Release Notes - Juniper Networks
Release Notes - Juniper Networks
Release Notes - Juniper Networks
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Junos ® OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
<strong>Release</strong> 11.4R7<br />
05 March 2013<br />
Revision 1<br />
These release notes accompany <strong>Release</strong> 11.4R7 of the Junos operating system (Junos<br />
OS). They describe device documentation and known problems with the software. Junos<br />
OS runs on all <strong>Juniper</strong> <strong>Networks</strong> M Series, MX Series, and T Series routing platforms, SRX<br />
Series Services Gateways, J Series Services Routers, and the EX Series Ethernet Switches.<br />
For the latest, most complete information about outstanding and resolved issues with<br />
the Junos OS software, see the <strong>Juniper</strong> <strong>Networks</strong> online software defect search application<br />
at http://prsearch.juniper.net.<br />
You can also find these release notes on the <strong>Juniper</strong> <strong>Networks</strong> Junos OS Documentation<br />
Web page, which is located at https://www.juniper.net/techpubs/software/junos/.<br />
Contents Junos OS <strong>Release</strong> <strong>Notes</strong> for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8<br />
New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches . . . . . . . . . . . . 8<br />
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8<br />
Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
Ethernet Switching and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10<br />
Layer 2 and Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10<br />
Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10<br />
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX<br />
Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
Ethernet Switching and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
Fibre Channel over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches . . . . . . . . . . . . . . 12<br />
Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
Ethernet Switching and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14<br />
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
1
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
Multicast Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches . . . . . . . 18<br />
Access Control and Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
Ethernet Switching and Spanning Trees . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20<br />
Management and RMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
Virtual Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches . . . . . . . . . . 23<br />
Issues Resolved in <strong>Release</strong> 11.4R1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24<br />
Issues Resolved in <strong>Release</strong> 11.4R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32<br />
Issues Resolved in <strong>Release</strong> 11.4R3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36<br />
Issues Resolved in <strong>Release</strong> 11.4R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41<br />
Issues Resolved in <strong>Release</strong> 11.4R5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42<br />
Issues Resolved in <strong>Release</strong> 11.4R6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44<br />
Issues Resolved in <strong>Release</strong> 11.4R7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46<br />
Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX<br />
Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48<br />
Changes to the Junos OS for EX Series Switches Documentation . . . . . 48<br />
Errata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48<br />
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49<br />
Upgrade and Downgrade Support Policy for Junos OS <strong>Release</strong>s . . . . . . 49<br />
Upgrading from Junos OS <strong>Release</strong> 10.4R3 or Later . . . . . . . . . . . . . . . . . 50<br />
Upgrading from Junos OS <strong>Release</strong> 10.4R2 or Earlier . . . . . . . . . . . . . . . . . 51<br />
Downgrading to Junos OS <strong>Release</strong> 10.4R2 or Earlier . . . . . . . . . . . . . . . . 69<br />
Downgrading to an Earlier Junos OS <strong>Release</strong> . . . . . . . . . . . . . . . . . . . . . . 69<br />
Upgrading EX Series Switches Using NSSU . . . . . . . . . . . . . . . . . . . . . . . 70<br />
Junos OS <strong>Release</strong> <strong>Notes</strong> for M Series Multiservice Edge Routers, MX Series 3D<br />
Universal Edge Routers, and T Series Core Routers . . . . . . . . . . . . . . . . . . . . . 73<br />
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series<br />
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73<br />
Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74<br />
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78<br />
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80<br />
Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101<br />
Layer 2 Ethernet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103<br />
MPLS Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104<br />
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107<br />
Network Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108<br />
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113<br />
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114<br />
Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117<br />
System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145<br />
User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151<br />
2<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152<br />
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos<br />
OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers . . . . . . . . 153<br />
Changes in Default Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 153<br />
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series<br />
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172<br />
Current Software <strong>Release</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172<br />
Previous <strong>Release</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202<br />
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series,<br />
MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293<br />
Errata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293<br />
Changes to the Junos OS Documentation Set . . . . . . . . . . . . . . . . . . . . 319<br />
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series,<br />
MX Series, and T Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321<br />
Basic Procedure for Upgrading to <strong>Release</strong> 11.4 . . . . . . . . . . . . . . . . . . . . 321<br />
Upgrade and Downgrade Support Policy for Junos OS <strong>Release</strong>s . . . . . 324<br />
Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 325<br />
Upgrading <strong>Juniper</strong> Network Routers Running Draft-Rosen Multicast<br />
VPN to Junos OS <strong>Release</strong> 10.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325<br />
Upgrading the Software for a Routing Matrix . . . . . . . . . . . . . . . . . . . . . 327<br />
Upgrading Using ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328<br />
Upgrading from Junos OS <strong>Release</strong> 9.2 or Earlier on a Router Enabled<br />
for Both PIM and NSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328<br />
Downgrade from <strong>Release</strong> 11.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329<br />
Junos OS <strong>Release</strong> <strong>Notes</strong> for Branch SRX Series Services Gateways and J Series<br />
Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331<br />
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services<br />
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . 331<br />
<strong>Release</strong> 11.4R5 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332<br />
<strong>Release</strong> 11.4R3 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335<br />
<strong>Release</strong> 11.4R2 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336<br />
Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338<br />
Hardware Features—SRX210 Services Gateways . . . . . . . . . . . . . . . . . 346<br />
Hardware Features—SRX240 Services Gateway . . . . . . . . . . . . . . . . . . 347<br />
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for Branch<br />
SRX Series Services Gateways and J Series Services Routers . . . . . . . . 350<br />
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351<br />
AppSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351<br />
Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352<br />
Deprecated Items for Branch SRX Series Services Gateways . . . . . . . . 353<br />
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354<br />
Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356<br />
Internet Protocol Security (IPsec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356<br />
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . 356<br />
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357<br />
System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357<br />
Virtual Private <strong>Networks</strong> (VPNs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
3
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services<br />
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . 357<br />
AppSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357<br />
AX411 Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357<br />
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358<br />
Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359<br />
DOCSIS Mini-PIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359<br />
Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . 359<br />
Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359<br />
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360<br />
Group VPN Interoperability with Cisco’s GET VPN for <strong>Juniper</strong> <strong>Networks</strong><br />
Security Devices that Support Group VPN . . . . . . . . . . . . . . . . . . . . 361<br />
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363<br />
Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363<br />
Internet Key Exchange Version 2 (IKEv2) . . . . . . . . . . . . . . . . . . . . . . . . 365<br />
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . 365<br />
IPv6 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367<br />
IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368<br />
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368<br />
Layer 2 Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370<br />
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370<br />
Power over Ethernet (PoE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371<br />
Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371<br />
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372<br />
Stream Control Transmission Protocol (SCTP) . . . . . . . . . . . . . . . . . . . 372<br />
Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372<br />
Upgrade and Downgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372<br />
Virtual Private <strong>Networks</strong> (VPNs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373<br />
Unsupported CLI for Branch SRX Series Services Gateways and J Series<br />
Services Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373<br />
Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for Branch SRX Series<br />
Services Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . 378<br />
Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378<br />
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378<br />
Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379<br />
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379<br />
Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services<br />
Gateways and J Series Services Routers . . . . . . . . . . . . . . . . . . . . . . . . 380<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R7 for Branch SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R6 for Branch SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R5 for Branch SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R4 for Branch SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R3 for Branch SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388<br />
4<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4R2 for Branch SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R1 for Branch SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397<br />
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch<br />
SRX Series Services Gateways and J Series Services Routers . . . . . . . . 401<br />
Errata for the Junos OS Software Documentation . . . . . . . . . . . . . . . . . 401<br />
Errata for the Junos OS Hardware Documentation . . . . . . . . . . . . . . . . 407<br />
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for Branch<br />
SRX Series Services Gateways and J Series Services Routers . . . . . . . 409<br />
Upgrading and Downgrading among Junos OS <strong>Release</strong>s . . . . . . . . . . . 409<br />
Upgrading an AppSecure Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411<br />
Upgrade and Downgrade Scripts for Address Book Configuration . . . . . 411<br />
Upgrade Policy for Junos OS Extended End-Of-Life <strong>Release</strong>s . . . . . . . . 414<br />
Hardware Requirements for Junos OS <strong>Release</strong> 11.4 for SRX Series<br />
Services Gateways and J Series Services Routers . . . . . . . . . . . . . . 414<br />
Junos OS <strong>Release</strong> <strong>Notes</strong> for High-End SRX Series Services Gateways . . . . . . . . . 417<br />
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services<br />
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417<br />
<strong>Release</strong> 11.4R5 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417<br />
<strong>Release</strong> 11.4R4 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422<br />
<strong>Release</strong> 11.4R3 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422<br />
<strong>Release</strong> 11.4R2 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423<br />
Software Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424<br />
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for<br />
High-End SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . 436<br />
AppSecure Application Package Upgrade Changes . . . . . . . . . . . . . . . 436<br />
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437<br />
Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437<br />
Deprecated Items for High-End SRX Series Services Gateways . . . . . . 437<br />
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438<br />
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . 438<br />
In-Service Software Upgrade (ISSU) . . . . . . . . . . . . . . . . . . . . . . . . . . . 439<br />
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . 439<br />
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440<br />
Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440<br />
Management Information Base (MIB) . . . . . . . . . . . . . . . . . . . . . . . . . . 440<br />
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441<br />
Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441<br />
Security Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441<br />
System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441<br />
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services<br />
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443<br />
AppSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443<br />
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444<br />
Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . 445<br />
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445<br />
General Packet Radio Service (GPRS) . . . . . . . . . . . . . . . . . . . . . . . . . . 447<br />
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
5
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Interfaces and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448<br />
Internet Key Exchange Version 2 (IKEv2) . . . . . . . . . . . . . . . . . . . . . . . . 448<br />
Intrusion Detection and Prevention (IDP) . . . . . . . . . . . . . . . . . . . . . . . 449<br />
Internet Protocol Security (IPsec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450<br />
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451<br />
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451<br />
Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451<br />
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453<br />
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455<br />
Simple Network Management Protocol (SNMP) . . . . . . . . . . . . . . . . . 455<br />
Unsupported CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455<br />
Virtual Private <strong>Networks</strong> (VPNs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456<br />
Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458<br />
Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458<br />
Command-Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458<br />
Flow and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458<br />
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459<br />
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services<br />
Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R6 for High-End SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R5 for High-End SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R4 for High-End SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R3 for High-End SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R2 for High-End SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R1 for High-End SRX Series<br />
Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479<br />
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End<br />
SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482<br />
Errata for the Junos OS Software Documentation . . . . . . . . . . . . . . . . . 482<br />
Errata for the Junos OS Hardware Documentation . . . . . . . . . . . . . . . . 488<br />
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for High-End<br />
SRX Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489<br />
Upgrading and Downgrading among Junos OS <strong>Release</strong>s . . . . . . . . . . . 489<br />
Upgrading an AppSecure Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491<br />
Upgrade and Downgrade Scripts for Address Book Configuration . . . . 491<br />
Upgrade Policy for Junos OS Extended End-Of-Life <strong>Release</strong>s . . . . . . . 494<br />
Hardware Requirements for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494<br />
Junos OS Documentation and <strong>Release</strong> <strong>Notes</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . 495<br />
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495<br />
6<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495<br />
Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
7
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Junos OS <strong>Release</strong> <strong>Notes</strong> for EX Series Switches<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 8<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 11<br />
• Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 12<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 18<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 23<br />
• Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 48<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 49<br />
New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
This section describes new features in <strong>Release</strong> 11.4 of the Junos operating system (Junos<br />
OS) for EX Series switches.<br />
Not all EX Series software features are supported on all EX Series switches in the current<br />
release. For a list of all EX Series software features and their platform support, see EX<br />
Series Switch Software Features Overview.<br />
New features are described on the following pages:<br />
• Hardware on page 8<br />
• Access Control and Port Security on page 9<br />
• Ethernet Switching and Spanning Trees on page 9<br />
• Infrastructure on page 10<br />
• Layer 2 and Layer 3 Protocols on page 10<br />
• Management and RMON on page 10<br />
Hardware<br />
• Support for enhanced feature licenses on EX3300 switches—EX3300 switches now<br />
support enhanced feature licenses (EFLs). [See Understanding Software Licenses for<br />
EX Series Switches.]<br />
• EX4500 Virtual Chassis and mixed EX4200 and EX4500 Virtual Chassis<br />
enhancements—An EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual<br />
Chassis can now include up to ten EX4500 member switches. An EX4200 switch and<br />
an EX4500 switch can now be configured in the master and backup roles in the same<br />
mixed EX4200 and EX4500 Virtual Chassis. These Virtual Chassis now support nonstop<br />
bridging (NSB) and Link Aggregation Control Protocol (LACP). [See EX3300, EX4200,<br />
and EX4500 Virtual Chassis, Understanding Nonstop Bridging on EX Series Switches, and<br />
Understanding Aggregated Ethernet Interfaces and LACP.]<br />
• New line card support for EX8200 Virtual Chassis—The following line cards can now<br />
be used in EX8200 switches that are members of an EX8200 Virtual Chassis:<br />
8<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
• EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+ line card)<br />
• EX8200-2XS-40T (40-port RJ-45 with 4-port SFP and 2-port SFP+ line card)<br />
• EX8200-48PL (48-port PoE+ 20-Gbps line card)<br />
• EX8200-48TL (48-port RJ-45 20-Gbps line card)<br />
• EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+ line card)<br />
[See Line Card Model and Version Compatibility in an EX8200 Switch.]<br />
• New extra-scale EX8200 line card—A new extra-scale line card provides larger route<br />
table sizes than the corresponding non-extra-scale model to store more IPv4 and IPv6<br />
unicast routes. This extra-scale model is supported on standalone EX8200 switches<br />
and on EX8200 Virtual Chassis.<br />
• 40-port SFP+ line card (EX8200-40XS-ES)<br />
[See Line Card Model and Version Compatibility in an EX8200 Switch.]<br />
Access Control and Port Security<br />
• Persistent MAC learning—Persistent MAC learning, also known as sticky MAC, is a port<br />
security feature that allows retention of dynamically learned MAC addresses on an<br />
interface across restarts of the switch and interface-down events. Persistent MAC<br />
address learning is disabled by default. By enabling persistent MAC learning along with<br />
MAC limiting, you can enable interfaces to learn MAC addresses of trusted workstations<br />
and servers during the period from when you connect the interface to your network<br />
until the limit for MAC addresses is reached, and ensure that after this initial period,<br />
with the limit reached, new addresses are not allowed even if the switch restarts. The<br />
alternatives to using persistent MAC learning with MAC limiting are to statically configure<br />
each MAC address on each port or to allow the port to continuously learn new MAC<br />
addresses after restarts or interface-down events. [See Understanding Persistent MAC<br />
Learning (Sticky MAC).]<br />
Ethernet Switching and Spanning Trees<br />
• Distributed periodic packet management (PPM) virtual routing and forwarding<br />
(VRF) support—VRF traffic is now processed on EX Series switches through distributed<br />
periodic packet management (PPM). Distributed PPM processing is transparent to<br />
users, and it allows the switches to better manage VRF traffic. [See Understanding<br />
Distributed Periodic Packet Management on EX Series Switches.]<br />
• Increasing the maximum number of searchable hash indexes—For all EX Series<br />
switches except the EX8200 switch, you can use a new feature to mitigate situations<br />
in which hash index collisions are causing problems with the learning of MAC addresses<br />
in the forwarding database (FDB). The FDB on those switches is a hash table with 8192<br />
hash indexes (rows) of MAC addresses and four entries per hash index. When the FDB<br />
is searched, a configured hash function calculates the hash index at which to start the<br />
search. By default, after the search starts at the determined hash index, the maximum<br />
number of hash indexes that can be searched is one hash index, or four entries. If you<br />
notice a higher incidence of hash index collisions in the FDB, you can now increase the<br />
maximum number of searchable hash indexes in increments of 4, from 4 to a maximum<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
9
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
of 32 entries. Increasing this number in turn increases the chances of finding an open<br />
entry in which to add a newly learned MAC address. However, searching more hash<br />
indexes requires more bandwidth and may impact the FDB performance and line-rate<br />
traffic. Therefore, you must carefully weigh the benefits of this feature against the<br />
number of hash index collisions, and if you decide to implement this feature, determine<br />
how much to increase the search parameters. To increase the maximum number of<br />
searchable hash indexes, enter the set ethernet-switching-options mac-lookup-length<br />
number-of-entries command. [See Understanding Bridging and VLANs on EX Series<br />
Switches.]<br />
Infrastructure<br />
• Nonstop active routing for Protocol Independent Multicast (PIM) on EX8200<br />
switches and EX8200 Virtual Chassis—Nonstop routing (NSR) for PIM is now<br />
supported on EX8200 switches and on EX8200 Virtual Chassis. You can now configure<br />
NSR to enable the transparent switchover between the master and backup Routing<br />
Engines without having to restart PIM. [See Understanding Nonstop Active Routing on<br />
EX Series Switches.]<br />
• Enhancement for upgrades of loader software on EX8200 switches from<br />
<strong>Release</strong> 10.3R2 or earlier—Loader software can now be upgraded on the backup<br />
Routing Engine, thus reducing the downtime for the switch when upgrading software<br />
from <strong>Release</strong> 10.3R2 or earlier. For <strong>Release</strong>s 10.4R3 or later, the loader software does<br />
not need to be upgraded.<br />
Layer 2 and Layer 3 Protocols<br />
• OSPFv2 on EX3300 switches—EX3300 switches now support OSPFv2. [See Layer 3<br />
Protocols Supported on EX Series Switches.]<br />
• Routed multicast traffic on virtual routing and forwarding (VRF) instances—Routed<br />
multicast traffic is now supported on all VRF instances, not just the default instance.<br />
[See Understanding Virtual Routing Instances on EX Series Switches].<br />
Management and RMON<br />
• Erasure of all user-created files on the switch—The media option has been added for<br />
the request system zeroize command. The request system zeroize media command<br />
completely erases all user-created files from the switch, including plain-text passwords,<br />
secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS,<br />
TACACS+, and Simple Network Management Protocol (SNMP), replacing all<br />
user-created data with zeros, and then reboots the switch, returning it to the factory<br />
default configuration. (Without the media option, the request system zeroize command<br />
simply removes configuration and log files and resets key values; and then reboots the<br />
switch, returning it to the factory default configuration.)<br />
CAUTION: Before running the request system zeroize or request system<br />
zeroize media command, use the request system snapshot command to<br />
back up the files currently used to run the switch to a secondary device.<br />
10<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
[See request system zeroize.]<br />
• Ethernet frame delay measurement—You can obtain Ethernet frame delay<br />
measurements (ETH-DM) on an EX Series switch. You can configure Operation,<br />
Administration, and Maintenance (OAM) statements for connectivity fault management<br />
(CFM) (IEEE 802.1ag) to provide on-demand measurements of frame delay and frame<br />
delay variation (jitter). You can configure the frame delay measurements in either a<br />
one-way mode or a two-way (round-trip) mode to gather frame delay statistics,<br />
including simultaneous statistics from multiple sessions. [See Understanding Ethernet<br />
Frame Delay Measurements on Switches.]<br />
• Support for IEEE 802.1ag Ethernet OAM on EX8200 switches—Support for the IEEE<br />
802.1ag standard for Operation, Administration, and Maintenance (OAM) is now<br />
available on EX8200 switches. The IEEE 802.1ag specification provides for Ethernet<br />
connectivity fault management (CFM), which monitors Ethernet networks that might<br />
comprise one or more service instances for network-compromising connectivity faults.<br />
[See Understanding Ethernet OAM Link Fault Management for an EX Series Switch.]<br />
Related<br />
Documentation<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 11<br />
• Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 12<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 18<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 23<br />
• Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 48<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 49<br />
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
This section lists the changes in default behavior and syntax in Junos OS <strong>Release</strong> 11.4 for<br />
EX Series switches.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
11
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Ethernet Switching and Spanning Trees<br />
• The ingress-counting configuration statement at the [edit vlans] hierarchy level has<br />
been renamed l3-interfaces-ingress-counting. You use this configuration statement to<br />
activate a routed VLAN interface (RVI) input counter on a named VLAN on an EX8200<br />
switch.<br />
Fibre Channel over Ethernet<br />
• On EX4500 switches, App-FCoE and ETS values appear in the output for the show<br />
dcbx neighbors terse command but are not applicable to the switch; ignore these values.<br />
Hardware<br />
• If you attempt to configure an SFP uplink module to operate in 1-gigabit mode by<br />
including the sfpplus statement at the [edit chassis fpc slot pic pic-number] hierarchy<br />
level of the configuration, the configuration has no effect, and no warning or error<br />
message is displayed. The sfpplus statement configures the operating mode for SFP+<br />
uplink modules only, in Junos OS <strong>Release</strong> 10.4R2 and later.<br />
Infrastructure<br />
• The following changes have been made to the show system snapshot command:<br />
• You do not need to specify a media slice number for the location of a snapshot,<br />
because all information about both slices is displayed by default.<br />
• The command displays information about the backup of the root file system (/) and<br />
directories /altroot, /var, and /var/tmp.<br />
[This issue was being tracked by PR/785373.]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 8<br />
• Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 12<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 18<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 23<br />
• Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 48<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 49<br />
Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
This section lists the limitations in Junos OS <strong>Release</strong> 11.4 for EX Series switches. If the<br />
limitation is associated with an item in our bug database, the description is followed by<br />
the bug tracking number.<br />
12<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
For the most complete and latest information about known Junos OS defects, use the<br />
<strong>Juniper</strong> online Junos Problem Report Search application at<br />
http://www.juniper.net/prsearch.<br />
Access Control and Port Security<br />
• On EX Series switches, you cannot configure 802.1X authentication on redundant trunk<br />
groups (RTGs). [This is a known software limitation.]<br />
Ethernet Switching and Spanning Trees<br />
• If the bridge priority of a VSTP root bridge is changed such that this bridge becomes a<br />
nonroot bridge, the transition might take more than 2 minutes, and you might see a<br />
loop during the transition. [PR/661691: This is a known software limitation.]<br />
• On EX4200 switches, a firewall filter that uses the source MAC address to block bridge<br />
protocol data unit (BPDU) switching frames might not block them. [This is a known<br />
software limitation.]<br />
• On EX Series switches, only dynamically learned routes can be imported from one<br />
routing table group to another. [This is a known software limitation.]<br />
Firewall Filters<br />
• On EX3200 and EX4200 switches, when a very large number of firewall filters are<br />
included in the configuration, it might take a long time, possibly as long as a few minutes,<br />
for the egress filter rules to be installed. [PR/468806: This is a known software<br />
limitation.]<br />
• On EX3300 switches, if you add and delete filters with a large number of terms (on<br />
the order of 1000 or more) in the same commit operation, not all the filters are installed.<br />
As a workaround, add filters in one commit operation, and delete filters in a separate<br />
commit operation. [PR/581982: This is a known software limitation.]<br />
• On EX8200 switches, if you configure an implicit or explicit discard action as the last<br />
term in an IPv6 firewall filter on a loopback (lo0) interface, all the control traffic from<br />
the loopback interface is dropped. To prevent this, you must configure an explicit accept<br />
action. [This is a known software limitation.]<br />
Hardware<br />
• On 40-port SFP+ line cards for EX8200 switches, the LEDs on the left of the network<br />
ports do not blink to indicate when there is link activity if you set the speed of the<br />
network ports to 10/100/1000 Mbps. However, if you set the speed to 10 Gbps, the<br />
LEDs blink. [PR/502178: This is a known limitation.]<br />
• You cannot connect EX2200-C-12P-2G switches to the pre-standard Cisco IP Phone<br />
7960 with a straight cable. As a workaround, use a crossover cable. [PR/726929: This<br />
is a known limitation.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
13
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Infrastructure<br />
• On EX Series switches, the show snmp mib walk etherMIB command does not display<br />
any output, even though the etherMIB is supported. This occurs because the values<br />
are not populated at the module level—they are populated at the table level only. You<br />
can issue the show snmp mib walk dot3StatsTable command, the show snmp mib walk<br />
dot3PauseTable command, or the show snmp mib walk dot3ControlTable command<br />
to display the output at the table level. [PR/442373: This is a known software limitation.]<br />
• Momentary loss of an inter-Routing Engine IPC message might trigger the alarm that<br />
displays the message Loss of communication with Backup RE. However, no functionality<br />
is affected. [PR/477943: This is a known software limitation.]<br />
• Routing between virtual routing instances for local direct routes is not supported.<br />
[PR/490932: This is a known software limitation.]<br />
• On EX4500 switches, the maintenance menu is not disabled even if you include the<br />
lcd maintenance-menu disable statement in the configuration. [PR/551546: This is a<br />
known software limitation.]<br />
• When you enable the filter-id attribute on the RADIUS server for a particular client,<br />
none of the required 802.1X authentication rules are installed in the IPv6 database.<br />
Therefore, IPv6 traffic on the authenticated interface is not filtered; only IPv4 traffic is<br />
filtered on that interface. [PR/560381: This is a known software limitation.]<br />
• On EX8200 switches, if OAM link fault management (LFM) is configured on a member<br />
of a VLAN on which Q-in-Q tunneling is also enabled, OAM PDUs cannot be transmitted<br />
to the Routing Engine. [PR/583053: This is a known software limitation.]<br />
• When you reconfigure the maximum transmission unit (MTU) value of a next hop more<br />
than eight times without restarting the switch, the interface uses the maximum value<br />
of the eight previously configured values as the next MTU value. [PR/590106: This is<br />
a known software limitation.]<br />
• On switches on which a large number of routed VLAN interfaces (RVIs) are configured,<br />
when the backup Routing Engine is rebooting and a large amount of traffic is being<br />
sent, OSPF and IS-IS sessions might go down and come back up on the RVIs. [This is<br />
a known software limitation.]<br />
• On EX8208 and EX8216 switches that have two Routing Engines, one Routing Engine<br />
cannot be running Junos OS <strong>Release</strong> 10.4 or later while the other one is running<br />
<strong>Release</strong> 10.3 or earlier. Ensure that both Routing Engines in a single switch run either<br />
<strong>Release</strong> 10.4 or later or <strong>Release</strong> 10.3 or earlier. [PR/604378: This is a known software<br />
limitation.]<br />
• On EX6210 and EX8200 switches that have two Routing Engines, and on EX8200<br />
Virtual Chassis that have two XRE200 External Routing Engine modules, you cannot<br />
issue the commit synchronize command from the J-Web interface. As a workaround,<br />
issue this command from the CLI. [This is a known software limitation.]<br />
14<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
High Availability<br />
• You cannot verify that nonstop bridging (NSB) is synchronizing Layer 2 protocol<br />
information to the backup Routing Engine even when NSB is properly configured. [This<br />
is a known software limitation.]<br />
• On EX Series Virtual Chassis using nonstop software upgrade (NSSU) to upgrade from<br />
a Junos OS <strong>Release</strong> 11.2 or earlier release to a Junos OS <strong>Release</strong> 11.3 or later release,<br />
after the NSSU operation finishes, the same MAC address might be assigned to multiple<br />
Layer 2 or aggregated Ethernet interfaces on different member switches within the<br />
Virtual Chassis. To set all Layer 2 and aggregated Ethernet ports to have unique MAC<br />
addresses, reboot the Virtual Chassis after the upgrade operation. To avoid these MAC<br />
address assignment issues, upgrade to Junos OS <strong>Release</strong> 11.3 or later without performing<br />
an NSSU operation.<br />
Unique MAC address assignment for Layer 2 and aggregated Ethernet interfaces in a<br />
Virtual Chassis was introduced in Junos OS <strong>Release</strong> 11.3. If you are upgrading to Junos<br />
OS <strong>Release</strong> 11.2 or earlier, you should expect to see the same MAC address assigned<br />
to multiple ports on different member switches within the Virtual Chassis.<br />
[PR/775203: This is a known software limitation.]<br />
Interfaces<br />
• EX Series switches do not support IPv6 interface statistics. Therefore, all values in the<br />
output of the show snmp mib walk ipv6IfStatsTable command always display a count<br />
of 0. [PR/480651: This is a known software limitation.]<br />
• On EX8216 switches, a link might go down momentarily when an interface is added to<br />
a LAG. [PR/510176: This is a known software limitation.]<br />
• On EX Series switches, if you clear LAG interface statistics while the LAG is down, then<br />
bring up the LAG and pass traffic without checking for statistics, and finally bring the<br />
LAG interface down and check interface statistics again, the statistics might be<br />
inaccurate. As a workaround, use the show interfaces interface-name command to<br />
check LAG interface statistics before bringing down the interface. [PR/542018: This is<br />
a known software limitation.]<br />
• You must connect directly to the master Switch Fabric and Routing Engine (SRE)<br />
module or Routing Engine (RE) module of the EX8200 member switch to configure<br />
Power over Ethernet (PoE) or Power over Ethernet Plus (PoE+) on an EX8200 Virtual<br />
Chassis. You cannot configure PoE or PoE+ through the XRE200 External Routing<br />
Engine.<br />
To configure PoE or PoE+ on an EX8200 member switch in an operational EX8200<br />
Virtual Chassis:<br />
1. Connect directly to the member switch that contains the ports on which you<br />
configure PoE or PoE+ using one of the following methods:<br />
• Log in to the Virtual Chassis and then enter the request session member member-id<br />
command to redirect the session to the member switch.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
15
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Cable a terminal device to the console port (labeled CON) on the master SRE or<br />
RE module. See Connecting an EX Series Switch to a Management Console.<br />
2. Configure PoE or PoE+. See Configuring PoE (CLI Procedure).<br />
[This is a known software limitation.]<br />
J-Web Interface<br />
• EX2200-C, EX3300, and EX6210 switches do not support switch connection and<br />
configuration through the J-Web interface. [This is a known software limitation.]<br />
• In the J-Web interface, you cannot commit some configuration changes in the Port<br />
Configuration page or the VLAN Configuration page because of the following limitations<br />
for port-mirroring ports and port-mirroring VLANs:<br />
• A port configured as the output port for an analyzer cannot be a member of any<br />
VLAN other than the default VLAN.<br />
• A VLAN configured to receive analyzer output can be associated with only one<br />
interface.<br />
[PR/400814: This is a known software limitation.]<br />
• In the J-Web interface, the Ethernet Switching Monitor page (Monitor > Switching ><br />
Ethernet Switching) might not display monitoring details if the switch has more than<br />
13,000 MAC entries. [PR/425693: This is a known software limitation.]<br />
• If four or more EX8200-40XS line cards are inserted in an EX8208 or EX8216 switch,<br />
the Support Information page (Maintain > Customer Support > Support Information)<br />
in the J-Web interface might fail to load because the configuration might be larger than<br />
the maximum size of 5 MB. The error message Configuration too large to handle is<br />
displayed. [PR/552549: This is a known software limitation.]<br />
• In the J-Web interface, you cannot configure interface ranges and interface groups.<br />
[PR/600559: This is a known software limitation.]<br />
• The J-Web interface does not support role-based access control; it supports only users<br />
in the super-user authorization class. Therefore, a user who is not in the super-user<br />
class, such as a user with view-only permission, is able to launch the J-Web interface<br />
and is allowed to configure everything, but the configuration fails on the switch, and<br />
the switch displays access permission errors. [PR/604595: This is a known software<br />
limitation.]<br />
Management and RMON<br />
• On EX Series switches, an SNMP query fails when the SNMP index size of a table is<br />
greater than 128 bytes, because the Net SNMP tool does not support SNMP index sizes<br />
greater than 128 bytes. [PR/441789: This is a known software limitation.]<br />
• When MVRP is configured on a trunk interface, you cannot configure connectivity fault<br />
management (CFM) on that interface. [PR/540218: This is a known software limitation.]<br />
• The connectivity fault management (CFM) process (cfmd) might create a core file.<br />
[PR/597302: This is a known software limitation.]<br />
16<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Multicast Protocols<br />
• MLD snooping of IPv6 multicast traffic is not supported. Layer 2 multicast traffic is<br />
always flooded on the VLAN. [This is a known software limitation.]<br />
Software Installation and Upgrade<br />
• Do not manually configure the autoinstallation statement at the [edit system]<br />
configuration hierarchy level. If you configure this statement, the switch loses network<br />
connectivity and cannot respond to either ping requests or to ARP requests. The initial<br />
default configuration that is present on the switch does include the autoinstallation<br />
statement at the [edit system] hierarchy level. The reason is that if the switch cannot<br />
find any configuration file stored in flash memory, it must try to obtain one from a TFTP<br />
server. However, the first time you commit a configuration on the switch, a configuration<br />
file is created in flash memory, and the statement is deleted from the configuration<br />
because it is no longer needed. [PR/610816:This is a known software limitation.]<br />
Virtual Chassis<br />
• When you configure mixed EX4200 and EX4500 Virtual Chassis with the J-Web<br />
interface, you can configure only the EX4500 switch to assume the master and backup<br />
roles and only the EX4200 switch to assume the linecard role. [This is a known software<br />
limitation.]<br />
• On standalone EX4500 switches, if you set the PIC mode to virtual-chassis, the switch<br />
has less bandwidth available for network ports than if you set the PIC mode to<br />
intraconnect. When the PIC mode setting is virtual-chassis, the network ports on a<br />
standalone EX4500 switch often do not achieve line-rate performance.<br />
The PIC mode on EX4500 switches can be set to virtual-chassis if the switch was<br />
ordered with a Virtual Chassis module installed and thus has its PIC mode set to<br />
virtual-chassis by default, or if you entered the request chassis pic-mode virtual-chassis<br />
operational mode command to configure the switch as a member of a Virtual Chassis.<br />
To check the PIC mode on an EX4500 switch on which a Virtual Chassis module is<br />
installed, use the show chassis pic-mode command.<br />
We recommend that you always set the PIC mode on a standalone EX4500 switch to<br />
intraconnect. To do this, use the request chassis pic-mode intraconnect operational<br />
mode command. [This is a known software limitation.]<br />
• On an EX4500 Virtual Chassis, if you issue the ping command to the IPv6 address of<br />
the virtual management Ethernet (VME) interface, the ping attempt fails. [PR/518314:<br />
This is a known software limitation.]<br />
• The automatic software update feature is not supported on EX4500 switches that<br />
are members of a Virtual Chassis. [PR/541084: This is a known software limitation.]<br />
• When an EX4500 switch becomes a member of a Virtual Chassis, it is assigned a<br />
member ID. If that member ID is a nonzero value, then if that member switch is<br />
downgraded to a software image that does not support Virtual Chassis, you cannot<br />
change the member ID to 0. A standalone EX4500 switch must have a member ID of<br />
0. The workaround is to convert the EX4500 Virtual Chassis member switch to a<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
17
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
standalone EX4500 switch before downgrading the software to an earlier release, as<br />
follows:<br />
1. Disconnect all Virtual Chassis cables from the member to be downgraded.<br />
2. Convert the member switch to a standalone EX4500 switch by issuing the request<br />
virtual-chassis reactivate command.<br />
3. Renumber the member ID of the standalone switch to 0 by issuing the request<br />
virtual-chassis renumber command.<br />
4. Downgrade the software to the earlier release.<br />
[PR/547590: This is a known software limitation.]<br />
• When you add a new member switch to an existing EX4200 Virtual Chassis, EX4500<br />
Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis in a ring topology, a<br />
member switch that was already part of the Virtual Chassis might become<br />
nonoperational for several seconds. After the downtime, the member switch returns<br />
to the operational state with no user intervention. Network traffic to the member switch<br />
is dropped during the downtime. To avoid this issue, follow this procedure:<br />
1. Cable one dedicated or user-configured Virtual Chassis port (VCP) on the new<br />
member switch to the existing Virtual Chassis.<br />
2. Power on the new member switch.<br />
3. Wait for the new switch to become operational in the Virtual Chassis. Monitor the<br />
show virtual-chassis command output to confirm the new switch is recognized by<br />
the Virtual Chassis and is in the Prsnt state.<br />
4. Cable the other dedicated or user-configured VCP on the new member switch to<br />
the Virtual Chassis.<br />
[PR/591404: This is a known software limitation.]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 8<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 11<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 18<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 23<br />
• Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 48<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 49<br />
Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
The following are outstanding issues in Junos OS <strong>Release</strong> 11.4R7 for EX Series switches.<br />
The identifier following the description is the tracking number in our bug database.<br />
18<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
For the most complete and latest information about known Junos OS defects, use the<br />
<strong>Juniper</strong> online Junos Problem Report Search application at<br />
http://www.juniper.net/prsearch.<br />
Other software issues that are common to both EX Series switches and M, MX, and T<br />
Series routers are listed in “Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and<br />
T Series Routers” on page 172.<br />
Access Control and Port Security<br />
• On EX Series switches, updates to 802.1X (dot1x) implementation are needed for<br />
MS-NAP support. [PR/719408]<br />
Class of Service<br />
• On EX Series switches, EXP CoS classification will not occur if the EXP CoS classifiers<br />
are deleted and then added. As a workaround, deactivate and then reactivate<br />
rewrite-rules using the deactivate class-of-service command and the activate<br />
class-of-service command. [PR/848273]<br />
Ethernet Switching and Spanning Trees<br />
• On EX Series switches and the QFX Series, if you reconfigure a trunk port to access<br />
mode and if you perform the necessary dependent configurations to delete all but one<br />
of the VLANs, or if you reconfigure an access port to trunk mode, VLAN Spanning Tree<br />
Protocol (VSTP) instances might not converge properly, resulting in the formation of<br />
a loop. As a workaround, delete the VSTP configuration before reconfiguring the ports.<br />
[PR/668449]<br />
• When using VSTP, if you try to enable all VLANs on a physical interface that is a member<br />
of all the VLANs, a configuration error might be displayed. As a workaround, ensure<br />
that the interface is a member of any VLAN before adding it to the VLAN configuration<br />
under VSTP. [PR/736488]<br />
Infrastructure<br />
• On EX8208 switches, when a line card that has no interface configurations and is not<br />
connected to any device is taken offline using the request chassis fpc-slot slot-number<br />
offline command, the Bidirectional Forwarding Detection process (bfd) starts and<br />
stops repeatedly. The same bfd process behavior occurs on a line card that is connected<br />
to a Layer 3 domain when another line card that is on the same switch and is connected<br />
to a Layer 2 domain is taken offline. [PR/548225]<br />
• When a large number of ARP entries are learned on routed VLAN interfaces (RVIs), if<br />
a topology change occurs, the Ethernet switching process (eswd) might consume all<br />
the CPU. [PR/614262]<br />
• On EX4500 switches, ICMPv6 packets might transit the Routing Engine even though<br />
IPv6 is not configured. [PR/682953]<br />
• When you upgrade Junos OS from a release earlier than <strong>Release</strong> 10.4R3, in which<br />
resilient dual-root partitioning was introduced, to a later release that supports resilient<br />
dual-root partitioning, the time required for the upgrade to complete is longer than<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
19
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
upgrading either between two releases that are earlier than <strong>Release</strong> 10.4R3 or between<br />
two releases that are <strong>Release</strong> 10.4R3 or later. [PR/683337]<br />
• On EX Series switches, when you are configuring DHCP option 82, the<br />
use-interface-description statement, which uses the interface description rather than<br />
the interface name (the default) in the circuit ID or remote ID value in the DHCP option<br />
82 information, does not work. [PR/695712]<br />
• When you run the commit check command, the word operation in the command output<br />
might be misspelled. [PR/704910]<br />
• If you delete an IPv6 configuration on a routed VLAN interface (RVI), ARP requests<br />
might not be trapped to the CPU and are not resolved. As a workaround, delete the<br />
RVI and then reconfigure it, or reboot the switch after you delete the IPv6 configuration.<br />
[PR/826862]<br />
• On EX8200 switches, the routing process consumes more CPU when OSPF traceoptions<br />
are set with the all tracing flag and nonstop active routing (NSR) is enabled. Do not<br />
enable traceoptions with NSR in the 11.4R7 release. [PR/844018]<br />
J-Web Interface<br />
• In the J-Web interface, in the Port Security Configuration page (Configure > Security<br />
> Port Security), you are required to configure the action option when you configure<br />
the MAC limit option even though configuring an action value is not mandatory in the<br />
CLI. [PR/434836]<br />
• In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration<br />
page, the Global Information table in the BGP Configuration page, or the Add Interface<br />
window in the LACP Configuration page, if you try to change the position of columns<br />
using the drag-and-drop method, only the column header moves to the new position<br />
instead of the entire column. [PR/465030]<br />
• In the J-Web interface, you cannot edit a VLAN configuration after you have configured<br />
an IPv6 address for the VLAN. As a workaround, refresh the page manually and then<br />
try to edit the VLAN configuration. [PR/466633]<br />
• When a large number of static routes are configured and you have navigated to pages<br />
other than page 1 in the Route Information table on the Static Routing monitoring page<br />
in the J-Web interface (Monitor > Routing > Route Information), changing the Route<br />
Table to query other routes refreshes the page but does not return to page 1. For<br />
example, if you run a query from page 3 and the new query returns very few results,<br />
the Results table continues to display page 3 and shows no results. To view the results,<br />
navigate to page 1 manually. [PR/476338]<br />
• In the J-Web interface for EX4500 switches, the Port Configuration page (Configure<br />
> Interfaces > Ports), the Port Security Configuration page (Configure > Security > Port<br />
Security), and the Filters Configuration page (Configure > Security > Filters) display<br />
features that are not supported on EX4500 switches. [PR/525671]<br />
• When you use an HTTPS connection in the Microsoft Internet Explorer browser to save<br />
a report from the following pages in the J-Web interface, the error message Internet<br />
Explorer was not able to open the Internet site is displayed on the pages:<br />
20<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
• Files page (Maintain > Files)<br />
• History page (Maintain > Config Management > History)<br />
• Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)<br />
• Static Routing page (Monitor > Routing > Route Information)<br />
• Support Information page (Maintain > Customer Support > Support Information)<br />
• View Events page (Monitor > Events and Alarms > View Events)<br />
[PR/542887]<br />
• When you open a J-Web session using HTTPS, enter a username and password, and<br />
then click the Login button, the J-Web interface takes 20 seconds longer to launch and<br />
load the Dashboard page than it does if you use HTTP. [PR/549934]<br />
• In the J-Web interface, you cannot upload a software package using the HTTPS<br />
protocol. As a workaround, use either the HTTP protocol or the CLI. [PR/562560]<br />
• If you have accessed the J-Web interface using an HTTPS connection through the<br />
Microsoft Internet Explorer Web browser, you might not be able to download and save<br />
reports from some pages on the Monitor, Maintain, and Troubleshoot tabs. Some<br />
affected pages are at these locations:<br />
• Maintain > Files > Log Files > Download<br />
• Maintain > Config Management > History<br />
• Maintain > Customer Support > Support Information > Generate Report<br />
• Troubleshoot > Troubleshoot Port > Generate Report<br />
• Monitor > Events and Alarms > View Events > Generate Report<br />
• Monitor > Routing > Route Information > Generate Report<br />
As a workaround, use the Mozilla Firefox Web browser to download and save reports<br />
using an HTTPS connection. [PR/566581]<br />
• If you access the J-Web interface using the Microsoft Internet Web browser version 7,<br />
on the BGP Configuration page (Configure > Routing > BGP), all flags might be shown<br />
in the Configured Flags list (in the Edit Global Settings window, on the Trace Options<br />
tab) even though the flags are not configured. As a workaround, use the Mozilla Firefox<br />
Web browser. [PR/603669]<br />
• If you have created dynamic VLANs by enabling MVRP from the CLI, then in the J-Web<br />
interface, the following features do not work with dynamic VLANs and static VLANs:<br />
• In the Port Configuration page (Configure > Interface > Ports)—Port profile (select<br />
the interface, click Edit, and select Port Role) or the VLAN option (select the interface,<br />
click Edit, and select VLAN Options).<br />
• VLAN option on the Link Aggregation page (Configure > Interface > Link<br />
Aggregation)—Select the aggregated interface, click Edit, and click VLAN.<br />
• In the 802.1X Configuration page (Configure > Security > 802.1x)—VLAN assignment<br />
in the exclusion list (click Exclusion List and select VLAN Assignment) or the move<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
21
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
to guest VLAN option (select the port, click Edit, select 802.1X Configuration, and<br />
click the Authentication tab).<br />
• Port security configuration (Configure > Security > Port Security).<br />
• In the Port Mirroring Configuration page (Configure > Security > Port<br />
Mirroring)—Analyzer VLAN or ingress or egress VLAN (click Add or Edit and then add<br />
or edit the VLAN).<br />
[PR/669188]<br />
• In the J-Web interface, HTTPS access might work with an invalid certificate. As a<br />
workaround, after you change the certificate, issue the restart web-management<br />
command to restart the J-Web interface. [PR/700135]<br />
• On EX4500 Virtual Chassis, if you use the CLI to switch from virtual-chassis mode to<br />
intraconnect mode, the J-Web dashboard might not list all the Virtual Chassis hardware<br />
components, and the images of the master and backup members of the Virtual Chassis<br />
might not be visible after an autorefresh occurs. The J-Web dashboard also might not<br />
list the vcp-0 and vcp-1 Virtual Chassis ports (VCPs) in the rear view of an EX4200<br />
switch (in the linecard role) that is part of a mixed EX4200 and EX4500 Virtual Chassis.<br />
[PR/702924]<br />
• After you have disabled the LCD Maintenance Menu and rebooted the switch, the<br />
EZSetup option might be available. [PR/707279]<br />
• In some help files, the copyright date is set to 2011 instead of 2012. [PR/735607]<br />
• If you use EZSetup to configure a root password that contains a comma (,), the<br />
characters after the comma are not checked during authentication, making it possible<br />
to log in to the switch with several different passwords. As a workaround, configure<br />
the root password from the CLI. [PR/738310]<br />
• When a switch has no routed interfaces, you cannot use the J-Web interface to add<br />
OSPF areas. As a workaround, use the CLI to add these areas. [PR/746624]<br />
• In the J-Web interface, you cannot configure the TCP fragment flag for a firewall filter<br />
in the Filters Configuration page (Configure > Security > Filters). [PR/756241]<br />
• In the J-Web interface, you cannot delete a term from a filter and simultaneously add<br />
a new term to that filter in the Filters configuration page (Configure > Security > Filters).<br />
[PR/769534]<br />
• Some component names shown by the tooltip on the Temperature bar in the Health<br />
Status panel of the dashboard might be truncated. As a result, you might see many<br />
components that have the same name displayed. For example, the components GEPHY<br />
Front Left, GEPHY Front Middle, and GEPHY Front Right might all be displayed as<br />
GEPHYFront. As a workaround, to find temperature details of the components, navigate<br />
to Monitor > System View > Chassis Information and click the Temperature tab in<br />
Chassis Component Details. [PR/778313]<br />
• In the J-Web interface, the Help page for the Install package in the Software<br />
Maintenance page (Maintain > Software) might not appear. [PR/786654]<br />
22<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Management and RMON<br />
• On EX3200 and EX4200 switches, Ethernet OAM connectivity fault management<br />
(CFM) is not working with continuity check. [PR/835547]<br />
• On EX Series switches, the sFlow monitoring technology adaptive sampling rate might<br />
not change when traffic flows through an sFlow-enabled interface. [PR/852149]<br />
Virtual Chassis<br />
• When the ingress and egress ports are on different member switches and a packet is<br />
routed from the default routing instance to another forwarding instance type, the VLAN<br />
ID might be modified in such a way that the traffic is redirected to the default routing<br />
instance for subsequent routing. [PR/721436]<br />
• When you remove the hard drive from an XRE200 External Routing Engine, an SNMP<br />
trap and a system alarm might not be generated. [PR/710213]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 8<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 11<br />
• Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 12<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 23<br />
• Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 48<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 49<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
The following are the issues that have been resolved in Junos OS <strong>Release</strong> 11.4 for EX<br />
Series switches. The identifier following the descriptions is the tracking number in our<br />
bug database.<br />
For the most complete and latest information about known Junos OS defects, use the<br />
<strong>Juniper</strong> online Junos Problem Report Search application at<br />
http://www.juniper.net/prsearch.<br />
• Issues Resolved in <strong>Release</strong> 11.4R1 on page 24<br />
• Issues Resolved in <strong>Release</strong> 11.4R2 on page 32<br />
• Issues Resolved in <strong>Release</strong> 11.4R3 on page 36<br />
• Issues Resolved in <strong>Release</strong> 11.4R4 on page 41<br />
• Issues Resolved in <strong>Release</strong> 11.4R5 on page 42<br />
• Issues Resolved in <strong>Release</strong> 11.4R6 on page 44<br />
• Issues Resolved in <strong>Release</strong> 11.4R7 on page 46<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
23
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Issues Resolved in <strong>Release</strong> 11.4R1<br />
The following issues have been resolved in Junos OS <strong>Release</strong> 11.4R1. The identifier following<br />
the description is the tracking number in our bug database.<br />
Access Control and Port Security<br />
• If storm control is enabled, the Link Aggregation Control Protocol (LACP) might stop<br />
and then restart when Layer 2 packets are sent at a high speed. As a workaround,<br />
disable storm control for all multicast traffic on aggregated Ethernet interfaces by<br />
issuing the command set ethernet-switching-options storm-control interface<br />
interface-name no-multicast. [PR/575560: This issue has been resolved.]<br />
• When the username for 802.1X (dot1x) authentication has more than 50 characters,<br />
Junos OS truncates the username field. [PR/588063: This issue has been resolved.]<br />
• The show lldp neighbors command displays interface descriptions instead of interface<br />
names. [PR/602442: This issue has been resolved.]<br />
• If you configure 802.1X (dot1x) authentication on an interface and then remove the<br />
802.1X configuration, 802.1X filters configured on that interface are not deleted.<br />
[PR/662196: This issue has been resolved.]<br />
• When you reboot or upgrade the software on a switch that has an active client<br />
connected to an 802.1X interface, a VLAN core file might be created. [PR/686513: This<br />
issue has been resolved.]<br />
Device Security<br />
• If you configure storm control with the action shutdown, after you reboot the switch,<br />
storm control is not enabled on all the ports on which it was configured. [PR/606054:<br />
This issue has been resolved.]<br />
Ethernet Switching and Spanning Trees<br />
• On EX8200 switches, you might not be able to configure private VLANs across the<br />
switch. [PR/599729: This issue has been resolved.]<br />
• An EX Series switch might take more than 20 minutes to learn ARP entries, because<br />
of which incorrect Layer 2 next hops might be installed on the Packet Forwarding<br />
Engine. This behavior can lead to inconsistent or intermittent communication issues<br />
with devices that are connected to the switch. [PR/612605: This issue has been<br />
resolved.]<br />
• On EX8200 switches, a Q-in-Q service VLAN might not be removed when a packet<br />
enters through a trunk port and exits from an access port. [PR/660247: This issue has<br />
been resolved.]<br />
• When BPDUs are forwarded to the best-effort queue instead of to the control queue,<br />
MSTP might not converge. [PR/665376: This issue has been resolved.]<br />
• On an EX4200 switch, when you disable a Q-in-Q interface on which you have<br />
configured a large number (more than 500) of VLAN swap rules, control traffic might<br />
be affected for about 10 minutes. During this time, the forwarding process (pfem) can<br />
consume up to 98 percent of the CPU. The system resumes its normal state after the<br />
24<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
forwarding process completes its processing. [PR/678792: This issue has been<br />
resolved.]<br />
• If you apply a large number of VLAN tags (approximately 1000 tags) and commit the<br />
configuration after applying each individual tag, an mgd core file might be created.<br />
[PR/680841: This issue has been resolved.]<br />
• RSTP might process BPDUs that do not comply with the IEEE standard, which might<br />
lead to unintended spanning-tree convergence behavior. [PR/683829: This issue has<br />
been resolved.]<br />
• When you enable VLANs and Q-in-Q tunneling on a switch, the switch drops packets<br />
and no MAC address learning occurs. [PR/685481: This issue has been resolved.]<br />
Firewall Filters<br />
• When you configure a firewall filter for the ethernet-switching family, a pfem core file<br />
might be created. [PR/580454: This issue has been resolved.]<br />
• On EX8200 switches, if you configure a discard term on an egress firewall filter, the<br />
filter might not block ARP broadcast packets. [PR/672621: This issue has been resolved.]<br />
• For two-rate three-color policers, the egress traffic might not flow at the configured<br />
peak information rate (PIR). [PR/687564: This issue has been resolved.]<br />
• When you configure VLAN ID translation when using Q-in-Q tunneling, if you apply a<br />
tricolor marking (TCM) policer to the Q-in-Q interface, a Packet Forwarding Engine<br />
(pfem) core file might be created. [PR/688438: This issue has been resolved.]<br />
Hardware<br />
• On an EX8200-40XS line card, if you insert an SFP transceiver into a port and then<br />
disable autonegotiation on the port, the link does not come up. [PR/609413: This issue<br />
has been resolved.]<br />
• When certain SFPs that are not attached to optical cables are inserted into an EX<br />
Series switch, the switch does not generate low-power warnings or alarms. The<br />
transceivers that exhibit this behavior have these vendor (Opnext) part numbers:<br />
TRS2000EN-S201 (10G-SR), TRS2000EN-S211 (10G-SR), and TRS5020EN-S201<br />
(10G-LR). Use the show chassis pic fpc-slot fpc-number pic-slot pic-number command<br />
to display the vendor part numbers of the transceivers in your switch. [PR/613153: This<br />
issue has been resolved.]<br />
• When the EX-PFE2 Packet Forwarding Engine temperature exceeds its threshold, an<br />
alarm might not be raised. The functionality of the switch is not affected. [PR/614354:<br />
This issue has been resolved.]<br />
• On EX6210 switches, traffic might not exit the 10-Gigabit Ethernet interfaces on the<br />
Routing Engines. [PR/669330: This issue has been resolved.]<br />
• On EX4500 switches, the LCD panel might not list the ADM (administrative status) or<br />
DPX (duplex) options in the Idle menu. Also, when you press Enter to cycle through<br />
the status LED modes, you might not be able to cycle through them. [PR/692341: This<br />
issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
25
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
High Availability<br />
• On EX8200 Virtual Chassis, NSSU might get stuck when you upgrade line cards one<br />
by one. As a workaround, configure upgrade groups for groups of line cards, which you<br />
can then upgrade simultaneously, with minimal traffic loss. [PR/669764: This issue<br />
has been resolved.]<br />
• When you perform a nonstop software upgrade (NSSU) operation on an EX8200<br />
Virtual Chassis, if you do not include the reboot option when you request the NSSU to<br />
have the switch perform an automatic reboot, the upgrade might stop responding<br />
indefinitely after the Junos OS images have been pushed to the master Routing Engine.<br />
[PR/692422: This issue has been resolved.]<br />
Infrastructure<br />
• The number of users reported by the show system users command does not include<br />
Web users. [PR/572822: This issue has been resolved.]<br />
• On EX8200 switches, packets might occasionally be dropped with CRC32 errors, which<br />
are a result of Packet Forwarding Engine corruption. [PR/576934: This issue has been<br />
resolved.]<br />
• On EX2200 switches, if you configure the dhcp-option82 statement, the switch might<br />
stop operating and a software forwarding process (sfid) core file might be created.<br />
[PR/588990: This issue has been resolved.]<br />
• During the reboot of an EX8200 switch, the links on the interfaces of neighboring<br />
devices might go up and down repeatedly even though the interfaces on the EX8200<br />
switch that connect to those interfaces on neighboring devices have not yet been<br />
initialized. [PR/591800: This issue has been resolved.]<br />
• When you press Tab during an SFTP session, an sftp core file might be created.<br />
[PR/593327: This issue has been resolved.]<br />
• On EX8200 switches or on XRE200 External Routing Engines, after routing and traffic<br />
recover from a graceful Routing Engine switchover (GRES) operation, a core file might<br />
be created after the Ethernet switching process (eswd) is restarted or after a line card<br />
is taken offline. [PR/596013: This issue has been resolved.]<br />
• If you move a host to a port associated with a different DHCP pool than the one with<br />
which it was originally associated, the Preboot Execution Environment (PXE) boot<br />
process might fail. [PR/596152: This issue has been resolved.]<br />
• The system log (syslog) file might contain the following message /var: filesystem full.<br />
[PR/600145: This issue has been resolved.]<br />
• On EX Series switches, the request system snapshot command mistakenly includes<br />
the as-primary option. [PR/603204: This issue has been resolved.]<br />
• When you commit an IPv6 configuration, the switch might display the db> prompt.<br />
[PR/606959: This issue has been resolved.]<br />
• On EX4200 switches, if you specify the source-address statement when configuring a<br />
system log (syslog) file, the switch might not send the correct source IP address to the<br />
syslog server after the switch reboots. [PR/608724: This issue has been resolved.]<br />
26<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
• In rare instances, a file system inconsistency might exist if you shut down an EX Series<br />
switch ungracefully. The result is a system panic, and a vmcore file is created. As a<br />
workaround, use the nand-mediack utility for checking bad blocks in the NAND flash<br />
memory. Review KB20570 from the <strong>Juniper</strong> Technical Assistance Center for instructions<br />
about how to use this utility. [PR/609798: This issue has been resolved.]<br />
• Packet loss of about 2 to 5 percent might occur for traffic destined to MAC addresses<br />
that start with 03: or 09:. [PR/658631: This issue has been resolved.]<br />
• When you upgrade Junos OS, traffic might not flow between two directly connected<br />
interfaces. [PR/661131: This issue has been resolved.]<br />
• If you have configured port 1 on the SFP uplink module, the system log files might show<br />
an error and might get full within a few minutes. [PR/661426: This issue has been<br />
resolved.]<br />
• If you remove or change interfaces soon after completing a nonstop software upgrade<br />
(NSSU) operation, the multicast snooping process (mcsnoopd) might create a core<br />
file. [PR/662065: This issue has been resolved.]<br />
• If you delete a VLAN that has no VLAN ID, firewall filters might stop operating properly.<br />
[PR/662651: This issue has been resolved.]<br />
• When DHCP unicast packets are processed on a server for the first time, the processing<br />
time might slow down, which might prevent the DHCP lease from getting renewed.<br />
[PR/668511: This issue has been resolved.]<br />
• Layer 3 next-hop entries might remain queued in the kernel of the backup Routing<br />
Engine and might never be installed in the forwarding table. [PR/670799: This issue<br />
has been resolved.]<br />
• A memory leak might occur, as evidenced by jt_nh_multiple_init() returned error code<br />
(No memory:3)! system log (syslog) messages. This leak disrupts traffic forwarding.<br />
[PR/676826: This issue has been resolved.]<br />
• On EX Series switches, issuing the request system zeroize command reboots the switch<br />
but fails to remove the configuration files in the /config and /var/db/config directories<br />
and other user-created data. [PR/678403: This issue has been resolved.]<br />
• The system log (syslog) files might contain messages related to storm control even<br />
when storm control is not configured. [PR/679231: This issue has been resolved.]<br />
• The management process (mgd) might create a core file when reading long lines. For<br />
example, this can happen when the system displays a Junos OS configuration file that<br />
contains long lines. When mgd crashes, the command that you were executing does<br />
not succeed, and the following errors appear in the messages file:<br />
%KERN-3-BAD_PAGE_FAULT: pid 57182 (mgd), uid 0: pc 0x8870ab92 got a write<br />
fault at 0x8488000, x86 fault flags = 0x6<br />
%KERN-6: pid 57182 (mgd), uid 0: exited on signal 11 (core dumped)<br />
[PR/679992: This issue has been resolved.]<br />
• The /var/log/wtmp file might become excessively large, and thus the switch might run<br />
out of disk space on the /var partition. As a workaround, use the request system storage<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
27
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
cleanup command, or manually delete and re-create the /var/log/wtmp file from the<br />
shell. [PR/681369: This issue has been resolved.]<br />
• When the same firewall filter and Layer 3 classifier is applied to two Layer 3 interfaces,<br />
a Packet Forwarding Engine (pfem) core file might be created. [PR/683747: This issue<br />
has been resolved.]<br />
• On EX2200 switches, when you have configured a syslog action on the me0 interface,<br />
the switch might crash. [PR/694602: This issue has been resolved.]<br />
• On EX3200 and EX4200 switches, transmit FIFO queue overruns might cause the<br />
switch to stop working. [PR/695071: This issue has been resolved.]<br />
Interfaces<br />
• If you use the restart vrrp command to restart VRRP, a ppmd core file might be created.<br />
[PR/602606: This issue has been resolved.]<br />
• On EX4200 switches, when an uplink fails or is deactivated, failure detection is not<br />
propagated to the downlink LAG interfaces. [PR/605468: This issue has been resolved.]<br />
• The Ethernet interfaces in a link aggregation group (LAG) might all have the same<br />
current MAC address as the parent aggregated Ethernet (ae) interface. [PR/681385:<br />
This issue has been resolved.]<br />
• You might not be able to commit a configuration on an XRE200 External Routing<br />
Engine, and the switch might display the error could not save to juniper.save+.<br />
[PR/689764: This issue has been resolved.]<br />
• An EX4200 switch might stop forwarding traffic, and a Packet Forwarding Engine<br />
(pfem) core file might be created. [PR/691504: This issue has been resolved.]<br />
• When 10-Gigabit Ethernet interfaces flap frequently, a routing protocol process (rpd)<br />
core file might be created. [PR/692126: This issue has been resolved.]<br />
• On EX3200, EX4200, EX4500, EX6200, EX8208, and EX8216 switches, the root user<br />
is allowed to telnet into the me0 interface, which does not comply with the default<br />
Junos OS behavior, as documented in Connecting and Configuring an EX Series Switch<br />
(CLI Procedure). [PR/695346: This issue has been resolved.]<br />
IPv6<br />
• On EX Series switches, IPv6 neighbor unreachability detection does not work. As a<br />
workaround, use the clear ipv6 neighbor command to initiate neighbor detection.<br />
[PR/613230: This issue has been resolved.]<br />
J-Web Interface<br />
• In the J-Web interface, the link status might not be displayed correctly in the Port<br />
Configuration page or the LACP (Link Aggregation Control Protocol) Configuration<br />
page if the Commit Options preference is set to single commit (the Validate configuration<br />
changes option). [PR/566462: This issue has been resolved.]<br />
• If the password has been removed from the authentication-order statement and the<br />
external authentication server (TACACS+ or RADIUS) is down, you might not be able<br />
to log in to the J-Web interface. [PR/599613: This issue has been resolved.]<br />
28<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
• In the J-Web interface, when you open the Static Routing Configuration page (Configure<br />
> Routing > Static Routing) and click Edit to edit an IPv6 static route, the J-Web interface<br />
displays the page for editing IPv4 addresses. As a workaround, use the CLI to edit the<br />
IPv6 addresses. [PR/660613: This issue has been resolved.]<br />
• In the J-Web interface, the report generated from the Events page (Monitor > Events<br />
and Alarms > View Events) does not show the description for the first four to five<br />
events. As a workaround, view the description from the Events page or from the Junos<br />
OS CLI. [PR/661752: This issue has been resolved.]<br />
• On EX8200 Virtual Chassis that include an EX8216 switch in which an EX8200-40XS<br />
line card is installed in slot 2, 3, or 4, the J-Web interface does not populate the line<br />
card’s interfaces images in the expanded view of the dashboard. As a workaround,<br />
install the line card in a slot other than one of these three. [PR/662231: This issue has<br />
been resolved.]<br />
• In the J-Web interface, in the Static Routing configuration page (Configure > Routing<br />
> Static Route > Add), you can configure only negative values and boundary values in<br />
the IP octet, and you cannot configure empty values. As a workaround, fill in all the<br />
octets before committing the values. [PR/665435: This issue has been resolved.]<br />
• In the J-Web interface, you cannot associate a filter name that contains spaces to a<br />
VLAN in the VLAN Configuration page (Configure > Switching > VLAN). As a workaround,<br />
go to the Filters Configuration page (Configure > Security > Filters), click the filter name<br />
to be associated, and then click Edit. In the pop-up window, use the Association tab<br />
to associate a VLAN to the filter. [PR/677145: This issue has been resolved.]<br />
• In the J-Web interface, in the Redundant Trunk Group (RTG) Configuration page<br />
(Configure > Switching > RTG), the Commit option is not enabled. As a workaround,<br />
select the Validate and commit configuration change option before modifying the<br />
configuration. [PR/677220: This issue has been resolved.]<br />
• In the J-Web interface, the tooltip for Fan Image might not load in the dashboard. As<br />
a workaround, view the fan status in the Chassis Information page (Monitor > System<br />
View > Chassis Information). [PR/677922: This issue has been resolved.]<br />
• In the J-Web interface, the dashboard is not displayed. [PR/700274: This issue has<br />
been resolved.]<br />
Layer 2 and Layer 3 Protocols<br />
• If a router or switch acting as both an autonomous system boundary router (ASBR)<br />
and an area border router (ABR) is reachable through both a backbone area and a stub<br />
area, and if the advertisement through stub area advertising has a higher metric than<br />
the advertisement through the backbone area, the external routes might be installed<br />
incorrectly in the routing table. The routing table entry incorrectly shows that the next<br />
hop is through the stub area. [PR/610813: This issue has been resolved.]<br />
• When a BGP interface is flapping quickly, BGP might unnecessarily withdraw prefixes<br />
even when a good route to that prefix still exists. [PR/677191: This issue has been<br />
resolved.]<br />
• In the J-Web interface, if you discard any available MIB profile, file, or predefined object<br />
from accounting-options in the Point and Click CLI Configuration page (Configure ><br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
29
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
CLI Tools > Point and Click CLI), the J-Web session times out. As a workaround, perform<br />
the same operation from the CLI. [PR/689261: This issue has been resolved.]<br />
Management and RMON<br />
• When you configure sFlow monitoring technology, the switch allows you to configure<br />
separate ingress and egress sample rates on the same interface. As configuring more<br />
than one sample rate on an interface can lead to inaccurate results, configure just one<br />
rate per interface. [PR/582521: This issue has been resolved.]<br />
• The dot1qVlanStaticUntaggedPorts MIB reports incorrect values for voice VLANs.<br />
[PR/658559: This issue has been resolved.]<br />
• When you configure both sFlow monitoring technology and port-mirroring features,<br />
parity errors might occur, which might cause the switch to crash and then reboot.<br />
[PR/658614: This issue has been resolved.]<br />
• sFlow technology does not support IPv6 collectors, source IP addresses, or agent IDs.<br />
In Junos OS releases previous to this release, configuration of these features was not<br />
blocked. If your configuration includes any of these features, you must remove them<br />
before upgrading to this Junos OS release. [PR/659922: This issue has been resolved.]<br />
• When you create a static ARP entry for an interface and then issue the show snmp mib<br />
walk command, the static ARP entry is incorrectly identified in the command output<br />
as a dynamic entry (3) rather than a static entry (4). [PR/662290: This issue has been<br />
resolved.]<br />
• When the system is being polled for SNMP statistics, the syslog message Process<br />
(930,mib2d) attempted to exceed RLIMIT_DATA: attempted 65552 KB Max 65536 KB<br />
might appear repeatedly in the system log (syslog) file. This is the result of a memory<br />
leak caused by the MIB2 process (mib2d). [PR/664475: This issue has been resolved.]<br />
• When you use the snmpwalk application to get information about switch interfaces,<br />
it returns information about incorrect interfaces. [PR/664940: This issue has been<br />
resolved.]<br />
• For EX Series switches, sFlow technology and routing policy have been removed from<br />
the extended feature license (EFL). An EFL is now required only for the following<br />
features: Q-in-Q tunneling, BFD liveness detection, connectivity fault management<br />
(CFM), IGMP, MSDP, OSPFv2, PIM and PIM sparse mode, real-time performance<br />
monitoring (RPM), service VLANs (S-VLANs), unicast reverse path forwarding (RPF),<br />
virtual routers, and VRRP. [PR/672346: This issue has been resolved.]<br />
Multicast Protocols<br />
• You might not be able to delete stale multicast routes even though no corresponding<br />
(S, G) traffic exists. [PR/674419: This issue has been resolved.]<br />
• If interfaces go up and down frequently, a memory leak might occur, and cfmd and<br />
mcsnoopd core files might be created. [PR/688356: This issue has been resolved.]<br />
• A multicast route entry is deleted and added back again approximately every 300<br />
seconds, resulting in a traffic loss of about 1 to 3 seconds. [PR/698129: This issue has<br />
been resolved.]<br />
30<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Power over Ethernet<br />
• On EX2200-C switches, two problems might occur when devices powered by Power<br />
over Ethernet (PoE) are connected to the switch and the switch reboots. The first<br />
problem occurs when PoE is enabled on the switch interfaces. The powered devices<br />
connected to those interfaces draw power while the switch is rebooting, and then after<br />
the switch stabilizes, the powered devices reboot twice. The second problem occurs<br />
when PoE is disabled on the switch interfaces. The powered devices connected to<br />
those interfaces draw power while the switch is rebooting, and then after the switch<br />
stabilizes, the powered devices reboot twice and then shut down. As a workaround, if<br />
you do not want the powered devices to reboot, connect them to the interfaces after<br />
the switch has stabilized after its reboot. [PR/675971: This issue has been resolved.]<br />
Software Installation and Upgrade<br />
• On an XRE200 External Routing Engine, the rescue configuration might not get<br />
synchronized with the backup XRE200 External Routing Engine. [PR/687797: This<br />
issue has been resolved.]<br />
Virtual Chassis<br />
• On Virtual Chassis that are configured with a private VLAN (PVLAN) and a link<br />
aggregation group (LAG), if a Virtual Chassis loses one of its members, traffic flow<br />
might not resume properly across the remaining LAG members, resulting in traffic loss.<br />
[PR/587953: This issue has been resolved.]<br />
• On EX8200 Virtual Chassis, the link status of an aggregated Ethernet (ae) interface<br />
managed by LACP goes down and comes back up when a graceful Routing Engine<br />
switchover (GRES) operation is performed between the XRE200 External Routing<br />
Engines. This switchover might have been initiated from the Junos OS CLI or because<br />
of a failure of the master Routing Engine. [PR/599772: This issue has been resolved.]<br />
• On EX8200 Virtual Chassis running a Junos OS image with resilient dual-root<br />
partitioning, when the kernel synchronization process (ksyncd) on the backup Routing<br />
Engines fails or when the master and backup Routing Engines are out of sync, both<br />
conditions that create a ksyncd core file, it might take more than 12 minutes for the<br />
core file to be created. During this time, the Virtual Chassis is highly unstable: the<br />
Routing Engine CPU usage is at 100 percent; all control protocols, such as BFD, IS-IS,<br />
and OSPF, are continuously stopping and restarting; and the CLI prompt is not displayed<br />
after you type a CLI command. This issue does not occur with nonresilient dual-root<br />
partitioning Junos OS images. [PR/609061: This issue has been resolved.]<br />
• On EX4200 Virtual Chassis, if you configure an interface’s hold time, when you insert<br />
or remove a transceiver, the chassis manager process (chassism) might create a core<br />
file. As a workaround, delete the hold-time statement from the interface configuration<br />
before you remove or insert a transceiver. [PR/664754: This issue has been resolved.]<br />
• On EX8200 Virtual Chassis, if the topology is formed such that ingress multicast traffic<br />
is routed first to the rendezvous point (RP) and then returns to the Virtual Chassis for<br />
egress via Layer 2 multicast, the multicast traffic is forwarded only to receivers<br />
connected to the Virtual Chassis member in which the returned multicast traffic is<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
31
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
received. Multicast traffic is not forwarded to other receivers in other Virtual Chassis<br />
members. [PR/666355: This issue has been resolved.]<br />
• On EX8200 Virtual Chassis, GRE-tunneled traffic is not transmitted across the chassis.<br />
For possible workarounds, contact JTAC. [PR/669513: This issue has been resolved.]<br />
• In Virtual Chassis composed of both EX4200 and EX4500 switches, you cannot<br />
configure PoE. [PR/671980: This issue has been resolved.]<br />
• When EX4200 and EX4500 switches are interconnected into the same Virtual Chassis<br />
to form a mixed EX4200 and EX4500 Virtual Chassis, the switches might fail to form<br />
a Virtual Chassis. [PR/681072: This issue has been resolved.]<br />
Issues Resolved in <strong>Release</strong> 11.4R2<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R1. The identifier<br />
following the description is the tracking number in our bug database.<br />
Access Control and Port Security<br />
• In the J-Web interface, if you navigate to any of the top panel tabs (such as Configure,<br />
Monitor, Maintain, and Troubleshoot) and then click Help > Help Contents, you might<br />
be directed to an undefined page. To display the correct help for a feature, first click<br />
the menu item corresponding to the feature to load the page, and then click Help ><br />
Help Contents. [PR/684958: This issue has been resolved.]<br />
• When you enable LLDP-MED autonegotiation on an EX Series switch, the<br />
autonegotiation bit in the LLDP-MED packet is set to not-supported, which might cause<br />
IP phones to discard LLDP-MED packets received from the switch. [PR/708752: This<br />
issue has been resolved.]<br />
• If incoming LLDP packets contain multiple Management Address TLVs, EX Series<br />
switches discard them. [PR/718781: This issue has been resolved.]<br />
• When DHCP snooping information is not learned, ARP request packets might add the<br />
following message to the system log (syslog) file: ESWD_DAI_FAILED: 3 (null) received,<br />
interface. [PR/719751: This issue has been resolved.]<br />
Ethernet Switching and Spanning Trees<br />
• When the same MAC address is learned on two VLANS, an Ethernet switching process<br />
(eswd) core file might be created. [PR/693942: This issue has been resolved.]<br />
• When you add a new VLAN on a switch on which you have also configured loopback<br />
and other IPv4 firewall filters, a Packet Forwarding Engine (pfem) core file might be<br />
created that contains the message No space available in tcam. [PR/701779: This issue<br />
has been resolved.]<br />
• When you configure the same VLAN ID on both interface VLAN tagging and global<br />
tagging, ARP entries cannot be resolved on the VLAN interface. [PR/722815: This issue<br />
has been resolved.]<br />
• Routed VLAN interfaces (RVIs) might use the system MAC address instead of using<br />
the MAC address one greater than the system MAC address (that is, system MAC<br />
32<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
address + 1), and Layer 3 ports might use their hardware MAC address instead of using<br />
the system MAC address. [PR/723643: This issue has been resolved]<br />
Hardware<br />
• For Opnext SFPs with <strong>Juniper</strong> part number 740-021308 and types SFP+ 10GE-SR,<br />
SFP+ 10GE-LR, or SFP+ 10GE-ER, when the low-power threshold is crossed, the<br />
power-low warning alarm is not set on extra-scale and Power over Ethernet (PoE) line<br />
cards. [PR/683732: This issue has been resolved.]<br />
• When you are using only one power supply in a switch, the fan status might remain in<br />
testing mode, and the LCD panel might not start. [PR/728770: This issue has been<br />
resolved.]<br />
• If you abruptly take a power supply offline, a chassimd core file might be created.<br />
[PR/737604: This issue has been resolved.]<br />
High Availability<br />
• If you perform a nonstop system software upgrade (NSSU) operation that includes<br />
the reboot option, some traffic loss might occur. [PR/717662: This issue has been<br />
resolved.]<br />
• If you perform a nonstop software upgrade (NSSU) operation, the Packet Forwarding<br />
Engine process (pfem) might restart. [PR/729095: This issue has been resolved.]<br />
Infrastructure<br />
• The system log (syslog) files might contain the message <strong>Juniper</strong> syscall not available.<br />
These messages are harmless, and you can ignore them. [PR/519153: This issue has<br />
been resolved.]<br />
• On EX8200 switches, when you run a failover operation on the Routing Engines, a<br />
vmcore file might be created. [PR/678465: This issue has been resolved.]<br />
• During a graceful Routing Engine switchover (GRES) operation between an EX4200<br />
and an EX4500 switch, a Packet Forwarding Engine (pfem) core file might be created.<br />
[PR/688618: This issue has been resolved.]<br />
• After you upgrade Junos OS, a software forwarding process (sfid) core file might be<br />
created. [PR/691958: This issue has been resolved.]<br />
• EX Series switches might not learn the MAC addresses of directly connected devices.<br />
[PR/695280: This issue has been resolved.]<br />
• When the switch is performing 802.1X (dot1x) authentication using MAC RADIUS, you<br />
might see the following message in the system log (syslog) file: kmem type temp using<br />
57344K, exceeding limit 57344K. [PR/697815: This issue has been resolved.]<br />
• On EX8200 switches that have IPv6 and IPv4 configured on routing instances, when<br />
many interfaces go down and come back up repeatedly, the next-hop programming<br />
for some routes might fail, which can cause disruptions in traffic. [PR/701985: This<br />
issue has been resolved.]<br />
• On EX3200 and EX4200 switches on which a VRF routing instance is configured, the<br />
default multicast route entry might not be set correctly, which might cause multicast<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
33
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
traffic loss. This occurs because the default PIM route entry is incorrectly shared with<br />
all VRF routing instances, so a multicast route change in one routing table could impact<br />
other routing tables. [PR/702600: This issue has been resolved.]<br />
• In rare cases, EX3300 switches running a Junos OS release earlier than <strong>Release</strong> 11.3R4<br />
or <strong>Release</strong> 11.4R2 might experience some traffic loss or a link failure as a result of<br />
non-user-configurable settings that are not optimized. To resolve this issue, upgrade<br />
to one of the following Junos OS releases:<br />
• Junos OS <strong>Release</strong> 11.3—R4 or later<br />
• Junos OS <strong>Release</strong> 11.4—R2 or later<br />
• Junos OS <strong>Release</strong> 12.1—R1 or later<br />
[PR/703147: This issue has been resolved.]<br />
• If the egress interface is a trunk interface, frames that exceed 9216 bytes might not be<br />
fragmented. [PR/705905: This issue has been resolved.]<br />
• On EX2200, EX3300, and EX6200 switches, and on EX8200 Virtual Chassis, NetBIOS<br />
snooping does not work. [PR/706588: This issue has been resolved.]<br />
• New hosts and routes might not be installed in the Packet Forwarding Engine, and the<br />
system log (syslog) files contains the following message: Failed to jtm_alloc for<br />
mrvl_rt_nh_uc_install. [PR/726043: This issue has been resolved.]<br />
• If the forwarding table contains more than 9000 route entries, issuing the clear arp<br />
command might not clear the entries in the hold state. [PR/729128: This issue has<br />
been resolved.]<br />
Interfaces<br />
• When you configure the member interfaces of an aggregated Ethernet interface before<br />
you configure the aggregated Ethernet (ae) device using set commands from the CLI,<br />
the aggregated Ethernet interface does not receive MAC updates. As a workaround,<br />
configure the aggregated Ethernet interface first, and then configure the member<br />
interfaces. [PR/680913: This issue has been resolved.]<br />
• EX Series switches do not show the control packet counters in both directions on the<br />
logical units of aggregated Ethernet (ae) interfaces. [PR/693202: This issue has been<br />
resolved.]<br />
• Interfaces might not come up, and the system log (syslog) file might contain the<br />
message DCD_CONFIG_WRITE_FAILED: configuration write failed for an RT ADD: Cannot<br />
allocate memory. [PR/697300: This issue has been resolved.]<br />
• On EX4500 switches with an interface in loopback mode, BPDUs might be processed<br />
instead of being dropped as expected, generating topology change notifications (TCNs).<br />
As a workaround, disable the interface that is in loopback mode. [PR/698077: This<br />
issue has been resolved.]<br />
• When you configure the no-preempt and interface-tracking options on a switch that is<br />
a VRRP master router, if the VRRP mastership is taken over by a switch that is a VRRP<br />
backup router and the tracking interface on the original master router goes down, then<br />
if the tracking interface on the original master router comes back up and the master's<br />
34<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
original priority is restored, the new master's mastership might transition to the original<br />
master router. [PR/699243: This issue has been resolved.]<br />
• On a link aggregation group (LAG) interface on which Q-in-Q tunneling is enabled on<br />
a VLAN, packets entering the LAG might be dropped. As a workaround, explicitly<br />
configure the VLAN to allow the desired traffic. [PR/699940: This issue has been<br />
resolved.]<br />
J-Web Interface<br />
• On EX4500 switches, you cannot configure BGP in the BGP Configuration page<br />
(Configure > Routing > BGP). [PR/699308: This issue has been resolved.]<br />
• In the J-Web interface on an EX4500 Virtual Chassis, if you configure four or more<br />
Virtual Chassis members in the Support Information page (Maintain > Customer<br />
Support > Support Information), you might see the error Configuration of switch is too<br />
large. [PR/704992: This issue has been resolved.]<br />
• In the J-Web interface, if you disable a port whose link status is down, the J-Web<br />
interface displays the incorrect link status for that interface. [PR/705836: This issue<br />
has been resolved.]<br />
• On SRX210 Services Gateways and EX Series switches, if you use the CLI to delete a<br />
DHCP pool, the J-Web interface Monitor page (Monitor > Services > DHCP > Pools)<br />
might not display the correct value in the Excluded address field. Instead, it might<br />
display the text [objec object] in the table. [PR/723555: This issue has been resolved.]<br />
Management and RMON<br />
• EX Series switches might not send jnxMIMst traps. [PR/707141: This issue has been<br />
resolved.]<br />
Software Installation and Upgrade<br />
• On EX3300 switches, when you load the factory default settings, the last two ports of<br />
the uplink ports are configured as Virtual Chassis ports (VCPs). If you convert these<br />
ports to normal network ports, they might not pass traffic. As a workaround, reboot<br />
the switch after converting the ports. [PR/685300: This issue has been resolved.]<br />
• On EX4200 switches, the EZSetup menu is not displayed on the LCD after you perform<br />
a factory-default configuration. [PR/712322: This issue has been resolved.]<br />
Virtual Chassis<br />
• On XRE200 External Routing Engines, the output of the show chassis hardware<br />
command might contain duplicate Routing Engine inventory information for members 8<br />
and 9. [PR/663272: This issue has been resolved.]<br />
• In EX4200 Virtual Chassis, if a member other than the master reboots from the backup<br />
partition, the system alarm Host # Boot from backup root should clear when that<br />
member is rebooted from the active partition. However, the master retains the alarm<br />
until it is rebooted or until the mastership switches. [PR/694256: This issue has been<br />
resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
35
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On EX8200 Virtual Chassis, LACP and all Layer 3 protocols flap constantly when an<br />
EX8200 member switch’s backup Routing Engine is rebooted, and the connection<br />
between the master XRE200 External Routing Engine and the EX8200 member switch<br />
might be lost. [PR/700295: This issue has been resolved.]<br />
• In mixed EX4200 and EX4500 Virtual Chassis, when you configure class of service,<br />
some traffic might be dropped because it is mapped to the incorrect queue. [PR/711071:<br />
This issue has been resolved.]<br />
• In a setup in which two XRE200 External Routing Engines (one acting as the master,<br />
the other as the backup) are connected to a member of an EX8200 Virtual Chassis<br />
that has two Routing Engines (one acting as the master, the other as the backup), if<br />
you remove the master Routing Engine or if you reboot this Routing Engine (for example,<br />
using the request system reboot member 0 re0 command when re0 is the master Routing<br />
Engine), interfaces on which the Link Aggregation Control Protocol (LACP) is configured<br />
might flap. This interface flapping does not occur if you remove or reboot the backup<br />
Routing Engine. [PR/718857: This issue has been resolved.]<br />
• On EX4500 Virtual Chassis, you cannot configure a mastership priority of 0 from the<br />
J-Web interface. As a workaround, configure this priority from the CLI. [PR/721426:<br />
This issue has been resolved.]<br />
Issues Resolved in <strong>Release</strong> 11.4R3<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R2. The identifier<br />
following the description is the tracking number in our bug database.<br />
Access Control and Port Security<br />
• When an EX Series switch is reauthenticating users using 802.1X (dot1x), if the switch<br />
loses reachability to the RADIUS server, the dynamic filters that were installed when<br />
the same user was previously authenticated are not cleared, resulting in traffic issues.<br />
[PR/721124: This issue has been resolved.]<br />
• On EX Series switches running Junos <strong>Release</strong> 11.x, LLDP packets might not be generated<br />
out of interfaces that are part of a LAG, causing LLDP neighbors not to form. As a<br />
workaround, follow these steps:<br />
1. Delete the lldp-med configuration.<br />
2. Commit the configuration.<br />
3. Delete the lldp configuration.<br />
4. Commit the configuration.<br />
5. Configure lldp again.<br />
6. Commit the configuration.<br />
7. (Optional) Configure lldp-med again.<br />
8. (Optional) Depending on Step 7, commit the configuration.<br />
[PR/727627: This issue has been resolved.]<br />
36<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
• You cannot configure the level for storm control. [PR/734307: This issue has been<br />
resolved.]<br />
• EX3200 switches might repeatedly create 802.1X core files. As a workaround, if access<br />
accounting is enabled, disable it by issuing the command deactivate access profile<br />
profile-name accounting. [PR/739921: This issue has been resolved.]<br />
• When you configure the Multiple VLAN Registration Protocol (MVRP), the LLDP process<br />
might create a core file as the result of a memory leak. [PR/740793: This issue has<br />
been resolved.]<br />
• If a VLAN change occurs quickly, the client might not be able to get an IP address.<br />
[PR/746479: This issue has been resolved.]<br />
Ethernet Switching and Spanning Trees<br />
• When you change the spanning-tree protocol from RSTP or VSTP to MSTP, the Ethernet<br />
switching process (eswd) might create a core file. [PR/725436: This issue has been<br />
resolved.]<br />
Firewall Filters<br />
• If you configure a firewall filter on a loopback interface whose last term is deny-all,<br />
static routes filtered with the reject action reach the CPU, and multicast trap and RPF<br />
fail packets are implicitly allowed to reach the CPU. [PR/710641: This issue has been<br />
resolved.]<br />
• If you configure both a regular analyzer and a firewall filter-based analyzer, the traffic<br />
from the regular analyzer might exit from the output port you configured for the firewall<br />
filter-based analyzer. [PR/724795: This issue has been resolved.]<br />
Hardware<br />
• If you power off and then restart an EX Series switch, the chassis process (chassisd)<br />
might not restart. This problem might also occur in switches that have redundant power<br />
supplies. [PR/708872: This issue has been resolved.]<br />
High Availability<br />
• On EX8200 switches and EX8200 Virtual Chassis that have nonstop active routing<br />
(NSR) for Protocol Independent Multicast (PIM) configured, some multicast data<br />
might be lost after a graceful Routing Engine switchover (GRES). [PR/690073: This<br />
issue has been resolved.]<br />
Infrastructure<br />
• In some cases, broadcast traffic that is received on the management port (me0) is<br />
broadcast to other subnets on the switch. [PR/705584: This issue has been resolved.]<br />
• After a MAC address moves, the ARP index might not point to the correct MAC address.<br />
As a workaround, run the clear ethernet-switching table command. [PR/718698: This<br />
issue has been resolved.]<br />
• A destination with two equal-cost next hops might not be installed in the Packet<br />
Forwarding Engine when a virtual management Ethernet (VME) interface is configured<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
37
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
and a default route with a reachable next hop is present. As a workaround, remove<br />
and then re-add one of the two equal-cost next hops. [PR/719745: This issue has been<br />
resolved.]<br />
• The allow-configuration-regexps statement at the [edit system login class] hierarchy<br />
level does not work exactly the same way as the deprecated allow-configuration<br />
statement at the same hierarchy level. [PR/720013: This issue has been resolved.]<br />
• When you issue NTP-related show commands, such as show ntp status, incorrect<br />
output might be displayed. [PR/722528: This issue has been resolved.]<br />
• On EX4200 switches, after you issue the request system zeroize media command, you<br />
might not be able to establish a connection with the switch using SSH, and you might<br />
not be able to issue the commit command on the switch. [PR/723918: This issue has<br />
been resolved.]<br />
• On EX8208 switches, when the SRE module is in the spare state and you configure it<br />
to go offline and then come back online again, the module’s ST LED does not turn back<br />
on. [PR/724455: This issue has been resolved.]<br />
• After a graceful Routing Engine switchover (GRES) operation, clone routes might move<br />
into the reject state. [PR/724729: This issue has been resolved.]<br />
• On EX8200 switches, after you issue the request system zeroize media command, the<br />
line cards might not come online. [PR/728082: This issue has been resolved.]<br />
• If you include the autoinstallation configuration statement at the [edit system] hierarchy<br />
level, the switch interfaces might not work correctly. [PR/728344: This issue has been<br />
resolved.]<br />
• The Ethernet switching process (eswd) might create a core file. [PR/732263: This issue<br />
has been resolved.]<br />
• When you quickly insert and then remove a line card, the chassis manager process<br />
(chassism) might become unstable. [PR/740730: This issue has been resolved.]<br />
• On EX8200 switches, a chassism core file might be created. [PR/745964: This issue<br />
has been resolved.]<br />
• On all EX Series switches except EX8200 switches, if you have configured several<br />
policer settings in the same filter, they might all be overwritten when you change one<br />
of the settings. As a workaround, delete the setting, and then add it back again with<br />
the desired changes. [PR/750497: This issue has been resolved.]<br />
Interfaces<br />
• If you set an interface speed at the [edit interfaces interface-range] hierarchy level, this<br />
speed might not be applied to the individual interface. If you set different interface<br />
speeds directly on the interface and at the [edit interfaces interface-range] hierarchy<br />
level, both settings are applied on the interface. [PR/697478: This issue has been<br />
resolved.]<br />
• When you delete the VLAN mapping for an aggregated Ethernet (ae) interface, the<br />
Ethernet switching process (eswd) might crash and display the error message No vlan<br />
matches vlan tag 116 for interface ae5.0. [PR/731731: This issue has been resolved.]<br />
38<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
J-Web Interface<br />
• In the J-Web interface, the dashboard does not display the uplink ports or uplink module<br />
ports unless transceivers are plugged into the ports. [PR/477549: This issue has been<br />
resolved.]<br />
• When a large number of inbound HTTP connections are established over an extended<br />
period of time, the HTTP process (httpd) might become trapped in a loop, resulting in<br />
high CPU utilization. The CPU load continues even after the stream of connection<br />
attempts is terminated. To reduce the CPU load, you must kill the process from the<br />
shell. Two workarounds are to disable the J-Web interface, or to allow access to the<br />
J-Web interface only from trusted networks. Alternatively, apply a policer at the edge<br />
or on the control plane (lo0) to rate-limit inbound connections to TCP port 80. Note<br />
that the typical side effects of applying rate limiting to services (for example, an<br />
increased risk of successful DoS attacks) also apply to inbound J-Web interface<br />
connections, so be careful before making changes to control plane protection firewall<br />
filters. See RFC 6192 for guidance on protecting the switch’s control plane. [PR/693434:<br />
This issue has been resolved.]<br />
• In the Login/Splash screen and the Help mapping file, the copyright date is set to 2011;<br />
it should be 2012. [PR/731790: This issue has been resolved.]<br />
• On the J-Web dashboard, the Total number of ports field in the Capacity utilization<br />
page might show incorrect values for a mixed EX4200 and EX4500 Virtual Chassis.<br />
As a workaround, use the show chassis hardware | match PIC | except Virtual command<br />
to display the correct values. [PR/734766: This issue has been resolved.]<br />
• In the J-Web interface, if you click the EX8200-48T, EX8200-48F, or EX8200-8XS<br />
line card in the chassis view in the dashboard, the expanded line card might not load<br />
its interfaces and might not display the interface status for both the EX8208 and<br />
EX8216 switches. As a workaround, first click the EX8200-40XS in the same chassis<br />
view and then close that line card. Then click the EX8200-48T, EX8200-48F, or<br />
EX8200-8XS line card to display the status of all interfaces. [PR/742448: This issue<br />
has been resolved.]<br />
• For EX Series switches, when you use the J-Web interface software upload package,<br />
the unlink option does not work. [PR/746546: This issue has been resolved.]<br />
• In the J-Web interface on an EX8200 switch that is in virtual-chassis mode, when you<br />
expand the number of uplink modules, line cards that have no uplink module report<br />
an error or map ports to nonexistent modules. This problem happens the first time that<br />
you configure capacity utilization values. [PR/750854: This issue has been resolved.]<br />
Layer 2 and Layer 3 Protocols<br />
• When you configure a static route that has two multihop paths, BFD might become<br />
unstable, and the routing protocol process (rpd) might crash. [PR/701966: This issue<br />
has been resolved.]<br />
• If PIM remains in the assert state, the routing protocol process (rpd) might create a<br />
core file. [PR/711150: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
39
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Management and RMON<br />
• On EX4200 switches and EX4200 Virtual Chassis, the event process (eventd) process<br />
might create a core file. [PR/737893: This issue has been resolved.]<br />
MPLS<br />
• On EX3200 and EX4200 switches, no counters are incremented in MPLS statistics<br />
files for label-switched paths (LSPs) that are used for circuit cross-connects (CCCs).<br />
[PR/724371: This issue has been resolved.]<br />
Software Installation and Upgrade<br />
• When you use NSSU to upgrade from Junos OS <strong>Release</strong> 11.3R5, all traffic across a link<br />
aggregation group (LAG) might be dropped. [PR/733050: This issue has been resolved.]<br />
• The unlink option in the request system software add package unlink command does<br />
not work on EX Series switches. [PR/739795: This issue has been resolved.]<br />
Virtual Chassis<br />
• On EX4200 Virtual Chassis, if you delete an uplink interface on which the family mpls<br />
option is configured, the MPLS functionality on the corresponding symmetric interfaces<br />
on the other members might be affected. [PR/704480: This issue has been resolved.]<br />
• In a setup in which two XRE200 External Routing Engines (one acting as the master,<br />
the other as the backup) are connected to a member of an EX8200 Virtual Chassis<br />
that has two Routing Engines (one acting as the master, the other as the backup), if<br />
you remove the master Routing Engine or if you reboot this Routing Engine (for example,<br />
using the request system reboot member 0 re0 command when re0 is the master Routing<br />
Engine), interfaces on which the Link Aggregation Control Protocol (LACP) is configured<br />
might flap. This interface flapping does not occur if you remove or reboot the backup<br />
Routing Engine. [PR/718857: This issue has been resolved.]<br />
• On an EX2200 switch used as an intermediary switch in an EX8200 Virtual Chassis<br />
setup, a link down is not detected after you reboot the partner XRE200 External Routing<br />
Engine. [PR/726501: This issue has been resolved.]<br />
• On EX8200 Virtual Chassis, messages in the system log (syslog) file might show that<br />
a temperature alarm has been set and then cleared clear even though there has been<br />
no environmental trigger. [PR/730498: This issue has been resolved.]<br />
• The XRE200 External Routing Engine temperature monitors, which you can view using<br />
the show chassis environment command, might report temperatures that are twice<br />
the actual temperature. This temperature-reporting error has no impact on XRE200<br />
External Routing Engine behavior. Because the fans and the system receive the correct<br />
temperature internally, unwanted fan speed changes or an XRE200 External Routing<br />
Engine shutdown cannot occur as a result of this misreported temperature. However,<br />
the incorrect reported temperatures generate alarms and alarm messages. [PR/734233:<br />
This issue has been resolved.]<br />
40<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Issues Resolved in <strong>Release</strong> 11.4R4<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R3. The identifier<br />
following the description is the tracking number in our bug database.<br />
Ethernet Switching and Spanning Trees<br />
• If multicast clients are present across virtual routing and forwarding (VRF) instances,<br />
multicast traffic might not be received when you deactivate and then reactivate one<br />
of the VRF instances. [PR/769963: This issue has been resolved.]<br />
Hardware<br />
• On EX3300 switches, power supply failure errors might occur. To circumvent this<br />
problem, a software workaround has been provided. The software reads the power<br />
supply bit multiple times before it declares the power supply module to be down.<br />
[PR/743115: This issue has been resolved.]<br />
• EX4500 Series switches and EX8200-40XS line cards do not forward IP UDP packets<br />
when their destination port is 0x013f (PTP) or when the fragmented packet has the<br />
value 0x013f at the same offset (0x2c). [PR/775329: This issue has been resolved.]<br />
High Availability<br />
• On XRE200 External Routing Engines, when you specify the reboot option when<br />
performing a nonstop software upgrade (NSSU) operation, the physical link might flap<br />
because the Packet Forwarding Engine process (pfem) restarts on the line cards,<br />
resulting in traffic loss and protocol flapping. [PR/718472: This issue has been resolved.]<br />
Infrastructure<br />
• The request system zeroize command might not erase all files, such as files in the<br />
/config, /var/db/config, and /var/db directories. [PR/737916: This issue has been<br />
resolved.]<br />
• On EX4200 switches, a Packet Forwarding Engine process (pfem) core file might be<br />
created while the switch is running the PFE internal support script and saving the output<br />
to a file. [PR/749974: This issue has been resolved.]<br />
• You might see the following message in log files: Kernel/ (COMPOSITE NEXT HOP)<br />
failed, err 6 (No Memory). [PR/751985: This issue has been resolved.]<br />
• On EX8200 switch line cards, a Packet Forwarding Engine process (PFEM) process<br />
core file might be created as the result of a memory segmentation fault. [PR/757108:<br />
This issue has been resolved.]<br />
J-Web Interface<br />
• If you used the CLI to create a redundant trunk link (RTG) group whose members are<br />
not trunk ports, you cannot edit this group from the J-Web interface. As a workaround,<br />
edit the group from the CLI. [PR/745458: This issue has been resolved.]<br />
• The J-Web interface is vulnerable to HTML cross-site–scripting attacks, also called<br />
XST or cross-site tracing. [PR/752398: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
41
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Virtual Chassis<br />
• On XRE200 External Routing Engines, when you change link aggregation groups (LAGs),<br />
the trunk programming might become incorrect. [PR/733814: This issue has been<br />
resolved.]<br />
• On EX8200 Virtual Chassis, after you ungracefully remove the master Routing Engine<br />
from the EX8200 member switch, traffic might be interrupted for up to 2 minutes.<br />
[PR/742363: This issue has been resolved.]<br />
• On EX3300 switches, when a Virtual Chassis is formed, the Virtual Chassis backup<br />
member’s console CLI does not automatically redirect to the Virtual Chassis master’s<br />
console CLI. As a workaround, manually log out from the Virtual Chassis backup<br />
member. [PR/744241: This issue has been resolved.]<br />
• On EX8200 Virtual Chassis, the switch might incorrectly send untagged packets. As a<br />
result, some hosts in the VLAN might experience connectivity issues. [PR/752021: This<br />
issue has been resolved.]<br />
Issues Resolved in <strong>Release</strong> 11.4R5<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R4. The identifier<br />
following the description is the tracking number in our bug database.<br />
Access Control and Port Security<br />
• If you enable 802.1X with MAC RADIUS authentication, that is, by including the<br />
mac-radius statement in the configuration, the authentication manager process (authd)<br />
might reach a memory limit when there are approximately 250 users. As a workaround,<br />
reset the authd process when it reaches 85 percent of its RLIMIT_DATA value (that is,<br />
85 percent of 130 MB). To check the amount of memory being used by the authd<br />
process, use the show system processes extensive operational mode command.<br />
[PR/783363: This issue has been resolved.]<br />
• When you configure DHCP snooping, DHCP Inform ACK packets might not pass to the<br />
client. [PR/787161: This issue has been resolved.]<br />
• If you configure a static MAC bypass for 802.1X (dot1x) authentication and you add a<br />
new host to the exclusion list, the MAC addresses of existing hosts that have already<br />
been successfully authenticated using static MAC bypass might move to an incorrect<br />
VLAN. [PR/787679: This issue has been resolved.]<br />
• On XRE200 External Routing Engines on which DHCP snooping and dynamic ARP<br />
inspection are enabled, when packets are transmitting out a different line card type<br />
from the ingress interface, an SFID core file might be created. [PR/794293: This issue<br />
has been resolved.]<br />
42<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Converged <strong>Networks</strong> (LAN and SAN)<br />
• On EX4500 switches, the DCBX protocol does not work. [PR795835: This issue has<br />
been resolved.]<br />
Ethernet Switching and Spanning Trees<br />
• When you add a new virtual routing and forwarding (VRF) instance, existing firewall<br />
filters might not be applied to the new VRF instance. [PR/786662: This issue has been<br />
resolved.]<br />
High Availability<br />
• In EX8200 Virtual Chassis, after one Virtual Chassis member is rebooted, the line card<br />
of the corresponding rebooted member switch is not brought down immediately, and<br />
hence the peer sees that the interfaces remain in the Up state. Additionally, the interface<br />
state is not cleared immediately in the switch card chassis kernel. The result is that<br />
the protocol session goes down, and traffic loss occurs even if you have configured<br />
nonstop active routing (NSR). [PR/754603: This issue has been resolved.]<br />
Infrastructure<br />
• On EX Series switches, during the MAC learning process, you might see an excessive<br />
number of log messages similar to MRVL-L2:mrvl_fdb_mac_entry_uc_set(). [PR/774675:<br />
This issue has been resolved.]<br />
• After you upgrade to Junos OS <strong>Release</strong> 11.4R3, 11.4R4, or 12.1R2, EX Series switches<br />
might stop responding to SNMP ifIndex list queries. As a workaround, restart the switch.<br />
If restarting the switch is not an option, restart the shared-memory daemon<br />
(shm-rtsdbd). [PR/782231: This issue has been resolved.]<br />
Interfaces<br />
• When VRRP is running between two EX8200 switches on a VLAN, after a master<br />
switchover, both switches might act as masters. [PR/752868: This issue has been<br />
resolved.]<br />
• When you issue the show vrrp brief command, a VRRP process (vrrpd) core file might<br />
be created. [PR/782227: This issue has been resolved.]<br />
• If you configure IPv6 and VRRP, the IPv6 VRRP MAC address might be used incorrectly<br />
as the source MAC address when routing traffic across VLANs. [PR/791586: This issue<br />
has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
43
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Multicast Protocols<br />
• On EX8200 switches and XRE200 External Routing Engines, when there is a high<br />
volume of PIM and IGMP join and leave activity, multicast next-hop tokens might<br />
become exhausted, leaving the switch unable to install next-hop multicast routes. As<br />
a result, the delivery of multicast traffic is affected. One symptom that this problem<br />
has occurred is the presence of the following messages in the system log (syslog) file:<br />
kernel: rnh_comp_request: RTM_ADD jpf_derived_token_alloc failed: 12; kernel:<br />
rt_alloc_new_indr_comp: indirect nexthop creation failed; kernel: rt_comp_get_new_fwdnh:<br />
can't get indirect nexthop. [PR/787302: This issue has been resolved.]<br />
Network Management and RMON<br />
• An incorrect ifType value might be displayed for counters on physical interfaces.<br />
[PR/784620: This issue has been resolved.]<br />
• Using snmpwalk for SNMP polling does not work in logical routers. [PR/791859: This<br />
issue has been resolved.]<br />
Virtual Chassis<br />
• On EX8200 Virtual Chassis, when you swap the members of a link aggregation group<br />
(LAG), a vmcore or ksyncd core file might be created on the backup Routing Engine.<br />
[PR/711679: This issue has been resolved.]<br />
• After you change the physical speed on a Virtual Chassis member interface, an<br />
aggregated Ethernet (ae) interface might flap after you issue the next commit command<br />
to commit configuration changes. [PR/779404: This issue has been resolved.]<br />
Issues Resolved in <strong>Release</strong> 11.4R6<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R5. The identifier<br />
following the description is the tracking number in our bug database.<br />
Access Control and Port Security<br />
• When access configuration is not required and the guest VLAN feature is configured,<br />
supplicants might not be authenticated using the guest VLAN, and they might remain<br />
in the connecting state. [PR/783606: This issue has been resolved.]<br />
• An EX6200 switch might send 802.1Q tagged frames out of access ports when DHCP<br />
snooping is configured. This might cause Apple Macintosh end devices not to properly<br />
receive an IP address from the DHCP server. [PR/804010: This issue has been resolved.]<br />
• On EX6200 switches, LLDP stops working if you execute the set<br />
ethernet-switching-options voip interface access-ports vlan command. [PR/829898:<br />
This issue has been resolved.]<br />
44<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Firewall Filters<br />
• If you apply a policer to an interface, the policer might not work, and messages similar<br />
to the following are logged: dfw_bind_policer_template_to_filter:205 Binding policer<br />
fails. [PR/802489: This issue has been resolved.]<br />
Hardware<br />
• Non-<strong>Juniper</strong> <strong>Networks</strong> DAC cables do not work on EX Series switches. [PR/808139:<br />
This issue has been resolved.]<br />
High Availability<br />
• After you perform a nonstop software upgrade (NSSU), there might be a traffic outage<br />
for 150 seconds while the line cards are restarting. [PR/800460: This issue has been<br />
resolved.]<br />
Infrastructure<br />
• After you successfully install Junos OS, if you uninstall AI scripts, an mgd core file might<br />
be created. [PR/740554: This issue has been resolved.]<br />
• After an EX8200 switch has been up for several days, the line cards might reach<br />
100 percent CPU usage and then stay at 100 percent. [PR/752454: This issue has been<br />
resolved.]<br />
• On an EX8200 Virtual Chassis or a switch with redundant Routing Engines, when you<br />
swap the members of a link aggregation group (LAG), a vmcore or ksyncd core file<br />
might be created on the backup Routing Engine. [PR/793778: This issue has been<br />
resolved.]<br />
• On EX8200 switches, when you issue the request system reboot other-routing-engine<br />
command, a timeout error might be displayed before the Routing Engine initiates its<br />
reboot operation. [PR/795884: This issue has been resolved.]<br />
• On EX3300 switches, when you are configuring BGP authentication, after you have<br />
configured the authentication key, BGP peering is never established. [PR/803929: This<br />
issue has been resolved.]<br />
• On EX8200 Virtual Chassis, if you issue the request system reboot command, the<br />
request system reboot all-members command, or the request system reboot member<br />
command, the Routing Engines on the member switch do not reboot even though the<br />
command display shows that they are rebooting. [PR/808915: This issue has been<br />
resolved.]<br />
• On EX4200 switches, high CPU usage might be due to console cable noise. [PR818157:<br />
This issue has been resolved.]<br />
• When an uplink module in the switch is operating in the 1-gigabit mode, a chassism<br />
core file might be created if you remove an SFP transceiver from one of the module's<br />
interfaces. As the chassism process restarts, all traffic passing through the interface<br />
is dropped. This problem happens with both copper and fiber SFPs. [PR/828935: This<br />
issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
45
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Interfaces<br />
• On EX Series switches, if you have configured a link aggregation group (LAG) with link<br />
protection, an interface on the backup member might drop ingress traffic. [PR/796348:<br />
This issue has been resolved.]<br />
Layer 2 and Layer 3 Protocols<br />
• If you have configured nonstop active routing (NSR) for Protocol Independent Multicast<br />
(PIM), a core file might be created on an upstream router because of high churn in<br />
unicast routes or a continuous clearing of PIM join-distribution in the downstream<br />
router. To prevent this possibility, disable NSR for PIM. [PR/707900: This issue has<br />
been resolved.]<br />
Network Management and RMON<br />
• After a Routing Engine switchover, LACP and MIB process (mib2d) core files might be<br />
created. [PR/790966: This issue has been resolved.]<br />
• In EX3300 Virtual Chassis, if you perform an SNMP poll of jnxOperatingState for fan<br />
operation, the information for the last two members in the Virtual Chassis is incorrect.<br />
[PR/813881: This issue has been resolved.]<br />
• On EX Series switches that have Power over Ethernet (PoE) capability, chassisd (the<br />
chassis daemon) might crash when running SNMP requests (for example, SNMP get,<br />
get-next, and walk requests) on pethMainPse objects. This is caused by the system<br />
trying to free memory that is already freed. As a workaround, do not run SNMP requests<br />
on pethMainPse objects. [PR/817311: This issue has been resolved.]<br />
Issues Resolved in <strong>Release</strong> 11.4R7<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R6. The identifier<br />
following the description is the tracking number in our bug database.<br />
Access Control and Port Security<br />
• When you use the dynamic firewall filter allocation feature, if the filter ID string is very<br />
long and the reauthentication interval is very short, a memory leak might be observed<br />
with the 802.1x (dot1x) process. [PR/837183: This issue has been resolved.]<br />
Infrastructure<br />
• On EX2200 switches, overheat circuitry may be triggered and display the message,<br />
Triggering overheat circuitry at a temperature of around 0 degrees Celsius. [PR/609415:<br />
This issue has been resolved.]<br />
• The output of the show system users no-resolve command displays the resolved<br />
hostname. [PR/672599: This issue has been resolved.]<br />
• When many packets are queued up to have their next hop resolved, some packets<br />
might become corrupted. [PR/790201: This issue has been resolved.]<br />
46<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
• When access security is configured using dynamic ARP inspection (DAI) or DHCP<br />
snooping along with VSTP, the VSTP BPDUs are blocked and not processed, which<br />
can create a looping condition. [PR/807134: This issue has been resolved.]<br />
• Traffic leaks might occur for unknown unicast and broadcast traffic from multiple<br />
VLANs when a MAC RADIUS-assigned VLAN is set on a switch interface through a<br />
server-initiated attribute change. If the 802.1x interface has VLAN100 assigned and<br />
the RADIUS server sends a different VLAN attribute (for example, 200 rather than<br />
100), after the interface is assigned in VLAN200, it also sends egress unknown unicast<br />
and broadcast traffic that belongs to VLAN100. [PR/829436: This issue has resolved.]<br />
• Multicast packets might be lost when the user switches from one IPTV channel to<br />
another. [PR/835538: This issue has been resolved.]<br />
• An SNMP poll might not return clear information for some field-replaceable units<br />
(FRUs), such as fans and power supplies. The FRU description might not indicate which<br />
physical switch contains the FRU. [PR/837332: This issue has been resolved.]<br />
• If you reboot the switch with the routed VLAN interface (RVI) disabled, then even if<br />
you reenable the RVI, the RVI traffic is not routed in the Packet Forwarding Engine; the<br />
traffic is trapped to the CPU and is policed by the rate limit in the Packet Forwarding<br />
Engine. [PR/838531: This issue is resolved.]<br />
• In a mixed-mode EX4500 and EX4200 Virtual Chassis, link aggregation may create a<br />
Packet Forwarding Engine (pfem) core file in some member switches. [PR/846498:<br />
This issue has been resolved.]<br />
Layer 2 and Layer 3 Protocols<br />
• Creating a routed VLAN interface (RVI) and deleting the Layer 3 interface (making it<br />
pure Layer 2) leaves a stale entry in the ethernet switching table. This could cause<br />
communication issues until the stale entries are cleared on the switch. [PR/674739:<br />
This issue has been resolved.]<br />
• On an EX4200 switch configured for VLAN translation, Windows NetBios traffic might<br />
not be translated. [PR791131: This issue has been resolved.]<br />
• On EX Series switches, Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol<br />
(VTP) do not work through the Layer 2 Tunneling Protocol (L2TP). [PR/842852: This<br />
issue has been resolved.]<br />
Network Management and RMON<br />
• On EX8200 switches, sFlow monitoring technology packets were being generated<br />
with an incorrect source MAC address of 20:0b:ca:fe:5f:10. This issue has been fixed<br />
and EX8200 switches now use the outbound port’s MAC address as the source MAC<br />
address for the sFlow traffic. [PR/815366: This issue has been resolved.]<br />
• On EX Series switches, a configured OAM threshold value might get reset when the<br />
chassis is rebooted. [PR/829649: This issue has been resolved.]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 8<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
47
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 11<br />
• Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 12<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 18<br />
• Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 48<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 49<br />
Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
• Changes to the Junos OS for EX Series Switches Documentation on page 48<br />
• Errata on page 48<br />
Changes to the Junos OS for EX Series Switches Documentation<br />
There are no changes to the documentation for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
switches.<br />
Errata<br />
This section lists outstanding issues with the documentation for Junos OS <strong>Release</strong> 11.4<br />
for EX Series switches.<br />
Class of Service<br />
• On EX Series switches, you cannot configure a scheduler map on an individual interface<br />
that is a member of a link aggregation group (LAG). Instead, you must configure the<br />
scheduler map on the LAG itself (that is, on the aggregated Ethernet [ae] interface).<br />
[This issue was being tracked by PR/692629.]<br />
Ethernet Switching<br />
• In the topic Example: Setting Up Bridging with Multiple VLANs for EX Series Switches, one<br />
of the interfaces in the VLAN named “support” is incorrectly shown as ge-0/0/0.24.<br />
The correct interface name is ge-0/0/24.0.<br />
• The documentation for the vlans configuration statement incorrectly states the required<br />
privilege levels as routing and routing-control. The correct privilege levels for this<br />
statement are system and system-control.<br />
48<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Network Management and Monitoring<br />
• You can configure Ethernet OAM link fault management (LFM) on aggregated<br />
interfaces.<br />
Software Installation and Upgrade<br />
• request system software validate—The documentation for the request system software<br />
validate command incorrectly states that this command is supported on EX Series<br />
switches. This command is not supported on any EX Series switches. [This issue is<br />
being tracked by PR/803185.]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 8<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 11<br />
• Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 12<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 18<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 23<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 49<br />
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
This section describes how to upgrade to or downgrade from Junos OS <strong>Release</strong> 11.4.<br />
NOTE: If you are upgrading from Junos OS <strong>Release</strong> 10.4R2 or earlier, you must<br />
install new loader software as part of the upgrade process. This special<br />
software upgrade takes a little more time to complete than a standard<br />
upgrade. See “Upgrading from Junos OS <strong>Release</strong> 10.4R2 or Earlier” on page 51<br />
for instructions.<br />
These instructions discuss the following subjects:<br />
• Upgrade and Downgrade Support Policy for Junos OS <strong>Release</strong>s on page 49<br />
• Upgrading from Junos OS <strong>Release</strong> 10.4R3 or Later on page 50<br />
• Upgrading from Junos OS <strong>Release</strong> 10.4R2 or Earlier on page 51<br />
• Downgrading to Junos OS <strong>Release</strong> 10.4R2 or Earlier on page 69<br />
• Downgrading to an Earlier Junos OS <strong>Release</strong> on page 69<br />
• Upgrading EX Series Switches Using NSSU on page 70<br />
Upgrade and Downgrade Support Policy for Junos OS <strong>Release</strong>s<br />
Support for upgrades and downgrades that span more than three Junos OS releases at<br />
a time is not provided, except for releases that are designated as Extended End-of-Life<br />
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
49
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
upgrade directly from one EEOL release to the next EEOL release even though EEOL<br />
releases generally occur in increments beyond three releases.<br />
You can upgrade or downgrade to the EEOL release that occurs directly before or after<br />
the currently installed EEOL release, or to two EEOL releases before or after. For example,<br />
Junos OS <strong>Release</strong>s 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS<br />
<strong>Release</strong> 10.0 to Junos OS <strong>Release</strong> 10.4 or even from Junos OS <strong>Release</strong> 10.0 to Junos OS<br />
<strong>Release</strong> 11.4. However, you cannot upgrade directly from a non-EEOL release that is more<br />
than three releases before or after. For example, you cannot directly upgrade from<br />
Junos OS <strong>Release</strong> 10.3 (a non-EEOL release) to Junos OS <strong>Release</strong> 11.4 or directly<br />
downgrade from Junos OS <strong>Release</strong> 11.4 to Junos OS <strong>Release</strong> 10.3.<br />
To upgrade or downgrade from a non-EEOL release to a release more than three releases<br />
before or after, first upgrade to the next EEOL release and then upgrade or downgrade<br />
from that EEOL release to your target release.<br />
For more information on EEOL releases and to review a list of EEOL releases, see<br />
http://www.juniper.net/support/eol/junos.html .<br />
Upgrading from Junos OS <strong>Release</strong> 10.4R3 or Later<br />
This section contains the procedure for upgrading from Junos OS <strong>Release</strong> 10.4R3 or later<br />
to Junos OS <strong>Release</strong> 11.4. You can use this procedure to upgrade Junos OS on a standalone<br />
EX Series switch with a single Routing Engine and to upgrade all members of a Virtual<br />
Chassis or a single member of a Virtual Chassis.<br />
To upgrade Junos OS on a standalone EX6200 switch or EX8200 switch with dual Routing<br />
Engines, see Installing Software on an EX Series Switch with Redundant Routing Engines<br />
(CLI Procedure).<br />
To upgrade Junos OS on a switch with a single Routing Engine or on a Virtual Chassis:<br />
1. Download the software package as described in Downloading Software Packages from<br />
<strong>Juniper</strong> <strong>Networks</strong>.<br />
2. (Optional) Back up the current software configuration to a second storage option.<br />
See the Junos OS Installation and Upgrade Guide for instructions.<br />
3. (Optional) Copy the software package to the switch. We recommend that you use<br />
FTP to copy the file to the /var/tmp directory.<br />
This step is optional because you can also upgrade Junos OS using a software image<br />
that is stored at a remote location.<br />
4. Install the new software package on the switch:<br />
user@switch> request system software add package<br />
Replace package with one of the following paths:<br />
• /var/tmp/package.tgz—For a software package in a local directory on the switch<br />
• ftp://hostname/pathname/package.tgz or<br />
http://hostname/pathname/package.tgz—For a software package on a remote server<br />
50<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
package.tgz is the name of the package; for example,<br />
jinstall-ex-4200-11.4R1.8-domestic-signed.tgz.<br />
To install software packages on all switches in a mixed EX4200 and EX4500 Virtual<br />
Chassis, use the set option to specify both the EX4200 package and the EX4500<br />
package:<br />
user@switch> request system software add set [package package]<br />
To install the software package on only one member of a Virtual Chassis, include the<br />
member option:<br />
user@switch> request system software add package member member-id<br />
Other members of the Virtual Chassis are not affected. To install the software on all<br />
members of the Virtual Chassis, do not include the member option.<br />
NOTE: To abort the installation, do not reboot your device. Instead, finish<br />
the installation, and then issue the request system software delete<br />
package.tgz command, where package.tgz is the name of the package; for<br />
example, jinstall-ex-8200-11.4R1.8-domestic-signed.tgz. This is the last<br />
chance to stop the installation.<br />
5. Reboot the switch to start the new software:<br />
user@switch> request system reboot<br />
To reboot only a single member in a Virtual Chassis, include the member option:<br />
user@switch> request system reboot member<br />
6. After the reboot has finished, log in and verify that the new version of the software is<br />
properly installed:<br />
user@switch> show version<br />
Upgrading from Junos OS <strong>Release</strong> 10.4R2 or Earlier<br />
Because of the introduction of resilient dual-root partitions in Junos OS <strong>Release</strong> 10.4R3,<br />
upgrading to Junos OS <strong>Release</strong> 11.4 from Junos OS <strong>Release</strong> 10.4R2 or earlier requires a<br />
different procedure than the one for upgrading from Junos OS <strong>Release</strong> 10.4R3 or later.<br />
The resilient dual-root partitions feature incorporates enhancements that add additional<br />
steps when you upgrade from a release that does not support resilient dual-root partitions<br />
to one that does. Once you are running a release that supports resilient dual-root<br />
partitions, such as Junos OS <strong>Release</strong> 11.4, future upgrades do not require these additional<br />
steps.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
51
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
The following points summarize the differences between this upgrade and previous<br />
upgrades:<br />
• The disk partitions are automatically reformatted to four partitions during the reboot<br />
of the switch that completes the Junos OS upgrade. The reformat increases the reboot<br />
time for EX8200 switches by 10 to 25 minutes per Routing Engine. For other switches,<br />
the increase in boot time is 5 to 10 minutes.<br />
• The configuration files in the /config directory are saved in volatile memory before the<br />
reformat and then restored after the reformat. However, the files in the /var directory<br />
are not saved and are lost after the upgrade.<br />
NOTE: We recommend that you copy your data files to external media<br />
using the request system snapshot command before you perform the<br />
upgrade. Files in the /var directory, such as log files and user /home<br />
directories, are not saved. In addition, a power failure during the reboot<br />
could cause the configuration files to be lost.<br />
• You must upgrade the loader software. You upgrade the loader software by installing<br />
the loader software package from the CLI.<br />
NOTE: To obtain the loader software package, see the Download Software<br />
page at http://www.juniper.net/support/downloads/junos.html . Click the<br />
version, then the Software tab, and then the name of the software install<br />
package. In the pop-up Alert box, click the link to the PSN document.<br />
On switches other than EX8200 switches, upgrading the loader software does not<br />
significantly increase upgrade time, because you can complete the upgrade of both<br />
Junos OS and the loader software with a single reboot.<br />
On EX8200 switches, upgrading the loader software requires an additional reboot per<br />
Routing Engine because of the way the loader software is stored in flash memory. On<br />
EX8200 switches only, you can verify that the loader software requires upgrading<br />
before you perform the upgrade—if the loader software does not need upgrading, the<br />
additional reboot per Routing Engine is not required.<br />
NOTE: If you upgrade to Junos OS <strong>Release</strong> 11.4 and do not upgrade the<br />
loader software, the switch comes up and functions normally. However, if<br />
the switch cannot boot from the active root partition, it cannot transparently<br />
boot from the alternate root partition either.<br />
Table 1 on page 53 lists the installation packages required to upgrade the loader<br />
software.<br />
52<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Table 1: Required Installation Packages for Upgrading the Loader Software<br />
Platform<br />
Installation Package<br />
EX2200 switch<br />
jloader-ex-2200-11.3build-signed.tgz<br />
EX3200 switch<br />
jloader-ex-3242-11.3build-signed.tgz<br />
EX4200 switch<br />
jloader-ex-3242-11.3build-signed.tgz<br />
EX4500 switch<br />
jloader-ex-4500-11.3build-signed.tgz<br />
EX8200 switch<br />
jloader-ex-8200-11.3build-signed.tgz<br />
XRE200 External Routing Engine<br />
The loader software does not need to be upgraded.<br />
• When you upgrade to a release that supports resilient dual-root partitions from one<br />
that does not, the upgrade process automatically copies the contents of the primary<br />
root partition to the alternate root partition at the end of the upgrade process. Because<br />
the resilient dual-root partitions feature enables the switch to boot transparently from<br />
the alternate root partition, we recommend that you use the request system snapshot<br />
command to copy the contents of the primary root partition to the alternate root<br />
partition after all Junos OS upgrades to releases that include dual-root partitions.<br />
NOTE: If you upgrade the loader software in a separate step after you upgrade<br />
Junos OS, users might see the following message when they log in to the<br />
switch: At least one package installed on this device has limited support<br />
This message can be safely ignored.<br />
You can permanently remove this message by deleting the loader software<br />
package and rebooting the system. For example, on an EX4200 switch:<br />
user@switch> request system software delete jloader-ex-3242<br />
Unmounted /packages/mnt/jloader-ex-3242-11.3 ...<br />
user@switch> request system reboot<br />
Reboot the system ? [yes,no] (no) yes<br />
The following sections include more detailed instructions for performing a software<br />
upgrade from Junos OS <strong>Release</strong> 10.4R2 or earlier:<br />
• Determining Whether the Loader Software Needs Upgrading on EX8200 Switches<br />
and EX8200 Virtual Chassis on page 54<br />
• Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200,<br />
and Standalone EX4500 Switches on page 56<br />
• Upgrading the Loader Software and Junos OS on EX4200 Virtual Chassis on page 57<br />
• Upgrading the Loader Software on EX4500 Virtual Chassis and Mixed EX4200 and<br />
EX4500 Virtual Chassis on page 59<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
53
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Upgrading Junos OS and the Loader Software on Standalone EX8200<br />
Switches on page 60<br />
• Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis on page 63<br />
• Upgrading the Loader Software on the Line Cards in a Standalone EX8200 Switch or<br />
an EX8200 Virtual Chassis on page 67<br />
Determining Whether the Loader Software Needs Upgrading on EX8200 Switches and<br />
EX8200 Virtual Chassis<br />
Before you begin the software upgrade on an EX8200 switch or an EX8200 Virtual<br />
Chassis, determine whether the loader software on the Routing Engines and on the line<br />
cards needs upgrading.<br />
It is possible that a switch running a Junos OS release earlier than Junos OS <strong>Release</strong> 10.4R3<br />
has a version of the loader software installed on the Routing Engines that supports<br />
resilient dual-root partitions. For example, the switch might have been shipped from the<br />
factory with a Junos OS release earlier than Junos OS <strong>Release</strong> 10.4R3 but with a version<br />
of the loader software for the Routing Engines that supports resilient dual-root partitions.<br />
Or the switch might have been downgraded from a Junos OS release that supports<br />
resilient dual-root partitions but still retains a version of the loader software on the Routing<br />
Engines that supports resilient dual-root partitions.<br />
The line card loader software is factory installed and varies between line cards.<br />
NOTE: This procedure is available only on EX8200 switches. On all other<br />
switches, you must upgrade your Routing Engine loader software.<br />
NOTE: If you are upgrading the software multiple times, for example, from<br />
is Junos OS <strong>Release</strong> 10.3R2 to Junos OS <strong>Release</strong> 11.1R3 to Junos OS<br />
<strong>Release</strong> 11.4R1, we recommend that you complete the Junos OS software<br />
upgrade to Junos OS <strong>Release</strong> 11.4 and then upgrade the loader software. This<br />
reduces system downtime.<br />
54<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
To determine whether the loader software needs upgrading:<br />
1. Determine the version of the loader software for the Routing Engines and the line<br />
cards:<br />
user@switch> show chassis firmware<br />
Part Type Version<br />
FPC 6 U-Boot U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.2<br />
FPC 7 U-Boot U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.2<br />
Routing Engine 0 U-Boot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
Routing Engine 1 U-Boot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
NOTE: On an EX8200 Virtual Chassis, you cannot execute the show chassis<br />
firmware command on the master external Routing Engine. You must<br />
execute this command on each member switch:<br />
1. From the master external Routing Engine, start a shell session on the<br />
member switch. For example:<br />
user@external-routing-engine> request session member 0<br />
2. Enter the CLI and execute the show chassis firmware command.<br />
3. Repeat these steps for the other member switch.<br />
The loader software version appears after the timestamp for U-Boot 1.1.6. In the<br />
preceding example, the version is 3.5.0. (Ignore the U-Boot version number [1.1.6]; it<br />
has nothing to do with the loader software version that you need to determine.)<br />
2. If the loader software version is 3.5.0 or later for Routing Engine 0 or Routing Engine 1,<br />
your loader software does not need upgrading to support resilient dual-root<br />
partitioning. To upgrade to Junos OS <strong>Release</strong> 11.4, install Junos OS, by following the<br />
standard installation procedures; see “Upgrading from Junos OS <strong>Release</strong> 10.4R3 or<br />
Later” on page 50.<br />
3. If the loader software version is earlier than 3.5.0 for Routing Engine 0 or Routing<br />
Engine 1, you must upgrade the loader software. Follow the instructions in “Upgrading<br />
Junos OS and the Loader Software on Standalone EX8200 Switches” on page 60 or<br />
“Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis” on page 63.<br />
4. If the loader software version is earlier than 3.5.0 for any FPC, consider upgrading the<br />
loader software for that line card.<br />
Upgrading the loader software version for a line card is not a requirement to complete<br />
any software upgrade. In rare cases, a line card might go offline immediately after a<br />
software upgrade because the loader software version on the line card requires an<br />
upgrade to become compatible with the upgraded Junos OS.<br />
Upgrading the loader software version to version 3.5.0 on the line cards as a best<br />
practice helps you avoid this problem and other less severe issues.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
55
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Follow the instructions in “Upgrading the Loader Software on the Line Cards in a<br />
Standalone EX8200 Switch or an EX8200 Virtual Chassis” on page 67 to complete<br />
the line card loader software upgrade procedure.<br />
Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200,<br />
and Standalone EX4500 Switches<br />
To upgrade the loader software and Junos OS on EX2200, EX3200, standalone EX4200,<br />
and standalone EX4500 switches:<br />
1. Download the loader software package and the Junos OS package from the <strong>Juniper</strong><br />
<strong>Networks</strong> website as described in Downloading Software Packages from <strong>Juniper</strong><br />
<strong>Networks</strong>. Place the software packages on an internal software distribution site or in<br />
a local directory on the switch. We recommend using /var/tmp as the local directory<br />
on the switch.<br />
NOTE: To obtain the loader software package, see the Download Software<br />
page at http://www.juniper.net/support/downloads/junos.html . Click the<br />
version, then the Software tab, and then the name of the software install<br />
package. In the pop-up Alert box, click the link to the PSN document.<br />
2. Install the loader package:<br />
user@switch> request system software add package<br />
Replace package with one of the following paths:<br />
• For a software package in the /var/tmp directory on the<br />
switch—/var/tmp/package.tgz<br />
• For a software package on a remote server:<br />
• ftp://hostname/pathname/package.tgz<br />
• http://hostname/pathname/package.tgz<br />
where package.tgz is, for example, jloader-ex-3242-11.3build-signed.tgz.<br />
3. Install the Junos OS package, following the same procedure you used to install the<br />
loader software package.<br />
4. Reboot the switch:<br />
user@switch> request system reboot<br />
Reboot the system ? [yes,no] (no) yes<br />
If you are monitoring the reboot from the console, you see messages similar to the<br />
following during the partition reformat:<br />
Disk needs to be formatted in order to proceed<br />
Saving the configuration in memory before formatting the disk<br />
FILE SYSTEM CLEAN; SKIPPING CHECKS<br />
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)<br />
32+0 records in<br />
32+0 records out<br />
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)<br />
******* Working on device /dev/da0 *******<br />
56<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
.<br />
.<br />
.<br />
Restoring configuration<br />
5. Verify that the loader software has been upgraded:<br />
user@switch> show chassis firmware<br />
Part Type Version<br />
FPC 0 uboot U-Boot 1.1.6 (Mar 28 2011 - 04:09:20) 1.0.0<br />
2.4<br />
loader<br />
FreeBSD/PowerPC U-Boot bootstrap loader<br />
The U-Boot version that follows the date information must be 1.0.0 or later.<br />
6. Verify that Junos OS has been upgraded:<br />
user@switch> show version<br />
Upgrading the Loader Software and Junos OS on EX4200 Virtual Chassis<br />
You perform the upgrade of the loader software and Junos OS on an EX4200 Virtual<br />
Chassis from the Virtual Chassis master switch. The master switch pushes the installation<br />
packages to all Virtual Chassis members.<br />
NOTE: A Virtual Chassis is required to have the same version of Junos OS<br />
installed on all members in the Virtual Chassis. We do not recommend that<br />
you install different versions of Junos OS on individual members of a Virtual<br />
Chassis or that you upgrade members individually. Upgrading individual<br />
members of a Virtual Chassis is not recommended, and could cause Virtual<br />
Chassis instability if multiple Junos OS versions are running on individual<br />
members in a Virtual Chassis. See Understanding Automatic Software Update<br />
on EX4200 and EX4500 Virtual Chassis Member Switches and Replacing a<br />
Member Switch of an EX4200 or EX4500 Virtual Chassis Configuration (CLI<br />
Procedure).<br />
To upgrade the loader software and Junos OS:<br />
1. Download the loader software package and the Junos OS package from the <strong>Juniper</strong><br />
<strong>Networks</strong> website as described in Downloading Software Packages from <strong>Juniper</strong><br />
<strong>Networks</strong>. Place the software packages on an internal software distribution site or in<br />
a local directory on the master switch. We recommend using /var/tmp as the local<br />
directory on the master switch.<br />
NOTE: To obtain the loader software package, see the Download Software<br />
page at http://www.juniper.net/support/downloads/junos.html . Click the<br />
version, then the Software tab, and then the name of the software install<br />
package. In the pop-up Alert box, click the link to the PSN document.<br />
2. Log in to the master switch of the Virtual Chassis.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
57
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
3. Install the loader software package:<br />
• To install the package on all members of the Virtual Chassis:<br />
user@switch> request system software add package<br />
• To install the package on a single member of the Virtual Chassis:<br />
user@switch> request system software add package member member-id<br />
Replace package with one of the following paths:<br />
• For a software package in the /var/tmp directory on the<br />
switch—/var/tmp/package.tgz<br />
• For a software package on a remote server:<br />
• ftp://hostname/pathname/package.tgz<br />
• http://hostname/pathname/package.tgz<br />
where package.tgz is, for example, jloader-ex-3242-11.3build-signed.tgz.<br />
4. Install the Junos OS package, following the same procedure you used to install the<br />
loader software package.<br />
5. Reboot the Virtual Chassis (to reboot a single member, use the member option):<br />
user@switch> request system reboot<br />
Reboot the system ? [yes,no] (no) yes<br />
If you are monitoring the reboot from the console, you see messages similar to the<br />
following during the disk reformat:<br />
Disk needs to be formatted in order to proceed<br />
Saving the configuration in memory before formatting the disk<br />
FILE SYSTEM CLEAN; SKIPPING CHECKS<br />
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)<br />
32+0 records in<br />
32+0 records out<br />
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)<br />
******* Working on device /dev/da0 *******<br />
.<br />
.<br />
.<br />
Restoring configuration<br />
6. Verify that the new version of the loader software is on all members of the Virtual<br />
Chassis:<br />
user@switch> show chassis firmware<br />
fpc0:<br />
--------------------------------------------------------------------------<br />
Part Type Version<br />
FPC 0 uboot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
FPC 1 uboot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
The U-Boot version that follows the date information must be 1.0.0 or later.<br />
7. Verify that the new Junos OS release is on all members of the Virtual Chassis:<br />
user@switch> show version<br />
58<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Upgrading the Loader Software on EX4500 Virtual Chassis and Mixed EX4200 and<br />
EX4500 Virtual Chassis<br />
To create an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis,<br />
you must upgrade Junos OS on the member switches to Junos OS <strong>Release</strong> 11.1 or later<br />
before you form the Virtual Chassis. For instructions on how to upgrade Junos OS and<br />
the loader software on the member switches before they are part of the Virtual Chassis,<br />
see “Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone<br />
EX4200, and Standalone EX4500 Switches” on page 56.<br />
If you did not upgrade the loader software on one or more of the member switches before<br />
you formed the Virtual Chassis, you can use the following procedure to upgrade the loader<br />
software on member switches after the Virtual Chassis is formed.<br />
To upgrade the loader software:<br />
1. Download the loader software package from the <strong>Juniper</strong> <strong>Networks</strong> website as<br />
described in Downloading Software Packages from <strong>Juniper</strong> <strong>Networks</strong>. Place the software<br />
packages on an internal software distribution site or in a local directory on the master<br />
switch. We recommend using /var/tmp as the local directory on the master switch.<br />
NOTE: To obtain the loader software package, see the Download Software<br />
page at http://www.juniper.net/support/downloads/junos.html . Click the<br />
version, then the Software tab, and then the name of the software install<br />
package. In the pop-up Alert box, click the link to the PSN document.<br />
For a mixed EX4200 and EX4500 Virtual Chassis, you must download the loader<br />
packages for both switches.<br />
2. Log in to the master of the Virtual Chassis.<br />
3. Install the loader software package:<br />
• To install the package on all members of an EX4500 Virtual Chassis:<br />
user@switch> request system software add package<br />
• To install the package on all members of a mixed EX4200 and EX4500 Virtual<br />
Chassis:<br />
user@switch> request system software add set [ex4200-package ex4500-package]<br />
• To install the package on a single member of the Virtual Chassis:<br />
user@switch> request system software add package member member-id<br />
4. Reboot the Virtual Chassis (to reboot a single member, use the member option):<br />
user@switch> request system reboot<br />
Reboot the system ? [yes,no] (no) yes<br />
5. Verify that the correct version of the loader software is on all members of the Virtual<br />
Chassis:<br />
user@switch> show chassis firmware<br />
fpc0:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
59
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
--------------------------------------------------------------------------<br />
Part Type Version<br />
FPC 0 uboot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
FPC 1 uboot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
The U-Boot version that follows the date information must be 1.0.0 or later.<br />
Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches<br />
On EX8200 switches, you must upgrade Junos OS before you can upgrade the loader<br />
software.<br />
The loader software for an EX8200 Routing Engine resides in two flash memory banks.<br />
One bank acts as the primary bank, and the Routing Engine boots from it. The other bank<br />
is the backup bank—if the Routing Engine cannot boot from the primary bank, it boots<br />
from the backup bank. When you upgrade the loader software, the upgraded software<br />
is installed in the backup bank, which then becomes the new primary bank. Thus the<br />
primary and backup banks alternate each time you upgrade the loader software, with<br />
the primary bank containing the most recently installed version of the software and the<br />
backup bank containing the previous version.<br />
To upgrade the loader software on an EX8200 Routing Engine, you must perform the<br />
upgrade twice: once for each bank. Each upgrade requires a reboot of the Routing Engine.<br />
NOTE: If you do not upgrade the loader software in both banks and the<br />
Routing Engine boots from the previous version of the loader software in the<br />
backup bank, the Routing Engine cannot boot transparently from the alternate<br />
root partition if it attempts to do so, because it cannot boot from the primary<br />
root partition.<br />
For an EX8200 switch with redundant Routing Engines, you must upgrade the loader<br />
software on both Routing Engines.<br />
60<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
To upgrade the Junos OS and loader software on an EX8200 switch:<br />
1. Download and install the Junos OS package on each Routing Engine as described in<br />
Installing Software on an EX Series Switch with Redundant Routing Engines (CLI<br />
Procedure) or Installing Software on an EX Series Switch with a Single Routing Engine<br />
(CLI Procedure).<br />
NOTE: If you are also upgrading the loader software on one or more line<br />
cards, we recommend that you perform the loader software upgrade at<br />
this point of the procedure. See “Upgrading the Loader Software on the<br />
Line Cards in a Standalone EX8200 Switch or an EX8200 Virtual Chassis”<br />
on page 67.<br />
2. Download the loader software package from the <strong>Juniper</strong> <strong>Networks</strong> website and place<br />
the software package on an internal software distribution site or in a local directory<br />
on the switch. We recommend using /var/tmp as the local directory on the switch.<br />
NOTE: To obtain the loader software package, see the Download Software<br />
page at http://www.juniper.net/support/downloads/junos.html . Click the<br />
version, then the Software tab, and then the name of the software install<br />
package. In the pop-up Alert box, click the link to the PSN document.<br />
3. Log in to the switch and enter the shell. We recommend using a console connection.<br />
4. (For a switch with a single Routing Engine, skip this step.) Enter the CLI, and determine<br />
which is the master and which is the backup Routing Engine:<br />
user@switch> show chassis routing-engine<br />
NOTE: If you do not have GRES enabled, you cannot use this command<br />
to determine which is the master and which is the backup Routing Engine.<br />
You can instead enter the shell and use this command to determine<br />
mastership:<br />
% sysctl hw.re.mastership<br />
A return of the value 1 means the Routing Engine on which you are logged<br />
in is the master. A return of the value 0 means the Routing Engine on which<br />
you are logged in is the backup.<br />
5. Enter the configuration mode and disable graceful Routing Engine switchover (GRES)<br />
and nonstop active routing (NSR):<br />
user@switch# deactivate chassis redundancy graceful-switchover<br />
user@switch# deactivate routing-options nonstop-routing<br />
6. Log in to the backup Routing Engine:<br />
user@switch> request routing-engine login other-routing-engine<br />
7. Install the loader package:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
61
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
user@switch> request system software add package<br />
Replace package with one of the following paths:<br />
• For a software package in the /var/tmp directory on the<br />
switch—/var/tmp/package.tgz<br />
• For a software package on a remote server:<br />
• ftp://hostname/pathname/package.tgz<br />
• http://hostname/pathname/package.tgz<br />
where package.tgz is, for example, jloader-ex-8200-11.3build-signed.tgz.<br />
8. Determine the primary bank and the version of the loader software in the bank:<br />
% kenv | grep boot.primary.bank<br />
boot.primary.bank="0"<br />
% kenv | grep boot.ver<br />
boot.ver="2.4.0"<br />
9. Upgrade the firmware:<br />
user@switch> request system firmware upgrade scb<br />
Firmware upgrade initiated....<br />
Please wait for ~2mins for upgrade to complete....<br />
10. After waiting for a couple of minutes, reboot the Routing Engine:<br />
user@switch> request system reboot<br />
Reboot the system ? [yes,no] (no) yes<br />
11. Enter the shell and verify that the previous backup bank is now the primary bank and<br />
that it contains the upgraded loader software:<br />
% kenv | grep boot.primary.bank<br />
boot.primary.bank="1"<br />
% kenv | grep boot.ver<br />
boot.ver="3.5.0"<br />
12. To install the loader software in the current backup bank, repeat Step 7 through Step 11.<br />
NOTE: If you installed the loader software package from the /var/tmp<br />
directory, you might need to copy the loader software package to the<br />
/var/tmp directory again before you can repeat Step 7 through Step 11,<br />
because it is sometimes removed after each installation.<br />
13. (Optional) The following message might be displayed when a user logs in to the<br />
system:<br />
--- JUNOS 11.4R1.9 built 2011-03-19 22:06:32 UTC<br />
At least one package installed on this device has limited support.<br />
Run 'file show /etc/notices/unsupported.txt' for details..<br />
This message can be safely ignored. It appears as a result of upgrading the loader<br />
software after you upgrade Junos OS.<br />
You can permanently remove this message by removing the loader software package<br />
and rebooting the system:<br />
62<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
user@switch> request system software delete jloader-ex-8200<br />
Unmounted /packages/mnt/jloader-ex-8200-11.3 ...<br />
user@switch> request system reboot<br />
Reboot the system ? [yes,no] (no) yes<br />
14. From configuration mode, reenable graceful Routing Engine switchover (GRES) and<br />
nonstop active routing (NSR):<br />
user@switch# activate chassis redundancy graceful-switchover<br />
user@switch# activate routing-options nonstop-routing<br />
15. After completing the upgrade of the loader software on the backup Routing Engine,<br />
perform a master switchover so the backup Routing Engine becomes the master:<br />
user@switch> request chassis routing-engine master switch<br />
Toggle mastership between routing engines ? [yes,no] (no) yes<br />
Resolving mastership...<br />
Complete. The other local routing engine becomes the master.<br />
{backup}<br />
user@switch><br />
16. Follow the same procedure for upgrading the loader software that you used for the<br />
original backup Routing Engine (Step 3 through Step 14).<br />
Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis<br />
On EX8200 Virtual Chassis, you must upgrade Junos OS before you can upgrade the<br />
loader software. If you are upgrading the loader software for the Routing Engines and<br />
for one or more line cards, we recommend that you upgrade the loader software on the<br />
line cards before upgrading the loader software on the Routing Engines.<br />
NOTE: A Virtual Chassis must have the same version of Junos OS installed<br />
on all members of the Virtual Chassis. We do not recommend installing<br />
different versions of Junos OS on individual members of a Virtual Chassis or<br />
upgrading members individually, because the multiple Junos OS versions<br />
could cause instability.<br />
As described in “Upgrading Junos OS and the Loader Software on Standalone EX8200<br />
Switches” on page 60, the loader software for a Routing Engine resides in two flash<br />
memory banks, and both banks must be upgraded with the new loader software.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
63
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
To upgrade Junos OS and the loader software:<br />
1. Download the loader software package and the Junos OS package from the <strong>Juniper</strong><br />
<strong>Networks</strong> website as described in Downloading Software Packages from <strong>Juniper</strong><br />
<strong>Networks</strong>. Place the software packages on an internal software distribution site or in<br />
a local directory on the master external Routing Engine. We recommend using /var/tmp<br />
as the local directory.<br />
NOTE: To obtain the loader software package, see the Download Software<br />
page at http://www.juniper.net/support/downloads/junos.html . Click the<br />
version, then the Software tab, and then the name of the software install<br />
package. In the pop-up Alert box, click the link to the PSN document.<br />
2. Log in to the master external Routing Engine.<br />
3. Install the Junos OS package:<br />
user@external-routing-engine> request system software add package<br />
Replace package with one of the following paths:<br />
• For a software package in the /var/tmp directory on the<br />
switch—/var/tmp/package.tgz<br />
• For a software package on a remote server:<br />
• ftp://hostname/pathname/package.tgz<br />
• http://hostname/pathname/package.tgz<br />
where package.tgz is, for example, jinstall-ex-xre200-11.3R1.8-domestic-signed.tgz.<br />
4. Reboot the Virtual Chassis:<br />
user@external-routing-engine> request system reboot<br />
Reboot the system ? [yes,no] (no) yes<br />
5. After the reboot finishes, verify that Junos OS has been upgraded on all members:<br />
user@external-routing-engine> show version<br />
NOTE: If you are also upgrading the loader software on one or more line<br />
cards, we recommend that you perform the loader software upgrade at<br />
this point of the procedure. See “Upgrading the Loader Software on the<br />
Line Cards in a Standalone EX8200 Switch or an EX8200 Virtual Chassis”<br />
on page 67.<br />
6. Disable graceful Routing Engine switchover (GRES) and nonstop active routing (NSR):<br />
user@switch> deactivate chassis redundancy graceful-switchover<br />
user@switch> deactivate routing-options nonstop-routing<br />
7. Install the loader package:<br />
user@external-routing-engine> request system software add package<br />
64<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Replace package with the path to the loader package.<br />
The package is pushed to each member switch from the master external Routing<br />
Engine.<br />
8. Upgrade the loader software in the current backup banks on both Routing Engines on<br />
a member switch (member 0 is used in the command examples):<br />
a. Enter the CLI and log in to the member switch:<br />
user@external-routing-engine> request session member 0<br />
b. Upgrade the firmware in the backup bank on the master Routing Engine:<br />
user@switch> request system firmware upgrade scb<br />
Firmware upgrade initiated....<br />
Please wait for ~2mins for upgrade to complete....<br />
c. Wait a couple of minutes and then reboot the Routing Engine:<br />
user@switch> request system reboot<br />
Reboot the system ? [yes,no] (no) yes<br />
d. Upgrade the firmware in the current backup bank of the backup Routing Engine<br />
(now the master) by repeating Step a through Step c.<br />
Because the loader software has been upgraded in the backup banks, they now<br />
become the primary banks.<br />
9. After the reboots of the Routing Engines finish, log in to the member switch again and<br />
verify that the loader software has been upgraded in the primary banks:<br />
user@external-routing-engine> request session member 0<br />
user@switch> show chassis firmware<br />
Part Type Version<br />
FPC 1 U-Boot U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.2<br />
FPC 5 U-Boot U-Boot 1.1.6 (Nov 5 2008 - 09:16:00)<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader<br />
Routing Engine 0 U-Boot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
Routing Engine 1 U-Boot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
The U-Boot version that appears after the build date and time must be 3.5.0 or later.<br />
10. Upgrade the loader software in the new backup banks on both Routing Engines on<br />
the member switch:<br />
a. Upgrade the firmware in the backup bank on the master Routing Engine:<br />
user@switch> request system firmware upgrade scb<br />
Firmware upgrade initiated....<br />
Please wait for ~2mins for upgrade to complete....<br />
b. Perform a master switchover to make the backup Routing Engine the master<br />
Routing Engine:<br />
user@switch> request chassis routing-engine master switch<br />
Toggle mastership between routing engines ? [yes,no] (no) yes<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
65
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
You are returned to the master external Routing Engine after the master switchover.<br />
c. Log back in to the member switch:<br />
user@external-routing-engine> request session member 0<br />
d. Upgrade the firmware in the backup bank on the new master Routing Engine:<br />
user@switch> request system firmware upgrade scb<br />
Firmware upgrade initiated....<br />
Please wait for ~2mins for upgrade to complete....<br />
e. Verify that the loader software has been upgraded in the new primary banks on<br />
both Routing Engines:<br />
user@switch> show chassis firmware<br />
Part Type Version<br />
FPC 1 U-Boot U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.2<br />
FPC 5 U-Boot U-Boot 1.1.6 (Nov 5 2008 - 09:16:00)<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader<br />
Routing Engine 0 U-Boot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
Routing Engine 1 U-Boot U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0<br />
loader FreeBSD/PowerPC U-Boot bootstrap loader 2.4<br />
f. Exit to the master external Routing Engine.<br />
11. Reenable graceful Routing Engine switchover (GRES) and nonstop active routing<br />
(NSR):<br />
user@switch> activate chassis redundancy graceful-switchover<br />
user@switch> activate routing-options nonstop-routing<br />
12. Upgrade the loader software on the other member switch in the Virtual Chassis by<br />
repeating Step 7 through Step 9.<br />
66<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Upgrading the Loader Software on the Line Cards in a Standalone EX8200 Switch or an<br />
EX8200 Virtual Chassis<br />
The loader software on any line card in an EX8200 switch is updated using the same<br />
loader software package that upgrades the EX8200 Routing Engine loader software.<br />
The line card software loader contains two banks, each with a single loader software<br />
version. This procedure is used to upgrade the loader software for both banks of a line<br />
card in a standalone EX8200 switch or an EX8200 Virtual Chassis.<br />
NOTE: If you are upgrading Junos OS, the Routing Engine loader software,<br />
and the line card loader software, we recommend that you upgrade in this<br />
order: Junos OS software, line card loader software, Routing Engine loader<br />
software.<br />
NOTE: If you have already downloaded and installed the loader software<br />
package, proceed to Step 3.<br />
1. Download the loader software package from the <strong>Juniper</strong> <strong>Networks</strong> website and place<br />
the software package on an internal software distribution site or in a local directory<br />
on the switch. We recommend using /var/tmp as the local directory on the switch.<br />
NOTE: To obtain the loader software package, see the Download Software<br />
page at http://www.juniper.net/support/downloads/junos.html . Click the<br />
version, then the Software tab, and then the name of the software install<br />
package. In the pop-up Alert box, click the link to the PSN document.<br />
2. Disable graceful Routing Engine switchover (GRES) and nonstop active routing (NSR),<br />
if enabled. Commit the configuration:<br />
user@switch# deactivate chassis redundancy graceful-switchover<br />
user@switch# deactivate routing-options nonstop-routing<br />
user@switch# commit synchronize<br />
3. Install the loader package:<br />
user@switch> request system software add package<br />
Replace package with one of the following paths:<br />
• For a software package in the /var/tmp directory on the switch or external Routing<br />
Engine—/var/tmp/package.tgz<br />
• For a software package on a remote server:<br />
• ftp://hostname/pathname/package.tgz<br />
• http://hostname/pathname/package.tgz<br />
where package.tgz is, for example, jloader-ex-8200-11.3build-signed.tgz.<br />
4. Upgrade the loader software.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
67
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• To upgrade the loader software for a line card on a standalone EX8200 switch:<br />
user@switch> request system firmware upgrade fpc slot slot-number<br />
Firmware upgrade initiated....<br />
Please wait for ~2mins for upgrade to complete....<br />
• To upgrade the loader software for a line card on an EX8200 member switch in an<br />
EX8200 Virtual Chassis:<br />
user@switch> request system firmware upgrade fpc slot slot-number member member-id<br />
Firmware upgrade initiated....<br />
Please wait for ~2mins for upgrade to complete....<br />
5. Confirm the loader software upgrade:<br />
user@switch> show system firmware<br />
Part Type Tag Current Available Status<br />
version version<br />
FPC 6 U-Boot 0 2.3.0 UPGRADED SUCCESSFULLY<br />
FPC 7 U-Boot 0 2.3.0 OK<br />
Routing Engine 0 RE BIOS 0 3.1.1 OK<br />
Routing Engine 1 0 3.1.1 OK<br />
The status is UPGRADED SUCCESSFULLY if the boot loader version update process<br />
is complete.<br />
The status is PROGRAMMING if the boot loader version update process is still in<br />
progress.<br />
Do not proceed to the next step until the show system firmware command output<br />
confirms that the loader software upgrade is complete.<br />
6. Restart the line card.<br />
• To restart a line card on a standalone EX8200 switch:<br />
user@switch> request chassis fpc restart slot slot-number<br />
• To restart a line card on an EX8200 member switch in an EX8200 Virtual Chassis:<br />
user@switch> request chassis fpc restart slot slot-number member member-id<br />
NOTE: You can monitor the status of the line card restart by using the<br />
show chassis fpc command.<br />
7. After the line card restart finishes, confirm the loader software version update:<br />
user@switch> show chassis firmware<br />
Part Type Tag Current Available Status<br />
version version<br />
FPC 6 U-Boot 0 3.5.0 OK<br />
FPC 7 U-Boot 0 2.3.0 OK<br />
Routing Engine 0 RE BIOS 0 3.1.1 OK<br />
Routing Engine 1 0 3.1.1 OK<br />
The current version has been updated to 3.5.0. You have upgraded the loader software<br />
for one bank of the line card.<br />
8. Repeat Step 4 through Step 7 to upgrade the loader software on the other bank of<br />
the line card.<br />
68<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
NOTE: A bank switchover occurs automatically as part of the line card<br />
restart. Repeating Step 3 through Step 6 updates the loader software on<br />
the other bank.<br />
9. Repeat Step 4 through Step 8 for all other line cards that require a line card loader<br />
version upgrade.<br />
Downgrading to Junos OS <strong>Release</strong> 10.4R2 or Earlier<br />
When you downgrade to Junos OS <strong>Release</strong> 10.4R2 or earlier, which are releases that do<br />
not support resilient dual-root partitions, the downgrade process automatically:<br />
• Reformats the disk from four partitions to three partitions during the reboot of the<br />
switch that completes the Junos OS downgrade. The reformat causes a one-time<br />
increase in reboot time of 10 to 25 additional minutes per Routing Engine for EX8200<br />
switches and 5 to 10 additional minutes for other switches.<br />
• Disables the boot-sequencing function of the loader software. With the boot-sequencing<br />
function disabled, the loader software behaves as it did before resilient dual-root<br />
partitions were introduced. The loader software itself is not downgraded—there is no<br />
need to downgrade it.<br />
To downgrade to Junos OS <strong>Release</strong> 10.4R2 or earlier:<br />
1. Use the request system snapshot command to save your data files to external media<br />
before you perform the downgrade.<br />
NOTE: Files in the /config directory are saved and restored during the<br />
downgrade process. However, files in the /var directory, such as log files<br />
and user /home directories, are not saved. In addition, a power failure<br />
during the reboot could cause the configuration files to be lost.<br />
2. Install Junos OS.<br />
Downgrading to an Earlier Junos OS <strong>Release</strong><br />
CAUTION: Before you begin the software downgrade on your EX Series switch,<br />
you must verify the minimum Junos OS release supported on the switch and<br />
the components installed in the switch. Do not downgrade the software on<br />
a switch to a release prior to the first Junos OS release that supports the<br />
switch or a given component.<br />
To verify the first Junos OS release supported on your switch, see:<br />
• EX2200 Switch Models<br />
• EX3200 Switch Models<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
69
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• EX3300 Switch Models<br />
• EX4200 Switch Models<br />
• EX4500 Switch Models<br />
• Line Card Model and Version Compatibility in an EX8200 Switch<br />
Upgrading EX Series Switches Using NSSU<br />
You can use nonstop software upgrade (NSSU) to upgrade Junos OS releases on EX8200<br />
standalone switches and EX8200 Virtual Chassis. For instructions on how to perform an<br />
upgrade using NSSU, see Upgrading Software on an EX8200 Standalone Switch Using<br />
Nonstop Software Upgrade (CLI Procedure) or Upgrading Software on an EX8200 Virtual<br />
Chassis Using Nonstop Software Upgrade (CLI Procedure).<br />
Table 2 on page 70 details NSSU support per Junos OS release and provides pointers to<br />
any known issues for particular upgrade scenarios.<br />
Table 2: Using NSSU to Upgrade Junos OS on EX8200 Switches and EX8200 Virtual Chassis<br />
Switch<br />
Platform<br />
Upgrade<br />
from<br />
Junos<br />
OS<br />
<strong>Release</strong><br />
x.x<br />
Upgrade<br />
to Junos<br />
OS<br />
<strong>Release</strong><br />
10.4R4 or<br />
Later<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.1R4<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.1R5<br />
or Later<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.2R1<br />
or Later<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.3R1<br />
or Later<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.4R1<br />
or Later<br />
EX8200<br />
standalone<br />
switch<br />
10.4 or<br />
later<br />
Not<br />
supported<br />
Not supported<br />
Not supported<br />
Not supported<br />
Not supported<br />
Not supported<br />
11.1R1 or<br />
later<br />
–<br />
Supported<br />
Supported<br />
Supported<br />
Supported<br />
Supported<br />
11.2R1 or<br />
later<br />
–<br />
–<br />
–<br />
Supported<br />
Supported<br />
Supported<br />
11.3R1 or<br />
later<br />
–<br />
–<br />
–<br />
–<br />
Supported<br />
Supported<br />
11.4R1<br />
–<br />
–<br />
–<br />
–<br />
–<br />
Supported<br />
70<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
Table 2: Using NSSU to Upgrade Junos OS on EX8200 Switches and EX8200 Virtual<br />
Chassis (continued)<br />
Switch<br />
Platform<br />
Upgrade<br />
from<br />
Junos<br />
OS<br />
<strong>Release</strong><br />
x.x<br />
Upgrade<br />
to Junos<br />
OS<br />
<strong>Release</strong><br />
10.4R4 or<br />
Later<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.1R4<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.1R5<br />
or Later<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.2R1<br />
or Later<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.3R1<br />
or Later<br />
Upgrade to<br />
Junos OS<br />
<strong>Release</strong> 11.4R1<br />
or Later<br />
EX8200<br />
Virtual<br />
Chassis<br />
10.4R1 or<br />
later<br />
Not<br />
supported<br />
Not supported<br />
Not supported<br />
Not supported<br />
Not supported<br />
Not supported<br />
11.1R1,<br />
11.1R2, or<br />
11.1R3<br />
–<br />
Not<br />
recommended<br />
Not<br />
recommended<br />
Not<br />
recommended<br />
Not<br />
recommended<br />
Not<br />
recommended<br />
11.1R4<br />
–<br />
Not<br />
recommended<br />
Supported<br />
Supported<br />
Supported<br />
Supported<br />
11.1R5 or<br />
later<br />
–<br />
–<br />
Supported<br />
Supported<br />
Supported<br />
Supported<br />
11.2R1 or<br />
later<br />
–<br />
–<br />
–<br />
Supported<br />
Supported<br />
Supported<br />
11.3R1 or<br />
later<br />
–<br />
–<br />
–<br />
–<br />
Supported<br />
Supported<br />
11.4R1 or<br />
later<br />
–<br />
–<br />
–<br />
–<br />
–<br />
Supported<br />
On an EX8200 Virtual Chassis, an NSSU operation can be performed only if you have<br />
configured the XRE200 External Routing Engine member ID to be 8 or 9.<br />
NOTE: If you are using NSSU to upgrade the software on an EX8200 switch<br />
from Junos OS <strong>Release</strong> 11.1 and sFlow technology is enabled, disable sFlow<br />
technology before you perform the upgrade using NSSU. After the upgrade<br />
is complete, you can reenable sFlow technology. If you do not disable sFlow<br />
technology before you perform the upgrade with NSSU, sFlow technology<br />
does not work properly. This issue does not affect upgrades from Junos OS<br />
<strong>Release</strong> 11.2 or later.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
71
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
NOTE: If you are using NSSU to upgrade the software on an EX8200 switch<br />
from Junos OS <strong>Release</strong> 11.1 and NetBIOS snooping is enabled, disable NetBIOS<br />
snooping before you perform the upgrade using NSSU. After the upgrade is<br />
complete, you can reenable NetBIOS snooping. If you do not disable NetBIOS<br />
snooping before you perform the upgrade with NSSU, NetBIOS snooping<br />
does not work properly. This issue does not affect upgrades from Junos OS<br />
<strong>Release</strong> 11.2 or later.<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 8<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for EX Series Switches<br />
on page 11<br />
• Limitations in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 12<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 18<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for EX Series Switches on page 23<br />
• Changes to and Errata in Documentation for Junos OS <strong>Release</strong> 11.4 for EX Series<br />
Switches on page 48<br />
72<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Junos OS <strong>Release</strong> <strong>Notes</strong> for M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers<br />
Junos OS <strong>Release</strong> <strong>Notes</strong> for M Series Multiservice Edge Routers, MX Series 3D Universal<br />
Edge Routers, and T Series Core Routers<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series<br />
Routers on page 73<br />
• Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong><br />
11.4 for M Series, MX Series, and T Series Routers on page 153<br />
• Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers on page 172<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 293<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 321<br />
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
The following features have been added to Junos OS <strong>Release</strong> 11.4. Following the<br />
description is the title of the manual or manuals to consult for further information.<br />
• Class of Service on page 74<br />
• High Availability on page 78<br />
• Interfaces and Chassis on page 80<br />
• Junos OS XML API and Scripting on page 101<br />
• Layer 2 Ethernet Services on page 103<br />
• MPLS Applications on page 104<br />
• Multicast on page 107<br />
• Network Management on page 108<br />
• Routing Protocols on page 113<br />
• Services Applications on page 114<br />
• Subscriber Access Management on page 117<br />
• System Logging on page 145<br />
• User Interface and Configuration on page 151<br />
• VPNs on page 152<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
73
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Class of Service<br />
• Support for DSCP classification on customer edge links for CCC, TCC, and VPLS<br />
(MX Series routers with MPC/MIC interfaces)—Extends support for DSCP-based<br />
behavior aggregate (BA) classification for circuit cross-connect (CCC), translational<br />
cross-connect (TCC), and virtual private LAN service (VPLS) on MX Series routers with<br />
MPC/MIC interfaces.<br />
DSCP-based services provide support for a uniform end-to-end quality-of-service<br />
(QoS) model. By using the DSCP classifier, you can apply the QoS configuration for<br />
the CCC, TCC, and VPLS families at the IP level. Therefore, you do not have to depend<br />
on the underlying Layer 2 QoS support.<br />
[Class of Service]<br />
• Support for Layer 2 features on Channelized SONET/SDH OC3/STM1 (Multi-Rate)<br />
MICs with SFP (MX Series routers)—The following Layer 2 features are supported on<br />
the Channelized SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP:<br />
• Support for configuring interface MTU settings (range: 256–9192 bytes).<br />
• Support for configuring High-Level Data Link Control (HDLC) payload scrambling.<br />
• Support for crc-16 and crc-32 HDLC CRC checking modes.<br />
• Support for configuring HDLC idle cycle flag. The default idle cycle transmit value is<br />
is 0x7E.<br />
• Support for the following encapsulations:<br />
• cisco-hdlc—Cisco-compatible HDLC framing<br />
• cisco-hdlc-ccc—Cisco-compatible HDLC framing for a circuit cross-connect<br />
• cisco-hdlc-tcc—Cisco-compatible HDLC framing for a translational cross-connect<br />
• flexible-frame-relay—Multiple Frame Relay encapsulations<br />
• frame-relay—Frame Relay encapsulation<br />
• frame-relay-ccc—Frame Relay for a circuit cross-connect<br />
• frame-relay-tcc—Frame Relay for a translational cross-connect<br />
• frame-relay-ppp—Point-to-Point Protocol (PPP) over Frame Relay<br />
• ppp—Serial Point-to-Point Protocol (PPP) device<br />
• ppp-ccc—Serial PPP device for a circuit cross-connect<br />
• ppp-tcc—Serial PPP device for a translational cross-connect<br />
• MPLS circuit cross-connect<br />
• MPLS translational cross-connect<br />
• MPLS fast reroute<br />
[Class of Service]<br />
74<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Support for setting IPv6 DSCP and MPLS EXP independently (M120 routers, M320<br />
routers with Enhanced III FPCs, and MX Series routers)—On M120 routers, M320<br />
routers with Enhanced III FPCs, and MX Series 3D Universal Edge Routers, you can set<br />
the packet DSCP and MPLS EXP bits independently on IPv6 packets.<br />
To enable this feature, include the protocol mpls statement at the [edit class-of-service<br />
interfaces interface-name unit logical-unit rewrite-rules dscp-ipv6 rule-name] hierarchy<br />
level.<br />
You can set DSCP IPv6 values only at the ingress MPLS node. This feature is not<br />
supported on MPC/MIC interfaces.<br />
[Class of Service]<br />
• Unified command to display all QoS statistics (M Series, MX Series, and T Series<br />
routers)—Two new options, detail and comprehensive, are added to the show<br />
class-of-service interface interface-name command. These new options are added to<br />
provide a unified operational command that combines the output of existing commands<br />
and displays all quality-of-service (QoS) parameters and statistics for physical or<br />
logical interfaces.<br />
The output of the show class-of-service interface interface-name detail command is a<br />
combination of output of the following commands:<br />
• show interfaces brief<br />
• show interfaces filters interface-name<br />
• show interfaces policers interface-name<br />
• show class-of-service interface interface-name<br />
In the show class-of-service interface interface-name detail command, if interface-name<br />
is a physical interface, the QoS information is displayed for the physical interface as<br />
well as for the logical interfaces on the physical interface—that is, the commands listed<br />
above are executed first for the physical interface, and then for each of the logical<br />
interfaces. If interface-name is a logical interface, the QoS information is displayed<br />
only for the logical interface.<br />
The output of the show class-of-service interface interface-name comprehensive<br />
command is a combination of output of the following commands:<br />
• show interfaces interface-name extensive<br />
• show interfaces queue interface-name<br />
• show interfaces filters interface-name<br />
• show interfaces policers interface-name<br />
• show firewall filter filter-name<br />
• show policer policer-name<br />
• show class-of-service classifier name classifier-name<br />
• show class-of-service translation-table name trans-table-name<br />
• show class-of-service forwarding-class<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
75
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• show class-of-service traffic-control-profile tcp-name<br />
• show class-of-service scheduler-map scheduler-map-name<br />
• show class-of-service drop-profile drop-profile-name<br />
• show class-of-service rewrite-rule name rewrite-rule-name<br />
• show class-of-service fragmentation-map fragmap-name<br />
The show class-of-service interface interface-name comprehensive command displays<br />
a specific construct only when it is attached to the interface. For example, if a translation<br />
table is not attached to an interface, it is not displayed. The constructs are listed if they<br />
are configured on the interface, either explicitly or through default configuration.<br />
NOTE:<br />
• The output of the show class-of-service interface interface-name detail<br />
and show class-of-service interface interface-name comprehensive<br />
commands are a combination of existing command output and no new<br />
field or functionality is added in the output.<br />
• The show class-of-service interface interface-name detail and show<br />
class-of-service interface interface-name comprehensive commands can<br />
be used mainly for debugging. If you do not specify interface<br />
interface-name and want to see the output for many interfaces together<br />
using these commands, there might be some delay in displaying the<br />
output.<br />
• The show class-of-service interface interface-name detail and show<br />
class-of-service interface interface-name comprehensive commands do<br />
not display routing instance statistics and information related to interface<br />
sets, ATM CoS, CoS-based forwarding, and interface range match.<br />
• While displaying firewall QoS output, only classical, interface-specific,<br />
and Layer 2 policers–related information is displayed.<br />
[Class of Service, System Basics, Network Interfaces]<br />
• Support for rewrite rules and classifiers on Ethernet pseudowires (MX Series<br />
routers)—Enables you to configure rewrite rules and classifiers on Ethernet pseudowires<br />
that are configured on logical tunnel interfaces. This feature is supported on MPC/MIC<br />
modules on MX Series routers.<br />
You can use logical tunnel interfaces to create pseudowires by connecting two virtual<br />
routing forwarding (VRF) instances. A pseudowire can be used to represent a single<br />
subscriber (for example, a business subscriber).<br />
To configure this feature, create a logical interface by including the lt-fpc/pic/port<br />
statement at the [edit interfaces] hierarchy level or the [edit logical-systems<br />
logical-system-name interfaces] hierarchy level. You must specify an Ethernet<br />
encapsulation type and inet as the family.<br />
76<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
To configure the CoS parameters, include the rewrite-rules and classifier statements<br />
at the [edit class-of-service] hierarchy level. You can specify inet-precedence or dscp<br />
as the rewrite rule or the classification type.<br />
[Class of Service, Subscriber Access]<br />
• Policer support for aggregated Ethernet and SONET bundles (M120, M10i, and M7i<br />
routers (CFEB-E only), M320 routers (SFPC only), MX240, MX480, and MX960<br />
routers (DPC only)) Aggregated interfaces support single-rate policers, three-color<br />
marking policers, two-rate three-color marking policers, hierarchical policers, and<br />
percentage-based policers. By default, policer bandwidth and burst size applied on<br />
aggregated bundles are not matched to the user-configured bandwidth and burst size.<br />
You can configure interface-specific policers applied on an aggregated Ethernet bundle<br />
or an aggregated SONET bundle to match the effective bandwidth and burst size to<br />
user-configured values. The shared-bandwidth-policer statement is required to achieve<br />
this match behavior.<br />
This capability applies to all interface-specific policers of the following types: single-rate<br />
policers, single-rate three-color marking policers, two-rate three-color marking policers,<br />
and hierarchical policers. Percentage-based policers match the bandwidth to the<br />
user-configured values by default, and do not require shared-bandwidth-policer<br />
configuration. The shared-bandwidth-policer statement causes a split in burst size for<br />
percentage-based policers.<br />
To configure this feature, include the shared-bandwidth-policer statement at the [edit<br />
firewall policer policer-name], [edit firewall three-color-policer policer-name], or [edit<br />
firewall hierarchical-policer policer-name] hierarchy level.<br />
[Class of Service]<br />
• Configurable IEEE 802.1p inheritance support for push and swap from hidden tag<br />
(MX Series routers)—Configurable IEEE 802.1p inheritance of push and swap bits from<br />
the hidden tag of each incoming packet allows you to classify incoming packets based<br />
on the IEEE 802.1p bits from the hidden tag.<br />
You can configure inheritance of IEEE 802.1p bits from the hidden tag by including the<br />
swap-by-poppush statement at the [edit interfaces interface-name unit<br />
logical-unit-number] hierarchy level. To configure the classification of incoming packets<br />
based on the IEEE 802.1p bits from the hidden tag, include the hidden statement at<br />
the [edit class-of-service interfaces interface-name unit logical-unit-number classifiers<br />
ieee-802.1 vlan-tag] hierarchy level.<br />
This feature is supported on MX Series routers with DPCs, Enhanced DPCs, and<br />
Enhanced Queuing DPCs.<br />
[Class of Service, Ethernet Interfaces]<br />
• Queuing support for logical tunnel interfaces (MX Series routers with MPC/MIC<br />
interfaces)—You can configure CoS scheduling parameters on a logical tunnel interface.<br />
This configuration can be used to manage traffic entering a pseudowire. You can<br />
configure the CoS scheduling and queuing parameters at the physical interface or the<br />
logical interface level. To do this, configure a hierarchical scheduler on the physical<br />
interface.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
77
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[Class of Service]<br />
• DSCP rewrite enabled on T640 and T1600 routers—DSCP rewrite is supported for<br />
the 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (PD-5-10XGE-SFPP).<br />
NOTE: This PIC is referred to as the 10-port 10-Gigabit Oversubscribed<br />
Ethernet PIC or 10-port 10-Gigabit OSE PIC in some software<br />
documentation.<br />
[Class of Service, T640 PIC Guide, T1600 PIC Guide]<br />
• Extends support for Layer 2 policers on MX Series routers with MPC/MIC<br />
interfaces—You can now configure Layer 2 policers for the ingress and egress interfaces<br />
on MX Series routers with MPC/MIC interfaces. Policer types include: single-rate<br />
two-color, single-rate three-color (color-blind and color-aware), and two-rate<br />
three-color (color-blind and color-aware). To configure Layer 2 policing, include the<br />
policer at the [edit firewall] hierarchy level.<br />
[Class of Service, Policy, Network Interfaces]<br />
High Availability<br />
• Nonstop active routing support for RSVP OAM and BFD over RSVP—Starting with<br />
<strong>Release</strong> 11.4, Junos OS extends the nonstop active routing support to the RSVP<br />
Operation, Administration, and Maintenance (OAM) feature. Nonstop active routing<br />
support for RSVP OAM ensures that the OAM state information is maintained across<br />
the switchover. Nonstop active routing support for RSVP OAM also enables the BFD<br />
sessions over RSVP LSPs to preserve the state information across the switchover, and<br />
to come back online after the switchover.<br />
However, nonstop active routing support for RSVP OAM does not include<br />
point-to-multipoint LSPs, logical systems, and bypass and detour LSPs.<br />
[High Availability]<br />
• Support for unified in-service software upgrade (T640 and T1600 Routers)—Supports<br />
unified in-service software upgrade (unified ISSU) on T640 and T1600 routers with<br />
10-Gigabit Ethernet LAN/WAN PIC with SFP+ (PD-5-10XGE-SFPP). Unified ISSU is a<br />
process to upgrade the system software with minimal disruption of transit traffic and<br />
no disruption on the control plane. In this process, the new system software version<br />
must be higher than the previous system software version. When unified ISSU<br />
completes, the new system software state is identical to that of the system software<br />
when the system upgrade is performed by powering off the system and then powering<br />
it back on.<br />
[High Availability]<br />
• Support for unified in-service software upgrade (MX Series routers with FPC2 and<br />
FPC3)—Supports unified in-service software upgrade (unified ISSU) on MX Series<br />
routers with FPC2 and FPC3.<br />
The following Physical Interface Cards (PICs) on MX-FPC2 and MX-FPC3 support<br />
unified ISSU:<br />
78<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
MX-FPC2<br />
• SONET/SDH OC48/STM16 (Multi-Rate) PIC with SFP (PB-1OC48-SON-B-SFP)<br />
• SONET/SDH OC48c/STM16 with SFP (PB-1OC48-SON-SFP)<br />
• SONET/SDH OC3c/STM1 (Multi-Rate) PIC with SFP (PB-4OC3-1OC12-SON2-SFP)<br />
• SONET/SDH OC12/STM4 (Multi-Rate) PIC with SFP (PB-4OC3-4OC12-SON-SFP)<br />
• Channelized OC48/STM16 Enhanced IQ (IQE) PIC with SFP<br />
(PB-1CHOC48-STM16-IQE-SFP)<br />
MX-FPC3<br />
• SONET/SDH OC192c/STM64 PIC (PC-1OC192-SON-VSR)<br />
• SONET/SDH OC192c/STM64 PIC with XFP (PC-1OC192-SON-XFP)<br />
• SONET/SDH OC48/STM16 PIC with SFP (PC-4OC48-SON-SFP)<br />
Unified ISSU is a process to upgrade the system software with minimal disruption of<br />
transit traffic and no disruption on the control plane. In this process, the new system<br />
software version must be higher than the previous system software version. When<br />
unified ISSU completes, the new system software state is identical to that of the system<br />
software when the system upgrade is performed by powering off the system and then<br />
powering it back on.<br />
[High Availability]<br />
• Layer 2 bridging support for MX Series Virtual Chassis (MX240, MX480, and MX960<br />
routers with MPC/MIC interfaces)—Supports the following Layer 2 bridging features<br />
and applications in an MX Series Virtual Chassis configuration:<br />
• Bridged interface configuration<br />
• Bridge domain configuration<br />
• Media access control (MAC) flooding and learning<br />
• Integrated routing and bridging (IRB)<br />
• Virtual private LAN service (VPLS)<br />
• Redundant pseudowires for Layer 2 circuits and VPLS<br />
Configuration of these Layer 2 bridging features works the same way for member<br />
routers in an MX Series Virtual Chassis as it does for standalone MX Series routers that<br />
are not part of a Virtual Chassis.<br />
[High Availability, Layer 2]<br />
• Support for unified in-service software upgrade (T640 and T1600 Routers with Type<br />
3 PICs)—Junos OS <strong>Release</strong> 11.4 supports unified in-service software upgrade (unified<br />
ISSU) on T640 and T1600 routers with 4-port Channelized SONET/SDH OC48/STM16<br />
Enhanced IQ (IQE) PIC with SFP (PC-4OC48-STM16-IQE-SFP).<br />
Unified ISSU is a process to upgrade the system software with minimal disruption of<br />
transit traffic and no disruption on the control plane. In this process, the new system<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
79
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
software version must be higher than the previous system software version. When<br />
unified ISSU completes, the new system software state is identical to that of the system<br />
software when the system upgrade is performed by powering off the system and then<br />
powering it back on.<br />
[High Availability]<br />
• Unified ISSU support for statistics preservation on MPC/MIC interfaces (MX Series<br />
3D Universal Edge Routers)—Enables support for the preservation of interface-specific<br />
and firewall filter statistics across a unified in-service software upgrade (unified ISSU)<br />
on an MX Series router with MPC/MIC interfaces. This support ensures that the router<br />
maintains statistics data across the unified ISSU and that statistics counters are<br />
operational after the unified ISSU completes.<br />
To preserve statistics across a unified ISSU, the router stores the statistics data as<br />
binary large objects. The router collects the statistics before the unified ISSU is<br />
initialized, and restores the statistics after the unified ISSU completes. No statistics<br />
are collected during the unified ISSU process.<br />
To verify that statistics are preserved across the unified ISSU, you can issue existing<br />
CLI operational commands such as show interfaces statistics after the unified ISSU<br />
completes.<br />
For a list of the MPCs and MICs that are supported during a unified ISSU on MX Series<br />
3D Universal Edge Routers, see the Junos OS High Availability Configuration Guide.<br />
[High Availability, Subscriber Access]<br />
Interfaces and Chassis<br />
• Internet Key Exchange version 2 (IKEv2)—Starting with Junos OS <strong>Release</strong> 11.4, both<br />
IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers.<br />
The version statement under the [edit services ipsec-vpn ike policy name] hierarchy<br />
level allows you to configure the specific IKE version to be supported. However, if only<br />
IKEv1 is supported, Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is<br />
supported, Junos OS rejects all IKEv1 negotiations.<br />
The key management process (kmd) determines which version of IKE is used in a<br />
negotiation. If kmd is the IKE initiator, it uses IKEv1 by default and retains the configured<br />
version for negotiations. If kmd is the IKE responder, it accepts connections from both<br />
IKEv1 and IKEv2.<br />
[Services Interfaces]<br />
• Support for Frame Relay DE loss priority mapping (M120 routers, M320 routers with<br />
Enhanced III FPC, M7i and M10i routers with Enhanced Compact Forwarding Engine<br />
Board, and MX Series routers)—Enables you to define a loss priority map based on<br />
the Frame Relay discard eligibility (DE) bit. To configure the Frame Relay DE loss priority<br />
mapping, include the loss-priority and code-point statements at the [edit class-of-service<br />
loss-priority-maps frame-relay-de] hierarchy level. For each mapping, the loss priority<br />
can be high, low, medium-high, or low. The value of the code point can be 0 or 1.<br />
The mapping does not take effect until you apply it to a logical interface. To apply a<br />
map to a logical interface, include the frame-relay-de map-name statement at the [edit<br />
80<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
class-of-service interfaces interface-name unit logical-unit-number loss-priority-maps]<br />
hierarchy level:<br />
[edit class-of-service interfaces interface-name unit logical-unit-number<br />
loss-priority-maps]<br />
frame-relay-de map-name;<br />
[Class of Service, System Basics, Network Interfaces]<br />
• Support for Frame Relay DE bit rewriting on Enhanced IQ PICs (M7i, M10i, M40e,<br />
M120, M320, MX Series, and T Series routers)—Enables you to rewrite the Frame<br />
Relay discard eligibility (DE) bit by including the frame-relay-de statement at the [edit<br />
class-of-service loss-priority-rewrites] hierarchy level. For each mapping, the loss priority<br />
can be high, low, medium-high, or low. The value of the code point can be 0 or 1.<br />
The Frame Relay DE bit rewrite does not take effect until you apply it to a logical<br />
interface. To apply the Frame Relay DE bit rewrite to the logical interface, include the<br />
frame-relay-de map-name statement at the [edit class-of-service interfaces<br />
interface-name unit logical-unit-number loss-priority-rewrites] hierarchy level:<br />
[edit class-of-service interfaces interface-name unit logical-unit-number<br />
loss-priority-rewrites]<br />
frame-relay-de map-name;<br />
[Class of Service, System Basics, Network Interfaces]<br />
• Support for carrying DE, FECN, and BECN bit information in Layer 2 VPN and Layer<br />
2 circuit control word (M120, M320, MX Series, and T Series routers)—Provides<br />
additional class-of-service (CoS) support for Frame Relay services over MPLS using<br />
Layer 2 virtual private networks (VPNs) and Layer 2 circuits. When you perform control<br />
word classification and rewrite, the discard eligibility (DE) bit, forward explicit congestion<br />
notification (FECN) bit, and backward explicit congestion notification (BECN) bit in<br />
the incoming Frame Relay packet for the circuit cross-connect (CCC) family are mapped<br />
to the Layer 2 circuit control word across the MPLS backbone. To enable this mapping,<br />
include the translate-discard-eligible and translate-fecn-and-becn statements at the<br />
[edit interfaces interface-name unit logical-unit-number family ccc] hierarchy level.<br />
You can classify and rewrite the control word DE bit based on the packet loss priority<br />
(PLP) by using the translate-plp-control-word-de statement at the [edit interfaces<br />
interface-name unit logical-unit-number family ccc] hierarchy level. When you configure<br />
the translate-plp-control-word-de statement on the ingress PE router, the DE bit in the<br />
control word is rewritten based on the PLP. When you configure the<br />
translate-plp-control-word-de statement on the egress PE router, the PLP is derived<br />
based on the control word DE bit, and the DE bit in the outgoing Frame Relay header<br />
is rewritten based on the PLP. By default, control word classification and rewrite is<br />
disabled. The mapping of the PLP to the DE bit in the control word and the outgoing<br />
Frame Relay packet is fixed. For rewriting, the PLP values low and medium-low are<br />
mapped to the DE bit 0 and the PLP values high and medium-high are mapped to the<br />
DE bit 1. For classifying, the DE bit 0 is mapped to the PLP value low and the DE bit 1 is<br />
mapped to the PLP value high.<br />
To enable control word classification and rewrite, include the following statements at<br />
the [edit interfaces interface-name unit logical-unit-number family ccc] hierarchy level:<br />
[edit interfaces interface-name unit logical-unit-number ]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
81
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
{<br />
encapsulation frame-relay-ccc;<br />
point-to-point;<br />
dlci dlci-number;<br />
family ccc {<br />
translate-discard-eligible;<br />
translate-fecn-and-becn;<br />
translate-plp-control-word-de;<br />
}<br />
}<br />
NOTE: The translate-discard-eligible and translate-plp-control-word-de<br />
statements are mutually exclusive—that is, you can configure only one of<br />
these statements.<br />
[Network Interfaces]<br />
• Extends support for the Two-Way Active Measurement Protocol (TWAMP) on MX<br />
Series routers with MPC/MIC interfaces—You can now configure TWAMP (RFC 5357)<br />
on MX Series routers with MPC/MIC interfaces. To configure TWAMP properties, include<br />
the twamp statement at the [edit services rpm] hierarchy level. In previous Junos OS<br />
releases, this feature was supported on M Series and T Series routers that support<br />
Multiservices PICs (running in either Layer 2 or Layer 3 mode), and on MX Series routers.<br />
[Services Interfaces]<br />
• Support for active monitoring on logical systems—A logical system is a partition<br />
created from a physical router that performs independent routing tasks. Several logical<br />
systems in a single router with their own interfaces, policies, instances, and routing<br />
tables can perform functions handled by several different routers. Starting with Junos<br />
OS <strong>Release</strong> 11.4, support for active monitoring is extended to logical systems running<br />
on T Series and MX Series routers. A shared services PIC handles flows from all the<br />
logical systems. Only version 9 flows, IPv4, and MPLS templates are supported.<br />
[Services Interfaces]<br />
• Connecting the JCS1200 platform to a TX Matrix Plus Router now supported—Both<br />
RSD (root system domain) and PSD (protected system domain) are now supported<br />
on TX Matrix Plus routers.<br />
A Protected System Domain (PSD) system consists of a redundant Routing Engine<br />
pair (or a single Routing Engine) on the JCS1200 platform, matched with one or more<br />
Flexible PIC Concentrators (FPCs) on a T Series router. You can now connect a TX<br />
Matrix Plus router to the JCS1200 platform to function as a PSD. To configure<br />
multichassis PSD, include the lcc number fpcs number statement at the [edit chassis<br />
system-domains protected system domains] hierarchy level. Up to 12 FPCs can be<br />
configured for a PSD.<br />
show chassis psd is now also supported on TX Matrix Plus routers.<br />
[Protected System Domain, System Basics, JCS1200 Control System Hardware, TX Matrix<br />
Plus Hardware Guide ]<br />
82<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Support for 40-Gigabit Ethernet PIC with CFP (PD-1XLE-CFP) on T1600 and T640<br />
routers—The 40-Gigabit Ethernet PIC with CFP (PD-1XLE-CFP) is a 1-port 40-Gigabit<br />
Ethernet Type 4 PIC with C form-factor pluggable (CFP) optics supported on T1600<br />
and T640 routers. The 40-Gigabit Ethernet PIC with CFP occupies FPC slot 0 or 1 in<br />
the Type 4 FPC. It shares certain common features, such as flexible encapsulation and<br />
MAC accounting, with the 4-port 10-Gigabit Ethernet LAN/WAN PIC with XFP (model<br />
number PD-4XGE-XFP).<br />
[Network Interfaces, Interfaces Command Reference, T640 PIC Guide, T1600 PIC Guide]<br />
• Support for channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP (MX<br />
Series routers)—Enables support for SONET/SDH and PDH interfaces on MX Series<br />
routers. There are two types of SONET/SDH OC3/STM1 (Multi-Rate) MICs with<br />
SFP—the 8-port Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP<br />
(model number: MIC-3D-8CHOC3-4CHOC12), and the 4-port Channelized SONET/SDH<br />
OC3/STM1 (Multi-Rate) MIC with SFP (model number: MIC-3D-4CHOC3-2CHOC12).<br />
These MICs support POS/PDH interfaces on the MX80 3D Universal Edge Routers and<br />
other MX Series routers using the MX-MPC1-3D-Q, MX-MPC2-3D-Q, and<br />
MX-MPC2-3D-EQ MPCs to position a single device to meet multiservice edge<br />
requirements. These MICs provide the following basic functions:<br />
• SONET/SDH/PDH framing<br />
• Preclassification<br />
NOTE: CoS support is not directly available on these MICs. CoS functions<br />
are completely implemented in the Packet Forwarding Engine. These MICs<br />
only preclassify the packets.<br />
The following features are supported on the Channelized SONET/SDH OC3/STM1<br />
(Multi-Rate) MICs with SFP:<br />
• Default framing on all ports is SONET.<br />
• The MIC supports SONET and SDH framing mode on a per-port basis. To enable<br />
SONET or SDH framing, you need to set the framing statement at the [chassis fpc<br />
MPC-slot-number pic MIC-slot-number port port-number] hierarchy level.<br />
• The MIC supports channelized OC3/STM1 and channelized OC12/STM4 configuration<br />
on a per-port basis. You can set the speed of the port by configuring the speed<br />
statement at the [chassis fpc MPC-slot-number pic MIC-slot-number port port-number]<br />
hierarchy level.<br />
• By default, the speed of a port is set to OC3/STM1. You can use the show interface<br />
extensive operational mode command to view the speed of an interface.<br />
• The MIC supports remote and local loopback. Loopbacks can be configured<br />
independently on each port.<br />
• Simultaneous T3 and E3 interfaces can exist on the cau4 controller-level interface.<br />
• Simultaneous T1 and E1 interfaces can exist on the cau4 controller-level interface.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
83
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
NOTE:<br />
• The Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP<br />
does not support aggregate SONET (link bundling).<br />
• The Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP<br />
does not support container interfaces.<br />
• When a port is configured as channelized OC12, only six of the twelve<br />
OC1 slices can be deep-channelized from T1 through DS0. The remaining<br />
six OC1 slices can be channelized only to T3 or can be combined to form<br />
two OC3 slices. They cannot be channelized to T1 or DS0.<br />
[Channelized Interfaces, SONET/SDH Interfaces, Class of Service, System Basics]<br />
• Support for DS3/E3 MIC (MX Series routers)—Enables support for PDH interfaces<br />
on the MX80 3D Universal Edge Router and other MX Series routers using the<br />
MX-MPC1-3D-Q, MX-MPC2-3D-Q, and MX-MPC2-3D-EQ MPCs to position a single<br />
device to meet multiservice edge requirements. You can configure the DS3/E3 MIC<br />
(model number: MIC-3D-8DS3-E3) to function either in clear-channel mode or in<br />
channelized mode. When functioning in channelized mode, the DS3/E3 MIC supports<br />
PDH interfaces on the MX80 3D Universal Edge Router and MX Series routers that use<br />
MX-MPC1-3D-Q, MX-MPC2-3D-Q, or MX-MPC2-3D-EQ. When functioning in<br />
clear-channel mode, this MIC also supports PDH interfaces on the MX-MPC1-3D and<br />
MX-MPC2-3D MPCs.<br />
The DS3/E3 MIC provides the following basic functions:<br />
• PDH framing<br />
• Preclassification<br />
NOTE: CoS support is not directly available on this MIC. CoS functions are<br />
completely implemented in the Packet Forwarding Engine. The MIC only<br />
preclassifies the packets.<br />
By default, the DS3/E3 MIC functions in clear-channel mode. To enable the DS3/E3<br />
MIC to function in channelized mode, you need to use the software license<br />
S-MIC-3D-8CHDS3. To enable channelization, set the channelization option at the<br />
[chassis fpc MPC-slot-number pic MIC-slot-number] hierarchy level. You can use the<br />
channelization option to channelize individual DS3 interfaces.<br />
84<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
NOTE:<br />
• You can configure the channelization option to enable channelization for<br />
the DS3/E3 MICs only. Moreover, you can use the channelization option<br />
only on MX Series routers with Queuing and Enhanced Queuing MPCs<br />
(MX-MPC1-3D-Q, MX-MPC2-3D-Q, and MX-MPC2-3D-EQ) or on MX80<br />
routers. Configuring the channelization option on other MPCs does not<br />
have any effect. The MIC continues to operate in clear-channel mode.<br />
• Only clear-channel E3 mode is supported on the DS3/E3 MIC. Therefore,<br />
configuring the channelization option does not impact the E3 functionality.<br />
You can enable DS3 or E3 framing mode on individual ports of the DS3/E3 MIC. To do<br />
this, set the framing statement at the [chassis fpc MPC-slot-number pic MIC-slot-number<br />
port port-number] hierarchy level. By default, DS3 mode is enabled.<br />
NOTE: The DS3/E3 MIC does not support E3 subrate and scrambling.<br />
[Channelized Interfaces, Class of Service, System Basics]<br />
• Enhanced MX Switch Control Board (MX960, MX480, and MX240 routers)—The<br />
Enhanced MX SCB uses an XF chip that provides more than 120 Gbps per slot of<br />
bandwidth with redundancy. This SCB is supported on MX960, MX480, and MX240<br />
routers, and consists of the following components:<br />
• XF chip—Facilitates fabric planes<br />
• 3 Gbps and 6 Gbps HSL2 link speed<br />
• Front panel clock interface for future clocking support<br />
• Front panel small form-factor pluggable (SFP) transceivers or SFP+ external Ethernet<br />
switch interface for future support<br />
[MX960 3D Universal Edge Router Hardware Guide, MX480 3D Universal Edge Router<br />
Hardware Guide, MX240 3D Universal Edge Router Hardware Guide]<br />
• Command output changes for Enhanced MX Switch Control Board (MX960, MX480,<br />
and MX240 routers)—The Enhanced MX Switch Control Board (SCB) caters to the<br />
carrier Ethernet services router and carrier Ethernet transport markets that require<br />
higher-capacity traffic support demanding greater interface density (slot and capacity<br />
scale), as well as improved services.<br />
Starting with <strong>Release</strong> 11.4, Junos OS supports the Enhanced MX SCB, thereby resulting<br />
in the following command output changes:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
85
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• show chassis environment command displays CB N SF A and CB N SF B for the<br />
temperatures of the existing SF ASICs. For the Enhanced MX SCB, the temperature<br />
sensor is still present, but it now measures the temperature of the XF ASIC. The<br />
display output now shows CB N XF A and CB N XF B.<br />
• show environment cb command now includes information about new Power<br />
Management BUS (PMBus) devices on the board, including measured voltage,<br />
measured current, and calculated power.<br />
• show chassis hardware command shows the new part number 750-031391, and the<br />
description is Enhanced MX SCB.<br />
• show chassis hardware models command shows the new model SCBE-MX-S.<br />
• show chassis hardware extensive command shows the new assembly ID 0x09b0.<br />
• The output of the following commands shows a maximum of four active planes for<br />
the Enhanced MX SCB on MX Series routers with MPCs.<br />
• show chassis fabric summary<br />
• show chassis fabric fpc<br />
• show chassis fabric plane<br />
[System Basics]<br />
• Physical interface policers on MX Series routers with MPC/MIC interfaces—Physical<br />
interface policers are now available on the Trio chipset.<br />
[Policy]<br />
• Support for FIB localization—In Junos OS <strong>Release</strong> 11.4 and later, you can configure FIB<br />
localization for a Packet Forwarding Engine. FIB localization characterizes Packet<br />
Forwarding Engines in a router as either “FIB-Remote” or “FIB-Local.” FIB-Local Packet<br />
Forwarding Engines install all routes from the default inet and inet6 route tables into<br />
the Packet Forwarding Engine forwarding hardware. By default, FIB-Remote Packet<br />
Forwarding Engines do not install routes for these tables. Instead, FIB-Remote Packet<br />
Forwarding Engines create a default (0/0) route in the Packet Forwarding Engine<br />
forwarding hardware for the inet and inet6 tables. The default route references a next<br />
hop or a unilist of next hops that indicate the FIB-Local Packet Forwarding Engines<br />
that can perform full IP table lookups for received packets.<br />
When FIB localization is configured on a router with some FPCs being FIB-Remote and<br />
some others being FIB-Local, packets arriving on the interface of the FIB-Remote FPC<br />
are forwarded to one of the FIB-Local FPCs for route lookup and forwarding.<br />
The advantage of configuring FIB localization is that it enables upgrading the hardware<br />
forwarding table capacity of FIB-Local Packet Forwarding Engines while not requiring<br />
upgrades to the FIB-Remote Packet Forwarding Engines. In a typical network<br />
deployment, FIB-Local Packet Forwarding Engines are core-facing, while FIB-Remote<br />
Packet Forwarding Engines are edge-facing. The FIB-Remote Packet Forwarding<br />
Engines also load-balance traffic over the available set of FIB-Local Packet Forwarding<br />
Engines.<br />
86<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
To configure FIB localization, for IPv4 or IPv6 traffic, include the route-localization<br />
statement at the [edit chassis] hierarchy level. To configure the Packet Forwarding<br />
Engine of an FPC as either FIB-Local or FIB-Remote, include the fib-local or fib-remote<br />
statement at the [edit chassis fpc fpc-number route-localization] hierarchy level. To<br />
configure a routing policy to enable the forwarding table policy to mark route prefixes<br />
for installation in the forwarding hardware on the FIB-Remote Packet Forwarding<br />
Engines, include the no-route-localize statement at the [edit policy-options<br />
policy-statement policy-name term term-name then] hierarchy level.<br />
To verify route localization information, issue the show route localization or the show<br />
route localization detail commands.<br />
[System Basics, Policy]<br />
• Junos OS 64-bit migration on the T1600 Router—Unified in-service software upgrade<br />
(unified ISSU) is not supported when upgrading from 32-bit Junos OS to 64-bit Junos<br />
OS because GRES and NSR features need to be disabled during the upgrade. Mixing<br />
32-bit Junos OS and 64-bit Junos OS is not supported except for a small window of<br />
time during the upgrade process.<br />
• Support for IGMP snooping over MPCs (MX Series routers with MPCs)—Junos OS<br />
<strong>Release</strong> 11.4 supports the configuration of IGMP snooping over MPCs. For information<br />
about how to configure IGMP snooping, see the Junos OS Multicast Protocols Configuration<br />
Guide.<br />
[MX Series 3D Universal Edge Router Line Card Guide]<br />
• Passive flow monitoring support on ES-FPCs (T640 and T1600 routers)—Passive<br />
monitoring enables you to perform lawful intercept of packets that traverse an Ethernet<br />
link between routers or switches. Passive monitoring support is now extended for IPv4<br />
and IPv6 to the following PICs for the T640 and T1600 routers:<br />
• Gigabit Ethernet PIC with SFP<br />
• 10-Gigabit Ethernet PIC with XENPAK (T1600 router)<br />
• SONET/SDH OC192/STM64 PIC (T1600 router)<br />
• SONET/SDH OC192/STM64 PICs with XFP (T1600 router)<br />
• SONET/SDH OC48c/STM16 PIC with SFP (T1600 router)<br />
• SONET/SDH OC48/STM16 (Multi-Rate)<br />
• SONET/SDH OC12/STM4 (Multi-Rate) PIC with SFP<br />
• Type 1 SONET/SDH OC3/STM1 (Multi-Rate) PIC with SFP<br />
IPv6 passive monitoring is not supported on Monitoring Services PICs. You must<br />
configure port mirroring to forward the packets from the passive monitored ports to<br />
other interfaces. To configure port mirroring, include the port-mirroring statement at<br />
the [edit forwarding-options] hierarchy level.<br />
Configuring the interface in passive monitoring mode automatically configures it in<br />
promiscuous mode. To configure passive monitoring, include the passive-monitor-mode<br />
statement at the [edit interfaces interface-name] hierarchy level. Gigabit Ethernet<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
87
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
interfaces in passive monitoring mode do not support the stacked-vlan-tagging<br />
statement.<br />
To remove MPLS labels, include the pop-all-labels statement at the [edit interfaces<br />
interface-name gigether-options mpls] hierarchy level.<br />
[Services Interfaces, Network Interfaces]<br />
• Layer 2 interface statistics enhancement—On Dense Port Concentrators (DPCs) on<br />
MX Series routers, when a bridge domain is configured with an integrated routing and<br />
bridging (IRB) interface, packets that are routed by the IRB interface and transmitted<br />
out through a Layer 2 interface that is part of the bridge domain are now accounted<br />
for in the corresponding Layer 2 interface statistics. Prior to Junos OS <strong>Release</strong> 11.4, the<br />
Layer 2 interface statistics did not account for those packets that were routed by an<br />
IRB. The show interfaces irb extensive command displays the IRB-related statistics,<br />
while the show interfaces statistics interface-name command displays the layer 2<br />
interface level statistics.<br />
[Interfaces Command Reference]<br />
• Display pseudowire Layer 2 policing statistics (MX Series routers with MPCs/MICs<br />
or enhanced DPCs)—The Junos OS Routing Engine, kernel, and Packet Forwarding<br />
Engine can collect the statistics for a pseudowire policer from all Packet Forwarding<br />
Engines and display them on the Routing Engine. These statistics are displayed when<br />
you execute the show interfaces command, if a pseudowire policer is enabled.<br />
This feature is available for pseudowire logical interfaces at egress.<br />
[MX Solutions Guide]<br />
• Support for 64-bit Junos OS on T640 and TX Matrix Plus routers—Enables you to<br />
run 64-bit Junos OS on T640 and TX Matrix Plus routers. This feature also allows you<br />
to migrate from the existing 32-bit Junos OS, without any loss of features. However,<br />
64-bit capable Routing Engines are required for upgrading to 64-bit Junos OS. The<br />
64-bit version of Junos OS supports:<br />
• Physical memory of more than 4 GB.<br />
• Increased virtual address space for applications.<br />
The following features are not supported by 64-bit Junos OS:<br />
• Different versions of Junos OS running in separate Routing Engines. Both Routing<br />
Engines must have either 32-bit or 64-bit Junos OS in a single physical or virtual<br />
chassis.<br />
• Upgrade, without downtime, from 32-bit to 64-bit Junos OS using unified in-service<br />
software upgrade (unified ISSU).<br />
In Junos OS <strong>Release</strong> 11.4, no new CLI commands or alarms are introduced for this<br />
feature.<br />
[System Basics and Services Command Reference, Interfaces Command Reference,<br />
Software Installation and Upgrade]<br />
• Limiting traffic black-hole time by detecting Packet Forwarding Engine destinations<br />
that are unreachable over the fabric (T640 and T1600 routers)—Enables the T640<br />
88<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
and T1600 routers to limit traffic black-hole time by detecting unreachable destination<br />
Packet Forwarding Engines. The router signals neighboring routers when it cannot carry<br />
traffic because of the inability of some or all source Packet Forwarding Engines to<br />
forward traffic to some or all destination Packet Forwarding Engines on any fabric<br />
plane, after interfaces have been created. This inability to forward traffic results in a<br />
traffic black hole.<br />
Packet Forwarding Engine destinations can become unreachable because of the<br />
following reasons:<br />
• The fabric Switch Interface Boards (SIBs) go offline as a result of a CLI command<br />
or a pressed physical button.<br />
• The fabric SIBs are turned offline by the Switch Processor Mezzanine Board (SPMB)<br />
because of high temperature.<br />
• Voltage or polled I/O errors in the SIBs detected by the SPMB.<br />
• All Packet Forwarding Engines get destination errors on all planes from remote<br />
Packet Forwarding Engines, even when the SIBs are online.<br />
• Complete fabric loss caused by destination timeouts, even when the SIBs are online.<br />
When the system detects unreachable Packet Forwarding Engine destinations, healing<br />
from the traffic black hole is attempted. If the healing fails, the system turns off the<br />
interfaces, thereby stopping the black hole.<br />
The recovery process consists of the following steps:<br />
1. Fabric plane restart phase: Healing is attempted by restarting the fabric planes one<br />
by one.<br />
2. Fabric plane and FPC restart phase: Healing is attempted by restarting both the<br />
fabric planes and the FPCs. If there are bad FPCs that are unable to initiate<br />
high-speed links to the fabric after reboot, traffic black hole is limited because no<br />
interfaces are created for these FPCs.<br />
3. FPC offline phase: Traffic black hole is limited by turning the FPCs offline and by<br />
turning off interfaces because previous attempts at recovery have failed.<br />
By default, the system limits black-hole time by detecting severely degraded fabric.<br />
You do not need to configure anything to enable this feature. However, you can limit<br />
recovery actions to fabric plane restart only. You need to fix the traffic black hole by<br />
performing steps 2 and 3 manually.<br />
In Junos OS <strong>Release</strong> 11.4, new alarms are added to indicate which FPCs are creating a<br />
traffic black hole in the system and to provide information about FPCs that are turned<br />
offline to stop the black hole in the recovery process.<br />
In Junos OS <strong>Release</strong> 11.4, new error messages are added to indicate whether the traffic<br />
black hole is detected by unreachable FPCs in the system, or it is due to all planes being<br />
offline. These messages also indicate the actions taken on FPCs and planes to stop<br />
the black hole—for example, FPC online, FPC offline , FPC restart, FPC power off, plane<br />
online, and plane offline.<br />
In Junos OS <strong>Release</strong> 11.4, two new CLI commands are introduced for this feature:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
89
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• The show chassis fabric unreachable-destinations command shows the list of<br />
destinations that have changed from reachable to unreachable.<br />
• The show chassis fabric reachability command shows the current state of fabric<br />
destination reachability, based on periodic reachability checks.<br />
[System Basics and Services Command Reference, System Log Messages Reference]<br />
• Support for four or five input feeds on six-input DC power supply—Enables you to<br />
provide four or five input feeds to the six-input DC power supply on standalone routers<br />
and LCC routers in a routing matrix. By default, the power supply is configured to have<br />
all the six input feeds connected.<br />
When providing four or five input feeds on standalone routers, you need to configure<br />
the feeds option at the [edit chassis pem] hierarchy level. When providing four or five<br />
input feeds on an LCC router in a routing matrix, you need to configure the feeds option<br />
at the [edit chassis lcc lcc-number pem] hierarchy level. The value assigned to the feeds<br />
option must be equal to the number of input feeds provided to the power supply.<br />
NOTE:<br />
• Before configuring input feeds for your router, see the T640 Core Router<br />
Hardware Guide or T1600 Core Router Hardware Guide for special<br />
considerations and for the number of input feeds supported by the router.<br />
• All power supplies in the router must use the same number of inputs<br />
feeds.<br />
When using the six-input 60-A DC power supply, you can monitor the input current,<br />
input voltage, fan current, and fan voltage by using the show chassis environment pem<br />
operational mode command.<br />
• Microcode remap (M320 and M120 routers)—M320 routers with E3 Type-1 FPCs and<br />
M120 routers with a single Type-1 FPC mapped to an FEB support a new microcode<br />
map to resolve microcode overflow resulting in bad PIC combinations.<br />
On M320 routers, the new microcode map is enabled by default and is the only option<br />
available.<br />
On M120 routers, you can enable the new microcode map by using the<br />
ucode-imem-remap statement at the [edit chassis feb slot number] hierarchy level. On<br />
M120 routers, the default microcode map remains configured if the ucode-imem-remap<br />
statement is not configured.<br />
[edit chassis]<br />
feb {<br />
slot number{<br />
ucode-imem-remap;<br />
}<br />
}<br />
NOTE: On M120 routers, the FEB is automatically restarted after the<br />
ucode-imem-remap statement is configured and committed.<br />
90<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
[System Basics, Network Interfaces]<br />
• Support for ESMC or SSM quality-based clock selection mode (MX Series<br />
routers)—Enables you to decide whether clock source selection should use the<br />
configured or received Ethernet Synchronization Message Channel (ESMC) or<br />
Synchronization Status Message (SSM) quality level for a qualifying interface.<br />
If you configure the selection-mode statement as configured-quality at the [edit chassis<br />
synchronization] hierarchy level, then the clock source selection algorithm uses the<br />
ESMC or SSM quality level configured for a qualifying interface.<br />
If you configure the selection-mode statement as received-quality at the [edit chassis<br />
synchronization] hierarchy level, then the clock source selection algorithm uses the<br />
ESMC or SSM quality level received on the qualifying interface.<br />
In both the selection modes, the interface qualifies for clock source selection only when<br />
the received ESMC or SSM quality level on the interface is equal to or better than the<br />
configured ESMC or SSM quality level for the interface.<br />
For the selection-mode statement configuration to take effect, you must set the<br />
quality-mode-enable statement at the [edit chassis synchronization] hierarchy level.<br />
To configure the ESMC or SSM quality-based clock selection mode, include the<br />
quality-mode-enable and selection-mode statements at the [edit chassis<br />
synchronization] hierarchy level.<br />
[System Basics, Junos OS Configuration Statements and Commands]<br />
• Additional MPC support for SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP<br />
(MX Series routers)—There are two types of SONET/SDH (Multi-Rate) MICs with<br />
SFP—the 8-port SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP, which offers high<br />
port density, and the 4-port SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP, which<br />
offers low port density. These MICs were introduced in Junos OS <strong>Release</strong> 11.2. Refer to<br />
the Junos OS 11.2 release notes for more information.<br />
In Junos OS <strong>Release</strong> 11.2, the 8-port and 4-port SONET/SDH OC3/STM1 (Multi-Rate)<br />
MICs with SFP are supported on the following MPCs:<br />
• 30-Gigabit Ethernet MPC (MX-MPC1-3D)<br />
• 30-Gigabit Ethernet Queuing MPC (MX-MPC1-3D-Q)<br />
In Junos OS <strong>Release</strong> 11.4, the support for 8-port and 4-port SONET/SDH OC3/STM1<br />
(Multi-Rate) MICs with SFP has been extended to the following MPCs:<br />
• 60-Gigabit Ethernet MPC (MX-MPC2-3D)<br />
• 60-Gigabit Ethernet Queuing MPC (MX-MPC2-3D-Q)<br />
• 60-Gigabit Ethernet Enhanced Queuing MPC (MX-MPC2-3D-EQ)<br />
[Network Interfaces]<br />
• Consortium Local Management Interface extended to Frame Relay protocol (MX<br />
Series routers)—Extended Consortium Local Management Interface (C-LMI) support<br />
for MX Series routers with specified MICs adds support for Consortium LMI based on<br />
the "Gang of Four" or "Consortium" standard (Section 6).<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
91
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
The following MICs are supported:<br />
• MIC-8OC3OC12-4OC48-SFP—8-port clear-channel OC3/OC12/STM-1/STM-4,<br />
4-port clear-channel OC48/STM-16<br />
• MIC-4OC3OC12-1OC48-SFP—4-port clear-channel OC3/OC12/STM-1/STM-4, 1-port<br />
clear-channel OC48/STM-16<br />
• MIC-3D-8CHOC3-4CHOC12-SFP—8-port Channelized OC3/STM-1, 4-port<br />
Channelized OC12/STM-4<br />
• MIC-3D-4CHOC3-2CHOC12-SFP—4-port Channelized OC3/STM-1, 2-port<br />
Channelized OC12/STM-4<br />
• MIC-3D-8DS3-E3—8-port clear-channel DS3/E3<br />
The following are also supported:<br />
• MX80 router<br />
• MX-MPC1-3D—30 GB, per port queuing, 64 KB logical interfaces<br />
• MX-MPC2-3D—60 GB, per port queuing, 64 KB logical interfaces<br />
• MX-MPC1-3D-Q—30 GB, enhanced queuing, 128 KB queues (max 64 KB egress), 32<br />
KB logical interfaces<br />
• MX-MPC2-3D-Q—60 GB, enhanced queuing, 256 KB queues (max 128 KB egress),<br />
64 KB logical interfaces<br />
To configure C-LMI, you can use the lmi-type statement with its c-lmi option at the<br />
[edit interfaces interface lmi] hierarchy level.<br />
The following encapsulation types are not supported:<br />
• frame-relay-port-ccc<br />
• extended-frame-relay-ether-type-tcc<br />
• frame-relay-ether-type<br />
• frame-relay-ether-type-tcc<br />
[Channelized Interfaces, SONET/SDH Interfaces, E1/E3/T1/T3 Interfaces, Interfaces<br />
Fundamentals]<br />
• IPv6 support for the dynamic flow capture (DFC) application—Starting with Junos<br />
OS <strong>Release</strong> 11.4, support for intercepting IPv6 flows through the DFC application is<br />
extended to M320 and T Series routers. IPv6 support is configured using the family<br />
intet6 statement at the [edit interfaces dfc-identifier unit 1] hierarchy level.<br />
[Services Interfaces]<br />
• Support for 802.1ag connectivity fault management (CFM) monitoring with service<br />
protection (MX Series routers with MPC/MIC interfaces)—Extends support for service<br />
protection functionality for Carrier Ethernet transport networks on MX Series routers<br />
with MPC/MIC interfaces. Service protection can be achieved by configuring a working<br />
92<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
and protect transport path. These transport paths can be monitored using the 802.1ag<br />
CFM protocol.<br />
[Network Interfaces]<br />
• Support for chassis Enhanced Network Services modes (MX Series routers with<br />
MPCs)—You can configure MX Series 3D Universal Edge Routers to run in different<br />
network services modes. Each network services mode defines how the chassis identifies<br />
and uses certain modules. Junos OS <strong>Release</strong> 11.4 supports the addition of Enhanced<br />
IP Network Services mode and Enhanced Ethernet Network Services mode.<br />
To configure the chassis for Enhanced Network Services modes, include the<br />
network-services statement along with either the enhanced-ip or enhanced-ethernet<br />
service option at the [edit chassis] hierarchy level.<br />
When the chassis is configured for Enhanced IP Network Services mode, only MPCs<br />
and Multiservices DPCs are powered on. When the chassis is configured for Enhanced<br />
Ethernet Network Services mode, only MPCs and Multiservices DPCs are powered on<br />
and all restrictions for operating in Ethernet Network Services mode apply. For<br />
information about Ethernet Network Services restrictions, see “Restrictions on Junos<br />
OS Features for MX Series Routers” in the Junos OS System Basics Configuration Guide.<br />
NOTE: Only Multiservices DPCs are powered on with the Enhanced Network<br />
Services mode options. No other DPCs function with the Enhanced Network<br />
Services mode options.<br />
[System Basics]<br />
• 6rd support for Anycast—Enables hosting of a 6rd domain on multiple service PICs<br />
by assigning the same softwire rules to two service sets that use different service<br />
interfaces. Only one PIC actively processes the 6rd traffic at any time. When the<br />
currently active PIC goes down, the PIC hosting the same 6rd domain becomes active<br />
and takes over the processing of 6rd traffic.<br />
[Services Interfaces, Next-Generation Network Addressing]<br />
• 6rd support for hairpinning—Enables packets exiting one 6rd softwire to be processed<br />
by another softwire after twice NAT processing. This applies when a host behind a<br />
softwire initiator tries to communicate with another host behind a softwire initiator.<br />
[Services Interfaces, Next-Generation Network Addressing]<br />
• DS-Lite support for Anycast and 6PE (IPv6 Provider Edge)—Anycast enables hosting<br />
of a DS-Lite domain on multiple service PICs by assigning the same softwire rule to<br />
two service sets that use different service interfaces. Only one PIC actively processes<br />
the DS-Lite traffic at any time. When the currently active PIC goes down, the PIC hosting<br />
the same DS-Lite domain becomes active and takes over the processing of DS-Lite<br />
traffic. Anycast provides these benefits:<br />
• Service continuity and load-balancing.<br />
• Simplified configuration—one interface address can be used by one or more softwire<br />
initiators.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
93
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
6PE is available for ISPs with MPLS-enabled networks. These networks now can use<br />
MP-BGP to provide connectivity between the DS-Lite B4 and AFTR (or any two IPv6<br />
nodes). DS-Lite properly handles encapsulation and decapsulation despite the presence<br />
of additional MPLS header information.<br />
[Services Interfaces, Next-Generation Network Addressing Solutions]<br />
• Support for interface-level DHCP statistics (MX Series 3D Universal Edge<br />
Routers)—DHCP local server statistics are now maintained per interface. The show<br />
dhcp server statistics, show dhcpv6 server statistics, and clear dhcp server statistics<br />
commands now display information about extended DHCP and DHCPv6 local server<br />
statistics on the specified interface.<br />
[System Basics Configuration Guide]<br />
• Support for connection protection optimization in CFM (MX Series routers)—You<br />
can now optimize connection protection in Carrier Ethernet networks using existing<br />
continuity-check message (CCM) functionality to help increase network reliability and<br />
stability. Ethernet Connectivity Fault Management (CFM) monitors end-to-end services<br />
by exchanging CCMs at a configurable periodic interval. Starting in <strong>Release</strong> 11.4, Junos<br />
OS provides configuration support to trigger faster protection switching and faster<br />
convergence using the interface-status type, length, and value (TLV) in CCM packets<br />
when a failure condition is detected. Faster protection switching and convergence can<br />
be used when customer edge (CE) devices in the Ethernet domain detect faster service<br />
failures and propagates the information in the interface-status TLV of the CCMs. Upon<br />
receiving CCMs, the provider edge (PE) devices can configure certain actions to facilitate<br />
faster protection-switching and convergence. The features supported include:<br />
• Configuring faster protection-switching and faster convergence using an action<br />
profile with the action and clear-action statements.<br />
• Configuring a primary virtual LAN (VLAN) ID using the primary-vid statement.<br />
• Extending MEP functionality to accept a different maintenance association identifier<br />
(ID) from a neighbor by using the remote-maintenance-association statement.<br />
[Network Interfaces]<br />
• Synchronous Ethernet support for 10-Gigabit Ethernet MICs in LAN mode (MX Series<br />
routers)—Junos OS <strong>Release</strong> 11.4 extends Synchronous Ethernet functionality on the<br />
10-Gigabit Ethernet MICs by providing support while operating in LAN framing mode.<br />
In LAN mode, the LAN frequency is directly fed by the MIC's on-board clocking circuitry.<br />
To enable Synchronous Ethernet on the 10-Gigabit Ethernet MICs, you must enable<br />
LAN framing mode using the framing statement's lan option at the [edit chassis fpc<br />
fpc-slot pic pic-slot] hierarchy level.<br />
The interface must be configured in LAN-PHY mode using the framing-mode<br />
statement's wan-phy option at the [edit interfaces xe-fpc-slot/pic-slot/port] hierarchy<br />
level.<br />
[Ethernet Interfaces]<br />
• New MX5, MX10, and MX40 3D Universal Edge Routers—Starting in <strong>Release</strong> 11.2R3,<br />
Junos OS supports three new routers based on the modular MX80 chassis. Each router<br />
94<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
is a compact Ethernet-optimized edge router that provides switching and carrier class<br />
Ethernet routing. Each router provides full duplex, high-density Ethernet interfaces and<br />
high-capacity switching throughput and uses the Trio chipset for increased scalability<br />
of L2/L3 packet forwarding, buffering, and queuing.<br />
The ports are restricted based on the router’s associated license as follows:<br />
• MX5 router comes prepopulated with the Gigabit Ethernet MIC with SFP and allows<br />
usage of all 20 ports.<br />
• MX10 router comes prepopulated with the Gigabit Ethernet MIC with SFP and allows<br />
usage of all 20 ports and installation of an additional MIC in MIC slot 2.<br />
• MX40 router allows usage of both MIC slots and the first two ports of the fixed<br />
10-Gigabit Ethernet MIC (labeled 0/MIC 0).<br />
• MX80 router allows usage of both MIC slots and all four ports of the 10-Gigabit<br />
Ethernet MIC (labeled 0/MIC 0).<br />
Licenses allow you to upgrade from one router to another without a hardware upgrade.<br />
[MX5, MX10, MX40 and MX80 Hardware Guide, Line Card Guide]<br />
• License support to enhance port capacity of MX5, MX10, and MX40 routers—By<br />
installing additional licenses, you can enhance the port capacity of your router without<br />
a hardware upgrade. For example, an MX5 router, an MX10 router, or an MX40 router<br />
can have the port capacity of an MX80 router, provided the required licenses are<br />
installed. These routers use feature pack licenses, which provide additional port capacity<br />
with the same hardware. The soft enforcement policy allows the user to use a port for<br />
a certain period of time (usually a grace period of 30 days), and reverts if the license<br />
for that feature is not installed after the grace period. During the grace period, a reminder<br />
to purchase the license is reported in the system logs. Licenses can be upgraded or<br />
downgraded. When you downgrade the license, the port associated with the license<br />
is unusable. The upgrade license model with the feature ID is described in Table 3 on<br />
page 95.<br />
Table 3: Upgrade License Model for MX5, MX10, and MX40 Routers<br />
Feature ID<br />
Feature Name<br />
Functionality Allowed<br />
f1<br />
MX5T to MX10T upgrade<br />
Allows usage of ports in MIC slot 2.<br />
f2<br />
MX10T to MX40T upgrade<br />
Allows usage of ports in MIC slot 2, and the first two ports of<br />
MIC slot 0.<br />
f3<br />
MX40T to MX80T upgrade<br />
Allows usage of ports in MIC slot 2, with all four ports of MIC<br />
slot 0.<br />
To upgrade from one router to a higher-capacity router, appropriate licenses must be<br />
installed. For example, to upgrade an MX5 router to an MX80 router, you must install<br />
the licenses for all the three features listed in Table 3 on page 95. The three features<br />
can be provided in a single license key for ease of use. Nonapplicable feature IDs in a<br />
license key cause rejection of the license. If the user installs the license key for the f1<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
95
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
feature on an MX10 router, the license key gets rejected because the MX10 router<br />
already has the port capacity associated with the license key for the f1 feature.<br />
[Line Card Guide, System Basics and Services Command Reference]<br />
• Support for integrated routing and bridging (IRB) MAC synchronization in<br />
multichassis link aggregation for aggregated Ethernet (MX Series routers)—MX<br />
Series routers with MPCs/MICs operating in multichassis link aggregation (MC-LAG)<br />
with aggregated Ethernet configurations now support integrated routing and bridging<br />
(IRB) MAC address synchronization. In earlier releases, VRRP was the only solution for<br />
sharing the same MAC across MC-LAG chassis for IRB interfaces. This feature is<br />
supported on 32-bit interfaces only and interoperates with earlier MPC/MIC releases..<br />
[Network Interfaces]<br />
• Inline static source NAT (MX Series routers with MPCs/MICs)—Enables configuration<br />
of MPCs/MICs to perform static source NAT IPv4 to IPv4 address translation. Use the<br />
new si (services-inline) interface type to define an interface that can be assigned to<br />
an interface style or next-hop style service set containing a NAT rule for inline NAT<br />
using the translation type basic-nat44.<br />
In order to use the inline interface, you must enable bandwidth for inline services on<br />
the MPC or MIC by entering the inline-services bandwidth bandwidth statement at the<br />
[edit chassis fpc fpc-number pic pic-number] hierarchy level.<br />
NOTE: Stateful firewall functionality still requires a Multiservices DPC or<br />
Multiservices PIC for stateful firewall–related functionality.<br />
Use the show services inline nat statistics interface interface-name command to display<br />
inline NAT statistics for all services-inline interfaces or a particular one.<br />
[Services Interfaces, Network Interfaces, Systems Basics and Service Command<br />
Reference]<br />
• Limiting black-hole time on M320 routers by detecting Packet Forwarding Engine<br />
destinations that are unreachable over the fabric—Enables M320 routers to limit<br />
black-hole time by detecting unreachable destination Packet Forwarding Engines. The<br />
router signals neighboring routers when it cannot carry traffic because of the inability<br />
of some or all source Packet Forwarding Engines to forward traffic to some or all<br />
destination Packet Forwarding Engines on any fabric plane, after interfaces have been<br />
created. This inability to forward traffic results in a traffic black hole by the system.<br />
When the system detects unreachable Packet Forwarding Engine destinations, it<br />
attempts to heal the traffic black hole. If the healing fails, the system turns off the<br />
interfaces, thereby stopping the traffic black hole and initiating the recovery process.<br />
The recovery process consists of the following steps:<br />
1. Fabric plane restart phase: Healing is attempted by restarting the fabric planes one<br />
by one.<br />
2. Fabric plane and FPC restart phase: Healing is attempted by restarting both the<br />
fabric planes and the FPCs. If there are bad FPCs that are unable to initiate<br />
96<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
high-speed links to the fabric after reboot, traffic black holes are limited because<br />
no interfaces are created for these FPCs.<br />
3. FPC offline phase: Traffic black holes are limited by turning the SIBs offline and by<br />
turning off interfaces because previous attempts at recovery have failed.<br />
• DS-Lite support for EIM, EIF, AP-P, and hairpinning—DS-Lite now supports:<br />
• EIM (Endpoint Independent Mapping)—EIM ensures that the source address and<br />
port are always mapped to the same address and port, irrespective of destination<br />
IP address and port.<br />
• EIF (Endpoint Independent Filtering)—EIF enables incoming traffic if at least one<br />
outgoing packet was sent and mapping has not timed out.<br />
• AP-P (Address Pooling Paired)—AP-P guarantees that an IP address is always<br />
mapped to the same IP address irrespective of port numbers<br />
• Hairpinning—Packets exiting one softwire can go back on another softwire after<br />
twice NAT processing. This is usually the case when one host behind the softwire<br />
initiator (B4) tries to communicate with a host behind another B4.<br />
No new CLI configuration statements have been created to implement these features.<br />
The following example shows a configuration that implements EIM, EIF, and AP-P.<br />
nat {<br />
rule rule1 {<br />
match-direction input;<br />
term t1 {<br />
then {<br />
translated {<br />
source-pool pool1;<br />
translation-type {<br />
napt-44;<br />
}<br />
mapping-type endpoint-independent;<br />
filtering-type {<br />
endpoint-independent;<br />
}<br />
address-pooling paired;<br />
}<br />
}<br />
}<br />
}<br />
}<br />
[Services Interfaces, Next-Generation Network Addressing Solutions]<br />
• Ping and traceroute available for DS-Lite softwire tunnels—You can now use ping<br />
and traceroute to determine the status of DS-Lite softwire tunnels.<br />
• IPv6 Ping—The softwire address endpoint on the DS-Lite softwire terminator (AFTR)<br />
is usually configured under softwire and need not be hosted on any interface. When<br />
it is not configured on any interface or loopback, previous releases of Junos OS did<br />
not provide replies to pings to the IPv6 softwire address. The new availability of an<br />
IPv6 ping provides a useful tool for the softwire initiator (B4) to verify AFTR's softwire<br />
address before creating a tunnel.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
97
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• IPv4 Ping—A special IPv4 address, 192.0.0.1, is reserved for AFTR. Previous releases<br />
of Junos OS did not respond to any pings sent to this address. B4 and other IPv4<br />
nodes can now ping to this address to see whether the DS-Lite tunnel is working.<br />
• Traceroute—AFTR now generates and forwards traceroute packets over the DS-Lite<br />
tunnel.<br />
No CLI configuration is necessary to use the new functionality. The following lines have<br />
been added to the output of show services softwire statistics interface interface-name<br />
ds-lite:<br />
ICMPv4 Error Packets sent :0<br />
ICMPv6 Packets sent :0<br />
[Services Interfaces, Next-Generation Network Addressing Solutions]<br />
• Extends support of single-core Routing Engine for M7i and M10i routers—Single-core<br />
Routing Engine support is extended to M7i and M10i routers. This Routing Engine is<br />
based on the single-core Intel Xeon CPU, operating at 1.73 GHz with 2 MB cache and<br />
has two DDR3 DIMM slots operating at 800 MHz that support 4 GB memory with error<br />
checking and correction (ECC). The new Routing Engine also supports:<br />
• 82574 Gigabit Ethernet Controller<br />
• 4 GB CompactFlash card<br />
• USB 2.0<br />
• Front accessible 64 GB solid-state drive (SSD)<br />
All CLI commands supported on the older Routing Engine are supported on the new<br />
Routing Engine.<br />
• Improvements to interface transmit statistics reporting (MX Series routers)—On<br />
MX Series routers, the logical interface-level statistics show only the offered load,<br />
which is often different from the actual transmitted load. To address this limitation,<br />
Junos OS introduces a new configuration statement in <strong>Release</strong> 11.4 R3 and later. The<br />
new configuration statement, interface-transmit-statistics at the [edit interface<br />
interface-name] hierarchy level, enables you to configure Junos OS to accurately capture<br />
and report the transmitted load on interfaces.<br />
When the interface-transmit-statistics statement is included at the [edit interface<br />
interface-name] hierarchy level, the following operational mode commands report the<br />
actual transmitted load:<br />
• show interface interface-name <br />
• monitor interface interface-name<br />
• show snmp mib get objectID.ifIndex<br />
NOTE: This configuration is not supported on Enhanced IQ (IQE) and<br />
Enhanced IQ2 (IQ2E) PICs.<br />
98<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
The show interface interface-name command also shows whether the<br />
interface-transmit-statistics configuration is enabled or disabled on the interface.<br />
• Support for redundant fabric made on active control boards of MX Series routers—An<br />
FPC working with reduced fabric bandwidth can affect the rerouting process and can<br />
cause partial traffic black holes. You can now enable increased fabric bandwidth of<br />
active control boards for optimal and efficient performance and traffic handling. On<br />
an MX960, MX480, or MX240 router, you can configure the active control board to be<br />
in redundancy mode or in increased fabric bandwidth mode. In increased fabric<br />
bandwidth mode, the maximum number of available fabric planes are used for MX<br />
routers with Trio chips and the MPC3E. On MX960 routers with active control boards,<br />
six active planes are used, and on MX240 and MX480 routers with active control<br />
boards, eight active planes are used.<br />
To configure redundancy mode for the active control board, use the redundancy-mode<br />
redundant statement at the [edit chassis fabric] hierarchy level. When you configure<br />
this option, all the FPCs use four fabric planes as active planes, regardless of the type<br />
of the FPC. If you do not configure this option, increased fabric bandwidth mode is<br />
enabled by default on MX Series routers with a Switch Control Board (SCB). On the<br />
MX Series routers that contain the enhanced SCB with Trio chips and the MPC3E, the<br />
control boards operate in redundancy fabric mode (all the FPCs use four fabric planes<br />
as active planes) by default.<br />
To configure increased bandwidth mode for the active control board, use the<br />
increased-bandwidth statement at the [edit chassis fabric] hierarchy level. When you<br />
configure this option, all the available fabric planes are used.<br />
Configuring this feature does not affect the system. You can configure this feature<br />
without restarting the FPC or restarting the system.<br />
You can use the show chassis fabric redundancy-mode command to verify whether the<br />
redundancy fabric mode is enabled.<br />
[System Basics]<br />
• Support for disabling an FPC with degraded fabric bandwidth —An FPC working with<br />
degraded fabric bandwidth can affect the re-routing process and can cause partial<br />
traffic black holes. On an MX960, MX480, or MX240 router, you can now configure<br />
the option to bring down an FPC whose fabric bandwidth has degraded because of<br />
link errors or bad fabric planes. This configuration is particularly useful in partial<br />
black-hole scenarios where bringing the FPC offline results in faster re-routing.<br />
To configure this option on an FPC, use the offline-on-fabric-bandwidth-reduction<br />
statement at the [edit chassis fpc slot-number] hierarchy level.<br />
Configuring this feature does not affect the system. You can configure this feature<br />
without restarting the FPC or restarting the system.<br />
[System Basics]<br />
• Limiting traffic black-hole time by detecting Packet Forwarding Engine destinations<br />
that are unreachable over the fabric (MX240, MX480, and MX960 routers)—Enables<br />
the MX240, MX480, and MX960 routers to limit traffic black-hole time by detecting<br />
unreachable destination Packet Forwarding Engines. The router signals neighboring<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
99
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
routers when it cannot carry traffic because of the inability of some or all source Packet<br />
Forwarding Engines to forward traffic to some or all destination Packet Forwarding<br />
Engines on any fabric plane, after interfaces have been created. This inability to forward<br />
traffic results in a traffic black hole.<br />
Packet Forwarding Engine destinations can become unreachable for the following<br />
reasons:<br />
• The control boards go offline as a result of a CLI command or a pressed physical<br />
button.<br />
• The fabric control boards are turned offline because of high temperature.<br />
• Voltage or polled I/O errors in the SIBs detected by the SPMB.<br />
• All Packet Forwarding Engines receive destination errors on all planes from remote<br />
Packet Forwarding Engines, even when the SIBs are online.<br />
• Complete fabric loss caused by destination timeouts, even when the SIBs are online.<br />
When the system detects any unreachable Packet Forwarding Engine destinations,<br />
healing from a traffic black hole is attempted. If the healing fails, the system turns off<br />
the interfaces, thereby stopping the traffic black hole.<br />
The recovery process consists of the following phases:<br />
1. Fabric plane restart phase: Healing is attempted by restarting the fabric planes one<br />
by one. This phase does not start if the fabric plane is functioning properly and a<br />
single Flexible PIC Concentrator (FPC) is bad. An error message is generated to<br />
specify that a black hole is the reason for the fabric plane being turned offline. This<br />
phase is performed for fabric plane errors only.<br />
2. Fabric plane and FPC restart phase: The system waits for the first phase to be<br />
completed before examining the system state again. If the black hole condition still<br />
persists after the first phase is performed or if the problem occurs again within a<br />
duration of 10 minutes, healing is attempted by restarting both the fabric planes<br />
and the FPCs. If you the configured the action-fpc-restart-disable statement at the<br />
[edit chassis fabric degraded] hierarchy level to disable restart of the FPCs when a<br />
recovery is attempted, an alarm is triggered to indicate that a traffic black hole has<br />
occurred. In this second phase, three steps are taken:<br />
1. All the FPCs that have destination errors on a PFE are turned offline<br />
2. The fabric planes are turned offline and brought back online, one by one, starting<br />
with the spare plane.<br />
3. The FPCs that were turned offline are brought back online.<br />
3. FPC offline phase: The system waits for the second phase to be completed before<br />
examining the system state again. Traffic black hole is limited by turning the FPCs<br />
offline and by turning off interfaces because previous attempts at recovery have<br />
failed. If the problem is not resolved by restarting the FPCs or if the problem recurs<br />
within 10 minutes after restarting the FPCs, this phase is performed.<br />
By default, the system limits black-hole time by detecting severely degraded fabric.<br />
You do not need to configure anything to enable this feature. However, you can limit<br />
100<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
recovery actions to fabric plane restart only. You need to fix the traffic black hole by<br />
performing steps 2 and 3 manually.<br />
In Junos OS <strong>Release</strong> 11.4R2 and later, and Junos OS <strong>Release</strong> 12.1R1 and later, new alarms<br />
are added to indicate which FPCs are creating a traffic black hole in the system and<br />
to provide information about FPCs that are turned offline to stop the black hole in the<br />
recovery process.<br />
In Junos OS <strong>Release</strong> 11.4R2 and later, and Junos OS <strong>Release</strong> 12.1R1 and later, new error<br />
messages are added to indicate whether the traffic black hole is detected by<br />
unreachable FPCs in the system, or it is due to all planes being offline. These messages<br />
also indicate the actions taken on FPCs and planes to stop the black hole—for example,<br />
FPC online, FPC offline , FPC restart, FPC power off, plane online, and plane offline.<br />
Two new CLI commands are introduced for this feature:<br />
• The show chassis fabric unreachable-destinations command shows the list of<br />
destinations that have changed from reachable to unreachable.<br />
• The show chassis fabric reachability command shows the current state of fabric<br />
destination reachability, based on periodic reachability checks.<br />
[System Basics]<br />
Junos OS XML API and Scripting<br />
• Junos XML protocol operation supports loading sets of<br />
configuration mode commands —In Junos XML protocol sessions, the<br />
tag element supports the value set for the action attribute, which<br />
allows the client application to provide configuration data as a set of Junos OS<br />
configuration mode commands. When a set of configuration mode commands is<br />
provided as a data stream, it is enclosed in the tag element. When<br />
the set is provided in a previously saved file, the tag element is not<br />
included in the file. When the action attribute has a value of set, the default and only<br />
acceptable value for the format attribute is text.<br />
<br />
<br />
<br />
<br />
<br />
/* configuration mode commands to load */<br />
<br />
<br />
<br />
[Junos XML Management Protocol Guide]<br />
• NETCONF Perl client installation supports loading prerequisites from CPAN—Starting<br />
with Junos OS <strong>Release</strong> 11.4, when installing the NETCONF Perl client prerequisites, the<br />
install-prereqs.pl script provides the option to install all Perl modules that are part of<br />
the prerequisites directly from the Comprehensive Perl Archive Network (CPAN) global<br />
repository.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
101
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[NETCONF XML Management Protocol Guide]<br />
• Support added for the format attribute in Junos XML API operational request tags<br />
within a Junos XML protocol or NETCONF session—In Junos XML protocol and<br />
NETCONF sessions, a client application can include the format="text" or format="ascii"<br />
attribute in the opening tag of operational requests. The server formats the reply as<br />
ASCII text instead of the default XML-tagged format. The response, which is enclosed<br />
in an output tag element within the tag element, is identical to the CLI<br />
output except in cases where it includes disallowed characters. The Junos XML protocol<br />
server substitutes these characters with the equivalent predefined entity reference.<br />
<br />
[format="(text | ascii)"]<br />
<br />
<br />
<br />
<br />
operational-response<br />
<br />
<br />
[NETCONF XML Management Protocol Guide, Junos XML Management Protocol Guide]<br />
• Support added for NETCONF sessions in the jcs:open() function—The jcs:open()<br />
function includes the option to create a session either with the Junos XML protocol<br />
server on devices running Junos OS or with the NETCONF server on devices where<br />
NETCONF service over SSH is enabled. The additional support for NETCONF sessions<br />
permits automation scripts to configure and manage devices in a multivendor<br />
environment.<br />
When specifying a session protocol, the SLAX syntax is:<br />
var $connection = jcs:open(remote-hostname,<br />
session-options);<br />
where session-options is an XML node-set that specifies the session protocol and<br />
connection parameters. The structure of the node-set is:<br />
var $session-options := {<br />
("junoscript" | "netconf" | "junos-netconf");<br />
"username";<br />
"passphrase";<br />
"password";<br />
"port-number";<br />
Specifying a value of junoscript establishes a session with the Junos XML<br />
protocol server on a device running Junos OS, specifying netconf establishes a session<br />
with a NETCONF server over an SSHv2 connection, and specifying junos-netconf<br />
establishes a session with the NETCONF server over an SSHv1 connection on a device<br />
running Junos OS. If you do not specify a protocol, a junoscript session is created by<br />
default.<br />
[Junos OS Configuration and Operations Automation Guide]<br />
• NETCONF Java toolkit for rapid development of Java applications to manage Junos<br />
devices—The toolkit provides an object-oriented programmatic interface to manage<br />
102<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
and configure Junos routing, switching, and security devices via NETCONF (RFC 4741)<br />
protocol. The toolkit enables programmers familiar with the Java programming language<br />
to easily connect to a routing, switching, or security device, open a NETCONF session,<br />
construct configuration hierarchies in XML, and create and execute operational and<br />
configuration requests.<br />
The NETCONF Java toolkit provides classes with methods that implement the<br />
functionality of the NETCONF protocol operations defined in RFC 4741. All basic protocol<br />
operations are supported. The NETCONF XML management protocol uses XML-based<br />
data encoding for configuration data and remote procedure calls. The toolkit provides<br />
classes and methods that aid in creating, modifying, and parsing XML.<br />
[NETCONF Java Toolkit Guide]<br />
• jcs:open() extension function support for routing instances—The jcs:open() extension<br />
function returns a connection handle that is used to execute RPCs on a local or remote<br />
device. To redirect the SSH connection to originate from within a specific routing<br />
instance, include the name of the routing instance in the connection parameters. The<br />
routing instance must be configured at the [edit routing-instances] hierarchy level, and<br />
the remote device must be reachable either using the routing table for that routing<br />
instance or from one of the interfaces configured under that routing instance.<br />
[Junos OS Configuration and Operations Automation Guide]<br />
• Support for commit script access to the pre-inheritance candidate configuration in<br />
configure private sessions—Commit scripts can now invoke the <br />
RPC in a private configuration session to retrieve the private, pre-inheritance candidate<br />
configuration for that session. The RPC now includes the<br />
database-path attribute, which is used to specify the location of the pre-inheritance<br />
configuration database. In addition, the global variable, $junos-context contains a new<br />
commit-context/database-path element , which stores the location of the session’s<br />
pre-inheritance candidate configuration.<br />
To construct a commit script that retrieves the pre-inheritance candidate configuration<br />
specific to that session, include the RPC in the commit script, and<br />
set the attribute to $junos-context/commit-context/database-path.<br />
This feature is available in Junos OS <strong>Release</strong> 11.4R5 and subsequent 11.4 releases.<br />
Layer 2 Ethernet Services<br />
• IP multicast over Layer 2 trunk port support—Layer 3 multicast is now supported on<br />
Layer 2 trunk ports through integrated routing and bridging (IRB) interfaces on the<br />
MX80 router and on MX Series routers using Modular Port Concentrators<br />
(MPCs)/Modular Interface Controllers (MICs).<br />
[Layer 2]<br />
• Support for RADIUS attribute Local-Loopback-Interface for L2TP—With this release,<br />
the RADIUS attribute Local-Loopback-Interface [26-3] is now supported for an L2TP<br />
LAC configured on an MX Series router.<br />
You can configure the Local-Loopback-Interface attribute on a RADIUS server to<br />
manage multiple LAC devices. This attribute is used as the LAC source address on an<br />
LNS tunnel for PPPoE subscribers tunneled over L2TP.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
103
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
When you use the Tunnel-Client-Endpoint attribute as the LAC source address, you<br />
must configure the Tunnel-Client-Endpoint attribute for each MX Series router that<br />
uses the same RADIUS server. Starting with this release, you can use the<br />
Local-Loopback-Interface attribute, which needs to be configured only once.<br />
When the LAC initiates an Access-Request message to RADIUS for authentication,<br />
RADIUS returns the Local-Loopback-Interface attribute in the Access-Accept message.<br />
This attribute contains the name of the loopback interface, either as a generic interface<br />
name such as “lo0” or as a specific name like “lo0.0.” The MX Series router then uses<br />
the configured loopback interface IP address as the source address during tunnel<br />
negotiation with the LNS.<br />
MPLS Applications<br />
• Support for RSVP-signaled point-to-multipoint LSPs extended to logical systems<br />
(M Series, T Series, and MX Series routers)—Starting with Junos OS <strong>Release</strong> 11.4, the<br />
following topologies are supported:<br />
• A single logical system in a physical router. The logical system is one node in an<br />
RSVP-signaled point-to-multipoint LSP.<br />
• Multiple logical systems in a physical router, with each logical system acting as a<br />
label-switched router (LSR). The multiple logical systems can be unconnected,<br />
connected to each other internally with logical tunnel (lt) interfaces, or connected<br />
to each other externally with back-to-back connections.<br />
• One RSVP-signaled point-to-multipoint LSP, with some nodes being logical systems<br />
and other nodes being physical routers.<br />
• Support for shared risk link groups—In MPLS traffic engineering, a shared risk link<br />
group (SRLG) is a set of links sharing a common resource, which affects all links in the<br />
set if the common resource fails. These links share the same risk of failure and are<br />
therefore considered to belong to the same SRLG. For example, links sharing a common<br />
fiber are said to be in the same SRLG because a fault with the fiber might cause all<br />
links in the group to fail.<br />
An SRLG is represented by a 32-bit number unique within an IGP (OSPFv2 and IS-IS)<br />
domain. A link might belong to multiple SRLGs. The SRLG of a path in an LSP is the<br />
set of SRLGs for all the links in the path. When computing the secondary path for an<br />
LSP, it is preferable to find a path such that secondary and primary paths do not have<br />
any links in common and the SRLGs for the primary and secondary paths are disjoint.<br />
This ensures that a single point of failure on a particular link does not bring down both<br />
the primary and the secondary paths in the LSP.<br />
When SRLG is configured, the device uses the Constrained Shortest Path First (CSPF)<br />
algorithm and tries to keep the links used for the primary and secondary paths mutually<br />
exclusive. If the primary path goes down, the CSPF algorithm computes the secondary<br />
path by trying to avoid links sharing any SRLG with the primary path. In addition, when<br />
computing the path for a bypass LSP, CSPF tries to avoid links sharing any SRLG with<br />
the protected links.<br />
When SRLG is not configured, CSPF only takes into account the costs of the links when<br />
computing the secondary path.<br />
104<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Any change in link SRLG information triggers the IGP to send LSP updates for the new<br />
link SRLG information. CSPF recomputes the paths during the next round of<br />
reoptimization.<br />
Junos OS <strong>Release</strong> 11.4 and later support SRLG based on the following RFCs:<br />
• RFC 4203, OSPF Extensions in Support of Generalized Multi-Protocol Label Switching<br />
(GMPLS).<br />
• RFC 5307, IS-IS Extensions in Support of Generalized Multi-Protocol Label Switching<br />
(GMPLS).<br />
To configure the SRLG name, cost, and value, include the srlg srlg-name statement at<br />
the following hierarchy levels:<br />
• [edit routing-options]<br />
• [edit logical-systems logical-system-name routing-options]<br />
The srlg srlg-name statement has the following options:<br />
• srlg-cost—Include a cost for the SRLG ranging from 1 through 65535. The cost of<br />
the SRLG determines the level of impact this SRLG has on the CSPF algorithm for<br />
path computations. The higher the cost, the less likely it is for a secondary path<br />
to share the same SRLG as the primary path. By default, the srlg-cost is 1.<br />
• srlg-value—Include a group ID for the SRLG ranging from 1 through 4294967295.<br />
• Associate the SRLG with the MPLS interface at the [edit protocols mpls interface<br />
interface-name] or [edit logical-systems logical-system-name protocols mpls interface<br />
interface-name] hierarchy level.<br />
• For critical links where it is imperative to keep the secondary and primary paths<br />
completely disjoint from any common SRLG, configure the exclude-srlg statement<br />
at the [edit protocols mpls label-switched-path path-name] or [edit logical-systems<br />
logical-system-name protocols mpls label-switched-path path-name] hierarchy level.<br />
If exclude-srlg is configured, the CSPF algorithm excludes any link belonging to the<br />
set of SRLGs in the primary path. If exclude-srlg is not configured, and if a link belongs<br />
to the set of SRLGs in the primary path, CSPF adds the SRLG cost to the metric, but<br />
still accepts the link for computing the path.<br />
• To make the dynamic bypass LSP and the protected link completely disjoint in any<br />
SRLG, configure the exclude-srlg statement at the [edit protocols rsvp interface<br />
interface-name link-protection] or [edit logical-systems logical-system-name protocols<br />
rsvp interface interface-name link-protection] hierarchy level.<br />
• To make the manual bypass LSP and the protected link to be completely disjoint in<br />
any SRLG, configure the exclude-srlg statement at the [edit protocols rsvp interface<br />
interface-name link-protection bypass destination] hierarchy level or the [edit<br />
logical-systems logical-system-name protocols rsvp interface interface-name<br />
link-protection bypass destination] hierarchy level.<br />
For manual and dynamic bypass LSPs, if exclude-srlg is configured, the CSPF<br />
algorithm excludes any link belonging to the set of SRLGs of the protected link. If<br />
exclude-srlg is not configured, and if a link belongs to the set of SRLGs of the<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
105
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
protected link, CSPF adds the SRLG cost to the link metric, but still accepts the link<br />
for computing the path.<br />
Use the following operational mode commands to verify the SRLG configuration:<br />
• show mpls srlg—Verify SRLG-to-value mappings and SRLG cost.<br />
• show mpls lsp—Verify that when the primary or secondary path is up, the appropriate<br />
SRLG values are shown.<br />
• show mpls interface—Verify that the correct SRLG is associated with the appropriate<br />
interface.<br />
• show isis database extensive and show ospf database extensive—Verify the SRLG<br />
values in the type length values (TLV).<br />
• show ted database extensive and show ted link detail—Verify that the output shows<br />
the correct SRLG on the TE link.<br />
• show mpls admin-groups-extended—View MPLS extended administrative groups.<br />
[MPLS]<br />
• Support for MPLS feature interoperability (MX Series routers with MPC/MIC<br />
interfaces)—Extends support for MPLS feature interoperability with Junos OS <strong>Release</strong>s<br />
9.5 through 10.0 on MX Series routers with MPC/MIC interfaces. MPLS features can<br />
now interoperate between MPCs and DPCs on MX Series routers.<br />
The following features are supported on MPC/MIC interfaces:<br />
• Configuring up to 64 equal-cost multipaths (ECMP) next hops to load-balance the<br />
traffic on various routes such as OSPF, BGP, and IS-IS.<br />
• Configuring a network of RSVP-signaled MPLS routers to automatically update the<br />
full mesh of label-switched paths (LSPs) between the provider edge (PE) routers<br />
whenever a new PE router is added.<br />
[System Basics Configuration Guide, MPLS Configuration Guide]<br />
• Enhanced support for Junos Trio chipsets—Starting with Junos OS <strong>Release</strong> 11.4, the<br />
Junos Trio chipset supports the following features:<br />
• Multicast load balancing of point-to-multipoint label-switched-paths (LSPs) over<br />
aggregated Ethernet child links.<br />
• Automatic policers for MPLS point-to-multipoint LSPs.<br />
• Display of packet and byte statistics for sub-LSPs of a point-to-multipoint LSP.<br />
• GRES and graceful restart for MPLS point-to-multipoint LSPs.<br />
• Multicast virtual private network (MVPN) extranet or overlapping functionality.<br />
[MPLS, VPNs]<br />
• Host fast reroute (HFRR)—This feature adds a precomputed protection path into the<br />
Packet Forwarding Engine, such that if a link between a provider edge device and a<br />
server farm becomes unusable for forwarding, the Packet Forwarding Engine can use<br />
another path without having to wait for the router or the protocols to provide updated<br />
106<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
forwarding information. HFRR is a technology that protects IP endpoints on multipoint<br />
interfaces, such as Ethernet. This technology is important in data centers where fast<br />
service restoration for server endpoints is critical. After an interface or a link goes down,<br />
HFRR enables the local repair time to be approximately 50 milliseconds. You can<br />
configure HFRR by adding the link-protection statement to the interface configuration<br />
in the routing instance. We recommend that you include this statement on all provider<br />
edge (PE) devices that are connected to server farms through multipoint interfaces.<br />
• LSP setup protection using facility backup fast reroute—The facility-backup fast<br />
reroute mechanism has been extended to provide setup protection for LSPs that are<br />
in the process of being signaled. This feature is applicable in the following scenario:<br />
1. A failed link or node is present on the strict explicit path of an LSP before the LSP<br />
is signaled.<br />
2. There is also a bypass LSP protecting the link or node.<br />
3. RSVP signals the LSP through the bypass LSP. The LSP appears as if it was originally<br />
set up along its primary path and then failed over to the bypass LSP because of the<br />
link or node failure.<br />
4. When the link or node has recovered, the LSP can be automatically reverted to the<br />
primary path.<br />
Both point-to-point LSPs and point-to-multipoint LSPs are supported. To enable LSP<br />
setup protection, configure the setup-protection statement at the [edit protocols rsvp]<br />
hierarchy level. You should configure the setup-protection statement on each of the<br />
routers along the LSP path on which you want to enable LSP setup protection. You<br />
should also configure IGP traffic engineering on all of the routers on the LSP path. You<br />
can issue a show rsvp session command to determine whether or not the LSP has setup<br />
protection enabled on a router acting as a point of local repair (PLR) or a merge point.<br />
[MPLS Applications]<br />
Multicast<br />
• Source-specific multicast (SSM)-map definition for different groups to different<br />
sources—You can configure multiple source-specific multicast (SSM) maps so that<br />
different groups map to different sources, which enables a single multicast group to<br />
map to different sources for different interfaces.<br />
You do not need to separately define the SSM map and specify the sources to be used<br />
for mapping when the policy matches. That is, you do not need to include the ssm-map<br />
statement at the [edit routing-options multicast] hierarchy level:<br />
ssm-map ssm-map-name {<br />
policy (SSM Maps) [ policy-names ];<br />
source [ addresses ];<br />
}<br />
Instead, you can specify the SSM map in the then statement of the routing policy term<br />
by specifying the new ssm-source [ ip-addresses ] action that manipulates route<br />
characteristics:<br />
ssm-source [ addresses ];<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
107
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
policy-options {<br />
policy-statement ssm-policy-name {<br />
term term-name {<br />
from {<br />
route-filter match-condition {<br />
}<br />
then {<br />
ssm-source [ ip-addresses ];<br />
accept;<br />
}<br />
}<br />
}<br />
}<br />
In the ssm-source action, you use the list of ip-addresses to specify one or more IPv4<br />
or IPv6 source addresses for the SSM policy.<br />
[Multicast Routing Protocols]<br />
Network Management<br />
• New enterprise-specific MIBs to view PPP and PPPoE information (M Series and<br />
MX Series routers)—Junos OS <strong>Release</strong> 11.4 introduces three new enterprise-specific<br />
MIBs to extend SNMP support for PPP over PPPoE interfaces and PPPoE over Ethernet<br />
interfaces: JNX-PPP-MIB (RFC 1661), PPP-LCP-MIB (RFC 1471), and JNX-PPPOE-MIB<br />
(RFC 2516). PPP MIBs are supported on the Common Edge PPP process, jpppd. The<br />
PPPoE MIB is supported on the Common Edge PPPoE process, jpppoed. These MIBs<br />
contain PPP- and PPPoE-related information such as the type of authentication used,<br />
interface characteristics, status, and statistics.<br />
You can access this information using SNMP get and get-next requests. If an attribute<br />
is not supported, the attribute returns either zero or the default value.<br />
[SNMP MIBs and Traps Reference]<br />
• Support for P2MP MPLS-TE MIB—Starting with <strong>Release</strong> 11.3, Junos OS supports the<br />
standard P2MP MPLS-TE MIB as defined in draft-ietf-mpls-p2mp-te-mib-09.txt. Support<br />
for P2MP MPLS-TE MIB augments the standard P2P MPLS-TE MIB defined in RFC 3812<br />
and extends SNMP support to point-to-multipoint tunnel-related data. However, Junos<br />
OS implementation of the standard P2MP MPLS-TE MIB does not support<br />
mplsTeP2mpTunnelBranchPerfTable because Junos OS does not support the<br />
corresponding table in MPLS-TE MIB.<br />
[SNMP MIBs and Traps Reference]<br />
• SNMP support for LAC and LNS (MX Series routers with MPC/MIC interfaces)—SNMP<br />
extends support for MX Series routers with MPC/MIC interfaces acting as the L2TP<br />
network server (LNS) and L2TP access concentrator (LAC) in Junos OS <strong>Release</strong> 11.4<br />
and later. In earlier releases, SNMP support for LAC and LNS was provided only for M<br />
Series routers.<br />
The existing enterprise-specific MIB, JNX-L2TP-MIB, now maintains tunnel and session<br />
information for both M Series and MX Series routers. The MX Series routers use the<br />
Common Edge L2TP process, jl2tpd.<br />
108<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
The following objects are not supported on the jl2tpd LAC in jnxL2TPTunnelStatsTable<br />
and jnxL2TPSessionStatsTable:<br />
• jnxL2tpTunnelStatsServiceInterface (applicable to LNS only)<br />
• jnxL2tpTunnelStatsTunnelGroup (applicable to LNS only)<br />
• jnxL2tpSessionStatsServiceInterface (applicable to LNS only)<br />
• jnxL2tpSessionStatsTunnelGroup (applicable to LNS only)<br />
• jnxL2tpSessionStatsInterfaceID (Applicable to LNS only)<br />
The following objects are not supported on jl2tpd:<br />
• jnxL2tpSessionStatsUserName<br />
• jnxL2tpSessionAssignedIpAddrType<br />
• jnxL2tpSessionAssignedIpAddress<br />
• jnxL2tpSessionLocalMRU<br />
• jnxL2tpSessionRemoteMRU<br />
• jnxL2tpSessionStatsAuthMethod<br />
• jnxL2tpSessionStatsNasIpAddrType<br />
• jnxL2tpSessionStatsNasIpAddress<br />
• jnxL2tpSessionStatsNasIpPort<br />
• jnxL2tpSessionStatsFramedProtocol<br />
• jnxL2tpSessionStatsFramedIpAddrType<br />
• jnxL2tpSessionStatsFramedIpAddress<br />
• jnxL2tpSessionStatsAcctDelayTime<br />
• jnxL2tpSessionStatsAcctSessionID<br />
• jnxL2tpSessionStatsAcctMethod<br />
• jnxL2tpSessionStatsAcctSessionTime<br />
• jnxL2tpSessionStatsAcctNasPortType<br />
• jnxL2tpSessionStatsAcctTnlClientAuthID<br />
• jnxL2tpSessionStatsAcctTnlServerAuthID<br />
• jnxL2tpSessionStatsUserProfileName<br />
The following objects in jnxL2tpTunnelStatsTable are not available on MPC/MICs:<br />
• jnxL2tpTunnelStatsErrorTxPkts<br />
• jnxL2tpTunnelStatsErrorRxPkts<br />
These objects continue to be supported by the M Series routers. You can access the<br />
tunnel- and session-related information for both the processes using SNMP get and<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
109
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
get-next requests. If an object is not supported, the object returns either zero or the<br />
default value.<br />
[SNMP MIBs and Traps Reference]<br />
• Enhancements to the jnxOperatingCPU Object—Junos OS <strong>Release</strong> 11.3 introduces the<br />
following three MIB objects to enhance the CPU utilization reporting over SNMP:<br />
• jnxOperating1MinAvgCPU—Indicates the average utilization of CPU during the last<br />
minute.<br />
• jnxOperating5MinAvgCPU—Indicates the average utilization of CPU during the last<br />
5-minute period.<br />
• jnxOperating15MinAvgCPU—Indicates the average utilization of CPU during the last<br />
15-minute period.<br />
All these objects return a zero value if the data is not available or is not applicable.<br />
[SNMP MIBs and Traps Reference]<br />
• Support for the pimNeighborLoss trap—Starting with <strong>Release</strong> 11.4, Junos OS supports<br />
the pimNeighborLoss trap as defined in RFC 2934. The Junos OS implementation of<br />
RFC 2934 is based on a draft version of the PIM MIB as defined in the pimmib.mib in<br />
the Junos OS Standard MIBs package.<br />
The pimNeighborLoss trap is generated when the device loses the adjacency with its<br />
only neighbor that has an IP address lower than that of the interface to which the<br />
neighbor is connected.<br />
[SNMP MIBs and Traps Reference]<br />
• MIB Support for VRF Route Entries—Starting with <strong>Release</strong> 11.4, Junos OS extends the<br />
SNMP support to Layer 3 Virtual Private Network (VPN) Routing and Forwarding Table<br />
(VRF) entries as defined in RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN)<br />
MIB.<br />
The Junos OS support for RFC 4382 includes the following scalar objects and tables:<br />
• mplsL3VpnConfiguredVrfs<br />
• mplsL3VpnActiveVrfs<br />
• mplsL3VpnConnectedInterfaces<br />
• mplsL3VpnNotificationEnable<br />
• mplsL3VpnVrfConfMaxPossRts<br />
• mplsL3VpnVrfConfRteMxThrshTime<br />
• mplsL3VpnIllLblRcvThrsh<br />
• mplsL3VpnVrfTable<br />
• mplsL3VpnIfConfTable<br />
• mplsL3VpnVrfPerfTable<br />
110<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• mplsL3VpnVrfRteTable<br />
• mplsVpnVrfRTTable<br />
[ SNMP MIBs and Traps Reference ]<br />
• Junos OS MIB support for VPLS—Starting with <strong>Release</strong> 11.4, Junos OS extends SNMP<br />
support to virtual private LAN services (VPLS) networks so that users can access<br />
VPLS-related data over SNMP. The Junos OS SNMP support for VPLS covers both<br />
BGP-based and LDP-based VPLS networks.<br />
The Junos OS SNMP support for VPLS is based on the IETF standard MIB<br />
draft-ietf-l2vpn-vpls-mib-05.txt. <strong>Juniper</strong> <strong>Networks</strong> extension of the following MIBs<br />
defined in draft-ietf-l2vpn-vpls-mib-05.txt are implemented as part of the jnxExperiment<br />
branch:<br />
• VPLS-Generic-Draft-01-MIB implemented as mib-jnx-vpls-generic.txt.<br />
• VPLS-BGP-Draft-01-MIB implemented as mib-jnx-vpls-bgp.txt.<br />
• VPLS-LDP-Draft-01-MIB implemented as mib-jnx-vpls-ldp.txt.<br />
In the Junos OS implementation of these MIBs, all MIB objects are prefixed with jnx.<br />
[SNMP MIBs and Traps Reference]<br />
• Extended support for the enterprise-specific License MIB—Starting with Junos OS<br />
<strong>Release</strong> 11.3, the enterprise-specific License MIB is supported on all devices running<br />
Junos OS. The enterprise-specific License MIB was supported only on SRX devices<br />
when the License MIB was introduced in Junos OS <strong>Release</strong> 11.2.<br />
[SNMP MIBs and Traps Reference]<br />
• SNMP poll and trap support for DHCP leases (MX Series 3D Universal Edge<br />
Routers)—The <strong>Juniper</strong> <strong>Networks</strong> enterprise-specific DHCP and DHCPv6 MIB objects,<br />
jnxJdhcpMIB and jnxJdhcpv6MIB, have been modified to contain a new table for<br />
interface statistics and additional notifications. This feature includes support for gets<br />
and traps and support for DHCP local server and relay and DHCPv6 local server.<br />
[SNMP MIBs and Traps Reference]<br />
• SNMP support for address counters (MX Series 3D Universal Edge Routers)—This<br />
feature provides the ability to track the usage of address resources off-chassis.<br />
[SNMP MIBs and Traps Reference]<br />
• Junos OS support for proxy SNMP agent—Junos OS enables you to assign one of the<br />
devices in the network as a proxy SNMP agent through which the network management<br />
system (NMS) can query other devices in the network. When you configure a proxy,<br />
you can specify the names of devices to be managed through the proxy SNMP agent.<br />
When the NMS queries the proxy SNMP agent, the NMS specifies the community name<br />
(for SNMPv1 and SNMPv2) or the context and security name (for SNMPv3) associated<br />
with the device from which it requires the information.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
111
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
NOTE: If you have configured authentication and privacy methods and<br />
passwords for SNMPv3, those parameters are also specified in the query<br />
for SNMPv3 information.<br />
To configure a proxy SNMP agent and specify devices to be managed by the proxy<br />
SNMP agent, you can include the following configuration statements at the [edit snmp]<br />
hierarchy level:<br />
proxy proxy-name{<br />
device-name device-name;<br />
{<br />
snmp-community community-name;<br />
no-default-comm-to-v3-config;<br />
}<br />
version-v3 {<br />
security-name security-name;<br />
context context-name;<br />
}<br />
logical-system logical-system {<br />
routing-instance routing-instance;<br />
}<br />
routing-instance routing-instance;<br />
}<br />
• The proxy statement enables you to specify a unique name for the proxy configuration.<br />
• The version-v1, version-v2, and version-v3 statements enable you to specify the SNMP<br />
version.<br />
• The no-default-comm-to-v3-config statement is an optional statement at the [edit<br />
snmp proxy proxy-name ] hierarchy level that when included<br />
in the configuration requires you to manually configure the statements at the [edit<br />
snmp v3 snmp-community community-name] and [edit snmp v3 vacm] hierarchy<br />
levels.<br />
If the no-default-comm-to-v3-config statement is not included at the [edit snmp<br />
proxy proxy-name ] hierarchy level, the [edit snmp v3<br />
snmp-community community-name] and [edit snmp v3 vacm] hierarchy level<br />
configurations are automatically initialized.<br />
• The logical-system and routing-instance statements are optional statements that<br />
enable you to specify logical system and routing instance names if you want to create<br />
proxies for logical systems or routing instances on the device.<br />
NOTE: The community and security configuration for the proxy should<br />
match the corresponding configuration on the device that is to be managed.<br />
112<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
NOTE: Because the proxy SNMP agent does not have trap forwarding<br />
capabilities, the devices that are managed by the proxy SNMP agent send<br />
the traps directly to the network management system.<br />
You can use the show snmp proxy operational mode command to view proxy details<br />
on a device. The show snmp proxy command returns the proxy names, device names,<br />
SNMP version, community/security, and context information. [Network Management]<br />
Routing Protocols<br />
• IPv6 tunneling capability on MX Series routers with MPCs now supported—Starting<br />
in Junos OS <strong>Release</strong> 11.4R6, MX Series routers with MPCs support IPv6 tunnel<br />
functionality. IPv6 encapsulation will be supported for both IPv4 and IPv6 packets.<br />
The following matrix summarizes the IP-IP tunnel functionality in MX Series routers<br />
with MPCs.<br />
•<br />
Inner Header<br />
IPv4<br />
Outer Header IPv4<br />
Yes (existing)<br />
Outer header IPv6<br />
Yes (with this PR)<br />
IPv6<br />
Yes (existing)<br />
YES (with this PR)<br />
See PR/574342 for more details.<br />
• For internal BGP (IBGP), advertise multiple paths to a destination (M Series, MX<br />
Series, and T Series routers)—For IPv4 unicast (family inet unicast) routes only, enables<br />
an IBGP peer to advertise multiple exit points to reach a destination. This provides fault<br />
tolerance, load balancing, and graceful maintenance operations.<br />
To set the number of paths to send to a neighbor, include the add-path send path-count<br />
number statement at the [edit protocols bgp group group-name neighbor address family<br />
inet unicast] hierarchy level.<br />
To enable a peer to receive multiple paths, include the add-path receive statement at<br />
the [edit protocols bgp group group-name family inet unicast] hierarchy level.<br />
To apply a policy that allows a BGP peer to send multiple paths for only specific routes,<br />
include the add-path send prefix-policy policy-name statement at the [edit protocols<br />
bgp group group-name neighbor address family inet unicast] hierarchy level.<br />
To configure the policy, use the policy-options hierarchy level, as you normally would.<br />
For example:<br />
user@host# set policy-options policy-statement allow_199 from route-filter<br />
199.1.1.1/32 exact<br />
user@host# set policy-options policy-statement allow_199 then accept<br />
[Routing Policy]<br />
• Frequent BGP keepalive messages and short BGP hold time—Enables BGP sessions<br />
to send frequent keepalive messages with a hold time as short as 10 seconds. Note<br />
that the hold time is three times the interval at which keepalive messages are sent,<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
113
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
and the hold time is the maximum number of seconds allowed to elapse between<br />
successive keepalive messages that BGP receives from a peer. When establishing a<br />
BGP connection with the local routing device, a peer sends an open message, which<br />
contains a hold-time value. BGP on the local routing device uses the smaller of either<br />
the local hold-time value or the peer’s hold-time value as the hold time for the BGP<br />
connection between the two peers. The default hold time is 90 seconds, meaning that<br />
the default frequency for keepalive messages is 30 seconds. More frequent keepalive<br />
messages and shorter hold times might be desirable in large-scale deployments with<br />
many active sessions (such as edge or large VPN deployments).<br />
To configure the hold time and the frequency of keepalive messages, include the<br />
hold-time statement at the [edit protocols bgp] hierarchy level. You can configure the<br />
hold time at a logical-system, routing-instance, global, group, or neighbor level. When<br />
you set a hold-time value to less than 20 seconds, we recommend that you also<br />
configure the BGP precision-timers statement. The precision-timers statement ensures<br />
that if scheduler slip messages occur, the routing device continues to send keepalive<br />
messages. When the precision-timers statement is included, keepalive message<br />
generation is performed in a dedicated kernel thread, which helps to prevent BGP<br />
session flaps.<br />
[Routing Protocols]<br />
Services Applications<br />
• Subscriber profiles for service activation—Enables you to specify which service plug-ins<br />
become activated on a per-subscriber basis. Previously, the only control mechanism<br />
for specifying service activation was to attach a service-set configuration to a selected<br />
interface or route. The new utility allows you to enable or disable services based on<br />
the subscriber associated with every data flow. As a result, you can apply differentiated<br />
services to different sets of subscribers.<br />
You can exercise the control mechanism in one of two ways, by using a CLI operational<br />
command or a RADIUS attribute. This feature applies only to MP-SDK services and<br />
does not depend on the specific services enabled or disabled, except that PTSP must<br />
be included in the chain.<br />
The general procedure consists of three steps:<br />
1. Configure a service set that includes all the services to be applied to flows. You can<br />
include a default subscriber profile that controls which services are and are not<br />
active by default. The default profile applies to all subscribers until overridden for<br />
a specific subscriber. In the absence of a default subscriber profile, all services<br />
specified in the service set are applied by default. You can also include one or more<br />
alternative subscriber profiles that can be implemented to override the default<br />
profile. The following sample configuration illustrates these components:<br />
services {<br />
service-set ss1 {<br />
application-identification-profile appidr1;<br />
idp-profile idpr1;<br />
aacl-rules aaclr1;<br />
hcm_rules hcmr1;<br />
sfw_rules sfwr1;<br />
114<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
subscriber-profile {<br />
sp1;<br />
}<br />
interface-service {<br />
service-interface ms-3/0/0.0;<br />
}<br />
}<br />
subscriber-profile sp1 {<br />
disable HCM;<br />
enable IDP {<br />
concurrent-data-sessions 10;<br />
}<br />
disable AACL;<br />
max-data-sessions-per-subscriber {<br />
limit 10;<br />
exceed-action [ syslog drop ];<br />
}<br />
}<br />
subscriber-profile sp2 {<br />
enable HCM;<br />
disable IDP;<br />
enable AACL,<br />
max-data-sessions-per-subscriber {<br />
limit 100;<br />
exceed-action [ syslog ];<br />
}<br />
}<br />
}<br />
Initially, all traffic reaching the service plane under service set ss1 receives all the<br />
services configured in service set ss1 that are enabled by the default subscriber<br />
profile sp1 applied to it. In the example, APPID, stateful firewall, and IDP are enabled,<br />
while HCM and AACL are disabled. However, IDP is enabled for only at most 10<br />
sessions concurrently. Beyond that threshold, IDP is also disabled. Also, because<br />
of the max-data-sessions-per-subscriber setting, any subscriber will be allowed a<br />
maximum of 10 concurrent data sessions. Beyond that threshold, data sessions will<br />
be logged and dropped.<br />
2. Dynamically override the default subscriber profile associated with a particular<br />
PTSP subscriber by using one of the following:<br />
• CLI operational command<br />
• RADIUS attribute setting in the access-accept message<br />
From the previous example, assume that the subscriber profile for subscriber X is<br />
dynamically set to sp2. After that, any new data session associated with subscriber<br />
X will have a different set of services applied to it. In the example, it would be APPID,<br />
stateful firewall, HCM, and AACL. Also, because the<br />
max-data-sessions-per-subscriber setting changes to 100, subscriber X will now<br />
have no upper limit on the number of concurrent data sessions, although if that<br />
number crosses the 100 threshold, the threshold-crossing event will be logged.<br />
The following examples illustrate the dynamic override settings:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
115
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Operational command:<br />
user@router> request services subscriber clear subscriber-profile client-id client-id<br />
user@router> request services subscriber set subscriber-profile<br />
subscriber-profile-name client-id client-id<br />
RADIUS configuration:<br />
user@router# set system services packet-triggered-subscribers partition-radius foo<br />
subscriber-service-profile attribute-26.4874.31<br />
3. Process a new data session at the service plane. This takes place as follows, with<br />
respect to subscriber profiles:<br />
1. A new flow starts. MP-SDK sends a SESSION-INTEREST event to the service<br />
plug-ins. The first plug-in in the chain is the subscriber’s (PTSP) plug-in.<br />
2. The subscriber’s plug-in matches the flow to its subscriber by searching its<br />
database. It sets the subscriber-id in the session metadata.<br />
3. The subscriber plug-in checks for the corresponding subscriber profile and which<br />
services are enabled. It then sets the services mask of enabled and disabled<br />
services in the session metadata.<br />
4. MP-SDK or JSF invokes only the services that are enabled per the services mask.<br />
The other services are skipped, even if configured in the service set.<br />
NOTE: Subscriber-profile changes affect only the upcoming flows.<br />
Existing flows remain unaffected.<br />
[Services Interfaces (Junos OS <strong>Release</strong> 12.1)]<br />
• NAT with deterministic port block allocation—You can configure NAT algorithm-based<br />
allocation of blocks of destination ports. By specifying this method, you ensure that<br />
an IP address and port are always mapped to the same IP address in a pool and the<br />
same block of ports, thus eliminating the need for the logging of address translations.<br />
Other benefits include:<br />
• Configuration of source IP address prefix matching in the from clause of a NAT rule<br />
provides a high degree of scalability.<br />
• All Junos OS-supported ALGs are supported.<br />
To configure deterministic port block allocation, include the<br />
deterministic-port-block-allocation block-size block-size statement at the [edit services<br />
nat pool pool-name port] hierarchy level and include the translation-type<br />
deterministic-napt44 statement at the [edit services nat rule rule-name term term-name<br />
then translated] hierarchy level.<br />
You can use the following new commands to display information:<br />
• show services nat deterministic-nat nat-port-block internal-host ip-address<br />
• show services nat deterministic-nat internal-host nat-address ip-address nat-port<br />
port-number<br />
116<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
[Next-Generation Network Addressing Solutions]<br />
Subscriber Access Management<br />
• Junos OS subscriber management scaling values (M120, M320, and MX Series<br />
routers)—A spreadsheet is available online that lists scaling values supported for Junos<br />
OS subscriber management beginning with Junos OS <strong>Release</strong> 10.1. Access the Subscriber<br />
Management Scaling Values (XLS) spreadsheet from the Downloads box at<br />
http://www.juniper.net/techpubs/en_US/junosrelease-number/information-products<br />
/pathway-pages/subscriber-access/index.html. Substitute the number of the latest<br />
Junos OS release for the release-number. For example, ...en_us/junos11.1/....<br />
[Subscriber Management Scaling]<br />
• Junos OS subscriber management scaling values (MX5, MX10, MX40, and MX80<br />
routers)—This release of Junos OS includes limited support for subscriber management<br />
on the MX5, MX10, MX40,and MX80 3D Universal Edge routers. For more information<br />
about this support, see http://www.juniper.net/techpubs/en_US/release-independent/<br />
junos/topics/reference/general/mx80-features.html.<br />
• Configuring retransmission of L2TP control messages (MX Series 3D Universal Edge<br />
Routers)—L2TP peers maintain a queue of control messages that must be sent to the<br />
peer device. After a message is sent, the local peer waits for a response from the remote<br />
peer. If a response is not received, the local peer retransmits the message. You can<br />
configure how many times an unacknowledged message is retransmitted by the LAC<br />
or the LNS. For tunnels that have been established, include the<br />
retransmission-count-established statement at the [edit services l2tp tunnel] hierarchy<br />
level. For tunnels that are not yet established, include the<br />
retransmission-count-not-established statement.<br />
You can specify a maximum count in the range 0 through 30. The default count for<br />
established tunnels is 7; for tunnels that are not established, the default is 5. The local<br />
peer waits 1 second for the first response to a control message. The retransmit timer<br />
then doubles the interval between each successive retransmission, up to a maximum<br />
interval of 16 seconds. This behavior allows the remote peer more time to respond. If<br />
the maximum retransmission count is reached and no response has been received, the<br />
tunnel and all its sessions are cleared.<br />
BEST PRACTICE: Before you downgrade to a Junos OS release that does<br />
not support these statements, we recommend that you explicitly<br />
unconfigure the feature by including the no retransmission-count-established<br />
statement and the no retransmission-count-non-established statement at<br />
the [edit services l2tp tunnel] hierarchy level.<br />
BEST PRACTICE: During a unified in-service software upgrade (ISSU) on<br />
an MX Series router configured as the LAC, the LAC might not respond to<br />
control messages from the LNS. This can result in dropping LAC L2TP<br />
sessions. You can avoid this situation by ensuring that the maximum<br />
retransmission count on the LNS is set to 16 or higher.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
117
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[Subscriber Access]<br />
• Configuring the idle timeout for L2TP tunnels without sessions (MX Series 3D<br />
Universal Edge Routers)—You can configure the LAC or the LNS to specify how long<br />
a tunnel without any sessions remains active. The idle timer starts when the last session<br />
on the tunnel is terminated. When the timer expires the tunnel is disconnected. This<br />
idle timeout frees up resources otherwise consumed by inactive tunnels.<br />
To configure how long the tunnel remains active, include the idle-timeout statement<br />
at the [edit services l2tp tunnel] hierarchy level. You can set the timer in the range 0<br />
through 86,400 seconds; the default value is 80 seconds. If you set the idle-timeout<br />
value to 0, the tunnel is forced to remain active indefinitely after the last session is<br />
terminated until one of the following occurs:<br />
• You issue the clear services l2tp tunnel command.<br />
• The remote peer disconnects the tunnel.<br />
BEST PRACTICE: Before you downgrade to a Junos OS release that does<br />
not support this statement, we recommend that you explicitly unconfigure<br />
the feature by including the no idle-timeout statement at the [edit services<br />
l2tp tunnel] hierarchy level.<br />
[Subscriber Access]<br />
• Configuring how long L2TP maintains dynamic information (MX Series 3D Universal<br />
Edge Routers)—You can configure the LAC or the LNS to specify how long the router<br />
attempts to maintain dynamic destinations, tunnels, and sessions after they have been<br />
torn down. This destruct timeout aids debugging and other analysis by saving underlying<br />
memory structures of those destinations, tunnels, or sessions. Any specific dynamic<br />
destination, tunnel, or session might not be maintained for this entire time period if the<br />
resources must be reclaimed early to allow new tunnels to be established. To set the<br />
destruct timeout, include the destruct-timeout statement at the [edit services l2tp]<br />
hierarchy level. You can set the timer in the range 10 through 3600 seconds; the default<br />
value is 300 seconds.<br />
BEST PRACTICE: Before you downgrade to a Junos OS release that does<br />
not support this statement, we recommend that you explicitly unconfigure<br />
the feature by including the no destruct-timeout statement at the [edit<br />
services l2tp] hierarchy level.<br />
[Subscriber Access]<br />
• Configuring connection speeds on the LAC (MX Series 3D Universal Edge<br />
Routers)—You can configure the resource used by the LAC to determine the setting<br />
for the speed of the connection from the LAC to the LNS (transmit speed) and of the<br />
connection from the LNS to the LAC (receive speed). The LAC sends the speeds to the<br />
LNS in Incoming-Call-Connected (ICCN) messages; the transmit speed is conveyed<br />
by AVP 24 and the receive speed by AVP 38.<br />
118<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
To use the recommended downstream traffic shaping rate for AVP 24 and the<br />
recommended upstream shaping rate for AVP 38, include the tx-connect-speed-method<br />
advisory statement at the [edit services l2tp] hierarchy level. You configure the advisory<br />
rates under the PPPoE logical interface underlying the subscriber interface with the<br />
advisory-options statement at the [edit interfaces interface-name unit<br />
logical-unit-number] hierarchy level. If the advisory speed is not configured on the<br />
underlying interface, then the tx-connect-speed-method advisory statement<br />
automatically sets the speed to 1 Gbps and sends this value in both AVP 24 and AVP<br />
38.<br />
Alternatively, to derive the speeds from the PPPoE IA tags, use the<br />
tx-connect-speed-method dsl-forum statement. In this case, AVP 24 is the value of<br />
Actual-Data-Rate-Downstream (VSA 26-129). AVP 38 is the value of<br />
Actual-Data-Rate-Upstream (26-130), and is sent only when the VSA values differ.<br />
[Subscriber Access]<br />
• Setting the tunnel name format (MX Series 3D Universal Edge Routers)—MX960,<br />
MX480, and MX240 routers with MPCs now support the configuration of the format<br />
for L2TP tunnel names. By default, the name of a tunnel corresponds to the<br />
Tunnel-Assignment-Id [82] returned by the AAA server. You can optionally configure<br />
the LAC to use more elements in the construction of a tunnel name by including the<br />
assignment-id-format client-server-id statement at the [edit services l2tp tunnel]<br />
hierarchy level. This format uses three attributes: Tunnel-Client-Auth-Id [90],<br />
Tunnel-Server-Endpoint [67], and Tunnel-Assignment-Id [82]. These attributes<br />
correspond, respectively, to the values configured in the tunnel profile for the LAC<br />
(source gateway) name, the tunnel endpoint (remote gateway) address on the LNS,<br />
and the tunnel ID.<br />
A consequence of the client-server-id format is that the LAC automatically creates a<br />
new tunnel when the AAA server returns a different Tunnel-Client-Auth-Id than<br />
previously returned. Before you downgrade to a Junos OS release that does not support<br />
this statement, we recommend that you explicitly unconfigure the feature by including<br />
the no assignment-id-format assignment-id statement at the [edit services l2tp tunnel]<br />
hierarchy level.<br />
[Subscriber Access]<br />
• Support for hierarchical policer as filter action (MX Series routers)—This feature<br />
enables you to have hierarchical policers as one type of filter action. Hierarchical policers<br />
rate-limit premium traffic separately from the aggregate traffic on an interface as<br />
determined by different configured rates. This feature is useful in provider edge<br />
applications using aggregate policing for general traffic and to apply a separate policer<br />
for premium traffic on a logical or physical interface. To enable all hierarchical policers<br />
of the same name in one filter to share the same policer instance in the Packet<br />
Forwarding Engine, use the filter-specific statement at the [edit firewall] hierarchy<br />
level.<br />
[Subscriber Access]<br />
• Unified ISSU support for subscriber management PPPoE access model (M120, M320,<br />
and MX Series routers)—Extends support for the unified in-service software upgrade<br />
(unified ISSU) feature to the PPPoE access model used by subscriber management.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
119
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
This support ensures that the router preserves all active PPPoE subscriber sessions<br />
and session services after completion of a unified ISSU.<br />
Unified ISSU for static and dynamic PPPoE access in subscriber management supports<br />
the following features:<br />
• Terminated, non-tunneled PPPoE connections configured with static or dynamic<br />
PPP logical interfaces and static or dynamic PPPoE underlying interfaces<br />
• Subscriber services on single-link PPP interfaces<br />
• Preservation of statistics for accounting, filter, and class of service (CoS) on MPC/MIC<br />
interfaces<br />
NOTE: Accounting statistics are not preserved after a unified ISSU on<br />
M120 and M320 routers with Enhanced Intelligent Queuing 2 (IQ2E) PICs.<br />
Unified ISSU for static and dynamic PPPoE access in subscriber management does<br />
not support Multilink Point-to-Point Protocol (MLPPP) bundle interfaces. (MLPPP<br />
bundle interfaces require the use of an Adaptive Services PIC or Multiservices PIC to<br />
provide PPP subscriber services. These PICs do not support unified ISSU.)<br />
You use the existing CLI statements and procedure to configure and initiate unified<br />
ISSU for subscriber management. To display information about the state of unified<br />
ISSU for subscriber management features, you can use the existing show system<br />
subscriber-management summary operational command.<br />
[Subscriber Access, High Availability]<br />
• PPPoE encapsulation type lockout support (M120, M320, and MX Series<br />
routers)—Enables you to configure the router to prevent (lock out) a failed or short-lived<br />
PPPoE subscriber session from reconnecting for a temporary period of time known as<br />
the lockout period. The lockout period is derived from a formula and increases<br />
exponentially based on the number of successive reconnection failures.<br />
Configuring PPPoE encapsulation type lockout protects the router and any external<br />
authentication, authorization, and accounting (AAA) servers, such as RADIUS or<br />
Diameter, from excessive loading as a result of failed or short-lived PPPoE subscriber<br />
sessions that occur repeatedly for the same subscriber. Subscriber sessions are<br />
identified by their unique media access control (MAC) source address.<br />
When you configure PPPoE encapsulation type lockout, the router detects a short-lived<br />
(also referred to as a short-cycle) subscriber session, determines the time between<br />
repeated short-cycle events, and applies a time penalty for each short-cycle event<br />
based on a default or configured lockout period. This action temporarily locks out the<br />
specified PPPoE subscriber by preventing connection to the router. When the lockout<br />
period expires, negotiation of the PPPoE subscriber session and associated MAC source<br />
address resumes.<br />
120<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Configuration of PPPoE encapsulation type lockout is supported on Intelligent Queuing<br />
2 (IQ2) PICs on M120 and M320 routers, and on MPC/MIC interfaces on MX Series<br />
routers. You can configure PPPoE encapsulation type lockout for all of the following<br />
static and dynamic PPPoE underlying interface types:<br />
• Static VLAN logical interface<br />
• Static VLAN demultiplexing (demux) logical interface<br />
• Dynamic VLAN logical interface<br />
• Dynamic VLAN demultiplexing (demux) logical interface<br />
PPPoE encapsulation type lockout is disabled by default. To configure PPPoE<br />
encapsulation type lockout and an optional lockout period, in seconds, you must include<br />
the new short-cycle-protection statement at any of the following hierarchy levels:<br />
• [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number family<br />
pppoe]<br />
• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number<br />
family pppoe]<br />
• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number<br />
pppoe-underlying-options]<br />
• [edit interfaces demux0 unit logical-unit-number family pppoe]<br />
• [edit interfaces interface-name unit logical-unit-number family pppoe]<br />
• [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]<br />
• [edit logical-systems logical-system-name interfaces interface-name unit<br />
logical-unit-number family pppoe]<br />
• [edit logical-systems logical-system-name interfaces interface-name unit<br />
logical-unit-number pppoe-underlying-options]<br />
If you include the short-cycle-protection statement without specifying the lockout<br />
period, the router uses the default lockout period of 1 through 300 seconds (5 minutes).<br />
To display information about the PPPoE encapsulation type lockout configuration on<br />
the PPPoE underlying interface, use the show pppoe lockout operational command,<br />
new in Junos OS <strong>Release</strong> 11.4, or the show pppoe underlying-interfaces operational<br />
command, enhanced in Junos OS <strong>Release</strong> 11.4. You can also use the new clear pppoe<br />
lockout operational command to clear the lockout condition for a specific MAC source<br />
address on a specific underlying interface, for all MAC source addresses on a specific<br />
underlying interface, or for all MAC source addresses on all underlying interfaces.<br />
[Subscriber Access, Interfaces Command Reference, Ethernet Interfaces]<br />
• Expression support for dynamic profiles (MX Series routers)—Junos OS <strong>Release</strong> 11.4<br />
supports the use of expressions for dynamic profile variables. Expressions are groups<br />
of arithmetic operators, string operators, and operands that you can create for use as<br />
variables within dynamic profiles.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
121
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
To configure expressions, include the expression operators and operands at the [edit<br />
dynamic-profiles profile-name variables] hierarchy level.<br />
Table 4 on page 122 lists supported operators and functions you can use to create<br />
expressions.<br />
NOTE: Precedence 1 is the lowest level.<br />
Table 4: Operators and Functions<br />
Operation<br />
Operator<br />
Associativity<br />
Precedence<br />
Action<br />
Arithmetic<br />
Addition<br />
+<br />
Left<br />
1<br />
Adds the elements to the right and left of the<br />
operator together.<br />
Arithmetic<br />
Subtraction<br />
-<br />
Left<br />
1<br />
Subtracts the element to the right of the<br />
operator from the element to the left of the<br />
operator.<br />
Arithmetic<br />
Multiplication<br />
*<br />
Left<br />
2<br />
Multiplies the element to the left of the operator<br />
by the element to the right of the operator.<br />
Arithmetic<br />
Division<br />
/<br />
Left<br />
2<br />
Divides the element to the left of the operator<br />
by the element to the right of the operator.<br />
Arithmetic<br />
Modulo<br />
%<br />
Left<br />
2<br />
Divides the element to the left of the operator<br />
by the element to the right of the operator and<br />
returns the integer remainder. If the element to<br />
the left of the operator is less than the element<br />
to the right of the operator, the result is the<br />
element to the left of the operator.<br />
Concatenation<br />
##<br />
Left<br />
3<br />
Creates a new string by joining the string values<br />
to the left of the operator and the values to the<br />
right of the operator together.<br />
Maximum<br />
max(param1,param2)<br />
Left<br />
4<br />
Takes the maximum of the two values passed<br />
as parameters.<br />
Minimum<br />
min(param1,param2)<br />
Left<br />
4<br />
Takes the minimum of the two values passed<br />
as parameters.<br />
Round<br />
round(param1)<br />
-<br />
4<br />
Rounds the value to the nearest integer.<br />
Truncate<br />
trunc(param1)<br />
-<br />
4<br />
Truncates a non-integer value to the value left<br />
of the decimal point.<br />
Convert to String<br />
toStr(param1)<br />
-<br />
4<br />
Converts the variable inside the parentheses to<br />
a null terminated string.<br />
Convert to Integer<br />
toInt(param1)<br />
-<br />
4<br />
Converts the parameter to an integer. A single<br />
string or variable is allowed as a parameter.<br />
122<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Table 4: Operators and Functions (continued)<br />
Operation<br />
Operator<br />
Associativity<br />
Precedence<br />
Action<br />
Random<br />
rand()<br />
-<br />
4<br />
Generates a random numerical value.<br />
Parentheses<br />
( )<br />
-<br />
5<br />
Groups operands and operators to achieve<br />
results different from simple precedence;<br />
effectively has the highest precedence.<br />
[Subscriber Access]<br />
• L2TP LAC support for unified ISSU (MX Series 3D Universal Edge Routers)—Unified<br />
ISSU for tunneled PPP clients over PPPoE is now fully supported on L2TP LACs on MX<br />
Series routers. When a unified ISSU is initiated, the LAC completes any L2TP<br />
negotiations that are in progress but rejects any new negotiations until the upgrade<br />
has completed. No new tunnels or sessions are established during the upgrade.<br />
Subscriber logouts are recorded during the upgrade and are completed after the<br />
upgrade has completed.<br />
L2TP LNS on MX Series routers supports only unified ISSU challenged behavior. The<br />
upgrade is gracefully rejected and does not proceed when any LNS destination exists,<br />
regardless of whether tunnels or sessions have been established.<br />
Unified ISSU is not supported by L2TP on M Series routers.<br />
[Subscriber Access, High Availability]<br />
• DHCPv6 support (MX Series routers)—Subscriber management now supports DHCPv6<br />
relay. DHCPv6 relay passes messages between a DHCPv6 client and a DHCPv6 server,<br />
and provides the type of support within an IPv6 network that the previously supported<br />
DHCP relay provides in an IPv4 network. DHCPv6 relay interacts with the AAA service<br />
framework to manage subscriber access and accounting. This interaction enables the<br />
relay to use an external authority, such as RADIUS, to provide IPv6 prefixes, client<br />
authentication, and configuration options.<br />
To configure DHCPv6 relay, you use the dhcpv6 statement at the [edit<br />
forwarding-options dhcp-relay] hierarchy level. Subscriber management also supports<br />
new operational commands that you can use to query the system and display<br />
information about DHCPv6 relay bindings and statistics.<br />
Table 5 on page 123 lists the DHCPv6 relay statements and operational commands<br />
that are introduced at the indicated hierarchy levels in Junos OS <strong>Release</strong> 11.4.<br />
Table 5: DHCPv6 Relay Support for New Statements and Operational<br />
Commands<br />
Statement or Command<br />
Supported Hierarchy Level<br />
dhcpv6<br />
[edit forwarding-options dhcp-relay]<br />
relay-agent-interface-id<br />
[edit forwarding-options dhcp-relay dhcpv6]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
123
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 5: DHCPv6 Relay Support for New Statements and Operational<br />
Commands (continued)<br />
Statement or Command<br />
Supported Hierarchy Level<br />
• relay-agent-interface-id<br />
• relay-agent-remote-id<br />
• relay-agent-subscriber-id<br />
[edit forwarding-options dhcp-relay dhcpv6 authentication<br />
username-include]<br />
and<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
authentication username-include]<br />
• clear dhcpv6 relay binding<br />
• clear dhcpv6 relay statistics<br />
CLI operational mode<br />
• show dhcpv6 relay binding<br />
• show dhcpv6 relay statistics<br />
Table 6 on page 124 lists the existing statements that are now supported for DHCPv6<br />
relay at the indicated hierarchy levels.<br />
Table 6: DHCPv6 Relay Support for Existing Statements<br />
Statement<br />
Supported Hierarchy Level<br />
• active-server-group<br />
• authentication<br />
[edit forwarding-options dhcp-relay dhcpv6]<br />
• dynamic-profile<br />
• group<br />
• overrides<br />
• server-group<br />
• password<br />
• username-include<br />
[edit forwarding-options dhcp-relay dhcpv6 authentication]<br />
and<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
authentication]<br />
• circuit-type<br />
• delimiter<br />
• domain-name<br />
• logical-system-name<br />
• routing-instance-name<br />
• user-prefix<br />
• aggregate-clients<br />
• use-primary<br />
[edit forwarding-options dhcp-relay dhcpv6 authentication<br />
username-include]<br />
and<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
authentication username-include]<br />
[edit forwarding-options dhcp-relay dhcpv6 dynamic-profile]<br />
and<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
dynamic-profile]<br />
124<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Table 6: DHCPv6 Relay Support for Existing Statements (continued)<br />
Statement<br />
Supported Hierarchy Level<br />
• overrides<br />
[edit forwarding-options dhcp-relay dhcpv6],<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name],<br />
and<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
interface interface-name]<br />
• prefix<br />
• use-interface-description<br />
[edit forwarding-options dhcp-relay dhcpv6<br />
relay-agent-interface-id]<br />
and<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
relay-agent-interface-id]<br />
• interface-client-limit<br />
• no-bind-on-request<br />
• send-release-on-delete<br />
[edit forwarding-options dhcp-relay dhcpv6 overrides],<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
overrides],<br />
and<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
interface interface-name overrides]<br />
interface<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name]<br />
trace<br />
[edit forwarding-options dhcp-relay dhcpv6 group group-name<br />
interface interface-name]<br />
[Subscriber Access]<br />
• Support for hierarchical CoS on interface sets of aggregated Ethernet interfaces<br />
(MX Series routers)—Enables you to apply hierarchical CoS to demux and PPPoE<br />
subscribers configured in interface sets of aggregated Ethernet interfaces. This feature<br />
is supported on MPC/MIC modules on MX Series routers. You must apply static CoS<br />
parameters to interface sets.<br />
You can configure the aggregated Ethernet interface with or without link protection.<br />
In addition, you can set the distribution model of the logical interfaces within the<br />
interface set to hash-based distribution or targeted distribution.<br />
The link membership list and scheduler mode of the interface set is inherited from the<br />
underlying aggregated Ethernet interface over which the interface set is configured.<br />
When an aggregated Ethernet interface operates in link protection mode, or if the<br />
scheduler mode is set to member-link-scheduler replicate, the scheduling parameters<br />
of the interface set are copied to each of the member links. If the scheduler mode of<br />
the aggregated Ethernet interface is set to member-link-scheduler scale, the scheduling<br />
parameters are scaled based on the number of active member links and applied to<br />
each of the aggregated interface member links.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
125
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
To create an interface set, include the interface-set interface-set-name statement at<br />
the [edit interfaces] hierarchy level or the [edit dynamic-profiles profile-name interfaces]<br />
hierarchy level. You can add demux or PPPoE interfaces to the set by including the<br />
interface interface-name unit logical-unit-number statement at the [edit interfaces<br />
interface-set interface-set-name] or the [edit dynamic-profiles profile-name interfaces<br />
interface-set interface-set-name] hierarchy level.<br />
To apply scheduling and queuing parameters to the interface set, include the<br />
output-traffic-control-profile profile-name statement at the [edit class-of-service<br />
interfaces interface-set interface-set-name] hierarchy level.<br />
[Class of Service, Subscriber Access]<br />
• Support for dynamic profile versions (MX Series routers)—Junos OS <strong>Release</strong> 11.4<br />
provides the ability to create new versions of dynamic profiles that are currently in use<br />
by subscribers. Any subscriber that logs in following a dynamic profile modification<br />
uses the latest version of the dynamic profile. Subscribers that are already active<br />
continue to use the older version of the dynamic profile until they log out or their session<br />
terminates.<br />
To enable the configuration of dynamic profile versions, include the versioning statement<br />
at the [edit system dynamic-profile-options] hierarchy level.<br />
When creating versions of dynamic profiles, keep the following in mind:<br />
• You can enable or disable dynamic profile versioning regardless of whether dynamic<br />
profiles are configured or not.<br />
• Each version of a dynamic profile is stored in the profile database as a new profile.<br />
• The name of the new profile version is derived by appending a four-character tag<br />
string to the original base dynamic profile name. This tag string contains two dollar<br />
sign ($) characters to identify the version field of the profile name. These two<br />
characters are followed by two numerical characters that represent the version<br />
number of the dynamic profile (for example, 01).<br />
• The dynamic profile that you modify is always stored as the latest version. You cannot<br />
create a modified dynamic profile and save it as an earlier version. For example, if<br />
you modify version three of a dynamic profile, it is saved as version four.<br />
• You can modify only the latest version of a dynamic profile.<br />
• If the dynamic profile version that you modify is not in use by any subscriber, the<br />
profile is overwritten with committed changes without creating a new version.<br />
• You can create a maximum of 10 versions of each dynamic profile.<br />
• If all 10 versions of a dynamic profile already exist, any modification to the dynamic<br />
profile results in modifying the latest version of that profile (that is, version $$10). If<br />
this version is in use, any modification attempt fails upon commit.<br />
• You can delete a dynamic profile only when it is not in use.<br />
• The dynamic profile version feature supports graceful restart and unified ISSU.<br />
126<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
The show subscriber command has been enhanced to display the dynamic profile<br />
name and current version (when appropriate) in the Dynamic Profile Name field for<br />
each subscriber.<br />
[Subscriber Access]<br />
• Subscriber secure policy support for IPv6 traffic (MX Series routers)—Subscriber<br />
secure policy now mirrors IPv6 traffic as well as IPv4 traffic. IPv6 mirroring uses the<br />
existing statements and configuration procedures and requires no additional steps.<br />
As in the case of IPv4 mirroring, the IPv6 traffic is encapsulated in a UDP packet and<br />
sent to the mediation device. IPv6 mirroring can be based on information provided by<br />
either RADIUS or Dynamic Tasking Control Protocol (DTCP).<br />
[Subscriber Access]<br />
• Duplicate RADIUS accounting reports (MX Series routers)—By default, subscriber<br />
management sends RADIUS accounting reports to the accounting servers in the context<br />
in which the subscriber was last authenticated. However, in a Layer 3 wholesale network<br />
solution, the wholesaler and retailer might use different RADIUS accounting servers,<br />
and both might want to receive the accounting reports. You can now configure duplicate<br />
account reporting, and specify that subscriber management send the same RADIUS<br />
accounting report to both the wholesaler and the retailer accounting servers.<br />
To configure duplicate RADIUS accounting, you include the duplication statement at<br />
the [edit access profile profile-name accounting] hierarchy level.<br />
[Subscriber Access]<br />
• Centrally configured per-subscriber DHCP options (VSA 26-55) (MX Series<br />
routers)—Subscriber management enables you to centrally configure DHCP options<br />
on a RADIUS server and distribute the options on a per-subscriber basis. You use <strong>Juniper</strong><br />
<strong>Networks</strong> VSA 26-55 to include the DHCP options information in the Access-Accept<br />
message sent from the RADIUS server to the RADIUS client, and on to DHCP local<br />
server for return to the DHCP subscriber.<br />
The centrally configured DHCP options feature is supported for DHCP local server.<br />
DHCP local server provides a passthrough operation, performing minimal processing<br />
and error checking of the DHCP options string that the RADIUS server sends in VSA<br />
26-55. The new feature does not affect the previously supported functionality, in which<br />
VSA 26-55 is configured by DHCP local server or DHCP relay agent. Subscriber<br />
management supports the previous and new functionality for both DHCPv4 and<br />
DHCPv6.<br />
[Subscriber Access]<br />
• Support for concurrent IPoE DHCP and PPPoE logical interfaces on the same VLAN<br />
(MX Series routers with MPC/MIC interfaces)—Junos OS <strong>Release</strong> 11.4 supports the<br />
configuration of VLAN interfaces with multiple protocol interface stacks at the same<br />
time. This means that you can now configure both IPoE DHCP logical interfaces and<br />
PPPoE logical interfaces concurrently over the same VLAN interface.<br />
Configuring PPPoE concurrently with IPoE DHCP on the same VLAN interface requires<br />
that you use the family pppoe statement at the [edit interfaces interface-name unit<br />
logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name<br />
unit logical-unit-number], [edit dynamic-profiles profile-name interfaces demux0 unit<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
127
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
logical-unit-number], or [edit dynamic-profiles profile-name interfaces interface-name<br />
unit logical-unit-number] hierarchy level. This statement is supported only on MX Series<br />
routers with MPCs. However, all features specific to DHCP and PPPoE interfaces are<br />
supported with concurrent configuration on this platform.<br />
[Subscriber Access]<br />
• Support for processing DHCP information request messages (M120 and M320<br />
Multiservice Edge Routers, MX Series 3D Universal Edge Routers)—By default, DHCP<br />
local server and DHCPv6 local server ignore any DHCP information request messages<br />
that they receive. You can now override this default behavior to enable processing of<br />
these messages. Include the process-inform statement at any of the [edit ... system<br />
services dhcp-local-server ... overrides] or [edit ... system services dhcp-local-server<br />
dhcpv6 ... overrides] hierarchy levels. Overriding the default behavior is appropriate<br />
when the servers have DHCP clients with externally provided addresses; these clients<br />
might send DHCP information request messages to the server to request further<br />
configuration information from the server.<br />
By default, DHCP relay and DHCP relay proxy now automatically forward DHCP<br />
information request messages without modification as long as the messages are<br />
received on an interface configured for a DHCP server group. DHCP relay drops<br />
information request messages that it receives on any other interfaces. You cannot<br />
disable this default DHCP relay and relay proxy behavior.<br />
The information requested by these clients has typically been configured with the<br />
dhcp-attributes statement for an address pool defined by the address-assignment pool<br />
pool-name statement at the [edit access] hierarchy level.<br />
When you enable processing of DHCP information request messages, include the pool<br />
pool-name statement at the [edit system services dhcp-local-server overrides<br />
process-inform] or [edit system services dhcp-local-server dhcpv6 overrides<br />
process-inform] hierarchy level to optionally specify a pool name from which the local<br />
server retrieves the requested configuration information for the client. If you do not<br />
specify a local pool, then the local server requests that AAA select and return only the<br />
name of the relevant pool.<br />
When DHCPv6 is configured over PPP interfaces, the PPP RADIUS authentication data<br />
can be used to select the pool from which the response information is taken.<br />
Additionally, other RADIUS attributes can also be inserted into the DHCPv6 reply<br />
message. If an overlap exists between RADIUS attributes and local pool attributes,<br />
the RADIUS values are used instead of the local configuration data. If no RADIUS<br />
information is received from the underlying PPP interface, then the behavior is the<br />
same as described above for non-PPP interfaces.<br />
DHCP local server responds to the client with a DHCP ack message that includes the<br />
requested information—if it is available. DHCPv6 local server responds in the same<br />
manner but uses a DHCP reply message. No subscriber management is applied as a<br />
result of the DHCP inform message.<br />
[Subscriber Access]<br />
• Support for VLAN ID as a selector for IP demux interfaces (MX Series routers)—Junos<br />
OS <strong>Release</strong> 11.4 supports the configuration of IP demux interfaces using VLAN IDs as<br />
128<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
the selector. You can now configure dynamic IP demux interfaces over either static or<br />
dynamic VLAN demux interfaces. This feature provides the following support:<br />
• Only single and dual VLAN tag options are supported as VLAN selectors.<br />
• Both inet and inet6 families are supported.<br />
• All firewall and CoS features are supported.<br />
• Both static and dynamic demux interface creation is supported, including autosense<br />
VLAN creation.<br />
• Both DPC and MPC modules are supported.<br />
For details about how to configure dynamic IP demux interfaces over static or dynamic<br />
VLAN demux interfaces, see the Junos OS Special Document for <strong>Release</strong> 11.4 M Series,<br />
MX Series, and T Series Routers and the Junos OS Subscriber Access Configuration Guide.<br />
[Subscriber Access]<br />
• Support for session and idle timeouts for L2TP tunneled subscriber sessions (MX<br />
Series 3D Universal Edge Routers)—You can now manage the length of L2TP tunneled<br />
subscriber sessions by including the client-idle-timeout statement, the<br />
client-session-timeout statement, or both, at the [edit access profile profile-name<br />
session-options] hierarchy level. This functionality was previously supported only for<br />
PPP-terminated subscriber sessions.<br />
The session timeout defines how long the subscriber session is allowed to be up before<br />
it is terminated, regardless of user activity. The idle timeout monitors the session for<br />
upstream and downstream traffic, and terminates the session when there has been<br />
no traffic for the specified period. These timeouts apply on a per-routing-instance<br />
basis.<br />
You can also configure these limits on a per-subscriber basis with RADIUS attributes<br />
Session-Timeout [27] and Idle-Timeout [28]. The RADIUS attributes returned for a<br />
particular subscriber override any value set by the access profile applied when the user<br />
logs in.<br />
Issue the show subscribers detail command to display the session and idle timeouts<br />
applied to the subscribers’ sessions.<br />
[Subscriber Access]<br />
• Testing L2TP tunnel configurations on an L2TP LAC (MX Series 3D Universal Edge<br />
Routers)—You can now test L2TP tunnel configurations on an MX Series router<br />
configured as an L2TP LAC. In earlier releases, you had to bring up a tunneled PPP<br />
subscriber to test configurations. Now you can issue the test services l2tp tunnel<br />
command from CLI operation mode to map a subscriber to an L2TP tunnel, verify the<br />
L2TP tunnel configuration (both locally on the LAC and on a back-end server such as<br />
a RADIUS server), and verify that L2TP tunnels from the LAC can be established with<br />
the remote LNS.<br />
The Junos OS LAC implementation enables you to configure multiple tunnels from<br />
which one tunnel is chosen for tunneling a PPP subscriber. You can use the test services<br />
l2tp tunnel command to test all possible tunnel configurations to verify that each can<br />
be established. Alternatively, you can test only a specific tunnel for the subscriber.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
129
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
You must specify a configured subscriber username when you issue the command.<br />
The test generates a dummy password for the subscriber, or you can optionally specify<br />
the password. The test verifies whether the subscriber identified by that username can<br />
be tunneled according to the tunnel configuration. If the subscriber can be tunneled,<br />
then the test verifies whether the L2TP tunnel can be established with the LNS according<br />
to the L2TP configuration.<br />
You can optionally specify a tunnel ID, in which case only that tunnel is tested; the<br />
tunnel must be already configured for that username. If you omit this option, the test<br />
is applied to the full set of tunnel configurations that are returned for the username.<br />
The tunnel ID you specify is the same as that used by Tunnel-Assignment-Id (RADIUS<br />
attribute 82) and specified by the identification statement in the tunnel profile.<br />
[Subscriber Access, System Basics and Services Command Reference]<br />
• Parameterized filters and policers (MX Series routers)—This feature adds the ability<br />
to configure firewall filters and policers under a dynamic profile. The filter and policer<br />
definition can now utilize dynamic-profile variables, which allows you to customize<br />
your configuration at session creation time. You can configure a general filter or policer<br />
under a dynamic profile and then provide policing rates, destination addresses, ports,<br />
and so forth when a dynamic session is activated. To support this feature, the<br />
service-filter-hit-except match condition has been added to the [edit firewall] hierarchy<br />
level. In addition, the [edit dynamic-profile profile-name] hierarchy level is now supported<br />
for the [edit firewall] hierarchy.<br />
[Subscriber Access, Policy Framework]<br />
• DTCP trigger attributes and SNMP objects for subscriber secure policy traffic<br />
mirroring (MX Series routers)—A subscriber secure policy traffic mirroring session<br />
starts when the router, functioning as the intercept access point, receives a DTCP ADD<br />
message that contains a trigger attribute. In earlier releases, DTCP used the Interface<br />
ID attribute to trigger traffic mirroring. Junos OS <strong>Release</strong> 11.4 introduces support for<br />
additional DTCP attributes that trigger DTCP-initiated subscriber secure policy traffic<br />
mirroring.<br />
Junos OS <strong>Release</strong> 11.4 also provides additional SNMP trap support for subscriber secure<br />
policy, including SNMP objects to identify the subscriber and to track traffic statistics.<br />
Table 7 on page 130 shows the DTCP trigger attributes, including the previously supported<br />
Interface ID attribute. The attributes are listed in order of preference, from high to low.<br />
If an ADD message contains multiple trigger attributes, the subscriber secure policy<br />
uses the attribute with the highest preference and initiates the traffic mirroring<br />
associated with that trigger attribute.<br />
Table 7: DTCP Trigger Attributes<br />
Attribute<br />
Name<br />
DTCP Message<br />
Semantic<br />
Description of Mirroring Trigger<br />
Accounting<br />
Session ID<br />
X-Act-Sess-Id<br />
The text string of the accounting session ID<br />
associated with the subscriber.<br />
Calling Station<br />
ID<br />
X-Call-Sta-Id<br />
The text string of the calling station ID associated<br />
with the subscriber.<br />
130<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Table 7: DTCP Trigger Attributes (continued)<br />
Attribute<br />
Name<br />
DTCP Message<br />
Semantic<br />
Description of Mirroring Trigger<br />
IP Address<br />
X-IP-Addr-Unit<br />
X-Logical-System<br />
(optional)<br />
X-Routing-Instance<br />
(optional)<br />
The IPV4 address associated with the interface for<br />
the subscriber.<br />
You can optionally include the X-Logical-System<br />
and X-Routing-Instance attributes with this attribute.<br />
If neither is specified, the default logical system and<br />
routing instance are used.<br />
Interface ID<br />
X-Interface-Id<br />
The interface description string on which traffic<br />
mirroring is performed (for example, ge-0/0/0.1 or<br />
demux0.107472834).<br />
NAS Port ID<br />
X-NAS-Port-Id<br />
The text string of the NAS port ID associated with<br />
the subscriber.<br />
DHCP Option<br />
82<br />
X-RM-Circuit-Id<br />
X-RM-Agent-Id<br />
The combination of the remote circuit ID and the<br />
remote agent ID attributes, which specifies the DHCP<br />
Option 82 associated with the session.<br />
Remote Agent<br />
ID<br />
X-RM-Agent-Id<br />
The text string of Agent Remote ID suboption for<br />
the subscriber.<br />
User Name<br />
X-UserName<br />
X-Logical-System<br />
(optional)<br />
X-Routing-Instance<br />
(optional)<br />
• Can be a trigger when used by itself.<br />
• Can be used together with the Remote Circuit ID<br />
attribute to specify the DHCP Option 82 trigger.<br />
The user name for this subscriber.<br />
You can optionally include the X-Logical-System<br />
and X-Routing-Instance attributes with this attribute.<br />
If neither is specified, the default logical system and<br />
routing instance are used.<br />
Table 8: SNMP Trap Definitions<br />
Table 8 on page 131 shows the new subscriber secure policy SNMP objects and the trap<br />
definitions for Junos OS <strong>Release</strong> 11.4.<br />
New SNMP Object<br />
Description<br />
SNMP Trap Definition<br />
jnxJsPacketMirrorCallingStationIdentifier<br />
Calling station ID of subscriber<br />
whose traffic is being monitored.<br />
jnxJsPacketMirrorLiSubscriberLoggedIn<br />
jnxJsPacketMirrorLiSubscriberServiceActivated<br />
jnxJsPacketMirrorLiSubscriberLogInFailed<br />
jnxJsPacketMirrorLiSubscriberServiceActivationFailed<br />
jnxJsPacketMirrorNasIdentifier<br />
NAS ID of the router on which the<br />
traffic is being monitored.<br />
jnxJsPacketMirrorLiSubscriberLoggedIn<br />
jnxJsPacketMirrorLiSubscriberServiceActivated<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
131
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 8: SNMP Trap Definitions (continued)<br />
New SNMP Object<br />
Description<br />
SNMP Trap Definition<br />
jnxJsPacketMirrorOctetsReceived<br />
Number of octets of combined<br />
IPv4 and IPv6 subscriber traffic<br />
received.<br />
jnxJsPacketMirrorLiSubscriberLoggedOut<br />
jnxJsPacketMirrorOctetsTransmitted<br />
Number of octets of combined<br />
IPv4 and IPv6 subscriber traffic<br />
transmitted.<br />
jnxJsPacketMirrorLiSubscriberLoggedOut<br />
[Subscriber Access]<br />
• Service accounting with JSRC (M120 and M320 Multiservice Edge Routers, MX Series<br />
3D Universal Edge Routers)—When JSRC provisions subscriber services, you can now<br />
also use JSRC to report accounting data for those services. You can choose service<br />
activation/deactivation accounting to report cumulative service session statistics when<br />
a service is terminated, or interim accounting to report service session statistics at<br />
specified intervals for the duration of the session.<br />
When the SAE sends the <strong>Juniper</strong>-Policy-Install AVP (AVP code 2020) to specify a<br />
service for JSRC to activate, JSRC initiates service activation/deactivation accounting<br />
if that AVP also includes the <strong>Juniper</strong>-Acct-Collect AVP (AVP code 2054).<br />
JSRC initiates interim accounting when the <strong>Juniper</strong>-Policy-Install AVP includes the<br />
Acct-Interim-Interval AVP (AVP code 85). In this case, JSRC updates the accounting<br />
values at the interval specified in the AVP— in the range 600 through 86,400 seconds.<br />
JSRC and the SAE exchange Diameter Accounting-Request (ACR) and<br />
Accounting-Answer (ACA) messages to communicate accounting data. Both messages<br />
include the <strong>Juniper</strong>-Acct-Record AVP (AVP code 2053) to identify and confirm the<br />
service for which accounting information is requested.<br />
JSRC can provide an accounting only of volume statistics. You must employ either<br />
classic firewall filters or fast update firewall filters to collect the accounting data. To<br />
specify JSRC accounting, include the accounting-order activation-protocol statement<br />
at the [edit access profile] hierarchy level; this is the same access profile that configures<br />
JSRC service provisioning. Alternatively, you can configure the accounting reports to<br />
be sent by RADIUS by including instead the accounting-order radius statement at the<br />
[edit access profile] hierarchy level.<br />
[Subscriber Access]<br />
• Support for controlling the rate of flow of RADIUS messages (M120, M320, MX Series<br />
routers)—Junos OS <strong>Release</strong> 11.4 supports limiting the flow of RADIUS requests between<br />
the router and configured RADIUS servers. To specify the number of RADIUS requests<br />
per second that the router can send, collectively, to all configured RADIUS servers,<br />
include the request-rate configuration statement at the [access profile profile-name<br />
radius options] hierarchy level. By default, the router can send up to 500 requests per<br />
second to the RADIUS servers. You can specify a value from 500 through 4000 requests<br />
per second.<br />
132<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Junos OS <strong>Release</strong> 11.4 also enables you to limit the maximum number of outstanding<br />
requests from the router to a RADIUS server. To specify the maximum number of<br />
outstanding requests from the router to a RADIUS server, include the<br />
max-outstanding-requests configuration statement at the [access profile profile-name<br />
radius server] or [profile profile-name radius server] hierarchy level. By default, a<br />
RADIUS server can have up to 1000 outstanding RADIUS requests. You can specify a<br />
value from 0 through 2000 outstanding requests.<br />
To view the current RADIUS settings, as well as the effect of the new settings on<br />
performance, use the show network-access aaa statistics radius operational mode<br />
command.<br />
user@host> show network-access aaa statistics radius<br />
Outstanding Requests<br />
RADIUS Server Profile Configured Current Peak Exceeded<br />
12.1.11.254 pppoe-auth 111 0 1 0<br />
12.1.12.254 pppoe-auth-2 0 0 0 1<br />
12.1.13.254 pppoe-auth-3 64 0 10 0<br />
To clear the RADIUS statistics for the Peak and Exceeded columns, use the clear<br />
network-access aaa statistics radius operational mode command.<br />
[Subscriber Access]<br />
• Triggering ANCP OAM loopback tests (MX Series 3D Universal Edge Routers)—You<br />
can trigger ANCP OAM to perform a loopback test on the local loop (between the<br />
access node and the CPE), which can aid in simple fault isolation. When using an<br />
ATM-based local loop, the ANCP operation can trigger the access node to generate<br />
ATM (F4/F5) loopback cells on the local loop. For an Ethernet-based local loop, ANCP<br />
operation can trigger the access node to generate an Ethernet loopback message on<br />
the local loop. When the test is completed, the access node sends a message to the<br />
router with the results.<br />
To initiate local loop testing, you must identify a particular loop for the test. You can<br />
issue the request ancp oam neighbor command from CLI operation mode and identify<br />
the access loop by specifying an ANCP neighbor by IP address or system name; in either<br />
case you must also specify the access identifier for a subscriber on that access node.<br />
Alternatively, you can issue the request ancp oam interface command from CLI operation<br />
mode and identify the loop by specifying an ANCP interface or set of interfaces. With<br />
either command, you can also specify how many times the test must be run and how<br />
long the router waits for a response to the OAM request.<br />
[Subscriber Access]<br />
• Mapping ANCP attributes to vendor-specific attributes (MX Series 3D Universal<br />
Edge Routers)—You can now configure AAA to add the<br />
Downstream-Calculated-QoS-Rate VSA (IANA 4874, 26-141) and the<br />
Upstream-Calculated-QoS-Rate VSA (IANA 4874, 26-142) to the RADIUS<br />
authentication and accounting request messages for subscribers. By default, these<br />
VSAs are not present in any RADIUS messages. To add the VSAs, include the<br />
juniper-dsl-attributes statement at the [edit access profile profile-name radius options]<br />
hierarchy level.<br />
AAA provides the default recommended transmit and receive speeds in these RADIUS<br />
messages. The default values are configured with the advisory-options statement at<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
133
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
the [edit protocols ancp interfaces interface-name] hierarchy level. The transmit speed<br />
is the recommended traffic value in bits per second used for downstream traffic for<br />
an ANCP interface, and is conveyed in the Downstream-Calculated-QoS-Rate VSA<br />
(IANA 4874, 26–141). The receive speed is the recommended traffic value in bits per<br />
second used for upstream traffic for an ANCP interface, and is conveyed in the<br />
Upstream-Calculated-QoS-Rate VSA (IANA 4874, 26-142).<br />
In contrast to the <strong>Juniper</strong> <strong>Networks</strong> DSL VSAs, the DSL Forum (RFC 4679) VSA is added<br />
to RADIUS messages by default. You can use the exclude dsl-forum-attributes<br />
statement at the [edit access profile profile-name radius attributes] hierarchy level to<br />
prevent the DSL Forum VSA from being included in a specified type of RADIUS message.<br />
Similarly, you can use the exclude downstream-calculated-qos-rate and the exclude<br />
upstream-calculated-qos-rate statements to prevent these <strong>Juniper</strong> <strong>Networks</strong> VSAs<br />
from being included in a specified type of RADIUS message.<br />
[Subscriber Access]<br />
• Setting a recommended shaping rate for traffic on ANCP interfaces (MX Series 3D<br />
Universal Edge Routers)—When the access node sends information about the<br />
downstream and upstream calculated traffic rates for an interface, those values are<br />
used to shape the traffic sent to the interface so that it matches the subscriber local<br />
loop speed. You can now specify recommended values to be used in the event the<br />
router does not receive this information from the access node. The configured<br />
recommended values are used as the default values for two <strong>Juniper</strong> VSAs,<br />
Downstream-Calculated-QoS-Rate (IANA 4874, 26-141) and<br />
Upstream-Calculated-QoS-Rate (IANA 4874, 26-142). To set the recommended<br />
shaping rate, include the advisory-options statement at the [edit protocols ancp<br />
interfaces interface-name] hierarchy level and specify the downstream (transmit) or<br />
upstream (receive) traffic rate in bits per second.<br />
[Subscriber Access]<br />
• Improving the accuracy of the data rate reported by ANCP (MX Series 3D Universal<br />
Edge Routers)—When a DSLAM calculates the data rate on the subscriber local loop,<br />
it ignores the additional headers on the DSL line that are associated with the overhead<br />
of the access mode (ATM or Ethernet). However, when ANCP subsequently reports<br />
the upstream data rate or the downstream data rate, it includes the headers in its<br />
calculation and therefore reports a slightly higher value than that calculated by the<br />
DSLAM. This discrepancy causes the CoS shaping rate to be slightly higher than the<br />
actual rate.<br />
You can configure an adjustment factor that applies a percentage value to the total<br />
downstream and upstream data rates reported by ANCP. The adjustment factor applies<br />
globally for all subscribers of a particular DSL line type. The adjusted data rate results<br />
in a more accurate CoS shaping rate that is reported to CoS and to AAA whenever AAA<br />
requests the data rate from ANCP. To configure the adjustment factor, include the<br />
adjustment-factor statement at the [edit protocols ancp] hierarchy level.<br />
[Subscriber Access]<br />
• HTTP redirect service plugin (MX Series 3D Universal Edge Routers)—This feature<br />
adds IPv6 support for HTTP redirect. When you use a remote IPv6 HTTP redirect server,<br />
134<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
you can now configure an HTTP service rule to rewrite the IPv6-DA of incoming HTTP<br />
requests on the service router. This ensures that the requests reach the remote HTTP<br />
redirect server before being redirected to a captive portal. When you use a local HTTP<br />
redirect server, you can configure an HTTP service rule to redirect HTTP requests to a<br />
captive portal within a walled garden.<br />
[Subscriber Access]<br />
• AVP service bundle and definition (MX Series 3D Universal Edge Routers)—This<br />
feature adds the <strong>Juniper</strong>-Service-Bundle AVP (AVP code 2004), which is of type<br />
OctetString, and defines a name of the service bundle.<br />
[Subscriber Access]<br />
• Support for configurable RADIUS account termination reasons—Junos OS <strong>Release</strong><br />
11.4 supports configurable mapping of protocol-specific terminate reasons to the<br />
RADIUS Acct-Terminate-Cause attribute.<br />
NOTE: For a list of default termination reasons, see the Junos OS Special<br />
Document for <strong>Release</strong> 11.4 M Series, MX Series, and T Series Routers.<br />
When a AAA, DHCP, L2TP, or PPP session is terminated, protocol-specific terminate<br />
reasons (if determined) are converted to a specific termination cause, as defined by<br />
standard RADIUS attribute 49 (Acct-Terminate-Cause). This attribute is included in<br />
RADIUS Acct-Stop messages and is used to monitor and troubleshoot terminated user<br />
sessions.<br />
Terminate reason usage statistics are accumulated on the router. You can use the<br />
show network-access aaa terminate-code [reverse] [(aaa | dhcp | l2tp | ppp)] [(detail |<br />
summary | brief)] command to display information about mappings between application<br />
terminate reasons and RADIUS Acct-Terminate-Cause attributes. You can also use<br />
the clear network-access aaa statistics terminate-code command to clear all terminate<br />
mapping statistics.<br />
Junos OS <strong>Release</strong> 11.4 also supports the option to customize mappings between a<br />
terminate reason and a RADIUS Acct-Terminate-Cause attribute, enabling you to<br />
provide different information about the cause of a termination. To configure customized<br />
mappings between a terminate reason and a RADIUS Acct-Terminate-Cause attribute,<br />
include the terminate-code (aaa | dchp | l2tp | ppp) term-reason radius term-cause<br />
statement at the [edit access] hierarchy level.<br />
[Subscriber Access]<br />
• RADIUS support for limiting maximum number of concurrent PPPoE sessions (M120,<br />
M320, and MX Series routers)—Enables you to override the PPPoE maximum session<br />
value (configured with the max-sessions statement) with the PPPoE maximum session<br />
value returned by the RADIUS server in the Max-Clients-Per-Interface <strong>Juniper</strong> <strong>Networks</strong><br />
vendor-specific attribute (VSA) [26-143]. This feature is useful if you want to determine<br />
the PPPoE session limit on a per-subscriber basis.<br />
The PPPoE maximum session value specifies the maximum number of concurrent<br />
static or dynamic PPPoE logical interfaces (sessions) that the router can activate on<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
135
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
the PPPoE underlying interface, or the maximum number of active static or dynamic<br />
PPPoE sessions that the router can establish with a particular service entry in a PPPoE<br />
service name table.<br />
In earlier releases, the PPPoE maximum session value was determined on a<br />
per-interface basis by the number of active PPPoE sessions configured in the CLI with<br />
the max-sessions statement. In the current release, the PPPoE maximum session value<br />
is determined on a per-subscriber basis by the maximum session value returned by<br />
RADIUS in the Max-Clients-Per-Interface VSA [26-143] during the subscriber<br />
authentication process. The Max-Clients-Per-Interface VSA returns the PPPoE<br />
maximum session value in Access-Accept messages, but not in Change of Authorization<br />
Request (CoA-Request) messages.<br />
The Max-Clients-Per-Interface VSA uses <strong>Juniper</strong> <strong>Networks</strong> vendor ID 4874, and is<br />
defined as follows:<br />
Attribute<br />
Number<br />
Attribute Name<br />
Description<br />
Value<br />
Dynamic CoA<br />
Support<br />
26-143<br />
Max-Clients-Per-Interface<br />
Maximum allowable client<br />
sessions per interface. For DHCP<br />
clients, this value is the<br />
maximum sessions per logical<br />
interface. For PPPoE clients, this<br />
value is the maximum sessions<br />
(PPPoE interfaces) per PPPoE<br />
underlying interface.<br />
integer: 4-octet<br />
No<br />
By default, the maximum session value returned by RADIUS in the<br />
Max-Clients-Per-Interface VSA takes precedence over the configured PPPoE maximum<br />
session value; no special configuration is required on the router to use this feature.<br />
To clear (ignore) the value returned by RADIUS in the Max-Clients-Per-Interface VSA<br />
and restore the PPPoE maximum session value on the underlying interface to the value<br />
configured in the CLI with the max-sessions statement, you must include the new<br />
max-sessions-vsa-ignore statement at any of the following hierarchy levels:<br />
• [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number family<br />
pppoe]<br />
• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number<br />
family pppoe]<br />
• [edit interfaces interface-name unit logical-unit-number family pppoe]<br />
• [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]<br />
• [edit logical-systems logical-system-name interfaces interface-name unit<br />
logical-unit-number family pppoe]<br />
• [edit logical-systems logical-system-name interfaces interface-name unit<br />
logical-unit-number pppoe-underlying-options]<br />
To display information about the maximum sessions configured on the PPPoE<br />
underlying interface, use the show pppoe underlying-interfaces operational command.<br />
136<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
[Junos OS Subscriber Access Configuration Guide, Junos OS Interfaces Command Reference,<br />
Junos OS Ethernet Interfaces Configuration Guide]<br />
• Inline L2TP LNS support (MX Series 3D Universal Edge Routers)—MX960, MX480,<br />
and MX240 routers with MPCs now support L2TP LNS functionality in addition to the<br />
L2TP LAC functionality previously supported. In earlier releases, L2TP LNS support<br />
was available only on certain M Series Multiservice Edge Routers and required a separate<br />
services PIC. The new MX Series support means that the MPCs you are already using<br />
for other applications can now be used to provide inline L2TP LNS services.<br />
To enable inline services on an MPC, include the inline-services statement at the [edit<br />
chassis fpc slot-number pic number] hierarchy level. You can configure the amount of<br />
bandwidth reserved on each Packet Forwarding Engine for tunnel traffic using inline<br />
services with the bandwidth statement at any of the [edit chassis fpc slot-number pic<br />
number inline-services] hierarchy levels.<br />
Inline services require that you configure a service interface—si—at the [edit interfaces]<br />
hierarchy level, either statically or with a dynamic profile.<br />
When you configure the properties of the L2TP tunnel on the LNS with the tunnel-group<br />
statement at the [edit services l2tp] hierarchy level, you can include the new<br />
aaa-access-profile statement to specify a local access profile that overrides the default<br />
AAA profile configured for the routing instance where the tunnel is terminated. You<br />
can also include the tos-reflect statement, which causes the LNS to reflect the IP ToS<br />
value in the inner IP header to the outer IP header.<br />
To monitor LNS operations and configuration, you can issue the following existing<br />
commands on the LNS: show services l2tp summary, show services l2tp destination,<br />
show services l2tp session, show services l2tp tunnel, and show subscribers.<br />
[Subscriber Access]<br />
• Unique identifiers for firewall variables in dynamic profiles (MX Series<br />
routers)—Enables the system to generate unique identifiers (UIDs) for parameterized<br />
filters in dynamic profiles created for services. The generated UIDs enable you to identify<br />
and configure separate parameter values for filters with the same variable name. In<br />
addition, assigning a UID improves performance of the router.<br />
For service profiles, you can request the generation of a UID for a user-defined variable<br />
by including the uid statement at the [edit dynamic-profiles profile-name variable<br />
variable-name] hierarchy level. You then reference the variable name in the filter.<br />
To enable selection of a particular filter in a dynamic profile that contains multiple<br />
variables of the same parameter and criteria type, you must indicate that the variable<br />
refers to a UID. To configure, include the uid-reference statement at the [edit<br />
dynamic-profiles profile-name variable variable-name] hierarchy level.<br />
For example, if the variable $in-filter receives the value of “filter1” from RADIUS, the<br />
filter definition named $filter is used.<br />
[Subscriber Access]<br />
• SNMP support for dual-stack subscriber secure policy traffic mirroring (MX Series<br />
routers)—Subscriber secure policy traffic mirroring now provides dual-stack support<br />
for DHCP and PPP subscribers. Dual-stack support enables the router to activate both<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
137
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
IPv4 and IPv6 traffic mirroring at different times. As part of the dual-stack<br />
enhancements, Junos OS <strong>Release</strong> 11.4 also includes a new SNMP object to identify the<br />
mirrored IPv6 traffic, and two existing SNMP objects that are modified to track IPv6<br />
traffic statistics.<br />
Table 9 on page 138 shows the new and modified SNMP objects.<br />
Table 9: SNMP Trap Definitions<br />
New SNMP Object<br />
Description<br />
SNMP Trap Definition<br />
jnxJsPacketMirrorTargetIpv6Address<br />
IPv6 address of the mirrored<br />
interface.<br />
jnxJsPacketMirrorLiSubscriberLoggedIn<br />
jnxJsPacketMirrorLiSubscriberServiceActivated<br />
jnxJsPacketMirrorLiSubscriberServiceDeactivated<br />
jnxJsPacketMirrorLiSubscriberLogInFailed<br />
jnxJsPacketMirrorLiSubscriberLoggedOut<br />
jnxJsPacketMirrorLiSubscriberServiceActivationFailed<br />
jnxJsPacketMirrorOctetsReceived<br />
Number of octets of<br />
combined IPv4 and IPv6<br />
subscriber traffic received.<br />
jnxJsPacketMirrorLiSubscriberLoggedOut<br />
jnxJsPacketMirrorOctetsTransmitted<br />
Number of octets of<br />
combined IPv4 and IPv6<br />
subscriber traffic<br />
transmitted.<br />
jnxJsPacketMirrorLiSubscriberLoggedOut<br />
[Subscriber Access]<br />
• Support for static and dynamic CoS and firewall filters on L2TP inline LNS service<br />
interfaces (MX Series routers)—Enables you to configure static and dynamic CoS<br />
parameters for PPP sessions terminated over L2TP network server (LNS) tunnels. This<br />
feature is supported on MX Series routers with MPC/MIC modules.<br />
Inline services at the LNS require that you configure a service interface (si) at the [edit<br />
interfaces] hierarchy level.<br />
When a service interface is configured for an L2TP LNS session, it has an inner IP header<br />
and an outer IP header. You can configure CoS for an LNS session that corresponds<br />
to the inner IP header because the outer IP header is used for the L2TP tunnel<br />
processing. However, we recommend that you configure the LNS to reflect the IP ToS<br />
value in the inner IP header to the outer IP header by including the tos-reflect statement<br />
at the [edit services l2tp] hierarchy level.<br />
To apply per-session CoS on egress traffic from the LAC, you can configure fixed and<br />
behavior aggregate (BA) classifiers by including the classifiers statement at the [edit<br />
class-of-service] hierarchy level. You can then apply the classifiers at the [edit<br />
class-of-service interfaces si-fpc/port/pic unit logical-unit-number] hierarchy level or<br />
at the [edit dynamic-profiles profile-name class-of-service interfaces<br />
138<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
$junos-interface-ifd-name unit $junos-interface-unit] hierarchy level. The following BA<br />
classifier types are supported: inet-precedence, dscp, and dscp-ipv6.<br />
To apply per-session CoS on ingress traffic to the LAC, you can configure rewrite rules,<br />
hierarchical scheduling, and shaping adjustments. To define rewrite rules, include the<br />
rewrite-rules statement at the [edit class-of-service] hierarchy level. You can then apply<br />
the rewrite rules at the [edit class-of-service interfaces si-fpc/port/pic unit<br />
logical-unit-number] hierarchy level or at the [edit dynamic-profiles profile-name<br />
class-of-service interfaces $junos-interface-ifd-name unit $junos-interface-unit] hierarchy<br />
level.<br />
By default, the shaping calculation on the service interface includes the L2TP<br />
encapsulation. If necessary, you can configure additional adjustments for downstream<br />
ATM traffic from the LAC or differences in Layer 2 protocols. To enable hierarchical<br />
scheduling for the service interface, include the hierarchical-scheduler statement at<br />
the [edit interfaces si-fpc/port/pic ] hierarchy level. To enable Level 3 nodes in the LNS<br />
scheduler hierarchy and provide better scaling, we recommend that you specify two<br />
hierarchy levels by including the maximum-hierarchy-levels statement at the [edit<br />
interfaces si-fpc/port/pic hierarchical-scheduler] hierarchy level.<br />
To apply additional shaping adjustments for static LNS sessions, you can configure<br />
the overhead-accounting statement for the service interface at the [edit class-of-service<br />
traffic-control-profiles profile-name] hierarchy level. For dynamic CoS, apply the<br />
overhead-accounting statement for the service interface at the [edit dynamic-profiles<br />
profile-name class-of-service traffic-control-profiles profile-name] hierarchy level.<br />
You can then apply the traffic control profile to the service interface by including the<br />
output-traffic-control-profile statement at the [edit class-of-service interfaces<br />
si-fpc/port/pic unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles<br />
profile-name class-of-service interfaces $junos-interface-ifd-name unit<br />
$junos-interface-unit] hierarchy level. To limit bandwidth for tunneled sessions with<br />
default CoS configurations, we recommend that you also configure CoS for remaining<br />
traffic by including the output-traffic-control-profile-remaining statement for the static<br />
interface.<br />
[Subscriber Access, Class of Service]<br />
• DHCPv6 multiple address support (MX Series routers)—Subscriber management<br />
now supports the assignment of multiple addresses to a DHCPv6 client. DHCPv6<br />
clients can request both IA_NA and IA_PD addresses in a single DHCPv6 Solicit message.<br />
This feature provides support for networking environments in which a customer<br />
premises equipment (CPE) device requires a host address and a delegated prefix.<br />
DHCPv6 multiple address support is enabled by default, and is activated when the<br />
client DHCPv6 Solicit message contains both the IA_NA and IA_PD options. The<br />
following list describes subscriber management enhancements to support multiple<br />
address assignment:<br />
• For dynamic profile support, you use the new Junos OS predefined variable,<br />
$junos-subscriber-ipv6-multi-address. The variable is applied as a demux source<br />
address array, and is expanded to include both the host and prefix addresses. You<br />
include the $junos-subscriber-ipv6-multi-address variable at the [edit dynamic-profile<br />
profile-name interfaces interface-name unit logical-unit-number family inet6<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
139
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
demux-source] hierarchy level. You can use this variable in place of the existing<br />
$junos-subscriber-ipv6-address variable, which only supports a single IPv6 address<br />
or prefix.<br />
• You can explicitly specify which address pool the router uses to assign the IA_PD<br />
address. This enables you to identify the address pool without using RADIUS or a<br />
network match. To specify which address pool you want to use to assign the IA_PD<br />
address, include the delegated-pool statement at the [edit system services<br />
dhcp-local-server dhcpv6 ... overrides] hierarchy levels. You can configure the<br />
delegated pool at the DHCPv6 local server global, group, or interface hierarchy levels.<br />
• The show dhcpv6 server binding and show subscriber commands now display<br />
information related to the DHCPv6 IA_NA and IA_PD multiple address assignments.<br />
[Subscriber Access]<br />
• Support for interface name in the authentication username—You can now include<br />
the interface name as part of the DHCPv4 and DHCPv6 authentication username for<br />
DHCP local server and DHCP relay agent. You can include the interface name globally<br />
or for a specific group.<br />
To configure the authentication interface name, include the interface-name statement<br />
at the appropriate [edit ... authentication username-include] hierarchy levels for DHCP<br />
and DHCPv6 local server, and DHCP and DHCPv6 relay agent.<br />
[Subscriber Access]<br />
• Support for the calling station ID field in RADIUS packets—Starting with <strong>Release</strong> 11.4,<br />
Junos OS supports the calling station ID field in RADIUS authentication and accounting<br />
packets for sessions originating from SSH, Telnet, and FTP-based clients. The calling<br />
station ID field contains the IP address of the host from which a user connects to the<br />
router.<br />
Addition of the calling station ID information in the RADIUS authentication packets<br />
enables you to configure the RADIUS server to authorize, track, and account users<br />
based on the calling station ID information. The calling station ID field also enables<br />
you to identify the geographical locations of the host from which the connection request<br />
originates.<br />
[System Basics]<br />
• Enhancements to tracing DHCP operations (M120 and M320 Multiservice Edge<br />
Routers, MX Series 3D Universal Edge Routers)—In earlier releases you configured<br />
DHCP trace logging in only the default:default LS:RI combination; the configuration<br />
was applied globally to all LS:RI instances. To apply DHCP trace operations to a<br />
nondefault LS:RI combination, you were required to configure a DHCP application in<br />
the default:default LS:RI combination.<br />
Trace logging is now configured by default outside the scope of the DHCP applications<br />
(DHCP relay or DHCP local server). To apply a DHCP trace configuration across all<br />
LS:RI combinations and all DHCP applications, include the traceoptions or<br />
interface-traceoptions statement at the [edit system processes dhcp-service] hierarchy<br />
level.<br />
140<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
NOTE: Configuration of event tracing on a per-LS:RI basis is not supported.<br />
The existing statements at the [edit system services dhcp-local-server] and [edit<br />
forwarding-options dhcp-relay] hierarchy levels have been deprecated and hidden in<br />
favor of the statements at the new level in the CLI hierarchy. The deprecated statements<br />
might be removed from a future release; we recommend that you transition to the new<br />
statements.<br />
Because a trace configuration can be configured in more than one scope (two old and<br />
deprecated, one new and recommended), the following rules apply to manage the<br />
interaction:<br />
• When you configure a filename or any other options for the trace log file, the<br />
configuration at the [edit system processes dhcp-service] hierarchy level has the<br />
highest precedence, followed by the configuration at the [edit system services<br />
dhcp-local-server] hierarchy level, and finally with the lowest precedence, the<br />
configuration at the [edit forwarding-options dhcp-relay] hierarchy level.<br />
• The flag configuration for multiple scopes is merged and applied to all trace log<br />
events.<br />
• You can now filter the generation of DHCP trace log events by severity level: error,<br />
warning, notice, info, verbose, and all. The default setting is error. However, if you<br />
configure the old statements, trace logging operates with an implicit severity of all,<br />
regardless of the severity level configured at the [edit system processes dhcp-service]<br />
hierarchy level.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
141
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
The following table lists previously available traceoptions flags that have been<br />
deprecated and the corresponding flags that now provide the same functionality.<br />
Deprecated Flag<br />
Replacement Flag<br />
dhcpv6-general<br />
general<br />
dhcpv6-io<br />
io<br />
dhcpv6-packet<br />
packet<br />
dhcpv6-packet-option<br />
packet<br />
dhcpv6-rpd<br />
rpd<br />
dhcpv6-session-db<br />
session-db<br />
dhcpv6-state<br />
state<br />
packet-option<br />
packet<br />
Finally, the layout of trace log content has been enhanced to improve readability.<br />
[Subscriber Access]<br />
• Support for filter enhanced network services mode (MX Series routers with<br />
MPCs)—Junos OS <strong>Release</strong> 11.4 supports the limiting of static service filters or API-client<br />
filters to term-based filter format only for inet or inet6 families when Enhanced Network<br />
Services mode is configured at the [edit chassis network-services] hierarchy level. When<br />
used with one of the chassis Enhanced Network Services modes, firewall filters are<br />
generated only in term-based format for use with MPCs.<br />
To configure a firewall filter for use with Enhanced Network Services mode, include<br />
the enhanced-mode statement at the [edit firewall family inet filter filter-name] or [edit<br />
firewall family inet6 filter filter-name] hierarchy level.<br />
[Subscriber Access]<br />
• CoS enhancements for managing bandwidth for subscriber services (MX Series<br />
routers with MPC/MIC interfaces)—Enables you to prioritize and manage bandwidth<br />
for services more effectively at different levels of the broadband edge network. These<br />
enhancements are supported on MPC/MIC modules on MX Series routers.<br />
By default, MPC/MIC interfaces support scheduling of excess bandwidth for both lowand<br />
high-priority traffic. You can now specify the specific priority of the excess<br />
bandwidth by including the excess-rate-high [proportional value | percent value]<br />
statement or the excess-rate-low [ proportional value | percent value ] statement at<br />
the [edit class-of-service traffic-class-profile profile-name] hierarchy level or the [edit<br />
dynamic-profiles profile-name class-of-service traffic-class-profile profile-name] hierarchy<br />
level. Note that when you configure the excess-rate statement for an interface, you<br />
cannot also configure the excess-rate-low and excess-rate-high statements. We<br />
recommend that you configure either a percentage or a proportion of the excess<br />
142<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
bandwidth for all schedulers with the same parent in the hierarchy. For example, if you<br />
configure interface 1.1 with 20% of the excess bandwidth, configure interface 1.2 with<br />
80% of the excess bandwidth.<br />
On MPC/MIC interfaces, you can configure shaping of aggregate traffic at a given<br />
priority. By default, when traffic exceeds the shaping or guaranteed rates, the system<br />
demotes traffic with guaranteed priority. You can disable priority demotion by including<br />
the none option with the excess-priority statement at the [edit class-of-service<br />
schedulers scheduler-name] hierarchy level or the [edit dynamic-profiles profile-name<br />
class-of-service schedulers scheduler-name] hierarchy level. Traffic that exceeds the<br />
shaping rate is dropped.<br />
You can now configure a burst size for the shaping rate and guaranteed rate at the<br />
traffic control profile level, as well as for the shaping rate at the scheduler level. The<br />
burst value determines the number of rate credits that can accrue when the queue or<br />
scheduler node is held in the inactive round robin. This feature is useful to prevent<br />
excessive buffering at downstream DSLAMs, which typically have limited QoS and<br />
buffering capabilities. Include the burst-size option with the shaping-rate or<br />
guaranteed-rate statement at the [edit class-of-service traffic-control-profile<br />
profile-name] hierarchy level or the [edit dynamic-profiles profile-name class-of-service<br />
traffic-control-profile profile-name] hierarchy level. You can also include the burst-size<br />
option with the shaping rate at the [edit class-of-service schedulers scheduler-name]<br />
hierarchy level or the [edit dynamic-profiles profile-name class-of-service schedulers<br />
scheduler-name] hierarchy level.<br />
In addition, you can now configure an excess rate when no guaranteed rate is specified<br />
for a scheduler hierarchy without receiving a commit error.<br />
[Class of Service, Subscriber Access]<br />
• Support for automatic removal of subscriber VLANs—Junos OS <strong>Release</strong> 11.4 supports<br />
the automatic removal of subscriber VLANs when no client sessions (for example,<br />
DHCP or PPPoE) exist on the VLAN. Before Junos OS <strong>Release</strong> 11.4, you were only able<br />
to clear or delete subscriber VLANs manually.<br />
To automatically remove unused dynamic subscriber VLANS, include the<br />
remove-when-no-subscribers statement at the [edit interfaces interface-name<br />
auto-configure] hierarchy level.<br />
NOTE: The maintain-subscriber statement and remove-when-no-subscribers<br />
statement are mutually exclusive. You cannot specify that dynamically<br />
configured VLAN interfaces are removed when no subscribers exist when<br />
the router is also configured to maintain subscribers.<br />
When configuring automatic removal of dynamic subscriber VLANs, keep the following<br />
in mind:<br />
• You can configure automatic VLAN removal only on individual physical interfaces.<br />
You cannot configure the feature globally.<br />
• Automatic VLAN removal is not supported for use on Layer 2 Wholesale interfaces.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
143
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• PPPoE subscriber interfaces require the use of dynamic profiles when configured<br />
over dynamic VLANS. However, dynamic profiles are not required for use with DHCP<br />
subscriber interfaces that use underlying dynamic VLANs. Because the<br />
remove-when-no-subscribers functionality triggers when no dynamic client sessions<br />
exist on a dynamic VLAN, automatic removal of underlying dynamic VLANs is not<br />
supported when DHCP subscriber interfaces are not created using dynamic profiles.<br />
[Subscriber Access, Network Interfaces]<br />
• Support for address pool threshold traps (MX Series 3D Universal Edge Routers)—You<br />
can now set usage threshold traps to give advanced warning that an address pool is<br />
running short on available addresses. To configure address pool usage threshold traps,<br />
include the abatedUtilization utilization-value, abatedUtilization-v6 utilization-value,<br />
highUtilization percentage, and highUtilization-v6 percentage statements at the [edit<br />
access address-assignment] hierarchy level.<br />
[Subscriber Access]<br />
• Using access profiles to manage NAS port information (MX Series<br />
routers)—Subscriber management uses default settings and values specified in RADIUS<br />
to identify the NAS port used for subscriber authentication. The NAS-Port-Id (RADIUS<br />
attribute 87) and NAS-Port-Type (RADIUS attribute 61) provide the NAS port<br />
identification and type information.<br />
You can optionally configure access profiles to provide alternate values for the RADIUS<br />
NAS-Port-Id and NAS-Port-Type attributes. This enables you to use access profiles<br />
to specify the NAS port that is used for a given connection. For example, you might<br />
configure an access profile that specifies that a NAS port type of wireless is used for<br />
all Ethernet connections that are managed by that access profile.<br />
To configure an optional NAS-Port-Id, use the nas-port-id-format statement at the<br />
[edit access profile profile-name radius options] hierarchy level. The optional NAS-Port-Id<br />
can include any combination of the NAS identifier, the Agent Circuit ID (ACI), the Agent<br />
Remote ID (ARI), and the interface description.<br />
To configure an optional NAS-Port-Type, use the nas-port-type statement at the [edit<br />
access profile profile-name radius options] hierarchy level. The optional port type values<br />
are specified in RFC 2865 and are also described in the Junos OS Subscriber Access<br />
Configuration Guide.<br />
[Subscriber Access]<br />
• Support for enhanced policer statistics (MX Series Routers)—With this feature, you<br />
can query for additional statistics for policers as follows:<br />
• Offered–Packet statistics for traffic subjected to policing.<br />
• OutofSpec–Packet statistics for the packets that are marked out-of-specification<br />
(out-of-spec) by the policer. Changes to all packets that have out-of-spec actions,<br />
such as discard, color marking, or forwarding-class, are included in this counter.<br />
• Transmitted–Packet statistics for the traffic that is not discarded by the policer.<br />
When the policer action is discard, the statistics are the same as the in-spec statistics;<br />
when the policer action is non-discard (loss-priority or forwarding-class), the statistics<br />
are included in this counter.<br />
144<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
This feature is supported on MPC/MIC interfaces on MX Series routers.<br />
The new detail option has been added to the show firewall, show firewall filter<br />
filter-name, and show policer commands.<br />
To enable this feature, include the enhanced-policer statement at the [edit chassis]<br />
hierarchy level.<br />
[Subscriber Access]<br />
System Logging<br />
• New and deprecated system log tags—The following set of system log messages are<br />
new in this release:<br />
• ANALYZER—This chapter describes messages with the ANALYZER prefix on the<br />
<strong>Juniper</strong> <strong>Networks</strong> EX Series switches. They are generated by the sample process<br />
(sampled), which gathers information on mirrored traffic analysis for EX Series<br />
switches.<br />
• FABOAMD—This chapter describes messages with the FABOAMD prefix on the<br />
<strong>Juniper</strong> <strong>Networks</strong> QFabric QFX3000 switch. They are generated by the QFabric<br />
switch Operations, Administration, and Maintenance (OAM) process (faboamd),<br />
which enables OAM operations (such as a fabric ping) across different devices in<br />
the QFabric switch.<br />
The following system log messages are new in this release:<br />
• ANALYZER_INPUT_INTERFACES_LIMIT<br />
• APPIDD_APPPACK_INSTALL_RESULT<br />
• APPIDD_INTERNAL_ERROR<br />
• APPTRACK_SESSION_APP_UPDATE_LS<br />
• APPTRACK_SESSION_CLOSE_LS<br />
• APPTRACK_SESSION_CREATE_LS<br />
• APPTRACK_SESSION_VOL_UPDATE_LS<br />
• ASP_NAT_PORT_BLOCK_ALLOC<br />
• ASP_NAT_PORT_BLOCK_RELEASE<br />
• CHASSISD_ACQUIRE_MASTERSHIP<br />
• CHASSISD_FM_ACTION_FPC_OFFLINE<br />
• CHASSISD_FM_ACTION_FPC_ONLINE<br />
• CHASSISD_FM_ACTION_FPC_POWER_OFF<br />
• CHASSISD_FM_ACTION_FPC_RESTART<br />
• CHASSISD_FM_ACTION_PLANE_OFFLINE<br />
• CHASSISD_FM_ACTION_PLANE_ONLINE<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
145
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• CHASSISD_FM_DETECT_PLANES_DOWN<br />
• CHASSISD_FM_DETECT_UNREACHABLE<br />
• CHASSISD_VCHASSIS_LICENSE_ERROR<br />
• DCBX_PFC_DISABLED<br />
• DCBX_PFC_ENABLED<br />
• DCD_PARSE_WARN_INCOMPATIBLE_CFG<br />
• ESWD_LEARNT_FDB_MEMORY_ERROR<br />
• ESWD_OUT_OF_LOW_MEMORY<br />
• ESWD_STATIC_FDB_MEMORY_WARNING<br />
• ESWD_VLAN_MAC_LIMIT_EXCEEDED<br />
• EVENTD_SECURITY_LOG_CLEAR<br />
• FABOAMD_DEBUGGING<br />
• FABOAMD_TASK_SOCK_ERR<br />
• FLOW_HIGH_WATERMARK_TRIGGERED_LS<br />
• FLOW_IP_ACTION_LS<br />
• FLOW_LOW_WATERMARK_TRIGGERED_LS<br />
• FWAUTH_FTP_LONG_PASSWORD_LS<br />
• FWAUTH_FTP_LONG_USERNAME_LS<br />
• FWAUTH_FTP_USER_AUTH_ACCEPTED_LS<br />
• FWAUTH_FTP_USER_AUTH_FAIL_LS<br />
• FWAUTH_HTTP_USER_AUTH_FAIL_LS<br />
• FWAUTH_HTTP_USER_AUTH_OK_LS<br />
• FWAUTH_TELNET_LONG_PASSWORD_LS<br />
• FWAUTH_TELNET_LONG_USERNAME_LS<br />
• FWAUTH_TELNET_USER_AUTH_FAIL_LS<br />
• FWAUTH_TELNET_USER_AUTH_OK_LS<br />
• FWAUTH_WEBAUTH_FAIL_LS<br />
• FWAUTH_WEBAUTH_SUCCESS_LS<br />
• IDP_APPDDOS_APP_ATTACK_EVENT_LS<br />
• IDP_APPDDOS_APP_STATE_EVENT_LS<br />
• IDP_ATTACK_LOG_EVENT_LS<br />
• IDP_SESSION_LOG_EVENT_LS<br />
• JSRPD_SET_HW_MON_FAILURE<br />
146<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• JSRPD_SET_LOOPBACK_MON_FAILURE<br />
• JSRPD_SET_MBUF_MON_FAILURE<br />
• JSRPD_SET_NEXTHOP_MON_FAILURE<br />
• JSRPD_UNSET_HW_MON_FAILURE<br />
• JSRPD_UNSET_LOOPBACK_MON_FAILURE<br />
• JSRPD_UNSET_MBUF_MON_FAILURE<br />
• JSRPD_UNSET_NEXTHOP_MON_FAILURE<br />
• L2ALD_FREE_MAC_FAILED<br />
• LACPD_TIMEOUT<br />
• LICENSE_SHM_ATTACH_FAILURE<br />
• LICENSE_SHM_CREATE_FAILURE<br />
• LICENSE_SHM_DETACH_FAILURE<br />
• LICENSE_SHM_FILE_OPEN_FAILURE<br />
• LICENSE_SHM_KEY_CREATE_FAILURE<br />
• LICENSE_SHM_SCALE_READ_FAILURE<br />
• LICENSE_SHM_SCALE_UPDATE_FAILURE<br />
• LSYSD_CFG_RD_FAILED<br />
• LSYSD_INIT_FAILED<br />
• LSYSD_SEC_NODE_COMP_SYNC_FAILED<br />
• PKID_AFTER_KEY_GEN_SELF_TEST<br />
• PKID_CORRUPT_CERT<br />
• PKID_FIPS_KAT_SUCCESS<br />
• PKID_PV_OBJECT_READ<br />
• RPD_MPLS_REQ_BW_NOT_AVAILABLE<br />
• RPD_PTHREAD_CREATE<br />
• RPD_RSVP_INCORRECT_FLOWSPEC<br />
• RPD_RT_CFG_EIBGP_VTL_CONFLICT<br />
• RT_FLOW_SESSION_CLOSE_LS<br />
• RT_FLOW_SESSION_CREATE_LS<br />
• RT_FLOW_SESSION_DENY_LS<br />
• RT_SCREEN_ICMP_LS<br />
• RT_SCREEN_IP_LS<br />
• RT_SCREEN_SESSION_LIMIT_LS<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
147
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• RT_SCREEN_TCP_DST_IP_LS<br />
• RT_SCREEN_TCP_LS<br />
• RT_SCREEN_TCP_SRC_IP_LS<br />
• RT_SCREEN_UDP_LS<br />
• RTLOG_UTP_TCP_SYN_FLOOD_LS<br />
• SYSTEM_ABNORMAL_SHUTDOWN<br />
• UI_AUTH_BAD_LOCATION<br />
• UI_AUTH_BAD_TIME<br />
• UI_CLASS_MODIFIED_USERS<br />
• UI_CLI_IDLE_TIMEOUT<br />
• UI_COND_GROUPS<br />
• UI_COND_GROUPS_COMMIT<br />
• UI_COND_GROUPS_COMMIT_ABORT<br />
• UTMD_MAILNOTIFIER_FAILURE<br />
• WEBFILTER_URL_REDIRECTED<br />
The following system log messages are no longer documented, either because they<br />
indicate internal software errors that are not caused by configuration problems or<br />
because they are no longer generated. If these messages appear in your log, contact<br />
your technical support representative for assistance:<br />
• AV_HUGE_FILE_DROPPED_MT<br />
• AV_HUGE_FILE_NOT_SCANNED_MT<br />
• AV_MANY_MSGS_DROPPED_MT<br />
• AV_MANY_MSGS_NOT_SCANNED_MT<br />
• AV_SCANNER_DROP_FILE_MT<br />
• AV_SCANNER_ERROR_SKIPPED_MT<br />
• AV_VIRUS_DETECTED_MT<br />
• CHASSISD_FM_FABRIC_DOWN<br />
• CHASSISD_FPC_FABRIC_DOWN_REBOOT<br />
• DCD_PARSE_ERR_INCOMPATIBLE_CFG<br />
• JSRPD_SET_IP_MON_FAILURE<br />
• JSRPD_UNSET_IP_MON_FAILURE<br />
• KMD_DPD_IKE_SERVER_NOT_FOUND<br />
• KMD_DPD_INVALID_ADDRESS<br />
• KMD_DPD_INVALID_SEQUENCE_NUMBER<br />
148<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• KMD_DPD_NO_LOCAL_ADDRESS<br />
• KMD_DPD_REMOTE_PEER_NOT_FOUND<br />
• KMD_DPD_UNEXPECTED_IKE_STATUS<br />
• KMD_PM_AUTH_ALGORITHM_INVALID<br />
• KMD_PM_DYNAMIC_SA_INSTALL_FAILED<br />
• KMD_PM_ENCRYPTION_INVALID<br />
• KMD_PM_IKE_SRV_NOT_FOUND_CREATE<br />
• KMD_PM_KEY_NOT_SUPPORTED<br />
• KMD_PM_LIFETIME_DUPLICATE<br />
• KMD_PM_LIFETIME_LENGTH_UNEQUA<br />
• KMD_PM_LIFETIME_NO_DURATION<br />
• KMD_PM_LIFETIME_TYPE_UNDEFINED<br />
• KMD_PM_LIFETIME_UNITS_INVALID<br />
• KMD_PM_NEW_GROUP_UNSUPPORTED<br />
• KMD_PM_PHASE1_GROUP_UNREADABLE<br />
• KMD_PM_PHASE1_IKE_SRV_NOT_FOUND<br />
• KMD_PM_PHASE1_NO_IDENTITIES<br />
• KMD_PM_PHASE1_NO_SPD_HANDLER<br />
• KMD_PM_PHASE1_POLICY_LOOKUP_FAIL<br />
• KMD_PM_PHASE1_POLICY_NOT_FOUND<br />
• KMD_PM_PHASE1_PROTO_INVALID<br />
• KMD_PM_PHASE1_PROTO_NOT_ISAKMP<br />
• KMD_PM_PHASE1_PROTO_TWICE<br />
• KMD_PM_PHASE1_TXFORM_INCOMPLETE<br />
• KMD_PM_PHASE1_TXFORM_INVALID<br />
• KMD_PM_PHASE2_IDENTITY_MISMATCH<br />
• KMD_PM_PHASE2_NOTIF_UNKNOWN<br />
• KMD_PM_PHASE2_SELECTOR_UNDEFINED<br />
• KMD_PM_PROPOSAL_NO_AUTH<br />
• KMD_PM_PROPOSAL_NO_ENCRYPTION<br />
• KMD_PM_PROPOSAL_NO_KEY_LENGTH<br />
• KMD_PM_PROPOSAL_NULL_ESP<br />
• KMD_PM_PROPOSAL_PROTOCOL_INVALID<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
149
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• KMD_PM_PROTO_NOT_NEGOTIATED<br />
• KMD_PM_REMOTE_PEER_INVALID<br />
• KMD_PM_SA_DELETE_REJECT<br />
• KMD_SNMP_IKE_SERVER_NOT_FOUND<br />
• KMD_VPN_PV_KEY_EXCHG<br />
• RT_GTP_BAD_LICENSE<br />
• RT_GTP_DEL_TUNNEL_V0<br />
• RT_GTP_DEL_TUNNEL_V1<br />
• RT_GTP_SANITY_EXTENSION_HEADER<br />
• RT_SIP_MEM_ALLOC_FAILED<br />
• SSH_FIPS_SELFTEST_EXECUTED<br />
• SSH_KEYGEN_SELFTEST_DSA<br />
• SSH_KEYGEN_SELFTEST_RSA<br />
• SSH_MSG_REPLAY_DETECT<br />
• SSHD_FIPS_SELFTEST_EXECUTED<br />
• VSYSD_INIT_FAILED<br />
• Support for forwarding structured system log messages to remote system log<br />
server—The structured-data configuration statement is added at the [edit system<br />
syslog host] hierarchy level to enable the forwarding of system log messages in a<br />
structured format to a remote system log server. This statement configures the eventd<br />
process to forward system log messages in the IETF format, which allows<br />
vendor-specific extensions to be included in the message in a structured way. The<br />
system log messages can be received on a centralized server that is capable of<br />
accepting structured messages.<br />
By default, the eventd process forwards the entire message to the remote system log<br />
server, when message forwarding is enabled. The eventd process can be enabled to<br />
send only part of the message (strip the free-form text message). This configuration<br />
can be set by using the brief option provided for the structured-data statement.<br />
[System Basics]<br />
• Support for configuring system log file rotation frequency—The log-rotate-frequency<br />
configuration statement is added at the [edit system syslog] hierarchy to configure the<br />
system log file rotation frequency. The log rotation frequency is altered by configuring<br />
the time interval at which the log file size is checked. When the log file size has exceeded<br />
the configured limit, the old log file is archived and a new log file is created. The default<br />
log rotation frequency is 15 minutes and it can be configured for any value from 1 minute<br />
through 59 minutes.<br />
Currently, the cron process schedules the newsyslog process every 15 minutes and this<br />
value cannot be changed by administrators. If logging to log files takes place at a very<br />
rapid rate, log files can grow in size much beyond their actual configured limit before<br />
150<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
the newsyslog process can be scheduled to rotate the files. The log-rotate-frequency<br />
configuration statement helps to overcome this limitation.<br />
[System Basics]<br />
User Interface and Configuration<br />
• Support for the confirmed option with the commit command in the edit private<br />
mode—In Junos OS <strong>Release</strong> 11.4 and later, you can use the commit confirmed command<br />
in the [edit private] configuration mode.<br />
[CLI User Guide]<br />
• Support for configuring a proxy server for downloading licenses—In Junos OS <strong>Release</strong><br />
11.4 and later, you can download <strong>Juniper</strong> <strong>Networks</strong> license updates using a proxy server.<br />
In earlier releases, downloading license updates was only possible by directly connecting<br />
to the <strong>Juniper</strong> <strong>Networks</strong> License Management System. In an enterprise, there might be<br />
devices in a private network that might be restricted from connecting to the Internet<br />
directly for security reasons.<br />
In such scenarios, you can configure a proxy server in the private network to connect<br />
to the LMS and download the license updates and have the routers or devices in the<br />
private network connect to the proxy server to download the licenses or license updates.<br />
To enable this feature, configure the device with details of the proxy server at the [edit<br />
system proxy] hierarchy level.<br />
[System Basics]<br />
• Using conditions to apply configuration groups—In Junos OS <strong>Release</strong> 11.3 and later,<br />
you can use the when statement at the [edit groups group-name] hierarchy to define<br />
conditions under which a configuration group should be applied. You can configure a<br />
group to be applied based on the type of chassis, model, or Routing Engine, member<br />
of virtual chassis, node of cluster, and start and optional end time of day or date. If you<br />
specify multiple conditions in a single configuration group, all conditions must be met<br />
before the configuration group is applied. You can specify the start time or time duration<br />
for the configuration group to be applied. If only the start time is specified, the<br />
configuration group will be applied at the specified time and remain in effect until the<br />
time is changed. If the end time is specified, then on each day, the applied configuration<br />
group will be started and stopped at the specified times.<br />
[System Basics]<br />
• Enhancements to scheduler configuration on FRF.16 physical interfaces—Junos OS<br />
<strong>Release</strong> 11.4R5 extends the class-of-service scheduler support on FRF.16 physical<br />
interfaces to the excess-rate, excess-priority, and drop-profile-map configurations. The<br />
excess-rate, excess-priority, and drop-profile-map statements are configured at the<br />
[edit class-of-service schedulers scheduler-name] hierarchy level.<br />
• Support for the drop-profile-map configuration enables you to configure random<br />
early detection (RED) on FRF.16 bundle physical interfaces.<br />
• Support for the excess-rate configuration enables you to specify the percentage of<br />
the excess bandwidth traffic to share.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
151
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Support for the excess-priority configuration enables you to specify the priority for<br />
excess bandwidth traffic on a scheduler.<br />
These enhancements are supported only on Multiservices PICs installed on MX Series<br />
routers. [Services Interfaces]<br />
• Accurate reporting of output counters for MLFR UNI NNI bundles—Starting with<br />
<strong>Release</strong> 11.4R5, Junos OS reports the actual output counters in the Multilink Frame<br />
Relay UNI NNI bundle statistics section of the show interfaces lsq-interface statistics<br />
command output. From this release on, Junos OS also provides output counters for<br />
each data link connection identifier (DLCI) in Multilink Frame Relay (MLFR)<br />
user-to-network interface (UNI) network-to-network interface (NNI) bundles. In earlier<br />
releases, there was a discrepancy between the actual output counters and the reported<br />
value because of errors in calculating the output counters at the logical interface level.<br />
That is, at the logical interface level, the output counter was reported as the sum of<br />
exiting frames at the member links instead of the number of exiting frames per DLCI.<br />
[Services Interfaces]<br />
VPNs<br />
• NTP support for IPv6 VRF—In Junos OS <strong>Release</strong> 11.4 and later, NTP also supports IPv6<br />
VPN routing and forwarding (VRF) requests in addition to IPv4 VRF requests. This<br />
enables an NTP server running on a provider edge (PE) router to respond to NTP<br />
requests from a customer edge (CE) router. As a result, a PE router can process any<br />
NTP request packet coming from different routing instances.<br />
[System Basics]<br />
• Extended Y.1731 functionality on VPLS for frame-delay and delay-variation (MX<br />
Series routers with MPC interfaces)—MX Series routers with Modular Port<br />
Concentrators (MPCs) support Y.1731 functionality on VPLS for frame delay and delay<br />
variation.<br />
[VPNs, Line Card Guide]<br />
• Extends egress protection LSP support and interoperability between MX Series<br />
DPCs and MPC/MIC interfaces (MX240, MX480, and MX960 routers)—An egress<br />
protection LSP addresses the problem when a link failure occurs at the edge of the<br />
network (for example, a link failure between a PE router and a CE device). An egress<br />
protection LSP is an RSVP-signaled ultimate-hop popping LSP. Egress protection LSPs<br />
do not address the problem of a node failure at the edge of the network (for example,<br />
a failure of a PE router). Starting with <strong>Release</strong> 11.4, Junos OS extends support for egress<br />
protection LSP to MPC/MIC interfaces. Egress protection LSP can now interoperate<br />
between MX Series DPCs and MPC/MIC interfaces when both types are present on<br />
the same MX Series router. In previous Junos OS releases, this feature was supported<br />
only on DPCs in MX Series routers.<br />
[VPNs]<br />
Related<br />
Documentation<br />
• Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong><br />
11.4 for M Series, MX Series, and T Series Routers on page 153<br />
• Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers on page 172<br />
152<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 293<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 321<br />
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for<br />
M Series, MX Series, and T Series Routers<br />
• Changes in Default Behavior and Syntax on page 153<br />
Changes in Default Behavior and Syntax<br />
The following are changes made to Junos OS default behavior and syntax.<br />
• Class-of-Service on page 153<br />
• High Availability on page 155<br />
• Interfaces and Chassis on page 155<br />
• Junos OS XML API and Scripting on page 158<br />
• J-Web Interface on page 158<br />
• Multicast on page 158<br />
• Network Management on page 160<br />
• Routing Protocols on page 160<br />
• Services Applications on page 166<br />
• Security on page 167<br />
• System Services on page 167<br />
• Subscriber Access Management on page 168<br />
• User Interface and Configuration on page 171<br />
• VPNs on page 171<br />
Class-of-Service<br />
• Improvement to output of show services nat mappings summary—The output of the<br />
show services nat mappings summary command is now grouped by service interface,<br />
as shown.<br />
Service Interface:<br />
sp-1/0/0<br />
Total number of address mappings: 790<br />
Total number of endpoint independent port mappings: 1580<br />
Total number of endpoint independent filters: 1580<br />
Service Interface:<br />
sp-1/1/0<br />
Total number of address mappings: 914<br />
Total number of endpoint independent port mappings: 1828<br />
Total number of endpoint independent filters: 1828<br />
Service Interface:<br />
sp-4/0/0<br />
Total number of address mappings: 688<br />
Total number of endpoint independent port mappings: 1376<br />
Total number of endpoint independent filters: 1376<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
153
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Service Interface: sp-4/1/0<br />
Total number of address mappings: 648<br />
Total number of endpoint independent port mappings: 1296<br />
Total number of endpoint independent filters: 1296<br />
[System Basics and Services Command Reference]<br />
• Protection of routers from denial of service (DOS) attacks—New CLI options provide<br />
improved protection against DOS attacks.<br />
• NAT mapping refresh behavior—Prior to this release, a conversation was kept alive<br />
when either inbound or outbound flows were active. This remains the default behavior.<br />
As of this release, you can also specify mapping refresh for only inbound flows or<br />
only outbound flows. To configure mapping refresh behavior, include the<br />
mapping-refresh (inbound | outbound | inbound-outbound) statement at the [edit<br />
services nat rule rule-name term term-name then translated secure-nat-mapping]<br />
hierearchy level.<br />
• EIF inbound flow limit—Previously. the number of inbound connections on an EIF<br />
mapping was limited only by the maximum flows allowed on the system. You can<br />
now configure the number of inbound flows allowed for an EIF. To limit the number<br />
of inbound connections on an EIF mapping, include the eif-flow-limit number-of-flows<br />
statement at the [edit services nat rule rule-name term term-name then translated<br />
secure-nat-mapping] hierarchy level.<br />
The show services nat pool detail command now shows the current number of EIF<br />
flows and the flow limit.<br />
Current EIF Inbound flows count: 0<br />
EIF flow limit exceeded drops: 0<br />
• Maximum dropped flows—There is a default maximum of 2000 drop flows allowed<br />
per PIC at a given instance of time. You can now configure the maximum number of<br />
drop flows allowed per direction (ingress and egress) at any given instance of time.<br />
This enables you to limit the creation of drop flows during a denial-of-service (DOS)<br />
attack. When the maximum number of drop flows exceeds the configured or default<br />
limit, drop flows are not created and packets are dropped silently, meaning that no<br />
syslog message is generated for the dropped packets. If maximum dropped flows<br />
is configured, the appropriate error counters are incremented for packets dropped<br />
due to exceeded limits.<br />
To limit the number of drop flows, include the max-drop-flows ingress ingress-flows<br />
egress egress-flows statement at the [edit services service-set service-set-name]<br />
hierarchy level.<br />
The show services stateful-firewall statistics extensive commands now shows the<br />
maximum flow drop counters when max-drop-flows is configured.<br />
Drop Flows:<br />
Maximum Ingress Drop flows allowed: 20<br />
Maximum Egress Drop flows allowed: 20<br />
Current Ingress Drop flows: 0<br />
Current Egress Drop flows: 0<br />
Ingress Drop Flow limit drops count: 0<br />
Egress Drop Flow limit drops count: 0<br />
154<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
High Availability<br />
• Updates to command forwarding support for MX Series Virtual Chassis (MX240,<br />
MX480, and MX960 routers with MPC/MIC interfaces)—The following operational<br />
commands now support command forwarding in an MX Series Virtual Chassis<br />
configuration:<br />
• show chassis craft-interface<br />
• show chassis fan<br />
• show chassis pic<br />
• show chassis power<br />
Command forwarding enables you to monitor and manage an MX Series Virtual Chassis<br />
as a single network element by running operational commands on a specific member<br />
router in the Virtual Chassis, on both member routers, or on the local member router<br />
from which you issue the command. With command forwarding, the router sends the<br />
command to the specified member router or routers and displays the results as though<br />
the command were processed on the local router.<br />
To forward operational commands to one or both member routers in an MX Series<br />
Virtual Chassis, use one of the following options when you issue these commands:<br />
• To forward the command to a specified member router, use the member member-id<br />
option, where member-id can be 0 or 1.<br />
• To run the command on the local member router on which the command was issued,<br />
use the local option.<br />
• To forward the command to both member routers, use the all-members option. This<br />
is the default command forwarding option for the show chassis craft-interface, show<br />
chassis fan, show chassis pic, and show chassis power commands.<br />
[Junos OS System Basics and Services Command Reference, Junos OS High Availability<br />
Configuration Guide]<br />
Interfaces and Chassis<br />
• MRU display in LCP Negotiated Options (MX Series 3D Universal Edge Routers)—The<br />
show ppp interface extensive statement can now display Local MRU and Peer MRU in<br />
the LCP Negotiated Options section. For LNS inline-service (si) interfaces, however,<br />
the local MRU is not displayed because the default value of 1500 is always used and<br />
never advertised, and therefore not negotiated. The Peer MRU value is also now shown<br />
for PPPoE (pp0.0) interfaces.<br />
[System Basics and Services Command Reference]<br />
• Enable holdover mode on system restart (MX Series 3D Universal Edge Routers)—The<br />
synchronous Ethernet Equipment Clock (EEC) is in free-run mode when the chassis is<br />
switched on or restarted. When a synchronous EEC locks on to an upstream reference<br />
clock source at least once for a continuous period of 60 seconds, the EEC will have<br />
stored sufficient Synchronous Ethernet data in a replay holdover buffer. In case of<br />
failure of a reference clock source, the system goes to holdover mode and uses the<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
155
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
replay data in the holdover buffer to service the downstream Synchronous Ethernet<br />
clients.<br />
When a Modular Port Concentrator (MPC) with an EEC restarts (because of either a<br />
system crash or a manual restart), the holdover buffer data gets erased. Therefore,<br />
downstream Synchronous Ethernet clients cannot be serviced. This is also applicable<br />
when a new MPC containing an EEC is inserted into the system.<br />
In a practical deployment scenario, the status display of holdover mode is invalid only<br />
when the chassis is switched on or restarted.<br />
When an MPC containing an EEC is restarted or a new MPC containing an EEC is inserted<br />
into a system that is (already) in holdover mode, the EEC on this MPC cannot be<br />
considered to be in holdover mode because it does not have any Synchronous Ethernet<br />
replay information in its holdover data buffer. Therefore, you must first fix the system<br />
holdover issue before attempting to service the downstream Synchronous Ethernet<br />
clients on this MPC. To accomplish this, you must find a suitable upstream reference<br />
clock source and let the synchronous EEC lock on to this upstream reference clock<br />
source, and then service the downstream Synchronous Ethernet clients on this MPC.<br />
• Support of inverse-arp for frame-relay-ether-type—The inverse-arp checking supports<br />
frame-relay, atm-snap, and frame-relay-ether-type with the condition that when<br />
configuration includes inverse-arp on the logical interface, the router correctly passes<br />
the configuration check and the configuration is committed.<br />
[Network Interfaces]<br />
• Number of keepalive messages can be configured for greater control of inactivity<br />
timeouts for services interfaces—By default, a maximum of 4 consecutive keepalive<br />
messages are sent to prevent timeout when the TCP timeout limit configured in<br />
inactivity-tcp-timeout is exceeded. You can now configure a different maximum number<br />
of keepalive messages (from 0 through 30) by entering the tcp-tickles tcp-tickles<br />
statement at the [edit services interfaces interace-name service-options] hierarchy level.<br />
[ Services Interfaces ]<br />
• New command to monitor PPP recovery after a GRES or restart (MX Series 3D<br />
Universal Edge Routers)—The new show ppp statistics recovery command monitors<br />
the progress of PPP recovery after a GRES or restart. When the PPP subscriber sessions<br />
have been recovered, the command output displays Recovery state: recovery done to<br />
indicate that it is safe to force another GRES or restart. When you issue this command<br />
during the recovery process, the command might time out or fail silently rather than<br />
display output. Recovery is not complete until the command displays recovery done.<br />
[Interfaces Command Reference]<br />
• Multichassis link aggregation (MC-LAG)—When you configure the<br />
prefer-status-control-active statement at the [edit interfaces aex<br />
aggregated-ether-options mc-ae events iccp-peer-down] hierarchy level, you must also<br />
configure the status-control active statement at the [edit interfaces aex<br />
aggregated-ether-options mc-ae] hierarchy level. If you configure the status-control<br />
standby statement with the prefer-status-control-active statement, the system issues<br />
a warning. [JUNOS OS Ethernet Interfaces Configuration Guide]<br />
156<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Enhancement to Link Layer Discovery Protocol (LLDP) (MX Series and T Series<br />
routers)-–You can now configure LLDP to generate the interface name as the port ID<br />
Type TLV. To generate the interface name as the port ID Type, Length,and Value,<br />
include the interface-name statement at the [edit protocols lldp port-id-subtype]<br />
hierarchy level. The default behavior is to generate the SNMP Index of the interface as<br />
the port ID TLV. If you have changed the default behavior, include the locally-assigned<br />
statement at the [edit protocols lldp port-id-subtype] hierarchy level to reenable the<br />
default behavior of generating the SNMP Index of the interface as the port ID TLV.<br />
When you configure LLDP to generate the interface name as the port ID TLV on the<br />
remote neighbor, the show lldp neighbors command displays the interface name in the<br />
Port ID field. The default behavior is for the command to display the SNMP index of<br />
the interface of the remote neighbor in the Port ID field. [Ethernet Interfaces Configuration<br />
Guide, Interfaces Command Reference]<br />
• New options for multichassis link aggregation (MC-LAG)—For MC-LAG, you can now<br />
specify one of two actions to take if the Inter-Chassis Communication Protocol (ICCP)<br />
peer of the switch or router goes down. To bring down the interchassis link logical<br />
interface if the peer goes down, include the force-icl-down statement at the [edit<br />
interfaces aeX aggregated-ether-options events iccp-peer-down] hierarchy level. To<br />
have the router or switch become the active node when a peer goes down, include the<br />
prefer-status-control-active statement at the [edit interfaces aeX<br />
aggregated-ether-options mc-ae events iccp-peer-down] hierarchy level. When you<br />
configure the prefer-status-control-active statement, you must also configure the<br />
status-control active statement at the [edit interfaces aeX<br />
aggregated-ether-options-mc-ae] hierarchy level. If you do not configure the<br />
status-control as active with the prefer-status-control-active statement, the router or<br />
switch does not become the active node if a peer goes down. [Junos OS Ethernet<br />
Interfaces Configuration Guide]<br />
• Enhancement to show interfaces queue command—The output for the show interfaces<br />
queue command now displays rate-limit statistics for class-of-service schedulers for<br />
all IQ and Enhanced IQ (IQ2E) PICs when rate limiting is configured, even when no<br />
traffic is dropped. When rate limiting is configured but no traffic is dropped, the output<br />
for the RL-dropped packets and RL-dropped-bytes fields display the value zero (0).<br />
Previously, these fields were not displayed when no traffic was dropped and rate<br />
limiting was configured. To configure rate limiting for queues before packets are queued<br />
for output, you include the rate-limit statement at the [edit class-of-service schedulers<br />
transmit-rate rate] hierarchy level. [Interfaces Command Reference]<br />
• Enhancement to output for show chassis fabric plane extensive command (TX Matrix<br />
Plus routers)—The output for the show chassis fabric plane extensive command now<br />
includes more detailed information about link errors caused by CRC saturation. The<br />
output now displays whether a CRC-related link error occurred under the following<br />
two conditions:<br />
• CRC exceeded the rate threshold and reached saturation without optical errors—that<br />
is, no cable has been cut or removed, or has otherwise experienced an error. In this<br />
situation, the output now displays the following: Link error crc saturated.<br />
• CRC exceeded the rate threshold and reached saturation with optical errors—that<br />
is, a cable has been cut or removed, or has otherwise experienced an error. In this<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
157
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
situation, the output now displays the following: Link error crc saturated with optical<br />
errors.<br />
If a link error is caused when the CRC exceeds the rate threshold but does not reach<br />
saturation, the output for the command continues to display the following: Link error.<br />
[Interfaces Command Reference]<br />
• Configuring the flow-tap service for IPv6 traffic: The family inet | inet6 statement at<br />
the [edit services flow-tap] hierarchy enables you to specify the type of traffic for which<br />
you want to apply the flow-tap service. If the family statement is not included, the<br />
flow-tap service is, by default, applied to the IPv4 traffic. To apply flow-tap service to<br />
IPv6 traffic, you must include the family inet6 statement in the configuration. To enable<br />
the flow-tap service for IPv4 and IPv6 traffic, you must explicitly configure the family<br />
statement for both inet and inet6 families.<br />
However, you cannot configure the flow-tap service for IPv6 along with port mirroring<br />
or sampling of IPv6 traffic on routers that support LMNR-based FPCs. This restriction<br />
holds good even if the router does not have any LMNR-based FPC installed on it. There<br />
is no restriction on configuring the flow-tap service on routers that are configured for<br />
port mirroring or sampling of IPv4 traffic.<br />
• On MX80 routers, the FPC Slot output field has been changed to TFEB Slot for the<br />
show services accounting flow inline-jflow, show services accounting errors inline-jflow,<br />
and show services accounting status inline-jflow commands.<br />
Junos OS XML API and Scripting<br />
• RPC with inherit="inherit" attribute returns correct time<br />
attributes for committed configuration—In Junos OS <strong>Release</strong> 11.4R6 and earlier<br />
releases, when you configured some interfaces using the interface-range configuration<br />
statement, if you later requested the committed configuration using the<br />
RPC with the inherit="inherit" and database="committed"<br />
attributes, the device returned junos:changed-localtime and junos:changed-seconds in<br />
the RPC reply instead of junos:commit-localtime and junos:commit-seconds. This issue<br />
is fixed in Junos OS <strong>Release</strong> 11.4R7 and later releases so that the device returns the<br />
expected attributes in the RPC reply.<br />
J-Web Interface<br />
• On all M Series, MX Series, and T Series Series platforms, the username field does not<br />
accept HTML tags or the < and >characters. The following error message appears: A<br />
username cannot include certain characters, including < and >.<br />
Multicast<br />
• Configuration consistency for multicast VPNs—Starting with Junos OS <strong>Release</strong> 11.4,<br />
the provider tunnels for draft-rosen 6 anysource multicast VPNs are configured at the<br />
[edit routing-instances instance-name provider-tunnel] hierarchy level. This change<br />
provides consistency with draft-rosen 7 and next-generation BGP-based multicast<br />
VPNs. Specifically, the mdt, vpn-group-address, and vpn-tunnel-source statements at<br />
the [edit routing-instances instance-name protocols pim] hierarchy level are deprecated.<br />
158<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
The deprecated statements continue to be supported in earlier releases. The following<br />
example compares the deprecated configuration and the new configuration.<br />
Deprecated draft-rosen 6 provider tunnel configuration:<br />
[edit routing-instances VPN-A]<br />
user@host# show<br />
protocols {<br />
pim {<br />
vpn-tunnel-source 192.68.1.1;<br />
vpn-group-address 239.1.1.1;<br />
mdt {<br />
threshold {<br />
group 225.2.2.0/24 {<br />
source 10.1.0.0/16 {<br />
rate 10;<br />
}<br />
}<br />
}<br />
tunnel-limit 20;<br />
group-range 239.5.5.0/24;<br />
}<br />
}<br />
}<br />
New draft-rosen 6 provider tunnel configuration:<br />
[edit routing-instances VPN-A]<br />
user@host# show<br />
provider-tunnel {<br />
pim-asm {<br />
family {<br />
inet {<br />
group-address 239.1.1.1;<br />
tunnel-source 192.68.1.1;<br />
}<br />
}<br />
}<br />
mdt {<br />
threshold {<br />
group 225.2.2.0/24 {<br />
source 21.1.0.0/16 {<br />
rate 10;<br />
}<br />
}<br />
}<br />
tunnel-limit 20;<br />
group-range 239.5.5.0/24;<br />
}<br />
}<br />
[Multicast]<br />
• Output show pim join command updated—The output for the show pim join command<br />
(both detail and extensive) has been modified. When you configure the<br />
accept-remote-source statement on the router, the Upstream interface output field<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
159
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
now displays the interface name and the Upstream neighbor output field now displays<br />
the nexthop IP address. Previously, both output fields just displayed unknown (no<br />
nexthop) and unknown, respectively.<br />
[Routing Protocols Command Reference]<br />
Network Management<br />
• Change in the Junos OS support for IS-IS MIB—In Junos OS <strong>Release</strong> 11.3 and later, the<br />
currently supported version of IS-IS MIB, as defined in Internet draft<br />
draft-ietf-isis-wg-mib-07.txt, is replaced with the latest version of IS-IS MIB, as defined<br />
in RFC 4444. Junos OS can support only one of these versions of IS-IS MIB in a release.<br />
Therefore, Junos OS <strong>Release</strong> 11.2 and earlier continue to support IS-IS MIB as defined<br />
in Internet draft draft-ietf-isis-wg-mib-07.txt, whereas Junos OS <strong>Release</strong> 11.3 and later<br />
support only the updated RFC 4444–based version of IS-IS MIB.<br />
[Network Management, SNMP MIBs and Traps Reference]<br />
Routing Protocols<br />
• Starting in Junos OS <strong>Release</strong> 10.4, you cannot deactivate a routing instance that<br />
contains a disabled loopback interface. The loopback interface must first be enabled,<br />
deleted, or deactivated in the configuration before you can deactivate a routing-instance<br />
containing that loopback interface. [Routing Protocols]<br />
• CLI output changes for operational mode commands related to multicast VPN—The<br />
output of some of the operational mode commands related to multicast VPN has been<br />
modified to display more meaningful information. The show mvpn... commands display<br />
text names for ingress tunnels. The neighbor display header field for the show mvpn...<br />
commands now use Inclusive Provider. For IR provider tunnels, the show mvpn...<br />
commands also include the label in the output. Ingress tunnel names now have tunnel<br />
type appended in the name. The show pim source and show pim join commands display<br />
PE address for upstream neighbors. The show multicast route command displays the<br />
provider tunnel's text name instead of displaying multiple interfaces for the provider<br />
tunnel branches.<br />
• show mvpn c-multicast<br />
user@host> show mvpn c-multicast<br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
C-mcast IPv4 (S:G) Provider Tunnel St<br />
0.0.0.0/0:224.1.1.1/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
0.0.0.0/0:224.1.1.2/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
0.0.0.0/0:224.1.1.3/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
160<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET6<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
C-mcast IPv6 (S:G) Provider Tunnel St<br />
::/0:ff35:2001::1/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
::/0:ff35:2001::2/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
::/0:ff35:2001::3/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
user@host> show mvpn c-multicast extensive<br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
C-mcast IPv4 (S:G) Provider Tunnel St<br />
0.0.0.0/0:224.1.1.1/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
0.0.0.0/0:224.1.1.2/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
0.0.0.0/0:224.1.1.3/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET6<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
C-mcast IPv6 (S:G) Provider Tunnel St<br />
::/0:ff35:2001::1/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
::/0:ff35:2001::2/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
::/0:ff35:2001::3/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
• show mvpn neighbor<br />
user@host> show mvpn neighbor<br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
161
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
DS -- derived from (*, c-g)<br />
Family : INET<br />
RM -- remote VPN route<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
Neighbor<br />
Inclusive Provider Tunnel<br />
10.0.0.20 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.20<br />
10.0.0.60 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.60<br />
10.0.0.80 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.80<br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET6<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
Neighbor<br />
Inclusive Provider Tunnel<br />
10.0.0.20 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.20<br />
10.0.0.60 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.60<br />
10.0.0.80 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.80<br />
• show mvpn instance<br />
user@host> show mvpn instance<br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
Provider tunnel: I-P-tnl:INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
Neighbor<br />
Inclusive Provider Tunnel<br />
10.0.0.20 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.20<br />
10.0.0.60 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.60<br />
10.0.0.80 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.80<br />
C-mcast IPv4 (S:G) Provider Tunnel St<br />
0.0.0.0/0:224.1.1.1/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
0.0.0.0/0:224.1.1.2/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
0.0.0.0/0:224.1.1.3/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
MVPN instance:<br />
Legend for provider tunnel<br />
162<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET6<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
Provider tunnel: I-P-tnl:INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
Neighbor<br />
Inclusive Provider Tunnel<br />
10.0.0.20 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.20<br />
10.0.0.60 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.60<br />
10.0.0.80 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.80<br />
C-mcast IPv6 (S:G) Provider Tunnel St<br />
::/0:ff35:2001::1/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
::/0:ff35:2001::2/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
::/0:ff35:2001::3/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
user@host> show mvpn instance summary<br />
MVPN Summary:<br />
Family: INET<br />
Instance: v1<br />
Neighbor count: 3<br />
C-multicast IPv4 route count: 3<br />
Family: INET6<br />
Instance: v1<br />
Neighbor count: 3<br />
C-multicast IPv6 route count: 3<br />
user@host> show mvpn instance extensive<br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
Provider tunnel: I-P-tnl:INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
Neighbor<br />
Inclusive Provider Tunnel<br />
10.0.0.20 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.20<br />
10.0.0.60 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.60<br />
10.0.0.80 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.80<br />
C-mcast IPv4 (S:G) Provider Tunnel St<br />
0.0.0.0/0:224.1.1.1/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
0.0.0.0/0:224.1.1.2/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
0.0.0.0/0:224.1.1.3/32 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
RM<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
163
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
MVPN instance:<br />
Legend for provider tunnel<br />
S- Selective provider tunnel<br />
Legend for c-multicast routes properties (Pr)<br />
DS -- derived from (*, c-g)<br />
RM -- remote VPN route<br />
Family : INET6<br />
Instance : v1<br />
MVPN Mode : RPT-SPT<br />
Provider tunnel: I-P-tnl:INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
Neighbor<br />
Inclusive Provider Tunnel<br />
10.0.0.20 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.20<br />
10.0.0.60 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.60<br />
10.0.0.80 INGRESS-REPLICATION:MPLS Label<br />
299776:10.0.0.80<br />
C-mcast IPv6 (S:G) Provider Tunnel St<br />
::/0:ff35:2001::1/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
::/0:ff35:2001::2/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
::/0:ff35:2001::3/128 INGRESS-REPLICATION:MPLS Label 299776:10.0.0.40<br />
• show multicast route<br />
user@host> show multicast route instance v1 extensive<br />
Instance: v1 Family: INET<br />
Group: 224.1.1.1<br />
Source: (null)/0<br />
Upstream interface: fe-1/3/0.111<br />
Downstream interface list:<br />
lt-0/3/0.42 lt-0/3/0.46 lt-0/3/0.43<br />
Group: 224.1.1.2<br />
Source: (null)/0<br />
Upstream interface: fe-1/3/0.111<br />
Downstream interface list:<br />
lt-0/3/0.42 lt-0/3/0.46 lt-0/3/0.43<br />
Group: 224.1.1.3<br />
Source: (null)/0<br />
Upstream interface: fe-1/3/0.111<br />
Downstream interface list:<br />
lt-0/3/0.42 lt-0/3/0.46 lt-0/3/0.43<br />
Instance: v1 Family: INET6<br />
• show pim join<br />
user@host> show pim join instance v1<br />
Instance: PIM.v1 Family: INET<br />
R = Rendezvous Point Tree, S = Sparse, W = Wildcard<br />
Group: 224.1.1.1<br />
Source: *<br />
RP: 10.0.111.1<br />
Flags: sparse,rptree,wildcard<br />
164<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Upstream interface: fe-1/3/0.111 (administratively scoped)<br />
Group: 224.1.1.2<br />
Source: *<br />
RP: 10.0.111.1<br />
Flags: sparse,rptree,wildcard<br />
Upstream interface: fe-1/3/0.111 (administratively scoped)<br />
Group: 224.1.1.3<br />
Source: *<br />
RP: 10.0.111.1<br />
Flags: sparse,rptree,wildcard<br />
Upstream interface: fe-1/3/0.111 (administratively scoped)<br />
Instance: PIM.v1 Family: INET6<br />
R = Rendezvous Point Tree, S = Sparse, W = Wildcard<br />
Group: ff35:2001::1<br />
Source: *<br />
RP: ::ffff:10.0.0.41<br />
Flags: sparse,rptree,wildcard<br />
Upstream interface: Local<br />
Group: ff35:2001::2<br />
Source: *<br />
RP: ::ffff:10.0.0.41<br />
Flags: sparse,rptree,wildcard<br />
Upstream interface: Local<br />
Group: ff35:2001::3<br />
Source: *<br />
RP: ::ffff:10.0.0.41<br />
Flags: sparse,rptree,wildcard<br />
Upstream interface: Local<br />
• show pim source<br />
user@host> show pim source instance v1<br />
Instance: PIM.v1 Family: INET<br />
Source 10.0.111.1<br />
Prefix 10.0.111.1/32<br />
Upstream interface fe-1/3/0.111<br />
Upstream neighbor Direct<br />
Instance: PIM.v1 Family: INET6<br />
Source ::ffff:10.0.0.41<br />
Prefix ::ffff:10.0.0.41/128<br />
Upstream interface Local<br />
• If you configure the route-distinguisher statement in addition to the route-distinguisher-id<br />
statement, the value configured for route-distinguisher supersedes the value generated<br />
from route-distinguisher-id. To avoid a conflict in the two route distinguisher values,<br />
we recommend ensuring that the first half of the route distinguisher obtained by<br />
configuring the route-distinguisher statement is different from the first half of the route<br />
distinguisher obtained by configuring the route-distinguisher-id statement.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
165
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Services Applications<br />
• Option available to clear the DF (don't fragment) flag in packet headers under NAT<br />
64—You can specify clearing of the DF flag in IPv4 headers when performing NAT64<br />
translation. The flag is cleared when packets are less than 1280 bytes but might need<br />
to be fragmented when the IPv4-path-mtu size is less than 1280. When the flag is not<br />
cleared, a packet-too-big error message is generated and sent to the IPv6 host, which<br />
replies with a fragment header added. RFC 6145, IP/ICMP Translation Algorithm, provides<br />
a full discussion of the use of the DF flag to control fragmentation.<br />
To clear the DF flag, include the stateful-nat64 clear-dont-fragment-bit statement at<br />
the [edit services service-set service-set-name nat-options] hierarchy level.<br />
• Changes to softwire and firewall show commands—New softwire statistical counters<br />
are available in Junos OS <strong>Release</strong> 11.4R2 and later for the show services softwire<br />
statistics, show services stateful-firewall statistics detail, and show services<br />
stateful-firewall statistics extensive commands.<br />
Counters added for show services softwire statistics (DS-Lite or v6rd):<br />
• Softwires Created for EIF/HP—(DS-Lite only) Number of softwires created for<br />
endpoint-independent filtering (EIF) or hairpinning (HP).<br />
• Slow Path Packets Processed for EIF/HP—DS-Lite only. Number of slow path EIF/HP<br />
packets processed. These slow path packets initiate the creation of the softwire<br />
flow.<br />
• Softwire EIF Accept—(DS-Lite only) The number of packets which matched an EIF<br />
entry that initiated the creation of a DS-Lite tunnel. The EIF entry was previously<br />
triggered by a DS-Lite packet.<br />
• ICMPv4 Packets sent—(DS-Lite only) The number of ICMPv4 packets sent to ping<br />
the address 192.0.0.1, which is a unique IPv4 address reserved for the Address Family<br />
Transition Router (AFTR).<br />
• ICMPv4 Error Packets sent—(DS-Lite only) Number of non-ping echo requests received<br />
by the AFTR.<br />
• ICMPv6 Packets sent—(DS-Lite only) Number of ping requests sent to the AFTR<br />
softwire address.<br />
• Dropped ICMPv6 packets destined to AFTR—(DS-Lite only) Number of ICMPv6 error<br />
messages discarded whose destination was the AFTR address.<br />
• Flow Creation Failed - Retry for EIF/HP—(DS-Lite only) Number of failed flow creations<br />
for EIF/HP to be retried.<br />
• Softwire Creation Failed for EIF/HP—(DS-Lite only) Number of softwire creation<br />
failures for EIF/HP.<br />
• Flow Creation Failed For EIF/HP—(DS-Lite only) Number of flow creation failures for<br />
EIF/HP.<br />
• Slow Path Packets Processed (Gratuitous)—(v6rd only) Number of gratuitous packets<br />
received by the 6rd branch relay (BR).<br />
166<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Counters added for show services stateful-firewall statistics (detail and extensive):<br />
• Slow Path Hairpinned Packets—Number of slow path packets for hairpinned flows.<br />
Slow path packets are the packets that triggered initiation of the hairpinned flow.<br />
• Fast Path Hairpinned Packets—Number of packets received that matched an existing<br />
hairpinned flow.<br />
Security<br />
• Enhancements to DDoS Protection (MX Series Routers)—The configuration of DDoS<br />
Protection has changed slightly. You can now include the disable-fpc statement at the<br />
[edit system ddos-protection protocols protocol-group (aggregate | packet-type)]<br />
hierarchy level to disable policers on all line cards for a particular packet type or<br />
aggregate within a protocol group. The ability to configure this statement globally or<br />
for a particular line card remains unchanged.<br />
You can also now include the disable-logging statement at the [edit system<br />
ddos-protection protocols protocol-group (aggregate | packet-type)] hierarchy level to<br />
disable router-wide logging of DDoS violation events for a particular packet type or<br />
aggregate within a protocol group. The disable-logging statement has been moved<br />
from the [edit system ddos-protection violation] hierarchy level, and that hierarchy<br />
level has been removed from the CLI.<br />
The show ddos-protection protocols command now displays Partial in the Enabled field<br />
to indicate when some of the instances of the policer are disabled. The Routing Engine<br />
Information section of the output now includes fields for bandwidth, burst, and state.<br />
The show ddos-protection protocols parameters command and the show ddos-protection<br />
protocols statistics command now include a terse option to display information only<br />
for active protocol groups—that is, groups that show traffic in the Received (packets)<br />
column. The show ddos-protection protocols parameters command also displays part.<br />
for policers that have some disabled instances.<br />
[DDoS Protection]<br />
System Services<br />
• Enhancements to SSH—Additional statements have been added to [system services<br />
ssh], providing more capabilities to manage tunneled sessions and connection timeouts,<br />
and to configure additional key algorithms. SSH version 2 is now the default, and you<br />
can configure SSH version 1 if needed.<br />
The [system services ssh] statements now include the following:<br />
ssh {<br />
ciphers [ cipher-1 cipher-2 cipher-3 ...];<br />
client-alive-count-max seconds;<br />
client-alive-interval seconds;<br />
connection-limit limit;<br />
hostkey-algorithm ;<br />
key-exchange ;<br />
macs ;<br />
max-sessions-per-connection ;<br />
no-tcp-forwarding;<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
167
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
protocol-version [v1 v2];<br />
rate-limit limit;<br />
root-login (allow | deny | deny-password);<br />
}<br />
The new or updated ssh statements were introduced starting with Junos OS <strong>Release</strong> 11.2<br />
and include:<br />
• ciphers—Specify the set of ciphers the SSH server can use to perform encryption and<br />
decryption functions.<br />
• client-alive-count-max—Configure the number of client alive messages that can be<br />
sent without sshd receiving any messages back from the client.<br />
• client-alive-interval—Configure a timeout interval in seconds, after which if no data<br />
has been received from the client, sshd will send a message through the encrypted<br />
channel to request a response from the client. This option applies to SSH protocol<br />
version 2 only. Statement introduced in Junos OS <strong>Release</strong> 12.1.<br />
• hostkey-algorithm—Allow or disallow a host-key signature algorithm for the SSH host<br />
to use to authenticate another host.<br />
• key-exchange—Specify the set of Diffie-Hellman key exchange methods that the SSH<br />
server can use.<br />
• macs—Specify the set of message authentication code (MAC) algorithms that the<br />
SSH server can use to authenticate messages. Additionally, SHA-2 options are available<br />
as of <strong>Release</strong> 12.1 of Junos OS.<br />
• max-sessions-per-connection—Specify the maximum number of ssh sessions allowed<br />
per single SSH connection. Statement introduced in <strong>Release</strong> 11.4 of Junos OS.<br />
• no-tcp-forwarding—Configure this to prevent a user from creating an SSH tunnel over<br />
a CLI session to a Junos router. Statement introduced in <strong>Release</strong> 11.4 of Junos OS.<br />
• protocol-version—Specify the SSH protocol version. The default is changed from version<br />
1 to version 2 beginning with Junos OS <strong>Release</strong> 11.4.<br />
[edit system services ssh]<br />
Subscriber Access Management<br />
• Enhanced subscriber service accounting information—Subscriber access accounting<br />
has been enhanced in Junos OS <strong>Release</strong> 11.4R2 and later, and <strong>Release</strong> 12.1R1 and later.<br />
RADIUS VSA 26-83 (Service-Session), which is included in RADIUS service accounting<br />
start and stop packets, now includes the parameter values used to activate a subscriber<br />
service, in addition to the service name. In earlier releases, only the service name was<br />
included. When VSA 26-83 is not available from the RADIUS server, subscriber<br />
management sends the service name in the accounting message (as was the case in<br />
earlier releases).<br />
[Subscriber Acess]<br />
• Delay in removing subscriber routes after graceful Routing Engine switchover (M120,<br />
M320, and MX Series routers)—For a subscriber network in which either nonstop active<br />
routing (NSR) or graceful restart has been configured, you can configure the router to<br />
168<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
wait for 180 seconds (3 minutes) before removing access routes and access-internal<br />
routes after a graceful Routing Engine switchover (GRES) takes place.<br />
This 3-minute delay provides sufficient time for the appropriate client process (jpppd<br />
or jdhcpd) or routing protocol process (rpd) to reinstall the access routes and<br />
access-internal routes before the router removes the stale routes from the forwarding<br />
table. As a result, the risk of traffic loss is minimized because the router always has<br />
available subscriber routes.<br />
To configure the router to wait for 180 seconds before removing (flushing) access<br />
routes and access-internal routes after a graceful Routing Engine switchover, include<br />
the gres-route-flush-delay statement at the [edit system services<br />
subscriber-management] hierarchy level.<br />
Using the gres-route-flush-delay statement in your subscriber management<br />
configuration offers the following benefits:<br />
• Provides sufficient time to reinstall subscriber routes from the previously active<br />
Routing Engine<br />
In subscriber networks with graceful restart and routing protocols such as BGP and<br />
OSPF configured, the router purges any remaining stale routes as soon as the graceful<br />
restart operation completes, which can occur very soon after completion of the<br />
graceful Routing Engine switchover. Using the gres-route-flush-delay statement<br />
causes the router to retain the stale routes for a full 180 seconds, which provides<br />
sufficient time for the jpppd or jdhcpd client process to reinstall all of the subscriber<br />
routes.<br />
• Prevents loss of subscriber traffic due to unavailable routes<br />
In subscriber networks with nonstop active routing and routing protocols such as<br />
BGP and OSPF configured, the routing protocol process immediately purges the<br />
stale routes that correspond to subscriber routes. This removal results in a loss of<br />
subscriber traffic. Using the gres-route-flush-delay statement causes the router to<br />
retain the stale routes for a full 180 seconds, which prevents potential traffic loss<br />
due to unavailable routes.<br />
[Junos OS Subscriber Access Configuration Guide]<br />
• Strict enforcement of subscriber scaling license (MX Series routers)—You can<br />
configure the router to strictly enforce the subscriber scaling license feature, which is<br />
part of the Junos Subscriber Access Feature Pack license.<br />
When you enable strict scaling license enforcement, the router takes the following<br />
actions:<br />
• Strictly enforces the subscriber scaling license and does not allow any grace period.<br />
When the number of logged-in subscribers reaches the maximum allowed by the<br />
scaling license, no additional subscribers are allowed.<br />
• Creates the informational log message, “90% of installed subscriber scale licenses<br />
in use", to inform you when you have 10% of the total allowed licenses remaining.<br />
The router clears this condition when license usage falls below 90%. The log message<br />
is created again if the 90% usage is reached.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
169
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
To configure strict scaling license enforcement, you include the<br />
enforce-strict-scale-limit-license statement at the [edit system services<br />
subscriber-management] hierarchy level.<br />
[Subscriber Access]<br />
• Managing RADIUS Class attribute (attribute 25) information in service accounting<br />
reports—Subscriber management includes the Class attribute (RADIUS attribute 25)<br />
in all accounting packets for a subscriber session and the subscriber’s service sessions.<br />
By default, when the subscriber’s Class attribute is changed by a CoA action, the new<br />
Class attribute value is then used in subsequent accounting reports for both the<br />
subscriber session and the subscriber’s service sessions.<br />
You can override the default behavior and specify that, after a CoA action, the new<br />
Class attribute value is used in accounting reports for the subscriber sessions only. The<br />
accounting reports for the subscriber’s service sessions continue to use the original<br />
Class attribute that was assigned when the service sessions were created.<br />
To configure the router to override the default action, include the coa-no-override<br />
service-class-attribute statement at the [edit access profile profile-name accounting]<br />
hierarchy level.<br />
[Subscriber Access]<br />
• Triggering subscriber secure policy for subscribers on VLANs—Interface-based<br />
subscriber secure policy is now supported on dynamic, authenticated VLAN interfaces<br />
and VLAN demux interfaces. When you enable subscriber secure policy for these<br />
interfaces, traffic for all configured families (inet, inet6) including Layer 2 and Layer 3<br />
control traffic is mirrored. The mirrored packets include Layer 2 encapsulations.<br />
When you have DHCPv4/DHCPv6 subscribers over VLANs, two sessions are created<br />
for each subscriber—one for the Layer 2 VLAN, and one for DHCP. In this case do not<br />
use a trigger, such as Remote Circuit ID (ACI), that applies to both the VLAN and the<br />
DHCP sessions. If the DHCP and VLAN sessions match the same trigger, the DHCP<br />
subscriber login fails and subscriber secure policy is not triggered. You need to select<br />
a traffic mirroring trigger that matches only one of these sessions.<br />
• Session-ID added to output of show network-access aaa subscribers username<br />
command (MX Series routers)—The output of the show network-access aaa subscribers<br />
username username command now includes a column showing the Session-ID for the<br />
specified username.<br />
[Subscriber Access]<br />
• Archiving configuration files for a passive FTP server—Junos OS documentation for<br />
the archive-sites configuration statement at the [edit system archival configuration]<br />
hierarchy level is being updated to include information that the pasvftp prefix option<br />
can be used when archiving configuration files for a passive FTP server. This is in addition<br />
to prefix options for file//:, ftp://, and scp://. The pasvftp configuration statement<br />
option is of the form: pasvftp://username@host:url-path password password;<br />
[System Basics]<br />
170<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• GRE tunnels—Configuring more than 4K GRE tunnels in the devices with multiple<br />
tunnel PICs or Modular Port Concentrators (MPCs) / Dense Port Concentrators (DPCs)<br />
will now be rejected by the device.<br />
[Subscriber Management]<br />
• Interface support—An aggregated Ethernet (ae) interface is now supported in JSSCD<br />
groups.<br />
[Subscriber Management]<br />
User Interface and Configuration<br />
• Enhancement to test configuration operational statement—The new option syntax-only<br />
allows a user to check a partial configuration without checking for commit errors.<br />
[System Basics and Services Command Reference]<br />
• Starting in Junos OS <strong>Release</strong> 11.2, the set protocols mpls label-switched-path <br />
install command now also accepts IPv6 prefixes. In previous releases, only<br />
IPv4 prefixes were supported.<br />
VPNs<br />
• VPLS interface encapsulation—When you configure an interface for a VPLS routing<br />
instance, the physical interface encapsulation must be configured with a VPLS<br />
encapsulation (ethernet-vpls, extended-vlan-vpls, flexible-ethernet-services, or<br />
vlan-vpls); otherwise the commit will fail. [VPNs]<br />
• Starting in Junos OS <strong>Release</strong> 11.4, vrf-import policies must reference a target community<br />
in the from clause. If the import policy does not reference a specific community target<br />
or if the referenced community is a wildcard, the commit operation fails. As an exception,<br />
the policy does not need to reference a community target in the from clause when the<br />
policy action in the then clause is "reject." Prior to Junos OS <strong>Release</strong> 11.4, when the<br />
vrf-import policy did not reference a specific community target in the from clause, the<br />
commit operation succeeded, but the import policy had a nondeterministic effect.<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
on page 73<br />
• Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers on page 172<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 293<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 321<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
171
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
The current software release is <strong>Release</strong> 11.4. For information about obtaining the software<br />
packages, see “Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M<br />
Series, MX Series, and T Series Routers” on page 321.<br />
• Current Software <strong>Release</strong> on page 172<br />
• Previous <strong>Release</strong>s on page 202<br />
Current Software <strong>Release</strong><br />
Outstanding Issues<br />
Class of Service (CoS)<br />
• When GRES is configured, a live core file might be seen on the backup Routing Engine.<br />
This happens if VRRP priority changes continuously and the following configurations<br />
are changed on the distribution routers:<br />
• IRB interfaces<br />
• Routing and spanning-tree protocols<br />
• Multicast<br />
• VPLS routing instance<br />
• Bidirectional Forwarding Detection (BFD)<br />
The live core file does not affect traffic or functionality. [PR668695]<br />
• When the show interfaces extensive [interface] | display xml command is executed,<br />
there might appear issues in the XML output display of COS red/dropped packets. The<br />
"Dropped packets" is total of red-drop + tail-drop (+ rate-limit-drops in case of IQE)<br />
so the XML should also say “queue-counters-total-drop-packets.” It used to say<br />
“queue-counters-red-packets,” which was incorrect. [PR683410]<br />
• M7i and M10i routers with non-enhanced CFEB support only four forwarding classes.<br />
[PR786081]<br />
• If you set the following commands, Cosd crash after executing show class-of-service<br />
scheduler-map.<br />
set class-of-service interfaces ge-2/0/* scheduler-map-chassis derived<br />
set class-of-service interfaces ge-2/0/1 scheduler-map-chassis p0<br />
set class-of-service interfaces ge-2/1/* scheduler-map-chassis derived<br />
set class-of-service interfaces ge-2/1/1 scheduler-map-chassis p0<br />
The scheduler-map-chassis command for ge-2/0/1 and ge-2/1/1 has to be overridden<br />
because of the more specific configuration. This is happening correctly, but the 'derived'<br />
scheduler-map previously allocated for these interfaces is not getting freed. Cosd<br />
crashes when trying to display these scheduler maps since they are not fully populated.<br />
[PR807593]<br />
• Commit throws an error "Invalid rewrite rule rule-name for ifl . Ifd <br />
is not capable to rewrite inner vlan tag 802.1p bits" even though there is no rewrite<br />
configuration related to inner-vlan tag. [PR849710]<br />
172<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Forwarding and Sampling<br />
• When burst-size-limit is configured to a value more than 100,000,000 bytes on M7i or<br />
M10i routers with CFEB-E, the correct burst size is not reflected by CFEB-E on the router.<br />
[PR706272]<br />
• Firewall logs does not record rejected or accepted packets on the loopback filter though<br />
packets are rejected or accepted. [PR724059]<br />
• In Junos OS <strong>Release</strong> 10.2 and later, FBF does not disable uRPF when setting the<br />
uRPF(rpf-check) and FBF on an interface, which is in a routing instance. [PR735697]<br />
• When master Routing Engine switchover is performed because the backup Routing<br />
Engine is out of synchronization with the master and if GRES(Graceful Routing Engine<br />
Switchover)/NSR(nonstop active routing)/NSB(nonstop bridging) is enabled, the<br />
L2ald (Layer 2 address learning daemon) might generate a core file. [PR735913]<br />
• The Junos OS firewall process (dfwd) may generate core files and restart during a<br />
unified in-service software upgrade when the configuration includes Ascend-Data-filters.<br />
[PR746128]<br />
• PFED crashes while processing a corrupted message sent from the Packet Forwarding<br />
Engine. To fix this issue, changes are being made to PFED. However, the scope of this<br />
issue is limited due to the unknown nature of the corruption. A separate PR771108 is<br />
created to make some changes to the Packet Forwarding Engine. [PR750143]<br />
• When the accounting-options interface-profile command is executed to a large number<br />
of logical interfaces (approximately more than 2000), the accounting-options<br />
interface-profile rate control towards the Packet Forwarding Engine is broken. This<br />
issue is caused when attempting to gather interface statistics simultaneously on too<br />
many interfaces in a short interval. Intervals of less than 5 minutes are not<br />
recommended. In addition, gathering statistics on more than 500 interfaces using<br />
accounting-options interface-profile might lead to inaccurate statistics output.<br />
[PR753960]<br />
• Under some circumstances, PFED process might crash when fetching accounting<br />
statistics. [PR782281]<br />
• When set client-idle-timeout is over, VLAN is removed even though there is<br />
ingress/egress traffic on PPPoE clients. [PR784529]<br />
General Routing<br />
• The auto-complete feature is not working for the show policy command. [PR471332]<br />
• In the list of allowed options under the set access radius-options request-rate command<br />
on the CLI, the request-rate in seconds is displayed. [PR745252]<br />
• When service is added to the subscriber through radius COA, the service records are<br />
not full released to the DB. It causes sdb.db size to grow. PR 746587 fix this issue by<br />
releasing the record completely. [PR746587]<br />
• On an MX Series router with GRES enabled, when the system reboots after<br />
"dynamic-profile-options versioning" is committed, the DHCP/PPPoE subscriber fails<br />
to log in. [PR770140]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
173
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• When dynamic-profile versioning is enabled, CoA requests are not processed if authd<br />
restarts. [PR796416]<br />
• In a subscriber management environment, with GRES enabled, the subscriber<br />
management infrastructure process (smid) maintains a directory /mfs/var/sdb, which<br />
contains several logs/stats and databases that must be cleaned up and compacted<br />
every couple of hours. If the subscriber management infrastructure process compacts<br />
databases during berkeley database replication process (bdbrepd) hasn't finished the<br />
initial replication between Routing Engines, smid may get stuck in a loop cause it does<br />
not checkpoint or archive the log files anymore, so the /mfs directory eventually fills<br />
up. Then the router locks up with no telnet/console access, and no subscribers logging<br />
into the router. When issue happens, the following errors could be seen:<br />
/kernel: Process (1977,bdbrepd) has exceeded 85% of RLIMIT_DATA: used 114692 KB<br />
Max 131072 KB<br />
/kernel: Process (1977,bdbrepd) attempted to exceed RLIMIT_DATA: attempted 131076<br />
KB Max 131072 KB<br />
/kernel: pid 1977 (bdbrepd), uid 0 inumber 636230 on /mfs: filesystem full<br />
The storage usage of bdbrepd process could be observed by following command (the<br />
'SIZE' field means Total size of the process (text, data, and stack), in kilobytes):<br />
user@router> show system processes extensive | match bdbrepd<br />
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND<br />
1568 root 1 96 0 55068K 37940K select 28:32 0.00% bdbrepd<br />
[PR796430]<br />
• If Hagiwara CompactFlash does not support APM, don't try to initiate it. [PR593219]<br />
• In case of private commit, you can skip generating or applying a patch if no commit<br />
happened in other sessions between the time you entered the private session and<br />
committed. There is no need to update the private database to the last committed<br />
database because no commits happened from other private or shared session.<br />
juniper.db (shared database) should be updated with the private database commit<br />
changes. Simple file copy is enough. But you need to take care of database header<br />
(restoring the user_info, lr_info and exlocker information of juniper.db). [PR607942]<br />
• On certain M-series routers (M20, M40, M40e, and M7i/M10i without Enhanced CFEB),<br />
the following error message is displayed on the Packet Forwarding Engine console<br />
periodically: "pfe_get_ifl_stats failed" This error is seen only if aggregate interfaces<br />
(like AE or AS) is configured on the router. There is no functional impact because of<br />
this error message. [PR692081]<br />
• Provided that an MX Series router has only one interface that uses auto-configure to<br />
set up a VLAN interface for PPPoE/IPoE subscriber sessions, the system's<br />
auto-configure process is killed when you delete the auto-configure command under<br />
that interface. But the MX Series router does not clear the corresponding VLAN interface.<br />
Thus the subscribers can still dial in. [PR709911]<br />
• For SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP with fixed IPv6<br />
classification, IPv6 filter counting all non-BE FC/queue packets to the BE FC/Queue<br />
counter. [PR732893]<br />
174<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• An Layer 2 control read error is seen sometimes on a MIC bootup, causing the MIC to<br />
fail to boot up. [PR733067]<br />
• A PCI read error can sometimes cause the 8xOC3-2xOC12 MIC bootup to fail and the<br />
MIC to stay offline with "Hardware Error" status. [PR733520]<br />
• Under certain timing conditions, the Packet Forwarding Engine might install an<br />
uninitialized firewall filter next hop in the forwarding hardware memory. When a<br />
forwarding chipset encounters the uninitialized next hop during packet processing, it<br />
triggers an exception error condition. [PR751088]<br />
• When a large number of subscribers log in and log out simultaneously in a scaled<br />
configuration, errors might occur when logical interfaces are created. The errors occur<br />
because the rpd process fails to read ifstate notifications related to logical interface<br />
deletions. As a workaround, restart the rpd. [PR775033]<br />
• If RPF and/or SCU is enabled then any change to an ingress firewall table filter will<br />
trigger RPF/SCU reconfiguration for every prefix in the routing table. This may cause<br />
transient high CPU utilization on the fpc which may result in SNMP stats request being<br />
time out. [PR777082]<br />
• AE member link is rejecting packets due to bad unicast MAC. [PR783332]<br />
• The rms interface option is hidden for the following show commands and is not<br />
auto-completed on the CLI:<br />
-show interfaces redundancy -request interface revert -request interface switchover<br />
[PR784678]<br />
• With l3vpn composite next-hops configured and 3 or more odd number of core uplinks<br />
every l3vpn route deletion will syslog the following error messages. [LOG: Err] JTREE:<br />
(jt_mem_free) size 0 for addr 1595452, seg 1, inst 0 [LOG: Emergency] Multiple Free<br />
:jt_mem_free There is no operational impact. An even number of core-uplinks will not<br />
trigger such error logs. [PR786993]<br />
• MPLS LDP traceroute does not work if you have a default route 0/0 pointing to discard<br />
on the Egress router with DPC cards. [PR790935]<br />
• This PR provides fix for a Packet Forwarding Engine micro-kernel memory leak,<br />
applicable only to certain types of firewall filter configurations on Trio-based MPCs<br />
and DPCs. The concerned leak can occur with dynamic-profiles configuration with<br />
firewall filters (typical for subscriber services), or when protocols like Ethernet OAM<br />
are configured. The leak occurs only under a certain timing condition (so far observed<br />
for about 2-5% of interface delete operations), and only on interface delete operations.<br />
Leaked memory is of order of 1KB per incidence of the memory leak. Hence the issue<br />
will be of material impact in and only in deployment scenarios which involve many<br />
thousands of interface delete operations with either dynamic profiles configuration or<br />
Ethernet OAM configuration. [PR797790]<br />
• In a subscriber management environment with knob versioning enabled for<br />
dynamic-profile, during subscriber flapping or login/logout, the authd (authentication<br />
daemon) process may leak memory. [PR800028]<br />
• Dynamic VLAN may remain stuck in "termianting" state after line card reboot.<br />
[PR800533]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
175
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• In a BRAS environment with PPPoE subscribers and parameterized firewalls and<br />
policers, the FPC memory usage will go high after a CoA change for the services'<br />
parameters. [PR805922]<br />
• In subscriber management scenario, during DHCP or PPPoE subscribers login, cosd<br />
process might leak memory when cosd is initializing cos related parameters for<br />
subscribers. It happens only if the subscriber has one cos service session. [PR815777]<br />
• In subscriber management environment, after scale DHCP/PPPoE subscribers (about<br />
16k) login/logout multiple times, some of them fail to login again due to system can<br />
not allocate memory for them. When issue happens, following errors could be seen:<br />
[LOG: Err] IFRT: 'IFL demux enable' (opcode 175) failed [LOG: Err] rt_table_index_alloc:<br />
failed to allocate index with error: memory allocation failure !!! [LOG: Err]<br />
ifdemux_create_table(): ifl 17716:IPv4 => failed to allocate index for demux rt table<br />
with error: memory allocation failure !!! [LOG: Err] IFRT: 'IFL demux enable' (opcode<br />
175) failed [LOG: Err] ifl 17716:IPv4; demux create table failed with error=8 [PR819614]<br />
• PPPoE sessions cannot be established as rpd is unable to read or access profile<br />
database during access-internal route creation via<br />
"dynamic-profile->routing-instances->routing-options->access-internal" stanza<br />
[PR830779]<br />
• An FPC may reboot when a live-core is requested and the /var partition does not have<br />
sufficient space to store the live-core. [PR835047]<br />
• In the low memory condition with NSR enable, the replication of the route from the<br />
master routing-engine to the backup routing engine might stucked into inconsistent<br />
state preventing the correct operation of the NSR. [PR840331]<br />
High Availability (HA) and Resiliency<br />
• On TX routing systems with GRES enabled, if a mastership switch is being requested<br />
on an LCC who's Backup Routing Engine’s em0 interface has physically failed, this will<br />
cause all FPCs on that LCC to disconnect from the old master Routing Engine, but NOT<br />
reconnect to the new Master Routing Engine. [PR799628]<br />
Infrastructure<br />
• On J Series devices, the top utility with "ores" options was not sorting the output based<br />
on resident memory size. [PR507675]<br />
• With IPv6 and PPPoE, DHCP, or other demux configured, an assertion panic can occur<br />
in in6_ether_iffconfig(). [PR686350]<br />
• On the M120 router , when the no-vrf-propagate-ttl statement is set or deleted, the<br />
FEB might reboot and dump a core. There is no known workaround. [PR691466]<br />
• IPv6 access and access-internal routes for IP demux interfaces are not installed<br />
successfully when the dynamic profile that creates the IP demux interface is configured<br />
with the router's unnumbered loopback address. This results in the failure of IPv6<br />
egress traffic forwarding. This problem does not affect IPv4 egress traffic on IP demux<br />
interfaces. As a workaround, configure the dynamic profile that creates the IP demux<br />
interface to use a numbered address rather than the router's unnumbered loopback<br />
address. [PR747029]<br />
176<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Filter Based Forwarding is not working for IPv6 traffic. [PR795730]<br />
• In a L3VPN environment, when PE enabled with composite-nexthop receives a ICMP<br />
packet from local CE having TTL=1 and "route-record" option destined towards remote<br />
VPN end, then below messages are seen in syslog of PE router. /kernel: %KERN-3:<br />
tag_send_nh_chain(): no mbuf after tag_nh_chain_comp_label_output() This syslog<br />
message doesn't indicate real mbuf issue. Hence this can be treated as non-intrusive.<br />
[PR811406]<br />
• A kernel crash may occur on routers running 10.4 or higher (which does not have fix for<br />
this PR), with "targeted-broadcast" knob configured on a broadcast interface. If this<br />
knob is configured, MAC address will be learnt for subnet broadcast IP (configured on<br />
that interface). When this ARP table entry gets timed out, it corrupts an internal data<br />
structure, leading to kernel crash. This MAC learning will happen with one of the<br />
following : 1. Mismatched IP subnet is configured on one of the connected devices 2.<br />
A malformed packet (ARP request to subnet broadcast IP) is received on that interface<br />
NOTE: - MAC address learnt for the subnet broadcast IP can't be seen using "show<br />
arp" command. - This issue is platform independent. [PR814507]<br />
• The Kernel crashes when a DHCP client is connected with a DHCP-relay configuration.<br />
[PR824470]<br />
Interfaces and Chassis<br />
• On logical tunnel (lt) interfaces, you might not be able to use the 'family vpls' option<br />
at the [edit interfaces lt-fpc/pic/port unit logical-unit-number] hierarchy level.<br />
[PR44358]<br />
• For Automatic Protection Switching (APS) on SONET/SDH interfaces, there are no<br />
operational mode commands that display the presence of APS mode mismatches.<br />
An APS mode mismatch occurs when one side is configured to use bidirectional mode,<br />
and the other side is configured to use unidirectional mode. [PR65800]<br />
• On the <strong>Juniper</strong> Control System (JCS) platform, the control and management traffic<br />
for all Routing Engines share the same physical link on the same switch module. In rare<br />
cases, the physical link might become oversubscribed, causing the management<br />
connection to Protected System Domains (PSDs) to be dropped. [PR293126]<br />
• In a SAToP pseudowire on a 4-port COC3/CSTM1 or 12-port T1/E1/J1 CE PIC, when<br />
there is data loss from the pseudowire or due to an alarm condition (LOS/LOF/AIS)<br />
at the peer end of the SAToP pseudowire, the local PIC does not transmit AIS. This PR<br />
addresses that issue. [PR602563]<br />
• An interface not defined in the logical system is participating in a VPLS instance<br />
configured under the logical system. [PR603130]<br />
• A panic occurs in rnh_index_alloc on the backup Routing Engine because the index is<br />
already allocated. In the system log or kernel message buffer, a message similar to the<br />
following may be seen: "rnh_cont_request: demux0.14 (3353) Got nhid=120882<br />
but already have child nhid=118652 for cifl ge-0/1/5.32767 (3349)." [PR682967]<br />
• When multiple vendor specific tags are included in PPPoE control packets, only the<br />
last of these tags are parsed by the PPPoE server for ACI/ARI and DSL Forum<br />
information. [PR689222]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
177
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• In scaled configuration having 1000 vrrp groups, user can see messages like<br />
ppman_vrrpman_change_xmit_status on the backup vrrp router with the repeated<br />
Routing Engine switchover. [PR719560]<br />
• If packets are dropped due to high scaling rates, some protocol buffers might be leaked,<br />
causing an increase in the memory utilization of the PPP subscriber services daemon,<br />
which might eventually lead to the inability to log in additional PPPoE clients.<br />
[PR731963]<br />
• When child lsq interface comes before parent rlsq ifl interfaces, the cosd is indirectly<br />
adding parent ifls to cosd ifl database. In this flow of code the parent ifl is not added<br />
to the snmpif database in the cos module. This causes failures when pooling for parent<br />
interface queue counters. The same thing is true for AE ifls. [PR733411]<br />
• With a large number of PPPoE subscribers, a queue overflow occurs when a burst of<br />
PPP control packets are received. As a consequence, the PPPoE session cannot be<br />
established while bringing up subscribers because the system drops control packets<br />
during PPP negotiation. Also, when the subscriber sessions are up, the system loses<br />
LCP echo replies from the client and over time this might cause keepalive failures. This<br />
is caused by the improper PPP packet queue size set in the kernel. [PR735769]<br />
• IP header compression (VJ compression) is not rejected by PPP LCP. [PR737981]<br />
• PPPoE access-internal routes not cleaned up correctly. [PR739869]<br />
• Some error situation may create a scenario where peer backup router wrongly moving<br />
to master and sending a lower priority packet. We won't create the adjacency for Inherit<br />
groups any more. We will drop these packet in the Packet Forwarding Engine using this<br />
PR 742082. So you won't see these messages again. [Feb 18 13:12:54.568 LOG: Err]<br />
vrrpman_process_new_pkt_msg: Recv new priority pkt for inherit group. Ignore it. Group<br />
2, IP-Ver 0, If_index 141074, priority 100 [PR742082]<br />
• In a scenario where all PPPoE sessions attempt to reconnect simultaneously at a high<br />
rate, typically following a reboot or maintenance, it has been observed that the PPPoE<br />
daemon might get into a situation where it runs out of memory and fails to create new<br />
sessions. The system would be under a lot of stress due to reconnect attempts leading<br />
to this problem. A message similar to "allocateSession: no memory for dynamic<br />
allocation UIFL xe-5/0/1.1073806881" shows up in the log when PPPoE traceoptions<br />
are enabled. [PR747586]<br />
• This issue is specific to the M120 hardware since there are two independent FRU's from<br />
where the PIC needs to be detached/attached. This IPC messages goes out-of-order<br />
due to the additional control-plane messages related to routing-change as a result of<br />
PIC restart which happens in this case due to the buffer configuration change. When<br />
PIC needs to be detached and at the same time there are still a lot of protocol<br />
information which should be process as well, the ?detached? messages will NOT be<br />
able to be delivered in time. After PIC restarts it request to be attached again but<br />
obviously this action failed because from other FRU?s perspective the PIC has NOT<br />
been detached at all. [PR773081]<br />
• Occasionally, an MX Series router that is connected to a customer premises equipment<br />
(CPE) using PPP fails to send an LCP configure-ack/IPCP configure-ack for the first<br />
LCP configure-request/IPCP configure-request received from the CPE. For LCP, this<br />
178<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
occurs when the MX Series router receives the LCP configure-request from the CPE<br />
soon after sending PADS to the CPE. In the case of IPCP, this occurs when the router<br />
receives IPCP configure-request from the CPE while PPP connection is transitioning<br />
to the next step for configuring Layer 3 protocols using NCP. [PR773950]<br />
• With multiple nondefault routing instance configuration, jpppd seems to bring up the<br />
subscribers fine to ACTIVE state but the access-internal routes are not added to all<br />
subscribers. It appears as if only the first nondefault RI subscribers might have the<br />
routes installed and the rest of them have no routes. [PR775715]<br />
• LCP is terminated after LCP negotiation is finished successfully when you use static<br />
PPP interfaces, and the intention is to use static IP addressing on the subscriber CPE.<br />
To make this work, a configuration like below is needed:<br />
interfaces {<br />
pp0 {<br />
unit 14 {<br />
pppoe-options {<br />
underlying-interface ge-5/2/0.612;<br />
server;<br />
}<br />
keepalives interval 10 up-count 3 down-count 3;<br />
family inet {<br />
address 1.1.9.1/32 {<br />
destination 0.0.0.0 ### Gives a hint for static addressing on subscriber side<br />
}<br />
}<br />
}<br />
}<br />
[PR777042]<br />
• PPPoE sessions remain stuck in "init" state. [PR779047]<br />
• Junos OS <strong>Release</strong> 11.4X27 does not support unified in-service software upgrades (unified<br />
ISSU) for configurations that include interface sets. [PR-779377]<br />
• In a DHCPv6oPPPoE environment, DHCPv6 bindings are terminated if the IPv6 address<br />
is removed or added on a static IPv6 interface, not related to the PPPoE configuration.<br />
[PR780607]<br />
• In MLPPP scenario, in rare conditions (such as FPC crash), kernel may try to delete a<br />
MLPPP bundle with an invalid (although within the max bundle limit) bundle ID. This<br />
will casue vmcore and Routing Engine switchover. [PR780784]<br />
• In a PPPoE environment, the router might not be able to process any PADI (PPPoE<br />
Active Discovery Initiation) packets. This is caused by PPPoED memory leak issue.<br />
[PR781985]<br />
• On the fxp0 interface, when speed is configured at 10m for a full-duplex network, the<br />
following log message is generated:<br />
fxp0: Full duplex link mode is not supported with speed 10M, Hence Speed will default<br />
to 100M<br />
[PR791777]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
179
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• When you configure the untagged GE interface or untagged aggregate ethernet with<br />
link member on IQ PIC with per-unit-scheduler, this might cause the failure of interface<br />
statistics on this interface. As a result the following error will be reported in the log<br />
message and on "show interface extensive" outputs. [PR794975]<br />
• Continuously walking SNMP MIBs while PPP subscribers log in and out of the router<br />
causes the PPPoE daemon to go unresponsive due to synchronous retrieval of SNMP<br />
MIBs take larger time and blocking signals to be serviced by PPPoE daemon. Subscribers<br />
can no longer log into the router. The daemon will remain unresponsive as follows until<br />
it is restarted.<br />
user@router> show pppoe statistics<br />
error: the pppoe subsystem is not responding to management requests<br />
The SNMP MIBs being walked are as follows:<br />
1.3.6.1.4.1.2636.3.68.1.1 (jnxPPPObjects) 1.3.6.1.4.1.2636.3.67.1 (jnxPPPoEMIB)<br />
1.3.6.1.4.1.2636.3.64.1.1 (jnxSubscriberObjects)<br />
1.3.6.1.4.1.2636.3.12.1.1.1 (jnxIpv4AddrEntry)<br />
1.3.6.1.4.1.2636.3.51.1.1 (jnxUserAAAObjects)<br />
[PR795556]<br />
• jpppoed memory utilization spikes after GRES or jpppoed restart event. [PR800650]<br />
• In PPPoE subscriber management environment, during subscribers logging in, PPP<br />
daemon (jpppd) might leak memory due to following software issues:<br />
• During PPPoE subscribers logging in who use CHAP authentication method, if the<br />
CHAP protocol taking longer than 30 seconds to negotiate, PPPoE daemon (pppoed)<br />
will try to delete the underlying logical interface (IFL) through which the subscribers<br />
log in. Then pppd process try to remove the subscriber entry (which involves ensuring<br />
the IFL is correctly deleted). But sometimes jpppd will not remove some of the<br />
memory associated with the subscriber and cause jpppd memory leak.<br />
• Because software defect in PPP protocol NCP negotiation stage, jpppd process may<br />
leak pending buffers during subscribers logging in.<br />
The memory leak of jpppd process could be observed by following command (The<br />
RES field means "Current amount of resident memory, in kilobytes"): user@router><br />
show system processes extensive | match "PID | jppp" PID USERNAME THR PRI NICE<br />
SIZE RES STATE TIME WCPU COMMAND 1460 root 3 20 0 66912K 37420K sigwai<br />
20:17 0.00% jpppd [PR802915]<br />
• With LSQ interface, the MLPPP fragments cannot use the egress queue 4 to 7 on the<br />
MLPPP member links. There is no workaround. [PR805307]<br />
• In subscriber management environment, with either 'pppoe-underlying-options' or<br />
'advisory-options' or both of them configured for Ethernet interface, after each login<br />
and logout of a DHCP/PPPOE subscriber, it has some memory leak in kernel. After<br />
some time, BRAS starts to reject new sessions and needs to be restarted to restore its<br />
operation. The memory leak occurs in the Routing Engine kernel can be observed by<br />
following commands:<br />
Or<br />
user@router> show system virtual-memory | match iflog<br />
iflogical 1471864 281335K - 17671778 16,32,64,256,4096,16384,32768,262144,524288<br />
180<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
user@router> show chassis routing-engine<br />
Routing Engine status:<br />
Slot 0:<br />
Current state Master<br />
Election priority Backup<br />
Temperature 36 degrees C / 96 degrees F<br />
CPU temperature 42 degrees C / 107 degrees F<br />
DRAM 3584 MB<br />
Memory utilization 81 percent < -----------------------------<br />
[PR807838]<br />
• VC powerdown of VCMm leaves Ip demux interfaces in a "hardware-down" state<br />
[PR813902]<br />
• Warning message added is syslog when external sync is not supported. [PR817049]<br />
• If per-unit-schedular is configured under a physical interface(ifd), and trying to delete<br />
this ifd and its sub-interfaces (ifl) in one single commmit, ksyncd may core in the backup<br />
Routing Engine which will cause GRES malfunction. [PR827772]<br />
• Currently, no SNMP trap sent when backup SPMB failure happened. This PR is meant<br />
to enable the SNMP trap for such failure. [PR835167]<br />
• ERA events are not credited back by jpppoed. ERA has a purge timer of 10 minutes<br />
which reclaims stale events so new connections are allowed after the purge timer fires.<br />
In a high scaled scenario this can lead to slow PPPoE connections. [PR842935]<br />
• When packet has to be forwarded over NH topology unilist->indirect-indexed and<br />
when the packet size is greater than egress interface MTU w/ DF set, then we may log<br />
the following message and not send the message back to source indicating "frag<br />
needed and DF set". fpc0 NH: Can not find ifl for nh 1048590 fpc0 NH(nh_get_mtu_iff)<br />
: get unilist mtu failed [PR844987]<br />
• The device configuration daemon (dcd) may crash when a partial demux subinterface<br />
configuration is attempted to be committed. There is no impact to traffic forwarding<br />
but before the configuration can be committed, it must provide a valid<br />
'underlying-interface' for the demux subinterface. [PR852162]<br />
• On T Series routers the kmd process gets started on the backup Routing Engine and<br />
fails to connect to PIC and add manual security association to kernel giving a kmd logs<br />
error message to syslog/kmd logs as follows: “KMD_INTERNAL_ERROR.” This will not<br />
affect any ipsec functionality. [PR854975]<br />
J-Web Interface<br />
• For the following functionality, the J-Web interface is not launching up at workspace<br />
( Configure >Point >Protocols >Configure >Ospf3) .<br />
As a workaround, configure ospf3 (for example: set protocols ospf3 area 0.0.0.0<br />
interface fe-1/3/0) as follows on the CLI:<br />
• On the J-Web interface click on Configure >Point<br />
• Select Configuration Tree View >Protocol and click on expand button.<br />
• It display the configured CLI osfp3 parameters.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
181
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Click on area/prefix/interface option on the Tree View tab.<br />
• At work space it display the selected options required parameters.<br />
• At work space it display the selected options required parameters.<br />
• At workspace can perform add,edit,delete,commit operations<br />
[PR857540]<br />
Layer 2 Features<br />
• In L2vpn scenario, if there is no mpls route to neighbor and there is a static route with<br />
discard nexthop in inet.3 table as follows:<br />
user@router# show routing-options<br />
rib inet.3 {<br />
static {<br />
route 0.0.0.0/0 discard;<br />
}<br />
}<br />
Then the L2vpn connection will use the above static route in inet.3 table to connect<br />
its neighbor as follows:<br />
user@router# run show route table mpls<br />
mpls.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - =<br />
Last Active, * = Both<br />
0 *[MPLS/0] 00:01:42, metric 1<br />
Receive<br />
1 *[MPLS/0] 00:01:42, metric 1<br />
Receive<br />
2 *[MPLS/0] 00:01:42, metric 1<br />
Receive 1<br />
3 *[MPLS/0] 00:01:42, metric 1<br />
Receive<br />
ge-0/0/1.601 *[L2VPN/7] 00:01:38, metric2 0<br />
Discard<br />
In this situation, routing protocol daemon (rpd) generates a core file while walking<br />
snmp mib 'jnxVpnPwEntry'.[PR816821]<br />
Layer 2 Ethernet Services<br />
• DHCP Server Identifier (option 54) in a Request changes from server ip address to<br />
Giaddr address. [PR729833]<br />
• The DHCPv6 server application may not properly process DHCPv6 packets when<br />
Option 18 (DHCPv6 Interface-ID) and Option 37 (DHCPv6 Relay Agent Remote-ID)<br />
are received in the same packet. [PR774631]<br />
• DHCP server in a vrf responds with incorrect server identification address option 54 in<br />
DHCPOFFER. [PR776222]<br />
• Extracting option-37 (remote id) might cause an overflow that corrupts other data.<br />
The result is a failure of RADIUS account message. [PR777157]<br />
182<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• The AFTR information from RADIUS is advertised by MX Series router to the client via<br />
DHCPv6. [PR779679]<br />
• The old dhcp session still can be renewed by client after client move to another vlan.<br />
[PR784951]<br />
• In an MX Series Virtual Chassis environment, a traffic outage longer than 2 minutes<br />
occurs when a member of the VC-M LAG fails while LACP is in active mode with link<br />
protection on the VC-M router. The outage occurs while the LACP process restarts on<br />
the new VC-M router. To avoid this situation, make sure that LACP is running in active<br />
link protection mode on the device in front of the VC-M router. This device cannot be<br />
an EX Series Ethernet Switch, because the switch does not support LACP in link<br />
protection mode. [PR784965]<br />
• DHCP may fail to delete both routes for a DHCPv6 client, leaving the client stuck in the<br />
RELEASING state. When a client binds successfully after requesting both an address<br />
(IA_NA option) and a prefix (IA_PD option), two routes are added for the client. If only<br />
one of the routes is deleted and DHCP fails to properly retry the failed route deletion,<br />
the client remains in the RELEASING state. [PR784977]<br />
• DHCP relay does not forward ACK to client from the backup DHCP server after primary<br />
DHCP server failure. [PR799090]<br />
• To free the socket used by jdhcpd for bootp helper deactivate dhcp-service traceoptions.<br />
[PR817515]<br />
• In scenario where DHCP stray request is recieved on MX acting as DHCP relay and<br />
authenticaiton for this request fails, MX is generating DHCP NACK back to DHCP client<br />
[PR835794]<br />
Multiprotocol Label Switching (MPLS)<br />
• For point-to-multipoint LSPs configured for VPLS, the "ping mpls" command reports<br />
100 percent packet loss even though the VPLS connection is active. [PR287990]<br />
• The malformed packet is due to inconsistent handling of internal flag of the MX 3D<br />
platform when performing L2VPN switching of packets that have MPLS with 2 or more<br />
labels as layer3 inside ethernet (e.g. switching L3VPN over L2VPN). In this situation<br />
EOS bit is erroneously not getting set on the imposed label, resulting in the receiver<br />
interpreting the start of payload as one more label. [PR684256]<br />
• The RPD process may crash when executing the command clear mpls lsp name<br />
or monitor label-switched-path [PR756551]<br />
• If ldp-tunneling is configured on an LSP, and the router receives thousands of LDP<br />
routes through this LSP, and additionally the router has a large number of FPCs<br />
(especially in multi-chassis platform), during MPLS statistics collection, it is possible<br />
to see packets drop or delay on the link connect the Routing Engine with the Packet<br />
Forwarding Engine. If auto-bandwidth is enabled for the LSP, then auto-bandwidth<br />
will work incorrectly. Below kernel message type could be seen when issue happens:<br />
/kernel: rpd pid 16252 tid 100130 syscall 133 ran for 568 ms And also too much kernel<br />
resource was occupied once the issue happened, the Routing Engine based keep-alive<br />
processing could be impacted over the syscall period. bfdd[4325]:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
183
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
BFDD_TRAP_MHOP_STATE_DOWN: local discriminator: 1715, new state: down, peer<br />
addr: x.x.x.x [PR785360]<br />
Network Management and Monitoring<br />
• SNMP selects the first valid configured IP address on the loopback interfaces for the<br />
source address of SNMP Trap. It should select the lowest valid IP address configured<br />
on the loopback address [PR729699]<br />
• Junos OS <strong>Release</strong>s later than 10.0 reserves separate index pool for private and public<br />
interfaces. After an upgrade from version prior to 10.0 to version later than 10.0, some<br />
of the public interfaces may be included within the private index pool. There is no<br />
operational risk caused by this issue. [PR815028]<br />
• On MX 960 router after committing the load merge command, commit logs gets flooded<br />
with "/var/log/interfaces-log.0: No such file or directory." This issue happens when a<br />
burst of traces is triggered by an event (commit in this case). If the max tracefile size<br />
is configured to a low value, then this leads to a race condition during log rotation. This<br />
issue can be prevented by increasing the max size of the traceoptions file. [PR820322]<br />
• The default maximum log file size depends on the platform type for TX-Matrix or<br />
TX-Matrix Plus routers it is expected to be 10 MB. However, due to a software defect<br />
this file size was only 1 MB. [PR823143]<br />
Platform and Infrastructure<br />
• Junos OS does not support dynamic ARP resolution on Ethernet interfaces that are<br />
designated for port mirroring. This causes the Packet Forwarding Engine to drop mirrored<br />
packets. As a workaround, configure the next-hop address as a static ARP entry by<br />
including the 'arp ip-address' statement at the [edit interfaces ]<br />
hierarchy level. [PR237107]<br />
• Following a large output with jcs:get-input() will truncate the output after the<br />
---(more)--- prompt and cause all following user input to be hidden. As a workaround,<br />
add the | no-more option when executing op scripts. [PR473816]<br />
• Commit time warning is changed to trace message. [PR480082]<br />
• Enabling MAC Learning on interfaces for MPC cards throws errors. The error message<br />
has been found to be harmless. It has been reduced to the level of debug. No<br />
functionality change is required. [PR569800]<br />
• With 'chassis route-memory-enhanced' knob (or 'chassis memory-enhanced') is<br />
enabled, when there is a route change, the route may not be changed accordingly on<br />
the forwarding table. This may cause traffic black holes. This is caused by memory<br />
corruption issue on the Packet Forwarding Engine due to an incorrect jtree memory<br />
free. [PR683024]<br />
• You might see zombie processes increment while doing commit each time [PR692382]<br />
• mgd core at gram_make_object upon load config [PR708306]<br />
• When Graceful Routing Engine Switchover (GRES) is enabled, the firewall configuration<br />
might not synchronize properly, and this might cause traffic drop and even FPC crash<br />
184<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
after GRES switchover. A reboot of the line card is needed to clear this state and restore<br />
the issue. [PR708411]<br />
• When cscript data memory limit is exceeded when executing op, event or commit<br />
script, the cscript process could reset and leave a core file when failing to allocate<br />
memory past its limits. The script would not succeed to run, in the case of a commit<br />
script the commit would not succeed. [PR722161]<br />
• When tagged traffic is sent on an untagged interface, which is part of a bridge-domain<br />
or vpls instance with shared vlan learning (vlan-id all), traffic is learned on VLAN-ID<br />
4096 instead of the incoming vlan-id. [PR733877]<br />
• The output of the "file list detail" command can display a capital 'S' instead of a lower<br />
case 's' for the file or directory permission. The system shell output, however, displays<br />
the correct values. [PR736474]<br />
• The "request system zeroize" command deletes the /var/db/scripts directory and all<br />
subdirectories but does not re-create them. The directories and subdirectories need<br />
to be manually re-created via the root shell and the correct permission set. [PR736478]<br />
• Ifmon process might restart creating a coredump if the "monitor interface" command<br />
is issued multiple times within a short interval. [PR789262]<br />
• In 11.2 L3 services over MC-LAG are supported through IRB only and thus family inet is<br />
not supported directly on MC-LAG interface. However, appropriate commit check is<br />
missing in 11.2R3 and later maintenance releases of 11.2 [PR802938]<br />
• If set and delete configuration is done repeatedly on the management session for a<br />
long time, cli process will keep consuming memory during operation and could reach<br />
to the upper limit of it's available memory. [PR813673]<br />
• Commit may fail, when a config object is deleted and re-added as transient change<br />
from a commit script. [PR814796]<br />
• Tunnel services (MT-x/x) using MPC on PE installs (S,G) route on receiving IGMP report.<br />
[PR821893]<br />
• IPv6 traceroute is not setting traffic class with TOS command. Traceroute packets<br />
may not get to the correct queue and the COS bits may not be reflected properly in<br />
the traceroute outputs. [PR835359]<br />
• This applies to all <strong>Juniper</strong> M/MX and T-Series routers. In certain GRES scenarios, the<br />
backup Routing Engine may not have the complete state of the NH database from the<br />
active Routing Engine and may send duplicate NH add messages to the Packet<br />
Forwarding Engine with same NH Ids when it becomes active. This could potentially<br />
cause undesirable behavior in forwarding resulting in broken forwarding state and/or<br />
FPC cores. To limit the affect of these duplicate NH add messages, only certain<br />
duplicate NH adds messages which can be handled gracefully are allowed and all<br />
other duplicate add messages are rejected. The following table lists the NH types that<br />
support duplicate NH adds.<br />
+--------------+---------+--------+--------+---------+-----------+--------+<br />
|New --> | RNH_ | RNH_ | RNH_ | RNH_ | RNH_ | Rest |<br />
|Old | UNICAST | REJECT | HOLD | DISCARD | AGGREGATE | of RNH |<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
185
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
| | | | | | | | |<br />
| \|/ | | | | | | |<br />
+--------------+---------+--------+--------+---------+-----------+--------+<br />
| | | | | | Reject if | | |RNH_UNICAST | Allow | Allow | Allow | Allow | child; | Reject |<br />
| | | | | | otherwise | |<br />
| | | | | | Accept | |<br />
+--------------+---------+--------+--------+---------+-----------+--------+<br />
|RNH_REJECT | Allow | Allow | Reject | Allow | Allow | Reject |<br />
+--------------+---------+--------+--------+---------+-----------+--------+<br />
|RNH_HOLD | Allow | Reject | Allow | Allow | Allow | Reject |<br />
+--------------+---------+--------+--------+---------+-----------+--------+<br />
|RNH_DISCARD | Allow | Allow | Allow | Allow | Allow | Allow |<br />
+--------------+---------+--------+--------+---------+-----------+--------+<br />
| |Allow if | | | | | |<br />
|RNH_AGGREGATE |DELETE_ | Allow | Allow | Allow | Allow | Reject |<br />
| |CHILD; | | | | | |<br />
| |Otherwise| | | | | |<br />
| |Reject | | | | | |<br />
+--------------+---------+--------+--------+---------+-----------+--------+<br />
|Rest of RNH | Reject | Reject | Reject | Allow | Reject | Reject |<br />
+--------------+---------+--------+--------+---------+-----------+--------+<br />
There is no workaround for this problem. [PR843907]<br />
Routing Protocols<br />
• When you configure damping globally and use the import policy to prevent damping<br />
for specific routes, and a peer sends a new route that has the local interface address<br />
as the next hop, the route is added to the routing table with default damping<br />
parameters, even though the import policy has a nondefault setting. As a result, damping<br />
settings do not change appropriately when the route attributes change. [PR51975]<br />
• In some scenarios MVPN-routes with same RD:Prefix may get generated from<br />
multiple-VRFs on a PE-router. When such a PE-router is not a MVPN-RR and has no<br />
MVPN-EBGP peers, it is possible that the core-network may lose the MVPN-route<br />
because of an erroneous MVPN-withdrawal sent by the PE because of the MVPN-route<br />
getting deleted from one of the PE VRFs; even if there are other-VRFs on the PE still<br />
advertising the route. [PR698493]<br />
• BGP family configuration expects that if any more specific configuration--for example<br />
neighbor vs. group, group vs. global--is present that no family configuration from less<br />
186<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
specific configuration is used. When family route-target advertise-default is configured<br />
at BGP peer group scope and BGP neighbor scope configuration contained family<br />
statements, advertise-default should not be propagated. [PR706925]<br />
• After upgrade to 10.4R9 following messages are seen "Cancelling deferral pp0 index<br />
131" These messages are not indicative of any problem and only cosmetic [PR742534]<br />
• The rpd process is reinitialized when you commit a configuration change. When multiple<br />
reinitializations occur while OSPF is running on the router, the periodic refresh of OSPF<br />
router LSAs may stop. If the LSAs are not refreshed, the router no longer participates<br />
in the OSPF routing domain. You can issue the "show ospf database router<br />
advertising-router router-id extensive | match timer" command to see evidence of the<br />
issue. In the error state, the output does not include the Gen timer field. [PR/744280:<br />
This issue has been resolved.] [PR744280]<br />
• When a subscriber dynamic profile is configured to add access routes, some route<br />
additions might fail intermittently, preventing those subscribers from forwarding traffic.<br />
This issue occurs more frequently when the CPU utilization is high. As a workaround,<br />
do not specify access-internal routes in the dynamic profile. Omitting this configuration<br />
enables the route additions to occur correctly by means of a different internal<br />
mechanism. [PR747631]<br />
• In scaled RIP topology (about 50 RIP neighbors and route injection), with Non-Stop<br />
Routing (NSR) enabled, after graceful-switchover (GRES), RIP packets will not be sent<br />
out for few seconds to few minutes. The blackout duration would be vary by number<br />
of ifls or routes the router has. The following errors could be seen when issue happens:<br />
Cannot send request for whole table to neighbor ae1.2460: Socket is not connected<br />
send msg failed: Socket is not connected [PR754140]<br />
• BFD flaps with AE bundle and 10 ms timer. [PR773101]<br />
• Routes are not deleted from routing table when interface is deleted. SPF calculation<br />
was not triggered in one particular code flow after the LSAs are deleted from database.<br />
SPF calculation is triggered when the LSA is being deleted due to zero links. [PR782029]<br />
• The routing protocol process (rpd) might crash when doing multiple GRES in<br />
combination with bgp peer flapping with large number of dampened routes. This is<br />
observed only when certain sequence criteria are met, but may not be exposed under<br />
all switchover conditions. [PR793875]<br />
• In some specific cases spf calculation may be incomplete because of the specific order<br />
the IS-IS LSP fragments are received. [PR797278]<br />
• Setting OSPF overload via the configuration sets both the metric field in router LSAs<br />
as well as te-metric field in opaque LSAs to 65535 or 2^16-1. Since te-metric is a 32-bit<br />
field, it should be set to 2^32-1. [PR797293]<br />
• The rdp generates a core file after the Routing Engine switchover. This occurs because<br />
*G, and S,G asserts created due to duplication of traffic are not handled properly after<br />
the Routing Engine switchover.<br />
HW type of chassis/linecard/RE. "ALL"<br />
Suspected software feature combination. Multicast feature<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
187
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Describe if any behavior/ change to existing function - Handle the *,G and S,G assert<br />
properly.<br />
[PR809338]<br />
• The autoexported secondary BGP routes that are advertised using "advertise-inactive"<br />
can miss the flash event; if so, this leaves the deleted secondary route in the stuck<br />
state. [PR818552]<br />
• The OSPF route will not be deleted from routing/forwarding table if configuration<br />
satisfies below simultaneously. 1. Router ID is not specified and it can be changed due<br />
to interface down. 2. There is an interface where OSPF is not running. Suppose OSPF<br />
is running on interface A and it is not running on interface B. IP address of interface A<br />
is selected as router ID. When interface A goes down and router ID is changed to the<br />
IP address of interface B, OSPF on interface A will lose adjacency to the remote OSPF<br />
router but router will keep routes learnt via OSPF. [PR820909]<br />
• Multiple route nexthops will not be returned via SNMP for ipCidrRouteTable object<br />
[PR831553]<br />
• It is possible that RPD's higher priority tasks (HPTs) are scheduled to run such that<br />
lower priority tasks (LPTs) may not be able to complete until HPTs are completed.<br />
[PR836197]<br />
• IS-IS reports prefix-export-limit exceeded even though the number of exported routes<br />
is smaller than the configured value of prefix-export-limit. [PR844224]<br />
• In scenarios that use BGP to distribute traffic flow specifications, if the recieved<br />
flow-spec Network Layer Reachability Information (NLRI) contains invalid argument<br />
(such as dscp is larger that 63), routing protocol daemon (rpd) will generate flow-spec<br />
routes and install them in the routing table for these NLRIs but these flow routes with<br />
invalid match conditions are rejected by dynamic firewall daemon (dfwd) from being<br />
added to the flowspec filters. When issue happens, the following errors could be seen:<br />
krt_flow_trans_match_config: Failed defining match conditions<br />
10.0.1.1,1.0.0.1,proto=6,dscp=81<br />
krt_flow_trans_term_add: Failed adding term 10.0.1.1,1.0.0.1,proto=6,dscp=81 to filter<br />
0x9504000 - Unknown error: 0<br />
krt_flow_trans_filter_add: Failed sending transaction (ADD FILTER SINGLE TERM) for<br />
filter 0x9504000 __flowspec_default_inet__ to add term<br />
10.0.1.1,1.0.0.1,proto=6,dscp=81 - Invalid argument<br />
When the BGP peer withdraws these flow routes, they will only be deleted but not<br />
freed, hence cause memory leak. [PR845039]<br />
188<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Services Applications<br />
• When you specify a standard application at the [edit security idp idp-policy<br />
rulebase-ips rule match application] hierarchy level, IDP<br />
does not detect the attack on the nonstandard port (for example, junos:ftp on port<br />
85). Whether it is a custom or predefined application, the application name does not<br />
matter. IDP simply looks at the protocol and port from the application definition. Only<br />
when traffic matches the protocol and port does IDP try to match or detect against<br />
the associated attack. [PR477748]<br />
• When the unit 0 for the multi-services PIC interface is not specified, the "monitor<br />
interface traffic" command doesn't display input packets number properly for that<br />
particular ms-I/F. e.g) user@lab# show interfaces ms-1/2/0 unit 1 { family inet; }<br />
[PR544318]<br />
• Support for displaying logical system and routing instance for L2TP tunnels (MX Series<br />
3D Universal Edge Routers)--When you issue the show services l2tp tunnel command<br />
with the detail or extensive option on either the LAC or LNS, the output now displays<br />
both the logical system and the routing instance in which the L2TP tunnel is brought<br />
up. [PR581182]<br />
• On M Series with L2TP multilink PPP sessions established, the l2tpd (l2tp daemon)<br />
might dump a core file when 'show services l2tp multilink' command is executed.<br />
[PR710538]<br />
• Extensive CLI requests associated with l2tp (show services l2tp ) may result<br />
in l2tpd process crash [PR755948]<br />
• The router may experience a dynamic flow capture process (dfcd) core dump when<br />
a Routing Engine switchover occurs in a highly scaled (100,000 or more subscribers)<br />
configuration that also has subscriber secure policies enabled. The switchover can<br />
result from either GRES or unified ISSU. [PR776698]<br />
• VC-Power up of VCMb chassis/line cards will cause L2tp LAC clients to terminate<br />
[PR777538]<br />
• The show services l2tp session 'interface' extension might not work at devices acting<br />
as L2TP LACs. [PR780651]<br />
• In L2TP setup with MX series router acting as LAC, if the value used passed from RADIUS<br />
in VSA "Tunnel-Client-Endpoint" does not exist on the router, Junos OS will send<br />
SCCRQ message to LNS with random source addresses. [PR788081]<br />
• When an MX Series router configured as an LNS sends an Access-Request message<br />
to RADIUS for an LNS subscriber, the LNS now includes the Called-Station-ID-Attribute<br />
when it receives AVP 21 in the ICRQ message from the LAC. [PR790035]<br />
• MX LNS does not support CLI command services l2tp session user filter option.<br />
[PR792239]<br />
• The clear services l2tp session user command accepts any arbitrary alphanumeric<br />
characters in place of a user name and the CLI command will drop all l2tp subscribers.<br />
[PR792631]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
189
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• MX CLI allows you to configure "*" for client name in the l2tp access profile leading to<br />
failure of establishing the l2tp connection. [PR799232]<br />
• In scenario where MX is acting as LAC and radius server is returning<br />
tunnel-server-endpoint attribute but NOT returning tunnel-client-endpoing memory<br />
leak in jl2tpd process can occur. Additionally same memory leak can occur if<br />
unnumbered loopback attribute is returned from radius for tunneled subscribers.<br />
[PR800107]<br />
• Called-station-id always sent by LNS irrespective of configuration on LNS. The knob<br />
of "excluding" this attribute didnt work. The fix was tested working in 11.4X27.38<br />
[PR818899]<br />
• An LNS configuration on MX boxes can be reported as invalid even if it has been<br />
successfully committed previously. [PR823709]<br />
• jl2tpd crash _thr_send_sig (thread=0x8a5e000, sig=6) at<br />
../../../../src/bsd/lib/libthr/thread/thr_kern.c:91 jl2tpd crash exhibited in an enviroment<br />
where MX480 router was configured as LAC and terminating 500 l2tp subscribers.<br />
[PR824760]<br />
• The "hot-standby" CLI knob under [edit interfaces <br />
redundancy-options] is made hidden for the Redundant Service PIC (RSP) [PR838762]<br />
• If flow-tap or radius-flow-tap is configured and logging, dfcd may be leaking file<br />
descriptors. RPD may crash and write a core with a signature like "kern.maxfiles limit<br />
exceeded by uid 0" due to this issue. [PR842124]<br />
Subscriber Access Management<br />
• The nas-port-extended-format now has an additional value ae-width, listed first. All<br />
doc references to nas-port-extended-format should include ae-width which can hold<br />
the ae number. regress@grafton# help apropos ae-width set access profile<br />
radius options nas-port-extended-format ae-width <br />
Number of bits for the aggregated ethernet identifier field [edit] regress@grafton#<br />
...adius radius options nas-port-extended-format ? Possible completions: adapter-width<br />
Number of bits for the adapter field (0..32 bits) ae-width Number of bits for the<br />
aggregated ethernet identifier field + apply-groups Groups from which to inherit<br />
configuration data + apply-groups-except Don't inherit configuration data from these<br />
groups port-width Number of bits for the port field (0..32 bits) slot-width Number of<br />
bits for the slot field (0..32 bits) stacked-vlan-width Number of bits for the S-VLAN<br />
subinterface field (bits) vlan-width Number of bits for the VLAN subinterface field<br />
(bits) [edit] [PR565353]<br />
• A Change-of-Authorization request is being NAK-ed on MX80 when a PPP subscriber<br />
is terminated in a non-default routing-instance. It works as expected if the subscriber<br />
is terminated in the default routing-instance. [PR704560]<br />
• In subscriber management environment with <strong>Juniper</strong> <strong>Networks</strong> Session and Resource<br />
Control (SRC) used, if BRAS (MX platforms) recieves an authentication message with<br />
null AAA message or null attributes in AAA message from SRC while subscribers login,<br />
the generic authentication service process (authd) may crash and core dump due to<br />
memory corruption and the subscriber will be stuck in "Terminating" state until the<br />
190<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
system is rebooted. If JSRC provisioning is deactivated, the subscriber will connect<br />
without any problem. [PR737308]<br />
• After a large number of concurrent PPP session logouts and GRES operation some<br />
sessions may not complete logout (services activated from SRC). Sessions eventually<br />
will time out and clear. [PR742900]<br />
• If <strong>Juniper</strong> <strong>Networks</strong> Session and Resource Control (JSRC) is used to manage subscribers<br />
policies, when subscribers log out, AAA messages may not be freed by the generic<br />
authentication service process (authd). So this may result in a memory leak in authd<br />
daemon. When the max memory is reached, new subscribers will not be able to log in.<br />
[PR753101]<br />
• Subscriber management supports three methods for assigning addresses to DHCP<br />
clients. When multiple methods are configured, the router uses the following precedence<br />
to determine which address to assign to the client. 1. Address defined on the RADIUS<br />
server by Internet Assigned Numbers Authority (IANA) vendor ID 4874 attributes 26-4<br />
(Primary-DNS) and 26-5 (Secondary-DNS). 2. Address defined on the RADIUS server<br />
by IANA vendor ID 2636 attributes 26-31 (Primary-DNS) and 26-33 (Secondary-DNS).<br />
3. Address defined in the local address pool on the router. [PR772408]<br />
• When adding new static DHCP binding where the newly added host address are already<br />
active in the dynamic DHCP pool, system will continue to use the dynamic mapping<br />
until it is available. If that subscriber release and reinitiate the DHCP request, the new<br />
static mapping would not take effect. [PR777257]<br />
• In scenario where multiple address ranges are used in address assignment pool for<br />
pppoe subscribers. Problem is exhibited after 1st range address space is exhausted.<br />
The MX BNG accepts new subscirbers at very low rate (few per minute) while "authd"<br />
process is running ~90% or Routing Engine CPU [PR778179]<br />
• Authd attempts to remove VLAN when subscribers are idle but connected [PR789009]<br />
• The captive portal content delivery service applied on PPPoE subscriber to rewrite<br />
IPDA is not working. The subscriber traffic is altered but is dropped on MSDPC.<br />
[PR789368]<br />
• In subscriber management scenario, if the subscribers (such as PPPoE, DHCP, IPOE)<br />
login through authenticated dynamic VLAN, after them logout, the authenticated<br />
dynamic VLAN will be removed, but the corresponding libstats iflstats entry will be left<br />
which should not be. Finally the memory leak will cause filesystem /mfs full and prevent<br />
subscribers from login. If issue happens, the following logs could be seen: /kernel:<br />
ifl(pp0.1073859148): ifl_config not found !!! smid: /mfs capacity 83% smid: /mfs<br />
capacity 85% authd[13198]: ===== Idle Timeout Exceeded Rid the subscriber =====<br />
last message repeated 2409 times smid: /mfs capacity 108% /kernel: pid 13197<br />
(jdhcpd), uid 0 inumber 24280 on /mfs: filesystem full jdhcpd:<br />
DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv4 client SDB<br />
session 8659554 on incoming interface demux0.1073841747 [PR796299]<br />
• MX-VC:Authd keeps retrying the attempts to fetch final stats for the logical interfaces<br />
that are already removed. [PR806104]<br />
• MX-VC:Authd sends duplicate requests to enable interim accounting in PFED for idle<br />
timeout configured on VLAN subscriber. [PR806112]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
191
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• In subscriber management environment, while recieving a Change of Authorization<br />
(COA) packet with session ID that is ID of service session and the COA packet doesn't<br />
contain username, the lookup for the session id finds the service session rather than<br />
the subscriber session which isn't handled gracefully, then causing authd process crash<br />
and core dumped. The core files could be seen by executing CLI command "show<br />
system core-dumps". When issue happens, the following behaviors could be observed:<br />
user@router> show network-access aaa statistics authentication detail error: the<br />
general-authentication-service subsystem is not running user@router> show log<br />
messages %AUTH-3: general-authentication-service (PID 14502) terminated by signal<br />
number 11. Core dumped! [PR811607]<br />
• Stale addresses in local address pool. [PR815331]<br />
• Snmpwalk requests sent to MX returns multiple duplicate records for<br />
jnxUserAAAAccessPool. [PR840640]<br />
User Interface and Configuration<br />
• The logical router administrator can modify and delete master administrator-only<br />
configurations by performing local operations such as issuing the load override, load<br />
replace, and load update commands. [PR238991]<br />
• Selecting the Monitor port for any port in the Chassis Viewer page takes the user to<br />
the common Port Monitoring page instead of the corresponding Monitoring page of<br />
the selected port. [PR446890]<br />
• Replace pattern does not work with variables names. [PR477753]<br />
• Add IPv4/IPV6 Filters does not work as expected with IE. As a workaround, use IE after<br />
configuring the filters and click APPLY on the summary page. As this action does not<br />
take you back to the configuration page, navigate back to the IPV4/V6 firewall page<br />
by clicking the Security > IPv4/v6 firewall pages. [PR543607]<br />
• User needs to wait until the page is completely loaded before navigating away from<br />
the current page. [PR567756]<br />
• The J-Web interface allows the creation of duplicate term names in the Configure ><br />
Security > Filters > IPV4 Firewall Filters page. But the duplicate entry is not shown in<br />
the grid. There is no functionality impact on the J-Web interface. [PR574525]<br />
• Using the IE7 browser, while deleting a user from the Configure > System Properties ><br />
User Management > Users page on the J-Web interface, the system is not showing<br />
warning message, whereas in the Firefox browser error messages are shown.<br />
[PR595932]<br />
• If you access the J-Web interface using the Microsoft Internet Web browser version 7,<br />
on the BGP Configuration page (Configure > Routing > BGP), all flags might be shown<br />
in the Configured Flags list (in the Edit Global Settings window, on the Trace Options<br />
tab) even though the flags are not configured. As a workaround, use the Mozilla Firefox<br />
Web browser. [PR603669]<br />
• On the J-Web interface, next hop column in Monitor > Routing > Route Information<br />
displays only the interface address and the corresponding IP address is missing. The<br />
192<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
title of the first column displays "static route address" instead of "Destination Address."<br />
[PR684552]<br />
• The show routing-instance | display set | display inheritance command does not show<br />
the correct output with interface configured within routing-instance within group.<br />
[PR704529]<br />
• Protected sections of the group hierarchy do not have their protection status displayed<br />
correctly and are not prevented from adding new elements into existing groups.<br />
[PR717527]<br />
• The annotate command was not valid under firewall filter then hierarchy level and<br />
displayed "No valid completions" , and lead to the configuration could not be committed<br />
under edit private mode .<br />
[edit]<br />
liutao@mx480-a-re1# show | compare<br />
[edit firewall family inet filter LOOPBACK-OUTBOUND term allow-ipv6 then]<br />
+ /* Don't process the packet here; it's IPv6, not IPv4.<br />
+ * Accept it and have it be processed by the IPv6 ACL. */<br />
accept;<br />
syntax error.<br />
liutao@mx480-a-re1# commit full<br />
[edit firewall family inet filter LOOPBACK-OUTBOUND term allow-ipv6 then]<br />
'accept'<br />
outgoing comment does not match patch:<br />
[PR812111]<br />
VPNs<br />
• When you modify the frame-relay-tcc statement at the [edit interfaces interface-name<br />
unit logical-unit-number] hierarchy level of a Layer 2 VPN, the connection for the<br />
second logical interface might not come up. As a workaround, restart the chassis<br />
process (chassisd) or reboot the router. [PR32763]<br />
• Junos Os <strong>Release</strong> 11.4x26.1 upgrade may fail if PIM MVPN instance does not have the<br />
vpn-group-address configured. [PR753863]<br />
• UMH selection should select the highest IP address as the Upstream PE. However, in<br />
the code the highest IP address is selected by comparing lowest order byte of the IP<br />
address first. In this case between IP address 10.233.38.34 and IP address 10.233.32.46<br />
- 10.233.32.46 gets chosen as upstream PE because its lowest order byte (46) is more<br />
than the lowest order bye of 10.233.38.34. This is because code does not account for<br />
the endian-ness of the machine it is run on. Fix - convert the IP address to network<br />
order before comparing. [PR754114]<br />
• Deleted logical interfaces might not be freed due to references in MVPN. [PR851265]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
193
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Resolved Issues<br />
Class of Service (CoS)<br />
• After changing cos configuration and restarting cosd, cosd can get into a state where<br />
a traffic-control-profile is freed but its configuration database is still holding a reference<br />
to it. This results in staled pointer reference and causes cosd to crash. Restarting cosd<br />
will result in another crash. [PR738983: This issue has been resolved.]<br />
Forwarding and Sampling<br />
• If both Routing Engines (REs) have same Junos OS and Graceful Routing Engine<br />
Switchover (GRES) is enabled, filters attached to the Interface Logicals (IFLs) will get<br />
jumbled upon the Routing Engine switchover. This issue is fixed via this PR. If both REs<br />
have different Junos OS, and GRES is enabled, then we could still see similar problem.<br />
This behavior is not fixed via this PR as it is a non recommended way of Junos OS<br />
upgrade. In such upgrades, GRES needs to be disabled. [PR749463: This issue has been<br />
resolved.]<br />
General Routing<br />
• cgatool should not be part of jkernel-common.manifest.in Whoever product that<br />
requires cgatool would need to package jcrypto.manifest Currently,<br />
jkernel-common.manifest.in is used by both jkernel-qfx and jkernel-ppc. jkernel-qfx<br />
doesn't require cgatool to be in jkernel-common.manifest.in. Need same confirmation<br />
from jkernel-ppc.manifest. [PR549623: This issue has been resolved.]<br />
• When an MS-DPC PIC reboots due to a crash or manual intervention, it might get stuck<br />
in a booting loop if the MS-DPC up-time is more than 49 days and 17 hours. After 5<br />
consecutive boot failures, the MS-DPC PIC will go offline automatically and gives the<br />
following error message: [ 15:21:22.344 LOG: Err] ICHIP(0): SPI4 Training failed while<br />
waiting for PLL to get locked, ichip_sra_spi4_rx_snk_init_status_clk [ 15:21:22.344 LOG:<br />
Err] CMSPC: I-Chip(0) SPI4 Rx Sink init status clock failed, cmsdpc_spi4_init [<br />
15:21:22.344 LOG: Err] CMX: I(0) ASIC SPI4 init failed [ 15:21:22.379 LOG: Err] Node for<br />
service control ifl 68, is already present [ 15:21:23.207 LOG: Err] ASER0 SPI-4 XLR<br />
source core OOF did not go low in 20ms. [ 15:21:23.208 LOG: Err] ASER/XLR0 spi4 stop<br />
src train failed! [ 15:21:23.208 LOG: Err] ASER0 XLR SPI-4 sink core DPA incomplete<br />
in 20ms. [ 15:21:23.208 LOG: Err] ASER/XLR0 spi4 sink core init failed! [ 15:21:24.465<br />
LOG: Err] ICHIP(0): SPI4 Stats Unexpected 2'b 11 Error, isra_spi4_parse_panic_errors [<br />
15:21:24.465 LOG: Err] ICHIP(0): SPI4 Tx Lost Sync Error, isra_spi4_parse_panic_errors<br />
In order to recover from this state the whole MS-DPC needs to be rebooted. [PR828649:<br />
This issue has been resolved.]<br />
• When the transit traceroute packets with ttl=1 are received on the LSI interface, you<br />
may retrieve the Source Address from the LSI interface to reply ICMP. As LSI does not<br />
have any IFA, it will use first the IFA in routing-instance to reply. So Source Address<br />
used was the first IFA added in VPN routing-instance. As a workaround, if the incoming<br />
interface is LSI, then retrieve Source Address from the logical interface which is having<br />
the Destination IP Address. This will make sure we reply with Source Address from<br />
CE-facing the logical interface. [PR839920: This issue has been resolved.]<br />
194<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• VC-Subscriber license change not updated to all the Routing Engine's in back up<br />
members. [PR835039: This issue has been resolved.]<br />
• After the Routing Engine switchover or a reboot, MLFR interfaces may not send MVPN<br />
data to all downstream receivers. [PR787168: This issue has been resolved.]<br />
• When an FPC gone bad due to hardware failure is stuck in a boot mode, it might affect<br />
the communication between the routing engine and the Packet Forwarding Engine on<br />
for other FPCs. [PR831233: This issue has been resolved.]<br />
• A feature to supportOSI/CLNS type frames on Trinity platform was added in 11.2R1,<br />
and this feature is not supported on ichip based DPC. Despite DPC not supporting CLNS<br />
type next-hops, the following log message is seen: > $ zcat messages.log.gz | grep<br />
50556 > Sep 20 02:27:52 r2 fpc0 Table nexthop for unsupported proto. NH(50556)<br />
CLNP:2617 > Sep 20 02:27:52 r2 fpc1 Table nexthop for unsupported proto.<br />
NH(50556) CLNP:2617 > Sep 20 02:27:52 r2 fpc3 Table nexthop for unsupported<br />
proto. NH(50556) CLNP:2617 > Sep 20 02:53:20 r2 fpc0 NH: Failed to find nh<br />
(50556) for deletion > Sep 20 02:53:20 r2 fpc1 NH: Failed to find nh (50556) for<br />
deletion > Sep 20 02:53:20 r2 fpc3 NH: Failed to find nh (50556) for deletion This fix<br />
masks this log message for DPC. [PR680782: This issue has been resolved.]<br />
• After a software upgrade to Junos OS <strong>Release</strong> 11.4R3 or later, a "xe" interface may<br />
report "L2 channel errors" when issue show interface extensive. We have seen this issue<br />
when the xe interface is part of an "ae" bundle. [PR800634: This issue has been<br />
resolved.]<br />
• On TX Series system platforms, under very special corner case condition, non-enhanced<br />
FPCs might drop most of the traffic send into the fabric. TXP Platforms are not exposed<br />
to this symptom. You will see lots of fabric drops reported via the show pfe statistics<br />
traffic or show class-of-service fabric statistics command. FPC affected needs to be<br />
restarted to recover from this condition. Sometimes you might also see the following<br />
error log reported in the syslog. LOG: Err] NFAB(1/1): RODR offset overflow count<br />
incremented (65) LOG: Err] CMALARM: Error (code: 542, type:Minor) encountered,<br />
cmalarm_passive_alarm_signal LOG: Err] NFAB(1/1): PKTR ICELL signature error counter<br />
incremented [PR805682: This issue has been resolved.]<br />
• L2ald process may crash, during issue with core-dump and will fail to start the process.<br />
[PR731147: This issue has been resolved.]<br />
High Availability (HA) and Resiliency<br />
• On T640 router the in-service software upgrade process fails and generates an error<br />
message. This is because there was a failure in configuration synchronization.<br />
[PR783832: This issue has been resolved.]<br />
Infrastructure<br />
• Multicast traffic drops can occur if one of child links of Aggregated Ethernet (AE) bundle<br />
failed. [PR779238: This issue has been resolved.]<br />
• If a router is configured with a POSIX compliant time-zone string it does not update<br />
the time zone correctly. Problem can be observed in system logs and CLI commands<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
195
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
when date/time zone is referenced. set groups re0 system time-zone<br />
EST5EDT,M10.3.0/2,M2.3.0/2 The router will incorrectly reference the previously<br />
configured time zone. After time zone configuration modifications run commit full.<br />
[PR785946: This issue has been resolved.]<br />
• Over time when routing-table instances is added and removed, when the global index<br />
allocated to a route-table reaches around 36730, the default route-table (inet.0),<br />
having index 0 always, could be wrongly allocated to a newly added instance. After<br />
this corruption to the default routing-instance whenever this default route-table (inet.0)<br />
is accessed or modified this could result in kernel panic. The fix addresses this corruption<br />
by adding the default route-table inet.0 (index 0) to the structure tracking all default<br />
tables in the system, thereby ensuring that this index never gets re-allocated and not<br />
resulting in this kernel core. The possibility of running into this issue depends solely on<br />
the rate of adding and removing routing-instances. [PR829412: This issue has been<br />
resolved.]<br />
Interfaces and Chassis<br />
• Under certain circumstances,MX80 may crash when using the command "request<br />
system snapshot". [PR603468: This issue has been resolved.]<br />
• On E1 interface, when interface flaps on CE side of connection interface will flap a<br />
second time on the PE side [PR690403: This issue has been resolved.]<br />
• The message "NH: nonexistant forwarding nexthop for flood nexthop" occurs when<br />
the nexthop of member link in aggregate ethernet is deleted before the nexthop of<br />
aggregate is deleted. There is no operation impact. [PR695659: This issue has been<br />
resolved.]<br />
• There can be a mismatch between the ifIndex value on IF-MIB-ifName and the ifIndex<br />
value on SONET-APS-MIB-apsMapGroupName and apsMapEntry. [PR771877: This<br />
issue has been resolved.]<br />
• Kernel can cache a high incorrect value for stats and is rejecting the correct subsequently<br />
stats coming from the PIC. The fix consists in checking if the difference of what is<br />
cached in kernel and what is reported by the PIC is less than an acceptable value. If<br />
the answer is not kernel does not gets stuck permanently and recovers while fetching<br />
stats next time. [PR806015: This issue has been resolved.]<br />
• The hold-time down 300 configuration does not work when alarms appear below<br />
200ms in 1xOC192/STM64 PICs. [PR815464]<br />
• The show interfaces redundancy might display secondary as down upon following<br />
sequence: deactivate R.I.(that contains entire mfr ifls)-->restart fpc(that holds<br />
secondary MS pic)--> activate the R.I. back [PR816595: This issue has been resolved.]<br />
• MX's chassis-control interrupt storm falsely reported when a Field Replaceable Unit<br />
(FRU) is removed, inserted, or FPM button pushed. A FRU may not be recognized/boot,<br />
resulting in chassis operational failure. [PR823969: This issue has been resolved.]<br />
• In Junos OS <strong>Release</strong> 11.4R6 a check of max active planes prevents more than 4 planes<br />
to become active, therefore, increase-bandwidth, i.e. 6 active planes, can not be<br />
achieved. This bug exists in 11.4R6 only and will be fixed in 11.4R7. Please advise<br />
196<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
customers who require fabric to operate in increased bandwidth mode skip 11.4R6 from<br />
their upgrade. [PR833074: This issue has been resolved.]<br />
• Although physical interface is disabled, reseating 1GbE SFP on MPC/MIC restores its<br />
output optical power, hence the opposite router interface turns Up(Near-end interface<br />
is still down). Only 1g-SFP on MPC/MIC has the problem, but 1g-SFP on DPC/MX, EX<br />
series and 10G-XFP on DPC/MX don't have the problem. When the sfp is reseated,<br />
then the sfp periodic is going ahead and enabling the laser irrespective of the fact that<br />
interface has been enabled or disabled. Driver needs to store the state for each sfp link<br />
and enable laser based on that. This software problem is fixed in 11.4R7, 12.1R6, 12.2R4,<br />
12.3R2 and later release. [PR836604: This issue has been resolved.]<br />
• It is possible that when a DPC boots up and link-training fails for all the links between<br />
fabric planes and the FPC, the interface is still brought up online and traffic blackholing<br />
will occur. [PR839076: This issue has been resolved.]<br />
• The logical interfaces are marked with 0 (null) after deactivate system commit<br />
synchronize and deactivate chassis redundancy which result backup the Routing Engine<br />
to core [PR840167: This issue has been resolved.]<br />
Layer 2 Features<br />
• The issue is due to another PR686399, where the DA mac entries on AE are getting<br />
aged out though the traffic is ingressing on different the Packet Forwarding Engine 's<br />
of same AE. [PR802924: This issue has been resolved.]<br />
Layer 2 Ethernet Services<br />
• It can happen that when changing an interface framing from lan-phy (default) to<br />
wan-phy and back a few times, the interface doesn't show up any more in "show<br />
interfaces terse". [PR836382: This issue has been resolved.]<br />
Multiprotocol Label Switching (MPLS)<br />
• Configuration changes to some attributes of the standby secondary path of an MPLS<br />
label-switched path (LSP) might cause the LSP to flap, which might result in packet<br />
loss. [PR394184: This issue has been resolved.]<br />
• For the same P2MP LSP, if the same node is acting as Egress as well as Transit, then<br />
sometimes traffic can get duplicated at CCC p2mp-receive-switch. This issue is not<br />
present in Junos OS <strong>Release</strong> 12.1 onwards. [PR843134: This issue has been resolved.]<br />
Network Management and Monitoring<br />
• Incorrect query can cause the Routing Engine CPU to go high. [PR771867: This issue<br />
has been resolved.]<br />
• The timestamp year msec command in syslog (not using structured data) is intended<br />
to include year and msec details in local syslog messages stored in rotating files, but<br />
not to be included in messages sent to a remote syslog collector. This fix corrects a<br />
wrong behavior introduced in 11.3R1 where such details were also included in syslog<br />
messages sent to a remote host. [PR820436: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
197
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Expand the buffer size and set break point to allow sending out large snmp messages<br />
due to ospf down event. [PR827660: This issue has been resolved.]<br />
• On a router with interfaces with Frame Relay encapsulation a SNMP WALK operation<br />
will cause a MIB daemon (mib2d) crash and will generate a mib2d core-dump. The<br />
crash itself does not cause any impact on the router as the MIB daemon is restarted<br />
automatically. The only effect is that a SNMP WALK will never complete successfully.<br />
user@router-re1> show snmp mib walk 1 | no-more<br />
sysDescr.0 = <strong>Juniper</strong> <strong>Networks</strong>, Inc. mx480 internet router, kernel Junos OS <strong>Release</strong><br />
11.4R6.5 #0: 2012-11-28 21:57:12 UTC<br />
builder@evenath.juniper.net:/volume/build/junos/11.4/release/11.4R6.5/obj-i<br />
386/bsd/kernels/JUNIPER/kernel Build date: 2012-11-28 21:39:15 UTC Copyright (c<br />
sysObjectID.0 = jnxProductNameMX480<br />
sysUpTime.0 = 339594 sysContact.0<br />
< .................................... ><br />
dot3OutPauseFrames.942 = 0<br />
dot3OutPauseFrames.943 = 0<br />
dot3OutPauseFrames.953 = 0<br />
dot3OutPauseFrames.954 = 0<br />
frDlcmiIfIndex.153 = 153<br />
frDlcmiIfIndex.512 = 512<br />
frDlcmiIfIndex.513 = 513<br />
frDlcmiState.153 = 6<br />
Request failed: General error<br />
user@router-re1> show log messages<br />
Dec 20 09:23:20 router-re1 clear-log[8240]: logfile cleared<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3-BAD_PAGE_FAULT: pid 7382 (mib2d),<br />
uid 0: pc 0x810fe09 got a read fault at 0x7c, x86 fault flags = 0x4<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: Trapframe Register Dump:<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: eax: 00000000 ecx: bfbeda88 edx:<br />
00000000 ebx: bfbeda7c<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: esp: bfbeda60 ebp: bfbeda98 esi:<br />
089de834 edi: 089fb680<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: eip: 0810fe09 eflags: 00010297<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: cs: 0033 ss: 003b ds: bfbe003b es:<br />
003b<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: fs: 003b trapno: 0000000c err:<br />
00000004<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: Page table info for PC address<br />
0x810fe09: PDE = 0x42e60067, PTE = 5290c425<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: Dumping 16 bytes starting at PC<br />
address 0x810fe09:<br />
Dec 20 09:23:38.683 router-re1 /kernel: %KERN-3: 8b 40 7c 89 04 24 e8 5a 3f 2f 00 89<br />
45 ec 8b 55<br />
Dec 20 09:23:40.787 router-re1 init: %AUTH-3: mib-process (PID 7382) terminated by<br />
signal number 11. Core dumped!<br />
Dec 20 09:23:40.787 router-re1 init: %AUTH-6: mib-process (PID 8247) started<br />
Dec 20 09:23:40.809 router-re1 mib2d[8247]:<br />
%DAEMON-5-LIBJSNMP_SA_IPC_REG_ROWS: ns_subagent_register_mibs: registering<br />
88 rows<br />
Dec 20 09:23:41.595 router-re1 mib2d[8247]: %DAEMON-6-LIBJSNMP_NS_LOG_INFO:<br />
INFO: ns_subagent_open_session: NET-SNMP version 5.3.1 AgentX subagent connected<br />
Dec 20 09:23:43.533 router-re1 dumpd: %USER-5: Core and context for mib2d saved in<br />
/var/tmp/mib2d.core-tarball.0.tgz<br />
198<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Dec 20 09:23:43.793 router-re1 mib2d[8247]: %DAEMON-6-SNMP_TRAP_LINK_UP:<br />
ifIndex 5, ifAdminStatus up(1), ifOperStatus up(1), ifName dsc<br />
< .................................... ><br />
user@router-re1> show system core-dumps<br />
/var/crash/*core*: No such file or directory<br />
-rw------- 1 root field 680417 Dec 20 09:23 /var/tmp/mib2d.core-tarball.0.tgz<br />
/var/tmp/pics/*core*: No such file or directory<br />
/var/crash/kernel.*: No such file or directory<br />
/tftpboot/corefiles/*core*: No such file or directory<br />
total 1<br />
[PR835722: This issue has been resolved.]<br />
Platform and Infrastructure<br />
• \n (\ and n as two separate characters) if present in the database, get displayed as<br />
\\n to the user. [PR705067: This issue has been resolved.]<br />
• MPC cards may become unresponsive after In Service Software Upgrade (ISSU) is<br />
completed. This is intermittent and not observed every time ISSU is performed. This<br />
issue was reported after upgrading Junos OS <strong>Release</strong> to 11.2R4 release through ISSU.<br />
[PR794406: This issue has been resolved.]<br />
• The output of the following commands might show up negative values for Ipkts and<br />
Opkts counters due to invalid format of output for the variables.:<br />
• show route forwarding-table vpn interface-name <br />
• rtinfo<br />
For example:<br />
user@test> show route forwarding-table vpn test-vpn interface-name ge-1/0/8<br />
Name Mtu Network Address Ipkts Ierr Opkts Oerr Coll<br />
ge-1/0/8 1522 00.1d.b5.27.48.ad -891806008 0 -1176087381 0 0<br />
The fix also corrects the output format for input and output bytes fields. [PR798999:<br />
This issue has been resolved.]<br />
• On TX/TXP multi-chassis systems, time synchronization between SCC/SFC chassis<br />
and the T640 router chassis, is not maintained. [PR811480: This issue has been<br />
resolved.]<br />
• HTTP-get probes fail when routing-instance is used for the probes. Removing<br />
routing-instance should work. [PR814357: This issue has been resolved.]<br />
• When two irb interfaces with the same layer 2 trunk interface within the bridge domain,<br />
multicast replication might be handled incorrect. [PR823435: This issue has been<br />
resolved.]<br />
• In CGNAT environment, Source-Address only hash might be getting broken on MPC<br />
after Service PIC restart. [PR827587: This issue has been resolved.]<br />
• When using configure private with large group definition and high number of groups<br />
the commit process can spend a lot of time to merge the configuration change with<br />
the global configuration. [PR828005: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
199
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• The timestamp in the DDOS_VIOLATION report is not correct. The time the violation<br />
occured is the time when the message appeared in the log. [PR828085: This issue has<br />
been resolved.]<br />
• When a Trio based card is receiving an IPv6 packet encapsulated in a MPLS stack<br />
formed by two explicit-null labels (0 ? Ipv4 transport label, 2 ? ipv6 explicit-null label)<br />
is corrupting it. [PR830209: This issue has been resolved.]<br />
• With DHCP/BOOTP relay agent configured under [forwarding-options helpers]<br />
hierarchy, interface flapping will cause forwarding UDP daemon (fud) memory leak.<br />
The memory usage of fud process could be seen by following command:<br />
(SIZE: Total memory size of the process (text, data, and stack), in kilobytes)<br />
user@router> show system processes extensive | match "pid | fud"<br />
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND<br />
8436 root 2 0 2668K 1708K select 0:03 0.00% 0.00% fud<br />
user@router> show system processes extensive | match "pid | fud"<br />
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND<br />
8436 root 2 0 2676K 1716K select 0:03 0.00% 0.00% fud<br />
[PR831965: This issue has been resolved.]<br />
• The Junos kernel may crash when a specifically crafted TCP packet is received by the<br />
Routing Engine on a listening TCP port. TCP traffic traversing the router will not trigger<br />
this crash. Only TCP packets destined to the router itself, successfully reaching the<br />
Routing Engine through existing edge and control plane filtering, will be able to cause<br />
the crash. This issue can be triggered by both IPv4 and IPv6 TCP packets destined to<br />
the Routing Engine. This issue was found during internal product security testing. The<br />
<strong>Juniper</strong> SIRT is not aware of any malicious exploitation of this vulnerability. This issue<br />
only affects devices running Junos OS 7.6R1 and later. No other <strong>Juniper</strong> <strong>Networks</strong><br />
products or platforms are affected by this issue. Refer to PSN-2013-01-823 or KB26826<br />
for more information. [PR839412: This issue has been resolved.]<br />
Routing Protocols<br />
• In a scaled setup, with many routing-instances, if the FPCs are restarted, some pim<br />
encapsulation interfaces (pe) will be marked as down. [PR770213: This issue has been<br />
resolved.]<br />
• In an l3vpn configuration, if no-vrf-propagate-ttl is configured under the vrf, rpd can<br />
core when deactivating or deleting the routing instance vrf with no-vrf-propagate-ttl.<br />
[PR816851: This issue has been resolved.]<br />
• Enabling advertise-external knob towards the Route-Reflectors or remote PEs can<br />
trigger RPD to core if: - "multipath vpn-unequal-cost equal-external-internal" enabled<br />
in a VRF - a multipath route exists with contributors from iBGP - an external path with<br />
lower preference (local-preference, as-path, etc) exists in the same VRF [PR823844:<br />
This issue has been resolved.]<br />
• During unified ISSU, LACP timeout may occur when time between fpc-upgrade and<br />
the Routing Engine switchover takes more than 90sec due to large scale config.<br />
[PR826984: This issue has been resolved.]<br />
• Any protocol (MVPN,PIM,etc) which does install multicast nexthops and goes through<br />
a forwarding-table export policy with an install-nexthop policy action will fail to install<br />
200<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
forwarding nexthop and multicast traffic is not forwarded. [PR830448: This issue has<br />
been resolved.]<br />
Services Applications<br />
• SIP ALG was not allowing SIP 603 decline message [PR822679: This issue has been<br />
resolved.]<br />
• On an MX 480 router, the TCP ALGs such as FTP/PPTP operations fail on a Services<br />
PIC/DPC. This caused by the Services PIC/DPC fails to discard expired TCP flows<br />
causing resources exhaustion which causing failures to create addition NAT flows.<br />
[PR825355: This issue has been resolved.]<br />
• Service PIC might crash in routing loops scenarios because of SIP ALG [PR830070:<br />
This issue has been resolved.]<br />
• In the case of a stateful proxy, two SIP users behind the NAT device (so-called SIP<br />
hairpinning) will be unable to signal the call. [PR832364]<br />
• With RTSP ALG enabled, RTSP keep-alive packets might be dropped if it's already<br />
Ack'ed by the receiver. [PR834198: This issue has been resolved.]<br />
• Under some conditions ,MS-DPC may crash when encountered unknown flow-type ,<br />
after the fix , the CRASH behavior at this stage has been removed ,as simply dropping<br />
the packet will not do any harm. A counter is added to track all such instances when<br />
unknown flow-type is encountered. [PR834899: This issue has been resolved.]<br />
• In the case of a transparent proxy, two SIP users behind the NAT device (so-called SIP<br />
hairpinning) will be able to signal the call, but the RTP voice flow *may* be<br />
unidirectional if one side started to send his RTP traffic before the port was opened<br />
on the other end, causing an ICMP unreachable which confuses the NAT device.<br />
[PR834933: This issue has been resolved.]<br />
• In scenarios which use sp interface, such as IPSec VPN, multiservice process (mspd)<br />
will memory leak during sp interface flapping. The memory usage of mspd process<br />
can be checked by following CLI command:<br />
user@router> show system processes extensive | match "PID | mspd" (Note: The "RES"<br />
field means "Current amount of resident memory, in kilobytes")<br />
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND<br />
2048 root 1 96 0 36216K 34820K select 0:10 0.00% mspd<br />
When the memory usage of mspd process increases to system limit(about 131072KB),<br />
the following logs could be seen:<br />
/kernel: %KERN-5: Process (2048,mspd) attempted to exceed RLIMIT_DATA: attempted<br />
131076 KB Max 131072 KB<br />
[PR836735: This issue has been resolved.]<br />
• Service PIC might crash in corner cases when EIM is enabled for SIP ALG [PR847124:<br />
This issue has been resolved.]<br />
• When allocate the memory from shared memory for bitmaps used in port blocks , junos<br />
request as many bytes as the size of the block. If customers assign like 10K block size<br />
for deterministic nat or PBA then junos allocate 10K bytes for that bitmap. However,<br />
it only need 10K/8 bytes as one byte can represent 8 ports. This huge allocations are<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
201
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
leading to memory depletion when many source addresses are behind the NAT, and<br />
port blocks are big. [PR851724: This issue has been resolved.]<br />
User Interface and Configuration<br />
• The output of the show system users no-resolve command displays the resolved<br />
hostname. [PR672599: This issue has been resolved.]<br />
VPNs<br />
• In a scaled Multicast VPN setup, where many selective provider tunnels are used, and<br />
the MVPN instance is deleted, RPD can sometimes crash. [PR801667: This issue has<br />
been resolved.]<br />
• For Static PW if user configures "static send-oam", PW will go down (state: Vc-Down)<br />
[PR829666: This issue has been resolved.]<br />
Previous <strong>Release</strong>s<br />
• <strong>Release</strong> 11.4R6 on page 202<br />
• <strong>Release</strong> 11.4R5 on page 216<br />
• <strong>Release</strong> 11.4R4 on page 225<br />
• <strong>Release</strong> 11.4R3 on page 238<br />
• <strong>Release</strong> 11.4R2 on page 267<br />
• <strong>Release</strong> 11.4R1 on page 287<br />
• <strong>Release</strong> 11.3 on page 288<br />
<strong>Release</strong> 11.4R6<br />
• Class of Service (CoS)<br />
• Forwarding and Sampling<br />
• General Routing<br />
• Infrastructure<br />
• Interfaces and Chassis<br />
• Layer 2 Features<br />
• Layer 2 Ethernet Services<br />
• Multiprotocol Label Switching (MPLS)<br />
• Network Management and Monitoring<br />
• Platform and Infrastructure<br />
• Routing Protocols<br />
• Services Applications<br />
• User Interface and Configuration<br />
• VPNs<br />
202<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Class of Service (CoS)<br />
• A memory leak in cosd can occur because of one of the cosd 8011p rewrite function<br />
not releasing memory after use. This results in COSD memory running out of memory<br />
space thereby resulting in COSD cores continuously. [PR782728: This issue has been<br />
resolved.]<br />
• The 802.1Q P-Bits for host generated packets changed from 0 to 6 after upgrading<br />
from 10.4S6.6 to 11.2R7.4 for DHCPv4 and IPv6. RLI 17837 provided a cos knob for<br />
setting the 802.1Q bits for host generated packets. This RLI is committed in the branches<br />
12.2 throttle. This PR will add a subset of the RLI 17837 functionality in 11.2 S7 so that<br />
Routing Engine can set the 802.1Q bits of host generated packets from the Routing<br />
Engine. The cli command set class-of-service host-outbound-traffic ieee-802.1 default<br />
is added by the PR. The class-of-service daemon services this command and<br />
passes the ieee-802.1 value to the kernel. When this value is set the kernel sets the<br />
802.1Q P-Bits to this value for all host generated packets. The code changes added<br />
as part of this PR are a subset of those in 12.2 throttle. These changes only allow for<br />
setting the 802.1Q in the kernel for host generated packets. This PR does not address<br />
Packet Forwarding Engine generated host packets [PR795165: This issue has been<br />
resolved.]<br />
• During addition/deletion or just deletion of interface configured for shared scheduler,<br />
some portion of memory is not reclaimed back.Continuous addition/deletion of these<br />
interfaces results in memory depletion causing packet loss and other issues. [PR803939:<br />
This issue has been resolved.]<br />
• On IQ2E PIC, if the logical interfaces under two different interface-sets have their own<br />
scheduler-map configured, when the same iflset shaping parameters are applied on<br />
these two interface-sets, the iflset shaping profile is not shared between the<br />
interface-sets, hence, the number of iflset supported is reduced. There is no workaround.<br />
[PR804158: This issue has been resolved.]<br />
• When configured scheduler-map-chassis derived and auto bandwidth computation is<br />
not success, sosd might crash after the show class-of-service scheduler-map command.<br />
[PR811586: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
203
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Forwarding and Sampling<br />
• DCU statistics can be broken on a sub-interface under certain circumstances when<br />
another sub-interface having DCU enabled gets modified(add/delete/change). By<br />
DCU statsistics broken it could mean the value gets corrupted, and continue to count<br />
from there properly or always remain in broken. The circumstances when this issue<br />
could be triggerd are: - when 2 sub-interfaces have DCU enabled - when the last 16<br />
bits of the 20 bit sub-interface index are the same - configuration change is made on<br />
one of these sub-interfaces - other sub-interface could have DCU statistics broken.<br />
keyword: sub-interface = logical interface = IFL When this happens we can see<br />
messages like the following being logged on the FPC syslog or messages log file. Aug<br />
6 11:12:32.649 faraday-re1 fpc4 RT(rt_dest_class_stats_read): unable to read stats (ifl<br />
196619, IPv4) - Not found Aug 6 11:12:32.723 faraday-re1 fpc1<br />
RT(rt_dest_class_stats_read): unable to read stats (ifl 196619, IPv4) - Not found Aug<br />
6 11:12:32.768 faraday-re1 fpc4 RT(rt_dest_class_stats_read): unable to read stats (ifl<br />
196619, IPv4) - Not found Aug 6 11:12:32.843 faraday-re1 fpc1<br />
RT(rt_dest_class_stats_read): unable to read stats (ifl 196619, IPv4) - Not found<br />
[PR794116: This issue has been resolved.]<br />
• When there are more than 6 members in an aggregate Ethernet, it was observed that<br />
the traffic for individual member links are not updated with the right statistics, when<br />
show interface ae Statistics was executed. [PR798334: This issue has been<br />
resolved.]<br />
• The message 'ifmon: Failed to find shmlog_dolog8' is logged when monitor interface<br />
command is executed. [PR799849: This issue has been resolved.]<br />
• On an MX480 router, after performing GRES on the old master Routing Engine, the<br />
Packet Forwarding Engine process (pfed) generates the following core file: 0x08121989<br />
in pfed_conn_event_handler (ls_ipc_session=0x85e6f00,<br />
event=LIBSTATS_IPC_EVENT_SHUTDOWN. [PR801636: This issue has been resolved.]<br />
• On MPC sometimes the policer configuration does not get correctly programmed in<br />
Packet Forwarding Engine. The issue can affect Trio-based platforms with Junos OS<br />
<strong>Release</strong> 11.1 and above. It can be triggered by the following steps: 1) An interface-specific<br />
filter that contains at least a policer is already applied on an interface. 2) The<br />
parameters of the policer that is included by this filter are changed. Note that the policer<br />
type change will not trigger this issue, e.g., from term-specific policer to filter-specific<br />
policer. 3) In the instances of the interface-specific filter created after policer parameter<br />
change, the policer might not work as expected. Workaround: after 2) and before 3),<br />
make any change on the interface-specific filters that contain the changed policer.<br />
[PR819465: This issue has been resolved.]<br />
• It is possible for the CLI command show pfe statistics traffic to not display any output<br />
and time out. root@router > show pfe statistics traffic error: the mib-process subsystem<br />
is not responding to management requests This is because of MIB2D process unable<br />
to query the statistics information maintained by the Packet Forwarding Engine process<br />
(pfed) process because of transient errors on the socket between the 2 processes<br />
204<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
used for communication, despite both processes running on the system. This fix<br />
addresses this issue. [PR826086: This issue has been resolved.]<br />
• show interface aeXXX detail" may not have correct link information and some statistics<br />
shown as 0 when there is traffic. [PR828155: This issue has been resolved.]<br />
General Routing<br />
• The output of the command show lldp neighbors displays contents of Port-Description<br />
TLV instead of displaying contents of mandatory PortId TLV. Also the Port Description<br />
TLV gets generated using Port Name instead of using configured Port Description.<br />
[PR550544: This issue has been resolved.]<br />
• ifinfo or show interfaces extensive or show interface ae extensive could fail to complete<br />
depending on the scale of sub-interfaces. On failing to complete, the following error<br />
is displayed: rtslib: ERROR Failed to allocate new block of size 16384 and Cannot<br />
allocate memory This is because of a memory leak in ifinfo process which has been<br />
addressed. [PR696832: This issue has been resolved.]<br />
• FPC crashes with show route ip table index # hardware statistics command [PR710756:<br />
This issue has been resolved.]<br />
• When large CLI output is displayed the CLI CPU may go high and remain high. The issue<br />
has been fixed in latest releases. [PR731647: This issue has been resolved.]<br />
• The crash is triggered by an aggregate Ethernet link flap. The pre-requisite for the crash<br />
is a forwarding topology with composite nexthop pointing to unilist pointing to an<br />
aggregated interface(e.g VPLS pseudowire configured on MPLS LSP with node-link<br />
protection enabled). [PR746509: This issue has been resolved.]<br />
• In l3vpn setup, customer facing interface fails to forward traffic, If RPF and localization<br />
is enabled in sequence. [PR752540: This issue has been resolved.]<br />
• In rare circumstances, events ranging from noise chatter on the XAUI interface to<br />
unwanted electrical signal transition on the PHY interface might cause the ports on<br />
the PD-5-10XGE-SFPP PIC to get stuck in the down or up state, effectively dropping<br />
all the traffic on that port. [PR754344: This issue has been resolved.]<br />
• DPC might randomly crash during ISSU. It will be kept offline after the ISSU period.<br />
[PR773960: This issue has been resolved.]<br />
• Routing protocol daemon (rpd) may crash with core-dump after executing command<br />
show route community-name with an empty string: show route community-name ""<br />
[PR776542: This issue has been resolved.]<br />
• In scenario with indirect nexthop used (such as BGP, L3VPN), under high memory<br />
usage, in some conditions (such as interface or protocol flapping), the target nexthop<br />
of indirect nexthop changes between unilist (for example, over aggregate Ethernet<br />
interface, or need to load balance) and unicast or just between 2 unilist which have<br />
different nexthop count, Packet Forwarding Engine may dump multiple core files<br />
because of memory leak or memory corruption. [PR787570: This issue has been<br />
resolved.]<br />
• Junos OS <strong>Release</strong> 11.4 introduced PTP feature and this in turn introduced Periodic<br />
reading of clocking chip registers over SPI interface. This is a known thing since day 1<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
205
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
of 11.4. With newer chassis (MX80/midRangius) program (MX80-T, MX40-T, MX10-T,<br />
MX5-T) H/w is reworked to implement SPI reads in h/w and it has significantly reduces<br />
clksyncd CPU usage to around 1-2% of CPU. [PR789804: This issue has been resolved.]<br />
• In Junos OS <strong>Release</strong> 11.4R4, ETH-DM packets greater than 994 bytes fail DMM test.<br />
The size of default ETH-DM packets is much smaller and bigger ETH-DM packets are<br />
used only with optional data payload size. For packets sizes less than 994, the<br />
functionality works fine. [PR790040: This issue has been resolved.]<br />
• On an EX8200 Virtual Chassis or a switch with redundant Routing Engines, when you<br />
swap the members of a link aggregation group (LAG), a vmcore or ksyncd core file<br />
might be created on the backup Routing Engine. [PR793778: This issue has been<br />
resolved.]<br />
• It has been observed in the test lab that when there is a prefix and pointing to a<br />
multipath BGP nexthop (8 in number), and in turn each of this next-hops are pointing<br />
to multiple MPLS LSPs,the convergence number for 450k routes were in the order of<br />
15 to 20 minutes. It is also observed that any change in nexthjop, such as the interface<br />
flapping or neighbor flapping had a significant impact on convergence time computing<br />
the convergence for this 450 k prefix routes * 64 nexthop (8 paths for each of nexthop).<br />
[PR798771: This issue has been resolved.]<br />
• On M/T series platforms, in L3VPN scenario with l3vpn-composite-nexthop enabled,<br />
while PE recieving packet with DF bit set and packet size is larger than the core-facing<br />
interface's MTU, FPC/FEB may crash and core dump because of software defect of<br />
handling composite nexthop which need packet fragment. [PR800155: This issue has<br />
been resolved.]<br />
• When there are multiple recursive routes are available for a prefix such as BGP route<br />
pointing to a indirect (8) and in turn pointing to a unilist (32) and when this is going<br />
over an aggregate Ethernet of 8 links, we saw the software going through a large<br />
computation for each prefix and this makes it worse proportional to number of prefixes.<br />
At this instance, the system crashes because of the large computation. [PR800157:<br />
This issue has been resolved.]<br />
• Forwarding inconsistencies can occur on MX series routers, after a certain specific<br />
sequence of deleting and adding interfaces. This forwarding inconsistency can be silent,<br />
or can manifest as an ICMP destination unreachable message being sent to the<br />
originator of the traffic. [PR800305: This issue has been resolved.]<br />
• After a software upgrade to Junos OS <strong>Release</strong> 11.4R3 or later, a "xe" interface may<br />
report "L2 channel errors" when issue "show interface extensive". We have seen this<br />
issue when the xe interface is part of an "ae" bundle. [PR800634: This issue has been<br />
resolved.]<br />
[MPC] Non-QX cards doesn't tx PPP hellos on wire. [PR801565: This issue has been<br />
resolved.]<br />
• jddosd core-dump may be observed because of inefficient code while updating existing<br />
configuration. This problem has resolved in 11.4R6. [PR810754: This issue has been<br />
resolved.]<br />
• The KSYNCD core followed by kernel live core is observed very rarely after Routing<br />
Engine switchover. This issue can be detected when ksyncd core is observed along<br />
206<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
with below mentioned log message in /var/log/messages. "Aug 27 01:28:03 indiranagar1<br />
ksyncd[2506]: KSYNCD: resync error, issu_state[0], type Generic config subtype 8 :<br />
File exists." Reboot the backup Routing Engine. [PR810787: This issue has been<br />
resolved.]<br />
• You might encounter transient SLchip error when link flap event occurs. [PR812092:<br />
This issue has been resolved.]<br />
Infrastructure<br />
• When the delete command is issued on an unnumbered Ethernet user route (static<br />
route with a qualified next hop ), the destination route created as a part of this user<br />
route does not get deleted. This results in duplicate ARP entries for the same address.<br />
[PR752163: This issue has been resolved.]<br />
• If we flap the interface used as next hop in the forwarding table for the IPv6 remote<br />
router loopback address used for IPv6 BGP sessions, the session flaps although there<br />
is another valid route over the other interface. [PR791881: This issue has been resolved.]<br />
• Router might reboot while running show system core-dump core-file-info command.<br />
This command uses /tmp and while uncompressing the core file, /tmp file system<br />
might be exhausted. /tmp in turn uses swap device only. MFS (Memory File System)<br />
and the rest of OS share the same swap space. Consuming more swap spaces might<br />
lead to out of memory and swap situation, which could eventually bring down the<br />
system. [PR808243: This issue has been resolved.]<br />
• If Routing Engine running in low memory environment, while recieving IP fragmented<br />
packets which destined to Routing Engine, system may fails to defragment the packets<br />
and will free the memory of these fragmented packets. But the routine will try to free<br />
the already freed memory again which is incorrect, and in rare conditions, the freed<br />
memory may be allocated before the double free process occurs. Then an access to<br />
the freed memory will cause memory corruption and kernel crash. [PR810434: This<br />
issue has been resolved.]<br />
Interfaces and Chassis<br />
• After a MX series Routing Engine reboot, the internal em interface may be "link down".<br />
The fix for this is to monitor the link state of the em interfaces. When a em link is<br />
discovered to be harddown, re-init the em interface. This fix has been limited to address<br />
only MX series platforms. [PR611081: This issue has been resolved.]<br />
• On E1 interface, when interface flaps on CE side of connection interface will flap a<br />
second time on the PE side [PR690403: This issue has been resolved.]<br />
• The message "NH: nonexistant forwarding nexthop for flood nexthop" occurs when<br />
the nexthop of member link in aggregate Ethernet is deleted before the nexthop of<br />
aggregate is deleted. There is no operation impact. [PR695659: This issue has been<br />
resolved.]<br />
• Multiple inbound/outbound IPSEC tunnels seen for a single security association upon<br />
certain conditions such as router reboot. [PR730174: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
207
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• After a MS-DPC core-dump, it might result in ICHIP "stream blocked detected". Traffic<br />
flow will be dropped and can only be restored by restarting the DPC. This is because<br />
of SG FPGA soft reset issue. [PR743262: This issue has been resolved.]<br />
• You can find MPC/DPC goes to offline state with "Unresponsive" when you rebooted<br />
all the Routing Engines. *condition MX with Enhanced MX SCB *configration set chassis<br />
redundancy graceful-switchover [PR744661: This issue has been resolved.]<br />
• Load average values collected via SNMP do not show the correct values of the other<br />
Routing Engine. This can be verified by using the following commands: show snmp<br />
mib walk jnxOperatingEntry | match LoadAvg.9.1.0.0 show snmp mib walk<br />
jnxOperatingEntry | match LoadAvg.9.2.0.0 [PR782817: This issue has been resolved.]<br />
• In the environment of composite-next-hop with FMBB (fast make-before-break)<br />
function (e.g. VPLS, multicast, P2MP LSP), if system is configured with feature which<br />
contains interface having active/standby links (e.g. RLSQ/AMS/RMS), the Packet<br />
Forwarding Engine having standby interface might be incorrectly involved when building<br />
Packet Forwarding Engine flooding tree. This results in traffic blackhole. [PR786007:<br />
This issue has been resolved.]<br />
• "show chassis hardware" output for some optics is not correct sometimes. [PR792704:<br />
This issue has been resolved.]<br />
• On MX Series routers and PTX Series packet transport switches, a change to the 'oam<br />
lfm pdu holdtime' on an interface is not updated correctly. This results in an incorrect<br />
LFM state, which should be reported as Adjacency Lost. As a workaround, issue the<br />
clear oam ethernet link-fault-management state command from CLI to correctly update<br />
the 'pdu holdtimer.' [PR792763: This issue has been resolved.]<br />
• Issue is seen only when the following steps are followed: 1. Enable IRB MAC Sync<br />
feature. 2. Deactivate BD/MAC Sync/Service ID on the higher MAC node. 3. Activate<br />
virtual switch that configues MCAE under the virtual switch. The result: IRB MAC Sync<br />
happens even though the feature is not enabled. [PR793889: This issue has been<br />
resolved.]<br />
• An operation in order of PIC offline then deactivate ci member interface will have the<br />
deactivated member interface join to the ci upon PIC online. And it will cause<br />
unexpected forwarding issue. [PR803817: This issue has been resolved.]<br />
• When a hold-time is configured for xe interfaces, before the timer is started, the XFP<br />
alarm is checked before declaring the link status. As a result, it is possible for the link<br />
to remain down if there are XFP alarms/warnings as reported by the show interfaces<br />
diagnostics optics command. [PR804315: This issue has been resolved.]<br />
• When a PEM module is inserted into a chassis, no message is currently logged in<br />
/var/log/inventory file. This PR addresses this requirement. On inserting a PEM module<br />
into a chassis a message in the following format will be logged in file /var/log/inventory<br />
: PEM - part number , serial<br />
number eg. Oct 22 14:44:21 PEM 0 - part number 740-123456, serial<br />
number VK11111 [PR808450: This issue has been resolved.]<br />
• In Junos OS <strong>Release</strong>s 11.4R4, and later, the option of routing-engine under request<br />
system snapshot" was mistakenly removed. [PR809321: This issue has been resolved.]<br />
208<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Once a GRES Mastership switch is performed and at some pointer later the FPC is<br />
rebooted the aggregate interface flag is set to 'down' once FPC comes back online.<br />
Any traffic which enters this FPC and is send to the aggregate interface via an ECMP<br />
path will get dropped. ECMP paths without aggregate members are not affected. This<br />
symptom is applicable on PTX platforms, T4000 systems with T4000-FPC5-3D and<br />
on MX platforms with TRIO FPCs from Junos OS <strong>Release</strong> 11.4R3 or higher. To clear the<br />
condition, flapping the aggregate Ethernet interface in 'Harddown' state such as<br />
'deactivate' and 'activate interface ae' [PR809383: This issue has been resolved.]<br />
• Interface damping is not working properly on MPC Type 2 3D [PR810159: This issue has<br />
been resolved.]<br />
• On a MX80, a broadcast storm on fxp0 will cause the process "irq32: tsec2" to consume<br />
enough CPU that the TFEB restarts. With the fix, the CPU this process is allowed to<br />
consume is limited to prevent impact to transit traffic. [PR816253: This issue has been<br />
resolved.]<br />
• Issue has been analyzed and fix would be available in upcoming releases. [PR817177:<br />
This issue has been resolved.]<br />
• When downgrading a Junos OS version, if a particular feature is not supported in the<br />
target Junos OS Version, then those unsupported features must be deactivated before<br />
downgrading the Junos OS version. [PR836448: This issue has been resolved]<br />
Layer 2 Features<br />
• With VPLS using IRB, line card may crash when large changes to interfaces and<br />
next-hops are processed. It is not deterministic which conditions will trigger the crash.<br />
[PR752378: This issue has been resolved.]<br />
• If an vpls interface is moved to an vpls aggregate bundle or changed to any other<br />
interface family different then vpls,on the next GRES/NSR Mastership switch, this<br />
interface will have the CCC-Down flag set and will not process any traffic. The interface<br />
needs to be deactivated and activated via configuration change to continue forwarding<br />
traffic. [PR788631: This issue has been resolved.]<br />
• After a physical interface that is configured for CoS on a logical tunnel interface flaps,<br />
the MAC address of the peering logical interface goes missing from the kernel. To<br />
resolve this issue, deactivate/activate the peering logical interface after the flap.<br />
[PR790559: This issue has been resolved.]<br />
• With many bridge domains or vpls routing instances, MPC may show forwarding<br />
congestion when clear bridge/vpls mac-table command is issued. [PR799606: This<br />
issue has been resolved.]<br />
• The monitor traffic interface irb operational command fails to capture outgoing packets.<br />
[PR802605: This issue has been resolved.]<br />
• Routing engine CPU utilization may increase faster than expected when LDP neighbors<br />
are configured under a mesh group of a local BGP-VPLS routing instance when the<br />
LDP neighbors themselves are not provisioned for VPLS service on the remote side.<br />
[PR808333: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
209
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Layer 2 Ethernet Services<br />
• LACP status disagreement after Routing Engine switchover. [PR751745: This issue has<br />
been resolved.]<br />
• In Junos OS <strong>Release</strong>s 11.4R2, and later, there might be a false alarm of a hardware<br />
problem from a DPC such as, "fpc0 EZ: %PFE-3:<br />
ezchip_periodic_check_free_rfd_buffer[4245] XETH(0/3) : Rx RFD buffers exhausted"<br />
This can be ignored, unless traffic impact is seen. [PR796824: This issue has been<br />
resolved.]<br />
Multiprotocol Label Switching (MPLS)<br />
• If the same route is received from both BGP and IGP (where BGP routes redistributed<br />
into IGP) and if BGP has a better route preference and then BGP route is flapped at<br />
least once the IGP route might get marked by LDP and never flushed once the BGP<br />
route is reinstalled. This leads to stale inactive routes in RIB. There is no harm in having<br />
inactive route and simply shows an additional route entry in the RIB database.<br />
[PR700119: This issue has been resolved.]<br />
• In GRES (graceful Routing Engine switchover) mode and because of a quick status<br />
change of MPLS CCC nexthop, a mismatch of index value between master and backup<br />
Routing Engines might happen, causing Backup Routing Engine to panic, generate a<br />
core file, and trigger a live core dump from master Routing Engine. [PR755473: This<br />
issue has been resolved.]<br />
• The issue appears to happen when MVPN tries to add a vt-interface for an egress<br />
tunnel. RSVP would try to find the flood nexthop for the route installed for the label<br />
for the branch LSPs in the P2MP LSP to add the vt-interface. When RSVP does not<br />
find the flood nexthop for the label route for a branch LSP, it triggers an assertion<br />
failure. [PR770538: This issue has been resolved.]<br />
• With the fix of this PR, at the end of the adjust-interval operation, the max_average<br />
counter does not reset to zero and maintains the old value until it receives a new sample.<br />
When the new sample is received, the max_average counter is updated to the new<br />
sample value. This is a just display counter fix and there is no operational impact. The<br />
auto-bandwidth functionality works as it is. [PR799155: This issue has been resolved.]<br />
• Some implementations of cSPF allow zero-bw LSPs (LSPs, which are requesting<br />
bandwidth of 0bps) to be calculated via links which have 0 bps of available bandwidth.<br />
In some cases implementation of RSVP in Junos OS allows AvailBW on link to become<br />
negative. This might happen, for example, in case of failure of one of links in ae bundle.<br />
As it's impossible to include negative values in OpaqLSA, in this case Junos OS<br />
announces 0 bps of AvailableBW on such links. Zero-bw LSPs will not be established<br />
via such link, because transit node with negative AvailBW fails check for bandwidth<br />
availability on egress interface. HeadEnd will constantly try to signal LSP and every<br />
time it will receive PathErr: BW Unavailable from node which has link with negative<br />
AvailBW. cSPF calculation will not resolve this, because according to TED on HEnd we<br />
have 0 bps of AvailBW on this link, not negative. [PR802995: This issue has been<br />
resolved.]<br />
210<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• When an aggregate Ethernet link along a path becomes oversubscribed because of<br />
failure of one or more member links of the aggregate Ethernet link, the ingress of a LSP<br />
may continue to use the same path although there may be alternate path available<br />
with sufficient bandwidth. This is so because CSPF algorithm during optimization of<br />
an existing LSP will continue to see such an over-subscribed link acceptable with<br />
sufficient available bandwidth. However, if a new LSP with a bandwidth requirement<br />
is signaled over such a link, the LSP will not get signaled successfully. [PR807670: This<br />
issue has been resolved.]<br />
• With RSVP disabled, when a SNMP get/get-next is received for RSVP MIB, a Path State<br />
Block (PSB) search request is enqueued, this enqueue operation returns nothing but,<br />
the memory allocated for the search request is not freed and this results in a memory<br />
leak of routing protocols daemon (rpd). The memory leak could be observed by the<br />
following commands: user@router> show task memory detail | match "rsvp psb lookup<br />
req" ------------------------ Allocator Memory Report ------------------------ Name<br />
Size Alloc DTP Alloc Alloc MaxAlloc MaxAlloc Size Blocks Bytes Blocks Bytes RSVP<br />
PSB lookup req 176 180 T 110 19800 110 19800 user@router> show system processes<br />
extensive | match rpd PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU<br />
COMMAND 1311 root 1 4 0 1529M 1479M kqread 75:25 0.44% rpd When the memory<br />
usage of rpd process increases to around 85% of system limit, the following logs could<br />
be seen: re0: /kernel: %KER-5:Process (1859,rpd) has exceeded 85% of RLIMIT_DATA:<br />
used 1835088 KB Max 2097152 KB [PR811951: This issue has been resolved.]<br />
Network Management and Monitoring<br />
• After a Routing Engine switchover, LACP and MIB process (mib2d) core files might be<br />
created. [PR790966: This issue has been resolved.]<br />
Platform and Infrastructure<br />
• PTSP and AACL services do not work with AMS interfaces. [PR727588: This issue has<br />
been resolved.]<br />
• In scenario where telnet session is disconnected ungracefully while accessing "load<br />
merge terminal" prompt problem can be exhibited with other CLI users unable to access<br />
configuration mode. [PR745280: This issue has been resolved.]<br />
• Memory exhaustion on the Packet Forwarding Engine ukern heap causing FPC core.<br />
[PR777609: This issue has been resolved.]<br />
• Need to add 'start-time', 'stop-time' and 'timezone' attributes in TACACS+ accounting<br />
packets. Solution: -------- Added a configuration knob to allow enabling these attributes<br />
to be framed into the accounting packets. Default behavior is to not include these<br />
attributes in the packet to maintain backward compatibility. The new knob is [ system<br />
tacplus-options timestamp-and-timezone ]. You will have to enable this knob and<br />
then check for the 'start-time', 'stop-time' and 'timezone' attributes in the accounting<br />
packets. [PR780484: This issue has been resolved.]<br />
• When Trio inline NAT translates a UDP pkt with UDP checksum 0x0000, it rewrites<br />
checksum to nonzero value. [PR782927: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
211
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Flow records obtained by using "inline-jflow" may contain incorrect AS value. Issue<br />
has been fixed in the Junos OS <strong>Release</strong> 11.4R6, and onwards. [PR788879: This issue<br />
has been resolved.]<br />
• MPC might crash during ISSU. [PR792909: This issue has been resolved.]<br />
• On MX Series platforms with Trio chipsets (in Junos OS releases 11.4R4 and later),<br />
when the first large sized(>1500) transit packet hits a resolve route on Packet<br />
Forwarding Engine it might cause memory to leak on Packet Forwarding Engine micro<br />
kernel. [PR802051: This issue has been resolved.]<br />
• With inline sampling, when there are multiple flow servers being configured or multiple<br />
equal cost paths exist for a single collector, the flow record packet might trigger the<br />
following trap message from the Packet Forwarding Engine which causes a drop for<br />
the flow record packet. PPE Sync XTXN Err Trap: Count 1659, PC 45f, 0x045f:<br />
balanced_multi_nh_use_cp_index [PR805061: This issue has been resolved.]<br />
• When two irb interfaces with the same layer 2 trunk interface within the bridge domain,<br />
multicast replication might be handled incorrect. [PR823435: This issue has been<br />
resolved.]<br />
Routing Protocols<br />
• The output of show route summary command might get delayed or timed out when<br />
the system is busy populating ~1M routes. [PR433419: This issue has been resolved.]<br />
• In a BGP peer group, if it is the case that either peers have only previously sent the<br />
default route-target filter (0:0:0/0) or family route-target was not negotiated, when<br />
a peer comes up that does send non-default route-target filter routes the router will<br />
not send its matching VPN routes to that peer. [PR703054: This issue has been<br />
resolved.]<br />
• If you have configured PIM nonstop active routing (NSR), a core file might be created<br />
on an upstream router because of high churn in unicast routes or a continuous clearing<br />
of PIM join-distribution in the downstream router. To prevent this possibility, disable<br />
NSR for PIM. [PR707900: This issue has been resolved.]<br />
• If there are more than one peers in a BGP group, and have NSR configured, in a rare<br />
condition, BGP session init job fails on the last established peer in the group, while at<br />
the same time, there is another peer in establish-ack-wait state. Then after that, the<br />
peer in establish-ack-wait state becomes established after getting an establish-ack<br />
from the remote peer which will cause routing protocol daemon (rpd) crash and<br />
generates a core file. [PR736198: This issue has been resolved.]<br />
• RPD can crash soon after OSPF switches from primary path to secondary path when<br />
LFA (loop free alternates) is enabled, along with LDP-SYNC: /kernel: BAD_PAGE_FAULT:<br />
pid 1472 (rpd), uid 0: pc 0x86ff81c got a read fault at 0x15, x86 fault flags = 0x4 The<br />
corruption happens because of race condition, when OSPF doesn't completely free a<br />
memory location which is later reused by LDP. [PR737141: This issue has been resolved.]<br />
• If a routing instance is configured to add static routes to it's instance specific routing<br />
table using both the routing-options static route stanza and the routing-options rib<br />
static route stanza and a configuration event changes<br />
something else in the routing-options rib stanza such<br />
212<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
as modifying the maximum-paths value, the static routes in the instance table specific<br />
section can be deleted. A commit full can be used to recover or only use one of the 2<br />
mechanisms for defining the static routes for that instance. [PR755558: This issue has<br />
been resolved.]<br />
• rpd generates core file at "rip_dc_retrans_callback_p2mp" while unconfiguring p2mp<br />
configuration. [PR769487: This issue has been resolved.]<br />
• The current implementation of the random number generator grand() is not thread<br />
safe, as it utilizes a number of global variables and arrays. When bgp precision timers<br />
are enabled, this can cause crashes, for example, when we jitter timers. The changes<br />
herein give each thread its own random number generator. [PR777802: This issue has<br />
been resolved.]<br />
• The routing protocol daemon (rpd) core might be generated in multicast environment.<br />
Issue was caused by an internal logic error. When a PIM (S,G) state was deleted, the<br />
code should have stopped processing the (S,G) but it did not. [PR785073: This issue<br />
has been resolved.]<br />
• On Junos OS platforms with 64 bit Kernel (Routing Engines), a bug in the Routing<br />
Protocol Daemon (RPD) memory allocator might cause corruption in the RPD memory<br />
which may finally lead to RPD crash. [PR792238: This issue has been resolved.]<br />
• A MX router which has only some bridge-domains configured for igmp-snooping may<br />
discard traffic in bridge-domains without igmp-snooping enabled. [PR795781: This<br />
issue has been resolved.]<br />
• When using precision-timers, it is possible that BGP does not send all its advertisements<br />
from its buffer, until the BGP session needs to send another non-keepalive message.<br />
[PR801037: This issue has been resolved.]<br />
• RPD core after making changes to policy-statement related to VPN [PR807357: This<br />
issue has been resolved.]<br />
• Unicast RPF check not working properly after bouncing the RPF interface , when there<br />
are 2 BGP routes for same destination via 2 different next-hop RPF interfaces.<br />
[PR814303: This issue has been resolved.]<br />
• RPD in backup cored@rt_nexthops_free multiple times [PR816754: This issue has been<br />
resolved.]<br />
Services Applications<br />
• With large NAT rules configuration, installation of service-sets, on PIC level, is not<br />
happening [PR751858: This issue has been resolved.]<br />
• MSDPC pic sending DPD triggers for tunnels that does not have IPSEC SAs. This result<br />
in kmd daemon on Routing Engine on is continuously trying to send initiate IPSEC phase<br />
1 negotiation since there are no active IKE/IPsec SAs. [PR754461: This issue has been<br />
resolved.]<br />
• This crash was observed during a mixed traffic test for 7 hours on below traffic profile.<br />
Traffic profile used HTTP 0.8m HTTPS 0.15m FTP 0.1m RTSP 0.08m UDP 8.87m (IMIX<br />
traffic) [PR769322: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
213
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Memory leak on FPC/FEB when service next-hops are deleted on LNS for l2tp sessions<br />
on non-MX platforms. For each l2tp session teardown, there are 240 bytes of memory<br />
leakes. After some time this leak will lead to FPC/FEB memory exhaustion leading to<br />
unpredictable FPC/FEB reset. [PR770903: This issue has been resolved.]<br />
• RTSP streaming is not working in a laptop when moving or fast forward the video<br />
[PR786085: This issue has been resolved.]<br />
• IDP daemon may go down temporarity if multiple IDP detector is installed [PR794335:<br />
This issue has been resolved.]<br />
• KMD process running high with key chain configuration, need to modify the ncessary<br />
changes so that KMD does not run wherever is it not required. [PR798030: This issue<br />
has been resolved.]<br />
• deNAT:wrong mapping between nat-port-block and internal-host [PR799947: This<br />
issue has been resolved.]<br />
• In a carrier-grade NAT (CGN) configuration that includes the "address-pooling paired"<br />
statement(APP feature) the service PIC might reset unexpectedly. This behavior occurs<br />
only in certain cornercase scenarios (with low probability to be seen in production) in<br />
which the service PIC software times out in an APP mapping but a new flow is created<br />
within the same mapping. There is no workaround. [PR800241: This issue has been<br />
resolved.]<br />
• NAPT:port range start from 512,should start from 1024,this PR fixed this issue.<br />
[PR804598: This issue has been resolved.]<br />
• CGNAT - The multiservice Dense Port Concentrator (MS-DPC) crashes when timing<br />
out an endpoint-independent mapping (fwnat_eim4_mapping_timeout). [PR805801:<br />
This issue has been resolved.]<br />
• MS-DPC PIC crash in fwnat_natpool_release_port_from_pblock. [PR809139: This issue<br />
has been resolved.]<br />
• When adding/deleting/changing the address ranges configured under NAT pool the<br />
Service PIC may run into an inconsistent state and restart [PR810994: This issue has<br />
been resolved.]<br />
• Please refer the AT, for the list of new commit constraint checks imposed. [PR815053:<br />
This issue has been resolved.]<br />
• Internally, each term is treated as a rule. Multiple copies of NAT pool is created one for<br />
each rule(or term). When address-allocation round-robin is configured, the NAT ip is<br />
read from separate copy of the NAT pool thus we see only 10 NAT IPs allocated for 20<br />
different hosts matching two different terms. After the fix , all terms now can share<br />
same NAT pool. [PR815147: This issue has been resolved.]<br />
• On MX240 Routers, the multiservices PIC generates core files in<br />
fwnat_eim4_mapping_timeout. [PR818448: This issue has been resolved.]<br />
• In common NAPT44 translation scenario, without Address-Pooling Paired (APP) and<br />
Endpoint-Independent Mapping (EIM) configured, if NAT pool mapping for a private<br />
address is being deleted (e.g. mapping-timeout and inactivity-timeout expire), and at<br />
the same time there is a flow being created for the same private address, then service<br />
214<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
PIC or MS-DPC might crash and core dumped in rare cases. [PR821037: This issue has<br />
been resolved.]<br />
• On MX Series Routers with the Carrier-Grade NAT configuration, the Packet Forwarding<br />
Engine process (pfed) might generate a core file. [PR825013: This issue has been<br />
resolved.]<br />
• On an MX 480 router, the FTP operations fail on a multiservices DPC. [PR825355: This<br />
issue has been resolved.]<br />
User Interface and Configuration<br />
• Invalid path element 'dialer-options' error seen for inet6 rpf-check under logical systems.<br />
[PR793472: This issue has been resolved.]<br />
VPNs<br />
• The issue is seen when multicast traffic is stopped and PIM states are allowed to clear.<br />
It was seen that some of (S, G) states on the PE did not clear. As a result data streams<br />
for the affected groups do not reach the intended receivers. However it was seen that<br />
the fix for this issue caused another issue to appear as documented in PR# 823884<br />
[In NG-MVPN RPT-SPT mode, failure and then recovery of the primary path to the RP,<br />
causes the PE routers to forward traffic on (*, G) even though the (S, G) join is pruned]<br />
[PR779786: This issue has been resolved.]<br />
• In L2VPN scenario with at least one L2VPN connection in up state, during SNMP walk<br />
on jnxVpnPwAssociatedInterface.bgpL2Vpn (OID: .1.3.6.1.4.1.2636.3.26.1.4.1.6.3.9), an<br />
infinite loop occurs because of software defect and causes routing protocol daemon<br />
(rpd) to stuck at 97% indefinitely until the rpd process is restarted. While in this state<br />
all protocol adjacency will expire and the router will stop forwarding traffic. [PR782654:<br />
This issue has been resolved.]<br />
• This issue was experienced in Junos OS <strong>Release</strong> 11.4R4 code with NG-MVPN RPT-SPT<br />
mode. When a link failure causes the route to the source and RP via the backup path,<br />
the PE in the backup path fails to forward multicast traffic to the receiver. This is<br />
documented in PR 794222 and upgrading to Junos OS <strong>Release</strong> 11.4R4-S2 fixes the<br />
above mentioned issue. [PR794222: This issue has been resolved.]<br />
• When the egress PE receives type 4 route before discovering the ingress PE, it queues<br />
all the type 4 routes for later processing. Due to a defect in the corresponding code,<br />
the replaying of type-4 was not happening always, thereby causing the ingress PE to<br />
not send the corresponding stream to the egress PE. [PR801437: This issue has been<br />
resolved.]<br />
• With "vpn-apply-export", per-nexthop label and a "bgp policy overridden nexthop<br />
rather than the bgp local-address", labeled route for L3VPN didn't install in standby<br />
Routing Engine even with NSR configured. BGP on standby Routing Engine thinks it is<br />
not nexthop self and does not create labeled route on standby Routing Engine. This<br />
will cause label/nexthop change after switchover, therefore traffic loss. [PR807285:<br />
This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
215
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
<strong>Release</strong> 11.4R5<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R5. The identifier<br />
following the description is the tracking number in our bug database.<br />
Forwarding and Sampling<br />
• The customer might see the following firewall logs while running VRRPv3 over VPLS:<br />
04:39:14 pfe A irb.111 VRRP fe80::2 ff02::e42a:1:e:a0c 04:39:13 pfe A irb.111 ICMPv6<br />
fe80::2 ff02::1 04:39:13 pfe A irb.111 ICMPv6 fe80::1 ff02::8:0:1d:44f2 [PR748826: This<br />
issue has been resolved.]<br />
• Any change to the last member of a service-filter chain, can lead to the loss of layer 3<br />
connectivity over the interface. [PR750957: This issue has been resolved.]<br />
• The system archival feature configured that configuration is backup at an archival site<br />
periodically. This may leave behind files in /var/tmp when the connection to remote<br />
site fails. [PR778962: This issue has been resolved.]<br />
• When IPv4 and IPv6 classifiers are configured on a logical interface that already has<br />
a Layer 2 hierarchical policer configured on its physical interface, the rate of the policer<br />
deviates by more than 5 percentage. To prevent this issue, attach the Layer2 policer<br />
and the classifiers in a single commit. If the physical interface already has a policer<br />
configured, deactivate it first. Then in a single commit, attach the classifiers and<br />
reactivate the policer. [PR779357: This issue has been resolved.]<br />
• Sampled process might be cored when both Origin AS and Peer AS is configured for<br />
Routing Engine based sampling and when there is a commit command issued to apply<br />
the configuration changes done. [PR779620: This issue has been resolved.]<br />
• When we have a configuration with the [edit chassis enhanced-policer] knob configured,<br />
and Firewall filter with many terms having their own policer, then<br />
jnxFWCounterByteCount might not include values corresponding to .2 and .3 terms of<br />
a policer. The fix addresses the issue introduced when committing enhanced-policer<br />
functionality got misaligned during code integration. [PR783226: This issue has been<br />
resolved.]<br />
• IPFIX issue in Junos OS <strong>Release</strong> 11.4R2 on MP4C-3D-16XGE-SFPP- Unable to see IPFIX<br />
(IPv4) statistics while issuing the show command show services accounting flow<br />
inline-jflow fpc-slot 0. [PR787487: This issue has been resolved.]<br />
• show firewall detailcommand will not display all the firewall policer counters if the<br />
"enhanced-policer" chassis knob is set and if the configured filters contains more than<br />
10 policer counters. [PR789889: This issue has been resolved.]<br />
General Routing<br />
• Upon Major version ISSU on EQ-DPC with scaling configuration, longer packet loss<br />
duration will be seen. [PR780657: This issue has been resolved.]<br />
• On an FPC offline event, mcdiagd logs all the correlated sub-LSPs in the system log.<br />
This behaviour is independent of having traceoptions enabled or disabled. However,<br />
with traceoptions disabled, the logging was happening only in some of the correlated<br />
sub-LSPs. In this case, mcdiagd was providing the log messages to syslogd at a faster<br />
216<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
rate than that could be consumed and displayed by syslogd. The fix throttles the rate<br />
of mcdiagd sending messages to syslogd, and also adds an additional event timestamp<br />
to the log message to help identify the sub-LSPs that got correlated because of the<br />
FPC offline event. [PR754834: This issue has been resolved.]<br />
• With GRES enabled, ksyncd core is observed during switchover when one member of<br />
aggregated Ethernet uplink is flapped when router is in steady state. [PR735437: This<br />
issue has been resolved.]<br />
• When there are at least three routers to a specific destination (that is, two destination<br />
routes and one clone route), deleting and re-adding one of the logical interfaces (that<br />
is, board replacement) might trigger a kernel crash because of a timing issue with route<br />
deletion. This is triggered in the specific topologies such as an OSPFv3 next hop, which<br />
is connected to a different vendor device: lab@shark-re0> show route forwarding-table<br />
destination fe80::21f:9eff:fea9:c140 Routing table: default.inet6 Internet6: Destination<br />
Type RtRef Next hop Type Index NhRef Netif fe80::21f:9eff:fea9:c140/128 dest 0<br />
0:1f:9e:a9:c1:40 ucst 966 2 ae2.70 fe80::21f:9eff:fea9:c140/128 dest 0 0:1f:9e:a9:c1:40<br />
ucst 968 2 ae4.90 This type of next-hop topology was not seen when a <strong>Juniper</strong> device<br />
established an OSPFv3 adjacency to another <strong>Juniper</strong> device. [PR753849: This issue<br />
has been resolved.]<br />
• Memory leak on a router crashes the ADPC card and generates a core file. [PR768772:<br />
This issue has been resolved.]<br />
• During bulkget application, the Packet Forwarding Engine might generate some<br />
corrupted packet. pfed crashes and cores as a result. Fix: Added defensive mechanism<br />
to protect Routing Engine and avoid pfed to crash. [PR771108: This issue has been<br />
resolved.]<br />
• On a VPLS circuit with no-tunnel-services configured, when a provider edge(PE) device<br />
receives the MPLS frame from the core, it might be dropped by the PE as "L2 mismatch<br />
timeout" interface error. [PR781782: This issue has been resolved.]<br />
• On T Series core routers and on TX Matrix and TX Matrix Plus routers, packets marked<br />
with the error flag, example because of DA(Destination Address) reject, are also counted<br />
as L3 incomplete, which is not correct and is misleading. Packets marked as error from<br />
the PIC are now counted via the show pfe statistics error command. [PR782070: This<br />
issue has been resolved.]<br />
• On LMNR and Stoli FPCs, when a transit packet?s (300 Bytes or more packet size)<br />
ingress and egress interfaces are in the same Packet Forwarding Engine (with scaled<br />
egress NHs) and if a notification is sent to Routing Engine for that packet, FPC might<br />
reset. Following list provides some scenarios, where a notification is sent to Routing<br />
Engine:<br />
1. IP options packet is received<br />
2. TTL expired packet is received<br />
3. Sampling is configured and a packet is sampled<br />
[PR785143: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
217
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
High Availability (HA) and Resiliency<br />
• When you downgrade Junos OS from <strong>Release</strong> 11.4R4 to 11.3, a core file is created. This<br />
occurs because the interface information on the Gigabit Ethernet IQ PIC gets deleted<br />
when the FPC on which the PIC is installed on goes offline during the downgrade. To<br />
prevent this error, deactivate the physical interface configuration on the IQ PIC before<br />
the downgrade. You can reactivate the configuration after the downgrade. [PR784291:<br />
This issue has been resolved.]<br />
Infrastructure<br />
• Ethernet driver for the internal Ethernet interface on the Routing Engine causes the<br />
kernel to crash and Routing Engine reboot. This problem only could happen on Routing<br />
Engine models that use "bcm" type of Ethernet interfaces for internal communication.<br />
To identify if the Routing Engine is using this type of interface, use the following<br />
command:<br />
user@router-re1> show interfaces terse<br />
Interface Admin Link Proto Local Remote<br />
[..........]<br />
bcm0 up up
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Interfaces and Chassis<br />
• "HS Link FIFO underflow" errors may occur as traffic egresses a PIC when the ingress<br />
interface is on another PIC in the same MX-FPC. The speed of the interfaces and the<br />
traffic pattern are relevant to this problem. [PR687905: This issue has been resolved.]<br />
• Due to an incorrect calculation, memory heap utilization of a service PIC can go over<br />
100% under the show chassis pic CLI command. There is no service impact. [PR737676:<br />
This issue has been resolved.]<br />
• The failure of the BFD sessions is caused by a CPU hog in the kernel that is addressed<br />
as part of 11.4R3 ... there was insufficient time to get this patch into 11.4R2. The problem<br />
can be circumvented by increasing the BFD session timeout in scaled aggregate Ethernet<br />
configurations. [PR744882: This issue has been resolved.]<br />
• When "restart routing", "restart chassis-control" and "restart fpc" is done, sometimes<br />
DCD is not able to clear the pd-/pe- interfaces as a result fpc is struck in ready state<br />
and doesn't come up. [PR768928: This issue has been resolved.]<br />
• When an F13 SIB is removed, multiple events are handled by chassisd/fabric<br />
management. They include marking the plane faulty and recording the SIB's removal.<br />
SIB absence is checked at low frequency (every 10 seconds) so it is usually processed<br />
later than other events. However, if the SIB removal event wins the race, then we need<br />
to mark a SIB faulty when it is already absent and this situation is not handled correctly.<br />
[PR769769: This issue has been resolved.]<br />
• For IGMP snooping over A/A MC-LAG, with Integrated routing and bridging enabled or<br />
with singly homed receivers, it is required to configure the ICL port as a multicast router<br />
interface. However, currently there is no way to configure a trunk port in the default<br />
routing instance as a multicast router interface. Hence when an MC-LAG is configured<br />
in the default routing instance and the ICL is over a trunk port, IGMP snooping over the<br />
MC-LAG might not work correctly with IRB or singly homed receivers. As a workaround,<br />
the configuration in the default routing instance can be moved to a named routing<br />
instance. A trunk port in a named routing instance can be configured as router facing<br />
by using the set routing-instance routing-instance-name protocols igmp-snooping<br />
interface interface-name multicast-router-interfacecommand. Note that this command<br />
will enable igmp-snooping on all bridge-domains in the routing-instance and also apply<br />
the multicast router interface configuration to the trunk port associated with each of<br />
them. [PR774556: This issue has been resolved.]<br />
• Configuring Multicast address (Inet6) on an interface results in RPD core (mc_ssm_add).<br />
[PR780751: This issue has been resolved.]<br />
• Local SNMP walk for VRRP MIBs might loop continuously when the IRB interface is<br />
deleted. [PR785582: This issue has been resolved.]<br />
• The prefer-status-control-active configuration knob at [edit interfaces aeX<br />
aggregated-ether-options mc-ae events iccp-peer-down] hierarchy requires<br />
configuration knob to be active at the [edit interfaces aeX aggregated-ether-options<br />
mc-ae status-control] hierarchy. When this is not present prefer-status-control-active<br />
has no impact and its presence in the configuration knob wrongly implies that the<br />
current node is preferred active. [PR785930: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
219
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• monitor ethernet delay-measurement command does not timeout when CFM adjacency<br />
is down and/or all DMM frames are sent. As a result, ethdm binary does not close<br />
normally leading to an increase in resource consumption. [PR787985: This issue has<br />
been resolved.]<br />
• T640 frame relay interface status is shown as up/up with mismatched lmi-type.<br />
[PR791501: This issue has been resolved.]<br />
• The PPP daemon (pppd) may dump core file which is because of a counter overflow<br />
issue during memory allocation. [PR792261: This issue has been resolved.]<br />
• When upgrading to 11.4R4, links that are using tuneable DWDM XFP are not working<br />
anymore and are reporting a different wavelength than the configured one. [PR796330:<br />
This issue has been resolved.]<br />
Layer 2 Features<br />
• With VPLS configuration present, When chassis daemon is restarted or if an FPC is<br />
rebooted, There is a chance that the dynamic logical interfaces created by RPD are<br />
not deleted from the VT interface as a result of which the VT interface will be down<br />
along with the VPLS instances [PR786263: This issue has been resolved.]<br />
Multiprotocol Label Switching (MPLS)<br />
• MPLS forwarding broken when labeled BGP routes are distributed to LDP [PR724658:<br />
This issue has been resolved.]<br />
• If bfd packets are blocked and mpls ping is succeeding then BFD will not come up after<br />
bfd packets are unblocked. [PR770203: This issue has been resolved.]<br />
• Non <strong>Juniper</strong> routers may send RESV messages with the peak rate value different than<br />
the one received in the PATH message. Even though this doesn't have any functional<br />
impact the JunOS will still log a warning message. With this PR the<br />
"RPD_RSVP_INCORRECT_FLOWSPEC: Bandwidth in PATH Tspec greater than RESV<br />
flowspec for Session" messages are not logged anymore on peak rate mismatch.<br />
[PR780697: This issue has been resolved.]<br />
• A-----------B------------C X(primary) X(protector) Y(protector) Y(primary) Given a<br />
topology with primary and protector context IDs like above, B seems to have a problem<br />
installing LDP label routes in mpls.0 and the forwarding table. [PR782499: This issue<br />
has been resolved.]<br />
• RPD coredumps are generated on backup Routing Engine when RSVP+NSR+GRES<br />
and "routing-instance provider-tunnel rsvp-te" is configured. [PR782969: This issue<br />
has been resolved.]<br />
220<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Network Management and Monitoring<br />
• There may be an issue where multiple SNMP queries for large volumes of information<br />
may cause Mib2d to grow in size and eventually create a core file. Mib2d will restart,<br />
possibly multiple times, but should recover by itself. [PR742186: This issue has been<br />
resolved.]<br />
Platform and Infrastructure<br />
• Under very special race conditions the MPC CPU might stop processing and will be<br />
reset because of Level3/Level 2 watchdog expiration timer. Potential exposure are<br />
high load of traffic send to the Host. The following syslog message will be reported in<br />
the syslog once MPC reboots. "fpc[x] MPC: Reset reason (0xc): Level3 watchdog,<br />
Level2 watchdog" [PR717899: This issue has been resolved.]<br />
• In case of trio cards, for incoming vlan tagged packets, when some vlan tags are pushed<br />
or popped on the ingress Packet Forwarding Engine and the packet is sent to the host<br />
from the egress Packet Forwarding Engine, the packets received will not be correct.<br />
This can typically happen for CFM/OAM packets and cause some CFM/OAM<br />
functionality to break. [PR731639: This issue has been resolved.]<br />
• When queue rate-limit is configured for interfaces on MPCs, the rate of rate-limit drops<br />
reported in show interfaces queuemay not be accurate. The value fluctuates between<br />
0 and the actual rate. However the total count of dropped packets and bytes is<br />
displayed correctly. [PR740750: This issue has been resolved.]<br />
• By default, Junos OS will load configured scripts files from /var/db/scripts. If the<br />
load-scripts-from-flash is configured as below, the Junos OS will load the scripts file<br />
from /config/scripts. However, with such configuration, when Junos OS software<br />
upgrading is performed, the new Junos OS will fail on the configuration validation with<br />
messages "mgd error: could not open commit script" etc. Even scripts files are located<br />
under both flash and harddisk.<br />
router# show system scripts<br />
commit {<br />
file test-commit-script.xsl;<br />
}<br />
load-scripts-from-flash;<br />
[PR746370: This issue has been resolved.]<br />
• When an event policy, such as those use in AI Scripts, is configured for so-called<br />
unstructured syslog messages and also implements a dampening policy, only the first<br />
unstructured syslog messages will be processed by the system during the dampening<br />
interval. Other unstructured messages, regardless of difference, are also suppressed<br />
from being expressed via syslog. This reduces the effectiveness of AI Scripts, but also,<br />
because of PR612498 suppresses unstructured events from any other logging process.<br />
[PR773712: This issue has been resolved.]<br />
• There is known issue with ICMPv6 packet header. This issue is seen only if service-set<br />
is enabled on interface. ICMPv6 message generated by FPC will have IPv4 source<br />
address instead of IPv6 address of underlying interface on which service-set is enabled.<br />
[PR773828: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
221
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On Trio based platforms, LU chip might get into wedge condition which is caused by<br />
global Packet Processor Engine (PPE) timeout unrestored after ttrace (Trinity Trace).<br />
[PR785695: This issue has been resolved.]<br />
• When reconfiguring an interface from a native VLAN to another tagged VLAN, the<br />
logical interface mapping on the Packet Forwarding Engine might get corrupted. In<br />
case traffic is being received on this interface, it can lead to LU congestion and wedge.<br />
[PR792633: This issue has been resolved.]<br />
• Committing a Q-in-Q configuration results in an FPC crash in these conditions:<br />
• Core facing interface is configured this way:<br />
flexible-vlan-tagging;<br />
encapsulation flexible-ethernet-services;<br />
unit xxx {<br />
encapsulation vlan-bridge;<br />
vlan-tags outer xxx inner-range 1-4094;<br />
}<br />
• Core-facing interface is an aggregate interface.<br />
• Core-facing interface is on MPC card.<br />
[PR793429: This issue has been resolved.]<br />
• On MX Series platforms with the Trio chipset (in Junos OS <strong>Release</strong>s 11.4R4 and later),<br />
when the first large sized(>1500) transit packet hits a resolve route on Packet<br />
Forwarding Engine it might cause memory to leak on Packet Forwarding Engine micro<br />
kernel. [PR802051: This issue has been resolved.]<br />
Routing Protocols<br />
• OSPF routes flap only when commit full is performed, this has been fixed in latest<br />
releases [PR672838: This issue has been resolved.]<br />
• In rosen MVPN environment, while there is any data-MDT message updated because<br />
of some rare case (Like the assert loser becomes assert winner or a PIM router recovery<br />
from the reboot status) which in turn causes routes update, Routing Protocol Daemon<br />
(RPD) may core and reboot. [PR690188: This issue has been resolved.]<br />
• RPD may core after deleting or renaming a non-forwarding instance. Specifically, issue<br />
occurs when:<br />
1. the interface is configured in a non-forwarding instances (that is, routing instances<br />
xxx with no instance-type).<br />
2. and any one of the following:<br />
a. IGMP is configured with all interfaces (For example: protocols IGMP interface<br />
all)<br />
b. IGMP is configured on the specific interface (For example: protocols IGMP<br />
interface ge-0/0/0.1)<br />
c. MLD is configured with all interfaces (For example: protocols mld interface all)<br />
222<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
d. MLD is configured on the specific interface (For example: protocols mld interface<br />
ge-0/0/0.1)<br />
e. PIM is configured in the master instance with all interfaces (For example:<br />
protocols pim interface all)<br />
f. PIM is configured in the master instance on the specific interface (For example:<br />
protocols pim interface ge-0/0/0.1)<br />
3. and any one of the following actions are subsequently committed:<br />
a. delete the non-forwarding instance (For example: delete routing-instances xxx)<br />
b. rename the non-forwarding instance (For example: replace pattern xxx with yyy)<br />
[PR704699: This issue has been resolved.]<br />
• There is a race condition when family route-target is configured on a scaled system.<br />
During an IGP change that makes BGP VPN routes inactive, and those routes are<br />
monitored by family route-target, is is possible that RPD may core at a later time.<br />
[PR710117: This issue has been resolved.]<br />
• When GRES is done for around 10 times, the backup Routing Engine access freed<br />
multicast route and core generated. [PR751702: This issue has been resolved.]<br />
• If BFD authentication configured for IGP and use the meticulous-keyed-sha-1 algorithm,<br />
the sequence numbers will not get update every packet. There is no workaround once<br />
meticulous-keyed-sha1 is configure and hit the issue where BFD is stuck in INIT state.<br />
meticulous-keyed-md5 works as expected and can be used. [PR755303: This issue<br />
has been resolved.]<br />
• Advertise-external knob not working in C-EBGP scenario. [PR775175: This issue has<br />
been resolved.]<br />
• In scaled scenarios where BFD is created with transmit intervals of less than 100msec<br />
it is possible to end up in a state where we have duplicate stale entries left behind in<br />
the FPC for BFD sessions which do not exist any longer. This causes unnecessary BFD<br />
hello packet to be generated and transmitted for each of those entries to the BFD<br />
peering router despite not having a valid bfd session. This might result in PPMD and<br />
BFD processes on the remote peer routing-engine to report a constantly high CPU<br />
utilization. This issue is because of a race condition in PPMD which ends up duplicating<br />
transmission entries in FPC instead of cleaning up properly. The fix addresses this race<br />
condition. [PR778813: This issue has been resolved.]<br />
• The rpd crashes when the customer specific BGP configuration is unconfigured.<br />
[PR782816: This issue has been resolved.]<br />
• Routers can RPD core in task_timer_delete with an assert "!BIT_ISSET(flags,<br />
TIMERF_PROCESSING)" when a rare timing issue occurs while a thread is trying to free<br />
a BGP keepalive timer. If this keepalive timer is currently being processed by the<br />
keepalive thread in RPD the core will occur. [PR786842: This issue has been resolved.]<br />
• On a dual-Routing Engine system with NSR enabled we could run into an issue with<br />
the following symptoms: - RPD on backup Routing Engine showing high CPU utilization<br />
- master Routing Engine reporting BGP spooling messages - OSPF neighborship possibly<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
223
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
flapping This is because of a bug in RPD NSR infra on the backup-Routing Engine which<br />
leads to an increase in the collisions and ultimately the size of the hash-table structure.<br />
This results in RPD on backup Routing Engine spending a lot CPU cycles leading to the<br />
above symptoms. [PR788394: This issue has been resolved.]<br />
Services Applications<br />
• When a TX router is configured with a manual OSPF ipsec-sa for authentication,<br />
something like the following cosmetic messages will be logged: Feb 16 16:27:40<br />
flame-sfc-re1 lcc0-master kmd[17194]: KMD_RTSOCK_ERROR: Error adding inbound<br />
SA OSPF3_AH_SHA1_96 spi=1024 proto=AH to kernel: No such file or directory Feb 16<br />
16:27:40 flame-sfc-re1 lcc0-master kmd[17194]: KMD_RTSOCK_ERROR: Error adding<br />
outbound SA OSPF3_AH_SHA1_96 spi=1024 proto=AH to kernel: No such file or directory<br />
If there's a service PIC, there will be these additional cosmetic log entries: Feb 16 16:27:46<br />
flame-sfc-re1 lcc1-master kmd[16853]: KMD_INTERNAL_ERROR: Failed to connect<br />
PIC, ERR: Failed to connect PIC, ERR: F Feb 16 16:27:46 flame-sfc-re1 lcc1-master<br />
kmd[16853]: KMD_INTERNAL_ERROR: Unable to connect PIC sp-8/3/0; Feb 16 16:27:46<br />
flame-sfc-re1 lcc1-master kmd[16853]: KMD_INTERNAL_ERROR: Couldn't request<br />
PIC: sp-8/3/0 to send sa state [PR738736: This issue has been resolved.]<br />
• When using Junos OS maintenance releases 11.2R6, 11.4R2 or 12.1R1 (or any Junos OS<br />
service releases based on the mentioned maintenance releases) SNMP traps are not<br />
generated when the service PIC cpu usage exceeds 85% and/or the memory usage<br />
changes from one zone to another. The SNMP traps are not generated because of an<br />
internal Junos OS mis-programming. According to the <strong>Juniper</strong> SP-MIB definitions the<br />
following traps should be generated: a) jnxSpSvcSetCpuExceeded (OID<br />
1.3.6.1.4.1.2636.4.10.0.3) - when service PIC CPU usage becomes bigger than 85% b)<br />
jnxSpSvcSetCpuOk (OID 1.3.6.1.4.1.2636.4.10.0.4) - when service PIC CPU usage<br />
becomes smaller than 85% c) jnxSpSvcSetZoneEntered (OID 1.3.6.1.4.1.2636.4.10.0.1)<br />
- when service PIC memory usage enters a specific zone (Yellow, Orange or Red) d)<br />
jnxSpSvcSetZoneExited (OID 1.3.6.1.4.1.2636.4.10.0.1) - when service PIC memory usage<br />
leaves a specific zone (Yellow, Orange or Red) In Junos OS releases 11.2R7, 11.4R3 or<br />
12.1R2 and all later versions this specific Junos OS feature has been modified to send<br />
the SNMP traps correctly. [PR745190: This issue has been resolved.]<br />
• In some conditions EIM entries are not valid. EIF entries are used when a user tries to<br />
create a connection from internet to internal side. As the EIM entries are invalid MSDPC<br />
cores, code is fixed in the fixed versions of this PR. [PR750284: This issue has been<br />
resolved.]<br />
• MS-PIC might crash when releasing port block for a flow with SIP ALG enabled. SIP<br />
flows that can trigger this are the ones that have SDP media address as 127.0.0.1.<br />
[PR774589: This issue has been resolved.]<br />
224<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
VPNs<br />
• An optimization has been implemented with BGP-MVPN nexthop infrastructure which<br />
will improve scalability in some multi-dimensional scaling scenarios with aggregate<br />
interfaces. [PR690690: This issue has been resolved.]<br />
• When you disable protocols in a Layer 2 circuit with egress protection, rpd generates<br />
a core file if no routes are found in context routing table. [PR735789: This issue has<br />
been resolved.]<br />
• In 11.4, PE discards IPV6 BSR messages that come in with a HopLimit != 1. This is causing<br />
problems with working with Junos OS <strong>Release</strong> 10.4 which sometimes sends a BSR<br />
message with the default Hop Limit of 64. The fix is to relax this requirement of a Hop<br />
Limit of 1. A hidden command is added to enable this strict Hop Limt/TTL checking in<br />
case somebody really wants it. [PR779966: This issue has been resolved.]<br />
• In scaling scenarios, buffer overwrites might occur when there are multiple sources for<br />
the same group. This might lead rpd to generate a core file when MVPN traceoptions<br />
are enabled. [PR783615: This issue has been resolved.]<br />
• A direct route which is primary in another instance and imported into a VRF using<br />
rib-groups is not advertised when vrf-table-label is configured. The error message<br />
"BGP label allocation failure: Need a nexthop address on LAN" can be seen in "> show<br />
route advertising-protocol bgp". [PR789054: This issue has been resolved.]<br />
• The rpd incorrectly sets the PWE3 Control Word flag for local switching circuits. PWE3<br />
Control Word is needed for Layer 2 VPN OAM packets to get pushed to the Routing<br />
Engine. On MX Series routers with MPCs/MICs, the traffic payload is examined and if<br />
it matches the first nibble being 0001, it sends the traffic to Routing Engine for further<br />
processing. Once Layer 2 VPN traffic is set to IPv4, it would test against the IPV4 ID<br />
field. [PR793751: This issue has been resolved.]<br />
• This change would allow customers to use the less restrictive CLI knob<br />
'vrf-advertise-selective', which now accepts a null list. If no family is configured under<br />
vrf-advertise-selective, then no MVPN routes are advertised to the neighbor. [PR795108:<br />
This issue has been resolved.]<br />
<strong>Release</strong> 11.4R4<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R4. The identifier<br />
following the description is the tracking number in our bug database.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
225
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Class of Service (CoS)<br />
Forwarding and Sampling<br />
• When the configuration archiving FTP process stalls during file transfer, it can result<br />
in the The Packet Forwarding Engine process (pfed) process stalling as well. Once the<br />
master The Packet Forwarding Engine process (pfed) process is restarted, it results in<br />
the inability to commit certain new configuration changes. Ensuring that the<br />
configuration archiving and FTP server are correctly configured and working will avoid<br />
this problem. [PR528653: This issue has been resolved.]<br />
• Sampled memory increases when interfaces bounce and BGP is running. [PR594509:<br />
This issue has been resolved.]<br />
• On ADPC cards Output Layer-2 policer drops the packets when configured on a interface<br />
with vpls encapsulation. [PR749141: This issue has been resolved.]<br />
• Any change to the last member of a service-filter chain, can lead to the loss of layer 3<br />
connectivity over the interface. [PR750957: This issue has been resolved.]<br />
• This issue can occur for daemons that connect to pfed for statistics information. If the<br />
daemon starts before pfed or has problems making a connection to pfed then that<br />
daemon could experience a crash. This can also occur using cli commands like "show<br />
interface statistics" that invoke ifinfo. This problem was introduced by the fix for<br />
PR743135 and only exists in the specific releases that were fixed by that PR. There is<br />
no known work around to this problem except to use a release of Junos OS with the<br />
fix. [PR770766: This issue has been resolved.]<br />
• This PR eliminates an erroneous error message which would appear in syslog while<br />
pfed was checking the syntax of a configuration containing firewall filters that reference<br />
accounting counters. This problem only affected the syntax check prior to the commit,<br />
the actual configuration on the router was correctly committed. [PR772463: This issue<br />
has been resolved.]<br />
General Routing<br />
• RPD may core when a community named in the policy options configuration is changed<br />
and that community-name is used in the show route command before the changes<br />
effectively take place. [PR740427: This issue has been resolved.]<br />
• Once a child interface of an aggregate bundle is in down state (for example: CCC-Down<br />
of the logical member link interfaces), the next-hop of the control channel is not<br />
correctly programmed. LACP packets received are not dropped but processed and<br />
pointing to invalid NH entries, which might yield to such errors as follows or a<br />
combination of all:<br />
• fpc5 LUCHIP(0) IDMEM[0x000433ba] Read Uninitialized Memory Error<br />
• fpc5 LUCHIP(0) PLCT INT_STAT 0x00000001 Illegal PL Uninitialized EDMEM Read<br />
0x6db6db6d6db6db6d @ 0x1cf30001 XTXN 0xa8cd87 BULK 0x005c0094 FN 0<br />
sync PPE 14 CNTX 1<br />
• fpc5 LUCHIP(0) RMC 2 Uninitialized EDMEM[0x1001c0] Read<br />
(0x6db6db6d6db6db6d)<br />
226<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• fpc5 LUCHIP(0) PPE_6 Errors sync xtxn error thread timeout error<br />
• fpc5 PPE Sync DMEM WP Trap: Count 103, PC 620b, 0x620b: nat46_loop 0x620b:<br />
nat44_loop<br />
• fpc5 PPE Sync XTXN Err Trap: Count 980053, PC 2f9, 0x02f9: nh_ret_simple_last<br />
• fpc5 PPE Thread Timeout Trap: Count 2840, PC 4c6, 0x04c6: set_iif_inc_ifl_cnt fpc5<br />
PPE PPE Stack Err Trap: Count 20347, PC 310, 0x0310: add_default_layer1_overhead<br />
• fpc5 PPE PPE HW Fault Trap: Count 529, PC 373, 0x0373: inner_rewrite<br />
There is no operational impact other than the filling up of error messages in the system<br />
log. [PR703245: This issue has been resolved.]<br />
• When there are at least three routers to a specific destination (i.e. 2 destination routes<br />
and 1 clone route), deleting and re-adding one of the logical interfaces (i.e. board<br />
replacement), might trigger a kernel crash because of a timing issue with route deletion.<br />
This is triggered in the specific topologies such as an OSPF3 next hop, which is<br />
connected to a different vendor device:<br />
lab@shark-re0> show route forwarding-table destination<br />
fe80::21f:9eff:fea9:c140<br />
Routing table: default.inet6<br />
Internet6:<br />
Destination Type RtRef Next hop Type Index NhRef Netif<br />
fe80::21f:9eff:fea9:c140/128 dest 0 0:1f:9e:a9:c1:40 ucst 966 2 ae2.70<br />
fe80::21f:9eff:fea9:c140/128 dest 0 0:1f:9e:a9:c1:40 ucst 968 2 ae4.90<br />
This type of next-hop topology was not seen when <strong>Juniper</strong> established an OSPF3<br />
adjacency to another <strong>Juniper</strong>. [PR753849: This issue has been resolved.]<br />
• When an FPC restart is performed some of the PICs and physical interfaces were unable<br />
to be created by chassisd because of EBUSY error returned by kernel. Kernel was unable<br />
to process the new requests until the previous states of the same object (PIC, IFD in<br />
our case) was consumed by all peers interested in this. The enhancement addresses<br />
the design which makes sure new state changes which could have been processed by<br />
the faster peers are not blocked because of these slower peers. [PR769632: This issue<br />
has been resolved.]<br />
• There is an issue with the interworking of 'chassis route-memory-enhanced' knob and<br />
'protocols rsvp interface x/y/z.l link-protection' or 'protocols mpls label-switched-path<br />
node-link-protection'. This will cause failure of the installation of routes<br />
that are destined to go to segment 1 (because of the route-memory-enhanced)<br />
configuration. [PR695336: This issue has been resolved.]<br />
• On Systems platforms M320 E3FPC/M120/M7i(10i) CFEB-E with l2vpn or l2circuit,<br />
using a control-word and the mpls payload is corrupted in a certain way, the interface<br />
might stop forwarding traffic. To recovery from this condition a FPC reboot is needed.<br />
Only Junos OS <strong>Release</strong> 10.0 or later is exposed with non-cookie based PICs. Mx Series<br />
platforms with DPC are not exposed. [PR720523: This issue has been resolved.]<br />
• When receiving large bytes of PIM Join/Prune refreshes at a very rapid rate, it might<br />
exhaust ukernel buffer memory on Packet Forwarding Engine, and the PIM Join/Prune<br />
packets will be lost. [PR720966: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
227
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• When "delete", or "deactivate" "interface :family inet:accounting" configuration;<br />
FPCs which have the configuration removed may be reset unexpectedly. [PR743442:<br />
This issue has been resolved.]<br />
• In Junos OS <strong>Release</strong> 11.2R3 or lower if IPv6 traffic needs to trigger ICMPv6 MTU exceeded<br />
message to the source and the source is resolved via next-table next-hop it might leak<br />
packet memory on the FPC. [PR745988: This issue has been resolved.]<br />
• Jtree memory leak occurs on I-chip based platforms when 'route-memory-enhanced'<br />
or 'memory-enhanced' is enabled, after there is route flapping which is using indirect<br />
nexthop. [PR751567: This issue has been resolved.]<br />
• Issue: Certain hardware data structure used for replicating packets on a single Packet<br />
Forwarding Engine stream (SSM list) is not getting updated when the corresponding<br />
nexthops get modified, resulting in use of stale data for multicast replication.<br />
Impact: All applications that depend on packet replication (IP multicast, P2MP, VPLS<br />
BUM traffic) can get impacted. Packets will either be sent out on wrong ifls or can get<br />
dropped. However this will happen only if the nexthops used for packet replication get<br />
modified.<br />
This can affect line cards using the I/J Chipset in MX, TX and M Series chassis.<br />
[PR776149: This issue has been resolved.]<br />
• *IF* you have DCU statistics configured in conjunction with the copy-plp class of servce<br />
knob & a output firewall filter you may encounter a situation where DCU stats are no<br />
longer working. Check first that both ingress & egress ports for the flows you are counting<br />
are *NOT* on different Packet Forwarding Engines the same fpc. *IF* this is the case<br />
then removing the copy-plp knob will restart the DCU statistics collection. [PR707834:<br />
This issue has been resolved.]<br />
• Summary: This PR fixes JTREE corruption seen with per-prefix load balancing when<br />
the route-memory-enhanced knob is enabled.<br />
Affected hardware: Stoli FPCs (FPCs that show up with a 'ES' suffix in the Description<br />
column of the 'show chassis hardware' output) and I-chip FPCs (ADPCs and Sahara<br />
FPCs) are exposed to this.<br />
Description: As soon as the forwarding table starts building up on the FPCs, all the<br />
affected FPCs will start reporting the following JTREE errors which is an indication of<br />
this issue.<br />
Apr 29 13:45:54 lab-router fpc5 JTREE(jt_nh_get_reachable_nh32): Not reachable<br />
0x00000000:0x082d1782 for seg 1 (rt_jtree_build_nh)<br />
Apr 29 13:45:54 lab-router fpc5 RT: Failed prefix add IPv4 - 1.0.0/24 (jtree nh build<br />
failed) on FE 0<br />
Apr 29 13:45:54 lab-router fpc5 RT: IPv4:0 - 1.0.0/24 (add rt entry into jtree failed)<br />
These messages will be seen as soon as the forwarding table starts building up, even<br />
if there is no traffic. When traffic starts flowing, the FPCs may crash as a result of this<br />
corrupted JTREE.<br />
Necessary conditions:<br />
228<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
1. route-memory-enhanced knob configured<br />
2. Per-prefix load balancing (which is the default unless per-packet is explicitly<br />
enabled) for some or all of the prefixes<br />
3. Routing table with either or both of the following:<br />
a. IPv4 prefixes with the first octet in the 0 to 127 range<br />
b. IPv6 prefixes beginning with 7fff:: or lower<br />
4. Above routes being resolved over an indirect next-hop (like above routes being<br />
received over BGP)<br />
5. The above next-hop is reachable through a load balanced path over Aggregated<br />
Ethernets (AEs) or MPLS (LDP / RSVP) LSPs. In case of load balancing over<br />
Aggregated Ethernets, at least one of the Aggregated Ethernet links being used in<br />
the load-balance must have link IP address<br />
a. Equal to or greater than 128.X.X.X - if IPv4<br />
b. Equal to or greater than 8000:: - if IPv6<br />
This issue is not seen if per-packet load balancing is configured on the router for all<br />
prefixes. [PR756464: This issue has been resolved.]<br />
High Availability (HA) and Resiliency<br />
• During high routing churn, a flapping interface can in some rare circumstances result<br />
in the replicated (backup) kernel to panic with reason ": bitstring<br />
index 14 not empty for .” [PR698608: This issue has been resolved.]<br />
• Determining readiness for graceful Routing Engine switchover in an MX Series Virtual<br />
Chassis (MX240, MX480, and MX960 routers with MPC/MIC interfaces)--You can use<br />
the new check option for the request virtual-chassis routing-engine master switch<br />
command to determine whether the member routers in an MX Series Virtual Chassis<br />
configuration are ready for a global graceful Routing Engine switchover (GRES)<br />
operation from a database synchronization perspective. A global GRES changes the<br />
mastership in an MX Series Virtual Chassis by switching the global roles of the master<br />
router and backup router in the Virtual Chassis configuration. Depending on the router<br />
configuration, a variable amount of time is required before a router is ready to perform<br />
a GRES. Attempting a GRES operation before the router is ready can cause system<br />
errors and unexpected behavior. Using the request virtual-chassis routing-engine master<br />
switch check command before you initiate the GRES operation ensures that the<br />
subscriber management and kernel databases on both member routers in an MX Series<br />
Virtual Chassis are synchronized and ready for the GRES operation. The request<br />
virtual-chassis routing-engine master switch check command, which you must issue<br />
from the Virtual Chassis master router (VC-Mm), checks various system and database<br />
components to determine whether they are ready for GRES, but does not initiate the<br />
global GRES operation itself. The readiness check includes ensuring that a system<br />
timer, which expires after 300 seconds, has completed before the global GRES<br />
operation can begin. If the member routers in an MX Series Virtual Chassis are ready<br />
for GRES from a database perspective, the request virtual-chassis routing-engine master<br />
switch check command returns the command prompt and displays no output. If the<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
229
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
member routers are not ready for GRES, the command displays information about the<br />
readiness of the system. [Junos OS High Availability Configuration Guide] [PR722016:<br />
This issue has been resolved.]<br />
• If one or more Packet Forwarding Engine peers are slow in consuming ifstates, that<br />
results in slave Routing Engine not sending CP ACK to the master Routing Engine within<br />
prescribed time. As a result of this, as of today, slave Routing Engine is assumed to be<br />
having a problem and hence the connection for slave Routing Engine peer is reset, so<br />
that ksyncd can cleanup the ifstates on the slave Routing Engine and resync with<br />
master Routing Engine again. With this fix, if slave CP ACK does not arrive in prescribed<br />
time, if there is any Packet Forwarding Engine which is causing this delay, the same is<br />
logged and the CP ACK timer is reset. If no peers are found to be causing the delay of<br />
slave CP ACK, the behavior is retained to reset the slave Routing Engine connection.<br />
[PR727344: This issue has been resolved.]<br />
• The MPC can core during ISSU. This issue is intermittent. [PR744992: This issue has<br />
been resolved.]<br />
• When performing ISSU on 10GE DPC, peer device will see link flap. [PR777798: This<br />
issue has been resolved.]<br />
• -Problem Summary On MX platforms with ADPC line cards, performing an ISSU upgrade<br />
to 11.4R3.7 might cause the ADPC line cards to reset, thus impacting router operation<br />
and defeating the purpose of ISSU. Customers with ADPC line cards on MX platforms<br />
should upgrade only in a maintenance window during which the resets can be tolerated.<br />
Other platforms are not affected by this bug, and ISSU works as expected. -Impact:<br />
ADPC line cards might reset, causing a traffic outage of approximately 150 seconds<br />
duration. -Workarounds: None [PR779348: This issue has been resolved.]<br />
Infrastructure<br />
• Certain system resources may become exhausted during Routing Engine switchover<br />
under heavy load, causing the system to restart. After restart, the router will operate<br />
as expected. [PR733555: This issue has been resolved.]<br />
• This problem is that there is a socket hole in the received sequence space on backup<br />
Routing Engine and that backup Routing Engine cannot handle the TCP SACK from<br />
master Routing Engine properly. When backup Routing Engine becomes new master<br />
Routing Engine by switchover, this potential sequence mismatch in the previous backup<br />
Routing Engine comes out on the new master Routing Engine, therefore, this message<br />
is generated on syslog. Once after the new master Routing Engine starts handling TCP<br />
SACK properly, this mismatch will be cleared and sooner or later this message stops.<br />
This is just a cosmetic issue. [PR743382: This issue has been resolved.]<br />
• Fetching ppX interface statistics leaks in pfestat_table leading to "pfestat_req_add:<br />
pfestat table out of ids" error logs. When we're in this state then it is NOT possible to<br />
fetch any interface statistics. To recover from this issue we need to reload the Routing<br />
Engine. Products affected by this are non-MX products which offer pppoe services.<br />
[PR751366: This issue has been resolved.]<br />
230<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Arp entries are not flushed out after diabling interface with purging,aging-timer<br />
configured on local router [PR753268: This issue has been resolved.]<br />
• In scenario where "family inet" is configured in pppoe dynamic profile, if ARP request<br />
is recieved on pppoe interface kernel crash is exhibited. [PR769646: This issue has<br />
been resolved.]<br />
Interfaces and Chassis<br />
• Error message seen on MX80 "fru_is_present: out of range slot -1 for CB" continuously.<br />
[PR540868: This issue has been resolved.]<br />
• "HS Link FIFO underflow" errors may occur as traffic egresses a PIC when the ingress<br />
interface is on another PIC in the same MX-FPC. The speed of the interfaces and the<br />
traffic pattern are relevant to this problem. [PR687905: This issue has been resolved.]<br />
• The issue will be seen if the following conditions are satisfied. 1. VPLS routing instance<br />
is created with configuration "protocol vpls connectivity-type permanane" 2. LSI<br />
interace for the vpls routing-instance has a Primary/secondary MPLS LSP present on<br />
the ADPC IFD which is the DUT. Now on just rebooting the ADPC, these logs are seen<br />
on the DPC console. [PR693066: This issue has been resolved.]<br />
• MPC2 may reboot when swapping MIC cards in the same MPC [PR728095: This issue<br />
has been resolved.]<br />
• On T Series ES type of FPC, BFD sessions might get flapped when other PIC on the<br />
same FPC is brought online. This is caused by the fact that the PIC drivers take long<br />
time to do initialization when being brought up which might cause the BFD thread to<br />
lose chances of processing the keepalive packets and hence drop the sessions.<br />
[PR733657: This issue has been resolved.]<br />
• The issue is present in Mx series platform MIPs must place their own MAC address in<br />
the Egress Identifier TLV in CFM Linktrace Messages that they process. They are<br />
incorrectly leaving this value unchanged. [PR735419: This issue has been resolved.]<br />
• Due to an incorrect calculation, memory heap utilization of a service PIC can go over<br />
100% under the show chassis pic command. There is no service impact. [PR737676:<br />
This issue has been resolved.]<br />
• In an Active/Active MC-LAG scenario, traffic might get dropped if:<br />
a. Upstream and downstream interfaces are MC-AE interfaces<br />
b. You have routing protocols running over the IRB<br />
c. Traffic crosses the ICL<br />
[PR746055: This issue has been resolved.]<br />
• Workaround : Deactivate and activate the interface solves the issue [PR747522: This<br />
issue has been resolved.]<br />
• On Junos OS <strong>Release</strong> earlier to 11.2, the BERT test results would report Error Bit/LOS<br />
sec for a newly confirmed E1 link in unframed mode. The issue would be seen on<br />
CHSTM1-IQ and CHE1T1-IQE pic. Due to known hardware limitation on CHSTM1-IQ pic,<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
231
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
this issue persists on this pic type. However for CHE1T1-IQE pic it has been fixed on<br />
Junos OS <strong>Release</strong>s 11.2R7 and later. [PR748175: This issue has been resolved.]<br />
• If rlsq interfaces are part of a routing instance, upon deactivation and activation of<br />
routing instance, all rlsq interfaces were not brought up. This issue is fixed as part of<br />
this PR. [PR749760: This issue has been resolved.]<br />
• a GE port with optic SFP-FX which has auto-negotiation disabled, it may claim up even<br />
though no cable connected and have issue with traffic forwarding on the interface.<br />
[PR751536: This issue has been resolved.]<br />
• This issue is specific to a i-chip-based DPCs/FPCs and impacts all type of multicast<br />
traffic such as IP multicast packets, or L2 multicast/broadcast packets going through<br />
L2VPN/VPLS. An i-chip-based DPC/FPC will only forward multicast traffic to the first<br />
1024 receivers of a multicast group if the total number of receivers on a particular PIC<br />
of the DPCE, for that group, is between 1025 and 1088 (1024+64). [PR752662: This<br />
issue has been resolved.]<br />
Layer 2 Features<br />
• In a router running a VPLS configuration, an administrator configuration change or a<br />
network event that causes the removal of an IFF from a VPLS instance could lead to<br />
a panic on the backup Routing Engine. [PR750036: This issue has been resolved.]<br />
• Routing-engine kernel crash was caused by a suspicious packet in the wrong system<br />
queue. Packet was classified as a TNP packet (ethertype: 0x8850). TNP is a L3 protocol<br />
used for inter process communication between the Routing Engine and the packet<br />
forwarding engine. [PR779079: This issue has been resolved.]<br />
Layer 2 Ethernet Services<br />
• With the configuration of STP/aggregate Ethernet under IRB interface, you might see<br />
kernel panic on both master/backup Routing Engines after a multiple GRES switchover<br />
is done. [PR742940: This issue has been resolved.]<br />
• There is a limitation in the support of IRB interfaces used with DHCP such that:<br />
• If an LT interface is configured as the underlying interface for an IRB interface and a<br />
DHCP client requests a unicast response, then instead of rejecting the send operation<br />
a corrupt packet is sent.<br />
• If the underlying interface of an IRB interface has a different number of tags configured<br />
than the bridge domain of the IRB interface and a DHCP client requests a unicast<br />
response a malformed packet is sent.<br />
• Regardless of tag configuration on the bridge domain, if the packet needs to be<br />
relayed out a VPLS tunnel (an LSI or VT interface as underlying) a malformed packet<br />
is sent.<br />
[PR751398: This issue has been resolved.]<br />
232<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Multiprotocol Label Switching (MPLS)<br />
• By design, family MPLS under virtual-router type routing-instance does not get created<br />
without a corresponding "protocols:ldp". Hence, without MPLS family, MPLS filter is<br />
not working on an interface configured under virtual-router type routing-instance. As<br />
a workaround, configure ldp in the instance, and disable it on all interfaces if not used.<br />
[PR601989: This issue has been resolved.]<br />
• Routing protocol daemon may redundantly try to save the RSVP ERO object in the<br />
graceful restart database. This is applicable only for non-traffic engineered LSPs when<br />
graceful restart is configured. [PR741694: This issue has been resolved.]<br />
• l3vpn-composite-nexthop with MPC and MSDPC doing stateful-firewall with interface<br />
service-set will drop packets on service input direction. The interface where service<br />
input/output is configured has to be inside a VRF, and the destination for which service<br />
input should intercept the traffic and send it to service PIC in MSDPC should be<br />
reachable through MPLS backbone, so resolved through composite next-hop, in orded<br />
to see this issue. [PR747914: This issue has been resolved.]<br />
• Traffic fails to go through service output when it comes from MPLS core and is routed<br />
inside VRF without vrf-table-label configured. This should NOT work on all types of<br />
FPCs except MPCs on MX. This PR fixes the problem on MPCs. [PR749661: This issue<br />
has been resolved.]<br />
• When LSP configured with auto-bandwidth switches from primary path to secondary<br />
path, bandwidth estimation on the secondary path may be under-estimated. Due to<br />
under-estimation, overflow sample count may get reset. [PR752777: This issue has<br />
been resolved.]<br />
• The kernel may crash at tag_mtu_calc when the Routing Engine attempts to send a<br />
packet larger than the configured MPLS MTU, warranting fragmentation (over a LSP)<br />
using a l3vpn-composite-nexthop. For the issue to occur both must be true: 1)<br />
l3-composite-nexthop knob must be turned on. 2) MPLS MTU must be manually<br />
configured by the user. [PR755950: This issue has been resolved.]<br />
• On TRIO platforms, when switch L2 MPLS packets on egress PE routers, the inner MPLS<br />
label TTL value is checked and if valid decreased by 1. During the egress process, the<br />
TTL value is rechecked. If the value is 1 at this point, the packet is sent to the Routing<br />
Engine instead of being forwarded out the interface. [PR776203: This issue has been<br />
resolved.]<br />
Platform and Infrastructure<br />
• Packets exchanged b/w logical routers within the same physical router over logical<br />
tunnel (LT) interfaces will not have their TTL decremented. [PR685639: This issue has<br />
been resolved.]<br />
• Under very special race conditions the MPC CPU might stop processing and will be<br />
reset because of Level3/Level 2 watchdog expiration timer. Potential exposure are<br />
high load of traffic send to the Host. The following syslog message will be reported in<br />
the syslog once MPC reboots. "fpc[x] MPC: Reset reason (0xc): Level3 watchdog,<br />
Level2 watchdog" [PR717899: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
233
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• enabling of Dynamic Profile versioning is not supported if dynamic profiles have been<br />
already configured on the router. If you deactivate existing dynamic profiles in order to<br />
enable and commit dynamic profile versioning, profile version numbers are not<br />
subsequently incremented. As a workaround, you must delete all existing dynamic<br />
profiles before you enable profile versioning, and then reconfigure the dynamic profiles.<br />
[PR741001: This issue has been resolved.]<br />
• This is an issue during the passing of timestamp message from kernel to rmopd for 64<br />
bit JunOS.Fix will be checked in soon. [PR746428: This issue has been resolved.]<br />
• If a filter contains multiple prefix actions and the filter is applied, changing one prefix<br />
action referenced by this filter might crash NPCs. The change on a prefix action could<br />
be direct or indirect (For example:, changing the policer reference by this prefix action).<br />
The workaround is detaching all such filters before changing a prefix action and then<br />
applying the filters back after the change. [PR750370: This issue has been resolved.]<br />
• When CoS rewrite is configured for an IRB interface, and the IRB interface participates<br />
in L2 multicast, the copies sent over the physical interface will not have the CoS rewrite<br />
applied. This issue is applicable only when the chassis is configured in the "enhanced-ip"<br />
mode. [PR754720: This issue has been resolved.]<br />
• A MPC-* FPC installed in a MX240/480/960 router or the integrated TFEB of a<br />
MX5/10/40/80 router may crash and reboot when the unsupported command show<br />
route hw nhs is executed from the FPC cli. This command is unsupported and should<br />
not be used without the explicit instructions of JTAC. It is not needed for the normal<br />
operation of a <strong>Juniper</strong> router. [PR772413: This issue has been resolved.]<br />
• If "source-filtering" is turned on under an interface, packets with multicast destination<br />
mac address will get dropped. Such packets are used by applications like CFM. The<br />
multicast mac addresses cannot be explicitly added to be accepted using the CLI.<br />
[PR772611: This issue has been resolved.]<br />
• Traffic-control-profile applied on LT logical interface used to terminate a vpls instance<br />
has no effect and the logical interface is not shaped. [PR773764: This issue has been<br />
resolved.]<br />
• Customers using Junos OS <strong>Release</strong> 11.4R3.6 code on MX routers with MPC 3D 16x 10GE<br />
(Agent Smith) line cards may experience issues with interfaces on these line cards.<br />
Some interfaces on the MPC 3D 16x 10GE (Agent Smith) line cards may be reported<br />
as UP ("Enabled" and "Physical Link UP")in the show interfaces command.<br />
However, show interfaces terse? command for the same interface reports<br />
that interface as DOWN (Admin - UP and Link Protocol - DOWN). The link lights at<br />
both ends of the link will be GREEN ? thereby indicating connectivity. However, no<br />
traffic passes through the affected interfaces. This issue was seen on interfaces that<br />
were part of Aggregated Ethernet (AE) bundle as well as on interfaces that were NOT<br />
part of the aggregate Ethernet bundle. In addition, "Wedge Detected" messages may<br />
be seen in the syslogs and in the telnet/ssh session to the router. This behavior was<br />
NOT seen with DPC hardware. This is documented in PR 776727 and upgrading to Junos<br />
OS <strong>Release</strong> 11.4R3.7 fixes the above mentioned issues. [PR776727: This issue has been<br />
resolved.]<br />
234<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Routing Protocols<br />
• The show bgp group output is updated to new multiline format in order to display the<br />
full name of table bgp.rtarget.0. [PR696476: This issue has been resolved.]<br />
• ISO/CLNS prefixes with more than /152 VPN prefix length when advertised by BGP<br />
across VPN core causes BGP adjacecny flap since the remote BGP rejects the same<br />
prefix as invalidate address. This is because the ISOVPN draft allows only up to /152<br />
prefixes. [PR742491: This issue has been resolved.]<br />
• Pruned multicast traffic continues to flow from the source even when receiver leaves<br />
the multicast group for Junos OS <strong>Release</strong>s 10.4R8.5 ,10.4R9,10.4R9.2. [PR746474: This<br />
issue has been resolved.]<br />
• Route advertisement stops for RT family enabled BGP peers after VRF is deactivated<br />
and activated. This issue is only seen with RT enabled peers and non-stop routing<br />
enabled. [PR749288: This issue has been resolved.]<br />
• If there are some link micro flapping, it may bring the BFD into a problematic state. As<br />
a result, for next event of BFD state down, it will not bring down the client sessions like<br />
OSPF, ISIS, BGP, etc. [PR749388: This issue has been resolved.]<br />
• The routing protocol daemon (rpd) crashes and dump a core file after executing show<br />
ospf context-identifier area command which is given for an area that has not<br />
been configured. The issue is caused by insufficient check code. [PR750914: This issue<br />
has been resolved.]<br />
• The multipath flash mechanism runs unnecessarily when BGP multipath is configured<br />
for inet-vpn routes. When large amounts of inet-vpn routes change, there is a noticable<br />
delay in convergence for the inet-vpn routes. [PR751469: This issue has been resolved.]<br />
• If BGP receives an ISO-VPN prefix of length 248, i.e. ISO part of prefix contains<br />
NSEL-byte, BGP session will be reset. This is according to standards, but it would be<br />
good if BGP can handle this gracefully w/o resetting BGP-session. This PR makes BGP<br />
handle it gracefully, by ignoring the NSEL byte received in the ISO-VPN prefix. [PR771835:<br />
This issue has been resolved.]<br />
• Customer needs these debug logs to be changed to severity LOG_DEBUG. "mcsn[91713]:<br />
krt_decode_nexthop: Try freeing: nh-handle: 0x0 nh-index: 1049040 fwdtype: 2" This<br />
was introduced as part 11.4 with severity set to "LOG_INFO" (will not be seen with<br />
earlier releases). This is used as a debug log and is harmless. "mcsn[91713]: Received<br />
MC_AE_OPTIONS TLV for intf device ae1; mc_ae_id 0, status 2" This was introduced<br />
as part of RLI 8857 in 10.0 (reference from PR-411614). This also has a severity of<br />
"LOG_INFO" and is part of the rpd-infra that is used by mcsnoopd. [PR772063: This<br />
issue has been resolved.]<br />
• Routing protocol daemon (rpd) might dump a core file while processing malformed<br />
RIP or RIPng message from neighbor during adjacency establishment. [PR772601: This<br />
issue has been resolved.]<br />
• Limited Support for multiple area TLVs in a single ISIS Hello message: When many<br />
area TLVs are found in a single IS-IS Hello packet, L1 adjacencies may not be formed<br />
correctly and can be stuck in the initializing state. Currently, there are no identified<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
235
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
workarounds; however, this does not impact L2 adjacencies. [PR775852: This issue has<br />
been resolved.]<br />
Services Applications<br />
• When you pump in more than 2.1 Million passive monitoring flows into Monitor-II PIC,<br />
the router might not send memory overload SNMP trap. [PR677162: This issue has been<br />
resolved.]<br />
• When sending traffic through IPSec tunnels for above 2.5Gbps on an MS-400 PIC, the<br />
Service-PIC might bounce because of prolonged flow control. [PR705201: This issue<br />
has been resolved.]<br />
• If the Service PIC processing DS-Lite packets receives packets from overlapping IPv4<br />
addresses present behind different B4s at the same time then there is a possibility that<br />
the PIC will crash with a similar coredump. [PR711307: This issue has been resolved.]<br />
• "linerate-mode" may not be applied correctly to interfaces when first configured on a<br />
PIC which does not support "linerate-mode" and later on replace the first PIC with a<br />
second PIC which supports "linerate-mode" [PR734887: This issue has been resolved.]<br />
• In Junos OS <strong>Release</strong>s 10.4 and later, the number of outstanding IPSec tunnels has<br />
changed to be 50 tunnels instead of 200 outstanding tunnels in previous releases.<br />
[PR739683: This issue has been resolved.]<br />
• * Issue here is observing DCD_CONFIG_WRITE_FAILED with "Device not configured"<br />
error when system is rebooted with rlsq configuration. * Reason why we are seeing this<br />
error, service-pic is unable to create control logical interface hence sp interface is down.<br />
Since device is not there and while trying to add lsq ifls, observing the error. After some<br />
retries of booting sp pic (say 1 or 2 tries and came up), not seeing these errors and the<br />
bundles are UP. * Workaround here we can try deactivate interfaces -> request system<br />
reboot -> activate interfaces , instead of only request system reboot. [PR741121: This<br />
issue has been resolved.]<br />
• This PR enables visibility of Address Pool Paired out of port errors via the cli command<br />
show services nat pool detail:<br />
user@router-re0> show services nat pool detail<br />
Interface: sp-7/0/0, Service set: nat44 NAT pool: public-pool, Translation<br />
type: dynamic<br />
Address range: 100.100.0.1-100.100.0.254<br />
Port range: 512-65535, Ports in use: 64512, Out of port errors: 0, Max ports<br />
used: 64512<br />
AP-P out of port errors: 440601
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
seen in the following output: user@router> show services stateful-firewall flow-analysis<br />
| display xml <br />
<br />
sp-0/0/0 <br />
.... output omitted .... <br />
sp-0/1/0<br />
.... output omitted<br />
.... ... output omitted .... The Junos OS software has<br />
been modified to include a new tag which is the parent<br />
of both the tag and the<br />
tag thus tying the pic name with existing flow<br />
analysis details: user@router> show services stateful-firewall flow-analysis | display<br />
xml <br />
<br />
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
VPNs<br />
• An optimization has been implemented with BGP-MVPN nexthop infrastructure which<br />
will improve scalability in some multi-dimensional scaling scenarios with aggregate<br />
interfaces. [PR690690: This issue has been resolved.]<br />
• Under certain circumstances a vrf-import policy's term with the "accept" action that<br />
matches the BGP VPN route based on the criteria different than the target community<br />
can reject the matching route. [PR706064: This issue has been resolved.]<br />
• Currently, MVPN Leaf-AD routes with IR provider tunnels are sent without the PMSI<br />
attributes. These routes should be sent with the PMSI attributes. The label will be the<br />
same label as advertised in the Type 1 route. [PR717451: This issue has been resolved.]<br />
• With BGP MVPNs when there are many interfaces in the vrf, it is possible that RPD may<br />
core. If a forwarding entry has a large number of outgoing interfaces, this memory error<br />
will occur. The exact number of oifs needed to trigger this issue is not known. [PR749379:<br />
This issue has been resolved.]<br />
• In NG-MVPN with a multihomed source attached to ingress PE, when original-DR goes<br />
down and then comes back to claim its role as DR, the other node will loose its<br />
intermediate DR-role and withdraw its type 5 AD-route. However the new DR which<br />
comes back will not advertise a type 5 AD route. As result of this misbehaviour, neither<br />
the non-DR nor the DR will advertise a type 5 AD route in the re-convergence case and<br />
hence no egress-PE could join the source. [PR754222: This issue has been resolved.]<br />
• The issue happens when the ingress PE receives the type-4 leaf AD route before<br />
discovering the egress PE as a neighbor using a type-1 route. PE ignores the type-4 leaf<br />
AD route as there is no nbr. When the ingress PE receives the type-1 route, it only<br />
processes inclusive p-tnl and since it did not add the unicast IR tunnel as a leaf to the<br />
spmsi tunnel, the egress PE doesn't receive the traffic. [PR755209: This issue has been<br />
resolved.]<br />
• When the label for intra-AS AD route changes, it is not reflected in the intra-as AD route<br />
generated to the MVPN PE peers as a result the peers still use the old label information<br />
and results traffic drop. [PR771059: This issue has been resolved.]<br />
<strong>Release</strong> 11.4R3<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R3. The identifier<br />
following the description is the tracking number in our bug database.<br />
Class of Service<br />
• The IQ2E rate limit fails to function on PPPoE subscribers. [PR674857: This issue has<br />
been resolved.]<br />
• The configuration, set class-of-service interfaces all unit * classifiers exp , causes<br />
the exp classifier exp-default to be attached to every label switched interface (LSI) of<br />
the router. This is regardless of the specified, and the configuration at the<br />
[edit class-of-service routing-instances] level. [PR710427: This issue has been resolved.]<br />
• cosd crash is triggered by the ae* interface configuration under the class-of-service<br />
stanza. [PR724638: This issue has been resolved.]<br />
238<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Sometimes, the aggregated Ethernet bundle or some member links of the aggregated<br />
Ethernet bundle are missing in the Packet Forwarding Engine cos classifier binding<br />
command output. This causes the egress cos/dscp value to change to unexpected<br />
values. Hence CoS does not work as expected. [PR727949 This issue has been resolved.]<br />
• Deactivating the interface that has chassis-derived scheduler with wild cards configured<br />
causes Cosd write-failed error messages. [PR729249: This issue has been resolved.]<br />
• The issue is seen on IQ2, and IQ2E PIC on the M Series platform. When a port and a<br />
logical interface on the port is configured with the same shaping rate in the egress<br />
direction, and the scheduling mode is changed, the transmit rate in ingress direction<br />
may go down. [PR730428: This issue has been resolved.]<br />
• Changes related to Class of Service settings might affect interface byte counter<br />
accuracy. [PR731948: This issue has been resolved.]<br />
• This issue is specific to traffic-control profile and scheduler-map constructs in the<br />
class-of-service hierarchy. It is a Trio specific issue. When you have a traffic control<br />
profile or scheduler-map that is bound to a physical interface hosted on one FPC and<br />
the same traffic-control profile is bound to a logical interface hosted on a different<br />
FPC, after you move the traffic control profile from the physical interface to its own<br />
logical interface, scheduling on this logical interface may not work as expected. You<br />
need to have a logical interface on another Packet Forwarding Engine complex referring<br />
to the same traffic-control profile for this issue to happen. Then moving the traffic<br />
control profile from logical interface to the physical interface and then back again may<br />
cause this issue. As a workaround, instead of having only one traffic control profile and<br />
moving it from the physical interface to the logical interface, you can define two<br />
separate traffic control profiles - one exclusively for the physical interface and other<br />
for the logical interface. These two traffic-control profiles instead of pointing to one<br />
scheduler-map would have two different scheduler-maps. The contents of traffic<br />
control profiles as well as scheduler maps would be the same. [PR735870: This issue<br />
has been resolved.]<br />
• Junos OS <strong>Release</strong>s 11.4R1 and 11.4R2 support hierarchical policers on all Trio platforms<br />
except MX80 platforms. Junos OS <strong>Release</strong> 11.4R3 supports hierarchical policers in<br />
MX80 platforms as well. [PR737500: This issue has been resolved.]<br />
Forwarding and Sampling<br />
• When you configure output sampling in a routing instance, the commit fails, throwing<br />
up an error message indicating that the output rate was not specified. However, when<br />
you configure output sampling in a global routing instance, the commit succeeds. A<br />
fix was made to accept the configuration without the rate command so that when you<br />
configure output sampling in a routing instance, the commit succeeds. [PR710741: This<br />
issue has been resolved.]<br />
• On MX Series routers with DPC/FPC, M320 with E3-FPC, M120, and M7i/M10i with<br />
E-CFEB, in larger scale environments or negative conditions, core files might be<br />
generated on the Packet Forwarding Engine caused by memory corruption. [PR710853:<br />
This issue has been resolved.]<br />
• You cannot convert certain VPLS filters from the Ichip format to the ABC format on<br />
an ABC-based FPC on M10i and M7i routers. Therefore, these VPLS filters cannot be<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
239
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
applied correctly on the ABC-based FPC, thereby causing packet drops. The loss in<br />
traffic is recorded as a firewall drop on the FPC. This problem is specific to certain VPLS<br />
filters on an ABC-based FPC in M10i and M7i routers. [PR718066: This issue has been<br />
resolved.]<br />
• On MX Series routers , the “Transit Statistics Input bytes” counter is randomly modified<br />
by mistake and does not increment from that moment on. [PR721445: This issue has<br />
been resolved.]<br />
• When you configure VRF on a router and the routing instance corresponding to the<br />
VRF is changed, the following message is seen on the FPC: "Multiple Free :jt_mem_free."<br />
This might result in Jtree memory corruption and thereby affect forwarding<br />
non-deterministically. [PR730686: This issue has been resolved.]<br />
• When you upgrade to Junos OS <strong>Release</strong> 11.4R1, you will experience an important increase<br />
in the response time to snmpbulkwalk queries retrieving statistics from the Packet<br />
Forwarding Engine. [PR731833: This issue has been resolved.]<br />
• When bringing up a large scaled of subscribers, the subscriber management<br />
infrastructure daemon (smid) might keep restarting. [PR733712: This issue has been<br />
resolved.]<br />
• When sampling is enabled under forwarding-options, the churn of PPPoE subscribers<br />
causes the number of sample memory allocations to continuously increase. [PR741218:<br />
This issue has been resolved.]<br />
• When the number of MAC addresses is specified by the interface-mac-limit command,<br />
but not reflected on the screen, the number of MAC addresses remains at the default<br />
value. [PR743934: This issue has been resolved.]<br />
• When "interface:accounting-profile" is configured on MX Series platforms running<br />
Junos OS <strong>Release</strong>s 10.4S8,10.4R9.2, and 11.2R1 or later, there are memory leaks, the<br />
rate of which depends on the number of interfaces with "accounting-profiles". During<br />
testing with 1000 logical interfaces, we noticed up to 50 MB of memory leaks every<br />
five minutes. [PR744537: This issue has been resolved.]<br />
General Routing<br />
• MX Series routers incorrectly display DHCP subscribers in the output of the show<br />
subscribers output when some DHCP clients are in the "init" state. [PR710594: This<br />
issue has been resolved.]<br />
• PR 710339 has changes to NACK COA with invalid parameters. However it requires a<br />
dummy $junos-cos-scheduler in the hierarchical CoS definition. This fix eliminates that<br />
requirement. [PR728756: This issue has been resolved.]<br />
• Under certain circumstances while performing MIB walks you can get a mib2dcore.<br />
The core situation will recover and normal operation will continue without any<br />
intervention. All other router functionality will continue as usual. [PR740692: This issue<br />
has been resolved.]<br />
240<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
High Availability<br />
• During ISSU on MX Series platform, if an MPC has any non-Ethernet MICs plugged in<br />
slot 0, the ISSU procedure will not request offline confirmation for mics in slot-0.<br />
[PR693863: This issue has been resolved.]<br />
• This issue is triggered when you commit sync the following two operations together:<br />
• Set mpls max-labels to 4: set interfaces unit family mpls<br />
maximum-labels 4<br />
• Enable graceful Routing Engine switchover: set chassis redundancy<br />
graceful-switchover<br />
If graceful Routing Engine switchover had been enabled first and then mpls max-labels<br />
was set to 4 in different commits, this issue would have not been exposed. It is always<br />
safe not to merge any other operations with enabling graceful Routing Engine<br />
switchover. As a workaround, avoid merging any operations with the enabling of graceful<br />
Routing Engine switchover operation, in the same commit. Once the issue is seen, on<br />
the backup Routing Engine, run the following command on the cli, to restart the<br />
kernel-replication process, to make sure that all the states are resynced to the backup<br />
Routing Engine from the master Routing Engine: restart kernel-replication gracefully.<br />
[PR705626: This issue has been resolved.]<br />
• The MPC can generate core files during ISSU. This issue is intermittent. [PR744992:<br />
This issue has been resolved.]<br />
• This issue is seen only where there are tunnel physical interfaces in a configuration on<br />
MPC1/2 (QX based) neo MPCs and an ISSU is attempted from a Junos OS <strong>Release</strong><br />
11.2-based build. If attempted, the tunnel physical interfaces will stop forwarding after<br />
the ISSU. To fix this issue, deactivate and activate the tunnel physical interfaces. This<br />
can be done by deactivating and activating chassis fpc pic tunnel-services.<br />
[PR739744: This issue has been resolved.]<br />
Infrastructure<br />
• Because of certain changes to the Junos OS multicast infrastructure in Junos OS <strong>Release</strong><br />
11.1 and later, Unified ISSU is not supported when upgrading from Junos OS <strong>Release</strong><br />
10.x to 11.1 or 11.2 on M Series, T Series, and TX Series devices with multicast<br />
configuration.<br />
Attempting a unified ISSU might cause undesirable results such as a kernel or routing<br />
protocol process crash in such scenarios. Prior to the fix for this PR, the backup Routing<br />
Engine crashes when performing ISSU . After the fix to this PR, backup Routing Engine<br />
won't crash, but it displays error messages. ISSU fails regardless of the fix for PR in<br />
above given scenario. [PR675582: This issue has been resolved.]<br />
• Under certain rare conditions Kernel "devfs" might become locked. This lock might<br />
cause other processes that use /dev/filesystem to wait. Eventually some processes<br />
start spawning until reaching the maximum limit, as a consequence the Kernel crashes.<br />
The following message logged by the kernel is an indication that the system is<br />
approaching the maximum number of active processes:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
241
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
/kernel: %KERN-2: nearing maxproc limit by uid 0, please see tuning(7) and<br />
login.conf(5). /kernel: %KERN-2: Process with Most Children- 1:init - Children<br />
- 365<br />
[PR678971: This issue has been resolved.]<br />
• Specially crafted kernel routes that are generated based on directly connected networks<br />
(clone routes) might introduce reference count inconsistencies upon link flap if the<br />
clone routes can be rewired to a different interface. This can happen if the longest<br />
prefix match finds another destination for the IP address of the flapping interface. If<br />
the parent reference count is wrongly reduced to zero, the kernel will panic when it<br />
tries to delete one of the remaining child routes. [PR685941: This issue has been<br />
resolved.]<br />
• /mfs partition has only 64 MB when only compact flash is available as storage media<br />
and for large configuration file is possible to not be able to hold it. So, when HDD is<br />
broken and the /mfs partition is not large enough to store the configuration files, the<br />
Routing Engine does not boot. [PR720540: This issue has been resolved.]<br />
• When Nonstop active routing (NSR) is enabled and we shutting down bgp on the<br />
secondary Routing Engine or we are switching over from secondary Routing Engine to<br />
primary Routing Engine , we may hit the issue in case there are some packets to be<br />
processed in the PRL layer. This is a race condition between the socket close and fewer<br />
packets that come late and are queued up in the PRL layer to be processed. This<br />
happens because during socket close SA association is flipped from socket to<br />
timed-wait socket and TCP layer does not know about this flip. TCP layer, blindly<br />
accesses SA field which is now NULL and crashes. [PR726671: This issue has been<br />
resolved.]<br />
• The ether type is set to IP when it should be set to MPLS. [PR731925: This issue has<br />
been resolved.]<br />
• Routing Engine generates core files because of loss of soft watchdog after configuration<br />
change. [PR736927: This issue has been resolved.]<br />
Interfaces<br />
• Under rare circumstances, PPPoE subscribers over dynamic VLANs can be left stranded<br />
in INIT state without an underlying demux0 interface. This does not prevent a PPPoE<br />
subscriber from creating new sessions and successfully logging in. [PR697488: This<br />
issue has been resolved.]<br />
• When you issue NTP-related show commands, such as show ntp status, incorrect<br />
output might be displayed. [PR722528: This issue has been resolved.]<br />
• Primary/Secondary DNS VSA values are not passed to PPP clients through IPCP before<br />
Junos OS <strong>Release</strong> 11.4R3. [PR724418: This issue has been resolved.]<br />
• When the length of the received packet exceeds the available buffer length, jpppd<br />
might crash. [PR726254: This issue has been resolved.]<br />
• With autosensed VLAN configured, under certain conditions, autoconfd (the VLAN<br />
autosensing daemon) dumps core files because of memory corruption. [PR728020:<br />
This issue has been resolved.]<br />
242<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Interfaces and Chassis<br />
• The password recovery process does not work on some MX80 routers. [PR585092:<br />
This issue has been resolved.]<br />
• In some scenarios when VRRP is enabled on an aggregated interface and the interface<br />
is a VRRP backup, pinging the private IP address of the aggregated interface fails.<br />
[PR594020: This issue has been resolved.]<br />
• The following message might be displayed during bootstartup on MX5, MX10, MX40,<br />
and MX/80 platforms.<br />
Chassis control process: WARNING: Chassis configuration for network services<br />
has been changed. A system reboot is mandatory. Please reboot the system NOW.<br />
Continuing without a reboot might result in unexpected system behavior.<br />
[PR672306: This issue has been resolved.]<br />
• The backup Routing Engine crashes with the following panic: “rnh_index_alloc: nhindex”<br />
when the LSQ bundle with ATM member links flaps randomly because of reset/reboot<br />
of the remote end device. [PR675650: This issue has been resolved.]<br />
• On an MLFR uni-nni RLSQ interface, Multilink input statistics do not work after 8 logical<br />
units (dlci's). This does not have any impact on the Multilink traffic. [PR688197: This<br />
issue has been resolved.]<br />
• When certificate key size is 2048 bytes and total combined certificate request size is<br />
greater than 4096 bytes, the PKID service might crash on certificate enrollment.<br />
[PR698846: This issue has been resolved.]<br />
• When both IPv6 multicast and unicast traffic is input, changing the MTU for the output<br />
interface causes incorrect counter for "Output packets". [PR700018: This issue has<br />
been resolved.]<br />
• Standby SCG keeps staying Deviation as "unknown" and Status as "present" after<br />
Routing Engine master switch. [PR701800: This issue has been resolved.]<br />
• When a multiservices PIC is switched over and one link in the RLSQ bundle is down,<br />
and the other side is set to remote-loopback, all BGP and Bidirectional Forwarding<br />
Detection (BFD) sessions go down [PR701915: This issue has been resolved.]<br />
• While using VRRP with logical systems, sometimes the show vrrp command for logical<br />
systems does not display information for all groups. You can retry the show command<br />
in such a case.[PR704068: This issue has been resolved.]<br />
• Regarding the K2-Routing Engine (64-bit Routing Engine) when speed/link mode are<br />
statically configured on the router for the fxp0 interface, the driver for fxp0 accepts<br />
the configuration from DCD process, but does not propagate the setting to the hardware<br />
driver. Instead, the driver setting is forced to auto-negotiate. Thus, as the fxp0 interface<br />
is auto-negotiating, and the far end device is forced to 100/full, the auto-negotiation<br />
on fxp0 will detect the speed but not the duplex and defaults that duplex to half-duplex.<br />
[PR704740: This issue has been resolved.]<br />
• On IQE PICs, in case of PPP encapsulation, if an interface's admin status is changed<br />
from disabled to enabled, it may result in the interface on the peer end flapping<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
243
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
(operstatus changing from DOWN to UP to DOWN and back UP again) occasionally.<br />
[PR705598: This issue has been resolved.]<br />
• In a Multi-Chassis Link Aggregation Group (MC-LAG) Active/Active environment with<br />
Aggregate Ethernet (AE) interface as Multi-Chassis Link (MC-Link), after graceful<br />
Routing Engine switchover, the Inter-Chassis Data Link (ICL-link) interface might be<br />
accepted as the MAC destination interface in the ARP Cache table and ignoring ARP<br />
request from client from MC-Link interface. As a consequence, traffic might be lost.<br />
Only after ARP aging timeout in the Routing Engine, the Routing Engine will send the<br />
ARP request and traffic will be restored. [PR706091: This issue has been resolved.]<br />
• Router might crash while trying to bring up 52k PPPoEv4 subscribers with<br />
service-accounting at login time. [PR706495: This issue has been resolved.]<br />
• This issue can be seen after RSVP LSP are reestablished because of optimization or<br />
bandwidth adjustment. [PR706635: This issue has been resolved.]<br />
• Interface optics-options do not work as expected on MX-MPC2-3D and<br />
MX-MPC2-3D-EQ. [PR706824: This issue has been resolved.]<br />
• In Active/Active MC-LAG if we power off both PEs and start only PE, MC-Links will not<br />
come up (we need an initial TCP connection for MC-LAG finite state). [PR707494: This<br />
issue has been resolved.]<br />
• Port(s) in PIC DPCE-R-4XGE-XFP might get stuck in down status after power-up<br />
sequence such as for example upon a reboot of the router or FPC. If encountered,<br />
recovery mechanism is to toggle the LAN/WAN phy mode. This issue does not occur<br />
upon a link flap event. The configuration below shows how to toggle the LAN/WAN<br />
phy mode. Under the edit interface hierarchy execute the following<br />
commands:<br />
set framing wan-phy<br />
lab@LABROUTER# show<br />
framing {<br />
wan-phy;<br />
}<br />
commit<br />
Now delete the interface framing configuration:<br />
delete framing<br />
show<br />
commit<br />
[PR708382: This issue has been resolved.]<br />
• If we have a RLSQ interface configured under a routing instance and after we perform<br />
deactivate or activate on the routing in certain scenarios the ingress traffic from the<br />
member media links are not sent to the correct LSQ PIC and hence we see a traffic<br />
black hole. [PR708720: This issue has been resolved.]<br />
• instance-import under routing-options hierarchy might lead to commit error on TX<br />
Series and TXP Series routers. [PR709337: This issue has been resolved.]<br />
• On MX Series routers using DPCE-R-Q-20GE-SFP (DPCE 20x 1GE R EQ) cards broadcast<br />
and multicast frames are not forwarded correctly to the IRB interface.<br />
244<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
If a bridge domain or VPLS routing instance contains CE-facing interfaces located on<br />
built-in PIC 1 of a DPCE-R-Q-20GE-SFP (DPCE 20x 1GE R EQ) card then broadcast<br />
and multicast frames received on those specific interfaces are not forwarded correctly<br />
to the IRB interface associated with the bridge domain or VPLS routing instance.<br />
The fact that broadcast and multicast frames are not forwarded correctly to the IRB<br />
interface can cause different behaviors for protocols that rely on this kind of traffic.<br />
For example, the IRB interface will not receive ARP requests from the CE attached to<br />
that interface or routing protocols running between the CE and the IRB interface will<br />
fail to build adjacencies.<br />
This problem is restricted to DPCE-R-Q-20GE-SFP (DPCE 20x 1GE R EQ) cards for MX<br />
Series routers and is restricted to interfaces in the second half of the card (situated on<br />
built-in PIC 1).<br />
If the DPCE-R-Q-20GE-SFP is installed in an MX Series router in slot 1 as in the following<br />
example:<br />
user@router-re1> show chassis hardware<br />
Hardware inventory:<br />
Item Version Part number Serial number Description<br />
Chassis<br />
JN11BD460AFB MX480<br />
<br />
FPC 1 REV 25 750-017679 ZB7257 DPCE 20x 1GE R EQ<br />
CPU REV 04 710-022351 YX4734 DPC PMB<br />
PIC 0 BUILTIN BUILTIN 10x 1GE(LAN) EQ<br />
Xcvr 7 REV 01 740-014132 72152014 SFP-T<br />
PIC 1 BUILTIN BUILTIN 10x 1GE(LAN) EQ<br />
Xcvr 7 REV 01 740-013111 70731026 SFP-T<br />
<br />
Only interfaces named ge-1/1/* will be affected by this problem. Interfaces named<br />
ge-1/0/* although situated on the same DPC will forward broadcast and multicast<br />
frames correctly.<br />
Other types of DPC or MPC cards for MX Series routers are not affected by this problem.<br />
[PR712414: This issue has been resolved.]<br />
• FPCs might reboot in a scaled environment, or log messages complaining that PFEMAN<br />
thread is hogging the CPU. [PR718774: This issue has been resolved.]<br />
• No NTP Time sync among Routing Engines in Virtual Chassis. The fix is available in<br />
Junos OS <strong>Release</strong> 11.4R3 and later releases. [PR719901: This issue has been resolved.]<br />
• Configuration write fails for an logical interface prior to reaching the max logical interface<br />
limit for a 4x CHDS3 IQ PIC. [PR711654: This issue has been resolved.]<br />
• Because of a bug in the Junos OS kernel code, various types of interfaces show up as<br />
member links of an aggregated Ethernet interface, though these same interfaces are<br />
not configured to become part of a given aggregated Ethernet bundle. For example,<br />
the interface extensive for an aggregated Ethernet bundle configuration with xe-8/1/0<br />
and xe-4/3/3 as member links:<br />
LACP Statistics: LACP Rx LACP Tx Unknown Rx Illegal Rx<br />
xe-8/1/0.0 223171 223707 0 0<br />
xe-4/3/3.0 223171 223716 0 0<br />
lc-3/1/0.32769 0 0 0 0<br />
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
lc-3/1/0 is incorrectly added.<br />
[or]<br />
xe-7/1/3 and xe-7/2/0 are not configured to be member links of ae1<br />
Physical interface: ae1, Enabled, Physical link is Up<br />
<br />
LACP Statistics: LACP Rx LACP Tx Unknown Rx Illegal Rx<br />
xe-7/1/3.0 0 0 0 0
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
from the [edit system ddos-protection violation] hierarchy level, and that hierarchy<br />
level has been removed from the CLI.<br />
The show ddos-protection protocols command now displays Partial in the Enabled<br />
field to indicate when some of the instances of the policer are disabled. The Routing<br />
Engine Information section of the output now includes fields for bandwidth, burst, and<br />
state. The show ddos-protection protocols parameters command and the show<br />
ddos-protection protocols statistics command now include a terse option to display<br />
information only for active protocol groups-that is, groups that show traffic in the<br />
Received (packets) column. The show ddos-protection protocols parameters command<br />
also displays part. for policers that have some disabled instances. [PR722873: This<br />
issue has been resolved.]<br />
• KRT Q might get stuck in a system with a dual Routing Engine running NSR and per<br />
packet load balancing:<br />
• The master Routing Engine and RPD installs a unicast next hop for a route.<br />
• The master Routing Engine and RPD then installs another next hop for the same<br />
route effectively changing the next hop for the route from unicast to a unilist.<br />
• The backup RPD does not get a next-hop delete for the old unicast next-hop. Instead,<br />
the backup RPD only achieves a route change to point to the new unilist.<br />
• NSR switch over occurs and the master ship is toggled.<br />
• The new master RPD changes route to point to unilist. This will release reference on<br />
the single path route. Since RPD has next-hop ID cached for it, RPD tries to delete<br />
the unicast next-hop in the kernel.<br />
• KRT Q gets stuck in 'EPERM –Jtree walk in progress' in the new master Routing<br />
Engine.<br />
[PR722890: This issue has been resolved.]<br />
• Two new configuration statements are provided for [system services ssh] for configuring<br />
a client-alive mechanism. The client-alive mechanism is valuable when the client or<br />
server depends on knowing when a connection has become inactive. It differs from<br />
the standard keepalive mechanism because the client-alive messages are sent through<br />
the encrypted channel. The client-alive mechanism is not enabled by default. To enable<br />
it, configure the client-alive-count-max and the client-alive-interval. This option applies<br />
to SSH protocol version 2 only. [PR722932: This issue has been resolved.]<br />
• If LSQ PIC is flow controlled for a period of five seconds or longer, the kernel does close<br />
the PFEMAN socket to the LSQ PIC. Once the back-pressure is cleared, the PFEMAN<br />
socket gets not reconnected and the PIC does not close the PFEMAN socket to the<br />
Routing Engine as the TCP Reset frame is dropped already. From this time onwards,<br />
any bundle state changes are not propagated from the Routing Engine to the LSQ PIC.<br />
The following sequence of message log entries illustrates the symptom:<br />
Dec 12 01:53:21 router fpc2 Transient flow-control asserted by MAC0 on sp-2/1<br />
for 1 seconds<br />
Dec 12 01:53:22 router fpc2 Transient flow-control asserted by MAC0 on sp-2/1<br />
for 2 seconds<br />
Dec 12 01:53:23 router fpc2 Prolonged flow-control asserted by MAC0 on sp-2/1<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
247
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Dec 12 01:53:25 router /kernel: pfe_send_failed(index 9, type 20), err=32<br />
Dec 12 01:53:25 router /kernel: pfe_listener_disconnect: conn dropped: listener<br />
idx=7, tnpaddr=0x12020080, reason: none<br />
Dec 12 01:54:33 router fpc2 MAC flow-control cleared on sp-2/1<br />
A manual LSQ PIC restart is needed to recover from this condition. [PR723663: This<br />
issue has been resolved.]<br />
• Now the clear oam ethernet link-fault-management state intf command resets local<br />
OAM loopback (if enabled) along with the existing behavior of resetting discovery state<br />
machine. [PR723739: This issue has been resolved.]<br />
• Both Routing Engines might crash and dump VMcore, when PIC receives FRF.15 packets<br />
as payload of FRF.16 encapsulation. This issue occurs only in the environment in which<br />
RLSQ is configured with hot-standby option. [PR725162: This issue has been resolved.]<br />
• Run time change in ’no-accept-data/accept-data’ fails to take effect in few cases for<br />
Inherit group. If ping to VIP is not required then don't configure ’no-accept-data’. It is<br />
disabled by default. By default, ping to VIP will fail. restart vrrp will resolve the issue.<br />
Software upgrade from other releases to Junos OS <strong>Release</strong> 11.4R2 with an existing<br />
'accept-data/no-accept-data' configuration is not impacted.<br />
'accept-data/no-accept-data' configuration will work as designed after software<br />
upgrade. This issue is not applicable for Active group. [PR725556: This issue has been<br />
resolved.]<br />
• COC12 interface stays in the ’down’ state for extended periods of time when deleting<br />
the local loopback configuration. [PR726762: This issue has been resolved.]<br />
• The PPP daemon generates core files when there are invalid (or unexpected) packets<br />
received at the local router during LCP state change. A warning message is supposed<br />
to be generated and return a ?junk? value to the previous function. The ?junk? value<br />
was incorrectly returning causing the core files. The fix for this issue is to add additional<br />
an error check in the function which generates the ?junk? value. PPP will recover after<br />
the core. [PR728833: This issue has been resolved.]<br />
• If the Inter Chassis Link (ICL) between MCAE nodes is down to begin with when Inter<br />
Chassis Control Protocol (ICCP) restarts, the MCAE interfaces continue to stay in<br />
standby state and do not become active. [PR729043: This issue has been resolved.]<br />
• In MX Virtual Chassis environment, Virtual Chassis Control Protocol Daemon (VCCPD)<br />
might get starved out under heavy load. This will result in breaking the Virtual Chassis.<br />
[PR729045: This issue has been resolved.]<br />
• When Graceful Routing Engine Switchover is enabled on a system, during graceful<br />
Routing Engine switchover or re-synchronization activities between the Routing Engines,<br />
the Kernel might dump core files which is because of incorrect code handling of a<br />
background clean-up thread. [PR729325: This issue has been resolved.]<br />
• Traffic for certain l2circuits might stop working after Routing Engine switchover. The<br />
same issue was also noticed after adding an logical interface/VLAN to the interface<br />
that has vlan-ccc ifls associated to l2circuits. The workaround is delete or add<br />
encapsulation on the vlan-ccc unit interface associated with the affected l2circuits.<br />
This issue is related only to 4x10GE(LAN/WAN) XFP PIC (see PR718495) and 100GE<br />
CFP PIC. [PR730249: This issue has been resolved.]<br />
248<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Local Loopback on a SONET interface seems to be intermittent with hold-timers<br />
configured. [PR730844: This issue has been resolved.]<br />
• Configuration changes resulting in an indirect to change from a unilist to a unicast could<br />
result in an ADPC/SDPC crash. [PR731727: This issue has been resolved.]<br />
• An SNMP trap is not generated when Fan or Blower is not spinning. [PR732363: This<br />
issue has been resolved.]<br />
• The software information about Ethernet MICs and non-Ethernet mics are stored in<br />
Junos OS in different structures. The crash occurs because of memory corruption<br />
caused by the FRR-marking feature in the non-Ethernet-mic structures. The PR has<br />
been fixed in Junos OS <strong>Release</strong> 11.4R2 and later. [PR733566: This issue has been<br />
resolved.]<br />
• While doing traceroute Hard Coded Address "10.0.0.1" can be seen as one of the Hop<br />
Address when there is no valid Address for the Incoming Interface. [PR734058: This<br />
issue has been resolved.]<br />
• FPC crashes is because of a port conversion corner case that was seen when deleting<br />
2 VCPs that resided on the same pic. The problem is not easy to reproduce. The problem<br />
might be reproduced by deleting VCPs that reside on the same pic while the kernel is<br />
under load. As a workaround, delete subsequent ports only after verifying a network<br />
port was created for a deleted VCP. When deleting VCPs that coexist on the same pic,<br />
ensure the network port for the previously deleted VCP exists before deleting the next<br />
VCP. This ensures conversion for the first deleted port has been completed and a<br />
network port for the 'to-be-deleted' port is not yet created. [PR735122: This issue has<br />
been resolved.]<br />
• When Ethernet OAM is enabled on member links of a lag group the peer address<br />
reported in the output of the show oam ethernet link-fault-management command<br />
displays the peer address as the lag group's MAC address. [PR735436: This issue has<br />
been resolved.]<br />
• Messages such as “Dispatching Synchronous Ethernet Capability TLV” are informational<br />
or debug messages and can be safely ignored. [PR735516: This issue has been resolved.]<br />
• When PPPoE subscribers dial in and dial out, then kernel task devbuf will have a memory<br />
leak. [PR735637: This issue has been resolved.]<br />
• When Active/Active (A/A) mode is enabled and the aggregated Ethernet interface<br />
name and ICL link start with the same digit, the aggregated Ethernet bundle, that is<br />
going to the MC-LAG device providing connectivity to the Core network, does not come<br />
up. This issue is seen in MX Series platforms.[PR736012: This issue has been resolved.]<br />
• Whenever there is any alarm (RDI-L, RDI-P or AIS-L) on the interface, on switchover<br />
in transmission, 10g port configured in WAN-PHY mode on DPC 4x 10GE R, with<br />
hold-time down time of less than 1 second, flaps even before the down hold time is<br />
expired. Code has been modified now to address this issue and the fix is available in<br />
Junos OS <strong>Release</strong>s 11.4R3, 11.2R7, 12.1R2, 10.0R5, and 10.4R10. [PR736477: This issue<br />
has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
249
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Chassisd core might be generated while performing Routing Engine switchover. It is<br />
caused by interrupt storm when master Routing Engine transition to backup and<br />
chassisd can be stalled. [PR738084: This issue has been resolved.]<br />
• When VPLS neighbor is configured under the user-configured mesh group, the flood<br />
route for LSI logical interface is deleted. This issue is observed in M Series routers as<br />
flood routes are maintained per logical interface. The problem could occur in any<br />
dynamic logical interface. [PR736993: This issue has been resolved.]<br />
• Jtree Memory full condition can lead to junk value being stored in the composite next<br />
hop structure. A change operation on the composite next hop can lead to crash because<br />
of junk value stored in its structure. [PR739631: This issue has been resolved.]<br />
• CB intake temperature shows as empty for backup CB for a few seconds when backup<br />
Routing Engine is rebooted or halted. [PR740453: This issue has been resolved.]<br />
• If the configuration has routing instances with the character "/" in its name and the<br />
routing instance has VPLS family configured under it, a configuration change at the<br />
top level causes IFFs to get deleted and added back, which results in flapping of the<br />
respective VPLS connections. [PR740950: This issue has been resolved.]<br />
• On Ichip platforms, when there are more than 16 ECMP routes exist, after some of the<br />
routes flapping (but the available ECMP routes still more than 16), the memory on FPC<br />
might be corrupted and error messages such as "jtree memory free using incorrect<br />
value" might be displayed. [PR743323: This issue has been resolved.]<br />
• On VRRP backup router for a given IRB unit, following a non-graceful Routing Engine<br />
switchover, ARP entries for this IRB may be not learnt over MC-LAG. [PR743385: This<br />
issue has been resolved.]<br />
• With the "delete" or "deactivate" "interface :family inet:accounting" configuration;<br />
FPCs that have the configuration removed might be reset unexpectedly. [PR743442:<br />
This issue has been resolved.]<br />
• VPLS interface sometimes stops flooding multicast or broadcast or unknown unicast<br />
routes when following operations are performed:<br />
• Deactivate/activate VPLS interface at a global level (deactivate interface interface<br />
name)<br />
• Disable/enable VPLS interface at a global level (deactivate interface interface name)<br />
• Graceful Routing Engine switchover without NSR setup<br />
• Restart routing<br />
This issue can be avoided if you deactivate/activate (or disable/enable) the VPLS<br />
interface or make the PIC offline or online. [PR744361: This issue has been resolved.]<br />
• 'fru_is_present: out of range slot 0 for' logs are displayed in chassisd logs for all the<br />
routers where CIP FRU is not present. This log is cosmetic in nature. [PR746923: This<br />
issue has been resolved.]<br />
• With 'epd-threshold' configured in the scheduler map for ATM2 interface, the EPD<br />
threshold (early packet discard) value applied to the interface might not be correct.<br />
As a consequence, packets might be unexpectedly tail dropped. This is caused by the<br />
250<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
defect code of edp-threshold value calculation. [PR748864: This issue has been<br />
resolved.]<br />
• FPC crashes because of excessive interrupt services from Agave PICS. The fix for the<br />
PR is enabling the throttling on the IQ2pics to handle the interrupt storm on Agave<br />
PICS. [PR722812: This issue has been resolved.]<br />
Layer 2 Ethernet Services<br />
• When the front panel of a MX Series Routing Engine is brushed against, the Routing<br />
Engine powers down resulting in outages of customer networks. [PR703076: This issue<br />
has been resolved.]<br />
• IPv6 DHCP relay agent and IPv4 bootp mode do not interoperate. This functionality is<br />
currently being evaluated. [PR710545: This issue has been resolved.]<br />
• A defect (PR-716885) was introduced causing incoming DHCP packets to be tagged<br />
with the wrong Layer 3 interface number when those packets were received on an IRB<br />
interface. This resulted in failure to transmit the DHCP responses back out the<br />
appropriate interface, leaving the protocol handshake incomplete. This problem is<br />
resolved in Junos OS <strong>Release</strong> 11.4R2. [PR716885: This issue has been resolved.]<br />
• LACP packets might be dropped during the period of congestion on the interface<br />
between the forwarding and the control plane because of inadequate LACP<br />
prioritization. [PR719484: This issue has been resolved.]<br />
• Jdhcpd (DHCP daemon) might dump core files in DHCP or DHCPv6 environment, and<br />
the subscriber client state “RELEASE” is observed. [PR735945: This issue has been<br />
resolved.]<br />
• With STP/aggregate Ethernet configured under IRB interface, you might see kernel<br />
panic on both master and backup Routing Engines after a multiple graceful Routing<br />
Engine switchover is done. [PR742940: This issue has been resolved.]<br />
MPLS Applications<br />
• By design, the MPLS family under virtual-router type routing-instance is not created<br />
without a corresponding "protocols:ldp". Hence, without MPLS family, MPLS filter does<br />
not work on an interface configured under virtual-router type routing-instance. As a<br />
workaround, configure LDP in the instance, and disable it on all interfaces if not used.<br />
[PR601989: This issue has been resolved.]<br />
• RPD might consume more CPU cycles when doing an snmpwalk on mplsLspState.<br />
[PR707889: This issue has been resolved.]<br />
• The counter values reported by SNMP mibs mplsLspInfoAggrPackets and<br />
mplsLspInfoAggrOctets are incorrect. If the LSP has a secondary standby path, the<br />
counter value will increase by the total value transmitted every MPLS statistics interval.<br />
If the LSP has no secondary standby path, the counter increments correctly until the<br />
LSP reverts from the primary to the secondary path. When this occurs, the counter<br />
value will increase by the total value transmitted every MPLS statistics interval.<br />
[PR709310: This issue has been resolved.]<br />
• MPLS statistics are not updated for auto-bandwidth for CCC circuits [PR722744: This<br />
issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
251
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Graceful restart of MPLS protocol might trigger this problem when adaptive LSPs are<br />
present in the system. RPD generates core files because of this issue. [PR725579: This<br />
issue has been resolved.]<br />
• On Junos OS <strong>Release</strong> 9.6, the no-decrement-ttl command hides the internal network<br />
when trace route is done on an MPLS core running RSVP LSP. but the same fails when<br />
running Junos OS <strong>Release</strong> 10.4 code. This bug was introduced because of new feature<br />
of no-propagate-ttl command which was introduced under VRF. [PR725779: This issue<br />
has been resolved.]<br />
• If l3vpn-composite-nexthops were configured under [edit routing-options] and at the<br />
same time an output filter was applied to lo0 unit 0, the router might have malformed<br />
the L3 part of locally generated MPLS packets (one or more labels). This is limited to<br />
only those packets that are originated from within a routing-instance and hence that<br />
have their lookup done in the .inet.0 (for example: ping<br />
routing-instance .) Packets generated for the main instance (inet.0)<br />
are not affected. Transit packets are unaffected in any case. [PR734580: This issue<br />
has been resolved.]<br />
• RPD_MPLS_INTF_MAX_LABELS_ERROR is seen in log messages even if the<br />
maximum-labels option is configured under "family mpls". [PR734680: This issue has<br />
been resolved.]<br />
• With nonstop routing (NSR) enabled, under very rare case, the routing protocol daemon<br />
(rpd) might crash and dump core files. It is caused when RPD is very busy and there<br />
are many background jobs waiting to run. One of them is LDP resync write job. There<br />
is a window in which LDP is waiting for LDP resync write job to run to flush the data on<br />
session(a). Before the job runs, LDP on standby Routing Engine learns that session(a)<br />
is not operational anymore and it moves on to request session sync for session(b).<br />
LDP on master starts session sync for session(b) and creates a job LDP sync session.<br />
Then the old job LDP resync write runs and re-starts session sync for session(b) by<br />
creating a job LDP sync session but finds out that it has already created (It should not<br />
have been created) and RPD cores. This window increases with busy RPD and there<br />
is more likelihood of this core happening. [PR735337: This issue has been resolved.]<br />
• Performing "monitor label-switched-path" might cause routing process hog CPU<br />
resources and will not release except restart routing process. [PR735994: This issue<br />
has been resolved.]<br />
• RPD sometimes cores when running snmp walk to mplsXCLspId. RPD core seems to<br />
happen more in case, when the number of LSP (ingress/egress/transit) is increased.<br />
[PR737147: This issue has been resolved.]<br />
• Sometimes the MPLS Autobandwidth value "Max AvgBW util" displays an incorrect<br />
value. This is because of an error in the way that the value is calculated. [PR737922:<br />
This issue has been resolved.]<br />
• If member links of an aggregate bundles or ECMP paths are located on MPC in slot 8<br />
or higher l3vpn traffic using l3vpn-composite-nexthops might get dropped. [PR740719:<br />
This issue has been resolved.]<br />
• l3vpn-composite-nexthop with MPC and MSDPC doing stateful-firewall with interface<br />
service-set drops packets on service input direction. The interface where service<br />
252<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
input/output is configured has to be inside a VRF, and the destination for which service<br />
input should intercept the traffic and send it to service PIC in MSDPC should be<br />
reachable through MPLS backbone, so resolved through composite next-hop, in order<br />
to see this issue. [PR747914: This issue has been resolved.]<br />
Multicast<br />
• In multicast VPN setup with one or more MLFR interface(s) in routing instance, and<br />
two MS PICs configured in redundant mode, multicast packets with some DSCP value<br />
are lost on making the primary MS PIC offline or online, followed by deactivating or<br />
activating the routing instance. [PR696475: This issue has been resolved.]<br />
• PIM join messages is fragmented on the IPv6 PIM sparse (PIM-SM) mode, if the join<br />
message exceeds the configured MTU. The multicast traffic should take the interface<br />
MTU and not the path MTU to avoid the fragmentation of PIM join messages. [PR718212:<br />
This issue has been resolved.]<br />
• In NG-MVPN environment, local receiver where the multicast receiver and source are<br />
connected with the same PE, multicast traffic might be dropped when Provider Tunnel<br />
flaps. [PR724131: This issue has been resolved.]<br />
• In a VPLS multihoming environment where two PE routers are connected to two<br />
interconnected CE routers and STP root protection is enabled on the PE routers, only<br />
one PE router's interface is in forwarding state while the other PE router's interface is<br />
in blocking state. IGMP snooping membership will be learnt only on the forwarding PE<br />
router. When the link interconnecting the two CE routers fails, the PE router interface<br />
in blocking state transitions to the forwarding state. On this transition, the IGMP<br />
snooping process on that PE sends a general query message toward the CE router in<br />
order to immediately reconstruct the group membership state and minimize data loss<br />
for the IGMP hosts. When the link interconnecting the two CE routers is restored, the<br />
original spanning-tree state on both PE routers is restored. The forwarding PE receives<br />
a spanning-tree topology change message. IGMP snooping process on the PE however,<br />
does not send a general query message toward the CE router to immediately reconstruct<br />
the group membership state, resulting in data loss till the next periodic query is received<br />
from the router and the hosts respond to it. [PR724313: This issue has been resolved.]<br />
Network Management<br />
• When firewall filter counter names are changed, MIB2D assumes all changes are<br />
implemented immediately at commit. MIB2D queries the Packet Forwarding Engine<br />
before it is updated and therefore gets the incorrect list of counter names. Queries<br />
done through SNMP therefore reflect the old firewall counter names. [PR703606: This<br />
issue has been resolved.]<br />
• With a large scale of subscribers that are configured over VLAN demux interface, high<br />
CPU utilization of Mib2d (Management information database of SNMP) might be<br />
observed after flapping subscribers. [PR710573: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
253
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Platform and Infrastructure<br />
• Random VLAN Id's associated with MAC-address learning from untagged frames on<br />
trinity cards. [PR594605: This issue has been resolved.]<br />
• When disable em0 interface is performed , em1 interface is also disabled. This causes<br />
loss of communication via em1 interface. [PR596113: This issue has been resolved.]<br />
• As a precautionary measure, a periodic sanity check is added to FPC. It checks FPC<br />
error conditions and performs the appropriate actions in case of an error. [PR660761:<br />
This issue has been resolved.]<br />
• The time stamp of the messages in the firewall log is showing incorrect values. The<br />
system time and time stamp in log messages are not affected. If NTP server is<br />
configured, the issue does not happen. [PR661768: This issue has been resolved.]<br />
• On an MX chassis with enhanced-ip network services configured; multicast traffic may<br />
be temporarily impacted on all hosts listening to a group if at least one host is going<br />
through an IRB (that has an aggregated Ethernet as an L2 interface) and the aggregated<br />
Ethernet or the IRB interface is removed. [PR696417: This issue has been resolved.]<br />
• At times when RPD/Kernel doesn't have correct index values for the LSI/VT<br />
sub-interface which is part of a VPLS routing-instance can lead to the forwarding to<br />
stop. This can be seen on either Enabling VPLS routing-instance or moving between<br />
LSI and VT sub-interface associated with a VPLS routing-instance. When this issue<br />
occurs we can notice that forwarding stops on this VPLS routing-instance and the<br />
following log messages:<br />
Jan 11 15:38:14.405 2012 testlab-ARA03 tfeb0<br />
HALP-trinity_nh_indirect_get_vpls_oif_entry vpls interface ifl=424 does not<br />
have indirect_nh!<br />
Jan 11 15:38:16.356 2012 testlab-ARA03 tfeb0<br />
HALP-trinity_nh_indirect_update_fabcallIndirect NH(1048600), ifl is neither<br />
LSI/VT ifl,.local.,ifl=(0)<br />
[PR704283: This issue has been resolved.]<br />
• An MX MPC type card or the MX80 TFEB can crash when a L2 interface is added to a<br />
bridge-domain or a VPLS routing-instance. This kind of crash will only occur if previous<br />
events left stale entries in the forwarding table of the MX MPC or MX80 TFEB. After<br />
the crash the MX MPC or the MX80 TFEB will restart automatically. [PR711182: This<br />
issue has been resolved.]<br />
• In MVPN scenarios with extranets or hub and spoke NG-MVPNs, it is possible to have<br />
more than one customer site using the same provider tunnel on one PE. In such<br />
deployments, at the receiver PE with multiple customer sites, if IPv6 multicast traffic<br />
is carried over the IPv4 provider tunnel, all customer sites may not receive the IPv6<br />
multicast traffic; only the first site will receive IPv6 traffic. This issue is only for IPv6<br />
over IPv4 tunneled traffic; IPv4 over IPv4 will work correctly. [PR711891: This issue has<br />
been resolved.]<br />
• FPC type 4.1-ES and type 1/2/3-ES sends out bogus cells which sometimes affects to<br />
the other FPCs and cause RKME error on the other FPCs. The FPC detecting RKME<br />
error sometimes stops sending out traffic. To have the FPC send traffic, user need to<br />
restart the FPC. [PR717384: This issue has been resolved.]<br />
254<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• During certain configuration corner cases when the source-address or destination<br />
address associated with one of the listed Packet Forwarding Engine firewall filter logs<br />
is of a certain length, it causes the syslog module in the Packet Forwarding Engine to<br />
crash. SYSLOG_IP6_GEN SYSLOG_IP6_ICMP SYSLOG_IP6_TCP_UDP [PR718485: This<br />
issue has been resolved.]<br />
• The allow-configuration-regexps statement at the [edit system login class] hierarchy<br />
level does not work exactly the same way as the deprecated allow-configuration<br />
statement at the same hierarchy level. [PR720013: This issue has been resolved.]<br />
• A 3D chipset which is operating at Layer 2 will look at the IP length and discard trailer<br />
bytes before forwarding the frame. The TPID must be 0x8100, the Ethertype must be<br />
0x8000, and this only happens for frames 322 bytes or less, including CRC. [PR720576:<br />
This issue has been resolved.]<br />
• On M-series platform (except M320, M120 and M10i/M7i with enhanced CFEB), when<br />
a link within an Aggregate Ethernet bundle flaps, a MAC frame might be incorrectly<br />
forwarded to another VPLS instance. There is no workaround. [PR721131: This issue has<br />
been resolved.]<br />
• When l3vpn-composite-nexthop knob is enabled, the VPN label is pushed in the ingress<br />
Packet Forwarding Engine. The Egress Packet Forwarding Engine pushes the LSP label.<br />
When EXP rewrite is configured on the outgoing interface, the egress Packet Forwarding<br />
Engine was performing the rewrite only on the LSP label. [PR723816: This issue has<br />
been resolved.]<br />
• Injecting an excessively long packet for debug (the packet in invalid) results in a buffer<br />
being overrun leading to a crash. Care must be exercised when using packet inject to<br />
debug TRIO. The nominal packet length (within the LU) is only 320 bytes, the crash<br />
resulted when a 971 byte parcel was injected -- overrunning the display buffer.<br />
[PR724232: This issue has been resolved.]<br />
• MX acting as bootp helper does not add padding when option82 is included in the<br />
bootp messages. [PR724391: This issue has been resolved.]<br />
• MPC might crash when "shaping-rate 106g" is configured under traffic-control-profile.<br />
[PR724794: This issue has been resolved.]<br />
• After a MPC restart unexpectedly, the following messages can be seen in the<br />
/var/log/messages file:<br />
Jan 10 16:52:01 myrouter fpc0 MPC: Reset reason (0xc): Level3 watchdog, Level2<br />
watchdog<br />
[PR724924: This issue has been resolved.]<br />
• Ping with a size that exceeds MTU does not work, because ICMPv6 Path MTU packets<br />
to the originator are sent with an incorrect MTU value. [PR725695: This issue has been<br />
resolved.]<br />
• Protecting an OSPF Hello with IPSEC AH may cause a cosmetic log entry like the<br />
following when "forwarding-options helpers bootp" is configured:<br />
Jan 12 13:17:29.946 SomeRouter /kernel: ipsec_is_inbound_pkt_valid(2004):<br />
Socket option not set with the addr=130.215.0.129, ifl=331, rtbl_idx=0,<br />
so=0xa53c31a0<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
255
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[PR728779: This issue has been resolved.]<br />
• The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a<br />
MAC check only if certain padding is valid, which makes it easier for remote attackers<br />
to recover plaintext via a padding oracle attack. [PR730229: This issue has been<br />
resolved.]<br />
• The nh entry in the fabric table for self ping application was getting deleted when the<br />
lo0 inet family was getting removed. [PR730714: This issue has been resolved.]<br />
• When queue rate-limit is configured for interfaces on MPC Type 1 3D or MPC Type 2<br />
3D (i.e. non-Q/EQ MPCs), the output of 'show interfaces queue' for such interfaces<br />
does not display the count of packets and bytes dropped because of rate-limit.<br />
[PR732274: This issue has been resolved.]<br />
• A core dump is generated when a time conditional is applied to a configuration group<br />
in a configuration that includes a commit script. [PR732402: This issue has been<br />
resolved.]<br />
• VRRP transit Traffic(DA MAC address of VRRP group mac-addresses) flowing on a<br />
node, specifically through an IFD, which has VRRP configured locally, will dropped<br />
those pacekts, if the locally configured VRRP group is different from transit VRRP<br />
group. This is only on Trio platforms. [PR732516: This issue has been resolved.]<br />
• When a tagged interface is part of a bridge domain or vpls routing instance with shared<br />
vlan learning enabled using "vlan-id all" configuration, and the interface has an explicit<br />
input vlan-map which pops all the incoming vlan-ids, the mac-addresses in the bridge<br />
domain/vpls routing instance is learnt on an incorrect vlan-id. [PR733864: This issue<br />
has been resolved.]<br />
• MPC might crash and generate core file after executing Packet Forwarding Engine base<br />
command to show luchip information. [PR733873: This issue has been resolved.]<br />
• If MIC offline is issued after MPC platform performs ISSU, it will potentially cause<br />
system crash because of PCIe accessing to IXCHIP being power down. This only happens<br />
with MICs having IXCHIP. [PR735932: This issue has been resolved.]<br />
• With output-vlan-map configured with vlan push action, the CFI bit of the outer vlan<br />
tag on the outgoing frame might have the CFI bit set incorrectly. [PR735935: This issue<br />
has been resolved.]<br />
• Port mirroring feature is not working when the ingress and egress(port mirror port) is<br />
on different Packet Forwarding Engine for Layer 2 traffic with PPPOE traffic underneath<br />
it in a MPC card. [PR736145: This issue has been resolved.]<br />
• In L3VPN scenario, transit packets which require fragmentation, traversing over the<br />
mpls core, might get dropped at the egress PE, if the egress PE?s, CE facing interface<br />
is on trio chipset cards. [PR736749: This issue has been resolved.]<br />
• The route record fields of certain flows can be incorrect, if these flows are received in<br />
an interface, while IIF lookup terminates in a non-leaf node. [PR737472: This issue has<br />
been resolved.]<br />
• If a graceful Routing Engine switchover is performed before an NPC has finished its<br />
fabric training, its attempts to reconnect will not be recognized by the master Routing<br />
256<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Engine. In this reconnect period if the FPC crashes chassisd will mark it for removal<br />
and cleanup. If the NPC comes on again before the cleanup is done chassisd will accept<br />
the connection but 6 minutes later will assert the nmi for this FPC. It will restart again<br />
normally. [PR737774: This issue has been resolved.]<br />
• LU wedges under (1) scaled flow (> 1M flows), and (2) high export rate (> 1kpps). The<br />
workaround is to limit the flow-export-rate to 1kpps. [PR744230: This issue has been<br />
resolved.]<br />
• If interface is disabled and enabled cyclically, interface stop forwarding traffic.<br />
[PR744824: This issue has been resolved.]<br />
• Customers using Junos OS <strong>Release</strong> 11.4R3.6 code on MX routers with MPC 3D 16x 10GE<br />
(Agent Smith) line cards might experience issues with interfaces on these line cards.<br />
Some interfaces on the MPC 3D 16x 10GE (Agent Smith) line cards might be reported<br />
as UP ("Enabled" and "Physical Link UP")in the show interfaces command.<br />
However, show interfaces terse? command for the same interface reports<br />
that interface as DOWN (Admin - UP and Link Protocol - DOWN). The link lights at<br />
both ends of the link is GREEN ? thereby indicating connectivity. However, no traffic<br />
passes through the affected interfaces. This issue is seen on interfaces that are part<br />
of the Aggregated Ethernet bundle as well as on interfaces that were not part of the<br />
Aggregated Ethernet bundle.<br />
In addition, "Wedge Detected" messages might be seen in the system logs and in the<br />
telnet or ssh session to the router. This behavior was not seen with DPC hardware. This<br />
is documented in PR 776727 and upgrading to Junos OS <strong>Release</strong> 11.4R3.7 fixes the<br />
above mentioned issues. [PR776727: This issue has been resolved.]<br />
Routing Policy and Firewall Filters<br />
• NSD core files are generated. [PR725908: This issue has been resolved.]<br />
Routing Protocols<br />
• Prior to Junos OS <strong>Release</strong> 12.2, filtering BGP routes by community value does not work<br />
properly when issuing the following CLI command: show route receive-protocol bgp<br />
. For example:<br />
{master}<br />
juniper@PR01.sjc1> show route receive-protocol bgp 128.241.219.125 1.0.4.0/22<br />
community 2914:420 detail<br />
inet.0: 378385 destinations, 2919636 routes (377586 active, 2 holddown, 1440<br />
hidden)<br />
Restart Complete<br />
However, this works properly when filtering based-on the name of the community:<br />
{master}<br />
juniper@PR01.sjc1> show route receive-protocol bgp 128.241.219.125 1.0.4.0/22<br />
community-name ALL detail<br />
inet.0: 378385 destinations, 2919632 routes (377586 active, 2 holddown, 1440<br />
hidden)<br />
Restart Complete<br />
1.0.4.0/22 (6 entries, 1 announced)<br />
Accepted<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
257
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Nexthop: 128.241.219.125<br />
MED: 5<br />
AS path: 2914 4323 7545 7545 7545 7545 56203 I<br />
Communities: 2914:420 2914:1008 2914:2000 2914:3000<br />
This issue is resolved in Junos OS <strong>Release</strong> 12.2. [PR677777: This issue has been resolved.]<br />
• When PIM neighbors on logical-routers or routing-instances go down because of missing<br />
hello packet exceeding dead interval and when it it happens without link down, PIM<br />
neighbors will not come back even if neighbors start receiving hello packets again.<br />
[PR690517: This issue has been resolved.]<br />
• When the traceoptions under the [edit routing-options] configuration hierarchy are<br />
deactivated, the "ipv6_ra_receive_advertisement" debug message (and others) may<br />
continue to be logged well after deactivating the configuration. [PR699797: This issue<br />
has been resolved.]<br />
• After the second power failure of VC-M, BGP flaps resulting in a 2-5 minute traffic loss<br />
with 60,000 scaled subscriber's scenario with NSR. After the first VC-M power failure,<br />
the VC-B takes over VC mastership and there is a 2-3 second traffic loss as expected.<br />
When the original VC-M is powered back up, it takes the VC-B role. When VC-B comes<br />
up, it synchronizes system state with the VC-M. Non Stop Routing (NSR) synchronization<br />
involves sockets with replication enabled. This replicates the routing protocol sockets<br />
and their state between master and backup. The state of these replicated routing<br />
sockets are kept in sync with the master so that on a role transition the backup can<br />
continue to communicate with the routing peers without interruption. The problem is<br />
that approximately ten minutes after the VC-B is powered up, the VC-B replicated BGP<br />
protocol TCP sequence numbers stops being in sync with the VC-M BGP socket. Hence,<br />
the TCP functionality in NSR is not in the correct state on VC-B and does not recover<br />
from this automatically. If there is a second power failure of the VC-M, the BGP<br />
connection flaps. This is because the BGP remote peer receives TCP packets with the<br />
wrong sequence number. This causes it to respond with TCP duplicate<br />
acknowledgements. After the BGP hold time expires, the remote peer tears down the<br />
connection and a new one is formed. During this time there is traffic loss from 2-5<br />
minutes while BGP connection is reestablished. As a workaround, after the first failure<br />
of VC-M, as part of recovery of the chassis, after the VC has settled and is in a steady<br />
state, disable and re-enable NSR. To disable and re-enable NSR:<br />
1. After VC-B power up, wait until VC has settled and is in steady state.<br />
2. Disable NSR: deactivate routing-options nonstop-routing commit<br />
3. Wait until VC has settled and is in steady state<br />
4. Enable NSR: activate routing-options nonstop-routing commit Disable/Enable NSR<br />
has no adverse impact on the system and the network. Specifically BGP connections<br />
remain up and there is no packet loss.<br />
[PR706856]<br />
• When composite-nexthop is used, for instance, VPLS, FRR or L3VPN with<br />
l3vpn-composite- nexthop enabled, after routing protocol process (RPD) was restarted,<br />
if there is any interface, which is associated to the composite-nexthop, flapping, the<br />
RPD will crash and dump a core. [PR706995: This issue has been resolved.]<br />
258<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• If PIM remains in the assert state, the routing protocol process (rpd) might create a<br />
core file. [PR711150: This issue has been resolved.]<br />
• When MSDP SA message received from MSDP peer is rejected by MSDP import policy,<br />
that reject action does not prevent MSDP from passing that SA to MVPN and/or PIM<br />
modules. This PR fixes that behavior -- a rejected SA no longer gets imported to<br />
bgp.mvpn.0 table. [PR711333: This issue has been resolved.]<br />
• In the NG-MVN scenario the "maximum-prefixes" knob configured under<br />
.mvpn.0 rib does not take effect. Configuration example:<br />
user@router# show routing-instances vrf routing-options<br />
rib vrf.mvpn.0 {<br />
maximum-prefixes 5 threshold 3;<br />
}<br />
Fix is available in the Junos OS <strong>Release</strong>s 10.4R9, 11.4R3, 11.2R6, and later releases.<br />
[PR712060: This issue has been resolved.]<br />
• When there are more then one tunnel PICs on the system and after bringing down one<br />
active tunnel PIC, the pe/pd interfaces may fail to switch to another active one in scaled<br />
environment. [PR717158: This issue has been resolved.]<br />
• Errror "Error: OID not increasing" is reported while doing snmpwalk on<br />
IPMROUTE-STD-MIB::ipMRouteNextHopState. [PR717893: This issue has been<br />
resolved.]<br />
• RPD core is observed at rt_nh_cmp on the back up while trying to sync the selected gw<br />
with the master. For this issue to trigger, NSR needs to be enabled,<br />
per-packet-load-balance needs to be disabled and there should be multiple paths in<br />
the BGP. [PR718759: This issue has been resolved.]<br />
• If route record is enabled in a logical system (either explicitly or implicitly via sampling)<br />
and the logical system is restarted (via 'restart routing') or by deactivation or removal<br />
of its configuration, the logical system may hang for several minutes and then abort.<br />
[PR721208: This issue has been resolved.]<br />
• Next hop ack are handled incorrectly. [PR722452: This issue has been resolved.]<br />
• With Rosen MVPNs, an egress PE may not correctly be updating the forwarding state<br />
of the multicast routes. This can happen when both (*,G) and (S,G) PIM states exist,<br />
and the SPT bit is not set on the S,G route. In this case, the egress PE may not correctly<br />
add oifs to the multicast forwarding route [PR722508: This issue has been resolved.]<br />
• Bidirectional Forwarding Detection (BFD) session may flap after it came back from<br />
graceful Routing Engine switchovers. [PR722522: This issue has been resolved.]<br />
• When BGP is configured with Bidirectional Forwarding Detection (BFD) enabled, if<br />
there is a BGP peer established with direct connection, after interface is<br />
disabled/deactivated, Bidirectional Forwarding Detection (BFD) will send a Admin<br />
Down state notification to the remote peer. This might cause the BGP session not to<br />
be teared down until BGP hold timer expires resulting in a short temporary traffic<br />
blackhole. [PR722798: This issue has been resolved.]<br />
• If BGP export policies are ran for the routes coming from restarting BGP router (graceful<br />
restarting router) during graceful restart then helper router may end up advertising less<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
259
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
routes to remote BGP peers. One possible scenario is IGP graceful restart failure during<br />
BGP graceful restart. [PR723809: This issue has been resolved.]<br />
• If Multichassis Link Aggregation (MC-LAG) is configured in Active/Standby mode, with<br />
IGMP-snooping and state replication for MC-LAG enabled, the backup router will<br />
mistakenly obtain the vlan id value using the whole 16 bits of 802.1Q tag rather than<br />
the 12 bits of vlan id value, when the IGMP report is received from active router. Since<br />
the vlan id obtained is not equal to the bridge-domain vlan, the packet will be ignored<br />
and the IGMP-snooping state replication will not complete. [PR723962: This issue has<br />
been resolved.]<br />
• In a scaled Layer 3 MPLS VPN network with the "l3vpn-composite-nexthop" knob<br />
enabled, if BGP multipath is configured, the routing protocol daemon (RPD) may crash<br />
when topology changes. [PR724615: This issue has been resolved.]<br />
• When L3VPN composite nexthop and BGP multipath are enabled, routing protocol<br />
daemon (rpd) might dump a core file which is because of multipath composite nexthop<br />
unresolved. When downloading such a nexthop to kernel, the issue occurs. [PR724777:<br />
This issue has been resolved.]<br />
• In a situation where "prefix-export-limit", and NSR is configured together, when there<br />
is a Routing Engine mastership switches, ISIS overload bit may be set after the NSR<br />
switchover. This issue is triggered because of inconsistent state between the master<br />
Routing Engine, and the back-up Routing Engine. [PR725478: This issue has been<br />
resolved.]<br />
• RPD crashes when a route is resolved through indirect next-hop which points to service<br />
next-hop, i.e. l2tp session (LNS setup with service PIC). The indirect next-hop in this<br />
case is created when having a bgp route that points to a multihop bgp peer reachable<br />
through L2TP session, or configuring resolve static route which resolves via l2tp session.<br />
[PR725800: This issue has been resolved.]<br />
• When Auto-RP is receiving a negative prefix from RP mapping agent (The group range<br />
which is declared as "negative prefix" is denied from RP mapping and should be treated<br />
as dense group), if there is (S,G) entry present matching the received negative prefix,<br />
the Routing Protocol Daemon (RPD) might dump core files during dense mode<br />
processing. [PR725993: This issue has been resolved.]<br />
• RPD CPU and memory increasing constantly after passing invalid framed route from<br />
radius [PR727195: This issue has been resolved.]<br />
• When user deactivates BGP in a scaled topology* using the deactivate protocol bgp<br />
command while SNMP polling being ON for BGP related OIDs; the "Routing Protocol"<br />
Process - rpd - would spike CPU usage along with below syslog messages.<br />
rpd[2223]: RPD_SCHED_SLIP: 5 sec scheduler slip, user: 5 sec 335518 usec, system:<br />
0 sec, 0 usec While in this state, the router can be unresponsive and any<br />
rpd related commands would result in a timeout with below syslog message:<br />
mgd[51686]: UI_READ_TIMEOUT: Timeout on read of peer 'routing'<br />
[PR729196: This issue has been resolved.]<br />
• In inter-AS option B scenario, unreachable NLRIs can be sent via MP-eBGP session for<br />
some prefixes after IGP topology changes. The issue can affect prefixes with multiple<br />
paths. [PR730950: This issue has been resolved.]<br />
260<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• On broadcast networks running ISIS, a RPD restart event on one ISIS router could result<br />
in the loss of ISIS routes on another router, which will remain in this state until the<br />
adjacency is cleared. This issue will not occur on ISIS point-to-point networks.<br />
[PR734158: This issue has been resolved.]<br />
• In NSR mode for multicast enabled, backup RPD might dump core at rt_iflist_kref().<br />
This has been fixed in 12.1R2. [PR734769: This issue has been resolved.]<br />
• An error in the logic for nonstop routing switchover when family "inet6 labeled-unicast"<br />
is configured causes RPD to crash after a nonstop routing switchover. [PR736669: This<br />
issue has been resolved.]<br />
• In the MVPN setup, downstream interface change or move could cause multcast traffic<br />
outage in the MVPN instance. And the problem will be seen in case one of logical<br />
interface for multicast shares the same ifd with VPLS logical interface. [PR737144: This<br />
issue has been resolved.]<br />
• If route generate statement is configured to install the next-hop from prefixes learned<br />
from multiple BGP peers and the contributing routes have a different preference2<br />
value. When the BGP neighbor that advertises the primary contributing prefix for the<br />
generate route goes down, then the next hop for the route generated by the route<br />
generate statement, might get stuck pointing to the BGP peer that is down. [PR738206:<br />
This issue has been resolved.]<br />
• Two Mx960 connected via two aggregated Ethernet links and these are distribution<br />
routers. aggregated Ethernet flap test was executed on one of the Mx960, where all<br />
the aggregated Ethernet links were flapped twice randomly.Core occured on other<br />
Mx960 during this test execution. [PR740116: This issue has been resolved.]<br />
• When enable the use of None-stop-Routing (NSR), auto-rd, or "route target filtering";<br />
BGP's peer group creation will be deferred. During this window, if the command 'show<br />
bgp group' is executed it might trigger a rpd core dump. This can only happen during<br />
unstable bgp peer groups. [PR741719: This issue has been resolved.]<br />
• With ISO-VPN setup, CLNS traffic outage might occur because of ISIS route loss. Issue<br />
might occur when sending a set of prefix via BGP the size of which is higher than the<br />
maximum IS-IS fragment size. It could also be seen by redistributing the same set of<br />
prefixes from static routes into IS-IS database. [PR745969: This issue has been<br />
resolved.]<br />
• Pruned multicast traffic continues to flow from the source even when receiver leaves<br />
the multicast group for Junos OS <strong>Release</strong>s 10.4R8.5 ,10.4R9,10.4R9.2. [PR746474: This<br />
issue has been resolved.]<br />
• The eBGP default behavior, ie the no-advertise-peer-as knob, which is to not send an<br />
update back to the same AS, did not properly filter the advertised update in some<br />
cases. [PR748197: This issue has been resolved.]<br />
• If PIM is configured with Dense or Dense Sparse mode, and there are more than 1500<br />
sources for a group we will experience RPD_SCHED_SLIP, with IGMP running high on<br />
CPU Cycles. [PR748420: This issue has been resolved.]<br />
• if there are some link micro flapping, it may bring the Bidirectional Forwarding Detection<br />
(BFD) into a problematic state. as a result, for next event of BFD state down, it will not<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
261
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
bring down the client sessions like OSPF, ISIS, BGP. [PR749388: This issue has been<br />
resolved.]<br />
Services Applications<br />
• IP fragments that reach the MS-PIC or MS-DPC, are not getting filtered out by a<br />
stateful-firewall rule configured to explicitly block them and hence might hog the<br />
compute CPUs in the Service PIC/DPC. [PR689364: This issue has been resolved.]<br />
• SNMP polling fails on the Mx960 router running 10.4R7 when the stateful-firewall rule<br />
has a match condition for the default snmp application. [PR690830: This issue has<br />
been resolved.]<br />
• In some circumstances after power off/on Routing-Engine some MS-DPC core can be<br />
seen in system because of Packet Forwarding Engine trying to connect to<br />
Routing-Engine after disconnection. [PR698226: This issue has been resolved.]<br />
• Flows are not getting created in cases as restarting PIC, doing graceful Routing Engine<br />
switchover twice, high number of VRFs configured. This issue will be hit quickly with<br />
large number of ifls. The other symptom of this PR is wrong values seen in source AS<br />
, destination AS values. [PR706803: This issue has been resolved.]<br />
• When enabling the PPTP Application Layer Gateway module in presence of Statefull<br />
Firewall NAT service-set configurations, the "Set-Link-Info Peer Call Id" and "Echo-Reply<br />
Id" PPTP parameters might be incorrectly translated when crossing the ALG. [PR721810:<br />
This issue has been resolved.]<br />
• While bringing up tunnels with single source address and multiple destination address,<br />
L2TP tunnel comes up with single destination address only. [PR722354: This issue has<br />
been resolved.]<br />
• Default Junos OS configuration contains an application definition for matching UDP<br />
based traceroute. It does not include port 33434 which is also used by unix traceroute<br />
implementation. [PR727825: This issue has been resolved.]<br />
• On MX routers with subscriber management feature enabled, a small amount of<br />
memory leak occurs in jl2tpd process when subscriber sessions are logged out and<br />
l2tpd tunnel is brought down. Additionally in situations where in because of<br />
misconfiguration tunnel records that don't have both source address and<br />
Tunnel-Client-Endpoint configured on the tunnel-profile and radius server a small<br />
memory leaks occurs. [PR728467: This issue has been resolved.]<br />
• Even without traffic, if there is more than one service-set, Packet Forwarding Engine<br />
Kernel connectivity can be lost because of memory leak on Packet Forwarding Engine<br />
level [PR728677: This issue has been resolved.]<br />
• On MX routers with subscriber management feature enabled, upon very frequent<br />
execution of -show services l2tp - commands, child processes of jl2tpd daemon<br />
do not exit cleanly resulting in defunct process to be left behind. If these said commands<br />
are executed repeatedly over time, ultimately the maxproc limit of jl2tpd is reached<br />
and the daemon would core and in situations with graceful Routing Engine switchover<br />
enabled it can finally lead to kernel crash because of Process Table overflow. Typical<br />
error messages in this case are:<br />
Upon jl2tpd nearing the limit of maxproc:<br />
262<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
/kernel: nearing maxproc limit by uid 0, please see tuning(7) and login.conf(5).<br />
/kernel: Process with Most Children- 2231:jl2tpd - Children - 399<br />
Upon jl2tpd exceeding the maxproc limit:<br />
/kernel: maxproc limit exceeded by uid 0, please see tuning(7) and login.conf(5).<br />
/kernel: Process with Most Children- 2231:jl2tpd - Children - 400<br />
...<br />
/kernel: pid 1437 (jl2tpd), uid 0: exited on signal 10 (core dumped)<br />
From bsd shell, ps -aux command would show defunct processes upon this issue<br />
occurrence:<br />
root 40840 0.0 0.0 0 0 ?? Z 2:13AM 0:00.01 <br />
root 40843 0.0 0.0 0 0 ?? Z 2:13AM 0:00.01 <br />
[PR729509: This issue has been resolved.]<br />
• If running services IDS, a memory leak can occur. [PR738019: This issue has been<br />
resolved.]<br />
• In MX80 routers, Option refresh, and template refresh packets are not reaching collector.<br />
Because of a software defect, these packets were not reaching the collector devices.<br />
This issue is fixed in later Junos OS releases. [PR738164: This issue has been resolved.]<br />
• It is not possible to have 4000 stable mlppp bundles over l2tp sessions through MSPIC<br />
setup if the release used has the fix for 574756. [PR739338: This issue has been<br />
resolved.]<br />
• L2TP peer using non default port is unable to connect to MX LNS. [PR739488: This<br />
issue has been resolved.]<br />
• Total ALG errors counter does NOT include SIP ALG errors.The total ALG errors counter<br />
is only 1080 whereas SIP ALG error counter is 71M. This issue is fixed now. [PR739601:<br />
This issue has been resolved.]<br />
• In Junos OS <strong>Release</strong>s 10.4 and later, the number of outstanding IPSec tunnels has<br />
changed to be 50 tunnels instead of 200 outstanding tunnels in previous releases.<br />
[PR739683: This issue has been resolved.]<br />
• When using Junos OS maintenance releases such as Junos OS <strong>Release</strong>s 11.2R6, 11.4R2,<br />
or 12.1R1 (or any Junos OS service releases based on the mentioned maintenance<br />
releases), SNMP traps are not generated when the service PIC cpu usage exceeds 85%<br />
and/or the memory usage changes from one zone to another. The SNMP traps are not<br />
generated because of an internal Junos OS mis-programming. According to the <strong>Juniper</strong><br />
SP-MIB definitions the following traps should be generated:<br />
• jnxSpSvcSetCpuExceeded (OID 1.3.6.1.4.1.2636.4.10.0.3) - when service PIC CPU<br />
usage becomes bigger than 85%<br />
• jnxSpSvcSetCpuOk (OID 1.3.6.1.4.1.2636.4.10.0.4) - when service PIC CPU usage<br />
becomes smaller than 85%<br />
• jnxSpSvcSetZoneEntered (OID 1.3.6.1.4.1.2636.4.10.0.1) - when service PIC memory<br />
usage enters a specific zone (Yellow, Orange or Red)<br />
• jnxSpSvcSetZoneExited (OID 1.3.6.1.4.1.2636.4.10.0.1) - when service PIC memory<br />
usage leaves a specific zone (Yellow, Orange or Red)<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
263
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
In Junos OS <strong>Release</strong>s 11.2R7, 11.4R3 or 12.1R2 and later, this specific Junos OS feature<br />
has been modified to send the SNMP traps correctly. [PR745190: This issue has been<br />
resolved.]<br />
Software Installation<br />
• The request system snapshot partition command does not create a swap partition that<br />
leads into various problems related to mounting memory-based files ystems and usage<br />
of the swap itself. [PR746678: This issue has been resolved.]<br />
Subscriber Access Management<br />
• MX-Series routers ignore the "framed-ip-netmask" of 255.255.255.255 returned from<br />
RADIUS during access-accept and passes the mask length of local address-pool in<br />
"framed-ip-netmask" value within the accounting messages. [PR722345: This issue<br />
has been resolved.]<br />
• On MX-series working as DHCP-LS with linked pools, adding a new linked pool will fail<br />
if static hosts are also configured in any of the pools on the same box, and at least one<br />
subscriber having a static host configuration is connected at the time of adding the<br />
new pool. [PR726255: This issue has been resolved.]<br />
• Authd (authentication daemon) memory leak occurs, while the subscribers continuously<br />
login and logout at the same rate. This is caused by insufficient code of memory<br />
clean-up. [PR726669: This issue has been resolved.]<br />
• NAS-Port-Type and NAS-Port-Format configuration per access profile is not used in<br />
RADIUS request messages. [PR727431: This issue has been resolved.]<br />
• PPPoE sessions stuck after invalid parameters from SRC. Fixed in 11.4R3. [PR728969:<br />
This issue has been resolved.]<br />
User Interface and Configuration<br />
• Help syslog may not work on Mx80 devices. [PR561512: This issue has been resolved.]<br />
• From 2011 daylight saving is not being used for Africa/Cairo timezone, but Junos OS is<br />
using daylight saving so if we set timezone to Africa/Cairo, we will see time difference<br />
between router and actual Cairo time. [PR670234: This issue has been resolved.]<br />
• With large configuration, MGD may crash after issuing show | compare command.<br />
[PR712222: This issue has been resolved.]<br />
• Rollback incorrectly removes the protection from configuration statements. As a<br />
workaround, apply protect on hierarchies rather than leaf statements. [PR716780: This<br />
issue has been resolved.]<br />
• When we modify the device configuration using Jweb CLI editor (Configure->CLI<br />
Tools->CLI Editor, the already installed certificate in the device may become invalid.<br />
[PR719080: This issue has been resolved.]<br />
• While performing ISSU from/to Junos OS release 11.4R2, we could see the following<br />
error message on the console:<br />
264<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
"Layer 2 address flooding and learning process: rtslib: ERROR kernel does not<br />
support all messages: expected 101 got 96,a reboot or software upgrade may be<br />
required"<br />
Such an error message is not a functional failure and is simply a warning message.ISSU<br />
should still function correctly. [PR727146: This issue has been resolved.]<br />
VPLS<br />
• In Junos OS releases 10.0 and 10.1, the bridge-domain mac learn limit on Packet<br />
Forwarding Engine can sometimes become negative if the bridge-domain is deleted<br />
and re-added immediately as part of a configuration change. If that happens, mac<br />
learning on that bridge-domain can get affected. As a workaround, the bridge-domain<br />
or VPLS routing instance configuration need to be deactivated and activated to get<br />
out of this situation. [PR467549: This issue has been resolved.]<br />
• The problem was because of re-using the logical interface index. In case of ccc routes,<br />
the logical interface index is used as the route prefix. RPD changes introduced as a<br />
part of 572780 fixes this issue. [PR570168: This issue has been resolved.]<br />
• Ethernet II packets with ethertype less than 0x0600 are dropped by 3D Packet<br />
Forwarding Engine (MPC/Trio chip-set) when working at layer 2. For exampke, Extreme<br />
Network's EAPS packets meet this criteria and will be dropped when use with affected<br />
releases. [PR573730: This issue has been resolved.]<br />
• Forwarding stops on this VPLS routing-instance because of incorrect handling of<br />
indirect nexthop. [PR694304: This issue has been resolved.]<br />
• On MX platforms, the logic to recreate a VPLS instance if the 'no-tunnel-services' knob<br />
was changed since the last commit was faulty, causing RPD to crash in certain race<br />
conditions. Nonstop Routing is required to trigger the issue, as is the 'no-tunnel-services'<br />
knob on one or more VPLS instances. [PR725204: This issue has been resolved.]<br />
VPNs<br />
• RPD is high to ~94% when upgrading from Junos OS <strong>Release</strong>s earlier than 10.2 to 10.2R1<br />
or later. The CPU utilization for the user is high as well ~95%. From the takes accounting<br />
it looks like L2VC is stuck on something as the user time for this task keeps increasing<br />
over time. The high CPU sticks with the master Routing Engine on a master switchover.<br />
[11:01]user@router> show task accounting | no-more<br />
[11:01]Task accounting is enabled.<br />
[11:01]<br />
[11:01]Task Started User Time System Time Longest<br />
Run<br />
[11:01]Scheduler 3148 0.029 0.000 0.000<br />
[11:01]RSVP<br />
<br />
[11:01]L3_BANCO_SUDAMER_D-OSPF 42 0.000 0.000 0.000<br />
[11:01]Common L2 VC 292 27.325 0.132 0.099<br />
From the rtsockmon it looks like prefixes are added and deleted continuously. However<br />
another router on same code with and similar prefix flap does not show high RPD CPU.<br />
[10:42]% rtsockmon -t<br />
[10:42] sender flag type op<br />
[10:42][10:42:43] kernel P route add inet 10.247.134.10 tid=46<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
265
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
plen=32 type=dest flags=0x0 nh=hold nhflags=0x1 nhidx=8208 altfwdnhidx=0<br />
filtidx=0<br />
[10:42][10:42:43] kernel P nexthop add inet 10.247.134.10 nh=hold<br />
flags=0x1 idx=8208 ifidx=1138 filteridx=0<br />
[10:42][10:42:47] kernel P route delete inet 10.247.134.10 tid=46<br />
plen=32 type=dest flags=0x180 nh=hold nhflags=0x1 nhidx=8208 altfwdnhidx=0<br />
filtidx=0<br />
[10:42][10:42:47] kernel P nexthop delete inet 10.247.134.10 nh=hold<br />
flags=0x5 idx=8208 ifidx=1138 filteridx=0<br />
[10:42][10:42:53] kernel P route add inet 10.247.134.10 tid=46<br />
plen=32 type=dest flags=0x0 nh=hold nhflags=0x1 nhidx=14187 altfwdnhidx=0<br />
filtidx=0<br />
[10:42][10:42:53] kernel P nexthop add inet 10.247.134.10 nh=hold<br />
flags=0x1 idx=14187 ifidx=1138 filteridx=0<br />
[10:42][10:42:57] kernel P route delete inet 10.247.134.10 tid=46<br />
plen=32 type=dest flags=0x180 nh=hold nhflags=0x1 nhidx=14187 altfwdnhidx=0<br />
filtidx=0<br />
[10:42][10:42:57] kernel P nexthop delete inet 10.247.134.10 nh=hold<br />
flags=0x5 idx=14187 ifidx=1138 filteridx=0<br />
Problem is a consequence of the routing-instance's length mismatch between mib2d<br />
(35 characters) and rpd (longer). Customer is currently making use of instances whose<br />
names are longer than 35 characters: [PR689502: This issue has been resolved.]<br />
• In MVPN environment, when P-tunnels are built using PIM supporting multiple families,<br />
after Routing Engine switchover, Kernel Routing Table (KRT) stuck might occur.<br />
[PR717523: This issue has been resolved.]<br />
• In a NG-MVPN setup a receiver PE will get the multicast traffic for a particular (C-S,C-G)<br />
even if it does not have any local C-Join for that particular group. This can happen if<br />
the following conditions are met: - a selective (S-PMSI) tunnel is used for that particular<br />
(C-S,C-G) - the provider tunnel signaling protocol is mLDP - the receiver PE is running<br />
Junos OS 11.4R1.14 - another receiver PE (running any Junos OS <strong>Release</strong>) in the same<br />
MVPN instance has a C-Join for that (C-S,C-G) [PR725027: This issue has been<br />
resolved.]<br />
• The different endianness of an MX80's PowerPC was not considered in<br />
mpls-internet-multicast functions, causing routing failures. [PR732563: This issue has<br />
been resolved.]<br />
• In Junos OS <strong>Release</strong> 12.1R2, continuous rpd restart can lead to rpd crash. Problem is<br />
seen one in 5 or 6 successive rpd restarts. [PR734276: This issue has been resolved.]<br />
• In Rosen6 MVPN environment, with nonstop routing (NSR) enabled but PIM NSR<br />
disabled, after Routing Engine switchover, it may cause the mt- interface not to be<br />
added in the VRF of the new master Routing Engine. [PR737819: This issue has been<br />
resolved.]<br />
• If both the custom VRF import and VRF export policies modify the as_path,<br />
auto-exported routes may not have the right as_path, or RPD might core. This is minor<br />
because this configuration is rare. [PR737851: This issue has been resolved.]<br />
• In M320 routers, the E3 FPCs could crash when L3VPN CNH,<br />
vpn-label-memory-enhanced, route-memory-enhanced knobs are used in conjunction.<br />
[PR738922: This issue has been resolved.]<br />
266<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• MTU value corresponding to the AC interface configured in L2VPN instances, is being<br />
advertised with an inappropriate format. This could prevent L2VPN VC's from being<br />
able to get established, should an MTU mismatch is detected between remote ends.<br />
[PR740415: This issue has been resolved.]<br />
• When a configuration change (not related to rosen6 mvpn) is committed, it can still<br />
result in brief multicast traffic disruption because of errorneous deletion of mt interface<br />
[PR742108: This issue has been resolved.]<br />
<strong>Release</strong> 11.4R2<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R2. The identifier<br />
following the description is the tracking number in our bug database.<br />
Class of Service<br />
• show class-of-service classifier name "classifier name with spaces" does not work for<br />
classifiers which has spaces in their name [PR535967: This issue has been resolved.]<br />
• Service PIC reboots because Service PIC keepalives use the same HNQ as certain Host<br />
inbound traffic causing the queue to starve and drop packets randomly. [PR690653:<br />
This issue has been resolved.]<br />
• If a traffic control profile is applied to non EQ DPC interfaces using wild-card via apply<br />
?group which is not supported, commit will go through successfully along with<br />
generating a syslog message similar to the one pasted below<br />
UI_CONFIGURATION_ERROR: Process: cosd, path: [edit class-of-service interfaces<br />
ge-*/*/*], statement: output-traffic-control-profile, traffic control profile not allowed<br />
on interface ge-5/0/0 This will cause cosd to misbehave on other DPC?s which support<br />
this configuration because of configuration not being applied as intended. Work-around<br />
for this issue is to deactivate/delete the wild-card configuration and apply the<br />
configuration specifically on the required interfaces and restart COSD to recover from<br />
this state. [PR693650: This issue has been resolved.]<br />
• On MX platforms, under class-of-service configuration, if an interface-set is configured<br />
on an interface that does not support hierarchical scheduling, then this will cause a<br />
configuration error to be logged: cosd[21730]:<br />
%DAEMON-3-UI_CONFIGURATION_ERROR: Process: cosd, path: [edit class-f-service<br />
interfaces interface-set], statement: ge-0/0/1-10, cos configuration of interface-set<br />
is supported only on QDPC Because of this configuration error, the COS daemon dumps<br />
a core and exits. [PR699980: This issue has been resolved.]<br />
• Update once analyzed [PR711510: This issue has been resolved.]<br />
• A software defect is introduced in Junos OS <strong>Release</strong> 10.4R8 which: a) when having the<br />
following configuration stanza: set class-of-service interfaces<br />
-//* scheduler-map-chassis derived b) when a command<br />
in the show class-of-service family is issued, "cosd" restarts unexpectedly. Subsequent<br />
output of "show class-of-service" does not display correctly. [PR717331: This issue has<br />
been resolved.]<br />
• cosd crash triggered by ae* interface configuration under class of service stanza<br />
[PR724638: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
267
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Forwarding and Sampling<br />
• Any sampling related configuration changes, once committed when sampled is running,<br />
would result in deleting the old sampling instance tree and creates a new tree and as<br />
a part of deleting the old instance tree the core is encountered [PR688417: This issue<br />
has been resolved.]<br />
• authd_aaa_acc.cc:1282Failed to create AAA msg, session-id:803 seen in message logs<br />
and accounting volume stats are not sent in accounting stops. Accounting interim<br />
packets are NOT sent at all. [PR700153: This issue has been resolved.]<br />
• Output of "show interface ge-x/x/x extensive" is taking 20 sec to complete [PR700679:<br />
This issue has been resolved.]<br />
• The dfwd (firewall daemon) will NAK when receiving a session delete before which<br />
session add is never received from pppd (ppp daemon), this might cause some<br />
undesirable behavior in PPPoE. [PR704491: This issue has been resolved.]<br />
• Packet Forwarding Engine may crash after "clear auto-configuration interfaces demux0"<br />
in a scaled PPPoE subscriber setup. [PR705977: This issue has been resolved.]<br />
• When committing a configurations, where a firewall filter contains multiple 'next term'<br />
actions, the firewall compiler process (dfwc) could crash and dump core. [PR706863:<br />
This issue has been resolved.]<br />
• The issue is seen when FPCs that are part of an aggregate Ethernet logical interface<br />
are rebooted or restarted and this issue is not readily reproducible. The issue is seen<br />
because of the bug in the logic that was calculating the bps/pps for an aggregate<br />
Ethernet logical interface. For an aggregate Ethernet logical interface the stats are<br />
preserved on Routing Engine for all the child links including bps/pps. We are not<br />
supposed to use the preserved bps/pps for the stale child links of an aggregate Ethernet<br />
logical interface while calculating the bundle bps/pps for an aggregate Ethernet logical<br />
interface. Under certain scenarios we could not tell the stale child links of an aggregate<br />
Ethernet logical interface from its active child links and this led to incorrect aggregate<br />
Ethernet bundle bps/pps. We have fixed the bug in the logic. The issue has been fixed<br />
in 10.4R10, 11.2R6, 11.4X29 and 11.4R2 and all future releases. [PR710277: This issue has<br />
been resolved.]<br />
• On MX routers using DPCE-R-Q-20GE-SFP (DPCE 20x 1GE R EQ) cards broadcast and<br />
multicast frames are not forwarded correctly to the IRB interface. If a bridge-domain<br />
or VPLS routing-instance contains CE facing interfaces located on built-in PIC 1 of a<br />
DPCE-R-Q-20GE-SFP (DPCE 20x 1GE R EQ) card then broadcast and multicast frames<br />
received on those specific interfaces are not forwarded correctly to the IRB interface<br />
associated with the bridge-domain or VPLS routing-instance. The fact that broadcast<br />
and mutlicast frames are not forwarded correctly to the IRB interface can cause<br />
different behaviors for protocols that rely on this kind of traffic. For example the IRB<br />
interface will not receive ARP requests from the CE attached to that interface or routing<br />
protocols running between the CE and the IRB interface will fail to build adjacencies.<br />
This problem is restricted to DPCE-R-Q-20GE-SFP (DPCE 20x 1GE R EQ) cards for MX<br />
routers and is restricted to interfaces in the second half of the card (situated on built-in<br />
PIC 1). If the DPCE-R-Q-20GE-SFP is installed in an MX router in slot 1 as in the following<br />
example: user@router-re1> show chassis hardware Hardware inventory: Item Version<br />
268<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Part number Serial number Description Chassis JN11BD460AFB MX480 <br />
FPC 1 REV 25 750-017679 ZB7257 DPCE 20x 1GE R EQ CPU REV 04 710-022351 YX4734<br />
DPC PMB PIC 0 BUILTIN BUILTIN 10x 1GE(LAN) EQ Xcvr 7 REV 01 740-014132 72152014<br />
SFP-T PIC 1 BUILTIN BUILTIN 10x 1GE(LAN) EQ Xcvr 7 REV 01 740-013111 70731026<br />
SFP-T Only interfaces named ge-1/1/* will be affected by this problem.<br />
Interfaces named ge-1/0/* although situated on the same DPC will forward broadcast<br />
and multicast frames correctly. Other types of DPC or MPC cards for MX routers are<br />
not affected by this problem. [PR712414: This issue has been resolved.]<br />
• On T Series FPC4 or Enhanced Scaling Type of FPC with 'route-memory-enhanced'<br />
knob enabled, a lot of FPC errors might be observed and FPC will crash. It is caused by<br />
insufficient nexthop handling in JTREE which is the forwarding data structure on Packet<br />
Forwarding Engine. [PR723371: This issue has been resolved.]<br />
• In scenario where sampling is enabled under forwarding-options, PPPoE subscribers<br />
churn will cause sampled memory allocations to continuesly increase. [PR741218: This<br />
issue has been resolved.]<br />
High Availability<br />
• Kernel core during upgrade. [PR687671: This issue has been resolved.]<br />
• During init error the live core has been generated too early, in this case the error got<br />
recovered after few retries. [PR701294: This issue has been resolved.]<br />
• The protocol convergence time (such as BGP) will significantly increase when flapping<br />
the routing protocol neighbor, which is because of ifstraced daemon (ifstate trace<br />
daemon) competing with Routing Protocol Daemon (RPD) for CPU cycles. [PR705947:<br />
This issue has been resolved.]<br />
• After ISSU is done with option "no-old-master-upgrade", SIB state becomes Check<br />
and BFD state becomes state Init. [PR707215: This issue has been resolved.]<br />
• Interface on PC-10GE-SFP does not report link flap however remote end interface<br />
reports a flap during ISSU upgrade [PR718585: This issue has been resolved.]<br />
Infrastructure<br />
• in FIPS mode, there is an IPSec tunnel between master and backup Routing Engine.<br />
Config sync etc has to happen over this tunnel, so the concerned daemons mark their<br />
sockets as IPSec enabled. If the traffic to that socket is not encrypted, then it may get<br />
dropped with the following error message. /kernel: ipsec_is_inbound_pkt_valid(1957):<br />
Packets are sent in clear to a socket with ipsec enabled; addr=128.0.0.4, ifl=3, rtbl_idx=1,<br />
tcp flags=0x10 [PR603942: This issue has been resolved.]<br />
• Scope 1 closed - as not relevant [PR664354: This issue has been resolved.]<br />
• Under certain rare conditions Kernel "devfs" may become locked, this may cause other<br />
processes that use /dev/filesystem to wait, eventually some processes start spawning<br />
until reaching the maximum limit, as a consequence the Kernel will crash. The following<br />
message logged by the kernel is an indication that the system is approaching the<br />
maximum number of active processes: /kernel: %KERN-2: nearing maxproc limit by<br />
uid 0, please see tuning(7) and login.conf(5). /kernel: %KERN-2: Process with Most<br />
Children- 1:init - Children - 365 [PR678971: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
269
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• If a labeled IPv4 or IPv6 route is entered into the forwarding table when no MPLS family<br />
is configured in the interface. This may cause KRT to get stuck. [PR679270: This issue<br />
has been resolved.]<br />
• The bug currently has only manifested itself in the compat32 layer (i.e. 32-bit<br />
applications, 64-bit kernel) in relation to umtx_op system calls to perform<br />
UMTX_OP_LOCK operations, and even then is subject to timing dependencies for it to<br />
occur. Since 64-bit kernel started shipping in 10.4, customers from 10.4 onwards running<br />
in this hybrid/compat mode may hit this problem. [PR682294: This issue has been<br />
resolved.]<br />
• Failure to handle transient low memory conditions in the kernel. Fix involves retry the<br />
operation rather than asserting [PR687618: This issue has been resolved.]<br />
• System goes to DB> when a tcpdump is initiated on LT interface on MX series routers<br />
[PR698565: This issue has been resolved.]<br />
• Under scaling environment with more than 1024 BGP peers, after the operation<br />
'deactivate protocol bgp' and then 'activate protocol bgp', the Routing Protocol Daemon<br />
(RPD) might crash. [PR707678: This issue has been resolved.]<br />
• Improper handling of error code during the send failure can result in state mismatch<br />
between the master Routing Engine and the backup Routing Engine, resulting in a logic<br />
error culminating in a panic. The problem is likely to be seen on highly loaded systems<br />
that are running low on Routing Engine kernel memory. [PR710325: This issue has been<br />
resolved.]<br />
• icmpv6 error codes are not handled correctly and displayed on the source router even<br />
when destination router send back correct reply to the source. [PR718122: This issue<br />
has been resolved.]<br />
• When NSR is enabled and we shutting down bgp on the secondary OR we are switching<br />
over from secondary to primary, we may hit the issue. [PR726671: This issue has been<br />
resolved.]<br />
• Config changes resulting in an indirect to change from a unilist to a unicast could result<br />
in ADPC/SDPC crash. [PR731727: This issue has been resolved.]<br />
• the ether type was set to IP when it should have been set to MPLS [PR731925: This<br />
issue has been resolved.]<br />
Interfaces<br />
• When committing and invalid configuration using and invalid interface with GRE<br />
keepalives, the commit error was too general of an error. The fix for this issue provides<br />
an explanation to the error and allows the user to locate the configuration error very<br />
quickly. [PR701058: This issue has been resolved.]<br />
• Under rare circumstances, jpppd can experience a core in a PPPoE/LAC (L2TP) over<br />
dynamic vlan setup. The affected subscriber will retry to login and succeed. [PR717320:<br />
This issue has been resolved.]<br />
• KRT Q might get stuck in a system with Dual Routing Engine running NSR and per<br />
packet load balancing - Master Routing Engine/RPD installs a unicast next hop for a<br />
route - Master Routing Engine/RPD then installs another next hop for the same route<br />
270<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
effectively changing the next hop for the route from unicast to a unilist - The backup<br />
rpd does NOT get a next-hop delete for the old unicast next-hop. Instead, the backup<br />
rpd only gets a route change to point to the new unilist. - NSR switch over happens<br />
and the master ship is toggled - New master rpd changes route to point to unilist. This<br />
will release reference on the single path route. Since rpd has next-hop id cached for it,<br />
rpd tries to delete the unicast next-hop in the kernel. - KRT Q might gets stuck in 'EPERM<br />
-- Jtree walk in progress' in the new master Routing Engine [PR722890: This issue has<br />
been resolved.]<br />
Interfaces and Chassis<br />
• Latency during the initialization of the xge-pic driver may cause BFD to flap. [PR503403:<br />
This issue has been resolved.]<br />
• on MPC with MICs, the GE port failed to claim down if auto-negotiation fall into<br />
incomplete state. 10.4R8, 11.1R7, 11.2R4, 11.4R2, 12.1R1 and later releases will have the<br />
fix. [PR575163: This issue has been resolved.]<br />
• In some scenarios when VRRP is enabled on an aggregated interface and the interface<br />
is a VRRP backup, ping to the private IP address of the aggregated interface will fail.<br />
[PR594020: This issue has been resolved.]<br />
• We might see alarm set for fxp0 of backup Routing Engine even if management-ethernet<br />
link-down ignore is configured under "chassis alarm" hierarchy. [PR610124: This issue<br />
has been resolved.]<br />
• In complex service configurations, there may be instances where the MS-DPC receives<br />
fragments that it reassembles, services, then re-fragments. Under such conditions, the<br />
MS-DPC may stop forwarding all traffic and require a reboot. [PR661035: This issue<br />
has been resolved.]<br />
• When an admin interface (em0/fxp0) has the same address as a routing interface,<br />
Routing Engine may restarts unexpectedly. [PR668053: This issue has been resolved.]<br />
• On a MLFR uni-nni RLSQ interface Multilink input statistics doesn't work after 8 logical<br />
units (dlci's). This doesn't have any impact on the Multilink traffic. [PR688197: This<br />
issue has been resolved.]<br />
• When logical unit of ci is disabled, it returns incorrect ifOutOctets value to MIB get or<br />
walk. But when it is enabled again, it will get to return the correct value. [PR672633:<br />
This issue has been resolved.]<br />
• This problem is happening only on 4X10g PIC and only when we set HCOS on more<br />
than one interface at a time followed by commit. If you set HCOS on each interface<br />
one after the other with commit on each interface, then there is no problem. [PR690383:<br />
This issue has been resolved.]<br />
• MX with enhanced fan tray wrongly reports 6 fan's per tray via SNMP's jnxFruTable<br />
while each enhanced fan tray reports speeds for 12 fan's per tray. Correct value is 12.<br />
[PR693285: This issue has been resolved.]<br />
• On the MX-Series routers, the output of 'show snmp mib walk jnxContentsSerialNo'<br />
is incorrectly displaying a serial number for the pic on a built-in MIC. The correct output<br />
for the serial number should be 'BUILTIN'. [PR694336: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
271
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On multilink interfaces(mlppp/mfr/mlfr) pps/bps counters fluctuate around the actual<br />
value beyond permissible limits. The total packets/bytes counts are accurately<br />
accounted. There is no forwarding impact because of this issue. There is no workaround<br />
to this problem. [PR694340: This issue has been resolved.]<br />
• Classification of Routing Engine outbound traffic using host-outbound-traffic keyword<br />
under [edit class-of-service] hierarchy does not work for IPsec packets. On Junos OS<br />
<strong>Release</strong>s without the fix of this PR all host generated outbound traffic that needs to<br />
go through the IPSEC tunnel will get classified to the default best effort queue only.<br />
[PR694878: This issue has been resolved.]<br />
• If an aggregate bundle goes down because of minimum-links 2 or higher configured,<br />
bundle member links might not attach to the bundle once the aggregate bundle comes<br />
back up. Outbound traffic will not use this member link (no blackholing) and inbound<br />
traffic for this member link is properly processed and forwarded. The same symptom<br />
might also be visible right after system reboot without the need of member link flaps.<br />
To recover from this condition disable/enable the affected member link with<br />
configuration changes. The following Junos OS <strong>Release</strong>s are affected: 10.4R6, 10.4R7,<br />
11.1R6, and 11.2R3 [PR695895: This issue has been resolved.]<br />
• The IPSec throughput was dropped suddenly and hard to recover when the throughput<br />
was more than ~6,7Gbps. [PR697529: This issue has been resolved.]<br />
• An issue was discovered where a non-<strong>Juniper</strong>, non-standard SFP conflicted with the<br />
hardware addressing of the MIC causing it to fail to load. Remember while non-<strong>Juniper</strong><br />
SFP's should function, they are not supported. [PR697577: This issue has been resolved.]<br />
• This MS-DPC core happens because of a race condition between setting IPSEC SA<br />
bundle ptr to NULL from control thread as a result of SA delete msg from kmd-re, while<br />
a data thread(s) is trying to access the same SA ptr after it checked that the ptr is not<br />
NULL. The fix is to always save a copy of the non NULL SA bundle ptr in a local param<br />
and access only the local param. That way the data thread will avoid running into such<br />
race condition. It is also safe to access that local param given that the bundle SA ptr<br />
will be valid for 1sec after setting it to NULL in its parent policy array. [PR698788: This<br />
issue has been resolved.]<br />
• Traffic will get tail dropped under below condition. - When we have more than 4<br />
forwarding-classes configured. - Egress interface is on IQ PIC, and is only configured<br />
for 4 queues (default). - When we classify traffic on ingress interface in a particular<br />
FC and map that FC to either queue 4, 5, 6, or 7. This PR fixes this problem,<br />
"forwarding-class-map" must be configured to reclassify the on egress VPLS interface.<br />
Below is sample configuration, here ge-3/3/0 is customer facing VPLS interface.<br />
{master}[edit class-of-service] lab@dia-m120-re0# show forwarding-class-map |<br />
display set set class-of-service forwarding-class-map one class standard-high<br />
queue-num 4 set class-of-service forwarding-class-map one class standard-high<br />
restricted-queue 0 set class-of-service forwarding-class-map one class premiumnrt<br />
queue-num 7 set class-of-service forwarding-class-map one class premiumnrt<br />
restricted-queue 2 set class-of-service forwarding-class-map one class business-critical<br />
queue-num 5 set class-of-service forwarding-class-map one class business-critical<br />
restricted-queue 1 set class-of-service forwarding-class-map one class standard<br />
queue-num 0 set class-of-service forwarding-class-map one class standard<br />
restricted-queue 0 set class-of-service forwarding-class-map one class business<br />
272<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
queue-num 1 set class-of-service forwarding-class-map one class business<br />
restricted-queue 1 set class-of-service forwarding-class-map one class premiumrt<br />
queue-num 2 set class-of-service forwarding-class-map one class premiumrt<br />
restricted-queue 2 set class-of-service forwarding-class-map one class nc_premiumnrt<br />
queue-num 3 set class-of-service forwarding-class-map one class nc_premiumnrt<br />
restricted-queue 3 {master}[edit class-of-service] lab@dia-m120-re0# show interfaces<br />
ge-3/3/0 | display set set class-of-service interfaces ge-3/3/0 unit 512<br />
output-forwarding-class-map one [PR699538: This issue has been resolved.]<br />
• outer vlan header of arp packet missing after Routing Engine switchover in DHCP<br />
subscriber scenario [PR699931: This issue has been resolved.]<br />
• The issues happens only when the Fan Tray are replaced with the Enhanced Fan tray<br />
and while doing so the enhanced fan tray was added/removed/added in a short period<br />
of time causing the counter value to set incorrectly. The alarm is a warning alarm to<br />
check if proper Fan Trays are installed. If the required fan trays are installed and they<br />
are working fine then this should not affect the functionality of the cards. [PR700112:<br />
This issue has been resolved.]<br />
• MXVC members may not reconnect after MXVC reboot causing virtual chassis<br />
segmentation [PR700592: This issue has been resolved.]<br />
• Interfaces on MPC's using STP-T transceivers may bounce upon ISSU upgrade.<br />
[PR701726: This issue has been resolved.]<br />
• Standby SCG keeps staying Deviation as "unknown" and Status as "present" after<br />
Routing Engine master switch. [PR701800: This issue has been resolved.]<br />
• After flap one of the members of aggregate Ethernet link <strong>Juniper</strong> can start sending<br />
wrong "Oampdu max size" in OAMPDU (5 reserved bits are not set to zero) as result<br />
Huawei does not accept the OAMPDUs. [PR701853: This issue has been resolved.]<br />
• Introduced in Junos OS <strong>Release</strong> 10.4R8, a MX-FPC, a MS-DPC, or a DPC may restart<br />
unexpectedly with the following error messages: [Oct 25 04:21:08.749 LOG: Err]<br />
ia_wpkt_next : pkt_ring[937] has a packet 0x421fea20 [PR701928: This issue has been<br />
resolved.]<br />
• While using vrrp with logical systems, sometime it can happen that show vrrp command<br />
for logical systems does not display information for all groups. The show command<br />
can be retried in such a case. [PR704068: This issue has been resolved.]<br />
• When some mlppp t1 interfaces kept flapping very quickly, the MS-pic memory usage<br />
keeps increasing and at last the memory usage may be up to 99%. [PR705577: This<br />
issue has been resolved.]<br />
• In Multi-Chassis Link Aggregation Group (MC-LAG) Active/Active environment with<br />
Aggregate Ethernet (AE) interface as Multi-Chassis Link (MC-Link), after graceful<br />
Routing Engine switchover, Inter-Chassis Data Link (ICL-link) interface might be<br />
accepted as MAC destination interface in ARP Cache table and ignoring ARP request<br />
from client from MC-Link interface. As a consequence, traffic might be lost. Only after<br />
ARP aging timeout in Routing Engine, the Routing Engine will send the ARP request<br />
and traffic will be restored. [PR706091: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
273
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Cprod tool does not work with MS-DPC. This is fixed in 10.4R9 and newer Junos OS<br />
<strong>Release</strong>s [PR706395: This issue has been resolved.]<br />
• A defect introduced by a change in the processing of HDLC keepalives impacted the<br />
default HDLC keepalive timer. With this issue, HDLC keepalives are no longer sent at<br />
the default timer of 10 seconds. But rather at a timer greater than 30 seconds and this<br />
was triggering a temporary loss of keepalives on the peer routers. This issue effects<br />
Junos OS <strong>Release</strong> 10.4R7.5, and its service releases. [PR707244: This issue has been<br />
resolved.]<br />
• In Active/Active MC-LAG if we power off both PEs and start only PE, MC-Links will not<br />
come up (we need an initial TCP connection for MC-LAG finite state). [PR707494: This<br />
issue has been resolved.]<br />
• l2ald process might experience a software exception if service-id is not configured<br />
[PR707895: This issue has been resolved.]<br />
• When IQ2 interface is administratively disabled and configured no-auto-negotiation,<br />
the inteface will keep flapping and accompany with below similar messages: (FPC<br />
Slot 0, PIC Slot 0) IQ2(0/0): disabled Link 7 [PR709800: This issue has been resolved.]<br />
• This crash will be seen on a heavily loaded fpc(when it runs out of SRAM memory)<br />
hosting the lsq/rlsq link or bundle interfaces. Symptoms before hitting this issue is<br />
LWM messages similar to "esource Category:jtree Instance:jtree0-seg0<br />
Type:free-dwords Available:104832 is less than LWM limit:104857,<br />
rsmon_syslog_limit()". There is no workaround to this problem. [PR710702: This issue<br />
has been resolved.]<br />
• Due to a bug in the Junos OS kernel code, various types of interfaces show up as member<br />
links of an Aggregated Ethernet (AE) interface, though these same interfaces aren't<br />
configured to become part of a given aggregate Ethernet bundle. For example: The<br />
interface extensive for a ae bundle configuration with xe-8/1/0 and xe-4/3/3 as member<br />
links LACP Statistics: LACP Rx LACP Tx Unknown Rx Illegal Rx xe-8/1/0.0 223171 223707<br />
0 0 xe-4/3/3.0 223171 223716 0 0 lc-3/1/0.32769 0 0 0 0
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
onwards any bundle state changes are not propagated form the Routing Engine to the<br />
LSQ PIC. The following sequence of message log entries does illustrate the symptom:<br />
Dec 12 01:53:21 router fpc2 Transient flow-control asserted by MAC0 on sp-2/1 for 1<br />
seconds Dec 12 01:53:22 router fpc2 Transient flow-control asserted by MAC0 on sp-2/1<br />
for 2 seconds Dec 12 01:53:23 router fpc2 Prolonged flow-control asserted by MAC0<br />
on sp-2/1 Dec 12 01:53:25 router /kernel: pfe_send_failed(index 9, type 20), err=32 Dec<br />
12 01:53:25 router /kernel: pfe_listener_disconnect: conn dropped: listener idx=7,<br />
tnpaddr=0x12020080, reason: none Dec 12 01:54:33 router fpc2 MAC flow-control<br />
cleared on sp-2/1 A manual LSQ PIC restart is needed to recover from this condition<br />
[PR723663: This issue has been resolved.]<br />
• Now clear oam ethernet link-fault-management state command will reset local<br />
oam loopback(if enabled) also along with existing behavior of resetting discovery state<br />
machine. [PR723739: This issue has been resolved.]<br />
• Run time change in no-accept-data/accept-data failed to take effect in few cases for<br />
Inherit group. If ping to VIP is not require then don't configure no-accept-data. It is<br />
disable by default. By default - ping to VIP will fail. 'restart vrrp' will resolve the issue.<br />
SW upgrade from other release to 11.4R2 release with an existing<br />
'accept-data/no-accept-data' configuration is not impacted.<br />
'accept-data/no-accept-data' configuration will work as design after SW upgrade.<br />
This issue is not applicable for Active group. [PR725556: This issue has been resolved.]<br />
• When Graceful Routing Engine Switchover is enabled on system, during graceful Routing<br />
Engine switchover or re-synchronization activities are happening between the Routing<br />
Engines, the Kernel might dump core file which is because of incorrect code handling<br />
of a background clean-up thread. [PR729325: This issue has been resolved.]<br />
• During Routing Engine switchover or connectivity-fault management (CFM) process<br />
(cfmd) restart, Connectivity Check Messages (CCM) received from remote Maintenance<br />
End Points (MEP) are not processed properly. All action profile events are ignored<br />
during the period, after CFMD restart, the events are not cleared. This might cause<br />
cfmd to function incorrectly. [PR729490: This issue has been resolved.]<br />
• The software information about Ethernet MICs and non-Ethernet mics are stored in<br />
Junos OS in different structures. The crash occurs because of memory corruption<br />
caused by the FRR marking feature in the non-Ethernet-mic structures. The PR has<br />
been fixed in 11.4R2 and onward. [PR733566: This issue has been resolved.]<br />
Layer 2 Ethernet Services<br />
• Kernel messages of the following sort might be seen after upgrade to some 10.X versions<br />
/kernel: PCF8584(WR): target ack failure on byte 0 /kernel: PCF8584(WR):<br />
(i2c_s1=0x08, group=0xe, device=0x54) These messages are cosmetic and indicate<br />
that the Host Subsystem could not communicate with the Fan Tray to gather<br />
environment related information. It has been fixed with this PR. [PR606130: This issue<br />
has been resolved.]<br />
• When the IPv6 neighbor is behind LT (which is terminated to a BD) the IRB interface<br />
cannot communicate with the neighbor as the LT cookie is not taken care of while<br />
constructing the IPv6 packet. [PR670636: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
275
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• The possible range of values to configure LACP system priority is 0 through 65,535.<br />
The command line help does not prompt the possible values to configure LACP system<br />
priority. [PR680484: This issue has been resolved.]<br />
• The jnxLacpAggregateInterfaceName.0 field contains a hex value but no ascii value<br />
for the XE interfaces. [PR702518: This issue has been resolved.]<br />
• A defect (PR-716885) was introduced causing incoming DHCP packets to be tagged<br />
with the wrong layer 3 interface number when those packets were received on an IRB<br />
interface. This resulted in failure to transmit the DHCP responses back out the<br />
appropriate interface, leaving the protocol handshake incomplete. This problem is<br />
resolved in <strong>Release</strong> 11.4 R2. [PR716885: This issue has been resolved.]<br />
• The domain name for DHCPv6 usernames was incorrectly placed before DHCPv6<br />
specific attributes, for example client-id. With this change the domain name is placed<br />
at the end of the username and is preceded by '@'. [PR719639: This issue has been<br />
resolved.]<br />
• The system can't handle the dhcp packets after graceful Routing Engine switchover,<br />
when dynamic subscriber interfaces configured using IP demux interfaces. [PR721669:<br />
This issue has been resolved.]<br />
MPLS Applications<br />
• With Junos OS Version 10.4R7 MPLS packets received on L2 Circuit via LT tunnel<br />
interfaces doe not perform label swap operations but only strip the L2 Circuit Tunnel<br />
label. The nexthop node will drop the mpls packets because of unknown label<br />
information. With Junos OS Version 11.1R6 explicit NULL packets with IPv4/IPv6 payload<br />
that go though a path that pushes MPLS labels (LSP stitching) will come out corrupted,<br />
with the top 4 bytes of the IP portion missing. At the same time, explicit NULL packets<br />
with MPLS payload (For example: L2VPN packets with the outer label replaced by<br />
explicit NULL on the PHP node) will fail label lookup on the inner (VPN) label and will<br />
get punted to the CPU (based on lookup done for the outer (NULL) label), instead of<br />
forwarded. [PR692838: This issue has been resolved.]<br />
• show mpls path | resolve command is showing IP addresses instead of resolving them<br />
in FQDN. [PR694620: This issue has been resolved.]<br />
• When LSP switches from primary->secondary-primary path, the Max Avg counter<br />
might show up incorrect higher value when compared to actual LSP bandwidth. As<br />
the result of this, on the next adjust interval, LSP would be signalled with incorrect high<br />
last Max avg counter value. This issue will be seen only with secondary LSP configured.<br />
[PR695154: This issue has been resolved.]<br />
• When family mpls is removed but family inet remains on an interface, the nexthop may<br />
go into discard state on the Packet Forwarding Engine. The nexthop in discard state<br />
will cause packet loss for any routes associated with that nexthop. Here are the two<br />
ways to remove family mpls but not family inet from an interface: - deactivate interfaces<br />
unit family mpls - set interfaces unit family<br />
mpls maximum-labels [PR698169: This issue has been resolved.]<br />
• When nonstop-routing is used with adaptive LSPs, deleting an adaptive LSP can result<br />
in RPD core on the backup routing-engine. [PR698232: This issue has been resolved.]<br />
276<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Topology: P2mp branch LSR R1-----------DUT --------- R2 | | | R3 DUT is the P2MP<br />
branch LSR with R1 being the source and R2 & R3 being two branches. On receiving<br />
P2mp traffic from R1, DUT duplicates the traffic and sends to R2 and R3. It was observed<br />
in 11.4 image that the clone route doesn't have reference to the second branch<br />
regress@frontnine# run show route forwarding-table label 299840 extensive Routing<br />
table: default.mpls [Index 0] MPLS: Destination: 299840 Route type: user Route<br />
reference: 0 Route interface-index: 0 Flags: accounting, sent to PFE Next-hop type:<br />
indirect Index: 2097150 Reference: 2 Nexthop: Next-hop type: composite Index: 572<br />
Reference: 1 Nexthop: Next-hop type: composite Index: 548 Reference: 2 Nexthop:<br />
20.1.0.1 Next-hop type: unicast Index: 513 Reference: 10 Next-hop interface: et-3/1/9.0<br />
Nexthop: Next-hop type: composite Index: 571 Reference: 2 Nexthop: 30.1.0.1 Next-hop<br />
type: unicast Index: 547 Reference: 8 Next-hop interface: et-3/1/1.0 Destination:<br />
299840(S=0) Route type: user Route reference: 0 Route interface-index: 0 Flags:<br />
accounting, sent to PFE Next-hop type: indirect Index: 2097151 Reference: 2 Nexthop:<br />
Next-hop type: composite Index: 551 Reference: 1 Nexthop: Next-hop type: composite<br />
Index: 550 Reference: 1 Nexthop: 20.1.0.1 Next-hop type: unicast Index: 513 Reference:<br />
10 Next-hop interface: et-3/1/9.0 >>>>>>>>> only reference to one branch [PR699098:<br />
This issue has been resolved.]<br />
• After 9.3R3, customer may see unwanted mpls lsp convergence even there is no<br />
optimize-timer configured. Seems to be fast-reroute related issue. [PR699273: This<br />
issue has been resolved.]<br />
• - show mpls lsp statistics and monitor label-switched-path commands are not working<br />
for TE tunnels carrying CCC traffic. - only monitor label-switched-path is not working<br />
for TE tunnels carrying L2circuits traffic. [PR705019: This issue has been resolved.]<br />
• If the LSP path is cleared after the first reoptimization, the LSP path never comes up.<br />
[PR718318: This issue has been resolved.]<br />
• Graceful restart of MPLS protocol may trigger this problem when adaptive LSPs are<br />
present in the system. RPD will core because of the issue. [PR725579: This issue has<br />
been resolved.]<br />
Multicast<br />
• With Junos OS <strong>Release</strong> 10.0 or higher performing ISSU software upgrade, multicast<br />
resolve routes for ipv6 or ipv6 routes might not be installed properly in all FPCs.<br />
Multicast traffic will not be forwarded anymore. The following syslog message will<br />
indicate the problem. RT: Failed prefix change IPv4:0 - 224/4 (unknown prefix) RT:<br />
Failed prefix change IPv6:0 - ff00::/8 (change failed) To recover from this condition<br />
FPC reporting the above syslog messages needs to get restarted. [PR559108: This<br />
issue has been resolved.]<br />
• PIM join messages is fragmented on the IPv6 PIM sparse (PIM-SM) mode, if the join<br />
message exceeds the configured MTU. The multicast traffic should take the interface<br />
MTU and not the path MTU to avoid the fragmentation of PIM join messages. [PR718212:<br />
This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
277
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Network Management<br />
• When firewall filter counter names are changes, MIB2D assumes all changes are<br />
implemented immidiately at commit. MIB2D queries the Packet Forwarding Engine<br />
before it is updated and therefore gets the incorrect list of counter names. Queries<br />
done via SNMP therefore reflect the old firewall counter names. [PR703606: This issue<br />
has been resolved.]<br />
Platform and Infrastructure<br />
• Random VLAN Id's associated to MAC-address learning from untagged frames on<br />
trinity cards. [PR594605: This issue has been resolved.]<br />
• When there are large configuration, or next-hop, it is possible for a DPC to fail to come<br />
online after being inserted or restarted. The logs will then show the message: "PFEMAN<br />
resync in progress" every 10 seconds. This is caused by a race condition on the<br />
routing-engine when it initially tries to download the configuration and routes to the<br />
DPC, and eventually causes the DPC to stay in dormant state. [PR609644: This issue<br />
has been resolved.]<br />
• On TRIO based platforms, if the ingress Layer 2 size of a frame is larger than the egress<br />
MTU of an interface, the Packet Forwarding Engine will attempt to fragment the packet.<br />
If however the resulting Layer 3 packet with egress encapsulation is still smaller than<br />
the egress MTU size, the Packet Forwarding Engine makes an incorrect calculation<br />
resulting in the MQCHIP wedge condition. The affected Packet Forwarding Engine will<br />
need to be restarted in order to recover [PR661698: This issue has been resolved.]<br />
• The time stamp of the messages in firewall log is showing incorrect values. The system<br />
time and time stamp in log messages are not affected. If NTP server is configured, the<br />
issue does not happen. [PR661768: This issue has been resolved.]<br />
• For a situation where the number of IPSec tunnel is more than 1000, memory leaks<br />
may happen which cause the error message to be printed out: <br />
(FPC Slot , PIC Slot ) Cannot allocate spd handle for dynamic rule for<br />
tunnel: __SDM08-SET._junos_.tunnel11__. See PSN-2011-12-450 for more information.<br />
[PR666919: This issue has been resolved.]<br />
• On 10.4R8 code base egress PIC sampling will not work as expected when packet is<br />
transitioning from IP to MPLS. [PR679654: This issue has been resolved.]<br />
• After deactivate family mpls under ae, you might see "Could not decrement reroute<br />
counters for logical interface" log [PR684158: This issue has been resolved.]<br />
• While processing Packet Forwarding Engine routing updates, the Packet Forwarding<br />
Engine tries to access an uninitialized memory pointer and the following log messages<br />
can be seen: [Sep 20 13:29:14.272 LOG: Err] routing_chip_sram_write(0): SRAM write<br />
error, offset 0x1000001 [Sep 20 13:29:15.261 LOG: Err] ICHIP: Ir SRAM offset<br />
0x04000004 out of range, i_r_sram_wr There is no other adverse affect to the system<br />
and the message can be ignored [PR691503: This issue has been resolved.]<br />
• If you have an ingress interface with larger MTU than an egress interfaces, fragmenting<br />
packets on a Trio-based MPC may lead to interfaces on the egress MPC to stop<br />
transmitting. The necessary conditions which have to be met are: 1. An ingress interface<br />
with MTU value larger than that of an egress interface 2. The egress interface is a<br />
278<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
TRIO-based MPC 3. An ingress packet is larger than the MTU of the egress interface A<br />
system which has all of the above conditions is susceptible to egress interface being<br />
locked up. [PR692417: This issue has been resolved.]<br />
• Customer would see packet drop if downstream router has policing enabled because<br />
we don't clear the DEI bit on the SVLAN tag. [PR692482: This issue has been resolved.]<br />
• MPC Core was seen on router running 10.2S6.4. Issue was observed when the irb<br />
interface called under the routing instance vpls was deleted [PR693470: This issue<br />
has been resolved.]<br />
• MPC might crash when aggregate interface configured because of invalid child members<br />
installed at Packet Forwarding Engine side. [PR695225: This issue has been resolved.]<br />
• On an MX chassis with enhanced-ip network services configured; multicast traffic may<br />
be temporarily impacted on all hosts listening to a group if at least one host is going<br />
through an IRB (that has an aggregate Ethernet as an L2 interface) and the aggregate<br />
Ethernet or the IRB interface is removed. [PR696417: This issue has been resolved.]<br />
• Under some condition, we will report "HALP-trinity_nh_indirect_get_irb_fwd_nhIndirect<br />
NH(xxxxxxx), IRB egress set to discard:0xyy...yy" in certain circumstance of VPLS, IRB,<br />
VT/LSI over MPC environment. The error occurs because we didn't get the IRB<br />
forwarding NH when installing an IRB entry. This can occur when the target logical<br />
interface is either zero or the target logical interface not a LSI/VT interface. Even if this<br />
appears to be traffic affecting, not side impact has been reported in the customer<br />
where this message has appeared. [PR698776: This issue has been resolved.]<br />
• The Packet Forwarding Engine may core if a block of memory is freed while it is still in<br />
use on the Packet Forwarding Engine. [PR699176: This issue has been resolved.]<br />
• Trio cards may experience a crash and generate a core file because of a bug in PCIe<br />
handling. When this issue happens you might see the following messages followed by<br />
a core file: [LOG]MQ(x): pio_handle(0x414f6e00); pio_read_u64() failed: 1(generic<br />
failure)! addr=0000000002245ca8 [LOG] SCHED: Thread 26 (PIC Periodic) aborted,<br />
hogged 2505 ms [LOG] syslog called with interrupts off (caller pc:0x4094cfc4) [LOG]<br />
Dumping core-NPC [PR699679: This issue has been resolved.]<br />
• In scenarios where LDP traffic is tunneled over ECMP, MPLS LSPs that are single-hop,<br />
or share a common egress interface, the LSP traffic statistics may be reported<br />
incorrectly. [PR700154: This issue has been resolved.]<br />
• When two users are in configuration mode at the same time and one runs a show<br />
command, the other user might get locked. He cannot run any command unless the<br />
first user exits the configuration mode. [PR701250: This issue has been resolved.]<br />
• Configuring Routing Engine based input sampling and port-mirroring on the same<br />
interface of MPC card results in wrong flow records sent to netflow server [PR701549:<br />
This issue has been resolved.]<br />
• On T-series or M-320 FPC (except Enhanced Type 3 FPC), after deleting a VRF instance<br />
having interfaces which are not local on core facing FPC, and then adding VRF instance<br />
back having the same interfaces, L3VPN traffic interruption might occur. [PR701700:<br />
This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
279
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• At times when RPD/Kernel doesn't have correct index values for the LSI/VT<br />
sub-interface which is part of a VPLS routing-instance can lead to the forwarding to<br />
stop. This can be seen on either Enabling VPLS routing-instance or moving between<br />
LSI and VT sub-interface associated with a VPLS routing-instance. When this issue<br />
occurs we can notice that forwarding stops on this VPLS routing-instance and the<br />
following log messages: Jan 11 15:38:14.405 2012 testlab-ARA03 tfeb0<br />
HALP-trinity_nh_indirect_get_vpls_oif_entry vpls interface ifl=424 does not have<br />
indirect_nh! Jan 11 15:38:16.356 2012 testlab-ARA03 tfeb0<br />
HALP-trinity_nh_indirect_update_fabcallIndirect NH(1048600), ifl is neither LSI/VT<br />
ifl,.local.,ifl=(0) [PR704283: This issue has been resolved.]<br />
• This PR applies to MX routers running PPPoE subscriber management software in<br />
Junos OS <strong>Release</strong> 11.1 and earlier releases. It is not an issue in 11.2 and later releases.<br />
When the IP MTU for a PPPoE session requires that the MX PPPoE server fragments<br />
an IP packet, the PPPoE header length in the outgoing fragment is not set to the<br />
fragmented length. As a result, the PPPoE client receiver drops these fragments causing<br />
packet loss. [PR705578: This issue has been resolved.]<br />
• In 11.1 and above, using interface-mode trunk to configure VLAN's may fail to actually<br />
program the VLAN's in the Packet Forwarding Engine. This happens when interface is<br />
also configured with "speed auto". JTAC can check the programming of the Packet<br />
Forwarding Engine to verify this issue is being hit. [PR706134: This issue has been<br />
resolved.]<br />
• On T-Series or M320 (with none E3 FPC) platform, when there is more than 16 ECMP<br />
routes exist, after some of the routes flapping (but the available ECMP routes still more<br />
than 16), the Memory on FPC may be corrupted and error messages like "jtree memory<br />
free using incorrect value" may be prompted. [PR707453: This issue has been resolved.]<br />
• An MX MPC type card or the MX80 TFEB can crash when a L2 interface is added to a<br />
bridge-domain or a VPLS routing-instance. This kind of crash will only occur if previous<br />
events left stale entries in the forwarding table of the MX MPC or MX80 TFEB. After<br />
the crash the MX MPC or the MX80 TFEB will restart automatically. [PR711182: This<br />
issue has been resolved.]<br />
• If $junos-input-filter and/or $junos-output-filter variables configured on PPPoE<br />
subscriber interface without default value configured , when the PPPoE authentication<br />
fails or authentication does pass but the ERX-input-policy and/or ERX-output-policy<br />
VSAs are not returned by the radius server, DFWD process will have memory leak and<br />
crash eventually. [PR711426: This issue has been resolved.]<br />
• MPLS LSP traceroute will not display right information for intermediate (transit) LSRs<br />
of an MPLS LSP, when the ingress interface of the LSP is on a Trio based Packet<br />
Forwarding Engine, and the Egress interface of the LSP is on an IChip based Packet<br />
Forwarding Engine (ADPC). [PR716881: This issue has been resolved.]<br />
• VSTP may not work on dual tagged Trio interfaces that are part of a bridge domain /<br />
VPLS instance. [PR717046: This issue has been resolved.]<br />
• During certain configuration corner cases when the source-address or destination<br />
address associated with one of the listed Packet Forwarding Engine firewall filter logs<br />
is of a certain length, it causes the syslog module in the Packet Forwarding Engine to<br />
280<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
crash. SYSLOG_IP6_GEN SYSLOG_IP6_ICMP SYSLOG_IP6_TCP_UDP [PR718485: This<br />
issue has been resolved.]<br />
• When ipv6 address goes more than 96 bits while commit it throws an commit script<br />
error root# commit error: string is not in UTF-8 warning: 126 126 warning: 126 126<br />
warning: 126 126 error: 1 error reported by commit scripts error: commit script failure<br />
[PR720242: This issue has been resolved.]<br />
• On M-series platform (except M320, M120 and M10i/M7i with enhanced CFEB), when<br />
a link within an Aggregate Ethernet bundle flaps, a MAC frame might be incorrectly<br />
forwarded to another VPLS instance. There is no workaround. [PR721131: This issue has<br />
been resolved.]<br />
• After a MPC restart unexpectedly, the following messages can be seen in<br />
/var/log/messages: Jan 10 16:52:01 myrouter fpc0 MPC: Reset reason (0xc): Level3<br />
watchdog, Level2 watchdog [PR724924: This issue has been resolved.]<br />
• With output-vlan-map configured with vlan push action, the CFI bit of the outer vlan<br />
tag on the outgoing frame might have the CFI bit set incorrectly. [PR735935: This issue<br />
has been resolved.]<br />
Routing Protocols<br />
• 'show bgp summary' can show incorrect active route count at receiving updates of<br />
inactive routes from RR Client [PR685850: This issue has been resolved.]<br />
• If "forwarding-options sampling" or "routing-options route-record" is configured, stale<br />
routes may appear and persist in the routing table in holddown state. Those routes are<br />
not active and do not affect forwarding, but they do consume memory and if left will<br />
lead to the memory footprint of RPD increasing over time. For mpls routes it will also<br />
effect Packet Forwarding Engine and Kernel memory since the next-hops are not<br />
deleted till the route is deleted within RPD. Junos OS <strong>Release</strong>s 10.4R7 and 11.2R3 are<br />
effected. [PR688820: This issue has been resolved.]<br />
• In dense networks and time race condition, unnecessary OSPF LS retransmission for<br />
implicit Ack may happen (opposite of RFC2328). [PR691201: This issue has been<br />
resolved.]<br />
• After deactivating and reactivating a VRF routing instance with vrf-table-label knob<br />
configured, the label switch interface (LSI) interface for this instance ends up with only<br />
GF_INET family, instead of the expected three families: GF_INET, GF_INET6 and GF_ISO.<br />
This would cause IPv6 packets loss when they are travering the LSI interface.<br />
[PR692079: This issue has been resolved.]<br />
• After a nsr ospf sham links may go down. Restart routing to reactivate. [PR693719: This<br />
issue has been resolved.]<br />
• When activate pim on a routing-instance vrf, The vrf.inet6.1 table should be created,<br />
but in rare cases the table fails to be created. If this happens, IPv6 multicast routes are<br />
NOT able to flash into krt to install in kernel. [PR695113: This issue has been resolved.]<br />
• Changes to martian addresses (RFC5735 that obsoletes RFC3330), that are not present<br />
in Junos OS martians default settings. PSN-2011-10-393 [PR698121: This issue has<br />
been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
281
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• In certain scaled next-generation multicast VPN configurations, deleted route entries<br />
may get stuck in the KRT queue, as displayed by the show krt queue command. This<br />
condition does not appear to affect traffic flow. [PR698172: This issue has been<br />
resolved.]<br />
• get-next for pimRPSetHoldTime or pimRPSetExpiryTime may list output of same OID<br />
mentioned in the get-next command. Instead it should list the output for next OID.<br />
[PR700079: This issue has been resolved.]<br />
• Scheduler slips can occur when FPC's containing physical interfaces with thousands<br />
of logical interfaces are taken offline or online. [PR701021: This issue has been resolved.]<br />
• Under rare circumstances, backup might core when backup discards a route. [PR703854:<br />
This issue has been resolved.]<br />
• When having VRF multipath enabled, and mixed direct and multihop bgp peering inside<br />
the VRF, rpd will crash if it tries to install a multipath bgp route. [PR705086: This issue<br />
has been resolved.]<br />
• PE router puts a wrong value in OSPF Route Type Extended Community Attribute when<br />
advertises BGP route to remote PE. The issue can be seen in L3VPN setup when OSPF<br />
running between PE and CE with "route-type-community vendor" configured under<br />
the routing-instance. [PR705915: This issue has been resolved.]<br />
• For a BGP session with bgp damping enabled after a flap the received prefixes are not<br />
reported correctly in show bgp summary and show bgp neighbour commands.<br />
[PR706324: This issue has been resolved.]<br />
• When an igmp-only interface is configured and we have static/dynamic groups, PIM<br />
XIF code could modify the corresponding route table entry inline without waiting for<br />
pim to install the route. During this time, the entry could point to non-multicast nexthop,<br />
such as FLOOD NH. This problem is rare and not easily reproducible. [PR712137: This<br />
issue has been resolved.]<br />
• The Routing Protocol Daemon (RPD) may leave a soft core if there are multiple paths<br />
for the same L2VPN connections. [PR717541: This issue has been resolved.]<br />
• rpd core observed at rt_nh_cmp on the back up while trying to sync the selected gw<br />
with the master. For this issue to trigger, NSR needs to be enabled,<br />
per-packet-load-balance needs to be disabled and there should be multiple paths in<br />
the BGP. [PR718759: This issue has been resolved.]<br />
• When trying to send BGP packets with message size more than 4092 bytes (the<br />
maximum length of BGP message is 4096 bytes), the RPD daemon will crash.<br />
[PR720693: This issue has been resolved.]<br />
• When BGP is configured with BFD enabled, if there is a BGP peer established with direct<br />
connection, after interface is disabled/deactivated, BFD will send a Admin Down state<br />
notification to the remote peer. This might cause the BGP session not to be teared<br />
down until BGP hold timer expires resulting in a short temporary traffic blackhole.<br />
[PR722798: This issue has been resolved.]<br />
• The configuration of DDoS Protection has changed slightly. You can now include the<br />
disable-fpc statement at the [edit system ddos-protection protocols protocol-group<br />
(aggregate | packet-type)] hierarchy level to disable policers on all line cards for a<br />
282<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
particular packet type or aggregate within a protocol group. The ability to configure<br />
this statement globally or for a particular line card remains unchanged. You can also<br />
now include the disable-logging statement at the [edit system ddos-protection protocols<br />
protocol-group (aggregate | packet-type)] hierarchy level to disable router-wide logging<br />
of DDoS violation events for a particular packet type or aggregate within a protocol<br />
group. The disable-logging statement has been moved from the [edit system<br />
ddos-protection violation] hierarchy level, and that hierarchy level has been removed<br />
from the CLI. The show ddos-protection protocols command now displays Partial in<br />
the Enabled field to indicate when some of the instances of the policer are disabled.<br />
The Routing Engine Information section of the output now includes fields for bandwidth,<br />
burst, and state. The show ddos-protection protocols parameters command and the<br />
show ddos-protection protocols statistics command now include a terse option to<br />
display information only for active protocol groups--that is, groups that show traffic<br />
in the Received (packets) column. The show ddos-protection protocols parameters<br />
command also displays part. for policers that have some disabled instances. [PR722873:<br />
This issue has been resolved.]<br />
• If BGP export policies are ran for the routes coming from restarting BGP router (graceful<br />
restarting router) during graceful restart then helper router may end up advertising less<br />
routes to remote BGP peers. One possible scenario is IGP graceful restart failure during<br />
BGP graceful restart. [PR723809: This issue has been resolved.]<br />
• In NG-MVPN environment, local receiver (the multicast receiver and source are<br />
connected with the same PE) multicast traffic might be dropped when Provider Tunnel<br />
flaps. [PR724131: This issue has been resolved.]<br />
• In a scaled Layer 3 MPLS VPN network with the "l3vpn-composite-nexthop" knob<br />
enabled, if BGP multipath is configured, the routing protocol daemon (RPD) may crash<br />
when topology changes. [PR724615: This issue has been resolved.]<br />
• When L3VPN composite nexthop and BGP multipath are enabled, Routing Engine<br />
Daemon (RPD) might dump core files which is because of multipath composite nexthop<br />
unresolved and when downloading such a nexthop to kernel, the issue occurs.<br />
[PR724777: This issue has been resolved.]<br />
• An error in the logic for nonstop routing switchover when family "inet6 labeled-unicast"<br />
is configured causes RPD to crash after a nonstop routing switchover. [PR736669: This<br />
issue has been resolved.]<br />
• Conditions : - If route generate statement is configured to install the next-hop from<br />
prefixes learned from multiple BGP peers and the contributing routes have a different<br />
preference2 value. Trigger : When the BGP neighbor that advertises the primary<br />
contributing prefix for the generate route goes down, then the next hop for the route<br />
generated by the route generate statement, might get stuck pointing to the BGP peer<br />
that is down. [PR738206: This issue has been resolved.]<br />
• Two Mx960 connected via two aggregate Ethernet links and these are distribution<br />
routers. aggregate Ethernet flap test was executed on one of the Mx960, where all the<br />
ae links were flapped twice randomly.Core occured on other Mx960 during this test<br />
execution. [PR740116: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
283
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Services Applications<br />
• This PR is because of misconfiguration. Hence it is better to avoid misconfiguration.<br />
Due to misconfiguration if the Local Address of Dynamic L2TP SI is same as tunnel<br />
Destination , it results in to recursion because NH of tunnel Destination itself is the<br />
same tunnel Destination. For example: set dynamic-profiles dyn-lns-profile0 interfaces<br />
$junos-interface-ifd-name unit $junos-interface-unit family inet address 60.0.0.1/24<br />
set interfaces ge-1/3/0 unit 11 family inet address 60.0.0.1/24 set services l2tp<br />
tunnel-group ce-l2tp-tunnel-group3 service-interface si-1/3/0 Workaround would be<br />
to have different network addresses given in si interface ( dynamic configuration ) than<br />
that of access interface. [PR677189: This issue has been resolved.]<br />
• IDP Policy failed to get installed on deleting nat rules and adding it [PR679178: This<br />
issue has been resolved.]<br />
• Certain COS configuration on IRB interface that has MS-DPC results in such errors<br />
which has no functionality issues. [PR680944: This issue has been resolved.]<br />
• There was SNMP data collection problem and it is fixed. [PR689249: This issue has<br />
been resolved.]<br />
• When you send a DTCP version 0.7 ADD message with X-JTAP-IP-VERSION field set<br />
to Ipv6, you would see Junos OS router returning '400, Bad Request'. As a workaround,<br />
you can use DTCP version 0.8. [PR692005: This issue has been resolved.]<br />
• In production networks there can be cases where we can have temporary double user<br />
login because of ungraceful ppp session termination from client side, and there is an<br />
immediate login from the same user. These cases are not being handled properly on<br />
l2tp code for m7i/m10i/m120 with service PIC which is leading to routes for<br />
Framed-IP-Address and Framed-Route to be deleted completely from routing table<br />
when the old l2tp session is teared down because of lcp keepalive timeouts. [PR695585:<br />
This issue has been resolved.]<br />
• When toggling between source-prefix and source-pool values for inline NAT, behavior<br />
of the NAT feature was inconsistent. The fix to the PR resolved the issue and the proper<br />
pool or prefix is always used. [PR696700: This issue has been resolved.]<br />
• When running MS-PIC or MS-DPC configured for Stateful-Firewall NAT service with<br />
Address-Pooling Paired (APP) and Endpoint-Independent Mapping (EIM) enabled, if<br />
the pattern of the traffic causes the PIC to report "AP port allocation errors", upon<br />
expiring of some flows the PIC might dump a core and restart. [PR699662: This issue<br />
has been resolved.]<br />
• When the bypass-traffic-on-pic-failure configuration knob is used, and following a<br />
crash of the MSPMAND daemon on the MS400 pic, on which the IDP package is<br />
installed, the bypass is not triggered immediately because there is generation of a core<br />
file. This causes black-holing of traffic. The fix for this issue is to let the traffic bypass<br />
start immediately when MSPMAND cores, and the PIC is considered in a failure state.<br />
[PR702591: This issue has been resolved.]<br />
• When running a service-set with stateful-NAT configured that includes address-pooling<br />
paired and endpoint-independent mapping, NAT ports and/or NAT address/port<br />
284<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
mappings might not get released when corresponding flows are removed and mapping<br />
timeout timers are expired. [PR702934: This issue has been resolved.]<br />
• Flows are not getting created in cases as restarting pic, doing graceful Routing Engine<br />
switchover twice, high number of VRFs configured. This issue will be hit quickly with<br />
large number of ifls. The other symptom of this PR is wrong values seen in source AS<br />
, destination AS values. [PR706803: This issue has been resolved.]<br />
• The issue is seen only with l2tp data traffic with tunnel-id/session-id 0/0 is exceptioned<br />
to the Routing Engine. [PR707253: This issue has been resolved.]<br />
• When running a Stateful-Firewall NAT service-set with EIM (Endpoint Independent<br />
Mapping) the MS-PIC or MS-DPC might dump a core file upon mapping expiration<br />
[PR708580: This issue has been resolved.]<br />
• When running IDP service traffic inspection on MS-PIC or MS-DPC, the inspection of<br />
MS-RPC and other application traffic might lead the mspmand daemon to restart and<br />
dump a core file. [PR709412: This issue has been resolved.]<br />
• If you have traceoptions configured under the sampling stanza and make configuration<br />
changes which requires sampled daemon to re-read the configuration again via SIGHUP,<br />
we do leak file descriptors. Once you run out of file descriptors the following syslog<br />
message will be reported /kernel: %KERN-2: kern.maxfiles limit exceeded by uid 2018,<br />
please see tuning(7). If you restart sample daemon with the CLI command restart<br />
sampling gracefully" all open file descriptors will be released. [PR709889: This issue<br />
has been resolved.]<br />
• The time when flow record packet is sent out becomes inaccurate after MS-PIC (or<br />
MSDPC)runs over 49.7 days. As a result, flow record packet will be delivered to the<br />
flow collector at unexpected time and the time lag will be seen with the traffic trend<br />
based on SNMP data. [PR718209: This issue has been resolved.]<br />
• The Service PIC will crash when traceroute is run over Ds-Lite softwire. [PR720935:<br />
This issue has been resolved.]<br />
• When enabling the PPTP Application Layer Gateway module in presence of Statefull<br />
Firewall NAT service-set configurations, the "Set-Link-Info Peer Call Id" and "Echo-Reply<br />
Id" PPTP parameters might be incorrectly translated when crossing the ALG. [PR721810:<br />
This issue has been resolved.]<br />
• Even without traffic, if there is more than one service-set, Packet Forwarding Engine<br />
kernel connectivity can be lost because of memory leak on Packet Forwarding Engine<br />
level [PR728677: This issue has been resolved.]<br />
• If running services IDS, a memory leak can occur. [PR738019: This issue has been<br />
resolved.]<br />
Subscriber Access Management<br />
• When a CoA, sent to a service session of a subscriber, contains more than one change<br />
request, then it can happen, that some of the changes are executed while others aren't<br />
and 'Invalid-Request' response is returned. The Fix to this PR addresses the case when<br />
a service deactivation and activation using non-existant filters is sent in one CoA. The<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
285
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
correct behavior is to return 'Invalid-Request' and keep the active service session<br />
untouched. [PR692331: This issue has been resolved.]<br />
• "client-idle-timeout" under access profile stanza does not work when RADIUS<br />
accounting is not configured [PR717870: This issue has been resolved.]<br />
System Logging<br />
• A deactivate; commit; activate on "set forwarding-options ip-options-protocol-queue"<br />
may cause RSVP Hello packets to be dropped. [PR690827: This issue has been<br />
resolved.]<br />
User Interface and Configuration<br />
• With the addition of "allow-configuration-regexps" and "deny-configuration-regexps"<br />
to control router configuration access for users in Junos OS <strong>Release</strong> 11.2, the configured<br />
settings were not properly displayed in the output of "show cli authorization". The fix<br />
for this PR addresses this issue. [PR696738: This issue has been resolved.]<br />
• "show system users" command will not work when Jweb is not installed in the device.<br />
[PR706676: This issue has been resolved.]<br />
• With large configuration, MGD may crash after issuing show | compare command.<br />
[PR712222: This issue has been resolved.]<br />
VPLS<br />
• VPLS routing table reference count have to be decremented on removal. [PR674009:<br />
This issue has been resolved.]<br />
• The message is harmless and the severity of the log message was changed from ERROR<br />
to DEBUG [PR694138: This issue has been resolved.]<br />
• Forwarding stops on this VPLS routing-instance because of incorrect handling of<br />
indirect nexthop. [PR694304: This issue has been resolved.]<br />
• When multiple VPLS instances are configured using manually-defined mesh-groups<br />
and some without defining mesh-groups, show vpls connections may not display some<br />
of them. [PR709061: This issue has been resolved.]<br />
VPNs<br />
• Under NG-MVPN scenario, if the provider tunnels are shared by multiple routing<br />
instances. When a "clear bgp neighbor" is issued on the PE that is the egress for the<br />
provider tunnel, not all provider-tunnels recover. Some LSPs stay is down state (state<br />
is UP on the egress but down on the ingress of the LSP). [PR687998: This issue has<br />
been resolved.]<br />
• Under NG-MVPN scenario with ingress replication, some of the traffic will be lost after<br />
ingress router reboot because of the binding of the customer multicast routes to the<br />
inclusive ingress-replication tunnel is missing. [PR690210: This issue has been resolved.]<br />
• Due to implementation flaws,Downstream interface list(OIL)for MVPN with multicast<br />
receivers directly connected to the PE was not getting created properly.After the fix of<br />
286<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
this defect,OIL is listing all the interfaces appropriately. [PR690237: This issue has been<br />
resolved.]<br />
• bootstrap-import filters BSR packets from lsi/vt intf wrongly. [PR702198: This issue<br />
has been resolved.]<br />
• In Rosen MVPN scenario, the Routing Protocol Daemon (RPD) might dump core files<br />
after PIM mdt group-range configuration is changed. [PR704648: This issue has been<br />
resolved.]<br />
• Under NG-MVPN scenario, when there are multiple router reflectors in the core or there<br />
are fast routes flapping on source PE, after issue clear pim join command on source<br />
PE, multicast traffic from the source to the receivers will be stopped. [PR706855: This<br />
issue has been resolved.]<br />
• After a routing engine switchover, l2vpn address family routes may not be advertised<br />
by BGP. [PR707743: This issue has been resolved.]<br />
• In Multicast Tunnels environment, KRT queue (between RPD and Kernel) gets stuck<br />
with error 'ENOENT -- Item not found' after restarting the FPC containing the tunnel<br />
PIC in the box and sometimes there's a RPD (Routing Protocol Daemon) core on backup<br />
Routing Engine . [PR708189: This issue has been resolved.]<br />
• In a NG-MVPN setup a receiver PE will get the multicast traffic for a particular (C-S,C-G)<br />
even if it does not have any local C-Join for that particular group. This can happen if<br />
the following conditions are met: - a selective (S-PMSI) tunnel is used for that particular<br />
(C-S,C-G) - the provider tunnel signaling protocol is mLDP - the receiver PE is running<br />
Junos OS 11.4R1.14 - another receiver PE (running any Junos OS <strong>Release</strong>) in the same<br />
MVPN instance has a C-Join for that (C-S,C-G) [PR725027: This issue has been<br />
resolved.]<br />
• The different endianness of an MX80's PowerPC was not considered in<br />
mpls-internet-multicast functions, causing routing failures. [PR732563: This issue has<br />
been resolved.]<br />
<strong>Release</strong> 11.4R1<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.4R1. The identifier<br />
following the description is the tracking number in our bug database.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
287
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Forwarding and Sampling<br />
• Any sampling related configuration changes are committed when the sampled process<br />
is running, the old sampling instance tree is deleted and a new tree is created. With<br />
this issue, when the old sampling instance tree is deleted, the system dumps core files.<br />
[PR688417: This issue has been resolved.]<br />
Interfaces and Chassis<br />
• On an MX480 router the Multiservices DPC crashes because of a race condition when<br />
the IPsec SA bundle ptr is set to NULL from the control thread as a result of SA delete<br />
msg from the kmd-re, while a data thread(s) tries to access the same SA ptr after<br />
verifying that the ptr is not NULL. [PR698788: This issue has been resolved.]<br />
Layer 2 Ethernet Services<br />
• In certain scenarios, the DHCP relay packets might be rejected. [PR695083: This issue<br />
has been resolved.]<br />
Platform and Infrastructure<br />
• On M120, M7i/M10i with enhanced CFEB, M320 with E3 FPCs, and MX Series routers<br />
with DPCs, when three or more MPLS labels are being pushed, the TTL of the innermost<br />
label might incorrectly be set to zero. [PR694163: This issue has been resolved.]<br />
<strong>Release</strong> 11.3<br />
The following issues have been resolved since Junos OS <strong>Release</strong> 11.3R3. The identifier<br />
following the description is the tracking number in our bug database.<br />
Forwarding and Sampling<br />
• Certain mis-configuration causes check-out fail w/o proper reason. [PR597801: This<br />
issue has been resolved.]<br />
High Availability<br />
• Kernel core during upgrade. [PR687671: This issue has been resolved]<br />
• On MX Series routers, the error message “/kernel: Unlist request: unilist(nh index =<br />
1048575) found on the rnhlist_deleted_root patnode” appears continuously. [PR667046:<br />
This issue has been resolved]<br />
• After a unified ISSU from Junos OS <strong>Release</strong>s 10.0 to 10.4, the sampling feature does<br />
not function. The sampled process responsible for sampling no longer receives the<br />
data from the Packet Forwarding Engine. [PR681271: This issue has been resolved]<br />
Interfaces and Chassis<br />
• On the ATM PIC cbr shaping rate configuration, specify a value in cells per second by<br />
entering a decimal number followed by the abbreviation c; values expressed in cells<br />
per second are converted to bits per second by means of the formula 1 cps = 384 bps.<br />
The cell rate configuration was removed from Junos OS releases from 10.1R1 and later<br />
which built between 23-Jan-2010 and 15-Sep-2011. As workaround, use bits per second<br />
288<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
(bps) configuration to specify the ATM cbr shaping rate. The cell rate configuration<br />
has been added back from below Junos OS <strong>Release</strong>s and later: 10.4R8, 10.4S7, 11.1R6,<br />
11.2R3, 11.3R3 and 11.4R1. [PR685558: This issue has been resolved]<br />
• On the M120 router, when the no-vrf-propagate-ttl statement is set or deleted, the<br />
Forwarding Engine Board (FEB) might reboot and dump a core. [PR691466: This issue<br />
has been resolved]<br />
• When an interface enabled for OAM goes down, the message "first cells dropped at<br />
cif" is added to the system log file. [PR559492: This issue has been resolved]<br />
MPLS Applications<br />
• When LFA link Protection is configured for IGP with LDP-IGP Synchronization enabled,<br />
if LSP(LDP) routes are installed in inet.0, after LDP session is cleared, the LDP session<br />
is not able to bring up. [PR600181: This issue has been resolved]<br />
• In a Next Generation MVPN scenario, a kernel memory buffer may get corrupted when<br />
the router receives a bootstrap or auto-RP message whose packet size exceeds 204<br />
bytes. The memory corruption will cause the Junos OS kernel to crash every time such<br />
a packet is received. This problem will only be encountered in a Next-Gen MVPN<br />
scenarios that use Ingress Replication as the P-tunnel type and has Auto-RP or<br />
Bootstrap as the group-to-RP mapping mechanism. [PR681963: This issue has been<br />
resolved]<br />
• When an IP route directly resolves over an LSP or the LSP route is also installed in<br />
inet.0 table, then the LSP statistics may incorrectly contribute to the bypass LSP<br />
statistics, even when packets are not being forwarded on the bypass LSP. [PR682966:<br />
This issue has been resolved]<br />
• Under certain circumstances, the automatic bandwidth timer smearing function does<br />
not space out the timer interval evenly. Also, the interval between the timers are not<br />
equal. [PR606051: This issue has been resolved]<br />
Multicast<br />
• With Junos OS <strong>Release</strong> 10.0 or later performing ISSU software upgrade, multicast<br />
resolve routes for IPv6 or IPv6 routes might not be installed properly in all FPCs.<br />
Multicast traffic will not be forwarded anymore. The following syslog message will<br />
indicate the problem. RT: Failed prefix change IPv4:0 - 224/4 (unknown prefix) RT:<br />
Failed prefix change IPv6:0 - ff00::/8 (change failed) To recover from this condition<br />
FPC reporting the above syslog messages needs to get restarted. [PR559108: This<br />
issue has been resolved]<br />
Network Management<br />
• Mib2d may core when interfaces are created and deleted at very fast rate on scaled<br />
setup. [PR602812: This issue has been resolved]<br />
• The cause of the snmpd core in this PR is a result of the fix that went into PR607704.<br />
Junos OS <strong>Release</strong> 10.4R6 only is exposed to this issue at this time. [PR674874: This<br />
issue has been resolved]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
289
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• When an SNMP MIB walk is performed for ipv6IfNetToMediaState without any IPv6<br />
configuration on the router, the error message "MIB2D_SYSCTL_FAILURE:<br />
ipv6_n2m_update_sysctl_info: sysctl getting kernel MD6 data failed: Bad address"<br />
appears. [PR612585: This issue has been resolved]<br />
Platform and Infrastructure<br />
• "commit at" with commit scripts sometimes may lockup CLI. [PR537074: This issue<br />
has been resolved]<br />
• The time stamp of the messages in firewall log is showing incorrect values. The system<br />
time and time stamp in log messages are not affected. If NTP server is configured, the<br />
issue does not happen. [PR661768: This issue has been resolved]<br />
• Under some rare scenario, it is possible for a DPC to fail to come online after being<br />
inserted or restarted. The logs will then show the message: "PFEMAN resync in progress"<br />
every 10 seconds. This is caused by a race condition on the routing-engine when it<br />
initially tries to download the configuration and routes to the DPC, and eventually<br />
causes the DPC to stay in dormant state. [PR609644: This issue has been resolved]<br />
• MPC might crash when aggregate interface configured because of invalid child members<br />
installed at Packet Forwarding Engine side. [PR695225: This issue has been resolved]<br />
• Failure to handle transient low memory conditions in the kernel. Fix involves retry the<br />
operation rather than asserting. [PR687618: This issue has been resolved]<br />
Routing Protocols<br />
• When deleting a static route from a VRF instance the operator should avoid issuing a<br />
show route next-hop detail command for the newly deleted route<br />
for a period of 3 minutes. This ensures adequate time for even a highly scaled system<br />
to completely free all data structures associated with the deleted route and avoids<br />
the RPD crash documented in PR 605798. [PR605798: This issue has been resolved]<br />
• Issue happens with NSR switchover or ISSU update because of different indirect nh is<br />
allocetd on new master. The cnh code needs to handle refcount of cnh properly when<br />
change from old cnh to new cnh if new cnh already exists on patricia tree. [PR612182:<br />
This issue has been resolved]<br />
• fbf route with qualified-next-hop and nexthop interface will installed route table<br />
wrongly. [PR670339: This issue has been resolved]<br />
• The show bgp summary command displays the wrong data regarding the active routes.<br />
A route can be active but not reported by the above command. [PR680080: This issue<br />
has been resolved]<br />
• When sham-link is activated the exported static route is erroneously treated as vpn<br />
route received via BGP. It resulted in that exported static route shows up in the database<br />
with DN bit set. [PR686947: This issue has been resolved]<br />
• It was not releasing the link for file , so code changes has been done for the same.<br />
[PR687959: This issue has been resolved]<br />
290<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• RPD may crash with BGP multipath configured if the route list includes BGP multipath<br />
routes along with non BGP routes for same destinations. [PR688763: This issue has<br />
been resolved]<br />
• If "forwarding-options sampling" or "routing-options route-record" is configured, stale<br />
routes may appear and persist in the routing table in holddown state. Those routes are<br />
not active and do not affect forwarding, but they do consume memory and if left will<br />
lead to the memory footprint of RPD increasing over time. For mpls routes it will also<br />
effect Packet Forwarding Engine and Kernel memory since the next-hops are not<br />
deleted till the route is deleted within RPD. Junos OS <strong>Release</strong>s 10.4R7 and 11.2R3 are<br />
effected. [PR688820: This issue has been resolved]<br />
• If bgp "keep all" is configured, and "multipath" is enabled under "routing-options" of<br />
a vrf, and there exists multiple equal cost bgp vpn routes for the same destination in<br />
bgp.l3vpn table, when this new vrf is added to the configuration, rpd may core because<br />
of a delayed bgp reconfig job in a scaled configuration. [PR691170: This issue has been<br />
resolved]<br />
• When 10-Gigabit Ethernet interfaces flap frequently, a routing protocol process (rpd)<br />
core file might be created. [PR691170: This issue has been resolved]<br />
• RPD might take long time to bring up an OSPF neighbor to FULL state when there are<br />
large number of OSPF neighbors with large size of OSPF LSA database. [PR692239:<br />
This issue has been resolved]<br />
• Under some circumstances where a BGP router that has been configured with family<br />
route-target the router may fail to send some VPN routes. This will most typically<br />
happen for a PE router in a scaled configured that has received the default RT-Constrain<br />
route, 0:0:0/0. [PR692940: This issue has been resolved]<br />
• When family route-target is used on a PE and one or more peers that it is configured<br />
on do not negotiate RT-Constrain (RFC 4684), the PE will generate a default RTC<br />
route of 0:0:0/96. This default route is not appropriate for non-transit BGP hosts. By<br />
default, a BGP non-transit PE will discard VPN routes that do not have matching local<br />
route-target communities. If at a later time a VRF is configured with a route-target that<br />
it had previously discarded VPN routes for, the attached BGP neighbors will not re-send<br />
the appropriate VPN routes. This is because of the fact that the attached BGP neighbor<br />
had a matching default RTC route and thinks it has already sent the associated VPN<br />
routes. [PR695918: This issue has been resolved]<br />
• Changes to martian addresses (RFC5735 that obsoletes RFC3330), that are not present<br />
in Junos OS martians default settings. PSN-2011-10-393. [PR698121: This issue has<br />
been resolved]<br />
• The routing protocol process crashes when the default-lsa option is configured in an<br />
NSSA under a routing instance, which also receives a default route from another VPN<br />
instance. [PR606075: This issue has been resolved]<br />
• The routing protocol process might crash after a graceful Routing Engine switchover<br />
in a Layer 3 VPN with external or internal BGP multipath that contains a composite<br />
next hop as a component next hop. [PR665996: This issue has been resolved]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
291
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• After a BGP session flap, the output of the show bgp summary command might not<br />
display the correct number of "Active routes" for VPN routing instances. [PR673830:<br />
This issue has been resolved]<br />
• The ipMRouteInterfaceTable MIB walk does not display PIM SM interfaces. [PR678051:<br />
This issue has been resolved]<br />
• The output of the show pim statistics inet6 command includes fields that are not<br />
necessary for IPv6 multicast. [PR682938: This issue has been resolved]<br />
• When a PIM is used between downstream PEs in an MVPN environment, the<br />
nondesignated PE router receives multicast traffic from a designated router on a<br />
downstream port. When reverse path forwarding occurs, faulty results are returned<br />
and the router always attempts to build the local multicast route table causing memory<br />
leaks in the routing protocol process. When the memory leak is large enough, the routing<br />
protocol process might crash and dump core files. [PR685111: This issue has been<br />
resolved]<br />
User Interface and Configuration<br />
• The Routing Engine(s) will crash with a trap with the backtrace<br />
bcopy/if_pfe_ttp_output/if_pfe_ae_ttp_output. if_pfe_ttp_output may not appear in<br />
the backtrace. The configuration includes dhcp, PPPoE/VLAN, or demux/ae. [PR682735:<br />
This issue has been resolved.]<br />
• A panic occurs in rnh_index_alloc on the backup Routing Engine because the index is<br />
already allocated. In the syslog or kernel message buffer, a message similar to the<br />
following may be seen: "rnh_cont_request: demux0.14 (3353) Got nhid=120882<br />
but already have child nhid=118652 for cifl ge-0/1/5.32767 (3349)". [PR682967: This<br />
issue has been resolved.]<br />
• CLI "show interface as0 extensive " does not show the sonet child member links stats<br />
part of aggregated bundle. This effects the monitoring & management of bandwidth<br />
concerns on the as bundle links. [PR677553: This issue has been resolved.]<br />
• With IPv6 and PPPoE, DHCP, or other demux configured, an assertion panic can occur<br />
in in6_ether_iffconfig(). [PR686350: This issue has been resolved.]<br />
• Adding configuration from "load set terminal" for restricted user may not allowed even<br />
for authorized configuration hierarchies. "load merge terminal" on the other hand does<br />
not have this issue. [PR678664: This issue has been resolved.]<br />
• Add constraint to [ system login user full-name ] to not allow newline (\n)<br />
characters. [PR690013: This issue has been resolved.]<br />
• Jweb does not work on the multi-core Routing Engines which have 64-bit Junos OS.<br />
[PR692444: This issue has been resolved.]<br />
• Right click option to Navigate to Chassis info or System info in Chassis view is not<br />
working properly. Instead operator is expected to navigate to respective page by clicking<br />
on that page itself from Monitor page instead of using right click option. [PR684849:<br />
This issue has been resolved.]<br />
292<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
VPLS<br />
• With non-stop routing and a large number of LDP-based virtual-private LAN service<br />
configured, the routing process might crash during a routing-engine switchover event.<br />
[PR610594: This issue has been resolved.]<br />
• On certain topology, a core link flap might result in VPLS in RD state w/<br />
pseudowire-status-tlv configuration. This is a timing issue and may not occur every<br />
time on every topology. [PR687375: This issue has been resolved.]<br />
VPNs<br />
• The routing protocol process dumps core files during a P-PIM process after the default<br />
MDT switches to a data MDT. [PR669365: This issue has been resolved.]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
on page 73<br />
• Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong><br />
11.4 for M Series, MX Series, and T Series Routers on page 153<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 293<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 321<br />
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T<br />
Series Routers<br />
Errata<br />
Class of Service<br />
• The Junos OS Class of Service Configuration Guide contains errors in the following topics<br />
related to IEEE 802.1p inheritance:<br />
• The topic titled Understanding IEEE 802.1p Inheritance push and swap from a<br />
Transparent or Hidden Tag should be titled Understanding IEEE 802.1p Inheritance<br />
push and swap from a Transparent Tag, as in previous and subsequent versions. This<br />
section also incorrectly references a hidden tag and hidden statement, which are<br />
invalid. This topic should also include the following sentence:<br />
• MX Series routers with Modular Port Concentrators (MPCs) and Modular Interface<br />
Cards (MICs) support configurable IEEE 802.1p inheritance of push and swap bits<br />
from the transparent tag of each incoming packet, which allows you to classify<br />
incoming packets based on the IEEE 802.1p bits from the transparent tag.<br />
• The "hidden" configuration statement is not supported. Including the “hidden”<br />
statement was a documentation error, and the statement is therefore removed from<br />
subsequent versions.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
293
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• The topic Configuring IEEE 802.1p Inheritance push and swap from the Hidden Tag<br />
was incorrectly included and is therefore removed from subsequent versions.<br />
• References to the "hidden" configuration statement and the topic "Configuring IEEE<br />
802.1p Inheritance push and swap from the Hidden Tag" are also incorrect.<br />
[Junos OS Class of Service Configuration Guide]<br />
Firewall Filters<br />
• If you configure the icmp-code match condition in an IPv6 firewall filter, we recommend<br />
that you also configure the next-header icmpv6 or next-header icmp6 match condition<br />
in the same term. The next-header icmp6 and next-header icmpv6 match conditions<br />
perform the same function. next-header icmp6 is the preferred option. next-header<br />
icmpv6 is hidden in the Junos OS CLI.<br />
High Availability<br />
• TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix<br />
do not currently support nonstop active routing.<br />
[High Availability]<br />
• The Virtual Chassis Components Overview topic and the Guidelines for Configuring Virtual<br />
Chassis Ports topic in the Junos OS High Availability Configuration Guide incorrectly<br />
state that an MX Series Virtual Chassis configuration supports up to 24 Virtual Chassis<br />
ports per trunk. An MX Series Virtual Chassis configuration actually supports up to 16<br />
Virtual Chassis ports per trunk.<br />
[Junos OS High Availability Configuration Guide]<br />
• The MX Series Virtual Chassis documentation in the Junos OS High Availability<br />
Configuration Guide failed to include the following information about how slot numbering<br />
in the Virtual Chassis affects your use of SNMP.<br />
Junos OS supports the use of SNMP to monitor the routers and other devices in your<br />
network. For example, the <strong>Juniper</strong> <strong>Networks</strong> jnxBoxAnatomy enterprise-specific Chassis<br />
MIB contains the jnxFruTable object, which shows the status of field-replaceable units<br />
(FRUs) in the chassis. Within the jnxFruTable object, the jnxFruSlot object displays the<br />
slot number where the FRU is installed.<br />
If you are using the jnxFruSlot object in jnxFruTable to display the slot numbers of line<br />
cards installed in a member router of an MX Series Virtual Chassis, keep in mind that<br />
the offset used for slot numbering in an MX Series Virtual Chassis affects the value<br />
that appears for the jnxFruSlot object.<br />
Table 10 on page 295 lists the jnxFruSlot number that appears in the jnxFruTable of the<br />
jnxBoxAnatomy MIB, and the corresponding line card physical slot number in each<br />
member router of a two-member MX Series Virtual Chassis. For example, a jnxFruSlot<br />
value of 15 corresponds to physical slot 3 in member 0 of an MX Series Virtual Chassis.<br />
A jnxFruSlot value of 30 corresponds to physical slot 6 in member 1 of an MX Series<br />
Virtual Chassis.<br />
294<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Table 10: jnxFruSlot Numbers and Corresponding Slot Numbers in an MX<br />
Series Virtual Chassis<br />
jnxFruSlot Number<br />
Line Card Slot Number<br />
MX Series Virtual Chassis Member ID<br />
Line Cards in MX Series Virtual Chassis Member ID 0 (offset = 12):<br />
12<br />
0<br />
0<br />
13<br />
1<br />
0<br />
14<br />
2<br />
0<br />
15<br />
3<br />
0<br />
16<br />
4<br />
0<br />
17<br />
5<br />
0<br />
18<br />
6<br />
0<br />
19<br />
7<br />
0<br />
20<br />
8<br />
0<br />
21<br />
9<br />
0<br />
22<br />
10<br />
0<br />
23<br />
11<br />
0<br />
Line Cards in MX Series Virtual Chassis Member ID 1 (offset = 24)<br />
24<br />
0<br />
1<br />
25<br />
1<br />
1<br />
26<br />
2<br />
1<br />
27<br />
3<br />
1<br />
28<br />
4<br />
1<br />
29<br />
5<br />
1<br />
30<br />
6<br />
1<br />
31<br />
7<br />
1<br />
32<br />
8<br />
1<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
295
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 10: jnxFruSlot Numbers and Corresponding Slot Numbers in an MX<br />
Series Virtual Chassis (continued)<br />
jnxFruSlot Number<br />
Line Card Slot Number<br />
MX Series Virtual Chassis Member ID<br />
33<br />
9<br />
1<br />
34<br />
10<br />
1<br />
35<br />
11<br />
1<br />
[Junos OS High Availability Configuration Guide, Junos OS SNMP MIBs and Traps<br />
Reference]<br />
Infrastructure<br />
• The description of PR 675582 in the Previous <strong>Release</strong>s subsection under the Issues in<br />
Junos OS <strong>Release</strong> for M Series, MX Series, and T Series Routers main section, which lists<br />
the resolved issues, ambiguously mentions that unified ISSU is not supported when<br />
upgrading from Junos OS <strong>Release</strong> 10.x to 11.1 or 11.2 on M Series, T Series, and TX Series<br />
devices with multicast configuration. The correct statement regarding this limitation<br />
on unified ISSU is as follows:<br />
Because of certain changes to the Junos OS multicast infrastructure in Junos OS <strong>Release</strong><br />
11.1 and later, unified ISSU is not supported when upgrading from Junos OS <strong>Release</strong><br />
10.x to 11.1 or 11.2 and later on M Series, T Series, and TX Series devices with multicast<br />
configuration.<br />
[<strong>Release</strong> <strong>Notes</strong>]<br />
Interfaces and Chassis<br />
• The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces<br />
Configuration Guide states that one way to configure an ATM II interface to enable a<br />
Layer 2 circuit connection across all versions of Junos OS is the following:<br />
• For Layer 2 circuit cell relay and Layer 2 trunk modes, the atm-l2circuit-mode cell<br />
statement at the [edit chassis fpc slot pic slot] hierarchy level and the encapsulation<br />
atm-ccc-cell-relay statement at the [edit interface interface-name] hierarchy level.<br />
The configuration above is correct and interoperates with routers running all versions<br />
of Junos OS.<br />
However, the chapter does not mention that you can also include the encapsulation<br />
atm-ccc-cell-relay statement at the [edit interface interface-name unit<br />
logical-unit-number] hierarchy level. When you use this configuration, keep the following<br />
points in mind:<br />
• This configuration interoperates between <strong>Juniper</strong> <strong>Networks</strong> routers running Junos<br />
OS <strong>Release</strong> 8.2 or earlier.<br />
• This configuration does not interoperate with other network equipment, including a<br />
<strong>Juniper</strong> <strong>Networks</strong> router running Junos OS <strong>Release</strong> 8.3 or later.<br />
296<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• For a <strong>Juniper</strong> <strong>Networks</strong> router running Junos OS <strong>Release</strong> 8.3 or later to interoperate<br />
with another <strong>Juniper</strong> <strong>Networks</strong> router running Junos OS <strong>Release</strong> 8.2 or earlier, on the<br />
router running Junos OS <strong>Release</strong> 8.3 or later, include the use-null-cw statement at<br />
the [edit interfaces interface-name atm-options] hierarchy level.<br />
• The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic)<br />
an extra null control word in the MPLS packet.<br />
• The use-null-cw statement is not supported on a router running Junos OS <strong>Release</strong><br />
8.2 or earlier.<br />
[ATM Interfaces]<br />
• With Junos OS <strong>Release</strong> 10.1 and later, you need not include the tunnel option or the<br />
clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel.<br />
[Services Interfaces]<br />
• The 10.3 through 11.1 Network Interfaces Configuration Guides and the 11.2 Ethernet<br />
Interfaces Configuration Guide require the following corrections:<br />
• A new fifth bullet was added to the "802.3 link aggregation" bullet list, as follows:<br />
Multiple <strong>Juniper</strong> <strong>Networks</strong> Type 4, 100-Gigabit Ethernet PICs on a T1600 router can<br />
be combined into a static aggregated Ethernet bundle to connect to a different type<br />
of 100 gigabit Ethernet PIC on a remote router, from <strong>Juniper</strong> <strong>Networks</strong> or other<br />
vendors. LACP is not supported in this configuration.<br />
• The "Ingress traffic performance" bullet was revised and now reads as follows:<br />
Ingress traffic performance—Maximum ingress throughput is 100 gigabits per second<br />
on the physical interface, with 50 gigabits per second on the two assigned logical<br />
interfaces. To achieve 100 gigabits per second ingress traffic performance, use one<br />
of the interoperability modes described below. For example, if VLAN steering mode<br />
is not used when connecting to a remote 100 gigabits per second interface (that is<br />
on a different 100 gigabits per second PIC on a <strong>Juniper</strong> <strong>Networks</strong> router or a different<br />
vendor’s equipment), then all ingress traffic will try to use one of the 50 gigabits per<br />
second Packet Forwarding Engines, rather than be distributed among the two 50<br />
gigabits per second Packet Forwarding Engines, resulting in a total of 50 gigabits<br />
per second ingress performance.<br />
[Network Interfaces, Ethernet Interfaces]<br />
• The 20-port Gigabit Ethernet MIC (MIC-3D-20GE-SFP) does not have hardware<br />
counters for VLAN frames. Therefore, the VLAN tagged frames field displays 0 when<br />
the show interfaces command is executed on a 20-port Gigabit Ethernet MIC. In other<br />
words, the number of VLAN tagged frames cannot be determined for the 20-port<br />
Gigabit Ethernet MIC. This information is documented in Junos OS Documentation,<br />
<strong>Release</strong> 12.2 and later only.<br />
• Single-core Routing Engine support for M7i and M10i routers—The information about<br />
the single-core Routing Engine support on M7i and M10i routers is not updated as part<br />
of Junos OS Documentation, <strong>Release</strong> 11.4R4. More information about this feature will<br />
be added to the Junos OS Interfaces Fundamentals Configuration Guide and Junos OS<br />
Software Installation and Upgrade Guide in Junos OS <strong>Release</strong> 12.2R1.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
297
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• The show chassis network-services command displays the network services mode that<br />
is currently active and running on the router, instead of the configured network services<br />
mode.<br />
[System Basics and Services Command Reference]<br />
• The lmi-type statement incorrectly states that Consortium LMI is supported only on<br />
M320 routers with Enhanced III FPCs and specific IQE PICs and on MX80, MX240,<br />
MX480, and MX960 routers with MICs specified in the Configuring Tunable Keepalives<br />
for Frame Relay LMI section. The following is the correct compatibility statement:<br />
Consortium LMI is supported on all MPCs and I-chip based FPCs.<br />
[Frame Relay Interfaces]<br />
• The interface-mode configuration statement topic incorrectly states that you cannot<br />
use the accept option with the interface-mode statement at the [edit interfaces<br />
interface-name unit logical-unit-number family bridge] and [edit logical-systems<br />
logical-system-name interfaces interface-name unit logical-unit-number family bridge]<br />
hierarchy levels to configure a logical interface to accept untagged packets on MPCs<br />
or MICs. You can configure the access option with the interface-mode statement to<br />
accept untagged packets on MPCs or MICs on MX Series routers.<br />
[Network Interfaces, Ethernet Interfaces]<br />
• The show chassis fabric reachability and the show chassis fabric unreachable-destinations<br />
command topics fail to state that these commands are also supported on MX240,<br />
MX480, and MX960 routers from Junos OS <strong>Release</strong> 11.4R2 and Junos OS <strong>Release</strong> 12.1.<br />
The Supported Platforms section of this topic fails to mention MX240, MX480, and<br />
MX960 routers on which these commands are supported.<br />
[System Basics and Services Command Reference]<br />
• The Interfaces and Chassis subsection in the New Features in Junos OS <strong>Release</strong> for M<br />
Series, MX Series, and T Series Routers section of the Junos OS 12.1R1 and Junos OS<br />
11.4R3 <strong>Release</strong> <strong>Notes</strong> fails to describe the following information regarding support for<br />
disabling FPCs with degraded fabric bandwidth. This feature is available in Junos OS<br />
<strong>Release</strong> 12.1R1 and later, and Junos OS <strong>Release</strong> 11.4R3 and later.<br />
Support for disabling an FPC with degraded fabric bandwidth —An FPC working with<br />
degraded fabric bandwidth can affect the re-routing process and can cause partial<br />
traffic black holes. On an MX960, MX480, or MX240 router, you can now configure<br />
the option to bring down an FPC whose fabric bandwidth has degraded because of<br />
link errors or bad fabric planes. This configuration is particularly useful in partial black<br />
hole scenarios where bringing the FPC offline results in faster re-routing.<br />
To configure this option on an FPC, use the offline-on-fabric-bandwidth-reduction<br />
statement at the [edit chassis fpc slot-number] hierarchy level.<br />
Configuring this feature does not affect the system. You can configure this feature<br />
without restarting the FPC or restarting the system.<br />
[<strong>Release</strong> <strong>Notes</strong>]<br />
• The Interfaces and Chassis subsection in the New Features in Junos OS <strong>Release</strong> for M<br />
Series, MX Series, and T Series Routers section of the Junos OS 12.2R1 and Junos OS<br />
298<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
11.4R3 <strong>Release</strong> <strong>Notes</strong> fails to describe the following information regarding support for<br />
redundancy fabric mode for active control boards on MX Series routers. This feature<br />
is available in Junos OS <strong>Release</strong> 11.4R3 and later, and Junos OS <strong>Release</strong> 12.2 and later.<br />
Support for redundant fabric made on active control boards of MX Series routers—An<br />
FPC working with reduced fabric bandwidth can affect the re-routing process and can<br />
cause partial traffic black holes. You can now enable increased fabric bandwidth of<br />
active control boards for optimal and efficient performance and traffic handling. On<br />
an MX960, MX480, or MX240 router, you can configure the active control board to be<br />
in redundancy mode or in increased fabric bandwidth mode. In increased fabric<br />
bandwidth mode, the maximum number of available fabric planes are used for MX<br />
routers with Trio chips and the MPC3E. On MX960 routers with active control boards,<br />
6 active planes are used, and on MX240 and MX480 routers with active control boards,<br />
8 active planes are used.<br />
To configure redundancy mode for the active control board, use the redundancy-mode<br />
redundant statement at the [edit chassis fabric] hierarchy level. When you configure<br />
this option, all the FPCs use 4 fabric planes as active planes, regardless of the type of<br />
the FPC. If you do not configure this option, increased fabric bandwidth mode is enabled<br />
by default on MX routers with Switch Control Board (SCB). The MX Series routers that<br />
contain the enhanced Switch Control Board (SCB) with Trio chips and the MPC3E, the<br />
control boards operate in redundancy fabric mode (all the FPCs use 4 fabric planes<br />
as active planes) by default.<br />
To configure increased bandwidth mode for the active control board, use the<br />
increased-bandwidth statement at the [edit chassis fabric] hierarchy level. When you<br />
configure this option, all the available fabric planes are used.<br />
Configuring this feature does not affect the system. You can configure this feature<br />
without restarting the FPC or restarting the system.<br />
You can use the show chassis fabric redundancy-mode command to verify whether the<br />
redundancy fabric mode is enabled.<br />
[<strong>Release</strong> <strong>Notes</strong>]<br />
• The Interfaces and Chassis subsection in the New Features in Junos OS <strong>Release</strong> 12.2 for<br />
M Series, MX Series, and T Series Routers section of the Junos OS 12.1R1 and Junos OS<br />
11.4R2 <strong>Release</strong> <strong>Notes</strong> fails to describe the following information regarding support for<br />
limiting black hole-time by detecting unreachable destinations. This feature is available<br />
in Junos OS <strong>Release</strong> 11.4R2 and later, and Junos OS <strong>Release</strong> 12.1R1 and later.<br />
Limiting traffic black-hole time by detecting Packet Forwarding Engine destinations<br />
that are unreachable over the fabric (MX240, MX480, and MX960 routers)—Enables<br />
the MX240, MX480, and MX960 routers to limit traffic black-hole time by detecting<br />
unreachable destination Packet Forwarding Engines. The router signals neighboring<br />
routers when it cannot carry traffic because of the inability of some or all source Packet<br />
Forwarding Engines to forward traffic to some or all destination Packet Forwarding<br />
Engines on any fabric plane, after interfaces have been created. This inability to forward<br />
traffic results in a traffic black hole.<br />
Packet Forwarding Engine destinations can become unreachable for the following<br />
reasons:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
299
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• The control boards go offline as a result of a CLI command or a pressed physical<br />
button.<br />
• The fabric control boards are turned offline because of high temperature.<br />
• Voltage or polled I/O errors in the SIBs detected by the SPMB.<br />
• All Packet Forwarding Engines receive destination errors on all planes from remote<br />
Packet Forwarding Engines, even when the SIBs are online.<br />
• Complete fabric loss caused by destination timeouts, even when the SIBs are online.<br />
When the system detects any unreachable Packet Forwarding Engine destinations,<br />
healing from a traffic black hole is attempted. If the healing fails, the system turns off<br />
the interfaces, thereby stopping the traffic black hole.<br />
The recovery process consists of the following phases:<br />
1. Fabric plane restart phase: Healing is attempted by restarting the fabric planes one<br />
by one. This phase does not start if the fabric plane is functioning properly and a<br />
single Flexible PIC Concentrator (FPC) is bad. An error message is generated to<br />
specify that a black hole is the reason for the fabric plane being turned offline. This<br />
phase is performed for fabric plane errors only.<br />
2. Fabric plane and FPC restart phase: The system waits for the first phase to be<br />
completed before examining the system state again. If the black hole condition still<br />
persists after the first phase is performed or if the problem occurs again within a<br />
duration of 10 minutes, healing is attempted by restarting both the fabric planes<br />
and the FPCs. If you the configured the action-fpc-restart-disable statement at the<br />
[edit chassis fabric degraded] hierarchy level to disable restart of the FPCs when a<br />
recovery is attempted, an alarm is triggered to indicate that a traffic black hole has<br />
occurred. In this second phase, three steps are taken:<br />
1. All the FPCs that have destination errors on a PFE are turned offline<br />
2. The fabric planes are turned offline and brought back online, one by one, starting<br />
with the spare plane.<br />
3. The FPCs that were turned offline are brought back online.<br />
3. FPC offline phase: The system waits for the second phase to be completed before<br />
examining the system state again. Traffic black hole is limited by turning the FPCs<br />
offline and by turning off interfaces because previous attempts at recovery have<br />
failed. If the problem is not resolved by restarting the FPCs or if the problem recurs<br />
within 10 minutes after restarting the FPCs, this phase is performed.<br />
By default, the system limits black-hole time by detecting severely degraded fabric.<br />
You do not need to configure anything to enable this feature. However, you can limit<br />
recovery actions to fabric plane restart only. You need to fix the traffic black hole by<br />
performing steps 2 and 3 manually.<br />
In Junos OS <strong>Release</strong> 11.4R2 and later, and Junos OS <strong>Release</strong> 12.1R1 and later, new alarms<br />
are added to indicate which FPCs are creating a traffic black hole in the system and<br />
to provide information about FPCs that are turned offline to stop the black hole in the<br />
recovery process.<br />
300<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
In Junos OS <strong>Release</strong> 11.4R2 and later, and Junos OS <strong>Release</strong> 12.1R1 and later, new error<br />
messages are added to indicate whether the traffic black hole is detected by<br />
unreachable FPCs in the system, or it is due to all planes being offline. These messages<br />
also indicate the actions taken on FPCs and planes to stop the black hole—for example,<br />
FPC online, FPC offline , FPC restart, FPC power off, plane online, and plane offline.<br />
Two new CLI commands are introduced for this feature:<br />
• The show chassis fabric unreachable-destinations command shows the list of<br />
destinations that have changed from reachable to unreachable.<br />
• The show chassis fabric reachability command shows the current state of fabric<br />
destination reachability, based on periodic reachability checks.<br />
[<strong>Release</strong> <strong>Notes</strong>]<br />
• The tunnel-services configuration statement topic incorrectly states that you can use<br />
the tunnel-services statement to specify that the IQ2 or IQ2E PIC will work both as a<br />
regular PIC and as a tunnel PIC. The correct functionality of the tunnel-services<br />
statement is as follows:<br />
You can specify the IQ2 and IQ2E PICs to work exclusively in tunnel mode or as a regular<br />
PIC. To configure exclusive tunnel mode, use the tunnel-only statement at the [edit<br />
chassis fpc slot-number pic slot-number tunnel-services] hierarchy level. The default<br />
setting uses IQ2 and IQ2E PICs as a regular PIC. If you do not configure the tunnel-only<br />
option, the IQ2 and IQ2 PICs operate as regular PICs.<br />
[System Basics, Chassis-Level Features]<br />
• The frame-error configuration statement topic incorrectly states that the default<br />
window during which frame errors are counted until they reach the configured threshold<br />
is 100 milliseconds. The correct description of the default window is as follows:<br />
The window or period during which frame errors are counted is 5 seconds or multiples<br />
of it (with a maximum value of 1 minute). This window denotes the duration as intervals<br />
of 100 milliseconds, encoded as a 16-bit unsigned integer. This window is not<br />
configurable in Junos OS. According to the IEEE 802.3ah standard, the default value<br />
of the frame-errors window is 1 second. This window has a lower bound of 1 second<br />
and an upper bound of 1 minute.<br />
[Network Interfaces, Ethernet Interfaces]<br />
• In the Chassis Conditions That Trigger Alarms section, the introductory paragraph<br />
contains an incorrect link for Table 9. Instead of specifying Table 9 as a link, the "Chassis<br />
Component Alarm Conditions on M5 and M10 Routers" heading that points to Table<br />
1 is presented. The correct description is as follows:<br />
Table 1 through Table 9 list the alarms that the chassis components can generate.<br />
Also, the following additional information regarding the generation of alarms when<br />
the management interface is down in routers with a single Routing Engine or the master<br />
Routing Engine applies to Table 1 through Table 8.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
301
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 11: Chassis Component Alarm Conditions<br />
Chassis<br />
Component<br />
Alarm Condition<br />
Remedy<br />
Alarm<br />
Severity<br />
Routing Engine<br />
The Ethernet management<br />
interface (fxp0 or em0) on<br />
the Routing Engine is down.<br />
• Check the interface<br />
cable connection.<br />
• Reboot the system.<br />
Red<br />
• If the alarm recurs, open<br />
a support case using the<br />
Case Manager link at<br />
http://www.juniper.net/support/<br />
or call 1-888-314-JTAC<br />
(within the United<br />
States) or<br />
1-408-745-9500 (from<br />
outside the United<br />
States)<br />
[System Basics, Chassis-Level Features]<br />
• The Support for redundant fabric made on active control boards of MX Series routers<br />
topic in the Interfaces and Chassis subsection in the New Features in Junos OS <strong>Release</strong><br />
12.2 for M Series, MX Series, and T Series Routers section of the Junos OS 12.2R2 <strong>Release</strong><br />
<strong>Notes</strong> and Junos OS 11.4R6 <strong>Release</strong> <strong>Notes</strong> erroneously states that If you do not configure<br />
the redundancy-mode redundant statement at the [edit chassis fabric] hierarchy level,<br />
increased fabric bandwidth mode is enabled by default on MX routers.<br />
The correct default behavior of redundant fabric mode on MX routers is as follows:<br />
Increased fabric bandwidth mode is enabled by default on MX routers with Switch<br />
Control Board (SCB). On MX routers that contain the enhanced SCB with Trio chips<br />
and the MPC3E, redundancy mode is enabled by default.<br />
[<strong>Release</strong> <strong>Notes</strong>]<br />
J-Web Interface<br />
• To access the J-Web interface, your management device requires the following<br />
software:<br />
• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version<br />
3.0<br />
• Language support—English-version browsers<br />
302<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• Supported OS—Microsoft Windows XP Service Pack 3<br />
Junos OS XML API and Scripting<br />
• In the Junos OS Configuration and Operations Automation Guide, the archive-sites<br />
configuration statement incorrectly states that you can configure an HTTP URL at the<br />
[edit event-options destinations dest-name archive-sites url] hierarchy level. HTTP URLs<br />
are not supported under this configuration hierarchy level.<br />
[Junos OS Configuration and Operations Automation Guide]<br />
Layer 2 Ethernet Services<br />
• In the Layer 2 Configuration Guide, the examples provided in the sections Configuring<br />
Layer 2 Protocol Tunneling, Configuring BPDU Protection on Individual Interfaces, and<br />
Configuring BPDU Protection on All Edge Ports are incorrect for configuring Layer 2<br />
tunneling with routing instances.<br />
• In the MX Series Ethernet Services Routers Solutions Guide, the configuration commands<br />
in the Example: Configuring One VPLS Instance for Several VLANs section incorrectly<br />
describe the usage of the vlan-id all statement for normalizing VLANs in VPLS instances.<br />
The following information replaces the configuration commands and supplements<br />
the description in that section for the sample topology:<br />
Alternatively, instead of configuring a VPLS instance, you can define a virtual switch<br />
with a bridge domain and associate the logical interfaces as trunk ports with the bridge<br />
domain. This configuration is necessary if you want to configure a list or range of VLAN<br />
IDs on the logical interfaces and use the vlan-id all statement to normalize VLANs.<br />
A Layer 2 virtual switch, which isolates a LAN segment with its spanning-tree protocol<br />
instance and separates its VLAN ID space, filters and forwards traffic only at the data<br />
link layer. Each bridge domain consists of a set of logical ports that participate in Layer<br />
2 learning and forwarding.<br />
You can configure VPLS ports in a virtual switch so that the logical interfaces of the<br />
Layer 2 bridge domains in the virtual switch can handle VPLS routing instance traffic.<br />
VPLS configuration no longer requires a dedicated routing instance of type vpls. Packets<br />
received on a Layer 2 trunk interface are forwarded within a bridge domain that has<br />
the same VLAN identifier. A trunk interface is implicitly associated with bridge domains<br />
based on VLAN membership.<br />
You can use either of the following two mechanisms to normalize VLAN identifiers and<br />
process them in a bridge domain or a VPLS routing instance:<br />
• By using the input-vlan-map and the output-vlan-map statements at the [edit<br />
interfaces interface-name] hierarchy level to configure VLAN mapping.<br />
• By using either the vlan-id statement or the vlan-tags statement to configure a<br />
normalizing VLAN identifier.<br />
The vlan-id and vlan-tags statements are used to specify the normalizing VLAN identifier<br />
under the bridge domain or VPLS routing instance. The normalizing VLAN identifier is<br />
used to perform the following functions:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
303
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Translate, or normalize, the VLAN tags of received packets received into a learn<br />
VLAN identifier.<br />
• • Create multiple learning domains that each contain a learn VLAN identifier. A<br />
learning domain is a MAC address database to which MAC addresses are added<br />
based on the learn VLAN identifier.<br />
If you configure the vlan-id all statement in a VPLS routing instance, we recommend<br />
using the input-vlan-map pop and output-vlan-map push statements on the logical<br />
interface to pop the service VLAN ID on input and push the service VLAN ID on output<br />
and in this way limit the impact of doubly-tagged frames on scaling. You cannot use<br />
the native vlan- id statement when the vlan-id all statement is included in the<br />
configuration.<br />
For the same network topology illustrated in Figure 1, if VLANs 1 through 1000 for<br />
customer C1 span the same sites, you can normalize the VLANs by doing one of the<br />
following. Using either of these optimal methods, you can switch and normalize all of<br />
these VLANs in an effective, streamlined manner without configuring separately for<br />
each VLAN ID.<br />
• By configuring a VPLS routing instance if the logical interfaces are specified with a<br />
range of consecutive VLANs or a list of non-contiguous VLAN IDs and using VLAN<br />
maps to rewrite the VLAN tags on all of the incoming and outgoing packets on the<br />
logical interfaces with a normalized VLAN ID<br />
• By configuring a virtual-switch instance consisting of a set of bridge domains that<br />
are associated with one or more logical interfaces configured as a trunk port<br />
You cannot use the vlan-id statement to enable VLAN normalization in VPLS instances,<br />
if the logical interfaces in the VPLS instance are configured with the vlan-id-list or<br />
vlan-id-range statement. In such a scenario, you can use the input-vlan-map or the<br />
output-vlan-map option to achieve VLAN normalization.<br />
The following example illustrates the use of the VLAN mapping functionality in VPLS<br />
routing instances to normalize VLANs. This method is beneficial in scenarios with<br />
flexible VLAN tagging (asymmetric tag depth). In such an environment, the VLAN<br />
configuration data that you specified applies the appropriate VLAN tags to the input<br />
and output VLAN maps for the ingress and egress logical interfaces respectively. For<br />
example, if certain packets are received as single- tagged packets and if the remaining<br />
packets are received as double-tagged packets, using VLAN mapping enables<br />
normalization.<br />
Using the VLAN mapping capability is effective only if packets of unequal VLAN tags<br />
are received or transmitted from logical interfaces to achieve normalization. We<br />
recommend that you do not use VLAN mapping in environments in which the VLAN<br />
tags are of equal tag depths for optimal configuration. In such cases, you can use the<br />
vlan-id all statement to enable normalization of VLANs.<br />
[edit]<br />
interfaces ge-1/0/0 {<br />
encapsulation flexible-ethernet-services;<br />
flexible-vlan-tagging;<br />
unit 1 {<br />
encapsulation vlan-vpls;<br />
vlan-id-range 1-1000;<br />
304<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
input-vlan-map {<br />
push; /* Push the service vlan on input */<br />
vlan-id 1200; # This VLAN ID is the normalized VLAN for incoming packets<br />
}<br />
output-vlan-map pop; /* Pop the service vlan on output */<br />
}<br />
unit 11 {<br />
encapsulation vlan-vpls;<br />
vlan-id 1500;<br />
}<br />
}<br />
interfaces ge-2/0/0 {<br />
encapsulation flexible-ethernet-services;<br />
flexible-vlan-tagging;<br />
unit 1 {<br />
encapsulation vlan-vpls;<br />
vlan-id-range 1-1000; # Note the use of the VLAN id range statement.<br />
input-vlan-map {<br />
push; /* Push the service vlan on input */<br />
vlan-id 1300; # This VLAN ID is the normalized VLAN for incoming packets<br />
}<br />
output-vlan-map pop; /* Pop the service vlan on output */<br />
}<br />
}<br />
}<br />
interfaces ge-3/0/0 {<br />
encapsulation flexible-ethernet-services;<br />
flexible-vlan-tagging;<br />
unit 1 {<br />
encapsulation vlan-vpls;<br />
vlan-id 1-1000;<br />
input-vlan-map {<br />
push; /* Push the service vlan on input */<br />
vlan-id 1400; # This VLAN ID is the normalized VLAN for incoming packets<br />
}<br />
output-vlan-map pop; /* Pop the service vlan on output */<br />
}<br />
}<br />
}<br />
interfaces ge-6/0/0 {<br />
encapsulation flexible-ethernet-services;<br />
flexible-vlan-tagging;<br />
unit 11 {<br />
encapsulation vlan-vpls;<br />
vlan-id 1500;<br />
}<br />
}<br />
routing-instances {<br />
customer-c1-v1-to-v1000 {<br />
instance-type vpls;<br />
interface ge-1/0/0.1;<br />
interface ge-2/0/0.1;<br />
interface ge-3/0/0.1;<br />
} # End of customer-c1-v1-to-v1000<br />
customer-c1-v1500 {<br />
instance-type vpls;<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
305
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
interface ge-1/0/0.11;<br />
interface ge-6/0/0.11;<br />
} # End of customer-c1-v1500<br />
} # End of routing-instances<br />
The following operations are performed when you use the VLAN mapping configuration:<br />
• Packets received on logical interfaces ge-1/0/0.1 , or ge-2/0/0.1, or ge-3/0/0.1, with<br />
a single VLAN tag in the range from 1 through 1000 in the frame are accepted.<br />
• The VLAN tags of a received packet are compared with the normalized VLAN tags<br />
specified with the vlan-id statement in the input VLAN map. If the VLAN tags of the<br />
received packet are different from the normalized VLAN tags, then the received VLAN<br />
tag is converted to the normalized VLAN tag of 1200 for packets received on the<br />
logical interface ge-1/0/0.1. Similarly, for logical interface ge-2/0/0.1, the normalized<br />
VLAN tag is 1300 for received packets and for logical interface ge-3/0/0.1, the<br />
normalized VLAN tag is 1400. Then, the source MAC address of a received packet is<br />
learned based on the normalized VLAN configuration.<br />
For output packets, based on the output vlan-map pop statement configured on the<br />
logical interfaces ge-1/0/0.1 , or ge-2/0/0.1, or ge-3/0/0.1, if the VLAN tags associated<br />
with an egress logical interface do not match the normalized VLAN tags within the<br />
packet, then the VLAN tags in the packets that are being transmitted from the egress<br />
logical interface are removed.<br />
• Unknown source MAC addresses and unknown destination MAC addresses are<br />
learned based on their normalized VLAN values of 1 through 1000.<br />
• All packets sent on the VPLS pseudowire have a normalized VLAN tag after the<br />
source MAC address field in the encapsulated Ethernet packet.<br />
• The input-vlan-map pop and output-vlan-map push statements on the logical interface<br />
cause the service VLAN ID to be popped on input and the service VLAN ID to be<br />
pushed on output and in this way, the impact of doubly-tagged frames on scaling is<br />
limited.<br />
The following example illustrates the use of the vlan-id all statement in logical interfaces<br />
when a virtual switch instance with a bridge domain is associated with the logical<br />
interfaces. You can normalize VLANs and create learning domains for each VLAN. A<br />
routing instance uses a trunk bridge to connect different departments in an organization,<br />
each with their own VLANs, at two different sites. You must configure a bridge domain<br />
and VLAN identifier for each VLAN associated with the trunk interface.<br />
[edit]<br />
interfaces ge-1/0/0 {<br />
encapsulation flexible-ethernet-services;<br />
flexible-vlan-tagging;<br />
unit 1 {<br />
encapsulation vlan-vpls;<br />
family-bridge {<br />
interface-mode trunk;<br />
vlan-id-range 1-1000; # Note the use of the VLAN id range statement.<br />
}<br />
}<br />
unit 11 {<br />
306<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
encapsulation vlan-vpls;<br />
family-bridge {<br />
interface-mode trunk;<br />
vlan-id 1500;<br />
}<br />
}<br />
}<br />
interfaces ge-2/0/0 {<br />
encapsulation flexible-ethernet-services;<br />
flexible-vlan-tagging;<br />
unit 1 {<br />
encapsulation vlan-vpls;<br />
interface-mode trunk;<br />
vlan-id-range 1-1000; # Note the use of the VLAN id range statement.<br />
}<br />
}<br />
}<br />
interfaces ge-3/0/0 {<br />
encapsulation flexible-ethernet-services;<br />
flexible-vlan-tagging;<br />
unit 1 {<br />
encapsulation vlan-vpls;<br />
interface-mode trunk;<br />
vlan-id-range 1-1000; # Note the use of the VLAN id range statement.<br />
}<br />
}<br />
}<br />
interfaces ge-6/0/0 {<br />
encapsulation flexible-ethernet-services;<br />
flexible-vlan-tagging;<br />
unit 11 {<br />
encapsulation vlan-vpls;<br />
interface-mode trunk;<br />
vlan-id 1500;<br />
}<br />
}<br />
}<br />
routing-instances {<br />
customer-c1-virtual-switch {<br />
instance-type virutal-switch;<br />
interface ge-1/0/0.1;<br />
interface ge-2/0/0.1;<br />
interface ge-3/0/0.1;<br />
bridge-domains {<br />
c1-vlan-v1-to-v1000 {<br />
vlan-id all; # Note the use of the VLAN id all statement<br />
}<br />
}<br />
} # End of customer-c1-v1-to-v1000<br />
customer-c2-virtual-switch {<br />
instance-type virtual-switch;<br />
interface ge-1/0/0.11;<br />
interface ge-6/0/0.11;<br />
bridge-domains {<br />
c1-vlan-v1500 {<br />
vlan-id all; # Note the use of the VLAN id all statement<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
307
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
}<br />
}<br />
} # End of customer-c1-v1500<br />
} # End of routing-instances<br />
Note the use of the vlan-id all and vlan-id-range statements in the virtual-switch<br />
instance called customer-c1-v1-to-v1000. The vlan-id all statement implicitly creates<br />
multiple learning domains, each with its own normalized VLAN.<br />
The following operations are performed when you use the vlan-id all configuration:<br />
• The logical interfaces are configured as a trunk port that multiplexes traffic from<br />
multiple VLANs and usually interconnects switches.<br />
• All the VLAN identifiers are associated with a Layer 2 trunk port. Each of the logical<br />
interfaces, ge-1/0/0.1 , or ge-2/0/0.1, or ge-3/0/0.1, accepts packets tagged with any<br />
VLAN ID specified in the respective vlan-id-range statements.<br />
• The association of the received packet to a logical interface is done by matching the<br />
VLAN tags of the received packet with the VLAN tags configured on one of the logical<br />
interfaces on that physical port. The vlan-id all configuration within the bridge domain<br />
c1-vlan-v1-to-v1000 for customer-c1-virtual-switch sets the normalized VLAN value.<br />
For a logical interface with a single VLAN tag, a learning domain implicitly created<br />
for each normalized VLAN of the interface.<br />
• Bridge domain c1-vlan-v1-to-v1000 for customer-c1-virtual-switch has three logical<br />
interfaces:<br />
• Logical interface ge-1/0/0.1 configured on physical port ge-1/0/0.<br />
• Logical interface ge-2/0/0.1configured on physical port ge-2/0/0.<br />
• Logical interface ge-3/0/0.1configured on physical port ge-3/0/0.<br />
• Packets received on logical interfaces ge-1/0/0.11 or ge-6/0/0.11 with a single VLAN<br />
tag of 1500 in the frame are accepted.<br />
• Unknown source MAC addresses and unknown destination MAC addresses are<br />
learned based on their normalized VLAN values of 1 through 1000.<br />
• All packets sent on the VPLS pseudowire have a normalized VLAN tag after the<br />
source MAC address field in the encapsulated Ethernet packet.<br />
• Although there are only three logical interfaces in the VPLS instance called<br />
customer-c1-virtual-switch, the same MAC address (for example, M1) can be learned<br />
on different logical interfaces for different VLANs. For example, MAC address M1<br />
could be learned on logical interface ge-1/0/0.1 for VLAN 500 and also on logical<br />
interface ge-2/0/0.1 for VLAN 600.<br />
[MX Series Ethernet Services Routers SolutionsGuide]<br />
308<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Multicast<br />
• The listings for the following RFCs incorrectly state that Junos OS supports only SSM<br />
include mode. Both include mode and exclude mode are supported in Junos OS <strong>Release</strong><br />
9.3 and later.<br />
• RFC 3376, Internet Group Management Protocol, Version 3<br />
• RFC 3590, Source Address Selection for the Multicast Listener Discovery (MLD) Protocol<br />
[Hierarchy and Standards Reference]<br />
Routing Policy and Firewall Filters<br />
• The conditions under which enhanced network services mode must be configured for<br />
use with firewall filters were documented incorrectly in the Firewall Filters and Enhanced<br />
Network Services Mode Overview topic. Use the following guidelines when configuring<br />
enhanced network services mode with firewall filters:<br />
• In configurations where interfaces are created either statically or dynamically and<br />
firewall filters are applied dynamically, you must configure the chassis network<br />
services to run in enhanced mode by including the network-services statement at<br />
the [edit chassis] hierarchy level.<br />
• In configurations where interfaces are created statically and firewall filters are applied<br />
statically, you must do both of the following:<br />
• Configure chassis network services to run in enhanced mode by including the<br />
network-services statement at the [edit chassis] hierarchy level,<br />
• Configure each firewall filter for enhanced mode by including the enhanced-mode<br />
statement at the [edit firewall filter filter-name], [edit firewall family family-name<br />
filter filter-name], [edit logical-system logical-system-name firewall filter filter-name],<br />
or [edit logical-system logical-system-name firewall family family-name filter<br />
filter-name] hierarchy level.<br />
• When you configure an IPv6 firewall filter, the next-header icmp6 and next-header<br />
icmpv6 match conditions perform the same function. next-header icmp6 is the preferred<br />
option. next-header icmpv6 is hidden in the Junos OS CLI.<br />
• The description of the filter-name option in the documentation for the filter and<br />
simple-filter configuration statements is incorrect. The correct description is:<br />
filter-name—Name that identifies the filter. This must be a non-reserved string of not<br />
more than 64 characters. No special characters are restricted. However, to include<br />
spaces in the name, enclose it in quotation marks (“ ”).<br />
[Firewall Filter and Policer Configuration Guide]<br />
• The description of the routing-instance-name option in the documentation for the<br />
routing-instances configuration statement is incorrect. The correct description is:<br />
routing-instance-name—Name of the routing instance. This must be a non-reserved<br />
string of not more than 128 characters.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
309
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[Routing Protocols Configuration Guide]<br />
• In routing instances, when a BGP neighbor sends BGP messages to the local routing<br />
device, the incoming interface on which these messages are received must be configured<br />
in the same routing instance that the BGP neighbor configuration exists in. This is true<br />
for neighbors that are a single hop away or multiple hops away.<br />
[Routing Protocols]<br />
Services Applications<br />
• The clear services l2tp session statistics and clear services l2tp tunnel statistics topics<br />
in the System Basics and Services Command Reference Guide for Junos OS <strong>Release</strong><br />
10.4 through 11.4 erroneously state that these commands are supported on MX Series<br />
routers. This support will be added in a future release.<br />
[System Basics and Services Command Reference]<br />
• The rate statement for packet sampling is now configured at the [edit forwarding<br />
options sampling input family family] hierarchy level.<br />
[Services Interfaces]<br />
• The documentation for the secured-port-block-allocation that appears at the [edit<br />
services nat pool poolname port secured-port-block-allocation] shows incorrect ranges<br />
of values for the block-size block-size and max-blocks-per-address max-blocks options.<br />
The correct range of values for block-size is 1 through 60,000; the correct range of<br />
values for max-blocks is 1 through 512.<br />
[Services Interface, Next-Generation Network Solutions]<br />
• The aes-128-cbc, aes-192-cbc, and aes-256-cb options that you can configure with the<br />
encryption-algorithm statement at the [edit services ipsec-vpn ipsec proposal<br />
proposal-name] hierarchy level are incorrectly specified as ase-128-cbc, ase-192-cbc,<br />
and ase-256-cb options in the following topics in the Security Services section of the<br />
System Basics Configuration Guide:<br />
• Security Services Configuration Statements<br />
• Configuring Minimum IKE Requirements for IPsec on an ES PIC<br />
• Configuring an IKE Proposal for Dynamic SAs<br />
• encryption-algorithm<br />
[System Basics, Security Services]<br />
• Certain changes to NAT (network address translation) PBA (port block allocation)<br />
configuration require a reboot of the services PIC in order for the changes order to take<br />
effect. A warning should be issued during the commit, informing you of the need to<br />
reboot. Because the warning is not currently being issued, the documentation should<br />
include the following warnings:<br />
• For secured port block allocation, you must reboot when you change block-size,<br />
port-range, add or delete prefixes, or modify the from hierarchy in the NAT rule.<br />
310<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
• For deterministic PBA, you must reboot when you change block-size or<br />
max-blocks-per-address.<br />
Subscriber Access Management<br />
• The Subscriber Access Configuration Guide fails to state that L2TP on MX Series routers<br />
is supported only on MX240, MX480, and MX960 routers. It is not supported on MX80<br />
routers.<br />
[Subscriber Access]<br />
• The Configuring Per-Subscriber Session Accounting topic in the Subscriber Access<br />
Configuration Guide incorrectly states that the update-interval statement rounds up<br />
an interval of 10 through 15 minutes to 15. The actual behavior is that all configured<br />
values are rounded up to the next higher multiple of 10. For example, the values 811<br />
through 819 are all accepted by the CLI, but are all rounded up to 820.<br />
[Subscriber Access]<br />
• The DHCP topics in the Junos OS Subscriber Access Configuration Guide for Junos OS<br />
release 11.4 neglect to describe port requirements for DHCP firewall filters. Accurate<br />
filtering of DHCP packets at the Routing Engine is different when the DHCP services<br />
are managed by the jdhcpd process (MX Series routers, M120 routers, and M320 routers)<br />
rather than the dhcpd and fud processes (other router series). For the MX Series routers,<br />
you must specify both port 67 (bootps) and port 68 (bootpc) for both the source port<br />
and destination port in the match conditions for the filter term that acts on packets<br />
from the DHCP server.<br />
In the following sample filter, the dhcp-server-accept term matches on UDP (DHCP)<br />
packets with a source port of 67 or 68 and a destination port of 67 or 68.<br />
firewall {<br />
family inet {<br />
filter RE-protect {<br />
term dhcp-client-accept {<br />
from {<br />
source-address {<br />
0.0.0.0/32;<br />
}<br />
destination-address {<br />
255.255.255.255/32;<br />
}<br />
protocol udp;<br />
source-port 68;<br />
destination-port 67;<br />
}<br />
then {<br />
count dhcp-client-accept;<br />
accept;<br />
}<br />
}<br />
term dhcp-server-accept {<br />
from {<br />
protocol udp;<br />
source-port [ 67 68 ];<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
311
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
destination-port [ 67 68 ];<br />
}<br />
then {<br />
count dhcp-server-accept;<br />
accept;<br />
}<br />
}<br />
}<br />
}<br />
}<br />
• The Configuring an L2TP Tunnel Group for LNS Sessions with Inline Services Interfaces<br />
topic in the Subscriber Access Configuration Guide for Junos OS <strong>Release</strong> 11.4 incorrectly<br />
mentions support for the tunnel-timeout statement at the [edit services l2tp<br />
tunnel-group name] hierarchy level. This statement is not supported on MX Series<br />
routers. The syslog statement at the same hierarchy level is also not supported for MX<br />
Series routers.<br />
[Subscriber Access]<br />
• The Junos OS Subscriber Management Scaling Values (XLS) spreadsheet for <strong>Release</strong><br />
11.4 neglected to include the following note:<br />
To scale beyond 64,000 logical interfaces in an aggregated Ethernet configuration,<br />
you must have an RE-S-1800 and you must enable Enhanced IP Network Services<br />
mode on the router. To enable this mode, include the chassis network-services<br />
enhanced-ip statement at the [edit chassis] hierarchy level and reboot the router. When<br />
the router reboots, only MPCs and Multiservices DPCs come online. For more information<br />
about network services modes, see<br />
http://www.juniper.net/techpubs/en_US/junos11.4/topics/concept/network-services-mode-overview.html.<br />
• In the Software Feature Licenses topic of the Software Installation and Upgrade Guide,<br />
the Junos OS Feature Licenses table states that the L2TP Base license for L2TP scaling<br />
is not supported. In fact, the correct license is the LNS Feature Pack license and it does<br />
support L2TP LNS scaling. For details about L2TP scaling values, see the Junos OS<br />
Subscriber Management Scaling Values (XLS) spreadsheet from the Downloads box<br />
at http://www.juniper.net/techpubs/en_US/junosrelease-number/information-products<br />
/pathway-pages/subscriber-access/index.html. Substitute the number of the latest<br />
Junos OS release for the release-number. For example, ...en_us/junos11.4/....<br />
• The PPP MIB overview topic in the SNMP MIBs and Traps Reference Guide fails to state<br />
that the PPP MIB is supported on the Common Edge PPP process, jpppd. SNMP support<br />
for PPP over PPPoE interfaces is active only if the jpppd process is enabled.<br />
The PPPoE MIB overview topic in the SNMP MIBs and Traps Reference Guide fails to<br />
state that the PPPoE MIB is supported on the Common Edge PPPoE process, jpppoed.<br />
SNMP support for PPPoE over Ethernet interfaces is active only if the jpppoed process<br />
is enabled.<br />
[SNMP MIBS and Traps Reference]<br />
• In the Junos OS Subscriber Access Configuration Guide, the Dedicated Queue Scaling<br />
for CoS Configurations on Trio MPC/MIC Interfaces Overview topic incorrectly describes<br />
the number of subscribers that can be supported per MPC port on a 60-Gigabit Ethernet<br />
Enhanced Queuing MPC. Because this MPC is limited to 16,000 subscribers per PIC,<br />
312<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
you can accommodate a maximum of 16,000 subscribers per port whether you dedicate<br />
4 or 8 queues per subscriber.<br />
[Subscriber Access ]<br />
• The DHCP in Broadband <strong>Networks</strong> topic erroneously states that the Junos OS subscriber<br />
management solution currently supports only DHCP as a multiple-client configuration<br />
protocol. However, subscriber management solutions support DHCP and PPPoE as<br />
multiple-client configuration protocols.<br />
[Broadband Subscriber Management Solutions]<br />
• The Configuring Service Packet Counting topic in the Junos OS Subscriber Access<br />
Configuration Guide does not include the following configuration guideline. When you<br />
specify the service-accounting action for the term, you cannot additionally configure<br />
the count action in the same term.<br />
[Subscriber Access]<br />
• The table titled Supported <strong>Juniper</strong> <strong>Networks</strong> VSAs in the <strong>Juniper</strong> <strong>Networks</strong> VSAs<br />
Supported by the AAA Service Framework topic lists RADIUS VSA 26-157<br />
(IPv6-NdRa-Pool-Name). This VSA is not supported and should not appear in the<br />
table.<br />
[Subscriber Access]<br />
• The Configuring a Dynamic Profile for Client Access topic erroneously uses the<br />
$junos-underlying-interface variable when an IGMP interface is configured in the client<br />
access dynamic profile. The following example provides the appropriate use of the<br />
$junos-interface-name variable:<br />
[edit dynamic-profiles access-profile]<br />
user@host# set protocols igmp interface $junos-interface-name<br />
• The Subscriber Access Configuration Guide and the System Basics Configuration Guide<br />
contain information about the override-nas-information statement. This statement<br />
does not appear in the CLI and is not supported.<br />
[Subscriber Access, System Basics]<br />
• When you modify dynamic CoS parameters with a RADIUS change of authorization<br />
(CoA) message, Junos OS accepts invalid configurations. For example, if you specify<br />
a transmit rate that exceeds the allowed 100 percent, the system does not reject the<br />
configuration and returns unexpected shaping behavior.<br />
[Subscriber Access]<br />
• <strong>Juniper</strong> <strong>Networks</strong> does not support multicast RIF mapping and ANCP when configured<br />
simultaneously on the same logical interface. For example, configuring a multicast<br />
VLAN and ANCP on the same logical interface is not supported, and the subscriber<br />
VLANs are the same for both ANCP and multicast.<br />
[Subscriber Access]<br />
• The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber<br />
Access Configuration Guide erroneously states that dynamic CoS is supported for<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
313
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
dynamic VLANs on the Trio MPC/MIC family of products. In Junos OS <strong>Release</strong> 11.1,<br />
dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces.<br />
[Subscriber Access]<br />
• The Subscriber Access Configuration Guide incorrectly describes the authentication-order<br />
statement as it is used for subscriber access management. When configuring the<br />
authentication-order statement for subscriber access management, you must always<br />
specify the radius method. Subscriber access management does not support the<br />
password keyword (the default), and authentication fails when you do not specify an<br />
authentication method.<br />
[Subscriber Access]<br />
• In the Subscriber Access Configuration Guide, the <strong>Juniper</strong> <strong>Networks</strong> VSAs Supported by<br />
the AAA Service Framework table and the RADIUS-Based Mirroring Attributes table<br />
incorrectly describe VSA 26-59. The correct description is as follows:<br />
Attribute Number<br />
Attribute Name<br />
Description<br />
26-59<br />
Med-Dev-Handle<br />
Identifier that associates mirrored traffic to a specific<br />
subscriber.<br />
[Subscriber Access]<br />
• In the Subscriber Access Configuration Guide, the table titled "Supported <strong>Juniper</strong><br />
<strong>Networks</strong> VSAs" in the "<strong>Juniper</strong> <strong>Networks</strong> VSAs Supported by the AAA Service<br />
Framework" topic lists RADIUS VSA 26-42 (Input-Gigapackets) and VSA 26-43<br />
(Output-Gigapackets). These two VSAs are not supported.<br />
[Subscriber Access]<br />
• In the Junos OS Subscriber Access Configuration Guide, the "Qualifications for Change of<br />
Authorization" section in the topic titled “RADIUS-initiated Change of Authorization<br />
(CoA) Overview”, has been rewritten as follows to clarify how CoA uses the RADIUS<br />
attributes and VSAs.<br />
314<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Qualifications for Change of Authorization<br />
To complete the change of authorization for a user, you specify identification<br />
attributes and session attributes. The identification attributes identify the subscriber.<br />
Session attributes specify the operation (activation or deactivation) to perform on<br />
the subscriber’s session and also include any client attributes for the session (for<br />
example, QoS attributes). The AAA Service Framework handles the actual request.<br />
Table 12 on page 315 shows the identification attributes for CoA operations.<br />
NOTE: Using the Acct-Session-ID attribute to identify the subscriber<br />
session is more explicit than using the User-Name attribute. When you<br />
use the Acct-Session-ID, the attribute identifies the specific subscriber<br />
and session. When you use the User-Name as the identifier, the CoA<br />
operation is applied to the first session that was logged in with the<br />
specified username. However, because a subscriber might have multiple<br />
sessions associated with the same username, the first session might<br />
not be the correct session for the CoA operation.<br />
Table 12: Identification Attributes<br />
Attribute<br />
Description<br />
User-Name [RADIUS attribute 1]<br />
Subscriber username.<br />
Acct-Session-ID [RADIUS attribute 44]<br />
Specific subscriber and session.<br />
Table 13 on page 315 shows the session attributes for CoA operations. Any additional<br />
client attributes that you include depend on your particular session requirements.<br />
Table 13: Session Attributes<br />
Attribute<br />
Description<br />
Activate-Service [<strong>Juniper</strong> <strong>Networks</strong> VSA 26–65]<br />
Service to activate for the subscriber.<br />
Deactivate-Service [<strong>Juniper</strong> <strong>Networks</strong> VSA<br />
26–66]<br />
Service to deactivate for the subscriber.<br />
[Subscriber Access]<br />
• The table on the MX5, MX10, MX40, and MX80 3D Universal Edge Router index page<br />
(http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products<br />
/pathway-pages/mx-series/mx5-mx10-mx40-mx80/index.html) is unclear regarding<br />
subscriber management support on the MX80 router. The MX80 router supports only<br />
those subscriber management features that were qualified on MX Series routers up<br />
through Junos OS <strong>Release</strong> 10.1. Features first available in <strong>Release</strong> 10.2 and later releases<br />
have not yet been qualified on the MX80 router.<br />
[Subscriber Access]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
315
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• In the Junos OS Subscriber Access Configuration Guide, the DHCPv6 Local Server Overview<br />
topic includes a note stating that the DHCPv6 local server does not support dynamic<br />
profiles or the local address-assignment pools feature. That note is incorrect—DHCPv6<br />
local server supports address-assignment pool starting in Junos OS <strong>Release</strong> 10.0, and<br />
supports dynamic profiles starting in Junos OS <strong>Release</strong> 10.1.<br />
[Subscriber Access<br />
• The show subscribers topic in the Junos OS System Basics and Services Command<br />
Reference omits the following information about using the address option for the show<br />
subscribers command.<br />
When you issue the show subscribers address command, you must specify the IPv4 or<br />
IPv6 address prefix without a netmask, as shown in the following example:<br />
user@host> show subscribers address 192.168.17.1 detail<br />
If you specify the IP address as a prefix with a netmask, as shown in the following<br />
example, the router displays a message that the IP address is invalid, and rejects the<br />
command.<br />
user@host> show subscribers address 192.168.17.1/32 detail<br />
Invalid argument: invalid ip_address 192.168.17.1/32<br />
[Junos OS System Basics and Services Command Reference]<br />
• The Example: HTTP Service Attached to a Static Interface topic in the Junos OS Subscriber<br />
Access Configuration Guide provides an incorrect example for configuring a service filter<br />
as a walled garden. The correct example is as follows:<br />
The following example uses a service filter as a walled garden by defining a rule named<br />
redirect, referencing the rule in a profile named http-redirect, configuring a service set<br />
named http-redirect that references the http-redirect captive portal content delivery<br />
profile, and attaching the http-redirect service set to static interface ge-1/0/1.0.<br />
[edit services]<br />
captive-portal-content-delivery {<br />
rule redirect {<br />
match-direction input;<br />
term t1 {<br />
from {<br />
destination-address {<br />
100.0.1.1/32;<br />
}<br />
}<br />
then {<br />
redirect http://www.google.com;<br />
}<br />
}<br />
}<br />
profile http-redirect {<br />
cpcd-rules redirect;<br />
}<br />
}<br />
service-set http-redirect {<br />
captive-portal-content-delivery-profile http-redirect;<br />
interface-service {<br />
service-interface ms-1/0/0;<br />
316<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
}<br />
}<br />
[edit interfaces ge-1/0/1]<br />
unit 0 {<br />
family inet {<br />
service {<br />
input {<br />
service-set http-redirect service-filter walled;<br />
}<br />
output {<br />
service-set http-redirect;<br />
}<br />
}<br />
address 10.1.3.2/24;<br />
}<br />
}<br />
[Subscriber Access]<br />
• The Junos OS Subscriber Management Scaling Values (XLS) spreadsheet erroneously<br />
states that the maximum number of PPPoE interfaces per MPC1 is 15,996. The correct<br />
value is 31,998.<br />
[Subscriber Management Scaling]<br />
• The documentation for the subscriber management domain mapping feature in the<br />
Subscriber Access Configuration Guide describes using the aaa-logical-system and<br />
target-logical-system statements to configure mapping to a non-default logical system.<br />
Subscriber management is supported in the default logical system only. Configuring<br />
a non-default logical system is a future extension of subscriber management and is<br />
not supported in current Junos OS releases.<br />
[Subscriber Access]<br />
•<br />
The Dedicated Queue Scaling for CoS Configurations on Trio MPC/MIC Interfaces Overview<br />
topic in the Junos OS Subscriber Access Configuration Guide does not explain the queuing<br />
behavior on 30-Gigabit Ethernet Queuing MPCs with only one MIC. See Dedicated<br />
Queue Scaling for CoS Configurations on MIC and MPC Interfaces Overview for a more<br />
complete explanation of dedicated queue scaling.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
317
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
System Logging<br />
• The Junos OS <strong>Release</strong> 11.2 System Log Error Messages Reference Guide does not list<br />
the following new message that is now recorded in the system log, when the RSVP<br />
fails to reserve the requested bandwidth for a label-switched path (LSP):<br />
RPD_MPLS_REQ_BW_NOT_AVAILABLE<br />
System Log Message: RSVP failed to set up path with the requested bandwidth on<br />
LSP lsp-name<br />
Description: After a successful CSPF computation, network conditions changed and<br />
RSVP failed to set up path with the requested bandwidth and resulted in a path error.<br />
The LSP did not come up if it happened during initial LSP establishment. Otherwise,<br />
during an optimization or automatic bandwidth adjustment, the LSP continued to stay<br />
up on the old path and used the previous amount of bandwidth.<br />
Type: Event: This message reports an event, not an error<br />
Severity: warning<br />
Facility: LOG_DAEMON<br />
Action: This condition arises when the requested bandwidth is not available. No action<br />
required in general, but if the LSP does not get established at the first place, you may<br />
want to re-optimize the LSP, change the LSP bandwidth configuration, or add additional<br />
hardware to increase the available bandwidth.<br />
[System Log Error Messages Reference]<br />
User Interface and Configuration<br />
• The show system statistics bridge command displays system statistics on MX Series<br />
routers.<br />
[System Basics Command Reference]<br />
• In the Configuring ECMP Next Hops for RSVP and LDP LSPs for Load Balancing and<br />
maximum-ecmp documents, the following note was omitted:<br />
NOTE: MX Series routers with one or more Modular Port Concentrator<br />
(MPC) cards and with Junos OS 11.4 or earlier installed, support the<br />
configuration of the maximum-ecmp statement with only 16 next hops. You<br />
should not configure the maximum-ecmp statement with 32 or 64 next<br />
hops. When you commit the configuration with 32 or 64 next hops, the<br />
following warning message appears:<br />
Error: Number of members in Unilist NH exceeds the maximum supported 16<br />
on Trio.<br />
[MPLS Configuration Guide]<br />
318<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
VPNs<br />
• Junos OS <strong>Release</strong> 11.2 and earlier do not support point-to-multipoint LSPs with<br />
next-generation multicast VPNs on MX80 routers.<br />
[VPNs]<br />
• In Chapter 19, Configuring VPLS of the VPNs Configuration Guide, an incorrect statement<br />
that caused contradictory information about which platforms support LDP BGP<br />
interworking has been removed. The M7i router was also omitted from the list of<br />
supported platforms. The M7i router does support LDP BGP interworking.<br />
[VPNs]<br />
Changes to the Junos OS Documentation Set<br />
The following are the changes made to the Junos OS documentation set:<br />
• A new solutions guide, Junos OSNext-Generation Network Addressing CGN and IPv6<br />
Solutions, is now available at<br />
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/<br />
solutions-guide-next-generation-network-addressing/ngna-solutions-guide.pdf. The<br />
guide provides consolidated and updated information about how to use Carrier-Grade<br />
NAT (CGN) and related IPv6 transition technologies, including Dual-Stack Lite (DS-Lite),<br />
6rd, and 6to4 Provider-Managed Tunnels (PMT).<br />
• The Junos OS DDoS Protection Configuration Guide is now available at the following<br />
URL:<br />
http://www.juniper.net/techpubs/en_US/junos11.2/information-products/pathway-pages/<br />
config-guide-ddos/ddos-protection.html.<br />
• Stateless firewall filter and traffic policer documentation is no longer included in the<br />
Junos OS Policy Framework Configuration Guide. This material is now available in the<br />
Junos OS Firewall Filter and Policer Configuration Guide only.<br />
• Routing policy, traffic sampling, forwarding, and monitoring documentation is no longer<br />
included in the Junos OS Policy Framework Configuration Guide. This material is now<br />
available in the Junos OS Routing Policy Configuration Guide.<br />
• The material that was formerly covered in the Junos OS Policy Framework Configuration<br />
Guide Web pages is now available as three subject-based Web pages. You can locate<br />
the links to the new Web pages at the following URLs:<br />
• Routing Policy, Traffic Sampling, Forwarding, and Monitoring<br />
Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products<br />
/pathway-pages/config-guide-policy/config-guide-policy.html<br />
• Stateless Firewall Filter<br />
Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products<br />
/pathway-pages/config-guide-firewall-filter/config-guide-firewall-filter.html<br />
• Traffic Policer<br />
Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products<br />
/pathway-pages/config-guide-firewall-filter/config-guide-policer.html<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
319
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• The Junos OS Hierarchy and Standards Reference is now available as three subject-based<br />
Web pages. You can locate the links to the new Web pages for the guides at the<br />
following URLs:<br />
• Junos OS Configuration Statements and<br />
Commands—http://www.juniper.net/techpubs/en_US/junos11.1/information-products<br />
/pathway-pages/reference-hierarchy/junos-configuration-hierarchies.html<br />
• Junos OS Product and Feature<br />
Descriptions—http://www.juniper.net/techpubs/en_US/junos11.1/information-products<br />
/pathway-pages/reference-hierarchy/junos-product-features.html<br />
• Standards Supported by the Junos<br />
OS—http://www.juniper.net/techpubs/en_US/junos11.1/information-products/pathway-pages<br />
/reference-hierarchy/junos-supported-standards.html<br />
• In Junos OS <strong>Release</strong> 10.3R1 and later, PDF files are not available for individual HTML<br />
pages in the Junos OS documentation set. PDF files are available for the complete<br />
Junos OS <strong>Release</strong> 10.3 configuration guides at<br />
http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the<br />
complete hardware guides are accessible at the following URLs:<br />
• For M Series routers:<br />
http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products<br />
/pathway-pages/m-series/<br />
• For MX Series routers:<br />
http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products<br />
/pathway-pages/mx-series/<br />
• For T Series and TX Matrix routers:<br />
http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products<br />
/pathway-pages/t-series/<br />
In addition, individual HTML pages have a Print link in the upper left corner of the text<br />
area on the page.<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
on page 73<br />
• Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong><br />
11.4 for M Series, MX Series, and T Series Routers on page 153<br />
• Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers on page 172<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 321<br />
320<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T<br />
Series Routers<br />
This section discusses the following topics:<br />
• Basic Procedure for Upgrading to <strong>Release</strong> 11.4 on page 321<br />
• Upgrade and Downgrade Support Policy for Junos OS <strong>Release</strong>s on page 324<br />
• Upgrading a Router with Redundant Routing Engines on page 325<br />
• Upgrading <strong>Juniper</strong> Network Routers Running Draft-Rosen Multicast VPN to Junos OS<br />
<strong>Release</strong> 10.1 on page 325<br />
• Upgrading the Software for a Routing Matrix on page 327<br />
• Upgrading Using ISSU on page 328<br />
• Upgrading from Junos OS <strong>Release</strong> 9.2 or Earlier on a Router Enabled for Both PIM and<br />
NSR on page 328<br />
• Downgrade from <strong>Release</strong> 11.4 on page 329<br />
Basic Procedure for Upgrading to <strong>Release</strong> 11.4<br />
In order to upgrade to Junos OS 10.0 or later, you must be running Junos OS 9.0S2, 9.1S1,<br />
9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the no-validate<br />
option on the request system software install command.<br />
When upgrading or downgrading Junos OS, always use the jinstall package. Use other<br />
packages (such as the jbundle package) only when so instructed by a <strong>Juniper</strong> <strong>Networks</strong><br />
support representative. For information about the contents of the jinstall package and<br />
details of the installation process, see the Junos OS Installation and Upgrade Guide.<br />
NOTE: With Junos OS <strong>Release</strong> 9.0 and later, the compact flash disk memory<br />
requirement for Junos OS is 1 GB. For M7i and M10i routers with only 256 MB<br />
memory, see the Customer Support Center JTAC Technical Bulletin<br />
PSN-2007-10-001 at<br />
https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001<br />
&actionBtn=Search.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
321
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
NOTE: Before upgrading, back up the file system and the currently active<br />
Junos configuration so that you can recover to a known, stable environment<br />
in case the upgrade is unsuccessful. Issue the following command:<br />
user@host> request system snapshot<br />
The installation process rebuilds the file system and completely reinstalls<br />
Junos OS. Configuration information from the previous software installation<br />
is retained, but the contents of log files might be erased. Stored files on the<br />
routing platform, such as configuration templates and shell scripts (the only<br />
exceptions are the juniper.conf and ssh files) might be removed. To preserve<br />
the stored files, copy them to another system before upgrading or<br />
downgrading the routing platform. For more information, see the Junos OS<br />
System Basics Configuration Guide.<br />
322<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
The download and installation process for Junos OS <strong>Release</strong> 11.4 is different from earlier<br />
Junos OS releases.<br />
Perform the following steps to download and install Junos OS:<br />
1. Using a Web browser, navigate to the All Junos Platforms software download URL on<br />
the <strong>Juniper</strong> <strong>Networks</strong> web page:<br />
http://www.juniper.net/support/downloads/<br />
2. Select the name of the Junos OS platform for the software that you want to download.<br />
3. Select the release number (the number of the software version that you want to<br />
download) from the <strong>Release</strong> drop-down list to the right of the Download Software<br />
page.<br />
4. Select the Software tab.<br />
5. In the Install Package section of the Software tab, select the software package for the<br />
release.<br />
6. Log in to the <strong>Juniper</strong> <strong>Networks</strong> authentication system using the username (generally<br />
your e-mail address) and password supplied by <strong>Juniper</strong> <strong>Networks</strong> representatives.<br />
7. Review and accept the End User License Agreement.<br />
8. Download the software to a local host.<br />
9. Copy the software to the routing platform or to your internal software distribution<br />
site.<br />
10. Install the new jinstall package on the routing platform.<br />
NOTE: We recommend that you upgrade all software packages out of<br />
band using the console because in-band connections are lost during the<br />
upgrade process.<br />
Customers in the United States and Canada use the following command:<br />
user@host> request system software add validate reboot<br />
source/jinstall-11.4R71-domestic-signed.tgz<br />
All other customers use the following command:<br />
user@host> request system software add validate reboot<br />
source/jinstall-11.4R71-export-signed.tgz<br />
Replace source with one of the following values:<br />
• /pathname—For a software package that is installed from a local directory on the<br />
router.<br />
• For software packages that are downloaded and installed from a remote location:<br />
• ftp://hostname/pathname<br />
• http://hostname/pathname<br />
• scp://hostname/pathname (available only for Canada and U.S. version)<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
323
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
The validate option validates the software package against the current configuration<br />
as a prerequisite to adding the software package to ensure that the router reboots<br />
successfully. This is the default behavior when the software package being added is<br />
a different release.<br />
Adding the reboot command reboots the router after the upgrade is validated and<br />
installed. When the reboot is complete, the router displays the login prompt. The<br />
loading process can take 5 to 10 minutes.<br />
Rebooting occurs only if the upgrade is successful.<br />
NOTE: After you install a Junos OS <strong>Release</strong> 11.4 jinstall package, you cannot<br />
issue the request system software rollback command to return to the previously<br />
installed software. Instead you must issue the request system software add<br />
validate command and specify the jinstall package that corresponds to the<br />
previously installed software.<br />
NOTE: Before you upgrade a router that you are using for voice traffic, you<br />
should monitor call traffic on each virtual BGF. Confirm that no emergency<br />
calls are active. When you have determined that no emergency calls are<br />
active, you can wait for nonemergency call traffic to drain as a result of<br />
graceful shutdown, or you can force a shutdown. For detailed information<br />
on how to monitor call traffic before upgrading, see the Junos OS Multiplay<br />
Solutions Guide.<br />
Upgrade and Downgrade Support Policy for Junos OS <strong>Release</strong>s<br />
Support for upgrades and downgrades that span more than three Junos OS releases at<br />
a time is not provided, except for releases that are designated as Extended End-of-Life<br />
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can<br />
upgrade directly from one EEOL release to the next EEOL release even though EEOL<br />
releases generally occur in increments beyond three releases.<br />
You can upgrade or downgrade to the EEOL release that occurs directly before or after<br />
the currently installed EEOL release, or to two EEOL releases before or after the currently<br />
installed release. For example, Junos OS <strong>Release</strong>s 10.0, 10.4, and 11.4 are EEOL releases.<br />
You can upgrade from Junos OS <strong>Release</strong> 10.0 to <strong>Release</strong> 10.4 or even from Junos OS<br />
<strong>Release</strong> 10.0 to <strong>Release</strong> 11.4. However, you cannot upgrade or downgrade directly from<br />
a non-EEOL release that is more than three releases ahead or behind. For example, you<br />
cannot directly upgrade from Junos OS <strong>Release</strong> 10.3 (a non-EEOL release) to Junos OS<br />
<strong>Release</strong> 11.4 or directly downgrade from Junos OS <strong>Release</strong> 11.4 to Junos OS <strong>Release</strong> 10.3.<br />
To upgrade or downgrade from a non-EEOL release to a release more than three releases<br />
before or after the currenlty installed release, first upgrade to the next EEOL release and<br />
then upgrade or downgrade from that EEOL release to your target release.<br />
For more information about EEOL releases and to review a list of EEOL releases, see<br />
http://www.juniper.net/support/eol/junos.html .<br />
324<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Upgrading a Router with Redundant Routing Engines<br />
If the router has two Routing Engines, perform a Junos OS installation on each Routing<br />
Engine separately to avoid disrupting network operation as follows:<br />
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine<br />
and save the configuration change to both Routing Engines.<br />
2. Install the new Junos OS release on the backup Routing Engine while keeping the<br />
currently running software version on the master Routing Engine.<br />
3. After making sure that the new software version is running correctly on the backup<br />
Routing Engine, switch over to the backup Routing Engine to activate the new software.<br />
4. Install the new software on the original master Routing Engine that is now active as<br />
the backup Routing Engine.<br />
For the detailed procedure, see the Junos OS Installation and Upgrade Guide.<br />
Upgrading <strong>Juniper</strong> Network Routers Running Draft-Rosen Multicast VPN to Junos<br />
OS <strong>Release</strong> 10.1<br />
In releases prior to Junos OS <strong>Release</strong> 10.1, the draft-rosen multicast VPN feature<br />
implements the unicast lo0.x address configured within that instance as the source<br />
address used to establish PIM neighbors and create the multicast tunnel. In this mode,<br />
the multicast VPN loopback address is used for reverse path forwarding (RPF) route<br />
resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN<br />
loopback address is also used as the source address in outgoing PIM control messages.<br />
In Junos OS <strong>Release</strong> 10.1 and later, you can use the router’s main instance loopback<br />
(lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM<br />
state for the multicast VPN. We strongly recommend that you perform the following<br />
procedure when upgrading to Junos OS <strong>Release</strong> 10.1 if your draft-rosen multicast VPN<br />
network includes both <strong>Juniper</strong> Network routers and other vendors’ routers functioning<br />
as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout<br />
the upgrade process.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
325
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Because Junos OS <strong>Release</strong> 10.1 supports using the router’s main instance loopback (lo0.0)<br />
address, it is no longer necessary for the multicast VPN loopback address to match the<br />
main instance loopback adddress lo0.0 to maintain interoperability.<br />
NOTE: You might want to maintain a multicast VPN instance lo0.x address<br />
to use for protocol peering (such as IBGP sessions), or as a stable router<br />
identifier, or to support the PIM bootstrap server function within the VPN<br />
instance.<br />
Complete the following steps when upgrading routers in your draft-rosen multicast VPN<br />
network to Junos OS <strong>Release</strong> 10.1 if you want to configure the routers’s main instance<br />
loopback address for draft-rosen multicast VPN:<br />
1. Upgrade all M7i and M10i routers to Junos OS <strong>Release</strong> 10.1 before you configure the<br />
loopback address for draft-rosen Multicast VPN.<br />
NOTE: Do not configure the new feature until all the M7i and M10i routers<br />
in the network have been upgraded to Junos OS <strong>Release</strong> 10.1.<br />
2. After you have upgraded all routers, configure each router’s main instance loopback<br />
address as the source address for multicast interfaces. Include the default-vpn-source<br />
interface-name loopback-interface-name] statement at the [edit protocols pim]<br />
hierarchy level.<br />
3. After you have configured the router’s main loopback address on each PE router,<br />
delete the multicast VPN loopback address (lo0.x) from all routers.<br />
We also recommend that you remove the multicast VPN loopback address from all<br />
PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure<br />
interoperability with other vendors’ routers in a draft-rosen multicast VPN network,<br />
you had to perform additional configuration. Remove that configuration from both<br />
the <strong>Juniper</strong> <strong>Networks</strong> routers and the other vendors’ routers. This configuration should<br />
be on <strong>Juniper</strong> <strong>Networks</strong> routers and on the other vendors’ routers where you configured<br />
the lo0.mvpn address in each VRF instance as the same address as the main loopback<br />
(lo0.0) address.<br />
This configuration is not required when you upgrade to Junos OS <strong>Release</strong> 10.1 and use<br />
the main loopback address as the source address for multicast interfaces.<br />
NOTE: To maintain a loopback address for a specific instance, configure<br />
a loopback address value that does not match the main instance address<br />
(lo0.0).<br />
For more information about configuring the draft-rosen Multicast VPN feature, see the<br />
Junos OS Multicast Configuration Guide.<br />
326<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
Upgrading the Software for a Routing Matrix<br />
A routing matrix can use either a TX Matrix router as the switch-card chassis (SCC) or a<br />
TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade<br />
software for a TX Matrix router or a TX Matrix Plus router, the new image is loaded onto<br />
the TX Matrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or<br />
sfc option) and distributed to all T640 routers or T1600 routers in the routing matrix<br />
(specified in the Junos OS CLI by using the lcc option). To avoid network disruption during<br />
the upgrade, ensure the following conditions before beginning the upgrade process:<br />
• A minimum of free disk space and DRAM on each Routing Engine. The software upgrade<br />
will fail on any Routing Engine without the required amount of free disk space and<br />
DRAM. To determine the amount of disk space currently available on all Routing Engines<br />
of the routing matrix, use the CLI show system storage command. To determine the<br />
amount of DRAM currently available on all the Routing Engines in the routing matrix,<br />
use the CLI show chassis routing-engine command.<br />
• The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC)<br />
and T640 routers or T1600 routers (LCC) are all re0 or are all re1.<br />
• The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC)<br />
and T640 routers or T1600 routers (LCC) are all re1 or are all re0.<br />
• All master Routing Engines in all routers run the same version of software. This is<br />
necessary for the routing matrix to operate.<br />
• All master and backup Routing Engines run the same version of software before<br />
beginning the upgrade procedure. Different versions of the Junos OS can have<br />
incompatible message formats especially if you turn on GRES. Because the steps in<br />
the process include changing mastership, running the same version of software is<br />
recommended.<br />
• For a routing matrix with a TX Matrix router, the same Routing Engine model is used<br />
within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix.<br />
For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using<br />
two RE-1600s is supported. However, an SCC or an LCC with two different Routing<br />
Engine models is not supported. We suggest that all Routing Engines be the same<br />
model throughout all routers in the routing matrix. To determine the Routing Engine<br />
type, use the CLI show chassis hardware | match routing command.<br />
• For a routing matrix with a TX Matrix Plus router, the SFC contains two model<br />
RE-DUO-C2600-16G Routing Engines, and each LCC contains two model<br />
RE-DUO-C1800-8G Routing Engines.<br />
NOTE: It is considered best practice to make sure that all master Routing<br />
Engines are re0 and all backup Routing Engines are re1 (or vice versa). For<br />
the purposes of this document, the master Routing Engine is re0 and the<br />
backup Routing Engine is re1.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
327
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
To upgrade the software for a routing matrix, perform the following steps:<br />
1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine<br />
(re0) and save the configuration change to both Routing Engines.<br />
2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping<br />
the currently running software version on the master Routing Engine (re0).<br />
3. Load the new Junos OS on the backup Routing Engine. After making sure that the new<br />
software version is running correctly on the backup Routing Engine (re1), switch<br />
mastership back to the original master Routing Engine (re0) to activate the new<br />
software.<br />
4. Install the new software on the new backup Routing Engine (re0).<br />
For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the<br />
Routing Matrix with a TX Matrix Plus Feature Guide.<br />
Upgrading Using ISSU<br />
Unified in-service software upgrade (ISSU) enables you to upgrade between two different<br />
Junos OS releases with no disruption on the control plane and with minimal disruption<br />
of traffic. Unified in-service software upgrade is only supported by dual Routing Engine<br />
platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active<br />
routing (NSR) must be enabled. For additional information about using unified in-service<br />
software upgrade, see the Junos High Availability Configuration Guide.<br />
Upgrading from Junos OS <strong>Release</strong> 9.2 or Earlier on a Router Enabled for Both PIM<br />
and NSR<br />
Junos OS <strong>Release</strong> 9.3 introduced NSR support for PIM for IPv4 traffic. However, the<br />
following PIM features are not currently supported with NSR. The commit operation fails<br />
if the configuration includes both NSR and one or more of these features:<br />
• Anycast RP<br />
• Draft-Rosen multicast VPNs (MVPNs)<br />
• Local RP<br />
• Next-generation MVPNs with PIM provider tunnels<br />
• PIM join load balancing<br />
Junos OS 9.3 <strong>Release</strong> introduced a new configuration statement that disables NSR for<br />
PIM only, so that you can activate incompatible PIM features and continue to use NSR<br />
for the other protocols on the router: the nonstop-routing disable statement at the [edit<br />
protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features,<br />
not only incompatible features.)<br />
If neither NSR nor PIM is enabled on the router to be upgraded or if one of the unsupported<br />
PIM features is enabled but NSR is not enabled, no additional steps are necessary and<br />
you can use the standard upgrade procedure described in other sections of these<br />
instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use<br />
328<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
the standard reboot or ISSU procedures described in the other sections of these<br />
instructions.<br />
Because the nonstop-routing disable statement was not available in Junos OS <strong>Release</strong><br />
9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to<br />
be upgraded from Junos OS <strong>Release</strong> 9.2 or earlier to a later release, you must disable<br />
PIM before the upgrade and reenable it after the router is running the upgraded Junos<br />
OS and you have entered the nonstop-routing disable statement. If your router is running<br />
Junos OS <strong>Release</strong> 9.3 or later, you can upgrade to a later release without disabling NSR<br />
or PIM–simply use the standard reboot or ISSU procedures described in the other sections<br />
of these instructions.<br />
To disable and reenable PIM:<br />
1. On the router running Junos OS <strong>Release</strong> 9.2 or earlier, enter configuration mode and<br />
disable PIM:<br />
[edit]<br />
user@host# deactivate protocols pim<br />
user@host# commit<br />
2. Upgrade to Junos OS <strong>Release</strong> 9.3 or later software using the instructions appropriate<br />
for the router type. You can either use the standard procedure with reboot or use ISSU.<br />
3. After the router reboots and is running the upgraded Junos OS, enter configuration<br />
mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable<br />
PIM:<br />
[edit]<br />
user@host# set protocols pim nonstop-routing disable<br />
user@host# activate protocols pim<br />
user@host# commit<br />
Downgrade from <strong>Release</strong> 11.4<br />
To downgrade from <strong>Release</strong> 11.4 to another supported release, follow the procedure for<br />
upgrading, but replace the 11.4 jinstall package with one that corresponds to the<br />
appropriate release.<br />
NOTE: You cannot downgrade more than three releases. For example, if your<br />
routing platform is running Junos OS <strong>Release</strong> 11.4, you can downgrade the<br />
software to <strong>Release</strong> 10.4 directly, but not to <strong>Release</strong> 10.3 or earlier; as a<br />
workaround, you can first downgrade to <strong>Release</strong> 10.4 and then downgrade<br />
to <strong>Release</strong> 10.3.<br />
For more information, see the Junos OS Installation and Upgrade Guide.<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers<br />
on page 73<br />
• Changes in Default Behavior and Syntax, and for Future <strong>Release</strong>s in Junos OS <strong>Release</strong><br />
11.4 for M Series, MX Series, and T Series Routers on page 153<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
329
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Issues in Junos OS <strong>Release</strong> 11.4 for M Series, MX Series, and T Series Routers on page 172<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for M Series, MX Series,<br />
and T Series Routers on page 293<br />
330<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Junos OS <strong>Release</strong> <strong>Notes</strong> for Branch SRX Series Services Gateways and J Series Services Routers<br />
Junos OS <strong>Release</strong> <strong>Notes</strong> for Branch SRX Series Services Gateways and J Series Services<br />
Routers<br />
Powered by Junos OS, <strong>Juniper</strong> <strong>Networks</strong> Branch SRX Series Services Gateways provide<br />
robust networking and security services. Branch SRX Series Services Gateways are<br />
designed to secure enterprise infrastructure, data centers, and server farms. The Branch<br />
SRX Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, and<br />
SRX650 devices.<br />
<strong>Juniper</strong> <strong>Networks</strong> J Series Services Routers running Junos OS provide stable, reliable, and<br />
efficient IP routing, WAN and LAN connectivity, and management services for small to<br />
medium-sized enterprise networks. These routers also provide network security features,<br />
including a stateful firewall with access control policies and screens to protect against<br />
attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320,<br />
J2350, J4350, and J6350 devices.<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and<br />
J Series Services Routers on page 331<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series<br />
Services Gateways and J Series Services Routers on page 350<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways<br />
and J Series Services Routers on page 357<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for Branch SRX Series Services Gateways<br />
and J Series Services Routers on page 378<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways<br />
and J Series Services Routers on page 380<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series<br />
Services Gateways and J Series Services Routers on page 401<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series<br />
Services Gateways and J Series Services Routers on page 409<br />
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series<br />
Services Routers<br />
The following features have been added to Junos OS <strong>Release</strong> 11.4. Following the<br />
description is the title of the manual or manuals to consult for further information.<br />
NOTE: For the latest updates about support and issues on Junos Pulse, see<br />
the Junos Pulse <strong>Release</strong> <strong>Notes</strong> at<br />
http://www.juniper.net/techpubs/en_US/junos-pulse1.0/information-products/<br />
pathway-pages/junos-pulse/index.html<br />
• <strong>Release</strong> 11.4R5 New Features on page 332<br />
• <strong>Release</strong> 11.4R3 New Features on page 335<br />
• <strong>Release</strong> 11.4R2 New Features on page 336<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
331
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Software Features on page 338<br />
• Hardware Features—SRX210 Services Gateways on page 346<br />
• Hardware Features—SRX240 Services Gateway on page 347<br />
<strong>Release</strong> 11.4R5 New Features<br />
Network Address Translation (NAT)<br />
• Network Address Translation support for port mapping—This feature is supported<br />
on all branch SRX Series and J Series devices<br />
Network Address Translation (NAT) now provides destination-port low to high and<br />
mapped-port low to high statements to allow static NAT to map ports as follows:<br />
• To map multiple IP addresses to the same IP addresses on a specified range of ports<br />
• To map a specific IP address and port to a different IP address and port<br />
Examples of configuring static NAT with port mapping:<br />
set security nat static rule-set rs from zone trust rule r1 match destination-address 1.1.1.1/32<br />
set security nat static rule-set rs from zone trust rule r1 destination-port 100 to 200<br />
set security nat static rule-set rs from zone trust rule r1 then static-nat prefix 10.1.1.1/32<br />
set security nat static rule-set rs from zone trust rule r1 then static-nat prefix mapped-port 300<br />
to 400<br />
set security nat static rule-set rs from zone trust rule r2 match destination-address 1.1.1.1/32<br />
set security nat static rule-set rs from zone trust rule r2 destination-port 300 to 400<br />
set security nat static rule-set rs from zone trust rule r2 then static-nat prefix 10.1.1.2/32<br />
set security nat static rule-set rs from zone trust rule r2 then static-nat prefix mapped-port 300<br />
to 400<br />
set security nat static rule-set rs from zone trust rule r3 match destination-address 1.1.1.3/32<br />
set security nat static rule-set rs from zone trust rule r3 destination-port 300<br />
set security nat static rule-set rs from zone trust rule r3 then static-nat prefix 10.1.1.2/32<br />
set security nat static rule-set rs from zone trust rule r3 then static-nat prefix mapped-port 200<br />
New IPSec Phase 2 Authentication Algorithm<br />
• Prior to Junos OS <strong>Release</strong> 11.2R6, 11.4R3, and 12.1R1, if you configure set security ipsec<br />
proposal authentication-algorithm hmac-sha-256-128 , HMAC calculation on<br />
Branch SRX devices 96-bit of ESP authentication data length was used instead of<br />
128-bit. In order to address interoperability issue between the Junos OS <strong>Release</strong> 11.4R3<br />
and 11.4R3 onwards, a new authentication-algorithm hmac-sha-256-96 (non-RFC<br />
compliant) is used in 11.4R5.<br />
Syntax: set security ipsec proposal authentication-algorithm<br />
hmac-sha-256-96<br />
user@host>set security ipsec proposal my-proposal authentication-algorithm ?<br />
Possible completions:<br />
hmac-md5-96<br />
HMAC-MD5-96 authentication algorithm<br />
hmac-sha-256-128 HMAC-SHA-256-128 authentication algorithm<br />
hmac-sha-256-96 HMAC-SHA-256-96 authentication algorithm (non-RFC<br />
compliant)<br />
hmac-sha1-96<br />
HMAC-SHA1-96 authentication algorithm<br />
check the authentication by running show security ipsec security-associations detail.<br />
user@host>show security ipsec security-associations index 1 detail<br />
332<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
D: 1 Virtual-system: root, VPN Name: my-tunnel<br />
Local Gateway: 10.10.10.1, Remote Gateway: 10.10.10.2<br />
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)<br />
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)<br />
Version: IKEv1<br />
DF-bit: clear<br />
Policy-name: my-policy<br />
Direction: inbound, SPI: 6ee39796, AUX-SPI: 0<br />
, VPN Monitoring: -<br />
Hard lifetime: Expires in 3175 seconds<br />
Lifesize Remaining: Unlimited<br />
Soft lifetime: Expires in 2551 seconds<br />
Mode: Tunnel(0 0), Type: dynamic, State: installed<br />
Protocol: ESP, Authentication: hmac-sha256-96, Encryption: aes-cbc (256<br />
bits)<br />
Anti-replay service: disabled<br />
Direction: outbound, SPI: 8ae3ae5e, AUX-SPI: 0<br />
, VPN Monitoring: -<br />
Hard lifetime: Expires in 3175 seconds<br />
Lifesize Remaining: Unlimited<br />
Soft lifetime: Expires in 2551 seconds<br />
Mode: Tunnel(0 0), Type: dynamic, State: installed<br />
Protocol: ESP, Authentication: hmac-sha256-96, Encryption: aes-cbc (256<br />
bits)<br />
Anti-replay service: disabled<br />
• Compatibility matrix of Phase 2 authentication method: VPN makes truncation<br />
method work as hmac-sha-256-128 on Junos OS <strong>Release</strong> 11.4R3. After the proposal is<br />
chosen in phase 2 negotiations, the SA uses 96 bit length truncation. So, if a remote<br />
gateway running Junos OS <strong>Release</strong> 11.4R3 and later releases which uses<br />
hmac-sha-256-128, the SRX device fails to decrypt from the gateway. In this case refer<br />
to the compatibility matrix table of each method and release given as follows:<br />
Table 14: Compatibility matrix of Phase 2 authentication method:<br />
<strong>Release</strong><br />
Remote<br />
Prior to 11.4R3<br />
11.4R3 onwards<br />
Local<br />
Authentication<br />
Method<br />
hmac-sha-256-128<br />
VPN knob<br />
(hmac-sha-256-96)<br />
hmac-sha-256-128<br />
Prior to<br />
11.4R3<br />
hmac-sha-256-128<br />
Same method<br />
Compatible<br />
Not compatible<br />
11.4R3<br />
onwards<br />
VPN knob<br />
(hmac-sha-256-96)<br />
Compatible<br />
Same method<br />
Not compatible<br />
hmac-sha-256-128<br />
Not Compatible<br />
Not compatible<br />
Same method<br />
Control Plane and Data Plane Memory Adjustment<br />
Advanced security software memory usage is growing from release to release due to<br />
increased functionality. With Junos OS <strong>Release</strong> 11.4 you cannot load large policy on Branch<br />
SRX 1G devices (SRX100H, SRX110H, SRX210H/HE, SRX220H and SRX240H).<br />
When you load a large IDP policy, the device runs out of memory on the control plane,<br />
which triggers a system reboot or freeze. In order to address this issue, a new CLI command<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
333
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
is introduced to re-distribute memory between control plane and data plane. This CLI<br />
command is referred to as Memory optionand will be available from 11.4R5 onwards.<br />
Syntax: set security advanced-services data-plane memory low<br />
This CLI command can be committed if one of the following Advanced Security License<br />
is installed on the device.<br />
• IDP Signature (idp-sig)<br />
• Kaspersky Anti Virus (av_key_kaspersky_engine)<br />
• Sophos Anti Virus (av_key_sophos_engine)<br />
The following error message is displayed during commit if the required licenses are not<br />
installed on the device.<br />
user@host>set security advanced-services data-plane memory low<br />
user@host>commit<br />
'low'<br />
Please reduce data plane memory, only when advanced services (UTM & IDP)<br />
licenses present<br />
error: configuration check-out failed<br />
NOTE: After commit complete you must reboot the system to take effect of<br />
the change. If you have deployed a cluster, make sure to reboot all nodes. If<br />
you rollback to the previous memory allocation by using delete security<br />
advanced-services data-plane memory low, you need to reboot the system<br />
after commit.<br />
user@host>commit<br />
warning: You have changed the system's data plane memory size.<br />
You must reboot the system for your change to take effect.<br />
If you have deployed a cluster, be sure to reboot all nodes.<br />
commit complete<br />
• To check the control or data plane memory allocation and memory status<br />
• The default memory allocation can be checked by running the show chassis<br />
routing-engine command.<br />
user @host>show chassis routing-engine | match memory<br />
Total memory 1024 MB Max 666 MB used ( 65 percent)<br />
Control plane memory 560 MB Max 448 MB used ( 80 percent)<br />
Data plane memory 464 MB Max 218 MB used ( 47 percent)<br />
• The current memory status can be checked by running the show security flow status<br />
command. The Advanced services data-plane memory mode: Default means the<br />
data-plane memory allocation remains unchanged.<br />
user @host>show security flow status<br />
Flow forwarding mode:<br />
Inet forwarding mode: flow based<br />
Inet6 forwarding mode: drop<br />
MPLS forwarding mode: drop<br />
ISO forwarding mode: drop<br />
334<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Advanced services data-plane memory mode: Default<br />
Flow trace status<br />
Flow tracing status: off<br />
• After you configure set security advanced-services data-plane memory lowand commit,<br />
the status is changed to Default (config changed, reboot needed).<br />
user @host>show security flow status<br />
Flow forwarding mode:<br />
Inet forwarding mode: flow based<br />
Inet6 forwarding mode: drop<br />
MPLS forwarding mode: drop<br />
ISO forwarding mode: drop<br />
Advanced services data-plane memory mode: Default (config changed, reboot<br />
needed)<br />
Flow trace status<br />
Flow tracing status: off<br />
• After system reboot (for example: request system reboot), the data-plane mode is<br />
changed to Low, and the additional control plane memory is allocated compared to<br />
default mode by reducing data-plane memory accordingly.<br />
user @host>show security flow status<br />
Flow forwarding mode:<br />
Inet forwarding mode: flow based<br />
Inet6 forwarding mode: drop<br />
MPLS forwarding mode: drop<br />
ISO forwarding mode: drop<br />
Advanced services data-plane memory mode: Low<br />
Flow trace status<br />
Flow tracing status: off<br />
user @host>show chassis routing-engine | match memory<br />
Total memory 1024 MB Max 625 MB used ( 61 percent)<br />
Control plane memory 624 MB Max 399 MB used ( 64 percent)
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
<strong>Release</strong> 11.4R2 New Features<br />
CX111 3G Adapter CLI Management<br />
• CX111 3G Adapter CLI Management—This feature is supported on SRX100, SRX210,<br />
SRX220, SRX240, and SRX650 devices.<br />
The CX111 3G adapter is primarily used as a backup for the WAN connection on SRX<br />
Series for the branch devices. The CX111 adapter is the only available 3G solution that<br />
has a built-in 3G LED signal indicator and that can be installed anywhere for optimal<br />
3G performance. The CX111 adapter acts as a transparent Layer 2 bridge to provide<br />
quick and simple 3G access. The 3G adapter integrates smoothly with an existing SRX<br />
Series for the branch device. The CX111 adapter maintains the wireless modem (or<br />
modems, if more than one modem is used) in a disconnected state, then triggers a<br />
new connection whenever an SRX Series device requests a new session.<br />
This feature enhances the management of the CX111 3G adapter to include the usage<br />
of the CLI. Users can now use CLI command to monitor the 3G modem and manage<br />
the CX111 adapter.<br />
To differentiate between multiple adapters connected to SRX Series devices, use the<br />
set services wireless-wan adapter command. The adapter's management IP address<br />
is used to communicate between SRX Series devices and the adapter. In Junos OS,<br />
the entire configuration for the adapter is used to maintain the adapter data.<br />
To manage the CX111 3G adapter, use the show wireless-wan adapter command.<br />
For CX111 adapter firmware upgrade, use the request wireless-wan adapter firmware<br />
upgrade command.<br />
For CX111 adapter firmware upgrade status, use the show wireless-wan adapter firmware<br />
upgrade command.<br />
Intrusion Detection and Prevention (IDP)<br />
• IDP policy compilation improvements—This feature is supported on all branch SRX<br />
Series devices with IDP enabled.<br />
The IDP policy compilation process has been optimized to use less memory and compile<br />
faster. Policies that were too large to compile on smaller platforms running earlier<br />
Junos OS releases may compile successfully on this release.<br />
J-Web<br />
• Application Tracking—This feature is supported on SRX100, SRX210, SRX220, SRX240,<br />
and SRX650 devices.<br />
The Application tracking feature is used to monitor sessions and bytes of a particular<br />
application or application group. The following page has been added to the J-Web<br />
user interface:<br />
• Application Tracking<br />
• Security Logging—This feature is supported on SRX100, SRX210, SRX220, SRX240,<br />
and SRX650 devices.<br />
336<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
The following page has been added to the J-Web user interface:<br />
• Security Logging<br />
IP Monitoring<br />
• IP Monitoring—This feature is supported on SRX100, SRX210, SRX220, SRX240, and<br />
SRX650 devices.<br />
Enhanced the IP Monitoring feature to support the following actions:<br />
• Specifying the no-preempt option. If the no-preempt option is specified, the policy<br />
does not perform preemptive failback when it is in a failover state or when the RPM<br />
probe test recovers from a failure.<br />
• Setting preferred metric values. If the preferred metric value is set, during failover,<br />
the route is injected with the set preferred metric value.<br />
• Enabling and disabling interfaces.<br />
• Interface-Enable – On a physical or logical interface, when the interface-enable<br />
action is configured, the initial state of the interface is disable after startup, and it<br />
continues to remain in the disable state as long as the associated RPM probe is<br />
in the pass state. When the associated RPM probe fails, the configured physical<br />
and logical interfaces are enabled.<br />
• Interface-Disable – On a physical or logical interface, when the interface-disable<br />
action is configured, the interface state remains unchanged. When the associated<br />
RPM probe fails, the physical and logical interfaces are disabled.<br />
MAC Limiting<br />
• MAC Limiting on Layer 3 Routing Interfaces—This feature is supported on SRX100,<br />
SRX210, SRX220, SRX240, and SRX650 devices.<br />
The MAC limiting feature provides a mechanism for limiting MAC addresses on devices<br />
that are connected to a Layer 3 routed Gigabit Ethernet (GE), Fast Ethernet (FE), or<br />
10 Gigabit Ethernet (XE) interface. With MAC filters, you can allow traffic with specific<br />
source MAC. Software-based MAC limiting is supported. MAC limiting is applicable<br />
only on interfaces with plain Ethernet or VLAN tagged encapsulation.<br />
Interfaces and Routing<br />
USB Enable/Disable Feature—This feature is supported on SRX100, SRX210, SRX220,<br />
SRX240, and SRX650 Services Gateways and on J Series Services Routers.<br />
This feature allows the administrator to disable all USB ports on the services gateway<br />
or services router to block users from connecting a USB mass storage device to the<br />
gateway or router. If a USB device is already mounted and connected, this feature<br />
unmounts and disables the device. Any transactions in progress on the USB device are<br />
aborted.<br />
Table 15 on page 338 lists the supported CLI commands:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
337
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 15: CLI Commands and Description<br />
CLI Command<br />
Description<br />
show chassis usb storage<br />
Displays the current status of any USB mass storage device and whether<br />
they are enabled or disabled.<br />
set chassis usb storage disable<br />
Disables mass storage devices that are connected on the USB ports.<br />
delete chassis usb storage disable<br />
Enables the use of USB mass storage devices on USB ports.<br />
NOTE:<br />
• The USB ports on a services gateway or services router are functional by<br />
default.<br />
• Even if the USB ports are disabled, the USB LEDs still light up when the<br />
device is plugged in.<br />
• This feature is supported only in Junos OS and is not supported in the<br />
uboot/loader phase.<br />
• When Junos OS is booted from a USB storage device, this feature is<br />
unavailable.<br />
• If a USB port is disabled, the request system reboot media usb command is<br />
unsupported and will fail.<br />
• If the kernel is configured to boot from USB, the kernel will check if USB is<br />
disabled early in the boot process. If USB is disabled, the kernel will reboot.<br />
Software Features<br />
AppSecure<br />
• Applications Groups—This feature is supported on SRX100, SRX210, SRX220, SRX240,<br />
and SRX650 devices.<br />
Application grouping is an enhancement to the AppSecure feature. It allows users to<br />
group applications in policies.<br />
Application grouping is mainly used to support:<br />
• Customer-defined and predefined application groups in the application identification<br />
module<br />
• Multiple applications or groups in the application groups<br />
• Application group support for application firewall (AppFW)—This feature is supported<br />
on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.<br />
The SRX Series devices allow configuring application firewall policies based on<br />
individual applications. This new feature allows you to group applications and<br />
338<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
application groups under a single name for simplified, consistent reuse when defining<br />
application firewall policies.<br />
[Junos OS Security Configuration Guide]<br />
• Application signature management and usability enhancements—This feature is<br />
supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.<br />
<strong>Juniper</strong> <strong>Networks</strong> provides improvements in the usability and management of predefined<br />
application signatures available through the Junos OS application signature package<br />
subscription service. Previously, predefined application signature updates were<br />
downloaded to the Junos OS configuration file, resulting in an unnecessarily large file.<br />
To improve usability, application signature updates are now downloaded and installed<br />
in a separate application signature database on the SRX Series device.<br />
Using CLI commands, users can manage predefined and custom application signatures<br />
and application signature groups, as follows:<br />
• View detailed and summary information.<br />
• Copy, disable, and enable predefined application signatures for maximum flexibility<br />
in the use and reuse of predefined application signatures and custom application<br />
signatures.<br />
• Create custom signatures by copying a predefined signature and using it as a<br />
template.<br />
In addition, the CLI services application-identification commands provide more options<br />
for the display and configuration of custom application signatures and application<br />
signature groups<br />
[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS<br />
Security Configuration Guide]<br />
• Heuristic detection of encrypted P2P applications—This feature is supported on<br />
SRX100, SRX210, SRX220, SRX240, and SRX650 devices.<br />
Peer-to-peer applications such as Skype contain encrypted data packets. The SRX<br />
Series devices cannot identify the encrypted data packets with the current application<br />
signatures, which are based on regular expression patterns. Heuristics are used to<br />
improve the detection rate. Junos OS detects encrypted peer-to-peer traffic on TCP<br />
and UDP.<br />
If a session cannot be identified as known encrypted peer-to-peer traffic, you can<br />
assign it to a special application called junos:unspecified-encrypted. Application<br />
firewall can configure a policy on this application similar to other dynamic<br />
applications.<br />
The edit services application-identification command has a new option,<br />
enable-heuristics, which you use to enable detection of encrypted peer-to-peer<br />
applications. The enable-heuristics command is off by default.<br />
The show services application-identification counter command has two new per-SPU<br />
counters, Unspecified encrypted sessions and Encrypted P2P sessions.<br />
root>show services application-identification counter<br />
pic: 1/0<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
339
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Counter type<br />
Value<br />
Unspecified encrypted sessions 10<br />
Encrypted P2P sessions 5<br />
pic: 1/1<br />
...<br />
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]<br />
• IPv6 application firewall support—This feature is supported on SRX100, SRX210,<br />
SRX220, SRX240, and SRX650 devices. Application firewall now supports IPv6<br />
addressing on these SRX Series Services Gateways.<br />
Application firewall was previously supported in the IPv4 environment. Beginning<br />
with Junos OS <strong>Release</strong> 11.4, it is also supported on IPv6.<br />
<strong>Juniper</strong> <strong>Networks</strong> devices provide additional security protection against known<br />
dynamic applications that can send traffic that might not be adequately controlled<br />
by standard network firewall policies. The application firewall functionality enforces<br />
polices based on the results of the application identification process. The application<br />
identification process identifies applications using pattern matching, protocol<br />
decoding, and heuristics.<br />
To implement application firewall support:<br />
• Network security policy–Modify the policy configuration to support the application<br />
firewall rule set within the existing configuration.<br />
• Application firewall rule set–Define an application firewall rule set to be referenced<br />
by the network security policy.<br />
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]<br />
• Nested application identification enhancement—This feature is supported on<br />
SRX100, SRX210, SRX220, SRX240, and SRX650 devices.<br />
New application identification contexts have been added for more extensive nested<br />
application matching. Several new HTTP contexts have been added for application<br />
detection:<br />
• http-get-url-parsed-param-parsed<br />
• http-post-url-parsed-param-parsed<br />
• http-post-variable-parsed<br />
• http-header-user-agent<br />
• http-header-cookie<br />
For encrypted HTTP sessions, the new ssl-server-name context extracts the server<br />
name from an SSL SERVER HELLO message and an SSL CLIENT HELLO message<br />
if they exist.<br />
[Junos OS Security Configuration Guide ]<br />
• Onbox application tracking statistics—This feature is supported on SRX100, SRX210,<br />
SRX220, SRX240, and SRX650 devices.<br />
340<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
This feature adds application-level statistics to the AppSecure suite. Application<br />
statistics allow an administrator to access cumulative statistics as well as statistics<br />
accumulated over user-defined intervals. The administrator can clear the statistics<br />
and configure the interval values.<br />
Bytes and session count statistics are maintained. Because the statistics count<br />
occurs at AppTrack session close event time, the byte and session counts are not<br />
updated until the session closes.<br />
SRX Series devices support a history of 8 intervals that an administrator can use to<br />
display the application session and byte counts.<br />
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]<br />
Global Policy<br />
• Global policy —This feature is supported on SRX100, SRX210, SRX220, SRX240, and<br />
SRX650 devices.<br />
Unlike other security policies, global policies do not reference specific source and<br />
destination zones (from-zone and to-zone). Global policies allow you to regulate traffic<br />
with addresses and applications, regardless of their security zones. Global policies<br />
reference user-defined addresses or the predefined address “any.” These addresses<br />
can span multiple security zones.<br />
[Junos OS Security Configuration Guide]<br />
• Web authentication—This feature is supported on SRX100, SRX210, SRX220, SRX240,<br />
and SRX650 devices. Web authentication now supports IPv6 addresses.<br />
• Firewall Authentication—This feature is supported on SRX100, SRX210, SRX220,<br />
SRX240, and SRX650 devices. Firewall authentication now supports IPv6 addresses.<br />
Intrusion Detection and Prevention (IDP)<br />
• IDP content decompression on HTTP —This feature is supported on SRX100, SRX210,<br />
SRX220, SRX240, and SRX650 devices.<br />
To avoid IDP detection evasion on the HTTP compressed content, an IDP submodule<br />
has been added that decompresses the protocol content. The signature pattern<br />
matching is performed on the decompressed content. The decompression feature is<br />
disabled by default.<br />
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]<br />
• IDP attack description—This feature is supported on SRX100, SRX210, SRX220,<br />
SRX240, and SRX650 for both J-Web and the CLI.<br />
The IDP attack description feature enables users to use the CLI to learn more about<br />
IDP attack objects. Currently, users view IDP attack objects in the<br />
/var/db/idpd/sec-download/SignatureUpdate.xml file, which makes it difficult for<br />
users to investigate and manage IDP attack objects. Users can quickly and easily<br />
administer IDP attack objects when the details are displayed through the CLI.<br />
You can use the show security idp attack description and the show security idp attack<br />
detail operational mode commands to display details about IDP attack objects.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
341
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[Junos OS CLI Reference Guide]<br />
J-Web<br />
• Customer branding of firewall authentication webpage— This feature is supported<br />
on SRX100, SRX210, SRX220, SRX240,and SRX650 devices.<br />
<strong>Juniper</strong> <strong>Networks</strong> enables the administrator to replace the embedded <strong>Juniper</strong> <strong>Networks</strong><br />
logo present on the firewall authentication webpage with a customer graphic. It also<br />
provides the ability to create a different logo for different logical systems.<br />
• IDP monitoring—This feature is supported on SRX100, SRX210, SRX220, SRX240,<br />
SRX650, and J Series devices.<br />
The following pages have been added to the J-Web user interface:<br />
• Attacks Monitoring page<br />
• Applications Monitoring page<br />
• IDP performance in J-Web—IDP performance in J-Web has been improved for SRX100,<br />
SRX210, SRX220, SRX240, SRX650, and all J Series devices.<br />
• J-Web for Layer 2 transparency—This feature is supported on SRX100, SRX210,<br />
SRX220, SRX240, and SRX650 devices.<br />
The following pages have been added to the J-Web user interface:<br />
• Configuring bridge domains<br />
• Configuring static MAC address to Layer 2 interfaces under bridge domains<br />
• Monitoring bridge domains<br />
• Configuring interface as family bridge<br />
• MAC learning and limiting global MAC learning count<br />
• Security flow bridge configurations<br />
• J-Web DVPN pages enhancement—This feature is supported on SRX100, SRX210,<br />
SRX220, SRX240, and SRX650 devices.<br />
The following J-Web pages have been created for dynamic VPN (DVPN) configuration<br />
and converted to the EXTJS framework to enhance usability:<br />
• Dynamic VPN Global Settings<br />
• Dynamic VPN Client Edit<br />
For configuration, you can now configure IKE and IPsec autokey for DVPN through the<br />
Auto Tunnel > Phase I and Phase II pages.<br />
342<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Security<br />
• Enhanced Web Filtering—This feature is supported on SRX100, SRX110, SRX210,<br />
SRX220, SRX240, and SRX650 devices.<br />
Enhanced Web Filtering with Websense is an integrated URL filtering solution. When<br />
you enable Enhanced Web Filtering on the device, the device intercepts HTTP and<br />
HTTPS requests and then sends the HTTP URL or the HTTPS destination IP to the<br />
Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of over<br />
95 categories and also provides a site reputation. The TSC returns the URL category<br />
and the site reputation information to the device. The device then determines whether<br />
it can permit or block the request based on the information provided by the TSC.<br />
You can consider Enhanced Web Filtering as an alternative to the existing integrated<br />
URL filtering Surf Control Content Portal Authority (SC-CPA) solution on the SRX<br />
Series devices. J Series devices, however, support only the existing SC-CPA functionality.<br />
NOTE: You need to install a new license on the device to upgrade to the<br />
Enhanced Web Filtering solution.<br />
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]<br />
• GTP IE removal—This feature is supported on all branch SRX Series and J Series devices.<br />
The multiple versions of the Third-Generation Partnership Project (3GPP) create<br />
interoperability problems in the mobile network. Junos OS <strong>Release</strong> 11.4 supports removal<br />
of R7, R8, and R9 information elements (IEs) of the GTPv1 messages, which allows<br />
you to retain interoperability.<br />
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]<br />
• Security policies for self-traffic—This feature is supported on all branch SRX Series<br />
and J Series devices.<br />
Users can now configure security policies for the self-traffic (the host inbound traffic<br />
or the host outbound traffic) of the device. The user can further apply relevant services<br />
to the new self-traffic policy.<br />
The security policies for the self-traffic are configured under the new default security<br />
zone called junos-host zone.<br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
• Internet Key Exchange version 2 (IKEv2)—This feature is supported on all branch SRX<br />
Series devices.<br />
IKEv2 is the next-generation standard for secure key exchange between peer devices,<br />
defined in RFC 4306. IKEv2 is available in Junos OS <strong>Release</strong> 11.4 for securing IPsec<br />
traffic. The initial release does not support all the capabilities described in the RFCs.<br />
The advantages of using version 2 over version 1 are as follows;<br />
• Simplifies the existing IKEv1<br />
• Single RFC, including NAT-T, EAP, and remote address acquisition<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
343
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Replaces the 8 initial exchanges with a single 4-message exchange<br />
• Reduces the latency for the IPsec SA setup and increases connection establishment<br />
speed<br />
• Increases robustness against DoS attack<br />
• Improves reliability through the use of sequence numbers, acknowledgements, and<br />
error correction<br />
• Offers forward compatibility<br />
• Provides simple cryptographic mechanisms<br />
IKEv2 includes support for:<br />
• Route-based VPN<br />
• Site-to-site VPN<br />
• Dead peer detection (liveness check)<br />
• Chassis cluster<br />
• Certificate-based authentication<br />
• Hardware offloading of the ModExp operations in a Diffie-Hellman (DH) exchange<br />
• IKE and child SA rekeying—In IKEv2, a child security association (SA) cannot exist<br />
without the underlying IKE SA. If a child SA is required, it will be rekeyed; however, if<br />
the child SAs are currently active, the corresponding IKE SA will be rekeyed.<br />
• Version 1 and version 2<br />
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]<br />
SNMP<br />
• <strong>Juniper</strong> <strong>Networks</strong> enterprise-specific License MIB—This feature is supported on<br />
SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices. It extends SNMP<br />
support for licensing information.<br />
The enterprise-specific License MIB:<br />
• Contains information about license features and the expiration details to reduce the<br />
burden involved in managing licenses.<br />
• Generates traps to alert users. For example, an alert is generated when a license<br />
expires or when the total number of users exceeds the maximum number specified<br />
in the license.<br />
• Provides access to license-related information through the SNMP get and get-next<br />
operations.<br />
344<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
[Junos OS SNMP MIBs and Traps Reference, MIB Reference for Branch SRX Series Services<br />
Gateways.]<br />
UTM<br />
• UTM support in chassis cluster active/active configuration—This feature is supported<br />
on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.<br />
Previously, only UTM support for the Packet Forwarding Engine in active/backup chassis<br />
cluster configurations existed. Also, both the Packet Forwarding Engine and the Routing<br />
Engine had to be active in the same node for UTM functionality to work.<br />
This feature introduces UTM support for active/active chassis cluster configurations<br />
where the Packet Forwarding Engine can be active on both the cluster nodes. With<br />
active/active chassis cluster support, Routing Engine and Packet Forwarding Engine<br />
can be active in different nodes.<br />
NOTE: Sophos AV is not supported as part of active/active chassis cluster<br />
implementation.<br />
UTM supports stateless (no state regarding UTM is synced between the cluster nodes)<br />
Packet Forwarding Engine active/active chassis cluster configurations.<br />
With Junos OS <strong>Release</strong> 11.4, the UTM functionality is supported in both active/active<br />
and active/backup chassis cluster configurations.<br />
UTM with chassis cluster supports the following failover types:<br />
• Manual failover<br />
• RG0 automatic failover<br />
• RG1+ automatic failover<br />
• Failover through flowd restart<br />
• Failover through reboot<br />
Chassis cluster support is enabled for the following UTM features:<br />
• Content filtering<br />
• URL (Web) filtering<br />
• Antispam<br />
• Express antivirus scanning<br />
• Full file-based antivirus scanning<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
345
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[Junos OS Security Configuration Guide, Junos OS Feature Support Reference for SRX<br />
Series and J Series Devices]<br />
Virtual Private LAN Service (VPLS)<br />
• Filtering and policing support (packet based)—This feature is supported on SRX100,<br />
SRX210, SRX220, SRX240, SRX650, and all J Series devices.<br />
This feature permits users to configure both firewall filters and policers for virtual<br />
private LAN service (VPLS). Firewall filters enable you to filter packets based on their<br />
components and perform an action on packets that match the filter. Policers enable<br />
you to limit the amount of traffic that passes into or out of an interface.<br />
This feature can be enabled by configuring VPLS filters, policers, and accounting through<br />
various CLI commands. VPLS filters and policers act on a Layer 2 frame that includes<br />
the media access control (MAC) header (after any VLAN rewrite or other rules are<br />
applied), but that does not include the cyclical redundancy check (CRC) field.<br />
NOTE: You can apply VPLS filters and policers on the PE routers, only to<br />
customer-facing (PE-CE) interfaces.<br />
[Junos OS MPLS Configuration Guide for Security Devices]<br />
Virtual Private <strong>Networks</strong> (VPN)<br />
• Site-to-site VPN support for NAT-T—This feature is supported on all branch SRX<br />
Series devices and J Series devices.<br />
Site-to-site IKE gateway configuration for Network Address Translation-Traversal<br />
(NAT-T) is now supported on the server side (IKE responder). This is in addition to the<br />
current implementation of NAT-T support for dynamic IKE gateway configuration. A<br />
remote-identity value is used to validate a peer’s ike-id or id during Phase 1 of IKE tunnel<br />
negotiation.<br />
[Junos OS Security Configuration Guide]<br />
Hardware Features—SRX210 Services Gateways<br />
AX411 Access Point<br />
• AX411 Access Point management is now supported on SRX100 and SRX110 Series<br />
devices in addition to existing support on SRX210, SRX220, SRX240, and SRX650<br />
devices.<br />
The AX411 Access Point provides network access for wireless clients such as laptop or<br />
desktop computers, personal digital assistants (PDAs), and any other device equipped<br />
with a Wi-Fi adapter. The AX411 Access Point supports the new IEEE 802.11n wireless<br />
networking standard with backward compatibility for IEEE 802.11a/b/g standards.<br />
You can manage and configure access points from the SRX Series device through the<br />
Junos operating system (Junos OS) command-line interface (CLI), J-Web interface,<br />
and Network and Security Manager (NSM).<br />
346<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
3G ExpressCard Support on the SRX210 Services Gateway<br />
• Junos OS <strong>Release</strong> 11.4 supports the Sierra Wireless AirCard 503 (AC503) ExpressCard<br />
for GSM, HSPA, and UMTS networks on SRX210 devices, to provide wireless WAN<br />
connectivity as backup to primary WAN links. The AC503 ExpressCard is not available<br />
from <strong>Juniper</strong> <strong>Networks</strong>.<br />
3G USB Modem Support on the SRX210 Services Gateway<br />
• Junos OS <strong>Release</strong> 11.4 supports the Sierra Wireless USB modem (U319, HSPA+<br />
quad-band) on the SRX210 device (on USB port 1).<br />
To use the 3G USB modem on the SRX210 device:<br />
1. Upgrade the BIOS software packaged inside the Junos OS image. For detailed<br />
information about BIOS upgrade procedures, see the Junos OS Initial Configuration<br />
Guide for Security Devices.<br />
NOTE: You need the BIOS version of 2.1 or later to use the 3G USB<br />
modems on the SRX210 device.<br />
2. Configure the WAN port using the CLI command set chassis routing-engine usb-wwan<br />
port 1 to enable the USB port to use the U319 USB modem. See the Junos OS CLI<br />
Reference Guide.<br />
3. Plug the 3G USB modem in to the appropriate USB slot (USB port 1) on the device.<br />
NOTE: You can use the USB modem with a standard USB extension<br />
cable of 1.8288 meters (6 ft) or longer.<br />
4. Reboot the device to start using the 3G USB modem.<br />
Hardware Features—SRX240 Services Gateway<br />
This topic includes the following sections:<br />
• Introduction on page 347<br />
• Hardware Features on page 348<br />
• SRX240 Services Gateway Models on page 349<br />
Introduction<br />
The <strong>Juniper</strong> <strong>Networks</strong> SRX240 Services Gateway offers complete functionality and<br />
flexibility for delivering secure, reliable data over IP, and provides multiple interfaces that<br />
support WAN and LAN connectivity and Power over Ethernet (PoE).<br />
The SRX240 Services Gateway provides IP Security (IPsec), virtual private network (VPN),<br />
and firewall services for small and medium-sized companies and enterprise branch and<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
347
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
remote offices. Additional security features include Unified Threat Management (UTM),<br />
which consists of IPS antispam, antivirus, and Web filtering.<br />
Hardware Features<br />
Table 16 on page 348 lists the hardware features supported on various models of the<br />
SRX240 Services Gateway<br />
Table 16: SRX240 Services Gateway Hardware Features<br />
Features<br />
SRX240 Services<br />
Gateway with AC<br />
Power Supply and No<br />
PoE Support<br />
SRX240 Services<br />
Gateway with AC<br />
Power Supply and<br />
PoE Support<br />
SRX240 Services<br />
Gateway with DC<br />
Power Supply<br />
DDR memory<br />
• For SRX240B:<br />
512 MB<br />
• For SRX240B2:<br />
1 GB<br />
• For SRX240H:<br />
1 GB<br />
• For SRX240H2:<br />
2 GB<br />
• For SRX240H-TAA:<br />
1 GB<br />
• For SRX240H-POE:<br />
1 GB<br />
• For SRX240H2-POE:<br />
2 GB<br />
• For<br />
SRX240H-POE-TAA:<br />
1 GB<br />
• For<br />
SRX240H2-POE-TAA:<br />
2 GB<br />
• For<br />
SRX240H-DC:<br />
1 GB<br />
• For<br />
SRX240H2-DC:<br />
2 GB<br />
• For SRX240H2-TAA:<br />
2 GB<br />
PoE support<br />
No<br />
Yes<br />
No<br />
Power supply<br />
rating<br />
150 watts<br />
360 watts<br />
190 watts<br />
Input voltage<br />
100 to 240 VAC<br />
100 to 240 VAC<br />
–48 VDC<br />
Operating range:<br />
–40.5 V to –72 V<br />
Gigabit Ethernet<br />
ports<br />
16<br />
16<br />
16<br />
Console ports<br />
1<br />
1<br />
1<br />
Universal Serial<br />
Bus (USB) ports<br />
2<br />
2<br />
2<br />
Mini-PIM slots<br />
4<br />
4<br />
4<br />
LEDs<br />
Status, Alarm, HA, Power,<br />
Mini-PIMs, and Port<br />
(TX/RX/Link and PoE)<br />
Status, Alarm, HA,<br />
Power, Mini-PIMs, and<br />
Port (TX/RX/Link and<br />
PoE)<br />
Status, Alarm, HA,<br />
Power, Mini-PIMs,<br />
Port (TX/RX/Link<br />
and PoE), DC power<br />
feed LEDs.<br />
NOTE: The PoE LED is enabled only on the PoE variant of the SRX240 Services Gateway.<br />
348<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Table 16: SRX240 Services Gateway Hardware Features (continued)<br />
Features<br />
SRX240 Services<br />
Gateway with AC<br />
Power Supply and No<br />
PoE Support<br />
SRX240 Services<br />
Gateway with AC<br />
Power Supply and<br />
PoE Support<br />
SRX240 Services<br />
Gateway with DC<br />
Power Supply<br />
Internal flash<br />
memory<br />
• For SRX240B:<br />
1 GB<br />
• For SRX240B2:<br />
2 GB<br />
• For SRX240H:<br />
1 GB<br />
• For SRX240H2:<br />
2 GB<br />
• For SRX240H-TAA:<br />
1 GB<br />
• For SRX240H-POE:<br />
1 GB<br />
• For SRX240H2-POE:<br />
2 GB<br />
• For<br />
SRX240H-POE-TAA:<br />
1 GB<br />
• For<br />
SRX240H2-POE-TAA:<br />
2 GB<br />
• For<br />
SRX240H-DC:<br />
1 GB<br />
• For<br />
SRX240H2-DC:<br />
2 GB<br />
• For SRX240H2-TAA:<br />
2 GB<br />
Fans<br />
6<br />
6<br />
6<br />
Air filters<br />
One<br />
None<br />
One<br />
(Separately orderable)<br />
NEBS-compliance<br />
No<br />
No<br />
Yes<br />
NOTE: An air filter is not shipped with the SRX240 Services Gateway with<br />
AC power supply models. To meet NEBS requirements, you must order the<br />
air filter separately and install it. Contact your <strong>Juniper</strong> <strong>Networks</strong> customer<br />
service representative for more information.<br />
SRX240 Services Gateway Models<br />
Table 17 on page 349 lists the SRX240 Services Gateway models.<br />
Table 17: SRX240 Services Gateway Models<br />
Model Name<br />
Device Description<br />
SRX240B<br />
512 MB RAM, 1 GB flash memory with AC<br />
power supply<br />
SRX240B2<br />
1 GB RAM, 2 GB flash memory with AC power<br />
supply<br />
SRX240H<br />
1 GB RAM, 1 GB flash memory with AC power<br />
supply<br />
SRX240H2<br />
2 GB RAM, 2 GB flash memory with AC power<br />
supply<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
349
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 17: SRX240 Services Gateway Models (continued)<br />
Model Name<br />
Device Description<br />
SRX240H-TAA<br />
1 GB RAM, 1 GB flash memory with AC power<br />
supply (TAA compliant)<br />
SRX240H2-TAA<br />
2 GB RAM, 2 GB flash memory with AC power<br />
supply (TAA compliant)<br />
SRX240H-DC<br />
1 GB RAM, 1 GB flash memory with DC power<br />
supply<br />
SRX240H2-DC<br />
2 GB RAM, 2 GB flash memory with DC power<br />
supply<br />
SRX240H-POE<br />
1 GB RAM, 1 GB flash memory and Power<br />
over Ethernet (PoE) with AC power supply<br />
SRX240H2-POE<br />
2 GB RAM, 2 GB flash memory and Power<br />
over Ethernet (PoE) with AC power supply<br />
SRX240H-POE-TAA<br />
1 GB RAM, 1 GB flash memory and Power<br />
over Ethernet (PoE) with AC power supply<br />
(TAA compliant)<br />
SRX240H2-POE-TAA<br />
2 GB RAM, 2 GB flash memory and Power<br />
over Ethernet (PoE) with AC power supply<br />
(TAA compliant)<br />
All models run Junos OS.<br />
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services<br />
Gateways and J Series Services Routers<br />
The following current system behavior, configuration statement usage, and operational<br />
mode command usage might not yet be documented in the Junos OS documentation:<br />
350<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Authentication<br />
• The client-match match-name option under security hierarchy edit security policies<br />
from-zone zone-name to-zone zone-name policy policy-name then permit<br />
firewall-authentication now supports a maximum of 64 users or user groups in the<br />
policy.<br />
AppSecure<br />
• On SRX100, SRX110, SRX210, SRX220, SRX240, and SRX650 devices, application<br />
tracking is enabled by default. You can disable application tracking with the set security<br />
application-tracking disable command. This command allows you to disable and<br />
reenable application tracking without modifying your existing zone selections.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
351
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Command-Line Interface (CLI)<br />
• On all branch SRX Series devices, when the device is in low-memory condition and IDP<br />
is processing operations such as security package install or policy compilation, IDP<br />
aborts the operation.<br />
To disable this functionality, a new command, disable-low-memory-handling, has been<br />
introduced to continue IDP operations in low-memory condition.<br />
NOTE: The device might reboot suddenly if you enable the device to<br />
continue IDP operations in low-memory condition.<br />
• On all branch SRX Series devices, any device running Junos OS <strong>Release</strong> 11.4 and earlier<br />
and configured with SHA-256 authentication must be upgraded immediately. Earlier<br />
releases truncated the SHA-256 message digest to 96 bits from the correct size of 128<br />
bits. The hmac-sha-256-96 parameter fixes this compatibility issue.<br />
• On all branch SRX Series and J Series devices, the following commands are now<br />
supported:<br />
CLI Command<br />
Description<br />
show pppoe interfaces<br />
List all Point-to-Point Protocol over Ethernet<br />
(PPPoE) sessions.<br />
request pppoe connect<br />
Connect to all sessions that are down.<br />
request pppoe connect pppoe interface name<br />
Connect only to the specified session.<br />
request pppoe disconnect<br />
Disconnect all sessions that are up.<br />
request pppoe disconnect session id or pppoe<br />
interface name<br />
Disconnect only the specified session, identified<br />
by either a session ID or a PPPoE interface name.<br />
• In Junos OS <strong>Release</strong> 11.2 and 11.4 the set security zone security-zones tcp-rst<br />
command in the CLI Help displays an incorrect description as:<br />
tcp-rst—Send RST for TCP SYN packet not matching session<br />
The correct description is:<br />
tcp-rst—Send RST for NON-SYN packet not matching TCP session<br />
• On all branch SRX Series devices, in Junos OS <strong>Release</strong> 11.4 and earlier releases, if an<br />
invalid value of reboot_reason was detected, the show chassis routing-engine command<br />
would indicate a normal shutdown. Because of this, a flash memory corruption would<br />
go undetected. This issue is now fixed in Junos OS <strong>Release</strong> 12.1. The behavior is changed,<br />
and the reboot reason displays "Unknown reboot_reason", with the invalid value of<br />
reboot_reason, in hexadecimal format.<br />
352<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Deprecated Items for Branch SRX Series Services Gateways<br />
Table 18 on page 353 lists deprecated items (such as CLI statements, commands, options,<br />
and interfaces).<br />
CLI statements and commands are deprecated—rather than immediately removed—to<br />
provide backward compatibility and a chance to bring your configuration into compliance<br />
with the new configuration. We strongly recommend that you phase out deprecated<br />
items and replace them with supported alternatives.<br />
Table 18: Items Deprecated in <strong>Release</strong> 11.4<br />
Deprecated Item<br />
Replacement<br />
Hierarchy Level or<br />
Command Syntax<br />
Additional Information<br />
clear services flow<br />
-<br />
-<br />
On all branch SRX Series<br />
devices the clear services flow<br />
command is not supported.<br />
download-timeout<br />
-<br />
download-timeout timeout<br />
On all branch SRX Series<br />
devices, the<br />
download-timeout command<br />
is deprecated. If the<br />
configuration is present it will<br />
be ignored. The idpd daemon<br />
internally triggers<br />
security-package to install<br />
when an automatic download<br />
is completed. There is no<br />
need to configure any<br />
download-timeout.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
353
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Flow and Processing<br />
• Max content-size-limit changes from 20MB to 15MB<br />
The maximum number of content size refers to the maximum size of the file that the<br />
system can buffer for scanning. Beyond that the system does either “block” or<br />
“log-and-permit” based on configuration (e.g., fallback-options content-size). As part<br />
of memory adjustment by the memory option, the maximum number of<br />
content-size-limit will be decreased from 20000 Kbytes to 15000 Kbytes after applying<br />
set security advanced-services data-plane memory low memory option. Therefore if<br />
you configured the content-size-limit as 15001 or above, this configuration statement<br />
will be removed along with all subsequent scan-options statement under<br />
“content-size-limit”. As a workaround, please re configure the content-size-limit as<br />
15000 or below prior to configuring the memory option.<br />
Before applying memory option, the maximum content-size-limit can be configured<br />
up to 20000 Kbytes<br />
user@host#set security utm feature-profile anti-virus kaspersky-lab-engine<br />
profile scan-options content-size-limit ?<br />
Possible completions:<br />
Content size limit (20..20000)<br />
user@host#set security utm feature-profile anti-virus sophos-engine profile<br />
scan-options content-size-limit ?<br />
Possible completions:<br />
Content size limit (20..20000)<br />
show security utm<br />
feature-profile {<br />
anti-virus {<br />
kaspersky-lab-engine {<br />
profile 1 {<br />
scan-options {<br />
intelligent-prescreening;<br />
scan-mode all;<br />
scan-extension junos-default-extension;<br />
content-size-limit 20000;
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Value 20000 is not within range (20..15000)<br />
mgd: commit complete<br />
After system rebooting, see the removed statements.<br />
edit<br />
user@host>show security utm<br />
feature-profile {<br />
anti-virus {<br />
kaspersky-lab-engine {<br />
profile 1 {<br />
scan-options {<br />
intelligent-prescreening;<br />
scan-mode all;<br />
scan-extension junos-default-extension;<br />
}<br />
}<br />
}<br />
}<br />
}<br />
The maximum content-size-limit can be configured up to 15000 Kbytes<br />
user@host#set security utm feature-profile anti-virus kaspersky-lab-engine<br />
profile scan-options content-size-limit ?<br />
Possible completions:<br />
Content size limit (20..15000)<br />
user@host#set security utm feature-profile anti-virus sophos-engine profile<br />
scan-options content-size-limit ?<br />
Possible completions:<br />
Content size limit (20..15000)<br />
• On all branch SRX Series and J Series devices, if the maximum number of leaves on a<br />
multicast distribution tree is exceeded, multicast sessions are created up to the<br />
maximum number of leaves, and any multicast sessions that exceed the maximum<br />
number of leaves are ignored. In previous releases, no multicast traffic was forwarded<br />
if the maximum number of leaves on the multicast distribution tree was exceeded.<br />
The maximum number of leaves on a multicast distribution tree is device specific.<br />
• On SRX100, SRX110, and SRX210 devices, when you power on or reboot the device,<br />
the Subscriber Identity Module (SIM) will be locked. If the SIM Personal Identification<br />
Number (PIN) or the unlock code is configured in the set interfaces cl-0/0/8<br />
cellular-options gsm-options sim-unlock-code configuration command, then Junos OS<br />
attempts to unlock the SIM only once. This is to keep the SIM from being blocked. If<br />
the SIM is blocked, you must provide a PIN Unblocking Key (PUK) obtained from the<br />
service provider. If the wrong SIM PIN is configured, the SIM will remain locked, and the<br />
administrator can unlock it by using the remaining two attempts.<br />
• The minimum value you can configure for TCP session initialization is 4 seconds. The<br />
default value is 20 seconds; if required you can set the TCP session initialization value<br />
to less than 20 seconds.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
355
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On all branch SRX Series devices, TCP session configuration has been enhanced. In<br />
earlier releases, the TCP session was only invalidated after 2 seconds of receiving a<br />
FIN or ACK packet. As a result, if there were new incoming SYN packets (with the same<br />
five tuples) within this 2 seconds, the packets would use the same TCP session, which<br />
would be terminated within 2 seconds. Therefore a new session could not be<br />
established.<br />
A new configuration attribute, fin-invalidate-session, has been introduced at the edit<br />
security flow tcp-session hierarchy level. This command invalidates a TCP session<br />
immediately on reception of a FIN or ACK packet. New incoming SYN packets will need<br />
to establish a new session.<br />
To end a session immediately on reception of a FIN or ACK packet, use the set security<br />
flow tcp-session fin-invalidate-session command.<br />
Interfaces and Routing<br />
• On SRX240 and SRX650 devices, for the Layer 2 link aggregation group (LAG) interface,<br />
the hash algorithm for load balancing is now based on source IP address and destination<br />
IP address instead of source MAC address and destination MAC address.<br />
Internet Protocol Security (IPsec)<br />
• On Octeon-based branch SRX Series devices, for Path Maximum Transmission Unit<br />
(PMTU) calculations, the IPsec authentication data length is fixed at 16 bytes. However,<br />
the authentication data length for packets going through the IPsec tunnel is in<br />
accordance with the authentication algorithm negotiated for that tunnel.<br />
The authentication data lengths for the different algorithms are:<br />
• hmac-md5-96 (12 bytes)<br />
• hmac-sha-256-128 (16 bytes)<br />
• hmac-sha1-96 (12 bytes)<br />
Intrusion Detection and Prevention (IDP)<br />
• On all branch SRX Series devices, for a dynamic attack group using the direction filter,<br />
the expression AND should be used in the exclude values. As is the case with all filters,<br />
the default expression is OR. However, there is a choice of AND in the case of the<br />
direction filter.<br />
For example, if you want to choose all attacks with the direction client-to-server,<br />
configure the direction filter using the set security idp dynamic-attack-group dyn1 filters<br />
direction values client-to-server command.<br />
In the case of chain attacks, each of the multiple members has its own direction. If a<br />
policy includes chain attacks, a client-to-server filter selects all chain attacks that have<br />
any member with client-to-server as the direction. This means chain attacks that<br />
include members with server-to-client or ANY as the direction are selected if the chain<br />
has at least one member with client-to-server as the direction.<br />
356<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
To prevent these chain attacks from being added to the policy, configure the dynamic<br />
group as follows:<br />
• set security idp dynamic-attack-group dyn1 filters direction expression and<br />
• set security idp dynamic-attack-group dyn1 filters direction values client-to-server<br />
• set security idp dynamic-attack-group dyn1 filters direction values<br />
exclude-server-to-client<br />
• set security idp dynamic-attack-group dyn1 filters direction values exclude-any<br />
J-Web<br />
• On all branch SRX Series devices, you can use J-Web to enable and disable logical<br />
interfaces.<br />
System Logging<br />
The following system log messages have been introduced in Junos OS <strong>Release</strong> 11.4R7.<br />
• When sensor-configuration disable-low-memory-handling is not set and IPD receives<br />
a low-memory signal, the following message appears: Processing low memory signal<br />
• When sensor-configuration disable-low-memory-handling is set and IPD receives a<br />
low-memory signal, the following message appears: Ignoring low memory signal<br />
Virtual Private <strong>Networks</strong> (VPNs)<br />
• On SRX650 devices, the perfect forward secrecy setting in an IPsec policy overrides<br />
the settings in proposal-sets in Junos OS <strong>Release</strong> 10.4 and later.<br />
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J<br />
Series Services Routers<br />
AppSecure<br />
• J-Web pages for AppSecure are preliminary.<br />
• Custom application signatures and custom nested application signatures are not<br />
currently supported by J-Web.<br />
• AppFW does not operate on ALG data sessions. As a result, the AppFW rules are not<br />
applicable to these sessions. Therefore, ALG data sessions are excluded from AppFW<br />
counters.<br />
AX411 Access Points<br />
• On SRX210, SRX240, and SRX650 devices, you can configure and manage maximum<br />
of four access points.<br />
• On all branch SRX Series devices, managing AX411 WLAN Access Points through a<br />
Layer 3 aggregated Ethernet (ae) interface is not supported.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
357
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Chassis Cluster<br />
• SRX100, SRX210, SRX220 SRX240, and SRX650 devices have the following chassis<br />
cluster limitations:<br />
• Virtual Router Redundancy Protocol (VRRP) is not supported.<br />
• Unified in-service software upgrade (ISSU) is not supported.<br />
• The 3G dialer interface is not supported.<br />
• On SRX Series device failover, access points on the Layer 2 switch reboot and all<br />
wireless clients lose connectivity for 4 to 6 minutes.<br />
• On very-high-bit-rate digital subscriber line (VDSL) Mini-PIMs, chassis cluster is not<br />
supported for VDSL mode.<br />
• Queuing on the aggregated Ethernet (ae) interface is not supported.<br />
• Group VPN is not supported.<br />
• Sampling features such as flow monitoring, packet capture, and port mirror on the<br />
redundant Ethernet (reth) interfaces are not supported.<br />
• Switching is not supported in chassis cluster mode for SRX100 and SRX210.<br />
• The Chassis Cluster MIB is not supported.<br />
• Any packet-based services like MPLS and CLNS are not supported.<br />
• On lsq-0/0/0 interface, Link services Multilink Point-to-Point Protocol (MLPPP),<br />
Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol<br />
(CRTP) are not supported.<br />
• On lt-0/0/0 interface, CoS for real-time performance monitoring (RPM) is not<br />
supported.<br />
• Packet-based forwarding for MPLS and International Organization for Standardization<br />
(ISO) protocol families is not supported.<br />
• The factory default configuration for SRX100 devices automatically enables Layer 2<br />
Ethernet switching. Layer 2 Ethernet switching is not supported in chassis cluster mode<br />
for SRX100 devices. If you use the factory default configuration, you must delete the<br />
Ethernet switching before you enable chassis clustering.<br />
CAUTION: Enabling chassis clustering while Ethernet switching is enabled<br />
is not a supported configuration and might result in undesirable behavior<br />
from the devices, leading to possible network instability.<br />
The default configuration for other SRX Series devices and all J Series devices does<br />
not automatically enable Ethernet switching. However, if you have enabled Ethernet<br />
switching, be sure to disable it before enabling clustering on these devices too.<br />
• On all J Series devices, a Fast Ethernet port from a 4-port Ethernet PIM cannot be used<br />
as a fabric link port in a chassis cluster.<br />
358<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• On all branch SRX Series devices, redundant Ethernet (reth) interfaces and lo0 interface<br />
are supported for IKE external interface configuration in IPsec VPN. Other interface<br />
types can be configured, but IPsec VPN might not work.<br />
• On all J Series devices, the ISDN feature on chassis cluster is not supported.<br />
• On all branch SRX Series devices, frequent plug and play of USB keys is not supported.<br />
You must wait for the device node creation before removing the USB Key.<br />
Command-Line Interface (CLI)<br />
• On all J Series devices, RADIUS accounting is not supported.<br />
• On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the<br />
device by using the CLI. The number of users allowed to access the device is limited<br />
as follows:<br />
• For SRX210 devices: four CLI users and three J-Web users<br />
• For SRX240 devices: six CLI users and five J-Web users<br />
• On J6350 devices, there is a difference in the power ratings provided by user<br />
documentation (J Series Services Routers Hardware Guide and PIM, uPIM, and ePIM<br />
Power and Thermal Calculator) and the power ratings displayed by CLI (by a unit of<br />
1). The CLI display rounds off the value to a lower integer and the ratings provided in<br />
user documentation rounds off the value to the higher integer. As a workaround, follow<br />
the user documentation for accurate ratings.<br />
DOCSIS Mini-PIM<br />
• On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100<br />
Mbps throughput in each direction.<br />
Dynamic Host Configuration Protocol (DHCP)<br />
• On all branch SRX and J Series devices DHCP is not supported in a chassis cluster.<br />
• On all branch SRX Series and J Series devices, DHCPv6 client authentication is not<br />
supported.<br />
Dynamic VPN<br />
SRX100, SRX210, and SRX240 devices have the following limitations:<br />
• The IKE configuration for the Junos Pulse client does not support the hexadecimal<br />
preshared key.<br />
• The Junos Pulse client IPsec does not support the Authentication Header (AH) protocol<br />
and the Encapsulating Security Payload (ESP) protocol with NULL authentication.<br />
• When you log in through the Web browser (instead of logging in through the Junos<br />
Pulse client) and a new client is available, you are prompted for a client upgrade even<br />
if the force-upgrade option is configured. Conversely, if you log in using the Junos Pulse<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
359
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
client with the force-upgrade option configured, the client upgrade occurs automatically<br />
(without a prompt).<br />
• On all branch SRX Series devices, DH-group 14 is not supported for dynamic VPN.<br />
• On all branch SRX Series devices, when you download pulse client through Mozilla<br />
browser, you get “Launching the VPN client” page when pulse is still downloading but<br />
when you download the pulse client through Internet Explore “Launching the VPN<br />
Client” page comes after pulse has been download and installed.<br />
Flow and Processing<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, due to a limit on the<br />
number of large packet buffers, Routing Engine based sampling might run out of buffers<br />
for packet sizes greater than or equal to 1500 bytes and hence those packets will not<br />
be sampled. The Routing Engine could run out of buffers when the rate of the traffic<br />
stream is high.<br />
• On SRX100 and SRX240 devices, the data file transfer rate for more than 20 Mbps is<br />
reduced by 60 percent with the introduction of Junos Pulse 1.0 client as compared to<br />
the Acadia client that was used before Junos OS <strong>Release</strong> 11.1.<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the default authentication<br />
table capacity is 10,000; the administrator can increase the capacity to a maximum<br />
of 15,000.<br />
• On all branch SRX Series and J Series devices, when devices are operating in flow mode,<br />
the Routing Engine side cannot detect the path maximum transmission unit (PMTU)<br />
of an IPv6 multicast address (with a large size packet).<br />
• On all branch SRX Series devices, you cannot configure route policies and route patterns<br />
in the same dial plan.<br />
• On all branch SRX Series devices, you can configure no more than four members in a<br />
station group. Station groups are used for hunt groups and ring groups.<br />
• On all J Series devices, even when forwarding options are set to drop packets for the<br />
ISO protocol family, the device forms End System-to-Intermediate System (ES-IS)<br />
adjacencies and transmits packets because ES-IS packets are Layer 2 terminating<br />
packets.<br />
• On all branch SRX Series and J Series devices, high CPU utilization triggered for reasons<br />
such as CPU intensive commands and SNMP walks causes the Bidirectional Forwarding<br />
Detection (BFD) protocol to flap while processing large BGP updates.<br />
• On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported when flow<br />
is enabled on the device.<br />
• On SRX210, SRX240, and SRX650 devices, the maximum number of concurrent<br />
sessions for SSH, Telnet, and Web is as follows:<br />
Sessions<br />
SRX210<br />
SRX240<br />
SRX650<br />
SSH<br />
3<br />
5<br />
5<br />
360<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Sessions<br />
SRX210<br />
SRX240<br />
SRX650<br />
Telnet<br />
3<br />
5<br />
5<br />
Web<br />
3<br />
5<br />
5<br />
NOTE: These defaults are provided for performance reasons.<br />
• On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you<br />
limit use of CLI and J-Web to the numbers of sessions listed in the following table:<br />
Device<br />
CLI<br />
J-Web<br />
Console<br />
SRX210<br />
3<br />
3<br />
1<br />
SRX240<br />
5<br />
5<br />
1<br />
• On SRX100 devices, Layer 3 control protocols (OSPF, using multicast destination MAC<br />
address) on the VLAN Layer 3 interface work only with access switch ports.<br />
• On all branch SRX Series and J Series devices, a mismatch between the Firewall Counter<br />
Packet and Byte Statistics values, and between the Interface Packet and Byte Statistics<br />
values, might occur when the rate of traffic increases above certain rates of traffic.<br />
• On all branch SRX Series devices, sessions going through GRE over IPsec are not marked<br />
as backup on backup node, instead, they are marked as active on backup node. This<br />
behavior causes the real active session to be deleted. Nesting tunnel, like GRE over<br />
IPsec, is not supported on chassis cluster.<br />
Group VPN Interoperability with Cisco’s GET VPN for <strong>Juniper</strong> <strong>Networks</strong> Security<br />
Devices that Support Group VPN<br />
Cisco’s implementation of the Group Domain of Interpretation (GDOI) is called Group<br />
Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco's GET VPN are<br />
both based on RFC 3547, The Group Domain of Interpretation, there are some<br />
implementation differences that you need to be aware of when deploying GDOI in a<br />
networking environment that includes both <strong>Juniper</strong> <strong>Networks</strong> security devices and Cisco<br />
routers. This topic discusses important items to note when using Cisco routers with GET<br />
VPN and <strong>Juniper</strong> <strong>Networks</strong> security devices with group VPN.<br />
Cisco GET VPN members and <strong>Juniper</strong> Group VPN members can interoperate as long as<br />
the server role is played by a Cisco GET VPN server, <strong>Juniper</strong> <strong>Networks</strong> security devices<br />
are group members.<br />
The group VPN in <strong>Release</strong> 12.1 of Junos OS has been tested with Cisco GET VPN servers<br />
running Version 12.4(22)T and Version 12.4(24)T.<br />
To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group<br />
includes a <strong>Juniper</strong> <strong>Networks</strong> security device. The Cisco GET VPN server implements a<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
361
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
proprietary ACK for unicast rekey messages. If a group member does not respond to the<br />
unicast rekey messages, the group member is removed from the group and is not able<br />
to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as<br />
bad security parameter indexes (SPIs). The <strong>Juniper</strong> <strong>Networks</strong> security device can recover<br />
from this situation by reregistering with the server and download the new key.<br />
Antireplay must be disabled on the Cisco server when a VPN group of more than two<br />
members includes a <strong>Juniper</strong> <strong>Networks</strong> security device. The Cisco server supports<br />
time-based antireplay by default. A <strong>Juniper</strong> <strong>Networks</strong> security device will not interoperate<br />
with a Cisco group member if time-based antireplay is used because the timestamp in<br />
the IPsec packet is proprietary. <strong>Juniper</strong> <strong>Networks</strong> security devices are not able to<br />
synchronize time with the Cisco GET VPN server and Cisco GET VPN members because<br />
the sync payload is also proprietary. Counter-based antireplay can be enabled if there<br />
are only two group members.<br />
According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds<br />
before a key expires, and the Cisco GET VPN member triggers rekeys 60 seconds before<br />
a key expires. When interacting with a Cisco GET VPN server, a <strong>Juniper</strong> <strong>Networks</strong> security<br />
device member needs to match Cisco behavior.<br />
A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies<br />
associated with the keys are dynamically installed. A policy does not have to be configured<br />
on a Cisco GET VPN member locally, but a deny policy can optionally be configured to<br />
prevent certain traffic from passing through the security policies set by the server. For<br />
example, the server can set a policy to have traffic between subnet A and subnet B be<br />
encrypted by key 1. The member can set a deny policy to allow OSPF traffic between<br />
subnet A and subnet B not to be encrypted by key 1. However, the member cannot set a<br />
permit policy to allow more traffic to be protected by the key. The centralized security<br />
policy configuration does not apply to the <strong>Juniper</strong> <strong>Networks</strong> security device.<br />
On a <strong>Juniper</strong> <strong>Networks</strong> security device, the ipsec-group-vpn configuration statement in<br />
the permit tunnel rule in a scope policy references the group VPN. This allows multiple<br />
policies referencing a VPN to share an SA. This configuration is required to interoperate<br />
with Cisco GET VPN servers.<br />
Logical key hierarchy (LKH), a method for adding and removing group members, is not<br />
supported with group VPN on <strong>Juniper</strong> <strong>Networks</strong> security devices.<br />
GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered<br />
list of servers with which the member can register or reregister. Multiple group servers<br />
cannot be configured on group VPN members.<br />
362<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Hardware<br />
• On SRX650 devices, the T1/E1 GPIMs (2-port or 4-port version) do not work in Junos<br />
OS <strong>Release</strong> 9.6R1. This issue is resolved in Junos OS <strong>Release</strong> 9.6R2 and later releases,<br />
but if you roll back to the 9.6R1 image, this issue is still seen.<br />
Interfaces and Routing<br />
• On all branch SRX Series devices, the subnet directed broadcast feature is not<br />
supported.<br />
• On SRX100, SRX110, SRX210, SRX220, SRX240, and SRX550 devices, Link Aggregation<br />
Control Protocol (LACP) is not supported on the 1-Port Gigabit Ethernet Small<br />
Form-Factor Pluggable (SFP) Mini-PIM.<br />
• On SRX100 and J Series devices, dynamic VLAN assignments and guest VLANs are<br />
not supported.<br />
• On SRX650 devices, Ethernet switching is not supported on Gigabit Ethernet interfaces<br />
(ge-0/0/0 through ge-0/0/3 ports).<br />
• On SRX210, SRX220, SRX240, and SRX650 devices, logs cannot be sent to NSM when<br />
logging is configured in the stream mode. Logs cannot be sent because the security<br />
log does not support configuration of the source IP address for the fxp0 interface and<br />
the security log destination in stream mode cannot be routed through the fxp0 interface.<br />
This implies that you cannot configure the security log server in the same subnet as<br />
the fxp0 interface and route the log server through the fxp0 interface.<br />
• On all branch SRX Series devices, the number of child interfaces per node is restricted<br />
to 4 on the redundant Ethernet (reth) interface and the number of child interfaces per<br />
reth interface is restricted to 8.<br />
• On SRX240 High Memory devices, traffic might stop between the SRX240 device and<br />
the Cisco switch due to link mode mismatch. We recommend setting same value to<br />
the autonegotiation parameters on both ends.<br />
• On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a<br />
workaround, run the restart fpc command and restart the FPC.<br />
• On SRX210 devices with VDLS2, ATM COS VBR-related functionality cannot be tested.<br />
• On SRX210 devices, Internet Group Management Protocol version 2 (IGMPv2) JOINS<br />
messages are dropped on an integrated routing and bridging (IRB) interface. As a<br />
workaround, enable IGMP snooping to use IGMP over IRB interfaces.<br />
• On all J Series devices, the DS3 interface does not have an option to configure<br />
multilink-frame-relay-uni-nni (MFR).<br />
• On SRX210, SRX220, and SRX240 devices, every time the VDSL2 Mini-PIM is restarted<br />
in the asymmetric digital subscriber line (ADSL) mode, the first packet passing through<br />
the Mini-PIM is dropped.<br />
• On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server<br />
operation does not work when the probe is configured with the option<br />
destination-interface.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
363
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On all J Series devices, Link Layer Discovery Protocol (LLDP) is not supported on routed<br />
ports.<br />
• In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the<br />
user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper<br />
matching the ATM CoS rate must be configured to avoid congestion drops in<br />
segmentation and reassembly (SAR) as shown in following examples:<br />
Example:<br />
set interfaces at-5/0/0 unit 0 vci 1.110<br />
set interfaces at-5/0/0 unit 0 shaping cbr 62400 ATM COS<br />
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map IP COS<br />
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400 ADD IFL SHAPER<br />
• On SRX210, SRX220, and SRX240 devices, 1-Port Gigabit Ethernet SFP Mini-PIM does<br />
not support switching.<br />
• On SRX650 devices, MAC pause frame and frame check sequence (FCS) error frame<br />
counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.<br />
• On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the<br />
reserved VLAN address range, and the user is not allowed any configured VLANs from<br />
this range.<br />
• On SRX650 devices, the last four ports of a 24-Gigabit Ethernet switch GPIM can be<br />
used either as RJ-45 or small form-factor pluggable transceiver (SFP) ports. If both<br />
are present and providing power, the SFP media is preferred. If the SFP media is removed<br />
or the link is brought down, then the interface will switch to the RJ-45 medium. This<br />
can take up to 15 seconds, during which the LED for the RJ-45 port might go on and off<br />
intermittently. Similarly, when the RJ-45 medium is active and a SFP link is brought<br />
up, the interface will transition to the SFP medium, and this transition could also take<br />
a few seconds.<br />
• On SRX210 devices, the USB modem interface can handle bidirectional traffic of up<br />
to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps<br />
or above), keepalives do not get exchanged, and the interface goes down.<br />
• On SRX100, SRX210, SRX240, and SRX650 devices, on the Layer 3 aggregated Ethernet<br />
(ae) interface, the following features are not supported:<br />
• Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE)<br />
• J-Web<br />
• 10-Gigabit Ethernet<br />
• On SRX100 devices, the multicast data traffic is not supported on IRB interfaces.<br />
• On SRX240 High Memory devices, when the system login deny-sources statement is<br />
used to restrict the access, it blocks a remote copy (rcp) between nodes, which is used<br />
to copy the configuration during the commit routine. Use a firewall filter on the lo0.0<br />
interface to restrict the Routing Engine access, However if you choose to use the system<br />
364<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
login deny-sources statement, check the private addresses that were automatically<br />
on lo0.x and sp-0/0/0.x and exclude them from the denied list.<br />
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, on<br />
VLAN-tagged routed interfaces, LLDP is not supported.<br />
Internet Key Exchange Version 2 (IKEv2)<br />
On all branch SRX Series devices, IKEv2 does not include support for:<br />
• Policy-based tunnels<br />
• Dial-up tunnels<br />
• Network Address Translation-Traversal (NAT-T)<br />
• VPN monitoring<br />
• Next-Hop Tunnel Binding (NHTB) for st0—Reusing the same tunnel interface for<br />
multiple tunnels<br />
• Extensible Authentication Protocol (EAP)<br />
• IPv6<br />
• Multiple child SAs for the same traffic selectors for each QoS value<br />
• Proposal enhancement features<br />
• Reuse of Diffie-Hellman (DH) exponentials<br />
• Configuration payloads<br />
• IP Payload Compression Protocol (IPComp)<br />
• Dynamic Endpoint (DEP)<br />
Intrusion Detection and Prevention (IDP)<br />
• On SRX100, SRX210, SRX220, SRX240 devices, configuration changes under [edit<br />
security utm] or [edit security alg] may trigger unnecessary IDP configuration check<br />
When any of the following security configuration statements are changed and<br />
committed, a child idpd process is invoked to check the change on active IDP policy.<br />
• edit security policies (regardless of idp enabled on a policy)<br />
• edit security idp<br />
• edit security address-book<br />
• edit security zone<br />
• edit security alg<br />
• edit security utm<br />
If the change has an impact on active IDP policy, IDP compiles IDP policy and push it<br />
to dataplane. If not, IDP only checks and does nothing. However, IDP may push compiled<br />
IDP policy to datapalne even if there is no change on active IDP policy.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
365
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
NOTE: "utm" and "alg" are not directly related to IDP configuration, but<br />
by default they have a relationship to a security zone internally.<br />
As a work around, In order to avoid IDP commit check for "utm" or "alg"<br />
configuration change, you can explicitly configure internal "junos-host"<br />
security zone (e.g., “set security zones security-zone junos-host” and<br />
“commit”), then the "junos-host" security zone will not be loaded from the<br />
default configuration file. This new security zone has been introduced in<br />
Junos OS Relesae 11.4R1 and defined in "jsrxsme-series-defaults.conf" file<br />
to manage host-inbound and host-outbound self traffic by using security<br />
policy.<br />
• On all branch SRX Series devices, from Junos OS <strong>Release</strong> 11.2 and later, the IDP security<br />
package is based on the Berkeley database. Hence, when the Junos OS image is<br />
upgraded from Junos OS <strong>Release</strong> 11.1 or earlier to Junos OS 11.2 or later, a migration of<br />
IDP security package files needs to be performed. This is done automatically on upgrade<br />
when the IDP daemon comes up. Similarly, when the image is downgraded, a migration<br />
(secDb install) is automatically performed when the IDP daemon comes up, and<br />
previously installed database files are deleted.<br />
However, migration is dependent on the XML files for the installed database present<br />
on the device. For first-time installation, completely updated XML files are required. If<br />
the last update on the device was an incremental update, migration might fail. In such<br />
a case, you have to manually download and install the IDP security package using the<br />
download or install CLI command before using the IDP configuration with predefined<br />
attacks or groups.<br />
As a workaround, use the following CLI commands to manually download the individual<br />
components of the security package from the <strong>Juniper</strong> Security Engineering portal and<br />
install the full update:<br />
• request security idp security-package download full-update<br />
• request security idp security-package install<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the request services<br />
application-identification uninstall command will uninstall all predefined signatures.<br />
• On all branch SRX Series devices, IDP does not allow header checks for nonpacket<br />
contexts.<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum supported<br />
number of entries in the ASC table is 100,000 entries. Because the user land buffer<br />
has a fixed size of 1 MB as a limitation, the table displays a maximum of 38,837 cache<br />
entries.<br />
• On SRX650 device, the maximum number of IDP sessions supported is 16,384 on<br />
SRX210 devices, 32,768 on SRX240 devices, and 131,072.<br />
• On all branch SRX Series devices, IDP deployed in both active/active and active/passive<br />
chassis clusters has the following limitations:<br />
366<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• No inspection of sessions that fail over or fail back.<br />
• The IP action table is not synchronized across nodes.<br />
• The Routing Engine on the secondary node might not be able to reach networks that<br />
are reachable only through a Packet Forwarding Engine.<br />
• The SSL session ID cache is not synchronized across nodes. If an SSL session reuses<br />
a session ID and it happens to be processed on a node other than the one on which<br />
the session ID is cached, the SSL session cannot be decrypted and will be bypassed<br />
for IDP inspection.<br />
• On all branch SRX Series devices, IDP deployed in active/active chassis clusters has<br />
a limitation that for time-binding scope source traffic, if attacks from a source (with<br />
more than one destination) have active sessions distributed across nodes, then the<br />
attack might not be detected because time-binding counting has a local-node-only<br />
view. Detecting this sort of attack requires an RTO synchronization of the time-binding<br />
state that is not currently supported.<br />
NOTE: On SRX100 devices, IDP chassis cluster is supported in<br />
active/backup mode.<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the IDP policies for each<br />
user logical system are compiled together and stored on the data plane memory. To<br />
estimate adequate data plane memory for a configuration, consider these two factors:<br />
• IDP policies applied to each user logical system are considered unique instances<br />
because the ID and zones for each user logical system are different. Estimates need<br />
to take into account the combined memory requirements for all user logical systems.<br />
• As the application database increases, compiled policies will require more memory.<br />
Memory usage should be kept below the available data plane memory to<br />
accommodate increase in database size.<br />
IPv6 IPsec<br />
The IPv6 IPsec implementation has the following limitations:<br />
• IPv6 routers do not perform fragmentation. IPv6 hosts should either perform path<br />
maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6<br />
minimum MTU size of 1280 bytes.<br />
• Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are<br />
32-bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small<br />
performance degradation is observed.<br />
• IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel<br />
scalability numbers might drop.<br />
• The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel<br />
throughput performance.<br />
• The IPv6 IPsec VPN does not support the following functions:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
367
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• 4in6 and 6in4 policy-based site-to-site VPN, IKE<br />
• 4in6 and 6in4 route-based site-to-site VPN, IKE<br />
• 4in6 and 6in4 policy-based site-to-site VPN, Manual Key<br />
• 4in6 and 6in4 route-based site-to-site VPN, Manual Key<br />
• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE<br />
• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key<br />
• Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth<br />
• IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)<br />
• IKE peer type—Dynamic IP<br />
• Chassis cluster for basic VPN features<br />
• IKE authentication—PKI/RSA<br />
• Network Address Translation-Traversal (NAT-T)<br />
• VPN monitoring<br />
• Hub-and-spoke VPNs<br />
• Next Hop Tunnel Binding Table (NHTB)<br />
• Dead Peer Detection (DPD)<br />
• Simple Network Management Protocol (SNMP) for IPsec VPN MIBs<br />
• Chassis cluster for advanced VPN features<br />
• IPv6 link-local address<br />
IPv6 Support<br />
• NSM—Consult the Network and Security Manager (NSM) release notes for version<br />
compatibility, required schema updates, platform limitations, and other specific details<br />
regarding NSM support for IPv6 addressing on SRX Series and J Series devices.<br />
• Tunnel traffic—IPv6 advanced flow does not support the following tunnel types:<br />
• IPv4 IPIP<br />
• IPv4 GRE<br />
• IPv4 IPsec<br />
• Dual-stack lite<br />
J-Web<br />
• J-Web browser support for Dell PowerConnect and SRX Series devices—To access<br />
J-Web for all platforms, your device requires the following supported browsers and<br />
OS:<br />
368<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• Browser: Microsoft Internet Explorer version 7.0, and Mozilla Firefox version above<br />
3.0 and below 3.5.<br />
NOTE: Other browser versions might not provide access to J-Web and<br />
only English-version browsers are supported.<br />
• OS: Microsoft Windows XP Service Pack 3<br />
• SRX Series and J Series browser compatibility<br />
• To access the J-Web interface, your management device requires the following<br />
software:<br />
• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox<br />
version (3.0 or later)<br />
• Language support—English-version browsers<br />
• Supported OS—Microsoft Windows XP Service Pack 3<br />
• If the device is running the worldwide version of the Junos OS and you are using the<br />
Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option<br />
in the Web browser to access the device.<br />
• To use the Chassis View, a recent version of Adobe Flash that supports ActionScript<br />
and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed<br />
by default on the Dashboard page. You can enable or disable it using options in the<br />
Dashboard Preference dialog box, but clearing cookies in Internet Explorer also<br />
causes the Chassis View to be displayed.<br />
• On all branch SRX Series devices, in the J-Web interface, there is no support for changing<br />
the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert<br />
from T1 to E1 and vice versa.<br />
• On all branch SRX Series and J Series devices, users cannot differentiate between<br />
Active and Inactive configurations on the System Identity, Management Access, User<br />
Management, and Date & Time pages.<br />
• On SRX210 devices, there is no maximum length when the user commits the hostname<br />
in CLI mode; however, only 58 characters, maximum, are displayed in the J-Web System<br />
Identification panel.<br />
• On all J Series devices, some J-Web pages for new features (for example, the Quick<br />
Configuration page for the switching features on J Series devices) display content in<br />
one or more modal pop-up windows. In the modal pop-up windows, you can interact<br />
only with the content in the window and not with the rest of the J-Web page. As a<br />
result, online Help is not available when modal pop-up windows are displayed. You<br />
can access the online Help for a feature only by clicking the Help button on a J-Web<br />
page.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
369
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On all branch SRX Series devices, you cannot use J-Web to configure a VLAN interface<br />
for an IKE gateway. VLAN interfaces are not currently supported for use as IKE external<br />
interfaces.<br />
• On all branch SRX Series devices, in the J-Web Configure > Security > Address Book<br />
interface, a maximum of only 26 global address book entries are displayed even if the<br />
entry list is more than 26.<br />
Layer 2 Transparent Mode<br />
• DHCP server propagation is not supported in Layer 2 transparent mode.<br />
Network Address Translation (NAT)<br />
• Maximum capacities for source pools and IP addresses have been extended on SRX650<br />
devices, as follows:<br />
Devices<br />
Source NAT<br />
Pools<br />
PAT<br />
Maximum<br />
Address<br />
Capacity<br />
Pat Port Number<br />
Source NAT<br />
rules number<br />
SRX650<br />
1024<br />
1024<br />
64M<br />
1024<br />
Increasing the capacity of source NAT pools consumes memory needed for port<br />
allocation. When source NAT pool and IP address limits are reached, port ranges should<br />
be reassigned. That is, the number of ports for each IP address should be decreased<br />
when the number of IP addresses and source NAT pools is increased. This ensures NAT<br />
does not consume too much memory. Use the port-range statement in configuration<br />
mode in the CLI to assign a new port range or the pool-default-port-range statement<br />
to override the specified default.<br />
Configuring port overloading should also be done carefully when source NAT pools<br />
are increased.<br />
For source pool with port address translation (PAT) in range (64,510 through 65,533),<br />
two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323,<br />
and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports<br />
(64,512 through 65,535) for Application Layer Gateway (ALG) module use.<br />
• NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge<br />
of the carrier network, the device-wide NAT rule capacity has been changed.<br />
The number of destination and static NAT rules has been incremented as shown in<br />
Table 19 on page 371. The limitation on the number of destination-rule-set and<br />
static-rule-set has been increased.<br />
Table 19 on page 371 provides the requirements per device to increase the configuration<br />
limitation as well as to scale the capacity for each device.<br />
370<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Table 19: Number of Rules on SRX Series and J Series Devices<br />
NAT Rule Type<br />
SRX100<br />
SRX210<br />
SRX240<br />
SRX650<br />
J Series<br />
Source NAT rule<br />
512<br />
512<br />
1024<br />
1024<br />
512<br />
Destination NAT<br />
rule<br />
512<br />
512<br />
1024<br />
1024<br />
512<br />
Static NAT rule<br />
512<br />
512<br />
1024<br />
6144<br />
512<br />
The restriction on the number of rules per rule set has been increased so that there is<br />
only a device-wide limitation on how many rules a device can support. This restriction<br />
is provided to help you better plan and configure the NAT rules for the device.<br />
Power over Ethernet (PoE)<br />
• On SRX210-PoE devices, SDK packages might not work.<br />
Security Policies<br />
• J Series devices do not support the authentication order password radius or password<br />
ldap in the edit access profile profile-name authentication-order command. Instead, use<br />
order radius password or ldap password.<br />
• On all branch SRX Series and J Series devices, the limitation on the number of addresses<br />
in an address-set has been increased. The number of addresses in an address-set now<br />
depends on the device and is equal to the number of addresses supported by the policy.<br />
Table 20: Number of Addresses in an address-set on SRX Series and J<br />
Series Devices<br />
Device<br />
address-set<br />
Default<br />
1024<br />
SRX100 High Memory<br />
1024<br />
SRX100 Low Memory<br />
512<br />
SRX210 High Memory<br />
1024<br />
SRX210 Low Memory<br />
512<br />
SRX240 High Memory<br />
1024<br />
SRX240 Low Memory<br />
512<br />
SRX650<br />
1024<br />
J Series<br />
1024<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
371
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
SNMP<br />
• On all J Series devices, the SNMP NAT related MIB is not supported.<br />
Stream Control Transmission Protocol (SCTP)<br />
• SCTP is not supported on IPv6. It is supported only on IPv4.<br />
Switching<br />
• Layer 2 transparent mode support—On SRX100, SRX110, SRX210, SRX220, SRX240,<br />
and SRX650 devices, the following features are not supported for Layer 2 transparent<br />
mode:<br />
• Gateway-Address Resolution Protocol (G-ARP) on the Layer 2 interface<br />
• Spanning Tree Protocol (STP)<br />
• IP address monitoring on any interface<br />
• Transit traffic through integrated routing and bridging (IRB)<br />
• On SRX100, SRX110, SRX210, SRX240, and SRX650 devices, change of authorization<br />
is not supported with 802.1x.<br />
• On SRX100, SRX110, SRX210, SRX240, and SRX650 devices, on the routed VLAN<br />
interface, the following features are not supported:<br />
• ISIS (family ISO)<br />
• Class of service<br />
• Encapsulations (Ether circuit cross-connect [CCC], VLAN CCC, VPLS, PPPoE, and<br />
so on) on VLAN interfaces<br />
• Connectionless network Service (CLNS)<br />
• Distance Vector Multicast Routing Protocol (DVMRP)<br />
• Gateway-Address Resolution Protocol (G-ARP))<br />
• Change VLAN-Id for VLAN interface<br />
Upgrade and Downgrade<br />
• On all J Series devices, the Junos OS upgrade might fail due to insufficient disk space<br />
if the CompactFlash is smaller than 1 GB in size. We recommend using a 1GB compact<br />
flash for Junos OS <strong>Release</strong> 10.0 and later.<br />
• On SRX100, SRX110, SRX210, SRX220, SRX240, and SRX650 devices, when you connect<br />
a client running Junos Pulse 1.0 to an SRX Series device that is a running a later version<br />
of Junos Pulse, the client will not be upgraded automatically to the later version. You<br />
must uninstall Junos Pulse 1.0 from the client and then download the later version of<br />
Junos Pulse from the SRX Series device.<br />
372<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Virtual Private <strong>Networks</strong> (VPNs)<br />
• On SRX100, SRX110, SRX210, SRX240, and SRX650 devices, while configuring dynamic<br />
VPN using the Junos Pulse client, when you select the authentication-algorithm as<br />
sha-256 in the IKE proposal, the IPsec session might not get established.<br />
Unsupported CLI for Branch SRX Series Services Gateways and J Series Services<br />
Routers<br />
Accounting-Options Hierarchy<br />
• On SRX100, SRX110, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the<br />
accounting, source-class, and destination-class statements in the [accounting-options]<br />
hierarchy level are not supported.<br />
Chassis Hierarchy<br />
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following<br />
chassis hierarchy CLI commands are not supported. However, if you enter these<br />
commands in the CLI editor, they appear to succeed and do not display an error<br />
message.<br />
set chassis craft-lockout<br />
set chassis routing-engine on-disk-failure<br />
Class-of-Service Hierarchy<br />
• On SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices, the following<br />
class-of-service hierarchy CLI commands are not supported. However, if you enter<br />
these commands in the CLI editor, they appear to succeed and do not display an error<br />
message.<br />
set class-of-service classifiers ieee-802.1ad<br />
set class-of-service interfaces interface-name unit 0 adaptive-shaper<br />
Ethernet-Switching Hierarchy<br />
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following<br />
Ethernet-switching hierarchy CLI commands are not supported. However, if you enter<br />
these commands in the CLI editor, they appear to succeed and do not display an error<br />
message.<br />
set ethernet-switching-options bpdu-block disable-timeout<br />
set ethernet-switching-options bpdu-block interface<br />
set ethernet-switching-options mac-notification<br />
set ethernet-switching-options voip interface access-ports<br />
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class<br />
Firewall Hierarchy<br />
• On SRX100, SRX210, SRX220, SRX240 SRX650, and all J Series devices, the following<br />
Firewall hierarchy CLI commands are not supported. However, if you enter these<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
373
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
commands in the CLI editor, they appear to succeed and do not display an error<br />
message.<br />
set firewall family vpls filter<br />
set firewall family mpls dialer-filter d1 term<br />
Interfaces CLI Hierarchy<br />
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following<br />
interface hierarchy CLI commands are not supported. However, if you enter these<br />
commands in the CLI editor, they appear to succeed and do not display an error message.<br />
• Aggregated Interface CLI on page 374<br />
• ATM Interface CLI on page 374<br />
• Ethernet Interfaces on page 375<br />
• GRE Interface CLI on page 375<br />
• IP Interface CLI on page 375<br />
• LSQ Interface CLI on page 376<br />
• PT Interface CLI on page 376<br />
• T1 Interface CLI on page 376<br />
• VLAN Interface CLI on page 377<br />
Aggregated Interface CLI<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
request lacp link-switchover ae0<br />
set interfaces ae0 aggregated-ether-options lacp link-protection<br />
set interfaces ae0 aggregated-ether-options link-protection<br />
ATM Interface CLI<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set interfaces at-1/0/0 container-options<br />
set interfaces at-1/0/0 atm-options ilmi<br />
set interfaces at-1/0/0 atm-options linear-red-profiles<br />
set interfaces at-1/0/0 atm-options no-payload-scrambler<br />
set interfaces at-1/0/0 atm-options payload-scrambler<br />
set interfaces at-1/0/0 atm-options plp-to-clp<br />
set interfaces at-1/0/0 atm-options scheduler-maps<br />
set interfaces at-1/0/0 unit 0 atm-l2circuit-mode<br />
set interfaces at-1/0/0 unit 0 atm-scheduler-map<br />
set interfaces at-1/0/0 unit 0 cell-bundle-size<br />
374<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
set interfaces at-1/0/0 unit 0 compression-device<br />
set interfaces at-1/0/0 unit 0 epd-threshold<br />
set interfaces at-1/0/0 unit 0 inverse-arp<br />
set interfaces at-1/0/0 unit 0 layer2-policer<br />
set interfaces at-1/0/0 unit 0 multicast-vci<br />
set interfaces at-1/0/0 unit 0 multipoint<br />
set interfaces at-1/0/0 unit 0 plp-to-clp<br />
set interfaces at-1/0/0 unit 0 point-to-point<br />
set interfaces at-1/0/0 unit 0 radio-router<br />
set interfaces at-1/0/0 unit 0 transmit-weight<br />
set interfaces at-1/0/0 unit 0 trunk-bandwidth<br />
Ethernet Interfaces<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes<br />
set interfaces ge-0/0/1 gigether-options mpls<br />
set interfaces ge-0/0/0 stacked-vlan-tagging<br />
set interfaces ge-0/0/0 native-vlan-id<br />
set interfaces ge-0/0/0 radio-router<br />
set interfaces ge-0/0/0 unit 0 interface-shared-with<br />
set interfaces ge-0/0/0 unit 0 input-vlan-map<br />
set interfaces ge-0/0/0 unit 0 output-vlan-map<br />
set interfaces ge-0/0/0 unit 0 layer2-policer<br />
set interfaces ge-0/0/0 unit 0 accept-source-mac<br />
set interfaces fe-0/0/2 fastether-options source-address-filter<br />
set interfaces fe-0/0/2 fastether-options source-filtering<br />
set interfaces ge-0/0/1 passive-monitor-mode<br />
GRE Interface CLI<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set interfaces gr-0/0/0 unit 0 ppp-options<br />
set interfaces gr-0/0/0 unit 0 layer2-policer<br />
IP Interface CLI<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set interfaces ip-0/0/0 unit 0 layer2-policer<br />
set interfaces ip-0/0/0 unit 0 ppp-options<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
375
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
set interfaces ip-0/0/0 unit 0 radio-router<br />
LSQ Interface CLI<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set interfaces lsq-0/0/0 unit 0 layer2-policer<br />
set interfaces lsq-0/0/0 unit 0 family ccc<br />
set interfaces lsq-0/0/0 unit 0 family tcc<br />
set interfaces lsq-0/0/0 unit 0 family vpls<br />
set interfaces lsq-0/0/0 unit 0 multipoint<br />
set interfaces lsq-0/0/0 unit 0 point-to-point<br />
set interfaces lsq-0/0/0 unit 0 radio-router<br />
PT Interface CLI<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set interfaces pt-1/0/0 gratuitous-arp-reply<br />
set interfaces pt-1/0/0 link-mode<br />
set interfaces pt-1/0/0 no-gratuitous-arp-reply<br />
set interfaces pt-1/0/0 no-gratuitous-arp-request<br />
set interfaces pt-1/0/0 vlan-tagging<br />
set interfaces pt-1/0/0 unit 0 radio-router<br />
set interfaces pt-1/0/0 unit 0 vlan-id<br />
T1 Interface CLI<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set interfaces t1-1/0/0 receive-bucket<br />
set interfaces t1-1/0/0 transmit-bucket<br />
set interfaces t1-1/0/0 encapsulation ether-vpls-ppp<br />
set interfaces t1-1/0/0 encapsulation extended-frame-relay<br />
set interfaces t1-1/0/0 encapsulation extended-frame-relay-tcc<br />
set interfaces t1-1/0/0 encapsulation frame-relay-port-ccc<br />
set interfaces t1-1/0/0 encapsulation satop<br />
set interfaces t1-1/0/0 unit 0 encapsulation ether-vpls-fr<br />
set interfaces t1-1/0/0 unit 0 encapsulation frame-relay-ppp<br />
set interfaces t1-1/0/0 unit 0 layer2-policer<br />
set interfaces t1-1/0/0 unit 0 radio-router<br />
set interfaces t1-1/0/0 unit 0 family inet dhcp<br />
set interfaces t1-1/0/0 unit 0 inverse-arp<br />
376<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
set interfaces t1-1/0/0 unit 0 multicast-dlci<br />
VLAN Interface CLI<br />
• The following CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set interfaces vlan unit 0 family tcc<br />
set interfaces vlan unit 0 family vpls<br />
set interfaces vlan unit 0 accounting-profile<br />
set interfaces vlan unit 0 layer2-policer<br />
set interfaces vlan unit 0 ppp-options<br />
set interfaces vlan unit 0 radio-router<br />
Protocols Hierarchy<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI<br />
commands are not supported. However, if you enter these commands in the CLI editor,<br />
they will appear to succeed and will not display an error message.<br />
set protocols bfd no-issu-timer-negotiation<br />
set protocols bgp idle-after-switch-over<br />
set protocols l2iw<br />
set protocols bgp family inet flow<br />
set protocols bgp family inet-vpn flow<br />
set protocols igmp-snooping vlan all proxy<br />
Routing Hierarchy<br />
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following<br />
routing hierarchy CLI commands are not supported. However, if you enter these<br />
commands in the CLI editor, they appear to succeed and do not display an error<br />
message.<br />
set routing-instances < instance_name > services<br />
set routing-instances < instance_name > multicast-snooping-options<br />
set routing-instances < instance_name > protocols amt<br />
set routing-options bmp<br />
set routing-options flow<br />
Services Hierarchy<br />
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following<br />
services hierarchy CLI commands are not supported. However, if you enter these<br />
commands in the CLI editor, they appear to succeed and do not display an error<br />
message.<br />
set services service-interface-pools<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
377
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
SNMP Hierarchy<br />
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following<br />
SNMP hierarchy CLI commands are not supported. However, if you enter these<br />
commands in the CLI editor, they appear to succeed and do not display an error<br />
message.<br />
set snmp community < community_name > logical-system<br />
set snmp logical-system-trap-filter<br />
set snmp trap-options logical-system<br />
set snmp trap-group d1 logical-system<br />
System Hierarchy<br />
• On all SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system<br />
hierarchy CLI commands are not supported. However, if you enter these commands<br />
in the CLI editor, they appear to succeed and do not display an error message.<br />
set system diag-port-authentication<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and<br />
J Series Services Routers on page 331<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series<br />
Services Gateways and J Series Services Routers on page 401<br />
Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for Branch SRX Series Services Gateways and<br />
J Series Services Routers<br />
The following problems currently exist in <strong>Juniper</strong> <strong>Networks</strong> branch SRX Series Services<br />
Gateways and J Series Services Routers. The identifier following the description is the<br />
tracking number in the <strong>Juniper</strong> <strong>Networks</strong> Problem Report (PR) tracking system.<br />
NOTE: For the latest, most complete information about outstanding and<br />
resolved issues with the Junos OS software, see the <strong>Juniper</strong> <strong>Networks</strong> online<br />
software defect search application at http://www.juniper.net/prsearch.<br />
Command-Line Interface (CLI)<br />
• When you upgrade an SRX Series device to Junos OS <strong>Release</strong> 11.4, NSM shows an error<br />
that a space in the full-name parameter of the set system login user test-name full-name<br />
test name command statement is not accepted. [PR806750]<br />
Flow and Processing<br />
• When a hardware timestamp is enabled, RPM probes go over the network control<br />
queue instead of the configured forwarding class. [PR487948]<br />
• Reduced flow and packet performance, and a drop in gre and gre_ipsec are observed.<br />
[PR682501]<br />
378<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• The collector-bound exported data record might show random source port or<br />
destination port numbers. [PR853567]<br />
• Customer edge (CE)-to-CE Connectionless Network Service (CLNS) ping does not<br />
work even when the routing table lists the destination as the IS-IS (family iso) route.<br />
[PR859735]<br />
Interfaces and Routing<br />
• Updates to firmware from version 6.02.00.12 to 7.03.01.00 on asymmetric digital<br />
subscriber line (ADSL) Mini-PIM and on Operation, Administration, and Management<br />
(OAM) do not function correctly. The Asynchronous Transfer Mode OAM feature is not<br />
supported. [PR835677]<br />
• When there is high CPU utilization, Link Aggregation Control Protocol (LACP) might<br />
flap and consequently aggregated Ethernet (ae) interface link might sometimes go<br />
down. [PR860129]<br />
J-Web<br />
• In J-Web, an incorrect confirmation message is displayed for the download and install<br />
application on the package in Appsecure Settings configuration page. [PR728992]<br />
• The Global options > Proxy screen is blank for the first time when you access it using<br />
Internet Explorer version 7.0. [PR737675]<br />
• The Layer 2 Transparent Mode feature does not work with the group configuration.<br />
[PR815225]<br />
• In J-Web, custom-defined applications are presented as predefined. [PR837820]<br />
• In J-Web, when you configure using the CLI or J-Web, you cannot to see the value of<br />
POL0. [PR839749]<br />
• In J-Web, when you add or delete the Junos-self zone and check the configuration<br />
using the CLI, you cannot delete the policy. [PR839950]<br />
Security Policies<br />
• A security policy with antivirus shows incorrect count of bytes and packets the in policy<br />
statistics. [PR841923]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and<br />
J Series Services Routers on page 331<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways<br />
and J Series Services Routers on page 357<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series<br />
Services Gateways and J Series Services Routers on page 401<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
379
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series<br />
Services Routers<br />
The following are the issues that have been resolved since Junos OS <strong>Release</strong> 11.4 for<br />
<strong>Juniper</strong> <strong>Networks</strong> branch SRX Series Services Gateways and J Series Services Routers.<br />
The identifier following the description is the tracking number in the <strong>Juniper</strong> <strong>Networks</strong><br />
Problem Report (PR) tracking system.<br />
NOTE: For the latest, most complete information about outstanding and<br />
resolved issues with the Junos OS software, see the <strong>Juniper</strong> <strong>Networks</strong> online<br />
software defect search application at http://www.juniper.net/prsearch.<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R7 for Branch SRX Series Services<br />
Gateways<br />
Chassis Cluster<br />
• On devices in a chassis cluster, the child link of the link aggregation group (LAG)<br />
redundant Ethernet (reth) interface flapped frequently which caused memory corruption<br />
on the next hop pointer and caused the Routing Engine to generate a vmcore file.<br />
[PR821833: This issue has been resolved.]<br />
• On devices in a chassis cluster, the timeout value within which the request system<br />
snapshot media internal slice alternate command was expected to complete was<br />
increased from 10 minutes to 15 minutes. [PR822975: This issue has been resolved.]<br />
• On devices in a chassis cluster, when you accessed J-Web using Internet Explorer the<br />
following message was displayed:<br />
Configuring chassis cluster in non-cluster mode is not allowed<br />
PR825952: [This issue has been resolved.]<br />
Command-Line Interface (CLI)<br />
• When you executed the request system zeroize the rescue command, the configuration<br />
was not deleted. As a result, the rescue configuration was loaded instead of the factory<br />
default configuration. [PR835687: This issue has been resolved.]<br />
Interfaces and Routing<br />
• When you attempted to create a dial backup interface, * and # symbols were not<br />
accepted. [PR834042: This issue has been resolved.]<br />
Intrusion Detection and Prevention (IDP)<br />
• A new filter was added in dynamic attack groups in the CLI. The two flags under filters<br />
are recommended (which means true) and not-recommended (which means false).<br />
Only the recommended=true flag was supported. [PR828494: This issue has been<br />
resolved.]<br />
380<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• On J Series devices, IDP initialization failed and the policy did not load. As a result, IDP<br />
inspection did not work. [PR833071: This issue has been resolved.]<br />
J-Web<br />
• Sometime the firewall policy wizard did not run. [PR816393: This issue has been<br />
resolved.]<br />
• The dashboard refresh rate changed. Refresh rates of 15, 30, and 60 seconds were<br />
removed. The minimum refresh rate available was 2 minutes. [PR826053: This issue<br />
has been resolved.]<br />
• In J-Web, the session expired when the idle-timeout value was set too low. [PR830644:<br />
This issue has been resolved.]<br />
Virtual Private Network (VPN)<br />
• IKE SA failed to install the responder during Phase 2 rekey. [PR809219: This issue has<br />
been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R6 for Branch SRX Series Services<br />
Gateways<br />
Application Layer Gateways (ALGs)<br />
• On all branch SRX Series devices, when the TNS RESEND (type 11) was 8 bytes long,<br />
the SQL ALG did not work properly. [PR806893: This issue has been resolved.]<br />
Command-Line Interface (CLI)<br />
• On SRX240 High Memory devices, the services ip-monitoring CLI command was not<br />
working. [PR771344: This issue has been resolved.]<br />
Dynamic Host Configuration Protocol (DHCP)<br />
• On SRX240 High Memory devices, when the DHCP client was configured with VLAN,<br />
the DHCP leases were not acquired by the client and unicast messages were dropped.<br />
[PR776525: This issue has been resolved.]<br />
Flow and Processing<br />
• On branch SRX Series devices, the httpd task was high. [PR768952: This issue has<br />
been resolved.]<br />
• On SRX650 devices, the nas-ip-address might not be set correctly using the system<br />
radius-options attributes nas-ip-address command followed by a commit. [PR786467:<br />
This issue has been resolved.]<br />
• On SRX220 PoE devices, the smtp-profile junos-as-defaults command was not loaded.<br />
[PR791575: This issue has been resolved.]<br />
• On SRX240 devices, when the ingress and egress interfaces are located on different<br />
nodes of a chassis cluster (or are active, in the case of redundant Ethernet interfaces),<br />
filter-based forwarding (FBF) might not work correctly. [PR793057: This issue has been<br />
resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
381
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On SRX210 High Memory devices, flowd core files are generated during the IDP<br />
security-package update. [PR793417: This issue has been resolved.]<br />
• On all branch SRX Series devices, when multicast sessions were closed, an<br />
RT_FLOW_SESSION_CLOSE entry were not entered into the syslog file. [PR804569:<br />
This issue has been resolved.]<br />
• On all branch SRX Series devices, generation of a flowd core file was triggered by cache<br />
errors. [PR805975: This issue has been resolved.]<br />
• On SRX650 devices, routing engine failover occurred due to possible out-of-sync<br />
information about already allocated SNMP interface index values, and duplicate SNMP<br />
interface index values might be allocated. As a result, the mib2d process might crash<br />
or the SNMP interface index value of zero might be allocated for newly created<br />
interfaces. [PR806098: This issue has been resolved.]<br />
• On all branch SRX Series devices, while upgrading cluster nodes and RG1 failover, one<br />
reth member was struck in STP learn state, and the link remains in a hard down state<br />
and do not recover. [PR811002: This issue has been resolved.]<br />
• On all branch SRX Series devices, the MSRPC ALG dropped some big packets under<br />
the Kerberos authentication environment, because the Kerberos ticket token size and<br />
the MS-RPC bind packet were too large for ALG to handle. [PR817453: This issue has<br />
been resolved.]<br />
• On SRX210 and SRX240 devices, reboot due to a kernel issue occurred. [PR818905:<br />
This issue has been resolved.]<br />
• On all branch SRX Series devices, after upgrading to Junos OS <strong>Release</strong> 11.4R5, if OSPF<br />
was enabled for any of the st0 interfaces, an internal processing error prevented the<br />
default route from being advertised out. [PR822352: This issue has been resolved.]<br />
• On all branch SRX Series devices, there used to be a requirement for the support of<br />
both “STARTTLS” and “X-ANONYMOUSTLS” cases for the SMTP parser. [PR824027:<br />
This issue has been resolved.]<br />
• On all branch SRX Series devices, erroneous messages were printed from liblicense<br />
during commit. [PR826158: This issue has been resolved.]<br />
382<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Intrusion Detection and Prevention (IDP)<br />
• On all branch SRX Series devices, A new filter was added in dynamic attack groups in<br />
the CLI. The two flags under filters are recommended (which means true) and<br />
no-recommended (which means false). Only the recommended=true flag was supported.<br />
[PR828494: This issue has been resolved.]<br />
Interfaces and Routing<br />
• On SRX210 devices, there was an unexpectedly lower bandwidth through a scheduler<br />
queue that was configured with a small buffer size on an interface faster than 2 Mbps.<br />
[PR806745: This issue has been resolved.]<br />
J-Web<br />
• On SRX210 devices, the error “Failed to connect to server” was displayed when multiple<br />
clients were connected to the device through dynamic VPN and when some<br />
configurations related to IKE negotiation changed on the device. [PR737787: This issue<br />
has been resolved.]<br />
• On all branch SRX Series devices, the Help page was not available for the Configure<br />
>Interface> Ports page. [PR792544: This issue has been resolved].<br />
• On SRX650 devices, you were unable to view the application set in J-Web if you had<br />
added it using the CLI. [PR804176: This issue has been resolved.]<br />
• On SRX110 devices, the J-Web security logging tab was not working. [PR806442: This<br />
issue has been resolved.]<br />
• On SRX240 High Memory devices, the httpd task was high. [PR809061: This issue has<br />
been resolved.]<br />
• On all branch SRX Series devices, in J-Web, the dashboard refresh rate changed. Refresh<br />
rates of 15, 30, and 60 seconds were removed. The minimum refresh rate available<br />
was 2 minutes. [PR826053: This issue has been resolved.]<br />
Logging<br />
• On SRX650 devices, destination port information was missing for IPv6 packets when<br />
the firewall was in packet mode. [PR805986: This issue has been resolved.]<br />
Aug 9 19:39:17 SRX100-1 SRX100-1 PFE_FW_SYSLOG_IP6_TCP_UDP: FW: fe-0/0/3.0<br />
A tcp SA 2002:0:0:0:0:0:1414:1402 DA 2002:0:0:0:0:0:1414:1401 sport:58962 dport:<br />
Aug 9 19:39:18 SRX100-1 SRX100-1 PFE_FW_SYSLOG_IP6_TCP_UDP: FW: fe-0/0/3.0<br />
A tcp SA 2002:0:0:0:0:0:1414:1402 DA 2002:0:0:0:0:0:1414:1401 sport:56506 dport:<br />
Aug 9 19:39:19 SRX100-1 SRX100-1 PFE_FW_SYSLOG_IP6_TCP_UDP: FW: fe-0/0/3.0<br />
A tcp SA 2002:0:0:0:0:0:1414:1402 DA 2002:0:0:0:0:0:1414:1401 sport:57265 dport:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
383
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
SNMP MIBs<br />
• On all branch SRX Series devices in a chassis cluster, long pauses and timeout were<br />
seen during SNMP walk or query of the device. A delay occurred in the kernel’s query<br />
of the gr-0/0/0 (GRE) interface. [PR800735: This issue has been resolved.]<br />
Unified Threat Management (UTM)<br />
• On SRX220 High Memory devices, the help and system logs on the terminal did not<br />
match. [PR794743: This issue has been resolved.]<br />
Virtual Private Network (VPN)<br />
• On all branch SRX Series devices, the IPsec Phase 2 negotiation failed when you used<br />
authentication-algorithm hmac-sha-256-128 command. [PR793760: This issue has<br />
been resolved.]<br />
• On SRX650 devices, when you used hmac-sha-256-128 at the group VPN server for<br />
the IPsec authentication-algorithm, a gkmd core file was generated for the group VPN<br />
member. [PR800719: This issue has been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R5 for Branch SRX Series Services<br />
Gateways<br />
Authentication<br />
• On SRX240 devices, the Web authentication page was not displayed properly when<br />
you tried to reauthenticate after an idle time [PR741973: This issue has been resolved.]<br />
• On SRX220 devices, when the local or radius user password contained a percent<br />
character (%), firewall authentication through the Web portal failed due to an issue<br />
in processing the percent sign. [PR778891: This issue has been resolved.]<br />
Command-Line Interface (CLI)<br />
• On all branch SRX Series and J Series devices, the set chassis usb storage disable<br />
command did not work. [PR793844: This issue has been resolved.]<br />
Flow and Processing<br />
• On SRX devices, when the syn-cookie feature was enabled along with the syn-flood<br />
screen with a low timeout value, high-latency TCP sessions failed to establish<br />
successfully. The client sessions received unresponsive connections because the SRX<br />
Series device timed out the flow for the session. The device also dropped subsequent<br />
packets from the client due to the state not being found [PR692484: This issue has<br />
been resolved.]<br />
• On all branch SRX Series devices, the commands after STARTTLS were encrypted<br />
and could not be understood by the SMTP parser. These commands caused the session<br />
to hang until the TCP session was closed and no packets were forwarded. [PR750047:<br />
This issue has been resolved.]<br />
384<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• On SRX220 devices, when the device sent a broadcast ARP to a Layer 3 VLAN interface<br />
that was restarting, it caused the forwarding to restart, resulting in traffic loss and<br />
generation of a flowd_octeon_hm core file. [PR755204: This issue has been resolved.]<br />
• On SRX650 devices in a chassis cluster, the forwarding module became unresponsive<br />
when the redundant Ethernet (reth) interface was deleted while traffic was flowing<br />
through the device. Sometimes flowd generated a core file. [PR771273: This issue has<br />
been resolved.]<br />
• On SRX650 devices, the dot1x:mode:Multiple:Supplicants are authenticated even after<br />
sending the disconnect message from the radius server. [PR786731: This issue has been<br />
resolved.]<br />
• On SRX240 devices, when the DHCP client was configured on a routing instance in<br />
JSRP setup, after failover, device remained in secondary hold indefinitely. [PR790872:<br />
This issue has been resolved.]<br />
• On SRX210 High Memory devices, the flowd core files were generated during the IDP<br />
security-package update. [PR793417: This issue has been resolved.]<br />
Interfaces and Routing<br />
• On SRX210 devices, changes made to the VPI and VCI values of ADSL interfaces did<br />
not take effect until the chassis was rebooted. [PR783992: This issue has been resolved.]<br />
• On SRX210HE devices, after reboot, sometimes the VLAN interface was down while<br />
its physical interface member was up. [PR791610: This issue has been resolved.]<br />
• On SRX240H devices, after reboot, sometimes the interface VLAN was down when<br />
the member physical interface was up. [PR795363: This issue has been resolved.]<br />
Intrusion Detection and Prevention (IDP)<br />
• On all branch SRX Series devices, IDP had the listed issues:<br />
• The detector was not updated in the control plane when the<br />
update-attack-database-only flag was used during security package installation.<br />
• IDP memory leak during IDP policy load, which causes ukernel heap fragmentation<br />
issue.<br />
[PR778816: This issue has been resolved.]<br />
• On SRX210 High Memory devices, during IDP policy compile, the failure message “idp<br />
policy parser compile failed” was displayed due to a memory leak in the application<br />
identification configuration load. [PR787970: This issue has been resolved.]<br />
• On SRX240 High Memory devices, IDP policy load failed though there was sufficient<br />
memory (heap) available. This issue occurred when there was not enough contiguous<br />
memory block available in kernel heap memory. [PR789146: This issue has been<br />
resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
385
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On SRX240 High Memory devices, when you changed the configuration, the show<br />
security idp policy-commit-status command showed the message “Failed to add<br />
connection for dataplane”. [PR789542: This issue has been resolved.]<br />
• On SRX210 High Memory devices, when the device was in low-memory condition on<br />
the control plane, it rebooted suddenly during the IDP security-package update.<br />
[PR776947: This issue has been resolved.]<br />
J-Web<br />
• On SRX210 devices, Junos OS failed to import node configurations when chassis cluster<br />
setup was configured using J-Web. [PR753533: This issue has been resolved.]<br />
• On all branch SRX Series devices, using J-Web, when you clicked Enable Log on the<br />
Monitor > Security > IDP > Attacks page, the page was disabled and not accessible.<br />
[PR768559: This issue has been resolved.]<br />
• On SRX210 HE, BE, and HE-PoE devices, logging in to J-Web resulted in the following<br />
error message: “JWEB is not supported on this platform”. [PR781659: This issue has<br />
been resolved.]<br />
• On all branch SRX Series devices in J-Web, when the device was in cluster mode after<br />
RG failover the primary node was displayed as a secondary hold in the Dashboard ><br />
System-identification > Cluster details. This was due to an RPC get data error.<br />
[PR786700: This issue has been resolved.]<br />
• On all branch SRX devices, the default radio buttons did not work after you configured<br />
the Configure > Security > UTM > Web Filtering > Add profile > Fallback options.<br />
[PR794441: This issue has been resolved.]<br />
Network Address Translation (NAT)<br />
• On SRX240 devices, Static NAT rules were not being enforced when Ethernet switching<br />
family was used. [PR785106: This issue has been resolved.]<br />
Unified Threat Management (UTM)<br />
• On SRX240 High Memory devices, The SMTP session was suspended, and the AV<br />
counters showed incorrect increments when a 20-MB file was transferred. [PR792518:<br />
This issue has been resolved.]<br />
• On SRX240 High Memory devices, UTM mbuf leaks were observed after several hours<br />
of traffic load. [PR795681: This issue has been resolved.]<br />
Virtual Private <strong>Networks</strong> (VPNs)<br />
• On SRX650 devices, when there were many IKE SAs, the SNMP MIB<br />
“jnxIpSecFlowMonPhaseOne” returned only the first IKE SA. [PR734797: This issue has<br />
been resolved.]<br />
• On SRX650 devices, IKE Phase 1 and Phase 2 logs erroneously reported that the<br />
renegotiation retry limit had been reached, even though the VPN build succeeded.<br />
[PR741751: This issue has been resolved.]<br />
386<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• On All branch SRX Series devices, When using IPsec VPN, the “IKE Phase-2 Failure: IKE<br />
Phase-2 negotiation retry limit reached?” message was logged even though no failure<br />
had actually occurred. [PR768466: This issue has been resolved.]<br />
• On all branch SRX devices, when using SIP on a dynamic VPN client, the voice stream<br />
did not reach the client. [PR776883: This issue has been resolved.]<br />
• On SRX210 High Memory devices, the IPsec Phase 2 negotiation failed when you used<br />
authentication-algorithm hmac-sha-256-128. [PR793760: This issue has been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R4 for Branch SRX Series Services<br />
Gateways<br />
Application Layer Gateway (ALG)<br />
• On J2350 devices, the ALG module did not initialize properly due to a last-minute<br />
regression, preventing protocols such as FTP, RTSP, SIP, and RPC from working properly.<br />
This caused traffic drop and affected all the ALG related features. [PR749366: This<br />
issue has been resolved.]<br />
• On all branch SRC Series devices, multiple TFTP requests with same source Ip and<br />
port may fail because only one gate will be opened. [PR750834: This issue has been<br />
resolved.]<br />
• On SRX240 devices, the EPRT command did not work with FTP ALGs on port 0, which<br />
were not valid. [PR769444: This issue has been resolved.]<br />
• On SRX240 devices, during ALG traffic processing, the device generated a core file.<br />
[PR780007: This issue has been resolved.]<br />
Command-Line Interface (CLI)<br />
• On SRX210 devices, the show interface at extensive command did not display the<br />
correct value when the at interface was up on the SHDSL Mini-PIM. [PR738322: This<br />
issue has been resolved.]<br />
Dynamic Host Configuration Protocol (DHCP)<br />
• On SRX210 and SRX240 devices, when the devices acted as DHCP servers and the<br />
DHCP requests were forwarded to the SRX Series devices by a DHCP relay, the devices<br />
sent responses to DHCP requests to an incorrect UDP destination port. [PR774541: This<br />
issue has been resolved.]<br />
Flow and Processing<br />
• On SRX240 devices, Changes to CoS drop-profiles don't get applied with commit.<br />
[PR690273: This issue has been resolved.]<br />
• On SRX240, and SRX650 devices, when the device processed a large amount of traffic,<br />
performing an AppID security package update caused the flowd process to generate<br />
a core file. [PR769832: This issue has been resolved. ]<br />
• On SRX650 devices in a chassis cluster,the forwarding module became unresponsive<br />
when the redundant Ethernet (reth) interface was deleted while traffic was flowing<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
387
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
through the device. Sometimes flowd generated a core file. [PR771273: This issue has<br />
been resolved.]<br />
• On SRX100, SRX210, SRX240, and SRX650 devices, for IKEv2, when the device<br />
attempted a dpd exchange during an existing exchange, a core file was generated.<br />
[PR771234 : This issue has been resolved.]<br />
• On SRX240 devices, when passing GVPN multicast traffic, flowd core files were<br />
generated when the GVPN packet was encapsulated in the PIM register message.<br />
[PR774133: This issue has been resolved.]<br />
J-Web<br />
• On J Series devices, the EZ-Setup (J-Web Initialization setup) failed with the following<br />
error: “Fetching setup configuration....Please wait”. [PR748173: This issue has been<br />
resolved.]<br />
• On SRX210 HE, BE, and HE-PoE devices, logging in to J-Web resulted in the following<br />
error message: “JWEB is not supported on this platform”. [PR781659: This issue has<br />
been resolved.]<br />
Interface and routing<br />
• On SRX240, and SRX650 devices in a chassis cluster, the Track IP (ipmon) feature<br />
was not working for VLAN tagged redundant Ethernet interfaces. [PR575754: This issue<br />
has been resolved.]<br />
• On J2320 devices, when you used ISDN connections, an error appeared stating that a<br />
BAD_PAGE_FAULT had occurred and the ISDN connection had stopped working.<br />
[PR669297: This issue has been resolved.]<br />
• On SRX240 devices, the routing protocol daemon (rpd) generated a core file while<br />
processing a malformed RIP or RIP message from a neighbor during adjacency<br />
establishment. [PR772601: This issue has been resolved.]<br />
Network Address Translation (NAT)<br />
• On all branch SRX and J Series devices, the Commit of static NAT rules might fail when<br />
you committed interfaces, security zone, and NAT at same time in the root or logical<br />
system. In addition, the commit of static NAT rules might fail when you committed for<br />
security zone and NAT at the same time. [PR756240: This issue has been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R3 for Branch SRX Series Services<br />
Gateways<br />
Application Layer Gateway (ALG)<br />
• On SRX240 devices, In certain circumstances, memory objects used by H323 ALG does<br />
not release properly once its is used. It is fixed by enforcing the releasing logic when<br />
memory object is not needed. [PR746367: This issue has been resolved.]<br />
• On J2350 devices, the ALG module did not initialize properly due to a last-minute<br />
regression, preventing protocols such as FTP, RTSP, SIP, and RPC from working properly.<br />
388<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
This caused traffic drop and affected all the ALG related features. [PR749366: This<br />
issue has been resolved.]<br />
Chassis Cluster<br />
• On all branch SRX Series devices, the chassis cluster setup, primary node does not<br />
show security resource details on Dashboard page due to which the following message<br />
log is generated: "Security Resources:error: invalid value: firewall-policies". [PR720435:<br />
This issue has been resolved.]<br />
• On SRX210, SRX220, and SRX240 devices, the system crashed while changing the<br />
MTU of the redundant Ethernet interface. [PR720927: This issue has been resolved.]<br />
• On SRX650 devices, upgrade validation fails on SRX Clusters when using 'validate'<br />
option when attempting to upgrade from 10.3 or earlier versions to 10.4 or higher version.<br />
[PR735150: This issue has been resolved.]<br />
DHCP<br />
• On SRX220 devices, Only the first three options present in the Options Request of a<br />
DHCPv6 Solicit/Request will be correctly populated from the dhcp-attributes specified<br />
within a local inet6 pool. [PR741823: This issue has been resolved.]<br />
• On SRX210 devices, after adding or deleting some vlan configurations, if an interface<br />
is made a member of vlan 1 and that interface also serves as a DHCP server, it is<br />
sometimes observed that the interface fails to respond to incoming DHCP requests.<br />
[PR746382: This issue has been resolved.]<br />
Flow and processing<br />
• On SRX100 devices, when there is no static route configured in the routing-option, the<br />
inline-jflow v9 OutputInt and Src/DstMask information are displayed incorrectly.<br />
[PR678302: This issue has been resolved.]<br />
• On J4350, SRX550, and SRX650 devices, when the peers are connected directly<br />
through the t1 link and the ge link, pinging to the peer link local address of the t1 link<br />
interface does not go through the t1 link, but through the ge link instead. [PR684159:<br />
This issue has been resolved.]<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, activating and<br />
deactivating logical interfaces a number of times resulted in flowd core files. [PR691907:<br />
This issue has been resolved.]<br />
• On SRX110 devices, When certificate key size was 2048 bytes and total combined<br />
certificate request size was greater than 4096 bytes, the PKID service might crash on<br />
certificate enrollment. [PR698846: This issue has been resolved.]<br />
• On all branch SRX Series devices, in Internet Explorer, the dashboard panels did not<br />
show any data until they were refreshed. [PR703958: This issue has been resolved.]<br />
• On SRX220 devices, GRE and GRE-IPsec performance drop was seen. [PR70642: This<br />
issue has been resolved.]<br />
• On SRX650 devices, "kern.maxfiles limit exceeded by uid 0" messages is displayed.<br />
[PR721715: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
389
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On all branch SRX Series devices, the spoofing screen was dropping IPv6 packets<br />
sourced from the unspecified source address (example: 0:0:0:0:0:0:0:0/128 or ::/128).<br />
[PR721913: This issue has been resolved.]<br />
• On all branch SRX Series devices, the following message is displayed when the<br />
ntp-related show commands are not working:<br />
ntpq: socket: Protocol not supported<br />
[PR722528: This issue has been resolved.]<br />
• On SRX100 devices, UTM/Av was not working with only 1 PC search from yahoo.co.jp,<br />
it failed to load when content size setting is set to 20. [PR722652: This issue has been<br />
resolved.]<br />
• On all branch SRX Series devices, changes to URL category value caused value deletion<br />
in the Web-filtering profile. [PR723884: This issue has been resolved.]<br />
• On SRX240 devices, Flowd core occurred after upgrading to 11.2R5 due to mbuf not<br />
being cleaned up. [PR734885: This issue has been resolved.]<br />
• On SRX220, SRX550, SRX650, J2320, and J4350 devices, NSD core files were<br />
generated. [PR735152: This issue has been resolved.]<br />
• On all branch SRX Series devices, the application groups statistics were shown as<br />
“unassigned” and “unknown” for the show services application-identification statistics<br />
application-groups command output without displaying the details. [PR740014: This<br />
issue has been resolved.]<br />
• On SRX240 devices, when "Change password every time the user logs out" is enabled<br />
on the active directory, and user tries to change the password on SRX series platforms,<br />
it did not work. [PR740869: This issue has been resolved.]<br />
• On SRX220 devices, Enhanced Web Filtering requests to Websense TSC may go to<br />
connectivity/timeout fallback due to TSC only serving 10,000 requests per connection.<br />
A new method of juggling multiple connections are introduced in 12.1R1 and 11.4R3 and<br />
later releases. [PR741697: This issue has been resolved.]<br />
• On SRX220 devices, IKE SA fails to establish occasionally when there are two VPN<br />
destined to same IKE gateway. [PR743897: This issue has been resolved.]<br />
• On all branch SRX and J Series devices, the TCP initial timeout minimal limitation in<br />
CLI 'set security flow tcp-session tcp-initial-timeout' was changed from 20 seconds<br />
to 4 seconds. The new range is 4..300 seconds. Setting this timeout to a small value<br />
may increase the possibility of failing to create TCP sessions. [PR747769: This issue<br />
has been resolved.]<br />
Interfaces and Routing<br />
• On all branch SRX Series devices, additional neighbor solicitation packets sent were<br />
corrupted. The packet had zeroed destination MAC address and the entire packet was<br />
prefixed by two random bytes. [PR671658: This issue has been resolved.]<br />
• On SRX650 devices, BGP flaps intermittently and takes 1 hour to re-establish over vpn.<br />
[PR731290: This issue has been resolved.]<br />
390<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
IPv6<br />
• On all branch SRX Series devices, the flow bytes counters tracked on a per-interface<br />
basis were incorrect for IPv6 flows, and flow output bytes statistics were reversed to<br />
the source or destination interfaces. [PR740911: This issue has been resolved.]<br />
J-Web<br />
• On all branch SRX Series devices, after performing any configuration change in the CLI<br />
, the pending commit pop-up window does not appear in J-Web interface. [PR670459:<br />
This issue has been resolved.]<br />
• On all branch SRX Series devices, in J-Web, Configure tab > Interface page, edit SHDSL<br />
interface pop-up is blank. [PR671487: This issue has been resolved.]<br />
• On SRX210 devices, when you enter the destination port range as 1112 to some invalid<br />
value, it displays the following error message: Please enter valid ending port 0-65535.<br />
This error message conflicts with the available range (1024 through 64387). [PR673840:<br />
This issue has been resolved.]<br />
• On all branch SRX devices, you cannot view the access point details of an active access<br />
point from the J-Web Monitor > Wireless LAN page. [PR700513: This issue is resolved.]<br />
• On SRX210 and SRX240 devices in J-Web, the commit operation failed when the proxy<br />
server value was cleared in AV global options tab. [PR721248: This issue has been<br />
resolved.]<br />
• On all branch SRX Series devices, after you configured the interface speed and duplex<br />
on the J-Web interface, the page showed the speed and duplex values as following:<br />
• Speed:10Mbps/100Mbps/1Gbps<br />
• Duplex:Full Duplex/Half Duplex<br />
When you went to another page and then returned back to this page, the display<br />
changed as following:<br />
• Speed:10m/100m/1g<br />
• Duplex:full duplex/half duplex<br />
[PR721679: This issue has been resolved.]<br />
• On all branch SRX Series devices, the Application Tracking monitor page does not<br />
display the warning "no data to display", when there is no data to display in the table.<br />
[PR724985: This issue has been resolved.]<br />
• On SRX650 devices, in J-Web IDP Active policy page was displaying "none" instead<br />
of "Recommended" on IDP monitor page in longevity or stress setup in Internet Explorer<br />
browser. [PR725929: This issue is resolved.]<br />
• On SRX650 devices, in J-Web Add, Edit, Delete, Clone, and Deactivate tags are grayed<br />
out for some of the security policies. [PR729153: This issue has been resolved.]<br />
• On all branch SRX Series devices in J-Web, the configuration page lists the surf control<br />
categories in the enhanced Web filter category. [PR729643: This issue has been<br />
resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
391
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On all branch SRX Series devices, on the Configure > Security > Logging page, the<br />
Apply button remained disabled even after changing the configuration. [PR730861:<br />
This issue has been resolved.]<br />
• On SRX210 devices, in the Login or Splash screen and the Help mapping file, the<br />
copyright date is set to 2011. [PR731790: This issue has been resolved.]<br />
• On SRX100 devices, in J-Web, when SRX is configured in 'Transparent' mode, the<br />
'Reports' tab is not present in Monitor section. Now it is fixed latest release for 11.4,12.1<br />
and 12.2. [PR734365: This issue has been resolved.]<br />
• On all branch SRX Series devices, J-Web user cannot configure Proxy server port range<br />
from 0-1023 due to incorrect port range error message. [PR736789: This issue has been<br />
resolved.]<br />
• On all branch SRX Series devices, The "security screen ids-options" that checks tcp<br />
flags may drop IPv6 TCP flows, when the IPv6 fragmentation extension header is<br />
present. [PR740840: This issue has been resolved.]<br />
• On SRX550 and SRX650 devices, reboot did not work. [PR741014: This issue has been<br />
resolved.]<br />
• On all branch SRX Series devices, the Application Tracking monitor page does not work<br />
fine for non default intervals with cumulative statistics. [PR747271: This issue has been<br />
resolved.]<br />
Network Address Translation (NAT)<br />
• On SRX240 devices, when an IP or Port pair in message payload is matched to a known<br />
NAT entry, it will ship the NAT process that caused the payload not to be rewritten.<br />
[PR70619: This issue has been resolved.]<br />
Switching<br />
• On SRX650 devices, though the MTU value is configured to 9192 bytes, the packets<br />
of payload size ranging between 9147 to 9150 were dropped. [PR742310: This issue<br />
has been resolved.]<br />
UTM<br />
• On SRX 650 devices, with AV enabled, an FTP connection would hang when trying to<br />
access a folder with "quit" in the name. [PR739635: This issue is resolved.]<br />
Virtual Private <strong>Networks</strong> (VPNs)<br />
• On all branch SRX Series devices, occasionally, when keys are generated incorrectly<br />
for IPsec, VPN to go down due to encapsulation security payload (ESP) failures.<br />
[PR717969: This issue has been resolved.]<br />
• On all branch SRX Series devices, Occasionally, policy-based IPSec VPN that has been<br />
established successfully does not allow traffic to the protected resources. [PR718057:<br />
This issue has been resolved.]<br />
392<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R2 for Branch SRX Series Services<br />
Gateways<br />
Application Layer Gateway(ALG)<br />
• On SRX650 devices, when MGCP ALG is enabled and the MGCP traffic traverses the<br />
device, the device crashes and generates core files. [PR602694: This issue has been<br />
resolved.]<br />
Chassis Cluster<br />
• On SRX240 devices in a chassis cluster, switching did not work. [PR701539: This issue<br />
has been resolved.]<br />
Flow and Processing<br />
• On SRX 210 devices, an issue of IKE renegotiation when an RG0 failover is initiated on<br />
chassis cluster setup. [PR513884: This issue has been resolved.]<br />
• On all branch SRX Series devices, changes in policer, filter, or sampling configuration<br />
caused a core file to be generated during receipt of multicast traffic [PR613782: This<br />
issue has been resolved.]<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when the LDP based<br />
signalling was used for VPLS neighbor discovery, a restart of routing was required for<br />
the LDP based signalling to work properly (after configuration is committed).<br />
[PR668555 : This issue has been resolved.]<br />
• On J4350, SRX550, and SRX650 devices, when the peers are connected directly<br />
through the t1 link and the ge link, pinging to the peer link local address of the t1 link<br />
interface does not go through the t1 link, but through the ge link instead. [PR684159:<br />
This issue has been resolved.]<br />
• On SRX650 devices, built in ports did not count the FCS error statistics. [PR690726:<br />
This issue has been resolved.]<br />
• On SRX210 devices, UTM EAV status shows Engine not ready (Database Loading)<br />
even after successfully loading the database. This issue occurs occasionally after the<br />
image upgrade or downgrade, and on a system reboot. [PR693530: This issue has been<br />
resolved.]<br />
• On all branch SRX series devices, If an aggregate bundle goes down due to<br />
minimum-links 2 or higher configured, bundle member links might not attach to the<br />
bundle once the aggregate bundle comes back up. Outbound traffic does not use this<br />
member link (no blackholing) and inbound traffic for this member link was properly<br />
processed and forwarded. The same symptom might also be visible after system reboot<br />
without the need of member link flaps. [PR695895: This issue has been resolved.]<br />
• On SRX210 devices, core files for pfe daemons were observed. [PR697032: This issue<br />
has been resolved.]<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, a memory leak occurred<br />
during the audit event processing. [PR698907: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
393
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On SRX240 and SRX650 devices, policer was not policing configured rates at high<br />
bandwidths. [PR703003: This issue has been resolved.]<br />
• On SRX240 devices, when heavy traffic was sent through GRE interface during RG-0<br />
(Redundancy Group 0) switch over, there was a chance that flowd daemon might core<br />
on node that became primary (after switchover). [PR703295: This issue has been<br />
resolved.]<br />
• On SRX210, SRX220, and SRX240 devices, the DSL line started re-negotiation with<br />
DSLAM after configuring MTU on VDSL interface in VDSL mode. After configuring MTU<br />
on VDSL interface, the line might take some time to train with DSLAM and to come up.<br />
[PR706795: This issue has been resolved.]<br />
• On all branch SRX Series devices, when you add or change policy configuration within<br />
groups, the policies may not get applied correctly. The applied configuration might be<br />
valid and therefore will pass the configuration check but the process uses that policy<br />
(depending on configuration) might terminate and restart. [PR707817: This issue has<br />
been resolved.]<br />
• On all branch SRX Series devices, the chassis cluster setup, primary node does not<br />
show security resource details on Dashboard page due to which the following message<br />
log is generated: "Security Resources:error: invalid value: firewall-policies". [PR720435:<br />
This issue has been resolved.]<br />
Infrastructure<br />
• On all branch SRX devices, the In-band Cluster Upgrade (ICU) with mount method<br />
will not function properly in release 12.1B2. You can use ICU with local copy of the image<br />
or use FTP URL method. [PR708412: This issue has been resolved.]<br />
Installation<br />
• On all branch SRX Series devices, while downgrading from Junos <strong>Release</strong> 11.4 or a later<br />
image to Junos <strong>Release</strong> 11.1 or an earlier image, the security package was deleted.<br />
Although it was automatically installed when the IDP daemon came up, this automatic<br />
installation sometimes failed due to application identification (AI) installation error.<br />
[PR705113: This issue has been resolved.]<br />
Interfaces and Routing<br />
• On SRX210 High Memory devices, a remote end ping will not check for the presence<br />
of a packet size of more than 1480 because the packets are dropped for the default<br />
MTU, which is 1496 at the interface and the default MTU of the remote host Ethernet<br />
intf is 1514. [PR469651: This issue has been resolved.]<br />
• On J4350 devices, the routed interface (inet family) is not supported on the UPIMs<br />
when PIC mode is configured as “switching”. Only the switching functionality is<br />
supported in this mode. [PR590771: This issue has been resolved.]<br />
• On SRX210, SRX220, and SRX240 devices, with an at-x/x/x interface (ADSL, VDSL<br />
operating in at mode, and SHDSL), the difference between the MTU values on the<br />
logical interface and the MTU values on the physical interface have to be exactly 40<br />
bytes. If this is not the case, the IP information will not be displayed by the show<br />
interfaces command output. [PR591585: This issue has been resolved.]<br />
394<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• On SRX220 devices, the throughput dropped to 20 Mbps on a 100 Mbps interface (only<br />
in Gigabit Ethernet-to-100 Mbps direction) when a bi-directional traffic was sent<br />
between Gigabit Ethernet interface and 100 Mbps interface. [PR671248: This issue has<br />
been resolved.]<br />
• On all branch SRX and J Series devices, when the peers are connected directly through<br />
T1 link and Ge link, pinging to the peer link local address of T1 link interface is not going<br />
through T1 link, instead it was going through Ge link. [PR684159: This issue has been<br />
resolved.]<br />
• On SRX Series devices, a memory leak occurred during the audit event processing.<br />
[PR698907: This issue has been resolved.]<br />
• On SRX220 devices, when using IP monitoring when more than one route location was<br />
added upon RPM probe failure that upon recovery not all routes are removed. Even if<br />
the ip-monitoring observe the default static route was failed, system still had the<br />
routing entry in the routing-table. [PR699072: This issue has been resolved.]<br />
Intrusion Detection and Prevention (IDP)<br />
• On SRX210 devices, the IDPD daemon caused core files to be generated, if PFE went<br />
offline during policy load operation. [PR702321: This issue has been resolved.]<br />
• On all branch SRX devices, the custom attacks are not getting detected on branch<br />
devices even if there was no IDP signature database license, the expected behavior<br />
which was broken earlier. [PR710147: This issue has been resolved.]<br />
J-Web<br />
• On SRX100 devices, if node 0 is down, you must use the CLI to see chassis information.<br />
[PR598228: This issue has been resolved.]<br />
• On all branch SRX Series devices, J-Web shows invalid page while editing ppd0 and<br />
ppe0 interfaces. [PR660575: This issue has been resolved.]<br />
• On SRX650 devices, in J-Web, the configuration change cannot pass the commit check;<br />
therefore, you cannot delete the domain name of an address book. [PR662618: This<br />
issue has been resolved.]<br />
• On SRX110 devices, the J-Web interface did not work on the SRX110H-VB models.<br />
[PR689614: This issue has been resolved.]<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the Layer 2 Transparent<br />
mode is working through J-Web. [PR691530: This issue has been resolved.]<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, while editing an<br />
uncommitted PPPoE connection, which had a zone without firewall policy, the J-Web<br />
page gets blocked in zone page of PPPoE wizard, and warning dialog box was displayed<br />
to convey the message. [PR697891: This issue has been resolved.]<br />
• On all branch SRX devices, you cannot view the access point details of an active access<br />
point from the J-Web Monitor > Wireless LAN page. [PR700513: This issue has been<br />
resolved.]<br />
• On all branch SRX devices, CPU data graph was not reflecting cli data on Dashboard<br />
> Resource Utilization. [PR719042: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
395
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On SRX210 and SRX240 devices, commit failed when proxy server value was cleared<br />
from J-Web in AV global options tab. [PR721248: This issue has been resolved.]<br />
• On SRX210 devices, when the CLI option to delete a DHCP pool was used, the J-Web<br />
interface Monitor page (Monitor > Services > DHCP > Pools) did not display the correct<br />
value in the "Excluded address" field. It displayed the text "[objec object]" in the table.<br />
[PR723555: This issue has been resolved.]<br />
License<br />
• On SRX210, SRX220, SRX240, and SRX650 devices, at times after a software upgrade<br />
of the device, while committing the configuration changes through J-Web interface in<br />
Configure > Wireless Lan > Settings page, the following message is displayed: warning:<br />
requires 'ax411-wlan-ap' license. [PR697531: This issue has been resolved.]<br />
Switching<br />
• On SRX650 devices, when layer 2 link aggregation (4 x 1 Gbps) was configured, traffic<br />
was limited to 1 Gbps. [PR677656: This issue has been resolved.]<br />
UTM<br />
• On SRX100, SRX210, SRX220, SRX240 and SRX650 devices, the throughput<br />
performance of Surf Control Web Filter dropped for Junos OS 11.4R1 release. [PR671777:<br />
This issue has been resolved.]<br />
• On SRX210 devices, UTM EAV status shows Engine not ready (Database Loading)<br />
even after successfully loading the database. This issue occured at times even after<br />
the image upgrade or downgrade, and on a system reboot. [PR693530: This issue has<br />
been resolved.]<br />
• On all branch SRX devices, in a chassis cluster, the status of the UTM Surf Control CPA<br />
web filtering server in the primary node was down when the server is reachable.<br />
[PR701479: This issue has been resolved.]<br />
• In UTM, sometimes anti-virus pattern database update notification mail might not go<br />
to the administrator if configured due to a bug in mail message parsing. [PR703403:<br />
This issue has been resolved.]<br />
• On J Series devices, do not upgrade UTM feature to <strong>Release</strong> 11.4R1. [PR707622: This<br />
issue has been resolved.]<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when using an UTM<br />
antivirus for SMTP email and if the email is using X-ANONYMOUS option, the email<br />
might get blocked. [PR717066: This issue has been resolved.]<br />
Virtual Private Network (VPN)<br />
• On SRX240 devices, on reboot “mgd commit” fails when you configure Static Next hop<br />
tunnel bundling. [PR695671: This issue has been resolved.]<br />
• On SRX240 devices, an access to the Dynamic-VPN portal was denied with a following<br />
error in httpd.log: Error: "Unauthorized", code 401 for URI "/dynamic-vpn", file<br />
"/html/dynamic-vpn": Interface is not authorized for HTTP access. [PR712179: This<br />
issue has been resolved.]<br />
396<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R1 for Branch SRX Series Services<br />
Gateways<br />
Application Layer Gateways (ALGs)<br />
• On SRX210 devices, when you used OpenPhone in fast start/slow start tunnel mode<br />
and another phone in normal mode, the call failed. [PR684951: This issue has been<br />
resolved.]<br />
Authentication<br />
• On SRX650 devices, when a new user was added the authentication failed. [PR661720:<br />
This issue has been resolved.]<br />
Chassis Cluster<br />
• On SRX240 and SRX650 devices in a chassis cluster, telnet/ssh to RVI traffic through<br />
secondary node ports timed out within 20 seconds. [PR567805: This issue has been<br />
resolved.]<br />
• On SRX650 devices in a chassis cluster, some interfaces on node0 showed unspecified<br />
speed and half-duplex. [PR597575: This issue has been resolved.]<br />
• On SRX650 devices, the antivirus feature caused forwarding slowness at traffic peaks<br />
due to a memory issue related to scanning of SMTP traffic. [PR610336: This issue has<br />
been resolved.]<br />
• On SRX650 devices in a chassis cluster, failover took more than 5 seconds when the<br />
monitored interface flapped. [PR664851: This issue has been resolved.]<br />
• On SRX210, SRX220, SRX240, and SRX650 devices, when the ISSU failed and only<br />
one device in the cluster was upgraded, rollback to the previous configuration on that<br />
device was achieved only by using the following commands on the upgraded device:<br />
• request chassis cluster in-service-upgrade abort<br />
• request system software rollback<br />
• request system reboot<br />
[PR670955: This issue has been resolved.]<br />
• On SRX650 devices, when a second node was not present in a chassis cluster<br />
configuration, any new provision of redundancy group got stuck in secondary state.<br />
[PR685322: This issue has been resolved.]<br />
• On SRX650 devices, for switching deployment in chassis cluster, multicast traffic was<br />
duplicated. [PR689153: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
397
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
DHCP<br />
• On J4350 devices, the DHCP client lease did not have the correct attributes during<br />
static lease renewal by the DHCP server to the client. [PR665084: This issue has been<br />
resolved.]<br />
Flow and Processing<br />
• On SRX210, SRX220, SRX240, SRX650, and J Series devices, the TCP connections per<br />
second drop was anticipated. [PR550444: This issue has been resolved.]<br />
• On SRX210, SRX240, and SRX650 devices, handling traffic required fragmentation of<br />
packets that were not passing or had large latency. [PR590480: This issue has been<br />
released.]<br />
• On SRX100 devices, when the device was switched from Layer 3 to Layer 2 mode, the<br />
user was prompted to reboot the device. If the device was not rebooted and was<br />
switched back to Layer 3 mode, a core file was generated. [PR605293: This issue has<br />
been resolved.]<br />
• On SRX210 High Memory devices, when the anchor interface of GRE tunnel interface<br />
was configured to get IP by CX111, the GRE tunnel was not created and the CX111 was<br />
restarted. [PR605529: This issue has been resolved.]<br />
• On J6350 devices in a chassis cluster, when the restart forwarding gracefully command<br />
was executed, the FPC remained offline. [PR605657: This issue has been resolved.]<br />
• On SRX220 devices, the show security policy command inconsistently<br />
showed the possible objects (security policy names) in the operation and configuration<br />
modes. [PR608664: This issue has been resolved.]<br />
• On J2320 devices, the E1 connection interface dropped traffic and a core file was<br />
generated. [PR609720: The issue has been resolved.]<br />
• On SRX210, SRX220, and J6350 devices, when the interface configuration changed<br />
continuously, the OSPF got stuck at the init state over the E1/T1 link. [PR660264: This<br />
issue has been resolved.]<br />
• On SRX100, SRX210, SRX220, and SRX240 Low Memory devices, due to memory<br />
allocations, traffic stopped passing when ALG-based traffic was used. [PR664378:<br />
This issue has been resolved.]<br />
• On SRX240 devices, packet mode reordering of packets failed in multithreaded<br />
platforms for multicast flows that had to go out on a single egress interface. [PR669046:<br />
This issue has been resolved.]<br />
• On SRX210 devices, the 80th, 160th, 240th, and so on characters of the message were<br />
lost while sending messages using the request message command. [PR670106: This<br />
issue has been resolved.]<br />
• On J2350 devices, the vrf-table-label could not be used when you used the<br />
encapsulation type flexible-ethernet-services. [PR671286: This issue has been resolved.]<br />
398<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
• On SRX240 devices, when host-originated packets were sent out through the<br />
gr-interface, both local and transit counters did not increment for this interface.<br />
[PR676970: This issue has been resolved.]<br />
• On SRX100, SRX210, SRX220, SRX240, SRX650 and J Series devices, Remote MAC<br />
Learning for VPLS did not work. [PR687956: This issue has been resolved.]<br />
Interfaces and Routing<br />
• On SRX650 devices, when you rebooted the secondary node, the multicast session<br />
was rebuilt, and there were extra leaves sessions with local0 as the outgoing interface<br />
setup. [PR604084: This issue has been resolved.]<br />
• On SRX650 and J4350 devices, when OSPF was used over IPsec, a core file was<br />
generated when the routing process was restarted. [PR606272: This issue has been<br />
resolved.]<br />
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, VLAN to interface<br />
disassociation did not work properly. [PR662942: This issue has been resolved.]<br />
• On SRX240 devices, no optical diagnostics were available for the Gigabit Ethernet<br />
interface on the 1x GE High-Performance SFP Mini-PIM PIC. [PR666315: This issue has<br />
been resolved.]<br />
• On SRX210 devices, monitor traffic disabled the VPLS service. [PR670230: This issue<br />
has been resolved.]<br />
• On SRX210 devices, when processing traffic from SRX devices or to the SRX devices<br />
(host-bound traffic), GRE interface counters showed incorrect values and decremented<br />
occasionally. This was a display issue, as traffic was still being processed normally and<br />
no packets were lost. [PR672302: This issue has been resolved.]<br />
• On SRX240 devices, an error message was displayed when committing a DNAT pool<br />
configuration with an IP address of 0.0.0.0/0 even though the commit executed<br />
successfully. [PR682915: This issue has been resolved.]<br />
Intrusion Detection and Prevention (IDP)<br />
• On SRX650 devices, VRRP hello packets were lost during IDP pattern update.<br />
[PR590838: This issue has been resolved.]<br />
J-Web<br />
• On the Security >Filters >IPv4 page and IPv6 firewall filters page, when users added<br />
a new IPv4 filter name and clicked the Add button, the change was not reflected on<br />
the pages. In addition, the configure firewall filter page did not appear. [PR576194: This<br />
issue has been resolved.]<br />
• On SRX210 devices in the J-Web interface, when you discard any available MIB profile,<br />
file, or predefined object from accounting-options on the Point and Click CLI<br />
Configuration page (Configure > CLI Tools > Point and Click CLI), the J-Web session<br />
timed out. [PR689261: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
399
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On all branch SRX Series devices, when you configure the wireless LAN access point<br />
on the Configure >Wireless LAN > Setting page, you could not set Bolivia as a country.<br />
[PR691824: This issue has been resolved.]<br />
License<br />
• The SRX210, SRX220, SRX240, and SRX650 devices had two free dynamic VPN user<br />
licenses, but the LICENSE_EXPIRED alarm was generated if less than two users<br />
connected to the VPN. [PR661417: This issue has been resolved.]<br />
• On SRX210 and SRX240 devices with DC Power Supply, the default licenses did not<br />
work. [PR667526: This issue has been resolved.]<br />
NAT<br />
• On SRX240 devices, when you configure IP addresses for proxy-ARP under the “Security<br />
NAT” configuration, the device failed to respond to ARP-probe packets. [PR663507:<br />
This issue has been resolved]<br />
Switching<br />
• On SRX210, SRX220, and J Series devices, the Dot1x-enabled port flooded traffic<br />
without authentication. [PR687053: This issue has been resolved.]<br />
UTM<br />
• On SRX650 devices, a commit error occurred when the policy used UTM:<br />
“application-services' warning: license not installed for”. [PR600941: This issue has<br />
been resolved.]<br />
• On all branch SRX Series devices, when you added a date-based license, the device<br />
accepted the license. but the output for the show system license command did not<br />
display this information in the licenses installed field. [PR665111: This issue has been<br />
resolved.]<br />
• On SRX210 devices, the http downloading connection for UTM antivirus was dropped<br />
when the file exceeded 2 GB. [PR668818: This issue has been resolved.]<br />
• On all branch SRX Series devices, you could enable the Enhanced Web Filtering feature<br />
of UTM with a license for the Surf Control Web Filtering feature. [PR686290: This issue<br />
has been resolved.]<br />
Virtual Private <strong>Networks</strong> (VPNs)<br />
• On SRX210 devices, when the "@" sign was included in the dynamic hostname, the<br />
clear security dynamic-vpn user returned an error:<br />
"Invalid username or ike id for user xxxx. No entry was cleared." [PR608342: This issue<br />
has been resolved.]<br />
• On SRX650 devices, the DSCP tagged packets coming in from a VPN tunnel were not<br />
classified and were placed in the default best-effort queue on the egress interface.<br />
[PR664820: This issue has been resolved.]<br />
400<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and<br />
J Series Services Routers on page 331<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways<br />
and J Series Services Routers on page 357<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series<br />
Services Gateways and J Series Services Routers on page 401<br />
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services<br />
Gateways and J Series Services Routers<br />
Errata for the Junos OS Software Documentation<br />
This section lists outstanding issues with the software documentation.<br />
Junos OS CLI Reference<br />
• The Junos OS CLI Reference incorrectly specifies the IPsec proposal options in<br />
proposal-set (IPsec) section. The IPsec proposals should be as follows:<br />
• basic—nopfs-esp-des-sha and nopfs-esp-des-md5<br />
• compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and<br />
nopfs-esp-des-md5<br />
• standard—g2-esp-3des-sha and g2-esp-aes128-sha<br />
• The Junos OS CLI Reference is missing information about the operational CLI command<br />
show pppoe interfaces, which is used to display session-specific information about<br />
PPPoE interfaces.<br />
user@host>show pppoe interfaces<br />
pp0.0 Index 71<br />
State: Session up, Session ID: 4,<br />
Service name: None,<br />
Session AC name: srx-pppoe-ac, Configured AC name: None,<br />
Remote MAC address: b0:c6:9a:74:5e:c1,<br />
Session uptime: 5d 15:21 ago,<br />
Auto-reconnect timeout: Never, Idle timeout: Never,<br />
Underlying interface: ge-0/0/1.0 Index 70<br />
• The Junos OS CLI Reference is missing information about the operational CLI command<br />
show pppoe statistics, which is used to display statistics information about PPPoE<br />
interfaces.<br />
user@host>show pppoe statistics<br />
Active PPPoE sessions: 0<br />
PacketType Sent Received<br />
PADI 0 0<br />
PADO 0 0<br />
PADR 0 0<br />
PADS 0 0<br />
PADT 0 0<br />
Service name error 0 0<br />
AC system error 0 0<br />
Generic error 0 0<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
401
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Malformed packets 0 0<br />
Unknown packets 0 0<br />
Timeout<br />
PADI 0<br />
PADO 0<br />
PADR 0<br />
Receive Error Counters<br />
PADI 0<br />
PADO 0<br />
PADR 0<br />
PADS 0<br />
• The Junos OS CLI Reference is missing information about the value for the messages<br />
received field in too-many-requests (Security Antivirus Fallback Options) command<br />
the following statement is updated with a value for the limit as:<br />
If the total number of messages received concurrently exceeds 4000.<br />
J Series Services Router Advanced WAN Access Configuration Guide<br />
• The example given in the “Configuring Full-Cone NAT” section in the J Series Services<br />
Router Advanced WAN Access Configuration Guide available at<br />
http://www.juniper.net/techpubs/software/jseries/junos85/index.html is incorrect. The<br />
correct and updated example is given in the J Series Services Router Advanced WAN<br />
Access Configuration Guide available at<br />
http://www.juniper.net/techpubs/software/jseries/junos90/) .<br />
J2320, J2350, J4350, and J6350 Services Router Getting Started Guide<br />
• The “Connecting to the CLI Locally” section in the J2320, J2350, J4350, and J6350<br />
Services Router Getting Started Guide states that the required adapter type is DB-9<br />
female to DB-25 male. This is incorrect; the correct adapter type is DB-9 male to DB-25<br />
male.<br />
Junos OS Feature Support Reference for SRX Series and J Series Devices<br />
• Junos OS Feature Support Reference for SRX Series and J Series Devices chapter 2<br />
’Feature Support Tables’, row 1 of Table 50: Transparent Mode Support, incorrectly<br />
states that bridge domain and transparent mode feature is not supported on SRX100,<br />
SRX210, SRX220, SRX240, and SRX650 devices. Bridge domain and transparent mode<br />
feature is supported on all the listed devices from Junos OS <strong>Release</strong> 11.1.<br />
• In Junos OS Feature Support Reference for SRX Series and J Series Devices, the DHCPv6<br />
support listed in Chapter 2, Table 14 is incorrect. The DHCPv6 client is not supported<br />
on SRX100, SRX110, SRX210, SRX220, SRX240, and SRX650 devices. The DHCPv6<br />
server is supported on SRX100, SRX110, SRX210, SRX220, SRX240, and SRX650<br />
devices.<br />
• In Junos OS Feature Support Reference for SRX Series and J Series Devices, the Chassis<br />
Cluster table incorrectly indicates that Layer 2 Ethernet switching capability in chassis<br />
cluster mode is supported on SRX100 devices. Layer 2 Ethernet switching capability<br />
in chassis cluster mode is not supported on SRX100 devices.<br />
402<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Junos OS Interfaces Configuration Guide for Security Devices<br />
• In this guide, Table 11, "MTU Values for the SRX Series Services Gateways PIMs," does<br />
not specify the maximum MTU and default IPMTU values for the following PIMs:<br />
• 2-Port 10 Gigabit Ethernet XPIM<br />
• 16-Port Gigabit Ethernet XPIM<br />
• 24-Port Gigabit Ethernet XPIM<br />
The following table lists these values:<br />
Table 21: MTU Values for the SRX Series Services Gateways PIMs<br />
PIM<br />
DefaultMediaMTU(Bytes)<br />
MaximumMTU (Bytes)<br />
DefaultIPMTU (Bytes)<br />
2-Port 10 Gigabit Ethernet XPIM<br />
1514<br />
9192<br />
1500<br />
16-PortGigabitEthernetXPIM<br />
1514<br />
9192<br />
1500<br />
24-Port Gigabit Ethernet XPIM<br />
1514<br />
9192<br />
1500<br />
J-Web<br />
• J-Web security package update Help page—The J-Web Security Package Update<br />
Help page does not contain information about the download status.<br />
• J-Web pages for stateless firewall filters—There is no documentation describing the<br />
J-Web pages for stateless firewall filters. To find these pages in J-Web, go to<br />
Configure>Security>Firewall Filters, and then select IPv4 Firewall Filters or IPv6<br />
Firewall Filters. After configuring the filters, select Assign to Interfaces to assign your<br />
configured filters to interfaces.<br />
• J-Web Configuration Instructions— Because of ongoing J-Web interface enhancements,<br />
some of the J-Web configuration example instructions in the Junos administration and<br />
configuration guides became obsolete and thus were removed. For examples that are<br />
missing J-Web instructions, use the provided CLI instructions.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
403
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Junos OS Monitoring and Troubleshooting Guide for Security Devices<br />
• In the “Example: Enabling Packet Capture on a Device” section, the CLI quick<br />
configuration shows an incorrect set command. The correct set command is set<br />
forwarding-options packet-capture file filename pcap-file files 100 size 1024<br />
world-readable.<br />
Junos OS Security Configuration Guide<br />
• In “Example: Configuring IP Monitoring” of the IP Monitoring section, the CLI Quick<br />
Configuration incorrectly lists the set services rpm probe Probe-Payment-Server test<br />
paysvr thresholds total-loss configuration command. The command has been removed.<br />
The set services ip-monitoring Payment-Server-Tracking then preferred-route route<br />
1.1.1.0/24 next-hop 1.1.1.99 configuration command listed in the CLI Quick Configuration<br />
and in Step 8 of the step-by-step procedure is incorrect. The correct command is set<br />
services ip-monitoring policy Payment-Server-Tracking then preferred-route route<br />
1.1.1.0/24 next-hop 1.1.1.99.<br />
• In this guide, the “Understanding Chassis Cluster Redundancy Group Interface<br />
Monitoring” section includes a note that states interface monitoring is not supported<br />
on Redundancy Group 0 (RG0) for branch SRX Series devices. This note should also<br />
state that it is not supported for J Series devices.<br />
• In this guide, the section “Understanding Chassis Cluster Redundancy Group Interface<br />
Monitoring” has a misleading statement in the steps describing the “Policy Lookup for<br />
a User” figure. It states that the device forwards the packet from its buffer to its<br />
destination IP address 1.2.2.2. However, this is true only for HTTP and Telnet traffic.<br />
For FTP traffic, after successful authentication the device closes the session and the<br />
user must reconnect to the FTP server at IP address 1.2.2.2.<br />
• In Chapter 48, “AppTrack Application Tracking,” of the Junos OS Security Configuration<br />
Guide for Security Devices, the operational command show security application-tracking<br />
statistics applications is incorrect. The operational command to display all application<br />
identification statistics, including application tracking statistics, is show services<br />
application-identification statistics applications.<br />
The operational command show application-tracking counters is incorrect. The<br />
command should be show security application-tracking counters.<br />
• In Chapter 1, “Understanding Flow-Based Processing,” of the Junos OS Security<br />
Configuration Guide a figure showed incorrect placement of static, destination, and<br />
source NAT. The figure has been corrected in Junos OS <strong>Release</strong> 11.4.<br />
• The Junos OS Security Configuration Guide incorrectly states that the release supports<br />
security chains, which validate a certificate path upward through eight levels of CA<br />
authorities in the PKI hierarchy. The release does not support security chains.<br />
• The Junos OS Security Configuration Guide incorrectly states that “For SRX Series chassis<br />
clusters made up of SRX100,SRX210,SRX220,SRX240, or SRX650 devices, SFP<br />
interfaces on Mini-PIMs cannot be used as the fabric link”. However, the SFP interfaces<br />
on Mini-PIMs can be used as the fabric link with the following limitation:<br />
404<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
“During node failover, sometimes primary node goes to disabled state and fabric probes<br />
are not received”.<br />
• In the “Internet Protocol Security” chapter of theJunos OS Security Configuration Guide,<br />
“Understanding Virtual Router Limitations" incorrectly lists “Internet Key Exchange<br />
(IKE) inside VR” as not being supported. Support for IKE in multiple virtual routers<br />
(VRs) was added in the Junos OS 11.1R1 release for all SRX Series and J Series devices.<br />
Also, “Virtual Router Support for Route-Based VPNs” incorrectly includes a note that<br />
for VPN traffic to work in a nondefault VR, the IKE listener must be placed in the default<br />
VR.<br />
• In chapter 4, “Understanding Selective Stateless Packet Based Services,”Junos OS<br />
Security Configuration Guide previously contained the following incorrect statement:<br />
A defined set of stateless services is available with selective stateless packet based<br />
services:<br />
• IPv4 and IPv6 routing (unicast and multicast protocols)<br />
• Class of service (CoS)<br />
• Link fragmentation and interleaving (LFI)<br />
• Generic routing encapsulation (GRE)<br />
• Layer 2 switching<br />
• Multiprotocol Label Switching (MPLS)<br />
• Stateless firewall filters<br />
• Compressed Real Time Transport Protocol (CRTP)<br />
The list includes “IPv6” which is not available with selective stateless packet based<br />
services. The guide has been updated with the correct statement, as follows:<br />
A defined set of stateless services is available with selective stateless packet based<br />
services:<br />
• IPv4 routing (unicast and multicast protocols)<br />
• Class of service (CoS)<br />
• Link fragmentation and interleaving (LFI)<br />
• Generic routing encapsulation (GRE)<br />
• Layer 2 switching<br />
• Multiprotocol Label Switching (MPLS)<br />
• Stateless firewall filters<br />
• Compressed Real Time Transport Protocol (CRTP)<br />
• The “Understanding Enhanced Web Filtering Functionality,” section of Junos OS Security<br />
Configuration Guide has the following incorrect statement:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
405
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
The license key for the Surf Control integrated solution is not valid for the Enhanced<br />
Web Filtering solution. You need to install a new license to upgrade to the Enhanced<br />
Web Filtering solution.<br />
The correct information is as follows:<br />
The license key for the Surf Control integrated solution is also valid for the Enhanced<br />
Web Filtering as long as it is not expired. You need not install a new license to upgrade<br />
to the Enhanced Web Filtering solution.<br />
NOTE: You can ignore the warning message "requires<br />
'wf_key_websense_ewf' license” because it is generated by routine EWF<br />
license validation check.<br />
• The “Understanding DNS Doctoring” section incorrectly states that the DNS ALG will<br />
not drop traffic if the DNS message length exceeds the configured maximum, if the<br />
domain name is more than 255 bytes, or if the label length is more than 63 bytes.<br />
This section has been corrected as follows: The DNS ALG will not drop traffic if the<br />
DNS message length exceeds the configured maximum. However, the DNS ALG will<br />
check the length of the domain name and label, and it will drop packets if either the<br />
domain name is more than 255 bytes or the label length is more than 63 bytes.<br />
• The following sections were removed from the guide as they were causing confusion:<br />
“H.323 ALG Endpoint Registration Timeouts,” “Understanding H.323 ALG Endpoint<br />
Registration Timeouts,” and “Example: Setting H.323 ALG Endpoint Registration<br />
Timeouts.”<br />
• The “Understanding Internet-Related Predefined Policy Applications” section of Junos<br />
OS Security Configuration guide incorrectly specifies the HTTP port value as 80 in<br />
Predefined Applications table. The correct port value for HTTP is 8080.<br />
Junos OS System Log Messages Reference<br />
• The Junos 11.4 System Log Messages Reference is missing the following AV system log<br />
messages:<br />
This list below are messages with the AV prefix They are generated by the antivirus<br />
scanning process (avd):<br />
• AV_HUGE_FILE_DROPPED_MT<br />
• AV_HUGE_FILE_NOT_SCANNED_MT<br />
• AV_MANY_MSGS_DROPPED_MT<br />
• AV_MANY_MSGS_NOT_SCANNED_MT<br />
• AV_SCANNER_DROP_FILE_MT<br />
• AV_SCANNER_ERROR_SKIPPED_MT<br />
• AV_VIRUS_DETECTED_MT<br />
• The AV System Log Messages topic lists incorrect facilities for the systems logs.<br />
406<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
On all SRX Series devices, antivirus (AV) system logs are generated with the facility<br />
LOG_USER or LOG_DAEMON.<br />
Table 22 on page 407 shows the correct facilities for the system logs.<br />
Table 22: Antivirus System Logs<br />
System Logs<br />
Incorrect Facility<br />
Correct Facility<br />
AV_PATTERN_GET_FAILED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_KEY_EXPIRED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_KL_CHECK_FAILED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_TOO_BIG<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_UPDATED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_WRITE_FS_FAILED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_SCANNER_READY<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_VIRUS_DETECTED_MT<br />
LOG_PFE<br />
LOG_USER<br />
Junos OS WLAN Configuration and Administration Guide<br />
• This guide is missing information that on all branch SRX Series devices, managing<br />
AX411 access points through aggregated Ethernet (ae) interface is not supported.<br />
Various Guides<br />
• Some Junos OS user, reference, and configuration guides—for example the Junos<br />
Software Routing Protocols Configuration Guide, Junos OS CLI User Guide, and Junos OS<br />
System Basics Configuration Guide—mistakenly do not indicate SRX Series device<br />
support in the “Supported Platforms” list and other related support information;<br />
however, many of those documented Junos OS features are supported on SRX Series<br />
devices. For full, confirmed support information about SRX Series devices, please refer<br />
to the Junos OS Feature Support Reference for SRX Series and J Series Devices.<br />
Errata for the Junos OS Hardware Documentation<br />
This section lists outstanding issues with the hardware documentation.<br />
AX411 Access Point Hardware Guide<br />
• This guide is missing information that the AX411 Access Point can be managed from<br />
SRX100 and SRX110 devices.<br />
J Series Services Routers Hardware Guide<br />
• In the J Series Services Routers Hardware Guide, the procedure “Installing a DRAM<br />
Module” omits the following condition:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
407
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
All DRAM modules installed in the router must be the same size (in megabytes), type,<br />
and manufacturer. The router might not work properly when DRAM modules of different<br />
sizes, types, or manufacturer are installed.<br />
• The J Series Services Routers Hardware Guide incorrectly states that only the J2350<br />
Services Router complies with Network Equipment Building System (NEBS) criteria.<br />
The document should state that the J2350, J4350, and J6350 routers comply with<br />
NEBS criteria.<br />
• The J Series Services Routers Hardware Guide is missing adding information about<br />
100Base-LX connector support for 1-port and 6-port Gigabit Ethernet uPIMs.<br />
Quick Start Guides<br />
• In the SRX210 Services Gateway 3G ExpressCard Quick Start, several tasks are listed in<br />
the wrong order. “Task 6: Connect the External Antenna” should appear before “Task<br />
3: Check the 3G ExpressCard Status,” because the user needs to connect the antenna<br />
before checking the status of the 3G ExpressCard. The correct order of the tasks is as<br />
follows:<br />
1. Install the 3G ExpressCard<br />
2. Connect the External Antenna<br />
3. Check the 3G ExpressCard Status<br />
4. Configure the 3G ExpressCard<br />
5. Activate the 3G ExpressCard Options<br />
• In the SRX210 Services Gateway 3G ExpressCard Quick Start, in “Task 6: Connect the<br />
External Antenna,” the following sentence is incorrect and redundant: “The antenna<br />
has a magnetic mount, so it must be placed far away from radio frequency noise sources<br />
including network components.”<br />
• In the SRX210 3G Quick Start Guide, in the “Frequently Asked Questions” section, the<br />
answer to the following question contains an inaccurate and redundant statement:<br />
Q: Is an antenna required? How much does it cost?<br />
A: The required antenna is packaged with the ExpressCard in the SRX210 Services<br />
Gateway 3G ExpressCard kit at no additional charge. The antenna will have a magnetic<br />
mount with ceiling and wall mount kits within the package.<br />
In the answer, the sentence “The antenna will have a magnetic mount with ceiling and<br />
wall mount kits within the package” is incorrect and redundant.<br />
408<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
SRX210 Services Gateway Quick Start Guide<br />
• Installing Software Packages—The SRX210 Services Gateway Quick Start Guide is<br />
missing the following information:<br />
On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead of the<br />
root partition). If Junos OS installation fails as a result of insufficient space:<br />
1. Use the request system storage cleanup command to delete temporary files.<br />
2. Delete any user-created files both in the root partition and under the /var hierarchy.<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and<br />
J Series Services Routers on page 331<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways<br />
and J Series Services Routers on page 357<br />
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services<br />
Gateways and J Series Services Routers<br />
• Upgrading and Downgrading among Junos OS <strong>Release</strong>s on page 409<br />
• Upgrading an AppSecure Device on page 411<br />
• Upgrade and Downgrade Scripts for Address Book Configuration on page 411<br />
• Upgrade Policy for Junos OS Extended End-Of-Life <strong>Release</strong>s on page 414<br />
• Hardware Requirements for Junos OS <strong>Release</strong> 11.4 for SRX Series Services Gateways<br />
and J Series Services Routers on page 414<br />
Upgrading and Downgrading among Junos OS <strong>Release</strong>s<br />
All Junos OS releases are listed in sequence on the JUNOS Software Dates & Milestones<br />
webpage:<br />
http://www.juniper.net/support/eol/junos.html<br />
To help in understanding the examples that are presented in this section, a portion of<br />
that table is replicated here. Note that releases footnoted with a 1 are Extended<br />
End-of-Life (EEOL) releases.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
409
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
You can directly upgrade or downgrade between any two Junos OS releases that are<br />
within three releases of each other.<br />
• Example: Direct release upgrade<br />
<strong>Release</strong> 10.3 → (bypassing <strong>Release</strong>s 10.4 and 11.1) <strong>Release</strong> 11.2<br />
To upgrade or downgrade between Junos OS releases that are more than three releases<br />
apart, you can upgrade or downgrade first to an intermediate release that is within three<br />
releases of the desired release, and then upgrade or downgrade from that release to the<br />
desired release.<br />
• Example: Multistep release downgrade<br />
<strong>Release</strong> 11.3 → (bypassing <strong>Release</strong>s 11.2 and 11.1) <strong>Release</strong> 10.4 → <strong>Release</strong> 10.3<br />
<strong>Juniper</strong> <strong>Networks</strong> has also provided an even more efficient method of upgrading and<br />
downgrading using the Junos OS EEOL releases. EEOL releases generally occur once a<br />
calendar year and can be more than three releases apart. For a list of, EEOL releases, go<br />
to http://www.juniper.net/support/eol/junos.html<br />
410<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
You can directly upgrade or downgrade between any two Junos OS EEOL releases that<br />
are within three EEOL releases of each other.<br />
• Example: Direct EEOL release upgrade<br />
<strong>Release</strong> 9.3 (EEOL) → (bypassing <strong>Release</strong>s 10.0 [EEOL] and 10.4 [EEOL]) <strong>Release</strong> 11.4<br />
(EEOL)<br />
To upgrade or downgrade between Junos OS EEOL releases that are more than three<br />
EEOL releases apart, you can upgrade first to an intermediate EEOL release that is within<br />
three EEOL releases of the desired EEOL release, and then upgrade from that EEOL<br />
release to the desired EEOL release.<br />
• Example: Multistep release upgrade using intermediate EEOL release<br />
<strong>Release</strong> 8.5 (EEOL) → (bypassing <strong>Release</strong>s 9.3 [EEOL] and 10.0 [EEOL]) <strong>Release</strong> 10.4<br />
(EEOL) → <strong>Release</strong> 11.4 (EEOL)<br />
You can even use a Junos OS EEOL release as an intermediate upgrade or downgrade<br />
step if your desired release is several releases later than your current release.<br />
• Example: Multistep release upgrade using intermediate EEOL release<br />
<strong>Release</strong> 9.6 → <strong>Release</strong> 10.0 (EEOL) → <strong>Release</strong> 10.2<br />
For additional information about how to upgrade and downgrade, see the Junos OS<br />
Installation and Upgrade Guide.<br />
Upgrading an AppSecure Device<br />
Use the no-validate Option for AppSecure Devices.<br />
For devices implementing AppSecure services, use the no-validate option when upgrading<br />
from Junos OS <strong>Release</strong> 11.2 or earlier to Junos OS 11.4R1 or later. The application signature<br />
package used with AppSecure services in previous releases has been moved from the<br />
configuration file to a signature database. This change in location can trigger an error<br />
during the validation step and interrupt the Junos OS upgrade. The no-validate option<br />
bypasses this step.<br />
Upgrade and Downgrade Scripts for Address Book Configuration<br />
Beginning with Junos OS <strong>Release</strong> 11.4, you can configure address books under the [security]<br />
hierarchy and attach security zones to them (zone-attached configuration). In Junos OS<br />
<strong>Release</strong> 11.1 and earlier, address books were defined under the [security zones] hierarchy<br />
(zone-defined configuration).<br />
You can either define all address books under the [security] hierarchy in a zone-attached<br />
configuration format or under the [security zones] hierarchy in a zone-defined configuration<br />
format; the CLI displays an error and fails to commit the configuration if you configure<br />
both configuration formats on one system.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
411
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
<strong>Juniper</strong> <strong>Networks</strong> provides Junos operation scripts that allow you to work in either of the<br />
address book configuration formats (see Figure 1 on page 413).<br />
• About Upgrade and Downgrade Scripts on page 412<br />
• Running Upgrade and Downgrade Scripts on page 413<br />
• Upgrade and Downgrade Support Policy for Junos OS <strong>Release</strong>s on page 414<br />
About Upgrade and Downgrade Scripts<br />
After downloading Junos OS <strong>Release</strong> 11.4, you have the following options for configuring<br />
the address book feature:<br />
• Use the default address book configuration—You can configure address books using<br />
the zone-defined configuration format, which is available by default. For information<br />
on how to configure zone-defined address books, see the Junos OS <strong>Release</strong> 11.1<br />
documentation.<br />
• Use the upgrade script—You can run the upgrade script available on the <strong>Juniper</strong> <strong>Networks</strong><br />
support site to configure address books using the new zone-attached configuration<br />
format. When upgrading, the system uses the zone names to create address books.<br />
For example, addresses in the trust zone are created in an address book named<br />
trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules<br />
remain unaffected.<br />
After upgrading to the zone-attached address book configuration:<br />
• You cannot configure address books using the zone-defined address book<br />
configuration format; the CLI displays an error and fails to commit.<br />
• You cannot configure address books using the J-Web interface.<br />
For information on how to configure zone-attached address books, see the Junos OS<br />
<strong>Release</strong> 11.4 documentation.<br />
• Use the downgrade script—After upgrading to the zone-attached configuration, if you<br />
want to revert to the zone-defined configuration, use the downgrade script available<br />
on the <strong>Juniper</strong> <strong>Networks</strong> support site. For information on how to configure zone-defined<br />
address books, see the Junos OS <strong>Release</strong> 11.1 documentation.<br />
NOTE: Before running the downgrade script, make sure to revert any<br />
configuration that uses addresses from the global address book.<br />
412<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
Figure 1: Upgrade and Downgrade Scripts for Address Books<br />
Download Junos OS<br />
<strong>Release</strong> 11.2 or later.<br />
zone-defined<br />
address book<br />
Run the upgrade script.<br />
zone-attached<br />
address book<br />
configuration<br />
- Global address book is<br />
available by default.<br />
- Address book is defined under<br />
the security hierarchy.<br />
- Zones need to be attached<br />
to address books.<br />
Run the downgrade script.<br />
Note: Make sure to revert any<br />
configuration that uses addresses<br />
from the global address book.<br />
g030699<br />
Running Upgrade and Downgrade Scripts<br />
The following restrictions apply to the address book upgrade and downgrade scripts:<br />
• The scripts cannot run unless the configuration on your system has been committed.<br />
Thus, if the zone-defined address book and zone-attached address book configurations<br />
are present on your system at the same time, the scripts will not run.<br />
• The scripts cannot run when the global address book exists on your system.<br />
• If you upgrade your device to Junos OS <strong>Release</strong> 11.4 and configure logical systems, the<br />
master logical system retains any previously-configured zone-defined address book<br />
configuration. The master administrator can run the address book upgrade script to<br />
convert the existing zone-defined configuration to the zone-attached configuration.<br />
The upgrade script converts all zone-defined configurations in the master logical system<br />
and user logical systems.<br />
NOTE: You cannot run the downgrade script on logical systems.<br />
For information about implementing and executing Junos operation scripts, see the Junos<br />
OS Configuration and Operations Automation Guide.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
413
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Upgrade and Downgrade Support Policy for Junos OS <strong>Release</strong>s<br />
Support for upgrades and downgrades that span more than three Junos OS releases at<br />
a time is not provided, except for releases that are designated as Extended End-of-Life<br />
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can<br />
upgrade directly from one EEOL release to the next EEOL release even though EEOL<br />
releases generally occur in increments beyond three releases.<br />
You can upgrade or downgrade to the EEOL release that occurs directly before or after<br />
the currently installed EEOL release, or to two EEOL releases before or after. For example,<br />
Junos OS <strong>Release</strong>s 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS<br />
<strong>Release</strong> 10.0 to <strong>Release</strong> 10.4 or even from Junos OS <strong>Release</strong> 10.0 to <strong>Release</strong> 11.4. However,<br />
you cannot upgrade directly from a non-EEOL release that is more than three releases<br />
ahead or behind. For example, you cannot directly upgrade from Junos OS <strong>Release</strong> 10.3<br />
(a non-EEOL release) to Junos OS <strong>Release</strong> 11.4 or directly downgrade from Junos OS<br />
<strong>Release</strong> 11.4 to Junos OS <strong>Release</strong> 10.3.<br />
To upgrade or downgrade from a non-EEOL release to a release more than three releases<br />
before or after, first upgrade to the next EEOL release and then upgrade or downgrade<br />
from that EEOL release to your target release.<br />
For more information about EEOL releases and to review a list of EEOL releases, see<br />
http://www.juniper.net/support/eol/junos.html .<br />
Upgrade Policy for Junos OS Extended End-Of-Life <strong>Release</strong>s<br />
An expanded upgrade and downgrade path is now available for the Junos OS Extended<br />
End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of<br />
two adjacent later EEOL releases. You can also downgrade directly from one EEOL release<br />
to one of two adjacent earlier EEOL releases.<br />
For example, Junos OS <strong>Release</strong>s 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade<br />
from Junos OS <strong>Release</strong> 8.5 directly to either 9.3 or 10.0. To upgrade from <strong>Release</strong> 8.5 to<br />
10.4, you first need to upgrade to Junos OS <strong>Release</strong> 9.3 or 10.0, and then upgrade a second<br />
time to 10.4. Similarly, you can downgrade directly from Junos OS <strong>Release</strong> 10.4 to either<br />
10.0 or 9.3. To downgrade from <strong>Release</strong> 10.4 to 8.5, you first need to downgrade to 10.0<br />
or 9.3, and then perform a second downgrade to <strong>Release</strong> 8.5.<br />
For upgrades and downgrades to or from a non-EEOL release, the current policy is that<br />
you can upgrade and downgrade by no more than three releases at a time. This policy<br />
remains unchanged.<br />
For more information on EEOL releases and to review a list of EEOL releases, see<br />
http://www.juniper.net/support/eol/junos.html .<br />
Hardware Requirements for Junos OS <strong>Release</strong> 11.4 for SRX Series Services<br />
Gateways and J Series Services Routers<br />
Transceiver Compatibility for SRX Series and J Series Devices<br />
We strongly recommend that only transceivers provided by <strong>Juniper</strong> <strong>Networks</strong> be used<br />
on SRX Series and J Series interface modules. Different transceiver types (long-range,<br />
short-range, copper, and others) can be used together on multiport SFP interface modules<br />
414<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and J Series Services Routers<br />
as long as they are provided by <strong>Juniper</strong> <strong>Networks</strong>. We cannot guarantee that the interface<br />
module will operate correctly if third-party transceivers are used.<br />
Please contact <strong>Juniper</strong> <strong>Networks</strong> for the correct transceiver part number for your device.<br />
Power and Heat Dissipation Requirements for J Series PIMs<br />
On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs<br />
fall within the power and heat dissipation capacity of the chassis. If power management<br />
is enabled and the capacity is exceeded, the system prevents one or more of the PIMs<br />
from becoming active.<br />
CAUTION: Disabling the power management can result in hardware damage<br />
if you overload the chassis capacities.<br />
You can also use CLI commands to choose which PIMs are disabled. For details about<br />
calculating the power and heat dissipation capacity of each PIM and for troubleshooting<br />
procedures, see the J Series Services Routers Hardware Guide.<br />
Supported Third-Party Hardware<br />
The following third-party hardware is supported for use with J Series Services Routers<br />
running Junos OS.<br />
• USB Modem<br />
We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR 5637.<br />
• Storage Devices<br />
The USB slots on J Series Services Routers accept a USB storage device or USB storage<br />
device adapter with a CompactFlash card installed, as defined in the CompactFlash<br />
Specification published by the CompactFlash Association. When the USB device is<br />
installed and configured, it automatically acts as a secondary boot device if the primary<br />
CompactFlash card fails on startup. Depending on the size of the USB storage device,<br />
you can also configure it to receive any core files generated during a router failure. The<br />
USB device must have a storage capacity of at least 256 MB.<br />
Table 23 on page 415 lists the USB and CompactFlash card devices supported for use<br />
with the J Series Services Routers.<br />
Table 23: Supported Storage Devices on the J Series Services Routers<br />
Manufacturer<br />
Storage Capacity<br />
Third-Party Part Number<br />
SanDisk—Cruzer Mini 2.0<br />
256 MB<br />
SDCZ2-256-A10<br />
SanDisk<br />
512 MB<br />
SDCZ3-512-A10<br />
SanDisk<br />
1024 MB<br />
SDCZ7-1024-A10<br />
Kingston<br />
512 MB<br />
DTI/512KR<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
415
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 23: Supported Storage Devices on the J Series Services<br />
Routers (continued)<br />
Manufacturer<br />
Storage Capacity<br />
Third-Party Part Number<br />
Kingston<br />
1024 MB<br />
DTI/1GBKR<br />
SanDisk—ImageMate USB 2.0<br />
Reader/Writer for CompactFlash Type I<br />
and II<br />
N/A<br />
SDDR-91-A15<br />
SanDisk CompactFlash<br />
512 MB<br />
SDCFB-512-455<br />
SanDisk CompactFlash<br />
1 GB<br />
SDCFB-1000.A10<br />
J Series CompactFlash and Memory Requirements<br />
Table 24 on page 416 lists the CompactFlash card and DRAM requirements for J Series<br />
Services Routers.<br />
Table 24: J Series CompactFlash Card and DRAM Requirements<br />
Model<br />
Minimum CompactFlash<br />
Card Required<br />
Minimum DRAM<br />
Required<br />
Maximum DRAM<br />
Supported<br />
J2320<br />
1 GB<br />
1 GB<br />
1 GB<br />
J2350<br />
1 GB<br />
1 GB<br />
1 GB<br />
J4350<br />
1 GB<br />
1 GB<br />
2 GB<br />
J6350<br />
1 GB<br />
1 GB<br />
2 GB<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways and<br />
J Series Services Routers on page 331<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for Branch SRX Series Services Gateways<br />
and J Series Services Routers on page 357<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for Branch SRX Series<br />
Services Gateways and J Series Services Routers on page 401<br />
416<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Junos OS <strong>Release</strong> <strong>Notes</strong> for High-End SRX Series Services Gateways<br />
Junos OS <strong>Release</strong> <strong>Notes</strong> for High-End SRX Series Services Gateways<br />
Powered by Junos OS, <strong>Juniper</strong> <strong>Networks</strong> high-end SRX Series Services Gateways provide<br />
robust networking and security services. They are designed to secure enterprise<br />
infrastructure, data centers, and server farms. The high-end SRX Series Services Gateways<br />
include the SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services<br />
Gateways on page 417<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 436<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services<br />
Gateways on page 443<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series Services<br />
Gateways on page 458<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services<br />
Gateways on page 459<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 482<br />
• Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series<br />
Services Gateways on page 489<br />
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
The following features have been added to Junos OS <strong>Release</strong> 11.4. Following the<br />
description is the title of the manual or manuals to consult for further information.<br />
NOTE: For the latest updates about support and issues on Junos Pulse, see<br />
the Junos Pulse <strong>Release</strong> <strong>Notes</strong> at<br />
http://www.juniper.net/techpubs/en_US/junos-pulse1.0/information-products/<br />
pathway-pages/junos-pulse/index.html .<br />
• <strong>Release</strong> 11.4R5 New Features on page 417<br />
• <strong>Release</strong> 11.4R4 New Features on page 422<br />
• <strong>Release</strong> 11.4R3 New Features on page 422<br />
• <strong>Release</strong> 11.4R2 New Features on page 423<br />
• Software Features on page 424<br />
<strong>Release</strong> 11.4R5 New Features<br />
Network Address Translation (NAT)<br />
• Network Address Translation support port mapping for static NAT—This feature is<br />
supported on all high-end SRX Series devices.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
417
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Network Address Translation (NAT) now provides destination-port low to high and<br />
mapped-port low to high statements to allow static NAT to map ports as follows:<br />
• To map multiple IP addresses to the same IP addresses on a specified range of ports<br />
• To map a specific IP address and port to a different IP address and port<br />
Examples of configuring static NAT with port mapping:<br />
set security nat static rule-set rs from zone trust rule r1 match destination-address 1.1.1.1/32<br />
set security nat static rule-set rs from zone trust rule r1 destination-port 100 to 200<br />
set security nat static rule-set rs from zone trust rule r1 then static-nat prefix 10.1.1.1/32<br />
set security nat static rule-set rs from zone trust rule r1 then static-nat prefix mapped-port 300<br />
to 400<br />
set security nat static rule-set rs from zone trust rule r2 match destination-address 1.1.1.1/32<br />
set security nat static rule-set rs from zone trust rule r2 destination-port 300 to 400<br />
set security nat static rule-set rs from zone trust rule r2 then static-nat prefix 10.1.1.2/32<br />
set security nat static rule-set rs from zone trust rule r2 then static-nat prefix mapped-port 300<br />
to 400<br />
set security nat static rule-set rs from zone trust rule r3 match destination-address 1.1.1.3/32<br />
set security nat static rule-set rs from zone trust rule r3 destination-port 300<br />
set security nat static rule-set rs from zone trust rule r3 then static-nat prefix 10.1.1.2/32<br />
set security nat static rule-set rs from zone trust rule r3 then static-nat prefix mapped-port 200<br />
Virtual Private Network (VPN)<br />
• VPN session affinity—This feature is supported on SRX3400, SRX3600, SRX5600,<br />
and SRX5800 devices.<br />
VPN session affinity occurs when a clear-text session is located in a Services Processing<br />
Unit (SPU) that is different from the SPU where the IPsec tunnel session is located.<br />
The goal of VPN session affinity is to locate the clear-text and IPsec tunnel session in<br />
the same SPU.<br />
Without VPN session affinity, a clear-text session created by a flow might be located<br />
in one SPU and the tunnel session created by IPsec might be located in another SPU.<br />
An SPU to SPU forward or hop is needed to route clear-text packets to the IPsec tunnel.<br />
By default, VPN session affinity is disabled on SRX Series devices. Enabling VPN session<br />
affinity causes a clear-text session to be placed on the same SPU as the IPsec tunnel<br />
session.<br />
Enabling VPN session affinity can improve VPN throughput under the following traffic<br />
conditions:<br />
• A number of IPsec tunnels are needed and they are distributed evenly among SPUs.<br />
If IPsec tunnels are already concentrated on several SPUs, then enabling VPN session<br />
affinity allows all clear-text SPUs to also use those SPUs. This can cause those SPUs<br />
to be overutilized while other SPUs might be underutilized.<br />
To display active tunnel sessions on SPUs, use the show security ipsec<br />
security-association command and specify the Flexible PIC Concentrator (FPC) and<br />
Physical Interface Card (PIC) slots that contain the SPU. For example:<br />
user@host> show security ipsec security-association fpc 3 pic 0<br />
Total active tunnels: 1<br />
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway<br />
418<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
131073 ESP:aes-128/sha1 188c0750 491/ 128000 - root 500 23.0.21.11<br />
• Clear-text sessions passing through the tunnels should be at the highest volume for<br />
the longest periods of time as possible. Applying VPN session affinity to clear-text<br />
sessions of small volumes and short periods (for example, DNS sessions) will not<br />
improve VPN throughput.<br />
NOTE: You need to evaluate the tunnel distribution and traffic patterns in<br />
your network to determine if VPN session affinity should be enabled.<br />
The VPN session affinity limitations are as follows:<br />
• Multicast traffic is not supported.<br />
• Traffic across logical systems is not supported.<br />
• VPN session affinity does not operate on a hub in a hub-and-spoke topology.<br />
• If there is a route change, established clear-text sessions remain on an SPU and<br />
traffic is rerouted if possible. Sessions created after the route change may be set up<br />
on a different SPU.<br />
• VPN session affinity only affects self traffic that terminates on the device (also<br />
known as host-inbound traffic); self traffic that originates from the device (also<br />
known as host-outbound traffic) is not affected.<br />
• VPN session affinity can be enabled on an SRX1400 device; however, because the<br />
device only has one SPU there is no affect on VPN throughput.<br />
Enabling VPN Session Affinity—By default, VPN session affinity is disabled on SRX<br />
Series devices. Enabling VPN session affinity can improve VPN throughput under certain<br />
conditions. This section describes how to use the CLI to enable VPN session affinity.<br />
Determine if clear-text sessions are being forwarded to IPsec tunnel sessions on a<br />
different SPU. Use the show security flow session command to display session<br />
information about clear-text sessions.<br />
user@host> show security flow session<br />
Flow Sessions on FPC3 PIC0:<br />
Session ID: 60000001, Policy name: N/A, Timeout: N/A, Valid<br />
In: 23.0.21.11/6204 --> 23.0.21.6/41264;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0<br />
Session ID: 60000002, Policy name: N/A, Timeout: N/A, Valid<br />
In: 23.0.21.11/0 --> 23.0.21.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0<br />
Session ID: 60000003, Policy name: self-traffic-policy/1, Timeout: 58, Valid<br />
In: 23.0.21.6/500 --> 23.0.21.11/500;udp, If: .local..0, Pkts: 105386, Bytes: 12026528<br />
Out: 23.0.21.11/500 --> 23.0.21.6/500;udp, If: ge-0/0/2.0, Pkts: 106462, Bytes: 12105912<br />
Session ID: 60017354, Policy name: N/A, Timeout: 1784, Valid<br />
In: 0.0.0.0/0 --> 0.0.0.0/0;0, If: N/A, Pkts: 0, Bytes: 0<br />
Out: 26.0.20.156/23 --> 22.0.20.155/53051;tcp, If: N/A, Pkts: 0, Bytes: 0<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
419
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Total sessions: 4<br />
Flow Sessions on FPC6 PIC0:<br />
Session ID: 120000001, Policy name: N/A, Timeout: N/A, Valid<br />
In: 23.0.21.11/0 --> 23.0.21.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0<br />
Session ID: 120000002, Policy name: N/A, Timeout: N/A, Valid<br />
In: 23.0.21.11/0 --> 23.0.21.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0<br />
Session ID: 120031730, Policy name: default-policy-00/2, Timeout: 1764, Valid<br />
In: 22.0.20.155/53051 --> 26.0.20.156/23;tcp, If: ge-0/0/1.0, Pkts: 44, Bytes: 2399<br />
Out: 26.0.20.156/23 --> 22.0.20.155/53051;tcp, If: st0.0, Pkts: 35, Bytes: 2449<br />
Total sessions: 3<br />
In the example, there is a tunnel session on FPC 3, PIC 0 and a clear-text session on<br />
FPC 6, PIC 0. A forwarding session (session ID 60017354) is set up on FPC 3, PIC 0.<br />
To enable VPN session affinity:<br />
1. In configuration mode, use the set command to enable VPN session affinity.<br />
[edit]<br />
user@host# set security flow load-distribution session-affinity ipsec<br />
2. Check your changes to the configuration before committing.<br />
[edit]<br />
user@host# commit check<br />
3. Commit the configuration.<br />
[edit]<br />
user@host# commit<br />
After enabling VPN session affinity, use the show security flow session command to<br />
display session information about clear-text sessions.<br />
user@host> show security flow session<br />
Flow Sessions on FPC3 PIC0:<br />
Session ID: 60000001, Policy name: N/A, Timeout: N/A, Valid<br />
In: 23.0.21.11/6352 --> 23.0.21.6/7927;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0<br />
Session ID: 60000002, Policy name: N/A, Timeout: N/A, Valid<br />
In: 23.0.21.11/0 --> 23.0.21.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0<br />
Session ID: 60000003, Policy name: self-traffic-policy/1, Timeout: 56, Valid<br />
In: 23.0.21.6/500 --> 23.0.21.11/500;udp, If: .local..0, Pkts: 105425, Bytes: 12031144<br />
Out: 23.0.21.11/500 --> 23.0.21.6/500;udp, If: ge-0/0/2.0, Pkts: 106503, Bytes:<br />
12110680<br />
Session ID: 60017387, Policy name: default-policy-00/2, Timeout: 1796, Valid<br />
In: 22.0.20.155/53053 --> 26.0.20.156/23;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 610<br />
Out: 26.0.20.156/23 --> 22.0.20.155/53053;tcp, If: st0.0, Pkts: 9, Bytes: 602<br />
Total sessions: 4<br />
Flow Sessions on FPC6 PIC0:<br />
420<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Session ID: 120000001, Policy name: N/A, Timeout: N/A, Valid<br />
In: 23.0.21.11/0 --> 23.0.21.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0<br />
Session ID: 120000002, Policy name: N/A, Timeout: N/A, Valid<br />
In: 23.0.21.11/0 --> 23.0.21.6/0;esp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0<br />
Total sessions: 2<br />
After VPN session affinity is enabled, the clear-text session is always located on FPC<br />
3, PIC 0.<br />
CLI Reference Information<br />
load-distribution<br />
• Syntax<br />
session-affinity ipsec<br />
• Hierarchy Level<br />
[edit security flow load-distribution]<br />
• <strong>Release</strong> Information<br />
Statement introduced in Junos OS <strong>Release</strong> 11.4R5.<br />
• Description<br />
Enable VPN session affinity.<br />
• Required Privilege Level<br />
security—To view this statement in the configuration.<br />
security-control—To add this statement to the configuration.<br />
session-affinity<br />
• Syntax<br />
session-affinity ipsec<br />
• Hierarchy Level<br />
[edit security flow load-distribution]<br />
• <strong>Release</strong> Information<br />
Statement introduced in Junos OS <strong>Release</strong> 11.4R5.<br />
• Description<br />
Enable VPN session affinity.<br />
• Required Privilege Level<br />
security—To view this statement in the configuration.<br />
security-control—To add this statement to the configuration.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
421
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
<strong>Release</strong> 11.4R4 New Features<br />
For the 11.4R4 release, images for high-end SRX Series services gateways will not be<br />
available on the public download site.<br />
<strong>Release</strong> 11.4R3 New Features<br />
For information about the following 11.4R3 new features, please see New Features in Junos<br />
OS 11.4R3:<br />
• IMSI Filter Length Extension—This feature is supported on all high-end SRX Series<br />
devices.<br />
• IPv6 Flows in Transparent Mode—This feature is supported on SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
• Increase In the Maximum Sessions Allowed For a Persistent NAT Binding Overview—This<br />
feature is supported on all SRX Series devices.<br />
• SRX Series Chassis Cluster SPC Insert—This feature is supported on SRX3400,<br />
SRX3600, SRX5600, and SRX5800 devices.<br />
• VPN Support for Inserting Services Processing Cards—This feature is supported on<br />
SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
• VPN Debugging Improvements—This feature is supported on all SRX Series devices.<br />
• VPN module hardening and stability improvements – These enhancements are<br />
applicable on all SRX Series devices.<br />
422<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
<strong>Release</strong> 11.4R2 New Features<br />
Class of Service (CoS)<br />
• High-priority queue on SPC—This feature is supported on all high-end SRX Series<br />
devices.<br />
<strong>Release</strong> 11.4R2 provides a configuration option to enable packets with specific<br />
Differentiated Services (DiffServ) code points (DSCP) precedence bits to enter a<br />
high-priority queue on the Services Processing Card (SPC) on high-end SRX Series<br />
devices. The Services Processing Unit (SPU) draws packets from the high-priority<br />
queue and only draws packets from the low-priority queue when the high-priority queue<br />
is empty. This feature can reduce overall latency for real-time traffic, such as voice<br />
traffic.<br />
To designate packets for the high-priority or low-priority queues, use the spu-priority<br />
configuration statement at the [edit class-of-service forwarding-classes class] hierarchy<br />
level. A value of high places packets into the high-priority queue, and a value of low<br />
places packets into the low-priority queue.<br />
Intrusion Detection and Prevention (IDP)<br />
• IDP policy compilation improvements—This feature is supported on all high-end SRX<br />
Series devices with IDP enabled.<br />
The IDP policy compilation process has been optimized to use less memory and compile<br />
faster. Policies that were too large to compile on smaller platforms running earlier<br />
Junos OS releases may compile successfully on this release.<br />
J-Web<br />
• Application Tracking—This feature is supported on all high-end SRX Series devices.<br />
The Application tracking feature is used to monitor sessions and bytes of a particular<br />
application or application group. The following page has been added to the J-Web<br />
user interface:<br />
• Application Tracking<br />
• Security Logging—This feature is supported on all high-end SRX Series devices.<br />
The following page has been added to the J-Web user interface:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
423
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Security Logging<br />
Software Features<br />
AppSecure<br />
• Application-aware quality of service (AppQoS )—This feature is supported on<br />
SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
AppQoS, the application-aware quality-of-service module in AppSecure, provides a<br />
mechanism for prioritizing traffic utilizing the results of the Application Identification<br />
Engine. AppQoS provides application-level traffic control for administrators needing<br />
to ensure that business critical applications get preferential treatment.<br />
AppQoS enables the network administrator to meter, mark, and honor traffic priority<br />
based on application policies. It provides application-aware DSCP marking by<br />
implementing Layer-7 application-based DSCP rewriters. To apply different loss priority<br />
levels to different traffic groups, Layer 2- to Layer 4-based honoring has been expanded<br />
to Layer 7. AppQoS accomplishes application-aware rate limiting by setting the<br />
bandwidth limit and burst size limit for different applications.<br />
[Junos OS Security Configuration Guide]<br />
• Application groups—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
SRX Series devices allow consolidation of applications under a single group name.<br />
Predefined application groups are downloaded as part of the application signature<br />
database. User-defined groups can be created and deleted.<br />
[Junos OS Security Configuration Guide ]<br />
• Application group support for application firewall (AppFW)—This feature is supported<br />
on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
SRX Series devices allow you to configure application firewall policies using application<br />
group names. Application group names provide simplified, consistent reuse when<br />
defining application firewall policies.<br />
[Junos OS Security Configuration Guide ]<br />
• Application signature management and usability enhancements—This feature is<br />
supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
<strong>Juniper</strong> <strong>Networks</strong> provides improvements in the usability and management of predefined<br />
application signatures available through the Junos OS application signature package<br />
subscription service.<br />
• Previously, predefined application signature updates were downloaded to the Junos<br />
OS configuration file, resulting in an unnecessarily large file. To improve usability,<br />
application signature updates are now downloaded and installed in a separate<br />
application signature database on SRX1400, SRX3400, SRX3600, SRX5600, and<br />
SRX5800 devices.<br />
• Using CLI commands, users can manage predefined and custom application<br />
signatures and application signature groups, as follows:<br />
424<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• View detailed and summary information.<br />
• Copy, disable, and enable predefined application signatures for maximum flexibility<br />
in the use and reuse of predefined application signatures and custom application<br />
signatures.<br />
• Create custom application signatures by copying a predefined application signature<br />
and using it as a template.<br />
• CLI services application-identification commands provide more options for the display<br />
and configuration of custom application signatures and application signature groups.<br />
• A new option insert-before customer-signature-name has been added to allow you<br />
to move a custom application signature before a specific predefined application<br />
signature or another custom application signature.<br />
[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS<br />
Security Configuration Guide]<br />
• Nested application identification enhancement—This feature is supported on<br />
SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
New application identification contexts have been added for more extensive nested<br />
application matching.<br />
Several new HTTP contexts have been added for application detection:<br />
• http-get-url-parsed-param-parsed<br />
• http-post-url-parsed-param-parsed<br />
• http-post-variable-parsed<br />
• http-header-user-agent<br />
• http-header-cookie<br />
An SSL context is now supported that identifies a server name in a client or server hello<br />
message.<br />
• ssl-server-name<br />
[Junos OS Security Configuration Guide ]<br />
• Onbox application tracking statistics for AppTrack—This feature is supported on<br />
SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
This feature adds application-level statistics to the AppSecure suite. Application<br />
statistics allow an administrator to access cumulative statistics as well as statistics<br />
accumulated over user-defined intervals. The administrator can clear the statistics<br />
and configure the interval values.<br />
Bytes and session count statistics are maintained. Because the statistics count occurs<br />
at AppTrack session close event time, the byte and session counts are not updated<br />
until the session closes.<br />
SRX Series devices support a history of 8 intervals that an administrator can use to<br />
display the application session and byte counts.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
425
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
Flow and Processing<br />
• Central point session scaling—This feature is supported on SRX5800 devices only.<br />
The central point was optimized to increase the total number of central point sessions<br />
to 20 million IPv4 sessions or 10 million IPv6 sessions. This optimization trades<br />
maximum attainable connections per second (CPS) for maximum number of central<br />
point sessions.<br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
• Global policy—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600,<br />
and SRX5800 devices.<br />
Unlike other security policies, global policies do not reference specific source and<br />
destination zones (from-zone and to-zone). Global policies allow you to regulate traffic<br />
with addresses and applications, regardless of their security zones. Global policies<br />
reference user-defined addresses or the predefined address “any.” These addresses<br />
can span multiple security zones.<br />
[Junos OS Security Configuration Guide]<br />
• Services offloading—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
Services offloading is a mechanism for processing fast-path packets in the network<br />
processor instead of in the Services Processing Unit (SPU). This method reduces the<br />
long packet processing latency that arises when packets are forwarded from network<br />
processors to SPUs for processing and back to I/O cards (IOCs) for transmission.<br />
Services offloading considerably reduces packet processing latency by 500–600<br />
percent.<br />
When the first packet arrives at the interface, the network processor forwards it to the<br />
SPU. If the SPU verifies that the traffic is qualified for services offloading, a<br />
services-offload session is created on the network processor. If the traffic does not<br />
qualify for services offloading, a normal session is created on the network processor.<br />
If a services-offload session is created, the subsequent fast-path packets are processed<br />
in the network processor itself.<br />
NOTE: A normal session forwards packets from the network processor to<br />
the SPU for fast-path processing, while a services-offload session processes<br />
fast-path packets in the network processor and the packets exit out of the<br />
network processor itself.<br />
When a services-offload session is created on the network processor, subsequent<br />
packets are matched with the session. The network processor then processes and<br />
forwards the packets based on the session information, such as TCP sequence check,<br />
time to live (TTL) processing, Network Address Translation (NAT), and Layer 2 header<br />
translation.<br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
426<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
General Packet Radio Service (GPRS)<br />
• GPRS tunneling protocol version 2 (GTPv2)—This feature is supported on SRX1400,<br />
SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
GPRS tunneling protocol (GTP) establishes a GTP tunnel between a Serving GPRS<br />
Support Node (SGSN) and a Gateway GPRS Support Node (GGSN) for individual<br />
Mobile Stations (MS). Both GTP version 0 (GTPv0) and GTP version 1 (GTPv1) are<br />
implemented using SGSNs and GGSNs only. However, in GTPv2 the traditional SGSNs<br />
and GGSNs are replaced by three logical nodes—a serving gateway (SGW), a packet<br />
data network gateway (PGW), and a mobility management entity (MME).<br />
You can enable GTPv2 by using the following CLI configuration statement:<br />
set security gprs gtp enable<br />
After configuring the above statement, you must reboot the device for GTPv2 inspection<br />
to take effect. To disable GTPv2, delete the security gprs gtp enable configuration<br />
statement from the device.<br />
NOTE: All GTPv2 features are supported on the device only if the security<br />
gprs gtp enable command is configured on the device.<br />
You can use the show security gprs gtp tunnels operational mode command to display<br />
details about the existing GTPv2 tunnels configured on the device.<br />
NOTE: IPv6 GTPv2 and GTPv2 for logical systems are not supported in<br />
Junos OS <strong>Release</strong> 11.4.<br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
Intrusion Detection and Prevention (IDP) and AppSecure<br />
• IDP and application identification support for jumbo frames—This feature is supported<br />
on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
The Intrusion Detection and Prevention (IDP) and application identification security<br />
features support the larger jumbo frame size of 9192 bytes. Although jumbo frames<br />
are enabled by default, you can adjust the maximum transmission unit (MTU) size by<br />
using the set interfaces command.<br />
For logging purposes, the total number of packets captured relative to an IDP attack<br />
will decrease due to the larger packet size in a jumbo frame. The default value is five<br />
packets before and five packets after the packet on which an IDP attack is identified.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
427
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
NOTE: Although CPU overhead can be reduced while processing jumbo<br />
frames, the IDP feature itself requires a minimum of 5 MB of memory for<br />
session inspection. If the required memory is not available, IDP will not<br />
inspect the applicable sessions. You can view IDP data plane memory by<br />
using the show security idp memory command.<br />
[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS<br />
Security Configuration Guide]<br />
• IDP attack description—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices for both J-Web and the CLI.<br />
The IDP attack description feature enables users to use the CLI to learn more about<br />
IDP attack objects. Currently, users view IDP attack objects in the<br />
/var/db/idpd/sec-download/SignatureUpdate.xml file, which makes it difficult for<br />
users to investigate and manage IDP attack objects. Users can quickly and easily<br />
administer IDP attack objects when the details are displayed through the CLI.<br />
You can use the show security idp attack description and the show security idp attack<br />
detail operational mode commands to display details about IDP attack objects.<br />
[Junos OS CLI Reference]<br />
IPv6 Support<br />
• Junos OS application identifiction—This feature is supported on SRX1400, SRX3400,<br />
SRX3600, SRX5600, and SRX5800 devices.<br />
Application firewall was previously supported in the IPv4 environment. Beginning with<br />
Junos OS <strong>Release</strong> 11.4, it is also supported on IPv6.<br />
SRX Series devices provide additional security protection against known dynamic<br />
applications that can send traffic that might not be adequately controlled by standard<br />
network firewall policies. The application firewall functionality enforces policies based<br />
on the results of the application identification process. The application identification<br />
process identifies applications using pattern matching, protocol decoding, and heuristics.<br />
To implement application firewall support:<br />
• Network security policy–Modify the policy configuration to support the application<br />
firewall rule set within the existing configuration.<br />
• Application firewall rule set–Define an application firewall rule set to be referenced<br />
by the network security policy.<br />
[Junos OS Security Configuration Guide]<br />
• Web authentication—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
Web authentication now supports IPv6 addresses.<br />
[Junos OS Security Configuration Guide]<br />
428<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• Firewall authentication—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
Firewall authentication now supports IPv6 addresses.<br />
[Junos OS Security Configuration Guide]<br />
J-Web<br />
• Customer branding of firewall authentication webpage —This feature is supported<br />
on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
<strong>Juniper</strong> <strong>Networks</strong> enables the administrator to replace the embedded <strong>Juniper</strong> <strong>Networks</strong><br />
logo present on the firewall authentication webpage with a customer graphic. It also<br />
provides the ability to create a different logo for different logical systems.<br />
• AppQoS monitoring—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices<br />
A new Application QoS Monitoring J-Web page allows you to view counters and<br />
statistics for AppQoS activity. The rate limiters statistics pane displays transfer rate<br />
information for recent traffic per PIC. The rules statistics pane displays the amount of<br />
traffic on each PIC broken down by the rule set and rule applied to each session.<br />
Counters for selected rule-sets display AppQoS session activity per PIC.<br />
• IDP monitoring—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600,<br />
and SRX5800 Services Gateways.<br />
The following pages have been added to the J-Web user interface:<br />
• Attacks Monitoring page<br />
• Applications Monitoring page<br />
• IDP performance in J-Web—IDP performance in J-Web has been improved for SRX1400,<br />
SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
Logical Systems<br />
• The logical systems feature is now supported on SRX1400 devices in addition to existing<br />
support on SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
[Junos OS Logical Systems Configuration Guide for Security Devices]<br />
• J-Web user and interconnect logical systems configuration—This feature is supported<br />
on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
When you are logged in to the device as the master administrator, you can configure<br />
logical systems on the Logical System Configuration page. The Logical System<br />
Information page displays information about the logical systems configured on the<br />
device.<br />
When you are logged in to the device as a user logical system administrator, the<br />
following tabs are available to you:<br />
• Dashboard tab—Displays the resources allocated to the logical system.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
429
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Configure tab—Allows you to configure interfaces, NAT, and security features for<br />
the user logical system.<br />
• Monitor tab—Allows you to monitor the configured features of the user logical system.<br />
• CPU usage allocation and control—This feature is supported on SRX1400, SRX3400,<br />
SRX3600, SRX5600, and SRX5800 devices.<br />
In Junos OS <strong>Release</strong> 11.4, the master administrator can configure and control CPU<br />
utilization by logical systems. The master administrator enables CPU utilization control<br />
with the cpu-control configuration statement at the [edit system security-profile<br />
resources] hierarchy level.<br />
When CPU utilization control is enabled, the master administrator can configure the<br />
following CPU utilization parameters:<br />
• Reserved quota of CPU utilization, in percent, is specified for each logical system.<br />
The reserved quota guarantees that a specified percentage of the CPU is always<br />
available to the logical system. The master administrator specifies the reserved CPU<br />
quota in a logical system security profile with the cpu reserved configuration<br />
statement at the [edit system security-profiles profile-name] hierarchy level. The<br />
security profile is applied to one or more logical systems.<br />
If CPU control is enabled and reserved CPU quotas are not configured, the default<br />
reserved quota for the master logical system is 1 percent and the default reserved<br />
quota for user logical systems is 0 percent.<br />
• CPU control target is the upper limit, in percent, for CPU utilization under normal<br />
operating conditions. If the overall CPU utilization surpasses the configured target<br />
value, the Junos OS software initiates controls to bring CPU utilization between the<br />
target value and 90 percent of the target value. During runtime, CPU utilization by<br />
each logical system is measured every two seconds. Dropping packets is used to<br />
reduce the CPU usage for a particular logical system. If the CPU usage of a logical<br />
system exceeds its quota, CPU utilization control drops the packets received on that<br />
logical system. The packet rate is calculated every two seconds based on CPU<br />
utilization of all logical systems.<br />
The master administrator configures the CPU control target with the<br />
cpu-control-target configuration statement at the [edit system security-profile<br />
resources] hierarchy level. The default CPU control target is 80 percent.<br />
The sum of the reserved CPU quotas for all logical systems on the device must be less<br />
than 90 percent of the CPU control target; the difference is a shared CPU resource<br />
that can be allocated among the logical systems that need additional CPU allocation.<br />
The actual CPU quota that a single logical system can use is the sum of its reserved<br />
CPU quota and its portion of the shared CPU resource.<br />
[Junos OS Logical Systems Configuration Guide for Security Devices]<br />
• VPN tunnel—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600,<br />
and SRX5800 devices.<br />
This feature allows the master logical system and a user logical system to share a VPN<br />
tunnel in a route-based VPN. The master administrator must assign the security tunnel<br />
430<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
(st0) interface to a user logical system. The master administrator configures IKE and<br />
IPsec SA parameters at the root level. The user logical system administrator can change<br />
the attributes of the st0 interface. To send traffic into the tunnel, the user logical system<br />
administrator configures a security policy to permit traffic to a remote destination and<br />
a route with the st0 as the next hop.<br />
NOTE: Only route-based VPNs are supported for logical systems.<br />
Policy-based VPNs are not supported.<br />
The master administrator assigns an st0 interface to a user logical system with the<br />
st0 unit number configuration statement at the [edit logical-systems name interfaces]<br />
hierarchy level. The master administrator configures IKE and IPsec in the master logical<br />
system with the VPN configuration at the [edit security ipsec] hierarchy level. VPN<br />
monitoring can be configured by the master administrator at the root level. For the<br />
VPN monitor source interface, the master administrator must specify the st0 interface;<br />
a physical interface for a user logical system cannot be specified.<br />
The user logical system administrator can set attributes for the st0 interface, such as<br />
an IP address, at the [edit interfaces st0 unit number] hierarchy level. The user logical<br />
system administrator configures security policies with the policy configuration statement<br />
at the [edit security policies from-zone zone to-zone zone] hierarchy level and static<br />
routes with the static route configuration statement at the [edit routing-options]<br />
hierarchy level.<br />
[Junos OS Logical Systems Configuration Guide for Security Devices]<br />
• IDP—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and<br />
SRX5800 devices.<br />
This feature allows the master administrator to configure IDP policies for user logical<br />
systems. The master administrator can create one or more IDP policies at the root<br />
level using intrusion prevention system (IPS) or application-level distributed<br />
denial-of-service (DDoS) rulebases. The master administrator specifies the IDP policy<br />
in a logical system security profile that is bound to one or more user logical systems.<br />
NOTE: In Junos OS <strong>Release</strong> 11.4, user logical system administrators cannot<br />
create or modify IDP policies for their user logical systems. Only the master<br />
administrator can create IDP policies.<br />
A single IDP security package is installed on the device for all logical systems. An idp-sig<br />
license must be installed at the root level.<br />
The master administrator configures an IDP policy at the root level using the idp-policy<br />
configuration statement at the [edit security idp] hierarchy level. To specify the IDP<br />
policy in a logical system security profile, the master administrator uses the idp-policy<br />
configuration statement at the [edit system security-profile profile-name] hierarchy<br />
level.<br />
[Junos OS Logical Systems Configuration Guide for Security Devices]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
431
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• IPv6 addresses in logical systems—This feature is supported on SRX1400, SRX3400,<br />
SRX3600, SRX5600, and SRX5800 devices.<br />
In Junos OS <strong>Release</strong> 11.4, IPv6 addresses can be configured in logical systems for the<br />
following features:<br />
• Interfaces<br />
• Flows<br />
• Zones and security policies<br />
• Screen options<br />
• Network address translation (except for interface NAT)<br />
• Administrative operations with telnet, ssh, https, and other utilities<br />
• Chassis clusters<br />
[Junos OS Logical Systems Configuration Guide for Security Devices]<br />
• Logical system name in security logs—This feature is supported on SRX1400,<br />
SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
Security logs are system log messages that include security events. If a device is<br />
configured for logical systems, security logs generated within the context of a logical<br />
system use the name logname_LS (for example, IDP_ATTACK_LOG_EVENT_LS). The<br />
logical system version of a log has the same set of attributes as the log for devices that<br />
are not configured for logical systems, but it also includes logical-system-name as the<br />
first attribute. If a device is configured for logical systems, log parsing scripts might<br />
need to be modified because the log name includes the _LS suffix and the<br />
logical-system-name attribute can be used to segregate logs by logical system.<br />
If a device is not configured for logical systems, the security logs remain unchanged<br />
and scripts built to parse logs do not need any modification.<br />
NOTE: Only the master administrator can configure logging at the [edit<br />
security log] hierarchy level. User logical system administrators cannot<br />
configure logging for their logical systems.<br />
[Junos OS Logical Systems Configuration Guide for Security Devices]<br />
• Data path debugging for traffic between logical systems—This feature is supported<br />
on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
Data path debugging provides tracing and debugging at multiple processing units along<br />
the packet-processing path. Data path debugging can also be performed on traffic<br />
between logical systems. Only the master administrator can configure data path<br />
debugging for logical systems at the [edit security datapath-debug] hierarchy level.<br />
User logical system administrators cannot configure data path debugging for their<br />
logical systems.<br />
When tracing is configured for the jexec event type, the trace output contains logical<br />
system information. The master administrator can also configure tracing for traffic<br />
432<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
between logical systems by specifying the lt-enter and lt-leave event types. The trace<br />
output shows traffic entering and leaving the logical tunnel between logical systems.<br />
The preserve-trace-order option can be configured to sort the output chronologically.<br />
In addition to the trace action, other actions such as packet-dump and packet-summary<br />
can be configured for the lt-enter and lt-leave events.<br />
[Junos OS Logical Systems Configuration Guide for Security Devices]<br />
• Multicast traffic—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
Multicast is a “one source, many destinations” method of traffic distribution, meaning<br />
that the destinations needing to receive the information from a particular source receive<br />
the traffic stream. In Junos OS <strong>Release</strong> 11.4, the master and user logical system<br />
administrators can configure a logical system to support multicast applications. The<br />
same multicast configurations to configure a device as a node in a multicast network<br />
can be used in a logical system.<br />
[Junos OS Routing Protocols and Policies Configuration Guide for Security Devices]<br />
• Application firewall support on logical systems—This feature is supported on<br />
SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
The <strong>Juniper</strong> <strong>Networks</strong> application firewall enables administrators of logical systems<br />
to create security policies for traffic based on the results of the application identification<br />
engine. The application firewall policy provides additional security protection against<br />
dynamic application traffic that might not be adequately controlled by standard<br />
network firewall policies.<br />
Configuring an application firewall policy on a logical system is the same process as<br />
configuring an application firewall policy on a device that is not configured with logical<br />
systems. However, the application firewall policy applies only to the logical system for<br />
which it is configured. The master administrator can configure, enable, and monitor<br />
application firewall policies on the master logical system and all user logical systems<br />
on a device. The user logical system administrators can configure, enable, and monitor<br />
an application firewall policy only on the user logical systems for which they have<br />
access.<br />
To implement this feature:<br />
• Network security policy—The master administrator defines a security profile and<br />
allocates a number of system resources for use by logical systems on the device. In<br />
this case, the application firewall resources (appfw-rule-set and appfw-rule) are<br />
added to the security profile, and the security profile is bound to a logical system.<br />
The master administrator and user logical system administrators add the application<br />
firewall configuration to the security policy for their respective logical systems.<br />
• Application firewall—The master administrator and user logical system administrators<br />
configure and manage application firewall rule sets and rules for their respective<br />
logical systems.<br />
[Junos OS Logical Systems Configuration Guide for Security Devices]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
433
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Network Address Translation (NAT)<br />
• Configurable capacity for source NAT pools with PAT—On SRX1400, SRX3400,<br />
SRX3600, SRX5600, and SRX5800 devices, the capacity of source NAT pools and IP<br />
addresses has been increased to support more users. When Port Address Translations<br />
(PAT) are set for each IP address, automatic checks ensure memory limits are not<br />
exceeded.<br />
[Junos OS Security Configuration Guide, Junos OS CLI Reference]<br />
Security<br />
• GTP IE removal—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
The multiple versions of the Third-Generation Partnership Project (3GPP) create<br />
interoperability problems in the mobile network. Junos OS <strong>Release</strong> 11.4 supports removal<br />
of R7, R8, and R9 information elements (IEs) of the GTPv1 messages, which allows<br />
you to retain interoperability.<br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
• Aggressive session aging—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
The aggressive session aging mechanism accelerates the session timeout process<br />
when the number of sessions in the session table exceeds a specified high-watermark<br />
threshold. This minimizes the likelihood of the SRX Series devices rejecting new sessions<br />
when the session table is full.<br />
[Junos OS Security Configuration Guide]<br />
• EZchip low latency—This feature is supported on SRX1400, SRX3400, SRX3600,<br />
SRX5600, and SRX5800 devices.<br />
The high-end SRX Series devices currently have long packet-processing latency because<br />
of packet processing through the Services Processing Unit (SPU) and through several<br />
stages of buffers in the data path.<br />
This feature introduces a local forwarding solution where the fast-path packets are<br />
processed by the EZchip on the I/O Card (IOC), without going through the switch fabric<br />
or the SPU. This solution reduces latency. The user needs to have a permanent<br />
low-latency firewall license to enable this feature on the chassis.<br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
• Security policies for self-traffic—This feature is supported on SRX1400, SRX3400,<br />
SRX3600, SRX5600, and SRX5800 devices.<br />
Users can now configure security policies for the self-traffic (the host inbound traffic<br />
or the host outbound traffic) of the device. The user can further apply relevant services<br />
to the new self-traffic policy.<br />
The security policies for the self-traffic are configured under the new default security<br />
zone called junos-host zone.<br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
434<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
SNMP<br />
• <strong>Juniper</strong> <strong>Networks</strong> enterprise-specific License MIB—This feature is supported on<br />
SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. This feature extends<br />
SNMP support for licensing information.<br />
The enterprise-specific License MIB:<br />
• Contains information about license features and the expiration details to reduce the<br />
burden involved in managing licenses.<br />
• Generates traps to alert users. For example, an alert is generated when a license<br />
expires or when the total number of users exceeds the maximum number specified<br />
in the license.<br />
• Provides access to license-related information through the SNMP get and get-next<br />
operations.<br />
[Junos OS SNMP MIBs and Traps Reference; MIB Reference for SRX1400, SRX3400, and<br />
SRX3600 Services Gateways; MIB Reference for SRX5600 and SRX5800 Services<br />
Gateways]<br />
Virtual Private Network (VPN)<br />
• Internet Key Exchange version 2(IKEv2)—This feature is supported on SRX1400,<br />
SRX3400, SRX3600, SRX5600, and SRX5800 devices.<br />
IKEv2 is the next-generation standard for secure key exchange between peer devices,<br />
defined in RFC 4306. IKEv2 is available in Junos OS <strong>Release</strong> 11.4, for securing IPsec<br />
traffic. The initial release does not support all the capabilities described in the RFCs.<br />
The advantages of using version 2 over version 1 are as follows;<br />
• Simplifies the existing IKEv1<br />
• Single RFC, including NAT-T, EAP and remote address acquisition<br />
• Replaces the 8 initial exchanges with a single 4-message exchange<br />
• Reduces the latency for the IPsec SA setup and increases connection establishment<br />
speed<br />
• Increases robustness against DoS attack<br />
• Improves reliability through the use of sequence numbers, acknowledgements, and<br />
error correction<br />
• Provides forward compatibility<br />
• Provides simple cryptographic mechanisms<br />
IKEv2 includes support for:<br />
• Route-based VPN<br />
• Site-to-site VPN<br />
• Dead peer detection (liveness check)<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
435
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Chassis cluster<br />
• Certificate-based authentication<br />
• Hardware offloading of the ModExp operations in a Diffie-Hellman (DH) exchange<br />
• IKE and child SA rekeying—In IKEv2, a child security association (SA) cannot exist<br />
without the underlying IKE SA. If a child SA is required, it will be rekeyed; however, if<br />
the child SAs are currently active, the corresponding IKE SA will be rekeyed.<br />
• IKE version 1 and IKE version 2<br />
[Junos OS CLI Reference, Junos OS Security Configuration Guide]<br />
• Site-to-site VPN support for NAT-T—This feature is supported on SRX1400, SRX3400,<br />
SRX3600, SRX5600, and SRX5800 devices.<br />
Site-to-site IKE gateway configuration for Network Address Translation-Traversal<br />
(NAT-T) is now supported on the server side (IKE responder). This is in addition to the<br />
current implementation of NAT-T support for dynamic IKE gateway configuration. A<br />
remote-identity value is used to validate a peer’s ike-id or id during Phase 1 of IKE tunnel<br />
negotiation.<br />
[Junos OS Security Configuration Guide]<br />
Related<br />
Documentation<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series Services<br />
Gateways on page 458<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 459<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 482<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 436<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 443<br />
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series<br />
Services Gateways<br />
The following current system behavior, configuration statement usage, and operational<br />
mode command usage might not yet be documented in the Junos OS documentation:<br />
AppSecure Application Package Upgrade Changes<br />
• On all high-end SRX Series devices, application tracking is enabled by default. You can<br />
disable application tracking with the set security application-tracking disable command.<br />
This command disables application tracking without deleting the zone configuration.<br />
• Application signatures removed after upgrading to Junos OS <strong>Release</strong> 11.4—This<br />
change applies to all high-end SRX Series devices that use the application identification<br />
signature package.<br />
436<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
In Junos OS <strong>Release</strong> 11.4, the application signature package is downloaded and installed<br />
in a separate database, not in the Junos OS configuration file as in previous Junos OS<br />
releases.<br />
When you upgrade an SRX Series device from Junos OS <strong>Release</strong> 11.2 to Junos OS<br />
<strong>Release</strong> 11.4, any predefined application signatures and signature groups from the<br />
Junos OS <strong>Release</strong> 11.2 configuration will be removed when you install the latest<br />
predefined signatures and signature groups by using the request services<br />
application-identification install command. However, the upgrade will not remove<br />
custom signatures and signature groups from the Junos OS configuration.<br />
For information about using the request services application-identification download<br />
and request services application-identification install commands, see the Junos OS<br />
CLI Reference.<br />
Chassis Cluster<br />
• On all high-end SRX Series devices, the set chassis fpc pic <br />
services-offload command is not available for configuration and, as a consequence,<br />
the devices cannot be used in services-offload mode.<br />
Command-Line Interface (CLI)<br />
• In Junos OS <strong>Release</strong> 11.2 and 11.4 the set security zone security-zones tcp-rst<br />
command in the CLI Help displays an incorrect description as:<br />
tcp-rst—Send RST for TCP SYN packet not matching session<br />
The correct description is:<br />
tcp-rst—Send RST for NON-SYN packet not matching TCP session<br />
Deprecated Items for High-End SRX Series Services Gateways<br />
Table 25 on page 437 lists deprecated items (such as CLI statements, commands, options,<br />
and interfaces).<br />
CLI statements and commands are deprecated—rather than immediately removed—to<br />
provide backward compatibility and a chance to bring your configuration into compliance<br />
with the new configuration. We strongly recommend that you phase out deprecated<br />
items and replace them with supported alternatives.<br />
Table 25: Items Deprecated in <strong>Release</strong> 11.4R2<br />
Deprecated<br />
Item<br />
Replacement<br />
Hierarchy Level or<br />
Command Syntax<br />
Additional Information<br />
mcc-mnc<br />
imsi-prefix<br />
edit security gprs gtp profile<br />
profile-name apn<br />
pattern-string<br />
On all high-end SRX Series<br />
devices, the following<br />
mcc-mnc command is not<br />
supported.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
437
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 25: Items Deprecated in <strong>Release</strong> 11.4R2 (continued)<br />
Deprecated<br />
Item<br />
Replacement<br />
Hierarchy Level or<br />
Command Syntax<br />
Additional Information<br />
download-timeout<br />
-<br />
download-timeout timeout<br />
On all high-end SRX Series<br />
devices, download-timeout<br />
command is deprecated<br />
and if the configuration is<br />
present, it will be ignored.<br />
The idpd daemon<br />
internally triggers<br />
security-package to install<br />
when an automatic<br />
download completes.<br />
There is no need to<br />
configure any<br />
download-timeout.<br />
Flow and Processing<br />
• The minimum value you can configure for TCP session initialization is 4 seconds. The<br />
default value is 20 seconds; if required you can set the TCP session initialization value<br />
to less than 20 seconds.<br />
• On all high-end SRX Series devices, TCP session configuration has been enhanced. In<br />
earlier releases, the TCP session was only invalidated after 2 seconds of receiving a<br />
FIN or ACK packet. As a result, if there were new incoming SYN packets (with the same<br />
five tuples) within this 2 seconds, the packets would use the same TCP session, which<br />
would be terminated within 2 seconds. Therefore a new session could not be<br />
established.<br />
A new configuration attribute, fin-invalidate-session, has been introduced at the edit<br />
security flow tcp-session hierarchy level. This command invalidates a TCP session<br />
immediately on reception of a FIN or ACK packet. New incoming SYN packets will need<br />
to establish a new session.<br />
To end a session immediately on reception of a FIN or ACK packet, use the set security<br />
flow tcp-session fin-invalidate-session command.<br />
General Packet Radio Service (GPRS)<br />
• When GTP inspection is enabled, all UDP packets that use GTP port numbers (3386,<br />
2123, or 2152), but are not actually GTP packets, will be dropped.<br />
• When you receive a create request and a response request on a Services Processing<br />
Unit (SPU), the tunnel might be established on a different SPU. For example, suppose<br />
you have SPU x, y, and z. You create a packet data protocol (PDP) context<br />
request/response that is processed individually by SPU x and y. The tunnel, however,<br />
is created on SPU z.<br />
• When a tunnel reaches full capacity (250,000 tunnels) on an SPU, the clear tunnel all<br />
command takes approximately 25 seconds to process. The clear tunnel all command<br />
takes much less time to process on SPUs without tunnels. For example, suppose you<br />
438<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
have SPU x and y. The traffic distributed to SPU x is blocked by the clear tunnel all<br />
command. However, it has no impact on the traffic on SPU y.<br />
• The Create-PDP-Response packet must reach the devices within 5 seconds after the<br />
corresponding Create-PDP-Request was seen by the device; otherwise the request<br />
times out and the tunnel cannot be established.<br />
• When the restart counter value changes from its previous value, the tunnels that belong<br />
to the GSN device clear immediately. However, there is a 2-second delay to clear<br />
tunnels that belong to a security device.<br />
• On all high-end SRX Series devices in an active/active chassis cluster mode with GPRS<br />
enabled, the seq-number-validated command is disabled in GTP profile and no more<br />
available for configuration.<br />
In-Service Software Upgrade (ISSU)<br />
• On all high-end SRX Series devices, when an ISSU encounters an unexpected situation<br />
that necessitates an abort, the system message provides you with detailed information<br />
about when and why the upgrade stopped and recommendations for the next steps<br />
to take.<br />
The recommended steps that are displayed in the output have been modified. For the<br />
correct steps, see “Junos OS Security Configuration Guide” in “Errata and Changes in<br />
Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways”<br />
on page 482.<br />
Intrusion Detection and Prevention (IDP)<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, for a dynamic attack group<br />
using the direction filter, the expression AND should be used in the exclude values. As<br />
is the case with all filters, the default expression is OR. However, there is a choice of<br />
AND in the case of the direction filter.<br />
For example, if you want to choose all attacks with the direction client-to-server,<br />
configure the direction filter using the set security idp dynamic-attack-group dyn1 filters<br />
direction values client-to-server command.<br />
In the case of chain attacks, each of the multiple members has its own direction. If a<br />
policy includes chain attacks, a client-to-server filter selects all chain attacks that have<br />
any member with client-to-server as the direction. This means chain attacks that<br />
include members with server-to-client or ANY as the direction are selected if the chain<br />
has at least one member with client-to-server as the direction.<br />
To prevent these chain attacks from being added to the policy, configure the dynamic<br />
group as follows:<br />
• set security idp dynamic-attack-group dyn1 filters direction expression and<br />
• set security idp dynamic-attack-group dyn1 filters direction values client-to-server<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
439
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• set security idp dynamic-attack-group dyn1 filters direction values<br />
exclude-server-to-client<br />
• set security idp dynamic-attack-group dyn1 filters direction values exclude-any<br />
IPv6<br />
• On all SRX Series devices, a new configuration option for IPv6 Neighbor Discovery<br />
Protocol (NDP) is added. This option will prevent the device from responding to a<br />
Neighbor Solicitation (NS) from a prefix which was not included as one of the device<br />
interface prefixes.<br />
The new command is:<br />
set protocol neighbor-discovery onlink-subnet-only<br />
NOTE: The Routing Engine needs to be rebooted after setting this option<br />
to remove any possibility of a previous IPv6 entry from remaining in the<br />
forwarding-table.<br />
Logical Systems<br />
• The logical-systems all option can now be specified for the show security screen statistics<br />
operational command.<br />
Management Information Base (MIB)<br />
• On all high-end SRX Series devices in a chassis cluster environment, the calculation<br />
of the primary and secondary node sessions in the JnxJsSPUMonitoringObjectsTable<br />
object of the SPU monitoring MIB is incorrect. The MIB<br />
jnxJsSPUMonitoringCurrentTotalSession incorrectly displays total sessions.<br />
A doubled session count is displayed because the active and backup nodes are treated<br />
as separate sessions, although these nodes are not separate sessions.<br />
Count only the session numbers on the local node, thereby avoiding a double count,<br />
and local total sessions are displayed.<br />
The SPUMonitoringCurrentTotalSession object of the MIB adds information per each<br />
SPU from the local node.<br />
[MIB Reference for SRX1400, SRX3400, and SRX3600 Services Gateways; MIB Reference<br />
for SRX5600 and SRX5800 Services Gateways]<br />
440<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Multicast<br />
• On all high-end SRX Series devices, if the maximum number of leaves on a multicast<br />
distribution tree is exceeded, multicast sessions are created up to the maximum number<br />
of leaves, and any multicast sessions that exceed the maximum number of leaves are<br />
ignored. In previous releases, no multicast traffic was forwarded if the maximum number<br />
of leaves on the multicast distribution tree was exceeded. The maximum number of<br />
leaves on a multicast distribution tree is device specific.<br />
Security Policies<br />
• Public key infrastructure (PKI) objects include certificates, key pairs, and certificate<br />
revocation lists (CRLs). PKI objects are read from the PKI database when the PKI<br />
daemon (PKID) starts. The PKID database loads all certificates into memory at boot<br />
time.<br />
When an object is read into memory from the PKI database, the following new log<br />
message is created:<br />
PKID_PV_OBJECT_READ: A PKI object was read into memory from <br />
Security Policy Rules<br />
• If a policy is configured with multiple applications, and more than one of the applications<br />
match the traffic, then the application that best meets the match criteria is selected.<br />
System Log<br />
• The following system log messages have been introduced in Junos OS <strong>Release</strong> 11.4R6.<br />
• When sensor-configuration disable-low-memory-handling is not set and IPD receives<br />
a low-memory signal, the following message appears: Processing low memory signal<br />
• When sensor-configuration disable-low-memory-handling is set and IPD receives a<br />
low-memory signal, the following message appears: Ignoring low memory signal<br />
• IPsec System Log Enhancement<br />
IPsec system logs (sylogs) are generated for certain VPN scenarios. Junos OS <strong>Release</strong><br />
11.2R4 introduces IPsec sylogs enhancement. These system logs are supported on all<br />
SRX Series devices.<br />
NOTE: You need to use the set system syslog file vpn_syslog daemon any<br />
CLI command to capture these IPsec system logs.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
441
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
The newly introduced IPsec system logs are:<br />
• IKE Phase-1: Responder starts Main mode negotiations—The remote peer at the<br />
specified IP address has initiated Phase 1 negotiations in either Main or Aggressive<br />
mode, and the local security device (the Responder) has begun its response. No<br />
recommended action.<br />
• IKE Phase-1: (Initiator) symmetric crypto key has been generated successfully—The<br />
P1 or manual key used for encryption has been generated successfully. No<br />
recommended action.<br />
• IKE Phase-1: Negotiation completed—The local security device has sent the initial<br />
message for IKE Phase 2 negotiations to the specified peer. No recommended action.<br />
• IKE Phase-1 Failure: Main mode - no proposal chosen—There were no acceptable<br />
Phase 1 proposals. The specified negotiations to the identified IKE failed. Examine<br />
the local log and VPN configuration, and request the remote IKE user to examine<br />
the configuration on their VPN client for possible causes.<br />
• IKE Phase-1 Failure: ISAKMP negotiation retry limit reached—ISAKMP negotiation retry<br />
limit reached. No recommended action.<br />
• IKE Phase-1 Failure: Received delete notification—Received delete notification. No<br />
recommended action.<br />
• IKE Phase-2: (Responder) Quick mode - negotiation initiated—The local security device<br />
has sent the initial message for IKE Phase 2 negotiations to the specified peer. No<br />
recommended action.<br />
• IKE Phase-2: (Initiator) The symmetric crypto key has been generated successfully—The<br />
P2 or manual key used for encryption has been generated successfully. No<br />
recommended action.<br />
• IKE Phase-2: (Responder) Quick mode - Responded to the first peer message—The<br />
local security device has responded to the specified peer, which sent the first message<br />
for Phase 2 IKE negotiations. No recommended action.<br />
• IKE Phase-2: Completed negotiations—The local security device has successfully<br />
negotiated a Phase 2 session with the specified peer. The Phase 2 session consists<br />
of the specified attributes. No recommended action.<br />
• IKE Phase-2 Failure: Quick mode - no proposal chosen—There were no acceptable<br />
Phase 2 proposals. The specified negotiations to the identified IKE failed. Examine<br />
the local log and VPN configuration, and request the remote IKE user to examine<br />
the configuration on the VPN client for possible causes.<br />
• IKE Phase-2: (Responder) Policy lookup for Phase-2 failed—Received a message but<br />
did not check a policy because ID mode was set to IP or policy checking was disabled.<br />
When the local security device received an IKE Phase 2 message from the specified<br />
peer, it could not check for a policy because the ID mode was set to IP or policy<br />
checking was disabled. If the ID mode is set to IP, the remote peer does not send the<br />
proxy ID payload when initiating a Phase 2 session. The proxy ID consists of the local<br />
end entity's IP address and netmask, protocol, and port number, as well as those<br />
items for the remote end entity. Consequently, the local peer cannot use the<br />
442<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
information in the proxy ID to match the information in a local policy. If policy checking<br />
is disabled for IKE traffic with the specified peer, the IKE module builds security<br />
association (SA) without verifying the policy configuration.<br />
Verify if this behavior is intended. If not, set the ID mode to subnet (set IKE ID mode<br />
subnet) and enable policy checking ( set IKE policy checking ).<br />
• IKE Phase-2: Failed to match the peer proxy IDs—The peer sent a proxy ID that did not<br />
match the one in the SA configuration. An IKE Phase 2 quick mode message was<br />
received and a corresponding Phase 1 SA was found, but the proxy ID (local and<br />
remote subnets protected by this tunnel) within the message was not consistent<br />
with the proxy ID setting for this tunnel's configuration.<br />
Verify the proxy ID (local and remote subnets) setting for this tunnel and try again.<br />
• IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached—The local security<br />
device has reached the retransmission limit (10 failed attempts) during Phase 2<br />
negotiations with the specified remote peer because the local device has not received<br />
a response.<br />
NOTE: If the local device continues receiving outbound traffic for the<br />
remote peer after the first 10 failed attempts, it makes another 10<br />
attempts, and continues to do so until it either succeeds at contacting<br />
the remote gateway or it no longer receives traffic bound for that gateway.<br />
Verify network connectivity to the peer gateway. Request the remote gateway admin<br />
to consult the log to determine if the connection requests reached it and, if so, why<br />
the device did not respond.<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways on<br />
page 417<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series Services<br />
Gateways on page 458<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 459<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 482<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 443<br />
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
AppSecure<br />
• J-Web pages for AppSecure are preliminary.<br />
• Custom application signatures and custom nested application signatures are not<br />
currently supported by J-Web.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
443
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• AppFW does not operate on ALG data sessions. As a result, the AppFW rules are not<br />
applicable to these sessions. Therefore, ALG data sessions are excluded from AppFW<br />
counters.<br />
Chassis Cluster<br />
• On all high-end SRX Series devices, IPSec VPN is not supported in active/active chassis<br />
cluster configuration (that is, when there are multiple RG1+ redundancy-groups).<br />
• On SRX5800 and SRX5600 devices in chassis cluster, IP Monitoring is not supported<br />
on redundant Ethernet interface if bundle (LAG) redundant Ethernet is configured.<br />
• On all high-end SRX Series devices, the first recommended ISSU from release is Junos<br />
OS <strong>Release</strong> 10.4R4. If you intend to upgrade from a release earlier than <strong>Release</strong> 10.4R4,<br />
see the release notes for the release that you are upgrading from for information about<br />
limitations and issues related to upgrading.<br />
On all high-end SRX Series devices, ISSUs do not support the following features:<br />
• ALGs (MGCP and SCCP)<br />
• AppSecure<br />
• DHCP<br />
• GPRS, GTP, and SCTP<br />
• GRE or IP-IP<br />
• IDP<br />
• J-Flow<br />
• Logging<br />
• Multicast routing<br />
• PCAP<br />
• Port mirroring<br />
• VPN<br />
For the latest ISSU support status, go to the <strong>Juniper</strong> <strong>Networks</strong> Knowledge Base (KB):<br />
http://kb.juniper.net/ and search for KB17946.<br />
• On all high-end SRX Series devices in a chassis cluster, only four QoS queues are<br />
supported per ae interface.<br />
• In large chassis cluster configurations on SRX3400 or SRX3600 devices, you need to<br />
increase the wait time before triggering failover. In a full-capacity implementation, we<br />
recommend increasing the wait to 8 seconds by modifying heartbeat-threshold and<br />
heartbeat-interval values in the [edit chassis cluster] hierarchy.<br />
The product of the heartbeat-threshold and heartbeat-interval values defines the time<br />
before failover. The default values (heartbeat-threshold of 3 beats and<br />
heartbeat-interval of 1000 milliseconds) produce a wait time of 3 seconds.<br />
444<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
To change the wait time, modify the option values so that the product equals the<br />
desired setting. For example, setting the heartbeat-threshold to 8 and maintaining the<br />
default value for the heartbeat-interval (1000 milliseconds) yields a wait time of<br />
8 seconds. Likewise, setting the heartbeat-threshold to 4 and the heartbeat-interval to<br />
2000 milliseconds also yields a wait time of 8 seconds.<br />
• Packet-based forwarding for MPLS and International Organization for Standardization<br />
(ISO) protocol families is not supported.<br />
• On SRX Series devices, only two of the 10 ports on each PIC of 40-port 1-Gigabit<br />
Ethernet I/O cards (IOCs) for SRX5600 and SRX5800 devices can simultaneously<br />
enable IP address monitoring. Because there are four PICs per IOC, this permits a total<br />
of eight ports per IOC to be monitored. If more than two ports per PIC on 40-port<br />
1-Gigabit Ethernet IOCs are configured for IP address monitoring, the commit will<br />
succeed but a log entry will be generated, and the accuracy and stability of IP address<br />
monitoring cannot be ensured. This limitation does not apply to any other IOCs or<br />
devices.<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, IP address monitoring is<br />
not supported on redundant Ethernet interface link aggregation groups (LAGs) or on<br />
child interfaces of redundant Ethernet interface LAGs.<br />
• On SRX1400, SRX3000 and SRX5000 line chassis clusters, screen statistics data can<br />
be gathered on the primary device only.<br />
• On all high-end SRX Series devices, ISSU does not support version downgrading.<br />
• On all high-end SRX Series devices, only redundant Ethernet interfaces (reth) are<br />
supported for IKE external interface configuration in IPsec VPN. Other interface types<br />
can be configured, but IPsec VPN might not work.<br />
Dynamic Host Configuration Protocol (DHCP)<br />
• On all high-end SRX Series devices DHCP is not supported in a chassis cluster.<br />
• On all high-end SRX Series devices, DHCPv6 client authentication is not supported.<br />
Flow and Processing<br />
• On all high-end SRX Series devices, sessions going through GRE over IPsec are not<br />
marked as backup on backup node, instead, they are marked as active on backup node.<br />
This behavior causes the real active session to be deleted. Nesting tunnel, like GRE<br />
over IPsec, is not supported on chassis cluster.<br />
• On all high-end SRX Series, a mismatch between the Firewall Counter Packet and Byte<br />
Statistics values, and between the Interface Packet and Byte Statistics values, might<br />
occur when the rate of traffic increases above certain rates of traffic.<br />
• On all high-end SRX Series devices, when packet-logging functionality is configured<br />
with an improved pre-attack configuration parameter value, the resource usage<br />
increases proportionally and might affect the performance.<br />
• Services offloading has the following limitations on all high-end SRX Series devices:<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
445
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Transparent mode is not supported. If transparent mode is configured, a normal<br />
session is installed.<br />
• Link aggregation group (LAG) is not supported. If a LAG is configured, a normal<br />
session is installed.<br />
• Only multicast sessions with one fan-out are supported. If a multicast session with<br />
more than one fan-out exists, a normal session is installed.<br />
• Only active/passive chassis cluster (HA) configuration is supported. Active/active<br />
chassis cluster configuration is not supported.<br />
• Fragmented packets are not supported. If fragmented packets exist, a normal session<br />
is installed.<br />
• Ingress and egress interfaces on different network processors are not supported. If<br />
an ingress interface and the related egress interface do not belong to the same<br />
network processor, a normal session is installed on the network processor.<br />
• IP version 6 (IPv6) is not supported. If IPv6 is configured, a normal session is installed.<br />
NOTE: A normal session forwards packets from the network processor to<br />
the Services Processing Unit (SPU) for fast-path processing, while a<br />
services-offload session processes fast-path packets in the network<br />
processor and the packets exit out of the network processor itself.<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the default authentication<br />
table capacity is 45,000; the administrator can increase the capacity to a maximum<br />
of 50,000.<br />
• On SRX1400 devices, the default authentication table capacity is 10,000; the<br />
administrator can increase the capacity to a maximum of 15,000.<br />
• On all high-end SRX Series devices, when devices are operating in flow mode, the<br />
Routing Engine side cannot detect the path maximum transmission unit (PMTU) of<br />
an IPv6 multicast address (with a large size packet).<br />
• On all high-end SRX Series devices, you cannot configure route policies and route<br />
patterns in the same dial plan.<br />
• On all high-end SRX Series devices, high CPU utilization triggered for reasons such as<br />
CPU intensive commands and SNMP walks causes the Bidirectional Forwarding<br />
Detection protocol (BFD) to flap while processing large BGP updates.<br />
• On all high-end SRX Series devices, downgrading is not supported in low-impact ISSU<br />
chassis cluster upgrades (LICU).<br />
• On SRX5800 devices, network processing bundling is not supported in Layer 2<br />
transparent mode.<br />
446<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
General Packet Radio Service (GPRS)<br />
• In an chassis cluster scenario, the number of APN or IMSI filters must be limited to 600<br />
for each GTP profile. The number of filters is directly proportional to the number of<br />
IMSI prefix entries. For example, if one APN is configured with two IMSI prefix entries,<br />
then the number of filters is two.<br />
Hardware<br />
This section covers filter and policing limitations.<br />
• On SRX1400, SRX3400 and SRX3600 devices, the following feature is not supported<br />
by a simple filter:<br />
• Forwarding class as match condition<br />
• On SRX1400, SRX3400 and SRX3600 devices, the following features are not supported<br />
by a policer or a three-color-policer:<br />
• Color-aware mode of a three-color-policer<br />
• Filter-specific policer<br />
• Forwarding class as action of a policer<br />
• Logical interface policer<br />
• Logical interface three-color policer<br />
• Logical interface bandwidth policer<br />
• Packet loss priority as action of a policer<br />
• Packet loss priority as action of a three-color-policer<br />
• On all high-end SRX Series devices, the following features are not supported by a<br />
firewall filter:<br />
• Policer action<br />
• Egress filter-based forwarding (FBF)<br />
• Forwarding table filter (FTF)<br />
• SRX3400 and SRX3600 devices have the following limitations of a simple filter:<br />
• Forwarding class as match condition<br />
• In the packet processor on an IOC, up to 400 logical interfaces can be applied with<br />
simple filters.<br />
• In the packet processor on an IOC, the maximum number of terms of all simple filters<br />
is 2000.<br />
• In the packet processor on an IOC, the maximum number of policers is 2000.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
447
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• In the packet processor on an IOC, the maximum number of three-color-policers is<br />
2000.<br />
• The maximum burst size of a policer or three-color-policer is 16 MB.<br />
• On SRX3400 and SRX3600 devices, when you enable the monitor traffic option using<br />
the monitor traffic command to monitor the FXP interface traffic, interface bounce<br />
occurs. You must use the monitor traffic interface fxp0 no-promiscuous command to<br />
avoid the issue.<br />
Interfaces and Routing<br />
• On all high-end SRX Series devices,interfaces of redundant Ethernet interface it takes<br />
more than 5 minutes for ATM interface to show up when CPE is configured in ANSI-DMT<br />
mode and CO is configured in auto mode. This occurs only with ALU 7300 DSLAM, due<br />
to limitation in current firmware version running on ADSL Mini – PIM.<br />
• On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set<br />
routing-options flow CLI statements are no longer available, because BGP flow spec<br />
functionality is not supported on these devices.<br />
• On all high-end SRX Series devices, the Link Aggregation Control Protocol (LACP) is<br />
not supported on Layer 2 interfaces.<br />
• On all high-end SRX Series devices, BGP-based virtual private LAN service (VPLS)<br />
over aggregated Ethernet (ae) interfaces is not supported. It works on child ports and<br />
physical interfaces.<br />
Internet Key Exchange Version 2 (IKEv2)<br />
On all high-end SRX Series devices, IKEv2 does not include support for:<br />
• Policy-based tunnels<br />
• Dial-up tunnels<br />
• Network Address Translation-Traversal (NAT-T)<br />
• VPN monitoring<br />
• Next-Hop Tunnel Binding (NHTB) for st0—Reusing the same tunnel interface for<br />
multiple tunnels<br />
• Extensible Authentication Protocol (EAP)<br />
• IPv6<br />
• Multiple child SAs for the same traffic selectors for each QoS value<br />
• Proposal enhancement features<br />
• Reuse of Diffie-Hellman (DH) exponentials<br />
• Configuration payloads<br />
• IP Payload Compression Protocol (IPComp)<br />
• Dynamic Endpoint (DEP)<br />
448<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Intrusion Detection and Prevention (IDP)<br />
• On all high-end SRX Series devices, from Junos OS <strong>Release</strong> 11.2 and later, the IDP<br />
security package is based on the Berkeley database. Hence, when the Junos OS image<br />
is upgraded from Junos OS <strong>Release</strong> 11.1 or earlier to Junos OS 11.2 or later, a migration<br />
of IDP security package files needs to be performed. This is done automatically on<br />
upgrade when the IDP daemon comes up. Similarly, when the image is downgraded,<br />
a migration (secDb install) is automatically performed when the IDP daemon comes<br />
up, and previously installed database files get deleted.<br />
However, migration is dependent on the XML files for the installed database to be<br />
present on the device. For first-time installation, full update files are required. If the<br />
last update on the device was an incremental update, migration might fail. In such a<br />
case, you have to manually download and install the IDP security package using the<br />
download or install CLI command before using the IDP configuration with predefined<br />
attacks or groups.<br />
Workaround: Use the following CLI commands to manually download the individual<br />
components of the security package from the <strong>Juniper</strong> Security Engineering portal and<br />
install the full update:<br />
• request security idp security-package download full-update<br />
• request security idp security-package install<br />
• On all high-end SRX Series devices, the IDP policies for each user logical system are<br />
compiled together and stored on the data plane memory. To estimate adequate data<br />
plane memory for a configuration, consider these two factors:<br />
• IDP policies applied to each user logical system are considered unique instances<br />
because the ID and zones for each user logical system are different. Estimates need<br />
to take into account the combined memory requirements for all user logical systems.<br />
• As the application database increases, compiled policies will require more memory.<br />
Memory usage should be kept below the available data plane memory to allow for<br />
database increases.<br />
• On all high-end SRX Series devices, ingress as ge-0/0/2 and egress as ge-0/0/2.100<br />
works with flow showing both source and destination interface as ge-0/0/2.100.<br />
• IDP does not allow header checks for nonpacket contexts.<br />
• On all high-end SRX Series devices, application-level distributed denial-of-service<br />
(application-level DDoS) detection does not work if two rules with different<br />
application-level DDoS applications process traffic going to a single destination<br />
application server. When setting up application-level DDoS rules, make sure that you<br />
do not configure rulebase-ddos rules that have two different application-ddos objects<br />
when the traffic destined to one application server can process more than one rule.<br />
Essentially, for each protected application server, you have to configure the<br />
application-level DDoS rules so that traffic destined for one protected server processes<br />
only one application-level DDoS rule.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
449
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
NOTE: Application-level DDoS rules are terminal, which means that once<br />
traffic is processed by one rule, it will not be processed by other rules.<br />
The following configuration options can be committed, but they will not work properly:<br />
source-zone<br />
destination-zone<br />
destination-ip<br />
service<br />
application-ddos<br />
Application<br />
Server<br />
source-zone-1<br />
dst-1<br />
any<br />
http<br />
http-appddos1<br />
1.1.1.1:80<br />
source-zone-2<br />
dst-1<br />
any<br />
http<br />
http-appddos2<br />
1.1.1.1:80<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level DDoS<br />
rule base (rulebase-ddos) does not support port mapping. If you configure an<br />
application other than default, and if the application is from either predefined Junos<br />
OS applications or a custom application that maps an application service to a<br />
nonstandard port, application-level DDoS detection will not work.<br />
When you configure the application setting as default, intrusion detection and<br />
prevention (IDP) uses application identification to detect applications running on<br />
standard and nonstandard ports; thus, the application-level DDoS detection would<br />
work properly.<br />
• IDP deployed in both active/active and active/passive chassis clusters has the following<br />
limitations:<br />
• No inspection of sessions that fail over or fail back.<br />
• The IP action table is not synchronized across nodes.<br />
• The Routing Engine on the secondary node might not be able to reach networks that<br />
are reachable only through a Packet Forwarding Engine.<br />
• The SSL session ID cache is not synchronized across nodes. If an SSL session reuses<br />
a session ID and it happens to be processed on a node other than the one on which<br />
the session ID is cached, the SSL session cannot be decrypted and will be bypassed<br />
for IDP inspection.<br />
• IDP deployed in active/active chassis clusters has a limitation that for time-binding<br />
scope source traffic, if attacks from a source (with more than one destination) have<br />
active sessions distributed across nodes, then the attack might not be detected because<br />
time-binding counting has a local-node-only view. Detecting this sort of attack requires<br />
an RTO synchronization of the time-binding state that is not currently supported.<br />
Internet Protocol Security (IPsec)<br />
• On SRX Series devices, when you enable VPN, overlapping of the IP addresses across<br />
virtual routers (VRs) is supported partially with following limitations:<br />
• An IKE external interface address cannot overlap with any other VR.<br />
• An internal/trust interface address can overlap across VRs.<br />
450<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• An st0 interface address cannot overlap in route-based VPN in point-to-multipoint<br />
tunnel such as NHTB.<br />
• An st0 interface address can overlap in route-based VPN in point-to-point tunnel.<br />
IPv6<br />
• SCTP - SCTP is not supported on IPv6. It is supported only on IPv4.<br />
• NSM—Consult the Network and Security Manager (NSM) release notes for version<br />
compatibility, required schema updates, platform limitations, and other specific details<br />
regarding NSM support for IPv6 addressing on SRX3400, SRX3600, SRX5600, and<br />
SRX5800 devices.<br />
• Security policy—IDP for IPv6 sessions is supported only for all high-end SRX Series<br />
devices. UTM for IPv6 sessions is not supported. If your current security policy uses<br />
rules with the IP address wildcard any, and UTM features are enabled, you will encounter<br />
configuration commit errors because UTM features do not yet support IPv6 addresses.<br />
To resolve the errors, modify the rule returning the error so that it uses the any-ipv4<br />
wildcard; and create separate rules for IPv6 traffic that do not include UTM features.<br />
J-Web<br />
• On all high-end SRX Series devices, to use the Chassis View, a recent version of Adobe<br />
Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note<br />
that the Chassis View is displayed by default on the Dashboard page. You can enable<br />
or disable it using options in the Dashboard Preference dialog box, but clearing cookies<br />
in Internet Explorer also causes the Chassis View to be displayed.<br />
•<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, users cannot differentiate<br />
between Active and Inactive configurations on the System Identity, Management<br />
Access, User Management, and Date & Time pages.<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you cannot use J-Web to<br />
configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently<br />
supported for use as IKE external interfaces.<br />
Logical Systems<br />
• On all high-end SRX Series devices, when more than one IDP policy is configured on<br />
the device, and if root logical systems and custom logical systems are referring to<br />
different policies, the referenced policies may not compile properly after a security<br />
package update. As a workaround, deactivate and activate the active policy of IDP and<br />
commit the configuration after installing the security package.<br />
• The master logical system must not be bound to a security profile that is configured<br />
with a 0 percent reserved CPU quota as traffic loss could occur. When upgrading an<br />
a high-end SRX Series devices from Junos OS <strong>Release</strong> 11.2, make sure that the reserved<br />
CPU quota in the security profile that is bound to the master logical system is configured<br />
for 1 percent or more. After upgrading from Junos OS <strong>Release</strong> 11.2, the reserved CPU<br />
quota is added to the default security profile with a value of 1 percent.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
451
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• Starting with Junos OS <strong>Release</strong> 11.2, address books can be defined under the [security]<br />
hierarchy level instead of the [security zones] hierarchy level. This enhancement makes<br />
configuring your network simpler by allowing you to share IP addresses in address<br />
books when configuring features such as security policies and NAT. You can attach<br />
zones to address books—this is known as zone-attached configuration.<br />
Junos OS <strong>Release</strong> 11.4 continues to support address book configuration under the<br />
[security zones] hierarchy level—this is known as zone-defined configuration. However,<br />
we recommend that zone-attached address book configuration be used in the master<br />
logical system and user logical systems.<br />
If you upgraded your SRX1400, SRX3400, SRX3600, SRX5600, or SRX5800 device<br />
to this Junos OS <strong>Release</strong> 11.4, and are configuring logical systems on the device, the<br />
master logical system retains any previously-configured zone-defined address book<br />
configuration. The master administrator can run the address book upgrade script to<br />
convert zone-defined configuration to zone-attached configuration. The upgrade script<br />
converts all zone-defined configurations in the master logical system and user logical<br />
systems. See section, “Upgrade and Downgrade Scripts for Address Book Configuration”<br />
of “Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways” on page 489.<br />
• On all high-end SRX Series devices, the logical systems feature does not support ALGs<br />
for user logical systems because ALGs are configured globally. If you enable ALGs at<br />
the root master logical system level, they are also enabled for user logical systems in<br />
this Junos OS <strong>Release</strong> 11.4. In this case, user logical system traffic is processed by the<br />
ALGs, and corresponding ALG flow sessions are initiated under the user logical system.<br />
You can only enable and disable ALGs at the root master logical system level.<br />
• On all high-end SRX Series devices, quality-of-service (QoS) classification across<br />
interconnected logical systems does not work.<br />
• On all high-end SRX Series devices, the number of logical system security profiles you<br />
can create is constrained by an internal limit on security profile IDs. The security profile<br />
ID range is from 1 through 32 with ID 0 reserved for the internally configured default<br />
security profile. When the maximum number of security profiles is reached, if you want<br />
to add a new security profile, you must first delete one or more existing security profiles,<br />
commit the configuration, and then create the new security profile and commit it. You<br />
cannot add a new security profile and remove an existing one within a single<br />
configuration commit.<br />
If you want to add more than one new security profile, the same rule is true. You must<br />
first delete the equivalent number of existing security profiles, commit the configuration,<br />
and then create the new security profiles and commit them.<br />
• User and administrator configuration for logical systems—Configuration for users<br />
for all logical systems and all user logical systems administrators must be done at the<br />
root level by the master administrator. A user logical system administrator cannot<br />
create other user logical system administrators or user accounts for their logical<br />
systems.<br />
• Name-space separation—The same name cannot be used in two logical systems. For<br />
example, if logical-system1 includes the username “Bob” then other logical systems<br />
on the device cannot include the username “Bob”.<br />
452<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• Commit rollback—Commit rollback is supported at the root level only.<br />
• Trace and debug—Trace and debug are supported at the root level only.<br />
• Class of service—You cannot configure class of service on logical tunnel (lt-0/0/0)<br />
interfaces.<br />
• ALGs—The master administrator can configure ALGs at the root level. The configuration<br />
is inherited by all user logical systems. It cannot be configured discretely for user logical<br />
systems.<br />
Network Address Translation (NAT)<br />
• Maximum capacities for source pools and IP addresses have been extended on all<br />
high-end SRX Series devices, as follows:<br />
Pool/PAT Maximum<br />
Address Capacity<br />
SRX1400<br />
SRX3400<br />
SRX3600<br />
SRX5600<br />
SRX5800<br />
Source NAT pools<br />
8192<br />
8192<br />
12288<br />
IP addresses supporting<br />
port translation<br />
8192<br />
8192<br />
12288<br />
PAT port number<br />
256M<br />
256M<br />
384M<br />
Increasing the capacity of source NAT pools consumes memory needed for port<br />
allocation. When source NAT pool and IP address limits are reached, port ranges should<br />
be reassigned. That is, the number of ports for each IP address should be decreased<br />
when the number of IP addresses and source NAT pools is increased. This ensures NAT<br />
does not consume too much memory. Use the port-range statement in configuration<br />
mode in the CLI to assign a new port range or the pool-default-port-range statement<br />
to override the specified default.<br />
Configuring port overloading should also be done carefully when source NAT pools<br />
are increased.<br />
For source pool with port address translation (PAT) in range (64,510 through 65,533),<br />
two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323,<br />
and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports<br />
(64,512 through 65,535) for Application Layer Gateway (ALG) module use. On SRX5600<br />
and SRX5800 devices, if all of the 4096 source pool is configured, a port allocation<br />
of 8,388,608 is reserved for twin port use.<br />
• NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge<br />
of the carrier network, the device-wide NAT rule capacity has been changed.<br />
The number of destination and static NAT rules has been incremented as shown in<br />
Table 26 on page 454. The limitation on the number of destination-rule-set and<br />
static-rule-set has been increased.<br />
Table 26 on page 454 provides the requirements per device to increase the configuration<br />
limitation as well as to scale the capacity for each device.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
453
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Table 26: Number of Rules on SRX3400, SRX3600, SRX5600, and<br />
SRX5800 Devices<br />
NAT Rule Type<br />
SRX3400<br />
SRX3600<br />
SRX5600<br />
SRX5800<br />
Source NAT rule<br />
8192<br />
8192<br />
Destination NAT rule<br />
8192<br />
8192<br />
Static NAT rule<br />
20480<br />
20480<br />
The restriction on the number of rules per rule set has been increased so that there is<br />
only a device-wide limitation on how many rules a device can support. This restriction<br />
is provided to help you better plan and configure the NAT rules for the device.<br />
• IKE negotiations involving NAT-T—On SRX1400, SRX3400, SRX3600, SRX5600,<br />
and SRX5800 devices, IKE negotiations involving NAT-Traversal (NAT-T) traversal<br />
do not work if the IKE peer is behind a NAT device that will change the source IP address<br />
of the IKE packets during the negotiation. For example, if the NAT device is configured<br />
with DIP, it changes the source IP because the IKE protocol switches the UDP port from<br />
500 to 4500.<br />
454<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Security<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the limitation on the number<br />
of addresses in an address-set has been increased. The number of addresses in an<br />
address-set now depends on the device and is equal to the number of addresses<br />
supported by the policy.<br />
Table 27: Number of Addresses in an address-set on SRX3400, SRX3600,<br />
SRX5600, and SRX5800 Devices<br />
Device<br />
address-set<br />
Default<br />
1024<br />
SRX3400<br />
1024<br />
SRX3600<br />
1024<br />
SRX5600<br />
1024<br />
SRX5800<br />
1024<br />
Simple Network Management Protocol (SNMP)<br />
• On all high-end SRX Series devices, the show snmp mib CLI command will not display<br />
the output for security related MIBs. We recommend that you use an SNMP client and<br />
prefix logical-system-name@ to the community name. For example, if the community<br />
is public, use default@public for default root logical system.<br />
Unsupported CLI<br />
• On all high-end SRX Series devices, the mvrp CLI option under set protocols CLI<br />
command is not supported but it is visible. However, if you enter these commands in<br />
the CLI editor, they will appear to succeed and will not display an error message.<br />
• On all high-end SRX Series devices, the command restart ipsec-key-management is<br />
not supported.<br />
• On all high-end SRX Series devices, the following multicast IPv6 and MVPN CLI<br />
commands are not supported. However, if you enter these commands in the CLI editor,<br />
they will appear to succeed and will not display an error message.<br />
• show multicast scope inet6<br />
• show msdp sa group group<br />
• show pim mvpn<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
455
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Virtual Private <strong>Networks</strong> (VPNs)<br />
IPv6 IPsec implementation has the following limitations:<br />
• IPv6 routers do not perform fragmentation. IPv6 hosts should either perform path<br />
maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6<br />
minimum MTU size of 1280 bytes.<br />
• Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are<br />
32-bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small<br />
performance degradation is observed.<br />
• IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel<br />
scalability numbers might drop.<br />
• The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel<br />
throughput performance.<br />
• The IPv6 IPsec VPN does not support the following functions:<br />
• 4in6 and 6in4 policy-based site-to-site VPN, IKE<br />
• 4in6 and 6in4 route-based site-to-site VPN, IKE<br />
• 4in6 and 6in4 policy-based site-to-site VPN, Manual Key<br />
• 4in6 and 6in4 route-based site-to-site VPN, Manual Key<br />
• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE<br />
• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key<br />
• Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth<br />
• IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)<br />
• IKE peer type—Dynamic IP<br />
• Chassis cluster for basic VPN features<br />
• IKE authentication—PKI/RSA<br />
• NAT—Traversal<br />
• VPN monitoring<br />
• Hub-and-spoke VPNs<br />
• Next Hop Tunnel Binding Table (NHTB)<br />
• Dead Peer Detection (DPD)<br />
• Simple Network Management Protocol (SNMP) for IPsec VPN MIBs<br />
• Chassis cluster for advanced VPN features<br />
• IPv6 link-local address<br />
• SRX Series high-end devices (for example, SRX3000 and SRX5000 lines)<br />
dependency<br />
• On all high-end SRX Series devices, DH-group 14 is not supported for dynamic VPN.<br />
456<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• ST0 interface configuration change may result in permanent traffic loss. As a<br />
workaround:<br />
• Deactivate or delete security IPSec configuration before changing st0 interface<br />
configuration.<br />
• Adding new apply group causes VPN from existing apply group to go down.<br />
• The following list describes the limitations for inserting an SPC on a device in chassis<br />
cluster mode:<br />
• While inserting an SPC, the node must be powered off.<br />
• The chassis cluster must be in active/passive mode before and during the SPC insert<br />
procedure, that is, all redundancy groups are primary on one node.<br />
• A different number of SPCs cannot be inserted into two different nodes.<br />
• A new SPC must be inserted in a slot that is higher than the central point slot.<br />
NOTE: The existing Combo central point cannot be changed to Full<br />
central point after the new SPC is inserted. For SRX5000 and SRX3000<br />
devices with a Capacity Licence, two SPC cards per node must be already<br />
present before this feature can be used. For SRX3000 without Capacity<br />
Licence, this limitation does not apply, because the CP will always remain<br />
in combo-mode.<br />
• During an SPC insert procedure, the IKE and IPsec configurations cannot be modified.<br />
• Users cannot specify the SPU and the IKE instance to anchor a tunnel.<br />
• After a new SPC is inserted, the existing tunnels cannot use the processing power<br />
of the new SPC and redistribute it to the new SPC.<br />
• Dynamic tunnels cannot load-balance across different SPCs.<br />
• The manual VPN name and the site-to-site gateway name cannot be the same.<br />
• In an chassis cluster scaling environment, the heartbeat-threshold must always be<br />
set to 8.<br />
• Manual (static) NHTB with DEP is not supported.<br />
• The local-IP feature is not supported on the following:<br />
• On all high-end SRX Series devices.<br />
• On all high-end SRX Series devices in chassis cluster configuration.<br />
• On all high-end SRX Series devices, the IPsec NAT-T tunnel scaling and sustaining<br />
issues are as follows:<br />
• For a given private IP address, the NAT device should translate both 500 and 4500<br />
private ports to the same public IP address.<br />
• The total number of tunnels from a given public translated IP cannot exceed 1000<br />
tunnels.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
457
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways on<br />
page 417<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 459<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series Services<br />
Gateways on page 458<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 482<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 436<br />
Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series Services Gateways<br />
The following problems currently exist in <strong>Juniper</strong> <strong>Networks</strong> high-end SRX Series Services<br />
Gateways. The identifier following the descriptions is the tracking number in the <strong>Juniper</strong><br />
<strong>Networks</strong> Problem Report (PR) tracking system.<br />
NOTE: For the latest, most complete information about outstanding and<br />
resolved issues with the Junos OS software, see the <strong>Juniper</strong> <strong>Networks</strong> online<br />
software defect search application at http://www.juniper.net/prsearch.<br />
Chassis Cluster<br />
• On devices in a chassis cluster, IP monitoring is not supported on the redundant Ethernet<br />
(reth) interface when link aggregation group (LAG) redundant Ethernet is configured.<br />
[PR609266]<br />
• On devices in a chassis cluster, the secondary node might crash when there is multicast<br />
traffic flow in active/active mode. [PR745428]<br />
Command-Line Interface (CLI)<br />
• When you upgrade a device to Junos OS <strong>Release</strong> 11.4, NSM shows an error that a space<br />
in the full-name parameter of the set system login user test-name full-name test name<br />
command statement is not accepted. [PR806750]<br />
Flow and Processing<br />
• When a hardware timestamp is enabled, RPM probes go over the network control<br />
queue instead of the configured forwarding class. [PR487948]<br />
• Diagnostic test fails for the following functions:<br />
• mp_i2c_security_chip<br />
• fpga_configure_mode_bpi<br />
• fpga_configure_mode_spi<br />
458<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
[PR601296]<br />
• Data packets with errors that are dropped by the configured IDP policy will not increment<br />
the drop by error counter value. [PR769504]<br />
IPv6<br />
• After you reboot the device, the interface counters on the secondary node are not<br />
accurate. [PR790807]<br />
J-Web<br />
• In J-Web, the chassis view cannot be dragged under the Dashboard tab. [PR842034]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways on<br />
page 417<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 443<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 482<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
The following are the issues that have been resolved in Junos OS <strong>Release</strong> 11.4 for <strong>Juniper</strong><br />
<strong>Networks</strong> high-end SRX Series Services Gateways. The identifier following the descriptions<br />
is the tracking number in the <strong>Juniper</strong> <strong>Networks</strong> Problem Report (PR) tracking system.<br />
NOTE: For the latest, most complete information about outstanding and<br />
resolved issues with the Junos OS software, see the <strong>Juniper</strong> <strong>Networks</strong> online<br />
software defect search application at http://www.juniper.net/prsearch.<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series Services<br />
Gateways on page 460<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4R6 for High-End SRX Series Services<br />
Gateways on page 461<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4R5 for High-End SRX Series Services<br />
Gateways on page 464<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4R4 for High-End SRX Series Services<br />
Gateways on page 466<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4R3 for High-End SRX Series Services<br />
Gateways on page 468<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4R2 for High-End SRX Series Services<br />
Gateways on page 472<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4R1 for High-End SRX Series Services<br />
Gateways on page 479<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
459
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series Services<br />
Gateways<br />
Chassis Cluster<br />
• On devices in a chassis cluster, the child link of the link aggregation group (LAG)<br />
redundant Ethernet (reth) interface flapped frequently which caused memory corruption<br />
on the next hop pointer and caused the Routing Engine to generate a vmcore file.<br />
[PR821833: This issue has been resolved.]<br />
• On devices in a chassis cluster, the timeout value within which the request system<br />
snapshot media internal slice alternate command was expected to complete was<br />
increased from 10 minutes to 15 minutes. [PR822975: This issue has been resolved.]<br />
Flow and Processing<br />
• On all high-end SRX Series devices, the XLR ingress paused condition caused traffic<br />
drop and latency to process traffic. [PR829714: This issue has been resolved.]<br />
Interfaces and Routing<br />
• In Junos OS <strong>Release</strong> 11.4, the Physical Interface Module (PIM) auto-rendezvous point<br />
feature did not work. [PR789943: This issue has been resolved.]<br />
• When the data size was smaller than 128 bytes, the certificate revocation list (CRL)<br />
failed to install using the Lightweight Directory Access Protocol (LDAP) server.<br />
[PR847868: This issue has been resolved.]<br />
Intrusion Detection Prevention (IDP)<br />
• In a high connections per second (CPS) traffic scenario, when some specific applications<br />
that required serialized packets were processed in IDP, attack leakage occurred.<br />
[PR823468].<br />
• A new filter was added in dynamic attack groups in the CLI. The two flags under filters<br />
are recommended (which means true) and not-recommended (which means false).<br />
Only the recommended=true flag was supported. [PR828494: This issue has been<br />
resolved.]<br />
J-Web<br />
• The dashboard refresh rate changed. Refresh rates of 15, 30, and 60 seconds were<br />
removed. The minimum refresh rate available was 2 minutes. [PR826053: This issue<br />
has been resolved.]<br />
• In J-Web, the session expired when the idle-timeout value was set too low. [PR830644:<br />
This issue has been resolved.]<br />
460<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Security Policies<br />
• When you configured a wildcard address and used it in more than seven security policies,<br />
the Services Processing Unit (SPU) crashed. [PR847632: This issue has been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R6 for High-End SRX Series Services<br />
Gateways<br />
Application Layer Gateway (ALG)<br />
• On all SRX Series devices, the SQL ALG did not work properly when TNS RESEND (type<br />
11) was 8 bytes long. [PR806893: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the MSRPC ALG dropped some large packets<br />
under the Kerberos authentication environment because the Kerberos ticket token size<br />
was too large and the MSRPC bind packet was too large for the ALG to handle.<br />
[PR817453: This issue has been resolved]<br />
Chassis Cluster<br />
• On all high-end SRX Series devices in a chassis cluster, long pauses and timeout were<br />
seen during SNMP walk/query of the device. A delay occurred in the kernel’s query of<br />
the gr-0/0/0 (GRE) interface. [PR800735: This issue has been resolved.]<br />
• On SRX5600 and SRX5800 devices in a chassis cluster, when the cluster was up and<br />
if an SPC with control link was pulled out (either one in dual control link), the node on<br />
which the SPC was pulled out would cause all the cards to go offline. The other node<br />
would become the primary node for both RG0 and RG1+ , and traffic loss was expected<br />
for 18 to 20 seconds. [PR819124: This issue has been resolved.]<br />
Dynamic Host Configuration Protocol (DHCP)<br />
• On SRX3600 devices, dhcp-option82 did not work. [PR794522: This issue has been<br />
resolved.]<br />
Dynamic Virtual Private Network (VPN)<br />
• On all high-end SRX Series devices, when multiple clients were connected to SRX<br />
Series devices through dynamic VPN, some configurations related to IKE negotiation<br />
changed. [PR737787: This issue has been resolved.]<br />
Flow and Processing<br />
• On all high-end SRX Series devices, an SPU message “Nexthop XXXX on ifl XXX.<br />
Ignoring…” was logged in some occasions. This message did not indicate the real issue<br />
and could be ignored. [PR726580: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the HTTPD task went high approximately once a<br />
month. [PR768952: This issue has been resolved.]<br />
• On SRX1400 devices, the number of GSN entries was expanded from 6,000 entries<br />
to 18,000 entries on each SPU. [PR787028: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
461
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On all high-end SRX Series devices, when the ingress and egress interfaces were located<br />
(or active, in case of reth interfaces) on different nodes of a chassis cluster, filter-based<br />
forwarding (FBF) did not work correctly. [PR793057: This issue has been resolved.]<br />
• On SRX3600 devices, if a large number of tunnel routes were added, memory utilization<br />
could become very high. [PR797845: This issue has been resolved.]<br />
• On SRX5800 devices, in certain configurations, the following message was printed in<br />
the logs: "PFEMAN: Sent Resync request to Master." This message was not an indication<br />
of a problem, and did not require any action from the user. This message has been<br />
removed. [PR802355: This issue has been resolved.]<br />
• On SRX5800 devices, the following IKE traceoption messages might be printed while<br />
debugging VPN tunnels:<br />
Aug 2 09:27:03 srx-5800-1 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kmd[213]: IKE Phase-1<br />
Failure: (null) spi=75ffd1a8, src_ip=, dst_ip=A.A.A.A<br />
Aug 2 09:27:06 srx-5800-1 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kmd[214]: IKE Phase-1<br />
Failure: (null) spi=75ffd1a8, src_ip=, dst_ip=B.B>B>B><br />
NOTE: The same SPI value was printed for two different peer IP addresses<br />
and a memory address of SPI was printed instead of the SPI address itself.<br />
Also, an invalid cookie reason was not printed because of this message;<br />
instead, the text "null" was printed as shown in the preceding message.<br />
[PR803294: This issue has been resolved.]<br />
• On all high-end SRX Series devices, generation of a flowd core file was triggered by<br />
cache errors. [PR805975: This issue has been resolved.]<br />
• On all high-end SRX Series devices, Routing Engine failover occurred due to possible<br />
out-of-sync information about already allocated SNMP interface index values and<br />
duplicate SNMP interface index values might be allocated. As a result, the mib2d<br />
process might crash or the SNMP interface index value of zero might be allocated for<br />
newly created interfaces. [PR806098: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the performance monitor message format changed,<br />
beginning with Junos OS <strong>Release</strong> 11.1. In earlier releases, the message format caused<br />
rtlogd to generate a core file and rtlogd restarted automatically after 1 or 2 seconds.<br />
[PR819700: This issue has been resolved]<br />
• On SRX3600 devices, if any changes were committed under logical systems<br />
configuration, the security policy might fail to resolve DNS objects that were in the<br />
security address book. As a result, your traffic might hit other unexpected security<br />
policies, or if the traffic does not match any configured security policy, by default the<br />
traffic would be denied causing a traffic outage. [PR810723: This issue has been<br />
resolved.]<br />
• On SRX3400 devices, SCTP ALG dropped SCTP abort packets on half-open SCTP<br />
associations. [PR822829: This issue has been resolved.]<br />
462<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• On all high-end SRX Series devices, STARTTLS and X-ANONYMOUSTLS cases were<br />
not supported by the SMTP parser. [PR824027: This issue has been resolved.]<br />
• On all high-end SRX Series devices, a new filter was added in the dynamic attack<br />
groups, but recommended=flag was not supported. [PR828494: This issue has been<br />
resolved.]<br />
Interfaces and Routing<br />
• On all high-end SRX Series devices, the interface did not respond due to heavy traffic<br />
on the FIOC interface. [PR776179: This issue has been resolved.]<br />
• On all high-end SRX Series devices, when the ge interface was down, it did not show<br />
linkup until the configuration had been removed and readded. [PR813616: This issue<br />
has been resolved]<br />
• On all high-end SRX Series devices, after you upgraded to Junos OS <strong>Release</strong> to 11.4R5,<br />
if OSPF was enabled for any of the st0 interfaces, an internal processing error prevented<br />
the default route from being advertised. [PR822352: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
463
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Intrusion Detection and Prevention<br />
• On all high-end SRX Series devices, when IDP was enabled application traffic was<br />
blocked due to a memory leak issue with IDP. [PR808202: This issue has been resolved.]<br />
Logical Systems<br />
• On SRX3600 devices, logical systems with the policy count option displayed the<br />
statistics after a show command, or the counter stopped incrementing if both redundant<br />
groups were not on the same node as a result of failover. [PR782546: This issue has<br />
been resolved.]<br />
Management and RMON<br />
• On all high-end SRX Series devices, after a Routing Engine switchover, LACP and MIB<br />
process core files might be generated. [PR790966: This issue has been resolved.]<br />
Qulaity of Service (QoS)<br />
• On SRX3600 devices, when Application QoS was configured and if traffic did not<br />
match the configured appqos rules, a flowd core was generated.. [PR805562: This<br />
issue has been resolved.]<br />
Virtual Private Network (VPN)<br />
• On all high-end SRX Series devices, gkmd core files were generated on the Group VPN<br />
member if hmac-sha-256-128 was used at the group VPN server for the IPsec<br />
authentication algorithm. [PR800735: This issue has been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R5 for High-End SRX Series Services<br />
Gateways<br />
Application Layer Gateway (ALG)<br />
• On SRX3600 devices, SIP ALG dropped SIP ACK messages if the messages used the<br />
folding format. [PR787879: This issue has been resolved.]<br />
Flow and Processing<br />
• On SRX5600 devices, when you swapped the members of a link aggregation group<br />
(LAG), a vmcore or ksyncd core file might be created on the backup Routing Engine.<br />
[PR711679: This issue has been resolved.]<br />
• On SRX3600 devices, high CPU utilization due to the mgd process could result if run<br />
show config was specified during configuration mode. Also, the HTTPD process went<br />
high. [PR729617: This issue has been resolved.]<br />
• On SRX Series devices, commands after STARTTLS were encrypted, and could not<br />
be understood by the SMTP parser, causing the session to hang until the TCP session<br />
was closed, and no packets were forwarded. [PR750047: This issue has been resolved.]<br />
• On SRX3600 devices, the graceful restart mechanism was not aborted even if the link<br />
to the upstream neighbor was detected as down. This lead to higher routing protocol<br />
464<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
convergence times because the device would not fail over to an alternate path until<br />
the graceful restart timer expired. [PR751640: This issue has been resolved.]<br />
• On SRX3400 devices, the message log is too granular, indicating blower speed changes<br />
frequently from normal to intermediate speed which is filling up logs and causing<br />
inability to troubleshoot using logs. [PR776254: This issue has been resolved.]<br />
• On SRX5800 devices, when multiple interfaces are bound to the same security zone,<br />
if the first fragmented packet and the second fragmented packet arrive in different<br />
interfaces, the second fragmented packet is dropped. [PR777343: This issue has been<br />
resolved.]<br />
• On SRX3400, SRX3600, SRX5600 and SRX5800 devices, detector does not get<br />
updated in control plane when update-attack-database-only flag is used during<br />
security-package install. [PR778816: This issue has been resolved.]<br />
• On SRX5800 devices, eventd core is triggered by an illegal pointer address. [PR784037:<br />
This issue has been resolved.]<br />
• On SRX3400 devices, set chassis fpc pic services-offload command doe not work. Due<br />
to this SRX cannot be used in LLFW mode. [PR787526: This issue has been resolved.]<br />
• On SRX3400 devices, if security policies are configured with a large number of<br />
applications using the same source/destination port, then policy configuration updates<br />
may not work as expected. [PR793151: This issue has been resolved.]<br />
• On SRX3600 devices, with a large number of tunnel routes added, memory utilization<br />
can become very high. [PR797845: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
465
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
In-Service Software Upgrade (ISSU)<br />
• On all high-end SRX Series devices, an RG-0 failover after ISSU completes (both nodes<br />
have been upgraded and have joined the cluster with priorities restored) caused the<br />
new RG-0 secondary node to restart all FPCs. This lead to an RG-1+ failover. [PR770710:<br />
This issue has been resolved.]<br />
Interfaces and Routing<br />
• On SRX Series devices, when the syn-cookie feature is enabled along with syn-flood<br />
screen with a low timeout value, high latency TCP sessions may fail to establish<br />
successfully. The clients sessions receive unresponsive connections because the SRX<br />
device has timed out the flow for this session. The device will also drop subsequent<br />
packets from the client due to no state found. The workaround is to increase the timeout<br />
value to at least 6 seconds or more. [PR692484: This issue has been resolved.]<br />
Intrusion Detection and Prevention (IDP)<br />
• On all high-end SRX Series devices, when two or more IDP policies are configured in<br />
the root LSYS and one policy is active in the root LSYS and a different policy is active<br />
in the custom LSYS, the referenced LSYS policy may not get compiled properly after<br />
a signature update. [PR749126: This issue has been resolved.]<br />
J-Web<br />
• On all high-end SRX Series devices with more than one SPCs installed J-Web can only<br />
view the flow sessions from one SPC. Flow sessions on other SPCs can not be displayed.<br />
[PR777520: This issue has been resolved.]<br />
• On all high-end SRX Series devices, when you login to J-web it displays 'JWEB is not<br />
supported on this platforms' message. [PR781659: This issue has been resolved.]<br />
Virtual Private Network (VPN)<br />
• On SRX5800 devices, when using IKE-ESP-NAT ALG for pass through for Cisco EZ-VPN<br />
client, the IKE handshake might not be successful because IKE packet coming from<br />
VPN server gets dropped. [PR791549: This issue has been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R4 for High-End SRX Series Services<br />
Gateways<br />
Application Layer Gateway (ALG)<br />
• On SRX5800 devices, fragmented packets with the DF bit set (do not fragment) were<br />
dropped by the device when processed by the DNS ALG. [PR754504: This issue has<br />
been resolved.]<br />
Chassis Cluster<br />
• On all high-end SRX Series devices, when devices operate in chassis cluster, a maximum<br />
8 queues per interface configuration is not getting reflected on interface part of the<br />
cluster setup. [PR389451: This issue has been resolved.]<br />
466<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• On all high-end SRX Series devices, when the secondary node reboots or shutdown,<br />
there could be a transient traffic drop on the primary node. The amount of drop depends<br />
on the number of active sessions. The drop is caused by route change and RTO cold<br />
synchronization during secondary reboot. After route change and RTO cold<br />
synchronization is complete, the traffic would be normal, the drop time window may<br />
be a few seconds. [PR734966: This issue has been resolved.]<br />
• On SRX3600 devices, when configuration is saved on a remote file server, absolute or<br />
relative path needs to be used where the file have to be stored. If the path is not used<br />
in a cluster, it fails to save. It works fine on standalone devices. [PR752363: This issue<br />
has been resolved.]<br />
Flow and Processing<br />
• On SRX3400 devices, flow sessions on backup node could not be cleared previously.<br />
[PR729967: This issue has been resolved.]<br />
• On SRX1400 devices, show security pki *-certificate command was showing time<br />
without time-zone. [PR746785: This issue has been resolved.]<br />
• On all high-end SRX Series devices, updating application-identification signatures<br />
might trigger a kernel heap memory corruption and generate flowd core dump while<br />
processing application traffic. [PR769832: This issue has been resolved.]<br />
• On all high-end SRX Series devices, for IKEv2, when SRX tries to do a dpd exchange<br />
when an existing exchange is in progress, a core may be seen. Please note that this is<br />
applicable to only IKEv2. [PR771234 : This issue has been resolved.]<br />
In-Service Software Upgrade (ISSU)<br />
• On SRX5600 devices, ISSU from 11.4R3.6 to 12.1R1.9 will not proceed on the 1k/3k and<br />
5k clusters. The upgrade will not occur due to the following error: 'ISSU not supported<br />
due to rt request TLV for target table address family'. [PR770478: This issue has been<br />
resolved.]<br />
• On all high-end SRX Series devices, an RG-0 failover after ISSU completes (both nodes<br />
have been upgraded and have joined the cluster with priorities restored) caused the<br />
new RG-0 secondary node to restart all FPCs. This lead to an RG-1+ failover. [PR770710:<br />
This issue has been resolved.]<br />
Interfaces and Routing<br />
• On all high-end SRX Series devices, track IP (ipmon) feature was not working for VLAN<br />
tagged reth interface. [PR575754: This issue has been resolved.]<br />
J-Web<br />
• On SRX3400 devices, if multiple J-Web clients are connected to a single device, it<br />
caused high CPU usage on the routing engine. [PR741432 : This issue has been resolved.]<br />
• On SRX3400 devices, the J-Web interface is vulnerable to HTML cross-site-scripting<br />
attacks, also called XST, or Cross-Site-Tracing. [PR752398: This issue has been<br />
resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
467
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On all high-end SRX Series devices, when you login to J-web it displays 'JWEB is not<br />
supported on this platforms' message. [PR781659: This issue has been resolved.]<br />
Network Address Translation (NAT)<br />
• On SRX5600 and SRX5800 devices, using the same source NAT pool by both NAT<br />
and NAT-PT traffic causes core dump. [PR736374: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the commit of static nat rules may fail when commit<br />
LSYS interfaces, security zone, and NAT are committed at the same time. Issue also<br />
occurs during the commit of static nat rules if you commit security zone and NAT at<br />
the same time. [PR756240: This issue has been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R3 for High-End SRX Series Services<br />
Gateways<br />
Application Layer Gateway (ALG)<br />
• On SRX3400 devices, for the application tracking services, the application statistics<br />
were not incremental when there was an already existing application cache entry for<br />
that specific application. [PR743449: This issue has been resolved.]<br />
Chassis Cluster<br />
• On all high-end SRX Series devices, in chassis cluster mode, when LACP is configured<br />
on a remote switch which is connected to a reth interface, and the control link between<br />
nodes is lost, it causes both nodes to become primary. [PR733335: This issue has been<br />
resolved.]<br />
• On all high-end SRX Series devices, when the secondary node reboots or shutdown,<br />
there could be a transient traffic drop on the primary node. The amount of drop depends<br />
on the number of active sessions. The drop is caused by route change and RTO cold<br />
synchronization during secondary reboot. After route change and RTO cold<br />
synchronization is complete, the traffic would be normal, the drop time window may<br />
be a few seconds. [PR734966: This issue has been resolved.]<br />
Dynamic Host Configuration Protocol (DHCP)<br />
• On SRX3400 devices, if BOOTP/DHCP relay is configured with the receiving or<br />
forwarding interfaces in an LSYS, the DHCP request packets are not forwarded to the<br />
DHCP server. [PR731723: This issue has been resolved.]<br />
Flow and Processing<br />
• On SRX5600 devices, some CP binding entries cannot age out in chassis cluster z<br />
mode after stress test. [PR611827: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the additional neighbor solicitation packets that<br />
are sent are corrupted in the form of zeroed destination MAC address and the entire<br />
packet is prefixed by two random bytes. [PR671658: This issue has been resolved.]<br />
• On all high-end SRX Series devices, when a large number of inbound HTTP connections<br />
are established over an extended period of time, the HTTP process (httpd) might get<br />
trapped in a spinlock, resulting in high CPU utilization. The CPU load continues even<br />
468<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
after a stream of connection attempts is terminated. To reduce the CPU load, you<br />
must stop the process from the shell. [PR693434: This issue has been resolved.]<br />
• On SRX5600 devices, the Key Management Daemon (KMD) may restart when you<br />
change the configuration from Dynamic End Point (DEP) to shared IKE. [PR702222:<br />
This issue has been resolved.]<br />
• On SRX1400 devices in a chassis cluster, the primary control link heartbeats are not<br />
seen and are causing inconsistent system behavior. This happens when a 16-Port SFP<br />
Gigabit Ethernet I/O card or a 16-Port Copper Ethernet/Fast Ethernet/Gigabit Ethernet<br />
I/O card is installed on the device. [PR718054: This issue has been resolved.]<br />
• On all high-end SRX Series devices, when you run NTP-related show commands, such<br />
as show ntp status, incorrect output might be displayed. [PR722528: This issue has<br />
been resolved.]<br />
• On all high-end SRX Series devices, on rare occasions, the CP session counter got an<br />
incorrect value, which triggered the CP/Flow session table full alarm. This was because,<br />
the flow table was not full and the alarm was incorrectly set due to the wrong session<br />
counter value. [PR725099: This issue has been resolved.]<br />
• On SRX5600 devices, NSD core file may be generated. [PR725908: This issue has been<br />
resolved.]<br />
• On SRX5600 devices, after commit involving re-ordering of security policies, it may be<br />
observed that a core dump is created in FWDD. [PR726791: This issue has been<br />
resolved.]<br />
• On SRX3600 devices, where large volume of firewall-authentication requests and<br />
changes of security policy happen at exactly same time, device may crash due to race<br />
condition. [PR726940: This issue has been resolved.]<br />
• On SRX3400 devices, when RTSP ALG is enabled, RTSP traffic might cause the flowd<br />
process to crash and generate core dump. [PR729296: This issue has been resolved.]<br />
• On SRX3400 devices, flow sessions on backup node could not be cleared previously.<br />
[PR729967: This issue has been resolved.]<br />
• On all high-end SRX Series devices, in certain circumstances when anti-spoofing screen<br />
is enabled, neighbor discovery messages may be dropped after a neighbor becomes<br />
unreachable and then reachable again. [PR734423: This issue has been resolved.]<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, sometimes, traffic sent<br />
by authenticated users (authenticated by web authentication) will not pass through<br />
the firewall. This is because, authentication entry created in CP was not getting passed<br />
along to SPU. [PR734869: This issue has been resolved.]<br />
• On all high-end SRX Series devices, flowd core occurred after upgrading to 11.2R5 as<br />
the mbuf was not cleaned up. [PR734885: This issue has been resolved.]<br />
• On SRX3600 devices, abnormal SQL traffic might cause the flowd process to crash<br />
when SQL ALG is enabled. [PR737468: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the application-groups statistics were displayed<br />
as unassigned and unknown for the show services application-identification statistics<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
469
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
application-groups command outputs without displaying the details. [PR740014: This<br />
issue has been resolved.]<br />
• On all high-end SRX Series devices, after 24 hours of slt4 stress run, with a huge number<br />
of sessions generated, IDP sessions were not increasing along with the flow sessions.<br />
[PR742882: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the TCP initial timeout minimal limitation in CLI<br />
set security flow tcp-session tcp-initial-timeout is changed from 20 seconds to 4 seconds.<br />
The new range is 4-300 seconds. Setting this timeout to a small value may increase<br />
the possibility of failing to create TCP sessions. [PR747769: This issue has been<br />
resolved.]<br />
• On all high-end SRX Series devices, with syn-flood and session limitation screen feature<br />
enabled, when there are 16k or more source/destination IP, the CPS data may drop<br />
50%. [PR773162: This issue has been resolved.]<br />
• On SRX5800 devices, with syn-flood and session limitation screen feature enabled,<br />
when there are 16k or more source or destination IP, the CPS data may drop 80%.<br />
[PR773164: This issue has been resolved.]<br />
Installation and Upgrade<br />
• On SRX3400 devices, if 11.4R2 is upgraded on a router which has a base image lower<br />
than 11.4R2 and a base image other than 10.4R10, then the validation fails and upgrade<br />
will be aborted. [PR698724: This issue has been resolved.]<br />
• On SRX3400 devices, inserting a defective SFP causes all SFPs to be unrecognized.<br />
[PR711461: This issue has been resolved.]<br />
• On SRX3600 devices, SFP-T port was not correctly detected when unplugged and<br />
reinserted [PR723844: This issue has been resolved.]<br />
• On SRX3600 and SRX5600 devices, the Network Security Daemon (NSD) core was<br />
resolved. [PR735152: This issue has been resolved.]<br />
Interfaces and Routing<br />
• On all high-end SRX Series devices, track IP (ipmon) feature does not work for VLAN<br />
tagged reth interface. [PR575754: This issue has been resolved.]]<br />
• On SRX5800 devices, when RPF-check is enabled on reth interfaces, the data packets<br />
might get dropped. [PR697812: This issue has been resolved.]<br />
• On SRX5600 and SRX5800 devices, regarding the K2-RE (64-bit Routing Engine)<br />
when speed or link mode is statically configured on the router for the fxp0 interface,<br />
the driver for fxp0 accepts the configuration from DCD process, but does not propagate<br />
the setting to the hardware driver. Instead, the driver setting is forced to auto-negotiate.<br />
Thus, as the fxp0 interface is auto-negotiating, and the far end device is forced to<br />
100/full, the auto-negotiation on fxp0 will detect the speed but not the duplex and<br />
defaults that duplex to half-duplex. [PR704740: This issue has been resolved.]<br />
470<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Internet Protocol Security (IPsec)<br />
• On SRX5800 devices, when the device is processing several thousands of transit IPsec<br />
sessions through ike-esp-nat ALG, after sometime, new sessions might fail. [PR671074:<br />
This issue has been resolved.]<br />
• On all high-end SRX Series devices, occasionally, policy-based IPsec VPN, that has<br />
been established successfully does not allow traffic to the protected resources.<br />
[PR718057: This issue has been resolved.]<br />
• On SRX5800 devices, in some IPsec VPN scenarios where RG1+ failover happens<br />
consecutively and in short periods of time (less than 5 minutes), there is a chance that<br />
ESP sequence number will not be synchronized on the other cluster node. As a<br />
consequence, after the fail over traffic is sent inside the IPsec tunnel but with a wrong<br />
ESP sequence number. This can cause traffic blocking on the remote VPN , if the remote<br />
peer has anti-replay functionality enabled. [PR753683: This issue has been resolved.]<br />
Intrusion Detection and Prevention (IDP)<br />
• On SRX3600 devices, IDP configured on Junos OS release 11.4R1, the output of the<br />
command show security idp policy-commit-status incorrectly displays “Active policy<br />
not configured” even when active policy is configured. [PR741736: This issue has been<br />
resolved.]<br />
IPv6<br />
• On all high-end SRX Series devices, the spoofing screen was dropping IPv6 packets<br />
sourced from unspecified addresses (0:0:0:0:0:0:0:0/128 or ::/128). [PR721913: This<br />
issue has been resolved.]<br />
• On SRX5800 devices, IPv6 packets are getting dropped when source or destination<br />
session limit screening is configured [screen ids-option XXX limit-session<br />
(source-ip-based | destination-ip-based)] and applied to the security zone. [PR728802:<br />
This issue has been resolved.]<br />
• On SRX5800 devices, the NP hash feature may not work with IPv6 for the cross virtual<br />
router (VR) traffic. [PR738812: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the flow bytes counters tracked on a per-interface<br />
basis are incorrect for IPv6 flows. The flow input bytes statistics are correct, but flow<br />
output bytes statistics are reversed to the source/destination interfaces. [PR740911:<br />
This issue has been resolved.]<br />
J-Web<br />
• On all high-end SRX Series devices, the Application Tracking monitor page does not<br />
display the warning no data to display, when there is no data to display in the table.<br />
[PR724985: This issue has been resolved.]<br />
• On SRX1400 devices, authentication through J-Web fails if the password contains any<br />
of the following special characters: ' " + \ . [PR725901: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
471
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On SRX1400 devices, on the Configure>Security>Policy Elements>Address<br />
Book>Address Sets page in the J-Web interface, the nested address-sets are not<br />
displayed and cannot be configured. [PR726227: This issue has been resolved.]<br />
• On all high-end SRX Series devices, on the Configure>Security>Logging page in the<br />
J-Web interface, the Apply button will remain disabled even after changing the<br />
configuration. [PR730861: This issue has been resolved.]<br />
• On SRX3600 devices, an error is displayed when modifying an address object in the<br />
address book from IP prefix to domain name and domain name to IP prefix. [PR732799:<br />
This issue has been resolved.]<br />
• On SRX1400 devices, when you access J-Web -> Dashboard -> Chassis view, the<br />
SYSIO slot is blacked out or grayed out. [PR738772: This issue has been resolved.]<br />
Logical Systems<br />
• On SRX3600 devices, all keyword was not available in few logical systems related<br />
CLIs. [PR598032: This issue has been resolved.]<br />
Network Address Translation (NAT)<br />
• On all high-end SRX Series devices, flowd core files are generated when persistent<br />
NAT binding entries are cleared. [PR697856: This issue has been resolved.]<br />
• On SRX5600 and SRX5800 devices, using the same source NAT pool by both NAT<br />
and NAT-PT traffic causes core dump. [PR736374: This issue has been resolved.]<br />
• On SRX3600 devices, the SCTP packets are dropped when NAT is configured on the<br />
device. Use the srx-cprod.sh -s spu -c sh usp jsf counter gprs-sctp command to verify<br />
the packet drops. [PR738759: This issue has been resolved.]<br />
• On SRX3600 devices, under certain circumstance, reverse static NAT might not work<br />
correctly. Fix ported in 10.4R10, 11.2R7, 11.4R3, 12.1R2 and onwards. [PR739142: This issue<br />
has been resolved.]<br />
System Logging<br />
• On SRX3400 devices, if the certificate key size is 2048 bytes and the total combined<br />
certificate request size is greater than 4096 bytes, then the PKID service might crash<br />
on certificate enrollment. [PR698846: This issue has been resolved.]<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R2 for High-End SRX Series Services<br />
Gateways<br />
Application Layer Gateway (ALG)<br />
• On SRX3400 devices, when the SCTP ALG receives an initial acknowledgment<br />
(INIT-ACK), we record the cookie_length in association. If the cookie length is not a<br />
multiple of four, the device pads it to a multiple of 4. For example, the length in the<br />
INIT-ACK is 183, but you save 184 in association. When the cookie echo comes, the<br />
device compares the cookie length in the packet with the recorded cookie length in<br />
association. However, it is a not padded value; that is, it is still 183 in the cookie length<br />
472<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
field of the cookie echo. Therefore, the comparison fails, and the log shows the cookie<br />
as invalid. [PR671238: This issue has been resolved.]<br />
• On SRX5600 devices in chassis cluster, if the ALG traffic is too high and twin ports are<br />
used up, some single ports on backup node might leak. [PR705799: This issue has been<br />
resolved.]<br />
Authentication<br />
• On all high-end SRX Series devices, firewall authentication supported a maximum of<br />
64 users or groups in policy “client-match”. [PR661587: This issue has been resolved.]<br />
Chassis Cluster<br />
• On SRX3400 devices in a chassis cluster, while monitoring the device through J-Web,<br />
the dashboard incorrectly displayed the session utilization value. The displayed value<br />
was above 100 percent and activated or maximum sessions were displayed as 3M or<br />
2.5M. The dashboard incorrectly displayed the combined values of both primary and<br />
secondary nodes. [PR666489: This issue has been resolved.]<br />
• On SRX1400 devices, a timing error is observed at the system I/O (sysio) interface,<br />
which connects to IOC in slot 2. You can enable chassis cluster on the sysio ports, but<br />
do not use the IOC card in slot 2 for Junos OS <strong>Release</strong> 11.4. [PR680832: This issue has<br />
been resolved.]<br />
• On SRX3400 devices, when chassis cluster failover route change is triggered and<br />
service-offload session will be reinstalled, if one service-offload session is multicast<br />
session in the master node, then that session will be synched and installed as normal<br />
session in backup node because the services-offload flag not being correctly sync to<br />
backup. [PR696819: This issue has been resolved.]<br />
• On SRX5800 devices in a chassis cluster, if ALG traffic was too high and both the ports<br />
were used, some single ports on backup caused traffic outflow. [PR705799: This issue<br />
has been resolved.]<br />
Dynamic Host Configuration Protocol (DHCP)<br />
• On SRX3600 devices, the DHCP relay server was required to have DNS configuration<br />
for DHCP clients. The DHCP daemon read the DNS configuration and the daemon was<br />
stopped when there was an invalid dns-server value (for example, 0.0.0.0). [PR706615:<br />
This issue has been resolved.]<br />
J-Web<br />
• On all high-end SRX Series devices, on the Configure>Security>Policy>Define AppFW<br />
Policy> Add Rule Set page in the J-Web interface , the Default Rule was getting<br />
displayed, leading to incorrect configurations. [PR593551: This issue has been resolved.]<br />
• On SRX3600 devices, policy validating pop-up window cannot be cleared after you<br />
drag on it. [PR675554: This issue has been resolved.]<br />
• On all high-end SRX Series devices, using CLI you can configure only an AppQoS rule<br />
set without configuring any other diff-services. However, in J-Web, you should configure<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
473
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
at least one diff-service for a new AppQoS rule set configuration. [PR686462: This<br />
issue has been resolved.]<br />
Flow and processing<br />
• On SRX3600 devices, preempt can occur to the designated primary node with priority<br />
0 on RG1+ if the designated secondary node is currently working as the primary node.<br />
[PR612753: This issue has been resolved.]<br />
• On all high-end SRX Series devices, changes in policer, filter, or sampling configuration<br />
results in generation of core files when receiving the multicast traffic. [PR613782: This<br />
issue has been resolved.]<br />
• On SRX5800 devices, memory usage on SPU by the KMD process might raise<br />
unexpectedly, causing VPN tunnel setup problems.<br />
Once the process reaches the memory usage limit, the following message will be<br />
logged:<br />
Jun 20 09:19:46 HOSTNAME (FPC Slot N, PIC Slot M) kernel: Process (176,kmd)<br />
attempted to exceed RLIMIT_DATA: attempted 262164 KB Max 262144 KB<br />
[PR664301: This issue has been resolved.]<br />
• On SRX3400 devices, failover with the RG0 and RG1 is resulting in vmcore file.<br />
[PR675860: This issue has been resolved.]<br />
• On SRX5600 devices, when GPRS tunneling protocol (GTP) is enabled and when there<br />
are GTP-wide conflicts hashed in the same buckets, a core file is generated. [PR680822:<br />
This issue has been resolved.]<br />
• On all high-end SRX Series devices, the Link failure happened for DPC%d PFE%d log<br />
message displayed an incorrect FPC number. [PR683371: This issue has been resolved.]<br />
• On all high-end SRX Series devices, a data plane failover resulted in a traffic loss for<br />
a short period when the device was active with a large number of routes. [PR690004:<br />
This issue has been resolved.]<br />
• On all high-end SRX Series devices, the show class-of-service application-traffic-control<br />
statistics rule command currently displays the number of packets that arrive in a session.<br />
The command should actually display the number of sessions. [PR690691: This issue<br />
has been resolved.]<br />
• On all high-end SRX Series devices, the option to manually recover policy mismatch<br />
between RE and SPU is not available. [PR691815: This issue has been resolved.]<br />
• On all high-end SRX Series devices, under some environments, the DIP4 errors are<br />
reported for SPCs, resulting in occasional packet drop. [PR695905: This issue has been<br />
resolved.]<br />
• On SRX3400 devices, when chassis cluster failover route change is triggered and<br />
service-offload session will be reinstalled, if one service-offload session is multicast<br />
session in the master node, then that session will be synched and installed as normal<br />
session in backup node because the services-offload flag not being correctly sync to<br />
backup. [PR696819: This issue has been resolved.]<br />
474<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• On SRX5600 devices, when IKE and IPsec configuration or security configuration is<br />
removed and added back frequently, KMD core files might be generated. [PR698718,<br />
PR698666: This issue has been resolved.]<br />
• On all high-end SRX Series devices, a memory leak occurs during the audit event<br />
processing. [PR698907: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the PIM register messages were dropped on the<br />
physical interfaces that hosted multiple unnumbered interfaces. [PR698943: This issue<br />
has been resolved.]<br />
• On SRX5600 devices, the message vector create_pdp_rsp changes tunnel state from<br />
half to active and inserts it into active timer wheel. These actions result in no tunnel<br />
lock protection. When del_pdp_rsp deletes the user tunnel or clear path, this leads to<br />
a change in both the aging flag and the timer wheel entry pointer. [PR699147: This<br />
issue has been resolved.]<br />
• On SRX3600 devices, when a client started a new TCP session using the same 5 tuples<br />
as the existing TCP session (which was terminated within 2 seconds) and FIN/ACK,<br />
the new TCP session was allowed for a short time and then the device dropped all<br />
subsequent packets from client or server. When this issue occurred, the device allowed<br />
only the new TCP handshake packets and then dropped all the subsequent traffic that<br />
belonged to newly created session. [PR700301: This issue has been resolved.]<br />
• On SRX3600 devices, when you configured services-offload and when IOC cards were<br />
plugged in slot 4 or above, the following warning message was not displayed:<br />
In services offload mode, IOC cards must be in the first four slots (slot0<br />
- slot3).<br />
[PR703114: This issue has been resolved.]<br />
• On SRX1400 devices in a chassis cluster, unwanted timed out data path trace messages<br />
were seen. [PR703272: This issue has been resolved.]<br />
• On SRX5600 devices, the JSRPD used the IIC device to set chassis cluster LED. The<br />
JSRPD, whose function is jsrpd_a2a10_set_led_color() function, was trigged when the<br />
ge-0/0/2 interface was down. The jsrpd_a2a10_set_led_color() function did not close<br />
when the LED color set function was done. This behavior caused the FD leak and<br />
eventually resulted in the generation of the JSRPD core file. [PR703799: This issue has<br />
been resolved.]<br />
• On all high-end SRX Series devices, flowd core files were generated during stress test.<br />
[PR704482: This issue has been resolved.]<br />
• On all high-end SRX Series devices, the following warning messages were not displayed:<br />
• When heap and/or arena memory utilization reached a certain critical level:<br />
• Warning: Heap utilization reaches critical level!<br />
• Warning: Arena utilization reaches critical level!<br />
• When the memory utilization fell back below the critical level:<br />
• Heap utilization falls back to normal level<br />
• Arena utilization falls back to normal level<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
475
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
[PR705118: This issue has been resolved.]<br />
• On SRX5600 devices, packets of packet-length 500 bytes get corrupted when only<br />
packet capture of data path debug is present without record-pic-history and event<br />
np-egress. [PR706858: This issue has been resolved.]<br />
• On all high-end SRX Series devices, when you add or change policy configuration within<br />
groups, the policies may not get applied correctly. The applied configuration might be<br />
valid and therefore will pass the configuration check but the process uses that policy<br />
(depending on configuration) might terminate and restart. [PR707817: This issue has<br />
been resolved.]<br />
• On SRX1400 devices in a chassis cluster, the primary control link heartbeats are not<br />
seen and are causing inconsistent system behavior. This happens when a 16-Port SFP<br />
Gigabit Ethernet I/O card or a 16-Port Copper Ethernet/Fast Ethernet/Gigabit Ethernet<br />
I/O card is installed on the device. [PR718054: This issue has been resolved.]<br />
• On all high-end SRX Series devices, on rare occasions, the CP session counter got an<br />
incorrect value, which triggered the CP/Flow session table full alarm. This was because,<br />
the flow table was not full and the alarm was incorrectly set due to the wrong session<br />
counter value. [PR725099: This issue has been resolved.]<br />
• On SRX3600 devices, where large volume of firewall-authentication requests and<br />
changes of security policy happen at exactly same time, device may crash due to race<br />
condition. [PR726940: This issue has been resolved.]<br />
• On SRX3400, SRX3600, SRX5600, SRX5800 devices, sometimes, traffic sent by<br />
authenticated users (authenticated by web authentication) was not passing through<br />
the firewall. This is because, authentication entry created in CP was not passed along<br />
to SPU. [PR734869: This issue has been resolved.]<br />
Installation<br />
• On all high-end SRX Series devices, while downgrading from Junos <strong>Release</strong> 11.4 or a<br />
later image to Junos <strong>Release</strong> 11.1 or an earlier image, the security package was deleted.<br />
Although it was automatically installed when the IDP daemon came up, this automatic<br />
installation failed sometimes due to application identification (AI) installation error.<br />
[PR705113: This issue has been resolved.]<br />
Interfaces and Routing<br />
• On SRX3600 devices, when a firewall filter is configured on the lo0 interface, the<br />
firewall log might show incorrect address or port information for the IKE packets.<br />
[PR695288: This issue has been resolved.]<br />
• On SRX5800 devices, under certain conditions, deleting an fxp0 configuration and<br />
rolling it back, set the fxp0 forcefully to nonnegotiated, 100M/full duplex mode.<br />
[PR696733: This issue has been resolved.]<br />
• On SRX3400 devices, during failover, there is a small window of time in which the SPU<br />
does not detect whether an NP is in services-offload mode or not. This might cause a<br />
small number of the services-offload sessions to change to normal sessions. [PR697426:<br />
This issue has been resolved.]<br />
476<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• On SRX3400 and SRX3600 devices, the reth interface did not work properly when you<br />
changed the reth member interfaces to other interfaces using different speeds and the<br />
link speeds were mismatched. [PR698837: This issue has been resolved.]<br />
• On SRX3600 devices, a session drop due to not being authenticated was logged as<br />
RT_FLOW_SESSION_CLOSE and had the wrong close reason other than unset.<br />
[PR701971: This issue has been resolved.]<br />
• On SRX5600 devices, during GTP-in-GTP detection, the spare bytes in the GTPv0's<br />
packet header are 10, 11, and 12. These three bytes need to be set with 0xff, but it is not<br />
a mandatory requirement in 3GPP TS. You can set the GTP-in-GTP denied feature,<br />
and check these bytes as a mandatory field. If the value of all three bytes is not equal<br />
to 0xff, then the packet is not GTPv0 and is allowed to pass the firewall. As a result,<br />
some malform attack packets might get through the firewall. [PR703267: This issue<br />
has been resolved.]<br />
• On SRX1400 devices, RTSP interleave data packets cannot be passed when the RTP<br />
length is above 3K Bytes. [PR703663: This issue has been resolved.]<br />
• On SRX5600 and SRX5800 devices, using ftp to st0 interface for data transfer fails<br />
occasionally. [PR706827: This issue has been resolved.]<br />
Internet Protocol Security (IPsec)<br />
• On SRX3400 and SRX3600 devices, initial contact notification sent from peer for the<br />
IKEv1 protocol was not getting processed. Because of this, stale IKE and IPsec security<br />
association were displayed. However, functionality was not affected. [PR705123: This<br />
issue has been resolved.]<br />
• On all high-end SRX Series devices, occasionally, when keys are generated incorrectly<br />
for IPsec, VPN to go down due to encapsulation security payload (ESP) failures.<br />
[PR717969: This issue has been resolved.]<br />
Intrusion Detection and Prevention (IDP)<br />
• On SRX5600 devices, loading the IDP detector might cause a flowd crash, showing<br />
memcpy as the top of the stack. [PR570361: This issue has been resolved.]<br />
J-Web<br />
• On SRX1400 devices, when modifying an existed policy or creating a new policy with<br />
junos-host zone in J-Web, there is no junos-host zone available in the from-zone or<br />
to-zone list. [PR697863: This issue has been resolved.]<br />
Logical Systems<br />
• On all high-end SRX Series devices, after a logical systems high availability ISSU, the<br />
application firewall rule matched session counter was set to an incorrect value (-1)<br />
when a new session triggered an application firewall rule lookup. [PR704979: This issue<br />
has been resolved.]<br />
• On SRX1400 devices, the LSYS capacity number for nat-rule-referenced-prefix lsys<br />
profile was displayed incorrectly. [PR707108: This issue has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
477
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Network Address Translation (NAT)<br />
• On SRX3600 devices, when there is heavy SIP traffic and share gate is involved, NAT<br />
translation-context might leak. [PR675869: This issue has been resolved.]<br />
• On all high-end SRX Series devices, static NAT with default routing instance does not<br />
work. [PR706183: This issue has been resolved.]<br />
• On all high-end SRX Series devices, when you configure two static NAT rules in default<br />
routing-instance with same prefix, one rule is configured without static-nat prefix<br />
routing-instance default, and the other rule is configured with static-nat prefix<br />
routing-instance default, the configuration is committed successfully without<br />
overlapped prompt information. [PR708433: This issue has been resolved.]<br />
• On SRX5600 devices, during high-rate NAT session creation, high CPU usage might<br />
be seen on the central point on the backup node. [PR720010: This issue has been<br />
resolved.]<br />
SNMP<br />
• On SRX3400, SRX3600, SRX5400, SRX5600 devices, health monitor feature under<br />
SNMP might send out false alarm of high CPU utilization. [PR610450: This issue has<br />
been resolved.]<br />
Upgrade and Downgrade<br />
• On all high-end SRX Series devices, upgrade failed for Junos OS <strong>Release</strong> 11.1R6.4 to<br />
11.4R2.3 build due to AI installation failure without xcommit result. [PR729625: This<br />
issue has been resolved.]<br />
Virtual Private Network (VPN)<br />
• On SRX3600 devices, after RG0 failover, packet loss is seen through VPNs. [PR604640:<br />
This issue has been resolved.]<br />
• On SRX5600 devices in a large configuration with heavy traffic, after reboot failover<br />
in chassis cluster, the Routing Engine on the new primary node becomes very busy. As<br />
a result, the FPC might detach, causing traffic to fail when passing through the firewall<br />
device. [PR698150: This issue has been resolved.]<br />
478<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Resolved Issues in Junos OS <strong>Release</strong> 11.4R1 for High-End SRX Series Services<br />
Gateways<br />
Application Layer Gateways (ALGs)<br />
• On SRX5600 devices in a chassis cluster, when 12-KB traffic was sent, RG1 and RG2<br />
failover occurred with a resource manage error. [PR601784: This issue has been<br />
resolved.]<br />
Chassis Cluster<br />
• On SRX5600 devices, ISSU took additional time when network traffic was heavy. If<br />
the ISSU process duration was longer than 1 hour, it aborted automatically without<br />
completing the upgrade. [PR585873: This issue has been resolved.]<br />
• On SRX3600 devices in a chassis cluster, some interfaces on node 0 showed<br />
unspecified speed and half-duplex. [PR597575: This issue has been resolved.]<br />
• On SRX5800 devices, chassis cluster was not failing over redundancy groups<br />
automatically when one node experienced certain hardware errors (HSL2 link CRC<br />
errors). [PR606594: This issue has been resolved.]<br />
• On SRX1400 devices, a timing error is observed at the system I/O (sysio) interface,<br />
which connects to IOC in slot 2. You can enable chassis cluster on the sysio ports, but<br />
do not use the IOC card in slot 2 for Junos OS <strong>Release</strong> 11.4. [PR680832: This issue has<br />
been resolved.]<br />
Flow and Processing<br />
• On all high-end SRX Series devices, predefined applications and application groups<br />
are editable. However, changes made to them were not persistent across application<br />
identification signature or IDP signature database upgrades, and commit failed.<br />
[PR560897: This issue has been resolved.]<br />
• On SRX5800 devices in NAT mode, flowd crashed due to kernel memory corruption<br />
that was triggered by a race condition when the IDP module was maintaining the ASC<br />
(application system cache) pool. [PR579242: This issue has been resolved.]<br />
• On SRX3400, SRX3600, and SRX5600 devices, hostbound traffic BFD session state<br />
did not change from the init state. [PR601310: This issue has been resolved.]<br />
• On SRX1400, SRX3400, and SRX3600 devices, when the receiver for a multicast group<br />
was in dense mode, no multicast traffic was observed. [PR601850: This issue has been<br />
resolved.]<br />
• On SRX5800 devices, data plane security logs sent in security log mode stream were<br />
emitted with the facility encoded to UUCP. The PRI value has been changed to correctly<br />
show the USER facility in the system logs sent directly from the data plane. This change<br />
does not effect logs sent from the Routing Engine. [PR663022: This issue has been<br />
resolved.]<br />
• On SRX3400 devices, the SIP datagrams were being reordered, resulting in a rejection<br />
of the INVITE message from the X-Lite client to the other user. [PR667420: This issue<br />
has been resolved.]<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
479
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• On SRX3400 devices, small packets were dropped when preserve-trace-order or<br />
record-packet-history was enabled during data path debugging. [PR671900: This issue<br />
has been resolved.]<br />
• On SRX3400 devices, in transparent mode EBGP session timeout was not updated,<br />
causing sessions to close after 20 seconds. [PR671942: This issue has been resolved.]<br />
Installation and Upgrade<br />
• On SRX1400 devices, when you upgraded or downgraded to an earlier or later Junos<br />
OS version and upgraded or downgraded the data path FPGA images, the traffic did<br />
not flow through the device immediately after the upgrade or downgrade was complete.<br />
The fabric (HSL2) links of the SPC and NPC cards were prematurely reported as being<br />
in fault, reset, or error state following an automatic upgrade or downgrade of the FPGAs.<br />
[PR608148: This issue has been resolved.]<br />
Intrusion Detection and Prevention (IDP)<br />
• On SRX5800 devices, removing the ip-block action statement from the IDP<br />
configuration blocked the applicable traffic. [PR599245: This issue has been resolved.]<br />
Infrastructure<br />
• On SRX5800 devices, when more than 10 member links were added to an aggregate<br />
bundle and then to a class-of-service process, sometimes core files were generated<br />
and devices restarted due to memory corruption and the process. [PR613422: This<br />
issue has been resolved.]<br />
Interfaces and Routing<br />
• On SRX5600 devices, there were issues with support for GTPv2 and GTP ISSU failure<br />
between Junos OS <strong>Release</strong> 11.2 and later releases. [PR664202: This issue has been<br />
resolved.]<br />
IPv6<br />
• On SRX3600 devices, the IPv6 self-traffic caused flowd_xlr files to be generated.<br />
[PR667592: This issue has been resolved.]<br />
• On SRX3400 devices, in some cases IPv6 flow sessions were overwriting other memory,<br />
causing incorrect statistics or memory corruption. The memory corruption triggered<br />
generation of a flowd core file. [PR672794: This issue has been resolved.]<br />
J-Web<br />
• On all high-end SRX Series devices, you were unable to make custom column alignment<br />
on the UTM policy and Zone configuration pages. [PR667207: This issue has been<br />
resolved.]<br />
• On SRX3400 devices, sometimes J-Web did not populate content properly. [PR671805:<br />
This issue has been resolved.]<br />
480<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Logical Systems<br />
• On SRX3400 devices, when NAT64 was used in logical system (LSYS), the binding<br />
did not age out and the reversed binding did not match successfully. The NAT64 in<br />
LSYS function did not work. [PR675052: This issue has been resolved.]<br />
• On SRX3400 devices, when you configure LSYS and then load override configuration<br />
with different LSYS (both having the old and new LSYS) configuration, the proxy-ndp<br />
route might fail to push to the Packet Forwarding Engine. If you delete old LSYS and<br />
add new LSYS in one commit, the proxy-ndp route might also fail to push to the Packet<br />
Forwarding Engine. [PR673930: This issue has been resolved.]<br />
• On SRX5600 devices in a chassis cluster, some NAT sessions might keep invalidated<br />
status after multiple failovers. [PR676385: This issue has been resolved.]]<br />
Network Address Translation (NAT)<br />
• On SRX3400 devices, when DUT was configured with the maximum reference number<br />
of address-books in source NAT or destination NAT, the Routing Engine and Packet<br />
Forwarding Engine were different. [PR580201: This issue has been resolved.]<br />
• SRX1400 devices supported only 256 destination NAT pools; this number did not<br />
match the specification sheet of 4096. [PR598474: This issue has been resolved.]<br />
• On SRX3600 devices, under certain specific circumstances, interface-based source<br />
NAT resources leaked. [PR613300: This issue has been resolved.]<br />
Management Information Base (MIB)<br />
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when polling the device<br />
with 5 SPC's and 3 SPC's, the device reports wrong number of sessions for the object<br />
ID jnxJsSPUMonitoringMaxTotalSession (1.3.6.1.4.1.2636.3.39.1.12.1.3.0). [PR488653<br />
This issue has been resolved.]<br />
• On SRX5800 devices, the NAT SNMP MIB snmp mib jnxJsNatSrcNumSessions counter<br />
was not refreshed until the walk command was issued. [PR663788: This issue has<br />
been resolved.]<br />
Virtual Private Network (VPN)<br />
• On SRX3600 devices, KMD core files were generated after users deleted and re-added<br />
VPN configurations. [PR560932: This issue has been resolved.]<br />
• On SRX3600 devices, the secondary node of the dynamic endpoint tunnel IP did not<br />
update correctly during cold synchronization. [PR604640: This issue has been resolved.]<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways on<br />
page 417<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 443<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 482<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
481
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series<br />
Services Gateways<br />
Errata for the Junos OS Software Documentation<br />
This section lists outstanding issues with the software documentation.<br />
Feature Support Reference<br />
• Table 42: PKI Support in this guide incorrectly states that IKE Diffie-Hellman Group 14<br />
support and digital signature generation are not supported on the SRX1400 device.<br />
IKE Diffie-Hellman Group 14 support and digital signature generation are supported<br />
on all SRX Series devices.<br />
Junos OS CLI Reference<br />
• The Description for the limit (Security SCTP) option under the hierarchy edit security<br />
gprs sctp profile profile-name, incorrectly states you can set the global messages rate<br />
limit per session. The description should say that you can set the rate limit for local<br />
Services Processing Unit (SPU) packets.<br />
• In this guide, the apply-groups (Chassis Cluster) statement has been added to the<br />
“Chassis Hierarchy and Statements” section.<br />
• In the Security Hierarchy and Statements section, the edit security forwarding-options<br />
statements are missing the following:<br />
• A note indicating that packet-based processing is not supported on the following<br />
SRX Series devices: SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800.<br />
• A link in the Related Topics section to the Junos OS Feature Support Reference for<br />
SRX Series and J Series Devices.<br />
• The Junos OS CLI Reference is missing information about the value for the messages<br />
received field in too-many-requests (Security Antivirus Fallback Options) command<br />
the following statement is updated with a value for the limit as:<br />
If the total number of messages received concurrently exceeds 4000.<br />
• The Junos OS CLI Reference is missing information about the operational CLI command,<br />
show configuration chassis cluster traceoptions, which is used to display chassis cluster<br />
redundancy process trace options.<br />
user@host>show configuration chassis cluster traceoptions<br />
file chassis size 10k files 300;<br />
level all;<br />
• The Junos OS CLI Reference incorrectly specifies the IPsec proposal options in<br />
proposal-set (IPsec) section. The IPsec proposals should be as follows:<br />
• basic—nopfs-esp-des-sha and nopfs-esp-des-md5<br />
• compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and<br />
nopfs-esp-des-md5<br />
• standard—g2-esp-3des-sha and g2-esp-aes128-sha<br />
482<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Junos OS Interfaces Configuration Guide for Security Devices<br />
• In this guide, Table 11, "MTU Values for the SRX Series Services Gateways PIMs," does<br />
not specify the maximum MTU and default IPMTU values for the following PIMs:<br />
• 2-Port 10 Gigabit Ethernet XPIM<br />
• 16-Port Gigabit Ethernet XPIM<br />
• 24-Port Gigabit Ethernet XPIM<br />
The following table lists these values:<br />
Table 28: MTU Values for the SRX Series Services Gateways PIMs<br />
PIM<br />
DefaultMediaMTU(Bytes)<br />
MaximumMTU(Bytes)<br />
DefaultIPMTU (Bytes)<br />
2-Port 10 Gigabit Ethernet XPIM<br />
1514<br />
9192<br />
1500<br />
16-PortGigabitEthernetXPIM<br />
1514<br />
9192<br />
1500<br />
24-Port Gigabit Ethernet XPIM<br />
1514<br />
9192<br />
1500<br />
Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices<br />
• In this guide, the section “Configuring Layer 2 Bridging and Transparent Mode” includes<br />
an incorrect example, "Example: Configuring Layer 2 Trunk Interfaces with Multiple<br />
Units." The example is in error because the SRX Series devices do not support multiple<br />
units.<br />
Junos OS Logical Systems Configuration Guide for Security Devices<br />
• The Junos OS Logical Systems Configuration Guide for Security Devices does not list the<br />
SRX1400 as a device that supports the logical systems feature. Starting with Junos<br />
OS <strong>Release</strong> 11.4R1, SRX1400 devices support the logical systems feature. This support<br />
is in addition to existing support on SRX3400, SRX3600, SRX5600, and SRX5800<br />
devices.<br />
Junos OS Monitoring and Troubleshooting Guide for Security Devices<br />
• In the “Example: Enabling Packet Capture on a Device” section, the CLI quick<br />
configuration shows an incorrect set command. The correct set command is set<br />
forwarding-options packet-capture file filename pcap-file files 100 size 1024<br />
world-readable.<br />
Junos OS Security Configuration Guide<br />
• In Junos OS <strong>Release</strong> 11.1 of this guide, “Figure 1: Traffic Flow for Flow-Based Processing”<br />
is incorrect. The correct flow diagram is available in Junos OS <strong>Release</strong> 12.1 of this guide.<br />
• In this guide, the section “Understanding Chassis Cluster Redundancy Group Interface<br />
Monitoring” has a misleading statement in the steps describing the “Policy Lookup for<br />
a User” figure. It states that the device forwards the packet from its buffer to its<br />
destination IP address 1.2.2.2. However, this is true only for HTTP and Telnet traffic.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
483
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
For FTP traffic, after successful authentication the device closes the session and the<br />
user must reconnect to the FTP server at IP address 1.2.2.2.<br />
• In Chapter 48, “AppTrack Application Tracking,” of the Junos OS Security Configuration<br />
Guide for Security Devices, the operational command show security application-tracking<br />
statistics applications is incorrect. The operational command to display all application<br />
identification statistics, including application tracking statistics, is show services<br />
application-identification statistics applications.<br />
The operational command show application-tracking counters is incorrect. The<br />
command should be show security application-tracking counters.<br />
• The “Understanding DNS Doctoring” section incorrectly states that the DNS ALG will<br />
not drop traffic if the DNS message length exceeds the configured maximum, if the<br />
domain name is more than 255 bytes, or if the label length is more than 63 bytes.<br />
This section has been corrected as follows: The DNS ALG will not drop traffic if the<br />
DNS message length exceeds the configured maximum. However, the DNS ALG will<br />
check the length of the domain name and label, and it will drop packets if either the<br />
domain name is more than 255 bytes or the label length is more than 63 bytes.<br />
• The following sections were removed from the guide as they were causing confusion:<br />
“H.323 ALG Endpoint Registration Timeouts,” “Understanding H.323 ALG Endpoint<br />
Registration Timeouts,” and “Example: Setting H.323 ALG Endpoint Registration<br />
Timeouts.”<br />
• The “Understanding Internet-Related Predefined Policy Applications” section of Junos<br />
OS Security Configuration guide incorrectly specifies the HTTP port value as 80 in<br />
Predefined Applications table. The correct port value for HTTP is 8080.<br />
• The following examples in this guide include erroneous information as explained below:<br />
• The “Example: Configuring an SRX Series Services Gateway for the High-End as a<br />
Chassis Cluster” section in this guide erroneously shows the backup router as being<br />
configured with a destination address of 0.0.0/0. Instead, you must use a nonzero<br />
prefix. Configuring the backup router destination address as x.x.x.0/0 is not allowed.<br />
• The “Example: Configuring an SRX Series Services Gateway for the High-End as a<br />
Chassis Cluster” section and several related chassis cluster sections in this guide<br />
contain incorrect information about how and when you configure control ports and<br />
assign cluster IDs and node IDs to both nodes of a cluster.<br />
The correct information is as follows:<br />
NOTE: Control port configuration is required for SRX5600 and SRX5800<br />
devices. No control port configuration is needed for SRX1400, SRX3400,<br />
or SRX3600 devices.<br />
• Before the cluster is formed, you must configure control ports for each device, as<br />
well as assign a cluster ID and node ID to each device, and then reboot. When the<br />
system boots, both the nodes come up as a cluster.<br />
484<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
• Now the devices are a pair. From this point forward, configuration of the cluster is<br />
synchronized between the node members, and the two separate devices function<br />
as one device.<br />
• In cluster mode, the cluster is synchronized between the nodes when you execute<br />
a commit command. All commands are applied to both nodes regardless of the<br />
device from which the command is configured.<br />
• The “Troubleshooting Chassis Cluster ISSU Failures” section of the Junos OS Security<br />
Configuration Guide contains incorrect information in the message that is issued when<br />
an ISSU encounters an unexpected situation that necessitates an abort. The message<br />
that shows the correct next steps for you to take is as follows:<br />
Rebooting Secondary Node<br />
Shutdown NOW!<br />
[pid 2120]<br />
ISSU: Backup RE Prepare Done<br />
Waiting for node1 to reboot.<br />
node1 booted up.<br />
Waiting for node1 to become secondary<br />
error: wait for node1 to become secondary failed (error-code: 5.1)<br />
ISSU aborted. But, both nodes are in ISSU window.<br />
Please do the following:<br />
1. Log on to the upgraded node.<br />
2. Rollback the image using rollback command with node option<br />
Note: Not using the 'node' option might cause<br />
the images on both nodes to be rolled back<br />
3. Make sure that both nodes (will) have the same image<br />
4. Ensure the node with older image is primary for all RGs<br />
5. Abort ISSU on both nodes<br />
6. Reboot the rolled back node<br />
{primary:node0}<br />
• In the “Internet Protocol Security” chapter of the Junos OS Security Configuration Guide,<br />
“Understanding Virtual Router Limitations” incorrectly lists “Internet Key Exchange<br />
(IKE) inside VR” as not being supported. Support for IKE in multiple virtual routers<br />
(VRs) was added in the Junos OS 11.1R1 release for all SRX Series and J Series devices.<br />
Also, “Virtual Router Support for Route-Based VPNs” incorrectly includes a note that<br />
for VPN traffic to work in a nondefault VR, the IKE listener must be placed in the default<br />
VR.<br />
• The Junos OS Security Configuration Guide incorrectly states that the release supports<br />
security chains, which validate a certificate path upward through eight levels of CA<br />
authorities in the PKI hierarchy. The release does not support security chains.<br />
J-Web<br />
• J-Web security package update Help page—The J-Web Security Package Update<br />
Help page does not contain information about the download status.<br />
• J-Web pages for stateless firewall filters—There is no documentation describing the<br />
J-Web pages for stateless firewall filters. To find these pages in J-Web, go to<br />
Configure>Security>Firewall Filters, and then select IPv4 Firewall Filters or IPv6 Firewall<br />
Filters. After configuring the filters, select Assign to Interfaces to assign your configured<br />
filters to interfaces.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
485
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• J-Web Configuration Instructions— Because of ongoing J-Web interface enhancements,<br />
some of the J-Web configuration example instructions in the Junos administration and<br />
configuration guides became obsolete and thus were removed. For examples that are<br />
missing J-Web instructions, use the provided CLI instructions.<br />
Junos OS System Log Messages Reference<br />
• The AV System Log Messages topic lists incorrect facilities for the systems logs.<br />
On all SRX Series devices, antivirus (AV) system logs are generated with the facility<br />
LOG_USER or LOG_DAEMON.<br />
Table 29 on page 486 shows the correct facilities for the system logs.<br />
Table 29: Antivirus System Logs<br />
System Logs<br />
Incorrect Facility<br />
Correct Facility<br />
AV_PATTERN_GET_FAILED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_KEY_EXPIRED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_KL_CHECK_FAILED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_TOO_BIG<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_UPDATED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_PATTERN_WRITE_FS_FAILED<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_SCANNER_READY<br />
LOG_FIREWALL<br />
LOG_DAEMON<br />
AV_VIRUS_DETECTED_MT<br />
LOG_PFE<br />
LOG_USER<br />
• The Junos 11.4 System Log Messages Reference is missing the following AV system log<br />
messages. The list below are messages with the AV prefix They are generated by the<br />
antivirus scanning process (avd).<br />
• AV_HUGE_FILE_DROPPED_MT<br />
• AV_HUGE_FILE_NOT_SCANNED_MT<br />
• AV_MANY_MSGS_DROPPED_MT<br />
• AV_MANY_MSGS_NOT_SCANNED_MT<br />
• AV_SCANNER_DROP_FILE_MT<br />
• AV_SCANNER_ERROR_SKIPPED_MT<br />
• AV_VIRUS_DETECTED_MT<br />
• The Junos 11.4 System Log Messages Reference is missing the following RT system log<br />
messages:<br />
486<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
This list below describes messages with the RT prefix. They are generated on routers<br />
running the Junos OS with enhanced services by the Packet Forwarding Engine as it<br />
processes packets for security control in real time.<br />
• RT_GTP_DEL_TUNNEL_V0— A GPRS tunneling protocol (GTP) version 0 tunnel<br />
was deleted. This message reports an event, not an error.<br />
• RT_GTP_DEL_TUNNEL_V1—A GPRS tunneling protocol (GTP) version 1 tunnel was<br />
deleted. This message reports an event, not an error.<br />
• RT_GTP_PKT_APN_IE—Displays the contents of the Access Point Name (APN)<br />
information element carried in the GPRS tunneling protocol (GTP) message. This<br />
message reports an event, not an error.<br />
• RT_GTP_PKT_DESCRIPTION_CHARGING—Displays the GPRS tunneling protocol<br />
(GTP) packet description for a GTP charging message. The description includes the<br />
source and destination address and version. This message reports an event, not an<br />
error.<br />
• RT_GTP_PKT_DESCRIPTION_V0—Displays the GPRS tunneling protocol (GTP)<br />
packet description for a GTP version 0 message. The description includes the source<br />
and destination address, 64-bit tunnel ID, and index. This message reports an event,<br />
not an error.<br />
• RT_GTP_PKT_DESCRIPTION_V1—Displays the GPRS tunneling protocol (GTP)<br />
packet description for a GTP version 1 message. The description includes the source<br />
and destination address, tunnel endpoint ID, and index. This message reports an<br />
event, not an error.<br />
• RT_GTP_PKT_ENDUSER_ADDR_IE_IPV4—Displays the contents of the IPv4 End<br />
User Address information element carried in the GPRS tunneling protocol (GTP)<br />
message. The content includes the end user IP address. This message reports an<br />
event, not an error.<br />
• RT_GTP_PKT_GSNADDR_IE—Displays the contents of the GPRS Support Node<br />
(GSN) Address information element carried in the GPRS tunneling protocol (GTP)<br />
message. The content includes the GSN IP address. This message reports an event,<br />
not an error.<br />
• RT_GTP_PKT_IMSI_IE—Displays the contents of the International Mobile Subscriber<br />
Identity (IMSI) information element carried in the GPRS tunneling protocol (GTP)<br />
message. The content includes the lower and higher halves of the GTP mobile ID.<br />
This message reports an event, not an error.<br />
• RT_GTP_PKT_MSISDN_IE—Displays the contents of the MS International PSTN/ISDN<br />
Number (MSISDN) information element carried in the GPRS tunneling protocol<br />
(GTP) message. The content includes the ISDN number. This message reports an<br />
event, not an error.<br />
• RT_GTP_PKT_RESULT—Displays the GPRS tunneling protocol (GTP) packet process<br />
result, providing information about whether the packet is passed or dropped. This<br />
message reports an event, not an error.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
487
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• RT_GTP_SANITY_EXTENSION_HEADER—The GPRS tunneling protocol (GTP)<br />
packet has an incorrect extension header and the packet will be dropped. This is an<br />
error message.<br />
• RT_GTP_SYSTEM_ERROR—The GPRS tunneling protocol (GTP) packet was dropped<br />
due to a firewall system error, as indicated by the error code.<br />
Various Guides<br />
• Some Junos OS user, reference, and configuration guides—for example the Junos<br />
Software Routing Protocols Configuration Guide, Junos OS CLI User Guide, and Junos<br />
OS System Basics Configuration Guide—mistakenly do not indicate SRX Series device<br />
support in the “Supported Platforms” list and other related support information;<br />
however, many of those documented Junos OS features are supported on SRX Series<br />
devices. For full, confirmed support information about SRX Series devices, please refer<br />
to the Junos OS Feature Support Reference for SRX Series and J Series Devices.<br />
Errata for the Junos OS Hardware Documentation<br />
This section lists outstanding issues with the hardware documentation.<br />
SRX1400 Services Gateway Hardware Guide<br />
• Some of the graphics in the SRX1400 Services Gateway Hardware Guide show the<br />
grounding lug attached to the front panel of the device. However, the SRX1400 Services<br />
Gateway is not shipped with the grounding lug attached to it.<br />
• The SRX1400 Services Hardware Guide and the SRX1400 Services Getting Started Guide<br />
are missing the following note:<br />
NOTE: AC and DC Power Supply Units are not interoperable between the<br />
SRX1400 Services Gateway and the SRX3000 and SRX5000 lines.<br />
SRX1400 Services Gateway Getting Started Guide<br />
• In the SRX1400 Services Gateway Getting Started Guide, some of the graphics are shown<br />
with the grounding lug attached on the front panel of the device. However, the SRX1400<br />
Services Gateway is not shipped with the grounding lug attached to it.<br />
• Some of the graphics in the SRX1400 Services Gateway Getting Started Guide show<br />
graphics with the grounding lug attached to the device front panel. The grounding lug<br />
is not attached to the device at the time of shipment.<br />
• The SRX1400 Services Gateway Getting Started Guide should document the following<br />
statement:<br />
You can replace the Network and Services Processing Card (NSPC) with the SRX3000<br />
line Services Gateway Network Processing Card (NPC) and Services Processing Card<br />
(SPC). To install the NPC and SPC on the SRX1400 Services Gateway, you must order<br />
the Twin CFM holder tray (SRX1K3K-2CFM-TRAY) to hold two single-wide CFMs (NPC<br />
and SPC) separately. Contact your <strong>Juniper</strong> <strong>Networks</strong> customer service representative<br />
for more information.<br />
488<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways on<br />
page 417<br />
• Known Limitations in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 443<br />
• Outstanding Issues in Junos OS <strong>Release</strong> 11.4R7 for High-End SRX Series Services<br />
Gateways on page 458<br />
• Resolved Issues in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
on page 459<br />
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services<br />
Gateways<br />
This section includes the following topics:<br />
• Upgrading and Downgrading among Junos OS <strong>Release</strong>s on page 489<br />
• Upgrading an AppSecure Device on page 491<br />
• Upgrade and Downgrade Scripts for Address Book Configuration on page 491<br />
• Upgrade Policy for Junos OS Extended End-Of-Life <strong>Release</strong>s on page 494<br />
• Hardware Requirements for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services<br />
Gateways on page 494<br />
Upgrading and Downgrading among Junos OS <strong>Release</strong>s<br />
All Junos OS releases are listed in sequence on the JUNOS Software Dates & Milestones<br />
webpage:<br />
http://www.juniper.net/support/eol/junos.html<br />
To help in understanding the examples that are presented in this section, a portion of<br />
that table is replicated here. Note that releases footnoted with a 1 are Extended<br />
End-of-Life (EEOL) releases.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
489
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
You can directly upgrade or downgrade between any two Junos OS releases that are<br />
within three releases of each other.<br />
• Example: Direct release upgrade<br />
<strong>Release</strong> 10.3 → (bypassing <strong>Release</strong>s 10.4 and 11.1) <strong>Release</strong> 11.2<br />
To upgrade or downgrade between Junos OS releases that are more than three releases<br />
apart, you can upgrade or downgrade first to an intermediate release that is within three<br />
releases of the desired release, and then upgrade or downgrade from that release to the<br />
desired release.<br />
• Example: Multistep release downgrade<br />
<strong>Release</strong> 11.3 → (bypassing <strong>Release</strong>s 11.2 and 11.1) <strong>Release</strong> 10.4 → <strong>Release</strong> 10.3<br />
<strong>Juniper</strong> <strong>Networks</strong> has also provided an even more efficient method of upgrading and<br />
downgrading using the Junos OS EEOL releases. EEOL releases generally occur once a<br />
calendar year and can be more than three releases apart. For a list of, EEOL releases, go<br />
to http://www.juniper.net/support/eol/junos.html<br />
490<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
You can directly upgrade or downgrade between any two Junos OS EEOL releases that<br />
are within three EEOL releases of each other.<br />
• Example: Direct EEOL release upgrade<br />
<strong>Release</strong> 9.3 (EEOL) → (bypassing <strong>Release</strong>s 10.0 [EEOL] and 10.4 [EEOL]) <strong>Release</strong> 11.4<br />
(EEOL)<br />
To upgrade or downgrade between Junos OS EEOL releases that are more than three<br />
EEOL releases apart, you can upgrade first to an intermediate EEOL release that is within<br />
three EEOL releases of the desired EEOL release, and then upgrade from that EEOL<br />
release to the desired EEOL release.<br />
• Example: Multistep release upgrade using intermediate EEOL release<br />
<strong>Release</strong> 8.5 (EEOL) → (bypassing <strong>Release</strong>s 9.3 [EEOL] and 10.0 [EEOL]) <strong>Release</strong> 10.4<br />
(EEOL) → <strong>Release</strong> 11.4 (EEOL)<br />
You can even use a Junos OS EEOL release as an intermediate upgrade or downgrade<br />
step if your desired release is several releases later than your current release.<br />
• Example: Multistep release upgrade using intermediate EEOL release<br />
<strong>Release</strong> 9.6 → <strong>Release</strong> 10.0 (EEOL) → <strong>Release</strong> 10.2<br />
For additional information about how to upgrade and downgrade, see the Junos OS<br />
Installation and Upgrade Guide.<br />
Upgrading an AppSecure Device<br />
Use the no-validate Option for AppSecure Devices.<br />
For devices implementing AppSecure services, use the no-validate option when upgrading<br />
from Junos OS <strong>Release</strong> 11.2 or earlier to Junos OS 11.4R1 or later. The application signature<br />
package used with AppSecure services in previous releases has been moved from the<br />
configuration file to a signature database. This change in location can trigger an error<br />
during the validation step and interrupt the Junos OS upgrade. The no-validate option<br />
bypasses this step.<br />
Upgrade and Downgrade Scripts for Address Book Configuration<br />
Beginning with Junos OS <strong>Release</strong> 11.4, you can configure address books under the [security]<br />
hierarchy and attach security zones to them (zone-attached configuration). In Junos OS<br />
<strong>Release</strong> 11.1 and earlier, address books were defined under the [security zones] hierarchy<br />
(zone-defined configuration).<br />
You can either define all address books under the [security] hierarchy in a zone-attached<br />
configuration format or under the [security zones] hierarchy in a zone-defined configuration<br />
format; the CLI displays an error and fails to commit the configuration if you configure<br />
both configuration formats on one system.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
491
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
<strong>Juniper</strong> <strong>Networks</strong> provides Junos operation scripts that allow you to work in either of the<br />
address book configuration formats (see Figure 2 on page 493).<br />
• About Upgrade and Downgrade Scripts on page 492<br />
• Running Upgrade and Downgrade Scripts on page 493<br />
About Upgrade and Downgrade Scripts<br />
After downloading the Junos OS <strong>Release</strong> 11.4, you have the following options for<br />
configuring the address book feature:<br />
• Use the default address book configuration—You can configure address books using<br />
the zone-defined configuration format, which is available by default. For information<br />
on how to configure zone-defined address books, see the Junos OS <strong>Release</strong> 11.1<br />
documentation.<br />
• Use the upgrade script—You can run the upgrade script available on the <strong>Juniper</strong> <strong>Networks</strong><br />
support site to configure address books using the new zone-attached configuration<br />
format. When upgrading, the system uses the zone names to create address books.<br />
For example, addresses in the trust zone are created in an address book named<br />
trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules<br />
remain unaffected.<br />
After upgrading to the zone-attached address book configuration:<br />
• You cannot configure address books using the zone-defined address book<br />
configuration format; the CLI displays an error and fails to commit.<br />
• You cannot configure address books using the J-Web interface.<br />
For information on how to configure zone-attached address books, see the Junos OS<br />
<strong>Release</strong> 11.4 documentation.<br />
• Use the downgrade script—After upgrading to the zone-attached configuration, if you<br />
want to revert to the zone-defined configuration, use the downgrade script available<br />
on the <strong>Juniper</strong> <strong>Networks</strong> support site. For information on how to configure zone-defined<br />
address books, see the Junos OS <strong>Release</strong> 11.1 documentation.<br />
NOTE: Before running the downgrade script, make sure to revert any<br />
configuration that uses addresses from the global address book.<br />
492<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Upgrade and Downgrade Instructions for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways<br />
Figure 2: Upgrade and Downgrade Scripts for Address Books<br />
Download Junos OS<br />
<strong>Release</strong> 11.2 or later.<br />
zone-defined<br />
address book<br />
Run the upgrade script.<br />
zone-attached<br />
address book<br />
configuration<br />
- Global address book is<br />
available by default.<br />
- Address book is defined under<br />
the security hierarchy.<br />
- Zones need to be attached<br />
to address books.<br />
Run the downgrade script.<br />
Note: Make sure to revert any<br />
configuration that uses addresses<br />
from the global address book.<br />
g030699<br />
Running Upgrade and Downgrade Scripts<br />
The following restrictions apply to the address book upgrade and downgrade scripts:<br />
• The scripts cannot run unless the configuration on your system has been committed.<br />
Thus, if the zone-defined address book and zone-attached address book configurations<br />
are present on your system at the same time, the scripts will not run.<br />
• The scripts cannot run when the global address book exists on your system.<br />
• If you upgrade your device to Junos OS <strong>Release</strong> 11.4 and configure logical systems, the<br />
master logical system retains any previously configured zone-defined address book<br />
configuration. The master administrator can run the address book upgrade script to<br />
convert the existing zone-defined configuration to the zone-attached configuration.<br />
The upgrade script converts all zone-defined configurations in the master logical system<br />
and user logical systems.<br />
NOTE: You cannot run the downgrade script on logical systems.<br />
For information about implementing and executing Junos operation scripts, see the Junos<br />
OS Configuration and Operations Automation Guide.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
493
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
Upgrade Policy for Junos OS Extended End-Of-Life <strong>Release</strong>s<br />
An expanded upgrade and downgrade path is now available for the Junos OS Extended<br />
End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of<br />
two adjacent later EEOL releases. You can also downgrade directly from one EEOL release<br />
to one of two adjacent earlier EEOL releases.<br />
For example, Junos OS <strong>Release</strong>s 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade<br />
from Junos OS <strong>Release</strong> 8.5 directly to either 9.3 or 10.0. To upgrade from <strong>Release</strong> 8.5 to<br />
10.4, you first need to upgrade to Junos OS <strong>Release</strong> 9.3 or 10.0, and then upgrade a second<br />
time to 10.4. Similarly, you can downgrade directly from Junos OS <strong>Release</strong> 10.4 to either<br />
10.0 or 9.3. To downgrade from <strong>Release</strong> 10.4 to 8.5, you first need to downgrade to 10.0<br />
or 9.3, and then perform a second downgrade to <strong>Release</strong> 8.5.<br />
For upgrades and downgrades to or from a non-EEOL release, the current policy is that<br />
you can upgrade and downgrade by no more than three releases at a time. This policy<br />
remains unchanged.<br />
For more information on EEOL releases and to review a list of EEOL releases, see<br />
http://www.juniper.net/support/eol/junos.html .<br />
Hardware Requirements for Junos OS <strong>Release</strong> 11.4 for High-End SRX Series<br />
Services Gateways<br />
Transceiver Compatibility for SRX Series Devices<br />
We strongly recommend that only transceivers provided by <strong>Juniper</strong> <strong>Networks</strong> be used<br />
on high-end SRX Series Services Gateways interface modules. Different transceiver types<br />
(long-range, short-range, copper, and others) can be used together on multiport SFP<br />
interface modules as long as they are provided by <strong>Juniper</strong> <strong>Networks</strong>. We cannot guarantee<br />
that the interface module will operate correctly if third-party transceivers are used.<br />
Please contact <strong>Juniper</strong> <strong>Networks</strong> for the correct transceiver part number for your device.<br />
Related<br />
Documentation<br />
• New Features in Junos OS <strong>Release</strong> 11.4 for High-End SRX Series Services Gateways on<br />
page 417<br />
• Errata and Changes in Documentation for Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 482<br />
• Changes in Default Behavior and Syntax in Junos OS <strong>Release</strong> 11.4 for High-End SRX<br />
Series Services Gateways on page 436<br />
494<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Junos OS Documentation and <strong>Release</strong> <strong>Notes</strong><br />
Junos OS Documentation and <strong>Release</strong> <strong>Notes</strong><br />
Documentation Feedback<br />
For a list of related Junos OS documentation, see<br />
http://www.juniper.net/techpubs/software/junos/.<br />
If the information in the latest release notes differs from the information in the<br />
documentation, follow the Junos OS <strong>Release</strong> <strong>Notes</strong>.<br />
To obtain the most current version of all <strong>Juniper</strong> <strong>Networks</strong> ® technical documentation,<br />
see the product documentation page on the <strong>Juniper</strong> <strong>Networks</strong> website at<br />
http://www.juniper.net/techpubs/.<br />
<strong>Juniper</strong> <strong>Networks</strong> supports a technical book program to publish books by <strong>Juniper</strong> <strong>Networks</strong><br />
engineers and subject matter experts with book publishers around the world. These<br />
books go beyond the technical documentation to explore the nuances of network<br />
architecture, deployment, and administration using the Junos operating system (Junos<br />
OS) and <strong>Juniper</strong> <strong>Networks</strong> devices. In addition, the <strong>Juniper</strong> <strong>Networks</strong> Technical Library,<br />
published in conjunction with O'Reilly Media, explores improving network security,<br />
reliability, and availability using Junos OS configuration techniques. All the books are for<br />
sale at technical bookstores and book outlets around the world. The current list can be<br />
viewed at http://www.juniper.net/books.<br />
We encourage you to provide feedback, comments, and suggestions so that we can<br />
improve the documentation. You can send your comments to<br />
techpubs-comments@juniper.net, or fill out the documentation feedback form at<br />
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include<br />
the following information with your comments:<br />
• Document name<br />
• Document part number<br />
• Page number<br />
• Software release version<br />
Requesting Technical Support<br />
Technical product support is available through the <strong>Juniper</strong> <strong>Networks</strong> Technical Assistance<br />
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,<br />
or are covered under warranty, and need postsales technical support, you can access<br />
our tools and resources online or open a case with JTAC.<br />
• JTAC policies—For a complete understanding of our JTAC procedures and policies,<br />
review the JTAC User Guide located at<br />
http://www.juniper.net/customers/support/downloads/710059.pdf.<br />
• Product warranties—For product warranty information, visit<br />
http://www.juniper.net/support/warranty/.<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
495
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,<br />
7 days a week, 365 days a year.<br />
Self-Help Online Tools and Resources<br />
For quick and easy problem resolution, <strong>Juniper</strong> <strong>Networks</strong> has designed an online<br />
self-service portal called the Customer Support Center (CSC) that provides you with the<br />
following features:<br />
• Find CSC offerings: http://www.juniper.net/customers/support/<br />
• Search for known bugs: http://www2.juniper.net/kb/<br />
• Find product documentation: http://www.juniper.net/techpubs/<br />
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/<br />
• Download the latest versions of software and review release notes:<br />
http://www.juniper.net/customers/csc/software/<br />
• Search technical bulletins for relevant hardware and software notifications:<br />
https://www.juniper.net/alerts/<br />
• Join and participate in the <strong>Juniper</strong> <strong>Networks</strong> Community Forum:<br />
http://www.juniper.net/company/communities/<br />
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/<br />
To verify service entitlement by product serial number, use our Serial Number Entitlement<br />
(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.<br />
Opening a Case with JTAC<br />
You can open a case with JTAC on the Web or by telephone.<br />
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .<br />
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).<br />
For international or direct-dial options in countries without toll-free numbers, visit us at<br />
http://www.juniper.net/support/requesting-support.html.<br />
If you are reporting a hardware or software problem, issue the following command from<br />
the CLI before contacting support:<br />
user@host> request support information | save filename<br />
To provide a core file to <strong>Juniper</strong> <strong>Networks</strong> for analysis, compress the file with the gzip<br />
utility, rename the file to include your company name, and copy it to<br />
ftp.juniper.net:pub/incoming. Then send the filename, along with software version<br />
information (the output of the show version command) and the configuration, to<br />
support@juniper.net. For documentation issues, fill out the bug report form located at<br />
https://www.juniper.net/cgi-bin/docbugreport/.<br />
496<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.
Requesting Technical Support<br />
Revision History<br />
05 March 2013—Revision 1, Junos OS 11.4.R7<br />
31 January 2013—Revision 4, Junos OS 11.4.R6<br />
08 January 2013—Revision 3, Junos OS 11.4.R6<br />
13 December 2012—Revision 2, Junos OS 11.4.R6<br />
04 December 2012—Revision 1, Junos OS 11.4.R6<br />
23 October 2012—Revision 23, Junos OS 11.4.R5<br />
27 September 2012—Revision 22, Junos OS 11.4.R5<br />
18 September 2012—Revision 21, Junos OS 11.4.R5<br />
31 August 2012—Revision 20, Junos OS 11.4.R5<br />
02 August 2012—Revision 19, Junos OS 11.4.R4<br />
26 July 2012—Revision 18, Junos OS 11.4.R4<br />
19 July 2012—Revision 17, Junos OS 11.4.R4<br />
05 July 2012—Revision 16, Junos OS 11.4.R4<br />
29 May 2012—Revision 15, Junos OS 11.4.R3<br />
18 May 2012—Revision 14, Junos OS 11.4.R3<br />
05 April 2012—Revision 13, Junos OS 11.4.R2<br />
29 March 2012—Revision 12, Junos OS 11.4.R2<br />
27 March 2012—Revision 11, Junos OS 11.4.R2<br />
22 March 2012—Revision 10, Junos OS 11.4.R2<br />
10 January 2012—Revision 9, Junos OS 11.4.R1 Phase 2<br />
27 December 2011—Revision 8, Junos OS 11.4.R1 Phase 2<br />
22 December 2011—Revision 7, Junos OS 11.4.R1 Phase 2<br />
21 December 2011—Revision 6, Junos OS 11.4.R1 Phase 2<br />
8 December 2011—Revision 5, Junos OS 11.4.R1 Phase 1<br />
6 December 2011—Revision 4, Junos OS 11.4.R1 Phase 1<br />
1 December 2011—Revision 3, Junos OS 11.4.R1 Phase 1<br />
21 November 2011—Revision 2, Junos OS 11.4.R1 Phase 1<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.<br />
497
Junos OS 11.4 <strong>Release</strong> <strong>Notes</strong><br />
17 November 2011—Revision 1, Junos OS 11.4.R1 Phase 1<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc. All rights reserved.<br />
<strong>Juniper</strong> <strong>Networks</strong>, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of <strong>Juniper</strong> <strong>Networks</strong>, Inc. in the United<br />
States and other countries. The <strong>Juniper</strong> <strong>Networks</strong> Logo, the Junos logo, and JunosE are trademarks of <strong>Juniper</strong> <strong>Networks</strong>, Inc. All other<br />
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.<br />
<strong>Juniper</strong> <strong>Networks</strong> assumes no responsibility for any inaccuracies in this document. <strong>Juniper</strong> <strong>Networks</strong> reserves the right to change, modify,<br />
transfer, or otherwise revise this publication without notice.<br />
Products made or sold by <strong>Juniper</strong> <strong>Networks</strong> or components thereof might be covered by one or more of the following patents that are<br />
owned by or licensed to <strong>Juniper</strong> <strong>Networks</strong>: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,<br />
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.<br />
498<br />
Copyright © 2013, <strong>Juniper</strong> <strong>Networks</strong>, Inc.