Junos OS 10.4 Release Notes

Release 10.4R2
11 February 2011
Revision 6

These release notes accompany Release 10.4R2 of the Junos operating system (Junos OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Switches.

You can also find these release notes on the Juniper Networks Junos OS Documentation Web page, which is located at http://www.juniper.net/techpubs/software/junos.

Contents

Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers ...... 6
  New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ...... 6
    Class of Service ...... 6
    Interfaces and Chassis ...... 9
    Junos OS XML API and Scripting ...... 15
    Layer 2 Ethernet Services ...... 18
    MPLS Applications ...... 19
    Multicast ...... 19
    MX Series ...... 19
    Routing Policy and Firewall Filters ...... 21
    Routing Protocols ...... 21
    Services Applications ...... 23
    Subscriber Access Management ...... 28
    System Logging ...... 39
    VPNs ...... 40
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ...... 42
    Class of Service ...... 42
    Forwarding and Sampling ...... 43
    Interfaces and Chassis ...... 43
    Junos OS XML API and Scripting ...... 45
    MPLS Application ...... 46
    Platform and Infrastructure ...... 47
    Routing Protocols ...... 47

Copyright © 2011, Juniper Networks, Inc. 1


    Services Applications ...... 49
    Subscriber Access Management ...... 51
    User Interface and Configuration ...... 53
    VPNs ...... 54
  Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ...... 55
    Current Software Release ...... 55
    Previous Releases ...... 67
  Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ...... 77
    Changes to the Junos OS Documentation Set ...... 77
    Errata ...... 79
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers ...... 83
    Basic Procedure for Upgrading to Release 10.4 ...... 83
    Upgrading a Router with Redundant Routing Engines ...... 86
    Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1 ...... 86
    Upgrading the Software for a Routing Matrix ...... 88
    Upgrading Using ISSU ...... 89
    Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR ...... 89
    Upgrade Policy for Junos OS Extended End-Of-Life Releases ...... 90
    Downgrade from Release 10.4 ...... 91
Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers ...... 92
  New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 92
    Software Features ...... 93
    Hardware Features—SRX210, SRX220, and SRX240 Services Gateways ...... 115
    Hardware Features—SRX220 Services Gateway with Power Over Ethernet ...... 116
    Hardware Features—SRX1400 Services Gateway ...... 119
    Hardware Features—SRX3400 and SRX3600 Services Gateways ...... 122
    Advertising Bandwidth for Neighbors on a Broadcast Link Support ...... 123
    Group VPN Interoperability with Cisco’s GET VPN ...... 123
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 124
    Application Identification ...... 125
    Application Layer Gateways (ALGs) ...... 126
    AppSecure ...... 126
    Chassis Cluster ...... 126
    Command-Line Interface (CLI) ...... 127
    Configuration ...... 129
    Dynamic VPN ...... 130
    Flow and Processing ...... 130
    Installation ...... 132
    Integrated Convergence Services ...... 132


    Interfaces and Routing ...... 132
    Intrusion Detection and Prevention (IDP) ...... 133
    J-Web ...... 134
    Management and Administration ...... 136
    Multilink ...... 137
    Power over Ethernet (PoE) ...... 138
    Security ...... 138
    Virtual LANs (VLANs) ...... 138
    Wireless LAN (WLAN) ...... 139
    Unsupported CLI ...... 139
      Accounting-Options Hierarchy ...... 139
      AX411 Access Point Hierarchy ...... 139
      Chassis Hierarchy ...... 139
      Class-of-Service Hierarchy ...... 140
      Ethernet-Switching Hierarchy ...... 140
      Firewall Hierarchy ...... 140
      Interfaces CLI Hierarchy ...... 140
      Protocols Hierarchy ...... 144
      Routing Hierarchy ...... 145
      Services Hierarchy ...... 145
      SNMP Hierarchy ...... 145
      System Hierarchy ...... 146
      IPv6 and MVPN CLI ...... 146
  Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 148
    AppSecure ...... 148
    Chassis Cluster ...... 148
    Command-Line Interface (CLI) ...... 149
    DOCSIS Mini-PIM ...... 150
    Dynamic Host Configuration Protocol (DHCP) ...... 150
    Dynamic VPN ...... 150
    Flow and Processing ...... 150
    Hardware ...... 151
    Interfaces and Routing ...... 152
    Intrusion Detection and Prevention (IDP) ...... 154
    IPv6 support ...... 154
    J-Web ...... 154
    NetScreen-Remote ...... 155
    Network Address Translation (NAT) ...... 155
    Point-to-Point Protocol over Ethernet (PPPoE) ...... 156
    Security ...... 156
    SNMP ...... 156
    Switching ...... 156
    Unified Threat Management (UTM) ...... 157
    VPNs ...... 157
    Wireless LAN (WLAN) ...... 157



  Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 158
    Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 158
    Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 175
  Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 178
    Changes to the Junos OS Documentation Set ...... 178
    Errata for the Junos OS Documentation ...... 179
    Errata for the Junos OS Hardware Documentation ...... 186
  Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 189
    Transceiver Compatibility for SRX Series and J Series Devices ...... 189
    Power and Heat Dissipation Requirements for J Series PIMs ...... 189
    Supported Third-Party Hardware ...... 190
    J Series CompactFlash and Memory Requirements ...... 190
    Maximizing ALG Sessions ...... 191
    Integrated Convergence Services Not Supported ...... 192
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ...... 192
    Upgrade Policy for Junos OS Extended End-Of-Life Releases ...... 192
Junos OS Release Notes for EX Series Switches ...... 194
  New Features in Junos OS Release 10.4 for EX Series Switches ...... 194
    Hardware ...... 194
    Bridging, VLANs, and Spanning Trees ...... 195
    Class of Service (CoS) ...... 195
    Fibre Channel over Ethernet ...... 195
    High Availability ...... 195
    Infrastructure ...... 195
    Management and RMON ...... 195
    Packet Filters ...... 196
    Virtual Chassis ...... 196
  Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches ...... 196
    Bridging, VLANs, and Spanning Trees ...... 196
    Class of Service ...... 196
  Limitations in Junos OS Release 10.4 for EX Series Switches ...... 197
    Access Control and Port Security ...... 197
    Bridging, VLANs, and Spanning Trees ...... 197
    Class of Service ...... 198
    Ethernet Switching ...... 198
    Firewall Filters ...... 198
    Hardware ...... 198
    High Availability ...... 199
    Infrastructure ...... 199
    Interfaces ...... 200
    J-Web Interface ...... 201
    Layer 2 and Layer 3 Protocols ...... 201


    Spanning Tree Protocols ...... 201
    Virtual Chassis ...... 201
  Outstanding Issues in Junos OS Release 10.4 for EX Series Switches ...... 202
    Access Control and Port Security ...... 202
    Bridging, VLANs, and Spanning Trees ...... 202
    Ethernet Switching ...... 202
    Firewall Filters ...... 203
    Hardware ...... 203
    Infrastructure ...... 203
    J-Web Interface ...... 204
    Layer 2 and Layer 3 Protocols ...... 205
    Management and RMON ...... 206
    Virtual Chassis ...... 206
  Resolved Issues in Junos OS Release 10.4 for EX Series Switches ...... 206
    Access Control and Port Security ...... 207
    Ethernet Switching ...... 207
    Hardware ...... 207
    Infrastructure ...... 207
    Interfaces ...... 208
    J-Web Interface ...... 209
    Layer 2 and Layer 3 Protocols ...... 210
    Management and RMON ...... 210
    Virtual Chassis ...... 210
  Errata in Documentation for Junos OS Release 10.4 for EX Series Switches ...... 210
    J-Web Interface ...... 210
    Virtual Chassis ...... 211
  Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches ...... 211
    Upgrading Software ...... 211
    Upgrade Policy for Junos OS Extended End-Of-Life Releases ...... 212
    Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches ...... 213
    Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches ...... 213
Junos OS Documentation and Release Notes ...... 214
  Documentation Feedback ...... 214
  Requesting Technical Support ...... 214
Revision History ...... 216



Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers

• New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 42

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55

• Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 77

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 83

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.

Class of Service

• Hierarchical policer functionality extended to Modular Interface Cards (MICs) (MX Series routers)—Provides hierarchical policer feature parity with Enhanced Intelligent Queuing (IQE) PICs. This is useful in provider edge applications using aggregate policing for general traffic and when applying a separate policer for premium traffic on a logical or physical interface.

Hierarchical policing on MICs supports the following features:

• Ingress traffic is first classified into premium and non-premium traffic before a policer is applied.

• The hierarchical policer contains two policers: premium and aggregate.

Premium traffic is policed by both the premium policer and the aggregate policer. While the premium policer rate-limits premium traffic, the aggregate policer only decrements the credits but does not drop packets. Non-premium traffic is rate-limited by the aggregate policer only, resulting in the following behavior:

• Premium traffic is assured to have the bandwidth configured for the premium policer.

• Non-premium traffic is policed to the specified rate limit.

For a list of supported MICs, refer to: http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-supported.html.

The logical-interface-policer and physical-interface-policer statements provide additional hierarchical policer parameters beyond those of the IQE PICs.

You can apply the policer at the inet, inet6, or mpls family level, as follows:

[edit interfaces ge-0/1/0 unit 0 family (inet | inet6 | mpls)]
input-hierarchical-policer Test-HP;



By making a hierarchical policer a logical-interface-policer, you can achieve aggregation within a logical interface. A hierarchical policer configured as a physical-interface-policer supports aggregation within a physical interface. Note that you still apply the hierarchical policer under each family of the interface, and traffic of the families that do not have the hierarchical policer is not policed. This is different from IQE PICs, where you apply a hierarchical policer at the logical or physical interface.

For hierarchical policing of all traffic through a logical interface, a hierarchical policer can be made a logical-interface-policer and applied to all families in the logical interface. Similarly, you can achieve aggregation at the physical interface level.

[Network Interfaces, Class of Service, Policy]
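The premium/aggregate interaction described above (premium traffic is dropped only by the premium policer but still consumes aggregate credits; non-premium traffic is limited by the aggregate alone) is easy to misread, so here is a token-bucket model of it. This is an added example written for these notes, not Junos code; the rates (1 Mbps premium, 2 Mbps aggregate), burst sizes, and the fixed 1000-byte packet size are constructed values chosen so the run is reproducible with integer arithmetic.

```python
"""Token-bucket model of a two-level (premium + aggregate) hierarchical policer.

Added example, not Junos code. Rates are in bytes per 1 ms tick and bursts in
bytes (constructed values); 1 Mbps = 125 bytes/ms, 2 Mbps = 250 bytes/ms.
"""


class TokenBucket:
    """Single-rate token bucket: refill `rate` bytes per tick, capped at `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = burst          # starts full, like a freshly committed policer

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def conform(self, nbytes):
        """Rate-limit decision: consume credits and accept, or reject (drop)."""
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False

    def charge(self, nbytes):
        """Decrement credits with no drop decision (never below zero)."""
        self.tokens = max(0, self.tokens - nbytes)


class HierarchicalPolicer:
    """Premium traffic is policed by the premium bucket and only *charged* to the
    aggregate bucket; non-premium traffic is policed by the aggregate bucket only."""

    def __init__(self, premium, aggregate):
        self.premium = premium
        self.aggregate = aggregate

    def tick(self):
        self.premium.refill()
        self.aggregate.refill()

    def police(self, nbytes, is_premium):
        """Return True if the packet is forwarded, False if it is dropped."""
        if is_premium:
            accepted = self.premium.conform(nbytes)
            if accepted:
                # Forwarded premium bytes eat into the aggregate budget, so
                # non-premium traffic only gets what premium leaves over.
                self.aggregate.charge(nbytes)
            return accepted
        return self.aggregate.conform(nbytes)


def simulate(ticks=1000, pkt=1000, offer_premium=True, offer_nonpremium=True):
    """Offer one premium and/or one non-premium 1000-byte packet per 1 ms tick
    (8 Mbps each) against a 1 Mbps premium / 2 Mbps aggregate policer.
    Returns forward/drop packet counts per class."""
    hp = HierarchicalPolicer(premium=TokenBucket(rate=125, burst=1500),
                             aggregate=TokenBucket(rate=250, burst=3000))
    stats = {"premium_fwd": 0, "premium_drop": 0,
             "nonpremium_fwd": 0, "nonpremium_drop": 0}
    for _ in range(ticks):
        hp.tick()
        if offer_premium:
            key = "premium_fwd" if hp.police(pkt, True) else "premium_drop"
            stats[key] += 1
        if offer_nonpremium:
            key = "nonpremium_fwd" if hp.police(pkt, False) else "nonpremium_drop"
            stats[key] += 1
    return stats


if __name__ == "__main__":
    both = simulate()
    premium_alone = simulate(offer_nonpremium=False)
    nonpremium_alone = simulate(offer_premium=False)
    print("both classes offered:", both)
    print("premium alone forwarded:", premium_alone["premium_fwd"])
    print("non-premium alone forwarded:", nonpremium_alone["nonpremium_fwd"])
    # Premium forwards the same ~1 Mbps whether or not non-premium floods the
    # aggregate; non-premium is squeezed from ~2 Mbps down to what premium leaves.
```

Over the one-second run, premium forwards 126 packets with or without competing non-premium traffic, while non-premium drops from 252 forwarded packets alone to 126 once premium takes its share of the aggregate.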

• DSCP classification for VPLS at the ingress PE (M320 with Enhanced Type III FPC and M120)—Enables you to configure DSCP classification for VPLS at an ingress PE for encapsulation types vlan-vpls (IQ2 or IQ2E PICs) or ATM II IQ PIC. To configure, define the DSCP classifier at the [edit class-of-service classifiers dscp dscp-name] hierarchy level and apply the DSCP classifier at the [edit interfaces at-fpc/pic/port unit logical-unit-number classifiers] hierarchy level. The ATM interface must be included in the routing instance.

[Class of Service]

• Traffic Control Profile (TCP) support at the FRF.16 physical interface level—FRF.16 bundle interfaces support multiple data-link connection identifiers (DLCIs). The bandwidth of each of these DLCIs was previously limited to one of the following:

• An aggregate value based on the number of DLCIs under the FRF.16 interface

• A specific percentage through a traffic control profile (TCP) configuration applied at the logical interface level

When there is a small proportion of traffic or no traffic on an individual DLCI, the respective member link interface bandwidth is underutilized. Support for TCP features on the FRF.16 bundle (physical) interface level in Junos OS Release 10.4R2 addresses this limitation. The supported features include:

• Peak Information Rate (PIR)

• scheduler-map

• delay-buffer

To enable traffic control profiles to be applied at FRF.16 bundle (physical) interface level, disable the per-unit scheduler, which is enabled by default, by including the no-per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level.

To specify traffic control profile features applicable to FRF.16 bundle physical interfaces, include the shaping-rate, delay-buffer-rate, and scheduler-map statements at the [edit class-of-service traffic-control-profiles profile-name] hierarchy level. The shaping-rate and delay-buffer-rate must be specified as a percentage.

To apply the TCP configuration to an FRF.16 bundle (physical) interface, include the output-traffic-control-profile statement at the [edit class-of-service interfaces interface-name] hierarchy level.



To view the TCP configuration for an FRF.16 bundle, enter the show class-of-service traffic-control-profile command.

user@host> show class-of-service traffic-control-profile
Traffic control profile: lsq-2/1/0:0, Index: 35757
  Shaping rate: 30 percent
  Scheduler map: sched_0
  Delay Buffer rate: 30 percent

The following is a complete configuration example:

interfaces {
    lsq-0/2/0:0 {
        no-per-unit-scheduler;
        encapsulation multilink-frame-relay-uni-nni;
        unit 0 {
            dlci 100;
            family inet {
                address 18.18.18.2/24;
            }
        }
    }
}
class-of-service {
    traffic-control-profiles {
        rlsq_tc {
            scheduler-map rlsq;
            shaping-rate percent 60;
            delay-buffer-rate percent 10;
        }
    }
    interfaces {
        lsq-0/2/0:0 {
            output-traffic-control-profile rlsq_tc;
        }
    }
    scheduler-maps {
        rlsq {
            forwarding-class best-effort scheduler rlsq_scheduler;
            forwarding-class expedited-forwarding scheduler rlsq_scheduler1;
        }
    }
    schedulers {
        rlsq_scheduler {
            transmit-rate percent 20;
            priority low;
        }
        rlsq_scheduler1 {
            transmit-rate percent 40;
            priority high;
        }
    }
}



[Class of Service]

Interfaces and Chassis

• Extend support for 64-bit Junos OS to include RE-1800 Series Routing Engines (M120, M320, MX960, MX480, and MX240 routers)—Supported Routing Engines include:

• RE-1800x2-A—Supports 64-bit Junos OS on M120 and M320 routers.

• RE-1800x2-S—Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.

• RE-1800x4-S—Supports 64-bit Junos OS on MX240, MX480, and MX960 routers.

[System Basics]

• Ethernet encapsulation for ATM scheduler (M7i, M10i, M120, and M320 [with Enhanced III FPC] routers)—Enables support for the configuration of an ATM scheduler map on an Ethernet VPLS over a bridged ATM interface.

[Network Interfaces]

• Synchronous Ethernet (SyncE) on MX80 routers and MX Series routers with MPCs—Supports the Ethernet synchronization messaging channel (ESMC), G.8264-like clock selection mechanism, and external clocking on MX80 routers and MX Series routers with MPCs. Wireless backhaul and wireline transport services are the primary applications for these features.

The following features are supported:

• SyncE based on G.8261 and G.8262 on MX80 routers and on MX Series routers with MPCs. This feature does not work on the fixed-configuration version of the MX80 router.

• All Ethernet-type ports are supported on MX80 routers and MX Series routers with MPCs.

• ESMC support as per G.8264

• CLI command selection of clock sources

• Monitoring clock sources (maximum of two clock sources can be monitored simultaneously)

• Revertive and nonrevertive modes

To configure SyncE, include the synchronization statement and its substatements at the [edit chassis] hierarchy level.

[Network Interfaces, Interfaces Command Reference]

• Enhanced container interface allows ATM children for containers—M Series and T Series routers with ATM2 PICs automatically copy the parent container interface configuration to the children interfaces. Container interfaces do not go down during APS switchovers, thereby shielding upper layers. This feature allows the various ATM features to work over the container ATM for APS.



To specify ATM children within a container interface, use the container-list cin statement and the (primary | standby) option at the [edit interfaces at-fpc/pic/slot container] hierarchy level.

To configure a container interface, including its children, use the cin statement and its options at the [edit interfaces ci-n] hierarchy level.

Container ATM APS does not support inter-chassis APS. MLPPP over ATM CI is also not supported.

[Network Interfaces]

• Signaling neighboring routers of fabric down on T1600 and T640 routers—The signaling of neighboring routers is supported when a T640 or T1600 router is unable to carry traffic due to all fabric planes being taken offline for one of the following reasons:

• CLI or offline button pressed

• Automatically taken offline by the SPMB due to high temperature.

• PIO errors and voltage errors detected by the SPMB CPU to the SIBs.

The following scenarios are not supported by this feature:

• All PFEs get destination errors on all planes to all destinations, even with the SIBs staying online.

• Complete fabric loss caused by destination timeouts, with the SIBs still online.

When chassisd detects that all fabric planes are down, the router reboots all FPCs in the system. When the FPCs come back up, the interfaces will not be created again, since all fabric planes are down.

Once you diagnose and fix the cause of all fabric planes going down, you must then bring the SIBs back online. Bringing the SIBs back online brings up the interfaces.

Fabric down signaling to neighboring routers offers the following benefits:

• FPCs reboot when the control plane connection to the Routing Engine times out.

• Extends a simple approach to reboot FPCs when the dataplane blacks out.

When the router transitions from a state where SIBs are online or spare to a state where no SIBs are online, all the FPCs in the system are rebooted. An ERRMSG indicates if all fabric planes are down, and the FPCs will reboot if any fabric planes do not come up in 2 minutes.

An ERRMSG indicates the reason for FPC reboot on fabric connectivity loss.

The chassisd daemon traces when an FPC comes online, but a PIC attach is not done because no fabric plane is present.

A CLI warning that the FPCs will reboot is issued when the last fabric plane is taken offline.



You will need to bring the SIBs online after determining why the SIBs were not online. When the first SIB goes online, and link training with the FPCs completes, the interfaces will be created.

Fabric down signaling to neighboring routers functionality is available by default, and no user configuration is required to enable it.

No new CLI commands or alarms are introduced for this feature. Alarms are already implemented for when the SIBs are not online.

[Network Interfaces, System Basics]

• New enterprise-specific MIB to support digital optical monitoring (MX960, MX480, MX240, and 10-Gigabit Ethernet LAN/WAN PIC with XFP on T640 and T1600 routers)—Junos OS Release 10.4 introduces JUNIPER-DOM-MIB, a new enterprise-specific MIB to extend MIB support for digital optical monitoring. JUNIPER-DOM-MIB supports the SNMP Get request for statistics and SNMP Trap notifications for alarms.

JUNIPER-DOM-MIB is part of the JUNIPER-SMI MIB hierarchy level.

The following MIB objects are supported by JUNIPER-DOM-MIB for digital optical monitoring:

• jnxDomCurrentTable

• jnxDomAlarmSet

• jnxDomAlarmCleared

[SNMP MIBs and Traps Reference]

• Logging improvements—You can now control logging speed at the interface level. To rate-limit the syslogs generated from a service PIC, include the message-rate-limit statement at the [edit interfaces interface-name services-options syslog] hierarchy level. This option configures the maximum number of syslog messages per second that can be formatted and sent from the PIC to either the Routing Engine (local) or to an external server (remote). The default rates are 10,00 for the Routing Engine and 200,00 for an external server.

[Network Interfaces]

• Support for SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320, MX240, MX480, MX960, T640, and T1600 routers)—Supports a 4-port SONET/SDH OC48 Enhanced IQ (IQE) PIC (Type 3) with per data-link connection identifier (DLCI) queuing. Supported FPCs include T640-FPC3-ES, M320-FPC3-E3, and MX-FPC3. Class of service (CoS) enables enhanced egress queuing, buffering, and traffic shaping.

CoS supports eight queues per logical interface, a per-unit scheduler, and two shaping rates: a Committed Information Rate (CIR) and Peak Information Rate (PIR) per data-link connection identifier (DLCI). Other CoS features include, but are not restricted to, sharing of excess bandwidth among logical interfaces, five levels of priorities (including Strict High), ingress behavior aggregate (BA) classification, queue rate-limit policer, ingress rewrite, egress rewrite, and a forwarding class to queue remapping per DLCI.



The SONET/SDH OC48/STM 16 PIC supports CoS features similar to those in IQ2E PICs, in terms of behavior and configuration statements. This PIC supports the following Layer 2 protocols: PPP, Frame Relay, and Cisco HDLC encapsulations.

For more information, see the PC-4OC48-STM16-IQE-SFP documentation for your router:

• SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T1600 Router)

• SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (T640 Router)

• SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (MX Series Routers)

• SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (M320 Router)

[PIC Guide, Network Interfaces, Class of Service]

• IPv6 statistics from IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers—Support statistical accounting for IPv6 traffic traversing the IQ2 and IQ2E PICs on M320 routers with Enhanced III FPCs and T Series routers.

For IQ2 and IQ2E PIC interfaces, the IPv6 traffic that is reported will be the total statistics (sum of local and transit IPv6 traffic) in the ingress and egress direction. The IPv6 traffic in the ingress direction will be accounted separately only if the IPv6 family is configured for the logical interface.

Statistics are maintained for routed IPv6 packets in the egress direction.

Byte and packet counters are maintained in the ingress and egress direction.

Differences in IPv6 statistics for IQ2 interfaces and all other interfaces are as follows:

• IQ2 and IQ2E PIC interfaces report the total statistics for the IPv6 traffic. For other interfaces, the transit statistics are reported.

• IQ2 and IQ2E PIC interfaces report all IPv6 traffic received on the logical interface. For all other interfaces, only the routed traffic is accounted.

• IQ2 and IQ2E PIC interfaces report IPv6 statistics for the Layer 2 frame size. For all other interfaces, the Layer 3 packet size is accounted.

The IPv6 statistics can be viewed by logging in to the individual IQ2 PIC or IQ2E PIC, or by using the CLI.

Local statistics are not accounted separately.

To display total IPv6 statistics for IQ2 and IQ2E PICs, use the show interfaces extensive command.

NOTE: The reported IPv6 statistics do not account for the traffic manager drops in egress direction or the Packet Forwarding Engine/traffic manager drops in the ingress direction. Transit statistics are not accounted separately because the IQ2 and IQ2E PICs cannot differentiate between transit and local statistics.



[Network Interfaces]

• 100-Gigabit Ethernet PIC interoperability with VLAN steering—Supports interoperability with similar PICs from other vendors using a VLAN steering forwarding option. Previously, the PICs required interconnection to the same model PIC. Interoperability with interfaces from other vendors was not supported. Junos OS Release 10.4 introduces a new VLAN steering algorithm to configure 100-Gigabit Ethernet PIC interoperation with similar interfaces from other vendors.

Two packet forwarding modes exist under the forwarding-mode statement. SA multicast mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs, uses the Ethernet header SA MAC address multicast bit to steer the packets to the appropriate PFE. VLAN steering mode allows the PIC to connect to non-Juniper Networks equipment. On ingress, the PIC compares the outer VLAN ID against a user-defined VLAN ID and VLAN mask combination and steers the packet accordingly. Modifying the forwarding mode config reboots the PIC.

VLAN steering overview:

• In VLAN steering mode, the SA multicast bit is not used for packet steering.

• In SA multicast bit steering mode, VLAN ID and VLAN mask configuration is not used for packet steering.

• Configuration of packet forwarding mode and VLAN steering mode uses CLI commands that result in a PIC reboot.

• There are three tag types for ingress packets:

• Untagged ingress packet–The packet is sent to PFE1.

• Ingress packet with one VLAN–The packet forwards based on the VLAN ID.

• Ingress packet with two VLANs–The packet forwards based on the outer VLAN ID.

• VLAN rules describe how the router forwards packets. For VLAN steering, you must use one of the two rules available in the CLI:

• Odd-even rule–Odd number VLAN IDs go to PFE1; even number VLAN IDs go to PFE0.

• High-low rule–1 through 2047 VLAN IDs go to PFE0; 2048 through 4096 VLAN IDs go to PFE1.

• When configured in VLAN steering mode, the PIC can be configured in two physical interface mode or in aggregated Ethernet (AE) mode:

• Two physical interface mode–When the PIC is in two physical interface mode, it creates physical interfaces et-x/0/0:0 and et-x/0/0:1. Each physical interface can configure its own logical interface and VLAN. CLI enforces the following restrictions on commit:

• The VLAN ID configuration must comply with the selected VLAN rule.



• The previous restriction implies that the same VLAN ID cannot be configured on both physical interfaces.

• AE mode–In AE mode, the two physical interfaces on the same PIC are aggregated into one AE physical interface. PIC egress traffic is based on the AE internal hash algorithm. PIC ingress traffic steering is based on the customized VLAN ID rule. CLI enforces the following restrictions on commit:

• The PIC AE working in VLAN steering mode includes both links of this PIC, and only the links of this PIC.

• The PIC AE working in SA multicast steering mode can include more than one PIC to achieve more than 100-gigabit capacity.

To configure the PIC forwarding mode, include the forwarding-mode statement and its options at the [edit chassis fpc number pic number] hierarchy level.

[Network Interfaces]
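The steering rules and commit-time restrictions above are spelled out in prose only; the following added example (written for these notes, not Juniper code) models them so the edge cases can be checked: untagged frames, double-tagged frames (outer tag decides), the 2047/2048 boundary of the high-low rule, and the two-physical-interface commit check. One assumption the page does not state is the mapping et-x/0/0:0 <-> PFE0 and et-x/0/0:1 <-> PFE1 used by the commit check.

```python
"""Model of 100-Gigabit Ethernet PIC VLAN steering (odd-even and high-low rules)
and the commit check for two-physical-interface mode.

Added example, not Junos code. Assumption (not on the page): et-x/0/0:0 is
served by PFE0 and et-x/0/0:1 by PFE1.
"""

RULES = ("odd-even", "high-low")
INTERFACE_PFE = {"et-x/0/0:0": 0, "et-x/0/0:1": 1}   # assumed mapping


def steer(vlan_tags, rule):
    """Return the PFE (0 or 1) an ingress frame is steered to.

    vlan_tags lists the frame's VLAN IDs outermost first: [] for untagged,
    [outer] for single-tagged, [outer, inner] for double-tagged frames.
    """
    if rule not in RULES:
        raise ValueError("unknown VLAN rule: %r" % (rule,))
    if not vlan_tags:
        return 1                        # untagged frames always go to PFE1
    outer = vlan_tags[0]                # only the outer VLAN ID is consulted
    if rule == "odd-even":
        return 1 if outer % 2 else 0    # odd -> PFE1, even -> PFE0
    return 0 if outer <= 2047 else 1    # high-low: 1..2047 -> PFE0, 2048.. -> PFE1


def check_two_interface_config(rule, vlans_on_unit0, vlans_on_unit1):
    """Commit check for two-physical-interface mode.

    Every VLAN ID configured on a physical interface must steer, under the
    selected rule, to the PFE that serves that interface. Returns a list of
    error strings; an empty list means the configuration would commit.
    """
    errors = []
    configured = {"et-x/0/0:0": vlans_on_unit0, "et-x/0/0:1": vlans_on_unit1}
    for ifname, vlans in configured.items():
        pfe = INTERFACE_PFE[ifname]
        for vid in vlans:
            target = steer([vid], rule)
            if target != pfe:
                errors.append("%s: VLAN ID %d steers to PFE%d under the %s rule, "
                              "but this interface is served by PFE%d"
                              % (ifname, vid, target, rule, pfe))
    # A VLAN ID steers to exactly one PFE, so the same ID on both interfaces
    # can never comply with the rule; report it explicitly as well.
    for vid in sorted(set(vlans_on_unit0) & set(vlans_on_unit1)):
        errors.append("VLAN ID %d is configured on both physical interfaces" % vid)
    return errors


if __name__ == "__main__":
    # Constructed frames: untagged, single-tagged, double-tagged.
    for tags in ([], [100], [101], [2047], [2048], [7, 3000]):
        print(tags, "odd-even -> PFE%d" % steer(tags, "odd-even"),
              "high-low -> PFE%d" % steer(tags, "high-low"))
    # Constructed configurations: one that commits, one that is rejected.
    print(check_two_interface_config("odd-even", [100, 200], [101, 201]))
    for err in check_two_interface_config("high-low", [100, 3000], [3000]):
        print("commit error:", err)
```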

• New control queue disable feature (T Series routers with 10-Gigabit Ethernet PIC with oversubscription)—Provides a new CLI statement for disabling the control queue feature for the 10-Gigabit Ethernet PIC with oversubscription. To disable the control queue, use the no-pre-classifier statement at the [chassis] hierarchy level.

When the no-pre-classifier statement is set, the control queue feature will be disabled for all ports on that 10-Gigabit Ethernet PIC with oversubscription. Deleting this configuration results in the control queue feature being re-enabled on all the ports of that PIC.

[edit chassis]
fpc 2 {
    pic 0 {
        no-pre-classifier;
    }
}

NOTE: 1. This feature is applicable in both oversubscribed and line-rate modes.

2. The control queue feature is enabled by default in both oversubscribed and line-rate modes, which can be overridden by the user configuration.

3. CLI show commands remain unchanged. When the control queue is disabled, various show queue commands continue to show the control queue in the output. However, all control queue counters are reported as zeros.

4. Enabling or disabling the control queue feature results in the PIC being bounced (offline/online).



Once the control queue feature is disabled, then the Layer 2 and Layer 3 control packets are subject to queue selection based on the BA classification. However, the following control protocol packets are not classified using BA classification, as they might not have a VLAN, MPLS, or IP header:

• Untagged ARP packets

• Untagged Layer 2 control packets such as LACP or Ethernet OAM

• Untagged IS-IS packets

When the control queue feature is disabled, untagged ARP/IS-IS and other untagged Layer 2 control packets will go to the restricted queue corresponding to the forwarding class associated with queue 0.

[Network Interfaces]

• Microcode remap (M320 and M120 routers)—M320 routers with E3 type-1 FPCs and M120 routers with a single type-1 FPC mapped to an FEB support a new microcode map that resolves microcode overflow, which otherwise results in bad PIC combinations.

On M320 routers, the new microcode map is enabled by default and is the only option available.

On M120 routers, you can enable the new microcode map by using the ucode-imem-remap statement at the [edit chassis feb slot number] hierarchy level. On M120 routers, the default microcode map remains configured if the ucode-imem-remap statement is not configured.

[edit chassis]
feb slot-number {
    ucode-imem-remap;
}

NOTE: On M120 routers, the FEB is automatically restarted once the ucode-imem-remap statement is configured and committed.

[System Basics]

Junos OS XML API and Scripting

New Junos OS XML API operational request tag elements—Table 1 on page 16 shows the Junos OS Extensible Markup Language (XML) operational request tag elements that are new in Junos OS Release 10.4 along with the corresponding CLI command and response tag element for each one.


Table 1: Junos OS XML Tag Elements and CLI Command Equivalents New in Junos OS Release 10.4

Request Tag Element CLI Command Response Tag Element

request_dhcpv6_server_reconfigure_information
request system license update NONE request_license_update
request system software nonstop-upgrade NONE request_package_nonstop_upgrade
get_amt_statistics show amt statistics
get_amt_summary show amt summary
show amt tunnel get_amt_tunnel_information
show chassis redundant-power-supply get_rps_chassis_information
show chassis routing-engine bios NONE get_bios_version_information
congestion-notification-information> get_cos_congestion_notification_information
show firewall filter version get_firewall_log_information
show ingress-replication get_interface_information
identifier-origin-information> get_isis_context_identifier_origin_information
show isis context-identifier identifier get_isis_database_information
show mpls context-identifier get_mpls_cspf_information
show network-access domain-map statistics get_authentication_pending_table
show ospf context-identifier get_ospf_database_information
show redundant-power-supply led get_rps_power_supply_information
show redundant-power-supply power-supply get_rps_status_information
show redundant-power-supply status get_rps_version_information
show redundant-power-supply version get_rip_general_statistics_information
show security idp policy-commit-status get_idp_policy_template_information
gateway-charging-status> charging statistics get_service_border_signaling_gateway_charging_status
show services border-signaling-gateway get_service_bsg_denied_messages charging status
accounting-statistics-information> get_services_l2tp_radius_accounting_statistics_information
show services sessions get_service_softwire_statistics_information
conversation_information> get_service_sfw_conversation_information
information> get_service_sfw_flow_analysis_information
flow_table_information> get_service_sfw_flow_table_information
information> get_service_sfw_sip_register_information
show synchronous-ethernet esmc statistics get_synchronous_ethernet_esmc-statistics
show synchronous-ethernet esmc transmit
show synchronous-ethernet global-information NONE get_synchronous_ethernet_global_information
processes_information> get_system_resource_cleanup_processes_information
show system relay member get_rollback_information
show system relay summary get_dhcp_binding_information
statistics> clear_synchronous_ethernet_esmc_statistics

Layer 2 Ethernet Services

• Feature support for Trio 3D MPCs and MICs (MX Series routers)—Enables you to configure the following features through Junos OS Release 9.1: load balancing, Ethernet OAM IEEE 802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB support for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming for Inter-AS VPLS, VPLS Ethernet as a core-facing interface, and limitations on next-hop flooding.

[Layer 2 Configuration]

• Ethernet CFM support on Trio 3D MPCs and MICs (MX Series routers)—Enables support for Ethernet connectivity fault management (CFM) defined by IEEE 802.1ag for family bridge interfaces. However, MEP configuration is not supported on aggregated Ethernet interfaces.

[Layer 2 Configuration]


MPLS Applications

• MPLS support on services PICs—Adds MPLS label pop support for services PICs on Junos OS routers. Previously all MPLS traffic would be dropped at the services PIC. No changes are required to CLI configurations for this enhancement. In-service software upgrade (unified ISSU) is supported for tag next hops for MPLS on services PIC traffic, but no support is provided for tags over IPv6 packets or labels on multiple gateways.

[MPLS]

• Adding descriptions for bypass LSPs—You can now add text describing a bypass LSP using the description option at the [edit protocols rsvp interface interface-name link-protection bypass bypass-lsp-name] hierarchy level. Enclose any descriptive text that includes spaces in quotation marks (" "). Any descriptive text you include is displayed in the output of the show rsvp session bypass command and has no effect on the operation of the bypass LSP.

[MPLS]

Multicast

• Nonstop active routing PIM support for IPv6—Starting with Release 10.4, Junos OS extends the nonstop active routing support for Protocol Independent Multicast (PIM), which is already supported on IPv4, to include the IPv6 address families. The extension of nonstop active routing PIM support to IPv6 enables IPv6 routers to maintain self-generation IDs, multicast session states, dynamic interface states, list of neighbors, and RPSets across Routing Engine switchovers.

The nonstop active routing support for PIM on IPv6 is similar to the nonstop active routing PIM support on IPv4 except for the following:

• Nonstop active routing support for PIM on IPv6 supports an embedded rendezvous point (RP) on non-RP routers.

• Nonstop active routing support for PIM on IPv6 does not support auto-RP, as auto-RP is not supported on IPv6.

For more information about nonstop active routing PIM support on IPv4 and IPv6, see the Junos OS High Availability Configuration Guide.

[High Availability, Multicast]

MX Series

• Support for MX Series—While these features have been available on the MX Series routers in the past, we have now qualified the following features on the Trio chipset.

For MPLS, RSVP, and LDP:

• BFD session failure action for LDP LSPs (including ECMP)

• RSVP Graceful Restart interop with Cisco using Nodal Hello support

• Failure action on BFD session down of RSVP LSPs in JUNOS

• RSVP transit


• L3VPN testing using RSVP

• NSR: RSVP ingress

• BFD via LDP

For Multicast:

• OSPF

• OSPF Database Protection

• RFC 4136 OSPF Refresh and Flooding Reduction in Stable Topologies

• PIM SSM in provider space (Draft-Rosen 7)

• NG MVPN - PIM-SSM I-PMSI and deployment scenario testing

• MVPN C-PIM in plain ASM mode

• NGEN MVPN hub and spoke support with GRE S-PMSI transport

• PIM Join suppression support

• Translating PIM states to IGMP/MLD messages

• Disable PIM for IPv6 via CLI

• IPv6 multicast support over L3VPNs

• PIM neighbor should be maintained wherever possible

• Data MDT SAFI (draft-rosen-l3vpn-mvpn-profiles)

• Inter-provider Option A support with Rosen 7

• Rosen 7 interoperability with Cisco IOS

For VPNs:

• VPLS: Configurable label block size (min 2)

• Interoperate LDP-VPLS and BGP-VPLS with FEC 128

• LDP-VPLS

• Interprovider VPLS Option "E": EBGP redistribution of labeled routes

Miscellaneous:

• Support to commit configuration from op/event scripts

• Per PFE per packet load balancing

• Next Hop Handling Enhancements (Phase 3)

• Support local-as alias hidden command


• MIB Enhancements for Manual Bypass Tunnel Management

• ISIS LFA

• Improve IGMPv3 performance using bulk updates

• Improve IGMPv3 performance using bulk updates - with snooping

• Allow ASM group override of SSM ranges

Routing Policy and Firewall Filters

• Point-to-multipoint (P2MP) LSP load balancing across aggregated Ethernet links (M Series except M320)—Enables you to load-balance VPLS multicast and P2MP multicast traffic over link aggregation. This feature also re-load-balances traffic after a change in the next-hop topology. Next-hop topology changes might include but are not limited to:

• Layer 2 membership change in the link aggregation

• Indirect next-hop change

• Composite next-hop change

No new configuration is required to configure this feature. The load balancing over aggregated links is automatically enabled with this release. For a sample topology and configuration example, see Junos OS Policy Framework Configuration Guide.

[Policy]

• New routing policy system log message—Junos OS Release 10.3 supports a new routing policy system log message. The RPD_PLCY_CFG_NH_NETMASK system log message provides information about ignored netmasks. If you have a policy statement with a term that contains a next-hop address with a netmask, the netmask is ignored. The following sample shows the new system log message (depending on your network configuration, the type of message you see might be different):

Jun 18 11:22:43 pro5-d rpd[1403]: RPD_PLCY_CFG_NH_NETMASK: Netmask ignored for next hop: 10.0.0.1/24.

[System Log Messages Reference]

• Support for displaying the firewall filter version information—You can display the version number of the firewall filter installed in the Routing Engine. The initial version number is 1 and increments by one when you modify the firewall filter settings or an associated prefix action. To show the version number of the installed firewall filter, use the show firewall filter version operational mode command.

[Routing Protocols and Policies Command Reference]

Routing Protocols

• Support for disabling traps for passive OSPFv2 interfaces—You can now disable interface state change traps for passive OSPF interfaces. Passive OSPF interfaces advertise address information as an internal OSPF route, but do not run the actual protocol. If you are only interested in receiving notifications for active OSPF interfaces, disabling traps for passive OSPF interfaces reduces the number of notifications received and processed by the SNMP server. This allows you to more quickly and easily scan the logs for potential issues on active OSPF interfaces.

To disable and stop receiving notifications for state changes in a passive OSPF interface, include the no-interface-state-traps statement at the following hierarchy levels:

• [edit logical-systems logical-system-name protocols ospf area area-id interface interface-name]

• [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id interface interface-name]

• [edit protocols ospf area area-id interface interface-name]

• [edit routing-instances routing-instance-name protocols ospf area area-id interface interface-name]

[Routing Protocols]

• Behavior change for BGP-independent AS domains—Independent domains use the transitive path attribute 128 (attribute set) messages to tunnel the independent domain’s BGP attributes through the internal BGP (IBGP) core. In Junos OS Release 10.3 and later, if you have not configured an independent domain in any routing instance, BGP treats the received attribute 128 message as an unknown attribute. The AS path field in the show route command has been updated to display an unrecognized attribute and associated hexadecimal value if you have not configured an independent domain. The following is a sample output of the AS path field (depending on your network configuration, the output might be different):

AS path: [12345] I Unrecognized Attributes: 40 bytes
AS path: Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 02 03 fd e9 fd e9 01 2d 40 05 04 00 00 00 64 c0

[Routing Protocols]
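The bytes the router prints as "Unrecognized Attributes" are the ATTR_SET payload: per RFC 6368, a 4-byte origin AS followed by the ordinary BGP path attributes of the independent domain. The following Python decoder is an added example, not Junos code and not part of the release notes; it takes the sample show route line above (constructed here as SAMPLE_LINE) and recovers the tunnelled origin AS, ORIGIN, AS_PATH and LOCAL_PREF, so an operator can see which local ASs a route carries when reviewing why loop detection hides it. It assumes 2-byte AS numbers in the AS_PATH (falling back to 4-byte if the lengths do not fit) and stops cleanly at the truncated tail of the display.

```python
# Added example: decode the ATTR_SET (path attribute 128) bytes that show route
# prints when no independent domain is configured. Not Junos code.
SAMPLE_LINE = ("AS path: Attr flags e0 code 80: 00 09 eb 1a 40 01 01 00 40 02 08 "
               "02 03 fd e9 fd e9 01 2d 40 05 04 00 00 00 64 c0")  # from the note above

ATTR_SET_CODE = 128
ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
SEGMENT_NAMES = {1: "AS_SET", 2: "AS_SEQUENCE"}


def bytes_from_show_route(line):
    """Return (attribute code, payload bytes) from an 'Attr flags .. code ..:' line."""
    _, _, rest = line.partition("code ")
    code_hex, _, payload = rest.partition(":")
    return int(code_hex, 16), bytes.fromhex(payload.replace(" ", ""))


def _as_path_segments(value, asn_size):
    """Parse AS_PATH segments with the given ASN width; None if lengths do not fit."""
    segments, i = [], 0
    while i < len(value):
        if i + 2 > len(value):
            return None
        seg_type, count = value[i], value[i + 1]
        end = i + 2 + count * asn_size
        if end > len(value):
            return None
        asns = [int.from_bytes(value[j:j + asn_size], "big")
                for j in range(i + 2, end, asn_size)]
        segments.append((SEGMENT_NAMES.get(seg_type, f"TYPE_{seg_type}"), asns))
        i = end
    return segments


def decode_attribute(code, value):
    """Decode the attribute types a loop-detection review cares about; hex for the rest."""
    if code == 1 and len(value) == 1:
        return ("ORIGIN", ORIGIN_NAMES.get(value[0], f"UNKNOWN_{value[0]}"))
    if code == 2:
        # Assumption: 2-byte ASNs unless only the 4-byte layout fits the lengths.
        segs = _as_path_segments(value, 2) or _as_path_segments(value, 4)
        return ("AS_PATH", segs if segs is not None else value.hex())
    if code == 5 and len(value) == 4:
        return ("LOCAL_PREF", int.from_bytes(value, "big"))
    return (f"CODE_{code}", value.hex())


def parse_path_attributes(data):
    """Walk a sequence of BGP path attributes; stop cleanly at a truncated tail."""
    attrs, i = [], 0
    while i < len(data):
        if i + 3 > len(data):
            attrs.append(("TRUNCATED", data[i:].hex()))
            break
        flags, code = data[i], data[i + 1]
        hdr = 4 if flags & 0x10 else 3          # extended-length bit widens the length field
        if i + hdr > len(data):
            attrs.append(("TRUNCATED", data[i:].hex()))
            break
        length = int.from_bytes(data[i + 2:i + hdr], "big")
        value = data[i + hdr:i + hdr + length]
        if len(value) < length:
            attrs.append(("TRUNCATED", data[i:].hex()))
            break
        attrs.append(decode_attribute(code, value))
        i += hdr + length
    return attrs


def parse_attr_set(line):
    """Decode an ATTR_SET payload: origin AS, then the tunnelled path attributes."""
    code, payload = bytes_from_show_route(line)
    if code != ATTR_SET_CODE:
        raise ValueError(f"attribute code {code} is not ATTR_SET (128)")
    return {"origin_as": int.from_bytes(payload[:4], "big"),
            "attributes": parse_path_attributes(payload[4:])}


if __name__ == "__main__":
    print(parse_attr_set(SAMPLE_LINE))
```

On the sample line the decoder reports origin AS 650010 and an AS_SEQUENCE of 65001, 65001, 301 with LOCAL_PREF 100; the display is cut short after 27 of the 40 bytes, which the parser flags as a truncated trailing attribute rather than misreading it.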

• Support for disabling the attribute set messages on independent AS domains for BGP loop detection—BGP loop detection for a specific route uses the local autonomous system (AS) domain for the routing instance. By default, all routing instances belong to a single primary routing instance domain. Therefore, BGP loop detection uses the local ASs configured on all of the routing instances. Depending on your network configuration, this default behavior can cause routes to be looped and hidden.

To limit the local ASs in the primary routing instance, configure an independent AS domain for a routing instance. Independent domains use the transitive path attribute 128 (attribute set) messages to tunnel the independent domain’s BGP attributes through the internal BGP (IBGP) core. If you want to configure independent domains to maintain the independence of local ASs in the routing instance and perform BGP loop detection only for the specified local ASs in the routing instance, disable attribute set messages on the independent domain. To disable attribute set messages, include the independent-domain no-attrset statement at the following hierarchy levels:

• [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options autonomous-system autonomous-system]


• [edit routing-instances routing-instance-name routing-options autonomous-system autonomous-system]

[Routing Protocols]

Services Applications

• NAT-PT with DNS ALG support (M Series and T Series routers)—You can configure Domain Name Service (DNS) application-level gateways (ALGs) using NAT with protocol translation (NAT-PT) for IPv6 to IPv4. The implementation is described in RFC 2766 and RFC 2694.

When you configure NAT-PT with DNS ALG support, you must configure two NAT rules. The first NAT rule ensures that the DNS query and response packets are translated correctly. For this rule to work, you must configure a DNS ALG application and reference it in the rule. The second rule is required to ensure that NAT sessions are destined to the address mapped by the DNS ALG.

• To configure the correct translation of the DNS query and response packets, include the dns-alg-pool dns-alg-pool or dns-alg-prefix dns-alg-prefix statement at the [edit services nat rule rule-name term term-name then translated] hierarchy level.

• To configure the DNS ALG application, include the application application-name statement at the [edit applications] hierarchy level, then reference it at the [edit services nat rule rule-name term term-name from] hierarchy level.

• To configure destination translation with the DNS ALG address map, use the use-dns-map-for-destination-translation statement at the [edit services nat rule rule-name term term-name then translated] hierarchy level. This statement correlates the DNS query or response processing done by the first rule with the actual data sessions processed by the second rule.

You can also control the translation of IPv6 and IPv4 DNS queries in the following ways.

• For translation control of IPv6 DNS queries, use the do-not-translate-AAAA-query-to-A-query statement at the [edit applications application application-name] hierarchy level.

• For translation control of IPv4 queries, use the do-not-translate-A-query-to-AAAA-query statement at the [edit applications application application-name] hierarchy level.

NOTE: The two statements above are mutually exclusive; you can configure only one of them at a time.

To check that the flows are established properly, use the show services stateful-firewall flows command or the show services stateful-firewall conversations command.


[Services Interfaces]

• Enhancements to active flow monitoring—Adds support for extracting bandwidth usage information for billing purposes in PIC-based sampling configurations. This capability is supported on M Series, MX Series, and T Series routers and applies only to IPv4 and IPv6 traffic. It is enabled only at the global instance hierarchy level and is not available for per Packet Forwarding Engine instances. To configure the sampling of traffic for billing purposes, include the template as-peer-billing-template-name statement at the [edit forwarding-options sampling family (inet | inet6) output flow-server server-name version version-number] hierarchy level. To define the peer-AS billing functionality, include the peer-as-billing-template statement at the [edit services flow-monitoring version9 template template-name] hierarchy level. For a list of the template fields, see the Junos OS Services Interfaces Configuration Guide. You can apply the existing destination class usage (DCU) policy option configuration for use with this feature.

In addition, the MPLS top label IP address is added as a new field in the existing MPLS-IPv4 flow template. You can use this field to gather MPLS forwarding equivalence class (FEC)-based traffic information for MPLS network capacity planning. This field (M Series) is a PIC-only feature, applied to sampled traffic and collected by the services PIC or DPC. You can define it for either global or per Packet Forwarding Engine instances for MPLS traffic.

The show services accounting aggregation template operational command has been updated to include new output fields that reflect the additional functionality.

[Services Interfaces, System Basics and Services Command Reference]

• Support for the RPM timestamp on the Services SDK (M Series, MX Series, and T Series)—Real-time performance monitoring (RPM), which has been supported on the Adaptive Services (AS) interface, is now supported by the Services SDK. RPM is supported on all platforms and service PICs that support the Services SDK.

RPM timestamping is needed to account for any latency in packet communications. You can apply timestamps on the client, the server, or both the client and server. RPM timestamping is supported only with the icmp-ping, icmp-ping-timestamp, udp-ping, and udp-ping-timestamp probe types.

To specify the Services SDK interface, include the destination-interface statement at the [edit services rpm probe probe-owner test test-name] hierarchy level:

destination-interface ms-fpc/pic/port.logical-unit-number;

To specify the RPM client router and the RPM server router, include the rpm statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:

rpm (client | server);

To enable RPM on the Services SDK on the AS interface, configure the object-cache-size, policy-db-size, and package statements at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level. For the Services SDK, package-name in the package package-name statement is jservices-rpm.

user@host# show chassis
fpc 1 {
    pic 2 {
        adaptive-services {
            service-package {
                extension-provider {
                    control-cores 1;
                    data-cores 1;
                    object-cache-size 512;
                    policy-db-size 64;
                    package jservices-rpm;
                    syslog daemon any;
                }
            }
        }
    }
}

[Services Interfaces]

• ALGs using Junos OS Services Framework (JSF) (M Series with Multiservices PICs and MX Series with MS DPCs)—Application-level gateways (ALGs) intercept and analyze specified traffic, allocate resources, and define dynamic policies to permit traffic to pass securely through a device. Beginning with Junos OS Release 10.4 on the specified routers, you can use JSF ALGs with the following services:

• Stateful firewall

• Network Address Translation (NAT)

To use JSF to run ALGs, you must configure the jservices-alg package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure the ALG application at the [edit applications application application-name] hierarchy level, and reference the application in the stateful firewall rule or the NAT rule in those respective configurations.

[Services Interfaces]

• Enhancements to port mirroring with next-hop groups (MX Series only)—Adds support for binding up to two port-mirroring instances to the same MX Series Packet Forwarding Engine. This enables you to choose multiple mirror destinations by specifying different port-mirroring instances in the filters. Filters must include the port-mirror-instance instance-name statement at the [edit firewall filter filter-name term term-name then] hierarchy level. You must also include the port-mirror-instance instance-name statement at the [edit chassis fpc number] hierarchy level to specify the FPC to be used.

Inline port mirroring allows you to configure instances that are not bound to the FPC specified in the firewall filter then port-mirror-instance instance-name action. Instead, you can define the then next-hop-group action. Inline port-mirroring aims to decouple the port-mirror destination from the input parameters, such as rate. While the input parameters are programmed in the Switch Interface Board (SIB), the next-hop destination for the mirrored packet is available in the packet itself.

A port-mirroring instance can now inherit input parameters from another instance that specifies it. To configure this option, include the input-parameters-instance instance-name statement at the [edit forwarding-options port-mirror instance instance-name] hierarchy level.

You can also now configure port mirroring to next-hop groups using a tunnel interface.

[Services Interfaces]

• Multiple IDP detector support (MX Series routers, M120 routers, and Enhanced III FPCs in M320 routers)—The IDP detector provides information about services, contexts, and anomalies that are supported by the associated protocol decoder.

The specified routers now support loading multiple IDP detectors simultaneously. When a policy is loaded, it is also associated with a detector. If the new policy being loaded has an associated detector that matches the detector already being used by the existing policy, the new detector is not loaded and both policies use a single associated detector. However, if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection. Note that with the specified routers, a maximum of four detectors can be loaded at any given time.

Multiple IDP detector support for the specified routers functions in a similar way to the existing IDP detector support on J Series and SRX Series devices, except for the maximum number of decoder binary instances that are loaded into the process space.

To view the current policy and the corresponding detector version, use the show security idp status detail command.

For more information, see the Junos OS Security Configuration Guide.

[Services Interfaces]

• NAT using Junos OS Services Framework (JSF) (M Series and T Series with Multiservices PICs and MX Series with Multiservices DPCs)—The Junos OS Services Framework (JSF) is a unified framework for Junos OS services integration. JSF services integration allows Junos OS services to run on services PICs or DPCs in any M Series, MX Series, or T Series router. Beginning with Junos OS Release 10.4, you can use JSF to run NAT on the specified routers.

To use JSF to run NAT, you must configure the jservices-nat package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure NAT rules and a service set with a Multiservice interface. To check the configuration, use the show configuration services nat command. To show the run time (dynamic state) information on the interface, use the show services sessions and show services nat pool commands.

[Services Interfaces]

• Stateful firewall using Junos OS Services Framework (JSF) (M Series with Multiservices PICs, MX Series with Multiservices DPCs, and T Series routers)—The Junos OS Services Framework (JSF) is a unified framework for Junos OS services integration. JSF services integration allows Junos OS services to run on services PICs or DPCs in any M Series, MX Series, or T Series router. Beginning with Junos OS Release 10.4, you can use JSF to run stateful firewall on the specified routers.


To use JSF to run stateful firewall, you must configure the jservices-sfw package at the [edit chassis fpc slot pic slot adaptive-services service-package extension-provider package] hierarchy level. In addition, you must configure stateful firewall rules and a service set with a Multiservice interface. To check the configuration, use the show configuration services stateful-firewall command. To show the run time (dynamic state) information on the interface, use the show services sessions command.

[Services Interfaces]

• Transition of IPv4 traffic to IPv6 addresses using Dual Stack Lite (DS-Lite)—Adds support for DS-Lite, a means for transitioning IPv4 traffic to IPv6 addresses. This transition will become necessary as the supply of unique IPv4 addresses nears exhaustion. New subscriber homes are allocated IPv6 addresses and IPv6-capable equipment; DS-Lite provides a method for the private IPv4 addresses behind the IPv6 equipment to reach the IPv4 network. An IPv4 host communicates with a NAT endpoint over an IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services such as NAT applied on them.

[Services Interfaces, System Basics and Services Command Reference]

• Round-robin allocation for NAPT addresses—You can now specify round-robin address allocation from NAT pools when you use NAPT. In the default method of address allocation, NAT addresses are allocated sequentially: all of the addresses in a given range must be allocated before addresses from a different range are allocated. The following example illustrates the sequential (legacy) implementation, which is still available to provide backward compatibility.

pool napt {
    address-range low 9.9.99.1 high 9.9.99.3;
    address-range low 9.9.99.4 high 9.9.99.6;
    address-range low 9.9.99.8 high 9.9.99.10;
    address-range low 9.9.99.12 high 9.9.99.13;
    port {
        range low 3333 high 3334;
    }
}

In this example, for each unique source address, a new address range is used for allocation only when there are no ports available in the previous address range. Address 9.9.99.4:3333 is picked only when all ports for addresses in the first range are exhausted.

• The first connection is allocated NAT address 9.9.99.1:3333.

• The second connection is allocated 9.9.99.1:3334.

• The third connection is allocated 9.9.99.2:3333.

• The fourth connection is allocated 9.9.99.2:3334, and so on.

To configure round-robin allocation for NAT pools, include the address-allocation round-robin configuration statement at the [edit services nat pool pool-name] hierarchy level. When you use round-robin allocation, one port is allocated from each address in a range before repeating the process for each address in the next range. After ports have been allocated for all addresses in the last range, the allocation process wraps around and allocates the next unused port for addresses in the first range.

• The first connection is allocated NAT address 9.9.99.1:3333.

• The second connection is allocated 9.9.99.2:3333.

• The third connection is allocated 9.9.99.3:3333.

• The fourth connection is allocated 9.9.99.4:3333.

• The fifth connection is allocated address 9.9.99.5:3333.

• The sixth connection is allocated address 9.9.99.6:3333.

• The seventh connection is allocated address 9.9.99.7:3333.

• The eighth connection is allocated address 9.9.99.8:3333.

• The ninth connection is allocated address 9.9.99.9:3333.

• The tenth connection is allocated address 9.9.99.10:3333.

• The eleventh connection is allocated address 9.9.99.11:3333.

• The twelfth connection is allocated address 9.9.99.12:3333.

• Wraparound occurs and the thirteenth connection is allocated address 9.9.99.1:3334.

[Services Interfaces]
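The two allocation orders described above, sequential and round-robin, are easy to mistake for one another when reading NAT logs, so here is an added Python model (not Junos code and not from the release notes) that generates both orders for the pool napt configuration shown above; the ranges and port range are constructed to match that pool. Because the four ranges contain eleven addresses, the round-robin order wraps to 9.9.99.1:3334 at the twelfth connection; the wrap point always depends on how many addresses the configured ranges actually hold. The model also reports exhaustion once every address:port pair has been handed out, the point at which new sessions would fail in either mode.

```python
# Added example: sequential versus round-robin NAPT address allocation.
# Models the allocation order only; it is not Junos code.
from ipaddress import IPv4Address

# Constructed to match the 'pool napt' configuration above.
POOL_RANGES = [("9.9.99.1", "9.9.99.3"), ("9.9.99.4", "9.9.99.6"),
               ("9.9.99.8", "9.9.99.10"), ("9.9.99.12", "9.9.99.13")]
PORT_RANGE = (3333, 3334)


def expand_ranges(ranges):
    """Expand each (low, high) pair into the list of addresses it contains."""
    expanded = []
    for low, high in ranges:
        first, last = int(IPv4Address(low)), int(IPv4Address(high))
        expanded.append([str(IPv4Address(n)) for n in range(first, last + 1)])
    return expanded


def sequential_order(ranges, ports):
    """Default allocation: every port of an address, then every address of a
    range, before the next range is touched."""
    return [f"{addr}:{port}"
            for addr_range in expand_ranges(ranges)
            for addr in addr_range
            for port in range(ports[0], ports[1] + 1)]


def round_robin_order(ranges, ports):
    """address-allocation round-robin: one port from each address of each range
    in turn; after the last address of the last range the allocator wraps to
    the first range and hands out the next unused port."""
    return [f"{addr}:{port}"
            for port in range(ports[0], ports[1] + 1)
            for addr_range in expand_ranges(ranges)
            for addr in addr_range]


def allocate(order, connections):
    """Hand out address:port pairs to the first `connections` sessions; a pool
    with no pair left for a new session is reported as exhausted."""
    if connections > len(order):
        raise ValueError(f"pool exhausted after {len(order)} allocations")
    return order[:connections]


if __name__ == "__main__":
    for name, order in (("sequential", sequential_order(POOL_RANGES, PORT_RANGE)),
                        ("round-robin", round_robin_order(POOL_RANGES, PORT_RANGE))):
        print(name, allocate(order, 13))
```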

Subscriber Access Management

• Enhancement to the show services l2tp destination command—The show services l2tp destination command has been extended to display the lockout state of the destination from the LAC. A destination that is reachable is not locked. An unreachable destination is locked out. L2TP makes no further attempts to connect to this destination until the timeout period (300 seconds) expires, unless the unreachable destination is the only destination in the tunnel configuration list. In that case, L2TP ignores the lockout and continues trying to connect to the destination.

[Subscriber Access]

• Redirecting HTTP redirect requests (MX Series routers)—Enables support for HTTP traffic requests from subscribers to be aggregated from access networks onto a BRAS router, where HTTP traffic can be intercepted and redirected to a captive portal. A captive portal provides authentication and authorization services for redirected subscribers before granting access to protected servers outside of a walled garden. A walled garden defines a group of servers where access is provided to subscribers without reauthorization through a captive portal. You can use a captive portal page as the initial page a subscriber sees after logging in to a subscriber session and as a page used to receive and manage HTTP requests to unauthorized Web resources. An HTTP redirect remote server that resides in a walled garden behind Junos OS routers processes HTTP requests redirected to it and responds with a redirect URL to a captive portal.


To configure HTTP redirect, include the captive-portal-content-delivery statement at the [edit services] hierarchy level.

[Subscriber Access]

• Filter support for service packet counting—You can count service packets, applying them to a specific named counter (__junos-dyn-service-counter), for use by RADIUS.

To enable service packet accounting, specify the service-accounting action at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level.

[Policy Framework, Subscriber Access]

• Support for domain maps that apply configuration options based on subscriber domain names (MX Series and M Series routers)—You use domain maps to apply access options and session-specific parameters to subscribers whose domain name corresponds to the domain map name. You can also create a default domain map that the router uses for subscribers whose username does not include a domain name or has a non-matching domain name.

Domain maps apply subscriber-related characteristics such as profiles (access, dynamic, and tunnel), target and AAA logical system mapping, address pool usage, and PADN routing information.

You configure domain maps at the [edit access domain] hierarchy level.

[Subscriber Access]

• L2TP LAC support for subscriber management (MX Series routers)—You can now configure an L2TP access concentrator (LAC) on MPC-equipped MX Series routers.

As part of the new L2TP LAC support, you can configure how the router selects a tunnel for a PPP subscriber from among a set of available tunnels. The default tunnel selection method is to fail over between tunnel preference levels. When a PPP user tries to log in to a domain, the router attempts to connect to a destination in that domain by means of the associated tunnel with the highest preference level. If the destination is unreachable, the router then moves to the next lower preference level and repeats the process. No configuration is required for this tunnel selection method.

You can include the fail-over-within-preference statement at the [edit services l2tp] hierarchy level to configure tunnel selection failover within a preference level. With this method, when the router tries to connect to a destination and is unsuccessful, it selects a new destination at the same preference level. If all destinations at a preference level are marked as unreachable, the router does not attempt to connect to a destination at that level. It drops to the next lower preference level to select a destination. If all destinations at all preference levels are marked as unreachable, the router chooses the destination that failed first and tries to make a connection. If the connection fails, the router rejects the PPP user session without attempting to contact the remote router.

By default, the router uses a round-robin selection process among tunnels at the same preference level. Include the weighted-load-balancing statement at the [edit services l2tp] hierarchy level to specify that the tunnel with the highest weight within a preference is selected until its maximum sessions limit is reached. Then the tunnel with the next highest weight is selected until its limit is reached, and so on. The tunnel with the highest configured maximum sessions value has the greatest weight.

Another feature of L2TP LACs on MX Series routers is the ability to control whether the LAC sends the Calling Number AVP 22 to the LNS. The AVP value is derived from the Calling-Station-Id and identifies the interface that is connected to the customer in the access network. By default, the LAC includes this AVP in ICRQ packets it sends to the LNS. In some networks you may wish to conceal your network access information. To prevent the LAC from sending the Calling Number AVP to the LNS, include the disable-calling-number-avp statement at the [edit services l2tp] hierarchy level.

[Subscriber Access]
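The tunnel selection rules above (failover between preference levels by default, fail-over-within-preference, weighted-load-balancing, and the 300-second destination lockout described under show services l2tp destination) as a small Python model. This is an added illustration, not Juniper code; it assumes that a lower preference number means a more preferred tunnel (as for the RADIUS Tunnel-Preference attribute), that the configured maximum-sessions value is the tunnel's weight, and that a full tunnel is skipped rather than treated as unreachable.

```python
"""Model of L2TP LAC tunnel selection: preference-level failover (default),
fail-over-within-preference, weighted-load-balancing, and destination lockout.
Added illustration, not Juniper code; tunnel names and timings are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LOCKOUT_SECONDS = 300  # lockout period quoted for a destination marked unreachable


@dataclass
class Tunnel:
    name: str
    preference: int      # assumption: lower number = more preferred (RFC 2868 Tunnel-Preference)
    max_sessions: int    # the configured maximum-sessions value doubles as the weight
    sessions: int = 0
    locked_until: float = 0.0            # 0.0 means the destination is reachable
    first_failure: Optional[float] = None


class Lac:
    """Selects a tunnel for a new PPP session from a domain's tunnel list."""

    def __init__(self, tunnels: List[Tunnel], within_preference: bool = False,
                 weighted: bool = False) -> None:
        self.tunnels = tunnels
        self.within_preference = within_preference   # fail-over-within-preference
        self.weighted = weighted                     # weighted-load-balancing
        self._cursor: Dict[int, int] = {}            # round-robin position per level

    def _reachable(self, t: Tunnel, now: float) -> bool:
        # The lockout is ignored when the destination is the only one configured.
        return len(self.tunnels) == 1 or now >= t.locked_until

    def _candidates(self, level: int, now: float) -> List[Tunnel]:
        cands = [t for t in self.tunnels
                 if t.preference == level and t.sessions < t.max_sessions
                 and self._reachable(t, now)]
        if not cands:
            return cands
        if self.weighted:
            # Highest weight first; it is used until its session limit is reached.
            return sorted(cands, key=lambda t: t.max_sessions, reverse=True)
        # Default: round-robin among the tunnels at this preference level.
        i = self._cursor.get(level, 0) % len(cands)
        self._cursor[level] = i + 1
        return cands[i:] + cands[:i]

    def _attempt(self, t: Tunnel, connect: Callable[[Tunnel], bool], now: float) -> bool:
        if connect(t):
            t.sessions += 1
            t.locked_until, t.first_failure = 0.0, None
            return True
        t.locked_until = now + LOCKOUT_SECONDS   # mark the destination unreachable (locked out)
        if t.first_failure is None:
            t.first_failure = now
        return False

    def select(self, connect: Callable[[Tunnel], bool], now: float = 0.0) -> Optional[Tunnel]:
        """Return the tunnel that accepted the session, or None if the PPP session is rejected."""
        attempted = False
        for level in sorted({t.preference for t in self.tunnels}):
            cands = self._candidates(level, now)
            if not cands:
                continue   # every destination at this level is unreachable or full
            # Default mode tries one destination per level and then drops a level;
            # fail-over-within-preference tries every destination at the level first.
            for t in (cands if self.within_preference else cands[:1]):
                attempted = True
                if self._attempt(t, connect, now):
                    return t
        if not attempted:
            # All destinations at all levels are locked out: retry the one that failed first.
            failed = [t for t in self.tunnels
                      if t.first_failure is not None and t.sessions < t.max_sessions]
            if failed:
                oldest = min(failed, key=lambda t: t.first_failure)
                if self._attempt(oldest, connect, now):
                    return oldest
        return None   # connection failed: reject the PPP user session


if __name__ == "__main__":
    # Constructed example: two tunnels at preference 1, one at preference 2, all reachable.
    lac = Lac([Tunnel("A", 1, 2), Tunnel("B", 1, 5), Tunnel("C", 2, 10)], weighted=True)
    print([lac.select(lambda t: True, now=i).name for i in range(8)])
```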

• Support for dynamic interface sets (M120, M320, and MX Series routers)—Enables you to configure sets of subscriber interfaces in dynamic profiles. Interface sets are used for providing hierarchical scheduling. Previously, interface sets were supported for interfaces configured in the static hierarchies only.

Supported subscriber interfaces include static and dynamic demux, static and dynamic PPPoE, and static and dynamic VLAN interfaces.

To configure an interface set in a dynamic profile, include the interface-set interface-set-name statement at the [edit dynamic-profiles interfaces] hierarchy level. To add a subscriber interface to the set, include the interface interface-name unit logical-unit-number statement at the [edit dynamic-profiles interfaces interface-set interface-set-name] hierarchy level. You apply traffic shaping and scheduling parameters to the interface-set by including the interface-set interface-set-name and output-traffic-control-profile profile-name statements at the static [edit class-of-service interfaces] hierarchy level.

A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set name, and includes a predefined variable, $junos-interface-set-name. The VSA is supported for RADIUS Access-Accept messages only; change of authorization (CoA) requests are not supported.

[Subscriber Access]

• Support for service session accounting statistics (MX Series routers)—You can now capture accounting statistics for subscriber service sessions. Subscriber management supports service session accounting based on service activation and deactivation, as well as interim accounting. Time-based accounting is supported for all service sessions. Time and volume-based accounting is supported for classic firewall filter and fast update firewall filter service sessions only.

To provide volume service accounting, the well-known accounting counter (junos-dyn-service-counter) must also be configured for the classic firewall filter and fast update firewall filter service. You define the counter at the [edit firewall family family filter filter term term then] hierarchy level.


The following VSAs (vendor ID 4874) are used for service accounting:

Attribute Number   Attribute Name                  Description                                                           Value
26-69              Service-Statistics              Enable or disable statistics for the service.                         0 = disable; 1 = enable time statistics; 2 = enable time and volume statistics
26-83              Acct-Service-Session            Name of the service.                                                  string: service-name
26-140             Service-Interim-Acct-Interval   Amount of time between interim accounting updates for this service.   range = 600–86400 seconds; 0 = disabled

[Subscriber Access]

• Subscriber secure policy traffic mirroring supported for L2TP sessions on the LAC (MX Series routers)—The L2TP access concentrator (LAC) implementation supports RADIUS-initiated per-subscriber traffic mirroring. Both subscriber ingress traffic (from the subscriber into the tunnel) and subscriber egress traffic (from the tunnel to the subscriber) are mirrored at the (subscriber-facing) ingress interface on the LAC. The ingress traffic is mirrored after PPPoE decapsulation and before L2TP encapsulation. The egress traffic is mirrored after L2TP decapsulation. The mirrored packet includes the complete HDLC frame sent to the LNS.

[Subscriber Access]

• Support for static and dynamic CoS on L2TP LAC subscriber interfaces (M120, M320, and MX Series routers)—Enables you to configure static and dynamic CoS for L2TP access concentrator (LAC) tunnels that transport PPP subscribers at Layer 2 and Layer 3 of the network.

IP and L2TP headers are added to packets arriving at the LAC from a subscriber before being tunneled to the L2TP network server (LNS). Classifiers and rewrite-rules enable you to properly transfer the type-of-service (ToS) value or the 802.1p value from the inner IP header to the outer IP header of the L2TP packet.

For ingress tunnels, you configure fixed or behavior aggregate (BA) classifiers for the PPP interface or an underlying VLAN interface at Layer 2. You can configure Layer 3 classifiers for a family of PPP interfaces. Layer 2 and Layer 3 classifiers can co-exist for a PPP subscriber.

For example, to classify incoming packets for a PPP subscriber, include the classifier type classifier-name statement at the [edit class-of-service interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles class-of-service interfaces pp0 unit logical-unit-number] hierarchy level.

On egress tunnels, you configure rewrite rules to set the ToS or 802.1p value of the outer header. For example, to configure a rewrite-rule definition for an interface with 802.1p encapsulation, include the rewrite-rule ieee-802.1 (rewrite-name | default) statement at the [edit class-of-service interfaces interface-name unit logical-unit-number] hierarchy level or the [edit dynamic-profiles class-of-service interfaces pp0 unit logical-unit-number] hierarchy level.

Rewrite rules are applied accordingly to the forwarding class, packet loss priority (PLP), and code point. The proper transfer of the inner IP header to the outer IP header of the L2TP packet depends on the classifier and rewrite rule configurations.

The following table shows how the classifier and rewrite-rule values transfer from the inner IP header to the outer IP header. The inner IP header (ob001) is classified with assured-forwarding and low loss priority at the ingress interface. Based on the assured-forwarding class and low loss priority in the rewrite rule, the outer IP header is set to ob001 at the egress interface.

Inner IP Header   Forwarding Class     Loss Priority   Code Point   Outer IP Header
ob001             assured-forwarding   low             001          ob001

[Subscriber Access, Class of Service]

• L2TP tunnel profiles and AAA support for tunnels in subscriber management (MX Series routers)—You can configure a set of attributes to define an L2TP tunnel for PPP subscribers. More than one tunnel can be defined for a tunnel profile. Tunnel profiles are applied by a domain map before RADIUS authentication. When the RADIUS Tunnel-Group VSA [26-64] is specified in the RADIUS login, then the RADIUS tunnel profile (group) overrides a tunnel profile specified by the domain map. The tunnel is then configured according to RADIUS tunnel attributes and VSAs.

To configure a tunnel profile, include the tunnel-profile profile-name statement at the [edit access] hierarchy level. To define a tunnel for a profile, include the tunnel tunnel-id statement at the [edit access tunnel-profile profile-name] hierarchy level.

Define the attributes of the tunnel at the [edit access tunnel-profile profile-name tunnel tunnel-id] hierarchy level. You must configure a preference for the tunnel and the IP address of the LNS tunnel endpoint; all other attributes are optional. Include the preference number statement to configure the preference. Include the remote-gateway address server-ip-address statement to configure the LNS address.

You can optionally configure the remaining tunnel attributes. Include the remote-gateway name server-name statement to configure the LNS hostname. Include the source-gateway address client-ip-address statement and the source-gateway name client-name statement to configure the local (LAC) tunnel endpoint. Although you can configure a medium type (medium type) and protocol type (tunnel tunnel-type) for the tunnel, only the default values of ipv4 and l2tp are supported in this release. Include the identification name statement to configure an assignment ID for the tunnel. Include the max-sessions number statement to configure the maximum number of sessions permitted for the tunnel. Include the secret password statement to configure a cleartext password for authentication by the remote tunnel endpoint (LNS). Finally, you can configure a logical system and routing instance for the tunnel by including the logical-system logical-system-name and routing-instance routing-instance-name statements.


The following table shows the RADIUS attributes that are now supported for defining a tunnel.

Attribute Number   Attribute Name           Description
64                 Tunnel-Type              The tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol already in use (in the case of a tunnel terminator). Only L2TP tunnels are currently supported.
65                 Tunnel-Medium-Type       Transport medium to use when creating a tunnel for protocols that can operate over multiple transports. Only IPv4 is currently supported.
66                 Tunnel-Client-Endpoint   Address of the initiator end of the tunnel.
67                 Tunnel-Server-Endpoint   Address of the server end of the tunnel.
69                 Tunnel-Password          Password used to authenticate to a remote server.
82                 Tunnel-Assignment-Id     Indicates to the tunnel initiator the particular tunnel to which a session is assigned.
83                 Tunnel-Preference        If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel. Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only).
90                 Tunnel-Client-Auth-Id    Name used by the tunnel initiator during the authentication phase of tunnel establishment.
91                 Tunnel-Server-Auth-Id    Name used by the tunnel terminator during the authentication phase of tunnel establishment.

The following table shows the RADIUS VSAs that are now supported for defining a tunnel.

Attribute Number   Attribute Name          Description                                                    Value
26-8               Tunnel-Virtual-Router   Virtual router name for tunnel connection.                     string: tunnel-virtual-router
26-9               Tunnel-Password         Tunnel password in clear text.                                 string: tunnel-password
26-33              Tunnel-Max-Sessions     Maximum number of sessions allowed in a tunnel.                integer: 4-octet
26-64              Tunnel-Group            Name of the tunnel group (profile) assigned to a domain map.   string: tunnel-group-name


[Subscriber Access]

• Dynamic reconfiguration of extended DHCPv6 local server clients (MX Series routers)—You can enable dynamic reconfiguration of DHCPv6 clients to enable the extended DHCPv6 local server to initiate a client update without waiting for the client to initiate a request. In subscriber management scenarios, a client may need to be quickly updated with its network address and configuration in the event of server changes, such as a restructuring of the service provider’s addressing scheme or a change in the local server IP addresses that were provided to the clients. Include the reconfigure statement to enable dynamic reconfiguration with default values for all DHCPv6 clients at the [edit system services dhcp-local-server dhcpv6] hierarchy level, and for DHCPv6 clients serviced by a specified group of interfaces at the [edit system services dhcp-local-server dhcpv6 group group-name] hierarchy level.

Optional statements enable you to modify the default reconfiguration values: the number of reconfiguration attempts, the interval between the first and second attempts, what happens to the client if all reconfiguration attempts fail, what happens to the client in the event of a RADIUS-initiated disconnect, whether to bind clients that do not support reconfiguration, and whether to send an authentication token. Issue the request dhcpv6 server reconfigure command to initiate reconfiguration. Use the show dhcpv6 server binding and show dhcpv6 server statistics commands to monitor client-server interactions.

[Subscriber Access]

• Support for ascend data filters (RADIUS attribute 242) in subscriber firewall filters (MX Series routers)—You can now configure subscriber management to use ascend data filters (ADFs) to create and apply firewall filters to subscriber traffic. The ADF creates a rule that specifies match conditions on the source and destination IP address, the protocol, and the source and destination port, and also specifies the action to perform (such as accept or discard). The ADF rule also specifies the filter direction, and can optionally provide traffic class and policer information. The router supports ADF rules for family types inet and inet6.

Subscriber management uses dynamic profiles to obtain the ADF rules from the RADIUS server. You can use the new Junos OS predefined variables ($junos-adf-rule-v4 for family inet and $junos-adf-rule-v6 for inet6) to map ADF rules to Junos OS functionality, or you can statically create ADF rules.

To configure ADF support, use the following stanza at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family family] hierarchy level:

filter {
    adf {
        counter;
        input-precedence precedence;
        output-precedence precedence;
        rule rule-value;
    }
}

[Subscriber Access, System Basics and Services Command Reference]


• Per-interface DHCP tracing operations (MX Series routers)—In addition to the existing global DHCP tracing operation, you can now trace DHCP operations for a specific interface or a range of interfaces.

Configuring interface-based tracing is a two-step procedure. First configure the tracing options that you want to use, such as the file used for the trace operation and the trace flags. In the second step, enable the tracing operation on the specific interface or range of interfaces.

• To configure the per-interface tracing options, use the interface-traceoptions statement at the [edit system services dhcp-local-server] hierarchy level for the DHCP local server or at the [edit forwarding-options dhcp-relay] hierarchy level for the DHCP relay agent.

• To enable tracing on an interface or interface range, use the trace statement at the [edit system services dhcp-local-server group group-name interface interface-name] hierarchy level for the DHCP local server, or the [edit forwarding-options dhcp-relay group group-name interface interface-name] hierarchy level for the DHCP relay agent. You can also enable tracing for DHCPv6 at the [edit system services dhcp-local-server dhcpv6 group group-name interface interface-name] hierarchy level.

[Subscriber Access]

• Automatic binding of stray DHCP requests (MX Series routers)—The default behavior has changed for handling DHCP requests that are received but which have no entry in the database (stray requests). Beginning with Junos OS Release 10.4, automatic binding of stray requests is enabled by default. In Junos OS Release 10.3 and earlier releases, automatic binding of stray requests is disabled by default.

By default, DHCP relay and DHCP relay proxy now attempt to bind the requesting client by creating a database entry and forwarding the request to the DHCP server. If the server responds with an ACK, the client is bound and the ACK is forwarded to the client. If the server responds with a NAK, the database entry is deleted and the NAK is forwarded to the client. This behavior occurs regardless of whether authentication is configured.

In Junos OS Release 10.3 and earlier releases, DHCP relay drops stray requests and forwards a NAK to the client when authentication is configured. Otherwise, DHCP relay attempts to bind the requesting client. In those releases, DHCP relay proxy always drops stray requests and forwards a NAK to the client, regardless of the authentication configuration.

You can override the new default configuration to cause DHCP relay and DHCP relay proxy to drop all stray requests instead of attempting to bind the clients. To disable automatic binding behavior globally, include the no-bind-on-request statement at the [edit forwarding-options dhcp-relay overrides] hierarchy level. To disable automatic binding behavior for a group, include the statement at the [edit forwarding-options dhcp-relay overrides group group-name] hierarchy level. To disable automatic binding behavior for a specific interface in a group, include the statement at the [edit forwarding-options dhcp-relay overrides group group-name interface interface-name] hierarchy level.


[Subscriber Access]

• Support for VPLS Layer 2 wholesale configuration in a subscriber access network—Enables you to configure Layer 2 wholesaling within a subscriber access network. Wholesale access is the process by which an access network provider (wholesaler) partitions the access network into separately manageable and accountable subscriber segments for resale to other network providers. An access network provider may elect to wholesale all or part of its network to one or more service providers (retailers).

NOTE: In this release, Layer 2 wholesaling supports the use of only the default logical system using multiple routing instances.

The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale solution in many ways. However, when configuring the Juniper Networks Layer 2 wholesale solution, keep the following in mind:

• No Layer 3 components (address assignment, Layer 3 interfaces, and so on) are involved.

• S-VLANs must be unique to any Gigabit Ethernet or Aggregated Ethernet interfaces within the entire network (not just unique to one router).

• Layer 2 wholesale supports only CoA disconnect and variable modification; CoA service activation is not supported.

NOTE: For general information about configuring dynamic wholesale for your subscriber access network, see the Broadband Subscriber Management Solutions Guide.

To configure Layer 2 wholesale for a subscriber access network:

• Configure a VLAN dynamic profile. See the Subscriber Access Configuration Guide for details.

• Include the routing-instances statement along with the $junos-routing-instance dynamic variable at the [edit dynamic-profiles profile-name interface $junos-interface-name] hierarchy level.

• Include the interfaces statement along with the $junos-interface-name dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-name” routing-instances “$junos-routing-instance”] hierarchy level.

• Include the interfaces statement along with the $junos-interface-ifd-name dynamic variable at the [edit dynamic-profiles profile-name] hierarchy level.

• Include the unit statement along with the $junos-interface-unit dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name”] hierarchy level.


• (Optional) Include the encapsulation statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and specify the unit encapsulation as vlan-vpls or vlan-ccc.

NOTE: If you choose not to specify an encapsulation for the logical interface, you must specify encapsulation for the physical interface.

• Include the vlan-tags statement and define the outer VLAN tag using the $junos-stacked-vlan-id dynamic variable and the inner VLAN tag using the $junos-vlan-id dynamic variable at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.

• Include the input-vlan-map statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and define the map settings as follows:

NOTE: You configure the input-vlan-map statement only when there is a need to either push an outer tag on a single-tagged subscriber packet or modify the outer tag in a subscriber dual-tagged packet.

• Specify the action that you want the input VLAN map to take. See the Network Interfaces Configuration Guide for details on how to configure input-vlan-map statement options.

• Include the vlan-id statement along with the $junos-vlan-map-id dynamic variable.

• Include the output-vlan-map statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and specify the action that you want the output VLAN map to take. See the Network Interfaces Configuration Guide for details on how to configure output-vlan-map statement options.

NOTE: You configure the output-vlan-map statement only when there is a need to either pop or modify the outer tag found in a dual-tagged packet meant for the subscriber.

• Specify the unit family as vpls at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit family] hierarchy level.

• Include the flexible-vlan-tagging statement for any interfaces you plan to use at the [edit interfaces interface-name] hierarchy level.


• Include the encapsulation statement for any interfaces you plan to use at the [edit interfaces interface-name] hierarchy level and specify the encapsulation as follows: flexible-ethernet-services.

• Use the vlan-vpls or flexible-ethernet-services options if you specified the vlan-vpls option for the encapsulation statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.

NOTE: Using the vlan-vpls encapsulation option in both the dynamic profile and when configuring the physical interface limits the VLAN ID value to a number greater than or equal to 512. Using the flexible-ethernet-services encapsulation option does not result in a limitation to the VLAN ID value.

• Use the flexible-ethernet-services option if you plan to configure logical interfaces with different encapsulations at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.

NOTE: This encapsulation type does not have a VLAN ID limitation.

• Use the extended-vlan-vpls option if you chose not to specify an option for the encapsulation statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level.

NOTE: This encapsulation type can support multiple TPIDs and does not have a VLAN ID limitation.

• Specify the vpls option for the instance-type statement for any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.

• Include the qualified-bum-pruning-mode statement in any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.

• Specify the permanent option for the connectivity-type statement at the [edit routing-instances instance-name protocols vpls] hierarchy level to ensure that the routing instance (pseudo-wire) remains operational.

• Configure the VLAN Interfaces to use the dynamic profile. See the Subscriber Access Configuration Guide for details.

• Define access to your RADIUS server and specify the access profile at the [edit access] hierarchy level.

To view the logical system and routing instance for each subscriber, use the show subscriber operational command.


[Subscriber Access]

System Logging

• New and deprecated system log tags—The following system log messages are new in this release:

• ASP_SFW_DELETE_FLOW

• CHASSISD_FM_FABRIC_DOWN

• CHASSISD_FPC_FABRIC_DOWN_REBOOT

• CHASSISD_FRU_INTEROP_UNSUPPORTED

• CHASSISD_RE_CONSOLE_FE_STORM

• RPD_AMT_CFG_ADDR_FMLY_INVALID

• RPD_AMT_CFG_ANYCAST_INVALID

• RPD_AMT_CFG_ANYCAST_MCAST

• RPD_AMT_CFG_LOC_ADDR_INVALID

• RPD_AMT_CFG_LOC_ADDR_MCAST

• RPD_AMT_CFG_PREFIX_LEN_SHORT

• RPD_AMT_CFG_RELAY_INVALID

• RPD_BGP_CFG_ADDR_INVALID

• RPD_BGP_CFG_LOCAL_ASNUM_WARN

• RPD_CFG_TRACE_FILE_MISSING

• RPD_LDP_GR_CFG_IGNORED

• RPD_MC_CFG_FWDCACHE_CONFLICT

• RPD_MC_CFG_PREFIX_LEN_SHORT

• RPD_MSDP_CFG_SA_LIMITS_CONFLICT

• RPD_MSDP_CFG_SRC_INVALID

• RPD_MVPN_CFG_PREFIX_LEN_SHORT

• RPD_PLCY_CFG_COMMUNITY_FAIL

• RPD_PLCY_CFG_FWDCLASS_OVERRIDDEN

• RPD_PLCY_CFG_IFALL_NOMATCH

• RPD_PLCY_CFG_PARSE_GEN_FAIL


• RPD_PLCY_CFG_PREFIX_LEN_SHORT

• RPD_RSVP_COS_CFG_WARN

• RPD_RT_INST_IMPORT_PLCY_WARNING

• RPD_OSPF_IF_COST_CHANGE

• RPD_OSPF_TOPO_IF_COST_CHANGE

• RPD_VPLS_INTF_NOT_IN_SITE

[System Log]

• Added interface information to BFD session up/down system log tags—Added peer address information for BFDD_TRAP_MHOP_STATE_DOWN and BFDD_TRAP_MHOP_STATE_UP.

[System Log]

VPNs

• Disable TTL propagation behavior for the routes in a VRF routing instance—Enables you to control TTL decrementing for individual VPNs. In prior releases, Junos OS enabled control of TTL behavior only at the router level for all LDP-signaled and all RSVP-signaled label-switched paths. With this feature, you can control the behavior on individual VPN routes. To configure, include the vrf-propagate-ttl or no-vrf-propagate-ttl statement at the [edit routing-instances instance-name] hierarchy level. The instance-specific behavior overrides the router behavior configured at the [edit protocols mpls] hierarchy level with the no-propagate-ttl statement. The show route extensive and show route detail commands display the TTL action for each VRF routing instance.

[VPNs]

• Support for Layer 3 VPN composite next hops and a larger number of Layer 3 VPN labels on T Series routers—Layer 3 VPN composite next hops can now be enabled on T Series routers with Enhanced Scaling FPCs by including the l3vpn-composite-nexthop statement at the [edit routing-options] or [edit logical-systems logical-system-name routing-options] hierarchy levels. This statement enables BGP to accept larger numbers of Layer 3 VPN BGP updates with unique inner VPN labels. Including the l3vpn-composite-nexthop statement in the configuration enhances scaling and convergence performance of PE routers participating in a Layer 3 VPN in a multivendor environment.

The Junos OS provides the configuration statement memory-enhanced to reallocate the jtree memory for routes and Layer 3 VPNs. This statement has the following options:

• route—Include this statement when you want to support larger routing tables (with more routes) over firewall filters. For example, you can enable this option when you want to support a large number of routes for Layer 3 VPNs implemented using MPLS. However, we recommend enabling this option only if you do not have a very large firewall configuration.


To allocate more memory for routing tables, include the route statement at the [edit chassis memory-enhanced] hierarchy level:

[edit chassis memory-enhanced]
route;

• vpn-label—Include this statement when you want to enhance memory to support the larger number of Layer 3 VPN labels accepted when the l3vpn-composite-nexthop statement is configured.

To allocate more memory for Layer 3 VPN labels, include the vpn-label statement at the [edit chassis memory-enhanced] hierarchy level:

[edit chassis memory-enhanced]
vpn-label;

NOTE: With Junos OS Release 10.4, the memory-enhanced route statement at the [edit chassis] hierarchy level replaces the route-memory-enhanced statement at the [edit chassis] hierarchy level.

[VPNs, System Basics]

• Egress protection LSPs—If there is a link or node failure in the core network, a protection mechanism such as MPLS fast reroute can be triggered on the transport LSPs between the PE routers to repair the connection within tens of milliseconds. An egress protection LSP addresses the problem of when a link failure occurs at the edge of the network (for example, a link failure between a PE router and a CE device).

To enable an egress protection LSP, you need to configure the following statements:

• context-identifier—Specifies an IPv4 address used to define the pair of PE routers participating in the egress protection LSP. The context identifier is used to assign an identifier to the protector PE router. The identifier is propagated to the other PE routers participating in the network, making it possible for the protected egress PE router to signal the egress protection LSP to the protector PE router. Configure the context-identifier statement at the [edit protocols l2circuit neighbor neighbor-address interface interface-name egress-protection protector-pe] and the [edit protocols mpls egress-protection] hierarchy levels.

• egress-protection—Configures the protector information for the protected Layer 2 circuit and also configures the protector Layer 2 circuit itself at the [edit protocols l2circuit] hierarchy level. Configures an LSP as an egress protection LSP at the [edit protocols mpls label-switched-path lsp-name] hierarchy level. It also configures the context identifier at the [edit protocols mpls] hierarchy level.

• protected-l2circuit—Specifies which Layer 2 circuit is to be protected by the egress protection LSP. This statement includes the following substatements: ingress-pe, egress-pe, and virtual-circuit-id. These substatements specify the address of the PE router at the ingress of the Layer 2 circuit, the address of the PE router at the egress of the Layer 2 circuit, and the Layer 2 circuit’s identifier, respectively. Configure the protected-l2circuit statement at the [edit protocols l2circuit neighbor address interface interface-name] hierarchy level.

• protector-pe—Specifies the IPv4 address of the protector PE router. The protector PE router must have a connection to the same CE device as the protected PE router for the egress protection LSP to function. This statement includes the following substatements: context-identifier and lsp. The lsp statement specifies the LSP to be used as the actual egress protection LSP. Configure the protector-pe statement at the [edit protocols l2circuit neighbor neighbor-address interface interface-name egress-protection] hierarchy level.

[VPNs]
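The following added configuration (not from the release notes) shows how the four statements above fit together for one protected Layer 2 circuit. The loopback addresses, interface names, virtual-circuit-id and LSP name are constructed; the nesting follows the hierarchy levels listed above, except that on the protector PE the protected-l2circuit block is shown inside egress-protection as that statement's description implies, so verify the exact nesting against the Layer 2 circuit and MPLS configuration references for your release.

```junos
# Protected egress PE (PE1, loopback 10.255.0.1): the Layer 2 circuit from
# ingress PE 10.255.0.9 terminates here on ge-1/0/0.0 toward the CE device.
[edit protocols l2circuit]
neighbor 10.255.0.9 {
    interface ge-1/0/0.0 {
        virtual-circuit-id 100;
        egress-protection {
            # Protector PE that shares the CE device with PE1
            protector-pe 10.255.0.2 {
                context-identifier 10.255.100.1;   # identifier assigned to the protector PE
                lsp to-protector;                  # LSP used as the egress protection LSP
            }
        }
    }
}

# Protected egress PE (PE1): the LSP to PE2 marked as an egress protection LSP
[edit protocols mpls]
label-switched-path to-protector {
    to 10.255.0.2;
    egress-protection;
}

# Protector PE (PE2, loopback 10.255.0.2): the context identifier that PE1
# uses to signal the egress protection LSP to this router
[edit protocols mpls]
egress-protection {
    context-identifier 10.255.100.1;
}

# Protector PE (PE2): the protector Layer 2 circuit for the circuit identified
# by its ingress PE, egress PE and virtual-circuit-id. ge-1/0/1.0 connects to
# the same CE device as PE1's ge-1/0/0.0, which is what makes protection possible.
[edit protocols l2circuit]
neighbor 10.255.0.1 {
    interface ge-1/0/1.0 {
        egress-protection {
            protected-l2circuit {
                ingress-pe 10.255.0.9;
                egress-pe 10.255.0.1;
                virtual-circuit-id 100;
            }
        }
    }
}
```

After committing, the show route extensive and show route detail output on PE1 should list the protection LSP for the circuit; if PE2 has no path to the shared CE device, the protection LSP cannot repair a PE1-to-CE link failure.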

• Local switching support for the ignore-encapsulation-mismatch statement—The ignore-encapsulation-mismatch statement has been extended to support local switching. You can now configure this statement at the [edit protocols l2circuit local-switching interface interface-name] hierarchy level. This statement allows a Layer 2 circuit to be established even though the encapsulation configured on the CE device interface does not match the encapsulation configured on the Layer 2 circuit interface. Local switching allows you to configure a Layer 2 circuit entirely on the local router, terminating the circuit on a local interface.

[VPNs]

Related Documentation

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 42

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55

• Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers on page 77

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Class of Service

• Changes to the output of the show interfaces queue command—Previously, the output of the show interfaces queue interface-name command displayed the max-queues-per-interface value in the field that now reports the number of hardware-supported queues, as shown below:

Egress queues: 4 supported, 4 in use

Previously, the first value indicated either the default or the value specified through the max-queues-per-interface statement. It now indicates the number of queues supported by the hardware and no longer changes when the max-queues-per-interface statement is changed.

[Class of Service]


Forwarding and Sampling

• ARP packet policing on TCC Ethernet interfaces—In Junos OS Release 10.4, ARP packet policing is effective on TCC Ethernet interfaces.

• High CPU utilization of the DFWD process—You might notice a high CPU utilization by the DFWD process if the interface lo0 is configured as part of the interface group 0.

• Bridge domain naming (Layer 2 platforms)—You cannot include the slash mark (/) in a bridge domain name at the [edit bridge-domains bridge-domain-name] hierarchy level.

[Layer 2]

Interfaces and Chassis

• SFC and LCC Routing Engine (RE) name changes—The SFC Routing Engine name is changed from RE-TXP-SFC to RE-DUO-2600, and the LCC Routing Engine name is changed from RE-TXP-LCC to RE-DUO-1800.

[Software Installation and Upgrade]

• Enhancement to the show oam ethernet link-fault-management detail command—The output of the show oam ethernet link-fault-management detail command now includes the following two new fields: OAM total symbol error event information and OAM total frame error event information. These fields display the total number of errored symbols and errored frames, respectively, and are updated at every interval regardless of whether the threshold for sending event TLVs has been crossed. Previously, the show oam ethernet link-fault-management detail command displayed only the number of errored symbols reported in TLV events transmitted since the OAM layer was reset and the number of errored frames detected since the OAM layer was reset.

[Interfaces Command Reference]

• Enhancement to show oam ethernet connectivity-fault-management commands—The output of the show oam ethernet connectivity-fault-management mep-statistics, show oam ethernet connectivity-fault-management interfaces, and show oam ethernet connectivity-fault-management mep-database commands includes the following three new fields: Out of sync 1DMs received, which displays the number of out-of-sync one-way delay measurement packets received; Valid DMMs received, which displays the number of valid two-way delay measurement request packets received, and Invalid DMMs received, which displays the number of invalid two-way delay measurement request packets received.

[Interfaces Command Reference]

• New command to clear ETH-DM delay statistics (MX Series routers)—A new command, clear oam ethernet connectivity-fault-management delay-statistics, enables you to clear ITU-T Y.1731 Ethernet frame delay measurement (ETH-DM) delay statistics and ETH-DM frame counts. Use the maintenance-association maintenance-association-name and maintenance-domain maintenance-domain-name options to clear delay statistics and frame counts for specific maintenance associations and maintenance domains. You can also use the one-way and two-way options to clear only one-way delay statistics or two-way delay statistics, respectively.

[Interfaces Command Reference]

• Circuit Emulation (CE) interfaces firmware compatibility for ATM IMA on M7i, M10i, M40e, M120, and M320 routers—Junos OS Release 10.0 and later releases log a Firmware mismatch system log message and report a firmware error in the IMA Group state and IMA Link state fields of the show interfaces command output if the PIC's firmware is not compatible.

NOTE: CE PICs require firmware version rom-ce-9.3.pbin or rom-ce-10.0.pbin for ATM IMA functionality on M7i, M10i, M40e, M120, and M320 routers with Junos OS Release 10.0R1 or later.

CE PICs manufactured with the 560-028081.pbin firmware will produce the following entry in /var/log/messages when Junos OS is upgraded to Release 10.0R1 or newer releases:

Firmware mismatch. Need to upgrade PIC PROM Binary CPU firmware for IMA.

If you configure IMA with this combination of Junos OS and CE PIC firmware, the following entry is logged:

Firmware error. Need to upgrade PIC PROM Binary CPU firmware for IMA.

The show interfaces ce-fpc/pic/port command output will show the following:

Physical link is Down
IMA Group state : NE: Firmware Error
IMA Link state : Line: Firmware Error

The customer must contact JTAC for a PIC firmware upgrade to proceed with IMA.

[Interfaces Command Reference, System Log Messages Reference]

• Support for configuring shaping overhead—Support for CLI-based configuration of shaping overhead has been added to the PD-5-10XGE-SFPP Type 4 PIC.

• Set bandwidth value on aggregated Ethernet interfaces—You can now set the bandwidth value by using the bandwidth value statement at the [edit interfaces aggregate-interface unit number] hierarchy level.

Additionally, the show interfaces aggregate-interface extensive and the show interfaces aggregate.logical-interface commands now show the bandwidth of the aggregate when it is configured. Also, the SNMP OID ifSpeed/ifHighSpeed of the aggregate logical interface shows the corresponding bandwidth when it is configured. When it is not configured, the command shows the bandwidth as the sum of the bandwidths of the member links of the aggregate, as before.

• Network interfaces show command output (All platforms)—The output of the show interfaces detail/extensive command now adds a table that shows complete (not truncated) names of the forwarding classes associated with queues.

[Network Interfaces]


• Negotiate IP address option removed—The negotiate IP address option is no longer allowed in the MLFR and MFR encapsulations.

• Hardware restrictions in the output of the show interfaces extensive command—When using the show interfaces extensive command with a 100-Gigabit Ethernet PIC, the “Filter statistics” section will not be displayed because the hardware does not include those counters.

• New command to clear Link Aggregation Control Protocol statistics—A new command, clear lacp statistics, enables you to clear Link Aggregation Control Protocol (LACP) statistics. Use the interfaces option to clear interface statistics. You can also clear interface statistics for a specific interface only by using the interfaces interface-name option.

[Interfaces Command Reference]

• Change to the show interfaces aenumber extensive command—The output of the show interfaces aenumber extensive command no longer displays Link Aggregation Control Protocol (LACP) statistics. To display LACP statistics, use the show lacp statistics interfaces command.

[Interfaces Command Reference]

• Increase in unit numbering for demux0 and pp0 interfaces—The unit numbering for demux0 and pp0 interfaces has been increased to 1,073,741,823.

• Support for Diffie-Hellman 2048-bit encryption—You can now configure Diffie-Hellman 2048-bit encryption (group14) for IPsec communications on Multiservices PICs.

To use Diffie-Hellman 2048-bit encryption, include the dh-group group14 statement at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level.

To configure 2048-bit encryption for an IPsec policy, include the keys group14 option at the [edit services ipsec-vpn ipsec policy policy-name perfect-forward-secrecy] hierarchy level.

[Services Interfaces]
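As an added illustration (not from the release notes), here are the weak and strengthened settings side by side: an IKE proposal and an IPsec policy using group2 (1024-bit MODP) next to the same proposal and policy using group14 (2048-bit MODP). The proposal and policy names are constructed, and the statements other than dh-group and perfect-forward-secrecy keys are assumed from the services ipsec-vpn hierarchy.

```junos
[edit services ipsec-vpn]
ike {
    # Before: a 1024-bit MODP group (group2) for the IKE key exchange
    proposal ike-g2 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    # After: the 2048-bit MODP group (group14) added in this release
    proposal ike-g14 {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
}
ipsec {
    # Before: perfect forward secrecy derives each IPsec SA key from a 1024-bit exchange
    policy pfs-g2 {
        perfect-forward-secrecy {
            keys group2;
        }
    }
    # After: PFS with group14, so IPsec SA keys also come from a 2048-bit exchange
    policy pfs-g14 {
        perfect-forward-secrecy {
            keys group14;
        }
    }
}
```

Both peers must offer group14 for it to be negotiated; a peer that still proposes only group2 falls back to the weaker group or fails the IKE exchange, so change the remote side in step.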

• Show chassis environment cb command on MX80 routers—The show chassis environment cb command is now available for the MX80 routers.

Junos OS XML API and Scripting

• The jcs:load-configuration template now accepts the $commit-options parameter—The jcs:load-configuration template, included in the import file junos.xsl, now accepts the $commit-options parameter to customize the commit operation. The parameter must be passed to the jcs:load-configuration template as a node-set.

The default value for $commit-options is null. Supported options are:

• check—Check the correctness of the candidate configuration syntax, but do not commit the changes.

• force-synchronize—Force the commit on the other Routing Engine (ignore any warnings).


• log—Write the specified message to the commit log. This is identical to the CLI configuration mode command commit comment.

• synchronize—Synchronize the commit on both Routing Engines.

To specify commit options, include the desired options within the <commit-options> tag. Use the := operator to create a node-set and assign it to a variable. Pass this variable as the argument for the $commit-options parameter when you call the jcs:load-configuration template.

For example, to commit the configuration with the synchronize and log options, use the following syntax for the node-set:

var $options := {
    <commit-options> {
        <synchronize>;
        <log> "synchronizing commit";
    }
}

[Configuration and Operations Automation Guide]

• Junos XML management protocol support for the interface-ranges attribute of the <get-configuration> operation—By default, the Junos XML protocol <get-configuration> operation parallels the default behavior of the CLI configuration mode show command, which displays the [edit interfaces interface-range] hierarchy as a separate hierarchy in the configuration. To display the inherited tag elements of each interface range as children of the interface elements that are members of that range, a client application combines the interface-ranges="interface-ranges" attribute with the inherit="inherit" attribute in the <get-configuration> tag of a remote procedure call (RPC).

If the inherit and interface-ranges attributes are included in the <get-configuration> tag and the client application requests Junos XML-tagged output (the format="xml" attribute is included or the format attribute is omitted), the Junos XML protocol server includes the junos:interface-range="source-interface-range" attribute in the opening tags of configuration elements that are inherited from an interface range. The attribute does not appear if the client application requests formatted ASCII output by including the format="text" attribute in the <get-configuration> tag.

[XML Management Protocol]

MPLS Application

• Disable RSVP local revertive mode—Configure the no-local-reversion statement at the [edit protocols rsvp] hierarchy level to disable RSVP local revertive mode (local revertive mode as specified in RFC 4090, Fast Reroute Extensions to RSVP-TE for LSP). RSVP local revertive mode is supported on all Juniper Networks routers running the Junos OS software by default. If you configure the no-local-reversion statement, the Juniper Networks router uses global revertive mode instead. You might need to disable RSVP local revertive mode on Juniper Networks routers if your network includes equipment that does not support this mode.

[MPLS]


• Enhancement to the show mpls lsp extensive command—In Junos OS Release 10.3 and later, the show mpls lsp extensive command displays more detailed Constrained Shortest Path First (CSPF) messages. You can now see the reason(s) for the CSPF path computation and rejection. The following list shows some of the enhanced CSPF messages (depending on your network configuration, the type of messages you see might be different):

• 17 Aug 3 13:17:33.601 CSPF: computation result ignored, new path less avail bw[3 times]

• 16 Aug 3 13:02:51.283 CSPF: computation result ignored, new path no benefit[2 times]

[Routing Protocols and Policies Command Reference]

• Enhancement to CSPF traceoptions—In Junos OS Release 10.3 and later, the Constrained Shortest Path First (CSPF) trace messages have been updated to provide more detailed information about CSPF path computation and rejection. You configure the CSPF traceoptions by including the cspf flag at the [edit protocols mpls traceoptions flag] hierarchy level. The following list shows some of the enhanced CSPF trace messages (depending on your network configuration, the type of messages you see might be different):

• Aug 3 13:26:06.844628 New avail bw 0.91% 100.00% 100.00% 100.00% without rounding

• Aug 3 13:26:06.844676 Old avail bw 0.91% 100.00% 100.00% 100.00% without rounding

• Aug 3 13:26:06.844697 CSPF reoptimize: Avail bw gain on new path 0 (without rounding 0.00%)

• Aug 3 13:26:06.844714 CSPF reoptimize: new path is safe but no benefit

• Aug 3 13:26:06.844731 CSPF reoptimize: result rejected, new path no benefit

• Aug 3 13:26:06.844765 mpls lsp blue-to-green primary CSPF: computation result ignored, new path no benefit

[MPLS]

Platform and Infrastructure

• Enhancement to show interfaces command—The show interfaces command includes a new field, INET6 Address flags, that displays a flag for any IPv6 address that is in a state other than “permanent” or “ready-to-use.”

[Interfaces Command Reference]

Routing Protocols

• New community-count routing policy match condition for BGP routes—You can now configure the number of BGP community entries required for an incoming route to match. This allows you to accept BGP routes based on a specific number or range of BGP community entries. To configure the number of community entries, specify the from statement and include the community-count value (equal | orhigher | orlower) match condition at the following hierarchy levels:

• [edit policy-options policy-statement policy-name term term-name]

• [edit logical-systems logical-system-name policy-options policy-statement policy-name term term-name]

If you configure multiple community-count match condition statements, the matching is effectively a logical AND operation. The following example accepts BGP routes with two, three, or four communities. If a route contains three communities, it is considered a match and is accepted. If a route contains one community, it is not considered a match and is rejected.

[edit]
policy-options {
    policy-statement import-bgp {
        term community {
            from {
                community-count 2 orhigher;
                community-count 4 orlower;
            }
            then {
                accept;
            }
        }
    }
}

[Routing Policy]

• Enhancement to the PIM system log messages—The RPD_PIM_NBRDOWN and the RPD_PIM_NBRUP system log messages have been updated to include the name of the routing instance. This enhancement is also applicable to Junos OS Release 10.0R4, 10.1R4, 10.2R2, and 10.3R1. The following sample shows the enhanced PIM system log messages (depending on your network configuration, the type of messages you see might be different):

Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2 (so-0/1/3.0) removed due to: the interface is purged
Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2 interface so-0/1/3.0

[System Log Messages Reference]


Services Applications

• New configuration to avoid IDP traffic loss (M120, M320, MX240, MX480, and MX960 routers)—When the Multiservices PIC or DPC configured for a service set is either administratively taken offline or fails, all the traffic entering the configured interface with an IDP service set is dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit services service-set service-set-name service-set-options] hierarchy level and (for TCP traffic only) the ignore-errors tcp statement at the [edit interfaces interface-name services-options] hierarchy level. When you configure these statements, the affected packets are forwarded during a Multiservices PIC or DPC failure or offlining as though interface-style services were not configured. This issue applies only to M120, M320, and MX Series routers.

[Services Interfaces]

• Enhancements to the show services pgcp statistics extensive command—Two new fields have been added to the output of the show services pgcp statistics extensive command: the number of Add commands received that have emergency status, and the number of inactivity notifications (it/ito) on the root termination.

The following is a sample of the section of the output showing Add commands with emergency status:

Received Commands    Total    Wildcard    Success    Error
Add                  0        0           0          0
Add (emergency)      0        0           0          0
AuditValue           1        0           1          0
Modify               1        0           1          0
ServiceChange        0        0           0          0
Subtract             0        0           0          0

The following is a sample of the section of the output showing inactivity notifications on the root termination:

ROOT Notify          Total    Wildcard    Success    Error
ocp/mg_overloaded    0        0           0          0
it/ito               1404     0           1404       0

[Border Gateway Function (BGF), System Basics and Services Command Reference]

• Support for softwire rules—The match direction output command is now supported for softwire rules.

[Services Interfaces]

• Summary option for the show services nat mapping command—You can now display summary statistics for Network Address Translation (NAT) mapping by using the show services nat mapping summary command. The following example shows the new output.


Total number of address mappings: 500000
Total number of endpoint independent port mappings: 500000
Total number of endpoint independent filters: 0

[System Basics and Services Command Reference]

• Command to manage the behavior for reserved ports allocation and port parity—Port allocation in a NAT pool can now be controlled with the preserve-parity and preserve-range commands. Preserve-parity allocates even ports for packets with even destination ports, and odd ports for packets with odd destination ports. Preserve-range allocates ports within a range of 0 through 1023 assuming the original packet contains a destination port in the reserved range. This behavior is applicable to control sessions and not to data sessions.

[Services Interfaces]

• Increase in address-only source dynamic pool addresses—The number of address ranges in a NAT pool has increased to 32. The total number of addresses in an address-only source dynamic NAT has increased to 16,777,216.

[Services Interfaces]

• Border Gateway Function (BGF) applies implicit latching on TCP gates when the gate is created—By default, latching of gates is done by explicit latch requests. You can configure implicit latching of gates by entering the set implicit-tcp-latch and set implicit-tcp-source-filter configuration commands at the [edit services pgcp gateway gateway-name h248-options] hierarchy level.

The new configuration statements result in the following actions:

• implicit-tcp-latch—If explicit latching has been applied (using ipnapt/latch) on either gate of a gate pair, implicit latching is not applied. If explicit latching has not been applied on either gate:

• Latching is applied to both gates of the gate pair.

• When either of the gates latches, latching is automatically disabled on the other gate.

• implicit-tcp-source-filter—Applies source address (but not source port) filtering on incoming packets, using the current remote destination address under the following conditions:

• Explicit source filtering has not been applied by use of gm/saf.

• Explicit latching has not been applied by use of ipnapt/latch.

[Border Gateway Function (BGF), Services Interfaces]


Subscriber Access Management

• Modification to the interface-description-format statement—The interface-description-format statement has been modified for Junos OS Release 10.4. As in previous releases, the router includes both the adapter and subinterface as part of the interface description by default. You can now optionally exclude either or both the adapter and subinterface from the description.

[Subscriber Access]

• Modification to the show pppoe interfaces command (M120, M320, MX Series, and J Series routers)—In Junos OS Release 9.5 and later, the extensive option for the show pppoe interfaces command is supported only for J Series routers, which can be configured as Point-to-Point Protocol over Ethernet (PPPoE) clients. The show pppoe interfaces command no longer supports the extensive option for M120, M320, and MX Series routers in Junos OS Release 9.5 and later. When an M120, M320, or MX Series router is configured as an access concentrator server, the statistics for the PPPoE server interfaces do not increment. As a result, when you issue the show pppoe interfaces extensive command on an M120, M320, or MX Series router, the statistics are always displayed as zeros.

[Interfaces Command Reference]

• Enhancement to the clear pppoe statistics command (M120, M320, MX Series, J Series routers)—The clear pppoe statistics command includes a new option, underlying-interface-name, for M120, M320, and MX Series routers in Junos OS Release 9.5 and later. The option enables you to reset the statistics of the underlying PPPoE interface for static and dynamic PPPoE interfaces. In Junos OS Release 9.5 and later, the interface interface-name option for the clear pppoe statistics command is supported only for J Series routers. The clear pppoe statistics command no longer supports the interface interface-name option for the M120, M320 and MX Series routers in Junos OS Release 9.5 and later.

[Interfaces Command Reference]

• Support for DSL Forum VSAs (MX Series routers)—Digital Subscriber Line (DSL) attributes are RADIUS VSAs that are defined by the DSL Forum. The attributes transport DSL information that is not supported by standard RADIUS attributes and convey information about the associated DSL subscriber and data rate. The attributes are defined in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes. Junos OS uses the vendor ID 3561, which is assigned by the Internet Assigned Numbers Authority (IANA), for the DSL Forum VSAs.

Subscriber management supports DSL Forum VSAs in pass-through mode. In pass-through mode, the router does not process DSL values, but rather passes the values received from the subscriber to the RADIUS server, without performing any parsing or manipulation.

[Subscriber Access]

• Required pppoe-options subhierarchy for configuring static and dynamic PPPoE interfaces (M120, M320, MX Series routers)—When you configure a static or dynamic pp0 (PPPoE) logical interface, you must include the pppoe-options subhierarchy in the configuration. Failure to include the pppoe-options subhierarchy causes the commit operation to fail.

This requirement is in effect for configuration of static PPPoE logical interfaces as of Junos OS Release 10.2 and later, and has always been in effect for configuration of dynamic PPPoE subscriber interfaces in a PPPoE dynamic profile. For example, the following configuration now causes the commit operation to fail for both static and dynamic PPPoE logical interfaces:

pp0 {
    unit 0 {
    }
}

To configure a static PPPoE logical interface in Junos OS Release 10.2 and higher-numbered releases, you must include the pppoe-options subhierarchy at the [edit interfaces pp0 unit logical-unit-number] hierarchy level or at the [edit logical-systems logical-system-name interfaces pp0 unit logical-unit-number] hierarchy level. At a minimum, the pppoe-options subhierarchy must include the name of the PPPoE underlying interface and the server statement, which configures the router to act as a PPPoE server. For example:

[edit interfaces]
...
pp0 {
    unit 0 {
        pppoe-options {
            underlying-interface ge-1/0/0.0;
            server;
        }
        ...
    }
}

To configure a dynamic PPPoE subscriber interface in a PPPoE dynamic profile, you must include the pppoe-options subhierarchy at the [edit dynamic-profiles profile-name interfaces pp0 unit “$junos-interface-unit”] hierarchy level. At a minimum, the pppoe-options subhierarchy must include the name of the underlying Ethernet interface, represented by the $junos-underlying-interface predefined dynamic variable, and the server statement. For example:

[edit]
dynamic-profiles {
    pppoe-profile {
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    ...
                }
            }
        }
    }
}

[Network Interfaces, Subscriber Access]

• Subscriber access statistics—RADIUS reports subscriber statistics as an aggregate of both IPv4 statistics and IPv6 statistics.

• For an IPv4-only configuration, the standard RADIUS attributes report the IPv4 statistics and the IPv6 VSA results are all reported as 0.

• For an IPv6-only configuration, the standard RADIUS attributes and the IPv6 VSA statistics are identical, both reporting the IPv6 statistics.

• When both IPv4 and IPv6 are configured, the standard RADIUS attributes report the combined IPv4 and IPv6 statistics. The IPv6 VSAs report IPv6 statistics.

[Subscriber Access]

• Change to operation of RADIUS attribute Framed-IPv6-Prefix [97] (M120, M320, MX Series routers)—The operation of the standard RADIUS attribute Framed-IPv6-Prefix [97] has been modified in Junos OS Release 10.4 and later. In these releases, the Framed-IPv6-Prefix attribute communicates the router advertisement prefix from RADIUS to the network access server (NAS). In Junos OS Release 10.3 and earlier, the Framed-IPv6-Prefix attribute communicated the DHCPv6 delegated prefix from RADIUS to the NAS.

[Subscriber Access]

User Interface and Configuration

• Change in the commit | display detail option—If the number of commit messages exceeds a page when the commit command is used with the | display detail pipe option, the more pagination prompt is no longer shown. Instead, the messages scroll up the screen by default, just as when the commit command is used with the | no-more pipe option.

[CLI User Guide]

• New configuration statement to configure retry attempts for checking the keepalive status of a Point-to-Point Protocol (PPP) session—Junos OS introduces the keepalive-retries number-of-retries statement at the [edit access profile profile-name client client-name ppp] hierarchy level. Include this statement in the configuration to reduce the detection time for PPP client session timeouts or failures if you have configured the keepalive timeout interval (using the keepalive statement).

[System Basics]

• New configuration statement to enable the processing of IPv4-mapped IPv6 addresses—Junos OS introduces the allow-v4mapped-packets configuration statement at the [edit system] hierarchy level. By default, Junos OS does not process IPv4-mapped IPv6 packets, which prevents malicious packets of this form from entering the network. To enable the processing of IPv4-mapped IPv6 packets, include the allow-v4mapped-packets statement in the CLI configuration.

[System Basics]
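The following Python example is added here and is not part of the release notes or of Junos OS; the block lists and log lines are constructed. It shows why the default is worth keeping: a filter that checks an address only against the family it is written in lets an IPv4-mapped source (::ffff:a.b.c.d) slip past the IPv4 block list, while a filter that either drops mapped packets outright (the Junos default) or evaluates the embedded IPv4 address against the IPv4 policy does not. The last function is a log-side check for mapped sources, the kind of evidence to look at before deciding to enable allow-v4mapped-packets.

```python
import ipaddress

# Constructed sample policy (not from the release notes): source ranges that
# must never enter the network, kept as separate IPv4 and IPv6 lists the way
# most filters are written.
BLOCKED_V4 = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("10.0.0.0/8")]
BLOCKED_V6 = [ipaddress.ip_network("2001:db8:bad::/48")]


def classify(addr_str: str):
    """Return ("ipv4", addr), ("ipv6", addr) or ("ipv4-mapped", embedded_ipv4)."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 4:
        return "ipv4", addr
    if addr.ipv4_mapped is not None:          # ::ffff:a.b.c.d form
        return "ipv4-mapped", addr.ipv4_mapped
    return "ipv6", addr


def naive_evaluate(src: str) -> str:
    """Filter that judges an address only by the family it is written in.

    An IPv4-mapped address is syntactically IPv6, so it is checked against
    BLOCKED_V6 only and the IPv4 block list never sees the embedded address.
    """
    kind, addr = classify(src)
    if kind == "ipv4":
        return "drop" if any(addr in n for n in BLOCKED_V4) else "accept"
    v6 = ipaddress.ip_address(src)
    return "drop" if any(v6 in n for n in BLOCKED_V6) else "accept"


def hardened_evaluate(src: str, allow_v4mapped: bool = False) -> str:
    """Filter that treats IPv4-mapped addresses the way Junos OS 10.4 does.

    By default (allow_v4mapped=False) mapped packets are dropped outright.
    When explicitly allowed, the embedded IPv4 address, not the IPv6
    wrapper, is what the policy is applied to.
    """
    kind, addr = classify(src)
    if kind == "ipv4-mapped":
        if not allow_v4mapped:
            return "drop"
        return "drop" if any(addr in n for n in BLOCKED_V4) else "accept"
    if kind == "ipv4":
        return "drop" if any(addr in n for n in BLOCKED_V4) else "accept"
    return "drop" if any(addr in n for n in BLOCKED_V6) else "accept"


def mapped_sources(log_lines):
    """Scan constructed flow-log lines ('src=<addr> ...') and return the
    IPv4 addresses that arrived wrapped as IPv4-mapped IPv6."""
    found = []
    for line in log_lines:
        for field in line.split():
            if not field.startswith("src="):
                continue
            try:
                kind, addr = classify(field[4:])
            except ValueError:      # unparsable address in a malformed line
                continue
            if kind == "ipv4-mapped":
                found.append(str(addr))
    return found


if __name__ == "__main__":
    for s in ("203.0.113.5", "::ffff:203.0.113.5", "2001:db8:1::1"):
        print(s, naive_evaluate(s), hardened_evaluate(s))
```

If mapped_sources returns anything on a network where no host is expected to emit IPv4-mapped traffic, that is a reason to keep the default and investigate the sender, not a reason to enable the statement.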

• New option introduced for the show | display inheritance operational mode command—Junos OS now provides the no-comments option for the show | display inheritance command. This option enables you to view CLI configuration details without inline comments marked with ##.

[CLI User Guide]

• Enhancement to the show chassis sibs command—The show chassis sibs command now displays an appropriate reason when a SIB transitions to the Offline state. For instance, if the SIB is taken offline using the request chassis sib command, the output of the show chassis sibs command displays --- Offlined by cli command ---.

[System Basics and Services Command Reference]

• New option for the ping mpls l2vpn and ping mpls l2circuit commands—The ping mpls l2vpn and ping mpls l2circuit commands provide a new option reply-mode that enables you to specify the reply mode for the ping request. The reply-mode option provides the application-level-control-channel, ip-udp, and no-reply options.

[System Basics and Services Command Reference]

• Enhancement to the output of the show chassis hardware detail command—The show chassis hardware detail command now displays DIMM information for the following Routing Engines:

Table 2: Routing Engines Displaying DIMM Information

Routing Engines                  Routers
RE-S-1800x2 and RE-S-1800x4      MX240, MX480, and MX960 routers
RE-A-1800x2                      M120 and M320 routers

[System Basics and Services Command Reference]

• Enhancement to the show chassis fpc command—The show chassis fpc command now displays accurate temperature readings for the FPC.

[System Basics and Services Command Reference]

VPNs

• SCU support for VRF routing instances with vrf-table-label configured—You can now configure source class usage (SCU) to count packets on Layer 3 VPNs configured with the vrf-table-label statement. Include the source-class-usage statement at the [edit routing-instances routing-instance-name vrf-table-label] hierarchy level. The source-class-usage statement at this hierarchy level is supported only for the virtual routing and forwarding (VRF) instance type. Previously, you could not enable SCU when the vrf-table-label statement was configured. Destination class usage (DCU) is not supported when vrf-table-label is configured.

[VPNs, Network Interfaces]

Related Documentation

• New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55

• Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers on page 77

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 83

Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

The current software release is Release 10.4R2. For information about obtaining the software packages, see “Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers” on page 83.

• Current Software Release on page 55

• Previous Releases on page 67

Current Software Release

Outstanding Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Class of Service

• When a valid rate limit is configured on an interface from a DPCE-R-Q-20GE-2XGE card, the router might log a message incorrectly that the configuration is not supported. The rate-limit functionality is, however, correctly implemented in the hardware. [PR/574764]

Forwarding and Sampling

• A high CPU utilization by the DFWD process might occur if the interface lo0 is configured as part of the interface group 0. [PR/497242]

• When a VPN routing and forwarding table (VRF table) is configured in a logical system, and no loopback filter is configured in the VRF table while one is configured on the logical system and on the default router, packets destined for the VRF table reach the filter configured in the logical system. They are expected to reach the filter configured in the default route table instead. [PR/575060]

• On M Series, T Series, and J Series routers, when the installation of a filter that contains a logical interface policer or a physical interface policer fails (for example, due to insufficient jtree memory), the FPC might crash. [PR/579271]

High Availability

• The SSH keys are not in sync between the master and backup Routing Engine when SSH is enabled after a graceful Routing Engine switchover (GRES). [PR/455062]

Interfaces and Chassis

• When the Rx power level is a negative value, the SFP diagnostics output displays an invalid receiver power level reading. [PR/235771]

• Upon a link up event, old packets from the previous link down are still dequeued. This leads to huge latency reports. [PR/515842]

• Discrepancies exist in MAC and filter statistics between Trio MPC and Enhanced DPCs. [PR/517926]

• The multipoint-destination configuration statement is not supported on IQE PICs. While the configuration of this statement is accepted without problems initially, subsequent reconfiguration of the interface might cause the FPC and Packet Forwarding Engine to reboot. [PR/529423]

• When a configuration contains a large number of logical interfaces, and graceful Routing Engine switchover is not configured, the restart chassis-control command might result in some of the FPCs staying offline. As a workaround, enable graceful Routing Engine switchover (set chassis redundancy graceful-switchover). [PR/532030]

• When the show interfaces command is used, no service set attachment information is displayed. This information is visible under the interfaces hierarchy (configuration). [PR/541574]

• On a 20-port Gigabit Ethernet Enhanced Queuing IP Services DPC and a 2-port 10-Gigabit Ethernet Enhanced DPC, the link status of the interface goes down when the TX router towards the peer is removed. [PR/542668]

• On MX Series routers, the following syslog error messages appear when a configuration change is made and committed:

UI_DBASE_LOGIN_EVENT: User 'regress' entering configuration mode
UI_COMMIT: User 'regress' requested 'commit synchronize' operation (comment: none)
Shared memory release
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state 5123
vcdb_extract_db_from_file reading file /config/vchassis/vc.tlv.db
vcdb_extract_db_from_file Error opening file. errno = 2
vcdb_extract_db_from_file reading file /config/vchassis/vc.db
vcdb_extract_db_from_file: DB Files couldn't be read.
vccpd_platform_get_serial_num: read s/n JN10C843EAFA success, task_state 7171
Shared memory release
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_mmaxtries: 3, max solicit testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param
sysctl_nd6_prune: 1, retrans timer testing setting of param

[PR/548853]

• After an MX80 router is upgraded to Junos OS Release 10.3, the "Front Panel Alarm Indicators" LEDs do not show any status in the output of the show chassis craft-interface command, even when a chassis alarm is set on the router. [PR/558046]

• Under certain conditions, both the primary and the secondary sections of the interface might get disabled. To recover from this condition, deactivate and activate the interface configuration. [PR/559656]

• On MPC-3D-x Gigabit Ethernet FPCs, the following IDMEM parity error messages appear:

MX960-LAB fpc3 LU 2 RD_NACK 2 AP[0x04] TOE Write 0x002913a0
MX960-LAB fpc3 LU 2 IDMEM Parity error in Bank 3, Count 10, IDMEM Bank 3 Offset 0x00014899 IDMEM[0x00052274]

These messages repeat as long as the software encounters the error. These error messages occur within uninitialized memory locations. [PR/569887]

• Incorrect K2 bytes might be transmitted if the mode bits are not set correctly by the apsd process. [PR/569903]

• When the maximum transmission unit (MTU) is set on an AE interface, the AE logical interfaces inherit an MTU value that is equal to the Ethernet’s MTU value excluding the Ethernet header. When a VLAN demultiplexing (demux) logical interface is created with an underlying AE interface, the VLAN demux logical interface inherits an MTU value equal to the full Ethernet MTU. This is because the MTU on demux interfaces is not set correctly. As a workaround, set the proper MTU value when the family is configured on these interfaces. [PR/579957]

Layer 2 Ethernet Services

• The release message is not sent to the DHCP server even though the send-release-on-delete flag is set under the DHCP relay configuration. As a workaround, to deactivate or deconfigure an interface, clear all the bindings on the interface before you deactivate or delete the interface. To deactivate or deconfigure the relay, clear all the bindings before you deactivate or delete the relay. [PR/498920]

MPLS Applications

• On M Series and T Series routers, the MPLS label-switched path (LSP) log messages are not logged for nonstandby secondary MPLS LSPs. [PR/560069]

• The routing protocol process crashes when an MVPN routing instance is activated and deactivated. [PR/571131]

Network Management

• The value of ifHighSpeed for the current bandwidth of an interface is in units of 1,000,000 bits per second. According to RFC 2683, ifHighSpeed must be rounded to the nearest whole value on both physical interfaces and logical interfaces. [PR/507004]

Platform and Infrastructure

• The SFC management interface em0 is often displayed as fxp0 in several warning messages. [PR/454074]

• On restarting with a large-scale configuration (16,000 logical interfaces per MPC), the MPC-3D-16XGE-SFPP card may take up to 15 minutes to come up. [PR/478548]

• The dynamic auto-sensed VPLS interfaces fail after modifications are made to the routing instance. Before making configuration changes to any routing instance, clear any active logical interfaces that are part of the routing instance using the clear auto-configuration interfaces operational command. Modifying a routing instance configuration when the configuration is actively being used by subscribers can result in an unpredictable behavior. [PR/512902]

• An NTP server might not reply to clients with a source address that is explicitly configured. [PR/540430]

• The IPv6 BGP neighbors might not come back to the up state when an FPC associated with that session is manually taken offline, removed, and re-inserted. [PR/552376]

• No ICMP host redirect messages are generated when there are multiple VLANs configured on an interface (multiple logical interfaces on a single physical interface). [PR/559317]

• When the same local link address is configured on two interfaces, the message "/kernel: ip6_getpmtu: Invalid Stored MTU" is displayed continuously. [PR/560079]

• When IPv6 packets have a size greater than 1232 bytes, the packets get fragmented. [PR/571596]

• After a few graceful Routing Engine switchovers, the firewall filter applied on the loopback interface might affect the internal control packets from the PICs to the Routing Engine. The PICs might fail to come back online if the packets are blocked. [PR/578049]

Routing Protocols

• When aggregate interfaces are used for VPN applications, load balancing may not occur with a Layer 2 circuit configuration. [PR/471935]

• Under certain circumstances, the BGP path selection does not follow the local preference. This might lead to incorrect BGP path selections. [PR/513233]

• When an interface is added to a routing instance with rpf-check enabled, the routing protocol process might crash if a route-distinguisher is also changed at the same time. [PR/539321]

• In Junos OS Release 10.0 and later, a direct route to a VRF with a rib-group is not advertised as an inet-vpn route to the IBGP neighbor due to the error "BGP label allocation failure: Need a nexthop address on LAN." [PR/552377]

• In some cases, MX Series routers might not send the Link Layer Discovery Protocol (LLDP) notification trap when the LLDP is disabled on the remote neighbor. [PR/560855]

• When a routing protocol process is restarted after a crash or a mastership switch, the kernel and the reference counters for the routing protocol process flood branch next hop might no longer be in sync. The exposure is high in NGEN-MVPN with many local receivers and constant churn of joins and prunes of multicast groups. The routing protocol process might assert and restart while deleting a flooded next hop. As a workaround, restart the system, or deactivate all MVPN instances to get the kernel and the routing protocol process back in sync upon a routing protocol process restart. [PR/561127]

• The 3D Packet Forwarding Engines might experience a rare transient error that temporarily corrupts one of the lookup engines, resulting in packet loss. A set of messages similar to the following is displayed:

fpc0 LU 0 PPE_7 Errors ucode data error 0x00000184
fpc0 PPE Thread Timeout Trap: Count 3, PC 20, 0x0020: entry_index_nh 0x0020: entry_index_nh
PPE PPE HW Fault Trap: Count 10831395, PC 2c, 0x002c: entry_policer_nh

Restart the Packet Forwarding Engine to clear this error state. [PR/564998]

• The configuration of DSCP ReWrite rules on a 10-port 10-Gigabit Ethernet LAN/WAN PIC with SFP+ might overwrite the DSCP value coming from the Routing Engine for a host-generated traffic. [PR/575259]

• When a core-facing DPC is restarted, the message "mcsn: cannot perform nh operation ADDANDGET nhop (null) type indirect index 0 errno 22" appears. A trigger also moves the interfaces from bridge domains to VPLS instances. To clear this issue, restart multicast snooping. [PR/576058]

• When local AS and auto-export are configured in a hub-spoke environment, hidden routes might exist. [PR/578833]

Services Applications

• The output of the show services ids destination-table command might not display any flow and related statistics in the IDS anomaly table for a certain period of time after the flows are activated. [PR/490584]

• The data channel applications for protocols such as FTP, TFTP, RTSP, and SIP are not in the same application group as their control channel applications. For example, control channel application junos:ftp is in the group junos:file-server, but the corresponding data application junos:system:ftp-data is not in any group. [PR/507865]

• On M Series and MX Series routers, after a hot-standby RMS, all existing flows are dropped and it takes some time for new flows to appear with the state. This is due to the limitation of the RMS. All existing traffic is dropped, and RPC is most impacted as it has a long retry timer and takes a long time to recover. [PR/535597]

• When unit 0 of the Multiservices PIC interface is not specified, the monitor interface traffic command does not display the input packet count properly for that particular ms-I/F interface. [PR/544318]

• When an Snmpwalk operation is performed on the jnxSpSvcSetSvcType object or any of its subobjects, the “SPD_DB_SVC_SET_ADD_FAILURE” log message appears. [PR/546808]

• FTP sessions that last long periods (several minutes or hours) are suddenly disconnected when traffic is still flowing on the data channel. [PR/579475]

User Interface and Configuration

• In the J-Web interface, the “Generate Report” option under Monitor Event and Alarms opens the report in the same web page. [PR/433883]

• Selecting the monitor port for any port in the Chassis Viewer page displays the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. [PR/446890]

• On MX Series routers, J-Web does not display the USB-related information under Monitor>SystemView>System Information>Storage. [PR/465147]

• When a new-line character (\n) is used within the op script argument descriptions, the help output might display incorrectly, and could result in extra output being displayed when the op script executes. [PR/485253]

• In the J-Web interface, the options Access Concentrator, Idle Timeout, and Service Name for PPPoE logical interfaces are not supported on MX Series routers. [PR/493451]

• The J-Web interface does not display the drop-profile-map, excess-priority, excess-rate, and rate-limit (transmit rate) parameters, which are supported for the schedulers configuration. Configure these parameters using the CLI. [PR/495947]

• Warning messages related to pending commits are not triggered when the following operations are performed:

• Software->Upload

• Software->Install Package

• Maintain->Reboot

As a workaround, commit all pending commits before performing the operations listed above. [PR/514853]

• The annotate option does not appear when it is used with the edit private command for class of service. [PR/535574]

• When an HTTPS connection is used for the J-Web interface in Internet Explorer to save a report from the View Events page (Monitor->Events and Alarms->View events), the following error message is displayed: “Internet Explorer was not able to open the Internet site.”

This issue also appears in the following places on the J-Web interface:

• maintain->config management->history

• maintain->customer support->support information->Generate Reports

• Troubleshoot port->Generate Reports

• maintain->files

• Monitor->Routing->Route Information->Generate Reports

[PR/542887]

• The J-Web pages load inconsistently when Add IPv4 or IPv6 filters are used in the Internet Explorer and Firefox Web browsers. [PR/543607]

• After the "delete:" action is performed, the "replace" actions do not take effect in the "load replace terminal" operation. [PR/556971]

• The JavaScript error "Object Expected" occurs when J-Web pages are navigated before the page loads completely. [PR/567756]

• A commit script that activates an apply group might fail to pass the commit check logic. [PR/576384]

• The show system rollback command does not work in the configuration mode, while the command works from the operational mode. [PR/580645]

Resolved Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Class of Service

• On T Series routers, when the class-of-service scheduling or queuing parameters on an interface with high traffic utilization (close to the line rate or oversubscribed) are changed, the FPC that hosts the interface might restart. This issue is specific to non-ES type FPCs. [PR/565307: This issue has been resolved.]

• When a firewall filter containing a packet loss priority (PLP) rewrite references a policer that also contains a PLP rewrite, the PLP is rewritten twice: the PLP bits of packets matching the filter condition are first set by the PLP set action in the policer and then set again by the PLP set action in the firewall filter. [PR/566896: This issue has been resolved.]

Forwarding and Sampling

• When Routing Engine sampling is configured, and each flow server corresponds to a different autonomous system type, the packet size of the exported cflowd v5/8/500 packets might increase. [PR/530008: This issue has been resolved.]

• With sampled traffic on a Multiservices PIC, the multicast convergence slows down with the message "RPD_KRT_Q_RETRIES: Indirect Next Hop Update: No buffer space available." [PR/554363: This issue has been resolved.]

• Making any circuit cross-connect (CCC) filter changes might render the Packet Forwarding Engine busy which might cause a slow statistics response. [PR/554722: This issue has been resolved.]

• When a loopback filter is configured, packets sent by the ASIC to the Packet Forwarding Engine’s CPU for generation of TTL expiry notification are dropped. [PR/555028: This issue has been resolved.]

• The mib2d process might crash when a race condition exists between the mib2d process and the dfwd process. [PR/563419: This issue has been resolved.]

• When a firewall filter with multiple terms references the same three color policer and has the same count variable configured, any IP packets that match the second or later terms might get corrupted. Use different count variables in each term to prevent this issue. [PR/567546: This issue has been resolved.]

• The Radius Accounting Interim message might not be sent immediately after a Change of Authorization (CoA), even if the CoA is successfully processed and the coa-immediate-update option is present in the configuration. [PR/570058: This issue has been resolved.]

High Availability

• When a container interface (used in AE interfaces) is freed in the memory, the child nexthop (member link) on the master Routing Engine is also freed. However, in some cases, the child nexthop on the backup Routing Engine is not freed resulting in a crash. [PR/562295: This issue has been resolved.]

Interfaces and Chassis

• On TX Matrix Plus routers, the message "fru_is_present: out of range slot 1 for CIP" is continuously sent on all the LCCs. [PR/48311: This issue has been resolved.]

• During initialization, some garbage data can flow into the unused SONET interface. This data is small in size and does not contain any SOP or EOP information. This data consumes some D4P buffer memory. The D4P buffer does not remove this data until more data comes into the buffer. Periodic health check reports the following status: “D4P-10/1: FROML tx48 stream 1 data path stuck.” To resolve this issue, purge the D4P buffer. [PR/424326: This issue has been resolved.]

• The queue counter of the aggregated Ethernet is counted up after the statistics are cleared and the FPC is restarted. [PR/528027: This issue has been resolved.]

• On an MX Series router with a mixed MPC and DPC environment, the first and subsequent cell drops occur at the DPC. [PR/540283: This issue has been resolved.]

• When a large OID registration traffic exists from the subagent to the master agent, the registration packets encounter random errors during transmission. This affects the registration process. [PR/555345: This issue has been resolved.]

• When a member link is added to an existing aggregated interface, a multicast distribution tree (MDT) mismatch might occur among the FPCs. This issue occurs only when graceful Routing Engine switchover (GRES) is enabled. [PR/558745: This issue has been resolved.]

• A Layer 2 instability and rapid VRRP mastership change might cause MPC-3D-16XGE-SFPP to restart. [PR/560716: This issue has been resolved.]

• When a MAC address list is moved, the resulting flush process might be interrupted when the list is processed. [PR/560730: This issue has been resolved.]

• If the cable of a TX router is removed from the interface on an MIC-3D-20GE-SFP, the state of the interface remains in the "up up" state. [PR/561254: This issue has been resolved.]

• When multiple physical interfaces exist in a 4x Channelized DS3 IQ PIC, errors might occur when each controller physical interface is deleted while the PIC is taken offline. [PR/561841: This issue has been resolved.]

• In some cases, when a DPC or MPC is restarted, a wrong physical interface index is assigned to the interface which might cause the MPC to crash. [PR/563056: This issue has been resolved.]

• When a change in the bridge domain membership occurs, and the bridge domain has an IRB interface and a vt-x/y/z interface, the Packet Forwarding Engine that does not have any local interfaces on that bridge domain might restart. [PR/566878: This issue has been resolved.]

• When the chassisd process receives a temporary error code (such as Device Busy, Try Again, No Buffer Space, or No Memory), while trying to add both the PIC and physical interfaces present in the PIC to the kernel, the chassisd process may not retry adding the physical interface back to the kernel until it succeeds. The device or physical interface will not recover. It is recommended to restart the router or the FPC when this issue is encountered. [PR/570206: This issue has been resolved.]

• On TX Matrix Plus routers, the set craft-lockout command might cause an FPM interrupt flooding. [PR/571270: This issue has been resolved.]

• On any Junos OS device that supports Ethernet OAM, the cfmd process might crash when a malformed delay measurement message (DMM) is received. [PR/571673: This issue has been resolved.]

Layer 2 Ethernet Services

• The PIM neighborship does not appear over the IRB interface after the dense port concentrator (DPC) is restarted. [PR/559101: This issue has been resolved.]

MPLS Applications

• Under certain circumstances, the routing protocol process might crash when configuration changes are made to label-switched paths at the [edit protocol mpls] hierarchy level. [PR/550699: This issue has been resolved.]

• When the no-decrement-ttl statement is included at the [edit protocols mpls] or the [edit protocols mpls label-switched-path path-name] hierarchy level, the VPN Label TTL action field in the output of the show route extensive command displays vrf-propagate-ttl as the action. This is a display issue only and has no operational impact on the forwarding behavior. This is relevant to Layer 3 VPN scenarios where BGP routes resolve over RSVP LSPs and the no-propagate-ttl statement is not configured at the [edit protocols mpls] hierarchy level. [PR/563505: This issue has been resolved.]

• A point-to-multipoint LSP with bandwidth requirement might fail to retrace the original path after a graceful restart, and might not come up until the end of the recovery period. [PR/574308: This issue has been resolved.]

Network Management

• SNMP might stop working after a router, a DPC, an FPC, or an MPC is restarted, or after a graceful Routing Engine switchover. [PR/525002: This issue has been resolved.]

Platform and Infrastructure

• Under certain circumstances, the message “NH: Failed to find nh (xxxx) for deletion” appears for the child links of an aggregate interface. However, this message should appear only when the child next hop is not found. This message is only cosmetic. [PR/494528: This issue has been resolved.]

• In a Layer 2 circuit setup with a link services intelligent queuing interface (LSQ) in the core, and the control-word option is enabled, a ping between two CE interfaces fails. As a workaround, use the no-control-word option. [PR/551207: This issue has been resolved.]

• A DPC or an MPC may reset when aggregated Ethernet (AE) interfaces are provisioned with IRB. In some cases, a DPC may also reset when a member link of an AE interface flaps. [PR/559887: This issue has been resolved.]

• With the IRB and AE interfaces in a bridge-domain, the old nexthop data is not cleared from the Packet Forwarding Engines when they are updated. This causes the Packet Forwarding Engine to crash when that nexthop is later referenced. [PR/560813: This issue has been resolved.]

• On an MX960 router, when an MPC is installed and OSPF and IS-IS are activated simultaneously, the "jtree memory free using incorrect value 8 correct 0" message is displayed for all DPCs. [PR/562719: This issue has been resolved.]

• On standalone routers with GRES enabled (using the set chassis redundancy graceful-switchover command), or on multichassis platforms (TX and TXP routers), FPCs can crash creating a core file when interfaces are moved from one aggregate bundle to another aggregate bundle in a single configuration commit operation. As a workaround, split the operation into two commits. Remove the interface from one bundle and perform a commit, and later add it to another bundle and perform another commit. [PR/563473: This issue has been resolved.]

• The MPC might crash when multicast traffic is forwarded and interfaces are deactivated. [PR/565454: This issue has been resolved.]

• In Junos OS Release 10.2 and later, the Packet Forwarding Engine process tracing is enabled by default. This results in the MIB2D process not being able to communicate with the Packet Forwarding Engine process. [PR/566681: This issue has been resolved.]

• On MX Series routers running Junos OS Release 10.2 and later, when a new link from a newly inserted FPC is configured to an existing aggregate configuration, the newly added link information might not appear in the Link:, LACP info:, LACP Statistics:, and Marker Statistics: fields in the output of the show interface aex extensive command. Deactivate and then activate the aggregate interface to resolve this issue. [PR/571245: This issue has been resolved.]

Routing Protocols

• In rare situations, the routing protocol process might restart due to a software validation failure. [PR/476143: This issue has been resolved.]

• With a large number of peers in a single BGP group, continuous large route churn may trigger scheduler slips in the routing protocol process. [PR/544573: This issue has been resolved.]

• In instances with scaled LACP configurations, the periodic packet management process (ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]

• When a policy matching an extended community using a 4-byte AS and a wildcard is configured, the match condition might fail to match the relevant communities. As a workaround, configure exact matches. [PR/550539: This issue has been resolved.]

• A rare race condition might cause the routing protocol process to crash when an (s,g)/(*,g) entry is removed. [PR/551949: This issue has been resolved.]

• With nonstop active routing (NSR) enabled for LDP, an LDP database entry mismatch can exist between the master and the backup Routing Engines. The backup Routing Engine does not replicate the LDP socket and logs the error "jsr_sdrl_set_data: No space dlen." [PR/552945: This issue has been resolved.]

• When a default route target is sent by a BGP peer, BGP does not track the VPN routes covered by that route target. When the default route target goes away, BGP does not withdraw the VPN routes that were previously covered by it. [PR/556432: This issue has been resolved.]

• On a 3D MPC, load balancing might not work when BGP multipath is configured. [PR/557099: This issue has been resolved.]

• On M Series, MX Series, and T Series routers, the Virtual Router Redundancy Protocol (VRRP) process might become unresponsive when processing is delegated to the Packet Forwarding Engine. As a workaround, remove the delegate-processing option from the [protocols vrrp] hierarchy level. [PR/559033: This issue has been resolved.]

• When the advertise-default option is used with the route-target family, and a new VPN is added, the necessary route refresh is not sent. [PR/561211: This issue has been resolved.]

• When the Link Layer Discovery Protocol (LLDP) advertisement interval value is changed from 30 seconds to 60 seconds, and the show lldp detail command is executed, the output shows 60 seconds. However, the Routing Engine forwards the LLDP packet every 30 seconds. When the interface is deactivated and activated again, the LLDP packets are forwarded every 60 seconds correctly. [PR/560857: This issue has been resolved.]

• Under certain circumstances, the routing protocol process crashes while receiving the IGMP SNMP GetNext request. [PR/561842: This issue has been resolved.]

• The multicast snooping process might crash and prevent a commit when the apply-group statement is used at the bridge-domain <*> hierarchy level. [PR/562776: This issue has been resolved.]

• The routing protocol process might crash in the following environments:

• Auto-export is configured for route leaking between VRFs.

• Communities are added in the import policy of the second VPN routing and forwarding (VRF) table.

[PR/563231: This issue has been resolved.]

• Packets might not be correctly evaluated by a filter in an MPC that contains noncontiguous prefixes. As a workaround, replace the noncontiguous prefixes with equivalent sets of contiguous prefixes. [PR/564286: This issue has been resolved.]

• On M10i and M7i routers, the distributed PPMD process is disabled by default. However, it should be enabled by default since it is supported by the Enhanced CFEB (CFEB-E). [PR/565957: This issue has been resolved.]

• IS-IS might not use the MPLS label-switched paths (LSPs) if the names of the label-switched paths are similar in the first 32 characters. [PR/568093: This issue has been resolved.]

• If the always-compare-med option is configured when a route change occurs, the routing protocol process might occasionally crash due to a soft assertion. However, the soft assertion does not impact the user traffic. [PR/568725: This issue has been resolved.]

• During a nonstop active routing (NSR) switchover with a large number of remote Layer 3 VPN prefixes, and a local eBGP session with short hold timers, routing protocol process scheduler slips might occur, which causes the BGP session to flap. [PR/568756: This issue has been resolved.]

• Under certain circumstances, processing of links with maximum metric set by IS-IS shortest path first (SPF) computation algorithm might lead to suboptimal routing decisions. [PR/569649: This issue has been resolved.]

Services Applications

• In scaled environments, the thread in the Multiservices PIC or DPC for cflow might run too long. This causes the PIC or DPC to crash. [PR/494457: This issue has been resolved.]

• On Multiservices 500 PICs with graceful Routing Engine switchover, wrong record values are seen in the IPv4 NetFlow export packets. This error occurs when the route record does not get installed. [PR/545422: This issue has been resolved.]

• The Multiservice 400 PIC crashes due to a memory allocation failure when the PIC tries to respond to a Routing Engine CLI request. [PR/558237: This issue has been resolved.]

• The Multiservices PIC might crash when traffic is received on a Layer 2 Tunneling Protocol (L2TP) session (MLPPP bundle), and a teardown request is also received at the same time. [PR/561039: This issue has been resolved.]

• If Bidirectional Forwarding Detection protocol (BFD) protection for BGP sessions is configured on a BGP session in a nonmaster routing instance, the BFD might start for that session before the kernel ID of the routing instance is set. This might cause the BFD session to freeze. As a workaround, if the BFD session has the routing table value of 4294967295, use the clear bfd session command to start a new session that will address the issue as long as the routing instance's kernel table is allocated. [PR/563161: This issue has been resolved.]

• If a class-of-service rule is applied to a service set, the inactive timeout under the user-configured application does not take effect. As a workaround, match the application in the class-of-service rule. [PR/571304: This issue has been resolved.]

User Interface and Configuration

• Under certain circumstances, a nested Junos OS configuration group with a wildcard match might not have the desired effect. [PR/556379: This issue has been resolved.]

• When a "validate" RPC is executed using a NETCONF session, some essential information about the session is not populated in the configuration database. [PR/570778: This issue has been resolved.]

VPNs

• In MVPN routing instances with local receivers, a flood next hop is created for each S,G entry for multicast traffic received from the CE. After the local receivers are joined or pruned, a new flood next hop is created. However, old flood next hops are not deleted. This leads to a memory leak within the routing protocol process. When the routing protocol process reaches a size of 2 GB, it triggers an assertion and a restart. [PR/569621: This issue has been resolved.]

• In a local-switched Layer 2 virtual circuit scenario, the control and forwarding planes might not be properly updated by the routing protocol process when one of the logical interfaces forming the Layer 2 virtual circuit is taken down. [PR/572780: This issue has been resolved.]

Previous Releases

Release 10.3R2

The following issues have been resolved since Junos OS Release 10.3R2. The identifier following the description is the tracking number in our bug database.

Class of Service

• When a VLAN ID is changed, the following message appears in the messages log: "COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL 74. Reason: File exists.” This log message appears when the configuration is committed with VPLS configured on the Gigabit Ethernet interface, and a class-of-service classifier or rewrite rules that contain IEEE 802.1P on the interface are used. [PR/408552: This issue has been resolved.]

• When a logical interface set has a shaping-rate less than the sum of transmit-rates of its queues and when the configuration is corrected so that the logical interface set gets the correct shaping-rate, ADPC might crash. [PR/523507: This issue has been resolved.]

• During a graceful Routing Engine switchover, the traffic control profile might not be applied on the interfaces. As a workaround, deactivate and reactivate class of service. [PR/533862: This issue has been resolved.]

• When per-unit-scheduler is applied under the interfaces hierarchy level, and shaping rate is applied under the class-of-service interface hierarchy level in the same commit operation, port shaping rate does not work and the total logical interface transmitted byte rate exceeds the physical interface shaping rate. As a workaround, configure shaping-rate within a traffic-control-profile and apply that to an interface, or deactivate and activate shaping-rate using the class-of-service interface interface-name shaping-rate command. [PR/539590: This issue has been resolved.]

• Under certain conditions, the class of service configuration might not take effect on an IQ2 PIC. [PR/541814: This issue has been resolved.]

• When the rate-limit option is configured on a physical interface on IQ2 PICs, the show interface queue command might not display the RL-dropped counters. [PR/547218: This issue has been resolved.]

• The egress rate limit over a logical interface may drop large packets. [PR/547506: This issue has been resolved.]

• In Junos OS Release 10.2 and later, the cosd process might crash while a configured commit is processed, as this process accesses a memory location that has already been freed. However, this issue is encountered rarely. [PR/548367: This issue has been resolved.]

Forwarding and Sampling

• Port mirroring does not work under the bridge-domain forwarding-option filter. [PR/529272: This issue has been resolved.]

• The policer counter might be missing in the SNMP walk. Reboot the router to solve this problem. [PR/535715: This issue has been resolved.]

• When logical systems are configured, the show bridge-domains command might time out and return the following error message: “error: timeout communicating with l2-learning daemon.” [PR/536604: This issue has been resolved.]

• A scheduler is associated with a forwarding class, and when a forwarding class is mapped to a different queue, the associated scheduler is not applied to the new queue. [PR/540568: This issue has been resolved.]

• In Junos OS Release 10.2, the Routing Engine-based sampling might not work if the routing table inet.0 has a route for 128.0.0.1. The issue occurs when this route points to an external interface. [PR/540891: This issue has been resolved.]

• A GRE interface might experience an incoming packet loss if a firewall filter is configured on the forwarding table. [PR/541901: This issue has been resolved.]

High Availability

• On M120 routers, the message "stream blocked detected message" is displayed when an FEB is switched from the backup to the primary. [PR/540644: This issue has been resolved.]

Interfaces and Chassis

• The output of the monitor interface interface-name command is misaligned. [PR/70077: This issue has been resolved.]

• An OAM trace displays an incorrect next-hop MAC value. [PR/494588: This issue has been resolved.]

• When traffic flows into the MPC on which a bridge-domain configuration is being changed or the card is booting up, the forwarding software tries to access uninitialized memory for a short duration. This is a cosmetic issue and does not have any functional impact. [PR/506344: This issue has been resolved.]

• On M7i routers with Junos OS Release 8.5 or later, the output of the show interfaces fxp0 command shows the fxp0 interface to be in the link up state even when the interface is disabled with no cables connected. [PR/508261: This issue has been resolved.]

• When the VRRP6 master changes, there is no log output for VRRP IPv6. [PR/514821: This issue has been resolved.]

• When the PIC is configured with encapsulation atm-ccc-cell-relay pseudowires and the PIC throughput exceeds 152 Mbps, data loss occurs and the following error message is displayed: “[Warning] ce_wp_poll_hspi_stats:2006: PF/Winpath SPI interface error, rx_err_sm 243.” This error message is not seen when encapsulation atm-ccc-vc-mux is used. As a workaround, use the atm-ccc-vc-mux encapsulation (AAL5 ATM pseudowire), or use atm-ccc-cell-relay and configure a larger cell bundle size. With a cell bundle size of 5, the PIC passes 190 Mbps without error. [PR/515632: This issue has been resolved.]

• When a SIB is taken offline via a CLI command, the output of the show chassis sibs command does not display the message “Offlined by cli command.” However, this message is correctly displayed for the FPCs. [PR/519842: This issue has been resolved.]

• Retrieving statistics for LSQ interfaces fails in a scaled LSQ configuration when the show interfaces queue lsq-w/x/y:z command is executed. [PR/523260: This issue has been resolved.]

• When MLPPP interfaces of an MS-PIC are taken offline, the following syslog message displays: “RT: itable unset idx 372 to proto MLPPP iftable failed (Invalid arguments) on FE -1.” [PR/528649: This issue has been resolved.]

• In Junos OS Release 10.0 and later, a large number of the following messages appear on MX960 and SRX5800 routers:

MX960 /kernel: PCF8584(WR): transmit failure on byte 1
MX960 /kernel: PCF8584(WR): (i2c_s1=0x80, group=0xe, device=0x54)
MX960 /kernel: PCF8584(WR): busy at start, attempting to clear
MX960 /kernel: PCF8584(WR): (i2c_s1=0x00, group=0xe, device=0x54)
MX960 /kernel: PCF8584(RD): ack failure on 2nd last byte

These messages are not an indication of a fan failure. They are cosmetic and can be ignored. [PR/531253: This issue has been resolved.]

• On Trio MPCs, multiple changes to a single term in quick succession results in an incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash. [PR/532791: This issue has been resolved.]

• An XE circuit on the MPC-3D-16XGE-SFPP might cause a high CPU utilization on the MPC. [PR/535057: This issue has been resolved.]

• On MX960 routers, the link status stays in the "Link ok" state when the SCB is removed without taking it offline using the CLI or switch. [PR/536860: This issue has been resolved.]

• The SCB displays an incorrect state when it is removed without taking it offline using the CLI or buttons. This is not a cosmetic error and might impact the traffic. [PR/536866: This issue has been resolved.]

• The "frame-relay-ether-type" encapsulation is not programmed to the hardware properly. Because of this, the incoming packet parsing fails and the packets are discarded. [PR/539484: This issue has been resolved.]

• On MX Series routers with 10.x Power Budget, after a “Power Budget: Chassis experiencing power shortage” alarm occurs, the alarm does not clear even after the power budget problem is cleared. [PR/540522: This issue has been resolved.]

• The MX-MPC1-3D-Q accepts VLAN tagged packets even when the interface is not configured with VLAN tagging. [PR/540620: This issue has been resolved.]

• The link-up time on a 16-port 10-Gigabit Ethernet MPC is longer than on other platforms (ADPC and other MPCs) because of the electronic dispersion compensation (EDC) function of the PHY device on the MPC. This adds a delay of 50 ms to 150 ms and cannot be changed. [PR/540694: This issue has been resolved.]

• The sonet-options raise-rdi-on-rei and trigger options do not work well together. Turning the raise-rdi-on-rei option on and off again requires the trigger option to flap in order to assert or clear the RDI-L alarm. As a workaround, when both sonet-options raise-rdi-on-rei and trigger options are configured, flap the sonet-options trigger as well. [PR/540745: This issue has been resolved.]

• With Junos OS Release 10.2 and later, when a logical interface on an ATM-II IQ PIC is disabled, the FPC is taken offline and brought back online, and the PIC is reenabled, the logical interface stays down with atm_maker_check_indq error messages. [PR/541688: This issue has been resolved.]

• When a Gigabit Ethernet or an XE interface on IQ2 PICs is disabled, and the link status is up, the traffic received from the interface might still be forwarded. [PR/543388: This issue has been resolved.]

• When neither the per-unit scheduler nor the hierarchical-scheduler is configured on a physical interface and the physical interface has the overhead-accounting bytes configured, it does not take effect. [PR/544608: This issue has been resolved.]

• When logical interfaces are created, the NPC crashes and the FPC goes down. [PR/545314: This issue has been resolved.]

• Chassisd crashes when the show chassis clocks command is executed. [PR/545510: This issue has been resolved.]

• When configuration changes are made that are unrelated to the interfaces, interface sets, or PICs, a commit failure occurs with the following error message: "error: iflset xxxx configured for nonexisting ifd ge-x/x/x." [PR/546184: This issue has been resolved.]

• On a 10-Gigabit Ethernet PIC, a log is generated when the SFP is plugged in. However, no log is generated when the SFP is not plugged in. [PR/548251: This issue has been resolved.]

• A CFM ping command fails when the maintenance domain or maintenance association is longer than 32 characters. [PR/550014: This issue has been resolved.]

• If a bridge domain contains more than one aggregated Ethernet interface and the IRB interface experiences the right sequence of MAC moves, the FPC might restart. [PR/550824: This issue has been resolved.]

• On a 10-port oversubscribed 10-Gigabit Ethernet PIC for T Series routers (PD-5-10XGE-SFPP), the reactions configured under the [optics-options] stanza do not take effect for "low-light" conditions. [PR/550851: This issue has been resolved.]

• If the number of VPLS connections exceeds 31, frequent FPC and NPC crashes might occur. [PR/552099]

• The EOA family configurations over a container ATM interface might be deleted and added again upon every commit (including unrelated commits). [PR/553077: This issue has been resolved.]

• When a remote PE's address is configured on a local loopback interface, the MVPN PIM neighborship to that PE in a different VRF might be affected. [PR/558584]

• On MX960 routers with PWR-MX960-4100-AC PEMs (high capacity AC PEMs), the MPCs and DPCs do not power up when the system boots with only HC-AC PEM2,PEM3 being switched on, and PEM0,PEM1 being present but switched off. [PR/562125]

Layer 2 Ethernet Services

• On MX Series routers, when both the top and bottom fan trays are enhanced and a mastership switch is performed, the alarm "craftd[1337]: Minor alarm set, Mix of FAN-TRAYS" displays. This only occurs after a switchover or an upgrade. This alarm is temporary, is cleared within a few seconds, and does not cause any routing or forwarding issues on the chassis. [PR/541617: This issue has been resolved.]

• The AE interface does not show the system identifier for the attached interfaces in actor role. Because of this, the AE interface gets stuck in the detached state after it is rebooted from both ends. Additionally, the AE interface flaps when the backup Routing Engine is rebooted and a graceful Routing Engine switchover (GRES) is performed. [PR/547739: This issue has been resolved.]

• The DHCP relay bindings remain in a release state with a negative lease time. [PR/549520: This issue has been resolved.]

• The L2CPD might have a memory leak when LLDP is enabled. [PR/549531: This issue has been resolved.]

MPLS Applications

• With BFD enabled over IGP and an RSVP session built across it, when the RSVP peer does not support RSVP Hello (or is disabled), the BFD session down event triggers only the IGP neighbor to go down. The RSVP session remains up until a session timeout occurs. [PR/302921: This issue has been resolved.]

• The rlist entry corresponding to the previously existing rlist is not removed, which causes the routing protocol process to crash. [PR/513160: This issue has been resolved.]

• When a protected link flaps, certain RSVP routes do not lose association with the p2mp_nh. [PR/530750: This issue has been resolved.]

• Under NGEN-MVPN with vrf-table-label configured on the provider edge, the provider router connecting to that provider edge might keep an old P2MP MPLS label entry upon label-switched path optimization or reroute. There is no workaround. [PR/538144: This issue has been resolved.]

• An LSP with auto-bw might stay down for approximately 30 minutes after a Routing Engine switchover or a Routing Engine restart when graceful restart fails. As a workaround, disable and reenable the MPLS or OSPF stanza. [PR/539524: This issue has been resolved.]

• When RSVP path-mtu allow-fragmentation is configured, traffic redirection away from its intended destination might occur. [PR/544365: This issue has been resolved.]

• On a P2MP LSP setup, the routing protocol process of the transit router might core when the topology changes with respect to the ingress sub-LSP router. There is no workaround. [PR/549778: This issue has been resolved.]

• In Junos OS Release 10.2, when the clear mpls lsp autobandwidth command is executed at the ingress router, the updated Maximum AvgBW Utilization field displays a value that is much higher than the actual bandwidth. [PR/550289: This issue has been resolved.]

• On MX80 routers, the MPLS LSP statistics do not record the transit traffic on a single-hop LSP with an implicit NULL label. [PR/551124: This issue has been resolved.]

• When a large number of P2MP LSPs exist during periods of high network instability with many links flapping, and MBB re-routing of a P2MP LSP occurs, an MPLS route can become stale. This can cause a routing protocol process assertion failure on a transit router. [PR/555219: This issue has been resolved.]

Network Management

• The SNMP process might restart when a core dump is generated. [PR/517230: This issue has been resolved.]

• In Junos OS Release 10.2 and later, the size of the MIB2D process might increase as a result of memory leaks. This causes the MIB2D process to crash as it reaches its maximum permitted size. [PR/546872: This issue has been resolved.]

• In Junos OS Release 9.2 and later, a memory leak occurs in the subagent in a scenario where the snmpd process is not running, or there are issues in communication with a subagent and traps are being generated by the subagent. [PR/547003: This issue has been resolved.]

• When the firewall filter policer configuration is changed, the SNMP MIBs might not update correctly. As a result, the counters are inaccessible. [PR/555719: This issue has been resolved.]

Platform and Infrastructure

• Redirect drops that are not real errors are counted in the "Iwo HDRF" error statistics reported in the output of the show pfe statistics errors command on I-chip based routers. Because redirect drops are expected in a VPLS (and Ethernet in general) environment, this behavior can be misleading. [PR/430344: This issue has been resolved.]

• After an 8216 Routing Engine upgrade to Junos OS Release 9.6 with "chassis" deactivated, the backup Routing Engine starts to reboot with the panic message "panic: filter_idx_alloc: invalid filter index," and crashes when the chassis configuration is enabled and committed. After the Routing Engine finally comes online, the CLI response is slow and the Routing Engine reboots again after approximately three minutes. To stop these reboots, deactivate the chassis on the backup Routing Engine. [PR/489029: This issue has been resolved.]

• On T Series routers, the FPC might continuously reboot upon installation. [PR/510414: This issue has been resolved.]

• When the system default-router a.b.c.d command is used, the default route is not installed in the Packet Forwarding Engine. [PR/523663: This issue has been resolved.]

• In an MPLS environment, the source NAT or PAT for traffic between two remote VPNs does not work when the vrf-table-label option is removed from the VRF where the inside-service interfaces are located. [PR/524294: This issue has been resolved.]

• When VPLS is configured on the router, the following log messages will appear when the interface goes down:

RT-HAL,rt_entry_delete_msg_proc,XXX: route add posthandler failed
RT-HAL,rt_msg_handler,XXX: route process failed

These messages can be ignored. [PR/524548: This issue has been resolved.]

• After the MS-PIC’s homing PE interfaces used for MVPN are taken offline and brought back online, the following message may be logged: “flip-re0 fpc3 SLCHIP(0): %PFE-3: Channel 8189 (iif=701) on stream 32 already exists.” [PR/527813: This issue has been resolved.]

• The Packet Forwarding Engine incorrectly imposes a rate limit function for the host-bound virtual LAN tagged packets with IEEE 802.1p value of 1. There is no workaround. [PR/529862: This issue has been resolved.]

• A router might send raw IPv6 host-generated packets over the Ethernet towards its BGP IPv6 peers. [PR/536336: This issue has been resolved.]

• BGP authentication does not work with the 64-bit Junos OS BGP route reflector on a JCS platform. BGP sessions fail to establish, and the following error message is observed: "... /kernel: tck_auth_ok Packet from XXX.XXX.XXX.XXX:XXXXX wrong MD5 digest." [PR/538076: This issue has been resolved.]

• On M10i routers, an upgrade to Junos OS Release 10.2 fails and aborts when the PIC combinations are verified. As a workaround, first verify the PIC combinations manually against PSN-2010-06-777, then use the force option to override the warnings and force the upgrade. [PR/540468: This issue has been resolved.]

• In Junos OS Release 10.3, the following messages may be seen in the syslog: “/kernel: sysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of paramsysctl_nd6_mmaxtries: 3, max solicit testing setting of param /kernel: sysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of paramsysctl_nd6_prune: 1, retrans timer testing setting of param.” These messages are cosmetic. [PR/540808: This issue has been resolved.]

• During SNMP queries in Junos OS Release 10.2 and later, the size of the MIB2D process might increase as a result of memory leaks in a statistics-associated library routine (libstats). This causes the MIB2D process to crash as it reaches its maximum permitted size. [PR/541251: This issue has been resolved.]

• During router bootup, the error messages: "can't re-use a leaf (nd6_prune)!" and "can't re-use a leaf (nd6_mmaxtries)!" display. [PR/543422: This issue has been resolved.]

• The backup Routing Engine might cause the kernel to crash when a configuration change occurs on the AE bundle during a next-hop index allocation. [PR/544092: This issue has been resolved.]

• On TX Matrix routers with T640-FPC3 FPCs and a large number of routes, when an AE interface in an ECMP path is taken down, small packet drops might occur in the traffic on the other ECMP link. This issue does not occur when an indirect next hop is used. [PR/545166: This issue has been resolved.]

• In Junos OS Release 10.0 and later, the FPCs in M320 and T Series routers might crash when the error “PFE: Detected error next-hop” (corrupted next-hop) is encountered. [PR/546606: This issue has been resolved.]

• On M120 routers, multicast packet drops occur when both the Fast Ethernet and the SFP Gigabit Ethernet PICs are located on the same Packet Forwarding Engine. [PR/546835: This issue has been resolved.]

• In Junos OS Release 9.3 and later, when routers using Enhanced FPCs (T640-FPCx-ES or T1600-FPC4-ES FPCs) have a configuration involving CBF LSPs and aggregate interfaces, a jtree corruption might occur when a flap from a member link in the aggregate occurs on the remote end, or the FPC of the remote router is rebooted. To avoid this issue, use the indirect-next-hop option (routing-options forwarding-table indirect-next-hop). The error message “PFE: Detected error nexthop:" indicates a jtree corruption. [PR/548436: This issue has been resolved.]

• In a multicast VPN scenario, if the default-vpn-source is configured under protocol PIM, then the FPC holding is configured, the MS-PIC might core when it is taken offline. [PR/550061: This issue has been resolved.]

• A kernel core is generated when a logical interface that is a member of an AE bundle is activated and deactivated. [PR/553392: This issue has been resolved.]
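Several of the entries above (PR/531253, PR/524548, PR/540808, PR/543422 and PR/541617) quote syslog messages that the notes classify as cosmetic, while others (PR/548436, PR/515632, PR/538076) quote messages that accompany real damage: jtree corruption, data loss on a PIC, or a BGP TCP MD5 mismatch. An operator shipping Junos syslog into a SIEM wants that verdict encoded as suppression and alert rules rather than remembered. The following Python triage routine is an added example written for this page, not Juniper code; the regular expressions are taken from the messages quoted in the notes, the timestamps, hostnames and the UI_COMMIT control line in the sample log are constructed, and the PR-to-verdict mapping is valid for the releases these notes cover, which is why each rule carries its PR number.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not Juniper code). Each pattern is lifted from a message quoted in
# these release notes; the verdict is the one the note for that PR gives. Keep the PR
# with each rule: a message that is cosmetic in 10.4 may not stay cosmetic later.
COSMETIC_PATTERNS = {
    "PR/531253": re.compile(r"PCF8584\((WR|RD)\):"),                    # not a fan failure
    "PR/524548": re.compile(r"RT-HAL,rt_(entry_delete_msg_proc|msg_handler),"),
    "PR/540808": re.compile(r"sysctl_nd6_(mmaxtries|prune):"),
    "PR/543422": re.compile(r"can't re-use a leaf \(nd6_(prune|mmaxtries)\)!"),
    "PR/541617": re.compile(r"Minor alarm set, Mix of FAN-TRAYS"),      # clears in seconds
}

# Messages the notes tie to real damage. The MD5 one was a software bug in PR/538076,
# but outside that bug a wrong MD5 digest means a key mismatch or an unauthenticated
# peer knocking on TCP/179, so it stays actionable rather than being silenced.
ACTIONABLE_PATTERNS = {
    "PR/548436": re.compile(r"PFE: Detected error next-?hop"),          # jtree corruption
    "PR/515632": re.compile(r"ce_wp_poll_hspi_stats:\d+: PF/Winpath SPI interface error"),
    "PR/538076": re.compile(r"tck_auth_ok Packet from \S+ wrong MD5 digest"),
}


def triage(line: str) -> Tuple[str, Optional[str]]:
    """Classify one syslog line as 'actionable', 'cosmetic' or 'unknown'.

    Actionable rules are checked first so a line can never be suppressed by a
    cosmetic rule that happens to overlap it.
    """
    for pr, pattern in ACTIONABLE_PATTERNS.items():
        if pattern.search(line):
            return "actionable", pr
    for pr, pattern in COSMETIC_PATTERNS.items():
        if pattern.search(line):
            return "cosmetic", pr
    return "unknown", None


def summarize(log: str) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Bucket every non-empty line of a syslog extract by verdict, keeping the PR."""
    buckets: Dict[str, List[Tuple[str, Optional[str]]]] = {
        "actionable": [], "cosmetic": [], "unknown": []}
    for line in log.splitlines():
        if not line.strip():
            continue
        verdict, pr = triage(line)
        buckets[verdict].append((line, pr))
    return buckets


# Constructed sample: timestamps and hostnames are made up; the message bodies are the
# ones quoted in the release notes, plus one ordinary commit message as a control.
SAMPLE_LOG = """\
Feb 11 10:00:01 MX960 /kernel: PCF8584(WR): transmit failure on byte 1
Feb 11 10:00:01 MX960 /kernel: PCF8584(RD): ack failure on 2nd last byte
Feb 11 10:00:05 MX960 fpc3 RT-HAL,rt_entry_delete_msg_proc,XXX: route add posthandler failed
Feb 11 10:00:09 MX960 /kernel: can't re-use a leaf (nd6_prune)!
Feb 11 10:00:12 MX960 craftd[1337]: Minor alarm set, Mix of FAN-TRAYS
Feb 11 10:01:00 T1600 fpc1 PFE: Detected error nexthop:
Feb 11 10:02:00 RR1 /kernel: tck_auth_ok Packet from 192.0.2.10:49152 wrong MD5 digest
Feb 11 10:03:00 MX960 mgd[4242]: UI_COMMIT: User 'noc' requested 'commit' operation
"""

if __name__ == "__main__":
    for verdict, entries in summarize(SAMPLE_LOG).items():
        print(f"{verdict}: {len(entries)}")
        for line, pr in entries:
            print(f"  [{pr or '-'}] {line}")
```

Unknown lines are deliberately left in their own bucket instead of being dropped: the point of the cosmetic list is to reduce noise on messages the vendor has explicitly vouched for, not to hide anything that merely looks unfamiliar.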

Routing Protocols

• The output of the show ospf statistics command does not display the hello packet statistics. [PR/427725: This issue has been resolved.]

• The mirror receive task variable may not be cleared when the routing protocol process is heavily scaled. Hence, the NSR replication for RIP status stays in the "InProgress" state indefinitely. [PR/516003: This issue has been resolved.]

• Under rare circumstances, multiple commits might crash both Routing Engines. The routing protocol process dumps core and restarts only on the master Routing Engine. This issue occurs when commits are executed within one minute. [PR/516479: This issue has been resolved.]

• Upon an NSR mastership switch or ISSU upgrade, the multicast resolve route for IPv4 224/4 or inet6 ff00::/8 might be missing within the forwarding-table. To recover from this condition, deactivate and activate the protocol pim stanza, or restart the routing protocol process. [PR/522605: This issue has been resolved.]

• In Junos OS Release 9.5 and later, BGP parses a community value that begins with "0" as octal. Earlier releases do not behave this way. [PR/530086: This issue has been resolved.]

• The overload bit in the IS-IS LSP MT-TLV might cause IS-IS to install a default route toward the advertiser of the overload bit, and the output of the show isis database extensive command displays an unknown TLV. [PR/533680: This issue has been resolved.]

• The routing protocol process might crash due to an invalid prefix-length value in one of the flow-spec routes. [PR/534757: This issue has been resolved.]

• If there is enough join state associated with a neighbor and that neighbor goes down and comes back up quickly, then that join state may be stranded in an unresolved state until the clear pim join command is issued. [PR/539962: This issue has been resolved.]

• On Type 2 Trio MPC, multiple changes to a single term in quick succession can cause an incorrect filter state in the Packet Forwarding Engine. This causes the MPC to crash. [PR/540674: This issue has been resolved.]

• The routing protocol process might crash when a BGP connection attempt meets with an RST from the peer. This is due to an unlikely race condition. [PR/540895: This issue has been resolved.]

• Under certain timing conditions, an interior gateway protocol topology change can result in the BGP routes referencing an incorrect egress interface. This problem can occur when active and inactive BGP routes are learned from the same peer and the inactive BGP routes are deleted at the time of the topology change. [PR/543911: This issue has been resolved.]

• In instances with scaled LACP configurations, the periodic packet management process (ppmd) might experience memory leaks. [PR/547484: This issue has been resolved.]

• When two identical local interface addresses are shared between two VRFs via auto-export, the routing protocol process might cause a high CPU utilization. [PR/547897: This issue has been resolved.]

• When the primary loopback address changes, the routing protocol process might crash when a new data MDT is created. [PR/549483: This issue has been resolved.]

• If a PIM join arrives when there is no route to the source, PIM RPF checking is disabled, and a matching multicast route is present, the output interfaces associated with the PIM join are not added to the multicast route. [PR/550703: This issue has been resolved.]

• The IPv6 entries are removed from the output of the show pim interfaces command when the corresponding interface is in the down state. This is a cosmetic issue. [PR/550799: This issue has been resolved.]

• On MX80 routers, even when static routes are configured, the management port does not forward traffic to the user ports. [PR/552952: This issue has been resolved.]

• When an interface-based IPv6 BGP session with a 2-byte AS format is used, the system might crash. [PR/553772: This issue has been resolved.]

• An IS-IS adjacency flap at a precise interval can cause the routing protocol process to restart on a neighbor, as it is in the process of purging the LSAs of the previously down node from the local database. [PR/554233: This issue has been resolved.]


Services Applications

• In Junos OS Release 10.0 and later, the routing instance name is restricted to 63 characters. [PR/533882: This issue has been resolved.]

• The BGP_IPV4_NEXT_HOP field on the jflow v9 record matches the originator ID instead of the BGP next hop. [PR/534598: This issue has been resolved.]

• When traffic is forwarded in an L2TP session and a teardown request is received, the ASPIC crashes with a memory access violation in mlppp_output. [PR/537225: This issue has been resolved.]

• On M Series routers configured for L2TP tunneling with several thousand PPP connections, when all the PPP sessions expire at the same time, the Multiservices PIC might hang and become unusable. To recover the service, restart the PIC. [PR/541793: This issue has been resolved.]

• On Multiservices 500 PICs with graceful Routing Engine switchover (GRES), wrong record values are seen for the IPv4 netflow export packets. This error occurs when the route records are not installed. [PR/545422: This issue has been resolved.]

• The IPv6 and MPLS route counts are not reflected in the output of the show service accounting status command. [PR/550793: This issue has been resolved.]

User Interface and Configuration

• In a router configured with a large number of interfaces, when a few interfaces are constantly added and deleted, a minor memory leak may be observed in the "pfed" process. [PR/522346: This issue has been resolved.]

• While a configuration with a long as-path is displayed in XML format using the show configuration | display xml | no-more command, the closing tag for the as-path is wrongly displayed as . [PR/525772: This issue has been resolved.]

• The xnm service currently does not support logging of remote-host addresses in system accounting. [PR/535534: This issue has been resolved.]

• It is possible to log in to J-Web from a web browser with a cipher strength of 40 or 56 bits. This could create a security issue. As a workaround, use a web browser that supports 128-bit cipher strength. [PR/539477: This issue has been resolved.]

• The system continues to use the TACACS server configuration even after it is removed. As a workaround, deactivate and reactivate the accounting configuration. [PR/544770: This issue has been resolved.]

• When the load set command is used to refresh a script file, the script does not refresh, and exits from the CLI after displaying the rpc-related errors. [PR/555316: This issue has been resolved.]


VPNs

• When two MVPN routing instances and at least one L2VPN routing instance are configured, the commit fails with the following message: “RPD_RT_DUPLICATE_RD: routing-instance xxx has duplicate route-distinguisher." As a workaround, configure the route-distinguisher-id for each instance manually. [PR/511514: This issue has been resolved.]

• If a VPN routing and forwarding (VRF) instance contains a static route that is resolved via a route that is auto-exported from another routing instance, the static route may not be removed when the physical interface goes down. [PR/531540: This issue has been resolved.]

• When a CE-facing interface in a VPLS instance is deactivated, the routing protocol process may get into a loop leading to a high CPU utilization. [PR/531987: This issue has been resolved.]

• Under certain circumstances, the container interfaces might not send the proper martini modes to the routing protocol process. This results in incorrect control-word-related information sent to the Packet Forwarding Engine. [PR/541998: This issue has been resolved.]

• In a Live/Standby MVPN extranet setup, with the primary provider on PE1, the backup provider on PE2, and a receiver on PE3 and receivers also on PE1 and PE2, traffic drops occur for 25 seconds after every 35 seconds. [PR/542984: This issue has been resolved.]

Related Documentation

• New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 42

• Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers on page 77

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 83

Errata and Changes in Documentation for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

Changes to the Junos OS Documentation Set

The following are the changes made to the Junos OS documentation set:

• The new index pages launched for Junos OS technical documentation present documentation links in categories and include brief descriptions of the content of each link. Related links to platform documentation pages are included in the right-hand navigation. The new pages contain all of the content on previous versions of the pages, only the formatting has changed.


Here are the URLs:

• Software documentation for Junos M, MX, and T Series: http://www.juniper.net/techpubs/en_US/junos10.4/information-products/pathway-pages/product/m-t-mx/10.4/index.html

• Hardware documentation for M Series Multiservice Edge Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/m-series/

• Hardware documentation for MX Series 3D Universal Edge Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/mx-series/

• Hardware documentation for T Series Core Routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/t-series/

• Hardware documentation for the JCS 1200 platform: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/jcs/

• The term “Multiplay” has been replaced with “Session Border Control” in the Junos OS Release Notes.

• The Integrated Multi-Service Gateway (IMSG) pathway page now includes three complete configuration examples:

• IMSG—Basic Configuration

• IMSG—Dual BGFs

• IMSG—Server Clusters

The configuration examples are applicable to Junos OS Release 10.2 and later.

• The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions supported on Juniper Networks routers, including configuring bridge domains, MAC addresses and VLAN learning and forwarding, and spanning-tree protocols. It also details the routing instance types used by Layer 2 applications. This material was formerly covered in the Junos OS MX Series Ethernet Services Routers Layer 2 Configuration Guide.

• Documentation for the extended DHCP relay agent feature is no longer included in the Policy Framework Configuration Guide. For DHCP relay agent documentation, see the Subscriber Access Configuration Guide or the documentation for subscriber access management.

• In Junos OS Release 10.3R1 and later, PDF files are not available for individual HTML pages in the Junos OS documentation set. PDF files are available for the complete Junos OS Release 10.3 configuration guides at http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the complete hardware guides are accessible at the following URLs:

• For M Series routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/m-series/

• For MX Series routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/mx-series/

• For T Series and TX Matrix routers: http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/t-series/

In addition, individual HTML pages have a Print link in the upper left corner of the text area on the page.

Errata

This section lists outstanding issues with the documentation.

High Availability

• TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix do not currently support nonstop active routing. [High Availability]

Interfaces and Chassis

• For the T320, T640, and T1600 routers, external clock synchronization is not supported on clock generators (SCG) with DB-9 external clock interfaces.

[System Basics, Hardware Guides]

• The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces Configuration Guide states the following:

• For Layer 2 circuit cell relay and Layer 2 trunk modes, include the atm-l2circuit-mode cell statement at the [edit chassis fpc slot pic slot] hierarchy level and the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name] hierarchy level.

This configuration is correct and interoperates with routers running all versions of Junos OS.

However, the chapter does not mention that you can also include the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. When you include the statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level, keep the following points in mind:


• This configuration interoperates only between Juniper Networks routers running Junos OS Release 8.2 or earlier.

• This configuration does not interoperate with other network equipment, including a Juniper Networks router running Junos OS Release 8.3 or later, unless it is also configured with the same use-null-cw statement.

• For a Juniper Networks router running Junos OS Release 8.3 or later to interoperate with another Juniper Networks router running Junos OS Release 8.2 or earlier, on the router running Junos OS Release 8.3 or later, include the use-null-cw statement at the [edit interfaces interface-name atm-options] hierarchy level.

• The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic) an extra null control word in the MPLS packet.

• The use-null-cw statement is not supported on a router running Junos OS Release 8.2 or earlier.

[Network Interfaces]

• With Junos OS Release 10.1 and later, you need not include the tunnel option or the clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel.

[Services Interfaces]

J-Web Interface

• To access the J-Web interface, your management device requires the following software:

• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0

• Language support—English-version browsers

• Supported OS—XP Service Pack 3

MX Series 3D Universal Edge Routers

• Some features marked as supported on MX Series 3D Universal Edge Routers are not currently supported on MX80 routers. For a complete list of available features on MX80 routers please contact your sales engineer or the Juniper Technical Assistance Center.

• The MX Series 3D Universal Edge Routers are sometimes referred to as MX Series Ethernet Services Routers. Both names refer to the same MX Series routers. This will be standardized to MX Series 3D Universal Edge Routers in the documentation in later releases.


Services Applications

• The rate statement for packet sampling is now configured at the following hierarchy level: [edit forwarding options sampling input family family].

[Services Interfaces]

Subscriber Access Management

The Subscriber Access Configuration Guide contains the following errors:

• The Configuring a Dynamic Profile for Client Access topic erroneously uses the $junos-underlying-interface variable when an IGMP interface is configured in the client access dynamic profile. The following example provides the appropriate use of the $junos-interface-name variable:

[edit dynamic-profiles access-profile] user@host# set protocols igmp interface $junos-interface-name

• Table 25 in the Dynamic Variables Overview topic neglects to define the $junos-igmp-version predefined dynamic variable. This variable is defined as follows:

$junos-igmp-version—IGMP version configured in a client access profile. The Junos OS obtains this information from the RADIUS server when a subscriber accesses the router. The version is applied to the accessing subscriber when the profile is instantiated. You specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy level for the interface statement.

In addition, the Subscriber Access Configuration Guide erroneously specifies the use of a colon (:) when you configure the dynamic profile to define the IGMP version for client interfaces. The following example provides the appropriate syntax for setting the IGMP interface to obtain the IGMP version from RADIUS:

[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name] user@host# set version $junos-igmp-version

• The Subscriber Access Configuration Guide and the System Basics Configuration Guide contain information about the override-nas-information statement. This statement does not appear in the CLI and is not supported.

[Subscriber Access, System Basics]

• When you modify dynamic CoS parameters with a RADIUS change of authorization (CoA) message, the Junos OS accepts invalid configurations. For example, if you specify a transmit rate that exceeds the allowed 100 percent, the system does not reject the configuration and returns unexpected shaping behavior.

[Subscriber Access]

• We do not support multicast RIF mapping and ANCP configured simultaneously on the same logical interface. For example, we do not support a configuration in which a multicast VLAN and ANCP are configured on the same logical interface and the subscriber VLANs are the same for both ANCP and multicast.

[Subscriber Access]

• The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber Access Configuration Guide erroneously states that dynamic CoS is supported for dynamic VLANs on the Trio MPC/MIC family of products. In the current release, dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces.

[Subscriber Access]

• The Subscriber Access Configuration Guide incorrectly describes the authentication-order statement as it is used for subscriber access management. When configuring the authentication-order statement for subscriber access management, you must always specify the radius method. Subscriber access management does not support the password keyword (the default), and authentication fails when you do not specify an authentication method.

[Subscriber Access]

• In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by the AAA Service Framework topic and the Specifying an Address Pool in a Domain Map topic incorrectly indicate that VSA 26-2 (Local-Address-Pool) is supported. Subscriber management does not support this VSA.

[Subscriber Access]

• In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by the AAA Service Framework table and the RADIUS-Based Mirroring Attributes table incorrectly describe VSA 26-59. The correct description is as follows:

Attribute Number: 26-59

Attribute Name: Med-Dev-Handle

Description: Identifier that associates mirrored traffic to a specific subscriber.

[Subscriber Access]

User Interface and Configuration

• The show system statistics bridge command displays system statistics on MX Series routers. [System Basics Command Reference]

VPNs

• In Chapter 19, Configuring VPLS of the VPNs Configuration Guide, an incorrect statement that caused contradictory information about which platforms support LDP BGP interworking has been removed. The M7i router was also omitted from the list of supported platforms. The M7i router does support LDP BGP interworking.

[VPNs]

Related Documentation

• New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 42

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 83


Upgrade and Downgrade Instructions for Junos OS Release 10.4 for M Series, MX Series, and T Series Routers

This section discusses the following topics:

• Basic Procedure for Upgrading to Release 10.4 on page 83

• Upgrading a Router with Redundant Routing Engines on page 86

• Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1 on page 86

• Upgrading the Software for a Routing Matrix on page 88

• Upgrading Using ISSU on page 89

• Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR on page 89

• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 90

• Downgrade from Release 10.4 on page 91

Basic Procedure for Upgrading to Release 10.4

In order to upgrade to Junos OS 10.0 or later, you must be running Junos OS 9.0S2, 9.1S1, 9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the no-validate option on the request system software install command.
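The base-release rule above is easy to misjudge by eye, and the alternative it offers, no-validate, skips the check of the package against the running configuration. The following Python script is an added example, not Juniper code and not taken from these release notes: it parses Junos OS version strings and jinstall package names of the form used in this section and decides whether the running release qualifies for a direct upgrade with validate. The minimum releases are the ones stated above; the version-string grammar, the treatment of trains newer than 9.5, and the handling of release types other than the listed one for a train are assumptions made in the code.

```python
"""Decide whether a running Junos OS release is a supported base for a direct
upgrade to Release 10.x, and whether 'validate' or 'no-validate' applies.

Added example; not Juniper code and not part of these release notes. The
minimum base releases (9.0S2, 9.1S1, 9.2R4, 9.3R3, 9.4R3, 9.5R1) come from
the notes. The version-string grammar, the treatment of trains newer than
9.5 and of release types other than the listed one are assumptions."""
import re
from typing import NamedTuple, Tuple

# Assumed grammar: MAJOR.MINOR<TYPE><BUILD>[.SPIN], e.g. 10.4R2.6 or 9.0S2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Z])(\d+)(?:\.(\d+))?$")
# Package names as used in the notes: jinstall-<version>-<domestic|export>-signed.tgz
_JINSTALL_RE = re.compile(r"^jinstall-(\d+\.\d+[A-Z]\d+(?:\.\d+)?)-")


class JunosVersion(NamedTuple):
    major: int
    minor: int
    rel_type: str  # "R" = release, "S" = service release
    build: int
    spin: int


def parse_version(text: str) -> JunosVersion:
    """Parse a version string such as '9.2R4.5' into its numeric parts."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Junos OS version string: {text!r}")
    major, minor, rel_type, build, spin = m.groups()
    return JunosVersion(int(major), int(minor), rel_type, int(build), int(spin or 0))


def version_from_package(package_path: str) -> JunosVersion:
    """Extract the release from a jinstall package path or file name."""
    filename = package_path.rsplit("/", 1)[-1]
    m = _JINSTALL_RE.match(filename)
    if not m:
        raise ValueError(f"not a jinstall package name: {package_path!r}")
    return parse_version(m.group(1))


# Minimum release per train that may be upgraded directly (from the notes).
MINIMUM_BASE = {
    (9, 0): ("S", 2),
    (9, 1): ("S", 1),
    (9, 2): ("R", 4),
    (9, 3): ("R", 3),
    (9, 4): ("R", 3),
    (9, 5): ("R", 1),
}


def direct_upgrade_supported(running: JunosVersion) -> Tuple[bool, str]:
    """Return (supported, reason) for upgrading 'running' straight to 10.x."""
    train = (running.major, running.minor)
    label = f"{train[0]}.{train[1]}"
    if train in MINIMUM_BASE:
        min_type, min_build = MINIMUM_BASE[train]
        if running.rel_type != min_type:
            # Assumption: only the listed release type of that train is covered.
            return False, f"{label}{running.rel_type} is not the listed {label}{min_type} train"
        if running.build >= min_build:
            return True, f"at or above minimum {label}{min_type}{min_build}"
        return False, f"below minimum {label}{min_type}{min_build}"
    if train > (9, 5):
        # Assumption: "or later minor versions" covers every train after 9.5.
        return True, "train newer than 9.5"
    return False, "train older than 9.0 is not a supported base"


def install_command(running_text: str, package_path: str) -> Tuple[str, str]:
    """Assemble the 'request system software add' line from the notes for the
    given running release and package, and report why the option was chosen."""
    running = parse_version(running_text)
    target = version_from_package(package_path)
    if target.major < 10:
        raise ValueError("this check covers upgrades to Release 10.x only")
    supported, reason = direct_upgrade_supported(running)
    option = "validate" if supported else "no-validate"
    return f"request system software add {option} reboot {package_path}", reason


if __name__ == "__main__":
    # Constructed inputs: a running release and a package path of the documented form.
    for running in ("9.2R3.4", "9.5R1.6", "10.1R1.8"):
        cmd, why = install_command(running, "/var/tmp/jinstall-10.4R2.6-export-signed.tgz")
        print(f"{running}: {cmd}  ({why})")
```

Run it with the release reported by show version and the path of the downloaded jinstall package; a no-validate result means the notes require an intermediate upgrade to one of the listed base releases if you want the package validated against the configuration before the reboot.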

When upgrading or downgrading the Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Junos OS Installation and Upgrade Guide.

NOTE: With Junos OS Release 9.0 and later, the compact flash disk memory requirement for Junos OS is 1 GB. For M7i and M10i routers with only 256 MB memory, see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001 at https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001&actionBtn=Search.


NOTE: Before upgrading, back up the file system and the currently active Junos configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command:

user@host> request system snapshot

The installation process rebuilds the file system and completely reinstalls the Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files) might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS System Basics Configuration Guide.


The download and installation process for Junos OS Release 10.4 is the same as for previous Junos OS releases.

If you are not familiar with the download and installation process, follow these steps:

1. Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. Choose either Canada and U.S. Version or Worldwide Version:

• https://www.juniper.net/support/csc/swdist-domestic/ (customers in the United States and Canada)

• https://www.juniper.net/support/csc/swdist-ww/ (all other customers)

2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.

3. Download the software to a local host.

4. Copy the software to the routing platform or to your internal software distribution site.

5. Install the new jinstall package on the routing platform.

NOTE: We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process.

Customers in the United States and Canada use the following command:

user@host> request system software add validate reboot source/jinstall-10.4R2.6-domestic-signed.tgz

All other customers use the following command:

user@host> request system software add validate reboot source/jinstall-10.4R2.6-export-signed.tgz

Replace source with one of the following values:

• /pathname—For a software package that is installed from a local directory on the router.

• For software packages that are downloaded and installed from a remote location:

• ftp://hostname/pathname

• http://hostname/pathname

• scp://hostname/pathname (available only for Canada and U.S. version)

The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release.


Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes.

Rebooting occurs only if the upgrade is successful.

NOTE: After you install a Junos OS Release 10.4 jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software.

NOTE: Before you upgrade a router that you are using for voice traffic, you should monitor call traffic on each virtual BGF. Confirm that no emergency calls are active. When you have determined that no emergency calls are active, you can wait for nonemergency call traffic to drain as a result of graceful shutdown, or you can force a shutdown. For detailed information on how to monitor call traffic before upgrading, see the Junos OS Multiplay Solutions Guide.

Upgrading a Router with Redundant Routing Engines

If the router has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to avoid disrupting network operation as follows:

1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine and save the configuration change to both Routing Engines.

2. Install the new Junos OS release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine.

3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software.

4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine.

For the detailed procedure, see the Junos OS Installation and Upgrade Guide.

Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1

In releases prior to Junos OS Release 10.1, the draft-rosen multicast VPN feature implements the unicast lo0.x address configured within that instance as the source address used to establish PIM neighbors and create the multicast tunnel. In this mode, the multicast VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages.


In Junos OS Release 10.1 and later, you can use the router’s main instance loopback (lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM state for the multicast VPN. We strongly recommend that you perform the following procedure when upgrading to Junos OS Release 10.1 if your draft-rosen multicast VPN network includes both Juniper Network routers and other vendors’ routers functioning as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout the upgrade process.

Because Junos OS Release 10.1 supports using the router’s main instance loopback (lo0.0) address, it is no longer necessary for the multicast VPN loopback address to match the main instance loopback address lo0.0 to maintain interoperability.

NOTE: You might want to maintain a multicast VPN instance lo0.x address to use for protocol peering (such as IBGP sessions), or as a stable router identifier, or to support the PIM bootstrap server function within the VPN instance.

Complete the following steps when upgrading routers in your draft-rosen multicast VPN network to Junos OS Release 10.1 if you want to configure the router’s main instance loopback address for draft-rosen multicast VPN:

1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the loopback address for draft-rosen Multicast VPN.

NOTE: Do not configure the new feature until all the M7i and M10i routers in the network have been upgraded to Junos OS Release 10.1.

2. After you have upgraded all routers, configure each router’s main instance loopback address as the source address for multicast interfaces. Include the default-vpn-source interface-name loopback-interface-name statement at the [edit protocols pim] hierarchy level.

3. After you have configured the router’s main loopback address on each PE router, delete the multicast VPN loopback address (lo0.x) from all routers.

We also recommend that you remove the multicast VPN loopback address from all PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure interoperability with other vendors’ routers in a draft-rosen multicast VPN network, you had to perform additional configuration. Remove that configuration from both the Juniper Networks routers and the other vendors’ routers. This configuration should be on Juniper Networks routers and on the other vendors’ routers where you configured the lo0.mvpn address in each VRF instance as the same address as the main loopback (lo0.0) address.

This configuration is not required when you upgrade to Junos OS Release 10.1 and use the main loopback address as the source address for multicast interfaces.


NOTE: To maintain a loopback address for a specific instance, configure a loopback address value that does not match the main instance address (lo0.0).

For more information about configuring the draft-rosen Multicast VPN feature, see the Junos OS Multicast Configuration Guide.

Upgrading the Software for a Routing Matrix

A routing matrix can use either a TX Matrix router as the switch-card chassis (SCC) or a TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade software for a TX Matrix router or a TX Matrix Plus router, the new image is loaded onto the TX Matrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or sfc option) and distributed to all T640 routers or T1600 routers in the routing matrix (specified in the Junos OS CLI by using the lcc option). To avoid network disruption during the upgrade, ensure the following conditions before beginning the upgrade process:

• A minimum of free disk space and DRAM on each Routing Engine. The software upgrade will fail on any Routing Engine without the required amount of free disk space and DRAM. To determine the amount of disk space currently available on all Routing Engines of the routing matrix, use the CLI show system storage command. To determine the amount of DRAM currently available on all the Routing Engines in the routing matrix, use the CLI show chassis routing-engine command.

• The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re0 or are all re1.

• The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and T640 routers or T1600 routers (LCC) are all re1 or are all re0.

• All master Routing Engines in all routers run the same version of software. This is necessary for the routing matrix to operate.

• All master and backup Routing Engines run the same version of software before beginning the upgrade procedure. Different versions of the Junos OS can have incompatible message formats especially if you turn on GRES. Because the steps in the process include changing mastership, running the same version of software is recommended.

• For a routing matrix with a TX Matrix router, the same Routing Engine model is used within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix. For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using two RE-1600s is supported. However, an SCC or an LCC with two different Routing Engine models is not supported. We suggest that all Routing Engines be the same model throughout all routers in the routing matrix. To determine the Routing Engine type, use the CLI show chassis hardware | match routing command.

• For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G Routing Engines.

NOTE: It is considered best practice to make sure that all master Routing Engines are re0 and all backup Routing Engines are re1 (or vice versa). For the purposes of this document, the master Routing Engine is re0 and the backup Routing Engine is re1.

To upgrade the software for a routing matrix, perform the following steps:

1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine (re0) and save the configuration change to both Routing Engines.

2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping the currently running software version on the master Routing Engine (re0).

3. Load the new Junos OS on the backup Routing Engine. After making sure that the new software version is running correctly on the backup Routing Engine (re1), switch mastership back to the original master Routing Engine (re0) to activate the new software.

4. Install the new software on the new backup Routing Engine (re0).

For the detailed procedure, see the Routing Matrix with a TX Matrix Feature Guide or the Routing Matrix with a TX Matrix Plus Feature Guide.

Upgrading Using ISSU

Unified in-service software upgrade (ISSU) enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic. Unified in-service software upgrade is only supported by dual Routing Engine platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. For additional information about using unified in-service software upgrade, see the Junos High Availability Configuration Guide.

Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR

Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the following PIM features are not currently supported with NSR. The commit operation fails if the configuration includes both NSR and one or more of these features:

• Anycast RP

• Draft-Rosen multicast VPNs (MVPNs)

• Local RP

• Next-generation MVPNs with PIM provider tunnels

• PIM join load balancing

Junos OS Release 9.3 introduced a new configuration statement that disables NSR for PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features, not only the incompatible ones.)

If neither NSR nor PIM is enabled on the router to be upgraded or if one of the unsupported PIM features is enabled but NSR is not enabled, no additional steps are necessary and you can use the standard upgrade procedure described in other sections of these instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use the standard reboot or ISSU procedures described in the other sections of these instructions.

Because the nonstop-routing disable statement was not available in Junos OS Release 9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to be upgraded from Junos OS Release 9.2 or earlier to a later release, you must disable PIM before the upgrade and reenable it after the router is running the upgraded Junos OS and you have entered the nonstop-routing disable statement. If your router is running Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR or PIM; simply use the standard reboot or ISSU procedures described in the other sections of these instructions.

To disable and reenable PIM:

1. On the router running Junos OS Release 9.2 or earlier, enter configuration mode and disable PIM:

[edit]
user@host# deactivate protocols pim
user@host# commit

2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate for the router type. You can either use the standard procedure with reboot or use ISSU.

3. After the router reboots and is running the upgraded Junos OS, enter configuration mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable PIM:

[edit]
user@host# set protocols pim nonstop-routing disable
user@host# activate protocols pim
user@host# commit

Upgrade Policy for Junos OS Extended End-Of-Life Releases

An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases.

For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.

For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged.

For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.
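The two rules above (EEOL-to-EEOL hops of at most two adjacent EEOL releases, otherwise at most three releases per step) together decide whether an upgrade or downgrade can be done in one jinstall step or needs an intermediate release. The planner below is an added illustration, not Juniper code: it encodes both rules and finds the path with the fewest installs. The ordered release list is constructed (only 9.3, 10.0 and 10.4 are named as EEOL on the page; 8.5 is treated as EEOL because the page lets it go directly to 9.3 or 10.0), and "three releases" is taken to mean three steps along that list.

```python
"""Plan a Junos OS upgrade/downgrade path under the EEOL policy described above.

Added illustration, not Juniper code. The release sequence and EEOL flags are
constructed for the example; the page names only 9.3, 10.0 and 10.4 as EEOL.
"""
from collections import deque

# Constructed release sequence; intermediate non-EEOL releases are assumed.
RELEASES = ["8.5", "9.0", "9.1", "9.2", "9.3", "9.4", "9.5", "9.6",
            "10.0", "10.1", "10.2", "10.3", "10.4"]
EEOL = {"8.5", "9.3", "10.0", "10.4"}

MAX_NON_EEOL_STEP = 3   # "no more than three releases at a time"
MAX_EEOL_STEP = 2       # "one of two adjacent later/earlier EEOL releases"


def direct_hop_allowed(src: str, dst: str) -> bool:
    """True if the policy permits a single jinstall step from src to dst."""
    if src == dst:
        return False
    i, j = RELEASES.index(src), RELEASES.index(dst)
    # General rule: at most three releases in either direction.
    if abs(i - j) <= MAX_NON_EEOL_STEP:
        return True
    # Expanded EEOL rule: two adjacent EEOL releases in either direction.
    if src in EEOL and dst in EEOL:
        eeol_order = [r for r in RELEASES if r in EEOL]
        return abs(eeol_order.index(src) - eeol_order.index(dst)) <= MAX_EEOL_STEP
    return False


def plan_path(src: str, dst: str) -> list:
    """Shortest list of releases (inclusive) from src to dst, or [] if none.

    Breadth-first search over the hop relation gives the fewest installs;
    among equal-length paths the earliest release in list order is chosen.
    """
    if src not in RELEASES or dst not in RELEASES:
        raise ValueError("unknown release")
    if src == dst:
        return [src]
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        for nxt in RELEASES:
            if nxt in seen or not direct_hop_allowed(path[-1], nxt):
                continue
            if nxt == dst:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return []


if __name__ == "__main__":
    for a, b in (("8.5", "10.0"), ("8.5", "10.4"), ("10.4", "8.5"), ("9.2", "10.4")):
        print(a, "->", b, ":", " -> ".join(plan_path(a, b)) or "no path")
```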

Downgrade from Release 10.4

To downgrade from Release 10.4 to another supported release, follow the procedure for upgrading, but replace the 10.4 jinstall package with one that corresponds to the appropriate release.

For more information, see the Junos OS Installation and Upgrade Guide.

Related Documentation

• New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 42

• Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 55

• Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers on page 77

Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers

Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust networking and security services. SRX Series Services Gateways range from lower-end devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms. The SRX Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, SRX650, SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and efficient IP routing, WAN and LAN connectivity, and management services for small to medium-sized enterprise networks. These routers also provide network security features, including a stateful firewall with access control policies and screens to protect against attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320, J2350, J4350, and J6350 devices.

• New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 92

• Advertising Bandwidth for Neighbors on a Broadcast Link Support on page 123

• Group VPN Interoperability with Cisco’s GET VPN on page 123

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 124

• Unsupported CLI on page 139

• Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 148

• Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 158

• Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 178

• Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 189

• Maximizing ALG Sessions on page 191

• Integrated Convergence Services Not Supported on page 192

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 192

New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

The following features have been added to Junos OS Release 10.4. Following the description is the title of the manual or manuals to consult for further information.

• Software Features on page 93

• Hardware Features—SRX210, SRX220, and SRX240 Services Gateways on page 115

• Hardware Features—SRX220 Services Gateway with Power Over Ethernet on page 116

• Hardware Features—SRX1400 Services Gateway on page 119

• Hardware Features—SRX3400 and SRX3600 Services Gateways on page 122

Software Features

Application Layer Gateways (ALGs)

• Rewrite rule for DSCP at VoIP ALGs—This feature is supported on all SRX Series and J Series devices.

Differentiated Services Code Point (DSCP) is a modification of the type-of-service byte for class of service (CoS). Six bits of this byte are reallocated for use as the DSCP field, where each DSCP specifies a particular per-hop behavior that is applied to a packet.

A rewrite rule modifies the appropriate CoS bits in an outgoing packet to meet the requirements of the targeted peer. Each rewrite rule reads the current CoS value that is configured at the voice over IP (VoIP) Application Layer Gateway (ALG) level. Every packet that hits the VoIP ALG is marked with this CoS value.

You can configure a rewrite rule for a DSCP Differentiated Services (DiffServ) marker at the VoIP ALG level to address VoIP signaling and its respective Real-Time Transport Protocol (RTP) streams. You can configure the rewrite rule such that all VoIP traffic hitting the ALG gets a rewrite marker while its respective RTP/Real-Time Control Protocol (RTP/RTCP) traffic gets a different rewrite marker.

[Junos OS CLI Reference, Junos OS Integrated Convergence Services Configuration and Administration Guide]

Chassis Cluster

• Increasing the number of zones and virtual routers—This feature is supported on SRX5600 and SRX5800 devices.

The maximum number of zones, virtual routers, and IFLs (IFLs only for chassis cluster mode) that can be configured on an SRX5800 device has been increased to 2000.

In a chassis cluster environment, as the number of logical interfaces is scaled upward, the time before triggering a failover needs to be increased accordingly. At maximum capacity on an SRX5600 or SRX5800 device, we recommend that you increase the configured time for failover detection to at least 5 seconds. [Junos OS CLI Reference]

Configuration Wizards

• This feature is supported on SRX100, SRX210, SRX240, and SRX650 devices.

The J-Web interface now has a set of wizards that simplify the basic configuration of the SRX Series devices. The Setup wizard automatically appears when you first start the device or when it is in factory default mode and you point to the Web management URL. Three other wizards in the J-Web interface enable you to configure basic firewall policies, basic IPsec VPN settings, and basic NAT settings.

Flow and Processing

• J-Flow V9 support—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.

J-Flow Services Export Version 9 (J-Flow V9) provides an extensible and flexible method for using templates to observe packets on a router. Each template indicates the format in which the device exports data.

In Junos OS Release 10.4, PIC-based J-Flow V9 is introduced along with J-Flow V5 and V8, which were disabled in Junos OS Release 9.4.

[Junos OS CLI User Guide, Junos OS Interfaces Configuration Guide for Security Devices]

• Packet capture—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Packet capture is a datapath-debugging feature that helps you create a filter for specific traffic and apply an action profile to that traffic. The action profile specifies a variety of actions at different processing units. One of the supported actions is packet dump, which sends the packet to the Routing Engine and stores it in proprietary form. You can view the packets by entering the show security datapath-debug capture command.

The performance of packet capture is improved and is comparable to the trace performance.

[Junos OS Security Configuration Guide]

• Screen logs—Screen log enhancement is supported on all SRX Series and J Series devices.

The new log format captures all required information in the screen log. This allows you to view all log information for a device instead of having to search through device-specific logs.

The new log structure is as follows:

<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP [[email protected] attack-name="SYN flood Src-IP based!" source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" action="alarm-without-drop"]

[Junos OS Security Configuration Guide]
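The screen log above is a structured syslog line: a PRI value, version, timestamp, hostname, application, process ID and message ID, followed by one bracketed structured-data element of key="value" pairs. The parser below is an added example, not Juniper code; the sample line is constructed from the fields shown on the page, and the SD-ID after the opening bracket is a labelled placeholder rather than the real Juniper identifier.

```python
"""Parse a Junos structured screen log line into its header and SD parameters.

Added example, not Juniper code. SAMPLE_LOG is constructed from the field
values shown on the page; "junos@SDID-PLACEHOLDER" stands in for the real SD-ID.
"""
import re
from dataclasses import dataclass, field

# Constructed sample; the SD-ID is a placeholder, the other values are the
# ones shown in the release note.
SAMPLE_LOG = (
    '<67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP '
    '[junos@SDID-PLACEHOLDER attack-name="SYN flood Src-IP based!" '
    'source-address="112.0.0.110" source-port="80" '
    'destination-address="111.0.0.113" destination-port="3033" '
    'source-zone-name="mobiles" interface-name="reth1.112" '
    'action="alarm-without-drop"]'
)

# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [SD-ID params...]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) \[(?P<sd>.*)\]\s*$'
)
# key="value" pairs; a value may contain escaped quotes (\")
PARAM_RE = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')


@dataclass
class ScreenEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    msgid: str
    sd_id: str
    params: dict = field(default_factory=dict)


def parse_screen_log(line: str) -> ScreenEvent:
    """Split the syslog header from the bracketed structured-data element."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a structured screen log line")
    pri = int(m["pri"])                      # PRI = facility * 8 + severity
    sd_id, _, body = m["sd"].partition(" ")  # first token is the SD-ID
    params = {k: v.replace('\\"', '"') for k, v in PARAM_RE.findall(body)}
    return ScreenEvent(
        facility=pri // 8, severity=pri % 8,
        timestamp=m["timestamp"], host=m["host"], app=m["app"],
        msgid=m["msgid"], sd_id=sd_id, params=params,
    )


def is_alarm_only(ev: ScreenEvent) -> bool:
    """True when a screen raised an alarm but let the packet through: the
    attack was observed, not dropped, so the event deserves review."""
    return ev.msgid.startswith("RT_SCREEN") and ev.params.get("action") == "alarm-without-drop"


if __name__ == "__main__":
    ev = parse_screen_log(SAMPLE_LOG)
    print(ev.msgid, ev.params["attack-name"], ev.params["source-address"],
          "->", ev.params["destination-address"], "alarm-only:", is_alarm_only(ev))
```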

Integrated Convergence Services

The Integrated Convergence Services features listed in this section are supported on SRX210 and SRX240 devices with Voice capability.

• Accounting feature—You can configure Integrated Convergence Services to collect and generate accounting information for successful and unsuccessful voice subscriber transactions. The voice daemon generates and collects accounting data about calls made and received between Session Initiation Protocol (SIP), Foreign Exchange Station (FXS), and Foreign Exchange Office (FXO) stations.

You can use the accounting feature for calls made when the SRX Series media gateway (SRX Series MGW) is in control or when the SRX Series survivable call server (SRX Series SCS) is in control.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Call park—The call park feature allows users to park an active call and pick up their call or that of another user later. To use the call park feature, you configure a primary logical extension, which you can think of as a parking lot. You must also configure a range of logical extensions following the primary one that are used to park individual calls.

When you handle a call, you can transfer it to the parking lot without the caller hearing the transfer process. When you park the call, you are told the logical extension number of the parking slot before your connection to the call is dropped. You or another user can pick up the call and resume the conversation from any phone by calling the extension number of the parking slot.

This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Defining a SIP registrar address separate from the peer call server—By default, the SIP registrar and the peer call server (SIP server) are handled by the same service and therefore have the same address. Under these circumstances, the SRX Series MGW sends SIP REGISTRAR and INVITE messages to the IP address configured for the peer call server.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Direct inward dialing lists—You can associate a list of direct inward dialing (DID) numbers with a trunk to be used for assignment to stations. You do not need to assign these DIDs to stations directly. The software assigns a DID number to a single station exclusively. If an incoming call is made to an unassigned DID number, it is directed to and handled by the auto-attendant.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Disabling SIP registration to the peer call server—The SRX Series MGW sends registration messages to the peer call server. For some network environments in which all media gateways are known to the peer call server, the SRX Series MGW is not required to register to it. To do so could cause complications. For example, the peer call server could drop the registration message “silently,” that is, without informing the SRX Series MGW. In this case, the SRX Series MGW might retransmit the message, incurring unnecessary processing and adding to the network load.

When you configure peer call server information, you can disable transmission of the registration message to the peer call server to avoid these problems.

NOTE: Disabling transmission of the SRX Series MGW registration to the peer call server does not disable registration of an FXS station to the SRX Series MGW on the device running Integrated Convergence Services.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Disabling SIP registration to the proxy server—By default, Integrated Convergence Services SIP trunks register to the SIP service provider’s peer proxy server. For some SIP networks, the peer proxy server is informed about all SIP trunks that communicate with it. In such network environments, the SIP trunk does not need to send a REGISTER message to the peer proxy server. To do so would increase network load unnecessarily. To accommodate these network environments, you can configure the SIP trunk not to register to the peer proxy server.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• DSCP marking for RTP packets generated by SRX Series Integrated Convergence Services—Configure DSCP marking to set the desired DSCP bits for Real-Time Transport Protocol (RTP) packets generated by SRX Series Integrated Convergence Services.

Differentiated Services code point (DSCP) bits are the 6-bit field in the IP header that devices use to decide the forwarding priority of a packet. When the DSCP bits of RTP packets generated by Integrated Convergence Services are configured, the downstream device can classify the RTP packets and direct them to a higher priority queue in order to achieve better voice quality when packet traffic is congested. Juniper Networks devices provide classification, priority queuing, and other kinds of class-of-service (CoS) configuration under the CoS configuration hierarchy.

Note that the Integrated Convergence Services DSCP marking feature marks only RTP packets of calls that it terminates, which include calls to peer call servers and to peer proxy servers that provide SIP trunks. If a call is not terminated by Integrated Convergence Services, then DSCP marking does not apply.

To configure the DSCP marking bitmap for calls terminated by Integrated Convergence Services and the address of the peer call server or peer proxy server to which these calls are routed, use the media-policy statement at the [edit services converged-services] hierarchy level:

set services convergence-service service-class <name> dscp <bitmap>
set services convergence-service service-class media-policy <name> term <term-name> from peer-address [<addresses>]
set services convergence-service service-class media-policy <name> term then service-class <name>

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Hunt group—A hunt group enables a group of users to handle calls collectively. A hunt group specifies a logical extension that outside parties can call. Member stations belonging to the hunt group are specified in a preconfigured station group. When a call comes in on the logical extension, the call is directed to the phone whose station is specified first in the preconfigured station group, and that phone rings. The next incoming call is directed to the second station specified in the station group and its phone rings, and so on.

To connect the call, the system hunts through the configured stations in order, one at a time. It rings a phone for up to the time limit that you specify before it tries the next phone in the configured order.

This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Interoperability with Microsoft and Cisco call servers and IP phones—This feature addresses SRX Series media gateway (SRX Series MGW) interoperability with Microsoft and Cisco call servers and IP phones, in addition to the current support for Avaya call servers and IP phones. This feature helps to provide a comprehensive joint enterprise communications offering.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Pickup group—Pickup groups enable users to handle incoming calls collectively, as a group. Members of the same pickup group can answer incoming calls directed at any phone extension number within the group. When a phone is called, the first available agent takes the call, whether it comes in on their phone or another phone within the group. To pick up a call, the user dials the digits *8. After the user takes the call, the phone whose number was called no longer rings. Users can belong to one or more pickup groups concurrently.

The pickup group feature rings only one phone at a time. If the first phone tried is busy, the next one is tried, and so on. A pickup group can include up to 20 members, whose phones can be either analog or SIP, but not a mix of both.

This feature is supported when the SRX Series survivable call server (SRX Series SCS) is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

• Ring group—A ring group can include up to five members. A ring group allows incoming calls to be handled by any member of the group. You configure a ring group with a logical extension that outside parties can call. Calls coming into the logical extension are forwarded to all phones simultaneously. The first member to answer the call takes it, and the phones of other members of the group stop ringing. A ring group can include both SIP and analog stations.

This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported.

[Junos OS Integrated Convergence Services Configuration and Administration Guide]

Interfaces and Routing

• 1-Port Gigabit Ethernet SFP Mini-PIM—This feature is supported on SRX210, SRX220, and SRX240 devices.

Small form-factor pluggables (SFPs) are hot-pluggable modular interface transceivers for Gigabit and Fast Ethernet connections. Gigabit Ethernet SFP Mini-PIMs can be used in copper and optical environments.

The 1-Port Gigabit Ethernet SFP Mini-PIM connects to a single Gigabit Ethernet device or network. It supports a variety of transceivers with data speeds of 10 Mbps/100 Mbps/1 Gbps for extended LAN or WAN connectivity.

The 1-Port Gigabit Ethernet SFP Mini-PIM supports the following features:

• 10 Mbps/100 Mbps/1 Gbps link speed

• Half-duplex/full-duplex support

• Autonegotiation

• Encapsulations

• MTU size of 1514 bytes (default) and 9010 bytes (jumbo frames)

• Loopback

• Online insertion and removal of transceivers

[Junos OS Interfaces Configuration Guide for Security Devices]

IPsec

• Virtual router support for route-based VPNs—This feature is supported on all SRX Series and J Series devices.

This feature includes routing-instance support for route-based VPNs. You can now configure different subunits of the st0 interface in different routing instances. The following functions are supported for nondefault routing instances:

NOTE: IKE is not supported in a custom VR (virtual router). The IKE gateway external interface must reside in the default virtual router (inet.0).

• Manual key management

• Transit traffic

• Self-traffic

• VPN monitoring

• Hub-and-spoke VPNs

• Encapsulating Security Payload (ESP) protocol

• Authentication Header (AH) protocol

• Aggressive mode or main mode

• st0 anchored on the loopback (lo0) interface

• Maximum number of virtual routers supported on an SRX Series device

• Applications such as Application Layer Gateway (ALG), Intrusion Detection and Prevention (IDP), and Unified Threat Management (UTM)

• Dead peer detection (DPD)

• Chassis cluster active/backup

• OSPF over st0

• RIP over st0

[Junos OS Administration Guide for Security Devices, Junos OS CLI Reference, Junos OS Security Configuration Guide]

IPv6 Support

• Active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6) can be deployed in active/active (failover) chassis cluster configurations in addition to the existing support of active/passive (failover) chassis cluster configurations. [Junos OS Security Configuration Guide]

• Address books and address sets in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

This feature is supported in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.

On SRX Series and J Series devices running IP version 6 (IPv6) deployed in active/active (failover) chassis cluster configurations, the address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names.

To configure IPv6 address entries, specify an IPv6 address when you use the address statement at the [edit security zones security-zone name address-book] hierarchy level.

The address set configuration considers names of the address book entries, and not the IP addresses, so there are no additional considerations related to IPv6 traffic. [Junos OS Security Configuration Guide]

• Advanced flow—This feature is supported on all SRX Series and J Series devices.

IPv6 advanced flow adds IPv6 support for firewall, NAT, NAT-PT, multicast (local link and transit), IDP, Junos framework, TCP proxy, and session manager on SRX Series and J Series devices. MIBs are not used in the IPv6 flow.

IPv6 security is available to avoid impact on the existing IPv4 system. If IPv6 security is enabled, extended sessions and gates are allocated. The existing address fields and gates are used to store the index of extended sessions or gates. If IPv6 security is disabled, the IPv6 security related resources are not allocated.

New logs are used for IPv6 flow traffic to prevent impact on performance in the existing IPv4 system.

The behavior and implementation of IPv6 advanced flow are largely the same as those of the IPv4 flow. Some of the differences are as follows:

• Header parse—IPv6 advanced flow stops parsing headers and interprets the packet as the corresponding protocol packet if it encounters one of the following headers:

• TCP/UDP

• ESP/AH

• ICMPv6

IPv6 advanced flow continues parsing headers if it encounters the following extension headers:

• Hop-by-Hop

• Routing and Destination

• Fragment

IPv6 advanced flow interprets the packets as an unknown protocol packet if it encounters the extension header No Next Header.

• Sanity checks—IPv6 advanced flow supports the following sanity checks:

• TCP Length

• UDP Length

• Hop-by-Hop

• IP data length error

• Layer 3 sanity checks (for example, IP version and IP length)

• ICMPv6 packets—In IPv6 advanced flow, the ICMPv6 packets share the same behavior as normal IPv6 traffic with the following exceptions:

• Embedded ICMPv6 Packet

• Path MTU message

• Host inbound and outbound traffic—IPv6 advanced flow supports all route and management protocols running on the Routing Engine, including OSPF v3, RIPng, Telnet, and SSH. Note that flow label is not used in the flow.

• Tunnel traffic—IPv6 advanced flow supports the following tunnel types:

• IPv4 IPIP

• IPv4 GRE

• IPv4 IPsec

• Dual-stack lite

[Junos OS Security Configuration Guide]
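The header-parse and sanity-check rules listed above can be written as a small IPv6 header-chain walker: continue through Hop-by-Hop, Routing, Destination Options and Fragment, stop and classify at TCP, UDP, ESP, AH or ICMPv6, treat No Next Header as unknown, and reject packets whose headers run past the Payload Length (the "IP data length error" check). This is an added example, not Juniper's flow code; the packets are constructed by hand and the treatment of protocol numbers the page does not list, and the cap on chain length, are assumptions.

```python
"""Classify an IPv6 packet by walking its extension header chain, following the
"Header parse" and sanity-check behaviour described above.

Added example, not Juniper code. Packets are constructed by hand; the
'other-<n>' result and the chain-length cap are assumptions not on the page.
"""
import struct

# IANA protocol numbers for the headers the page names
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH = 0, 43, 44, 50, 51
ICMPV6, NO_NEXT_HEADER, DEST_OPTS, TCP, UDP = 58, 59, 60, 6, 17

TERMINAL = {TCP: "tcp", UDP: "udp", ESP: "esp", AH: "ah", ICMPV6: "icmpv6"}
CONTINUE = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
IPV6_HDR_LEN = 40


class SanityError(ValueError):
    """Raised when a Layer 3 or IP data length sanity check fails."""


def classify_ipv6(pkt: bytes) -> str:
    """Return 'tcp', 'udp', 'esp', 'ah', 'icmpv6', 'unknown' or 'other-<n>'.

    Raises SanityError on a truncated packet, a non-IPv6 version nibble, or a
    header chain that runs past the Payload Length field.
    """
    if len(pkt) < IPV6_HDR_LEN:
        raise SanityError("truncated IPv6 header")
    if pkt[0] >> 4 != 6:
        raise SanityError("IP version is not 6")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if IPV6_HDR_LEN + payload_len > len(pkt):
        raise SanityError("IP data length error: payload length exceeds packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    end = IPV6_HDR_LEN + payload_len
    hops = 0
    while True:
        if nh in TERMINAL:
            return TERMINAL[nh]          # stop parsing, interpret as this protocol
        if nh == NO_NEXT_HEADER:
            return "unknown"
        if nh not in CONTINUE:
            return f"other-{nh}"         # assumption: not described on the page
        # Each header we continue through starts with Next Header and
        # Hdr Ext Len; Fragment is fixed at 8 bytes, the rest (len+1)*8.
        if off + 2 > end:
            raise SanityError("truncated extension header")
        ext_len = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + ext_len > end:
            raise SanityError("extension header runs past payload length")
        nh, off = pkt[off], off + ext_len
        hops += 1
        if hops > 8:                     # assumption: bound pathological chains
            raise SanityError("too many extension headers")


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed minimal IPv6 header: version 6, hop limit 64, zero addresses."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + bytes(32) + payload


def ext_header(next_header: int, hdr_ext_len: int = 0) -> bytes:
    """Constructed Hop-by-Hop/Destination/Routing header of (hdr_ext_len+1)*8 bytes."""
    size = (hdr_ext_len + 1) * 8
    return bytes([next_header, hdr_ext_len]) + bytes(size - 2)


def fragment_header(next_header: int) -> bytes:
    """Constructed 8-byte Fragment header, offset 0, arbitrary identification."""
    return struct.pack("!BBHI", next_header, 0, 0, 0x1234)


if __name__ == "__main__":
    pkt = build_ipv6(HOP_BY_HOP, ext_header(FRAGMENT) + fragment_header(TCP) + bytes(20))
    print(classify_ipv6(pkt))                                   # tcp
    print(classify_ipv6(build_ipv6(DEST_OPTS, ext_header(NO_NEXT_HEADER))))  # unknown
```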

• DNS ALG for routing, NAT, and NAT-PT—This feature is supported on all SRX Series and J Series devices.

The DNS ALG is the part of the ALG framework that handles Domain Name System (DNS) traffic. The DNS ALG module already supports IPv4. In Junos OS Release 10.4, this feature adds IPv6 support to the DNS ALG for routing, NAT, and NAT-PT.

When the DNS ALG receives a DNS query from the DNS client, a security check is done on the DNS packet. When the DNS ALG receives a DNS reply from the DNS server, a similar security check is done, and then the session for the DNS traffic closes.

When the DNS traffic works in NAT mode, the DNS ALG translates the public address in a DNS reply to a private address when the DNS client is on a private network, and similarly translates a private address to a public address when the DNS client is on a public network. When DNS traffic works in NAT-PT mode, the DNS ALG translates the IP address in a DNS reply packet between the IPv4 address and the IPv6 address when the DNS client is in an IPv6 network and the server is in an IPv4 network, and vice versa.

To support NAT-PT mode in a DNS ALG, the NAT module should support NAT-PT. [Junos OS Security Configuration Guide]

• Dual-stack lite—This feature is supported on SRX650, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

IPv6 dual-stack lite (DS Lite) is a technology for maintaining connectivity between legacy IPv4 devices and networks despite a depleted IPv4 address pool, as service provider networks transition to IPv6-only deployments.

DS Lite allows IPv4 customers to continue accessing IPv4 internet content with minimum disruption to their home networks, while enabling IPv6 customers to access IPv6 content.

The DS Lite deployment model consists of the following components:

• Softwire Initiator (SI) in the DS Lite home router (SI is not available in Junos release 10.4)

• Softwire Concentrator (SC) in the DS Lite carrier-grade Network Address Translation (NAT)

A softwire is a tunnel over an IPv6 network. The SI finds the SC address, encapsulates an IPv4 packet, and transmits it across the softwire. The SC receives the IPv4 packet inside the IPv6 softwire packet and decapsulates the softwire packet to retrieve the inner IPv4 packet. Multiple SIs can have the same SC as the endpoint of their softwires.

The DS Lite carrier-grade NAT performs IPv4-IPv4 address translations to multiple subscribers through a single global IPv4 address. Overlapping address spaces used by subscribers are disambiguated through the identification of tunnel endpoints.

A new command for displaying information on softwires, show security softwires, is available in Junos OS Release 10.4.

[Junos OS Security Configuration Guide, Junos OS CLI Reference]

• Firewall security policy in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

This feature is now supported in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.

The matching criteria for security policy rules are based on zones, address objects, and applications. To support security policy rules for IPv6 traffic, you have to configure zone and address objects with IPv6 values. You can also select IPv6 applications.

Note that in security policy rules, the meaning of the wildcard any has changed. When flow support is enabled for IPv6 traffic, the wildcard any matches any IPv4 or IPv6 address. Junos OS Release 10.4 introduces two new wildcards, any-ipv4 and any-ipv6, that match only IPv4 or only IPv6 addresses, respectively, including in active/active chassis cluster configurations. When flow support is not enabled for IPv6 traffic, any matches only IPv4 addresses.

IPv6 support for IDP and UTM is not included in Junos OS Release 10.4. If your current security policy uses rules with the any IP address wildcard and has IDP or UTM features enabled, you will encounter configuration commit errors because IDP and UTM do not support IPv6 addresses. To resolve these errors, modify the rule returning the error so that it uses the any-ipv4 wildcard, and create separate rules for IPv6 traffic that do not include IDP or UTM features. [Junos OS Security Configuration Guide]

• Flow-based processing in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

In Junos OS Release 10.4, we support IPv6 flow-based processing in active/active (failover) chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.

IPv6 flow support enables processing of IPv6 traffic by the security features of SRX Series and J Series devices. IPv6 flow support is disabled by default, and IPv6 packets are dropped.

To enable flow-based processing for IPv6 traffic, modify the mode statement at the [edit security forwarding-options family inet6] hierarchy level.

The [show security flow session source-prefix] and [show security flow session destination-prefix] commands you use to monitor session statistics now take IPv6 address arguments. In addition, the [show security flow session family (inet|inet6)] option is added to filter session statistics by protocol family.

[Junos OS CLI Reference, Junos OS Interfaces Configuration Guide for Security Devices, Junos OS Security Configuration Guide]
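The two items above (enabling IPv6 flow-based processing, and splitting an IDP rule with the any-ipv4 and any-ipv6 wildcards) combined into one added configuration example. This is not configuration from the release notes; the zone, address-book and policy names and the prefixes are assumed.

```junos
# Added example, not from the release notes. Zone, address and policy names are assumed.

# Enable flow-based processing for IPv6 (disabled by default; IPv6 packets are dropped
# until this is set). The mode change takes effect after a commit and reboot.
set security forwarding-options family inet6 mode flow-based

# Address objects with IPv6 values, so that IPv6-specific rules can reference them.
set security zones security-zone trust address-book address v6-clients 2001:db8:1::/64
set security zones security-zone untrust address-book address v6-servers 2001:db8:2::/64

# BEFORE: once inet6 mode is flow-based, "any" also matches IPv6 addresses, so a rule that
# combines "any" with IDP fails at commit because IDP does not support IPv6 addresses.
# set security policies from-zone trust to-zone untrust policy allow-out match source-address any
# set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
# set security policies from-zone trust to-zone untrust policy allow-out match application any
# set security policies from-zone trust to-zone untrust policy allow-out then permit application-services idp

# AFTER, rule 1: keep IDP, but restrict the rule to IPv4 with the any-ipv4 wildcard.
set security policies from-zone trust to-zone untrust policy allow-out-v4 match source-address any-ipv4
set security policies from-zone trust to-zone untrust policy allow-out-v4 match destination-address any-ipv4
set security policies from-zone trust to-zone untrust policy allow-out-v4 match application any
set security policies from-zone trust to-zone untrust policy allow-out-v4 then permit application-services idp

# AFTER, rule 2: a separate IPv6 rule with no IDP or UTM services attached.
set security policies from-zone trust to-zone untrust policy allow-out-v6 match source-address v6-clients
set security policies from-zone trust to-zone untrust policy allow-out-v6 match destination-address v6-servers
set security policies from-zone trust to-zone untrust policy allow-out-v6 match application any
set security policies from-zone trust to-zone untrust policy allow-out-v6 then permit

# Verify from operational mode after the commit:
#   show security flow session family inet6
#   show security flow session source-prefix 2001:db8:1::/64
```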

• FTP ALG for routing—This feature is supported on all SRX Series and J Series devices.

The FTP ALG is the part of the ALG framework that handles File Transfer Protocol (FTP) traffic. The PORT/PASV requests and the corresponding 200/227 responses in FTP announce the TCP port on which the host listens for the FTP data connection.

The extended EPRT/EPSV commands and the corresponding 229 response serve the same purpose. The FTP ALG already supports EPRT/EPSV/229, but only for IPv4 addresses.

In Junos OS Release 10.4, EPRT/EPSV/229 handling is updated to support both IPv4 and IPv6 addresses.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]

• ICMP ALG for routing, NAT, and NAT-PT—This feature is supported on all SRX Series and J Series devices. ALGs support Internet Control Message Protocol version 6 (ICMPv6), an integral part of IPv6 that must be fully implemented by every IPv6 node. The ICMP ALG handles ICMP traffic by monitoring all ICMP messages and then performing the following actions:

• Closes the session

• Modifies the payload

In routing mode, the ICMP ALG closes a session if it receives one of the following message types:

• Echo reply (type 129) message

• Destination unreachable (type 1) error message

In Network Address Translation (NAT) mode, the ICMP ALG performs the following actions:

• Closes the session if it receives an echo reply (type 129) message or a destination unreachable (type 1) error message

• Modifies the identifier or sequence number of the echo request

• Retains the original identifier and sequence number for the echo reply

• Translates the embedded IPv6 packet for the ICMPv6 error message

In a Network Address Translation-Protocol Translation (NAT-PT) environment, the ALG performs the following actions:

• Closes the session if it receives an echo reply (type 129) message or a destination unreachable (type 1) error message

• Translates an ICMPv4 ping message to an ICMPv6 ping message

• Translates an ICMPv6 ping message to an ICMPv4 ping message

• Translates an ICMPv4 error message to an ICMPv6 error message and translates its embedded IPv4 packet to an IPv6 packet

• Translates an ICMPv6 error message to an ICMPv4 error message and translates its embedded IPv6 packet to an IPv4 packet

The ICMP ALG drops ICMP traffic when translation between IPv4 and IPv6 is not possible. Note that the ICMP ALG is always enabled and cannot be disabled by means of the command-line interface (CLI).

[Junos OS Security Configuration Guide]

• Interfaces in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

A logical interface can be configured with an IPv4 address, IPv6 address, or both in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations.

To configure an IPv6 address for a logical interface, use the inet6 statement at the [edit interfaces interface-name unit logical-unit family] hierarchy level. [Junos OS Interfaces Configuration Guide for Security Devices]

• Multicast flow—This feature is supported on all SRX Series and J Series devices.

The IPv6 multicast flow adds or enhances the following features:

• IPv6 transit multicast, which includes the following packet functions:

• Normal packet handling

• Fragment handling

• Packet reordering

• Protocol-Independent Multicast version 6 (PIMv6) flow handling

• Other multicast routing protocols such as Multicast Listener Discovery (MLD)

The structure and processing of an IPv6 multicast data session are the same as those of IPv4. Each data session has the following:

• One template session

• Several sessions

The reverse path forwarding (RPF) check behavior for IPv6 is the same as that of IPv4. Incoming multicast data is accepted only if the RPF check succeeds. In IPv6 multicast flow, incoming Multicast Listener Discovery (MLD) protocol packets are accepted only if MLD or PIM is enabled in the security zone for the incoming interface. Sessions for multicast protocol packets have a default timeout value of 300 seconds. This value cannot be configured. The null register packet is sent to the rendezvous point.

In IPv6 multicast flow, a multicast router has the following three roles:

• Designated router

• Intermediate router

• Rendezvous point

[Junos OS Class of Service Configuration Guide]

• NAT—This feature is supported on all SRX Series and J Series devices.

IPv6 Network Address Translation (IPv6 NAT) provides address translation between IPv6 hosts. NAT between IPv6 hosts is done in a similar manner and for similar purposes as IPv4 NAT. IPv6 NAT in Junos OS provides the following NAT types:

• Source NAT

• Destination NAT

• Static NAT

[Junos OS Security Configuration Guide]

• NAT-PT—This feature is supported on all SRX Series and J Series devices.

IPv6 Network Address Translation-Protocol Translation (NAT-PT) provides address and protocol translation between IPv4 and IPv6 addressed network devices. IPv6 NAT-PT supports both traditional NAT-PT and bidirectional NAT-PT. IPv6 NAT-PT supports Internet Control Message Protocol (ICMP), TCP, and UDP protocol packets. [Junos OS Security Configuration Guide]

• Packet filtering—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Packet-filtering options for IPv6 addresses and IPv6-style source prefix, destination prefix, and interface are supported in addition to the existing IPv4 datapath-debug functionality.

[Junos OS Security Configuration Guide, Junos OS CLI Reference]

• Screens—This feature is now supported on all SRX Series and J Series devices.

IPv6 support is extended for the following screen features:

• Syn-flood/syn-proxy/syn-cookie

• Syn-ack-ack-proxy

• Ip-spoofing

[Junos OS Security Configuration Guide]

• Zone configuration in active/active chassis cluster—This feature is supported on all SRX Series and J Series devices.

In Junos OS Release 10.4, SRX Series and J Series devices running IP version 6 (IPv6) can be deployed in active/active chassis cluster configurations with security zone configuration in addition to the existing support of active/passive chassis cluster configurations.

The security zone configuration refers to interfaces by name, not by IP address, so there are no additional considerations for the zone interface configuration.

You can also use the zone configuration to explicitly permit inbound traffic from network system services and system protocols. Note that you can now use the host inbound traffic configuration to permit traffic from the following IPv6-related services and protocols: DHCPv6, neighbor discovery (ND) protocol, OSPF3, and RIPng. [Junos OS Security Configuration Guide]

J-Web

• IPv6 addressing support for J-Web—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.

J-Web now supports IPv6 addressing when configuring security features such as policies, zones, screens, address books, host inbound system services, protocols, and flow-forwarding options.

The following pages have been enhanced:

• Zones/Screens Configuration page

• Security Policy Configuration page

• Security Policy Element Configuration page

• Security Flow Element Configuration page

• J-Web Chassis View—The changes and enhancements to the J-Web Chassis View apply to SRX1400 devices.

The following enhancements have been made to the J-Web Chassis View on the Dashboard:

• Displays the front or rear panel view of the device and shows which slots are occupied. When you insert or remove a card, the Chassis View reflects the change immediately.

• Port colors change to indicate the port link status. For example, the ge port lights steadily green when the port is up and red when the port is down.

• Displays Help tips when you hover the mouse over a port.

MAC limiting

• MAC limiting—This feature is supported on SRX100, SRX210, SRX220, and SRX650 devices.

MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing on access interfaces. You enable this feature on VLANs.

MAC limiting sets a limit on the number of MAC addresses that can be learned dynamically on a single Layer 2 access interface or on all the Layer 2 access interfaces on the switch.

You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses are treated as specified by the configuration.

You can choose to have one of the following actions performed when the limit of MAC addresses or the limit of MAC moves is exceeded:

• drop—Drop the packet and generate an alarm, an SNMP trap, or a system log entry. This is the default.

• log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

• none—Take no action.

• shutdown—Disable the interface and generate an alarm. If you have configured the switch with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.

NOTE: The MAC limit is applied only to new MAC learning requests. If 10 MACs are already learned and you configure the limit as 5, all 10 remain in the forwarding database (FDB). Once the MACs are cleared by the user (using the clear ethernet-switching table command) or age out, they are not relearned.

MAC limiting does not apply to static MACs. Users can configure any number of static MACs independent of the MAC limit, and all of them are added to the FDB.

[Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices]
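MAC limiting and MAC move limiting with the actions described above, as an added configuration example that is not from the release notes. It uses the secure-access-port hierarchy as found on EX Series switches; the interface and VLAN names and the MAC address are assumed.

```junos
# Added example, not from the release notes. Interface, VLAN names and MAC address are assumed.

# Allow at most 5 dynamically learned MACs on the access port; a 6th new MAC is
# dropped and an alarm/SNMP trap/syslog entry is generated (drop is the default action).
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 5 action drop

# A static (allowed) MAC is not counted against the limit.
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 allowed-mac 00:10:94:00:00:01

# Stricter handling for a port that should only ever see one or two hosts:
# disable the interface on a violation ...
set ethernet-switching-options secure-access-port interface ge-0/0/2.0 mac-limit 2 action shutdown

# ... and let it recover automatically after 300 seconds instead of waiting for an
# operator to run "clear ethernet-switching port-error".
set ethernet-switching-options port-error-disable disable-timeout 300

# MAC move limiting (flapping / spoofing detection) is applied per VLAN; here it only logs.
set ethernet-switching-options secure-access-port vlan vlan-trust mac-move-limit 3 action log

# Operational checks after the commit:
#   show ethernet-switching table        (learned vs. static entries; entries above a newly
#                                         lowered limit stay until cleared or aged out)
#   show ethernet-switching interfaces   (port-error state of shut-down ports)
```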

R2CP radio-to-router protocol support

• R2CP radio-to-router protocol support—This feature is supported on all SRX Series and J Series devices.

Junos OS Release 10.4 supports the Network Centric Waveform (NCW) radio-specific radio-to-router control protocol (R2CP), which is similar to the PPPoE radio-to-router protocol. Both of these protocols exchange dynamic metric changes in the network that the routers use to update the OSPF topologies.

In radio-router topologies, the router connects to the radio over a Gigabit Ethernet link and the radio transmits packets over the radio frequency (RF) link. The radio periodically sends metrics to the router; these metrics, derived from RF link characteristics and other data, inform the router about shaping and OSPF link capacity. The router uses this information to shape the data traffic and to provide the OSPF link cost for its SPF calculations. The radio functions like a Layer 2 switch and can identify remote radio-router pairs only by Layer 2 MAC address. With R2CP the router receives metrics for each neighboring router, identified by the MAC address of the remote router. The R2CP daemon translates the MAC addresses to link-local IPv6 addresses and sends the metrics for each neighbor to OSPF. Processing these metrics is similar to the handling of PPPoE PADQ metrics. Unlike PPPoE, which is a point-to-point link, R2CP neighbors are treated as nodes on a broadcast LAN.

You must configure each neighbor node with a per-unit scheduler for CoS. The scheduler context defines the attributes of Junos class of service (CoS). To define CoS for each radio, you can configure virtual channels to limit traffic; you need as many virtual channels as there are remote radio-router pairs in the network. You configure virtual channels on a logical interface. Each virtual channel can have a set of eight queues with a scheduler and an optional shaper. When the radio initiates a session with a peer radio-router pair, a new session is created with the remote MAC address of the router and the VLAN over which the traffic flows. Junos OS chooses a free virtual channel from the list and assigns the remote MAC address, the eight CoS queues, and the scheduler to it. All traffic destined to this remote MAC address is subject to the CoS defined in the virtual channel.

A virtual channel group is a collection of virtual channels. Each radio can have only one virtual channel group assigned uniquely. If you have more than one radio connected to the router, you must have one virtual channel group for each local radio-to-router pair.

Although a virtual channel group is assigned to a logical interface, a virtual channel is not the same as a logical interface. The only features supported on a virtual channel are queuing, packet scheduling, and accounting. Rewrite rules and routing protocols apply to the entire logical interface.

[LN1000 Mobile Secure Router User Guide]

Security

• Display multiple policy matches—This feature is supported on all SRX Series and J Series devices.

The addition of the result-count option in Junos OS Release 10.4 extends the functionality of the show security match-policies command and lets you display up to 16 policy matches for the given set of criteria. The first policy in the list is the policy applied to all matching traffic. All policies after the first are shadowed by it and are never reached by that traffic. [Junos OS Security Configuration Guide]

• DHCPv6 server—This feature is supported on all SRX Series and J Series devices.

Dynamic Host Configuration Protocol version 6 (DHCPv6) local server is now supported on all SRX Series and J Series devices to provide addressing for IPv6 clients.

Some features include:

• Configuration for a specific interface or a group of interfaces

• Stateless Address Autoconfiguration (SLAAC)

• Prefix delegation, including access-internal route installation

• DHCPv6 server groups

To configure a DHCPv6 local server on a device, you include the dhcpv6 statement at the [edit system services dhcp-local-server] hierarchy level. The DHCPv6 address pool is configured at the [edit access address-assignment pool] hierarchy level using the family inet6 statement.

NOTE: Existing DHCPv4 configurations in the [edit system services dhcp] hierarchy are not affected by upgrading to 10.4 or by adding a DHCPv6 configuration.

[Junos OS Administration Guide for Security Devices, Junos OS CLI Reference]

• On-box reporting—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.

On-box reporting offers a comprehensive reporting facility where your security management team can spot a security event when it occurs, immediately access and review pertinent details about the event, and quickly decide appropriate remedial action.

J-Web reports provide summary graphics of current security events, Web traffic, and resource utilization. When event activity occurs, you can quickly drill down to detailed information about the specific item.

In Junos OS Release 10.4, on-box reporting capabilities include:

• Real-time threat event monitoring

• Dynamic visuals for quick threat identification, tracking, and analysis

• Event-specific drill-down to determine traffic characteristics and policy rule matches

• Composite reports of recent threats or traffic

[Junos OS Administration Guide for Security Devices]

• Optional CP Session Capacity Expansion on Fully Configured Devices—This feature is supported on SRX3400, SRX3600, and SRX5800 devices.

The session capacity of the central point (CP) for fully configured SRX3400, SRX3600, and SRX5800 devices can be expanded as shown in the following table.

Maximum Concurrent CP Sessions on a Fully Loaded System

SRX Series Device    Default         With Expanded Capacity
SRX3400              2.25 million    3 million
SRX3600              2.25 million    6 million
SRX5800              12.5 million    14.0 million

On an SRX3400 or SRX3600 device, you expand the maximum CP session capacity by installing the SRX3K-EXTREME-LTU license.

On an SRX5800 device, you expand the maximum CP session capacity by specifying the maximize-cp-sessions optimization option at the [edit security forwarding-process application-services] hierarchy level. Using this optimization technique precludes other optimization methods, disables advanced GTP processing, and reduces routing capacity to 100K prefixes.

[Junos OS Security Configuration Guide]

SNMP

• SNMP enterprise-specific MIBs—This feature is supported on all SRX Series and J Series devices.

Junos OS Release 10.4 adds support for enterprise-specific MIBs for the SRX1400 device.

[SRX1400, SRX3400, and SRX3600 Services Gateways MIB Reference]

SRX Series Image Upgrade Using a USB Device

• This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

The SRX Series Image Upgrade using a USB device feature simplifies the upgrading of Junos OS images in cases where there is no console access to an SRX Series device located at a remote site. This feature allows you to upgrade the Junos OS image with minimum configuration effort by simply inserting a USB flash drive into the USB port of the SRX Series device and performing a few simple steps.

NOTE: USB upgrades are not supported on chassis clusters.

Before you begin the installation, ensure the following prerequisites are met:

• Junos OS upgrade image and autoinstall.conf file are copied to the USB device.

• Adequate space is available on the SRX Series device to install the software image.

To use a USB flash drive to install the Junos OS image on an SRX Series device:

1. Insert the USB flash drive into the USB port of the SRX Series device and wait for the LEDs to blink amber, then steadily light amber, indicating that the SRX Series device detects the Junos OS image.

If the LEDs do not turn amber, press the Power button or power-cycle the device and wait for the LEDs to steadily light amber.

2. Press the Reset Config button on the SRX Series device and wait for the LEDs to turn green, indicating that the Junos OS upgrade image has successfully installed.

If the USB device is plugged in, the Reset Config button always performs as an image upgrade button. Any other functionality of this button is overridden until you remove the USB flash drive.

3. Remove the USB flash drive. The SRX Series device restarts automatically and loads the new Junos OS version.

NOTE: If an installation error occurs, the LEDs light red, which might indicate that the Junos OS image on the USB flash drive is corrupted. An installation error can also occur if the current configuration on the SRX Series device is not compatible with the new Junos OS version on the USB. You must have console access to the SRX Series device to troubleshoot an installation error.

[Junos OS Administration Guide for Security Devices]

TCP Session

• TCP Session Check Per Policy—This feature is supported on all SRX Series devices.

By default, TCP SYN check and TCP sequence check options are enabled on all TCP sessions. The Junos operating system (Junos OS) performs the following operations during TCP sessions:

• Checks for SYN flags in the first packet of a session and rejects any TCP segments with non-SYN flags that attempt to initiate a session.

• Validates the TCP sequence numbers during stateful inspection.

The TCP session check per-policy feature enables you to configure SYN checks and sequence checks for each policy. Currently, the TCP options flags, no-sequence-check and no-syn-check, are available at a global level to control the behavior of services gateways. To support per-policy TCP options, the following two options are available:

• sequence-check-required: The sequence-check-required value will override the global value no-sequence-check.

• syn-check-required: The syn-check-required value will override the global value no-syn-check.

To configure per-policy TCP options, the respective global options must be turned off; otherwise, the commit check will fail. If global TCP options are disabled and SYN flood protection permits the first packet, then the per-policy TCP options will control whether SYN check and/or sequence check are performed.

NOTE:

• The per-policy SYN check required option will not override the behavior of the set security flow tcp-session no-syn-check-in-tunnel CLI command.

• Disabling the global SYN check reduces the effectiveness of the device in defending against packet flooding.
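The per-policy TCP session checks described above as an added configuration example, not configuration from the release notes. The zone, screen, address-book and policy names and the prefix are assumed; the global options are disabled first, as the commit check requires.

```junos
# Added example, not from the release notes. Zone, screen, address and policy names are assumed.

# 1. The global checks must be off before any policy can require them; otherwise the commit fails.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

# 2. With the global SYN check off, keep SYN flood protection on the Internet-facing zone.
#    The per-policy options only ever see a first packet that the screen has already permitted.
set security screen ids-option untrust-screen tcp syn-flood
set security zones security-zone untrust screen untrust-screen

# 3. Internet-facing policy: require both checks again, per policy.
set security zones security-zone dmz address-book address web-servers 203.0.113.0/28
set security policies from-zone untrust to-zone dmz policy inbound-web match source-address any
set security policies from-zone untrust to-zone dmz policy inbound-web match destination-address web-servers
set security policies from-zone untrust to-zone dmz policy inbound-web match application junos-http
set security policies from-zone untrust to-zone dmz policy inbound-web then permit tcp-options syn-check-required
set security policies from-zone untrust to-zone dmz policy inbound-web then permit tcp-options sequence-check-required

# 4. An internal policy with no tcp-options inherits the relaxed global setting, which is
#    what you want where asymmetric routing lets the device see a session mid-stream.
set security policies from-zone trust to-zone dmz policy internal-mgmt match source-address any
set security policies from-zone trust to-zone dmz policy internal-mgmt match destination-address web-servers
set security policies from-zone trust to-zone dmz policy internal-mgmt match application junos-ssh
set security policies from-zone trust to-zone dmz policy internal-mgmt then permit

# Caveat from the notes: syn-check-required does not override
# "set security flow tcp-session no-syn-check-in-tunnel".
```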

VPNs

• IKE and IPsec predefined proposals for dynamic VPN—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

In earlier releases, administrators had to configure individual Internet Key Exchange (IKE) and IP Security (IPsec) proposals for every IKE and IPsec policy. This was tedious and time consuming when many VPN policies had to be configured, because each required custom IKE and IPsec proposals.

Junos OS Release 10.4 supports proposal-set configuration in IKE and IPsec; the administrator can select basic, compatible, or standard proposal sets for dynamic VPN clients. Each proposal set consists of two or more predefined proposals. The server selects one predefined proposal from the set configured and pushes it to the client in the client configuration. The client uses this proposal in negotiations with the server to establish the connection.

The default values for IKE and IPsec security association (SA) rekey timeout are as follows:

• For IKE SA, the rekey timeout is 28800 seconds.

• For IPsec SA, the rekey timeout is 3600 seconds.

The basic use cases of proposals are as follows:

• IKE and IPsec both use proposal sets.

The server selects a predefined proposal from the proposal set and sends it to the client, along with the default rekey timeout value.

• IKE uses a proposal set, and IPsec uses a custom proposal.

The server sends a predefined IKE proposal from the configured IKE proposal set to the client, along with the default rekey timeout value. For IPsec, the server sends the setting that is configured in the IPsec proposal.

• IKE uses a custom proposal, and IPsec uses a proposal set.

The server sends a predefined IPsec proposal from the configured IPsec proposal set to the client, along with the default rekey timeout value. For IKE, the server sends the setting that is configured in the IKE proposal.

NOTE: If IPsec uses the standard proposal set and perfect forward secrecy (PFS) is not configured, then the default PFS is set as group2. For other proposal sets, PFS will not be set because it is not configured.

[Junos OS CLI Reference, Junos OS Security Configuration Guide]
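The proposal-set use cases above as an added configuration example covering only the IKE and IPsec policy, gateway and VPN objects (the dynamic-vpn client configuration is omitted). This is not configuration from the release notes; the gateway, policy, access-profile and interface names, the hostname and the pre-shared key are assumed placeholders.

```junos
# Added example, not from the release notes. Names, hostname and pre-shared key are placeholders.

# Use case 1 from the text: both IKE and IPsec use proposal sets, so no custom proposals are needed.
set security ike policy dynvpn-ike-policy mode aggressive
set security ike policy dynvpn-ike-policy proposal-set compatible
set security ike policy dynvpn-ike-policy pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"

# With the standard set, PFS defaults to group2 when perfect-forward-secrecy is not configured;
# with basic or compatible, no PFS is applied unless you set it explicitly, for example:
#   set security ipsec policy dynvpn-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy dynvpn-ipsec-policy proposal-set standard

# Use case 2 from the text (IKE proposal set, custom IPsec proposal) would replace the
# proposal-set line above with a custom proposal; the 3600 s lifetime matches the default rekey timeout:
# set security ipsec proposal custom-esp protocol esp
# set security ipsec proposal custom-esp authentication-algorithm hmac-sha1-96
# set security ipsec proposal custom-esp encryption-algorithm aes-256-cbc
# set security ipsec proposal custom-esp lifetime-seconds 3600
# set security ipsec policy dynvpn-ipsec-policy proposals custom-esp

# Gateway and VPN objects that reference the two policies.
set security ike gateway dynvpn-gw ike-policy dynvpn-ike-policy
set security ike gateway dynvpn-gw dynamic hostname dynvpn.example.com
set security ike gateway dynvpn-gw external-interface ge-0/0/0.0
set security ike gateway dynvpn-gw xauth access-profile dynvpn-users
set security ipsec vpn dynvpn ike gateway dynvpn-gw
set security ipsec vpn dynvpn ike ipsec-policy dynvpn-ipsec-policy

# After a client connects, confirm which predefined proposal was chosen and the lifetimes
# (defaults: IKE SA 28800 s, IPsec SA 3600 s):
#   show security ike security-associations detail
#   show security ipsec security-associations detail
```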

• Local authentication and IP address assignment for dynamic VPN—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

A client application sends an authentication request and a request for an IP address on behalf of an unauthenticated client at the same time. The communication between the client and AUTHD is minimized because the IP address request is not sent as a separate message.

After successful local authentication, AUTHD performs the following tasks:

• Assigns the address from the predefined (or statically assigned) address pools if the address matches the criteria specified by the client application.

• Assigns attributes such as WINS server and name-server address.

• Updates the associated client entry in the session database.

NOTE: For client applications that rely on a RADIUS or other external server for authentication, AUTHD might not assign IP addresses.

This feature is used to perform the following:

• Assign an IP address to the client after successful authentication.

• Provide a mechanism in AUTHD for linking an address pool to a client profile and assigning an IP address to the client from the pool.

• Provide a mechanism in AUTHD for assigning IP version 4 (IPv4) addresses to the users.

• Provide different IP addresses for multiple logins by the same user.

• Allow configuration changes in the address pool after address assignment.

Address pools are defined at the [edit access address-assignment] hierarchy.

[Junos OS CLI Reference, Junos OS Administration Guide for Security Devices]

• Local IP address management for VPN XAuth support—This feature is supported on SRX100, SRX210, SRX240, SRX650, J4350, and J6350 devices.

When you configure extended authentication (XAuth), you must enter the username and password, after the Internet Key Exchange (IKE) phase 1 security association (SA) is established. AUTHD verifies the credentials received from you.

After successful authentication, AUTHD sends the following network parameters to IKE or XAuth:

• IP address

• Domain Name System (DNS)

• Windows Internet Naming Service (WINS)

The IP address can be drawn from a locally configured IP address pool. AUTHD requires IKE or XAuth to release the IP address when it is no longer in use.

IKE provides a mechanism for establishing IP Security (IPsec) tunnels.

[Junos OS CLI User Guide, Junos OS Security Configuration Guide]

• Support group Internet Key Exchange (IKE) IDs for dynamic VPN configuration—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

The existing dynamic virtual private network (VPN) design uses a unique Internet Key Exchange (IKE) ID for each user connection. For each user, the VPN needs to be configured with an individual IKE gateway, an IPsec VPN, and a security policy that uses the IPsec VPN. This is cumbersome when there are a large number of users. The design is modified to allow a number of users to share one IKE or IPsec VPN (and policy) configuration by using shared-ike-id or group-ike-id, which reduces the number of times the VPN needs to be configured.

The shared-ike-id and group-ike-id allow you to configure VPN once for multiple users.

All users connecting through a shared-ike-id configuration use the same IKE ID and preshared key. The user credentials are verified in the extended authentication (XAuth) phase of AUTHD. The credentials of a user are configured either in RADIUS or in the access database of AUTHD.

When using group-ike-id or shared-ike-id for user connection management and licensing, the users on the client PC must use the same user credentials for both WebAuth and XAuth login (that is, the two client login windows) to prevent undesirable behavior and incorrect CLI output on the server.

NOTE: We recommend that you use group-ike-id whenever possible.

For group-ike-id, a part of the configuration for a user IKE ID is common to the group. The IKE ID is the concatenation of an individual part and the common part of the IKE ID. For example, a user can use a group-ike-id configuration with a common part ".juniper.net" and the individual part "X". The IKE ID is then "X.juniper.net". Httpd-gk generates the individual part of the IKE ID.

The group-ike-id does not require extended authentication (XAuth). However, for dynamic VPN, XAuth is needed to retrieve the network attributes such as IP address for the client. Therefore, if XAuth is not configured for group-ike-id and the administrator uses the IKE gateway in a dynamic VPN client, a warning message appears.

This feature introduces new commands for ike sa and dynamic-vpn and new options in the IKE Gateway Add/Edit page of J-Web.


[Junos OS CLI Reference, Junos OS Security Configuration Guide]

• Dynamic VPN access through the Junos Pulse client—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.

Junos Pulse enables secure authenticated network connections to protected resources and services over LANs and WANs. Junos Pulse is a remote access client developed to replace the earlier access client called Juniper Networks Access Manager. You must uninstall Access Manager before you install the Junos Pulse client.

Junos Pulse supports remote virtual private network tunnel connectivity to SRX Series Services Gateways that are running Junos OS. To configure a firewall access environment for Junos Pulse clients, you must configure the VPN settings on the SRX Series device and create and deploy a firewall connection on the Junos Pulse client.

For SRX Series devices running Junos OS Releases 10.2 through 10.4, Junos Pulse is supported but must be deployed separately. In Junos OS Release 11.1 and later releases, if the Pulse client does not exist on the client machine, the Pulse client is automatically downloaded and installed when you log in to an SRX Series device. If the Pulse client exists on the client machine, you must launch the Pulse client.

[Junos OS Security Configuration Guide]

Hardware Features—SRX210, SRX220, and SRX240 Services Gateways

AX411 Access Point Support on SRX220 Services Gateways

SRX220 Services Gateways running Junos OS Release 10.4R1 or later releases support the AX411 Access Point in the same manner as do the SRX210, SRX240, and SRX650 Services Gateways. Support for the SRX220 Services Gateway is not documented in the AX411 Access Point Hardware Guide or in the WLAN Configuration and Administration Guide, but wherever those guides indicate support for the SRX210 Services Gateway, that support applies to the SRX220 Services Gateway as well.

1-Port Small Form-Factor Pluggable (SFP) Gigabit Ethernet Mini-Physical Interface Module (Mini-PIM)

The 1-Port Small Form-Factor Pluggable (SFP) Gigabit Ethernet Mini-Physical Interface Module (Mini-PIM) complements the on-board 10/100/1000 Mbps Ethernet interfaces with extended LAN or WAN connectivity. It offers support for a variety of transceivers.

This Mini-PIM can be used in copper and optical environments to provide maximum flexibility when upgrading from an existing infrastructure to Metro Ethernet. This Mini-PIM is supported on the following devices:

• SRX210 Services Gateway

• SRX220 Services Gateway

• SRX240 Services Gateway

The following key features are supported on the 1-Port SFP Gigabit Ethernet Mini-PIM:

• Online insertion and removal of transceivers

• Real-time visual status of connectivity and traffic flows


• Link Up/Down status

• Half/full duplex support

• Autonegotiation

For more information on the 1-Port SFP Gigabit Ethernet Mini-PIM, see the SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide.

For information on configuring the 1-Port SFP Gigabit Ethernet Mini-PIM, see the Junos OS Interfaces Configuration Guide for Security Devices.

Hardware Features—SRX220 Services Gateway with Power Over Ethernet

Overview

The Juniper Networks SRX220 Services Gateway with Power over Ethernet (PoE) offers complete functionality and flexibility for delivering secure, reliable data over IP, along with multiple interfaces that support WAN and LAN connectivity.

The device provides IP Security (IPsec), virtual private network (VPN), and firewall services for small-sized and medium-sized companies and enterprise branch and remote offices.

Accessing the SRX220 Services Gateway

Two user interfaces are available for monitoring, configuring, troubleshooting, and managing the SRX220 Services Gateway:

• J-Web interface: Web-based graphical interface that allows you to operate a services gateway without commands. The J-Web interface provides access to all Junos OS functionality and features.

• Junos OS command-line interface (CLI): Juniper Networks command shell that runs on top of a UNIX-based operating system kernel. The CLI is a straightforward command interface. On a single line, you type commands that are executed when you press the Enter key. The CLI provides command Help and command completion.

Hardware Features

Table 3 on page 116 lists the hardware features supported on the SRX220 Services Gateway.

Table 3: SRX220 Services Gateway Hardware Features

Feature | SRX220 Services Gateway (SRX220H) | SRX220 Services Gateway with PoE (SRX220H-POE)
DDR memory | 1 GB | 1 GB
SIP/analog voice support | No | No
PoE support | No | 120 watts supported across eight ports (0/0 through 0/7)
Power supply adapter | 100 to 240 VAC input; 60 W, 12V DC output | 100 to 240 VAC input; 200 W, 54V DC output
Average power consumption (no Mini-PIMs installed, no PoE power draw) | 28 W | 35 W
Gigabit Ethernet ports | 8 | 8
Console port | 1 | 1
USB ports | 2 | 2
Mini-PIM slots | 2 | 2
LEDs | Status, Alarm, HA, Power, Mini-PIMs, Port (TX/RX) | Status, Alarm, HA, Power, Mini-PIMs, Port (TX/RX and PoE)
CompactFlash | 1 externally accessible | 1 externally accessible

NOTE: The PoE LED is enabled only on the SRX220H-POE model of the SRX220 Services Gateway. For the SRX220H model, the PoE LED remains off.

For more details on the SRX220 Services Gateway software features and licenses, see the Junos OS Administration Guide for Security Devices.

Hardware Interfaces

Table 4 on page 118 summarizes the interface ports supported on the SRX220 Services Gateway.

Table 4: SRX220 Services Gateway Built-In Hardware Interfaces

Interface Type: Gigabit Ethernet

Specifications: Eight ports that:

• Are labeled 0/0 through 0/7 on the front panel

• Use RJ-45 connectors

• Provide link speeds of 10/100/1000 Mbps

• Operate in full-duplex and half-duplex modes

• Support flow control

• Support autonegotiation and autosensing

All Gigabit Ethernet ports support Power over Ethernet on the PoE and media gateway model of the SRX220 Services Gateway.

Description: The Gigabit Ethernet ports can be used as follows:

• To function as front-end network ports

• To provide LAN and WAN connectivity to hubs, switches, local servers, and workstations

• To forward incoming data packets to the device

• To receive outgoing data packets from the device

• To connect powered devices to receive network connectivity and electric power (PoE functionality) (For the PoE and media gateway model of the SRX220 Services Gateway)

Interface Type: Universal Serial Bus (USB)

Specifications: Two ports that:

• Function in full speed and high speed

• Comply with USB revision 2.0

Description: The USB ports can be used as follows:

• To support a USB storage device that functions as a secondary boot device in case of CompactFlash failure on startup (if the USB storage device is installed and configured).

NOTE: You must install and configure the USB storage device on the USB port to use it as a secondary boot device. Additionally, the USB device must have Junos OS installed.

• To provide the USB interfaces that are used to communicate with many types of USB storage devices supported by Juniper Networks. Contact your Juniper Networks customer service representative for more information.

Interface Type: Console

Specifications: One port that:

• Uses an RJ-45 serial cable connector

• Supports the RS-232 (EIA-232) standard

Description: The console port can be used as follows:

• To provide the console interface

• To function as a management port to log into a device directly

• To configure the device using the CLI

Interface Type: Mini-Physical Interface Module (Mini-PIM)

Specifications: Two slots for Mini-PIMs

Description: The Mini-PIM slots can be used to provide LAN and WAN functionality along with connectivity to various media types.

For more information about the supported Mini-PIMs, see the SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide.

NOTE: We strongly recommend that only transceivers provided by Juniper Networks be used on an SRX220 Services Gateway. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used. Contact Juniper Networks for the correct transceiver part number for your device.

Hardware Features—SRX1400 Services Gateway

• Introduction on page 119

• Supported Models on page 120

• Hardware Features on page 120

• Physical Specifications on page 121

Introduction

This release supports the SRX1400 Services Gateway.

The Juniper Networks SRX1400 Services Gateway expands the SRX Series family of next-generation security platforms, delivering market-leading performance and extensive service integration to 10 gigabits per second (10 Gbps) environments that require these features without the massive scalability and aggregated throughput provided by the Juniper Networks SRX3000 line and SRX5000 line. The SRX1400 Services Gateway provides firewall support with key features such as IP Security (IPsec), virtual private network (VPN), and high-speed deep packet inspection features such as intrusion detection and prevention (IDP).

The SRX1400 is ideally suited for small to medium-size data centers, enterprise, and service provider network security deployments where consolidation of security functionality, uncompromised 10 Gbps performance, compact environmental footprint, and affordability are key requirements.

The SRX1400 Services Gateway is three rack units (U) tall. Sixteen devices can be stacked in a single floor-to-ceiling rack, for increased port density per unit of floor space. The device provides common form-factor module (CFM) slots that can be populated with Network and Services Processing Cards (NSPCs) and I/O cards (IOCs). The device also has one dedicated slot for the System I/O card (SYSIOC), one dedicated slot for the Routing Engine, two slots for power supplies, and one slot for the fan tray and air filter.

The SRX1400 Services Gateway runs Junos OS. You can use the Junos OS command-line interface (CLI) or J-Web (Web-based graphical interface) to monitor, configure, troubleshoot, and manage the SRX1400 Services Gateway.

Supported Models

The SRX1400 Services Gateway is available in four models, which are listed in Table 5 on page 120.

Table 5: SRX1400 Services Gateway Models

Model Number | Device Type
SRX1400BASE-GE-AC | SRX1400 Services Gateway with 1-Gigabit Ethernet SYSIOC and AC power supply
SRX1400BASE-GE-DC | SRX1400 Services Gateway with 1-Gigabit Ethernet SYSIOC and DC power supply
SRX1400BASE-XGE-AC | SRX1400 Services Gateway with 10-Gigabit Ethernet SYSIOC and AC power supply
SRX1400BASE-XGE-DC | SRX1400 Services Gateway with 10-Gigabit Ethernet SYSIOC and DC power supply

Hardware Features

Table 6 on page 120 lists the hardware features supported on the SRX1400 Services Gateway.

Table 6: SRX1400 Services Gateway Hardware Features

Feature | Description
Input voltage | 100 to 240 V AC; -40 to -72 V DC
Power supplies | 2. The SRX1400 Services Gateway allows two power supplies for redundancy. The following types of power supplies are supported: AC power supply (for AC-powered devices); DC power supply (for DC-powered devices)
Ethernet port (10/100/1000 Mbps) | 1
Console port | 1
Universal Serial Bus (USB) ports | 2
Auxiliary port | 1
Fans | 2
Fan tray | 1
Air filter | 1

Physical Specifications

Table 7 on page 121 summarizes the physical specifications of the SRX1400 Services Gateway chassis.

Table 7: SRX1400 Services Gateway Physical Specifications

Specification | Value
Chassis height | 5.25 in. (13.3 cm), 3 rack units (3 U)
Chassis width | 17.5 in. (44.5 cm)
Chassis depth | 13.8 in. (35.05 cm)
Chassis weight (base chassis: chassis with Routing Engine, SYSIOC, and power supply) | 29.3 lb (13.3 kg)
Routing Engine weight | 2.9 lb (1.3 kg)
NSPC weight | 7.71 lb (3.5 kg)
SYSIOC weight | 2.42 lb (1.102 kg)
IOC weight | 2.4 lb (1.1 kg)
Fan tray weight | 2.93 lb (1.33 kg)
Air filter weight | 0.11 lb (0.054 kg)
DC power supply weight | 2.9 lb (1.3 kg)
AC power supply weight | 3.1 lb (1.4 kg)

Hardware Features—SRX3400 and SRX3600 Services Gateways

Enhanced DC Power Supply

The enhanced DC power supply for the SRX3400 and SRX3600 Services Gateways is an alternative to the standard DC power supply. The enhanced DC power supply helps your services gateway meet the following NEBS and ETSI standards:

• GR-63-CORE

• ETSI 300019-2-1

• ETSI 300019-2-2

• ETSI 300019-2-3

• GR-1089-CORE

Each enhanced DC power supply provides up to 1200 watts of power. In the SRX3400 Services Gateway, the enhanced DC power supply lets you configure your device with more Services Processing Cards (SPCs), Network Processing Cards (NPCs), or I/O cards (IOCs) than is possible with the standard 850-watt DC power supply.

NOTE: Mixing of standard and enhanced DC power supplies within the same chassis is not supported. All installed DC power supplies must be either of standard or enhanced types.

Table 8 on page 122 shows the different SPC, NPC, and IOC configurations applicable to the standard and enhanced DC power supplies in the SRX3400 Services Gateway.

Table 8: Supported Combinations of SPCs, NPCs, and IOCs for Standard and Enhanced DC Power Supplies

Enhanced DC Power Supplies (SKU SRX3K-PWR-DC2) or AC Power Supplies (SKU SRX3K-PWR-AC):

SPCs | 1 NPC | 2 NPCs
1 | 4 IOCs | 4 IOCs
2 | 4 IOCs | 3 IOCs
3 | 3 IOCs | 2 IOCs
4 | 2 IOCs | 1 IOC

Standard DC Power Supplies (SKU SRX3K-PWR-DC):

SPCs | 1 NPC | 2 NPCs
1 | 4 IOCs | 4 IOCs
2 | 4 IOCs | 3 IOCs
3 | 2 IOCs | 1 IOC
4 | 0 IOCs | Not supported

In the SRX3600 Services Gateway, the supported SPC, NPC, and IOC configurations are the same for both the standard and the enhanced DC power supply.


See the SRX3400 Services Gateway Hardware Guide or the SRX3600 Services Gateway Hardware Guide for detailed information about the enhanced DC power supply and additional requirements for NEBS and ETSI compliance.

Related Documentation:

• Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 148

• Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 158

• Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 178

Advertising Bandwidth for Neighbors on a Broadcast Link Support

This feature is supported on all SRX Series and J Series devices.

You can now advertise bandwidth for neighbors on a broadcast link. The network link is a point-to-multipoint (P2MP) link in the OSPFv3 link state database. This feature uses existing OSPF neighbor discovery to provide automatic discovery without configuration. It allows each node to advertise a different metric to every other node in the network to accurately represent the cost of communication. To support this feature, a new interface-type under the OSPFv3 interface configuration has been added to configure the interface as p2mp-over-lan. OSPFv3 then uses LAN procedures for neighbor discovery and flooding, but represents the interface as P2MP in the link state database.

The interface type and router LSA are available under the following hierarchies:

• [protocols ospf3 area area-id interface interface-name]

• [routing-instances routing-instances-name protocols ospf3 area area-id interface interface-name]

[LN1000 Mobile Secure Router User Guide]

Group VPN Interoperability with Cisco’s GET VPN

Cisco’s implementation of GDOI is called Group Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco's GET VPN are both based on RFC 3547, The Group Domain of Interpretation, there are some implementation differences that you need to be aware of when deploying GDOI in a networking environment that includes both Juniper Networks security devices and Cisco routers. This topic discusses important items to note when using Cisco routers with GET VPN and Juniper Networks security devices with group VPN.

Cisco GET VPN members and Juniper group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server and the Juniper Networks security devices are group members, with the following caveats:

The group VPN in Release 10.4 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.


To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group includes a Juniper Networks security device. The Cisco GET VPN server implements a proprietary ACK for unicast rekey messages. If a group member does not respond to the unicast rekey messages, the group member is removed from the group and is not able to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as bad SPIs. The Juniper Networks security device can recover from this situation by reregistering with the server to download the new key.

Antireplay must be disabled on the Cisco server when a VPN group of more than two members includes a Juniper security device. The Cisco server supports time-based antireplay by default. A Juniper Networks security device will not be able to interoperate with a Cisco group member if time-based antireplay is used since the timestamp in the IPsec packet is proprietary. Juniper Networks security devices are not able to synchronize time with the Cisco GET VPN server and Cisco GET VPN members as the sync payload is also proprietary. Counter-based antireplay can be enabled if there are only two group members.

According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member would match Cisco behavior.

A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies associated with the keys are dynamically installed. A policy does not have to be configured on a Cisco GET VPN member locally, but a deny policy can optionally be configured to prevent certain traffic from passing through the security policies set by the server. For example, the server can set a policy to have traffic between subnet A and subnet B encrypted by key 1. The member can set a deny policy so that OSPF traffic between subnet A and subnet B is not encrypted by key 1. However, the member cannot set a permit policy to allow more traffic to be protected by the key. This centralized security policy configuration does not apply to the Juniper Networks security device.

On a Juniper Networks security device, the ipsec-group-vpn configuration statement in the permit tunnel rule in a scope policy references the group VPN. This allows multiple policies referencing a VPN to share an SA. This configuration is required to interoperate with Cisco GET VPN servers.

Logical key hierarchy (LKH), a method for adding and removing group members, is not supported with group VPN on Juniper Networks security devices.

GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered list of servers with which the member can register or reregister. Multiple group servers cannot be configured on group VPN members.

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:


Application Identification

• Improved uninstall options for predefined and custom application objects—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

The following options have been added to the request services application-identification uninstall command to uninstall the predefined application definition package, all custom application definitions, or both at one time.

all—Uninstall from your configuration both the predefined application definition package and all custom application definitions that you have created.

customer-defined—Uninstall from your configuration all custom application definitions that you created, but maintain the predefined application definition package.

predefined—(Default) Uninstall from your configuration the predefined application definition package, but maintain all custom application definitions that you have created.


Application Layer Gateways (ALGs)

• The show security alg msrpc object-id-map CLI command has a chassis cluster node option to permit the output to be restricted to a particular node or to query the entire cluster. The show security alg msrpc object-id-map node CLI command options are .

AppSecure

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application-matching priority of the application signature.

NOTE: The order value range for predefined signatures is 1 through 32,767. We recommend that you use an order range higher than 32,767 for custom signatures.

The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.

Chassis Cluster

• For SRX Series branch devices (SRX100, SRX210, SRX240, and SRX650), the default values for the cluster heartbeat interval and threshold were changed to 1000 ms and 3, respectively, starting in Release 10.4. In prior releases, the cluster heartbeat interval and threshold defaulted to 2000 ms and 8, respectively.


Command-Line Interface (CLI)

• On AX411 Access Points, the possible completions available for the CLI command set wlan access-point <ap_name> radio <radio_num> radio-options channel number ? have changed from previous implementations.

Now this CLI command displays the following possible completions:

Example 1:

user@host# set wlan access-point ap6 radio 1 radio-options channel number ?
Possible completions:
  36    Channel 36
  40    Channel 40
  44    Channel 44
  48    Channel 48
  52    Channel 52
  56    Channel 56
  60    Channel 60
  64    Channel 64
  100   Channel 100
  108   Channel 108
  112   Channel 112
  116   Channel 116
  120   Channel 120
  124   Channel 124
  128   Channel 128
  132   Channel 132
  136   Channel 136
  140   Channel 140
  149   Channel 149
  153   Channel 153
  157   Channel 157
  161   Channel 161
  165   Channel 165
  auto  Automatically selected

Example 2:

user@host# set wlan access-point ap6 radio 2 radio-options channel number ?
  1     Channel 1
  2     Channel 2
  3     Channel 3
  4     Channel 4
  5     Channel 5
  6     Channel 6
  7     Channel 7
  8     Channel 8
  9     Channel 9
  10    Channel 10
  11    Channel 11
  12    Channel 12
  13    Channel 13
  14    Channel 14
  auto  Automatically selected

• On SRX210 devices, packet drop might be seen while prioritizing multiple data streams configured with the same multilink class on single-member-link ML bundles that are configured between SRX Series and J Series devices and other types of devices. As a workaround, ensure that each forwarding class is configured with one multilink class on multilink bundles on SRX Series and J Series devices. This will avoid out-of-order transmission of multilink fragments for a given multilink class. This is not applicable to LFI traffic; also, when Q is marked for LFI, do not change the Q configuration.

• On SRX210 devices with Integrated Convergence Services, TDM configuration change might interrupt existing TDM calls. The voice calls do not work. Run the CLI restart rtmd command after making a configuration change.

• On SRX210 devices with Integrated Convergence Services, registrations do not work when PCS is configured and removed through the CLI. The dial tone disappears when the analog station calls the SIP station. As a workaround, either run the restart rtmd command or restart the device.

• On SRX5600 and SRX5800 devices, the set security end-to-end-debug CLI hierarchy command has been changed to set security datapath-debug.

• On AX411 Access Points, the possible completions available for the CLI command set wlan access-point mav0 radio 1 radio-options mode ? have changed from previous implementations.

Now this CLI command displays the following possible completions:

• Example 1:

user@host# set wlan access-point mav0 radio 1 radio-options mode ?
Possible completions:
  5GHz  Radio Frequency -5GHz-n
  a     Radio Frequency -a
  an    Radio Frequency -an
[edit]

• Example 2:

user@host# set wlan access-point mav0 radio 2 radio-options mode ?
Possible completions:
  2.4GHz  Radio Frequency --2.4GHz-n
  bg      Radio Frequency -bg
  bgn     Radio Frequency -bgn

• On SRX Series devices, the show system storage partitions command now displays the partitioning scheme details on SRX Series devices.

• Example 1: show system storage partitions (dual root partitioning)

user@host# show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)

Partitions Information:
  Partition  Size  Mountpoint
  s1a        293M  altroot
  s2a        293M  /
  s3e        24M   /config
  s3f        342M  /var
  s4a        30M   recovery

• Example 2: show system storage partitions (single root partitioning)

user@host# show system storage partitions
Boot Media: internal (da0)

Partitions Information:
  Partition  Size  Mountpoint
  s1a        898M  /
  s1e        24M   /config
  s1f        61M   /var

• Example 3: show system storage partitions (USB)

user@host# show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)

Partitions Information:
  Partition  Size  Mountpoint
  s1a        293M  /
  s2a        293M  altroot
  s3e        24M   /config
  s3f        342M  /var
  s4a        30M   recovery

Configuration

• J Series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address.


• On SRX100, SRX210, SRX240, and SRX650 devices, the current Junos OS default configuration is inconsistent with the one in Secure Services Gateways, thus causing problems when users migrate to SRX Series devices. As a workaround, users should ensure the following steps are taken:

• The ge-0/0/0 interface should be configured as the Untrust port (with the DHCP client enabled).

• The rest of the on-board ports should be bridged together, with a VLAN IFL and DHCP server enabled (where applicable).

• Default policies should allow trust->untrust traffic.

• Default NAT rules should apply interface-nat for all trust->untrust traffic.

• DNS/Wins parameters should be passed from server to client and, if not available, users should preconfigure a DNS server (required for download of security packages).

Dynamic VPN

• Working with the Pulse client—Junos Pulse enables secure authenticated network connections to protected resources and services over LANs and WANs. Junos Pulse is a remote access client developed to replace the earlier access client called Juniper Networks Access Manager. You must uninstall Access Manager before you install the Junos Pulse client.

For SRX100, SRX210, SRX220, SRX240, and SRX650 devices running Junos OS Release 10.2 and later, Junos Pulse is supported but must be deployed separately. Users can download and install the Pulse client manually from the Juniper Networks support site.

Flow and Processing

• On all SRX Series devices, the flow session log and its policy configuration have been enhanced. The packet incoming interface is now recorded in the session log for session-init and session-close events, and when a session is denied by a policy or by the application firewall, to meet Common Criteria (CC) Medium Robustness Protection Profiles (MRPP) compliance:

Policy configuration—To log session-init and session-close matches for a policy and record the sessions in syslog, configure the policy as follows:

• set security policies from-zone untrustZone to-zone trustZone policy policy13 match source-address extHost1

• set security policies from-zone untrustZone to-zone trustZone policy policy13 match destination-address intHost1

• set security policies from-zone untrustZone to-zone trustZone policy policy13 match application junos-ping

• set security policies from-zone untrustZone to-zone trustZone policy policy13 then permit


• set security policies from-zone untrustZone to-zone trustZone policy policy13 then log session-init

• set security policies from-zone untrustZone to-zone trustZone policy policy13 then log session-close

A flow that matches policy13 is recorded in the log as follows:

<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx650-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [[email protected] source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2" destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] session created 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 ge-0/0/1.0

<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx650-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="response received" source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2" destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] session closed response received: 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 1(84) 1(84) 0 ge-0/0/1.0
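The session records above are RFC 5424 style syslog with the fields carried as name="value" pairs in the structured-data element. The following parser, an added example and not Juniper code, extracts those fields, joins the RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE records of one session on session-id-32, and flags session records that lack the packet-incoming-interface field the MRPP change introduces. The sample lines are constructed from the quoted output; the structured-data ID junos@SDID-PLACEHOLDER and the third, older-format record are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample modelled on the RT_FLOW records quoted in the release notes.
# "junos@SDID-PLACEHOLDER" stands in for the real structured-data ID, the third
# record is a constructed older-format record without packet-incoming-interface,
# and the fourth is a constructed non-flow line the parser must skip.
SAMPLE_LOG = """\
<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx650-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@SDID-PLACEHOLDER source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2" destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"] session created 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 ge-0/0/1.0
<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx650-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@SDID-PLACEHOLDER reason="response received" source-address="1.1.1.2" source-port="1" destination-address="2.2.2.2" destination-port="46384" service-name="icmp" nat-source-address="1.1.1.2" nat-source-port="1" nat-destination-address="2.2.2.2" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"] session closed response received: 1.1.1.2/1-->2.2.2.2/46384 icmp 1.1.1.2/1-->2.2.2.2/46384 None None 1 policy1 trustZone untrustZone 41 1(84) 1(84) 0 ge-0/0/1.0
<14>1 2010-09-30T14:55:09.501+08:00 mrpp-srx650-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@SDID-PLACEHOLDER source-address="10.0.0.5" source-port="40001" destination-address="10.0.1.9" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="policy13" source-zone-name="untrustZone" destination-zone-name="trustZone" session-id-32="42"] session created 10.0.0.5/40001-->10.0.1.9/22 junos-ssh
<14>1 2010-09-30T14:55:10.000+08:00 mrpp-srx650-dut01 sshd - - - constructed non-flow record, ignored by the parser
"""

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID name="value" ...] free text
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) \[(?P<sdid>\S+) (?P<params>[^\]]*)\] ?(?P<msg>.*)$"
)
_PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


@dataclass
class FlowEvent:
    timestamp: str
    host: str
    event: str                  # RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE, ...
    fields: Dict[str, str]      # structured-data name="value" pairs
    message: str                # free-text tail after the structured data


def parse_rt_flow(line: str) -> Optional[FlowEvent]:
    """Parse one syslog line; return None unless it is an RT_FLOW record."""
    m = _HEADER_RE.match(line.strip())
    if m is None or m.group("app") != "RT_FLOW":
        return None
    fields = dict(_PARAM_RE.findall(m.group("params")))
    return FlowEvent(m.group("ts"), m.group("host"), m.group("msgid"), fields, m.group("msg"))


def parse_log(text: str) -> List[FlowEvent]:
    """All RT_FLOW records in a block of syslog text, in order; other lines are skipped."""
    return [ev for ev in (parse_rt_flow(line) for line in text.splitlines()) if ev is not None]


@dataclass
class SessionSummary:
    session_id: str
    policy: str
    zones: str                          # "source-zone->destination-zone"
    incoming_interface: Optional[str]   # None when the record lacks the MRPP field
    bytes_from_client: int = 0
    bytes_from_server: int = 0
    elapsed_time: int = 0
    close_reason: Optional[str] = None  # set once the matching SESSION_CLOSE is seen


def summarise_sessions(events: Iterable[FlowEvent]) -> Dict[str, SessionSummary]:
    """Join CREATE and CLOSE records on session-id-32 into one summary per session."""
    sessions: Dict[str, SessionSummary] = {}
    for ev in events:
        sid = ev.fields.get("session-id-32")
        if sid is None:
            continue
        s = sessions.get(sid)
        if s is None:
            zones = ev.fields.get("source-zone-name", "?") + "->" + ev.fields.get("destination-zone-name", "?")
            s = SessionSummary(sid, ev.fields.get("policy-name", ""), zones,
                               ev.fields.get("packet-incoming-interface"))
            sessions[sid] = s
        if ev.event == "RT_FLOW_SESSION_CLOSE":
            # Byte and time counters only exist on the close record.
            s.bytes_from_client = int(ev.fields.get("bytes-from-client", "0"))
            s.bytes_from_server = int(ev.fields.get("bytes-from-server", "0"))
            s.elapsed_time = int(ev.fields.get("elapsed-time", "0"))
            s.close_reason = ev.fields.get("reason")
    return sessions


def sessions_missing_incoming_interface(events: Iterable[FlowEvent]) -> List[str]:
    """Session IDs of CREATE/CLOSE records that lack packet-incoming-interface.

    An MRPP-style audit expects the field on every session record; a non-empty
    result points at older-format records or a policy that does not log it.
    """
    missing: List[str] = []
    for ev in events:
        if ev.event in ("RT_FLOW_SESSION_CREATE", "RT_FLOW_SESSION_CLOSE") \
                and "packet-incoming-interface" not in ev.fields:
            sid = ev.fields.get("session-id-32", "?")
            if sid not in missing:
                missing.append(sid)
    return missing


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for sid, s in summarise_sessions(evs).items():
        print(sid, s.policy, s.zones, s.incoming_interface, s.bytes_from_client, s.close_reason)
    print("sessions missing packet-incoming-interface:", sessions_missing_incoming_interface(evs))
```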

• On SRX Series devices, the factory default for the maximum number of backup configurations allowed is five. Therefore, you can have one active configuration and a maximum of five rollback configurations. Increasing this backup configuration number will result in increased memory usage on disk and increased commit time.

To modify the factory defaults, use the following commands:

root@host# set system max-configurations-on-flash number

root@host# set system max-configuration-rollbacks number

where max-configurations-on-flash sets the number of backup configurations stored in the configuration partition and max-configuration-rollbacks sets the maximum number of backup configurations.

• On J Series devices, the following configuration changes must be made after a rollback or downgrade from Junos OS Release 10.4 to Release 9.6 or an earlier release.

• Rename lsq-0/0/0 to ls-0/0/0 in all its occurrences.

• Remove fragmentation-map from the [class-of-service] hierarchy level and from [class-of-service interfaces lsq-0/0/0], if configured.


• Remove multilink-max-classes from [ls-0/0/0 unit 0], if configured.

• Remove link-layer-overhead from [ls-0/0/0 unit 0], if configured.

• If the LFI forwarding class is mapped to no-fragmentation in fragmentation-map and the configuration hierarchy is enabled on lsq-0/0/0 in Junos OS Release 10.4, then:

• Add interleave-fragments under [ls-0/0/0 unit 0].

• Adjust the classifier configured for LFI on lsq-0/0/0 under [class-of-service] to classify packets to Q2.

If the aforementioned instructions are not followed, the bundle will be incorrectly processed.

• On SRX Series devices, configuring identical IP addresses on a single interface no longer produces a warning message; a syslog message is generated instead.

• On SRX210 Low Memory devices, ICMP messages generated in flow mode are now rate-limited to 20 messages every 10 seconds. This rate limit is calculated on a per-CPU basis.

Installation

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, support for USB auto-installation is added. This feature simplifies the upgrading of Junos OS images in cases where there is no console access to an SRX Series device located at a remote site. This feature allows you to upgrade the Junos OS image with minimum configuration effort by simply inserting a USB flash drive into the USB port of the SRX Series device and performing a few simple steps. This feature can also be used for reformatting boot devices and recovering SRX Series devices after a boot media corruption.

Integrated Convergence Services

• On SRX210 devices with Integrated Convergence Services, users cannot clone the existing configuration for Integrated Convergence Services. The clone option has been removed from all Convergence Services pages in J-Web.

Interfaces and Routing

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, support for USB auto-installation is added.

• On SRX Series devices, to minimize the size of system logs, the default logging level in the factory configuration has been changed from any any to any critical.

• On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set routing-options flow CLI statements are no longer available, because BGP flow spec functionality is not supported on these devices.

• On SRX100, SRX210, SRX240, and SRX650 devices, the autoinstallation functionality on an interface enables a DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server.


• On SRX3000 and SRX5000 line devices, the maximum number of traffic-shaping simple filter rules and policing rules has been changed. For SRX3000 line devices, the number of simple filter and policing rules is 2000 per I/O card (IOC) for each rule type. For SRX5000 line devices, the number of simple filter and policing rules is 2000 for each rule type per PIM on flex I/O cards (FIOCs). This change does not affect ordinary IOCs on SRX5000 line devices. The previous maximum of 4000 for each rule type is not achievable because of a hardware limitation.

• On T1/E1 Mini-Physical Interface Modules installed in SRX210 and SRX240 devices, the Loopback LED is turned ON based on the loopback configuration and also when FDL loopback commands are executed from the remote end. The Loopback LED remains OFF when no FDL loopback commands are executed from the remote end, even if remote-loopback-respond is configured on the host.

• On J4350 devices, ping does not go through even if the ISDN call is connected and the dialer watch is configured. This issue occurs only when the media MTU on the Cisco device is larger than the MTU configured on the J Series device. As a workaround, keep the MTU configured on the J Series device equal to or greater than the one set on the Cisco device.

• On SRX and J Series devices, the help description for the set interface arp-resp command incorrectly states the default value as unrestricted. The default value is actually restricted.

Intrusion Detection and Prevention (IDP)

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you want to change to maximize-idp-sessions mode, you should configure the security forwarding-process application-services maximize-idp-sessions command before you reboot the device to avoid recompiling IDP policies during every commit. [PR/426575]

• On SRX3400 devices, FTP control connections do not go through the expedited-forwarding queue class. All other traffic, such as HTTP, Telnet, and ping, goes through the expedited-forwarding queue class as expected.

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the application identification CLI commands have been moved from the [security idp sensor-configuration application-identification] hierarchy to the [edit services application-identification] hierarchy.

• On SRX Series and J Series devices, for brute force and time-binding-related attacks, a log is generated only when the match count equals the threshold. That is, only one log is generated within the 60-second period over which the threshold is measured. This prevents repetitive logs from being generated and is consistent with other IDP platforms such as IDP-standalone.

When no attack is seen within the 60-second period and the BFQ entry is flushed, the match count starts afresh; the next attack match appears in the attack table and a log is generated as explained above.

J-Web

• On SRX100, SRX210, SRX220, and SRX240 devices, the commit fails when you configure an interface under the security zone junos-global. In Junos OS Release 10.4, the junos-global CLI option is deprecated and is therefore not supported.

NOTE: Junos OS Release 10.3 and earlier releases still support the junos-global CLI option.

• The J-Web login page has been updated with the new Juniper Logo and Trademark.

• URL separation for J-Web and dynamic VPN—This feature prevents the dynamic VPN users from accessing J-Web accidentally or intentionally. Unique URLs for J-Web and dynamic VPN add support to the webserver for parsing all the HTTP requests it receives. The webserver also provides access permission based on the interfaces enabled for J-Web and dynamic VPN.

• CLI changes: A new configuration attribute management-url is introduced at the [edit system services web-management] hierarchy level to control J-Web access when both J-Web and dynamic VPN are enabled on the same interface. The following example describes the configuration of the new attribute:

web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http;
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}

• Enabling only dynamic VPN: Dynamic VPN needs the configured HTTPS certificate and the webserver to communicate with the client. Therefore, the configuration at the [edit system services web-management] hierarchy level required to start the appweb webserver cannot be deleted or deactivated. To disable J-Web, the administrator must configure the loopback interface lo0 for HTTP or HTTPS. This ensures that the webserver rejects all J-Web access requests.

web-management {
    traceoptions {
        level all;
        flag dynamic-vpn;
        flag all;
    }
    management-url my-jweb;
    http {
        interface lo0.0;
    }
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}

• Changes in the Web access behavior: The following section illustrates the Web access behavior when J-Web and dynamic VPN do not share the same interface, and when they do share it.

Case 1: J-Web and dynamic VPN do not share the same interface.

Scenario: J-Web is enabled, and dynamic VPN is configured.

• http(s)://server host: Navigates to the J-Web login page on the J-Web enabled interface or to the dynamic VPN login page on the dynamic VPN enabled interface, depending on the server host chosen.

• http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Scenario: J-Web is not enabled, and dynamic VPN is not configured.

• http(s)://server host: Navigates to the Page Not Found page.

• http(s)://server host//configured attribute: Navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is enabled, and dynamic VPN is not configured.

• http(s)://server host: Navigates to the J-Web login page.

• http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is not enabled, and dynamic VPN is configured.

• http(s)://server host: Navigates to the dynamic VPN login page.

• http(s)://server host//configured attribute: Navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Case 2: J-Web and dynamic VPN do share the same interface.

Scenario: J-Web is enabled, and dynamic VPN is configured.

• http(s)://server host: Navigates to the dynamic VPN login page.

• http(s)://server host//configured attribute: Navigates to the J-Web login page if the attribute is configured; otherwise, navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Scenario: J-Web is not enabled, and dynamic VPN is not configured.

• http(s)://server host: Navigates to the Page Not Found page.

• http(s)://server host//configured attribute: Navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is enabled, and dynamic VPN is not configured.

• http(s)://server host: Navigates to the J-Web login page.

• http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured; otherwise, navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is not enabled, and dynamic VPN is configured.

• http(s)://server host: Navigates to the dynamic VPN login page.

• http(s)://server host//configured attribute: Navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, to add the Predefined Attacks and Predefined Attack Groups, users do not need to type the attack names. Instead, users can select attacks from the Predefined Attacks and Predefined Attack Group lists and click the left arrow to add them.

• The options to configure the Custom Attacks, Custom Attack Groups, and Dynamic Attack Groups are disabled because they cannot be configured from J-Web.

Management and Administration

• On SRX5600 and SRX5800 devices running a previous release of Junos OS, security logs were always timestamped using the UTC time zone. In Junos OS Release 10.4, you can use the set system time-zone CLI command to specify the local time zone that the system should use when timestamping the security logs. If you want to timestamp logs using the UTC time zone, use the set system time-zone utc and set security log utc-timestamp CLI statements.

• Configuring the external CompactFlash card on SRX650 Services Gateways:

The SRX650 Services Gateway includes 2-GB CompactFlash storage devices:

• The Services and Routing Engine (SRE) contains a hot-pluggable CompactFlash (external CompactFlash) storage device used to upload and download files.

• The chassis contains an internal CompactFlash used to store the operating system.

By default, only the internal CompactFlash is enabled, and taking a snapshot of the configuration from the internal CompactFlash directly to the external CompactFlash is not supported. This can be done only by way of a USB storage device.

To take a snapshot on the external CompactFlash:

1. Take a snapshot from the internal CompactFlash to the USB storage device by using the request system snapshot media usb CLI command.

2. Reboot the device from the USB storage device by using the request system reboot media usb command.

3. Go to the U-boot prompt. For more information, see the Accessing the U-Boot Prompt section in the Junos OS Administration guide.

4. At the U-boot prompt, set the following variables:

set ext.cf.pref 1
save
reset

5. Once the system is booted from the USB storage device, take a snapshot on the external CompactFlash by using the request system snapshot media external command.

NOTE: Once the snapshot has been taken on the external CompactFlash, we recommend you set the ext.cf.pref to 0 at the U-boot prompt.

Multilink

• When data and LFI streams are present, we recommend the following configuration to get less latency for LFI traffic and to avoid out-of-range transmission of data traffic:

Configure the following schedulers:

• set class-of-service schedulers S0 buffer-size temporal 20K

• set class-of-service schedulers S0 priority low

• set class-of-service schedulers S2 priority high

• set class-of-service schedulers S3 priority high

Configure the following scheduler map:

• set class-of-service scheduler-maps lsqlink_map forwarding-class best-effort scheduler S0

• set class-of-service scheduler-maps lsqlink_map forwarding-class assured-forwarding scheduler S2

• set class-of-service scheduler-maps lsqlink_map forwarding-class network-control scheduler S3

Attach the scheduler map to all member links:

• set class-of-service interfaces t1-2/0/0 unit 0 scheduler-map lsqlink_map

If out-of-range sequence number drops are still observed on the reassembly side after this configuration, increase the drop-timeout of the bundle to 200 ms.

Power over Ethernet (PoE)

• On SRX210-PoE devices, SDK packages might not work.

Security

• J Series devices do not support the authentication order password radius or password ldap in the edit access profile profile-name authentication-order command. Instead, use the order radius password or ldap password.

• Any change in the Unified Access Control’s (UAC) contact interval and timeout values in the SRX Series or J Series device will be effective only after the next reconnection of the SRX Series or J Series device with the Infranet Controller.

• The maximum size of a redirect payload is 1450 bytes, and the redirect URL within it is limited to 1407 bytes (excluding a few HTTP headers). If a user accesses a destination URL larger than 1407 bytes, the Infranet Controller authenticates the payload, calculates the exact length of the redirect URL, and trims the destination URL so that it fits into the redirect URL. The space available for the destination URL can be fewer than 1407 bytes depending on what else is present in the redirect URL, for example, the policy ID. The destination URL in the default redirect URL is trimmed so that the redirect packet payload is limited to 1450 bytes; if the payload is larger than 1450 bytes, the excess is trimmed and the user is directed to the destination URL resized to fit within 1450 bytes.

Virtual LANs (VLANs)

• Native-vlan-id can be configured only when either flexible-vlan-tagging mode or interface-mode trunk is configured. The commit error message, which previously referred to vlan-tagging mode instead of flexible-vlan-tagging mode, has been corrected.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following VLAN IDs are reserved for internal use and cannot be used on customer-facing interfaces:

Table 9: VLAN IDs Reserved for Internal Use

• VLAN IDs 3968-4047: Reserved on SRX240 and SRX650; not reserved on SRX100, SRX210, and SRX220.

• VLAN ID 4093: Reserved on SRX100, SRX210, SRX220, SRX240, and SRX650.

• VLAN ID 4094: Reserved* on SRX100, SRX210, SRX220, SRX240, and SRX650.

* This default tag reservation can be configured to use an alternative tag number or not to use VLAN tagging at all.

Wireless LAN (WLAN)

• While configuring the AX411 Access Point on your SRX Series devices, you must enter the WLAN admin password using the set wlan admin-authentication password command. This command prompts for the password and the password entered is stored in encrypted form.

NOTE: • Without the wlan config option enabled, the AX411 Access Points are managed with the default password.

• Changing the wlan admin-authentication password while the wlan subsystem option is disabled might result in mismanagement of the Access Points. You might have to power cycle the Access Points manually to avoid this issue.

• The SRX Series devices that are not using the AX411 Access Point can optionally delete the wlan config option.

• Accessing the AX411 Access Point through SSH is disabled by default. You can enable SSH access using the set wlan access-point <name> external system services enable-ssh command.

Unsupported CLI

This section lists unsupported CLI statements and commands.

Accounting-Options Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.

AX411 Access Point Hierarchy

• On SRX100 devices, there are CLI commands for wireless LAN configurations related to the AX411 Access Point. However, at this time the SRX100 devices do not support the AX411 Access Point.

Chassis Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following chassis hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set chassis craft-lockout

set chassis routing-engine on-disk-failure


Class-of-Service Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices, the following class-of-service hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set class-of-service classifiers ieee-802.1ad

set class-of-service interfaces interface-name unit 0 adaptive-shaper

Ethernet-Switching Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following ethernet-switching hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set ethernet-switching-options bpdu-block disable-timeout

set ethernet-switching-options bpdu-block interface

set ethernet-switching-options mac-notification

set ethernet-switching-options voip interface access-ports

set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class

Firewall Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following firewall hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set firewall family vpls filter

set firewall family mpls dialer-filter d1 term

Interfaces CLI Hierarchy

On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following interface hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

• Aggregated Interface CLI on page 141

• ATM Interface CLI on page 141

• Ethernet Interfaces on page 142

• GRE Interface CLI on page 142

• IP Interface CLI on page 143


• LSQ Interface CLI on page 143

• PT Interface CLI on page 143

• T1 Interface CLI on page 143

• VLAN Interface CLI on page 144

Aggregated Interface CLI

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

request lacp link-switchover ae0

set interfaces ae0 aggregated-ether-options lacp link-protection

set interfaces ae0 aggregated-ether-options link-protection

ATM Interface CLI

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set interfaces at-1/0/0 container-options

set interfaces at-1/0/0 atm-options ilmi

set interfaces at-1/0/0 atm-options linear-red-profiles

set interfaces at-1/0/0 atm-options no-payload-scrambler

set interfaces at-1/0/0 atm-options payload-scrambler

set interfaces at-1/0/0 atm-options plp-to-clp

set interfaces at-1/0/0 atm-options scheduler-maps

set interfaces at-1/0/0 unit 0 atm-l2circuit-mode

set interfaces at-1/0/0 unit 0 atm-scheduler-map

set interfaces at-1/0/0 unit 0 cell-bundle-size

set interfaces at-1/0/0 unit 0 compression-device

set interfaces at-1/0/0 unit 0 epd-threshold

set interfaces at-1/0/0 unit 0 inverse-arp

set interfaces at-1/0/0 unit 0 layer2-policer

set interfaces at-1/0/0 unit 0 multicast-vci

set interfaces at-1/0/0 unit 0 multipoint


set interfaces at-1/0/0 unit 0 plp-to-clp

set interfaces at-1/0/0 unit 0 point-to-point

set interfaces at-1/0/0 unit 0 radio-router

set interfaces at-1/0/0 unit 0 transmit-weight

set interfaces at-1/0/0 unit 0 trunk-bandwidth

Ethernet Interfaces

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes

set interfaces ge-0/0/1 gigether-options mpls

set interfaces ge-0/0/0 stacked-vlan-tagging

set interfaces ge-0/0/0 native-vlan-id

set interfaces ge-0/0/0 radio-router

set interfaces ge-0/0/0 unit 0 interface-shared-with

set interfaces ge-0/0/0 unit 0 input-vlan-map

set interfaces ge-0/0/0 unit 0 output-vlan-map

set interfaces ge-0/0/0 unit 0 layer2-policer

set interfaces ge-0/0/0 unit 0 accept-source-mac

set interfaces fe-0/0/2 fastether-options source-address-filter

set interfaces fe-0/0/2 fastether-options source-filtering

set interfaces ge-0/0/1 passive-monitor-mode

GRE Interface CLI

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set interfaces gr-0/0/0 unit 0 ppp-options

set interfaces gr-0/0/0 unit 0 layer2-policer


IP Interface CLI

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set interfaces ip-0/0/0 unit 0 layer2-policer

set interfaces ip-0/0/0 unit 0 ppp-options

set interfaces ip-0/0/0 unit 0 radio-router

LSQ Interface CLI

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set interfaces lsq-0/0/0 unit 0 layer2-policer

set interfaces lsq-0/0/0 unit 0 family ccc

set interfaces lsq-0/0/0 unit 0 family tcc

set interfaces lsq-0/0/0 unit 0 family vpls

set interfaces lsq-0/0/0 unit 0 multipoint

set interfaces lsq-0/0/0 unit 0 point-to-point

set interfaces lsq-0/0/0 unit 0 radio-router

PT Interface CLI

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set interfaces pt-1/0/0 gratuitous-arp-reply

set interfaces pt-1/0/0 link-mode

set interfaces pt-1/0/0 no-gratuitous-arp-reply

set interfaces pt-1/0/0 no-gratuitous-arp-request

set interfaces pt-1/0/0 vlan-tagging

set interfaces pt-1/0/0 unit 0 radio-router

set interfaces pt-1/0/0 unit 0 vlan-id

T1 Interface CLI

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set interfaces t1-1/0/0 receive-bucket


set interfaces t1-1/0/0 transmit-bucket

set interfaces t1-1/0/0 encapsulation ether-vpls-ppp

set interfaces t1-1/0/0 encapsulation extended-frame-relay

set interfaces t1-1/0/0 encapsulation extended-frame-relay-tcc

set interfaces t1-1/0/0 encapsulation frame-relay-port-ccc

set interfaces t1-1/0/0 encapsulation satop

set interfaces t1-1/0/0 unit 0 encapsulation ether-vpls-fr

set interfaces t1-1/0/0 unit 0 encapsulation frame-relay-ppp

set interfaces t1-1/0/0 unit 0 layer2-policer

set interfaces t1-1/0/0 unit 0 radio-router

set interfaces t1-1/0/0 unit 0 family inet dhcp

set interfaces t1-1/0/0 unit 0 inverse-arp

set interfaces t1-1/0/0 unit 0 multicast-dlci

VLAN Interface CLI

• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set interfaces vlan unit 0 family tcc

set interfaces vlan unit 0 family vpls

set interfaces vlan unit 0 accounting-profile

set interfaces vlan unit 0 layer2-policer

set interfaces vlan unit 0 ppp-options

set interfaces vlan unit 0 radio-router

Protocols Hierarchy

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.

set protocols bfd no-issu-timer-negotiation

set protocols bgp idle-after-switch-over


set protocols l2iw

set protocols bgp family inet flow

set protocols bgp family inet-vpn flow

set protocols igmp-snooping vlan all proxy

Routing Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following routing hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set routing-instances p1 services

set routing-instances p1 multicast-snooping-options

set routing-instances p1 protocols amt

set routing-options bmp

set routing-options flow

Services Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following services hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set services service-interface-pools

SNMP Hierarchy

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following SNMP hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set snmp community 90 logical-system

set snmp logical-system-trap-filter

set snmp trap-options logical-system

set snmp trap-group d1 logical-system


System Hierarchy

• On all SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.

set system diag-port-authentication

IPv6 and MVPN CLI

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following multicast IPv6 and MVPN CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.

• show pim interfaces inet6

• show pim neighbors inet6

• show pim source inet6

• show pim rps inet6

• show pim join inet6

• show pim mvpn

• show multicast next-hops inet6

• show multicast rpf inet6

• show multicast route inet6

• show multicast scope inet6

• show multicast pim-to-mld-proxy

• show multicast statistics inet6

• show multicast usage inet6

• show msdp sa group group

• set protocols pim interface interface family inet6

• set protocols pim disable interface interface family inet6

• set protocols pim family inet6

• set protocols pim disable family inet6

• set protocols pim apply-groups group disable family inet6

• set protocols pim apply-groups group family inet6

• set protocols pim apply-groups-except group disable family inet6


• set protocols pim apply-groups group interface interface family inet6

• set protocols pim apply-groups group apply-groups-except group family inet6

• set protocols pim apply-groups group apply-groups-except group disable family inet6

• set protocols pim assert-timeout timeout-value family inet6

• set protocols pim disable apply-groups group family inet6

• set protocols pim disable apply-groups-except group family inet6

• set protocols pim disable export export-join-policy family inet6

• set protocols pim disable dr-election-on-p2p family inet6

• set protocols pim dr-election-on-p2p family inet6

• set protocols pim export export-join-policy family inet6

• set protocols pim import export-join-policy family inet6

• set protocols pim disable import export-join-policy family inet6

Related Documentation

• New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 92

• Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 158

• Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 178


Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

AppSecure

• Junos OS application identification—When you create custom application or nested application signatures for Junos OS application identification, the order value must be unique among all predefined and custom application signatures. The order value determines the application matching priority of the application signature.

The order value is set with the set services application-identification application application-name signature order command. You can view all signature order values by entering the show services application-identification | display set | match order command. If the order value of a custom signature conflicts with any other signature, change the order number of the custom signature.
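The conflict check described above, as an added example that is not part of the release notes or of Juniper's own tooling: the script parses the output of show services application-identification | display set | match order (a constructed sample is embedded; it was not captured from a device), reports every order value shared by more than one signature, and proposes the set commands that move each custom signature to the next unused value. It assumes that predefined signatures carry the junos: name prefix and that nested application signatures appear under a nested-application keyword; both are assumptions, not statements from the page.

```python
import re
from collections import defaultdict

# Constructed sample of "show services application-identification | display set | match order"
# output; not captured from a real device. Predefined signatures are assumed to carry the
# "junos:" prefix, and nested signatures are assumed to appear under "nested-application".
SAMPLE_SET_OUTPUT = """\
set services application-identification application junos:HTTP signature order 100
set services application-identification application junos:SSH signature order 110
set services application-identification application my-custom-app signature order 100
set services application-identification application my-other-app signature order 205
set services application-identification nested-application junos:FACEBOOK-ACCESS signature order 300
set services application-identification nested-application my-nested-app signature order 300
"""

ORDER_RE = re.compile(
    r"^set services application-identification "
    r"(?P<kind>application|nested-application) (?P<name>\S+) "
    r"signature order (?P<order>\d+)$"
)


def parse_orders(text):
    """Map each order value to the list of (kind, name) signatures that use it."""
    orders = defaultdict(list)
    for line in text.splitlines():
        m = ORDER_RE.match(line.strip())
        if m:
            orders[int(m.group("order"))].append((m.group("kind"), m.group("name")))
    return dict(orders)


def find_conflicts(text):
    """Return {order: [(kind, name), ...]} for every order value shared by two or more signatures."""
    return {order: sigs for order, sigs in parse_orders(text).items() if len(sigs) > 1}


def suggest_fixes(text):
    """Return the set commands that resolve each conflict.

    A predefined (junos:) signature keeps its order value; each custom signature that
    collides with it is moved to the next unused value above the conflicting one.
    """
    orders = parse_orders(text)
    used = set(orders)
    commands = []
    for order in sorted(orders):
        sigs = orders[order]
        if len(sigs) < 2:
            continue
        custom = [s for s in sigs if not s[1].startswith("junos:")]
        if len(custom) == len(sigs):
            custom = custom[1:]  # all custom: the first one keeps the value
        for kind, name in custom:
            new = order + 1
            while new in used:
                new += 1
            used.add(new)
            commands.append(
                f"set services application-identification {kind} {name} signature order {new}"
            )
    return commands


if __name__ == "__main__":
    for order, sigs in sorted(find_conflicts(SAMPLE_SET_OUTPUT).items()):
        print(f"order {order} is shared by: {', '.join(name for _, name in sigs)}")
    print("\n".join(suggest_fixes(SAMPLE_SET_OUTPUT)))
```

Run it against the real command output pasted into SAMPLE_SET_OUTPUT (or read from a file) before committing a new custom signature; the proposed commands only move custom signatures, so a predefined signature's matching priority is never changed behind your back.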

Chassis Cluster

• On SRX650 devices in a chassis cluster, ping packets sent from the forward node to the active node are dropped intermittently.

• On SRX650 devices in a chassis cluster, the T1/E1 PIC goes offline and does not come online.

• In large chassis cluster configurations on SRX3400 or SRX3600 devices, you need to increase the wait time before triggering failover. In a full-capacity implementation, we recommend increasing the wait to 8 seconds by modifying heartbeat-threshold and heartbeat-interval values in the [edit chassis cluster] hierarchy.

The product of the heartbeat-threshold and heartbeat-interval values defines the time before failover. The default values (heartbeat-threshold of 3 beats and heartbeat-interval of 1000 milliseconds) produce a wait time of 3 seconds.

To change the wait time, modify the option values so that the product equals the desired setting. For example, setting the heartbeat-threshold to 8 and maintaining the default value for the heartbeat-interval (1000 milliseconds) yields a wait time of 8 seconds. Similarly, setting the heartbeat-threshold to 4 and the heartbeat-interval to 2000 milliseconds also yields a wait time of 8 seconds.
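The statements that implement the settings described above, as an added example that is not from the release notes (the hierarchy names are those the note refers to; the values are the note's own defaults and recommendations):

```junos
# Default: 3 beats x 1000 ms = 3 s before failover.
set chassis cluster heartbeat-interval 1000
set chassis cluster heartbeat-threshold 3

# Full-capacity SRX3400/SRX3600: 8 beats x 1000 ms = 8 s.
set chassis cluster heartbeat-interval 1000
set chassis cluster heartbeat-threshold 8

# The same 8 s wait with fewer, slower beats: 4 beats x 2000 ms.
set chassis cluster heartbeat-interval 2000
set chassis cluster heartbeat-threshold 4
```

After committing, confirm the values with show configuration chassis cluster; the effective wait is always the product of the two, so raising one while lowering the other can leave the cluster exactly where it was.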

• SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster limitations:

• Virtual Router Redundancy Protocol (VRRP) is not supported.

• In-service software upgrade (ISSU) is not supported.

• The 3G dialer interface is not supported.

• On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4-6 minutes.

• On VDSL mini-PIM, chassis cluster is not supported for VDSL mode.

• Queuing on aggregated Ethernet (ae) interface is not supported.


• Group VPN is not supported.

• Sampling features such as J-Flow, packet capture, and port mirroring on the reth interface are not supported.

• IDP is not supported for active/active chassis cluster. IDP is supported for active/backup chassis cluster in Junos OS Release 10.2R2 and later.

• Switching is not supported in chassis cluster mode.

• Any packet-based services like MPLS and CLNS are not supported.

• lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP) are not supported.

• gr-0/0/0—Generic routing encapsulation (GRE) and tunneling are not supported.

• ip-0/0/0—IP-over-IP (IP-IP) encapsulation is not supported.

• lt-0/0/0—CoS for real-time performance monitoring (RPM) is not supported.

• pp0: PPPoE and PPPoE over ATM (PPPoEoA) are not supported.

• ISDN and WXC are not supported in standalone mode.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, UTM is supported only for active/backup chassis cluster configuration with both RG0 and RG1 active on the same node. It is not supported for active/active chassis cluster configuration.

For other limitations in chassis cluster, see “Limitations of Chassis Clustering” in the Junos OS Security Configuration Guide.

Command-Line Interface (CLI)

• On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the device by using the CLI. The number of users allowed to access the device is limited as follows:

• For SRX210 devices: four CLI users and three J-Web users

• For SRX240 devices: six CLI users and five J-Web users

• On SRX210 devices with Integrated Convergence Services, a TDM configuration change might interrupt existing TDM calls, and voice calls then stop working. Run the restart rtmd CLI command after making a configuration change.


DOCSIS Mini-PIM

• On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100 Mbps throughput in each direction.

Dynamic Host Configuration Protocol (DHCP)

• SRX Series and J Series devices do not support DHCPv6 client authentication.

NOTE: Existing DHCPv4 configurations in the [edit system services dhcp] hierarchy are not affected when you upgrade to Junos OS Release 10.4 from an earlier version or enable DHCPv6 server.

Dynamic VPN

SRX100, SRX210, and SRX240 devices have the following limitations:

• The IKE configuration for the dynamic VPN client does not support the hexadecimal preshared key.

• The dynamic VPN client IPsec does not support the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol with NULL authentication.

• When you log in through the Web browser (instead of logging in through the dynamic VPN client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the dynamic VPN client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).

Flow and Processing

• On SRX Series devices, data plane logs generated in event mode (under set security log mode) or logs sent through NSM (under set system syslog) can increase CPU utilization dramatically and affect system stability, especially in chassis cluster mode.

• On SRX100 devices, multicast data traffic is not supported on IRB interfaces.

• The service-point zone parameter for the SRX Series MGW configuration is not supported in Junos OS Release 10.4.

• You cannot configure route policies and route patterns in the same dial plan.

• You can configure no more than four members in a station group. Station groups are used for hunt groups and ring groups.

• On J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets.


• On SRX Series and J Series devices, high CPU utilization (caused, for example, by CPU-intensive commands or SNMP walks) causes BFD sessions to flap while large BGP updates are being processed.

For other limitations in flow and processing, see “Limitations of Flow and Processing” in the Junos OS Security Configuration Guide.

Hardware

This section covers filter and policing limitations.

• On SRX1400, SRX3400 and SRX3600 devices, the following feature is not supported by a simple filter:

• Forwarding class as match condition

• On SRX1400, SRX3400 and SRX3600 devices, the following features are not supported by a policer or a three-color-policer:

• Color-aware mode of a three-color-policer

• Filter-specific policer

• Forwarding class as action of a policer

• Logical interface policer

• Logical interface three-color policer

• Logical interface bandwidth policer

• Packet loss priority as action of a policer

• Packet loss priority as action of a three-color-policer

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following features are not supported by a firewall filter:

• Policer action

• Egress filter-based forwarding (FBF)

• Forwarding table filter (FTF)

• SRX1400, SRX3400, and SRX3600 devices have the following limitations of a simple filter:

• In the packet processor on an IOC, up to 100 logical interfaces can be applied with simple filters.

• In the packet processor on an IOC, the maximum number of terms of all simple filters is 4000.

• In the packet processor on an IOC, the maximum number of policers is 4000.


• In the packet processor on an IOC, the maximum number of three-color-policers is 2000.

• The maximum burst size of a policer or three-color-policer is 16 MB.

• 1G half-duplex mode of operation is not supported in the autonegotiation mode for the following devices:

• SRX650 Services Gateway

• 16-port GPIM

• 24-port GPIMs

• On SRX650 devices, the T1/E1 GPIMs (2-port and 4-port versions) do not work in Junos OS Release 9.6R1. This issue is resolved in Junos OS Release 9.6R2 and later releases, but if you roll back to the 9.6R1 image, the issue reappears.

• The SRX220 Services Gateway does not support the 1-port SFP Mini-PIM.

Interfaces and Routing

• On SRX210 devices, the link goes down after an FPGA upgrade is performed. As a workaround, run the restart fpc command.

• On SRX240 High Memory devices, traffic might stop between the SRX240 device and a Cisco switch because of a link mode mismatch. As a workaround, Juniper Networks recommends setting the autonegotiation parameters on both ends to the same value.

• On SRX100 devices, the link goes down when you upgrade the FPGA on the 1xGE SFP. As a workaround, run the restart fpc command.

• On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested because of lack of support from the vendor.

• On SRX210 High Memory devices, IGMPv2 join messages are dropped on an IRB interface. As a workaround, enable IGMP snooping to use IGMP over IRB interfaces.

• On J Series devices, the DS3 interface does not have an option to configure multilink-frame-relay-uni-nni (MFR).

• On SRX210, SRX220 and SRX240 devices, every time the VDSL2 PIM is restarted in the ADSL mode, the first packet passing through the PIM is dropped.

• On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server operation does not work when the probe is configured with the option destination-interface.

• Link Layer Discovery Protocol (LLDP)—The following are the LLDP limitations:

• On J Series devices, LLDP is not supported on routed ports.

• On SRX Series and J Series devices, LLDP over ae interfaces is not supported.

• On SRX Series and J Series devices, LLDP is supported only on interface unit 0.


• In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If you configure IP CoS together with ATM CoS, you must also configure a logical interface shaper that matches the ATM CoS rate; otherwise the segmentation and reassembly (SAR) stage drops packets under congestion.

Example:

    set interfaces at-5/0/0 unit 0 vci 1.110
    set interfaces at-5/0/0 unit 0 shaping cbr 62400                         # ATM CoS
    set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map   # IP CoS
    set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400       # logical interface (IFL) shaper matching the ATM rate

• On SRX210, SRX220, and SRX240 devices, 1-port Gigabit Ethernet SFP mini-PIM does not support switching in Junos OS Release 10.4.

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the Link Aggregation Control Protocol (LACP) is not supported on Layer 2 interfaces.

• On SRX650 devices, MAC pause frame and FCS error frame counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.

• On SRX240 and SRX650 devices, VLAN IDs 3967 through 4094 fall within the reserved VLAN range, and VLANs cannot be configured from this range.

• On SRX650 devices, the last 4 ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go up and down intermittently. Similarly when the RJ-45 medium is active and an SFP link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.

• On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps or above), keepalives do not get exchanged, and the interface goes down.

• On SRX3400 and SRX3600 devices, BGP-based VPLS is not supported over aggregated Ethernet (ae) interfaces and does not work there. It works on the child ports and on physical interfaces.

• On SRX100, SRX210, SRX240, and SRX650 devices, the following features are not supported on Layer 3 ae interfaces:

• Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE) on Layer 3 ae interfaces

• J-Web

• Layer 3 ae for 10-Gigabit Ethernet


Intrusion Detection and Prevention (IDP)

• When an SRX Series device configured for IDP is upgraded to Junos OS Release 10.4, administrators must install the new security package, because the old IDP detector might not be compatible with the new release.

Update the detector by running the request security idp security-package download full-update command, followed by the request security idp security-package install command.

• IDP does not allow header checks for nonpacket contexts.

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the application system cache (ASC) table supports a maximum of 100,000 entries. However, because the user-space buffer has a fixed size of 1 MB, a maximum of 38,837 cache entries can be displayed.

• On SRX100, SRX210, SRX240, and SRX650 devices, policy compilation takes a long time because:

• A software DFA is now used for attack signature compilation.

• The idpd daemon receives a smaller CPU time slice during compilation.

For all other limitations in IDP, see “Limitations of IDP” in the Junos OS Security Configuration Guide.

IPv6 support

NOTE: Concerning NSM support, do not follow the information presented in the Junos OS Security Configuration Guide. Please consult the NSM release notes for version compatibility, required schema updates, and up-to-date support information.

For limitations in IPv6, see “Limitations of IPv6” in the Junos OS Security Configuration Guide.

J-Web

• J-Web browser support for Dell PowerConnect SRX Series and J Series devices—To access J-Web for all platforms, your device requires the following supported browsers and OS:

• Browser: Microsoft Internet Explorer version 6.0, 7.0, and Mozilla Firefox version above 3.0 and below 3.5.

NOTE: Other browser versions might not provide access to J-Web and only English-version browsers are supported.

• OS: Microsoft Windows XP Service Pack 3

• SRX Series and J Series browser compatibility


• If the device is running the worldwide version of the Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.

• To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed by default on the Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.

• On SRX Series devices, in the J-Web interface, there is no support to change the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from T1 to E1 and vice versa.

• On SRX Series and J Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.

• On SRX210, SRX240, and SRX650 devices, the complete contents of the ToolTips are not displayed in the J-Web Chassis View. As a workaround, drag the Chassis View image down to see the complete ToolTip.

• On SRX210 devices, there is no maximum length when the user commits the hostname in CLI mode; however, only 58 characters maximum are displayed in the J-Web System Identification panel.

• On J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.

• On SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently supported as IKE external interfaces.

NetScreen-Remote

• On SRX Series devices, NetScreen-Remote is not supported in Junos OS Release 10.4.

Network Address Translation (NAT)

• NAT rule capacity change—To support large-scale NAT (LSN) at the edge of a carrier network, the device-wide NAT rule capacity has been changed.

The number of destination and static NAT rules has been increased as shown in Table 10 on page 156, and the limit on the number of destination rule sets and static rule sets has also been increased.

Table 10 on page 156 lists the device-wide rule capacity for each device.


Table 10: Number of Rules on SRX Series and J Series Devices

    NAT Rule Type          SRX100  SRX210  SRX240  SRX650  SRX3400/SRX3600  SRX5600/SRX5800  J Series
    Source NAT rule           512     512    1024    1024             8192             8192       512
    Destination NAT rule      512     512    1024    1024             8192             8192       512
    Static NAT rule           512     512    1024    1024             8192             8192       512

The limit on the number of rules per rule set has been raised so that, in effect, only the device-wide limit on the number of rules applies. This limit is documented to help you plan and configure the NAT rules for the device.

• IKE negotiations involving NAT-T—On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT traversal (NAT-T) do not work if the IKE peer is behind a NAT device that changes the source IP address of the IKE packets during the negotiation. For example, a NAT device configured with a dynamic IP (DIP) pool changes the source address when the IKE protocol switches from UDP port 500 to UDP port 4500.

Point-to-Point Protocol over Ethernet (PPPoE)

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices in a chassis cluster, the reth interface cannot be used as the underlying interface for Point-to-Point Protocol over Ethernet (PPPoE).

Security

• J Series devices do not support the authentication-order values password radius or password ldap at the [edit access profile profile-name] hierarchy level. Use radius password or ldap password instead.

For all other limitations in security, see “Addresses and Address Sets” in the Junos OS Security Configuration Guide.

SNMP

• On J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release 10.4.

Switching

• On SRX100, SRX210, SRX240, and SRX650 devices, RADIUS Change of Authorization (CoA) is not supported with 802.1X.

• On SRX100, SRX210, SRX240 and SRX650 devices, on the routed VLAN interface, the following features are not supported:

• IPv6 (family inet6)

• IS-IS (family iso)


• Class-of-service

• Encapsulations (Ethernet CCC, VLAN CCC, VPLS, PPPoE, and so on) on VLAN interfaces

• CLNS

• PIM

• DVMRP

• VLAN interface MAC change

• Gratuitous ARP

• Changing the VLAN ID of a VLAN interface

Unified Threat Management (UTM)

• UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.

VPNs

• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IPsec NAT-T tunnels have the following scaling limitations:

• For a given private IP address, the NAT device must translate both UDP port 500 and UDP port 4500 to the same public IP address.

• The total number of tunnels from a given translated public IP address cannot exceed 1000.

• On SRX100, SRX210, SRX240, and SRX650 devices, when dynamic VPN is configured with the Pulse client and the IKE proposal uses sha-256 as the authentication-algorithm, the IPsec session might not be established.

Wireless LAN (WLAN)

• The following are the maximum numbers of access points that can be configured and managed from SRX Series devices:

• SRX210—4 access points

• SRX240—8 access points

• SRX650—16 access points

NOTE: The number of licensed access points can exceed the maximum number of supported access points. However, you can only configure and manage the maximum number of access points.

Related Documentation

• New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 92


• Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 158

• Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 178

Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

• Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 158

• Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 175

Outstanding Issues In Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

The following problems currently exist in SRX Series and J Series devices. The identifier following the description is the tracking number in our bug database.

Application Layer Gateways (ALGs)

• On SRX5600 devices, if you run the show security alg sip counters command while doing a bulk call generation, it might bring down the SPU with a flowd core file error. [PR/292956]

• On SRX Series devices, SIP server protection does not work. The set security alg sip application-screen protect deny command does not work. [PR/512202]

Authentication

• On J Series devices, after the user is authenticated, if the webauth-policy is deleted or changed and an entry exists in the firewall authentication table, then an authentication entry created as a result of webauth will be deleted only if a traffic flow session exists for that entry. Otherwise, the webauth entry will not get deleted and will only age out. This behavior will not cause a security breach. [PR/309534]

AX411 Access Point

• On SRX210 PoE devices, the access point reboots when 100 clients are associated simultaneously and each one is transmitting 512-byte packets at 100 pps. [PR/469418]

• On SRX650 devices, when an access point is part of the default cluster and you change the default cluster after the access point is connected to it, the changes might not be reflected. As a workaround, restart the wireless LAN service. [PR/497752]

Chassis Cluster

• On J Series devices in a chassis cluster, a high load of SIP ALG traffic might result in some call leaks in active resource manager groups and gates on the backup router. [PR/268613]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations are not reflected on the chassis cluster interface. [PR/389451]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the iflset functionality is not supported for aggregated interfaces like reth. [PR/391377]


• On an SRX210 device in a chassis cluster, sometimes the reth interface MAC address might not make it to the switch filter table. This results in the dropping of traffic sent to the reth interface. As a workaround, restart the Packet Forwarding Engine. [PR/401139]

• On an SRX210 device in a chassis cluster, restarting the forwarding process is not recommended, because restarting forwarding on the primary node causes all redundancy groups to fail over to the other node. [PR/408436]

• On SRX5800 devices, SNMP traps might not be generated for the ineligible-primary state. [PR/434144]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices in chassis cluster active/active mode, the J-Flow samplings do not occur and the records are not exported to the cflowd server. [PR/436739]

• On SRX240 Low Memory and High Memory devices, binding the same IKE policy to a dynamic gateway and a site-to-site gateway is not allowed. [PR/440833]

• On SRX650 devices, the following message appears on the new primary node after a reboot or an RG0 failover:

WARNING: cli has been replaced by an updated version: CLI release 9.6B1.5 built by builder on 2009-04-29 08:24:20 UTC Restart cli using the new version ? [yes,no] (yes) yes

[PR/444470]

• On SRX240 devices, the cluster might become destabilized when the file system is full and logging is configured on JSRPD and chassisd. The log file size for the various modules should be appropriately set to prevent the file system from getting full. [PR/454926]

• On SRX3600 devices, track IPs on the secondary node remain unreachable after you disable and then enable the primary and secondary child interfaces of the corresponding reth interface. [PR/488890]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, LACP does not work in Layer 2 transparent mode. [PR/503171]

• During a manual failover, a system crash might occur if the nodes have not completely recovered from a previous failover. To determine if a device is ready for repeated failovers, perform these recommended best-practice steps before doing a manual failover.

The best-practice steps we recommend to ensure a proper failover are as follows:

• Use the show chassis cluster status command to verify the following for all redundancy groups:

• One node is primary; the other node is secondary.

• Both nodes have nonzero priority values unless a monitored interface is down.

• Use the show chassis fpc pic-status command to verify that the PIC status is Online.


• Use the show pfe terse command to verify that the Packet Forwarding Engine status is Ready and to verify the following:

• All slots on the RG0 primary node have the status Online.

• All slots on the RG0 secondary node, except the Routing Engine slots, have the status Valid.

[PR/503389, PR/520093]
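The readiness checks listed above, automated as an added example that is not part of the release notes or of Juniper's own tooling: the script parses the output of show chassis cluster status and show chassis fpc pic-status and lists every condition that should block a manual failover. The embedded outputs are constructed samples, not captures from a device, and their column layout is an assumption about the commands' tabular format; the show pfe terse check is left to the operator.

```python
import re

# Constructed sample of "show chassis cluster status" output; not captured from a real
# device, and the column layout is an assumption about the command's tabular format.
# RG1 shows both nodes at priority 0, which the release note says should block a failover.
CLUSTER_STATUS_NOT_READY = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 2
    node0                   0           primary        no       no
    node1                   0           secondary      no       no
"""
# The same cluster with healthy RG1 priorities.
CLUSTER_STATUS_READY = re.sub(r"(node0\s+)0(\s+primary)", r"\g<1>100\2", CLUSTER_STATUS_NOT_READY)
CLUSTER_STATUS_READY = re.sub(r"(node1\s+)0(\s+secondary)", r"\g<1>1\2", CLUSTER_STATUS_READY)

# Constructed sample of "show chassis fpc pic-status" for both nodes; node1 has one PIC offline.
PIC_STATUS = """\
node0:
--------------------------------------------------------------------------
Slot 0   Online       FPC
  PIC 0  Online       4x GE Base PIC
Slot 1   Online       FPC
  PIC 0  Online       1x T1/E1 mPIM
node1:
--------------------------------------------------------------------------
Slot 0   Online       FPC
  PIC 0  Online       4x GE Base PIC
Slot 1   Online       FPC
  PIC 0  Offline      1x T1/E1 mPIM
"""
PIC_STATUS_OK = PIC_STATUS.replace("Offline", "Online")

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)")
ROW_RE = re.compile(r"^\s*(node\d)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s*$")
NODE_RE = re.compile(r"^(node\d):")
SLOT_RE = re.compile(r"^Slot\s+(\d+)\s+(\S+)")
PIC_RE = re.compile(r"^\s*PIC\s+(\d+)\s+(\S+)")


def parse_cluster_status(text):
    """Return {rg: {node: (priority, status)}} from 'show chassis cluster status' output."""
    groups, rg = {}, None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            rg = int(m.group(1))
            groups[rg] = {}
            continue
        m = ROW_RE.match(line)
        if m and rg is not None:
            groups[rg][m.group(1)] = (int(m.group(2)), m.group(3))
    return groups


def failover_blockers(status_text, pic_text):
    """List every condition from the release note's checklist that should stop a manual
    failover; an empty list means the cluster status and PIC checks pass."""
    problems = []
    for rg, nodes in sorted(parse_cluster_status(status_text).items()):
        states = sorted(status for _, status in nodes.values())
        if states != ["primary", "secondary"]:
            problems.append(f"RG{rg}: expected one primary and one secondary, got {states}")
        for node, (priority, _) in nodes.items():
            # Priority 0 is acceptable only when a monitored interface is down; flag it so the
            # operator confirms that before failing over.
            if priority == 0:
                problems.append(f"RG{rg}: {node} has priority 0 (check monitored interfaces)")
    node = slot = None
    for line in pic_text.splitlines():
        if m := NODE_RE.match(line):
            node = m.group(1)
        elif m := SLOT_RE.match(line):
            slot = m.group(1)
            if m.group(2) != "Online":
                problems.append(f"{node} slot {slot}: FPC is {m.group(2)}")
        elif (m := PIC_RE.match(line)) and m.group(2) != "Online":
            problems.append(f"{node} slot {slot} PIC {m.group(1)}: {m.group(2)}")
    return problems


if __name__ == "__main__":
    for text, pics in ((CLUSTER_STATUS_NOT_READY, PIC_STATUS), (CLUSTER_STATUS_READY, PIC_STATUS_OK)):
        blockers = failover_blockers(text, pics)
        print("ready for manual failover" if not blockers else "\n".join(blockers))
```

Feed the two commands' real output into failover_blockers before each request chassis cluster failover; a non-empty list is the signal to wait, since the note ties the crash to a node that has not finished recovering from the previous failover.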

• On SRX650 devices, when the primary node is synchronizing heavy routes to the secondary node and the secondary node is rebooted, FPCs on the secondary node come up very slowly. PICs will not come up until all the routes are synchronized to the secondary node. [PR/545429]

Class of Service (CoS)

• J4350 and J6350 devices might not have the requisite data buffers needed to meet expected delay-bandwidth requirements. Lack of data buffers might degrade CoS performance with smaller (500 bytes or less) packets. [PR/73054]

• On J Series devices with a CoS configuration, when you try to delete all the flow sessions using the clear security flow session command, the WXC application acceleration platform might fail over with heavy traffic. [PR/273843]


Command-Line Interface (CLI)

• On SRX650 devices, tail drops and keepalive losses are seen at high load on multilink bundles when queue 3 (out of queue 0 to queue 7) is oversubscribed. As a workaround, use only queue 3 for keepalive packets, and use other queues for data or voice transmission. [PR/539353]

Dual-Stack Lite

• On SRX650, SRX3400, SRX3600, SRX5600, and SRX5800 devices, if the interface address is changed to an address that is also the concentrator address while background traffic is targeting that address, manually clear any IP-IP clear-text sessions whose destination is the concentrator address, so that the dual-stack lite concentrator takes effect on the traffic flow. [PR/541516]

Dynamic Host Configuration Protocol (DHCP)

• On SRX210 and SRX240 devices, when autoinstallation is configured to run on a particular interface and the default static route is set with the options discard, retain, and no-advertise, the DHCP client running on the interface tries fetching the configuration files from the TFTP server. During this process, the UDP data port on the TFTP server might be unreachable. Because the TFTP server is unreachable, the autoinstallation process might remain in the configuration acquisition state. When autoinstallation is disabled, the TFTP might fail. In this case, you should manually fetch the file from the server or the client through the relay.

As a workaround, remove the static route discard, retain, and no-advertise options from the configuration. [PR/454189]

Enhanced Switching

• On J Series devices, if the access port is tagged with the same VLAN that is configured at the port, the access port accepts tagged packets and determines the MAC. [PR/302635]

Flow and Processing

• On SRX Series devices, the show security flow session command currently does not display aggregate session information. Instead, it displays sessions on a per-SPU basis. [PR/264439]

• On J Series devices, OSPF over a multipoint interface connected as a hub-and-spoke network does not restart when a new path is found to the same destination. [PR/280771]

• On J Series devices, outbound filters will be applied twice for host-generated IPv4 traffic. [PR/301199]

• On SRX Series devices, configuring the flow filter with the all flag might result in traces that are not related to the configured filter. As a workaround, use the flow trace flag basic with the command set security flow traceoptions flag.


NOTE: Be sure to disable flow traceoptions after debugging has been completed. Flow traceoptions might cause high CPU utilization in the Routing Engine.

[PR/304083]

• On SRX240 devices, traffic flooding occurs when multiple multicast (MC) IP group addresses are mapped to the same MAC address because multicast switching is based on the Layer 2 address. [PR/418519]

• On SRX650 devices, the input DA errors are not updated when packets are dropped because of MAC filtering on the following:

• SRX240 device

• SRX210 device

• 16-port and 24-port GPIMs

• SRX650 front-end port

This is because of MAC filtering implemented in hardware.

[PR/423777]

• On SRX5600 and SRX5800 devices, the network processing bundle configuration CLI does not check whether PICs in the bundle are valid. [PR/429780]

• On SRX650 devices, packet loss is observed when the device interoperates with an SSG20 with AMI line encoding. [PR/430475]

• On an SRX210 onboard Ethernet port, an IPv6 multicast packet received is duplicated at the ingress. This happens only for IPv6 multicast traffic in ingress. [PR/432834]

• On SRX3400 and SRX3600 devices, the ramp rate of session creation is slow at times for fragmented UDP traffic. [PR/434508]

• On SRX5800 devices, when there are nonexistent PICs in the network processing bundle, the traffic is sent out to the PICs and is lost. [PR/434976]

• The SRX5600 and SRX5800 devices create more than the expected number of flow sessions with NAT traffic. [PR/437481]

• On J Series devices, NAT traffic that goes to the WXC ISM 200 and returns clear (that is, not accelerated by the WXC ISM 200) does not work. [PR/438152]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, there is missing information in the jnxJsFwAuthMultipleFailure trap message. The trap message is required to contain the username, IP address, application, and trap name, but the username is missing. [PR/439314]

• On SRX5800 devices, for any network processing bundle configuration change to take effect, a reboot is needed. Currently there is no message displayed after a bundle configuration change. [PR/441546]


• On SRX5800 devices, the IOC hot swap is not supported with network processing bundling. If an IOC configured with network processing bundling is unplugged, all traffic to that network processor bundle will be lost. [PR/441961]

• On SRX5800 devices with interfaces in a network processing bundle, the ICMP flood or UDP flood cannot be detected at the threshold rate. However, it can be detected at a higher rate when the per-network processor rate reaches the threshold. [PR/442376]

• On an SRX3400 device in combo mode with two SPCs and one NPC, not all sessions are created under the stress test. [PR/450482]

• On J Series devices, there is a drop in throughput on the 64-byte packet size T3 link when bidirectional traffic is directed. [PR/452652]

• On SRX240 PoE and J4350 devices, the first packet on each multilink class is dropped on reassembly. [PR/455023]

• On SRX5600 and SRX5800 devices, system log messages are not generated when CPU utilization returns to normal. [PR/456304]

• On SRX210, SRX240, and J6350 devices, the serial interface goes down for long-duration traffic when FPGA version 2.3 is loaded in the device. As a result, the multilink goes down. This issue is not seen when downgrading the FPGA version from 2.3 to 1.14. [PR/461471]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in end-to-end debugging, the cp-lbt event actions are not working. There is no change in behavior with or without the cp-lbt event. [PR/462288]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, during end-to-end debugging with the jexec event, packet summary trace messages have unknown IP addresses in the packet summary field. [PR/463534]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, data path-debug rate-limit does not work properly. When users configure a low rate limit for a large number of trace messages, the system should suspend the trace messages after the configured maximum is reached. The system is not suspending the trace messages. [PR/464151]

• On SRX5800 devices, the GPRS tunneling protocol (GTP) application is supported only on well-known ports. Customized application on other ports is not supported. [PR/464357]

• On J Series devices, interfaces with different bandwidths (even if they are of same interface type, for example, serial interfaces with different clock rates or channelized T1/E1 interfaces with different time slots) should not be bundled under one multilink bundle. [PR/464410]

• SRX3400 and SRX3600 devices with one Services Processing Card and two Network Processing Cards operating under heavy traffic produce fewer flow sessions. [PR/478939]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the input packets and bytes counters show random values, both in the traffic statistics and in the IPv6 transit statistics, when VLAN tagging is added to or removed from an interface configured with an IPv6 address. [PR/489171]


• On SRX Series devices, the software upload and install package does not show a warning message when there are pending changes to be committed. [PR/514853]

• On SRX240 Low Memory devices, an LSQ interface transmitting both LLQ and non-LLQ traffic drops out-of-profile LLQ packets sooner than it did in earlier releases. [PR/536588]

• On SRX5800 devices, address overlapping is not supported when dual-stack lite works with the source NAT and enables any of the following options:

• persistent-nat

• port no-translation

• host-address-base (IP shifting)

[PR/540816]

• On SRX3600 devices, if the interface address is changed to a new address that is also the dual-stack lite concentrator address while background traffic is targeted at that address, you should manually clear the IPIP clear-text sessions that have the concentrator address as the destination address. Until you do so, the dual-stack lite concentrator does not take effect on the traffic flow. [PR/541747]

• On SRX5800 devices in NAT mode, when SIP traffic is sent from the device, packet drops are seen at the beginning, and processing of the traffic later stops. [PR/554685]

• On SRX3400 and SRX3600 devices, when the external RADIUS server is down or terminated, a large volume of authentication requests might cause authd to generate a core file. [PR/568659]

Hardware

• On SRX210 devices, the MTU size is limited to 1518 bytes for the 1-port SFP Mini-PIM. [PR/296498]

• On SRX240 devices, the Mini-PIM LEDs glow red for a short duration (1 second) when the device is powered on. [PR/429942]

• On SRX240 devices, the file installation fails on the right USB slot when both of the USB slots have USB storage devices installed. [PR/437563]

• On SRX240 devices, the combinations of Mini-PIMs cause SFP-copper links to go down in some instances during bootup, restarting fwdd, and restarting chassisd. As a workaround, reboot the device and the link will be up. [PR/437788]


Infrastructure

• On J Series devices, you cannot use a USB device that provides U3 features (such as the U3 Titanium device from SanDisk Corporation) as the media device during system boot. You must remove the U3 support before using the device as a boot medium. For the U3 Titanium device, you can use the U3 Launchpad Removal Tool on a Windows-based system to remove the U3 features. The tool is available for download at http://www.sandisk.com/Retail/Default.aspx?CatID=1415. (To restore the U3 features, use the U3 Launchpad Installer Tool accessible at http://www.sandisk.com/Retail/Default.aspx?CatID=1411.) [PR/102645]

• On J Series devices, if the device does not have an ARP entry for an IP address, the device drops the first packet from itself to that IP address. [PR/233867]

• On J Series devices, when you press the F10 key to save and exit from BIOS configuration mode, the operation might not work as expected. As a workaround, use the Save and Exit option from the Exit menu. This issue can be seen on the J4350 and J6350 devices with BIOS Version 080011 and on the J2320 and J2350 devices with BIOS Version 080012. [PR/237721]

• On J Series devices, the Clear NVRAM option in the BIOS configuration mode does not work as expected. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. To help mitigate this issue, note any changes you make to the BIOS configuration so that you can revert to the default BIOS configuration as needed. [PR/237722]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the SNMP set for the MIB object usmUserPrivKeyChange does not work. [PR/482475]

Installation

• On SRX100, SRX210, SRX240, or SRX650 devices with 1-GB storage flash, when you use the file copy command to copy the Junos OS package from ftp:// to a local directory, you might get a message saying that the file system is full. Do not use the file copy command to get the Junos OS package for software upgrade.

The file copy command first copies the Junos OS package as a temporary file in /cf/var/tmp and then copies the file under its package name into a local directory in the /cf/var partition. This means that a Junos OS package of size X needs 2X space in the /cf/var partition. For example, a Junos OS package of 197 MB needs 394 MB, whereas the /cf/var partition is less than 350 MB on a 1-GB storage flash. Thus, the file copy command fails. [PR/526030]

Integrated Convergence Services

The following issues currently exist in SRX210 and SRX240 devices with Integrated Convergence Services:

• SNMP does not provide support for survivable call server (SRX Series SCS) statistics. [PR/456454]

• On SRX210 devices with voice capability, SIP trunking or FXS trunking calls do not work if the called party supports only the G729AB/G711-Mu-law codec. [PR/504135]


• On SRX240 devices with Integrated Convergence Services, the call-pickup feature does not work in survivable mode. If an analog station in a station group rings, another analog phone belonging to the same station group cannot pick up the call. As a workaround, configure three SIP phones (S1, S2, and S3), and add them to the pickup group (use a station group with S1, S2, and S3) because the pickup group works for SIP phones, but it does not work for analog phones. [PR/505237]

• On SRX210 and SRX240 devices with Integrated Convergence Services, if the transport method for the peer call server is TCP, the SRX Series devices do not support SIP messages of more than 2048 bytes. [PR/510291]

• On SRX210 and SRX240 devices with voice capability, the T1PRI calls do not work when multiple trunk-groups or trunks are created. [PR/514784]

• On SRX210 and SRX240 devices with voice capability, the caller ID of the calling party is displayed as a four-digit local extension number instead of a 7-or 10-digit local or international number for outgoing calls from PRI. [PR/516021]

• On SRX210 and SRX240 devices with Integrated Convergence Services, if you have the accounting feature configured (Services>Convergence services>Features), you cannot configure the account code on a per-station basis. [PR/516681]

• On SRX240 devices with voice capability, the restart rtdm command is required after changing the Max-concurrent-value from x to 0, to allow unlimited calls through SIP trunk or PCS. [PR/536849]

• On SRX240 devices with voice capability, the restart rtdm command is required to make PRI calls successful when both PRI and T1CAS lines are active. [PR/537551]

Interfaces and Routing

• On SRX650 devices, the following loopback features are not implemented for quad T1/E1 GPIMs:

• Line

• FDL payload

• In-band line

• In-band payload

[PR/425040]

• On SRX650 devices, configuring dual and quad T1/E1 framing at the chassis level has no effect. [PR/432071]

• On SRX Series devices, incorrect Layer 2 circuit replication on the backup Routing Engine might occur when you:

• Configure nonstop active routing (NSR) and Layer 2 circuit standby simultaneously and commit them

• Delete the NSR configuration and then add the configuration back when both the NSR and the Layer 2 circuits are up


As a workaround:

1. Configure the Layer 2 circuit for a nonstandby connection.

2. Change the configuration to a standby connection.

3. Add the NSR configuration.

[PR/440743]

• On SRX210 Low Memory devices, the E1 interface flaps and traffic does not pass through the interface if you restart forwarding while traffic is passing through the interface. [PR/441312]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you configure the SAP listen option using the protocol sap listen command in the CLI, listening fails in both sparse and sparse-dense modes. [PR/441833]

• On J Series devices, one member link goes down in a Multilink (ML) bundle during bidirectional traffic with Multilink Frame Relay (MFR). [PR/445679]

• On SRX100, SRX210, and J Series devices, out-of-band dial-in access using a serial modem does not work. [PR/458114]

• On SRX100 and SRX200 devices with VDSL2, multiple carrier transitions (three to four) are seen during long-duration traffic testing with the ALU 7302 DSLAM. There is no impact on traffic except for the packet loss after long-duration traffic testing, which is also seen with the vendor CPE. [PR/467912]

• On SRX210 devices with VDSL2, a ping to the remote end fails for packet sizes above 1480 bytes, because packets larger than the default interface MTU of 1496 are dropped, while the default MTU of the remote host's Ethernet interface is 1514. [PR/469651]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you change the multicast scoping to a different multicast address, traffic other than that configured for multicast scoping is not received. [PR/482957]

• On SRX210 High Memory devices, the physical interface module (PIM) shows time in ADSL2+ ANNEX-M, even though it is configured for ANNEX-M ADSL2. [PR/497129]

• On SRX100, SRX210, SRX240, and SRX650 devices, whenever radius-server is configured under the profile option, the RADIUS server is permanently marked as dead if a RADIUS request times out. As a workaround, configure radius-server outside the profile option, directly under the access option. [PR/503717]
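The two placements contrasted in the workaround above, as an added configuration example that is not part of the release notes. The server address 192.0.2.10, the profile name access-profile and the shared secret are constructed placeholders; the statement hierarchy follows the standard Junos OS [edit access] syntax.

```text
# Affected form: radius-server defined inside an access profile.
# With this placement the server is marked dead permanently after a timeout.
set access profile access-profile authentication-order radius
set access profile access-profile radius-server 192.0.2.10 secret "CHANGE-ME-shared-secret"

# Workaround: define the server directly under [edit access] and keep only
# the authentication order in the profile, so the profile references the
# global radius-server entry instead of carrying its own copy.
delete access profile access-profile radius-server 192.0.2.10
set access radius-server 192.0.2.10 secret "CHANGE-ME-shared-secret"
set access profile access-profile authentication-order radius
```

After committing, a request from a client bound to the profile still goes to 192.0.2.10, but the dead-marking behaviour described in the issue no longer applies because the server definition lives at the access level. Placeholder values must be replaced with the real server address and secret before use.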

• On SRX5600 and SRX5800 devices, load balancing does not occur within the aggregated Ethernet (ae) interface when the destination IP address is incremented under a /24 prefix length. [PR/505840]

• On SRX100, SRX210, SRX240, and SRX650 devices, egress queues do not function on VLAN or IRB interfaces. [PR/510568]

• On SRX650 devices, in the 2-port 10G XPIM, when the interface is linked with fiber, the activity LED does not blink when traffic enters the interface. However, the activity LED blinks properly when traffic goes out of the interface. [PR/513961]


• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if stress FTP traffic is sustained for several minutes, the device might begin to accept only limited new FTP connections. This situation might continue for one minute, and then the device returns to normal functioning. [PR/530142]

• On SRX650 devices, the speed for the ae interface shows the interface speed and not the negotiated speed. [PR/553339]

• On SRX220 devices, on multiple reboot or restart forwarding, a link might remain in a hard down state. [PR/556389]

• On SRX650 devices, sometimes quad T1/E1 generates a core file while the user is configuring it in T1 mode with the traffic sent continuously over the quad T1/E1. [PR/556716]

• On SRX220 devices, when oversubscribed traffic is sent through the gr interface (after tunnel queuing has been enabled and the shaper has been configured), there is an increase in tail-dropped packets at the egress of the gr interface. As a result of this, the output packet rate at the egress of the gr interface is much lower compared to that of the shaper. [PR/559378]

• On SRX1400 devices, the alarm indication is not available if a power supply is not functioning normally. The system creates log messages in /var/log/chassisd to indicate the power supply failure conditions. [PR/566210]

Intrusion Detection and Prevention (IDP)

• The SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices support only one IDP policy at any given time. When you make changes to the IDP policy and commit, the current policy is completely removed before the new policy becomes effective. During the update, IDP will not inspect the traffic that is passing through the device for attacks. As a result, there is no IDP policy enforcement. [PR/392421]

• On SRX210 devices, when the IDP policy contains rules that have the match criteria for the same attacks, multiple attacks will be reported when the attacks are detected. No errors or warnings appear during policy compilation. [PR/414416]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you configure a policy containing more than 200 rules, with each rule containing the predefined attack groups (Critical, Major, and Minor), the memory constraint of the Routing Engine (500 MB) is reached. [PR/449731]

• On SRX Series devices, the maximum supported sessions count is not displayed when you run the show security flow session idp summary command. [PR/503721]

• On SRX100 and SRX210 devices, depending on configuration, peak performance level drops up to 30 percent have been observed for IDP and UTM features. This issue impacts only customers who deploy these devices with peak performance level requirements for IDP and UTM services. [PR/503446, PR/506500, PR/518737]

• On SRX5600 devices, when using a 4096-bit SSL private key for IDP HTTPS traffic processing, the watchdog aborts the flowd process and reboots the SPC. This is primarily because of the watchdog timer expiration. The IDP function takes a long time to decrypt the session when you use a 4096-bit key.


The SSL function is known to take an exponentially large amount of time when the key size is increased. Key sizes of 1024 bits and 2096 bits are acceptable because their processing time is below the watchdog threshold, but a 4096-bit key should not be used when sending stress traffic. Also, IDP uses SSL hardware acceleration only for keys of 1024 bits or less, so throughput is much higher for traffic using SSL private keys of 1024 bits or less. [PR/524452]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when packet-logging functionality is configured with a larger pre-attack configuration parameter value, resource usage increases proportionally and might affect performance. [PR/526155]

• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, IDP policies greater than 19 MB do not get loaded. [PR/540856]

• On SRX100 and SRX240 High Memory devices, whenever the folder /var/db/idpd, or any folder under it such as /var/db/idpd/db, is deleted, the system must be rebooted for idpd to function properly. [PR/551412]

IPv6

• Proxy-ndp does not work in IPv6. Hence, the following issues exist:

• proxy-ndp cannot be configured under Security>NAT

• publish MAC for specific IPv6 addresses will not work under Interfaces>set interfaces

[PR/549969]

ISSU

• In-service software upgrade (ISSU) is not supported for upgrading VPN, NAT, IPv6, FTP ALG, TFTP ALG, or IDP functionality. If ISSU is used while the noted functionality is enabled, SRX Series devices might be left in an invalid state. The upgrade options are either to disable unsupported ISSU features prior to the upgrade or to use a standard upgrade procedure with a reboot. [PR/558566, PR/530035]

J-Flow

• SRX3400, SRX3600, SRX5600, and SRX5800 devices support the 4-byte autonomous system (AS) for BGP configuration. However, J-Flow template versions 5 and 8 do not support 4-byte AS because these J-Flow templates have 2 bytes for the SRC/DST AS field. [PR/416497]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, J-Flow sampling on the virtual router interface does not show the values of autonomous system (AS) and mask length. The AS or mask length values of cflowd packets show 0 while sampling the packet on the virtual router interface. [PR/419563]


J-Web

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the LEDs on the Routing Engine and PICs are not shown as green when they are up and online on the J-Web Chassis View. [PR/297693]

• On SRX100, SRX210, SRX240, and SRX650 devices, the LED status in the Chassis View is not in sync with the LED status on the device. [PR/397392]

• On SRX210 Low Memory devices, in the rear view of the Chassis View image, the image of the ExpressCard remains the same whether a 3G card is present or not. [PR/407916]

• On SRX Series devices, the CLI Terminal feature does not work in J-Web over IPv6. [PR/409939]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web, the Generate Report option under Monitor Event and Alarms opens the report in the same webpage. [PR/433883]

• On SRX100, SRX210, SRX240, SRX650, and all J Series devices, in J-Web, the options Input filter and Output filter are displayed in the VLAN configuration page. These options are not supported, and the user cannot obtain or configure any value under these filter options. [PR/460244]

• On SRX100, SRX210, SRX240, SRX650, and all J Series devices, when you have a large number of static routes configured, and if you have navigated to pages other than to page 1 in the Route Information table in the J-Web interface (Monitor>Routing>Route Information), changing the Route Table to query other routes refreshes the page but does not return you to page 1. For example, if you run the query from page 3 and the new query returns very few results, the Route Information table continues to display page 3 with no results. To view the results, navigate to page 1 manually. [PR/476338]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the entry registered into RIB is not shown in J-Web. [PR/483885]

• On SRX210 Low Memory, SRX210 High Memory, and SRX210 PoE devices, in the J-Web interface, Configuration>Routing>Static Routing does not display the IPv4 static route configured in rib inet.0. [PR/487597]

• On SRX100 (Low Memory and High Memory), SRX210 (Low Memory, High Memory, and PoE), SRX240 (Low Memory and High Memory), SRX650, J2350, J4350, and J6350 devices, CoS feature commits occur without validation messages, even if you have not made any changes. [PR/495603]

• On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, after a session expires, a relogin page appears in the wizard window. As a workaround, close the wizard window when the session expires and log in again. [PR/537475]

• On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, a matching destination port configured in the NAT wizard is not pushed to the CLI configuration. As a workaround, use the CLI. [PR/547630]

• On SRX100, SRX210, SRX220, and SRX240 devices, wizards take more time to commit the configuration setup and to load the page. [PR/548530]


• On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, the candidate configuration should be removed from the CLI configuration when validation or commit from the wizard fails. [PR/549202]

• On SRX100, SRX210, SRX220, and SRX240 devices, in J-Web, policies configured under group global cannot be edited or deleted in the NAT and firewall wizards. [PR/552519]

Management and Administration

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the queue statistics are not correct after deletion and re-creation of a logical interface (IFL) or creation of a new IFL. IFL statistics are not cleared for 15 minutes after chassis-control is restarted. [PR/417947]

• On SRX5600 devices, when the system is in an unstable state (for example, during an SPU reboot), NFS might leave residual .nfs files under the /var/tmp directory, which can occupy disk space for a very long time. As a workaround, run the request sys storage cleanup command to clean up when the system is low on disk space. [PR/420553]

• On SRX650 devices, the kernel crashes when the link goes down during TFTP installation of the srxsme image. [PR/425419]

• On SRX650 devices, continuous messages are displayed from syslogd when ports are in switching mode. [PR/426815]

• On SRX240 devices, if a timeout occurs during the TFTP installation, booting the existing kernel using the boot command might crash the kernel. As a workaround, use the reboot command from the loader prompt. [PR/431955]

• On SRX240 devices, when you configure the system log hostname as 1 or 2, the device goes to the shell prompt. [PR/435570]

• On SRX240 devices, the Scheduler Oinker messages are seen on the console at various instances with various Mini-PIM combinations. These messages are seen during bootup, while restarting fwdd, while restarting chassisd, and during configuration commits. [PR/437553]

• On SRX5800 devices, rebooting is required for any NP bundle configuration change to take effect. Currently there is no notification displayed after the bundle configuration change to notify that a reboot is required for the change to take effect. [PR/441546]

• On SRX5600 and SRX5800 devices, data path debug trace messages are dropped at above 1000 packets per second (pps). [PR/446098]

• On J2350, J4350, and J6350 devices, extended bit error rate test (BERT) takes an additional 3 hours to complete even though a BERT period of 24 hours is set. [PR/447636]

Network Address Translation (NAT)

• On J4350 devices, when you place internal calls, interface-based persistent NAT displays only one active hairpinning session instead of two, even after the call is established. [PR/504932]

• On SRX5600 devices, only network addresses are allowed in IPv6 NAT configuration from Junos OS Release 10.3 onward. This is enforced in commit check. [PR/545330]

• Under certain stress conditions, SRX1400 devices might not reach the maximum supported number of NAT sessions. [PR/568660]

Power over Ethernet (PoE)

• On SRX240 and SRX210 devices, the output of the PoE operational commands takes roughly 20 seconds to reflect a new configuration or a change in status of the ports. [PR/419920]

• On SRX210 PoE devices managing AX411 Access Points, the device might not be able to synchronize time with the configured NTP server. [PR/460111]

• On SRX210 devices, the fourth access point connected to the services gateway fails to boot with the default PoE configuration. As a workaround, configure all the PoE ports to a maximum power of 12.4 watts, using the following command:

root# set poe interface all maximum-power 12.4

[PR/465307]

• On SRX210, SRX220, SRX240, and SRX650 devices with factory default configurations, the device is not able to manage the AX411 Access Point. This might be because the DHCP default gateway is not set. [PR/468090]

• On SRX210 PoE devices managing AX411 Access Points, 64-byte traffic at a rate of more than 45 megabits per second (Mbps) might result in loss of keepalives and a reboot of the AX411 Access Point. [PR/471357]

• On SRX210 PoE devices, high latencies might be observed for the Internet Control Message Protocol (ICMP) pings between two wireless clients when 32 virtual access points (VAPs) are configured. [PR/472131]

• On SRX210 PoE devices, when AX411 Access Points managed by the SRX Series devices reboot, the configuration might not be reflected onto the AX411 Access Points. As a result, the AX411 Access Points retain the factory default configuration. [PR/476850]

• On SRX240 PoE devices, during failover, on the secondary node the ADSL Mini-PIM restarts and takes about 3 to 4 minutes to come up. [PR/528949]

Security

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the egress filter-based forwarding (FBF) feature is not supported. [PR/396849]

• On SRX210, SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, if the Infranet Controller auth table mapping action is configured as provision auth table as needed, UAC terminates the existing sessions after Routing Engine failover. You might have to initiate new sessions. Existing sessions are not affected after Routing Engine failover if the Infranet Controller auth table mapping action is configured as always provision auth table. [PR/416843]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you should not configure rulebase-DDoS rules that have two different application-DDoS objects to run on one destination service because the traffic destined to one application server can encounter more than one rule. Essentially, for each protected application server, you have to configure a single application-level DDoS rule. [PR/467326]


Unified Access Control (UAC)

• On J Series devices, MAC address-based authentication does not work when the router is configured as a UAC Layer 2 Enforcer. [PR/431595]

Unified Threat Management (UTM)

• On SRX210 High Memory devices, content filtering provides the ability to block protocol commands. In some cases, blocking these commands interferes with protocol continuity, causing the session to hang. For instance, blocking the FETCH command for the IMAP protocol causes the client to hang without receiving any response. [PR/303584]

• On SRX210 High Memory devices, when the content filtering message type is set to protocol-only, customized messages appear in the log file. [PR/403602]

• On SRX210 High Memory devices, the express antivirus feature does not send a replacement block message for HTTP upload (POST) transactions if the current antivirus status is engine-not-ready and the fallback setting for this state is block. An empty file is generated on the HTTP server that contains no block message. [PR/412632]

• On SRX240, SRX650, and J Series devices, Eudora 7 (through DUT) and Outlook Express (directly, not through DUT) download infected mail (with an EICAR test file) to the mail server, because of which mail retrieval is slow. [PR/424797]

• On SRX650 devices operating under stress conditions, the UTM subsystem file partition might fill up faster than UTM can process and clean up existing temporary files. In that case, the user might see error messages. As a workaround, reboot the system. [PR/435124]

• On SRX240 High Memory devices, FTP download for large files (> 4 MB) does not work in a two-device topology. [PR/435366]

• On SRX210, SRX240, and SRX650 devices, the Websense server stops taking new connections after HTTP stress. All new sessions get blocked. As a workaround, reboot the Websense server. [PR/435425]

• On SRX240 devices, if the device is under UTM stress traffic for several hours, users might see the following error while using a UTM command:

the utmd subsystem is not responding to management requests.

As a workaround, restart the utmd process. [PR/436029]

• On SRX100 High Memory, SRX210 High Memory, SRX240 High Memory, and SRX650 devices, more than 1500 antispam requests are not supported because of a system limitation. [PR/451329]

• On SRX240 High Memory devices, during a UTM web traffic stress test, a leak of AV scanner contexts is observed on some error pages. [PR/538470]

• On SRX650 devices, when express AV is enabled, traffic from the server and client is buffered at the device. Sometimes the buffer resources run out because traffic arrives faster than the buffer resources are released, and the device detects an out-of-resource state and takes the fallback action. This happens only if a burst of traffic exceeding 20 MB arrives at the device within a very short duration. [PR/556309]

Upgrade

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, if you are running a previous Junos OS Release and are already using more than 70 percent of the memory on your device, we recommend that you do not upgrade to Junos OS Release 10.4. New functionality in Junos OS Release 10.4 might use more memory, meaning that you might run out of memory with a configuration that worked on a previous release. [PR/546069]

USB Modem

• On SRX210 High Memory devices and J6350 devices, packet loss is seen during rapid ping operations between the dialer interfaces when packet size is more than 512 Kbps. [PR/484507]

• On SRX210 High Memory devices, the modem interface can handle bidirectional traffic of up to 19 Kbps. During oversubscription of 20 Kbps or higher traffic, the keepalive packets are not exchanged and the interface goes down. [PR/487258]

• On SRX210 High Memory devices, IPv6 is not supported on dialer interfaces with a USB modem. [PR/489960]

• On SRX210 High Memory devices, HTTP traffic is very slow through the umd0 interface. [PR/489961]

• On SRX210 High Memory devices and J6350 devices, the D10 link flaps during long-duration traffic of 15 Kbps and also when the packet size is 256 Kbps or more. [PR/493943]

Virtual LANs (VLANs)

• On SRX240, SRX650, J4350, and J6350 devices, tagged frames on an access port with the same VLAN tag are not dropped. [PR/414856]

• On SRX100, SRX210, and SRX240 devices, the packets are not sent out of the physical interface when the VLAN ID associated with the VLAN interface is changed. As a workaround, you need to clear the ARP. [PR/438151]

• On SRX100 Low Memory, SRX100 High Memory, SRX210 Low Memory, SRX210 High Memory, SRX240 High Memory, and SRX650 devices, the Link Layer Discovery Protocol (LLDP) organization-specific Type Length Value (TLV), medium attachment unit (MAU) information always propagates as Unknown. [PR/480361]

• On SRX100 High Memory devices and SRX210 Low Memory devices, dot1x unauthenticated ports accept Link Layer Discovery Protocol (LLDP) Protocol Data Units (PDUs) from neighbors. [PR/485845]

• For SRX210 High Memory devices, during configuration of access and trunk ports, the individual VLANs from the vlan-range are not listed. [PR/489872]


VPNs

• On SRX210 and SRX240 devices, concurrent login to the device from different management systems (for example, laptop or desktop computers) is not supported. The first user session is disconnected when a second user session is started from a different management system. Also, the status for the first user system is displayed incorrectly as Connected. [PR/434447]

• On SRX Series and J Series devices, the site-to-site policy-based VPNs in a 3 or more zone scenario will not work if the policies match the address “any” instead of specific addresses, and all cross-zone traffic policies point to the single site-to-site VPN tunnel. As a workaround, configure address books in different zones to match the source and destination, and use the address book name in the policy to match the source and destination. [PR/441967]

• On SRX100, SRX210, SRX240, and SRX650 devices, Routing Engine level redundancy for dynamic VPN fails because the tunnels need to renegotiate after RG0 failover. [PR/513884]

• On SRX100, SRX210, SRX240, and SRX650 devices, the dynamic VPN server always pushes the last configured dynamic client configuration to the client. If the VPN configuration bound to this dynamic VPN client is not bound to a policy, IKE negotiation fails when you try to connect to the server. [PR/514033]

• On SRX100, SRX210, SRX240, and SRX650 devices, the dynamic VPN client is not downloaded if there is not enough space in the /jail/var directory in the dynamic VPN server. [PR/515261]

• On SRX3400 and SRX3600 devices, the VPN monitor status on the DEP server side stays down for some time after RG0 and RG1 failover because there is no active state synchronization for VPN monitoring. [PR/532952]

WLAN

• On SRX210, SRX240, and SRX650 devices, J-Web online Help displays the list of all the countries and is not based on the regulatory domain within which the access point is deployed. [PR/469941]

WXC Integrated Services Module

• When two J Series devices with WXC Integrated Services Modules (WXC ISM 200s) installed are configured as peers, traceroute fails if redirect-wx is configured on both peers. [PR/227958]

• On J6350 devices, Junos OS does not support policy-based VPN with WXC Integrated Services Modules (WXC ISM 200s). [PR/281822]

Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

The following are the issues that have been resolved since Junos OS Release 10.4R1 for Juniper Networks SRX Series Services Gateways and J Series Services Routers. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.


Application Layer Gateways (ALGs)

• On J4350 devices in a NAT-PT environment, when the client was in an IPv6 environment and the DNS server was in an IPv4 environment, the DNS server had only the IPv4 address record. When the client looked up the IPv6 address of the record in the DNS server, DUT performed NAT-PT on the DNS ALG. When the client executed the lookup action several times, a core file error was returned. [PR/533345: This issue has been resolved.]

Chassis Cluster

• On SRX5600 and SRX5800 devices, the IOC card reset unexpectedly when the monitored IP addresses under the chassis cluster IP-monitoring configuration were deleted. In addition, the monitored IP was not deleted from the data plane when it was specified without the secondary interface. [PR/557687: This issue has been resolved.]

• On SRX3600 devices, RG failover to Node0 failed because the FPCs went offline during the failover. [PR/563391: This issue has been resolved.]

• On SRX3600 devices, RG0 failovers caused interface flapping when LACP was used on reth interfaces. [PR/565617: This issue has been resolved.]

Dual-Stack Lite

• On SRX5600 devices, with heavy DS Lite traffic, flowd stopped responding with flow table corruption because of a function related to flow table operation (for example, flow_table_find_flow_v6). [PR/548790: This issue has been resolved.]

Flow and Processing

• On SRX210 High Memory devices, the error message “JMDX: Thread timed out waiting for smi write” was continuously displayed. [PR/536586: This issue has been resolved.]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices under high traffic load, some part of FTP and TFTP control sessions did not get timed out even after two hours of stopping the traffic. [PR/548250: This issue has been resolved.]

• On SRX5800 devices, TCP out-of-order packets occurred with the SRX Series device acting as a GRE pass-through device. [PR/558923: This issue has been resolved.]

Integrated Convergence Services

• On SRX240 devices with Integrated Convergence Services running in survivable mode, if two SIP stations were in a call and if either of the SIP stations made an attempt to park the call by dialing the parking number 7000, the call was not parked. [PR/505240: This issue has been resolved.]

Interfaces and Routing

• On SRX210 devices, the modem moved to the dial-out pending state while connecting or disconnecting the call. [PR/454996: This issue has been resolved.]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show datapath-debug counter command gave error messages from the secondary node. [PR/477017: This issue has been resolved.]


• On all SRX Series devices, the destination and destination-profile options for address and unnumbered-address within family inet and inet6 were allowed to be specified within a dynamic profile but were not supported. [PR/493279: This issue has been resolved.]

• On SRX240 and SRX650 devices, IGMP reports were flooded on all ports that were part of the same multicast group instead of being sent on only the router interface. [PR/546444: This issue has been resolved.]

• On SRX650 devices, IGMP snooping did not work in q-in-q mode on a trunk port when the Ethernet type was set to any value other than 0x8100. [PR/554992: This issue has been resolved.]

• On SRX100 devices, the maximum MTU that could be configured on the Fast Ethernet interface was 1624. Also, MTU configuration from J-Web was not recommended if you were running Junos OS Release 10.1 or 10.2. [PR/566592: This issue has been resolved.]

• On SRX5800 devices, under certain circumstances, the zone screening setting was not applied properly. [PR/569678: This issue has been resolved.]

Intrusion Detection and Prevention (IDP)

• On SRX210 High Memory and SRX240 High Memory devices, IDP scaling drop occurred. [PR/525732: This issue has been resolved.]

• On SRX240 High Memory devices, with IDP policy template, policy load failed while changing the active policy from the recommended option to the IDP_Default policy. This was because there was not enough memory for IDP to load the IDP_Default policy. [PR/539486: This issue has been resolved.]

J-Web

• On SRX100 devices, in J-Web, users could configure the scheduler without entering any stop date. The device submitted the scheduler successfully, but the submitted value was not displayed on the screen or saved in the device. [PR/439636: This issue has been resolved.]

• On J2350 and SRX210 High Memory devices, you could not use the Move/edit button for moving the IPS rule on the IDP Policy page. [PR/499499: This issue has been resolved.]

• On SRX Series and J Series devices, in the J-Web interface, the Move/edit button did not work for the exempt rulebase on the IDP Policy configuration page. [PR/503451: This issue has been resolved.]

• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in J-Web, when you tried to commit a candidate configuration in the CLI using the Point and Click CLI, an error was displayed on the configuration page. [PR/514771: This issue has been resolved.]

• On SRX220 devices, you could not edit the physical properties of a LAN interface in J-Web without entering the MAC address. [PR/519818: This issue has been resolved.]

• On SRX Series and J Series devices, the user was unable to configure the IPS-Exempt rule with attacks only. J-Web forced the user to select the address and zones. [PR/522197: This issue has been resolved.]

• On SRX100, SRX210, and SRX240 devices, in J-Web, the resource utilization did not load any data in the dashboard page using Firefox 3.0. [PR/564165: This issue has been resolved.]

Unified Threat Management (UTM)

• On SRX100 High Memory devices, when you used antispam and antivirus in the same UTM policy, spam was not tagged correctly. [PR/575296: This issue has been resolved.]

Virtual LANs (VLANs)

• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the IRB (VLAN) interface could not be used as the underlying interface for Point-to-Point Protocol over Ethernet (PPPoE). [PR/528624: This issue has been resolved.]

VPNs

• SRX5800 devices in Layer 2 transparent mode did not allow the IPsec pass-through VPNs to build. [PR/566160: This issue has been resolved.]

Related Documentation

• New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 92

• Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 148

• Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 178

Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

Changes to the Junos OS Documentation Set

This section lists changes in the documentation.

Single Commit on J-Web

The following information pertains to SRX Series devices:

• For all J-Web procedures, follow these instructions to commit a configuration:

• If Commit Preference is Validate and commit configuration changes, click OK.


• If Commit Preference is Validate configuration changes, click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.

J-Web Online Help

• Previously, J-Web online Help instructions were available both in the Help and in the administration and configuration guides. These topics have been removed from the guides and are now available only in the online Help.

Errata for the Junos OS Documentation

This section lists outstanding issues with the software documentation.

Feature Support Reference

• For SRX200 devices, the following support information is missing from the Junos OS Feature Support Reference for SRX Series and J Series Devices:

Table 11: Chassis Cluster Support

Feature SRX220 Support

Active/active chassis cluster (that is, cross-box data forwarding over the fabric interface) Yes

Application Layer Gateways (ALGs) Yes

Chassis cluster formation Yes

Control plane failover Yes

Dampening time between back-to-back redundancy group failovers Yes

Data plane failover Yes

Dual control links No

Dual fabric links Yes

Junos OS flow-based routing functionality Yes

Low-impact cluster upgrade (ISSU light) No

Multicast routing Yes

Redundancy group 0 (backup for Routing Engine) Yes

Redundancy groups 1 through 128 Yes

Redundant Ethernet interfaces Yes

Redundant Ethernet interface link aggregation groups (LAGs) No


Upstream device IP address monitoring No

Upstream device IP address monitoring on a backup interface No

Table 12: IPv6 Support

Feature SRX220 Support

Security policy (IDP) Yes

Table 13: PoE Support

Feature SRX220 Support

IEEE 802.3 AT standard Yes

IEEE legacy SRX210 and SRX240 only (pre-standards) Yes

Table 14: Routing Support

Feature SRX220 Support

Internet Group Management Protocol (IGMP) Yes

Table 15: Wireless LAN Support

Feature SRX220 Support

Wireless LAN Yes

AX411 Access Point clustering Yes

Enterprise-Specific MIBs and Traps Guides

• The SRX100, SRX210, SRX220, SRX240, and SRX650 Services Gateways MIB Reference, the SRX1400, SRX3400, and the SRX3600 Services Gateways MIB Reference, and SRX5600 and SRX5800 Services Gateways MIB Reference incorrectly state the downloadable version of the Real-Time Media (RTM) and SIP Common MIBs.

The correct URLs are as follows:

• RTM MIB—http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/mibs/mib-jnx-rtm.txt

• SIP Common MIB—http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/mibs/mib-jnx-sipcommon.txt

JUNOS OS Administration Guide for Security Devices

• In Chapter 13, “Performing Software Upgrades and Reboots for the SRX Series Services Gateways,” of the Junos OS Administration Guide for Security Devices, the word "install" was duplicated. It has been corrected.

Junos OS CLI Reference

• On SRX210 and SRX240 devices with Integrated Convergence Services, the Transport Layer Security (TLS) option for the SIP transport is not supported in Junos OS Release 10.4. However, it is documented in the Integrated Convergence Services entries of the Junos OS CLI Reference.

• The Junos OS CLI Reference contains Integrated Convergence Services statement entries for the music-on-hold feature, which is not supported for Junos OS Release 10.4.

• The Junos OS CLI Reference incorrectly shows the show security idp status and clear security idp status logs. The logs should be as follows:

• Correct show security idp status log

user@host> show security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:15:02 ago)
Packets/second: 5 Peak: 11 @ 2010-02-05 06:51:58 UTC
KBits/second : 2 Peak: 5 @ 2010-02-05 06:52:06 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics: [ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : sample
Running Detector Version : 10.4.160091104

• Correct clear security idp status log

user@host> clear security idp status
State of IDP: 2-default, Up since: 2010-02-04 13:37:16 UTC (17:13:45 ago)
Packets/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
KBits/second: 0 Peak: 0 @ 2010-02-05 06:49:51 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]
Session Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name: sample
Running Detector Version: 10.4.160091104

• The Junos OS CLI Reference states that the maximum timeout range for IDP policy is 0 through 65,535 seconds, whereas the ip-action timeout range has been modified to 0 through 64,800 seconds.

• The Junos OS CLI Reference is missing information about the new CLI option download-timeout, which has been introduced as set security idp security-package automatic download-timeout value to configure the download timeout in minutes. The default value for download-timeout is one minute. If the download is completed before the download times out, the signature is automatically updated after the download. If the download takes longer than the configured period, the automatic signature update is aborted.

user@host# set security idp security-package automatic download-timeout ?
Possible completions:
  Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 – 60 minutes
Default: 1 minute

• The Junos OS CLI Reference is missing information about the operational CLI command show security ike active-peer, which is used to list connected active users with peer address and port details.

user@host> show security ike active-peer
Remote Address   Port   Peer IKE-ID       XAUTH username   Assigned IP
172.27.6.136     8034   tleungjtac@650a   tleung           10.123.80.225

Junos OS Interfaces Configuration Guide for Security Devices

• The Junos OS Interfaces Configuration Guide for Security Devices incorrectly states that the following protocols are supported in Point-to-Point Protocol (PPP) Network Control Protocols (NCPs). These protocols are not supported:

• BCP151: Bridging Control Protocol

• BVCP151: Banyan Vines Control Protocol

• DNCP151: DECnet Phase IV Control Protocol

• IPXCP151: Novell IPX Control Protocol

• LECP151: LAN Extension Control Protocol

• NBFCP151: NetBIOS Frames Control Protocol

• SDTP151: Serial Data Transport Protocol

• SNACP151: Systems Network Architecture (SNA) Control Protocol

• XNSCP151: (XNS) Internet Datagram Protocol (IDP) Control Protocol

• The ADSL2+ and ADSL2+ Annex M upstream values given in the Junos OS Interfaces Configuration Guide for Security Devices are displayed incorrectly. The correct values are as follows:

Table 16: Standard Bandwidths of DSL Operating Modes

Operating Modes Upstream Values

ADSL2+ 1—1.5 Mbps

ADSL2+ Annex M 2.5—3 Mbps

Junos OS Integrated Convergence Services Configuration and Administration Guide

• The Junos OS Integrated Convergence Services Configuration and Administration Guide does not include show commands for Junos OS Release 10.4.

J-Web

• J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about download status.

• J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure>Security>Firewall Filters, then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring filters, select Assign to Interfaces to assign your configured filters to interfaces.

• There is no documentation describing the J-Web pages for media gateways. To find these pages in J-Web, go to Monitor>Media Gateway.

• J-Web Configuration Instructions— Because of ongoing J-Web interface enhancements, some of the J-Web configuration example instructions in the Junos administration and configuration guides became obsolete and thus were removed. For examples that are missing J-Web instructions, use the provided CLI instructions.

Junos OS Security Configuration Guide

• The Junos OS Security Configuration Guide contains outdated information about NSM support for IPv6. Please consult the NSM release notes for version compatibility, required schema updates, and up-to-date support information.

• ALG configuration examples in the Junos OS Security Configuration Guide incorrectly show policy-based NAT configurations. NAT configurations are now rule-based.

• The Junos OS Security Configuration Guide does not state that custom attacks and custom attack groups in IDP policies can now be configured and installed even when a valid license and signature database are not installed on the device.

• The “Verifying the Policy Compilation and Load Status” section of the Junos OS Security Configuration Guide has a missing empty/new line before the IDPD Trace file heading, in the second sample output.


• The Junos OS Security Configuration Guide states that the following aggressive aging statements are supported on all SRX Series devices when in fact they are not supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices:

• [edit security flow aging early-ageout]

• [edit security flow aging high-watermark]

• [edit security flow aging low-watermark]

• The Junos OS Security Configuration Guide states that the maximum acceptable timeout range for an IDP policy is 0 through 65,535 seconds, whereas the ip-action timeout range has been modified to 0 through 64,800 seconds.

• The Junos OS Security Configuration Guide is missing information about the new CLI option download-timeout, which has been introduced as set security idp security-package automatic download-timeout <value> to configure the download timeout in minutes. The default value for download-timeout is one minute. If the download is completed before the download times out, the signature is automatically updated after the download. If the download takes longer than the configured period, the automatic signature update is aborted.

user@host# set security idp security-package automatic download-timeout ?
Possible completions:
  <download-timeout>   Maximum time for download to complete (1 - 60 minutes)
[edit]
user@host# set security idp security-package automatic download-timeout
Range: 1 – 60 seconds
Default: 1 second

• The Junos OS Security Configuration Guide states the following limitations in the “Limitations of IDP” section:

On SRX Series and J Series devices, IP actions do not work when you select a timeout value greater than 65,535 in the IDP policy.

This issue has been fixed and is no longer a limitation.

• The Junos OS Security Configuration Guide incorrectly states the following limitation in the “Limitations of IDP” section:

On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions supported is 16,000.

The correct information is as follows:

The maximum number of IDP sessions supported is 1600 on SRX210 devices, 32,000 on SRX240 devices, and 128,000 on SRX650 devices.

• When specifying a forwarding target after authentication on a captive portal, use the ?target= option followed by either the %dest-url% variable or a specific URL. The %dest-url% variable forwards authenticated users to the protected resource they originally specified. A URL forwards authenticated users to a specific site.


Note that when entering a URL with the ?target= option, you must substitute escape characters for any special characters in the URL. Use the following escape characters for these common special characters:

• Replace : with %3A

• Replace / with %2F

• Replace - with %2D

• Replace . with %2E

In the section “Example: Configuring a Redirect URL for Captive Portal (CLI)” in the Junos OS Security Configuration Guide, the procedure description states that, after authentication, users will be forwarded to the specified URL. Step 2 of the configuration procedure, however, is incorrect. This command would forward users to my-website.com before authentication, not after.

To redirect users after authentication, the command must include:

• The IP address of the Infranet Controller to be used for authentication

• The ?target= option and URL to distinguish a forwarding address to be used after authentication

• Escape characters substituted for any special characters in the URL name

The following text in Step 2 is incorrect:

[edit services unified-access-control]
user@host# set captive-portal my-captive-portal-policy redirect-url https://my-website.com

The correct text for Step 2 is as follows:

[edit services unified-access-control]
user@host# set captive-portal my-captive-portal-policy redirect-url https://192.168.0.100/?target=my%2Dwebsite%2Ecom
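As an added example (not from the Junos documentation or Juniper code), the following Python helper applies the escape table from this erratum to build the redirect-url string: it escapes the four listed characters, passes the %dest-url% variable through untouched, and assembles the Infranet Controller address with the ?target= option. The function names and the rejection of characters outside the page's escape table are assumptions of the example, chosen so a typo in the target fails loudly instead of producing a redirect that fires before authentication.

```python
# Added example: build a UAC captive-portal redirect-url the way the erratum
# above describes. Not Juniper code; names and the strict character check are
# assumptions of this example.

# Escape table exactly as listed in the erratum.
ESCAPES = {":": "%3A", "/": "%2F", "-": "%2D", ".": "%2E"}

# The variable that forwards users to the resource they originally requested;
# it is passed through literally, not escaped.
DEST_URL_VARIABLE = "%dest-url%"


def escape_target(target: str) -> str:
    """Return the target URL with the erratum's escape characters substituted."""
    if target == DEST_URL_VARIABLE:
        return target
    out = []
    for ch in target:
        if ch in ESCAPES:
            out.append(ESCAPES[ch])
        elif ch.isalnum() or ch in "_~":
            out.append(ch)
        else:
            # Assumption: the page lists only four escapes, so anything else is
            # rejected rather than guessed at.
            raise ValueError(f"unsupported character {ch!r} in target URL")
    return "".join(out)


def build_redirect_url(ic_address: str, target: str) -> str:
    """Combine the Infranet Controller address with the escaped ?target= option."""
    return f"https://{ic_address}/?target={escape_target(target)}"


def captive_portal_command(policy: str, ic_address: str, target: str) -> str:
    """Render the full set command for the [edit services unified-access-control] level."""
    return (
        f"set services unified-access-control captive-portal {policy} "
        f"redirect-url {build_redirect_url(ic_address, target)}"
    )


if __name__ == "__main__":
    # Reproduces the corrected Step 2 from the erratum.
    print(captive_portal_command("my-captive-portal-policy", "192.168.0.100", "my-website.com"))
    # Forward users to the resource they originally asked for instead.
    print(captive_portal_command("my-captive-portal-policy", "192.168.0.100", DEST_URL_VARIABLE))
```

Running the block prints the corrected Step 2 command from the erratum; the Infranet Controller address is left unescaped because only the value after ?target= is subject to the substitution table.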

• The “Disabling Switching on SRX100, SRX210, SRX220, and SRX240 Devices Before Enabling Chassis Clustering” section of the Junos OS Security Configuration Guide incorrectly states the command to set the root user password. The following set of commands must be used to set the password:

1. Enter configuration mode.

2. Enter the following commands:

user@host# set system root-authentication plain-text-password

This setting is required if a root user password was not set.

user@host# delete vlans

user@host# delete interfaces

user@host# delete security zones security-zone trust interfaces

user@host# delete security zones security-zone untrust interfaces


user@host# commit

• In Chapter 9, "Understanding ALG Types," of the Junos OS Security Configuration Guide, an incorrect statement for configuring FTP_NO_GET and FTP_NO_PUT in the FTP ALG has been removed.

• In Chapter 38, "Reconnaissance Deterrence," of the Junos OS Security Configuration Guide, the graphics showed the sync check as being done after policy checking, which is incorrect. The graphics have been corrected.

WLAN

• The Junos OS WLAN Configuration and Administration Guide provides information on AX411 access point clustering. Access point clustering is no longer supported.

Errata for the Junos OS Hardware Documentation

This section lists outstanding issues with the hardware documentation.

J Series Services Routers Hardware Guide

• In the J Series Services Routers Hardware Guide, the procedure “Installing a DRAM Module” omits the following condition:

All DRAM modules installed in the router must be the same size (in megabytes), type, and manufacturer. The router might not work properly when DRAM modules of different sizes, types, or manufacturers are installed.

SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide

• In the “SRX Series Services Gateway Interfaces Power and Heat requirements” section, the PIM Power Consumption Values table lists the power consumption value for the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM as 3.18 W.

The correct power consumption value for the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM is 4.4 W.

SRX1400 Services Gateway Hardware Guide

• The SRX1400 Services Gateway Hardware Guide includes the following caution:

CAUTION: To comply with intrabuilding lightning/surge requirements, intrabuilding wiring must be shielded, and the shield for the wiring must be grounded at both ends.

This caution is not applicable.

• The SRX1400 Services Gateway Hardware Guide includes information about the following DC-powered SRX1400 Services Gateways:

• SRX1400BASE-XGE-DC

• SRX1400BASE-GE-DC

These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models.

• The fan tray LED table in the “Replacing the Fan Tray on the SRX1400 Services Gateway” section of the SRX1400 Services Gateway Hardware Guide erroneously documents the following:

Amber (on steadily): Fan tray LED cannot detect fan failure.

The correct information for this section is as follows: Amber LED (on steadily): Fan tray LED does not indicate fan failure.

• Some of the graphics in the SRX1400 Services Gateway Hardware Guide show the grounding lug attached to the front panel of the device. However, the SRX1400 Services Gateway is not shipped with the grounding lug attached to it.

• In the SRX1400 Services Gateway Hardware Guide, the following topics erroneously document the "RE ETHERNET" port as the "ETHERNET" port:

• Connecting the SRX1400 Services Gateway to a Network for Out-of-Band Management

• SRX1400 Services Gateway Software Configuration Overview

• The SRX1400 Services Gateway Hardware Guide and the SRX1400 Services Gateway Getting Started Guide are missing the following note:

NOTE: AC and DC power supply units are not interoperable between the SRX1400 Services Gateway and the SRX3000 and SRX5000 lines.

SRX1400 Services Gateway Getting Started Guide

• The SRX1400 Services Gateway Getting Started Guide includes information about the following DC-powered SRX1400 Services Gateways:

• SRX1400BASE-GE-DC

• SRX1400BASE-XGE-DC

These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models.

• In the SRX1400 Services Gateway Getting Started Guide, some of the graphics show the grounding lug attached to the front panel of the device. However, the SRX1400 Services Gateway is not shipped with the grounding lug attached to it.

• Some of the graphics in the SRX1400 Services Gateway Getting Started Guide show graphics with the grounding lug attached to the device front panel. The grounding lug is not attached to the device at the time of shipment.

• The SRX1400 Services Gateway Getting Started Guide should document the following statement:

You can replace the Network and Services Processing Card (NSPC) with the SRX3000 line Services Gateway Network Processing Card (NPC) and Services Processing Card (SPC). To install the NPC and SPC on the SRX1400 Services Gateway, you must order the Twin CFM holder tray (SRX1K3K-2CFM-TRAY) to hold two single-wide CFMs (NPC and SPC) separately. Contact your Juniper Networks customer service representative for more information.

• In the SRX1400 Services Gateway Getting Started Guide, the following sections erroneously document the "RE ETHERNET" port as the "ETHERNET" port:

• Step 5: Connect the External Devices and IOC Cables to the SRX1400 Services Gateway

• Step 7: Perform the Initial Software Configuration on the SRX1400 Services Gateway

Quick Start Guides

• The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick Start incorrectly document the specified order of the default set of codecs as 711-μ, G711-A, G729AB in the “Peer Call Server” section. The correct values are G711-μ, G711-A, G729AB.

• The SRX210 Services Gateway Quick Start and the SRX240 Services Gateway Quick Start are missing the following warning in the “Powering Off the Device” section:

WARNING: Use the graceful shutdown method to halt, power off, or reboot the services gateway. Use the forced shutdown method as a last resort to recover the services gateway if the services gateway operating system is not responding to the graceful shutdown method.

• In the SRX210 Services Gateway 3G ExpressCard Quick Start, several tasks are listed in the wrong order. “Task 6: Connect the External Antenna” should appear before “Task 3: Check the 3G ExpressCard Status,” because the user needs to connect the antenna before checking the status of the 3G ExpressCard. The correct order of the tasks is as follows:

• Before You Begin

• Install the 3G ExpressCard

• Connect the External Antenna

• Check the 3G ExpressCard Status

• Configure the 3G ExpressCard

• Activate the 3G ExpressCard Options

• In the SRX210 Services Gateway 3G ExpressCard Quick Start, in “Task 6: Connect the External Antenna,” the following sentence is incorrect and redundant:

"The antenna has a magnetic mount, so it must be placed far away from radio frequency noise sources including network components."

• In the SRX210 Services Gateway 3G ExpressCard Quick Start, in the “Frequently Asked Questions” section, the answer to the following question contains an inaccurate and redundant statement:

Q: Is an antenna required? How much does it cost?

A: The required antenna is packaged with the ExpressCard in the SRX210 Services Gateway 3G ExpressCard kit at no additional charge. The antenna will have a magnetic mount with ceiling and wall mount kits within the package.

In the answer, the sentence "The antenna will have a magnetic mount with ceiling and wall mount kits within the package" is incorrect and redundant.

Related Documentation

• New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 92

• Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 148

• Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 158

Hardware Requirements for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

• Transceiver Compatibility for SRX Series and J Series Devices on page 189

• Power and Heat Dissipation Requirements for J Series PIMs on page 189

• Supported Third-Party Hardware on page 190

• J Series CompactFlash and Memory Requirements on page 190

Transceiver Compatibility for SRX Series and J Series Devices

We strongly recommend that only transceivers provided by Juniper Networks be used on SRX Series and J Series interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.

Please contact Juniper Networks for the correct transceiver part number for your device.

Power and Heat Dissipation Requirements for J Series PIMs

On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs fall within the power and heat dissipation capacity of the chassis. If power management is enabled and the capacity is exceeded, the system prevents one or more of the PIMs from becoming active.

CAUTION: Disabling power management can result in hardware damage if you overload the chassis capacities.

You can also use CLI commands to choose which PIMs are disabled. For details about calculating the power and heat dissipation capacity of each PIM and troubleshooting procedures, see the J Series Services Routers Hardware Guide.

Supported Third-Party Hardware

The following third-party hardware is supported for use with J Series Services Routers running Junos OS.

USB Modem

We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR 5637.

Storage Devices

The USB slots on J Series Services Routers accept a USB storage device or USB storage device adapter with a CompactFlash card installed, as defined in the CompactFlash Specification published by the CompactFlash Association. When the USB device is installed and configured, it automatically acts as a secondary boot device if the primary CompactFlash card fails on startup. Depending on the size of the USB storage device, you can also configure it to receive any core files generated during a router failure. The USB device must have a storage capacity of at least 256 MB.

Table 17 on page 190 lists the USB and CompactFlash card devices supported for use with the J Series Services Routers.

Table 17: Supported Storage Devices on the J Series Services Routers

Manufacturer                                                        Storage Capacity   Third-Party Part Number
SanDisk—Cruzer Mini 2.0                                             256 MB             SDCZ2-256-A10
SanDisk                                                             512 MB             SDCZ3-512-A10
SanDisk                                                             1024 MB            SDCZ7-1024-A10
Kingston                                                            512 MB             DTI/512KR
Kingston                                                            1024 MB            DTI/1GBKR
SanDisk—ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II   N/A           SDDR-91-A15
SanDisk CompactFlash                                                512 MB             SDCFB-512-455
SanDisk CompactFlash                                                1 GB               SDCFB-1000.A10

J Series CompactFlash and Memory Requirements

Table 18 on page 191 lists the CompactFlash card and DRAM requirements for J Series Services Routers.

Table 18: J Series CompactFlash Card and DRAM Requirements

Model   Minimum CompactFlash Card Required   Minimum DRAM Required   Maximum DRAM Supported
J2320   512 MB                               512 MB                  1 GB
J2350   512 MB                               512 MB                  1 GB
J4350   512 MB                               512 MB                  2 GB
J6350   512 MB                               1 GB                    2 GB

Related Documentation

• New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 92

• Known Limitations in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 148

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 124

• Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 158

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 192

• Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 178

Maximizing ALG Sessions

On SRX3400, SRX3600, SRX5600, and SRX5800 devices, by default, the session capacity number for RTSP, FTP, and TFTP ALG sessions is 10,000 per flow SPU. The maximize-alg-sessions option enables you to increase defaults as follows:

• RTSP, FTP, and TFTP ALG session capacity: 25,000 sessions per flow SPU

• TCP Proxy connection capacity: 40,000 sessions per flow SPU

NOTE: Flow session capacity will be reduced to half per flow SPU and the above capacity numbers will not change on the central point SPU.

You can configure maximum ALG sessions as follows:

security {
    forwarding-process {
        application-services {
            maximize-alg-sessions;
        }
    }
}

You must reboot the device (and its peer in the chassis cluster) for the configuration to take effect.

Integrated Convergence Services Not Supported

Integrated Convergence Services is no longer supported. The Media-Gateway (MGW) versions of SRX Series low-end devices have been discontinued and are no longer supported. If you have an ICS-supported SKU, please contact Juniper Networks for further guidance.

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers

In order to upgrade to Junos OS Release 10.4 or later, your device must be running one of the following Junos OS Releases:

• 9.1S1

• 9.2R4

• 9.3R3

• 9.4R3

• 9.5R1 or later

If your device is running an earlier release, upgrade to one of these releases and then to the 10.4 release. For example, to upgrade from Release 9.2R1, first upgrade to Release 9.2R4 and then to Release 10.4.

For additional upgrade and download information, see the Junos OS Administration Guide for Security Devices and the Junos OS Migration Guide.

• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 192

Upgrade Policy for Junos OS Extended End-Of-Life Releases

An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases.

For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.

For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged.

For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.
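The 10.4 upgrade prerequisites listed above and the EEOL hop rule in this section, written out as a version check and path planner. This is an added example, not Juniper tooling; it assumes release strings of the form major.minor, a type letter and a build number (9.2R4, 9.1S1), that "9.5R1 or later" means any release in train 9.5 or a later train, and that 8.5 is itself an EEOL release as the section's example implies.

```python
import re
from typing import List, Tuple

# Added example, not Juniper tooling: encodes the Junos OS 10.4 upgrade
# prerequisites and the EEOL hop policy exactly as these release notes state them.

Version = Tuple[int, int, str, int]

# Release strings such as "9.2R4", "9.1S1" or "10.4R2": train major.minor,
# a release-type letter and a build number (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Z])(\d+)$")

# Exact releases from which a direct upgrade to 10.4 is supported (from the notes).
DIRECT_UPGRADE_BASES = ("9.1S1", "9.2R4", "9.3R3", "9.4R3")
# "9.5R1 or later": treated as any release in train 9.5 or a later train,
# because R1 is the first release of a train (assumption).
MIN_OPEN_ENDED_TRAIN = (9, 5)

# EEOL trains in release order. 9.3, 10.0 and 10.4 are named EEOL in the notes;
# 8.5 is included because the notes' worked example upgrades from it (assumption).
EEOL_TRAINS = ("8.5", "9.3", "10.0", "10.4")
EEOL_MAX_HOP = 2  # at most two adjacent EEOL releases per upgrade or downgrade


def parse_version(text: str) -> Version:
    """Split '9.2R4' into (9, 2, 'R', 4); reject anything that does not fit."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos OS version: {text!r}")
    major, minor, kind, build = m.groups()
    return int(major), int(minor), kind, int(build)


def train_of(v: Version) -> Tuple[int, int]:
    return v[0], v[1]


def can_upgrade_directly(running: str) -> bool:
    """True if the running release may be upgraded straight to 10.4."""
    rv = parse_version(running)
    if any(rv == parse_version(base) for base in DIRECT_UPGRADE_BASES):
        return True
    return train_of(rv) >= MIN_OPEN_ENDED_TRAIN


def upgrade_plan(running: str, target: str = "10.4") -> List[str]:
    """Ordered list of releases to install, ending at target.

    A device on an unsupported base is first brought to the listed base
    release of its own train (9.2R1 -> 9.2R4 -> 10.4, the notes' example).
    Trains with no listed base are reported rather than guessed.
    """
    if can_upgrade_directly(running):
        return [target]
    rv = parse_version(running)
    for base in DIRECT_UPGRADE_BASES:
        if train_of(parse_version(base)) == train_of(rv):
            return [base, target]
    raise ValueError(
        f"{running}: no supported intermediate release listed for train "
        f"{rv[0]}.{rv[1]}; consult the upgrade guide")


def eeol_path(start: str, target: str, max_hop: int = EEOL_MAX_HOP) -> List[str]:
    """Upgrade or downgrade path between two EEOL trains, moving at most
    max_hop adjacent EEOL releases per step; returns every release to install."""
    cur, end = EEOL_TRAINS.index(start), EEOL_TRAINS.index(target)
    path = [start]
    while cur != end:
        # Jump as far as the policy allows, but never past the target.
        cur = min(cur + max_hop, end) if end > cur else max(cur - max_hop, end)
        path.append(EEOL_TRAINS[cur])
    return path


if __name__ == "__main__":
    for running in ("9.2R1", "9.3R3", "10.0R3"):
        print(running, "->", " -> ".join(upgrade_plan(running)))
    print("EEOL 8.5 -> 10.4:", " -> ".join(eeol_path("8.5", "10.4")))
    print("EEOL 10.4 -> 8.5:", " -> ".join(eeol_path("10.4", "8.5")))
```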

Junos OS Release Notes for EX Series Switches

• New Features in Junos OS Release 10.4 for EX Series Switches on page 194

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 196

• Limitations in Junos OS Release 10.4 for EX Series Switches on page 197

• Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202

• Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206

• Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 211

New Features in Junos OS Release 10.4 for EX Series Switches

New features in Release 10.4 of the Junos operating system (Junos OS) for EX Series switches are described in this section.

Not all EX Series software features are supported on all EX Series switches in the current release. For a list of all EX Series software features and their platform support, see EX Series Switch Software Features Overview.

New features are described on the following pages:

• Hardware on page 194

• Bridging, VLANs, and Spanning Trees on page 195

• Class of Service (CoS) on page 195

• Fibre Channel over Ethernet on page 195

• High Availability on page 195

• Infrastructure on page 195

• Management and RMON on page 195

• Packet Filters on page 196

• Virtual Chassis on page 196

Hardware

• XRE200 External Routing Engine—The XRE200 External Routing Engine is used to create a Virtual Chassis composed of Juniper Networks EX8200 Ethernet Switches. A Virtual Chassis is multiple switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis include better-managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop-prevention protocols such as Spanning Tree Protocol (STP).

• New optical transceiver support—The SFP+ uplink module in EX4500 switches now supports one new optical transceiver: EX-SFP-10GE-LRM (10GBase-LRM, 220 m).

Bridging, VLANs, and Spanning Trees

• PVLAN configuration—A private VLAN (PVLAN) can be configured to span multiple switches.

Class of Service (CoS)

• IPv6 CoS support on EX8200 switches—Classification of IPv6 packets is now supported on EX8200 switches. You can configure rewrite rules for IPv6 packets.

Fibre Channel over Ethernet

• FIP snooping—FIP snooping is supported on EX4500 switches. FIP snooping is a security feature that can be used to prevent man-in-the-middle attacks when the switch is being used as a Fibre Channel over Ethernet (FCoE) transit switch.

• Priority-based flow control—Priority-based flow control (PFC) is supported on EX4500 switches. PFC, IEEE standard 802.1Qbb, is a link-level flow-control mechanism that allows you to selectively pause traffic according to its class. PFC must be used for Fibre Channel over Ethernet (FCoE) traffic.

High Availability

• Nonstop active routing (NSR)—Nonstop active routing (NSR) is now supported on EX8200 switches that have multiple Routing Engines installed. You can configure nonstop active routing to enable the transparent switchover of the Routing Engines without restart of supported routing protocols. In this Junos OS release, NSR supports only the OSPFv2 protocol. Other protocols might also work but are not supported.

• Nonstop software upgrade (NSSU)—Nonstop software upgrade (NSSU) is a new high availability feature supported on EX8200 switches with redundant Routing Engines. An NSSU upgrades the software running on both Routing Engines with a single command and with minimal traffic disruption.

Infrastructure

• Distributed Periodic Packet Management (PPM) Bidirectional Forwarding Detection (BFD) Support—PPM processing of BFD traffic is now supported on EX3200, EX4200, and EX8200 switches.

• IPv6 support on EX4500 switches—EX4500 switches support IPv6 addresses for in-band management on the management interface and on network interfaces.

• Multicast storm control—On EX Series switches, storm control, when enabled on an interface, applies to multicast traffic in addition to broadcast and unknown unicast traffic. On EX8200 switches, you can selectively disable storm control on registered multicast traffic, unregistered multicast traffic, or both types of multicast traffic.

Management and RMON

• J-Web interface support for the 40-port SFP+ line card for EX8200 switches—J-Web interface support has been added for the 40-port SFP+ line card for EX8200 switches.

• sFlow technology enhancements—You can now specify an egress or ingress rate at which packets can be sampled.

Packet Filters

• Firewall filters on a management interface—You can now configure a firewall filter on a management interface on an EX Series switch to filter ingress or egress traffic on the interface.

• Support for VLAN and router (Layer 3) firewall filters on EX4500 switches—On EX4500 switches, VLAN and router (Layer 3) firewall filters are supported for IPv4 traffic.

Virtual Chassis

• EX8200 Virtual Chassis—EX8200 switches can now be connected to form a Virtual Chassis. The EX8200 Virtual Chassis is formed by connecting EX8200 switches to an XRE200 External Routing Engine. An EX8200 Virtual Chassis is multiple EX8200 switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis include better-managed bandwidth at a network layer, simplified configuration and maintenance because multiple devices can be managed as a single device, and a simplified Layer 2 network topology that minimizes or eliminates the need for loop-prevention protocols such as Spanning Tree Protocol (STP).

Related Documentation

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 196

• Limitations in Junos OS Release 10.4 for EX Series Switches on page 197

• Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202

• Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206

• Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 211

Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches

The following changes in system behavior, configuration statement usage, or operational mode command usage have occurred since the previous release and might not yet be documented in the JUNOS OS for EX Series switches documentation:

Bridging, VLANs, and Spanning Trees

Layer 2 protocol tunneling (L2PT) on EX Series switches now supports the Unidirectional Link Detection (UDLD) protocol.

Class of Service

Beginning in Junos OS Release 10.2, you can configure multiple class-of-service (CoS) rewrite rules for DSCP, IP precedence, and IEEE 802.1p. Rewrite rules are not assigned to interfaces by default, and for rewrites to occur, you must assign a user-defined rewrite rule or system-defined rewrite rule to an interface. For releases earlier than Junos OS Release 10.2, EX8200 switches supported a single global rewrite rule assigned to all Layer 2 interfaces and routed VLAN interfaces (RVIs).

When you upgrade from Junos OS releases earlier than Release 10.2 to Junos OS Release 10.2 or later, you must configure custom rewrite rules and assign them to an interface or assign the system-defined rewrite rules to an interface for rewrites to occur.

Related Documentation

• New Features in Junos OS Release 10.4 for EX Series Switches on page 194

• Limitations in Junos OS Release 10.4 for EX Series Switches on page 197

• Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202

• Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206

• Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 211

Limitations in Junos OS Release 10.4 for EX Series Switches

This section lists the limitations in Junos OS Release 10.4R2 for EX Series switches.

Access Control and Port Security

• When you have configured more than 1024 supplicants on a single interface, 802.1X authentication might not work as expected and the 802.1X process (dot1xd) might fail.

• The RADIUS request sent by an EX Series switch contains both Extensible Authentication Protocol (EAP) Identity Response and State attributes.

• When an external RADIUS server goes offline and comes back online after some time (perhaps about 30 minutes), subsequent captive portal authentication requests might fail until the authd daemon is restarted. As a workaround, configure the revert interval—the time after which to revert to the primary server—and restart the authd daemon.

• On EX4200 switches, if you have used the EAP-TTLS authentication protocol to authenticate 802.1X supplicants when configuring the RADIUS server, and if the supplicant sends invalid credentials, the host never starts because the RADIUS server does not send a failure message to the switch.

Bridging, VLANs, and Spanning Trees

• On EX4200 switches, if you have configured bridge protocol data unit (BPDU) protection on all interfaces and disabled the spanning-tree protocol, BPDU protection might not work.

• When a switch is running Virtual Routing Redundancy Protocol (VRRP) and you enable or disable a large number (on the order of 50 or more) of routed VLAN interfaces (RVIs), the STP topology might change for a short period of time during the commit process.

Class of Service

• On EX8200 switches, classification of packets using ingress firewall filter rules with forwarding-class and loss-priority configurations does not rewrite the DSCP or 802.1p bits. Rewriting of packets is determined by the forwarding-class and loss-priority values set in the DSCP classifier applied on the interface.

• On EX4200 switches, traffic is shaped at rates above 500 Kbps, even when the shaping rate configured is less than 500 Kbps.

Ethernet Switching

• If you perform graceful Routing Engine switchover (GRES) on an EX4200 or an EX8200 switch, the Ethernet switching table might not refresh because the Packet Forwarding Engine retains the forwarding database (FDB) entries. The result is that traffic is flooded to the affected MAC addresses. As a workaround, refresh the Ethernet switching table by issuing the clear ethernet-switching table command.

Firewall Filters

• On EX3200 and EX4200 switches, when interface ranges or VLAN ranges are used in configuring firewall filters, egress firewall filter rules take more than five minutes to install.

• On EX3200 and EX4200 switches, IGMP packets are not matched by user-configured firewall filters.

• When you enable the filter-id attribute on the RADIUS server for a particular client, one of the required 802.1X authentication rules is not inserted in the IPv6 database. IPv6 traffic on the authenticated interface is not filtered; only IPv4 traffic is filtered on that interface.

• On EX8200 switches and the XRE200 External Routing Engine, if you apply different firewall filters to different VLANs, only the filter applied to the first VLAN is applied correctly. For example, if you issue commands to apply filter f1 to VLAN1, filter f2 to VLAN2, and filter f3 to VLAN3, filter f1 applies correctly, but filters f2 and f3 are not applied to any VLANs. As a workaround, merge all the VLAN filters into one single filter and apply that filter to all the VLANs. You can use the vlan match condition in the firewall filter terms to differentiate the rules for each of the VLANs.

Hardware

• On 40-port SFP+ line cards for EX8200 switches, the LEDs on the left of the network ports do not blink to indicate that there is link activity if you set the speed of the network ports to 10/100/1000 Mbps. However, if you set the speed to 10 Gbps, the LEDs blink.

• If you press the reset button on the Switch Fabric and Routing Engine (SRE) module in an EX8208 switch without taking the module offline first (by using the CLI), the fabric planes in the module might not come back online.

• On 40-port SFP+ line cards installed in EX8200 switches, it takes about 10 seconds for the network ports to come up after you reboot the switch or restart a line card.

• On the LCD Panel, in the Menu Options, under the MAINT (Maintenance Menu), the option Request VC Port with the further option Set FPC 0?, is not supported on standalone EX4500 switches even though these options are displayed on the LCD Panel.

High Availability

• On EX8216 switches on which nonstop active routing (NSR) is configured, after a graceful Routing Engine switchover (GRES), the routing protocol process (rpd) might be delayed until state replication finishes. The duration of the delay depends on the scale of the setup. During this delay, operational mode commands for the rpd process do not provide current information.

Infrastructure

• If you configure interface parameters on an EX3200 or an EX4200 switch running Junos OS Release 9.2 or Release 9.3 for EX Series switches and then attempt to upgrade to a later release or a later version of Release 9.3 than the one that is currently installed, the switch might display the following error message: “init: interface-control is thrashing , not restarted”. As a workaround, on the interfaces you had previously configured, configure no-auto-negotiation and set the link mode to full-duplex, then commit the revised configuration.

• On EX Series switches, an SNMP query fails when the SNMP index size of a table is greater than 128 bytes, because the Net SNMP tool does not support SNMP index sizes greater than 128 bytes.

• On EX Series switches, the show snmp mib walk etherMIB command does not display any output, even though the etherMIB is supported. This occurs because the values are not populated at the module level—they are populated at the table level only. You can issue show snmp mib walk dot3StatsTable, show snmp mib walk dot3PauseTable, and show snmp mib walk dot3ControlTable commands to display the output at the table level.

• When you issue the request system power-off command, the switch halts instead of turning off power.

• In the J-Web interface, the Ethernet Switching Monitor page might not display monitoring details if the switch has more than 13,000 MAC entries.

• In the J-Web interface, changing the port role from Desktop, Desktop and Phone, or Layer 2 Uplink to another port role might not remove the configurations for enabling dynamic ARP inspection and DHCP snooping.

• On EX3200 and EX4200 switches that are configured with the factory default configuration, if you use the command set date to change the date, the switches accept the date but display the following error message: “date: connect: Can't assign requested address”.

• On EX8208 switches, when a line card that has no interface configurations and is not connected to any device is taken offline using the command request chassis fpc-slot slot-number offline, the Bidirectional Forwarding Detection process (bfd) starts and stops repeatedly. The same bfd process behavior occurs on a line card that is connected to a Layer 3 domain when another line card that is on the same switch and is connected to a Layer 2 domain is taken offline.

• If you install a large configuration (more than 5 MB)—for example, if you install more than four 40-port SFP+ line cards—in an EX8200 switch, the error message “Configuration on the Switch is too large for JWeb to handle. Please use the CLI to manipulate the configuration” is displayed in the Support Information page (Maintain > Customer Support > Support Information) in the J-Web interface.

• If you perform a graceful Routing Engine switchover (GRES) on an EX Series switch that has a large number (on the order of 1000 or more) of unresolved ARP entries, core files are created on the backup Routing Engine.

• On EX8200 switches, if IS-IS is enabled on routed VLAN interfaces (RVIs), IS-IS adjacency states go down and come up after a graceful Routing Engine switchover (GRES).

• Momentary loss of an inter-Routing Engine IPC message might trigger the alarm that displays the message “Loss of communication with Backup RE”. However, no functionality is affected.

• If you perform graceful Routing Engine switchover (GRES) on an EX4200 or an EX8200 switch, the Ethernet switching table might not refresh because the Packet Forwarding Engine retains the forwarding database (FDB) entries. The result is that traffic is flooded to the affected MAC addresses. As a workaround, refresh the Ethernet switching table by issuing the clear ethernet-switching table command.

• On EX4500 switches running IPv6, when you send a large number of pings to the switch in quick succession, packet loss might occur because of low values configured for rate limiting.

Interfaces

• EX Series switches do not support queued packet counters. Therefore, the queued packet counter in the output of the show interfaces interface-name extensive command always displays a count of 0 and is never updated.

• On EX3200 and EX4200 switches, when port mirroring is configured on any interface, the mirrored packets leaving a tagged interface might contain an incorrect VLAN ID.

• On EX8200 switches, port mirroring configuration is not supported on a Layer 3 interface with the output configured to a VLAN.

• On EX8200 switches, when an egress VLAN that belongs to a routed VLAN interface (RVI) is configured as the input for a port mirroring analyzer, the analyzer incorrectly appends a dot1q (802.1Q) header to the mirrored packets or does not mirror any packets at all. As a workaround, configure a port mirroring analyzer with each port of the VLAN as egress input.

• The following interface counters are not supported on routed VLAN interfaces (RVIs): local statistics, traffic statistics, and transit statistics.


• EX Series switches do not support IPv6 interface statistics. Therefore, all values in the output of the show snmp mib walk ipv6IfStatsTable command always display a count of 0.

• On EX Series switches, when a firewall filter is applied on the loopback (lo0) interface, the switch stops generating local ARP requests for transit traffic.

• The show interfaces interface-name detail | extensive command might display double counting of packets or bytes for the transit statistics and traffic statistics counters. You can use the counter information displayed under the Physical interface section of the output.

• When MVRP is configured on a trunk interface, you cannot configure connectivity fault management (CFM) on that interface.

• On EX Series switches, if you clear LAG interface statistics while the LAG is down, then bring up the LAG and pass traffic without checking for statistics, and finally bring the LAG interface down and check interface statistics again, the statistics might be inaccurate. As a workaround, use the show interfaces interface-name command to check LAG interface statistics before bringing down the interface. [PR/542018]

• If you insert Gigabit Ethernet transceivers in 40-port SFP+ line cards installed in EX8200 switches, the transceivers are incorrectly shown as copper transceivers in the image of the switch in the Dashboard page in the J-Web interface.

• When you are editing an interface-range configuration in the private mode, if you change the end of the range of the member-range statement, the configuration might fail. As a workaround, edit the end of the range of the member-range statement in the configuration mode.

J-Web Interface

• If you try to commit a candidate configuration in the CLI using the Point and Click CLI in the J-Web interface, an error is displayed on the configuration page.

Layer 2 and Layer 3 Protocols

• IGMP snooping is not supported on a VLAN that includes a routed VLAN interface (RVI) that is configured as part of a virtual routing instance.

Spanning Tree Protocols

• If you delete multiple spanning-tree protocol interfaces from a configuration using a single commit command and then add the interfaces back to the configuration, the spanning-tree protocol packets might be dropped. As a workaround, use a separate commit command to delete each spanning-tree protocol interface.

Virtual Chassis

• On EX8200 Virtual Chassis systems, ECMP might not work for links present between Virtual Chassis.

• On an EX8200 Virtual Chassis with a single hard disk, the hard disk might not boot. The error message is "TIMEOUT - WRITE_DMA retrying".


• After you reboot or upgrade the software on members of an EX8200 Virtual Chassis, the FPCs might not come up for more than eight minutes when the Virtual Chassis has a square topology. (This is a topology in which the Routing Engines of member 0 connect to those of member 8, the Routing Engines of member 1 connect to those of member 9, member 8 connects to member 9, and a VCP LAG forms between members 0 and 1.)

Related Documentation

• New Features in Junos OS Release 10.4 for EX Series Switches on page 194

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 196

• Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202

• Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206

• Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 211

Outstanding Issues in Junos OS Release 10.4 for EX Series Switches

The following are outstanding issues in Junos OS Release 10.4R2 for EX Series switches. The identifier following the description is the tracking number in our bug database.

NOTE: Other software issues that are common to both EX Series switches and M, MX, and T Series routers are listed in “Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers” on page 55.

Access Control and Port Security

• When you configure 802.1X bypass, the client becomes unreachable each time the MAC age time interval increments. [PR/536316]

Bridging, VLANs, and Spanning Trees

• When the primary redundant trunk group (RTG) interface is disabled, causing an RTG switchover, MAC entries on the upstream switches are refreshed. However, when the primary RTG link is enabled, the MAC entries are not refreshed on the upstream switches. [PR/555158]

• If you enable all VRRP sessions simultaneously on a switch with a large number (on the order of 200 or more) of VRRP configurations, RSTP convergence might not occur. As a workaround, do not enable all VRRP sessions simultaneously if the switch’s VRRP configuration is large. [PR/556114]

Ethernet Switching

• When the pfem restarts, EX Series switches cannot receive Q-in-Q frames and drop them all. [PR/527117]


• On EX4500 switches, if you activate and then deactivate a firewall filter configuration, VSTP convergence might not occur properly. As a workaround, restart the Ethernet switching process (eswd). [PR/548446]

• On an interface that is receiving storm traffic, if you use the set ethernet-switching-options storm-control action-shutdown command to disable the interface, it can take up to 30 seconds for the interface to shut down. [PR/556107]

Firewall Filters

• On EX4200 switches, if you configure a firewall filter with the match condition tcp-established, the error message "not supported" is displayed. [PR/543316]

Hardware

• On EX4200 switches, the uplink port status LED on the 4-port Gigabit Ethernet SFP does not properly indicate the status of the uplink port. [PR/528070]

• If no Intraconnect module or Virtual Chassis module is installed in EX4500 switches, the switch boots but is not fully functional. Traffic loss can occur during packet forwarding. [PR/544628]

Infrastructure

• On EX8200 switches, when IGMP snooping is enabled on an interface, the IPv6 multicast Layer 2 control frame is not forwarded to other interfaces in the same VLAN. The result is that IPv6 and VRRP for IPv6 neighbor solicitation fails. [PR/456700]

• On EX8200 switches, when you perform a graceful Routing Engine switchover (GRES) or when you restart Ethernet switching on any spanning-tree protocol domain, a loop might occur. [PR/516611]

• On EX8200 switches, if a log or a syslog action is configured along with an interface action in a firewall filter configuration, logging does not work. [PR/540097]

• On EX8200 switches, the LACP process (lacpd) might start and stop repeatedly when traffic to the Routing Engine is heavy. [PR/542897]

• On EX4200 switches, the SFP+ uplink module might not work correctly even though the link status is UP. [PR/569307]

• On EX4500 switches, if more than 14 ports in the switch are subscribed to a 10-gigabit full-duplex rate of traffic, the switch might not be able to achieve a 10-gigabit wire rate for 64 and 128 byte packets. There is no impact on performance if the number of ports actively involved in 10-gigabit wire-rate traffic is 14 or fewer or if the packet size is greater than 150 bytes. [PR/573319]

• If you set a custom chassis display message with the set chassis display message message command, the message might remain on the LCD panel indefinitely even though you did not include the permanent option in your command. [PR/579234]

• On EX8200 switches, when you are upgrading the line cards, the nonstop software upgrade (NSSU) process might abort. The system generates a core file when this happens. [PR/580494]


J-Web Interface

• In the J-Web interface, you cannot commit some configuration changes in the Port Configuration page and the VLAN Configuration page because of the following limitations for port mirroring ports and port mirroring VLANs:

• A port configured as the output port for an analyzer cannot be a member of any VLAN other than the default VLAN.

• A VLAN configured to receive analyzer output can be associated with only one port.

[PR/400814]

• When you use the Microsoft Internet Explorer browser to open a report from the following pages in the J-Web interface, the report opens in the same browser session:

• Files page (Maintain > Files)

• History page (Maintain > Config Management > History)

• Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)

• Static Routing page (Monitor > Routing > Route Information)

• Support Information page (Maintain > Customer Support > Support Information)

• View Events page (Monitor > Events and Alarms > View Events)

As a workaround, save the report and then open it.

[PR/433883]

• In the J-Web interface, in the Port Security Configuration page, you are required to configure action when you configure MAC limit even though configuring an action value is not mandatory in the CLI. [PR/434836]

• In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration page, the Global Information table in the BGP Configuration page, or the Add Interface window in the LACP Configuration page, if you try to change the position of columns using the drag-and-drop method, only the column header moves to the new position instead of the entire column. [PR/465030]

• If a large number of static routes are configured and if you have navigated to pages other than page 1 in the Route Information table in the J-Web interface (Monitor > Routing > Route Information), changing the Route Table to query other routes refreshes the page but does not return to page 1. For example, if you run a query from page 3 and the new query returns very few results, the Results table continues to display page 3 and shows no results. To view the results, navigate to page 1 manually. [PR/476338]

• In the J-Web interface, the dashboard does not display the uplink ports or uplink module ports unless transceivers are plugged into the ports. [PR/477549]

• The J-Web interface Static Routing page might not display details on entries registered in the routing table. [PR/483885]

• In the J-Web interface, the Software Upload and Install Package option might not display a warning message when there are pending changes to be committed. [PR/514853]


• On EX4500 switches, the J-Web interface might display the following as valid options although these options are not supported on EX4500 switches:

• DHCP snooping in the Edit Port Role window in the Ports Configuration page

• Input filter association in the VLAN Configuration page

[PR/525671]

• When you use an HTTPS connection in the Microsoft Internet Explorer browser to save a report from the following pages in the J-Web interface, the error message “Internet Explorer was not able to open the Internet site” is displayed:

• Files page (Maintain > Files)

• History page (Maintain > Config Management > History)

• Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)

• Static Routing page (Monitor > Routing > Route Information)

• Support Information page (Maintain > Customer Support > Support Information)

• View Events page (Monitor > Events and Alarms > View Events)

[PR/542887]

• If you configure 802.1X on an EX Series switch, the J-Web interface performance slows down. [PR/543298]

• On EX4500 switches and on EX4200-24F switches, the total number of ports displayed in the dashboard (Dashboard > Capacity Utilization > Total number of ports) in the J-Web interface increases every 2 seconds, each time an automatic refresh occurs. [PR/543913]

• When you open a J-Web session using HTTPS, then enter a username and password and click on the Login button, the J-Web interface takes 20 seconds longer to launch and load the Dashboard page than it does if you use HTTP. [PR/549934]

• If you navigate to a new page before all the components of a page in the J-Web interface are loaded, a pop-up window with the error message “Object Expected” is displayed. [PR/567756]

• In the J-Web interface, aggregated Ethernet interfaces are not populated in the Port Association table. [PR/579555]

Layer 2 and Layer 3 Protocols

• On EX8200 switches, if you take a line card offline when GRES and IGMP snooping are enabled, existing multicast traffic might be affected because indexes are not updated correctly. [PR/569637]

• On an EX4200 Virtual Chassis, when you configure the RPM hardware timestamp with the hardware-timestamp configuration statement, the show services rpm probe-results command displays the hardware timestamp status as "No hardware timestamps". As a workaround, do not configure a source address for RPM probes. Packets are sent and received on the same interface. This problem does not occur if both egress and ingress interfaces are on the same Virtual Chassis member. [PR/578734]

Management and RMON

• On EX8200 switches, when an egress VLAN that belongs to a routed VLAN interface (RVI) is configured as the input for a port mirroring analyzer, the analyzer appends an incorrect dot1q (802.1Q) header to the mirrored packets on the routed traffic or does not mirror any packets on the routed traffic. As a workaround, configure a port mirroring analyzer with each port of the VLAN as egress input. [PR/445393]

Virtual Chassis

• On an EX4200 Virtual Chassis, an automatic software update fails if you have configured preprovisioning or mastership priority. [PR/557981]

Related Documentation

• New Features in Junos OS Release 10.4 for EX Series Switches on page 194

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 196

• Limitations in Junos OS Release 10.4 for EX Series Switches on page 197

• Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206

• Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 211

Resolved Issues in Junos OS Release 10.4 for EX Series Switches

The following are the issues that have been resolved since Junos OS Release 10.3 for EX Series switches. The identifier following the descriptions is the tracking number in our bug database.

NOTE: Other software issues that are common to both EX Series switches and M, MX, and T Series routers are listed in “Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers” on page 55.


Access Control and Port Security

• If you connect a computer to a phone that is connected to an interface supporting multiple supplicants on an EX2200 switch, the Telecommunications Industry Association (TIA) network policy in the LLDP-MED packets from the EX2200 switch reports an incorrect VLAN and the phone might lose connectivity. [PR/542810: This issue has been resolved.]

Ethernet Switching

• A LAG between an EX4200 Virtual Chassis and Cisco 6500 switch might not recover when the EX Virtual Chassis master switch is power-cycled. [PR/505069: This issue has been resolved.]

Hardware

• EX8200 switches might not detect the front-panel LCD display. [PR/553144: This issue has been resolved.]

• After you have disabled an interface on an EX2200 switch, the LED is still lit on that interface. [PR/553219: This issue has been resolved.]

Infrastructure

• If an SRE module, RE module, SF module, line card, or Virtual Chassis member is in offline mode, the J-Web interface might not update the dashboard image accordingly. [PR/431441: This issue has been resolved.]

• On EX Series switches, MAC addresses not present in the forwarding database (FDB) because of hash collision are not removed from the Ethernet switching process (eswd). These MAC addresses do not age out of the Ethernet switching table even if traffic is stopped completely and are never relearned when traffic is sent to these MAC addresses, even when there is no hash collision. As a workaround, clear those MAC addresses from the Ethernet switching table. [PR/451431: This issue has been resolved.]

• When multicast packets are transmitted from interfaces on which PIM is not enabled, VRRP might flap. [PR/520194: This issue has been resolved.]

• On EX8200 switches, packets with unregistered Layer 2 multicast MAC addresses are not dropped on interfaces in the STP blocked state, resulting in some traffic loops that might impact network performance. [PR/541123: This issue has been resolved.]

• On EX2200, EX3200, EX4200, and EX4500 switches, if you configure a large number of VLANS and aggregated Ethernet interfaces and commit the configuration, the forwarding process (pfem) utilization stays at 80 percent for more than 60 minutes. As a result, the aggregated Ethernet interfaces cannot be used until the pfem usage reduces to normal limits. [PR/544433: This issue has been resolved.]

• On EX4200 switches, spurious packets (packets with unsupported fields) arriving at the backup Routing Engine while a GRES operation is in progress can cause a kernel crash (vmcore). [PR/546314: This issue has been resolved.]


• When the configured DNS server is not reachable, name resolution for localhost takes a long time and the output of the show ntp association command takes a long time to appear. [PR/551739: This issue has been resolved.]

• During a nonstop software upgrade (NSSU) on EX8200 switches, if the number of routes is greater than about 100,000, the graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) synchronization might take longer than two minutes. The result is that the NSSU timers expire and the NSSU operation aborts. [PR/559223: This issue has been resolved.]

• If a Routing Engine fails over to the backup Routing Engine, not all multicast groups that were active on the switch recover. [PR/563030: This issue has been resolved.]

• During the TFTP transfer portion of an automatic software download procedure, the software package might be truncated or corrupted. [PR/570901: This issue has been resolved.]

• The Ethernet switching process (eswd) might crash and then recover when the following change is made in CLI (either in a single commit or in separate commits):

• First, you remove an interface from interface range on which VoIP is configured.

• Then, you either delete the removed interface or change its address family to a family other than ethernet-switching.

[PR/571863: This issue has been resolved.]

• On an EX4200 Virtual Chassis, a pfem core file might be created if all the 802.1x (dot1x) interfaces are in the held state or the connecting state. [PR/571865: This issue has been resolved.]

• On an EX4200 Virtual Chassis, a large number of awk processes and defunct processes might be running. [PR/576621: This issue has been resolved.]

Interfaces

• On a 40-port SFP+ line card in an EX8200 switch, if you assign different shaping rates to different ports in a port group, you do not receive an error message when you commit the configuration, and no error is logged in the system log. As a workaround, configure the same shaping rate on all ports in a port group. [PR/524073: This issue has been resolved.]

• In a Q-in-Q tunneling configuration that includes aggregated Ethernet interfaces (LAGs), after a pfem process restart, the member interfaces in the VLAN might be incorrectly set. [PR/527117: This issue has been resolved.]

• On EX Series switches, the configured interface hold time does not work. [PR/537477: This issue has been resolved.]

• On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the command-line interface (CLI), automatic command completion does not work. [PR/561565: This issue has been resolved.]


• On EX4500 switches, when you are configuring Gigabit Ethernet interfaces from the command-line interface (CLI), automatic command completion does not work. [PR/561695]

• On EX4200 switches, autonegotiation bypass, which allows a link on Gigabit Ethernet SFPs to begin operation even if autonegotiation is disabled on the link partner, fails to bring up the link. [PR/571198: This issue has been resolved.]

J-Web Interface

• In the J-Web interface, the automatic command-completion feature might not be disabled in the password field. As a workaround, you can disable the automatic command-completion feature in the browser. [PR/508425: This issue has been resolved.]

• If you have a candidate configuration in the CLI and you try to commit configuration changes using the Point and Click CLI in the J-Web interface, the configuration page displays an error. [PR/514771: This issue has been resolved.]

• In the J-Web interface, when you select the Ethernet Switching Monitor page (Monitor > Switching > Ethernet Switching), the MAC learning log might not display information. [PR/535200: This issue has been resolved.]

• In the LACP (Link Aggregation Control Protocol) Configuration page in the J-Web interface (Configure > Interfaces > Link Aggregation), the Delete button is disabled even when you select an aggregated Ethernet interface configured with a physical interface, VLAN, and IP option. As a workaround, delete the physical interface, VLAN, and IP option from the aggregated Ethernet interface using the CLI. [PR/546411: This issue has been resolved.]

• In the J-Web interface, when you use an HTTPS connection in the Microsoft Internet Explorer browser, you cannot upload (Maintain > Config Management > Upload) or download (Maintain > Config Management > History > Configuration History) a configuration file. As a workaround, use an HTTP connection. [PR/551200: This issue has been resolved.]

• When no line card is installed in an EX8208 switch, if you:

• Navigate to the Port Monitoring page (Monitor > Interfaces) in the J-Web interface, a pop-up window with the error message “'gridData.0' is null or not an object” is displayed.

• Select the displayed interface and click the Show Graph button, a pop-up window with the error message “'selected FpcName' is undefined” is displayed.

[PR/562454: This issue has been resolved.]

• The dashboard in the J-Web interface might not refresh automatically if you navigate back and forth between the Dashboard page and other pages. [PR/566359: This issue has been resolved.]


Layer 2 and Layer 3 Protocols

• If there are many joins associated with a neighbor and that neighbor goes down and comes back up quickly, then those joins might be stranded in an unresolved state until the clear pim join command is issued. [PR/539962: This issue has been resolved.]

• PIM join messages sent from an EX8208 switch to a Cisco RP using Auto-RP show the upstream neighbor as being the EX8208 switch itself and not the Cisco RP. [PR/557130: This issue has been resolved.]

Management and RMON

• On EX4200 switches, the LACP process (lacpd) creates core files when an SNMP MIB lookup is performed. [PR/533226: This issue has been resolved.]

Virtual Chassis

• On an EX4200 Virtual Chassis, after you run the request system reboot member master-member-id member-id command, the master Virtual Chassis member fails to reboot. That is, you cannot reboot only the master switch on the Virtual Chassis. [PR/572936: This issue has been resolved.]

Related Documentation

• New Features in Junos OS Release 10.4 for EX Series Switches on page 194

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 196

• Limitations in Junos OS Release 10.4 for EX Series Switches on page 197

• Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202

• Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 211

Errata in Documentation for Junos OS Release 10.4 for EX Series Switches

This section lists outstanding issues with the documentation.

J-Web Interface

• To access the J-Web interface, your management device requires the following software:

• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version 3.0

• Language support—English-version browsers


• Supported OS—Microsoft Windows XP Service Pack 3

Virtual Chassis

• The EX Series Switch Software Features Overview topic in the EX Series Junos OS Release 10.4R1 documentation incorrectly states that, on EX8200 Virtual Chassis, the IP source guard feature is supported in Junos OS Release 10.3R1 and that the multicast storm control feature is supported in Junos OS Release 10.3R2. These features are not supported on EX8200 Virtual Chassis.

Related Documentation

• New Features in Junos OS Release 10.4 for EX Series Switches on page 194

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 196

• Limitations in Junos OS Release 10.4 for EX Series Switches on page 197

• Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202

• Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206

• Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 211

Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches

The following pages list the issues in Junos OS Release 10.4R2 for EX Series switches regarding software upgrade or downgrade:

• Upgrading Software on page 211

• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 212

• Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches on page 213

• Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches on page 213

Upgrading Software

You can use this procedure to upgrade Junos OS on an EX Series switch with a single Routing Engine, including an individual member of an EX4200 Virtual Chassis or all members of an EX4200 Virtual Chassis or an EX8200 switch using a single Routing Engine. To upgrade software on an EX8200 switch running two Routing Engines, see Installing Software on an EX8200 Switch with Redundant Routing Engines (CLI Procedure) or Upgrading Software Using Nonstop Software Upgrade (CLI Procedure).

To install software upgrades on a switch with a single Routing Engine:

1. Download the software package as described in Downloading Software Packages from Juniper Networks.

2. (Optional) Back up the current software configuration to a second storage option. See the Junos OS Installation and Upgrade Guide at http://www.juniper.net/techpubs/software/junos/index.html for instructions.


3. (Optional) Copy the software package to the switch. We recommend that you use FTP to copy the file to the /var/tmp directory.

This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location.

4. Install the new package on the switch:

user@switch> request system software add package

Replace package with one of the following paths:

• For a software package in a local directory on the switch—/var/tmp/package.tgz.

• For a software package on a remote server:

• ftp://hostname/pathname/package.tgz

• http://hostname/pathname/package.tgz

where package.tgz is, for example, jinstall-ex-4200-10.3R1.8-domestic-signed.tgz.

Include the optional member option to install the software package on only one member of an EX4200 Virtual Chassis:

user@switch> request system software add source member member-id reboot

Other members of the Virtual Chassis are not affected. To install the software on all members of the Virtual Chassis, do not include the member option.

NOTE: To abort the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, jinstall-ex-8200-10.2R1.8-domestic-signed.tgz. This is your last chance to stop the installation.

5. Reboot to start the new software:

user@switch> request system reboot

6. After the reboot has completed, log in and verify that the new version of the software is properly installed:

user@switch> show version

Upgrade Policy for Junos OS Extended End-Of-Life Releases

An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases.

For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.

For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged.

For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.
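The EEOL policy above reduces to a small path-planning check, which is worth automating when scheduling patch windows across a fleet. The following is an added example, not Juniper's code: the chronological release list is an assumed ordering constructed for the example, and the EEOL set is taken from the text (8.5 is treated as EEOL because the example upgrades from it under the EEOL rule).

```python
from collections import deque

# Assumed chronological ordering of Junos OS releases (constructed for this example).
RELEASES = ["8.5", "9.0", "9.1", "9.2", "9.3", "9.4", "9.5", "9.6",
            "10.0", "10.1", "10.2", "10.3", "10.4"]
# EEOL releases named in the text; 8.5 is implied by the 8.5 -> 9.3/10.0 example.
EEOL = ["8.5", "9.3", "10.0", "10.4"]
MAX_EEOL_HOP = 2      # "one of two adjacent later (or earlier) EEOL releases"
MAX_NON_EEOL_HOP = 3  # "no more than three releases at a time"


def direct_allowed(src: str, dst: str) -> bool:
    """True if the policy permits one upgrade or downgrade from src to dst."""
    if src == dst:
        return False
    if src in EEOL and dst in EEOL:
        # Both EEOL: distance is counted in the EEOL list, not in all releases.
        return abs(EEOL.index(src) - EEOL.index(dst)) <= MAX_EEOL_HOP
    # Either end is non-EEOL: the three-release limit applies.
    return abs(RELEASES.index(src) - RELEASES.index(dst)) <= MAX_NON_EEOL_HOP


def upgrade_path(src: str, dst: str) -> list:
    """Fewest-hop release sequence from src to dst, moving only toward dst.

    Breadth-first search over the releases between src and dst; each hop must
    satisfy direct_allowed. Returns [] if dst cannot be reached.
    """
    di = RELEASES.index(dst)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        cur = path[-1]
        if cur == dst:
            return path
        ci = RELEASES.index(cur)
        step = 1 if di > ci else -1
        # Candidate hops: every release strictly past cur, up to and including dst.
        for i in range(ci + step, di + step, step):
            nxt = RELEASES[i]
            if nxt not in seen and direct_allowed(cur, nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return []


if __name__ == "__main__":
    print(upgrade_path("8.5", "10.4"))   # ['8.5', '9.3', '10.4']
    print(upgrade_path("10.4", "8.5"))   # ['10.4', '10.0', '8.5']
```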

Upgrading or Downgrading from Junos OS Release 9.4R1 for EX Series Switches

The ARP aging time configuration in the system configuration stanza in Junos OS Release 9.4R1 is incompatible with the ARP aging time configuration in Junos OS Release 9.3R1 or earlier and Junos OS Release 9.4R2 or later. If you have configured system arp aging-timer aging-time on EX Series switches running Junos OS Release 9.4R1 and upgrade to Junos OS Release 9.4R2 or later or downgrade to Junos OS Release 9.3R1 or earlier, the switch will display configuration errors on booting up after the upgrade or downgrade. As a workaround, delete the arp aging-timer aging-time configuration in the system configuration stanza and reapply the configuration after you complete the upgrade or downgrade.

The format of the file in which the EX4200 Virtual Chassis topology information is stored was changed in Junos OS Release 9.4. When you downgrade Junos OS Release 9.4 or later running on EX4200 switches in a Virtual Chassis to Junos OS Release 9.3 or earlier, make topology changes, and then upgrade to Junos OS Release 9.4 or later, the topology changes you have made using Junos OS Release 9.3 or earlier are not retained. The switch restores the last topology change you have made using Junos OS Release 9.4.

Upgrading from Junos OS Release 9.3R1 to Release 10.4 for EX Series Switches

If you are upgrading from Junos OS Release 9.3R1 and have voice over IP (VoIP) enabled on a private VLAN (PVLAN), you must remove this configuration before upgrading, to prevent upgrade problems. VoIP on PVLAN interfaces is not supported in releases later than Junos OS Release 9.3R1.

Related Documentation

• New Features in Junos OS Release 10.4 for EX Series Switches on page 194

• Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 196

• Limitations in Junos OS Release 10.4 for EX Series Switches on page 197

• Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 202

• Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 206

• Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 210


Junos OS Documentation and Release Notes

For a list of related Junos OS documentation, see http://www.juniper.net/techpubs/software/junos/.

If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes.

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books .

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

• Document name

• Document part number

• Page number

• Software release version

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.


• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.

If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support:

user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net:pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to [email protected]. For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/.


Revision History

11 February 2011—Revision 6, JUNOS Release 10.4R2

04 February 2011—Revision 5, JUNOS Release 10.4R1

25 January 2011—Revision 4, JUNOS Release 10.4R1

14 January 2011—Revision 3, JUNOS Release 10.4R1

21 December 2010—Revision 2, JUNOS Release 10.4R1

Copyright © 2011, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
