predefined proposals. The server selects one predefined proposal from the configured set and pushes it to the client in the client configuration; the client uses that proposal in negotiations with the server to establish the connection. The default IKE and IPsec security association (SA) rekey timeouts are as follows:

- IKE SA: 28800 seconds
- IPsec SA: 3600 seconds

The basic use cases of proposals are as follows:

- IKE and IPsec both use proposal sets. The server selects a predefined proposal from each proposal set and sends it to the client, along with the default rekey timeout value.
- IKE uses a proposal set, and IPsec uses a custom proposal. The server sends a predefined IKE proposal from the configured IKE proposal set to the client, along with the default rekey timeout value. For IPsec, the server sends the settings configured in the IPsec proposal.
- IKE uses a custom proposal, and IPsec uses a proposal set. The server sends a predefined IPsec proposal from the configured IPsec proposal set to the client, along with the default rekey timeout value. For IKE, the server sends the settings configured in the IKE proposal.

NOTE: If IPsec uses the standard proposal set and perfect forward secrecy (PFS) is not configured, then the default PFS is set as group2. For other proposal sets, PFS will not be set because it is not configured.

[Junos OS CLI Reference] [Junos OS Security Configuration Guide]

Local authentication and IP address assignment for dynamic VPN
This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. A client application sends an authentication request and a request for an IP address on behalf of an unauthenticated client at the same time, which minimizes the communication between the client and AUTHD because the IP address request is not sent as a separate message. After successful local authentication, AUTHD performs the following tasks:

- Assigns an address from the predefined (or statically assigned) address pools if the address matches the criteria specified by the client application.
- Assigns attributes such as the WINS server and name-server address.
- Updates the associated client entry in the session database.

NOTE: For client applications that rely on a RADIUS or other external server for authentication, AUTHD might not assign IP addresses.

This feature is used to:

- Assign an IP address to the client after successful authentication.
- Provide a mechanism in AUTHD for linking an address pool to a client profile and assigning the client an IP address from that pool.
- Provide a mechanism in AUTHD for assigning IP version 4 (IPv4) addresses to users.
- Provide different IP addresses for multiple logins by the same user.
- Allow configuration changes in the address pool after address assignment.

Address pools are defined at the [edit access address-assignment] hierarchy level. [Junos OS CLI Reference] [Junos OS Security Configuration Guide]

Local IP address management for VPN XAuth support
This feature is supported on SRX100, SRX210, SRX240, SRX650, J4350, and J6350 devices. When extended authentication (XAuth) is configured, the user must enter a username and password after the Internet Key Exchange (IKE) phase 1 security association (SA) is established. AUTHD verifies the credentials received from the user. After successful authentication, AUTHD sends the following network parameters to IKE or XAuth:

- IP address
- Domain Name System (DNS) server
- Windows Internet Naming Service (WINS) server

The IP address can be drawn from a locally configured IP address pool. AUTHD requires IKE or XAuth to release the IP address when it is no longer in use. IKE provides the mechanism for establishing the IP Security (IPsec) tunnels. [Junos OS CLI User Guide] [Junos OS Security Configuration Guide]

Support for group Internet Key Exchange (IKE) IDs for dynamic VPN configuration
This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. The existing dynamic virtual private network (VPN) design uses a unique Internet Key Exchange (IKE) ID for each user connection, so each user needs an individual IKE gateway, an IPsec VPN, and a security policy that uses that IPsec VPN. This is cumbersome when there are many users. The design has been modified to let a number of users share one set of IKE, IPsec VPN, and policy configuration by using shared-ike-id or group-ike-id, so the VPN is configured once for multiple users. All users connecting through a shared-ike-id configuration use the same IKE ID and preshared key; the user credentials are verified in the extended authentication (XAuth) phase by AUTHD, and are configured either in RADIUS or in the AUTHD access database. Because every user shares the preshared key, the per-user XAuth credentials are the only thing that distinguishes one user from another, so protect the key accordingly. When group-ike-id or shared-ike-id is used for user connection management and licensing, users on the client PC must use the same credentials for both the WebAuth and XAuth logins (the two client login windows) to prevent undesirable behavior and incorrect CLI output on the server.

NOTE: We recommend that you use group-ike-id whenever possible.

For group-ike-id, part of the configuration for a user IKE ID is common to the group: the IKE ID is the concatenation of an individual part and the common part. For example, with a group-ike-id configuration whose common part is ".juniper.net" and whose individual part is X, the IKE ID is "X.juniper.net". Httpd-gk generates the individual part of the IKE ID.

A group-ike-id does not itself require extended authentication (XAuth). For dynamic VPN, however, XAuth is needed to retrieve network attributes such as the client's IP address, so if XAuth is not configured for a group-ike-id gateway and the administrator uses that IKE gateway in a dynamic VPN client configuration, a warning message appears. This feature introduces new commands for ike sa and dynamic-vpn, and new options in the IKE Gateway Add/Edit page of J-Web. [Junos OS CLI Reference] [Junos OS Security Configuration Guide]
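
The following configuration is an added example, not taken from the release notes or from Juniper's documentation, that ties together the three dynamic VPN features described above: the predefined proposal sets, local authentication with address assignment from a pool, and a group IKE ID shared by all users. Every name, address, hostname, user and key in it is an assumption chosen for illustration.

```junos
# Added example (not from the release notes). Interface, zone, hostname,
# users, key and all addresses are assumed; 10.10.10.0/24 is the tunnel
# pool and 10.1.1.0/24 the protected LAN behind the gateway.

# IKE and the dynamic VPN web portal must be reachable on the untrust zone.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

# Local users (verified by AUTHD in the XAuth phase) and the pool their
# tunnel addresses and DNS server are drawn from.
set access profile dyn-users authentication-order password
set access profile dyn-users client alice firewall-user password "alice-secret"
set access profile dyn-users client bob firewall-user password "bob-secret"
set access profile dyn-users address-assignment pool dyn-pool
set access address-assignment pool dyn-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-pool family inet range r1 low 10.10.10.10
set access address-assignment pool dyn-pool family inet range r1 high 10.10.10.250
set access address-assignment pool dyn-pool family inet xauth-attributes primary-dns 10.1.1.53/32

# Phase 1: the "standard" proposal set replaces hand-written IKE proposals.
# Aggressive mode, because the clients' addresses are not known in advance.
set security ike policy dyn-ike-pol mode aggressive
set security ike policy dyn-ike-pol proposal-set standard
set security ike policy dyn-ike-pol pre-shared-key ascii-text "group-psk-change-me"

# One gateway for everyone: each client's IKE ID becomes <user>.dynvpn.example.com.
# XAuth is what hands the client its address and DNS server, so it is mandatory
# here; leaving it out produces the warning described above.
set security ike gateway dyn-gw ike-policy dyn-ike-pol
set security ike gateway dyn-gw dynamic hostname dynvpn.example.com
set security ike gateway dyn-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-gw external-interface ge-0/0/0.0
set security ike gateway dyn-gw xauth access-profile dyn-users

# Phase 2: "standard" proposal set; with no PFS configured, the note above
# says PFS defaults to group2 for this set.
set security ipsec policy dyn-ipsec-pol proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-gw
set security ipsec vpn dyn-vpn ike ipsec-policy dyn-ipsec-pol

# The single security policy that terminates all client tunnels.
set security policies from-zone untrust to-zone trust policy dyn-vpn-in match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-in match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-in match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-in then permit tunnel ipsec-vpn dyn-vpn

# Dynamic VPN client profile pushed to the remote users.
set security dynamic-vpn access-profile dyn-users
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user alice
set security dynamic-vpn clients all user bob
set security dynamic-vpn clients all remote-protected-resources 10.1.1.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0

# Verify after a client connects (operational mode).
show security ike security-associations
show security dynamic-vpn users
```

With this layout adding a user is one access-profile line plus one dynamic-vpn user line; the gateway, IPsec VPN and policy are never touched again, which is the whole point of the group IKE ID.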

Dynamic VPN access through the Junos Pulse client
This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. Junos Pulse enables secure, authenticated network connections to protected resources and services over LANs and WANs. Junos Pulse is a remote access client developed to replace the earlier access client, Juniper Networks Access Manager; you must uninstall Access Manager before you install the Junos Pulse client. Junos Pulse supports remote virtual private network tunnel connectivity to SRX Series Services Gateways running Junos OS. To configure a firewall access environment for Junos Pulse clients, you must configure the VPN settings on the SRX Series device and create and deploy a firewall connection on the Junos Pulse client. For SRX Series devices running Junos OS Releases 10.2 through 10.4, Junos Pulse is supported but must be deployed separately. In Junos OS Release 11.1 and later releases, if the Pulse client does not exist on the client machine, it is automatically downloaded and installed when you log in to an SRX Series device; if the Pulse client already exists on the client machine, you must launch it yourself. [Junos OS Security Configuration Guide]

Hardware Features: SRX210, SRX220, and SRX240 Services Gateways

AX411 Access Point Support on SRX220 Services Gateways
SRX220 Services Gateways running Junos OS Release 10.4R1 or later support the AX411 Access Point in the same way as the SRX210, SRX240, and SRX650 Services Gateways. Support for the SRX220 Services Gateway is not documented in the AX411 Access Point Hardware Guide or in the WLAN Configuration and Administration Guide, but wherever those guides indicate support for the SRX210 Services Gateway, that support applies to the SRX220 Services Gateway as well.


1-Port Small Form-Factor Pluggable (SFP) Gigabit Ethernet Mini-Physical Interface Module (Mini-PIM)
The 1-Port SFP Gigabit Ethernet Mini-PIM complements the on-board 10/100/1000 Mbps Ethernet interfaces with extended LAN or WAN connectivity and supports a variety of transceivers. It can be used in copper and optical environments to provide maximum flexibility when upgrading an existing infrastructure to Metro Ethernet. This Mini-PIM is supported on the following devices:

- SRX210 Services Gateway
- SRX220 Services Gateway
- SRX240 Services Gateway

The following key features are supported on the 1-Port SFP Gigabit Ethernet Mini-PIM:

- Online insertion and removal of transceivers
- Real-time visual status of connectivity and traffic flows
- Link up/down status
- Half/full duplex support
- Autonegotiation

For more information on the 1-Port SFP Gigabit Ethernet Mini-PIM, see the SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide. For information on configuring the 1-Port SFP Gigabit Ethernet Mini-PIM, see the Junos OS Interfaces Configuration Guide for Security Devices.


3G ExpressCard Support on the SRX210 Services Gateway

This release of Junos OS supports the Sierra Wireless AirCard 503 (AC503) ExpressCard for GSM, HSPA, and UMTS networks on SRX210 devices, to provide wireless WAN connectivity as backup to primary WAN links. The AC503 ExpressCard is not available from Juniper Networks.

3G USB Modem Support on the SRX210 Services Gateway

This release of Junos OS supports the Sierra Wireless USB modem (U319, HSPA+ quad-band) on the SRX210 device (on USB port 1). To use the 3G USB modem on the SRX210 device:

1. Upgrade the BIOS software packaged inside the Junos OS image. For detailed information about BIOS upgrade procedures, see the Junos OS Initial Configuration Guide for Security Devices.

   NOTE: BIOS version 2.1 or later is required to use 3G USB modems on the SRX210 device.

2. Configure the WAN port with the CLI command set chassis routing-engine usb-wwan port 1 to enable the USB port to use the U319 USB modem. See the Junos OS CLI Reference.

3. Plug the 3G USB modem into the appropriate USB slot (USB port 1) on the device.

   NOTE: You can use the USB modem with a standard USB extension cable of 1.8288 meters (6 ft) or longer.

4. Reboot the device to start using the 3G USB modem.

Junos OS Interfaces Configuration Guide for Security Devices

Hardware Features: SRX220 Services Gateway with Power over Ethernet

Overview
The Juniper Networks SRX220 Services Gateway with Power over Ethernet (PoE) offers complete functionality and flexibility for delivering secure, reliable data over IP, along with multiple interfaces that support WAN and LAN connectivity. The device provides Internet Protocol Security (IPsec), virtual private network (VPN), and firewall services for small and medium-sized companies and for enterprise branch and remote offices.


Accessing the SRX220 Services Gateway
Two user interfaces are available for monitoring, configuring, troubleshooting, and managing the SRX220 Services Gateway:

- J-Web interface: A Web-based graphical interface that allows you to operate the services gateway without typing commands. The J-Web interface provides access to all Junos OS functionality and features.
- Junos OS command-line interface (CLI): The Juniper Networks command shell that runs on top of a UNIX-based operating system kernel. The CLI is a straightforward command interface: on a single line, you type commands that are executed when you press Enter. The CLI provides command help and command completion.

Hardware Features
Table 5 on page 180 lists the hardware features supported on the SRX220 Services Gateway.

Table 5: SRX220 Services Gateway Hardware Features

Feature                                                   SRX220 Services Gateway (SRX220H)                    SRX220 Services Gateway with PoE (SRX220H-POE)
DDR memory                                                1 GB                                                 1 GB
SIP/analog voice support                                  No                                                   No
PoE support                                               No                                                   120 W supported across eight ports (0/0 through 0/7)
Power supply adapter                                      100 to 240 VAC input, 60 W, 12 V DC output           100 to 240 VAC input, 200 W, 54 V DC output
Average power consumption (no Mini-PIMs, no PoE draw)     28 W                                                 35 W
Gigabit Ethernet ports                                    8                                                    8
Console port                                              1                                                    1
USB ports                                                 2                                                    2
Mini-PIM slots                                            2                                                    2
LEDs                                                      Status, Alarm, HA, Power, Mini-PIMs, Port (TX/RX)    Status, Alarm, HA, Power, Mini-PIMs, Port (TX/RX and PoE)
CompactFlash                                              1, externally accessible                             1, externally accessible

NOTE: The PoE LED is enabled only on the SRX220H-POE model of the SRX220 Services Gateway. For the SRX220H model, the PoE LED remains off.

[Junos OS Administration Guide for Security Devices]

Hardware Interfaces
Table 6 on page 181 summarizes the interface ports supported on the SRX220 Services Gateway.

Table 6: SRX220 Services Gateway Built-In Hardware Interfaces

Gigabit Ethernet
  Specifications: Eight ports that
  - are labeled 0/0 through 0/7 on the front panel
  - use RJ-45 connectors
  - provide link speeds of 10/100/1000 Mbps
  - operate in full-duplex and half-duplex modes
  - support flow control
  - support autonegotiation and autosensing
  Description: The Gigabit Ethernet ports can be used
  - to function as front-end network ports
  - to provide LAN and WAN connectivity to hubs, switches, local servers, and workstations
  - to forward incoming data packets to the device
  - to receive outgoing data packets from the device
  - to connect powered devices so that they receive network connectivity and electric power (PoE functionality, on the PoE and media gateway model of the SRX220 Services Gateway)
  All Gigabit Ethernet ports support Power over Ethernet on the PoE and media gateway model of the SRX220 Services Gateway.

Universal Serial Bus (USB)
  Specifications: Two ports that
  - function in full speed and high speed
  - comply with USB revision 2.0
  Description: The USB ports can be used
  - to support a USB storage device that functions as a secondary boot device in case of CompactFlash failure on startup (if the USB storage device is installed and configured)
  - to provide the USB interfaces used to communicate with the many types of USB storage devices supported by Juniper Networks
  NOTE: You must install and configure the USB storage device on the USB port to use it as the secondary boot device, and the USB device must have Junos OS installed. Contact your Juniper Networks customer service representative for more information.

Console
  Specifications: One port that
  - uses an RJ-45 serial cable connector
  - supports the RS-232 (EIA-232) standard
  Description: The console port can be used
  - to provide the console interface
  - to function as a management port for logging in to the device directly
  - to configure the device using the CLI

Mini-Physical Interface Module (Mini-PIM)
  Specifications: Two slots for Mini-PIMs
  Description: The Mini-PIM slots can be used to provide LAN and WAN functionality along with connectivity to various media types. For more information about the supported Mini-PIMs, see the SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide.

NOTE: We strongly recommend that only transceivers provided by Juniper Networks be used on an SRX220 Services Gateway. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used. Contact Juniper Networks for the correct transceiver part number for your device.

Hardware Features: SRX1400 Services Gateway

- Introduction on page 182
- Supported Models on page 183
- Hardware Features on page 183
- Physical Specifications on page 184

Introduction
This release supports the SRX1400 Services Gateway. The Juniper Networks SRX1400 Services Gateway expands the SRX Series family of next-generation security platforms, delivering market-leading performance and extensive service integration to 10 gigabits per second (10 Gbps) environments that need these features without the massive scalability and aggregated throughput of the Juniper Networks SRX3000 line and SRX5000 line. The SRX1400 Services Gateway provides firewall support with key features such as IP Security (IPsec), virtual private network (VPN), and high-speed deep packet inspection features such as intrusion detection and prevention (IDP). The SRX1400 is ideally suited for small to medium-size data center, enterprise, and service provider network security deployments where consolidation of security functionality, uncompromised 10 Gbps performance, a compact environmental footprint, and affordability are key requirements.

The SRX1400 Services Gateway is three rack units (3 U) tall; sixteen devices can be stacked in a single floor-to-ceiling rack for increased port density per unit of floor space. The device provides common form-factor module (CFM) slots that can be populated with a Network and Services Processing Card (NSPC) and I/O cards (IOCs). It also has one dedicated slot for the System I/O card (SYSIOC), one dedicated slot for the Routing Engine, two slots for power supplies, and one slot for the fan tray and air filter.

The SRX1400 Services Gateway runs Junos OS. You can use the Junos OS command-line interface (CLI) or J-Web (the Web-based graphical interface) to monitor, configure, troubleshoot, and manage the SRX1400 Services Gateway.

Supported Models
The SRX1400 Services Gateway is available in four models, which are listed in Table 7 on page 183.

Table 7: SRX1400 Services Gateway Models

Model Number           Device Type
SRX1400BASE-GE-AC      SRX1400 Services Gateway with 1-Gigabit Ethernet SYSIOC and AC power supply
SRX1400BASE-GE-DC      SRX1400 Services Gateway with 1-Gigabit Ethernet SYSIOC and DC power supply
SRX1400BASE-XGE-AC     SRX1400 Services Gateway with 10-Gigabit Ethernet SYSIOC and AC power supply
SRX1400BASE-XGE-DC     SRX1400 Services Gateway with 10-Gigabit Ethernet SYSIOC and DC power supply

Hardware Features Table 8 on page 183 lists the hardware features supported on the SRX1400 Services Gateway.

Table 8: SRX1400 Services Gateway Hardware Features

Feature                               Description
Input voltage                         100 to 240 V AC; -40 to -72 V DC
Power supplies                        2. The SRX1400 Services Gateway accepts two power supplies for redundancy. Supported types: AC power supply (for AC-powered devices) and DC power supply (for DC-powered devices).
Ethernet port (10/100/1000 Mbps)      1
Console port                          1
Universal Serial Bus (USB) ports      2
Auxiliary port                        1
Fans                                  2
Fan tray                              1
Air filter                            1

Physical Specifications Table 9 on page 184 summarizes the physical specifications of the SRX1400 Services Gateway chassis.

Table 9: SRX1400 Services Gateway Physical Specifications

Specification                                                                       Value
Chassis height                                                                      5.25 in. (13.3 cm), 3 rack units (3 U)
Chassis width                                                                       17.5 in. (44.5 cm)
Chassis depth                                                                       13.8 in. (35.05 cm)
Chassis weight (base chassis with Routing Engine, SYSIOC, and power supply)        29.3 lb (13.3 kg)
Routing Engine weight                                                               2.9 lb (1.3 kg)
NSPC weight                                                                         7.71 lb (3.5 kg)
SYSIOC weight                                                                       2.42 lb (1.102 kg)
IOC weight                                                                          2.4 lb (1.1 kg)
Fan tray weight                                                                     2.93 lb (1.33 kg)
Air filter weight                                                                   0.11 lb (0.054 kg)
DC power supply weight                                                              2.9 lb (1.3 kg)
AC power supply weight                                                              3.1 lb (1.4 kg)


Hardware Features: SRX3400 and SRX3600 Services Gateways

Enhanced DC Power Supply
The enhanced DC power supply for the SRX3400 and SRX3600 Services Gateways is an alternative to the standard DC power supply. The enhanced DC power supply helps your services gateway meet the following NEBS and ETSI standards:

- GR-63-CORE
- ETSI 300019-2-1
- ETSI 300019-2-2
- ETSI 300019-2-3
- GR-1089-CORE

Each enhanced DC power supply provides up to 1200 watts of power. In the SRX3400 Services Gateway, the enhanced DC power supply lets you configure your device with more Services Processing Cards (SPCs), Network Processing Cards (NPCs), or I/O cards (IOCs) than is possible with the standard 850-watt DC power supply.

NOTE: Mixing of standard and enhanced DC power supplies within the same chassis is not supported. All installed DC power supplies must be either of standard or enhanced types.

Table 10 on page 185 shows the different SPC, NPC, and IOC configurations applicable to the standard and enhanced DC power supplies in the SRX3400 Services Gateway.

Table 10: Supported Combinations of SPCs, NPCs, and IOCs for Standard and Enhanced DC Power Supplies

Enhanced DC power supplies (SKU SRX3K-PWR-DC2) or AC power supplies (SKU SRX3K-PWR-AC)

NPCs    SPCs    IOCs
1       1       4
1       2       4
1       3       3
1       4       2
2       1       4
2       2       3
2       3       2
2       4       1

Standard DC power supplies (SKU SRX3K-PWR-DC)

NPCs    SPCs    IOCs
1       1       4
1       2       4
1       3       2
1       4       0
2       1       4
2       2       3
2       3       1
2       4       Not supported

In the SRX3600 Services Gateway, the supported SPC, NPC, and IOC configurations are the same for both the standard and the enhanced DC power supply.


[SRX3400 Services Gateway Hardware Guide] [SRX3600 Services Gateway Hardware Guide]

Related Documentation

- Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 213
- Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 228
- Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 254

Support for Advertising Bandwidth for Neighbors on a Broadcast Link

This feature is supported on all SRX Series and J Series devices. You can now advertise bandwidth for neighbors on a broadcast link: the network link is represented as a point-to-multipoint (P2MP) link in the OSPFv3 link-state database. The feature uses existing OSPF neighbor discovery, so neighbors are discovered automatically without additional configuration, and it allows each node to advertise a different metric to every other node in the network to accurately represent the cost of communication. To support this feature, a new interface-type value, p2mp-over-lan, has been added to the OSPFv3 interface configuration. OSPFv3 then uses LAN procedures for neighbor discovery and flooding but represents the interface as P2MP in the link-state database. The interface type and router LSA are available under the following hierarchies:

- [edit protocols ospf3 area area-id interface interface-name]
- [edit routing-instances routing-instance-name protocols ospf3 area area-id interface interface-name]

[LN1000 Mobile Secure Router User Guide]

Group VPN Interoperability with Cisco's GET VPN

Cisco's implementation of GDOI is called Group Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco's GET VPN are both based on RFC 3547, The Group Domain of Interpretation, there are implementation differences that you need to be aware of when deploying GDOI in a network that includes both Juniper Networks security devices and Cisco routers. This topic lists the important items to note when using Cisco routers with GET VPN together with Juniper Networks security devices running group VPN. Cisco GET VPN members and Juniper group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server, the Juniper Networks security devices are group members, and the following caveats are observed:

- Group VPN in Junos OS Release 10.4 has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.
- To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group includes a Juniper Networks security device. The Cisco GET VPN server implements a proprietary ACK for unicast rekey messages; a group member that does not respond to the unicast rekey messages is removed from the group and can no longer receive rekeys. An out-of-date key causes the remote peer to treat the IPsec packets as bad SPIs. The Juniper Networks security device recovers from this situation by reregistering with the server to download the new key.
- Antireplay must be disabled on the Cisco server when a VPN group of more than two members includes a Juniper Networks security device. The Cisco server uses time-based antireplay by default, and a Juniper Networks security device cannot interoperate with a Cisco group member when time-based antireplay is used because the timestamp in the IPsec packet is proprietary; Juniper Networks security devices also cannot synchronize time with the Cisco GET VPN server and members because the sync payload is proprietary. Counter-based antireplay can be enabled if there are only two group members.
- According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires and a Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member matches the Cisco behavior.
- A Cisco GET VPN member accepts all keys downloaded from the GET VPN server, and the policies associated with the keys are installed dynamically. A policy does not have to be configured locally on a Cisco GET VPN member, but a deny policy can optionally be configured to exempt certain traffic from the security policies set by the server. For example, the server can set a policy that encrypts traffic between subnet A and subnet B with key 1, and the member can set a deny policy so that OSPF traffic between subnet A and subnet B is not encrypted by key 1. The member cannot, however, set a permit policy to protect additional traffic with the key. This centralized security policy configuration does not apply to the Juniper Networks security device. On a Juniper Networks security device, the ipsec-group-vpn configuration statement in the permit tunnel rule of a scope policy references the group VPN; this allows multiple policies that reference a VPN to share an SA, and it is required for interoperation with Cisco GET VPN servers.
- Logical key hierarchy (LKH), a method for adding and removing group members, is not supported with group VPN on Juniper Networks security devices.
- GET VPN members can be configured with cooperative key servers (COOP KSs), an ordered list of servers with which the member can register or reregister. Multiple group servers cannot be configured on Juniper group VPN members.

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:

Copyright 2011, Juniper Networks, Inc.

187

Junos OS 10.4 Release Notes

Application Identification

Improved uninstall options for predefined and custom application objects: This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. The following options have been added to the request services application-identification uninstall command to uninstall the predefined application definition package, all custom application definitions, or both at one time:

all: Uninstall from your configuration both the predefined application definition package and all custom application definitions that you have created.

customer-defined: Uninstall from your configuration all custom application definitions that you created, but maintain the predefined application definition package.

predefined (default): Uninstall from your configuration the predefined application definition package, but maintain all custom application definitions that you have created.


Application Layer Gateways (ALGs)

The show security alg msrpc object-id-map CLI command has a chassis cluster node option to permit the output to be restricted to a particular node or to query the entire cluster. The show security alg msrpc object-id-map node CLI command options are <node-id | all | local | primary>.

AppSecure

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application-matching priority of the application signature.

NOTE: The order value range for predefined signatures is 1 through 32,767. We recommend that you use an order range higher than 32,767 for custom signatures.

The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.

Chassis Cluster

NOTE: See also Release 10.4R4 Chassis Cluster Improvements in New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 154.

On SRX100, SRX210, SRX240, SRX650, and J Series devices, the speed mode and link mode configurations are available for AE and RETH interfaces.

For SRX Series branch devices (SRX100, SRX210, SRX240, and SRX650), the default values for the cluster heartbeat interval and threshold were changed to 1000 ms and 3, respectively, starting in Junos OS Release 10.4. In prior releases, the cluster heartbeat interval and threshold defaulted to 2000 ms and 8, respectively.

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, fabric monitoring is disabled by default.


Class of Service (CoS)

The q-pic-large-buffer statement can now be used for all interfaces (channelized and non-channelized) on J Series devices. This statement takes effect when the interface speed is less than 2 Mbps. For example, on a Gigabit Ethernet interface with a shaping rate of 512 kbps, if the q-pic-large-buffer parameter is configured, the available buffering is increased to a level similar to the buffer available for channelized PIMs.

If you enable MPLS for packet-based processing by using the command set security forwarding-options family mpls mode packet-based, the mode does not change immediately and the system displays the following messages:

warning: Reboot may required when try reset flow inet mode
warning: Reboot may required when try reset mpls flow mode
please check security flow status for detail.

NOTE: You must reboot your device for the configuration to take effect. Similarly, if you disable MPLS and switch back to using the security services (flow-based processing), the mode does not change immediately and the system displays warning messages instructing you to restart your device. You must reboot your device for the configuration to take effect.


Command-Line Interface (CLI)

On AX411 Access Points, the possible completions available for the CLI command set wlan access-point <ap_name> radio <radio_num> radio-options channel number ? have changed from previous implementations. Now this CLI command displays the following possible completions:

Example 1:

user@host# set wlan access-point ap6 radio 1 radio-options channel number ?
Possible completions:
  36      Channel 36
  40      Channel 40
  44      Channel 44
  48      Channel 48
  52      Channel 52
  56      Channel 56
  60      Channel 60
  64      Channel 64
  100     Channel 100
  108     Channel 108
  112     Channel 112
  116     Channel 116
  120     Channel 120
  124     Channel 124
  128     Channel 128
  132     Channel 132
  136     Channel 136
  140     Channel 140
  149     Channel 149
  153     Channel 153
  157     Channel 157
  161     Channel 161
  165     Channel 165
  auto    Automatically selected

Example 2:

user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
Possible completions:
  1       Channel 1
  2       Channel 2
  3       Channel 3
  4       Channel 4
  5       Channel 5
  6       Channel 6
  7       Channel 7
  8       Channel 8
  9       Channel 9
  10      Channel 10
  11      Channel 11
  12      Channel 12
  13      Channel 13
  14      Channel 14
  auto    Automatically selected

On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy has been changed to set security datapath-debug.

On AX411 Access Points, the possible completions available for the CLI command set wlan access-point mav0 radio 1 radio-options mode ? have changed from previous implementations. Now this CLI command displays the following possible completions:

Example 1:

user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
  5GHz    Radio Frequency - 5GHz-n
  a       Radio Frequency - a
  an      Radio Frequency - an
[edit]

Example 2:

user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
  2.4GHz  Radio Frequency - 2.4GHz-n
  bg      Radio Frequency - bg
  bgn     Radio Frequency - bgn


On SRX Series devices, the show system storage partitions command now displays the partitioning scheme details.

Example 1: show system storage partitions (dual root partitioning)

user@host# show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        293M  altroot
  s2a        293M  /
  s3e        24M   /config
  s3f        342M  /var
  s4a        30M   recovery

Example 2: show system storage partitions (single root partitioning)

user@host# show system storage partitions
Boot Media: internal (da0)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        898M  /
  s1e        24M   /config
  s1f        61M   /var

Example 3: show system storage partitions (USB)

user@host# show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)
Partitions Information:
  Partition  Size  Mountpoint
  s1a        293M  /
  s2a        293M  altroot
  s3e        24M   /config
  s3f        342M  /var
  s4a        30M   recovery

Configuration

J Series devices no longer allow a configuration in which a tunnel's source or destination address falls within the subnet of the same logical interface's address.


On SRX100, SRX210, SRX240, and SRX650 devices, the current Junos OS default configuration is inconsistent with the one on Secure Services Gateways, which causes problems when users migrate to SRX Series devices. As a workaround, users should ensure that the following steps are taken:

The ge-0/0/0 interface should be configured as the Untrust port (with the DHCP client enabled).
The rest of the on-board ports should be bridged together, with a VLAN IFL and DHCP server enabled (where applicable).
Default policies should allow trust->untrust traffic.
Default NAT rules should apply interface-nat for all trust->untrust traffic.
DNS/WINS parameters should be passed from server to client and, if not available, users should preconfigure a DNS server (required for download of security packages).

Dynamic VPN

Working with the Pulse client: Junos Pulse enables secure, authenticated network connections to protected resources and services over LANs and WANs. Junos Pulse is a remote access client developed to replace the earlier access client called Juniper Networks Access Manager. You must uninstall Access Manager before you install the Junos Pulse client. For SRX100, SRX210, SRX220, SRX240, and SRX650 devices running Junos OS Release 10.2 and later, Junos Pulse is supported but must be deployed separately. Users can download and install the Pulse client manually from the Juniper Networks support site.

Flow and Processing

The Perfect Forward Secrecy setting in the IPsec policy overrides the settings in proposal-sets in Junos OS Release 10.4 and later releases.

For the flow session log on all SRX Series devices, policy configuration has been enhanced. Information on the packet incoming interface parameter in the session log for session-init and session-close, and when a session is denied by a policy or by the application firewall, is provided to meet Common Criteria (CC) Medium Robustness Protection Profiles (MRPP) compliance.

Policy configuration: To configure the policy for the session for which you want to log matches as log session-init or session-close and to record sessions in syslog:

set security policies from-zone untrustZone to-zone trustZone policy policy13 match source-address extHost1
set security policies from-zone untrustZone to-zone trustZone policy policy13 match destination-address intHost1
set security policies from-zone untrustZone to-zone trustZone policy policy13 match application junos-ping
set security policies from-zone untrustZone to-zone trustZone policy policy13 then permit
set security policies from-zone untrustZone to-zone trustZone policy policy13 then log session-init
set security policies from-zone untrustZone to-zone trustZone policy policy13 then log session-close

A flow matching policy13 records the following information in the log:

<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2" destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] session created 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 ge-0/0/1.0

<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.40 reason="response received" source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2" destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] session closed response received: 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 1(84) 1(84) 0 ge-0/0/1.0
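As an added example (not from Juniper Networks or these release notes), the following Python parses the RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE records shown above, pairs them by session-id-32, and flags records that lack the packet-incoming-interface field; the required-field list and the third, older-style sample record are assumptions constructed for the example.

```python
"""Parse SRX RT_FLOW session records (the structured-data syslog format shown
above) and audit them for the fields a CC/MRPP reviewer expects, including the
packet-incoming-interface field that Junos OS Release 10.4 adds."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The first two records are the ones printed in the release note above. The third
# is CONSTRUCTED for this example: it imitates an older record that lacks
# packet-incoming-interface, so the audit has something to flag.
SAMPLE_LOGS = [
    '<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2" destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] session created 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 ge-0/0/1.0',
    '<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.40 reason="response received" source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2" destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] session closed response received: 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 1(84) 1(84) 0 ge-0/0/1.0',
    '<14>1 2010-09-30T14:56:10.001+08:00 mrpp-srx650-dut01 RT_FLOW RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="1.1.1.3" source-port="2" destination-address="2.2.2.2" destination-port="46385" service-name="icmp" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="42"] session created 1.1.1.3/2-->2.2.2.2/46385 icmp',
]

# Header layout of the records above: <PRI>1 TIMESTAMP HOST APP MSGID
# [SD-ID key="value" ...] free-text message. Values never contain a double quote.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<msgid>\S+) '
    r'\[(?P<sdid>[^\s\]]+)(?P<params>(?: [\w-]+="[^"]*")*)\] ?(?P<msg>.*)$'
)
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Fields every create/close/deny record should carry. This list is an assumption
# made for the example, drawn from the fields visible in the records above.
REQUIRED_FIELDS = (
    "source-address", "source-port", "destination-address", "destination-port",
    "policy-name", "source-zone-name", "destination-zone-name", "session-id-32",
    "packet-incoming-interface",
)


@dataclass
class FlowEvent:
    priority: int
    timestamp: str
    host: str
    msgid: str
    params: Dict[str, str]
    message: str

    @property
    def facility(self) -> int:
        return self.priority // 8  # <14> -> facility 1 (user)

    @property
    def severity(self) -> int:
        return self.priority % 8  # <14> -> severity 6 (informational)


def parse_rt_flow(line: str) -> Optional[FlowEvent]:
    """Return a FlowEvent for an RT_FLOW record, or None for any other line."""
    m = HEADER_RE.match(line.strip())
    if m is None or m.group("app") != "RT_FLOW":
        return None
    return FlowEvent(
        priority=int(m.group("pri")), timestamp=m.group("ts"),
        host=m.group("host"), msgid=m.group("msgid"),
        params=dict(PARAM_RE.findall(m.group("params"))), message=m.group("msg"),
    )


def missing_fields(event: FlowEvent) -> List[str]:
    """Names from REQUIRED_FIELDS that the record does not carry."""
    return [f for f in REQUIRED_FIELDS if f not in event.params]


@dataclass
class Session:
    session_id: str
    created: Optional[FlowEvent] = None
    closed: Optional[FlowEvent] = None

    @property
    def close_reason(self) -> Optional[str]:
        return self.closed.params.get("reason") if self.closed else None

    def bytes_from(self, side: str) -> int:
        """Bytes the CLOSE record reports for side 'client' or 'server'."""
        if self.closed is None:
            return 0
        return int(self.closed.params.get(f"bytes-from-{side}", "0"))


def correlate_sessions(events: List[FlowEvent]) -> Dict[str, Session]:
    """Pair CREATE and CLOSE records by session-id-32, keyed per host because the
    32-bit id is only unique within one device and is reused over time."""
    sessions: Dict[str, Session] = {}
    for ev in events:
        sid = ev.params.get("session-id-32")
        if sid is None:
            continue
        s = sessions.setdefault(f"{ev.host}/{sid}", Session(sid))
        if ev.msgid == "RT_FLOW_SESSION_CREATE":
            s.created = ev
        elif ev.msgid == "RT_FLOW_SESSION_CLOSE":
            s.closed = ev
    return sessions
```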

On SRX Series devices, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time. To modify the factory defaults, use the following commands:
root@host# set system max-configurations-on-flash number
root@host# set system max-configuration-rollbacks number

where max-configurations-on-flash indicates backup configurations to be stored in the configuration partition and max-configuration-rollbacks indicates the maximum number of backup configurations.


On J Series devices, the following configuration changes must be made after rollback or downgrade from Junos OS Release 10.4 to Release 9.6 or earlier:

Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences.
Remove fragmentation-map from the [class-of-service] hierarchy level and from [class-of-service interfaces lsq-0/0/0], if configured.
Remove multilink-max-classes from [ls-0/0/0 unit 0], if configured.
Remove link-layer-overhead from [ls-0/0/0 unit 0], if configured.
If the LFI forwarding class is mapped to no-fragmentation in fragmentation-map and the configuration hierarchy is enabled on lsq-0/0/0 in Junos OS Release 10.4, then:
  Add interleave-fragments under [ls-0/0/0 unit 0].
  Adjust the classifier configured for LFI on lsq-0/0/0 under [class-of-service] to classify packets to Q2.

If these instructions are not followed, the bundle will be processed incorrectly.

On SRX Series devices, as per the new behavior, when identical IP addresses are configured on a single interface, users no longer see a warning message; instead, a syslog message is generated.

On SRX210 Low Memory devices, ICMP messages generated in flow mode are now rate-limited to 20 messages every 10 seconds. This rate limit is calculated on a per-CPU basis.


General Packet Radio Service (GPRS)

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices in active/active chassis cluster mode with GPRS enabled, the seq-number-validated statement is disabled in the GTP profile and is no longer available for configuration.

Hardware

This release supports 3G USB modems on the SRX210 device. To enable 3G USB modem support on the SRX210 device, you need to configure the WAN port using the new CLI configuration statement set chassis routing-engine usb-wwan port 1 from the [edit] prompt, as described in the following procedure:

1. Ensure that the U-boot version is compatible.

user@host> show system firmware
Part                Type             Tag  Current version  Available version  Status
Routing Engine 0    RE BIOS          0    1.9              2.1                OK
Routing Engine 0    RE BIOS Backup   1    1.7              1.9                OK

2. If the BIOS version is not 2.1 or higher, upgrade the U-boot.

user@host> request system firmware upgrade re bios
Part                Type             Tag  Current version  Available version  Status
Routing Engine 0    RE BIOS          0    1.9              2.1                OK
Perform indicated firmware upgrade [yes,no] (no) yes

Select yes. On successful completion of the upgrade, the new BIOS takes effect after you reboot the device.

3. Configure the wwan port using set chassis routing-engine usb-wwan port 1 and plug the 3G USB modem into the appropriate USB slot on the device.

NOTE: For SRX210 devices, use port number 1.

4. Reboot the device to start using the 3G USB modem.

Installation


On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, support for USB auto-installation is added. This feature simplifies the upgrading of Junos OS images in cases where there is no console access to an SRX Series device located at a remote site. This feature allows you to upgrade the Junos OS image with minimum configuration effort by simply inserting a USB flash drive into the USB port of the SRX Series device and performing a few simple steps. This feature can also be used for reformatting boot devices and recovering SRX Series devices after a boot media corruption.

Interfaces and Routing

On SRX Series devices, to minimize the size of system logs, the default logging level in the factory configuration has been changed from any any to any critical.

On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set routing-options flow CLI statements are no longer available, because BGP flow specification functionality is not supported on these devices.

On SRX100, SRX210, SRX220, and SRX240 devices, the autoinstallation functionality acts in DHCP client mode, unlike on J Series devices.

On SRX3000 and SRX5000 line devices, the maximum number of traffic-shaping simple filter rules and policing rules has been changed. For SRX3000 line devices, the number of simple filter and policing rules is 2000 per I/O card (IOC) for each rule type. For SRX5000 line devices, the number of simple filter and policing rules is 2000 for each rule type per PIM on flex I/O cards (FIOCs). This change does not affect ordinary IOCs on SRX5000 line devices. The previous maximum of 4000 for each rule type is not achievable because of a hardware limitation.

On T1/E1 Mini-Physical Interface Modules installed on SRX210 and SRX240 devices, the Loopback LED is turned on based on the loopback configuration as well as when FDL loopback commands are executed from the remote end. The Loopback LED remains off when no FDL loopback commands are executed from the remote end, even though remote-loopback-respond is configured on the host.

On J4350 devices, ping does not go through even if the ISDN call is connected and the dialer watch is configured. This issue occurs only when the media MTU on Cisco devices is larger than the MTU configured on J Series devices. As a workaround, keep the MTU configured on the J Series device equal to or greater than the one set on the Cisco device.

On SRX Series and J Series devices, the help description for the set <int> interface arp-resp command incorrectly states the default value as unrestricted. The default value is actually restricted.

Intrusion Detection and Prevention (IDP)

On SRX3400 devices, FTP traffic does not go through the expedited-forwarding queue class for FTP control connections. All other traffic, such as HTTP, Telnet, and ping, goes through the expedited-forwarding queue class as expected.

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application identification CLI commands have been moved from the [security idp sensor-configuration application-identification] hierarchy to the [edit services application-identification] hierarchy.

On SRX Series and J Series devices, for brute force and time-binding-related attacks, the logging is to be done only when the match count is equal to the threshold. That is, only one log is generated within the 60-second period in which the threshold is measured. This process prevents repetitive logs from being generated and ensures consistency with other IDP platforms like IDP-standalone. When no attack is seen within the 60-second period and the BFQ entry is flushed out, the match count starts afresh, and the new attack match shows up in the attack table, and the log is generated as explained above.

J-Web

On SRX100, SRX210, SRX220, and SRX240 devices, the commit fails when you configure an interface under security zone - junos-global. In Junos OS Release 10.4, the junos-global CLI option is deprecated and is therefore not supported.

NOTE: Junos OS Release 10.3 and earlier releases still support the junos-global CLI option.

The J-Web login page has been updated with the new Juniper Networks logo and trademark.

URL separation for J-Web and dynamic VPN: This feature prevents dynamic VPN users from accessing J-Web accidentally or intentionally. Unique URLs for J-Web and dynamic VPN add support to the webserver for parsing all the HTTP requests it receives. The webserver also grants access permission based on the interfaces enabled for J-Web and dynamic VPN.

CLI changes: A new configuration attribute, management-url, is introduced at the [edit system services web-management] hierarchy level to control J-Web access when both J-Web and dynamic VPN are enabled on the same interface. The following example shows the configuration of the new attribute:

web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http;
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}


Enabling only dynamic VPN: Dynamic VPN must have the configured HTTPS certificate and the webserver to communicate with the client. Therefore, the configuration at the [edit system services web-management] hierarchy level required to start the appweb webserver cannot be deleted or deactivated. To disable J-Web, the administrator must configure the loopback interface lo0 for HTTP or HTTPS. This ensures that the webserver rejects all J-Web access requests.

web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http {
        interface lo0.0;
    }
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}

Changes in the Web access behavior: The following section illustrates the changes in the Web access behavior when J-Web and dynamic VPN do not share, and when they do share, the same interface.

Case 1: J-Web and dynamic VPN do not share the same interface.

Scenario: J-Web is enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the J-Web login page on the J-Web enabled interface or to the dynamic VPN login page on the dynamic VPN enabled interface, depending on the server host chosen.
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Scenario: J-Web is not enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the Page Not Found page.
  http(s)://server host//configured attribute: Navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the J-Web login page.
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is not enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page.
  http(s)://server host//configured attribute: Navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Case 2: J-Web and dynamic VPN do share the same interface.

Scenario: J-Web is enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page.
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the attribute is configured; otherwise, navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Scenario: J-Web is not enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the Page Not Found page.
  http(s)://server host//configured attribute: Navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the J-Web login page.
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is not enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page.
  http(s)://server host//configured attribute: Navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, to add the Predefined Attacks and Predefined Attack Groups, users do not need to type the attack names. Instead, users can select attacks from the Predefined Attacks and Predefined Attack Group lists and click the left arrow to add them. The options to configure the Custom Attacks, Custom Attack Groups, and Dynamic Attack Groups are disabled because they cannot be configured from J-Web.

Management and Administration

On SRX5600 and SRX5800 devices running a previous release of Junos OS, security logs were always timestamped using the UTC time zone. In Junos OS Release 10.4, you can use the set system time-zone CLI command to specify the local time zone that the system should use when timestamping the security logs. If you want to timestamp logs using the UTC time zone, use the set system time-zone utc and set security log utc-timestamp CLI statements.

Configuring the external CompactFlash card on SRX650 Services Gateways: The SRX650 Services Gateway includes 2-GB CompactFlash storage devices:

The Services and Routing Engine (SRE) contains a hot-pluggable CompactFlash (external CompactFlash) storage device used to upload and download files.
The chassis contains an internal CompactFlash used to store the operating system.

By default, only the internal CompactFlash is enabled, and taking a snapshot of the configuration from the internal CompactFlash directly to the external CompactFlash is not supported. This can be done only by using a USB storage device. To take a snapshot on the external CompactFlash:

1. Take a snapshot from the internal CompactFlash to the USB storage device by using the request system snapshot media usb CLI command.

2. Reboot the device from the USB storage device by using the request system reboot media usb command.

3. Go to the U-boot prompt. For more information, see the Accessing the U-Boot Prompt section in the Junos OS Administration guide.

4. At the U-boot prompt, set the following variables:

set ext.cf.pref 1
save
reset

5. Once the system is booted from the USB storage device, take a snapshot on the external CompactFlash by using the request system snapshot media external command.

NOTE: Once the snapshot has been taken on the external CompactFlash, we recommend that you set ext.cf.pref to 0 at the U-boot prompt.

Multilink

When data and LFI streams are present, we recommend the following configuration to get less latency for LFI traffic and to avoid out-of-range transmission of data traffic:

Configure the following schedulers:

set class-of-service schedulers S0 buffer-size temporal 20K
set class-of-service schedulers S0 priority low
set class-of-service schedulers S2 priority high
set class-of-service schedulers S3 priority high

Configure the following scheduler map:

set class-of-service scheduler-maps lsqlink_map forwarding-class best-effort scheduler S0
set class-of-service scheduler-maps lsqlink_map forwarding-class assured-forwarding scheduler S2
set class-of-service scheduler-maps lsqlink_map forwarding-class network-control scheduler S3

Attach the scheduler map to all member links:

set class-of-service interfaces t1-2/0/0 unit 0 scheduler-map lsqlink_map

Even after this configuration, if out-of-range sequence number drops are observed on the reassembly side, increase the drop-timeout of the bundle to 200 ms.

Network Address Translation (NAT)

On all SRX Series and J Series devices, if the routing instance for a static NAT rule's prefix is not configured, it is the same as the routing-instance that is configured for the rule-set's context.

Power over Ethernet (PoE)

On SRX210-PoE devices, SDK packages might not work.

Security

Any change in the Unified Access Control (UAC) contact interval and timeout values on the SRX Series or J Series device takes effect only after the next reconnection of the SRX Series or J Series device with the Infranet Controller.

The maximum size of a redirect payload is 1450 bytes. The size of the redirect URL is restricted to 1407 bytes (excluding a few HTTP headers). If a user accesses a destination URL that is larger than 1407 bytes, the Infranet Controller authenticates the payload, the exact length of the redirect URL is calculated, and the destination URL is trimmed such that it can fit into the redirect URL. The destination URL can be fewer than 1407 bytes based on what else is present in the redirect URL, for example, the policy ID. The destination URL in the default redirect URL is trimmed such that the redirect packet payload size is limited to 1450 bytes, and if the length of the payload is larger than 1450 bytes, the excess length is trimmed and the user is directed to the destination URL that has been resized to 1450 bytes.


Virtual LANs (VLANs)

The native-vlan-id statement can be configured only when either flexible-vlan-tagging mode or interface-mode trunk is configured. The commit error has been corrected; it previously indicated vlan-tagging mode instead of flexible-vlan-tagging mode.

Wireless LAN (WLAN)

While configuring the AX411 Access Point on your SRX Series devices, you must enter the WLAN admin password using the set wlan admin-authentication password command. This command prompts for the password and the password entered is stored in encrypted form.

NOTE: Without the wlan config option enabled, the AX411 Access Points are managed with the default password.

Changing the wlan admin-authentication password when the wlan subsystem option is disabled might result in mismanagement of Access Points. You might have to power cycle the Access Points manually to avoid this issue. SRX Series devices that are not using the AX411 Access Point can optionally delete the wlan config option.

Accessing the AX411 Access Point through SSH is disabled by default. You can enable the SSH access using the set wlan access-point < name > external system services enable-ssh command.

Unsupported CLI
This section lists unsupported CLI statements and commands.

Accounting-Options Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.

AX411 Access Point Hierarchy

On SRX100 devices, there are CLI commands for wireless LAN configurations related to the AX411 Access Point. However, at this time the SRX100 devices do not support the AX411 Access Point.

Chassis Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following chassis hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set chassis craft-lockout
set chassis routing-engine on-disk-failure

Class-of-Service Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices, the following class-of-service hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set class-of-service classifiers ieee-802.1ad
set class-of-service interfaces interface-name unit 0 adaptive-shaper

Ethernet-Switching Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following ethernet-switching hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set ethernet-switching-options bpdu-block disable-timeout
set ethernet-switching-options bpdu-block interface
set ethernet-switching-options mac-notification
set ethernet-switching-options voip interface access-ports
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class

Firewall Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following firewall hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set firewall family vpls filter
set firewall family mpls dialer-filter d1 term

Interfaces CLI Hierarchy


On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following interface hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

Aggregated Interface CLI on page 206
ATM Interface CLI on page 206
Ethernet Interfaces on page 207
GRE Interface CLI on page 208
IP Interface CLI on page 208
LSQ Interface CLI on page 208
PT Interface CLI on page 208
T1 Interface CLI on page 209
VLAN Interface CLI on page 209

Aggregated Interface CLI

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
request lacp link-switchover ae0
set interfaces ae0 aggregated-ether-options lacp link-protection
set interfaces ae0 aggregated-ether-options link-protection

ATM Interface CLI

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces at-1/0/0 container-options
set interfaces at-1/0/0 atm-options ilmi
set interfaces at-1/0/0 atm-options linear-red-profiles
set interfaces at-1/0/0 atm-options no-payload-scrambler
set interfaces at-1/0/0 atm-options payload-scrambler
set interfaces at-1/0/0 atm-options plp-to-clp
set interfaces at-1/0/0 atm-options scheduler-maps
set interfaces at-1/0/0 unit 0 atm-l2circuit-mode
set interfaces at-1/0/0 unit 0 atm-scheduler-map
set interfaces at-1/0/0 unit 0 cell-bundle-size
set interfaces at-1/0/0 unit 0 compression-device
set interfaces at-1/0/0 unit 0 epd-threshold
set interfaces at-1/0/0 unit 0 inverse-arp
set interfaces at-1/0/0 unit 0 layer2-policer
set interfaces at-1/0/0 unit 0 multicast-vci
set interfaces at-1/0/0 unit 0 multipoint
set interfaces at-1/0/0 unit 0 plp-to-clp
set interfaces at-1/0/0 unit 0 point-to-point
set interfaces at-1/0/0 unit 0 radio-router
set interfaces at-1/0/0 unit 0 transmit-weight
set interfaces at-1/0/0 unit 0 trunk-bandwidth

Ethernet Interfaces

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes
set interfaces ge-0/0/1 gigether-options mpls
set interfaces ge-0/0/0 stacked-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id
set interfaces ge-0/0/0 radio-router
set interfaces ge-0/0/0 unit 0 interface-shared-with
set interfaces ge-0/0/0 unit 0 input-vlan-map
set interfaces ge-0/0/0 unit 0 output-vlan-map
set interfaces ge-0/0/0 unit 0 layer2-policer
set interfaces ge-0/0/0 unit 0 accept-source-mac
set interfaces fe-0/0/2 fastether-options source-address-filter
set interfaces fe-0/0/2 fastether-options source-filtering
set interfaces ge-0/0/1 passive-monitor-mode

GRE Interface CLI

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces gr-0/0/0 unit 0 ppp-options
set interfaces gr-0/0/0 unit 0 layer2-policer

IP Interface CLI

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ip-0/0/0 unit 0 layer2-policer
set interfaces ip-0/0/0 unit 0 ppp-options
set interfaces ip-0/0/0 unit 0 radio-router

LSQ Interface CLI

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces lsq-0/0/0 unit 0 layer2-policer
set interfaces lsq-0/0/0 unit 0 family ccc
set interfaces lsq-0/0/0 unit 0 family tcc
set interfaces lsq-0/0/0 unit 0 family vpls
set interfaces lsq-0/0/0 unit 0 multipoint
set interfaces lsq-0/0/0 unit 0 point-to-point
set interfaces lsq-0/0/0 unit 0 radio-router

PT Interface CLI

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces pt-1/0/0 gratuitous-arp-reply
set interfaces pt-1/0/0 link-mode
set interfaces pt-1/0/0 no-gratuitous-arp-reply
set interfaces pt-1/0/0 no-gratuitous-arp-request
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 unit 0 radio-router
set interfaces pt-1/0/0 unit 0 vlan-id

T1 Interface CLI

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces t1-1/0/0 receive-bucket
set interfaces t1-1/0/0 transmit-bucket
set interfaces t1-1/0/0 encapsulation ether-vpls-ppp
set interfaces t1-1/0/0 encapsulation extended-frame-relay
set interfaces t1-1/0/0 encapsulation extended-frame-relay-tcc
set interfaces t1-1/0/0 encapsulation frame-relay-port-ccc
set interfaces t1-1/0/0 encapsulation satop
set interfaces t1-1/0/0 unit 0 encapsulation ether-vpls-fr
set interfaces t1-1/0/0 unit 0 encapsulation frame-relay-ppp
set interfaces t1-1/0/0 unit 0 layer2-policer
set interfaces t1-1/0/0 unit 0 radio-router
set interfaces t1-1/0/0 unit 0 family inet dhcp
set interfaces t1-1/0/0 unit 0 inverse-arp
set interfaces t1-1/0/0 unit 0 multicast-dlci

VLAN Interface CLI

The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces vlan unit 0 family tcc
set interfaces vlan unit 0 family vpls
set interfaces vlan unit 0 accounting-profile
set interfaces vlan unit 0 layer2-policer
set interfaces vlan unit 0 ppp-options
set interfaces vlan unit 0 radio-router

Protocols Hierarchy

On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.
set protocols bfd no-issu-timer-negotiation
set protocols bgp idle-after-switch-over
set protocols l2iw
set protocols bgp family inet flow
set protocols bgp family inet-vpn flow
set protocols igmp-snooping vlan all proxy

Routing Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following routing hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set routing-instances p1 services
set routing-instances p1 multicast-snooping-options
set routing-instances p1 protocols amt
set routing-options bmp
set routing-options flow

Services Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following services hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set services service-interface-pools

SNMP Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following SNMP hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set snmp community 90 logical-system
set snmp logical-system-trap-filter
set snmp trap-options logical-system
set snmp trap-group d1 logical-system

System Hierarchy

On all SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set system diag-port-authentication

IPv6 and MVPN CLI

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following multicast IPv6 and MVPN CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.

show pim interfaces inet6
show pim neighbors inet6
show pim source inet6
show pim rps inet6
show pim join inet6
show pim mvpn
show multicast next-hops inet6
show multicast rpf inet6
show multicast route inet6
show multicast scope inet6
show multicast pim-to-mld-proxy
show multicast statistics inet6
show multicast usage inet6
show msdp sa group group
set protocols pim interface interface family inet6
set protocols pim disable interface interface family inet6
set protocols pim family inet6
set protocols pim disable family inet6
set protocols pim apply-groups group disable family inet6
set protocols pim apply-groups group family inet6
set protocols pim apply-groups-except group disable family inet6
set protocols pim apply-groups group interface interface family inet6
set protocols pim apply-groups group apply-groups-except group family inet6
set protocols pim apply-groups group apply-groups-except group disable family inet6
set protocols pim assert-timeout timeout-value family inet6
set protocols pim disable apply-groups group family inet6
set protocols pim disable apply-groups-except group family inet6
set protocols pim disable export export-join-policy family inet6
set protocols pim disable dr-election-on-p2p family inet6
set protocols pim dr-election-on-p2p family inet6
set protocols pim export export-join-policy family inet6
set protocols pim import export-join-policy family inet6
set protocols pim disable import export-join-policy family inet6

Related Documentation

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 154
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 228
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 254

Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Application Layer Gateways (ALGs)

On SRX5600 devices, if you run the show security alg sip counters command while doing a bulk call generation, it might bring down the SPU with a flowd core file error.

AppSecure

Junos OS application identification: When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature. The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You need to change the order number of the custom signature if it conflicts with another application signature.
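The uniqueness check described above, as an added example in Python (not code from the release notes or from Juniper): it scans the display set output for order values claimed by more than one signature and proposes the next unused value for renumbering a custom signature. The sample output lines and signature names are constructed for this example.

```python
# Added example: find clashing "signature order" values in the output of
#   show services application-identification | display set | match order
# The sample lines and signature names below are constructed, not real output.
import re
from collections import defaultdict
from typing import Dict, List

# Matches the set statements the release notes describe for application and
# nested-application signatures; the trailing integer is the order value.
ORDER_RE = re.compile(
    r"^set services application-identification "
    r"(?P<kind>application|nested-application) (?P<name>\S+) "
    r"signature order (?P<order>\d+)\s*$"
)

# Constructed sample output: a custom signature reuses order 600.
SAMPLE_OUTPUT = """\
set services application-identification application example-predef-a signature order 600
set services application-identification application example-predef-b signature order 610
set services application-identification application my-custom-app signature order 600
set services application-identification nested-application my-nested-app signature order 700
"""


def parse_orders(text: str) -> Dict[int, List[str]]:
    """Map each order value to the signatures (kind:name) that use it."""
    by_order: Dict[int, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = ORDER_RE.match(line.strip())
        if m:
            by_order[int(m["order"])].append(f"{m['kind']}:{m['name']}")
    return dict(by_order)


def find_conflicts(text: str) -> Dict[int, List[str]]:
    """Return only the order values used by more than one signature."""
    return {o: names for o, names in parse_orders(text).items() if len(names) > 1}


def next_free_order(text: str, start: int) -> int:
    """Smallest order value >= start that no signature uses yet."""
    used = set(parse_orders(text))
    candidate = start
    while candidate in used:
        candidate += 1
    return candidate


if __name__ == "__main__":
    for order, names in sorted(find_conflicts(SAMPLE_OUTPUT).items()):
        print(f"order {order} is used by: {', '.join(names)}")
        print(f"  next free order value: {next_free_order(SAMPLE_OUTPUT, order)}")
```

Feed it the real display set output captured from the device to check a custom signature before committing it.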

Authentication

On J Series devices, after the user is authenticated, if the webauth-policy is deleted or changed and an entry exists in the firewall authentication table, then an authentication entry created as a result of webauth will be deleted only if a traffic flow session exists for that entry. Otherwise, the webauth entry will not get deleted and will only age out. This behavior will not cause a security breach.

AX411 Access Point

On SRX650 devices, when an access point is part of the default cluster and you change the default cluster after the access point is connected to it, the changes might not be reflected. As a workaround, restart the wireless LAN service.

On SRX210, SRX240, and SRX650 devices, up to four access points (maximum) can be configured and managed.

NOTE: The number of licensed access points can exceed the maximum number of supported access points. However, you can only configure and manage the maximum number of access points.

Chassis Cluster

On SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, only four QoS queues are supported per reth/ae interface.

On SRX650 devices in a chassis cluster, ping packets sent from the forward node to the active node are dropped intermittently.

On SRX5800 devices, SNMP traps might not be generated for the ineligible-primary state.

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, LACP does not work in Layer 2 transparent mode.

On SRX650 devices, when the primary node is synchronizing a large number of routes to the secondary node and the secondary node is rebooted, FPCs on the secondary node come up very slowly. PICs will not come up until all the routes are synchronized to the secondary node.

On SRX240 Low Memory and High Memory devices, binding the same IKE policy to a dynamic gateway and a site-to-site gateway is not allowed.

On J Series devices in a chassis cluster, a high load of SIP ALG traffic might result in some call leaks in active resource manager groups and gates on the backup router.

On an SRX210 device in a chassis cluster, the restart forwarding method is not recommended, because restarting forwarding on the primary node causes all redundancy groups (RGs) to fail over to the other node.

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the iflset functionality is not supported for aggregated interfaces such as reth.

On SRX650 devices in a chassis cluster, the T1/E1 PIC goes offline and does not come back online.

In large chassis cluster configurations on SRX3400 or SRX3600 devices, you need to increase the wait time before failover is triggered. In a full-capacity implementation, we recommend increasing the wait to 8 seconds by modifying the heartbeat-threshold and heartbeat-interval values in the [edit chassis cluster] hierarchy. The product of the heartbeat-threshold and heartbeat-interval values defines the time before failover. The default values (heartbeat-threshold of 3 beats and heartbeat-interval of 1000 milliseconds) produce a wait time of 3 seconds. To change the wait time, modify the option values so that the product equals the desired setting. For example, setting the heartbeat-threshold to 8 and keeping the default heartbeat-interval (1000 milliseconds) yields a wait time of 8 seconds. Similarly, setting the heartbeat-threshold to 4 and the heartbeat-interval to 2000 milliseconds also yields a wait time of 8 seconds.
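The product rule above, as an added example in Python (not code from the release notes or from Juniper): it computes the failover wait from heartbeat-threshold and heartbeat-interval, lists every pair that produces a target wait, and renders the matching set commands for the [edit chassis cluster] hierarchy. The accepted value ranges are an assumption of this example and are not stated on the page.

```python
# Added example: failover wait = heartbeat-threshold * heartbeat-interval,
# as the release notes describe. The value ranges below are an assumption of
# this example; confirm them against the documentation for your release.
from typing import List, Tuple

THRESHOLD_RANGE = (3, 8)          # assumed valid heartbeat-threshold values (beats)
INTERVAL_RANGE = (1000, 2000)     # assumed valid heartbeat-interval values (ms)

DEFAULT_THRESHOLD = 3             # default from the release notes: 3 beats
DEFAULT_INTERVAL_MS = 1000        # default from the release notes: 1000 ms


def failover_wait_seconds(threshold: int, interval_ms: int) -> float:
    """Seconds before failover for a threshold/interval pair, after range checks."""
    if not THRESHOLD_RANGE[0] <= threshold <= THRESHOLD_RANGE[1]:
        raise ValueError(f"heartbeat-threshold {threshold} outside assumed range")
    if not INTERVAL_RANGE[0] <= interval_ms <= INTERVAL_RANGE[1]:
        raise ValueError(f"heartbeat-interval {interval_ms} outside assumed range")
    return threshold * interval_ms / 1000.0


def combinations_for_wait(target_seconds: float) -> List[Tuple[int, int]]:
    """All (threshold, interval_ms) pairs within the assumed ranges whose product is the target."""
    target_ms = round(target_seconds * 1000)
    pairs: List[Tuple[int, int]] = []
    for threshold in range(THRESHOLD_RANGE[0], THRESHOLD_RANGE[1] + 1):
        if target_ms % threshold:
            continue  # interval would not be a whole number of milliseconds
        interval_ms = target_ms // threshold
        if INTERVAL_RANGE[0] <= interval_ms <= INTERVAL_RANGE[1]:
            pairs.append((threshold, interval_ms))
    return pairs


def set_commands(threshold: int, interval_ms: int) -> List[str]:
    """Render the statements under [edit chassis cluster] for a validated pair."""
    failover_wait_seconds(threshold, interval_ms)  # raises on an out-of-range value
    return [
        f"set chassis cluster heartbeat-threshold {threshold}",
        f"set chassis cluster heartbeat-interval {interval_ms}",
    ]


if __name__ == "__main__":
    print("default wait:", failover_wait_seconds(DEFAULT_THRESHOLD, DEFAULT_INTERVAL_MS), "s")
    for t, i in combinations_for_wait(8):
        print(f"{t} beats x {i} ms = {failover_wait_seconds(t, i)} s")
        print("\n".join(set_commands(t, i)))
```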

SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster limitations:

Virtual Router Redundancy Protocol (VRRP) is not supported.
In-service software upgrade (ISSU) is not supported.
The 3G dialer interface is not supported.
On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4-6 minutes.
On the VDSL mini-PIM, chassis cluster is not supported for VDSL mode.
Queuing on aggregated Ethernet (ae) interfaces is not supported.
Group VPN is not supported.
Sampling features such as J-Flow, packet capture, and port mirroring on the reth interface are not supported.
IDP is not supported for active/active chassis cluster. IDP is supported for active/backup chassis cluster in Junos OS Release 10.2R2 and later.
Switching is not supported in chassis cluster mode.
Packet-based services such as MPLS and CLNS are not supported.
lsq-0/0/0: Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP) are not supported.
gr-0/0/0: Generic routing encapsulation (GRE) and tunneling are not supported.
ip-0/0/0: IP-over-IP (IP-IP) encapsulation is not supported.
lt-0/0/0: CoS for real-time performance monitoring (RPM) is not supported.
PP0: PPPoE and PPPoEoA are not supported.
ISDN and WXC are not supported in chassis cluster mode.

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, IP address monitoring is not permitted if a redundant Ethernet interface is configured for a VPN routing and forwarding (VRF) instance.

On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, UTM is supported only for an active/backup chassis cluster configuration with both RG0 and RG1 active on the same node. It is not supported for an active/active chassis cluster configuration.

For other limitations in chassis cluster, see Limitations of Chassis Clustering in the Junos OS Security Configuration Guide.

Class of Service (CoS)

J4350 and J6350 devices might not have the requisite data buffers needed to meet expected delay-bandwidth requirements. Lack of data buffers might degrade CoS performance with smaller (500 bytes or less) packets.

Command-Line Interface (CLI)

On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI. The number of users allowed to access the device is limited as follows:

For SRX210 devices: four CLI users and three J-Web users
For SRX240 devices: six CLI users and five J-Web users


On SRX210 devices, packet drops might be seen while prioritizing multiple data streams configured with the same multilink class on single-member-link ML bundles that are configured between SRX Series or J Series devices and other types of devices. As a workaround, ensure that each forwarding class is configured with one multilink class on multilink bundles on SRX Series and J Series devices. This avoids out-of-order transmission of multilink fragments for a given multilink class. This does not apply to LFI traffic; also, when Q is marked for LFI, do not change the Q configuration.

On SRX100 devices in chassis cluster mode, after the first RG0 failover, the CLI response might be slow for a few minutes.

DOCSIS Mini-PIM

On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100 Mbps throughput in each direction.

Dynamic Host Configuration Protocol (DHCP)

SRX Series and J Series devices do not support DHCPv6 client authentication.

NOTE: Existing DHCPv4 configurations in the [edit system services dhcp] hierarchy are not affected when you upgrade to Junos OS Release 10.4 from an earlier version or enable DHCPv6 server.

Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:

The IKE configuration for the dynamic VPN client does not support the hexadecimal preshared key.
The dynamic VPN client IPsec does not support the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol with NULL authentication.
When you log in through the Web browser (instead of logging in through the dynamic VPN client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the dynamic VPN client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).


Enhanced Switching

On J Series devices, if the access port is tagged with the same VLAN that is configured at the port, the access port accepts tagged packets and determines the MAC.

Flow and Processing

On branch SRX100, SRX210, SRX220, SRX240, and SRX650 devices, because of a limit on the number of large packet buffers, Routing Engine based sampling might run out of buffers for packets of 1500 bytes or larger, and those packets will not be sampled. Buffers can be exhausted when the rate of the traffic stream is high.

On J Series devices, outbound filters are applied twice to host-generated IPv4 traffic.

On SRX3400 and SRX3600 devices, the ramp rate of session creation is at times slow for fragmented UDP traffic.

On SRX Series devices, data plane logs generated in event mode (under set security log mode options) or logs sent through NSM (under set system syslog) can increase CPU utilization dramatically, affecting system stability, especially in chassis cluster mode.

On SRX100 devices, multicast data traffic is not supported on IRB interfaces.

The service-point zone parameter for the SRX Series MGW configuration is not supported in Junos OS Release 10.4.

You cannot configure route policies and route patterns in the same dial plan.

You can configure no more than four members in a station group. Station groups are used for hunt groups and ring groups.

On J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets, because ES-IS packets are Layer 2 terminating packets.

On SRX Series and J Series devices, high CPU utilization triggered by causes such as CPU-intensive commands or SNMP walks causes BFD to flap while large BGP updates are being processed.

On SRX650 devices, when front panel ports on the device are linked at 10M or 100M, jumbo frames do not go through. Linking the port at 1000M allows jumbo frames to be received and transmitted through the device.

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations are not reflected on the chassis cluster interface. [PR/389451]

On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, if the Infranet Controller auth table mapping action is configured as provision auth table as needed, UAC terminates the existing sessions after Routing Engine failover. You might have to initiate new sessions. Existing sessions are not affected after Routing Engine failover if the Infranet Controller auth table mapping action is configured as always provision auth table. [PR/416843]


For other limitations in flow and processing, see Limitations of Flow and Processing in the Junos OS Security Configuration Guide.

Hardware
This section covers filter and policing limitations.

On J Series devices, when you upgrade from Junos OS Release 10.0, 10.1, 10.2, or 10.3 to Release 10.4 or later, a device that has 512 MB DRAM and 512 MB CF memory cannot be upgraded to Release 10.4 or later. You must upgrade the DRAM and/or CF memory to 1 GB DRAM and 1 GB CF, respectively. For more information, see:
http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2011-06-283&viewMode=view

On SRX1400, SRX3400 and SRX3600 devices, the following feature is not supported by a simple filter:

Forwarding class as match condition

On SRX1400, SRX3400 and SRX3600 devices, the following features are not supported by a policer or a three-color-policer:

Color-aware mode of a three-color-policer
Filter-specific policer
Forwarding class as action of a policer
Logical interface policer
Logical interface three-color policer
Logical interface bandwidth policer
Packet loss priority as action of a policer
Packet loss priority as action of a three-color-policer

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following features are not supported by a firewall filter:

Policer action
Egress FBF
FTF

SRX1400, SRX3400, and SRX3600 devices have the following limitations of a simple filter:

In the packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.
In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000.
In the packet processor on an IOC, the maximum number of policers is 4000.
In the packet processor on an IOC, the maximum number of three-color-policers is 2000.
The maximum burst size of a policer or three-color-policer is 16 MB.

1G half-duplex mode of operation is not supported in the autonegotiation mode for the following devices:

SRX650 Services Gateway
16-port GPIM
24-port GPIMs

On SRX210 devices, the MTU size is limited to 1518 bytes for the 1-port SFP Mini-PIM.

On SRX240 devices, the Mini-PIM LEDs glow red for a short duration (1 second) when the device is powered on.

On SRX240 devices, file installation fails on the right USB slot when both USB slots have USB storage devices installed.

The SRX220 Services Gateway does not support the 1-port SFP Mini-PIM.

In-Service Software Upgrade (ISSU)

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the no-old-master-upgrade option is not supported in the command that you use to start the ISSU.

Interfaces and Routing

On SRX240 High Memory devices, when the system login deny-sources statement is used to restrict access, it also blocks the remote copy (rcp) between nodes that is used to copy the configuration during the commit routine. Use a firewall filter on the lo0.0 interface to restrict Routing Engine access instead. If you choose to use the [system login deny-sources] statement, check the private addresses that are auto-assigned on lo0.x and sp-0/0/0.x and exclude them from the denied list.

The SRX210, SRX220, SRX240, and SRX650 devices cannot send logs to the NSM when logging is configured in stream mode. This is because the security log does not support configuring the source IP address for the fxp0 interface, and the security log destination in stream mode cannot be routed through the fxp0 interface. This implies that you cannot configure the security log server in the same subnet as the fxp0 interface and route the log server through the fxp0 interface.

On SRX210 devices, the link goes down after an FPGA upgrade is performed. As a workaround, run the restart fpc command.

On SRX240 High Memory devices, traffic might stop between the SRX240 device and a Cisco switch because of a link mode mismatch. As a workaround, Juniper Networks recommends setting the auto-negotiation parameters on both ends to the same value.


On SRX100 devices, the link goes down when you upgrade the FPGA on the 1xGE SFP. As a workaround, run the restart fpc command to restart the FPC.

On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested because of lack of support from the vendor.

On SRX210 High Memory devices, IGMPv2 JOIN messages are dropped on an IRB interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces.

On J Series devices, the DS3 interface does not have an option to configure multilink-frame-relay-uni-nni (MFR).

On SRX210, SRX220, and SRX240 devices, every time the VDSL2 PIM is restarted in ADSL mode, the first packet passing through the PIM is dropped.

On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server operation does not work when the probe is configured with the destination-interface option.

Link Layer Discovery Protocol (LLDP): The following are the LLDP limitations:

On J Series devices, LLDP is not supported on routed ports.
On SRX Series and J Series devices, LLDP over ae interfaces is not supported.
On SRX Series and J Series devices, LLDP is supported only on interface unit 0.

In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper matching the ATM CoS rate must be configured to avoid congestion drops in SAR. Example:

set interfaces at-5/0/0 unit 0 vci 1.110
ATM CoS:
set interfaces at-5/0/0 unit 0 shaping cbr 62400
IP CoS:
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map
Add IFL shaper:
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400

On SRX210, SRX220, and SRX240 devices, the 1-port Gigabit Ethernet SFP Mini-PIM does not support switching in Junos OS Release 10.4.

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the Link Aggregation Control Protocol (LACP) is not supported on Layer 2 interfaces.

On SRX650 devices, MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.

On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls within the reserved VLAN range, and the user is not allowed to configure any VLANs from this range.

On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP medium is preferred. If the SFP medium is removed or the link is brought down, the interface switches to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go up and down intermittently. Similarly, when the RJ-45 medium is active and an SFP link is brought up, the interface transitions to the SFP medium, and this transition can also take a few seconds.


On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. If this amount is oversubscribed (that is, bidirectional traffic of 20 Kbps or above), keepalives are not exchanged and the interface goes down.

On SRX3400 and SRX3600 devices, BGP-based VPLS over aggregated Ethernet (ae) interfaces does not work because it is not supported. It works on child ports and physical interfaces.

On SRX100, SRX210, SRX240, and SRX650 devices, the following features are not supported on the Level 3 ae interface:

Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE) on Level 3 ae interfaces
J-Web
Level 3 ae for 10-Gigabit Ethernet

The number of IP addresses supported on vp-x/0/0 interface is limited to one.

Intrusion Detection and Prevention (IDP)

On SRX100, SRX110, SRX210, SRX220, SRX240, SRX630, SRX650, and SRX680 devices, the confirmed commit option is not supported in IDP. If you issue a commit command while policy compilation is in progress, the CLI commit fails and the following message appears: idpd busy in commit. Please try again later. Because the listed devices have limited access to system resources, multiple IDP processes cannot be run at the same time on these devices. After policy compilation completes, a fresh commit can be issued successfully through the CLI.

On other SRX Series and J Series devices, if a policy compilation is in progress when a commit is issued, the new commit is deferred until the ongoing policy compilation is complete. If the active policy is changed, recompilation takes place once the ongoing policy compilation is complete.

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you want to change to maximize-idp-sessions mode, configure the security forwarding-process application-services maximize-idp-sessions command before you reboot the device, to avoid recompiling IDP policies during every commit.

If SRX Series devices that are configured for IDP are upgraded to Junos OS Release 10.4, administrators must install the new security database, because the old IDP detector might not be compatible. Administrators must update the detector by using the request security idp security-package download full-update command followed by the request security idp security-package install command.

IDP does not allow header checks for nonpacket contexts.

On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum number of entries supported in the ASC table is 100,000. However, because the user-land buffer has a fixed size of 1 MB, a maximum of 38837 cache entries is displayed.

On SRX100, SRX210, SRX240, and SRX650 devices, policy compilation takes a long time because:

Software DFA is now used for attack signature compilation.
The IDPD daemon gets a smaller CPU time slice during compilation.

On SRX100 Low Memory devices, the grace period for idp-sig license is not supported.

For all other limitations in IDP, see Limitations of IDP in the Junos OS Security Configuration Guide.

Infrastructure

On J Series devices, you cannot use a USB device that provides U3 features (such as the U3 Titanium device from SanDisk Corporation) as the media device during system boot. You must remove the U3 support before using the device as a boot medium. For the U3 Titanium device, you can follow the instructions to remove the U3 Launchpad from a Windows-based system at http://kb.sandisk.com/app/answers/detail/a_id/2550/kw/remove%20u3%20launchpad. (To restore the U3 features, follow the instructions to install the U3 Launchpad on a Windows-based system at http://kb.sandisk.com/app/answers/detail/a_id/240/~/installing-u3-launchpad.)

On J Series devices, when you press the F10 key to save and exit from BIOS configuration mode, the operation might not work as expected. As a workaround, use the Save and Exit option from the Exit menu. This issue can be seen on the J4350 and J6350 devices with BIOS Version 080011 and on the J2320 and J2350 devices with BIOS Version 080012.

On J Series devices, the Clear NVRAM option in the BIOS configuration mode does not work as expected. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. To help mitigate this issue, note any changes you make to the BIOS configuration so that you can revert to the default BIOS configuration as needed.

It is not possible to upgrade the Acadia client if you use non-administrator user credentials on a Windows 7 client machine. You need Administrator user privileges to upgrade it.

IPv6

NOTE: Concerning NSM support, do not follow the information presented in the Junos OS Security Configuration Guide. Please consult the NSM release notes for version compatibility, required schema updates, and up-to-date support information.

Tunnel traffic: IPv6 advanced flow does not support the following tunnel types:

IPv4 IPIP
IPv4 GRE
IPv4 IPsec
Dual-stack lite

For other limitations in IPv6, see Limitations of IPv6 in the Junos OS Security Configuration Guide.

On SRX Series devices, when you enable VPN, overlapping of IP addresses across virtual routers (VRs) is partially supported, with the following limitations:

An IKE external interface address cannot overlap with any other VR.
An internal/trust interface address can overlap across VRs.
An st0 interface address cannot overlap in a route-based VPN in a point-to-multipoint tunnel such as NHTB.
An st0 interface address can overlap in a route-based VPN in a point-to-point tunnel.

J-Web

J-Web browser support for Dell PowerConnect SRX Series and J Series devices: To access J-Web for all platforms, your device requires the following supported browsers and OS:

Browser: Microsoft Internet Explorer version 6.0 or 7.0, or Mozilla Firefox versions above 3.0 and below 3.5.

NOTE: Other browser versions might not provide access to J-Web and only English-version browsers are supported.

OS: Microsoft Windows XP Service Pack 3

SRX Series and J Series browser compatibility: To access the J-Web interface, your management device requires the following software:

Supported browsers: Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0
Language support: English-version browsers
Supported OS: Microsoft Windows XP Service Pack 3

If the device is running the worldwide version of Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.

To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed by default on the Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.

On SRX Series devices, in the J-Web interface, there is no support to change the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from T1 to E1 and vice versa.


On SRX Series and J Series devices, users cannot differentiate between active and inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.

On SRX210, SRX240, and SRX650 devices, the complete contents of the ToolTips are not displayed in the J-Web Chassis View. As a workaround, drag the Chassis View image down to see the complete ToolTip.

On SRX210 devices, there is no maximum length when the user commits the hostname in CLI mode; however, a maximum of only 58 characters is displayed in the J-Web System Identification panel.

On J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In a modal pop-up window, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.

On SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently supported as IKE external interfaces.

Management and Administration

On SRX5600 and SRX5800 devices, data path debug trace messages are dropped above 1000 packets per second (pps).

On J2350, J4350, and J6350 devices, the extended bit error rate test (BERT) takes an additional 3 hours to complete even though a BERT period of 24 hours is set.

Memory Requirements for J Series Devices

J Series devices require 1 GB RAM to run 10.4 software.

NetScreen-Remote

On SRX Series devices, NetScreen-Remote is not supported in Junos OS Release 10.4.

Network Address Translation (NAT)

NAT rule capacity change: To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed. The number of destination and static NAT rules has been increased as shown in Table 11 on page 225. The limit on the number of destination-rule-sets and static-rule-sets has also been increased. Table 11 on page 225 lists the rule capacity for each device.


Table 11: Number of Rules on SRX Series and J Series Devices

NAT Rule Type          SRX100   SRX210   SRX240   SRX650   SRX3400/SRX3600   SRX5600/SRX5800   J Series
Source NAT rule        512      512      1024     1024     8192              8192              512
Destination NAT rule   512      512      1024     1024     8192              8192              512
Static NAT rule        512      512      1024     1024     8192              8192              512

The restriction on the number of rules per rule set has been increased so that there is only a device-wide limitation on how many rules a device can support. This restriction is provided to help you better plan and configure the NAT rules for the device.

IKE negotiations involving NAT-T: On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT-Traversal (NAT-T) do not work if the IKE peer is behind a NAT device that changes the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP address because the IKE protocol switches the UDP port from 500 to 4500.

Point-to-Point Protocol over Ethernet (PPPoE)

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices in a chassis cluster, the reth interface cannot be used as the underlying interface for Point-to-Point Protocol over Ethernet (PPPoE).

Power over Ethernet (PoE)

On SRX210 devices, the fourth access point connected to the services gateway fails to boot with the default PoE configuration. As a workaround, configure all the PoE ports to a maximum power of 12.4 watts. Use the following command to configure the ports:

root# set poe interface all maximum-power 12.4

On SRX210 PoE devices, high latencies might be observed for Internet Control Message Protocol (ICMP) pings between two wireless clients when 32 virtual access points (VAPs) are configured. [PR/472131]

Security

On all J Series devices, RADIUS accounting is not supported.

J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order statement. Instead, use the order radius password or ldap password.


For all other limitations in security, see Addresses and Address Sets in the Junos OS Security Configuration Guide.

SNMP

On J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release 10.4.

Switching

On SRX100, SRX210, SRX240, and SRX650 devices, CoA is not supported with 802.1X.

On SRX100, SRX210, SRX240, and SRX650 devices, on the routed VLAN interface, the following features are not supported:

IPv6 (family inet6)
IS-IS (family iso)
Class of service
Encapsulations (Ethernet CCC, VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces
CLNS
PIM
DVMRP
VLAN interface MAC change
Gratuitous ARP
Changing the VLAN ID of a VLAN interface

Upgrade and Downgrade

On J Series devices, when you try to install new builds, the upgrade might fail because of insufficient disk space if the CompactFlash is small. We recommend using a 1-GB CompactFlash for Release 10.0 and later releases.

USB Modem

On SRX210 High Memory devices, IPv6 is not supported on dialer interfaces with a USB modem. [PR/489960]

On SRX210 High Memory devices, HTTP traffic is very slow through the umd0 interface. [PR/489961]


System

On SRX650 devices, if one of the four Gigabit Ethernet ports is linked up at 10 or 100 Mbps, it does not support jumbo frames: frames greater than 1500 bytes are dropped. Linking the ports up at 1000 Mbps allows jumbo frames to be received or transmitted through the device.

Unified Threat Management (UTM)

UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.

On SRX210 High Memory devices, content filtering provides the ability to block protocol commands. In some cases, blocking these commands interferes with protocol continuity, causing the session to hang. For instance, blocking the FETCH command for the IMAP protocol causes the client to hang without receiving any response.

On SRX210 High Memory devices, when the content filtering message type is set to protocol-only, customized messages appear in the log file.

On SRX240 High Memory devices, FTP download of large files (> 4 MB) does not work in a two-device topology.

Virtual LANs (VLANs)

On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following VLAN IDs are reserved for internal use and cannot be used on customer-facing interfaces:

Table 12: VLAN IDs Reserved for Internal Use

Device    3968-4047    4093        4094
SRX100                 Reserved    Reserved*
SRX210                 Reserved    Reserved*
SRX220                 Reserved    Reserved*
SRX240    Reserved     Reserved    Reserved*
SRX650    Reserved     Reserved    Reserved*

* This default tag reservation can be configured to use an alternative tag number or not to use VLAN tagging at all.

On SRX100 Low Memory, SRX100 High Memory, SRX210 Low Memory, SRX210 High Memory, SRX240 High Memory, and SRX650 devices, the Link Layer Discovery Protocol (LLDP) organization-specific Type Length Value (TLV), medium attachment unit (MAU) information always propagates as Unknown.

VPNs

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T tunnel scaling and sustaining issues are as follows:

For a given private IP address, the NAT device should translate both the 500 and 4500 private ports to the same public IP address.
The total number of tunnels from a given public translated IP address cannot exceed 1000 tunnels.

On SRX100, SRX210, SRX240, and SRX650 devices, when you configure dynamic VPN using the Pulse client and select sha-256 as the authentication-algorithm in the IKE proposal, the IPsec session might not be established.

Related Documentation

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 154
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 228
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 254

Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
NOTE: For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch.

Outstanding Issues In Junos OS Release 10.4R8 for SRX Series Services Gateways and J Series Services Routers on page 228
Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 235

Outstanding Issues In Junos OS Release 10.4R8 for SRX Series Services Gateways and J Series Services Routers
The following problems currently exist in SRX Series and J Series devices. The identifier following the description is the tracking number in our bug database.

Application Layer Gateways (ALGs)

On SRX Series devices, SIP server protection does not work. The set security alg sip application-screen protect deny command does not work. [PR/512202]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, after 2 days of NAT/ALG traffic and some failovers, SIP RM group leaks are observed when all calls and sessions are dropped. [PR/584215]


AX411 Access Point

The access point reboots when 100 clients are associated simultaneously and each one is transmitting 512-byte packets at 100 pps. [PR/469418]

Chassis Cluster

During a manual failover, a system crash might occur if the nodes have not completely recovered from a previous failover. To determine whether a device is ready for repeated failovers, perform the following recommended best-practice steps before doing a manual failover:

Use the show chassis cluster status command to verify the following for all redundancy groups:

One node is primary; the other node is secondary.
Both nodes have nonzero priority values unless a monitored interface is down.

Use the show chassis fpc pic-status command to verify that the PIC status is Online.

Use the show pfe terse command to verify that the Packet Forwarding Engine status is Ready and to verify the following:

All slots on the RG0 primary node have the status Online.
All slots on the RG0 secondary node, except the Routing Engine slots, have the status Valid.

[PR/503389]
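The readiness check above is a manual inspection of show chassis cluster status output. The following script, an added example that is not Juniper's code and not part of these release notes, automates the first step: it parses the command output (the sample is constructed here in the shape of the 10.x-era output, not captured from a real device) and reports every redundancy group that does not have exactly one primary and one secondary node, or that has a node with priority 0 when no monitored interface on that node is known to be down. The down_monitored_iface_nodes parameter is an assumption of this example; an operator fills it from the interface-monitoring output separately.

```python
"""Pre-failover readiness check driven by 'show chassis cluster status' text.

Added example (not Juniper's code). Implements the release-notes advice:
for every redundancy group, one node must be primary and the other
secondary, and both nodes must carry a nonzero priority unless a monitored
interface on that node is down.
"""
import re

# CONSTRUCTED sample in the shape of the 10.x-era command output; RG1 and
# RG2 are deliberately not ready so the checker has something to report.
SAMPLE_STATUS = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 3
    node0                   0           primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 2 , Failover count: 0
    node0                   100         primary        no       no
    node1                   100         primary        no       no
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_cluster_status(text):
    """Return {rg_id: {node_name: {"priority": int, "status": str}}}."""
    groups = {}
    current = None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            groups[current][m.group(1)] = {
                "priority": int(m.group(2)),
                "status": m.group(3),
            }
    return groups


def check_failover_readiness(groups, down_monitored_iface_nodes=()):
    """Return a list of (rg_id, reason) for every redundancy group not ready.

    down_monitored_iface_nodes: node names whose monitored interface is known
    to be down (hypothetical input; a priority of 0 is tolerated only there).
    """
    problems = []
    for rg_id, nodes in sorted(groups.items()):
        statuses = sorted(n["status"] for n in nodes.values())
        if statuses != ["primary", "secondary"]:
            problems.append((rg_id, "expected one primary and one secondary, got %s" % statuses))
        for name, info in sorted(nodes.items()):
            if info["priority"] == 0 and name not in down_monitored_iface_nodes:
                problems.append((rg_id, "%s has priority 0 with no monitored interface down" % name))
    return problems


def ready_for_manual_failover(text, down_monitored_iface_nodes=()):
    """True only when no redundancy group violates the best-practice conditions."""
    return not check_failover_readiness(parse_cluster_status(text), down_monitored_iface_nodes)


if __name__ == "__main__":
    for rg, reason in check_failover_readiness(parse_cluster_status(SAMPLE_STATUS)):
        print("RG%d: %s" % (rg, reason))
```

Run against the constructed sample, the script flags RG1 (node0 at priority 0 with no interface reported down) and RG2 (both nodes primary), and reports RG0 as ready; the second and third steps of the procedure (PIC status and Packet Forwarding Engine slot status) would be checked from their own command output in the same way.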

On SRX210 devices, IPv4 and IPv6 ICMP redirect messages are not generated from a chassis cluster setup. [PR/516739]

If the fxp0 interface flaps on the RG0 primary cluster node, the networks reachable through the configured backup router (set system backup-router destination) might be unreachable on the secondary cluster node. [PR/589839]

On J Series devices, the restart forwarding gracefully command in chassis cluster mode should allow all the FPCs to restart successfully and come up online, but the FPCs do not come up online; they go offline. Workaround: Restart the device to recover from this state and bring the PICs online. [PR/605657]

Command-line Interface (CLI)

On SRX Series devices, the maximum supported session count is not displayed as part of the output of the show security flow session idp summary CLI command. [PR/503721]

On SRX Series devices, IDP commands become unresponsive in the following scenarios:

The device has been operating under heavy traffic conditions for a long time.
There are thousands of ip-action entries.
Users have executed the ip-action show command from the CLI.

As a workaround, do not issue the show security flow ip-action | count command from the CLI. [PR/510250]

Flow and Processing

On SRX100, SRX210, SRX240, and SRX650 devices (16-Port Gigabit Ethernet XPIM and 24-Port Gigabit Ethernet XPIM), input DA errors are not updated when packets are dropped due to MAC filtering. [PR/423777]

On SRX240 PoE and J4350 devices, the first packet on each multilink class is dropped on reassembly. [PR/455023]

On SRX5800 devices, the GPRS tunneling protocol (GTP) application is supported only on some ports. Customized applications on other ports are not supported. [PR/464357]

On SRX Series devices, the software upload and install package does not show a warning message when there are pending changes to be committed. [PR/514853]

On SRX5600 and SRX5800 devices, a disabled node does not reboot automatically with control-link-recovery enabled. [PR/451852]

On SRX Series and J Series devices, high CPU utilization (triggered for various reasons, such as CPU-intensive commands or SNMP walks) can cause BFD to flap. [PR/505541]

On SRX240 devices, the session flow logs in rtlogd are truncated at 510 characters. [PR/538249]

On SRX5800 devices, the configuration knob set security pki ca-profile <profile> revocation-check crl disable on-download-failure does not prevent the revocation check when the PKI server is unreachable. [PR/605042]

The on-board ports of SRX650 devices might not forward BPDUs because of the internal architecture of the SRX650 with respect to the on-board ports. [PR/659679]

On SRX5800 devices, the certificate revocation list file size is limited to 2 MB. [PR/669722]

On SRX650 devices, a memory corruption issue is observed when a data structure is accessed across threads. [PR/683339]

Hardware

On J Series devices, 100M-based BIDI/BX SFPs are not supported on Physical Interface Modules (PIMs). [PR/472931]

On SRX3600 devices, the syslog incorrectly printed XFP warning messages regarding temperature even though the temperature was not reaching the threshold. [PR/576900]

Installation

On SRX100, SRX210, SRX240, or SRX650 devices with 1-GB storage flash, when you use the file copy command to copy the Junos OS package from ftp://<path> to a local directory, you might get a message saying that the file system is full. Do not use the file copy command to get the Junos OS package for a software upgrade. The file copy command copies the Junos OS package as a temporary file in /cf/var/tmp and then copies the file with a package name into a local directory under the /cf/var partition. This means that a Junos OS package of size X needs 2X space in the /cf/var partition. For example, a Junos OS package of 197 MB will need 394 MB, whereas the /cf/var partition is less than 350 MB on a 1-GB storage flash. Thus, the file copy command will fail. [PR/526030]

If both IDP and UTM are used, installation can fail because of insufficient disk space when installing Junos OS versions earlier than Junos OS 11.1. The following IDP files can be deleted using the file delete command in the CLI without any issues to free up space:

cli> file delete /var/db/idpd/sec-download/*

This deletes the downloaded security-package files. It does not affect the installed database, but if the security package has been downloaded and not yet installed, a fresh download is needed after deleting these files.

cli> file delete /var/db/idpd/db/dfa_cache.*
cli> file delete /var/db/idpd/db/dfa_group_cache.*
cli> file delete /var/db/idpd/db/pcre_cache.*
cli> file delete /var/db/idpd/db/dfacache.dbd
cli> file delete /var/db/idpd/db/dfa*
cli> file delete /var/db/idpd/db/pcre*
cli> file delete /var/db/idpd/db/cache.dbd

The cache files are used for policy compilation optimization, so the drawback of deleting them is that the first policy compilation afterward takes longer. Also note that after deleting these files, a reboot is required for IDP to regenerate the files properly (if an image upgrade is done and the device is rebooted after that, a separate reboot is not required). [PR/606108]

Interfaces and Routing

On J Series devices, one member link goes down in a Multilink (ML) bundle during bidirectional traffic with Multilink Frame Relay (MFR). [PR/445679]

On SRX210 PoE devices, the ATM interface on the G.SHDSL interface does not go down when the interface is disabled through the disable command. [PR/453896]

On SRX100 and SRX200 devices with VDSL2, multiple carrier transitions (three to four) are seen during long-duration traffic testing with the ALU 7302 DSLAM. There is no impact on traffic except for the packet loss after long-duration traffic testing, which is also seen on the vendor CPE. [PR/467912]


On SRX210 devices with VDSL2, the remote-end ping operation fails to go above a packet size of 1480 because packets are dropped for the default MTU, which is 1496 on the interface, while the default MTU of the remote host's Ethernet interface is 1514. [PR/469651]

For Junos OS Release 10.4R5 onwards, the MTU size supported for ATM (ADSL Mini-PIM) with PPPoE enabled (PPPoEoA) is 1472. To interoperate with a Cisco access concentrator (AC) (SRX client and Cisco AC with PPPoE over ATM [PPPoEoA]), you must confirm that the Cisco AC supports an MRU value of 1472. If it does not, you must set an MRU of 1472 on the Cisco AC, because the default value on the Cisco AC is 1492 and other MRU requests from clients might be rejected. [PR/607774]

The IS-IS protocol does not work on VDSL2 interfaces operating in backward-compatible ADSL mode because of insufficient MTU values. IS-IS needs a minimum MTU of 1492. [PR/470888]

Intrusion Detection and Prevention (IDP)

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application-level distributed denial-of-service (application-level DDoS) rulebase (rulebase-ddos) does not support port mapping. If you configure an application other than default, and the application is either a predefined Junos OS application or a custom application that maps an application service to a nonstandard port, application-level DDoS detection does not work. When you configure the application setting as default, IDP uses application identification to detect applications running on standard and nonstandard ports, so application-level DDoS detection works properly. [PR/472522]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when packet-logging functionality is configured with an increased pre-attack configuration parameter value, resource usage increases proportionally and might affect performance. [PR/526155]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, policy push fails when the configured rulebase-exempt does not have any attacks configured. [PR/670592]

IPv6

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, ICMPv6 redirect messages are not initiated in flow mode. [PR/477181]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the input packets and bytes counters show random values, both in the traffic statistics and in the IPv6 transit statistics, when VLAN tagging is added to or removed from an interface with an IPv6 address configured. [PR/477181]

J-Web

On SRX100, SRX210, SRX240, and SRX650 devices, the LED status in the Chassis View is not in sync with the LED status on the device. [PR/397392]

On SRX210 and J4350 devices, avoid logging out of the device on the Troubleshoot > CLI Terminal page, because the logout option on the page is hidden in the CLI. [PR/401772]


On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web, the Generate Report option under Monitor > Event and Alarms opens the report in the same webpage. [PR/433883]

In the J-Web interface, in the OSPF Global Settings table on the OSPF Configuration page, the Global Information table on the BGP Configuration page, or the Add Interface window on the LACP Configuration page, if you try to change the position of columns using drag-and-drop, only the column header moves to the new position instead of the entire column. [PR/465030]

When a large number of static routes is configured and you have navigated to pages other than page 1 in the Route Information table in the J-Web interface (Monitor > Routing > Route Information), changing the Route Table to query other routes refreshes the page but does not return to page 1. For example, if you run a query from page 3 and the new query returns very few results, the Results table continues to display page 3 and shows no results. To view the results, navigate to page 1 manually. [PR/476338]

In the J-Web interface, if you open the configuration pages for class-of-service (CoS) classifiers and drop profiles (Configure > Class of Service > Classifiers and Configure > Class of Service > Drop Profile) and then exit the pages without editing the configuration, no validation messages are displayed and the configuration of the switch proceeds. [PR/495603]

On SRX Series devices, performing a software upload is not possible when using the J-Web interface with Mozilla Firefox version 3.5 and above. As a workaround, use Internet Explorer (IE) or Mozilla Firefox version 3. [PR/500039]

On SRX100, SRX210, SRX240, and SRX650 devices, J-Web shows switching pages in chassis cluster mode, but switching is not supported in chassis cluster mode. [PR/515909]

On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, in J-Web, when you click Point and Click CLI, navigate to any page, and then click the browser's Back button after the page loads, a "web page has expired" error is displayed. [PR/608761]

On SRX650 devices, if password is removed from the authentication-order statement and the external authentication server (TACACS+ or RADIUS) is down, you might not be able to log in to the J-Web interface. [PR/599613]

On SRX5800 devices, the J-Web interface does not work after a Codenomicon test is run on the fxp0 interface. As a workaround, restart the device. [PR/671203]

On SRX210, SRX220, SRX240, and SRX650 devices, in the J-Web interface, if you discard any available MIB profile, file, or predefined object from accounting-options on the Point and Click CLI Configuration page (Configure > CLI Tools > Point and Click CLI), the J-Web session times out. As a workaround, perform the same operation from the CLI. [PR/689261]


Management and Administration

On SRX240 devices, if a timeout occurs during the TFTP installation, booting the existing kernel using the boot command might crash the kernel. Workaround: Use the reboot command from the loader prompt. [PR/431955]

Network Address Translation (NAT)

A source NAT pool (with port translation) with 2000 IP addresses cannot be created successfully on SRX100, SRX210, SRX220, and SRX240 devices. [PR/562353]

In a chassis cluster environment, for source NAT with port no-translation, the configured source-pool IP addresses are divided in half, with each half used exclusively on one node. However, when multiple groups of source-pool IP addresses are configured, the half-division logic does not work properly, and a node can unexpectedly run out of source-pool IP addresses. Workaround: Assign an equal number of IP addresses to each group and use an even number of source-pool groups. [PR/538769]

Unified Threat Management (UTM)

In J-Web, drag-and-drop reverse functionality is not available for UTM pages. [PR/613238]

On SRX100, SRX210, and SRX240 High Memory devices, and on SRX650 devices, the antispam sessions-per-client over-limit option is not supported. [PR/514562]

Virtual Private Network (VPN)

On SRX240 High Memory devices, during a UTM web traffic stress test, some leak of AV scanner contexts is observed on some error pages. [PR/538470]

On SRX5800 devices, an SNMP trap is not generated when a policy-based VPN is down. You must use event-options to generate the log. [PR/674195]


Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
The following are the issues that have been resolved in Junos OS Release 10.4R for Juniper Networks SRX Series Services Gateways and J Series Services Routers. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.

Resolved Issues in Junos OS Release 10.4R8 on page 235
Resolved Issues in Junos OS Release 10.4R7 on page 237
Resolved Issues in Junos OS Release 10.4R6 on page 240
Resolved Issues in Junos OS Release 10.4R5 on page 241
Resolved Issues in Junos OS Release 10.4R4 on page 244
Resolved Issues in Junos OS Release 10.4R3 on page 247
Resolved Issues in Junos OS Release 10.4R2 on page 248
Resolved Issues in Junos OS Release 10.4R1 on page 251

Resolved Issues in Junos OS Release 10.4R8

Chassis Cluster

On SRX650 devices, a chassis cluster takes more than 5 seconds to fail over when the monitored interface flaps. The switch link scan interval was originally set to 4 seconds; it is now set to 0.5 seconds, which speeds up link detection. [PR/664851: This issue has been resolved.]

On SRX650 devices, when a second node is not present in a cluster configuration, any newly provisioned redundancy group gets stuck in the secondary state. [PR/685322: This issue has been resolved.]

Command-Line Interface (CLI)

The output of the show | display set relative command is not working properly at certain hierarchy levels. [PR/545073: This issue has been resolved.]

Flow and Processing

When the security flow traceoption debug session log is executed, it displays irrelevant log entries, as shown in the following sample output:
Jan 25 16:20:52 16:34:08.1231871:CID-02:FPC-05:PIC-01:THREAD_ID-10:RT:Set flag for event SZ
Jan 25 16:20:52 16:34:08.1232776:CID-02:FPC-05:PIC-01:THREAD_ID-10:RT:Set flag for event SZ
Jan 25 16:20:52 16:34:08.1233485:CID-02:FPC-05:PIC-01:THREAD_ID-10:RT:Set flag for event SZ

This is because the SZ flag means that the packet needs to be serialized for processing while the thread is busy processing other packets. [PR/593666: This issue has been resolved.]

On SRX3400 devices, incoming fragmented UDP packets to specific ports cause a core dump in flowd. [PR/597883: This issue has been resolved.]


Junos OS 10.4 Release Notes

On J6350 devices, when there is no valid positive or negative ingress or egress jitter value within the moving average minimum jitter calculation, an incorrect value (for example, 4294967295) was displayed instead of 0. This is a cosmetic issue and does not cause any functional problem. [PR/665477: This issue has been resolved.]

On SRX650 devices, an "Auto-negotiation is mandatory for 1G" message is displayed in the output logs even when auto-negotiation is already enabled. This message is not service impacting but is misleading. [PR/679293: This issue has been resolved.]

On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, an rpd core dump might occur when a secure tunnel interface variable is not initialized properly. [PR/685847: This issue has been resolved.]

On SRX3400 and SRX3600 devices, more than 4 Gbps of EF (ToS 101) queue traffic causes an SPU crash. [PR/686133: This issue has been resolved.]

On SRX240 devices, while processing an interface state change, NSD encountered an error and printed a log message indicating the error type and the interface in question. However, it did not handle that error condition properly and dereferenced a null pointer, which resulted in a crash and core dump generation. [PR/687465: This issue has been resolved.]

On SRX Series devices, when the syn-cookie feature is enabled together with the syn-flood screen and a low timeout value, high-latency TCP sessions may fail to establish. The client sessions receive unresponsive connections because the SRX Series device has timed out the flow for the session. The device also drops subsequent packets from the client because no state is found. The workaround is to increase the timeout value to at least 6 seconds. [PR/692484: This issue has been resolved.]

Interfaces and Routing

On SRX5600 devices, there are issues with GTPv2 support and GTP ISSU failures between Junos OS Release 11.2 and later. [PR/664202: This issue has been resolved.]

On J Series devices, when a certain number of lt-0/0/0 logical units are configured with VLAN encapsulation, not all lt logical interfaces may be activated. This is due to a problem with default system interface MAC address allocation. [PR/680885: This issue has been resolved.]

On SRX3400 devices, a TX lockup of the em0 interface causes the em0 interface to go down and also causes all field-replaceable units (FRUs) to go offline. [PR/685451: This issue has been resolved.]


J-Web

In the J-Web interface, on the Configure page, in the Security > UTM > Web filtering > Global options window, when an option is selected from the drop-down menu and committed, a pop-up appears saying that the selected option is invalid. [PR/613888: This issue has been resolved.]

Hardware

On SRX5800 devices, a hardware error in an SPC card fails to trigger an alarm and results in packet drops. [PR/683212: This issue has been resolved.]

Virtual Private Network (VPN)

On SRX210 and SRX240 devices, dynamic policy insertion does not occur in group VPN (GVPN); as a result, IPsec SAs are not activated. [PR/591860: This issue has been resolved.]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the VPN dead peer detection (DPD) feature is not supported in this release. [PR/683263: This issue has been resolved.]

Resolved Issues in Junos OS Release 10.4R7

Application Layer Gateways (ALG)

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, CPS of RTSP ALG traffic is dropped per SPU. [PR/676053: This issue has been resolved.]

Chassis Cluster

On SRX210, SRX220, SRX240, and SRX650 devices in a chassis cluster, traffic destined to the lo0 interface might be dropped under the following conditions:

A firewall filter that contains port matching is applied in the inbound direction on the lo0 interface

Packets destined to the lo0 interface cross the fabric link

[PR/596009: This issue has been resolved.]

Command-Line Interface (CLI)

On SRX220 devices, the policy name is not displayed in the output of the show security policies from-zone trust to-zone trust policy-name command, even when the policy exists. [PR/608664: This issue has been resolved.]

Dynamic Host Configuration Protocol (DHCP)

On J4350 devices, the DHCP client lease does not contain the expected attributes when the DHCP server renews the static lease to the client. [PR/665084: This issue has been resolved.]

Flow and Processing

If OSPF is used over IPsec, a core dump might be generated after the routing process is restarted. [PR/606272: This issue has been resolved.]

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5000 devices, an SPU might generate a core dump when the vty command show xlr pkt_mbuf use is executed. This command is part of the request support information command. [PR/661284: This issue has been resolved.]

On SRX650 devices, a memory leak might be observed if both sides start negotiation at the same time. [PR/662736: This issue has been resolved.]

On SRX240 devices, when memory is updated with the software multicast next-hop index, the state of the logical aggregate child interface is not taken into account. [PR/668676: This issue has been resolved.]

On SRX210 devices, in packet mode with multicast flows on a single egress interface, reordering did not happen on multithreaded platforms. Changes were made to copy the original POT context to the egressing mbuf so that POT is applied and packets proceed in order. [PR/669046: This issue has been resolved.]

On SRX3400 devices, small packets might be dropped when preserve-trace-order or record-packet-history is enabled in datapath debug. [PR/671900: This issue has been resolved.]

On SRX210 devices, the console displays the following error message:
kern.maxfiles limit exceeded by uid 65534, please see tuning(7).

[PR/674511: This issue has been resolved.]

Interfaces and Routing

On SRX210, SRX240, and J6350 devices, OSPF gets stuck in the init state over the E1/T1 link when interface configurations are changed continuously. [PR/660264: This issue has been resolved.]

On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, VLAN-to-interface disassociation does not work properly. [PR/662942: This issue has been resolved.]


On SRX240 devices, no optical diagnostics are available for the ge interface on the 1x GE High-Performance SFP Mini-PIM PIC. [PR/666315: This issue has been resolved.]

On J2350 devices, vrf-table-label cannot be used with the flexible-ethernet-services encapsulation type. [PR/671286: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the drop and close actions are not working for SSL sessions in integrated mode. [PR/582317: This issue has been resolved.]

J-Web

On SRX Series and J Series devices, in the J-Web interface, deleting configuration using the Configure > CLI Tools > Point and Click option might lead to session expiry. Workaround: Use the CLI to configure the device instead of the CLI Point and Click option. [PR/684532: This issue has been resolved.]

Network Address Translation (NAT)

On SRX3600 devices, during a failover, source NAT allocations using the interface-nat option are higher than before the failover. This happens when using source NAT rules with the source-nat off option, as in Junos OS 10.4R5. [PR/662450: This issue has been resolved.]

Unified Threat Management (UTM)

On SRX650 devices, the antivirus feature might cause forwarding slowness at traffic peaks due to a memory issue related to scanning of SMTP traffic. [PR/610336: This issue has been resolved.]

On SRX210 High Memory devices, an HTTP download connection drops when the file exceeds 2 GB and antivirus is enabled. [PR/668818: This issue has been resolved.]

Virtual Private Network (VPN)

On SRX3600 devices, using groups for VPN configuration causes all VPNs to re-establish when a change occurs to any individual VPN. [PR/595173: This issue has been resolved.]

On SRX210 devices, when the @ character is included in a dynamic hostname, the clear security dynamic-vpn user command returns the following error:
Invalid username or ike id for user xxxx. No entry was cleared.

[PR/608342: This issue has been resolved.]


Resolved Issues in Junos OS Release 10.4R6

Application Layer Gateways (ALGs)

When the MGCP ALG is enabled and MGCP traffic traverses the device, the device might sometimes crash and generate core dumps. [PR/602694: This issue has been resolved.]

Flow and Processing

On J2320 and J6350 devices, port numbers might be displayed incorrectly in syslog session logging. [PR/571259: This issue has been resolved.]

When the anchor interface of a GRE tunnel interface is configured to obtain its IP address from a CX111 and the CX111 is restarted, the GRE tunnel may fail to be created. [PR/605529: This issue has been resolved.]

On SRX3600 devices, SCTP packets are dropped and the following messages are displayed in flow traces:
CID-00:FPC-07:PIC-00:THREAD_ID-30:RT: ge-0/0/0.0:10.222.61.2->10.219.107.228, 132
CID-00:FPC-07:PIC-00:THREAD_ID-30:RT: find flow: table 0x5686b908, hash 46343(0x7ffff), sa 10.222.61.2, da 10.219.107.228, sp 11010, dp 3566, proto 132, tok 6
CID-00:FPC-07:PIC-00:THREAD_ID-30:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 2048
CID-00:FPC-07:PIC-00:THREAD_ID-30:RT: flow_first_create_session
CID-00:FPC-07:PIC-00:THREAD_ID-30:RT:flow_first_create_session: Found invalid sess. Start first path
CID-00:FPC-07:PIC-00:THREAD_ID-30:RT: Allocating plugin info block for 12 plugin(s) from OL
CID-00:FPC-07:PIC-00:THREAD_ID-30:RT: After jsf gate hit. sid 0x4d, pid 8, cookie 0x5b083, jbuf 0xa. rc = 77
CID-00:FPC-07:PIC-00:THREAD_ID-30:RT: packet dropped, denied by gate_hit callback

[PR/601552: This issue has been resolved.]

Hardware

On SRX210 Services Gateway (enhanced) and SRX240 Services Gateway with DC Power Supply devices, the default licenses are not working. [PR/667526: This issue has been resolved.]

Interfaces

On SRX210, SRX220, and SRX240 devices, on an at-x/x/x interface (ADSL, VDSL operating in ATM mode, and SHDSL), the difference between the MTU value on the logical interface and the MTU value on the physical interface had to be exactly 40 bytes. If this was not the case, the IP information was not displayed in the show interfaces command output. [PR/591585: This issue has been resolved.]


E1 LCP links cannot come up after a BERT test. [PR/600846: This issue has been resolved.]

Downloading a large CRL file might fail and cause a memory leak. [PR/614043: This issue has been resolved.]

IPV6

On SRX3600 devices, the self IPv6 traffic is causing flowd_xlr core dump. [PR/667592: This issue has been resolved.]

Network Address Translation (NAT)

Under certain specific circumstances, interface-based source NAT resources would leak. [PR/613300: This issue has been resolved.]

Unified Access Control (UAC)

When authentication-order is set to [radius password], fallback to local authentication fails if two conditions are met: 1. no route to the RADIUS server(s) exists, and 2. a non-default value for the number of retries is configured. [PR/598323: This issue has been resolved.]

Virtual Private Network (VPN)

DSCP-tagged packets coming in from a VPN tunnel are not classified and end up in the default best-effort queue on the egress interface. [PR/664820: This issue has been resolved.]

The SRX210, SRX220, SRX240, and SRX650 devices have two free dynamic VPN user licenses, but the LICENSE_EXPIRED alarm is generated even if fewer than two users connect to the VPN. [PR/661417: This issue has been resolved.]

Resolved Issues in Junos OS Release 10.4R5

Application Layer Gateways (ALGs)

If a TNS packet is very large and fragmented, the SQL ALG might treat the second fragment as a valid TNS packet, which might cause a process error. [PR/587126: This issue has been resolved.]

DNS return packets may be dropped by DNS ALG processing if the DNS reply data is truncated across multiple reply packets. [PR/602425: This issue has been resolved.]

Chassis Cluster

After a failover in a chassis cluster, some IPsec tunnels may be lost. [PR/554066: This issue has been resolved.]

HSL2 link CRC error: an HSL link failure affected all traffic and redundancy. This is a hardware-related issue. [PR/606594: This issue has been resolved.]


Command-line Interface (CLI)

The show security monitoring fpc N command results in incorrect output. [PR/578240: This issue has been resolved.]

Interfaces

On SRX650 devices, the quad T1/E1 sometimes generates a core file while the user is configuring it in T1 mode with traffic sent continuously over the quad T1/E1. [PR/556716: This issue has been resolved.]

On SRX650 devices, pinging with a packet size larger than 26000 fails on an E1 interface without the do-not-fragment option, even if q-pic-large-buffer is configured and the interface is up. [PR/584254: This issue has been resolved.]

The SRX device loses the DHCP IP address provided by a CX111. This issue might be observed when the CX111 gives a /30 IP address where the host part comes out to be 0. A temporary fix internally converts the subnet mask to /31 and applies it on the interface. [PR/586704: This issue has been resolved.]

When more than eight member interfaces are configured as reth members, a kernel crash may occur. [PR/602342: This issue has been resolved.]

The master-only option might delete the backup Routing Engine's fxp0 address. [PR/607837: This issue has been resolved.]

When you configure the set interfaces se-x/y/z serial-options transmit-clock invert command on a J Series Serial PIC or on a Serial Mini-PIM on an SRX device, you might see that the transmit clock is not inverted as configured. [PR/608333: This issue has been resolved.]

IPv6

On J6350 devices, the IPv6 address is not learned in multitopology (MT) IS-IS if the interface is joined to and removed from the IPv6 topology dynamically. [PR/593320: This issue has been resolved.]

Flow and Processing

On J Series devices, ISDN sometimes crashes and generates a core file after frequent reboots or restart FPC <slot_isdn> operations. [PR/580830: This issue has been resolved.]

When an SRX100 non-trunk interface is configured to accept voice VLAN tagged frames, the tagged frames are dropped instead of being processed. [PR/584954: This issue has been resolved.]

On SRX3400 and SRX3600 devices, when the external RADIUS server is down or terminated, the mass of authentication requests could cause authd to generate a core file. [PR/568659: This issue has been resolved.]

If the DHCP client and DHCP server are located in two different routing instances and the SRX device is performing the DHCP relay function, the DHCPOFFER message is not relayed properly. [PR/571662: This issue has been resolved.]

High latency may result when using a CoS queue with MLPPP, if the ML outq scheduler is handling a large volume of traffic. [PR/588041: This issue has been resolved.]


On SRX devices, when changing a filter from a non-simple filter to a simple filter (or vice versa) while keeping the filter name unchanged, dfwd might crash. [PR/582454: This issue has been resolved.]

With the security flow tcp-session rst-sequence-check option enabled, a TCP reset is dropped if it arrives from the client side directly after the TCP SYN, while no SYN-ACK has yet arrived from the server side. [PR/585989: This issue has been resolved.]

On SRX650 devices, too many OLC messages cause all nodes to become inaccessible. [PR/590739: This issue has been resolved.]

A commit warning may appear when configuring a security policy with application-services using a UTM policy for a UTM feature that you do not have a license for. [PR/592594: This issue has been resolved.]

On SRX5600 devices, the BFD session state for host-bound traffic does not change from the init state. [PR/601310: This issue has been resolved.]

On SRX devices, FTP control SYN/ACK retransmissions from server to client are dropped. [PR/605312: This issue has been resolved.]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when transparent mode is configured and there are multiple SPUs, the last fragment of a multicast packet could be dropped. [PR/60884: This issue has been resolved.]

Network Address Translation (NAT)

When performing source NAT, the destination address was acquired from the session but the destination port from the packet; at this stage of the flow, the packet had not yet been modified with the translation performed by destination NAT, which is done at a later stage. The code has been modified to fetch the destination port from the appropriate location. [PR/594001: This issue has been resolved.]

On SRX1400 devices, you had to increase the destination NAT pool from 256 to 4096. [PR/598474: This issue has been resolved.]

On a source NAT implementation that uses a pool defined with two or more IP addresses, the FTP ALG may fail to translate the PORT command correctly. This resulted in FTP sessions hanging on commands that used the ftp-data connection, such as ls, get, put, and so on. The problem did not occur with FTP in passive mode. [PR/606648: This issue has been resolved.]

Unified Threat Management (UTM)

On SRX650 devices, a drop in UTM Web filter Websense performance occurred. [PR/590031: This issue has been resolved.]

On SRX650 devices, idpd and eventd generate core dumps due to a file descriptor leak caused by UTM. [PR/608984: This issue has been resolved.]


Virtual Private Networks (VPNs)

An IKE session was established based upon tunnel endpoints identified by digital certificates that did not match the configuration of the security association. [PR/593848: This issue has been resolved.]

A KMD core file might be generated when an SNMP query is performed on IPsec statistics. [PR/598823: This issue has been resolved.]

Manually clearing the group VPN (GVPN) member IPsec SAs should lead to re-creation of the same IPsec SA by contacting the group VPN server. This functionality is broken. [PR/603076: This issue has been resolved.]

IPsec tunnel ID mapping to VPN name on a chassis cluster may go out of sync if one of the nodes alone is rebooted after deleting or deactivating the IPsec VPN configuration. [PR/606838: This issue has been resolved.]

Resolved Issues in Junos OS Release 10.4R4

Application Layer Gateways (ALGs)

On SRX5800 devices, if a PPTP server used Call ID 0 and the SRX Series device was not using NAT, then the Call ID for the GRE packets was not translated correctly and was ignored by the server. [PR/586702: This issue has been resolved.]

Chassis Cluster

On SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, when only a single node was working and the interface failed, the LAG on the reth interface did not work. [PR/560485: This issue has been resolved.]

On SRX5600 devices, ISSU took additional time when network traffic was heavy. If the ISSU process lasted longer than one hour, it aborted automatically without completing the upgrade. [PR/585873: This issue has been resolved.]

On SRX650 devices, the data plane CPU might reach 100 percent when operating in full-duplex mode. This is because 100 percent of the interface bandwidth is sent over the device. [PR/587128: This issue has been resolved.]

Command-Line Interface (CLI)

On SRX210 High Memory devices, the request and deny CLI commands were seen. [PR/585837: This issue has been resolved.]

Flow and Processing

On SRX Series devices, the show security flow session command did not display aggregate session information. Instead, it displayed sessions on a per-SPU basis. [PR/264439: This issue has been resolved.]

On J Series devices, OSPF over a multipoint interface connected as a hub-and-spoke network did not restart when a new path was found to the same destination. [PR/280771: This issue has been resolved.]


On SRX Series devices, configuring the flow filter with the all flag sometimes resulted in traces that were not related to the configured filter. [PR/304083: This issue has been resolved.]

On an SRX210 onboard Ethernet port, a received IPv6 multicast packet was duplicated at the ingress. This happened only for IPv6 multicast traffic at ingress. [PR/432834: This issue has been resolved.]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, during end-to-end debugging with the jexec event, packet summary trace messages had unknown IP addresses in the packet summary field. [PR/463534: This issue has been resolved.]

On SRX650 devices using policy-based VPN, packet drops were seen with the error "pack dropped, since re-route failed," which caused VPN latency. [PR/578654: This issue has been resolved.]

On SRX240 devices, Junos OS did not respond to ARP-Probe packets to indicate a conflicting IP address or the MAC location of an IP address. [PR/583664: This issue has been resolved.]

On SRX3600 devices, high CPU utilization was observed in the network security process (NSD) when dns-name entries were used in security policies. [PR/585154: This issue has been resolved.]

On SRX650 devices, when the source-address for syslog host traffic was used, device management, including access, failed with the error kern.maxfiles limit until the device was rebooted or the event daemon was restarted. [PR/587133: This issue has been resolved.]

On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when users ran data collection scripts at the UNIX shell prompt, the IOC on SRX5000 line devices or the CPP on SRX3000 line devices generated core files if the file format was Windows (only the UNIX file format is supported). This error could be seen by opening the file with "vi" and noting "^M" at the end of each line. [PR/587195: This issue has been resolved.]

On J4350 devices, in the case of VPLS, when a large amount of bidirectional traffic was sent into the router, clearing routing protocol sessions and LSP sessions at the same time led to a forwarding daemon crash. [PR/588211: This issue has been resolved.]

On J4350 devices, the "Packets forwarded:" counter from the show security flow statistics command did not increment. [PR/588335: This issue has been resolved.]

On SRX5800 devices, when persistent NAT with any remote host and address-mapping through a custom routing instance were used, the return session was dropped. [PR/589093: This issue has been resolved.]

On SRX210 Low Memory devices, authd crashed when the client static xauth IP address was configured between x.x.x.128 and x.x.x.255. [PR/589823: This issue has been resolved.]


Interfaces and Routing

SRX210 devices with a VDSL Mini-PIM failed to synchronize with a Nokia 24-port MSAG. [PR/578803: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

On SRX3400 devices, in an IDP environment with high memory usage, updating a larger policy caused a core dump in flowd. [PR/587103: This issue has been resolved.]

J-Web

On SRX100, SRX210, SRX220, SRX240, SRX650, and J4350 devices, the exact and exact-percent options of transmit-rate and shaping-rate were mutually exclusive options in the CLI, whereas J-Web allowed both to be configured, which resulted in a commit failure. [PR/590153: This issue has been resolved.]

Network Address Translation (NAT)

On SRX650 devices, when users modified the static NAT configuration, traffic failed to match the modified static NAT rule. [PR/576647: This issue has been resolved.]

SRX1400 devices supported only 256 destination NAT pools, which did not match the specification sheet value of 4096. [PR/598474: This issue has been resolved.]

SRX650 devices supported only 256 destination NAT pools, which did not match the specification sheet value of 1024. [PR/599425: This issue has been resolved.]


Security

On SRX Series devices, FTP commands that end in \n instead of \r\n (carriage return, followed by line feed) were dropped by the FTP ALG. [PR/582714: This issue has been resolved.]

VPNs

On SRX5600 devices, an IKE session was established based on tunnel endpoints identified by digital certificates that did not match the configuration of the security association. [PR/593848: This issue has been resolved.]

Resolved Issues in Junos OS Release 10.4R3

Chassis Cluster

On SRX650 devices, in chassis cluster configuration mode, the Web management session limit feature did not work. [PR/573638: This issue has been resolved.]

Dynamic VPN

On SRX650 devices, dynamic VPN access through the Junos Pulse client prompted for the xauth credentials multiple times in a NAT environment. [PR/580920: This issue has been resolved.]

Flow and Processing

On SRX3400 devices, packets were dropped because of a memory leak in the SPU. [PR/574089: This issue has been resolved.]

On SRX3600 devices, dead peer detection (DPD) did not work. [PR/577249: This issue has been resolved.]

Interfaces and Routing

On SRX5600 devices, when users defined an application-set without a defined application, the commit error was not descriptive. It displayed only "configuration check-out failed". [PR/536774: This issue has been resolved.]

On SRX220 devices, after multiple reboots or restart forwarding operations, a link might remain in a hard down state. [PR/556389: This issue has been resolved.]

On SRX220 devices, when oversubscribed traffic was sent through the gr interface (after tunnel queuing had been enabled and the shaper had been configured), there was an increase in tail-dropped packets at the egress of the gr interface. As a result, the output packet rate at the egress of the gr interface was much lower than the shaper rate. [PR/559378: This issue has been resolved.]

On SRX1400 devices, no alarm indication was available if a power supply was not functioning normally. The system created log messages in /var/log/chassisd to indicate the power supply failure conditions. [PR/566210: This issue has been resolved.]


On SRX3600 devices, mounting a destination without NFS caused incorrect RPC port mapping, and new sessions mapped to that destination failed. [PR/581933: This issue has been resolved.]

On SRX650 devices, when a 2-Port 10-Gigabit Ethernet XPIM was used, the 10-Gigabit Ethernet interface did not initialize. [PR/582199: This issue has been resolved.]

License

On SRX650 devices, licenses were not released after a sudden loss of connection, for example, a client PC reboot. [PR/576138: This issue has been resolved.]

Virtual LANs (VLANs)

On SRX220 High Memory devices, when you used proxy-arp on the VLAN.X interface, the device did not respond to the ARP request. [PR/576428: This issue has been resolved.]

Resolved Issues in Junos OS Release 10.4R2

Application Layer Gateways (ALGs)

On J4350 devices in a NAT-PT environment, when the client was in an IPv6 environment and the DNS server was in an IPv4 environment, the DNS server had only the IPv4 address record. When the client looked up the IPv6 address of the record in the DNS server, DUT performed NAT-PT on the DNS ALG. When the client executed the lookup action several times, a core file error was returned. [PR/533345: This issue has been resolved.]

Chassis Cluster

On SRX5600 and SRX5800 devices, the IOC card reset unexpectedly when the monitored IP addresses under the chassis cluster IP-monitoring configuration were deleted. In addition, the monitored IP address was not deleted from the data plane when it was specified without the secondary interface. [PR/557687: This issue has been resolved.]

On SRX3600 devices, RG failover to node0 failed because the FPCs went offline during the failover. [PR/563391: This issue has been resolved.]

On SRX3600 devices, RG0 failovers caused interface flapping when LACP was used on reth interfaces. [PR/565617: This issue has been resolved.]

On SRX100, SRX210, and SRX650 devices in a chassis cluster, when the control link goes down, it clears the fabric link status, resulting in the nodes entering a primary-primary situation. [PR/571440]


Dual-Stack Lite

On SRX5600 devices, with heavy DS Lite traffic, flowd stopped responding with flow table corruption because of a function related to flow table operation (for example, flow_table_find_flow_v6). [PR/548790: This issue has been resolved.]

Flow and Processing

On SRX210 High Memory devices, the error message JMDX: Thread timed out waiting for smi write was displayed continuously. [PR/536586: This issue has been resolved.]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices under high traffic load, some FTP and TFTP control sessions did not time out even two hours after the traffic was stopped. [PR/548250: This issue has been resolved.]

On SRX5800 devices, TCP out-of-order packets occurred with the SRX Series device acting as a GRE pass-through device. [PR/558923: This issue has been resolved.]

Integrated Convergence Services

On SRX240 devices with Integrated Convergence Services running in survivable mode, if two SIP stations were in a call and if either of the SIP stations made an attempt to park the call by dialing the parking number 7000, the call was not parked. [PR/505240: This issue has been resolved.]

Interfaces and Routing

On SRX210 devices, the modem moved to the dial-out pending state while connecting or disconnecting the call. [PR/454996: This issue has been resolved.]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug counter command gave error messages from the secondary node. [PR/477017: This issue has been resolved.]

On all SRX Series devices, the destination and destination-profile options for address and unnumbered-address within family inet and inet6 could be specified within a dynamic profile but were not supported. [PR/493279: This issue has been resolved.]

On SRX240 and SRX650 devices, IGMP reports were flooded on all ports that were part of the same multicast group instead of being sent only on the router interface. [PR/546444: This issue has been resolved.]

On SRX650 devices, IGMP snooping did not work in q-in-q mode on a trunk port when the Ethernet type was set to any value other than 0x8100. [PR/554992: This issue has been resolved.]

On SRX100 devices, the maximum MTU that could be configured on the Fast Ethernet interface was 1624. Also, MTU configuration from J-Web was not recommended if you were running Junos OS Release 10.1 or 10.2. [PR/566592: This issue has been resolved.]

On SRX5800 devices, under certain circumstances, the zone screening setting was not applied properly. [PR/569678: This issue has been resolved.]

Copyright 2011, Juniper Networks, Inc.


Junos OS 10.4 Release Notes

Intrusion Detection and Prevention (IDP)

On SRX210 High Memory and SRX240 High Memory devices, IDP scaling drop occurred. [PR/525732: This issue has been resolved.]

On SRX240 High Memory devices, with the IDP policy template, the policy load failed while changing the active policy from the recommended option to the IDP_Default policy. This was because there was not enough memory for IDP to load the IDP_Default policy. [PR/539486: This issue has been resolved.]

J-Web

On SRX100 devices, in J-Web, users could configure the scheduler without entering any stop date. The device submitted the scheduler successfully, but the submitted value was not displayed on the screen or saved in the device. [PR/439636: This issue has been resolved.]

On J2350 and SRX210 High Memory devices, you could not use the Move/edit button to move the IPS rule on the IDP policy page. [PR/499499: This issue has been resolved.]

On SRX Series and J Series devices, in the J-Web interface, the Move/edit button did not work for the exempt rulebase on the IDP Policy configuration page. [PR/503451: This issue has been resolved.]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web, when you tried to commit a candidate configuration in the CLI using the Point and Click CLI, an error was displayed on the configuration page. [PR/514771: This issue has been resolved.]

On SRX220 devices, you could not edit the physical properties of a LAN interface in J-Web without entering the MAC address. [PR/519818: This issue has been resolved.]

On SRX Series and J Series devices, the user was unable to configure an IPS-Exempt rule with attacks only; J-Web forced the user to select the address and zones. [PR/522197: This issue has been resolved.]

On SRX100, SRX210, and SRX240 devices, in J-Web, the resource utilization widget did not load any data on the dashboard page when using Firefox 3.0. [PR/564165: This issue has been resolved.]


Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

Unified Threat Management (UTM)

On SRX100 High Memory devices, when you used antispam and antivirus in the same UTM policy, spam e-mail was not tagged correctly. [PR/575296: This issue has been resolved.]

Virtual LANs (VLANs)

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the IRB (VLAN) interface could not be used as the underlying interface for Point-to-Point Protocol over Ethernet (PPPoE). [PR/528624: This issue has been resolved.]

VPNs

SRX5800 devices in Layer 2 transparent mode did not allow IPsec pass-through VPNs to build. [PR/566160: This issue has been resolved.]

Resolved Issues in Junos OS Release 10.4R1

Application Layer Gateways (ALGs)

On J4350 devices in a NAT-PT environment, when the client was in an IPv6 environment and the DNS server was in an IPv4 environment, the DNS server had only the IPv4 address record. When the client looked up the IPv6 address of the record in the DNS server, DUT performed NAT-PT on the DNS ALG. When the client executed the lookup action several times, a core file error was returned. [PR/533345: This issue has been resolved.]

Chassis Cluster

On SRX5600 and SRX5800 devices, the IOC card reset unexpectedly when the monitored IP addresses under the chassis cluster IP-monitoring configuration were deleted. In addition, the monitored IP address was not deleted from the data plane when it was specified without a secondary interface. [PR/557687: This issue has been resolved.]

On SRX3600 devices, RG failover to Node0 failed because the FPCs went offline during the failover. [PR/563391: This issue has been resolved.]

On SRX3600 devices, RG0 failovers caused interface flapping when LACP was used on reth interfaces. [PR/565617: This issue has been resolved.]

Dual-Stack Lite

On SRX5600 devices, with heavy DS Lite traffic, flowd stopped responding with flow table corruption because of a function related to flow table operation (for example, flow_table_find_flow_v6). [PR/548790: This issue has been resolved.]

Flow and Processing

On SRX210 High Memory devices, the error message JMDX: Thread timed out waiting for smi write was continuously displayed. [PR/536586: This issue has been resolved.]


On SRX3400, SRX3600, SRX5600, and SRX5800 devices under high traffic load, some FTP and TFTP control sessions did not time out even two hours after the traffic had stopped. [PR/548250: This issue has been resolved.]

On SRX5800 devices, TCP out-of-order packets occurred with the SRX Series device acting as a GRE pass-through device. [PR/558923: This issue has been resolved.]

Integrated Convergence Services

On SRX240 devices with Integrated Convergence Services running in survivable mode, if two SIP stations were in a call and if either of the SIP stations made an attempt to park the call by dialing the parking number 7000, the call was not parked. [PR/505240: This issue has been resolved.]

Interfaces and Routing

On SRX210 devices, the modem moved to the dial-out pending state while connecting or disconnecting the call. [PR/454996: This issue has been resolved.]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug counter command returned error messages from the secondary node. [PR/477017: This issue has been resolved.]

On all SRX Series devices, the destination and destination-profile options for address and unnumbered-address within family inet and inet6 could be specified within a dynamic profile but were not supported. [PR/493279: This issue has been resolved.]

On SRX240 and SRX650 devices, IGMP reports were flooded on all ports that were part of the same multicast group instead of being sent only on the router interface. [PR/546444: This issue has been resolved.]

On SRX650 devices, IGMP snooping did not work in q-in-q mode on a trunk port when the Ethernet type was set to any value other than 0x8100. [PR/554992: This issue has been resolved.]

On SRX100 devices, the maximum MTU that could be configured on the Fast Ethernet interface was 1624. Also, MTU configuration from J-Web was not recommended if you were running Junos OS Release 10.1 or 10.2. [PR/566592: This issue has been resolved.]

On SRX5800 devices, under certain circumstances, the zone screen settings were not applied properly. [PR/569678: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

On SRX210 High Memory and SRX240 High Memory devices, IDP scaling drop occurred. [PR/525732: This issue has been resolved.]

On SRX240 High Memory devices, with the IDP policy template, the policy load failed while changing the active policy from the recommended option to the IDP_Default policy. This was because there was not enough memory for IDP to load the IDP_Default policy. [PR/539486: This issue has been resolved.]


J-Web

On SRX100 devices, in J-Web, users could configure the scheduler without entering any stop date. The device submitted the scheduler successfully, but the submitted value was not displayed on the screen or saved in the device. [PR/439636: This issue has been resolved.]

On J2350 and SRX210 High Memory devices, you could not use the Move/edit button to move the IPS rule on the IDP policy page. [PR/499499: This issue has been resolved.]

On SRX Series and J Series devices, in the J-Web interface, the Move/edit button did not work for the exempt rulebase on the IDP Policy configuration page. [PR/503451: This issue has been resolved.]

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in the J-Web interface, when you tried to commit a candidate configuration in the CLI using the Point and Click CLI, an error was displayed on the configuration page. [PR/514771: This issue has been resolved.]

On SRX220 devices, you could not edit the physical properties of a LAN interface in J-Web without entering the MAC address. [PR/519818: This issue has been resolved.]

On SRX Series and J Series devices, the user was unable to configure an IPS-Exempt rule with attacks only; J-Web forced the user to select the address and zones. [PR/522197: This issue has been resolved.]

On SRX100, SRX210, and SRX240 devices, in J-Web, the resource utilization widget did not load any data on the dashboard page when using Firefox 3.0. [PR/564165: This issue has been resolved.]

Unified Threat Management (UTM)

On SRX100 High Memory devices, when antispam and antivirus were used in the same UTM policy, spam e-mail was not tagged correctly. [PR/575296: This issue has been resolved.]

Virtual LANs (VLANs)

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the IRB (VLAN) interface could not be used as the underlying interface for Point-to-Point Protocol over Ethernet (PPPoE). [PR/528624: This issue has been resolved.]

VPNs

SRX5800 devices in Layer 2 transparent mode did not allow IPsec pass-through VPNs to build. [PR/566160: This issue has been resolved.]

Related Documentation

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 154

Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 213


Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 254

Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
Changes to the Junos OS Documentation Set
This section lists changes in the documentation.

Single Commit on J-Web

The following information pertains to SRX Series devices:

For all J-Web procedures, follow these instructions to commit a configuration:


If Commit Preference is Validate and commit configuration changes, click OK.

If Commit Preference is Validate configuration changes, click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.

J-Web Online Help

Previously, J-Web online Help instructions were available both in the Help and in the administration and configuration guides. These topics have been removed from the guides and are now available only in the online Help.

Errata for the Junos OS Documentation


This section lists outstanding issues with the software documentation.

Various Guides

Various user documents contain information about Integrated Convergence Services, but this feature is no longer supported.

Feature Support Reference

Row three of Table 17: Ethernet Link Aggregation Support in the Junos OS Feature Support Reference for SRX Series and J Series Devices incorrectly indicates that link aggregation in chassis cluster mode is not supported on the SRX650 device. Link aggregation in chassis cluster mode is supported on the SRX650 device as of Junos OS Release 10.3. For SRX200 devices, the following support information is missing from the Junos OS Feature Support Reference for SRX Series and J Series Devices:

Table 13: Chassis Cluster Support (SRX220 Support)

Active/active chassis cluster (that is, cross-box data forwarding over the fabric interface): Yes
Application Layer Gateways (ALGs): Yes
Chassis cluster formation: Yes
Control plane failover: Yes
Dampening time between back-to-back redundancy group failovers: Yes
Data plane failover: Yes
Dual control links: No
Dual fabric links: Yes
Junos OS flow-based routing functionality: Yes
Low-impact cluster upgrade (ISSU light): No
Multicast routing: Yes
Redundancy group 0 (backup for Routing Engine): Yes
Redundancy groups 1 through 128: Yes
Redundant Ethernet interfaces: Yes
Redundant Ethernet interface link aggregation groups (LAGs): No
Upstream device IP address monitoring: No
Upstream device IP address monitoring on a backup interface: No

Table 14: IPv6 Support (SRX220 Support)

Security policy (IDP): Yes

Table 15: PoE Support (SRX220 Support)

IEEE 802.3at standard: Yes
IEEE legacy SRX210 and SRX240 only (pre-standards): Yes


Table 16: Routing Support (SRX220 Support)

Internet Group Management Protocol (IGMP): Yes

Table 17: Wireless LAN Support (SRX220 Support)

Wireless LAN: Yes
AX411 Access Point clustering: Yes

Enterprise-Specific MIBs and Traps Guides

The SRX100, SRX210, SRX220, SRX240, and SRX650 Services Gateways MIB Reference, the SRX1400, SRX3400, and SRX3600 Services Gateways MIB Reference, and the SRX5600 and SRX5800 Services Gateways MIB Reference incorrectly state the download locations of the Real-Time Media (RTM) and SIP Common MIBs. The correct URLs are as follows:

RTM MIB: http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/mibs/mib-jnx-rtm.txt

SIP Common MIB: http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/mibs/mib-jnx-sipcommon.txt

Junos OS Administration Guide for Security Devices

In Chapter 13, Performing Software Upgrades and Reboots for the SRX Series Services Gateways, of the Junos OS Administration Guide for Security Devices, the word "install" was duplicated. It has been corrected.

Chapter 14, Performing Software Upgrades and Reboots for the J Series Services Routers, of the Junos OS Administration Guide for Security Devices incorrectly states that the request system snapshot option is supported on devices with a 256 MB compact flash. The request system snapshot option requires a compact flash of at least 512 MB.

Junos OS CLI Reference

The Junos OS CLI Reference incorrectly specifies the IPsec proposal options in proposal-set (IPsec) section. The IPsec proposals should be as follows:

basic: nopfs-esp-des-sha and nopfs-esp-des-md5

compatible: nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5

standard: g2-esp-3des-sha and g2-esp-aes128-sha

The request system software in-service-upgrade section of the Junos OS CLI Reference incorrectly describes support for the no-old-master-upgrade option. The no-old-master-upgrade option is not supported.

The Junos OS CLI Reference is missing information about the operational CLI command show security resource-manager summary, which displays summary information about active resources, clients, groups, and sessions created through the resource manager.

user@host> show security resource-manager summary
Active resource-manager clients   : 15
Active resource-manager groups    : 1
Active resource-manager resources : 1
Active resource-manager sessions  : 0

The Junos OS CLI Reference incorrectly shows the show security idp status and clear security idp status logs. The logs should be as follows:

Correct show security idp status log

user@host> show security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:15:02 ago)
Packets/second: 5 Peak: 11 @ 2010-02-05 06:51:58 UTC
KBits/second : 2 Peak: 5 @ 2010-02-05 06:52:06 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics:
[ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : sample
Running Detector Version : 10.4.160091104

Correct clear security idp status log

user@host> clear security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:13:45 ago)
Packets/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
KBits/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name: sample
Running Detector Version: 10.4.160091104
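As an added example (not part of the release notes or of Juniper's tooling), the following Python parses the show security idp status output documented above into typed fields and derives the findings a monitoring job would raise, such as an unexpected active policy or an out-of-date detector; the sample text is a constructed copy of the output above, and the expected policy and minimum detector version are assumptions for the check.

```python
import re

# Constructed sample: the corrected "show security idp status" output from
# the errata above, captured as a string so the parser runs offline.
SAMPLE_IDP_STATUS = """\
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:15:02 ago)
Packets/second: 5 Peak: 11 @ 2010-02-05 06:51:58 UTC
KBits/second : 2 Peak: 5 @ 2010-02-05 06:52:06 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics:
[ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : sample
Running Detector Version : 10.4.160091104
"""

# "[name: value]" pairs, used by the latency, packet and session lines.
_BRACKET = re.compile(r"\[(\w+):\s*(\d+)\]")
# Per-protocol flow line: "TCP: [Current: 2] [Max: 6 @ <timestamp>]".
_FLOW = re.compile(
    r"^(ICMP|TCP|UDP|Other):\s*\[Current:\s*(\d+)\]\s*\[Max:\s*(\d+)\s*@\s*(.+?)\]$"
)
_STATE = re.compile(r"^State of IDP:\s*(\S+),\s*Up since:\s*(.+?)\s*\((.+?) ago\)$")
_RATE = re.compile(r"^(Packets|KBits)/second\s*:\s*(\d+)\s*Peak:\s*(\d+)")


def parse_idp_status(text):
    """Turn show security idp status output into a dict of typed fields."""
    result = {"packets": {}, "flows": {}, "sessions": {}}
    section = None  # which "... Statistics:" block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _STATE.match(line)):
            result["state"], result["up_since"], result["uptime"] = m.groups()
        elif (m := _RATE.match(line)):
            key = "pps" if m.group(1) == "Packets" else "kbps"
            result[key], result[key + "_peak"] = int(m.group(2)), int(m.group(3))
        elif line.startswith("Latency"):
            result["latency_us"] = {k: int(v) for k, v in _BRACKET.findall(line)}
        elif line.endswith("Statistics:"):
            section = line.split()[0].lower()  # packet / flow / session
        elif line.startswith("Policy Name"):
            result["policy"] = line.split(":", 1)[1].strip()
        elif line.startswith("Running Detector Version"):
            result["detector_version"] = line.split(":", 1)[1].strip()
        elif section == "flow" and (m := _FLOW.match(line)):
            proto, cur, mx, at = m.groups()
            result["flows"][proto] = {"current": int(cur), "max": int(mx), "max_at": at}
        elif section in ("packet", "session") and line.startswith("["):
            result[section + "s"] = {k: int(v) for k, v in _BRACKET.findall(line)}
    return result


def _version_tuple(version):
    # Detector versions compare numerically field by field (e.g. 10.4.160091104).
    return tuple(int(part) for part in version.split("."))


def idp_findings(status, expected_policy, min_detector_version):
    """Return the findings a monitoring job would raise; an empty list means the
    IDP engine is running the expected policy and a recent enough detector.
    The expected policy and minimum version are the caller's assumptions."""
    findings = []
    if status.get("policy") != expected_policy:
        findings.append("active policy %r, expected %r"
                        % (status.get("policy"), expected_policy))
    if _version_tuple(status["detector_version"]) < _version_tuple(min_detector_version):
        findings.append("detector %s is older than required %s"
                        % (status["detector_version"], min_detector_version))
    return findings
```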


The Junos OS CLI Reference states that the maximum timeout range for an IDP policy is 0 through 65,535 seconds, whereas the ip-action timeout range has been modified to 0 through 64,800 seconds.

The Junos OS CLI Reference is missing information about the new CLI option download-timeout, which has been introduced as set security idp security-package automatic download-timeout <value> to configure the download timeout in minutes. The default value for download-timeout is one minute. If the download completes before the timeout expires, the signature is automatically updated after the download. If the download takes longer than the configured period, the automatic signature update is aborted.

user@host# set security idp security-package automatic download-timeout ?
Possible completions:
  <download-timeout>   Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout

Range: 1 through 60 minutes
Default: 1 minute

On SRX Series devices, the request services application-identification download status command output has changed. The output now includes more information on the download status as well as the install status of the package.

request services application-identification download status

user@host> request services application-identification download status
Start to download application package: 1608.
Downloading application package: 1608.
Parsing /var/db/appid/sec-download/manifest.xml.
Fetching/Uncompressing the application package files succeed.
Commit /var/db/appid/sec-download/predefined.xml.
Application package 1608 is installed successfully.

On SRX Series devices, the show chassis cluster control-plane statistics and show chassis cluster statistics command outputs have changed. The outputs now include the number of heartbeat and probe errors.

show chassis cluster control-plane statistics

user@host> show chassis cluster control-plane statistics
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 11646
        Heartbeat packets received: 8343
        Heartbeat packet errors: 0
Fabric link statistics:
    Probes sent: 11644
    Probes received: 8266
    Probe errors: 0
Switch fabric link statistics:
    Probe state : DOWN
    Probes sent: 8145
    Probes received: 8013
    Probe recv errors: 0
    Probe send errors: 0

show chassis cluster statistics

user@host> show chassis cluster statistics
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 798
        Heartbeat packets received: 784
        Heartbeat packets errors: 0
Fabric link statistics:
    Probes sent: 793
    Probes received: 0
    Probe errors: 0
Services Synchronized:
    Service name                          RTOs sent    RTOs received
    Translation context                   0            0
    Incoming NAT                          0            0
    Resource manager                      0            0
    Session create                        0            0
    Session close                         0            0
    Session change                        0            0
    Gate create                           0            0
    Session ageout refresh requests       0            0
    Session ageout refresh replies        0            0
    IPsec VPN                             0            0
    Firewall user authentication          0            0
    MGCP ALG                              0            0
    H323 ALG                              0            0
    SIP ALG                               0            0
    SCCP ALG                              0            0
    PPTP ALG                              0            0
    RTSP ALG                              0            0
    MAC address learning                  0            0
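As an added example (not from the release notes or from Juniper), the following Python reads the show chassis cluster control-plane statistics output above, nests the counters under their link sections, and turns the newly documented heartbeat and probe error fields into findings for a cluster health check; the sample is a constructed copy of the output above, and the heartbeat loss threshold is an assumption for this example, not a Juniper default.

```python
import re

# Constructed sample: the "show chassis cluster control-plane statistics"
# output from the errata above, including the newly documented error counters.
SAMPLE_CONTROL_PLANE_STATS = """\
Control link statistics:
    Control link 0:
        Heartbeat packets sent: 11646
        Heartbeat packets received: 8343
        Heartbeat packet errors: 0
Fabric link statistics:
    Probes sent: 11644
    Probes received: 8266
    Probe errors: 0
Switch fabric link statistics:
    Probe state : DOWN
    Probes sent: 8145
    Probes received: 8013
    Probe recv errors: 0
    Probe send errors: 0
"""

# A counter line: "name : value" where the value is a number or a state word.
_COUNTER = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)$")


def parse_cluster_stats(text):
    """Nest counters under their section (unindented 'X:' line) and, where
    present, sub-section (indented 'X:' line such as 'Control link 0:')."""
    sections = {}
    section = sub = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            if raw[0].isspace():
                sub = line[:-1]
                sections[section][sub] = {}
            else:
                section, sub = line[:-1], None
                sections[section] = {}
            continue
        m = _COUNTER.match(line)
        if m is None:
            continue
        name, value = m.group(1), m.group(2)
        target = sections[section][sub] if sub else sections[section]
        target[name] = int(value) if value.isdigit() else value
    return sections


def cluster_link_findings(stats, max_heartbeat_loss=0.5):
    """Findings from the heartbeat/probe error counters; the heartbeat loss
    ratio threshold is an assumption for this example, not a Juniper default."""
    findings = []
    for link, c in stats.get("Control link statistics", {}).items():
        # Both spellings appear in the two command outputs above.
        if c.get("Heartbeat packet errors", 0) or c.get("Heartbeat packets errors", 0):
            findings.append("%s: heartbeat packet errors" % link)
        sent = c.get("Heartbeat packets sent", 0)
        received = c.get("Heartbeat packets received", 0)
        if sent and (sent - received) / sent > max_heartbeat_loss:
            findings.append("%s: heartbeat loss %.0f%%"
                            % (link, 100.0 * (sent - received) / sent))
    if stats.get("Fabric link statistics", {}).get("Probe errors", 0):
        findings.append("fabric link: probe errors")
    swfab = stats.get("Switch fabric link statistics", {})
    if swfab.get("Probe state") == "DOWN":
        findings.append("switch fabric link: probe state DOWN")
    if swfab.get("Probe recv errors", 0) or swfab.get("Probe send errors", 0):
        findings.append("switch fabric link: probe errors")
    return findings
```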


Junos OS Routing Protocols and Policies Configuration Guide for Security Devices

The Junos OS Routing Protocols and Policies Configuration Guide is missing information on the behavior of policy match for "tag/tag2" for matching against the OSPF area ID for the route.

Junos OS Interfaces Configuration Guide for Security Devices

The ADSL2+ and ADSL2+ Annex M upstream values given in the Junos OS Interfaces Configuration Guide for Security Devices are displayed incorrectly. The correct values are as follows:

Table 18: Standard Bandwidths of DSL Operating Modes (Upstream Values)

ADSL2+: 11.5 Mbps
ADSL2+ Annex M: 2.53 Mbps

Junos Software Migration Guide for J Series Services Routers

The "Renaming and Uploading the New JUNOS Software with Enhanced Services Configuration File" section of the Junos Software Migration Guide incorrectly states that the new backup directory to move the existing configuration files to is root@host% mv /config/backup/juniper.conf* /config/backup. The correct new backup directory to move the existing configuration files to is root@host% mv /config/juniper.conf* /config/backup.

J-Web

J-Web security package update Help page: The J-Web Security Package Update Help page does not contain information about download status.

J-Web pages for stateless firewall filters: There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure>Security>Firewall Filters, then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring filters, select Assign to Interfaces to assign your configured filters to interfaces.

There is no documentation describing the J-Web pages for media gateways. To find these pages in J-Web, go to Monitor>Media Gateway.

J-Web configuration instructions: Because of ongoing J-Web interface enhancements, some of the J-Web configuration example instructions in the Junos OS administration and configuration guides became obsolete and were removed. For examples that are missing J-Web instructions, use the provided CLI instructions.


Junos OS Security Configuration Guide

The Guarding Against Service Failure in a Chassis Cluster ISSU section of the Junos OS Security Configuration Guide incorrectly describes support for the no-old-master-upgrade option with the ISSU command. The no-old-master-upgrade option is not supported.

The Junos OS Security Configuration Guide incorrectly states that the release supports security chains, which validate a certificate path upward through eight levels of CAs in the PKI hierarchy. The release does not support security chains.

The Example: Manually Generating Self-Signed Certificates (CLI) section of the Junos OS Security Configuration Guide, published with Junos OS Release 10.1, contains an incorrect character. In the example, the # character preceding the request command should be a > character.

The Junos OS Security Configuration Guide contains outdated information about NSM support for IPv6. Consult the NSM release notes for version compatibility, required schema updates, and up-to-date support information.

The Limitations of Chassis Clustering section of the Junos OS Security Configuration Guide erroneously includes the following item in the list of features not supported when chassis clustering is enabled on the device (for any function that depends on the configurable interfaces pd-0/0/0, pe-0/0/0, and mt-0/0/0): All multicast protocols. Multicast protocols are supported in chassis clustering for all SRX Series and J Series devices. J Series devices support pd and pe interfaces, and SRX Series devices support ppd and ppe interfaces. For all devices, the mt interface is not relevant to chassis cluster deployments.

ALG configuration examples in the Junos OS Security Configuration Guide incorrectly show policy-based NAT configurations. NAT configurations are now rule-based.

The Junos OS Security Configuration Guide does not state that custom attacks and custom attack groups in IDP policies can now be configured and installed even when a valid license and signature database are not installed on the device.

The Verifying the Policy Compilation and Load Status section of the Junos OS Security Configuration Guide is missing an empty line before the IDPD Trace file heading in the second sample output.

The Junos OS Security Configuration Guide states that the following aggressive aging statements are supported on all SRX Series devices, when in fact they are not supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices:

[edit security flow aging early-ageout]
[edit security flow aging high-watermark]
[edit security flow aging low-watermark]

The Junos OS Security Configuration Guide states that the maximum acceptable timeout range for an IDP policy is 0 through 65,535 seconds, whereas the ip-action timeout range has been modified to 0 through 64,800 seconds.


The Junos OS Security Configuration Guide is missing information about the new CLI option download-timeout, which has been introduced as set security idp security-package automatic download-timeout <value> to configure the download timeout in minutes. The default value for download-timeout is one minute. If the download completes before the timeout expires, the signature is automatically updated after the download. If the download takes longer than the configured period, the automatic signature update is aborted.

user@host# set security idp security-package automatic download-timeout ?
Possible completions:
  <download-timeout>   Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout

Range: 1 through 60 seconds
Default: 1 second

The Junos OS Security Configuration Guide states the following limitation in the Limitations of IDP section: On SRX Series and J Series devices, IP actions do not work when you select a timeout value greater than 65,535 in the IDP policy. This issue has been fixed and is no longer a limitation.

The Junos OS Security Configuration Guide incorrectly states the following limitation in the Limitations of IDP section: On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions supported is 16,000. The correct information is as follows: The maximum number of IDP sessions supported is 1600 on SRX210 devices, 32,000 on SRX240 devices, and 128,000 on SRX650 devices.

When specifying a forwarding target after authentication on a captive portal, use the ?target= option followed by either the %dest-url% variable or a specific URL. The %dest-url% variable forwards authenticated users to the protected resource they originally specified. A URL forwards authenticated users to a specific site. Note that when entering a URL with the ?target= option, you must substitute escape characters for any special characters in the URL. Use the following escape characters for these common special characters:

Replace : with %3A
Replace / with %2F
Replace - with %2D
Replace . with %2E

In the section Example: Configuring a Redirect URL for Captive Portal (CLI) in the Junos OS Security Configuration Guide, the procedure description states that, after authentication, users will be forwarded to the specified URL. Step 2 of the configuration procedure, however, is incorrect. This command would forward users to my-website.com before authentication, not after. To redirect users after authentication, the command must include:

The IP address of the Infranet Controller to be used for authentication

The ?target= option and URL to distinguish a forwarding address to be used after authentication

Escape characters substituted for any special characters in the URL name

The following text in Step 2 is incorrect:


[edit services unified-access-control]
user@host# set captive-portal my-captive-portal-policy redirect-url https://my-website.com

The correct text for Step 2 is as follows:


[edit services unified-access-control]
user@host# set captive-portal my-captive-portal-policy redirect-url https://192.168.0.100/?target=my%2Dwebsite%2Ecom
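As an added example (not from the release notes or from Juniper), the following Python builds the corrected redirect-url from its parts, applying exactly the four escape substitutions listed above, and checks a candidate redirect-url against the three requirements for post-authentication forwarding; the Infranet Controller address 192.168.0.100 and the target my-website.com are taken from the corrected Step 2, and the function names are this example's own.

```python
from urllib.parse import urlsplit

# The four substitutions the errata lists for the ?target= value. Only these
# characters are replaced, deliberately, so the output matches the corrected
# Step 2 rather than a generic URL encoder.
_TARGET_ESCAPES = {":": "%3A", "/": "%2F", "-": "%2D", ".": "%2E"}
DEST_URL_VARIABLE = "%dest-url%"  # expanded by the device, so never escaped


def escape_target(target):
    """Escape a literal forwarding URL for use after ?target=."""
    return "".join(_TARGET_ESCAPES.get(ch, ch) for ch in target)


def build_redirect_url(ic_address, target=DEST_URL_VARIABLE):
    """redirect-url value: the Infranet Controller address, then ?target=
    carrying either the %dest-url% variable or an escaped literal URL."""
    value = target if target == DEST_URL_VARIABLE else escape_target(target)
    return "https://%s/?target=%s" % (ic_address, value)


def captive_portal_command(policy_name, ic_address, target=DEST_URL_VARIABLE):
    """The set statement for Step 2, assembled from its parts."""
    return "set captive-portal %s redirect-url %s" % (
        policy_name, build_redirect_url(ic_address, target))


def check_redirect_url(redirect_url, ic_address):
    """Return the ways a redirect-url fails the three requirements above
    (empty list = users reach the IC first and are forwarded afterwards)."""
    problems = []
    parts = urlsplit(redirect_url)
    if parts.hostname != ic_address:
        problems.append("redirect-url does not point at the Infranet Controller")
    target = None
    for pair in parts.query.split("&"):
        if pair.startswith("target="):
            target = pair[len("target="):]
    if target is None:
        problems.append("no ?target= option, so users are forwarded before authentication")
    elif target != DEST_URL_VARIABLE and any(ch in target for ch in _TARGET_ESCAPES):
        problems.append("target contains unescaped special characters")
    return problems
```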

In Chapter 9, "Understanding ALG Types," of the Junos OS Security Configuration Guide, an incorrect statement about configuring FTP_NO_GET and FTP_NO_PUT in the FTP ALG has been removed.

In Chapter 38, "Reconnaissance Deterrence," of the Junos OS Security Configuration Guide, the graphics showed the SYN check as being done after policy checking, which is incorrect. The graphics have been corrected.

Junos OS System Basics Configuration Guide

In Chapter 19, Router Chassis Configuration Guidelines for J Series, of the Junos OS System Basics Configuration Guide, the word "management" was missing. It has been corrected, and the updated content, "To disable power management on the J Series chassis, include the disable-power-management statement at the [edit chassis] hierarchy level," is given in the updated Junos OS System Basics Configuration Guide.

WLAN

The Junos OS WLAN Configuration and Administration Guide provides information on AX411 access point clustering. Access point clustering is no longer supported.

Errata for the Junos OS Hardware Documentation


This section lists outstanding issues with the hardware documentation.

J Series Services Routers Hardware Guide

In the J Series Services Routers Hardware Guide, the procedure Installing a DRAM Module omits the following condition: All DRAM modules installed in the router must be the same size (in megabytes), type, and manufacturer. The router might not work properly when DRAM modules of different sizes, types, or manufacturers are installed.


The J Series Services Routers Hardware Guide incorrectly states that only the J2350 Services Router complies with Network Equipment Building System (NEBS) criteria. The document should state that the J2350, J4350, and J6350 routers comply with NEBS criteria.

The J Series Services Routers Hardware Guide is missing information about 100Base-LX connector support for 1-port and 6-port Gigabit Ethernet uPIMs.

SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide

In the SRX Series Services Gateway Interfaces Power and Heat Requirements section, the PIM Power Consumption Values table gives the power consumption value for the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM as 3.18 W. The correct power consumption value for the 1-port Gigabit Ethernet SFP Mini-PIM is 4.4 W.

SRX1400 Services Gateway Hardware Guide

The SRX1400 Services Gateway Hardware Guide includes the following caution:

CAUTION: To comply with intrabuilding lightning/surge requirements, intrabuilding wiring must be shielded, and the shield for the wiring must be grounded at both ends.

This caution is not applicable.

The SRX1400 Services Gateway Hardware Guide includes information about the following DC-powered SRX1400 Services Gateways:

SRX1400BASE-XGE-DC
SRX1400BASE-GE-DC

These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models.

The fan tray LED table in the Replacing the Fan Tray on the SRX1400 Services Gateway section of the SRX1400 Services Gateway Hardware Guide erroneously documents the following: "Amber (on steadily): Fan tray LED cannot detect fan failure." The correct information for this section is as follows: "Amber LED (on steadily): Fan tray LED does not indicate fan failure."

Some of the graphics in the SRX1400 Services Gateway Hardware Guide show the grounding lug attached to the front panel of the device. However, the SRX1400 Services Gateway is not shipped with the grounding lug attached.

In the SRX1400 Services Gateway Hardware Guide, the following topics erroneously document the "RE ETHERNET" port as the "ETHERNET" port:

Connecting the SRX1400 Services Gateway to a Network for Out-of-Band Management

264

Copyright 2011, Juniper Networks, Inc.

Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

SRX1400 Services Gateway Software Configuration Overview

The SRX1400 Services Gateway Hardware Guide and the SRX1400 Services Gateway Getting Started Guide are missing the following note:

NOTE: AC and DC power supply units are not interoperable between the SRX1400 Services Gateway and the SRX3000 and SRX5000 lines.

SRX1400 Services Gateway Getting Started Guide

The SRX1400 Services Gateway Getting Started Guide includes information about the following DC-powered SRX1400 Services Gateways:

SRX1400BASE-GE-DC
SRX1400BASE-XGE-DC

These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models.

In the SRX1400 Services Gateway Getting Started Guide, some of the graphics show the grounding lug attached to the front panel of the device. However, the grounding lug is not attached to the device at the time of shipment.

The SRX1400 Services Gateway Getting Started Guide should document the following statement: You can replace the Network and Services Processing Card (NSPC) with the SRX3000 line Services Gateway Network Processing Card (NPC) and Services Processing Card (SPC). To install the NPC and SPC on the SRX1400 Services Gateway, you must order the Twin CFM holder tray (SRX1K3K-2CFM-TRAY) to hold the two single-wide CFMs (NPC and SPC) separately. Contact your Juniper Networks customer service representative for more information.

In the SRX1400 Services Gateway Getting Started Guide, the following sections erroneously document the "RE ETHERNET" port as the "ETHERNET" port:

Step 5: Connect the External Devices and IOC Cables to the SRX1400 Services Gateway
Step 7: Perform the Initial Software Configuration on the SRX1400 Services Gateway


Quick Start Guides

The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick Start incorrectly document the order of the default set of codecs as 711-µ, G711-A, G729AB in the Peer Call Server section. The correct values are G711-µ, G711-A, G729AB.

The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick Start are missing the following warning in the Powering Off the Device section:

WARNING: Use the graceful shutdown method to halt, power off, or reboot the services gateway. Use the forced shutdown method as a last resort to recover the services gateway if the services gateway operating system is not responding to the graceful shutdown method.

In the SRX210 Services Gateway 3G ExpressCard Quick Start, several tasks are listed in the wrong order. Task 6: Connect the External Antenna should appear before Task 3: Check the 3G ExpressCard Status, because the user needs to connect the antenna before checking the status of the 3G ExpressCard. The correct order of the tasks is as follows:

Before You Begin
Install the 3G ExpressCard
Connect the External Antenna
Check the 3G ExpressCard Status
Configure the 3G ExpressCard
Activate the 3G ExpressCard Options

In the SRX210 Services Gateway 3G ExpressCard Quick Start, in Task 6: Connect the External Antenna, the following sentence is incorrect and redundant: "The antenna has a magnetic mount, so it must be placed far away from radio frequency noise sources including network components."

In the SRX210 Services Gateway 3G ExpressCard Quick Start, in the Frequently Asked Questions section, the answer to the following question contains an inaccurate and redundant statement:

Q: Is an antenna required? How much does it cost?
A: The required antenna is packaged with the ExpressCard in the SRX210 Services Gateway 3G ExpressCard kit at no additional charge. The antenna will have a magnetic mount with ceiling and wall mount kits within the package.

In the answer, the sentence "The antenna will have a magnetic mount with ceiling and wall mount kits within the package" is incorrect and redundant.


AX411 Access Point Hardware Guide

The AX411 Access Point Hardware Guide incorrectly documents the maximum number of access points supported on SRX Series devices. The document should state that on SRX210, SRX240, and SRX650 devices, up to four access points can be configured and managed.

Related Documentation

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 154
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 213
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 228

Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

Transceiver Compatibility for SRX Series and J Series Devices on page 267
Power and Heat Dissipation Requirements for J Series PIMs on page 267
Supported Third-Party Hardware on page 268
J Series CompactFlash and Memory Requirements on page 268

Transceiver Compatibility for SRX Series and J Series Devices


We strongly recommend that only transceivers provided by Juniper Networks be used on SRX Series and J Series interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used. Please contact Juniper Networks for the correct transceiver part number for your device.

Power and Heat Dissipation Requirements for J Series PIMs


On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs fall within the power and heat dissipation capacity of the chassis. If power management is enabled and the capacity is exceeded, the system prevents one or more of the PIMs from becoming active.

CAUTION: Disabling the power management can result in hardware damage if you overload the chassis capacities.

You can also use CLI commands to choose which PIMs are disabled. For details about calculating the power and heat dissipation capacity of each PIM and for troubleshooting procedures, see the J Series Services Routers Hardware Guide.


Supported Third-Party Hardware


The following third-party hardware is supported for use with J Series Services Routers running Junos OS.

USB modem: We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR 5637.

Storage devices: The USB slots on J Series Services Routers accept a USB storage device or a USB storage device adapter with a CompactFlash card installed, as defined in the CompactFlash Specification published by the CompactFlash Association. When the USB device is installed and configured, it automatically acts as a secondary boot device if the primary CompactFlash card fails on startup. Depending on the size of the USB storage device, you can also configure it to receive any core files generated during a router failure. The USB device must have a storage capacity of at least 256 MB. Table 19 on page 268 lists the USB and CompactFlash card devices supported for use with the J Series Services Routers.

Table 19: Supported Storage Devices on the J Series Services Routers

Manufacturer                                                             Storage Capacity   Third-Party Part Number
SanDisk Cruzer Mini 2.0                                                  256 MB             SDCZ2-256-A10
SanDisk                                                                  512 MB             SDCZ3-512-A10
SanDisk                                                                  1024 MB            SDCZ7-1024-A10
Kingston                                                                 512 MB             DTI/512KR
Kingston                                                                 1024 MB            DTI/1GBKR
SanDisk ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II   N/A                SDDR-91-A15
SanDisk CompactFlash                                                     512 MB             SDCFB-512-455
SanDisk CompactFlash                                                     1 GB               SDCFB-1000.A10

J Series CompactFlash and Memory Requirements


Table 20 on page 269 lists the CompactFlash card and DRAM requirements for J Series Services Routers.


Table 20: J Series CompactFlash Card and DRAM Requirements

Model   Minimum CompactFlash Card Required   Minimum DRAM Required   Maximum DRAM Supported
J2320   1 GB                                 1 GB                    1 GB
J2350   1 GB                                 1 GB                    1 GB
J4350   1 GB                                 1 GB                    2 GB
J6350   1 GB                                 1 GB                    2 GB

Related Documentation

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 154
Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 213
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 187
Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 228
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 270
Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 254

Maximizing ALG Sessions


On SRX3400, SRX3600, SRX5600, and SRX5800 devices, by default, the session capacity number for RTSP, FTP, and TFTP ALG sessions is 10,000 per flow SPU. The maximize-alg-sessions option enables you to increase defaults as follows:

RTSP, FTP, and TFTP ALG session capacity: 25,000 sessions per flow SPU
TCP proxy connection capacity: 40,000 sessions per flow SPU

NOTE: Flow session capacity will be reduced to half per flow SPU and the above capacity numbers will not change on the central point SPU.


You can configure maximum ALG sessions as follows:

security {
    forwarding-process {
        application-services {
            maximize-alg-sessions;
        }
    }
}

You must reboot the device (and its peer in the chassis cluster) for the configuration to take effect.

Integrated Convergence Services Not Supported


Integrated Convergence Services is no longer supported. The Media-Gateway (MGW) versions of SRX Series low-end devices have been discontinued and are no longer supported. If you have a SKU supporting Integrated Convergence Services, please contact Juniper Networks for further guidance.

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers
In order to upgrade to Junos OS Release 10.4 or later, your device must be running one of the following Junos OS Releases:

9.1S1
9.2R4
9.3R3
9.4R3
9.5R1 or later

If your device is running an earlier release, upgrade to one of these releases and then to the 10.4 release. For example, to upgrade from Release 9.2R1, first upgrade to Release 9.2R4 and then to Release 10.4. For additional upgrade and download information, see the Junos OS Security Configuration Guide and the Junos OS Migration Guide.
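The starting-release rule above is easy to get wrong when reading a version string such as 9.2R1.10 off a device, so here is an added example (not from the release notes and not Juniper tooling) that encodes the listed minimums as a pre-upgrade check. It assumes the usual Junos version-string layout of major.minor, a train letter, and a release number with an optional build suffix, and reads "9.5R1 or later" as admitting every train from 9.5 on; the function names are illustrative.

```python
import re
from typing import NamedTuple, Optional

# Added example: pre-upgrade check for the starting-release rule in the
# release notes. The version-string layout and the helper names are
# assumptions for illustration, not Juniper tooling.


class JunosVersion(NamedTuple):
    major: int
    minor: int
    kind: str     # train letter: R (release), S (service), ...
    number: int   # release number after the letter


# "10.4R8.5" -> major 10, minor 4, kind R, number 8; the build suffix is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Z])(\d+)(?:\.\d+)?$")


def parse_version(text: str) -> JunosVersion:
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    return JunosVersion(int(match.group(1)), int(match.group(2)),
                        match.group(3), int(match.group(4)))


# Minimum starting release per train, exactly as listed in the release notes.
MINIMUM_BY_TRAIN = {
    (9, 1): JunosVersion(9, 1, "S", 1),
    (9, 2): JunosVersion(9, 2, "R", 4),
    (9, 3): JunosVersion(9, 3, "R", 3),
    (9, 4): JunosVersion(9, 4, "R", 3),
}
# "9.5R1 or later": every train from 9.5 on qualifies as a starting point.
FIRST_UNRESTRICTED_TRAIN = (9, 5)


def format_version(v: JunosVersion) -> str:
    return f"{v.major}.{v.minor}{v.kind}{v.number}"


def can_upgrade_directly(current: str) -> bool:
    """True if a device running `current` may be upgraded straight to 10.4."""
    v = parse_version(current)
    train = (v.major, v.minor)
    if train >= FIRST_UNRESTRICTED_TRAIN:
        return True
    minimum = MINIMUM_BY_TRAIN.get(train)
    if minimum is None:
        return False  # train older than 9.1: no listed starting release
    # Same train letter and at least the listed release number (9.2R5 >= 9.2R4).
    return v.kind == minimum.kind and v.number >= minimum.number


def required_intermediate(current: str) -> Optional[str]:
    """Release to install first, or None when the direct upgrade is allowed.

    For trains with a listed minimum (9.1 to 9.4) the same-train minimum is
    returned, matching the 9.2R1 -> 9.2R4 -> 10.4 example in the notes. For
    older trains the caller must pick one of the listed releases, keeping the
    EEOL upgrade-path policy in mind.
    """
    if can_upgrade_directly(current):
        return None
    v = parse_version(current)
    minimum = MINIMUM_BY_TRAIN.get((v.major, v.minor))
    if minimum is not None:
        return format_version(minimum)
    listed = ", ".join(format_version(m) for m in MINIMUM_BY_TRAIN.values())
    return f"one of {listed} or 9.5R1 or later"


if __name__ == "__main__":
    for running in ("9.2R1.10", "9.2R4.3", "9.1S1", "10.0R3.10", "8.5R2.1"):
        step = required_intermediate(running)
        print(f"{running}: {'direct upgrade allowed' if step is None else 'first upgrade to ' + step}")
```

Feed the function the version string from the device (the second field of the JUNOS line printed at login is one place to read it) and treat a non-None result as a blocking finding in the change plan.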

Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 270

Upgrade Policy for Junos OS Extended End-Of-Life Releases


An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to either of the next two later EEOL releases, and downgrade directly from one EEOL release to either of the next two earlier EEOL releases. For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.

For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged. For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.


Junos OS Release Notes for EX Series Switches


New Features in Junos OS Release 10.4 for EX Series Switches on page 272
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 280
Limitations in Junos OS Release 10.4 for EX Series Switches on page 281
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 287
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 294
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 310
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313

New Features in Junos OS Release 10.4 for EX Series Switches


New features in Release 10.4 of the Junos operating system (Junos OS) for EX Series switches are described in this section.

NOTE: If you are upgrading from Release 10.4R2 or earlier, the addition of the new resilient dual-root partitions feature requires that you install new loader software as part of the upgrade process. This special software upgrade takes a little more time to complete than a standard upgrade. See Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313 for information about how to upgrade to Release 10.4R3.

Not all EX Series software features are supported on all EX Series switches in the current release. For a list of all EX Series software features and their platform support, see EX Series Switch Software Features Overview. New features are described on the following pages:

Resilient Dual-Root Partitions on page 273
Hardware on page 278
Class of Service (CoS) on page 279
Ethernet Switching and Spanning Trees on page 279
Fibre Channel over Ethernet on page 279
High Availability on page 279
Infrastructure on page 279
Management and RMON on page 279
Packet Filters on page 280
Virtual Chassis on page 280


Resilient Dual-Root Partitions


Junos OS Release 10.4R3 introduced resilient dual-root partitioning. If you are upgrading to Release 10.4R3 or later from Release 10.4R2 or earlier, you must follow a special upgrade procedure. See the following section for information about this feature. See Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313 for information about how to upgrade to a resilient dual-root partition release. This feature provides additional resiliency to switches in the following ways:

Allows the switch to boot transparently from the second root partition if the system fails to boot from the primary root partition.
Provides separation of the root Junos OS file system from the /var file system. If corruption occurs in the /var file system (which is more likely than corruption of the root file system because /var is read and written far more often), the root file system is insulated from the corruption.

The resilient dual-root partitioning feature is described on the following pages:


Resilient Dual-Root Partition Scheme (Junos OS Release 10.4R3 and Later) on page 273
Earlier Partition Scheme (Junos OS Release 10.4R2 and Earlier) on page 274
Understanding Upgrading or Downgrading Between Resilient Dual-Root Partition Releases and Earlier Releases on page 274
Resilient Dual-Root Partitions Frequently Asked Questions on page 274

Resilient Dual-Root Partition Scheme (Junos OS Release 10.4R3 and Later)

EX Series switches that ship with Junos OS Release 10.4R3 or later are configured with a root partition scheme that is optimized for resiliency, as shown in Table 21 on page 273.

Table 21: Resilient Dual-Root Partition Scheme

Slice 1   s1a   /          (root Junos OS)
Slice 2   s2a   /          (root Junos OS)
Slice 3   s3e   /var
          s3d   /var/tmp
Slice 4   s4d   /config

In the resilient dual-root partition scheme, the /var file system is contained in a separate slice from the root file systems, the /config directory is contained in its own slice, and switches ship from the factory with identical Junos OS images in slice 1 and slice 2. The /var file system, which has a greater frequency of reads and writes than the root file systems and is therefore more likely to have corruption issues, is isolated from the root directories and the /config directory. If the switch fails to boot, the system automatically boots from the alternate root partition. (If the switch fails to boot from the active root partition and instead boots from the alternate root partition, an alarm is triggered.)


Earlier Partition Scheme (Junos OS Release 10.4R2 and Earlier)

The earlier partition scheme is shown in Table 22 on page 274.

Table 22: Earlier Partition Scheme

Slice 1   s1a   /          (root Junos OS)
          s1f   /var
Slice 2   s2a   (empty until initial software upgrade)
          s2f   (empty until initial software upgrade)
Slice 3   s3d   /var/tmp
          s3e   /config

This is the partitioning scheme for a switch shipped with Release 10.4R2 or earlier (or after you reformat the disk during a downgrade from Release 10.4R3 or later to Release 10.4R2 or earlier). In this partitioning scheme, the switch comes from the factory with only one Junos OS image installed, in the root Junos OS partition of slice 1. The first time that you perform a software upgrade, the new Junos OS image is installed in slice 2. If the switch fails to boot, you must manually trigger it to boot from the alternate partition (rebooting from the alternate partition does not occur automatically).

Understanding Upgrading or Downgrading Between Resilient Dual-Root Partition Releases and Earlier Releases

Upgrading from Release 10.4R2 or earlier to Release 10.4R3 or later differs from other upgrades in two important ways:

You must install a new loader software package in addition to installing the new Junos OS image.
Rebooting after the upgrade reformats the disk from three partitions to four partitions.

You can perform all operations for this special software upgrade from the CLI.

CAUTION: Back up any important log files because the /var/log files are not saved or restored during an upgrade from a nonresilient dual-root partitions release to a release that supports resilient dual-root partitions. We recommend that you also save your /config files and any important log files to an external medium because if there is a power interruption during the upgrade process, they could be lost.

Resilient Dual-Root Partitions Frequently Asked Questions

This FAQ addresses questions regarding resilient dual-root partitions on EX Series switches and upgrading to resilient dual-root partition releases.

How Does Upgrading to Junos OS Release 10.4R3 and Later Differ from Normal Upgrades?


Upgrading from Junos OS Release 10.4R2 or earlier to Release 10.4R3 or later differs from other upgrades in these ways:

You must upgrade the loader software in addition to installing the new Junos OS image.
Rebooting after the upgrade reformats the disk from three partitions to four partitions.
The upgrade process and the reboot take longer, because of the additional time required to upgrade the loader software and the additional time for the first reboot after the Junos OS installation (longer than normal because it reformats the disk from three partitions to four). Also, EX8200 switches require an additional reboot per Routing Engine as part of the loader software upgrade.

What Happens If I Do Not Upgrade Both the Loader Software and Junos OS at the Same Time?

You must install a new loader software package if you are upgrading to a release that supports resilient dual-root partitions (Release 10.4R3 and later) from an earlier release (Release 10.4R2 and earlier). Table 23 on page 275 describes the combinations of Junos OS and loader software versions.

Table 23: Combinations of Junos OS Versions and Loader Software Versions

Junos OS Release: Release 10.4R3 and later
Loader Software: New loader software
    For all EX Series switches except EX8200 switches: U-Boot 1.1.6 (Mar 11 2011 - 04:39:06) 1.0.0 (contains version 1.0.0 after the timestamp).
    For EX8200 switches: U-Boot 1.1.6 (Jan 11 2008 - 05:24:35) 3.5.0 (contains version 3.5.0).
Notes: Recommended.

Junos OS Release: Release 10.4R3 and later
Loader Software: Old loader software
    For all EX Series switches except EX8200 switches: U-Boot 1.1.6 (Jan 11 2008 - 05:24:35) (does not contain a version number after the timestamp).
    For EX8200 switches: U-Boot 1.1.6 (Jan 11 2008 - 05:24:35) 2.3.0 (contains a version earlier than 3.5.0).
Notes: The switch will come up and function normally. However, if the switch cannot boot from the active root partition, it will not transparently boot from the alternate root partition.

Junos OS Release: Release 10.4R2 and earlier
Loader Software: New loader software
    NOTE: For EX Series switches except EX8200 switches, in Release 10.4R2 and earlier the version number after the timestamp (shown in the previous rows) is not displayed, and you cannot verify whether the old or the new loader software version is installed.
Notes: The switch will come up and function normally. If you downgrade to Release 10.4R2 or earlier after having upgraded to the new loader software version, you do not need to downgrade the loader software.

Junos OS Release: Release 10.4R2 and earlier
Loader Software: Old loader software
Notes: The switch will function normally.

Can I Downgrade Junos OS Without Downgrading the Loader Software?

Yes, when you downgrade from most releases, the new loader software runs seamlessly with the earlier Junos OS version.

NOTE: If you downgrade specifically from Release 10.4R3 or Release 11.1R1 to a nonresilient root partition release (10.4R2 and earlier), you must disable the boot-sequencing function. If you do not take this action, the switch will boot on each subsequent reboot from the alternate root partition rather than from the active partition. Disable the boot-sequencing function in one of two ways:

From the shell as the root user:

% nvram setenv boot.btsq.disable 1

From a console connection, reboot and stop at the U-Boot prompt (Ctrl+C):

=> setenv boot.btsq.disable 1
=> saveenv

If you are downgrading from Release 10.4R4 (or from 11.1R2 or later) to Release 10.4R2 or earlier, you do not need to disable the boot-sequencing function; the software does it automatically.

Can I Upgrade to a Resilient Dual-Root Partition Release by Using the CLI?

Yes, you can perform the entire upgrade to resilient dual-root partitions from the CLI. You download both the new loader software and Junos OS packages and install them from the CLI. During the final reboot, the disk is automatically reformatted from three partitions to four partitions.

Will I Lose My Configuration During an Upgrade?

Configuration files are preserved and restored during the reformatting of the disk. We recommend that you save your configuration because if there is a power interruption during the installation process, files might be lost.

How Long Will the Upgrade Process Take?


The process of upgrading to a resilient dual-root partitions release takes longer due to the additional step of upgrading the loader software and a longer reboot time while the disk is reformatted to four partitions during the reboot of the switch that completes the Junos OS upgrade. The reformat increases the reboot time for EX2200, EX3200, EX4200, and EX4500 switches by 5 to 10 minutes. For EX8200 switches, the reboot time increases by 10 to 25 minutes per Routing Engine, and additional reboots are required.

What Happens to My Files If the System Detects a File System Corruption?

During a reboot, the system checks each file system partition for corruption. Table 24 on page 277 shows the action the system takes if corruption is detected and the corrective action that you can take.

Table 24: Actions If Corrupt Files Are Found

Slice 1   s1a   /          (root Junos OS)
Slice 2   s2a   /          (root Junos OS)
Slice 3   s3e   /var
          s3d   /var/tmp
Slice 4   s4d   /config

During early boot, the integrity of the /var, /var/tmp, and /config file systems is verified. If one of them is corrupted, the corrupted slice is reformatted and the files in that slice are lost. Corrective action: Restore the /var or /config files from an external backup.

If a root directory (/) is corrupted, the corrupted file system is not mounted and the switch boots from the alternate slice. Corrective action: Issue a snapshot internal command from the good root directory to the corrupted slice.

How Will I Be Informed If My Switch Boots from the Alternate Slice Due to Corruption in the Root File System?

If the switch detects corruption in the primary root file system, it boots from the alternate root partition. When this occurs, you are notified in two ways:

If you are logged in through the console port or the management port, the following warning is displayed:

WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE
It is possible that the primary copy of JUNOS failed to boot up properly, and so this device has booted from the backup copy.
Please re-install JUNOS to recover the primary copy in case it has been corrupted.

The following alarm message is generated:


user@switch> show chassis alarms
1 alarms currently active
Alarm time               Class  Description
2011-02-17 05:48:49 PST  Minor  Host 0 Boot from backup root
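Two checks a practitioner wants after an EX upgrade are whether the loader on a switch is the new version from Table 23 (without it there is no transparent failover to the alternate root) and whether the switch has quietly booted from the backup root. The following added example is not Juniper's code and is not part of the release notes: it parses the U-Boot banner formats given in Table 23 and the show chassis alarms output shown above. The sample strings are constructed from those formats, and the function names are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Added example: post-upgrade dual-root checks built from the banner and alarm
# formats in the release notes. Sample strings are constructed; function names
# are illustrative, not Juniper tooling.

LoaderVersion = Tuple[int, ...]

# "U-Boot 1.1.6 (Mar 11 2011 - 04:39:06) 1.0.0": the optional dotted version
# after the parenthesised build timestamp is what distinguishes the loaders.
UBOOT_RE = re.compile(r"U-Boot\s+\S+\s+\([^)]*\)\s*(?P<ver>\d+\.\d+\.\d+)?")


def parse_loader_version(banner: str) -> Optional[LoaderVersion]:
    """Return the version printed after the timestamp, or None if there is none."""
    match = UBOOT_RE.search(banner)
    if match is None:
        raise ValueError(f"not a U-Boot banner: {banner!r}")
    ver = match.group("ver")
    if ver is None:
        return None
    return tuple(int(part) for part in ver.split("."))


# Loader versions that support resilient dual-root partitions (Table 23).
EX8200_MINIMUM: LoaderVersion = (3, 5, 0)
OTHER_EX_MINIMUM: LoaderVersion = (1, 0, 0)


def loader_supports_dual_root(banner: str, ex8200: bool) -> bool:
    """Old loaders on non-EX8200 switches print no version at all, so a missing
    version means old; EX8200 loaders always print one and need 3.5.0 or later."""
    version = parse_loader_version(banner)
    if version is None:
        return False
    return version >= (EX8200_MINIMUM if ex8200 else OTHER_EX_MINIMUM)


class BackupRootAlarm(NamedTuple):
    time: str
    severity: str
    description: str


ALARM_LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)\s+"
    r"(?P<severity>\w+)\s+(?P<desc>.*Boot from backup root.*)$"
)


def backup_root_alarms(show_chassis_alarms: str) -> List[BackupRootAlarm]:
    """Pick the 'Boot from backup root' entries out of show chassis alarms output."""
    found = []
    for line in show_chassis_alarms.splitlines():
        match = ALARM_LINE_RE.match(line.strip())
        if match:
            found.append(BackupRootAlarm(match.group("time"), match.group("severity"),
                                         match.group("desc")))
    return found


# Constructed samples in the formats shown in the release notes.
NEW_LOADER_EX4200 = "U-Boot 1.1.6 (Mar 11 2011 - 04:39:06) 1.0.0"
OLD_LOADER_EX4200 = "U-Boot 1.1.6 (Jan 11 2008 - 05:24:35)"
NEW_LOADER_EX8200 = "U-Boot 1.1.6 (Jan 11 2008 - 05:24:35) 3.5.0"
OLD_LOADER_EX8200 = "U-Boot 1.1.6 (Jan 11 2008 - 05:24:35) 2.3.0"
SAMPLE_ALARMS = (
    "1 alarms currently active\n"
    "Alarm time               Class  Description\n"
    "2011-02-17 05:48:49 PST  Minor  Host 0 Boot from backup root\n"
)


def dual_root_report(banner: str, ex8200: bool, alarms_output: str) -> List[str]:
    """Human-readable findings; empty when nothing needs attention."""
    findings = []
    if not loader_supports_dual_root(banner, ex8200):
        findings.append("loader is the pre-10.4R3 version: the switch will not fail "
                        "over to the alternate root partition automatically")
    for alarm in backup_root_alarms(alarms_output):
        findings.append(f"{alarm.time}: {alarm.description}; reinstall or snapshot "
                        "the primary root partition before the next reboot")
    return findings


if __name__ == "__main__":
    for finding in dual_root_report(OLD_LOADER_EX8200, True, SAMPLE_ALARMS):
        print(finding)
```

Run the report against the banner captured on the console during boot and the output of show chassis alarms; a backup-root finding means the switch is one more root corruption away from not booting at all, so treat it as a change-window item rather than a minor alarm to acknowledge.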

Can I Use Automatic Software Update and Download to Upgrade to a Resilient Dual-Root Partition Release?


Automatic software update and automatic software download are both supported with upgrading to resilient dual-root partition releases. However, after an upgrade using automatic installation, you must take the extra step of upgrading the loader software. Automatic software update is for new members added to a Virtual Chassis that do not have the same software as the master. Once this feature is configured on the Virtual Chassis, any new member added with a different software version will be upgraded automatically. Automatic software download uses the DHCP message exchange process to download and install software packages.

Why Is the Message "At least one package installed on this device has limited support" Displayed When Users Log In?

The following message might be displayed when a user logs in:

Logging to master ..
Password:
--- JUNOS 10.4R3.4 built 2011-03-19 22:06:32 UTC
At least one package installed on this device has limited support.
Run 'file show /etc/notices/unsupported.txt' for details.

This message can be safely ignored, or you can permanently remove it. It appears because of the jloader package file detected on the system, and it appears only when Junos OS is installed before the loader software is upgraded (required only for EX8200 switches). You can permanently remove this message by removing the jloader package and rebooting the system:

user@switch> request system software delete jloader-ex-8200-11.3-date-domestic-signed.tgz
user@switch> request system reboot

Hardware

XRE200 External Routing Engine: The XRE200 External Routing Engine is used to create a Virtual Chassis composed of Juniper Networks EX8200 Ethernet Switches. A Virtual Chassis is multiple switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis include better-managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop-prevention protocols such as Spanning Tree Protocol (STP).

New optical transceiver support on EX4500 switches: The SFP+ uplink module in EX4500 switches now supports one new optical transceiver: EX-SFP-10GE-LRM (10GBase-LRM, 220 m).


Class of Service (CoS)

IPv6 CoS support on EX8200 switches: Classification of IPv6 packets is now supported on EX8200 switches. You can configure rewrite rules for IPv6 packets.

Ethernet Switching and Spanning Trees

PVLAN configuration on multiple switches: A private VLAN (PVLAN) can be configured to span multiple switches.

Fibre Channel over Ethernet

FIP snooping: FIP snooping is supported on EX4500 switches. FIP snooping is a security feature that can be used to prevent man-in-the-middle attacks when the switch is being used as a Fibre Channel over Ethernet (FCoE) transit switch.

Priority-based flow control: Priority-based flow control (PFC) is supported on EX4500 switches. PFC, IEEE standard 802.1Qbb, is a link-level flow-control mechanism that allows you to selectively pause traffic according to its class. PFC must be used for Fibre Channel over Ethernet (FCoE) traffic.

High Availability

Nonstop active routing (NSR): Nonstop active routing (NSR) is now supported on EX8200 switches that have multiple Routing Engines installed. You can configure nonstop active routing to enable the transparent switchover of the Routing Engines without restart of supported routing protocols. In this Junos OS release, NSR supports only the OSPFv2 protocol. Other protocols might also work but are not supported.

Nonstop software upgrade (NSSU): Nonstop software upgrade (NSSU) is a new high availability feature supported on EX8200 switches with redundant Routing Engines. An NSSU upgrades the software running on both Routing Engines with a single command and with minimal traffic disruption.

Infrastructure

Distributed PPM support for BFD: Distributed periodic packet management (PPM) processing of Bidirectional Forwarding Detection (BFD) protocol traffic is now supported on EX3200, EX4200, and EX8200 switches.

IPv6 support on EX4500 switches: EX4500 switches support IPv6 addresses for in-band management on the management interface and on network interfaces.

Multicast storm control: On EX Series switches, storm control, when enabled on an interface, applies to multicast traffic in addition to broadcast and unknown unicast traffic. On EX8200 switches, you can selectively disable storm control on registered multicast traffic, unregistered multicast traffic, or both types of multicast traffic.

Management and RMON

J-Web interface support for the 40-port SFP+ line card for EX8200 switches: J-Web interface support has been added for the 40-port SFP+ line card for EX8200 switches.


sFlow technology enhancements: You can now specify an egress or ingress rate at which packets are sampled.

Packet Filters

Firewall filters on a management interface: You can now configure a firewall filter on a management interface on an EX Series switch to filter ingress or egress traffic on the interface.

Support for VLAN and router (Layer 3) firewall filters on EX4500 switches: On EX4500 switches, VLAN and router (Layer 3) firewall filters are supported for IPv4 traffic.

Virtual Chassis

EX8200 Virtual Chassis: EX8200 switches can now be connected to form a Virtual Chassis. The EX8200 Virtual Chassis is formed by connecting EX8200 switches to an XRE200 External Routing Engine. An EX8200 Virtual Chassis is multiple EX8200 switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis include better-managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop-prevention protocols such as Spanning Tree Protocol (STP).

Related Documentation

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 280
Limitations in Junos OS Release 10.4 for EX Series Switches on page 281
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 287
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 294
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 310
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches
The following changes in system behavior, configuration statement usage, or operational mode command usage have occurred since the previous release and might not yet be documented in the Junos OS for EX Series switches documentation:


Class of Service

When you upgrade Junos OS to Release 10.2 or a later release, you must define custom rewrite rules and assign them to an interface or assign the system-defined rewrite rules to an interface for rewrites to occur.

Ethernet Switching and Spanning Trees

Layer 2 protocol tunneling (L2PT) on EX Series switches now supports the Unidirectional Link Detection (UDLD) protocol.

Hardware

The output of the show chassis power-budget-statistics command now shows the power supply capacity in watts. If the power supply is offline, the capacity is shown as 0 W.

If you configure an SFP uplink module to operate in 1-gigabit mode by including the sfpplus statement at the [edit chassis fpc slot pic pic-number] hierarchy of the configuration, the configuration has no effect and no warning or error message is displayed. The sfpplus statement configures the operating mode for SFP+ uplink modules only, in Junos OS Releases 10.4R2 and later.

Management and RMON

For port mirroring, you can now specify a no-tag option for an output VLAN so that mirrored packets that are exiting from the output VLAN do not contain an additional VLAN tag (of the output VLAN). Specify that option with the set ethernet-switching-options analyzer name output vlan vlan-id-or-name no-tag configuration mode command.

Related Documentation

New Features in Junos OS Release 10.4 for EX Series Switches on page 272
Limitations in Junos OS Release 10.4 for EX Series Switches on page 281
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 287
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 294
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 310
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313

Limitations in Junos OS Release 10.4 for EX Series Switches


This section lists the limitations in Junos OS Release 10.4R8 for EX Series switches. If the limitation is associated with an item in our bug database, the description is followed by the bug tracking number.


For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application at http://www.juniper.net/prsearch.

NOTE: Other software issues that are common to both EX Series switches and M, MX, and T Series routers are listed in Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 58.

Access Control and Port Security

On EX4200 switches, if you have used the EAP-TTLS authentication protocol to authenticate 802.1X supplicants when configuring the RADIUS server, and if the supplicant sends invalid credentials, the host never starts because the RADIUS server does not send a failure message to the switch. [PR/506918: This is a known software limitation.]

Class of Service

On EX4200 switches, traffic is shaped at rates above 500 Kbps, even when the shaping rate configured is less than 500 Kbps. [This is a known software limitation.]

Ethernet Switching and Spanning Trees

If you modify the MSTP configuration and VLAN membership for an interface, that modification could result in an inconsistent MSTP membership for that interface. As a workaround, restart the Ethernet switching process (eswd) after making the configuration changes. [PR/525507: This is a known software limitation.]

Firewall Filters

On EX3200 and EX4200 switches, when a very large number of firewall filters are included in the configuration, it might take a long time, possibly as long as a few minutes, for the egress filter rules to be installed. [PR/468806: This is a known software limitation.]

On EX3200 and EX4200 switches, IGMP packets are not matched by user-configured firewall filters. [PR/482194: This is a known software limitation.]

When you enable the filter-id attribute on the RADIUS server for a particular client, one of the required 802.1X authentication rules is not inserted in the IPv6 database. IPv6 traffic on the authenticated interface is not filtered; only IPv4 traffic is filtered on that interface. [PR/560381: This is a known software limitation.]

On EX8200 switches and the XRE200 External Routing Engine, if you apply different firewall filters to different VLANs, only the filter applied to the first VLAN is applied correctly. For example, if you issue commands to apply filter f1 to VLAN1, filter f2 to VLAN2, and filter f3 to VLAN3, filter f1 is applied correctly, but filters f2 and f3 are not applied to any VLANs. As a workaround, merge all the VLAN filters into one single filter and apply that filter to all the VLANs. You can use the vlan match condition in the firewall filter terms to differentiate the rules for each of the VLANs. [PR/568721: This is a known software limitation.]
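A merged VLAN filter of the kind the workaround above describes, as an added illustration that is not part of the release notes. The VLAN names VLAN1, VLAN2, and VLAN3 come from the text; the filter name, term names, addresses, and ports are placeholders chosen for the example.

```junos
# Added example, not from the release notes. One ethernet-switching filter carries
# the rules for all three VLANs; each term is keyed on the vlan match condition,
# and the single filter is bound to every VLAN instead of separate filters f1, f2, f3.
set firewall family ethernet-switching filter vlan-merged term vlan1-rules from vlan VLAN1
set firewall family ethernet-switching filter vlan-merged term vlan1-rules from ip-protocol tcp
set firewall family ethernet-switching filter vlan-merged term vlan1-rules from destination-port 23
set firewall family ethernet-switching filter vlan-merged term vlan1-rules then discard
set firewall family ethernet-switching filter vlan-merged term vlan2-rules from vlan VLAN2
set firewall family ethernet-switching filter vlan-merged term vlan2-rules from ip-destination-address 192.0.2.0/24
set firewall family ethernet-switching filter vlan-merged term vlan2-rules then discard
set firewall family ethernet-switching filter vlan-merged term vlan3-rules from vlan VLAN3
set firewall family ethernet-switching filter vlan-merged term vlan3-rules from ip-protocol udp
set firewall family ethernet-switching filter vlan-merged term vlan3-rules from destination-port 161
set firewall family ethernet-switching filter vlan-merged term vlan3-rules then discard
# Final term: without it the implicit discard at the end of the filter drops
# everything the earlier terms did not match.
set firewall family ethernet-switching filter vlan-merged term allow-rest then accept
set vlans VLAN1 filter input vlan-merged
set vlans VLAN2 filter input vlan-merged
set vlans VLAN3 filter input vlan-merged
```

Because the limitation leaves VLAN2 and VLAN3 silently unfiltered when three separate filters are used, the merged form is the one to verify after a commit: every VLAN should reference the same filter name, and the per-VLAN terms must precede the final accept term so they are evaluated first.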

Hardware

On 40-port SFP+ line cards for EX8200 switches, the LEDs on the left of the network ports do not blink to indicate that there is link activity if you set the speed of the network ports to 10/100/1000 Mbps. However, if you set the speed to 10 Gbps, the LEDs blink. [PR/502178: This is a known limitation.]

On 40-port SFP+ line cards installed in EX8200 switches, it takes about 10 seconds for the network ports to come up after you reboot the switch or restart a line card. [PR/515766: This is a known limitation.]

On EX4500 switches, the maintenance menu of the LCD panel is not disabled even if you include the lcd maintenance-menu disable statement in the [edit chassis] hierarchy of the configuration. [PR/551546: This is a known limitation.]

On EX Series switches, logical interface statistics are not supported because of a hardware limitation. [PR/613658: This is a known limitation.]

On standalone EX4500 switches, in the Maintenance menu, the option Request VC Port with the further option Set FPC 0? is not supported even though these options are displayed on the LCD panel. [This is a known limitation.]

High Availability

On EX8216 switches on which nonstop active routing (NSR) is configured, after a graceful Routing Engine switchover (GRES), the routing protocol process (rpd) might be delayed until state replication finishes. The duration of the delay depends on the scale of the setup. During this delay, operational mode commands for the rpd process do not provide current information. [PR/517848: This is a known software limitation.]

Infrastructure

On EX Series switches, an SNMP query fails when the SNMP index size of a table is greater than 128 bytes, because the Net SNMP tool does not support SNMP index sizes greater than 128 bytes. [PR/441789: This is a known software limitation.]

On EX Series switches, the show snmp mib walk etherMIB command does not display any output, even though the etherMIB is supported. This occurs because the values are not populated at the module level; they are populated at the table level only. You can issue show snmp mib walk dot3StatsTable, show snmp mib walk dot3PauseTable, and show snmp mib walk dot3ControlTable commands to display the output at the table level. [This is a known software limitation.]

On EX8200 switches, if IS-IS is enabled on routed VLAN interfaces (RVIs), IS-IS adjacency states go down and come up after a graceful Routing Engine switchover (GRES). [PR/442373: This is a known software limitation.]

Momentary loss of an inter-Routing Engine IPC message might trigger the alarm that displays the message Loss of communication with Backup RE. However, no functionality is affected. [PR/477943: This is a known software limitation.]


If you perform a graceful Routing Engine switchover (GRES) on an EX Series switch that has a large number (on the order of 1000 or more) of unresolved ARP entries, core files are created on the backup Routing Engine. [PR/552488: This is a known software limitation.]

Distributed periodic packet management (PPM) of Bidirectional Forwarding Detection protocol (BFD) traffic is not supported for virtual routing instances. As a workaround, use the centralized PPM model by disabling distributed PPM with the command set routing-options ppm no-delegate-processing. [PR/580774: This is a known software limitation.]

On EX8208 and EX8216 switches that have two Routing Engines, one Routing Engine cannot be running Junos OS Release 10.4 or later while the other one is running Release 10.3 or earlier. Ensure that both Routing Engines in a single switch are running either Release 10.4 or later or Release 10.3 or earlier. [PR/604378: This is a known software limitation.]

Interfaces

On EX3200 and EX4200 switches, when port mirroring is configured on any interface, the mirrored packets leaving a tagged interface might contain an incorrect VLAN ID. [PR/431101: This is a known software limitation.]

On EX8200 switches, port mirroring configuration is not supported on a Layer 3 interface with the output configured to a VLAN. [PR/439150: This is a known software limitation.]

EX Series switches do not support IPv6 interface statistics. Therefore, all values in the output of the show snmp mib walk ipv6IfStatsTable command always display a count of 0. [PR/480651: This is a known software limitation.]

On EX Series switches, when a firewall filter is applied on the loopback (lo0) interface, the switch stops generating local ARP requests for transit traffic. [PR/486443: This is a known software limitation.]

When MVRP is configured on a trunk interface, you cannot configure connectivity fault management (CFM) on that interface. [PR/540218: This is a known software limitation.]

On EX Series switches, if you clear LAG interface statistics while the LAG is down, then bring up the LAG and pass traffic without checking for statistics, and finally bring the LAG interface down and check interface statistics again, the statistics might be inaccurate. As a workaround, use the show interfaces interface-name command to check LAG interface statistics before bringing down the interface. [PR/542018: This is a known software limitation.]

J-Web Interface

In the J-Web interface, the Ethernet Switching Monitor page might not display monitoring details if the switch has more than 13,000 MAC entries. [PR/425693: This is a known software limitation.]

When you use the Microsoft Internet Explorer browser to open reports from the following pages in the J-Web interface, the reports open in the same browser session:

Files page (Maintain > Files)
History page (Maintain > Config Management > History)
Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)
Static Routing page (Monitor > Routing > Route Information)
Support Information page (Maintain > Customer Support > Support Information)
View Events page (Monitor > Events and Alarms > View Events)

As a workaround, save the reports and then open them. [PR/433883: This is a known software limitation.]

If four or more EX8200-40XS line cards are inserted in an EX8208 or EX8216 switch, the Support Information page (Maintain > Customer Support > Support Information) in the J-Web interface might fail to load because the configuration might be larger than the maximum size of 5 MB. The error message "Configuration too large to handle" is displayed. [PR/552549: This is a known software limitation.]

If you navigate to a new page before all the components of a page in the J-Web interface are loaded, a pop-up window with the error message Object Expected is displayed. [PR/567756: This is a known software limitation.]

In the J-Web interface, you cannot configure interface ranges and interface groups. [PR/600559: This is a known software limitation.]

The J-Web interface does not support role-based access control; it supports only users in the super-user authorization class. So a user who is not in the super-user class, such as a user with view-only permission, is able to launch the J-Web interface and is allowed to configure everything, but the configuration fails on the switch, and the switch displays access permission errors. [PR/604595: This is a known software limitation.]


Layer 2 and Layer 3 Protocols

On an EX4200 Virtual Chassis, when you configure the RPM hardware timestamp with the hardware-timestamp configuration statement, the show services rpm probe-results command displays the hardware timestamp status as "No hardware timestamps". As a workaround, do not configure a source address for RPM probes. Packets are sent and received on the same interface. This problem does not occur if both egress and ingress interfaces are on the same Virtual Chassis member. [PR/578734: This is a known software limitation.]

Management and RMON

On EX8200 switches, when an egress VLAN that belongs to a routed VLAN interface (RVI) is configured as the input for a port mirroring analyzer, the analyzer appends an incorrect 802.1Q (dot1q) header to the mirrored packets on the routed traffic or does not mirror any packets on the routed traffic. As a workaround, configure a port mirroring analyzer with each port of the VLAN as egress input. [PR/445393: This is a known software limitation.]

Multicast

The following limitations apply to multicast traffic and virtual routing and forwarding (VRF):

Routed multicast traffic is supported only on the default virtual routing instance.
On nondefault virtual routing instances, routed multicast traffic is flooded on Layer 3 interfaces, but aggregated Ethernet interfaces and routed VLAN interfaces (RVIs) are not supported.
MLD snooping of IPv6 multicast traffic is not supported.
Layer 2 multicast traffic is always flooded on the VLAN.

IGMP snooping is not supported on a VLAN that includes a routed VLAN interface (RVI) that is configured as part of a virtual routing instance. [PR/556363: This is a known software limitation.]

Related Documentation

New Features in Junos OS Release 10.4 for EX Series Switches on page 272
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 280
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 287
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 294
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 310
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313


Outstanding Issues in Junos OS Release 10.4 for EX Series Switches


The following are outstanding issues in Junos OS Release 10.4R8 for EX Series switches. The identifier following the description is the tracking number in our bug database. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application at http://www.juniper.net/prsearch.

NOTE: Other software issues that are common to both EX Series switches and M, MX, and T Series routers are listed in Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 58.

Access Control and Port Security

When an EX Series switch receives an LLDP PDU with a 0-byte TLV information string, it treats the PDU as an error and discards all information received on that interface, although a TLV information string can be 0 bytes, as per the IEEE standard. [PR/572818]

EX Series switches send EAP packets on interfaces on which 802.1X (dot1x) is not enabled. [PR/594644]

In LLDP-MED packets, the LCI Length for Civic Addresses is not present. [PR/600233]

The show lldp neighbors command displays the interface description instead of the interface names. [PR/602442]

Ethernet Switching and Spanning Trees

On EX4200 switches, if you have configured bridge protocol data unit (BPDU) protection on all interfaces and disabled the spanning-tree protocol, BPDU protection might not work. [PR/544461]

VSTP virtual bridges are not supported. [PR/605973]

Firewall Filters

On EX4200 switches, if you configure a firewall filter with the match condition tcp-established, the error message "not supported" is displayed although the match condition is actually supported. [PR/543316]

On EX Series switches on which the last term in a loopback firewall filter is either an implicit deny-all or explicit deny-all, received packets whose TTL is exceeded are dropped instead of being processed by the CPU. Thus, for example, traceroute packets received with a TTL of 0 are dropped, and ICMP unreachable packets are not sent back. [PR/573170]

When you configure a firewall filter for the ethernet-switching family, a pfem core file might be created. [PR/580454]


Hardware

If no intraconnect module is installed in an EX4500 switch, the switch boots but is not fully functional. Traffic loss can occur during packet forwarding. [PR/544628]

Infrastructure

On EX3200 and EX4200 switches that are configured with the factory default configuration, if you use the command set date to change the date, the switches accept the date but display the following error message: date: connect: Can't assign requested address. [PR/499641]

The request system zeroize command does not erase the log files and delete the existing configuration. [PR/511216]

On EX8200 switches, when you perform a graceful Routing Engine switchover (GRES) or when you restart Ethernet switching on any spanning-tree protocol domain, a loop might occur. [PR/516611]

The system log (syslog) files contain the message "Juniper syscall not available". These messages are harmless, and you can ignore them. [PR/519153]

On EX4500 switches, the show chassis environment power-supply-unit command does not display values for the input voltage, the output voltage, and the output current. [PR/534958]

If you perform graceful Routing Engine switchover (GRES) on an EX4200 or an EX8200 switch, the Ethernet switching table might not refresh because the Packet Forwarding Engine retains the forwarding database (FDB) entries. The result is that traffic is flooded to the affected MAC addresses. As a workaround, refresh the Ethernet switching table by issuing the clear ethernet-switching table command. [PR/541311]

On EX8208 switches, when a line card that has no interface configurations and is not connected to any device is taken offline using the command request chassis fpc-slot slot-number offline, the Bidirectional Forwarding Detection process (bfd) starts and stops repeatedly. The same bfd process behavior occurs on a line card that is connected to a Layer 3 domain when another line card that is on the same switch and is connected to a Layer 2 domain is taken offline. [PR/548225]

The number of users reported by the show system users command does not include Web users. [PR/572822]

If you set a custom chassis display message with the set chassis display message message command, the message might remain on the LCD panel indefinitely even though you did not include the permanent option in your command. [PR/579234]

The system log (syslog) file might contain the following message: "/var: filesystem full". [PR/600145]

Packet loss of about 2 percent to 5 percent might occur for traffic destined to MAC addresses starting with 03: or 09:. [PR/658631]


If you apply a large number of VLAN tags (approximately 1000 tags) and commit the configuration after applying each individual tag, an mgd core file might be created. [PR/680841]

The /var/log/wtmp file might become excessively large, and thus the switch might run out of disk space on the /var partition. As a workaround, use the request system storage cleanup command, or manually delete and re-create the /var/log/wtmp file from the shell. [PR/681369]

When the switch is performing 802.1X (dot1x) authentication using MAC RADIUS, you might see the following message in the system log (syslog) file: "kmem type temp using 57344K, exceeding limit 57344K". [PR/697815]

Interfaces

When you are configuring the switch in private mode and delete an interface from an interface-range configuration and then reconfigure the interface, the configuration commit fails. [PR/565620]

On EX2200, EX3200, EX4200, and EX4500 switches, although an interface is not created if you do not install any transceiver in a fiber port, the show chassis lcd or show chassis led command might show that an interface exists and show its LED status as Off. For 10-Gigabit Ethernet interfaces on EX4500 switches, the output of these commands might show the interface prefix as ge- instead of xe-. As a workaround, issue the show interfaces terse command to check whether a transceiver is actually installed and to display the xe- interface prefix to verify the interface's 10-Gigabit Ethernet capability. [PR/568301]

On EX4500 switches, the system-generated MAC addresses for all interfaces in PIC slot 2 (that is, interfaces in the right-hand uplink module) are identical. [PR/590922]

J-Web Interface

In the J-Web interface, you cannot commit some configuration changes in the Port Configuration page or the VLAN Configuration page because of the following limitations for port mirroring ports and port mirroring VLANs:

A port configured as the output port for an analyzer cannot be a member of any VLAN other than the default VLAN.
A VLAN configured to receive analyzer output can be associated with only one port.

[PR/400814]

In the J-Web interface, in the Port Security Configuration page, you are required to configure action when you configure MAC limit even though configuring an action value is not mandatory in the CLI. [PR/434836]

In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration page, the Global Information table in the BGP Configuration page, or the Add Interface window in the LACP Configuration page, if you try to change the position of columns using the drag-and-drop method, only the column header moves to the new position instead of the entire column. [PR/465030]


If a large number of static routes are configured and if you have navigated to pages other than page 1 in the Route Information table in the J-Web interface (Monitor > Routing > Route Information), changing the Route Table to query other routes refreshes the page but does not return to page 1. For example, if you run a query from page 3 and the new query returns very few results, the Results table continues to display page 3 and shows no results. To view the results, navigate to page 1 manually. [PR/476338]

In the J-Web interface, the dashboard does not display the uplink ports or uplink module ports unless transceivers are plugged into the ports. [PR/477549]

If you open configuration pages for class-of-service (CoS) classifiers and drop profiles (Configure > Class of Service > Classifiers and Configure > Class of Service > Drop Profile) and then exit the pages without editing the configuration, no validation messages are displayed and the configuration of the switch proceeds. [PR/495603]

In the J-Web interface, the software Upload and Install option and the software Fetch and Install option (Maintain > Software > Upload Package and Maintain > Software > Install Package) might not display a warning message that there are pending changes to be committed when you click those options. [PR/514853]

On EX4500 switches, the J-Web interface might display the following as valid options although these options are not supported on EX4500 switches:

DHCP snooping in the Edit Port Role window in the Port Configuration page
Input filter association in the VLAN Configuration page

[PR/525671]

When you use an HTTPS connection in the Microsoft Internet Explorer browser to save a report from the following pages in the J-Web interface, the error message Internet Explorer was not able to open the Internet site is displayed:

Files page (Maintain > Files)
History page (Maintain > Config Management > History)
Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)
Static Routing page (Monitor > Routing > Route Information)
Support Information page (Maintain > Customer Support > Support Information)
View Events page (Monitor > Events and Alarms > View Events)

[PR/542887]

When you open a J-Web session using HTTPS, then enter a username and password and click on the Login button, the J-Web interface takes 20 seconds longer to launch and load the Dashboard page than it does if you use HTTP. [PR/549934]

In the J-Web interface, the link status might not be displayed correctly on the Port Configuration page or the LACP (Link Aggregation Control Protocol) Configuration page if the Commit Options preference is set to "single commit" (the Validate configuration changes option). [PR/566462]


If you have accessed the J-Web interface using an HTTPS connection through the Microsoft Internet Explorer Web browser, you might not be able to download and save reports from some pages on the Monitor, Maintain, and Troubleshoot tabs. Some affected pages are at these locations:

Maintain > Config Management > History
Maintain > Customer Support > Support Information > Generate Report
Maintain > Files > Log Files > Download
Monitor > Events and Alarms > View Events > Generate Report
Monitor > Routing > Route Information > Generate Report
Troubleshoot > Troubleshoot Port > Generate Report

As a workaround, you can use the Mozilla Firefox Web browser to download and save reports using an HTTPS connection. [PR/566581]

In the J-Web interface, aggregated Ethernet interfaces are not populated in the Port associations table in the Filters Configuration page (Configure > Security > Filters). [PR/579555]

In the J-Web interface, after you make any configuration changes in the System Identity page (Configure > System Properties > System Identity), the device model is displayed under the Host label for all Virtual Chassis members. [PR/582354]

In the J-Web interface, the Configure Schedulers page (Configure > Class of Service > Schedulers) shows the exact, exact-percent, and exact-remainder options in the Add/Edit window in the Transmit Rate list, even though these options are not supported on EX Series switches. [PR/590490]

In the J-Web interface, if the switch is configured as a Virtual Chassis and has more than one uplink module connection, the total number of ports that the dashboard lists as being underutilized is incorrect. [PR/591080]

In the J-Web interface on EX8216 switches, the FPC number of an inserted line card might not be listed under Ports for FPC on the Port Monitoring page (Monitor > Interface). As a workaround, select the all option on this page to display all the interfaces, including those for line cards. [PR/593623]

If the password has been removed from the authentication-order statement and the external authentication server (TACACS+ or RADIUS) is down, you might not be able to log in to the J-Web interface. [PR/599613]

In the J-Web interface, in the Link Layer Discovery Protocol (LLDP) Configuration page (Configure > Switching > LLDP), the Details of Port field does not show the proper values for the Neighbor list and Neighbor count. [PR/600232]

If you have accessed the J-Web interface through the Microsoft Internet Explorer Web browser version 7, then on the BGP Configuration page (Configure > Routing > BGP), all flags might be shown in the Configured Flags list (in the Edit Global Settings window, on the Trace Options tab) even though the flags are not configured. As a workaround, use the Mozilla Firefox Web browser. [PR/603669]


In the J-Web interface, the report generated from the Events page (Monitor > Events and Alarms > View Events) does not show the description for the first four to five events. As a workaround, view the description from the Events page or from the Junos OS CLI. [PR/661752]

If you have created dynamic VLANs by enabling MVRP from the CLI, in the J-Web interface, the following features do not work with dynamic VLANs and static VLANs:

On the Port Configuration page (Configure > Interface > Ports): Port profile (select the interface, click Edit, and select Port Role) or the VLAN option (select the interface, click Edit, and select VLAN Options).
VLAN option on the Link Aggregation page (Configure > Interface > Link Aggregation): Select the aggregated interface, click Edit, and click VLAN.
On the 802.1X Configuration page (Configure > Security > 802.1x): VLAN assignment in the exclusion list (click Exclusion List and select VLAN Assignment) or the move to guest VLAN option (select the port, click Edit, select 802.1X Configuration, and click the Authentication tab).
Port security configuration (Configure > Security > Port Security).
On the Port Mirroring Configuration page (Configure > Security > Port Mirroring): Analyzer VLAN or ingress or egress VLAN (click Add or Edit and then add or edit the VLAN).

[PR/669188]

In the J-Web interface, you cannot associate a filter name that contains spaces to a VLAN on the VLAN Configuration page (Configure > Switching > VLAN). As a workaround, go to the Filters Configuration page (Configure > Security > Filters), click the filter name to be associated, and then click Edit. In the popup window, use the Association tab to associate a VLAN to the filter. [PR/677145]

In the J-Web interface, if you discard any available MIB profile, file, or predefined object from accounting-options on the Point and Click CLI Configuration page (Configure > CLI Tools > Point and Click CLI), the J-Web session times out. As a workaround, perform the same operation from the CLI. [PR/689261]

In the J-Web interface, HTTPS access might work with an invalid certificate. As a workaround, after you change the certificate, issue the restart web-management command to restart the J-Web interface. [PR/700135]

Layer 2 and Layer 3 Protocols

On EX8200 switches, if you take a line card offline when GRES and IGMP snooping are enabled, existing multicast traffic might be affected because indexes are not updated correctly. [PR/569637]

When a BGP interface is flapping quickly, BGP might unnecessarily withdraw prefixes even when a good route to that prefix still exists. [PR/677191]

292

Copyright 2011, Juniper Networks, Inc.

Outstanding Issues in Junos OS Release 10.4 for EX Series Switches

Management and RMON

sFlow technology might not work when you apply a firewall filter to the loopback (lo0) interface. [PR/546432]

The dot1qVlanStaticUntaggedPorts MIB reports incorrect values for voice VLANs. [PR/658559]

sFlow technology does not support IPv6 collectors, source IP addresses, or agent IDs. In Junos OS releases earlier than this release, configuration of these features was not blocked. If your configuration includes any of these features, you must remove them before upgrading to this Junos OS release. [PR/659922]

The description of the jnxVccpPortDown MIB object in the Juniper Virtual Chassis MIB is incorrect. [PR/686888: This issue has been resolved.]

Multicast Protocols

Multicast source registration might fail if the same (S,G) packet is received from different VLANs on the same interface. [PR/579924]

Virtual Chassis

On EX8200 Virtual Chassis, ECMP might not work for links present between Virtual Chassis. [PR/531342]

On EX8200 Virtual Chassis, if you issue the request system reboot slice alternate command, the Routing Engine might not load the expected Junos OS version when it reboots. [PR/535401]

On an EX8200 Virtual Chassis with a single hard disk, the hard disk might not boot. The error message is "TIMEOUT - WRITE_DMA retrying". [PR/537685]

After you reboot or upgrade the software on members of an EX8200 Virtual Chassis, the FPCs might not come up for more than eight minutes when the Virtual Chassis has a square topology. (This is a topology in which the Routing Engines of member 0 connect to those of member 8, the Routing Engines of member 1 connect to those of member 9, member 8 connects to member 9, and a VCP LAG forms between members 0 and 1.) [PR/537963]

When the backup member in a Virtual Chassis is rebooted, a redundant trunk group (RTG) failover might occur incorrectly, with the RTG from the Virtual Chassis master primary link erroneously switching to the secondary link of the Virtual Chassis backup. [PR/562398]

Related Documentation

New Features in Junos OS Release 10.4 for EX Series Switches on page 272
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 280
Limitations in Junos OS Release 10.4 for EX Series Switches on page 281
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 294
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 310
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313

Resolved Issues in Junos OS Release 10.4 for EX Series Switches


The following are the issues that have been resolved in Junos OS Release 10.4 for EX Series switches. The identifier following the descriptions is the tracking number in our bug database. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application at http://www.juniper.net/prsearch.

NOTE: Other software issues that are common to both EX Series switches and M, MX, and T Series routers are listed in Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 58.

Issues Resolved in Release 10.4R1 on page 294
Issues Resolved in Release 10.4R2 on page 298
Issues Resolved in Release 10.4R3 on page 299
Issues Resolved in Release 10.4R4 on page 300
Issues Resolved in Release 10.4R5 on page 302
Issues Resolved in Release 10.4R6 on page 307
Issues Resolved in Release 10.4R7 on page 308
Issues Resolved in Release 10.4R8 on page 309

Issues Resolved in Release 10.4R1


The following issues have been resolved since Junos OS Release 10.3. The identifier following the description is the tracking number in our bug database.


Access Control and Port Security

If you connect a computer to a phone that is connected to an interface supporting multiple supplicants on an EX Series switch, the Telecommunications Industry Association (TIA) network policy in the LLDP-MED packets from the EX2200 switch reports an incorrect VLAN and the phone might lose connectivity. [PR/542810: This issue has been resolved.]

Ethernet Switching and Spanning Trees

A LAG between an EX4200 Virtual Chassis and a Cisco 6500 switch might not recover when the Virtual Chassis master switch is power-cycled. [PR/505069: This issue has been resolved.]

Hardware

On EX4200 switches, the uplink port status LED on the 4-port Gigabit Ethernet SFP uplink module does not properly indicate the status of the uplink port. [PR/528070: This issue has been resolved.]

EX8200 switches might not detect the front-panel LCD display. [PR/553144: This issue has been resolved.]

After you have disabled an interface on an EX2200 switch, the LED is still lit on that interface. [PR/553219: This issue has been resolved.]

Infrastructure

On EX Series switches, MAC addresses not present in the forwarding database (FDB) because of hash collision are not removed from the Ethernet switching process (eswd). These MAC addresses do not age out of the Ethernet switching table even if traffic is stopped completely and are never relearned when traffic is sent to these MAC addresses, even when there is no hash collision. As a workaround, clear those MAC addresses from the Ethernet switching table. [PR/451431: This issue has been resolved.]

When multicast packets are transmitted from interfaces on which PIM is not enabled, VRRP might flap. [PR/520194: This issue has been resolved.]

When the forwarding process (pfem) restarts, EX Series switches cannot receive any Q-in-Q tunneling frames and drop them all. [PR/527117: This issue has been resolved.]

On EX8200 switches, packets with unregistered Layer 2 multicast MAC addresses are not dropped on interfaces in the STP blocked state, resulting in some traffic loops that might impact network performance. [PR/541123: This issue has been resolved.]

On EX2200, EX3200, EX4200, and EX4500 switches, if you configure a large number of VLANs and aggregated Ethernet interfaces and commit the configuration, the forwarding process (pfem) utilization stays at 80 percent for more than 60 minutes. As a result, the aggregated Ethernet interfaces cannot be used until the pfem usage reduces to normal limits. [PR/544433: This issue has been resolved.]

On EX4200 switches, spurious packets (packets with unsupported fields) arriving at the backup Routing Engine while a GRES operation is in progress can cause a kernel crash (vmcore). [PR/546314: This issue has been resolved.]


When the configured DNS server is not reachable, name resolution for localhost takes a long time and the output of the show ntp association command takes a long time to appear. [PR/551739: This issue has been resolved.]

During a nonstop software upgrade (NSSU) on EX8200 switches, if the number of routes is greater than about 100,000, the graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) synchronization might take longer than two minutes. The result is that the NSSU timers expire and the NSSU operation aborts. [PR/559223: This issue has been resolved.]

If a Routing Engine fails over to the backup Routing Engine, not all multicast groups that were active on the switch recover. [PR/563030: This issue has been resolved.]

During the TFTP transfer portion of an automatic software download procedure, the software package might be truncated or corrupted. [PR/570901: This issue has been resolved.]

The Ethernet switching process (eswd) might crash and then recover when the following change is made in the CLI (either in a single commit or in separate commits):

First, you remove an interface from the interface range on which VoIP is configured.

Then, you either delete the removed interface or change its address family to a family other than ethernet-switching.

[PR/571863: This issue has been resolved.]

Interfaces

On EX Series switches, the configured interface hold time does not work. [PR/537477: This issue has been resolved.]

On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the command-line interface (CLI), automatic command completion does not work. [PR/561565: This issue has been resolved.]

On EX4200 switches, autonegotiation bypass, which allows a link in a Gigabit Ethernet SFP uplink port to begin operation even if autonegotiation on the link partner is disabled, fails to bring up the link. [PR/571198: This issue has been resolved.]

J-Web Interface

If an SRE module, RE module, SF module, line card, or Virtual Chassis member is in offline mode, the J-Web interface might not update the dashboard image accordingly. [PR/431441: This issue has been resolved.]

In the J-Web interface, changing the port role from Desktop, Desktop and Phone, or Layer 2 Uplink to another port role might not remove the configurations for enabling dynamic ARP inspection and DHCP snooping. [PR/445080: This issue has been resolved.]

In the J-Web interface, the automatic command-completion feature might not be disabled in the password field. As a workaround, you can disable the automatic command-completion feature in the browser. [PR/508425: This issue has been resolved.]


If you have a candidate configuration in the CLI and you try to commit configuration changes using the Point and Click CLI in the J-Web interface, the Configuration page displays an error. [PR/514771: This issue has been resolved.]

In the J-Web interface, when you select the Ethernet Switching Monitor page (Monitor > Switching > Ethernet Switching), the MAC learning log might not display information. [PR/535200: This issue has been resolved.]

In the J-Web interface, after you have associated the system default scheduler maps to an interface on the Configure Interface Association page (Configure > Class of Service > Assign To Interface), the Edit window does not close. As a workaround, click the Cancel button in the Edit window to go to the landing page. [PR/541188: This issue has been resolved.]

In the LACP (Link Aggregation Control Protocol) Configuration page in the J-Web interface (Configure > Interfaces > Link Aggregation), the Delete button is disabled even when you select an aggregated Ethernet interface configured with a physical interface, VLAN, and IP option. As a workaround, delete the physical interface, VLAN, and IP option from the aggregated Ethernet interface using the CLI. [PR/546411: This issue has been resolved.]

In the J-Web interface, when you use an HTTPS connection in the Microsoft Internet Explorer browser, you cannot upload (Maintain > Config Management > Upload) or download (Maintain > Config Management > History > Configuration History) a configuration file. As a workaround, use an HTTP connection. [PR/551200: This issue has been resolved.]

If you install a large configuration (more than 5 MB), for example, if you install more than four 40-port SFP+ line cards, in an EX8200 switch, the error message "Configuration on the Switch is too large for JWeb to handle. Please use the CLI to manipulate the configuration" is displayed in the Support Information page (Maintain > Customer Support > Support Information) in the J-Web interface. [PR/552549: This issue has been resolved.]

If you insert Gigabit Ethernet transceivers in 40-port SFP+ line cards installed in EX8200 switches, the transceivers are incorrectly shown as copper transceivers in the image of the switch in the Dashboard page in the J-Web interface. [PR/561695: This issue has been resolved.]

When no line card is installed in an EX8208 switch:

If you navigate to the Port Monitoring page (Monitor > Interfaces) in the J-Web interface, a pop-up window with the error message 'gridData.0' is null or not an object is displayed.

If you select the displayed interface and click the Show Graph button, a pop-up window with the error message 'selected FpcName' is undefined is displayed.

[PR/562454: This issue has been resolved.]

The dashboard in the J-Web interface might not refresh automatically if you navigate back and forth between the Dashboard page and other pages. [PR/566359: This issue has been resolved.]


Layer 2 and Layer 3 Protocols

If many PIM joins are associated with a neighbor and that neighbor goes down, when it comes back up, those joins might be stranded in an unresolved state until you issue the clear pim join command. [PR/539962: This issue has been resolved.]

PIM join messages sent from an EX8208 switch to a Cisco RP using Auto-RP show the upstream neighbor as being the EX8208 switch itself and not the Cisco RP. [PR/557130: This issue has been resolved.]

Management and RMON

On EX4200 switches, the LACP process (lacpd) creates core files when an SNMP MIB lookup is performed. [PR/533226: This issue has been resolved.]

Multicast Protocols

On EX8200 switches, when you enable IGMP snooping on a VLAN but do not configure a Layer 3 interface on the VLAN, PIM or VRRP packets might not be forwarded correctly. [PR/537480: This issue has been resolved.]

Virtual Chassis

On an EX4200 Virtual Chassis, a forwarding process (pfem) core file might be created if all the 802.1X (dot1x) interfaces are in the held state or the connecting state. [PR/571865: This issue has been resolved.]

On an EX4200 Virtual Chassis, if you run the request system reboot member member-id command with the master's member ID, the master Virtual Chassis member fails to reboot. That is, you cannot reboot only the master switch on the Virtual Chassis. [PR/572936: This issue has been resolved.]

On an EX4200 Virtual Chassis, a large number of awk processes and defunct processes might be running. [PR/576621: This issue has been resolved.]

Issues Resolved in Release 10.4R2


The following issues have been resolved since Junos OS Release 10.4R1. The identifier following the description is the tracking number in our bug database.

Interfaces

On a 40-port SFP+ line card in an EX8200 switch, if you assign different shaping rates to different ports in a port group, you do not receive an error message when you commit the configuration, and no error is logged in the system log. As a workaround, configure the same shaping rate on all ports in a port group. [PR/524073: This issue has been resolved.]

In a Q-in-Q tunneling configuration that includes aggregated Ethernet interfaces (LAGs), after a pfem process restart, the member interfaces in the VLAN might be incorrectly set. [PR/527117: This issue has been resolved.]


Issues Resolved in Release 10.4R3


The following issues have been resolved since Junos OS Release 10.4R2. The identifier following the description is the tracking number in our bug database.

Access Control and Port Security

An 802.1X supplicant that is in the connecting or held state might obtain a DHCP address before the authentication process completes. [PR/526884: This issue has been resolved.]

When you configure 802.1X static MAC bypass, the client becomes unreachable each time the MAC age time interval increments. [PR/536316: This issue has been resolved.]

On EX Series switches, configuring 802.1X (dot1x) might generate a core file when VLANs are being configured. [PR/553166: This issue has been resolved.]

When the primary redundant trunk group (RTG) interface is disabled, causing an RTG switchover, MAC entries on the upstream switches are refreshed. However, when the primary RTG link is enabled, the MAC entries are not refreshed on the upstream switches. [PR/555158: This issue has been resolved.]

Ethernet Switching and Spanning Trees

On EX4500 switches, if you activate and then deactivate a firewall filter configuration, VSTP convergence might not occur properly. As a workaround, restart the Ethernet switching process (eswd). [PR/548446: This issue has been resolved.]

If you change the VLAN ID on the switch using VSTP, the show spanning-tree bridge command lists an incorrect root bridge. [PR/512715: This issue has been resolved.]

When an interface is entering the spanning-tree protocol BLK DIS state, an Ethernet switching process (eswd) core file might be created. [PR/538161: This issue has been resolved.]

When you change the VSTP configuration so that VLANs are numbered rather than named, or the reverse, the Ethernet switching process (eswd) might stop. [PR/541272: This issue has been resolved.]

On an interface that is receiving storm traffic, if you use the set ethernet-switching-options storm-control action-shutdown command to disable the interface, it can take up to 30 seconds for the interface to shut down. [PR/556107: This issue has been resolved.]

Infrastructure

On EX8200 switches, when IGMP snooping is enabled on an interface, the IPv6 multicast Layer 2 control frame is not forwarded to other interfaces in the same VLAN. The result is that IPv6 and VRRP for IPv6 neighbor solicitation fails. [PR/456700: This issue has been resolved.]

On EX4200 switches, the uplink port status LED on the 4-port Gigabit Ethernet SFP uplink module does not properly indicate the status of the uplink port. [PR/528070: This issue has been resolved.]


On EX8200 switches, the LACP process (lacpd) might start and stop repeatedly when traffic to the Routing Engine is heavy. [PR/542897: This issue has been resolved.]

On EX8200 switches, after routing and traffic recover from a graceful Routing Engine switchover (GRES) operation, a core file might be created after the Ethernet switching process (eswd) is restarted or after a line card is taken offline. [PR/570645: This issue has been resolved.]

On EX Series switches, DHCP relay does not add the proper prefixes for priority-tagged frames, so these packets are dropped on interfaces on which LLDP-MED is not enabled. [PR/572454: This issue has been resolved.]

On EX4200 switches, when the mode on an SFP+ uplink module is changed from 10g to 1g, or from 1g to 10g, the switch does not learn MAC addresses until it is rebooted. [PR/573857: This issue has been resolved.]

When you upgrade EX4200 and EX8200 switches from Junos OS Release 10.0 to Junos OS Release 10.3R2, interfaces might not start if they are configured with the no-auto-negotiation configuration statement and are configured to operate at 1 Gbps. [PR/580453: This issue has been resolved.]

On EX8200 switches, when you are upgrading the line cards, the nonstop software upgrade (NSSU) process might abort. The system generates a core file when this happens. [PR/580494: This issue has been resolved.]

J-Web Interface

If you configure 802.1X authentication on an EX Series switch, the J-Web interface performance slows. [PR/543298: This issue has been resolved.]

On EX4500 switches and on EX4200-24F switches, the total number of ports displayed in the dashboard (Dashboard > Capacity Utilization > Total number of ports) in the J-Web interface increases every 2 seconds, each time an automatic refresh occurs. [PR/543913: This issue has been resolved.]

Virtual Chassis

On an EX4200 Virtual Chassis, an automatic software update fails if you have configured preprovisioning or mastership priority. [PR/557981: This issue has been resolved.]

Upgrading the Junos OS image on an individual member of an EX8200 Virtual Chassis does not work. As a workaround, upgrade the Junos OS image for the entire Virtual Chassis. In addition, upgrading the Junos OS image on an EX8200 Virtual Chassis from an XRE200 External Routing Engine that is in the linecard role or the backup role does not work. As a workaround, upgrade the software image from the master external Routing Engine. [PR/574137: This issue has been resolved.]

Issues Resolved in Release 10.4R4


The following issues have been resolved since Junos OS Release 10.4R3. The identifier following the description is the tracking number in our bug database.


Access Control and Port Security

When DHCP snooping is enabled, after an IP address is dynamically assigned to a device, when the device sends DHCPINFORM packets to obtain other DHCP parameters, the switch blocks these packets. [PR/580068: This issue has been resolved.]

The 802.1X process (dot1xd) might crash, making it impossible for switch users to connect to the network. [PR/587531: This issue has been resolved.]

Ethernet Switching and Spanning Trees

If you enable all VRRP sessions simultaneously on a switch with a large number (on the order of 200 or more) of VRRP configurations, RSTP convergence might not occur. As a workaround, do not enable all VRRP sessions simultaneously if the switch's VRRP configuration is large. [PR/556114: This issue has been resolved.]

Firewall Filters

On EX4500 switches, you cannot commit an inbound firewall filter configuration if a counter is also configured. [PR/597899: This issue has been resolved.]

Infrastructure

The show chassis routing-engine command might erroneously show an uptime of 14,700 days. [PR/537224: This issue has been resolved.]

When you include wildcards in a routing policy filter that also includes Classless Interdomain Routing (CIDR) addresses or that maps IPv4 addresses to IPv6 addresses, the forwarding process (pfem) might stop operating. [PR/544518: This issue has been resolved.]

On EX4500 switches, if you activate and then deactivate a firewall filter configuration, VSTP convergence might not occur properly. As a workaround, restart the Ethernet switching process (eswd). [PR/548446: This issue has been resolved.]

On EX4500 switches, if more than 14 ports in the switch are subscribed to a 10-gigabit full-duplex rate of traffic, the switch might not be able to achieve a 10-gigabit wire rate for 64-byte and 128-byte packets. There is no impact on performance if the number of ports actively involved in 10-gigabit wire-rate traffic is 14 or fewer or if the packet size is greater than 150 bytes. [PR/573319: This issue has been resolved.]

When an interface's status changes, the message "KERN-1-GENCFG: op 8 (CoS) failed; err 5 (Invalid)" might appear in the system log (syslog) file. [PR/576027: This issue has been resolved.]

When the switch is running under a high load, it might stop operating and you might see a Packet Forwarding Engine (pfem) core file. [PR/576409: This issue has been resolved.]

On EX2200 switches, the software forwarding process (sfid) might deadlock, with the result that traffic is blocked and MAC addresses cannot be learned. As a workaround, reboot the switch. [PR/579725: This issue has been resolved.]

On EX4200 switches, VRRPv3 advertisements are not forwarded on a Layer 2 VLAN on which IGMP snooping is enabled. [PR/588712: This issue has been resolved.]


When you reboot an EX Series switch running Junos OS Release 10.4R3 or later, the switch might take up to 6 minutes to become operational. [PR/589457: This issue has been resolved.]

If the switch receives three or more soft resets within 30 seconds, Junos OS shuts down the switch. [PR/590977: This issue has been resolved.]

The boot sequencing environment variable (boot.btsq.disable) enables transparent rebooting for resilient dual-root partitions. It is disabled by default in the newer loader software packages. In Release 10.4R3, this environment variable must be reset manually. In Release 10.4R4, Junos OS automatically sets this variable according to whether the Junos OS version supports resilient dual-root partitions. [PR/592913: This issue has been resolved.]

When you upgrade an EX Series switch whose configuration contains a firewall filter that includes only noncontiguous masks in the term's match condition, the switch might fail to start and you might see a Packet Forwarding Engine (pfem) core file. As a workaround, do not configure only noncontiguous masks. [PR/598333: This issue has been resolved.]

Layer 2 and Layer 3 Protocols

If you reboot an EX Series switch on which Layer 2, Layer 3, and multicast protocols are configured, Bidirectional Forwarding Detection (BFD) might start and stop when multiple duplicate PPM entries are created on the Routing Engine. [PR/551267: This issue has been resolved.]

The routing protocol process (rpd) might create a core file when you include the traceoptions statement at the [edit routing-options] hierarchy level. As a workaround, disable the traceoptions, for example, by configuring flag normal. [PR/596007: This issue has been resolved.]

Virtual Chassis

EX4200 Virtual Chassis members might not reboot and might create a Virtual Chassis control process (vccpd) core file. [PR/588466: This issue has been resolved.]

Issues Resolved in Release 10.4R5


The following issues have been resolved since Junos OS Release 10.4R4. The identifier following the description is the tracking number in our bug database.

Access Control

On EX4200 or EX8200 switches that are connected to a Dell PowerConnect switch, if you enable LLDP between the switches, the output of the show lldp neighbor command does not display remote interface information for the PowerConnect switch. [PR/533399: This issue has been resolved.]

In 802.1X authentication, voice traffic might be dropped after a VLAN expires. [PR/579804: This issue has been resolved.]


On EX2200 switches, the authentication process (authd) and the 802.1X process (dot1x) might use excessive amounts of memory, and authd and dot1x core files might be created. [PR/602450: This issue has been resolved.]

If you configure MAC RADIUS authentication by including the mac-radius statement at the [edit protocols dot1x authenticator interface interface-name] hierarchy level, and if user or MAC addresses continuously fail authentication, an 802.1X (dot1x) core file might be created. [PR/602468: This issue has been resolved.]

Ethernet Switching and Spanning Trees

When you are upgrading to Junos OS Release 10.4R3, if you have enabled VSTP for all VLANs, an Ethernet switching process (eswd) core file might be created. [PR/602341: This issue has been resolved.]

Firewall Filters

When the filter name, term name, and counter name in an 802.1X firewall filter are long, a Packet Forwarding Engine (pfem) core file might be created when you activate the filter. [PR/592709: This issue has been resolved.]

On EX4500 switches, you might not be able to clear firewall counters. [PR/604479: This issue has been resolved.]

Hardware

On aggregated Ethernet interfaces, the values for the actual and calculated packet load-balancing performance differ. [PR/587223: This issue has been resolved.]

On EX8200 switches, if you change the power line input for a 2000 W AC power supply from high voltage to low voltage, or the reverse, power management might not correctly reflect the changed power supply capacity in its power budget. To avoid this problem, follow this procedure when you change the power supply input voltage:

1. Disconnect the power supply from the existing power source.

2. Wait until the output of the show chassis environment psu command shows the power supply to be offline.

3. Connect the power supply to the new power source.

[PR/596409: This issue has been resolved.]

The Junos OS kernel does not support the Freescale MPC8544 PCI host controller, which is present on EX2200, EX3200, and EX4200 switches. [PR/594880: This issue has been resolved.]


Infrastructure

When a nonstop software upgrade (NSSU) operation is performed using FTP, the software image remains in the /var/tmp/...transferring.file......... directory and is not removed after the upgrade completes. [PR/546543: This issue has been resolved.]

During BGP route updates and withdrawals, the IGMP snooping process (mcsnoopd) might consume up to 20 percent of the CPU even if IGMP is not configured. [PR/560760: This issue has been resolved.]

During a graceful Routing Engine switchover (GRES) operation, the kernel synchronization process (ksyncd) and the kernel (vmcore) might create core files. [PR/562379: This issue has been resolved.]

After you configure STP and then unconfigure it, switch operation might slow significantly, with the software forwarding process (sfid) consuming more than 90 percent of the CPU. [PR/574285: This issue has been resolved.]

On EX8200 switches, all FPCs might go offline after a graceful Routing Engine switchover (GRES) operation, and the switch would then display the message "Chassis connection dropped." [PR/584491: This issue has been resolved.]

Previously, it was not possible to debug the Junos OS kernel during the bootup process. The boot -d option has been added to the loader software to allow you to debug the kernel during bootup. [PR/587428: This issue has been resolved.]

On EX8200 switches, if a jloader-ex package earlier than version 3.5.0 is mounted on the switch and then version 3.5.0 of the package is mounted during an installation, the earlier jloader-ex package is used to select the uboot and loader binaries, and the existing binaries instead of the new binaries are burned to the boot flash memory. As a result, the new jloader-ex package, version 3.5.0, is not installed. [PR/595514: This issue has been resolved.]

The Junos XML management protocol RPC <request-package-add/> command creates two copies of packages in the /var/tmp directory but does not remove the master copy after it copies it to incoming-package.tgz. [PR/598827: This issue has been resolved.]

On EX8200 switches, after the switching table has been cleared multiple times and after the routed VLAN interfaces (RVIs) go down and come back up multiple times, the switch stops learning ARP replies on some of the RVIs. [PR/598889: This issue has been resolved.]

When a backup router is configured and you initiate a graceful Routing Engine switchover (GRES) operation from the master router, the master router reboots and a vmcore file might be created. [PR/599351: This issue has been resolved.]

When virtual routing and forwarding (VRF) and multicast are configured on a switch, but IGMP snooping is not enabled, an IGMP snooping core file might be created. [PR/601034: This issue has been resolved.]

On EX2200, EX3200, EX4200, and EX4500 switches, if the switch has been up for more than 25 days, the show chassis routing-engine command displays the wrong uptime. [PR/602211: This issue has been resolved.]


The switch might create a software forwarding process (sfid) core file for no apparent reason. [PR/603926: This issue has been resolved.]

During a graceful Routing Engine switchover (GRES) operation on a switch on which PIM is configured, a routing protocol process (rpd) core file might be created. [PR/604475: This issue has been resolved.]

On EX2200 switches, if parity errors occur, the switch might stop forwarding traffic. [PR/604808: This issue has been resolved.]

On EX4500 switches, a cfmd core file might be created. [PR/607188: This issue has been resolved.]

On EX8200 Virtual Chassis running a Junos OS image with resilient dual-root partitioning, when the kernel synchronization process (ksyncd) on the backup Routing Engines fails or when the master and backup Routing Engines are out of sync, both conditions that create a ksyncd core file, it might take more than 12 minutes for the core file to be created. During this time, the Virtual Chassis is highly unstable: the Routing Engine CPU is at 100 percent; all control protocols, such as BFD, IS-IS, and OSPF, are constantly stopping and restarting; and the CLI prompt is not displayed after you type a CLI command. This issue does not occur with nonresilient dual-root partitioning Junos OS releases (Releases 10.4R2 and earlier). [PR/609061: This issue has been resolved.]

Interfaces

If you configure a Layer 2 link aggregation (LAG) interface with storm control such that the interface shuts down as the result of a traffic storm, and if you then modify the LAG configuration from Layer 3 and back to Layer 2 again, the LAG interface never shuts down even if the traffic storm continues. [PR/578412: This issue has been resolved.]
On EX4500 switches, BFD sessions might not start if you configure any interfaces on interfaces ge-0/0/0 through ge-0/0/19. [PR/590735: This issue has been resolved.]
On EX4200 switch SFP interfaces, if autonegotiation is enabled and if these interfaces are connected to a link partner on which autonegotiation is disabled, the EX4200 interface might not establish a connection with its partner. As a workaround, use the same configuration on both sides of the connection: either enable autonegotiation on both sides or disable it on both sides. [PR/593126: This issue has been resolved.]
A physical interface might not shut down even after the interface's configured hold time expires. [PR/602113: This issue has been resolved.]
On EX Series switches, a LAG interface might not come up when the primary interface is disabled and link protection is enabled. [PR/603914: This issue has been resolved.]
On EX4500 switches, when you delete a Layer 2 interface on which storm control is enabled using the delete interface interface-name command, that action might lead to inconsistencies in the Packet Forwarding Engine. Because of these inconsistencies, if you later add another Layer 2 interface and enable storm control on that interface, a Packet Forwarding Engine (pfem) core file might be created. [PR/607509: This issue has been resolved.]


Interfaces

If you use a wildcard character when configuring an interface range, an Ethernet switching process (eswd) core file might be created. [PR/599555: This issue has been resolved.]
VRRP interfaces might not converge. [PR/602121: This issue has been resolved.]

J-Web Interface

In the J-Web interface, you cannot disable an IPv4 or IPv6 address on the Port Configuration page (Configure > Interfaces > Ports). [PR/600080: This issue has been resolved.]
On EX2200 switches, J-Web Web management does not start. [PR/603062: This issue has been resolved.]

Virtual Chassis

An EX4200 Virtual Chassis might split when a linecard member is restarted. [PR/529308: This issue has been resolved.]
An EX4200 Virtual Chassis cannot be accessed from the virtual management Ethernet (VME) interface after the master's management Ethernet interface, me0, has been removed. [PR/529656: This issue has been resolved.]
On EX4500 Virtual Chassis, if you configure 4000 VLANs, the IGMP snooping process (mcsnoopd) might use more than 90 percent of the CPU for at least 10 minutes. [PR/537322: This issue has been resolved.]
On EX4200 Virtual Chassis on which VSTP is configured, VSTP might experience unexpected topology changes. [PR/541091: This issue has been resolved.]
On EX4200 Virtual Chassis, the next-hop information in the forwarding table is not cleared when a Virtual Chassis switchover occurs. [PR/576098: This issue has been resolved.]
On EX4200 Virtual Chassis, high-priority packets are not sent properly from member switches in linecard roles to the master. [PR/593840: This issue has been resolved.]
On EX8200 Virtual Chassis, after you upgrade Junos OS using the request system software add and request system reboot commands, the CPU load is very high on both the master and backup XRE200 External Routing Engines. The CPU load recovers to normal after 10 minutes or after you reboot the master switch. [PR/596374: This issue has been resolved.]
During a graceful Routing Engine switchover (GRES) operation, if the master Routing Engine loses power, there might be a 30-second timeout in forwarding. [PR/600030: This issue has been resolved.]
On EX4200 Virtual Chassis, it might take 20 minutes or longer to distribute the Junos OS image bundle in a 10-member Virtual Chassis. As a workaround, use the no-validate option to improve performance. [PR/604270: This issue has been resolved.]


Issues Resolved in Release 10.4R6


The following issues have been resolved since Junos OS Release 10.4R5. The identifier following the description is the tracking number in our bug database.

Access Control

In Preboot Execution Environments (PXE), the PXE boot process might fail if the host is moved to a port associated with a different DHCP pool. [PR/596152: This issue has been resolved.]
If you have configured 802.1X (dot1x) on an interface, then removed the 802.1X configuration, 802.1X filters configured on that interface are not deleted. [PR/662196: This issue has been resolved.]

Hardware

On EX4200 switches, SFP-T (1-gigabit copper) transceivers installed in port 0 or port 2 of an SFP+ uplink module might not work correctly even though the interface link status is up. As a workaround, install the SFP-T transceivers in port 1 or port 3 of the uplink module. [PR/569307: This issue has been resolved.]
When the switch temperature exceeds its threshold, alarms for EX-PFE2 Packet Forwarding Engines are not raised. The functionality of the switch is not affected. [PR/614354: This issue has been resolved.]
When you use port 1 on the SFP uplink module, the system log files might report an error and might become full within a few minutes. [PR/661426: This issue has been resolved.]

Infrastructure

On EX2200 switches, if you configure the dhcp-option82 statement, the switch might stop operating and a software forwarding process (sfid) core file might be created. [PR/588990: This issue has been resolved.]
On EX4500 switches, configuring the log-out-on-disconnect statement has no effect. [PR/590891: This issue has been resolved.]
During a reboot of an EX8200 switch, the links on the interfaces of neighboring devices might go up and down repeatedly even though the interfaces on the EX8200 switch that connect to those interfaces on neighboring devices have not yet been initialized. [PR/591800: This issue has been resolved.]
On EX8200 Virtual Chassis, VLANs might not be able to connect to each other. [PR/592691: This issue has been resolved.]
On EX8200 switches or on XRE200 External Routing Engines, after routing and traffic recover from a graceful Routing Engine switchover (GRES) operation, a core file might be created after the Ethernet switching process (eswd) is restarted or after a line card is taken offline. [PR/596013: This issue has been resolved.]
When you upgrade Junos OS, traffic might not flow between two directly connected interfaces. [PR/661131: This issue has been resolved.]


Interfaces

On EX Series switches, a LAG interface might not come up when the primary interface is disabled and link protection is enabled. [PR/603194: This issue has been resolved.]
If you use the restart vrrp command to restart VRRP, a ppmd core file might be created. [PR/602606: This issue has been resolved.]

Management and RMON

If SNMP is running on the switch, the Ethernet switching process (eswd) might stop operating and you might see a core file on the switch. [PR/596305: This issue has been resolved.]

Virtual Chassis

On a Virtual Chassis that is configured with a private VLAN (PVLAN) and a link aggregation group (LAG), if the Virtual Chassis loses one of its members, traffic flow might not resume properly across the remaining LAG members, resulting in traffic loss. [PR/587953: This issue has been resolved.]
On EX8200 Virtual Chassis, the output resource errors on the bme0 interface might increment continuously even after you reboot the interface. [PR/611243: This issue has been resolved.]
On an EX4200 Virtual Chassis on which you have configured VSTP and access security (either dynamic ARP inspection or DHCP snooping), an Ethernet switching process (eswd) core file might be created. [PR/611991: This issue has been resolved.]

Issues Resolved in Release 10.4R7


The following issues have been resolved since Junos OS Release 10.4R6. The identifier following the description is the tracking number in our bug database.

Access Control and Port Security

When the username for 802.1X (dot1x) authentication is too long, Junos OS truncates the username field. [PR/588063: This issue has been resolved.]

Hardware

When certain SFP transceivers that are not attached to optical cables are inserted into an EX Series switch, the switch does not generate low-power warnings or alarms. The transceivers that exhibit this behavior have these vendor (Opnext) part numbers: TRS2000EN-S201 (10G-SR), TRS2000EN-S211 (10G-SR), and TRS5020EN-S201 (10G-LR). Use the show chassis pic fpc-slot slot-number pic-slot slot-number command to display the vendor part numbers of the transceivers in your switch. [PR/613153: This issue has been resolved.]

Infrastructure

If you configure storm control with the action shutdown, after you reboot the switch, storm control is not enabled on all the ports on which it is configured. [PR/606054: This issue has been resolved.]


On EX4200 switches, if you specify the source-address statement when configuring a system log file, the switch might not send the correct source IP address to the system log (syslog) server after the switch reboots. [PR/608724: This issue has been resolved.]
A memory leak might occur, as evidenced by "jt_nh_multiple_init() returned error-code (No memory:3)!" system log (syslog) messages. This leak disrupts traffic forwarding. [PR/676826: This issue has been resolved.]

Management and RMON

When you use the snmpwalk application to get information about switch interfaces, it returns information about the incorrect interface. [PR/664940: This issue has been resolved.]

Multicast

The system log (syslog) files might fill up with the message "snp_igmp_io_flood: relay failed". These messages are informational only. They indicate that the system corrected itself from a condition in which it would have flooded an IGMP packet of unknown type out from the same port it was received on. [PR/564675: This issue has been resolved.]

Issues Resolved in Release 10.4R8


The following issues have been resolved since Junos OS Release 10.4R6. The identifier following the description is the tracking number in our bug database.

Ethernet Switching and Spanning Trees

On an EX4200 switch, when you disable a Q-in-Q interface on which you have configured a large number (more than 500) of VLAN swap rules, control traffic might be affected for about 10 minutes. During this time, the forwarding process (pfem) can consume up to 98 percent of the CPU. The system resumes its normal state after the forwarding process completes its processing. [PR/678792: This issue has been resolved.]
RSTP might process BPDUs that do not comply with the IEEE standard, which might lead to unintended spanning-tree convergence behavior. [PR/683829: This issue has been resolved.]
When you enable VLANs and Q-in-Q tunneling on a switch, the switch drops packets and no MAC address learning occurs. [PR/685481: This issue has been resolved.]

Infrastructure

After a graceful Routing Engine switchover (GRES) operation, the switch might not be able to send LACP packets properly. [PR/570321: This issue has been resolved.]
When the same firewall filter and Layer 3 classifier is applied to two Layer 3 interfaces, a Packet Forwarding Engine (pfem) core file might be created. [PR/683747: This issue has been resolved.]


An EX4200 switch might stop forwarding traffic, and a Packet Forwarding Engine (pfem) core file might be created. [PR/691504: This issue has been resolved.]
When 10-Gigabit Ethernet interfaces flap frequently, a routing protocol process (rpd) core file might be created. [PR/692126: This issue has been resolved.]

Layer 2 and Layer 3 Protocols

If a router or switch acting as both an autonomous system boundary router (ASBR) and an area border router (ABR) is reachable through both a backbone area and a stub area, and if the advertisement through stub area advertising has a higher metric than the advertisement through the backbone area, the external routes might be installed incorrectly in the routing table. The routing table entry incorrectly shows that the next hop is through the stub area. [PR/610813: This issue has been resolved.]

Management and RMON

The system log (syslog) files contain storm-control-related messages even when storm control is not configured. [PR/679231: This issue has been resolved.]

Multicast Protocols

You might not be able to delete stale multicast routes even though no corresponding (S, G) traffic exists. [PR/674419: This issue has been resolved.]
If interfaces go up and down frequently, a memory leak might occur and cfmd and mcsnoopd core files might be created. [PR/688356: This issue has been resolved.]
Approximately every 300 seconds, a multicast route entry is deleted and added back again, resulting in a traffic loss of about 1-3 seconds. [PR/698129: This issue has been resolved.]

Virtual Chassis

On EX3200 and EX4200 switches, transmit FIFO queue overruns might cause the switch to stop working. [PR/695071: This issue has been resolved.]

Related Documentation

New Features in Junos OS Release 10.4 for EX Series Switches on page 272
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 280
Limitations in Junos OS Release 10.4 for EX Series Switches on page 281
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 287
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 310
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313

Errata in Documentation for Junos OS Release 10.4 for EX Series Switches


This section lists outstanding issues with the documentation.


Access Control and Port Security

The document titled Understanding Server Fail Fallback and Authentication on EX Series Switches incorrectly states that the RADIUS authentication server sends an EAPoL access-reject message. It should say that the RADIUS authentication server sends a RADIUS access-reject message. This mistake also appears in the example and CLI procedure documents about configuring server fail fallback.

Fibre Channel over Ethernet

When you are configuring priority-based flow control (PFC), do not specify the exact option when configuring the buffer for the queue that is using PFC.

Interfaces

The EX Series Switch Software Features Overview topic incorrectly states that VLAN-tagged Layer 3 subinterfaces are supported on EX4500 switches. VLAN-tagged Layer 3 subinterfaces are not supported on EX4500 switches in Junos OS Release 10.4.
The Protocol Families and Supported Interface Types table in the topic "family (for EX Series switches)" incorrectly shows the circuit cross-connect (ccc) protocol family as being supported on aggregated Ethernet interfaces. This protocol family is not supported on aggregated Ethernet interfaces.
The traffic statistics fields in show interfaces commands show only control traffic; the traffic statistics do not include data traffic. This information was not included in relevant topics.
The documentation for configuring autonegotiation on Ethernet interfaces on EX Series switches neglects to state that you cannot disable autonegotiation on Tri-State copper Ethernet interfaces that are manually configured for 1-Gbps link speed. If you configure an interface for 1-Gbps link speed and no autonegotiation, you can commit the configuration without an error. However, on copper interfaces, this configuration is ignored as invalid and autonegotiation is enabled by default. To correct the configuration and disable autonegotiation:

1. Delete the no-auto-negotiation statement and commit the configuration.

2. Set the interface speed with the speed statement to 10 or 100 Mbps, set the no-auto-negotiation statement, and commit the configuration.

J-Web Interface

To access the J-Web interface, your management device requires the following software:

Supported browsers: Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0
Language support: English-version browsers
Supported OS: Microsoft Windows XP Service Pack 3


In the J-Web interface, you cannot configure interface ranges and interface groups.

Layer 2 Protocols

The EX Series Switch Software Features Overview topic incorrectly states that private VLAN (PVLAN) support across switches is available on EX8200 switches. PVLAN support across switches is not supported on EX8200 switches.

Management and RMON

In a port-mirroring configuration, you can now use the set ethernet-switching-options analyzer name output vlan vlan-id-or-name no-tag configuration mode command to specify that mirrored packets that are exiting from the output VLAN do not contain an additional VLAN tag (of the output VLAN). The no-tag statement is not yet described in the port-mirroring documentation.

Virtual Chassis

The EX Series Switch Software Features Overview in the EX Series Junos OS Release 10.4R1 documentation incorrectly states that, on EX8200 Virtual Chassis, the IP source guard feature is supported in Junos OS Release 10.3R1 and that the multicast storm control feature is supported in Junos OS Release 10.3R2. These features are not supported on EX8200 Virtual Chassis.

In the EX4500 switch hardware documentation, the following note appears at several different locations:

NOTE: Operating an EX4500 switch without the Virtual Chassis module or the intraconnect module installed is not supported. EX4500 switches running Junos OS Release 10.4R2 or later will not boot if you do not install either the Virtual Chassis module or the Intraconnect module in the switch.

This note is incorrect. The corrected note should read:

NOTE: Operating an EX4500 switch without the Virtual Chassis module or the intraconnect module installed is not supported. EX4500 switches running Junos OS Release 10.4R2 or later 10.4 releases will not boot if you do not install the intraconnect module in the switch.

Related Documentation

New Features in Junos OS Release 10.4 for EX Series Switches on page 272
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 280
Limitations in Junos OS Release 10.4 for EX Series Switches on page 281
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 287
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 294
Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 313


Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches
This section discusses the following topics:

Upgrading from Junos OS Release 10.4R3 or Later on page 313
Upgrading from Junos OS Release 10.4R2 or Earlier on page 314
Downgrading Software to Release 10.4R2 or Earlier on page 323
Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 324
Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches on page 324
Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches on page 325

Upgrading from Junos OS Release 10.4R3 or Later


You can use this procedure to upgrade Junos OS on a standalone EX Series switch with a single Routing Engine. You can also use it to upgrade all members of a Virtual Chassis or a single member of a Virtual Chassis. To upgrade software on a standalone EX8200 switch with dual Routing Engines, see Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure) or Upgrading Software Using Nonstop Software Upgrade (CLI Procedure). To install software upgrades on a switch with a single Routing Engine or on a Virtual Chassis:

1. Download the software package as described in Downloading Software Packages from Juniper Networks.

2. (Optional) Back up the current software configuration to a second storage option. See the Junos OS Installation and Upgrade Guide at http://www.juniper.net/techpubs/software/junos/index.html for instructions.

3. (Optional) Copy the software package to the switch. We recommend that you use FTP to copy the file to the /var/tmp directory. This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location.

4. Install the new package on the switch:

user@switch> request system software add package

Replace package with one of the following paths:

For a software package in a local directory on the switch: /var/tmp/package.tgz
For a software package on a remote server:
ftp://hostname/pathname/package.tgz
http://hostname/pathname/package.tgz

where package.tgz is, for example, jinstall-ex-4200-10.4R4.7-domestic-signed.tgz.


Include the optional member option to install the software package on only one member of a Virtual Chassis:

user@switch> request system software add package member member-id

Other members of the Virtual Chassis are not affected. To install the software on all members of the Virtual Chassis, do not include the member option.

NOTE: To abort the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, jinstall-ex-8200-10.2R1.8-domestic-signed.tgz. This is your last chance to stop the installation.

5. Reboot to start the new software (to reboot a single member, use the member option):

user@switch> request system reboot

6. After the reboot has completed, log in and verify that the new version of the software is properly installed:

user@switch> show version

Upgrading from Junos OS Release 10.4R2 or Earlier


Upgrading to Junos OS Release 10.4R3 or later from Release 10.4R2 or earlier is more involved than previous upgrades as a result of the introduction of resilient dual-root partitions in Release 10.4R3. This new feature incorporates enhancements that add additional steps when you upgrade from a release that does not support resilient dual-root partitions to one that does. Once you are running a release that supports resilient dual-root partitions, such as Release 10.4R4, future upgrades will not require these additional steps. The following points summarize the differences between this upgrade and previous upgrades. Detailed upgrade instructions are provided in subsequent sections.

The disk is automatically reformatted from three partitions to four partitions during the reboot of the switch that completes the Junos OS upgrade. The reformat increases the reboot time for EX8200 switches by 10 to 25 minutes per Routing Engine. For other switches, the increase in boot time is 5 to 10 minutes. The configuration files in /config are saved in volatile memory before the reformat and then restored after the reformat; however, the files in /var are not saved and are lost after the upgrade.

NOTE: We recommend that you copy your data files to external media using the request system snapshot command before you perform the upgrade. Files in the /var directory, such as log files and user /home directories, are not saved. In addition, a power failure during the reboot could cause the configuration files to be lost.


You must upgrade the loader software. You upgrade the loader software by installing the loader software package from the CLI. On switches other than the EX8200 switches, upgrading the loader software does not significantly increase the upgrade time because you can complete the upgrade of both Junos OS and the loader software with a single reboot. On EX8200 switches, upgrading the loader software requires two additional reboots per Routing Engine because of the way the loader software is stored in the flash memory. On EX8200 switches only, you can verify that the loader software requires upgrading before you perform the upgrade; if the loader software does not need upgrading, the additional reboots per Routing Engine are not required.

NOTE: If you upgrade to Release 10.4R3 or later and do not upgrade the loader software, the switch will come up and will function normally. However, if the switch cannot boot from the active root partition, it will not be able to transparently boot from the alternate root partition.

Table 25 on page 315 lists the installation packages required to upgrade the loader software.

Table 25: Required Installation Packages for Upgrading the Loader Software

Platform                         Installation Package
EX2200 switch                    jloader-ex-2200-11.3-date-signed.tgz
EX3200 switch                    jloader-ex-3242-11.3-date-signed.tgz
EX4200 switch                    jloader-ex-3242-11.3-date-signed.tgz
EX4500 switch                    jloader-ex-4500-11.3-date-signed.tgz
EX8200 switch                    jloader-ex-8200-11.3-date-signed.tgz
XRE200 External Routing Engine   The loader software does not need to be upgraded.

To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

For the upgrade to Release 10.4R4, the upgrade process automatically copies the contents of the primary root partition to the alternate root partition at the end of the upgrade process. Because the resilient dual-root partitions feature enables the switch to boot transparently from the alternate root partition, we recommend that you use the request system snapshot command to copy the contents of the primary root partition to the alternate root partition after all future Junos OS upgrades.


NOTE: If you upgrade the loader software in a separate step after you upgrade Junos OS, users might see the following message when they log in to the switch:
At least one package installed on this device has limited support

This message can be safely ignored. You can permanently remove this message by deleting the loader software package and rebooting the system. For example, on an EX4200 switch:
user@switch> request system software delete jloader-ex-3242
Unmounted /packages/mnt/jloader-ex-8200-11.3-20110310.0
...
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

The following pages include instructions and information for performing a software upgrade or downgrade:

Determining Whether the Loader Software Needs Upgrading on EX8200 Switches and EX8200 Virtual Chassis on page 316
Upgrading the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200, and EX4500 Switches on page 318
Upgrading the Loader Software and Junos OS on EX4200 Virtual Chassis on page 319
Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches on page 321
Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis on page 323

Determining Whether the Loader Software Needs Upgrading on EX8200 Switches and EX8200 Virtual Chassis

Before you begin the software upgrade on an EX8200 switch or an EX8200 Virtual Chassis, determine whether the loader software needs upgrading. It is possible that a switch running a Junos OS release earlier than Release 10.4R3 has a version of the loader software installed that supports resilient dual-root partitions. For example, the switch might have been shipped from the factory with a Junos OS release earlier than Release 10.4R3 but with a version of the loader software that supports resilient dual-root partitions. Or the switch might have been downgraded from a Junos OS release that supports resilient dual-root partitions but still retain a version of the loader software that supports resilient dual-root partitions.

NOTE: This procedure is available only on EX8200 switches. On all other switches, you must upgrade your loader software.

To determine whether the loader software needs upgrading:

1. Determine the version of the loader software:


user@switch> show chassis firmware
Part                     Type       Version
FPC 6                    U-Boot     U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 7                    U-Boot     U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
Routing Engine 0         U-Boot     U-Boot 1.1.6 (Mar 2 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.3
Routing Engine 1         U-Boot     U-Boot 1.1.6 (Mar 2 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.3

NOTE: On an EX8200 Virtual Chassis, you cannot execute this command on the master external Routing Engine. The command must be executed on each member switch:

1. From the master external Routing Engine, start a shell session on the member switch. For example:

user@external-routing-engine> request session member 0

2. Enter the CLI and execute the show chassis firmware command.

3. Repeat these steps for the other member switch.

The loader software version appears after the timestamp for U-Boot 1.1.6. In the preceding example, the version is 3.5.0. (Ignore the 1.1.6 version information in U-Boot 1.1.6; it does not indicate whether or not the version of the loader software supports resilient dual-root partitioning.)

2. If the loader software version is 3.5.0 or later on EX8200 switches, your loader software does not need upgrading to support resilient dual-root partitioning. To upgrade to Release 10.4R4, install Junos OS, following the standard installation procedures. See Upgrading from Junos OS Release 10.4R3 or Later on page 313.

3. If the loader software version is earlier than 3.5.0, you must upgrade your loader software. Follow the instructions in Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches on page 321.


Upgrading the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200, and EX4500 Switches

To upgrade the loader software and Junos OS on EX2200, EX3200, standalone EX4200, and EX4500 switches:

1. Download the loader software package and the Junos OS package from the Juniper Networks website as described in Downloading Software Packages from Juniper Networks. Place the software packages on an internal software distribution site or in a local directory on the switch. We recommend using /var/tmp as the local directory on the switch.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click the link to the PSN document.

NOTE: If you are monitoring the reboot from the console, you see messages similar to the following during the disk reformat:

Disk needs to be formatted in order to proceed
Saving the configuration in memory before formatting the disk
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)
32+0 records in
32+0 records out
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)
******* Working on device /dev/da0 *******
. . .
Restoring configuration

2. Install the loader package:
user@switch> request system software add package

Replace package with one of the following paths:
For a software package in the /var/tmp directory on the switch: /var/tmp/package.tgz
For a software package on a remote server:
ftp://hostname/pathname/package.tgz
http://hostname/pathname/package.tgz
where package.tgz is, for example, jloader-ex-3242-11.3-date-signed.tgz.

3. Install the Junos OS package, following the same procedure you used to install the loader software package.


4. Reboot the switch:


Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches

user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

If you are monitoring the reboot from the console, you see messages similar to the following during the partition reformat:
Disk needs to be formatted in order to proceed
Saving the configuration in memory before formatting the disk
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)
32+0 records in
32+0 records out
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)
******* Working on device /dev/da0 *******
. . .
Restoring configuration

5. Verify that the loader software has been upgraded:
user@switch> show chassis firmware
Part                     Type       Version
FPC 0                    uboot      U-Boot 1.1.6 (Mar 11 2011 - 04:41:52) 1.0.0
                         loader     FreeBSD/arm U-Boot loader 1.1

The U-Boot version number that follows the date information must be 1.0.0 or later.
6. Verify that Junos OS has been upgraded:

user@switch> show version

Upgrading the Loader Software and Junos OS on EX4200 Virtual Chassis

You perform the upgrade of the loader software and Junos OS of an EX4200 Virtual Chassis from the Virtual Chassis master switch. The master switch pushes the installation packages to all the Virtual Chassis members. You can also upgrade the loader software and Junos OS on a single member switch from the Virtual Chassis master switch. To upgrade the loader software and Junos OS:

1. Download the loader software package and the Junos OS package from the Juniper Networks website as described in Downloading Software Packages from Juniper Networks. Place the software packages on an internal software distribution site or in a local directory on the master switch. We recommend using /var/tmp as the local directory on the master switch.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

2. Log in to the master of the Virtual Chassis.
3. Install the loader software package:

To install the package on all members of an EX4200 Virtual Chassis:


user@switch> request system software add package

To install the package on a single member of a Virtual Chassis:


user@switch> request system software add package member member-id

Replace package with one of the following paths:
For a software package in the /var/tmp directory on the switch: /var/tmp/package.tgz
For a software package on a remote server:
ftp://hostname/pathname/package.tgz
http://hostname/pathname/package.tgz
where package.tgz is, for example, jloader-ex-3242-11.3-date-signed.tgz.

4. Install the Junos OS package, following the same procedure you used to install the loader software package.


5. Reboot the Virtual Chassis:

user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes

If you are monitoring the reboot from the console, you see messages similar to the following during the disk reformat:
Disk needs to be formatted in order to proceed
Saving the configuration in memory before formatting the disk
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)
32+0 records in
32+0 records out
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)
******* Working on device /dev/da0 *******
. . .
Restoring configuration

6. Verify that the new version of the loader software is on all members of the Virtual Chassis:
root@switch> show chassis firmware
fpc0:
--------------------------------------------------------------------------
Part                     Type       Version
FPC 0                    uboot      U-Boot 1.1.6 (Mar 10 2011 - 11:27:42) 1.0.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.1
FPC 1                    uboot      U-Boot 1.1.6 (Mar 10 2011 - 11:27:42) 1.0.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.1

The U-Boot version number that follows the date information must be 1.0.0 or later.

7. Verify that the new Junos OS release is on all members of the Virtual Chassis:
root@switch> show version


Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches

NOTE: On EX8200 switches only, you must upgrade Junos OS before you can upgrade the loader software.

The loader software for an EX8200 Routing Engine resides in two flash memory banks. At any time, one bank acts as the primary bank and the Routing Engine boots from it. The other bank is the backup bank: if the Routing Engine cannot boot from the primary bank, it boots from the backup bank. When you upgrade the loader software, the upgraded software is installed in the backup bank, which then becomes the new primary bank. Thus the primary and backup banks alternate each time you upgrade the loader software, with the primary bank containing the most recently installed version of the software and the backup bank containing the previous version. To upgrade the loader software on an EX8200 Routing Engine, you must perform the upgrade twice: once for each bank. Each upgrade requires a reboot of the Routing Engine.

NOTE: If you do not upgrade the loader software in both banks and the Routing Engine boots from the previous version of the loader software in the backup bank, the Routing Engine can no longer boot transparently from the alternate root partition if it cannot boot from the primary root partition.

For an EX8200 switch with redundant Routing Engines, you must upgrade the loader software on both Routing Engines. You can upgrade the loader software on a Routing Engine only when it is master. Make sure that graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) are disabled before you begin the upgrade. To upgrade the master Routing Engine on a switch with redundant Routing Engines or to upgrade the Routing Engine on a switch with a single Routing Engine:
1. Download and install the Junos OS package on each Routing Engine as described in Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure).

2. Download the loader software package from the Juniper Networks website and place the software package on an internal software distribution site or in a local directory on the switch. We recommend using /var/tmp as the local directory on the switch.

NOTE: To obtain the loader software package, see the Download Software page at http://www.juniper.net/support/products/junos/dom/. Click on the version, then the Software tab, then the name of the software install package. In the pop-up Alert box, click on the link to the PSN document.

3. Log in to the switch and enter the shell. We recommend using a console connection.
4. Determine the primary bank and the version of the loader software in the bank:
% kenv | grep boot.primary.bank
boot.primary.bank="0"


% kenv | grep boot.ver
boot.ver="2.4.0"
5. Enter the CLI and install the loader package:
user@switch> request system software add package

Replace package with one of the following paths:
For a software package in the /var/tmp directory on the switch: /var/tmp/package.tgz
For a software package on a remote server:
ftp://hostname/pathname/package.tgz
http://hostname/pathname/package.tgz
where package.tgz is, for example, jloader-ex-8200-11.3-date-signed.tgz.


6. Upgrade the firmware:
user@switch> request system firmware upgrade scb
Firmware upgrade initiated.... Please wait for ~2mins for upgrade to complete....
7. After waiting for a couple of minutes, reboot the Routing Engine:
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
8. Enter the shell and verify that the previous backup bank is now the primary bank and that it contains the upgraded loader software:
% kenv | grep boot.primary.bank
boot.primary.bank="1"
% kenv | grep boot.ver
boot.ver="3.5.0"
9. To install the loader software in the current backup bank, repeat Step 4 through Step 8.

NOTE: If you installed the loader software package from /var/tmp, you will need to copy the loader software package to /var/tmp again before you can repeat step 4 through step 8 because it is removed after each installation.

10. (Optional) The following message might be displayed when a user logs in to the system:
--- JUNOS 10.4R4.4 built 2011-03-19 22:06:32 UTC
At least one package installed on this device has limited support.
Run 'file show /etc/notices/unsupported.txt' for details..

This message can be safely ignored. It appears as a result of upgrading the loader software after you upgrade Junos OS.


You can permanently remove this message by removing the loader software package and rebooting the system:
user@switch> request system software delete jloader-ex-8200
Unmounted /packages/mnt/jloader-ex-8200-11.3-20110310.0 ...
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
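As an added example (not from the Juniper release notes), the following POSIX sh script performs the two version checks the procedures above rely on: it reads boot.primary.bank and boot.ver from kenv output on an EX8200 and reports whether the current primary bank already holds loader 3.5.0 or later, and for the other EX switches it extracts the loader version that follows the U-Boot timestamp on a show chassis firmware line and checks it against 1.0.0. The kenv lines and the firmware line are constructed samples; on a switch you would pipe the real command output in instead.

```shell
#!/bin/sh
# Added example, not Juniper code: pre-upgrade loader version checks for the
# resilient dual-root procedures. Sample output below is constructed so the
# script runs offline; on a switch, feed it real "kenv" or
# "show chassis firmware" output instead.

# Constructed sample of the two kenv lines read in the EX8200 procedure (step 4).
SAMPLE_KENV='boot.primary.bank="0"
boot.ver="2.4.0"'

# Constructed sample of one "show chassis firmware" uboot line (EX4200 member).
SAMPLE_UBOOT_LINE='FPC 0 uboot U-Boot 1.1.6 (Mar 10 2011 - 11:27:42) 1.0.0'

# Print the value of one kenv variable with its surrounding quotes removed.
# $1 = variable name; kenv output on stdin.
kenv_value() {
  sed -n "s/^$1=\"\([^\"]*\)\"\$/\1/p"
}

# Return 0 when dotted version $1 is greater than or equal to $2, else 1.
# Components are compared numerically; a missing component counts as 0,
# so 3.5 and 3.5.0 compare equal.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# EX8200: print "ok <bank> <version>" when the primary bank already holds
# loader 3.5.0 or later, otherwise "upgrade <bank> <version>" (the bank that
# will be written is the other one, and the check must be repeated after the
# reboot for the second bank). kenv output on stdin.
ex8200_loader_status() {
  out=$(cat)
  bank=$(printf '%s\n' "$out" | kenv_value boot.primary.bank)
  ver=$(printf '%s\n' "$out" | kenv_value boot.ver)
  if version_ge "$ver" 3.5.0; then
    printf 'ok %s %s\n' "$bank" "$ver"
  else
    printf 'upgrade %s %s\n' "$bank" "$ver"
  fi
}

# Other EX switches: take the version that follows the U-Boot timestamp on a
# "show chassis firmware" uboot line ($1) and compare it against 1.0.0.
# Prints "ok <version>", "upgrade <version>", or "unknown" if no version parses.
uboot_loader_status() {
  ver=$(printf '%s\n' "$1" |
    sed -n 's/.*uboot U-Boot [0-9.]* ([^)]*) *\([0-9][0-9.]*\).*/\1/p')
  if [ -z "$ver" ]; then
    printf 'unknown\n'
  elif version_ge "$ver" 1.0.0; then
    printf 'ok %s\n' "$ver"
  else
    printf 'upgrade %s\n' "$ver"
  fi
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_KENV" | ex8200_loader_status
uboot_loader_status "$SAMPLE_UBOOT_LINE"
```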

To upgrade the backup Routing Engine on a switch with redundant Routing Engines:

1. Log in to the backup Routing Engine. We recommend using a console connection.

2. Perform a master switchover so that the backup Routing Engine becomes the master:
user@switch> request chassis routing-engine master switch
warning: Traffic will be interrupted while the PFE is re-initialized
Toggle mastership between routing engines ? [yes,no] (no) yes
Resolving mastership...
Complete. The local routing engine becomes the master.

3. Follow the same procedure for upgrading the loader software that you used for the original master Routing Engine (Step 2 through Step 10). When you reboot the Routing Engine after upgrading the loader software in the first bank, mastership returns to the original master Routing Engine. You will need to perform another master switchover before you can upgrade the loader software in the second bank.

Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis

To upgrade an EX8200 Virtual Chassis, you must remove the member switches from the Virtual Chassis and upgrade them as described in Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches on page 321. The loader software on the XRE200 External Routing Engine does not require upgrading.

Downgrading Software to Release 10.4R2 or Earlier


When you downgrade to a Junos OS release that does not support resilient dual-root partitions (Release 10.4R2 or earlier), the downgrade process automatically:

Reformats the disk from four partitions to three partitions during the reboot of the switch that completes the Junos OS downgrade. The reformat causes a one-time increase in boot time: 10 to 25 additional minutes per Routing Engine for EX8200 switches; 5 to 10 additional minutes for other switches.

Disables the boot-sequencing function of the loader software. With the boot-sequencing function disabled, the loader software behaves as it did before resilient dual-root partitions were introduced. The loader software itself is not downgraded; there is no need to downgrade the loader software.

To downgrade to Release 10.4R2 or earlier:

1. Use the request system snapshot command to save your data files to external media before you perform the downgrade.


NOTE: Files in the /config directory are saved and restored during the downgrade process. However, files in the /var directory, such as log files and user /home directories, are not saved. In addition, a power failure during the reboot could cause the configuration files to be lost.

2. Downgrade Junos OS.

Upgrade Policy for Junos OS Extended End-Of-Life Releases


An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases. For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.

For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged. For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.

Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches


The ARP aging time configuration in the system configuration stanza in Junos OS Release 9.4R1 is incompatible with the ARP aging time configuration in Junos OS Release 9.3R1 or earlier and Junos OS Release 9.4R2 or later. If you have configured system arp aging-timer aging-time on EX Series switches running Junos OS Release 9.4R1 and upgrade to Junos OS Release 9.4R2 or later or downgrade to Junos OS Release 9.3R1 or earlier, the switch will display configuration errors on booting up after the upgrade or downgrade. As a workaround, delete the arp aging-timer aging-time configuration in the system configuration stanza and reapply the configuration after you complete the upgrade or downgrade.

The format of the file in which the EX4200 Virtual Chassis topology information is stored was changed in Junos OS Release 9.4. When you downgrade Junos OS Release 9.4 or later running on EX4200 switches in a Virtual Chassis to Junos OS Release 9.3 or earlier, make topology changes, and then upgrade to Junos OS Release 9.4 or later, the topology changes you have made using Junos OS Release 9.3 or earlier are not retained. The switch restores the last topology change you have made using Junos OS Release 9.4.


Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches
If you are upgrading from Junos OS Release 9.3R1 and have voice over IP (VoIP) enabled on a private VLAN (PVLAN), you must remove this configuration before upgrading, to prevent upgrade problems. VoIP on PVLAN interfaces is not supported in releases later than Junos OS Release 9.3R1.

Related Documentation

New Features in Junos OS Release 10.4 for EX Series Switches on page 272
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 280
Limitations in Junos OS Release 10.4 for EX Series Switches on page 281
Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 287
Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 294
Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 310


Junos OS Documentation and Release Notes


For a list of related Junos OS documentation, see http://www.juniper.net/techpubs/software/junos/.

If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes. To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

Document name
Document part number
Page number
Software release version

Requesting Technical Support


Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.
Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.


JTAC Hours of Operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html. If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:
user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net:pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to support@juniper.net. For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/.


Revision History
28 November 2011: Revision 18, Junos Release 10.4R8
23 November 2011: Revision 17, Junos Release 10.4R8
14 September 2011: Revision 16, Junos Release 10.4R7
13 September 2011: Revision 15, Junos Release 10.4R7
28 July 2011: Revision 14, Junos Release 10.4R6
26 July 2011: Revision 13, Junos Release 10.4R6
16 June 2011: Revision 12, Junos Release 10.4R5
09 May 2011: Revision 11, Junos Release 10.4R4
08 April 2011: Revision 10, Junos Release 10.4R3
25 March 2011: Revision 9, Junos Release 10.4R3
21 March 2011: Revision 8, Junos Release 10.4R3
04 March 2011: Revision 7, Junos Release 10.4R2
11 February 2011: Revision 6, Junos Release 10.4R2
04 February 2011: Revision 5, Junos Release 10.4R1
25 January 2011: Revision 4, Junos Release 10.4R1
14 January 2011: Revision 3, Junos Release 10.4R1
21 December 2010: Revision 2, JUNOS Release 10.4R1

Copyright 2011, Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
