Release Notes: Junos® OS Release 13.3R9 for the EX Series, M ...

ReleaseNotes: Junos®OSRelease 13.3R10

for the EX Series, M Series, MX Series,

PTX Series, and T Series

24 January 2017

Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Junos OS Release Notes for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

High Availability and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Infrastructure and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Layer 3 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13


OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Resolved Issues: Release 13.3R10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15



1Copyright © 2017, Juniper Networks, Inc.







Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . . 24

Upgrade and Downgrade Support Policy for Junos OS Releases . . . . . . 24

Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D

Universal Edge Routers, and T Series Core Routers . . . . . . . . . . . . . . . . . . . . . 26

New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Authentication, Authorization, and Accounting (AAA) (RADIUS) . . . . . . 35

Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Layer 2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48


OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Subscriber Management and Services (MX Series) . . . . . . . . . . . . . . . . 54

VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Authentication Authorization and Accounting . . . . . . . . . . . . . . . . . . . . . 62


Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Copyright © 2017, Juniper Networks, Inc.2

Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series

Subscriber Management and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78


General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79


MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80


Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Subscriber Management and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82


Forwarding and Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84


Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Layer 2 Ethernet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Layer 2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Multiprotocol Label Switching (MPLS) . . . . . . . . . . . . . . . . . . . . . . . . . . 93


Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97


User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Resolved Issues: Release 13.3R10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102


Resolved Issues: Release 13.3R8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132







Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Adaptive Services Interfaces Feature Guide for Routing Devices . . . . . . 218

Aggregated Ethernet Interfaces Feature Guide for Routing Devices . . . 218

Broadband Subscriber VLANs and Interfaces Feature Guide . . . . . . . . . 221

Chassis-Level Feature Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Class of Service Library for Routing Devices . . . . . . . . . . . . . . . . . . . . . . 222

Dynamic Firewall Feature Guide for Subscriber Services . . . . . . . . . . . . 222

Ethernet Interfaces Feature Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Ethernet Networking Feature Guide for MX Series Routers . . . . . . . . . . 224

Firewall Filters Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . 226


High Availability Feature Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Interchassis Redundancy Using Virtual Chassis Feature Guide for MX

Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Interfaces Feature Guide for Subscriber Management . . . . . . . . . . . . . . 227

Junos Address-Aware Carrier-Grade NAT and IPv6 Feature Guide . . . . 227

Junos OS High Availability Feature Guide for Routing Devices . . . . . . . 228

Layer 2 Configuration Guide, Bridging, Address Learning, and

Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Layer 2 VPNs Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . 229

Monitoring, Sampling, andCollectionServices InterfacesFeatureGuide

for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

MPLS Applications Feature Guide for Routing Devices . . . . . . . . . . . . . 229

Network Management Administration Guide for Routing Devices . . . . 230

Overview for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Release Notes: Junos OSRelease 13.3R1 for the EX Series, M Series, MX

Series, PTX Series, and T Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Services Interfaces Configuration Guide . . . . . . . . . . . . . . . . . . . . . . . . . 231

Services Interfaces Overview for Routing Devices . . . . . . . . . . . . . . . . . 236

Standards Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Subscriber Management Access Network Guide . . . . . . . . . . . . . . . . . . 237

Subscriber Management Feature Guide . . . . . . . . . . . . . . . . . . . . . . . . . 238

Subscriber Management Provisioning Guide . . . . . . . . . . . . . . . . . . . . . 239

System Log Messages Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

System Services Administration Guide for Routing Devices . . . . . . . . . . 241

Tunnel and Encryption Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . 241

User Access and Authentication Guide for Routing Devices . . . . . . . . . . 241

VPLS Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . 241

VPNs Library for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

VPWS Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . 242

Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . 242

Basic Procedure for Upgrading to Release 13.3 . . . . . . . . . . . . . . . . . . . . 243

Upgrade and Downgrade Support Policy for Junos OS Releases . . . . . 245

Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 245

Upgrading Juniper Network Routers Running Draft-Rosen Multicast

VPN to Junos OS Release 10.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Upgrading the Software for a Routing Matrix . . . . . . . . . . . . . . . . . . . . . 247

Upgrading Using Unified ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled

for Both PIM and NSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Downgrading from Release 13.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Changes Planned for Future Releases . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Junos OS Release Notes for PTX Series Packet Transport Routers . . . . . . . . . . . 252

New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . 254



Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . 259


IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . 260


User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263


MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264


VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

Resolved Issues: Release 13.3R10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266









Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Network Management Administration Guide for Routing Devices . . . . 278

VPWS Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . 278

Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . 279

Upgrading Using Unified ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 279

Basic Procedure for Upgrading to Release 13.3 . . . . . . . . . . . . . . . . . . . . 279

Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Third-Party Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Finding More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286


Introduction

Junos OS runs on the following Juniper Networks®hardware: ACX Series, EX Series, J

Series,MSeries,MXSeries, PTXSeries,QFabric systems,QFXSeries, SRXSeries, TSeries

and Junos Fusion.

These release notes accompany Junos OS Release 13.3R10 for the EX Series, M Series,

MXSeries,PTXSeries, andTSeries.Theydescribenewandchanged features, limitations,

and known and resolved problems in the hardware and software.

Junos OS Release Notes for EX Series Switches

These releasenotesaccompany JunosOSRelease 13.3R10 for theEXSeries.Theydescribe

newandchanged features, limitations, andknownand resolvedproblems in thehardware

and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation

webpage, located at http://www.juniper.net/techpubs/software/junos/.

• New and Changed Features on page 6

• Changes in Behavior and Syntax on page 8

• Known Behavior on page 11

• Known Issues on page 14

• Resolved Issues on page 14

• Documentation Updates on page 23

• Migration, Upgrade, and Downgrade Instructions on page 24

• Product Compatibility on page 24

New and Changed Features

This section describes the new features and enhancements to existing features in Junos

OS Release 13.3R10 for the EX Series.

• Hardware

• Infrastructure

• Multicast

• NetworkManagement andMonitoring

• OpenFlow



http://www.juniper.net/techpubs/software/junos/

Hardware

• Extended cablemanager for EX9214 switches—An extended cable manager is nowavailable for EX9214 switches. The extended cable manager enables you to route

cables away from the front of the line cards and Switch Fabric modules and provides

easier access to the switch than the standard cable manager. To obtain the extended

cablemanager, order theMX960EnhancedCableManager,ECM-MX960. (Installation

of the extended cable manager must be done by a technician authorized by Juniper

Networks and that the service cost is in addition to the component cost.)

[SeeMX960 Cable Manager Description.]

Infrastructure

• Support for IPv6 for TACACS+ authentication (EX9200)—Starting with Junos OSRelease 13.3, Junos OS supports IPv6 along with the existing IPv4 support for user

authentication using TACACS+ servers.

Multicast

• MLD snooping on EX9200 switches—Starting with Junos OS Release 13.3, EX9200switchessupportMulticastListenerDiscovery(MLD)snooping.MLDsnoopingconstrains

the flooding of IPv6multicast traffic on VLANs on a switch. When MLD snooping is

enabled on aVLAN, the switch examinesMLDmessages between hosts andmulticast

routers and learns which hosts are interested in receiving traffic for a multicast group.

Based on what it learns, the switch then forwards multicast traffic only to those

interfaces in the VLAN that are connected to interested receivers instead of flooding

the traffic to all interfaces. You configure MLD snooping at either the [edit protocols]

hierarchy level or the [edit routing-instances routing-instance-nameprotocols]hierarchy

level.

[SeeUnderstanding MLD Snooping.]

NetworkManagement andMonitoring

• sFlowtechnologyonEX9200switches—Startingwith JunosOSRelease 13.3,EX9200switches support sFlow technology, a monitoring technology for high-speed switched

or routed networks. The sFlowmonitoring technology randomly samples network

packets and sends the samples to amonitoring station. You can configure sFlow

technology on an EX9200 switch to continuously monitor traffic at wire speed on all

interfaces simultaneously. The sFlow technology is configured at the [edit protocols

sflow] hierarchy level.

[SeeUnderstandingHowtoUsesFlowTechnology forNetworkMonitoringonanEXSeries

Switch.]



http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/cable-management-system-mx960.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/mld-snooping-overview-l2.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/sflow-ex-series.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/sflow-ex-series.html

OpenFlow

• Support for OpenFlow v1.0—Starting with Junos OS Release 13.3, EX9200 switchessupport OpenFlow v1.0. You use the OpenFlow remote controller to control traffic in

an existing network by adding, deleting, andmodifying flows on switches. You can

configure oneOpenFlow virtual switch and one activeOpenFlow controller at the [edit

protocols openflow] hierarchy level on each device running Junos OS that supports

OpenFlow.

[See Understanding Support for OpenFlow on Devices Running Junos OS.]

RelatedDocumentation

Changes in Behavior and Syntax on page 8•







Changes in Behavior and Syntax

This section lists the changes in behavior of JunosOS features and changes in the syntax

of JunosOSstatementsandcommands fromJunosOSRelease 13.3R10 for theEXSeries.

• Dynamic Host Configuration Protocol

• High Availability and Resiliency on page 9

• Interfaces and Chassis on page 9

• Network Management and Monitoring on page 10

• User Interface and Configuration on page 10



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/junos-sdn-openflow-support-overview.html

Dynamic Host Configuration Protocol

• DHCPclientscansendpacketswithoutOption255(EX9200)—OnEX9200switches,starting with Junos OS Release 13.3R5, you can override the DHCP relay agent default

configurationandenableclients to sendDHCPpacketswithoutOption255.Thedefault

behavior in Junos OS is to drop packets that do not include Option 255. To override

that default behavior, configure the allow-no-end-options CLI statement under the

[edit forwarding-options dhcp-relay overrides] hierarchy level.

You can also override the DHCP local server configuration and enable clients to send

DHCPpacketswithoutOption 255 (end-of-options). The default behavior in JunosOS

is to drop packets that do not include Option 255. To override that default behavior,

configure the allow-no-end-options statement under the [system services

dhcp-local-server overrides] hierarchy level.

High Availability and Resiliency

• New redundancy failover CLI statement (EX Series)—Starting in Junos OS Release13.3R6, the chassis redundancy failover not-on-disk-underperform statement prevents

gstatd from causing failovers in the case of slow disks on the Routing Engine.

[See not-on-disk-underperform and Preventing Graceful Restart in the Case of Slow

Disks.]

Interfaces and Chassis

• Direct ARP entries to the correct next-hop interface in anMC-LAG scenario—OnEX9200 switches, the arp-l2-validate statement provides a workaround for issues

related to MAC and ARP entries going out of sync in an MC-LAG scenario. Use the

commandtocorrectmismatchesbetweenMACandARPentries related to thenext-hop

interface.

• Additional options for the request support information command—On EX9200switches, the following CLI commands have been added to the output of the request

support information CLI command:

• show ethernet-switching interface detail

• show ethernet-switching table

• show spanning-tree bridge detail

• show spanning-tree interface

• show vlans extensive

• show vrrp summary



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/not-on-disk-underperform-edit-chassis.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/gres-preventing-on-slow-disks.html



• New system logmessage indicating the difference in the Packet Forwarding Enginecounter value (EX9200)—Effective in Junos OS Release 13.3R4, if the counter valueof a Packet Forwarding Engine is reported lesser than its previous value, then the

residual counter value isadded to thenewly reportedvalueonly for that specific counter.

In that case, the CLI shows theMIB2D_COUNTER_DECREASING system logmessage

for that specific counter.

User Interface and Configuration

• Change in the show version command output on EX9200 switches—Starting withJunosOSRelease 13.3, the showversion command output includes the Junos field that

displays the Junos OS version running on the switch. This new field is in addition to the

existing field in the showversion command that displays a list of installed subpackages

running on the switch that display the JunosOSversion number of those subpackages.

The new field provides a consistentmeans of identifying the JunosOS version, instead

of extracting that information from the list of installed subpackages.

In Junos OS Release 13.2 and earlier, the show version command does not have the

Junos field in the output that displays the Junos OS version running on the device as

shown in the following samples. The only way to determine the Junos OS version

running on the device is to review the list of installed subpackages.

Junos OS Release 13.3 and Later ReleasesWith the JunosField

Junos OS Release 13.2 and Earlier ReleasesWithout theJunos Field

user@switch> show versionHostname: lab Model: ex9208 Junos: 13.3R1.4JUNOS Base OS boot [13.3R1.4] JUNOS Base OS Software Suite [13.3R1.4] JUNOS Kernel Software Suite [13.3R1.4]JUNOS Crypto Software Suite [13.3R1.4]...

user@switch> show versionHostname: lab Model: ex9208 JUNOS Base OS boot [12.3R2.5]JUNOS Base OS Software Suite [12.3R2.5]JUNOS Kernel Software Suite [12.3R2.5]JUNOS Crypto Software Suite [12.3R2.5]...

[See show version.]

• User-defined identifiersusingthereservedprefix junos-nowcorrectlycauseacommiterror in theCLI—JunosOS reserves theprefix junos- for the identifiers of configurationsdefinedwithin the junos-defaults configuration group. User-defined identifiers cannot

start with the string junos-. Starting with Junos OS Release 13.3, if you configure

user-defined identifiers using the reserved prefix through a NETCONF or Junos XML

protocol session, the commit correctly fails. In releases earlier than Junos OS Release

13.3, if you configured user-defined identifiers through theCLI using the reservedprefix,

the commit incorrectly succeeds. Junos OS Release 13.3R1 and later releases now

exhibit the correct behavior. Configurations that currently contain the reserved prefix

for user-defined identifiers other than junos-defaults configuration group identifiers

now correctly results in a commit error in the CLI.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-version.html

• Configuring regularexpressions(EX9200)—Inall supported JunosOSreleases, regularexpressions can no longer be configured if they require more than 64MB of memory

or more than 256 recursions for parsing.

This change in the behavior of Junos OS is in line with the FreeBSD limit. The change

wasmade in response to a known consumption vulnerability that enables an attacker

to cause a denial-of-service attack (resource exhaustion) by using regular expressions

containing adjacent repetition operators or adjacent bounded repetitions. Junos OS

uses regular expressions in several placeswithin theCLI. Exploitationof this vulnerability

can cause the Routing Engine to crash, leading to a partial denial of service. Repeated

exploitation can result in an extendedpartial outageof services providedby the routing

protocol process (rpd).


New and Changed Features on page 6•







Known Behavior

This section lists known behaviors, systemmaximums, and limitations in hardware and

software in Junos OS Release 13.3R10 for the EX Series.

For the most complete and latest information about known Junos OS defects, use the

Juniper Networks online Junos Problem Report Search application.

• Authentication and Access Control

• High Availability (HA) and Resiliency

• Infrastructure and Chassis

• Interfaces and Chassis

• Layer 3 Features

• Multicast


• OpenFlow


Known Behavior

http://prsearch.juniper.net

Authentication and Access Control

• DHCP relay might not work as expected even if an EX9200 switch is configured for

DHCP relay, if an IRB interface walks through a Layer 2 trunk interface and the

corresponding DHCP relay is configured in a routing instance, or if you deactivate or

activate (or deleteor add)ahierarchy that containsaDHCP relay-relatedconfiguration.

As a workaround, restart DHCP services after youmake any configuration changes

that are related to DHCP. PR935155

High Availability (HA) and Resiliency

• On EX9200 switches, during a unified ISSU, BGP and Layer 3 multicast traffic might

be dropped for approximately 30 seconds. PR1116299

Infrastructure and Chassis

• On EX9200 switches, in a Layer 2 environment, transit packets of size 1514 MTU or

moremight be dropped silentlywhen the packets exit a trunk interface forwhichVLAN

tagging or flexible VLAN tagging is not enabled. PR960638

• On EX9200 switches that are running any of the following images, if more than 1000

DHCP clients send DHCP requests and if the licensing grace period (30 days) expires,

new clients are not added:

• Junos OS Release 13.2R5 or earlier images

• Release 13.3R4 or earlier images



As a workaround, install an image from the following list and include the [--format]

option when you run the loader> install command, like this:

loader> install --format file:///junos-package-name

• Release 13.2R6 or later images




See KB20643 for details about using the loader install [--format] command.

Note that if you install the later imagebut do not include the [--format]option, an error

message such as the following appears: LICENSE_GRACE_PERIOD_EXPIRED: License

grace period for feature scale-subscriber(44) has expired. Ignore the error message; it

has no functional impact. PR1071594


• On EX9200 switches, an LLDP neighbor might not be formed for Layer 3-tagged

interfaces even though peer switches are able to form the neighbor. PR848721



http://prsearch.juniper.net/PR935155





• OnEX9200switches, if a 100-gigabit interface is configuredaspart of a linkaggregation

group (LAG), committing any configuration changemight cause the interface to flap.

PR1065512

Layer 3 Features

• On EX9200 switches, BFD on IRB interfaces flaps if BFD is configured for subsecond

timers. PR844951

• On EX9200 switches, analyzer configurations with analyzer input and output stanzas

containingmembersof the sameVLANor theVLAN itself arenot supported.With such

configurations, packets canmirror ina loop, resulting inLUchiperrors.Asaworkaround,

use themirror-once option if the input is for ingress mirroring. If it is for ingress and

egress mirroring, configure the output interface as an access interface. PR1068405

Multicast

• If you configure a large number of PIM source-specific multicast (SSM) groups on an

EX9200switch, the switchmight experienceperiodic IPv6 traffic loss. Asaworkaround,

configure the pim-join-prune-timeout value on the last-hop router as 250 seconds.

PR853586


• On EX9200 switches, the interface index value is incorrectly displayed as 0 on the

sFlow collector. PR1083226

OpenFlow

• OnEX9200switches, aBGPsessionmight flapwhenanOpenFlow interface is receiving

line-rate traffic and the traffic is notmatching any rule, and therefore thedefault action

of packet-in is applied. PR892310

• OnEX9200switches, configurationofa firewall filteronanOpenFlow-enabled interface

is not supported.

• OnEX9200 switches,minormemory leaksmight occur if you add anddelete the same

multi-VLAN flow on the order of 100,000 such add and delete operations. PR905620










Known Behavior








Known Issues

This section lists the known issues in hardware and software in JunosOSRelease 13.3R10

for the EX Series.



• Platform and Infrastructure

Platform and Infrastructure

• Themgd daemonmight crash after a load replace command in a configuration that

is not properly formatted.

For example:

root# load replace xxx.conferror: session failure: unexpected terminationerror: remote side unexpectedly closed connection

The incorrect configuration format is as follows:

/* annotating */delete: statement;

The correct configuration format should be as follows:

delete: statement;/* annotating */

PR1064036









Resolved Issues

This section lists the issues fixed in the Junos OS Release 13.3 main release and the

maintenance releases.


Juniper online Junos Problem Report Search application.

• Resolved Issues: Release 13.3R10 on page 15














Resolved Issues: Release 13.3R10

• Infrastructure


Infrastructure

• On EX9200 switches, the routing process (rpd) might continuously crash while

processing an (S,G) entry if that entry has beenmistakenly deleted. PR942561

• On EX9200 switches, attempts by line cards tomake unnecessary connections to the

Routing Engine might generate continuous debugging-level log messages, which

consume system resources. PR1113309

Network Management andMonitoring

• OnEX9200switches, even if youconfigureanegress sampling rate for sFlowmonitoring

technology, the switch uses the ingress sampling rate instead. PR686002





• On an EX Series switch acting as a DHCPv6 server, the server does not send a Reply

packet after receiving a Confirm packet from the client; the behavior is not compliant

with the RFC 3315 standard. PR1025019


• On EX9200 switches, after the show version detail command is executed, the syslog

message UI_OPEN_TIMEOUT: Timeout connecting to peermight appear. This message

is cosmetic only; you can ignore this message. PR895320

• On an EX9200-2C-8XS line card, when the flow-detection feature is enabled under

the [edit system ddos-protection] hierarchy, if suspicious control flows are received,

two issues might occur on the switch:

• The suspicious control flowmight not be detected on the line card.

• After suspicious control flows are detected, theymight never time out, even if traffic

flows no longer violate control parameters.


Resolved Issues






PR1102997



• Infrastructure and Chassis



• On EX9200 switches with DHCPv6 snooping configured, the enterprise ID field of the

DHCPv6 relay message is converted to hexadecimal format and encoded as a text

string when used as the value for the remote ID (DHCPv6 Option 37). This results in

an incorrect value for the enterprise ID. PR1052956

Infrastructure and Chassis

• On EX9200 switches, if you configure DHCP relaywith the DHCP server and the DHCP

client in separate routing instances, unicast DHCP reply packets (for example, a DHCP

ACK in response to a DHCP RENEW)might be dropped. PR1079980


• On EX9200 switches, if you configure an invalid SNMP source address, SNMP traps

might not be sent even after you change the SNMP source address to a valid interface

address. PR1099802




• Interfaces and Platform

• Software Installation and Upgrade








• OnEX9200 switches, when clients are authenticatedwith dynamic VLANassignment

onan802.1X-enabled interface, disabling802.1Xauthenticationon the interfacemight

cause the Layer 2 address learning daemon (l2ald) to generate a core file. PR1064491


• On EX9200 switches, when DHCP relay is configured using the forward-only and

forward-only-replies statements at the [edit forwarding-options dhcp-relay] hierarchy

level, if the DHCP local server is also configured with the forward-snooped-clients

statement at the [edit system services dhcp-local-server] hierarchy level, the

configuration for forward-snooped-clients takes precedence over the configuration for

forward-only and forward-only-replies. As a result, DHCPmessage exchange between

VRFsmight not work as expected. PR1077016

Interfaces and Platform

• OnEX9200switches, the showethernet-switching tablevlan-namevlan-name | display

xmlCLI commanddoesnothave thevlan-nameattribute in the<l2ng-l2ald-rtb-macdb>

xml tag. PR955910

• OnEX9200switches,when theswitch receivesLACPcontrolpackets froman interface

other than an aggregated Ethernet (AE) interface, it forwards the packets, causing

LACP peer devices that receive the packets to reset the LACP connections. This might

cause continuous flaps on all aggregated or multichassis aggregated Ethernet

interfaces. PR1034917

• OnEX9200 switches, a process that failsmultiple times in a short period of timemight

not generate a core file. PR1058192

• On EX9200 switches, the Dynamic Host Configuration Protocol (DHCP) relay feature,

which enables the client interface and the server interface to be in separate virtual

routing and forwarding (VRF) instances, does not work when the client interface has

been configured as an integrated routing and bridging (IRB) interface. PR1064889

• On EX9200 switches, the CLI command set interfaces interface-name speed

auto-10m-100m is not supported. PR1077020

• On EX9200 switches, if you configure a virtual private LAN service (VPLS), no

label-switched interface (LSI) belongs to a VLAN even though the VPLS connection

is in theUP state, and traffic does not flood to an LSI. As aworkaround, configure VPLS

on the routing instance rather than on the virtual-switch instance. PR1083561

• On EX9200 switches, when you add a VLAN on an existing virtual-switch instance for

virtual private LAN service (VPLS), the label-switched interface (LSI) might not be

associated with the new VLAN. PR1088541


Resolved Issues










Software Installation and Upgrade

• Because of a software defect in Junos OS Release 13.3R7.3, we strongly discourage

the use of Release 13.3R7.3 on switches that contain EX9200-40T and EX9200-40F

line cards. PR1108826


• Layer 2 Features

• Routing Protocols

• Spanning-Tree Protocols

Layer 2 Features

• OnEX9200switches, ifMVRP is configuredon the aggregatedEthernet (AE) interface,

MVRPmight become unstable when the CLI command no-attribute-length-in-pdu is

configured. PR1053664

Routing Protocols

• On EX9200 switches on which virtual private LAN service (VPLS) is enabled, if the

interfaces on the CE belong to multiple FPCs, when the links between the PE device

and the CE device flap, or when the administrator clears the VPLSMAC table, traffic

might keep flooding in the VPLS routing-instance for more than 2 seconds during the

MAC learning phase. PR1031791

Spanning-Tree Protocols

• On EX9200 switches running the VLAN Spanning Tree Protocol (VSTP), incoming

BPDUsmightnotbe included in theoutputof the showspanning-treestatistics interface

command. PR847405


• Dynamic Host Configuration Protocol (DHCP)

• Infrastructure


Dynamic Host Configuration Protocol (DHCP)

• OnEX9200switches,DynamicHostConfigurationProtocol (DHCP) relay functionality

might stop working and DHCP does not form new bindings when the number of

subscribers exceeds 1000 due to license restrictions. PR1033921

Infrastructure

• On EX9200 switches, when apply-groups is used in the configuration, the expansion

of interfaces <*> apply-groups is done against all interfaces during the configuration

validation process, even if apply-groups is configured only under a specific interface

stanza. This does not affect the configuration—if the configuration validation passes,

the apply-groups are expanded correctly only against the interfaces for which

apply-groups is configured. PR967233









• On EX9200 switches, if the disable-logging option is the only option configured at the

[edit system ddos-protection global] hierarchy level, and this option is deleted, the

kernel might generate a core file. PR1014219

• On EX9200 switches, if the switch receives an ARP packet when the Forwarding

Information Base (FIB) has exceeded the limit of 262,144 routes, the kernel might

generate a core file. PR1028714


• On EX9200 switches, in an MC-LAG scenario, a MAC address might incorrectly point

to an interchassis control link (ICL) after a MACmove from a single-home LAG to the

MC-LAG. PR1034347


• Dynamic Host Configuration Protocol (DHCP)

• Multicast




• On an EX9200 switch acting as a DHCP relay agent, DHCP_ACKmessages sent from

a DHCP server might not be forwarded to the client if the server identifier in the DHCP

packet is different from that in the DHCP relay agent’s binding table. PR994735

Multicast

• On EX9200 switches that are configured in a multicast scenario with PIM enabled, an

(S,G) discard route might stop programming if the switch receives resolve requests

from an incorrect reverse-path-forwarding (RPF) interface. After this issue occurs, the

(S,G) state might not be updated when the switch receives multicast traffic from the

correct RPF interfaces, andmulticast traffic might be dropped. PR1011098


• On EX9200 switches, the interface alias feature might not work as expected and

interfaces might go up and down after commit. PR981249

• Onan EX9200 switch, if the underlying Layer 2 interface of an IRB interface is changed

from accessmode to trunkmode and bi-directional traffic is sent from an interface on

the same switch that has been changed from IRB over Layer 2 to Layer 3 mode, the

Layer 3 traffic toward the IRB interface might be dropped and PPE thread timeout

errors might be displayed. PR995845


Resolved Issues








Routing Protocols

• On an EX9200 switch with an IGMP configuration in which two receivers are joined to

the same (S,G) and IGMP immediate-leave is configured, when one of the receivers

sends a leavemessage for the (S,G), the other receiver might not receive traffic for 1-2

minutes. PR979936



• Bridging and Learning



• OpenFlow



• Software Installation and Upgrade

• Spanning-Tree Protocols


• On an EX Series switch that has both 802.1X authentication (dot1x) and a dynamic

firewall filter enabled,when the server-timeout value is set toa short time (for example,

3 seconds) and a large number of clients try to authenticate simultaneously, a delay

success authentication successmessagemight be received on the switch because of

a RADIUS server timeout. This might cause the firewall filter to corrupt the interfaces

on which the authentication attempts were made, because of which client

authentications might fail. As a workaround, configure a server-timeout value that is

greater than 30 seconds. PR967922

Bridging and Learning

• OnEX9200 switches onwhich a native VLAN is configured on a link aggregation group

(LAG), if the native VLAN is changed, for example, if the native VLAN ID is changed or

if the native VLAN is disabled, a packet forwarding engine thread timeout might occur

and LU chip error messages might be displayed. Traffic might be affected. PR993080


• OnEX9200switches thatare configuredasaDHCP relayor server over an IRB interface,

the relay and server binding tables might incorrectly display the name of the IRB

interfaceas thenameof thephysical interface. Youcanuse the showdhcp relaybinding

detail and show dhcp server binding detail commands to display the correct name of

the physical interface. PR972346

• On an EX9200 switch where a binding already exists for a client, if the client sends a

DHCPdiscovermessage, the switchmight not relay DHCPoffers fromany server other

than the server used to establish the existing binding. PR974963









• On EX9200 switches, the configuration statementmcae-mac-flush is not available in

the CLI; it is missing from the [edit vlans] hierarchy level. PR984393

• OnEX9200switches thathavemultichassis linkaggregationgroup(MC-LAG) interfaces

configured by using themac-rewrite statement, the Layer 2 address learning process

(l2ald) might crash, creating a core file. PR997978

OpenFlow

• OpenFlow v1.0 running on an EX9200 switch does not respond reliably to interface up

or down events within a specified time interval. Per a fix implemented in Junos OS

Release 13.3R3.6, OpenFlow v1.0 running on an EX9200 switch responds reliably to

interface up or down events if the echo interval timeout is set to 11 seconds or more.

PR989308


• On an EX9200 switch working as a DHCP server, when you delete an IRB interface or

change the VLAN ID of a VLAN corresponding to an IRB interface, the DHCP process

(jdhcpd) might create a core file after a commit because a stale interface entry in the

jdhcpd database has been accessed. PR979565

Routing Protocols

• On EX9200 switches with IGMP snooping enabled on an IRB interface, some transit

TCP packets might be treated as IGMP packets, causing packets to be dropped.

PR979671


• Whenyouareupgrading JunosOSonanEX9200switch, the followingwarningmessage

might be displayed: Could not open requirements file for jroute-ex:

/etc/db/pkg/jroute-ex/+REQUIRE. You can ignore this message. PR924106

Spanning-Tree Protocols

• On EX9200 switches, the MSTI identifier range for MSTP is limited to 1 through 64

while it should be 1 through 4094. PR846878


• Bridging and Learning


• Infrastructure


• Virtual Chassis


Resolved Issues








Bridging and Learning

• On EX9200 switches, trunk configuration [edit interface interface-name unit 0 family

ethernet-switching interface-mode trunk]might not work as expected, causing traffic

loss. PR963175


• On an EX9200 switch that is configured for DHCP relay, with the switch acting as the

DHCPrelayagent, theswitchmightnotbeable to relaybroadcastDHCP informpackets,

which are used by the client to getmore information from theDHCP server.PR946038

• On EX9200 switches with Dynamic Host Configuration Protocol (DHCP) relay

configured, permanent Address Resolution Protocol (ARP) entries for relay clients are

installed. When the client is reachable by means of a different preferred path (due to

STP topology changes or MC-LAG changes and so on), the forwarding state is not

refreshed. This might cause packets to be dropped until the relay binding is cleared.

PR961479

• OnanEX9200switch thatworksasaDHCP relayagent, if the switch receivesbroadcast

DHCPACKpackets sentbyanotherDHCPrelay switch, thosepacketsmightbedropped

until the DHCPmax-hop limit is reached. PR961520

Infrastructure

• OnEX9200 switcheswith an EX9200-32XS line card or an EX9200-2C-8XS line card,

10-gigabit ports on the line card might stay offline if a link flaps or an SFP+ is inserted

after the links have been up for more than 3months. PR905589

• On an EX Series Virtual Chassis that is configured for DHCP services and configured

with a DHCP server, when a client sends DHCP INFORM packets and then the same

client sends the DHCP RELEASE packet, an IP address conflict might result because

the same IP address has been assigned to two clients. As a workaround:

• 1. Clear the binding table:

user@switch> clear system services dhcp binding

• 2. Restart the DHCP service:

user@switch> restart dhcp

PR953586

• On an EX9200 switch, when the SNMPmib2d daemon polls system statistics from

the kernel, the kernel might cause amemory leak (mbuf leak), which in turn might

cause packets such as ARP packets to be dropped at the kernel. PR953664

• On an EX9200 switch with scaled ARP entries (for example, 48K entries), in a normal

state, an ARP entry's current timemust be less than the expiry time. However, some

events might cause the current time to be greater than the expiry time, which then

leads to the ARP entry being flushed, resulting in connectivity issues. A possible trigger

event might be an Inter-Chassis Link flap in a multichassis link aggregation group

scenario. PR963588












• OnEX9200 switches, an inter-IRB routemight notwork if Q-in-Q tunneling is enabled,

because theTPID (0x9100) is not setonegressdual-taggedpackets, andotherdevices

that receive these untagged packets might drop them. PR942124

• On an EX Series switch, if you remove an SFP+ and then add it back or reboot the

switch, and the corresponding disabled 10-gigabit interface is amember of a LAG, the

link on that port might be activated. PR947683

Virtual Chassis

• OnEX9200Virtual Chassis, the showvirtual-chassis vc-portcommand showsa resync

flag as part of the Status column of the command. The resync flag indicates the

forwarding readinessof thePacket ForwardingEngine (onwhichVCPsare configured),

after it is up after a reboot. PR946920









Documentation Updates

There are no errata or changes in Junos OS Release 13.3R10 for the EX Series switches

documentation.














Migration, Upgrade, and Downgrade Instructions

This section contains upgrade and downgrade policies for Junos OS for the EX Series.

Upgrading or downgrading Junos OS can take several hours, depending on the size and

configuration of the network.

• Upgrade and Downgrade Support Policy for Junos OS Releases on page 24

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that spanmore than three Junos OS releases at

a time is not provided, except for releases that are designated as Extended End-of-Life

(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can

upgrade directly from one EEOL release to the next EEOL release, even though EEOL

releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after

the currently installed EEOL release, or to twoEEOL releases before or after. For example,

JunosOSReleases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from JunosOS

Release 10.0 toRelease 10.4 or even from JunosOSRelease 10.0 toRelease 11.4. However,

you cannot upgrade directly from a non-EEOL release that is more than three releases

ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3

(a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS

Release 11.4 to Junos OS Release 10.3.

To upgrade or downgrade fromanon-EEOL release to a releasemore than three releases

before or after, first upgrade to the next EEOL release and then upgrade or downgrade

from that EEOL release to your target release.

For more information about EEOL releases and to review a list of EEOL releases, see

http://www.juniper.net/support/eol/junos.html.

For information on software installation and upgrade, see the Installation and Upgrade

Guide.









Product Compatibility

• Hardware Compatibility on page 25



http://www.juniper.net/support/eol/junos.html

http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/software-installation-and-upgrade/software-installation-and-upgrade.html


Hardware Compatibility

To obtain information about the components that are supported on the devices, and

special compatibility guidelineswith the release, see theHardwareGuide for theproduct.

Todetermine the features supportedonEXSeries switches in this release, use the Juniper

Networks Feature Explorer, a Web-based application that helps you to explore and

compare Junos OS feature information to find the right software release and hardware

platform for your network. Find Feature Explorer at

http://pathfinder.juniper.net/feature-explorer/.











http://pathfinder.juniper.net/feature-explorer/

JunosOSReleaseNotesforMSeriesMultiserviceEdgeRouters,MXSeries3DUniversalEdge Routers, and T Series Core Routers

These release notes accompany Junos OS Release 13.3R10 for the M Series, MX Series,

and T Series. They describe new and changed features, limitations, and known and

resolved problems in the hardware and software.













OS Release 13.3R10 for the M Series, MX Series, and T Series.

• Hardware on page 27

• Authentication, Authorization, and Accounting (AAA) (RADIUS) on page 35

• Class of Service (CoS) on page 35

• General Routing on page 37

• High Availability (HA) and Resiliency on page 38


• IPv6 on page 47

• Layer 2 Features on page 47

• MPLS on page 47

• Multicast on page 48


• OpenFlow on page 49

• Platform and Infrastructure on page 49

• Port Security on page 50

• Routing Policy and Firewall Filters on page 50

• Routing Protocols on page 51

• Services Applications on page 52

• Software Installation and Upgrade on page 53




• Subscriber Management and Services (MX Series) on page 54

• VPNs on page 60

Hardware

• MIC support (MX104)—Junos OS Release 13.3 and later releases extend support tothe following MICs on the MX104 3D Universal Edge Routers:

• ATMMICwith SFP (Model No: MIC-3D-8OC3-2OC12-ATM)

• DS3/E3MIC (Model No: MIC-3D-8DS3-E3)

• Channelized SONET/SDHOC3/STM1 (Multi-rate) MICs with SFP (Model No:

MIC-3D-4CHOC3-2CHOC12)

• Channelized SONET/SDHOC3/STM1 (Multi-rate) MICs with SFP (Model No:

MIC-3D-8CHOC3-4CHOC12)

• Multiservices MIC (Model No: MS-MIC-16G)

• SONET/SDHOC3/STM1 (Multi-rate) MICs with SFP (Model No:

MIC-3D-4OC3OC12-10C48)

• SONET/SDHOC3/STM1 (Multi-rate) MICs with SFP (Model No:

MIC-3D-8OC3OC12-4OC48)

• SONET/SDHOC192/STM64MICs with XFP (Model No: MIC-3D-10C192-XFP)

[SeeMICs Supported by MX Series Routers in theMX Series Interface Module Reference.]

• Support for MICs onMPC3E (MX240, MX480, andMX960)—Starting in Junos OSRelease 13.3, the following MICs are supported on the MPC3E (MX-MPC3E-3D):

• SONET/SDHOC3/STM1 (Multi-Rate) MICs with SFP (MIC-3D-8OC3OC12-4OC48)

• SONET/SDHOC3/STM1 (Multi-Rate) MICs with SFP (MIC-3D-4OC3OC12-1OC48)

• SONET/SDHOC192/STM64MIC with XFP (MIC-3D-1OC192-XFP)

• DS3/E3 MIC (MIC-3D-8DS3-E3)

The following encapsulations are supported on the aforementioned MICs on MPC3E:

• Cisco High-Level Data Link Control (cHDLC)

• Flexible Frame Relay

• Frame Relay

• Frame Relay for circuit cross-connect (CCC)

• Frame Relay for translational cross-connect (TCC)

• MPLS fast reroute

• MPLS CCC

• MPLS TCC

• Point-to-Point Protocol (PPP) (default)

• PPP for CCC



http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-atm-oc3-oc12.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-ds3-e3.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-chan-sonet-sdh-oc3-multirate-sfp.html




http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-ms.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-sonet-sdh-oc3-multirate-sfp.html




http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-oc192-xfp.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-supported.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/topic-collections/hardware/mx-series/common/line-card-guide/mx-series-line-card-guide.pdf

• PPP for TCC

• PPP over Frame Relay

[SeeMPC3E onMX Series Routers Overview.]

• CFP-GEN2-CGE-ER4 (MX Series, T1600, and T4000)—The CFP-GEN2-CGE-ER4transceiver (part number: 740-049763) provides a duplex LC connector and supports

the 100GBASE-ER4 optical interface specification andmonitoring. Starting in Junos

OSRelease 13.3, theGEN2optics have been redesignedwith newer versions of internal

components for reducedpower consumption.The following interfacemodules support

the CFP-GEN2-CGE-ER4 transceiver. For more information about interface modules,

see the Interface Module Reference for your router.

MX Series routers:

• 100-Gigabit Ethernet MIC with CFP (model number:

MIC3-3D-1X100GE-CFP)—Supported in Junos OS Release 12.1R1 and later

• 2x100GE + 8x10GEMPC4E (model number: MPC4E-3D-2CGE-8XGE)—Supported

in Junos OS Release 12.3R2 and later

T1600 and T4000 routers:

• 100-Gigabit Ethernet PIC with CFP (model numbers: PD-1CE-CFP-FPC4 and

PD-1CGE-CFP)—Supported in Junos OS Releases 12.3R5, 13.2R3, 13.3R1, and later

[See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications.]

• SFP-GE80KCW1470-ET, SFP-GE80KCW1490-ET, SFP-GE80KCW1510-ET,SFP-GE80KCW1530-ET, SFP-GE80KCW1550-ET, SFP-GE80KCW1570-ET,SFP-GE80KCW1590-ET, and SFP-GE80KCW1610-ET (MX Series)—Beginning withJunos OS Release 13.3, these transceivers provide a duplex LC connector and support

operationandmonitoringwith linksup toadistanceof80km.Each transceiver is tuned

to a different transmit wavelength for use in CWDM applications. These transceivers

are supported on the following interfacemodule. Formore information about interface

modules, see the Interface Module Reference for your router.

• Gigabit Ethernet MIC with SFP (model number: MIC-3D-20GE-SFP) in all versions

of MX-MPC1, MX-MPC2, and MX-MPC3—Supported in Junos OS Release 12.3R5,

13.2R3, 13.3R1, and later.

[See Gigabit Ethernet SFP CWDMOptical Interface Specification]

• CFP-GEN2-100GBASE-LR4 (T1600 and T4000)—The CFP-GEN2-100GBASE-LR4transceiver (part number: 740-047682) provides a duplex LC connector and supports

the 100GBASE-LR4 optical interface specification andmonitoring. Starting in Junos

OSRelease 13.3, the “GEN2”opticshavebeen redesignedwithnewer versionsof internal

components for reducedpower consumption.The following interfacemodules support

the CFP-GEN2-100GBASE-LR4 transceiver. For more information about interface

modules, see the Interface Module Reference for your router.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/chassis-mpc-100-gigabit-ethernet-mpc-overview.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/specifications/transceiver-m-mx-t-series-100gebase-optical-specifications.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/specifications/transceiver-mx-series-sfp-cwdm.html

• 100-Gigabit Ethernet PIC with CFP (model numbers: PD-1CE-CFP-FPC4 and

PD-1CGE-CFP)—Supported in Junos OS Releases 12.3R5, 13.2R3, 13.3R1, and later


• Software feature support on theMPC5E— Starting in Junos OS Release 13.3, MPC5E

supports the following key features:

• Basic Layer 2 features and virtual private LAN services (VPLS) functionality

• Class of service (CoS)

• Flexible Queuing option—By using an add-on license, MPC5E supports a limited

number of queues (32,000 queues per slot including ingress and egress)

• Hierarchical QoS

• Intelligent oversubscription services

• Interoperability with existing MPCs and DPCs

• MPLS

• MX Virtual Chassis

The following features are not supported on MPC5E:

• Active flowmonitoring and services

• Subscriber management features

[SeeProtocols andApplications Supported by theMX240,MX480,MX960,MX2010, and

MX2020MPC5E.]

• SoftwarefeaturesupportontheMPC5EQ—Starting in JunosOSRelease 13.3,MPC5EQ

supports 1 million queues per slot on all MX Series routers. All the other software

features supported on MPC5E are also supported on MPC5EQ.


MX2020MPC5E.]

• Support for new 520-gigabit full duplex Modular Port Concentrator (MPC6E) withtwoModular InterfaceCard (MIC) slots onMX2010andMX20203DUniversal EdgeRouters—In Junos OS Release 13.3R3 and later, MX2020 andMX2010 routers supportanewMPC,MPC6E(model number:MX2K-MPC6E).MPC6E is a 100-Gigabit Ethernet

MPC that provides increased density and performance to MX Series routers in

broadband access networks for services such as Layer 3 peering, VPLS and Layer 3

aggregation, and video distribution.

MPC6Eprovides packet-forwarding services that deliver up to 520Gbps of full-duplex

traffic. It has two separate slots forMICs and supports four Packet Forwarding Engines

with a throughput of 130Gbps per Packet Forwarding Engine. It also supports twoMIC

slots asWAN ports that provide physical interface flexibility.

MPC6E supports:

• Forwarding capability of up to 130 Gbps per Packet Forwarding Engine

• 100-Gigabit Ethernet interfaces




http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mpc-mx-series-mpc5e-features-1.html




• Up to 560 Gbps of full-duplex traffic for the twoMIC slots

• WAN-PHYmode on 10-Gigabit Ethernet interfaces on a per port basis

• Two separate slots for MICs (MIC6-10G and MIC6-100G-CXP)

• Two Packet Forwarding Engines for each MIC slot



MX2020MPC5E.]

• FeaturesupportonMPC6E—MPC6Esupports the followingsoftware features in JunosOS Release 13.3R2:

• Basic Layer 2 features and virtual private LAN service (VPLS) functionality, except

for Operation, Administration, and Maintenance (OAM)

• Layer 3 routing protocols

• MPLS

• Multicast forwarding

• Firewall filters and policers

• Class of service (CoS)

• Tunnel service

• Interoperability with existing DPCs and MPCs

• Internet Group Management Protocol (IGMP) snooping with bridging, integrated

routing and bridging (IRB), or VPLS

• Intelligent hierarchical policers

• Layer 2 trunk port

• MPLS-fast reroute (FRR) VPLS instance prioritization

• Precision Time Protocol (PTP) (IEEE 1588)

• Synchronous Ethernet

The following features are not supported on MPC6E:

• Fine-grained queuing and input queuing

• Unified in-service software upgrade (ISSU)

• Active flowmonitoring and services

• Virtual Chassis support


MX2020MPC5E.]

• Support for fixed-configurationMPC onMX240, MX480, MX960, MX2010, andMX2020 routers—MX240, MX480, MX960, MX2010 and MX2020 routers support anewMPC, MPC5E (model number: MPC5E-40G10G). On the MX2010 and MX2020







routers, MPC5E is housed in an adapter card. MPC5E is a fixed-configurationMPCwith

four built-in PICs and does not contain separate slots for Modular Interface Cards

(MICs). MPC5E supports two Packet Forwarding Engines, PFEO and PFE1. PFE0 hosts

PIC0 and PIC2while PFE1 hosts PIC1 and PIC3. A maximum of two PICs can be kept

powered on (PIC0 or PIC2 and PIC1 or PIC3). The other PICs are required to be kept

powered off.

MPC5E supports:

• Flexible queuing option by using an add-on license

• Forwarding capability of up to 130 Gbps per Packet Forwarding Engine


• Quad small form-factor pluggable plus transceivers (QSFP+) and small form-factor

pluggable plus transceivers (SFP+) for connectivity

• Up to 240 Gbps of full-duplex traffic

• WAN-PHYmode on 10-Gigabit Ethernet Interfaces on a per-port basis

Formore informationabout thesupportedandunsupported JunosOSsoftware features

for this MPC, see Protocols and Applications Supported by the MX240, MX480, MX960,

MX2010, andMX2020MPC5E.

• Support for new fixed-configuration queuingMPC onMX240, MX480, MX960,MX2010, andMX2020 routers—MX240, MX480, MX960, MX2010, and MX2020routers support a new queuing MPC, MPC5EQ (model number: MPC5EQ-40G10G).

On theMX2010 andMX2020 routers, MPC5EQ is housed in an adapter card. MPC5EQ,

like MPC5E, is a fixed-configuration MPCwith four built-in PICs and does not contain

separate slots for Modular Interface Cards (MICs). MPC5EQ, like MPC5E supports two

Packet ForwardingEngines,PFEOandPFE1.PFE0hostsPIC0andPIC2whilePFE1hosts

PIC1 andPIC3. Amaximumof twoPICs can be kept powered on (PIC0 orPIC2 andPIC1

or PIC3). The other PICs are required to be kept powered off.

MPC5EQ supports 1 million queues per slot on all MX Series routers. All the other

software features supported on MPC5E are also supported on MPC5EQ.

Formore informationabout thesupportedandunsupported JunosOSsoftware features

for this MPC, see Protocols and Applications Supported by the MX240, MX480, MX960,

MX2010, andMX2020MPC5EProtocols and Applications Supported by the MX240,

MX480, MX960, MX2010, and MX2020 MPC5E.

• Support forOTNMIConMPC6E(MX2010andMX2020routers)—Startingwith JunosOS Release 13.3R3, the 24-port 10-Gigabit Ethernet OTNMIC with SFPP

(MIC6-10G-OTN) is supported on MPC6E on the MX2010 and MX2020 routers. The

OTNMIC supports both LAN PHY andWAN PHY framingmodes on a per-port basis.

The MIC supports the following features:

• Transparent transport of 24 10-Gigabit Ethernet signals with optical channel data

unit 2 (ODU2) and ODU2e framing on a per port basis

• ITU-standard optical transport network (OTN) performancemonitoring and alarm

management







• Pre-forwarderror correction (pre-FEC)-basedbit error rate (BER). Fast reroute (FRR)

uses the pre-FEC BER as an indication of the condition of an OTN link

To configure the OTN options for this MIC, use the set otn-options statement at the

[edit interfaces interfaceType-fpc/pic/port] hierarchy level.

• OTNsupport for 10-GigabitEthernetand 100-GigabitEthernet interfacesonMPC5EandMPC6E (MX240, MX480, MX960, MX2010, andMX2020 routers)—Junos OSRelease 13.3 extends optical transport network (OTN) support for 10-Gigabit Ethernet

and 100-Gigabit Ethernet interfaces on MPC5E and MPC6E. MPC5E-40G10G and

MPC5EQ-40G10GsupportOTNon10-GigabitEthernet interfaces,andMPC5E-100G10G

andMPC5EQ-100G10GsupportOTNon 10-GigabitEthernet interfacesand 100-Gigabit

Ethernet interfaces. The OTNMICs MIC6-10G-OTN and MIC6-100G-CFP2 on MPC6E

support OTN on 10-Gigabit Ethernet interfaces and 100-Gigabit Ethernet interfaces,

respectively.

OTN support includes:

• Transparent transport of 10-Gigabit Ethernet signals with optical channel transport

unit 2 (OTU2) framing

• Transparent transport of 100-Gigabit Ethernet signals with OTU4 framing

• ITU-T standard OTN performancemonitoring and alarmmanagement

Compared with SONET/SDH, OTN provides stronger forward error correction,

transparent transport of client signals, and switching scalability. To configure the OTN

options for the interfaces, use the set otn-options configuration statement at the [edit

interfaces interfaceType-fpc/pic/port] hierarchy level.

• Support for 100 Gigabit-Ethernet OTNMIC onMPC6E (MX2010 andMX2020routers)—Startingwith JunosOSRelease 13.3R3, the 2-port 100-Gigabit EthernetMICwith CFP2 (MIC6-100G-CFP2) is supported on MPC6E. The MIC supports optical

transport network (OTN) features on the 100-Gigabit Ethernet interfaces and also

supports line-rate throughput of 100 Gbps per port.

The following OTN features are supported:

• Transparent transport of 2-port 100-Gigabit Ethernet signals with optical channel

data unit 4 (ODU4) framing for each port

• ITU-standard OTN performancemonitoring and alarmmanagement

• Generic forward error correction (GFEC)

To configure OTN options for this MIC, use the set otn-options statement at the [edit

interfaces interfaceType-fpc/pic/port] hierarchy level.

• Support for MPC5E on SCBE2 (MX Series routers)—Starting with Junos OS Release13.3R3, MPC5E is supported on SCBE2 on MX240, MX480, and MX960 routers.

• Support for enhanced 20-port Gigabit Ethernet MIC (MX5, MX10, MX40, MX80,MX240,MX480,andMX960)—Starting in JunosOSRelease 13.3, anenhanced20-portGigabit EthernetMIC(modelnumberMIC-3D-20GE-SFP-E) is supportedonMXSeries

routers. This enhancedMIC supports up to 20 SFP optical transceiver modules, which

include the following:



• Fiber-optic small form-factor pluggable (SFP) transceivers:

• 1000BASE-LH (model number: SFP-1GE-LH)

• 1000BASE-LX (model number: SFP-1GE-LX)

• 1000BASE-SX (model number: SFP-1GE-SX)

• Copper SFP transceiver:

• 1000BASE-T (model number: SFP-1GE-T)

• Bidirectional SFP transceivers:

• 1000BASE-BX (model number pairs: SFP-GE10KT13R14 with SFP-GE10KT14R13,

SFP-GE10KT13R15 with SFP-GE10KT15R13, SFP-GE40KT13R15 with

SFP-GE40KT15R13)

These optical transceiver modules can be hot-swapped. You can view the enhanced

20-portGigabitEthernetMIC informationbyusing theshowchassishardwarecommand.

• Multiservices MIC support (MX104)—Starting with Junos OS Release 13.3R2, theMultiservices MIC (MS-MIC-16G) is supported on MX104 3D Universal Edge Routers.

TheMultiservicesMIChasanenhancedmemoryof 16GBandprovides improvedscaling

and high performance. Only oneMultiservicesMIC is supported on theMX104 chassis.

The Multiservices MIC supports the following software features:

• Active flowmonitoring and export of flowmonitoring version 9 records, based on

RFC 3954

• IP Security (IPsec) encryption

• Network Address Translation (NAT) for IP addresses

• Port Address Translation (PAT) for port numbers

• Stateful firewallwithpacket inspection—detectsSYNattacks, ICMPandUDPfloods,

and ping-of-death attacks

• Traffic sampling

[SeeMultiservices MIC.]

• SFPP-10G-ZR-OTN-XT (MX Series, T1600, and T4000)—Starting with Junos OSRelease 13.3R3, theSFPP-10G-ZR-OTN-XTdual-rateextendedtemperature transceiver

provides a duplex LC connector and supports the 10GBASE-Z optical interface

specification andmonitoring. The transceiver is not specified as part of the 10-Gigabit

Ethernet standard and is instead built according to ITU-T and Juniper Networks

specifications. In addition, the transceiver supports LAN-PHY andWAN-PHYmodes

and OTN rates and provides a NEBS-compliant 10-Gigabit Ethernet ZR transceiver for

the MX Series interface modules listed here. The following interface modules support

the SFPP-10G-ZR-OTN-XT transceiver:



http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mic-mx-series-ms.html

MX Series:

• 10-Gigabit Ethernet MIC with SFP+ (model number:

MIC3-3D-10XGE-SFPP)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3, and

later

• 16-port 10-Gigabit Ethernet (model number: MPC-3D-16XGE-SFPP)—Supported in

Junos OS Release 12.3R5, 13.2R3, 13.3, and later

• 32-port 10-Gigabit Ethernet MPC4E (model number:

MPC4E-3D-32XGE-SFPP)—Supported in JunosOSRelease 12.3R5, 13.2R3, 13.3, and

later

• 2-port 100-Gigabit Ethernet + 8-port 10-Gigabit Ethernet MPC4E (model number:

MPC4E-3D-2CGE-8XGE)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3, and

later

T1600 and T4000 routers:

• 10-GigabitEthernetLAN/WANPICwithOversubscriptionandSFP+(modelnumbers:

PD-5-10XGE-SFPP and PF-24XGE-SFPP)—Supported in Junos OS Release 12.3R5,

13.2R3, 13.3, and later

• 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (model number:

PF-12XGE-SFPP)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3, and later

Formore informationabout interfacemodules, see the “CablesandConnectors” section

in the Interface Module Reference for your router.

[See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications.]

• Support for hypermode to increase packet processing rate on enhancedMPCs(MX240, MX480, MX960, MX2010, andMX2020 routers)—Starting in Junos OSRelease 13.3R4,MPC3E,MPC4E,MPC5E, andMPC6E support the hyper-mode feature.

Enabling thehypermode feature increases the rateatwhichadatapacket is processed,

which results in the optimization of the lifetime of a data packet. Optimization of the

data packet lifetime enables better performance and throughput.

NOTE: You can enable hyper mode only if the network-servicemode onthe router is configured as either enhanced-ip or enhanced-ethernet. Also,

youcannotenable thehypermode feature foraspecificPacketForwardingEngine on anMPC—that is, when you enable the feature, it is applicablefor all Packet Forwarding Engines on the router.

When you enable the hyper mode feature, the following features are not supported:

• Creation of Virtual Chassis.

• Interoperability with legacy DPCs, including MS-DPCs. The MPC in hyper mode

accepts and transmits data packets only from other existing MPCs.

• Interoperability with non-Ethernet MICs and non-Ethernet Interfaces such as

channelized interfaces, multilink interfaces, and SONET interfaces.



http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/specifications/transceiver-m-mx-t-series-10-gigabit-optical-specifications.html

• Padding of Ethernet Frames with VLAN.

• Sending Internet Control Message Protocol (ICMP) redirect messages.

• Termination or tunneling of all subscriber-based services.

• To configure the hyper mode feature, use the hyper-mode statement at the [edit

forwarding-options] hierarchy level. To view the changedconfiguration, use the show

forwarding-options hyper-mode command.

Authentication, Authorization, and Accounting (AAA) (RADIUS)

• RADIUS functionality over IPv6 for systemAAA—Startingwith Release 13.3R4, JunosOS supports RADIUS functionality over IPv6 for system AAA (authentication,

authorization, and accounting) in addition to the existing RADIUS functionality over

IPv4 for system AAA. With this feature, Junos OS users can log in to the router

authenticated through RADIUS over an IPv6 network. Thus, Junos OS users can now

configure both IPv4 and IPv6 RADIUS servers for AAA. To accept the IPv6 source

address, include the source-address statement at the [edit system radius-server IPv6]

hierarchy level. (If an IPv6 RADIUS server is configured without any source-address,

default ::0 is considered as the source address.)

Class of Service (CoS)

• CCCandTCCsupportonFRF.15,FRF.16,andMLPPP interfaces(MXSeries)—Startingwith Release 13.3, Junos OS supports Circuit Cross Connect (CCC) and Translational

Cross Connect (TCC) over Multilink Frame Relay (MLFR) UNI NNI (FRF.16) interface

and TCC over Multilink Frame Relay (MLFR) end-to-end (FRF.15) and Multilink

Point-to-Point Protocol (MLPPP) interfaces. You can implement the cross-connect

over anMPLSnetworkor a local-switchednetwork.Whenyouconfigure cross-connect

over these interfaces, thepeer interfacecanbeofanyof the interface types that support

cross-connect.

To configure CCC over FRF.16/MFR interfaces, include the following statements under

the [edit interfaces interface-name unit number] hierarchy level:

family ccc {translate-discard-eligible;translate-fecn-and-becn;translate-plp-control-word-de;no-asynchronous-notification;

}

To configure TCC over FRF.15/MLFR, FRF.16/MFR, or MLPPP interfaces, include the

followingconfigurationunder the [edit interfaces interface-nameunitnumber]hierarchy

level:

family tcc {protocols [inet isompls];no-asynchronous-notification;

}

To complete CCC or TCC configurations over the multilink Frame Relay interfaces, you

must also specify the interface name under one of the following hierarchies:



• [edit protocols l2circuit neighbor ip-address] if the switching is done over a Layer 2

circuit.

• [edit protocols connections remote-interface-switch remote-if-sw] if the switching

is done over a remote interface switch.

• [edit protocols connections interface-switch local-if-switch] if the switching is done

using a local switch.

• Support for IPv6 traffic over IPsec tunnels onMS-MICs andMS-MPCs (MXSeries)—Starting with Release 13.3, Junos OS extends IPsec support on MS-MICs andMS-MPCs to IPv6 traffic. IPsec support on MS-MICs and MS-MPCs is limited to the

ESP protocol, and now enables you to configure IPv4 and IPv6 tunnels that can carry

IPv6 as well as IPv4 traffic. To enable IPv6 traffic over an IPsec tunnel, configure an

IPv6 address for the local-gateway statement under the [edit services service-set

service-set-name ipsec-vpn-options] hierarchy level.

• CoS show command enhancements (MX Series)—Starting in Release 13.3, Junos OSextendssupport forCoS showcommandswith theadditionof the showclass-of-service

scheduler-hierarchy interfaceand showclass-of-servicescheduler-hierarchy interface-set

commands. These commands display subscriber class-of-service interface and

interface-set information.

[See show class-of-service scheduler-hierarchy interface and show class-of-service

scheduler-hierarchy interface-set.]

• Traffic schedulingandshaping support forGRE tunnel interfaceoutputqueues (MXSeries)—Beginning with Junos OS Release 13.3, you canmanage output queuing oftraffic entering GRE tunnel interfaces hosted on MIC or MPC line cards in MX Series

routers. Support for the output-traffic-control-profile configuration statement, which

applies an output traffic scheduling and shaping profile to the interface, is extended

to GRE tunnel physical and logical interfaces. Support for the

output-traffic-control-profile-remaining configuration statement, which applies an

output traffic scheduling and shaping profile for remaining traffic to the interface, is

extended to GRE tunnel physical interfaces.

NOTE: Interface sets (sets of interfaces used to configure hierarchical CoSschedulers on supported Ethernet interfaces) are not supported on GREtunnel interfaces.

[See Configuring Traffic Control Profiles for Shared Scheduling and Shaping.]

• New forwarding-class-accounting statement onMX Series routers—Starting in JunosOS Release 13.3R3, new forwarding class accounting statistics can be enabled at the

[edit interfaces interface-name] and the [edit interfaces interface-name unit

interface-unit-number] hierarchy levels. These statistics replace theneed touse firewall

filters for gathering accounting statistics. Statistics can be gathered and displayed for

IPv4, IPv6, MPLS, Layer 2 and Other families in ingress, egress, or both directions.

• Support for CoS hierarchical schedulers onMPC5E (MX240, MX480, MX960,MX2010,andMX2020routers)—Starting in JunosOSRelease 13.3R3, class-of-service



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-class-of-service-scheduler-hierarchy-interface.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-class-of-service-scheduler-hierarchy-interface-set.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-class-of-service-scheduler-hierarchy-interface-set.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/cos-configuring-traffic-control-profiles-for-shared-scheduling-and-shaping.html

(CoS) hierarchical schedulers can be configured on MPC5E interfaces. This feature is

supported on egress only.

You can use hierarchical schedulers to define traffic control profiles, which set the

following CoS parameters on a CoS interface:

• Delay buffer rate

• Excess bandwidth

• Guaranteed rate

• Overhead accounting

• Scheduler map

• Shaping rate

General Routing

• Nonstop active routing support for logical systems (MX Series)—Starting in JunosOSRelease 13.3, this featureenablesnonstopactive routing support for logical systems

using the nonstop-routing option under the [edit logical-systems logical-system-name

routing-options] hierarchy. As a result of extending nonstop active routing support for

logical systems, the logical-systems argument has been appended in some show

operational commands to allow display of status, process, and event details.

• Nonstopactive routing formultipoint labeldistributionprotocol (MSeries,MXSeries,and T Series)—Starting in Junos OS Release 13.3, this feature enables nonstop activerouting for the multipoint label distribution protocol, using the nonstop-routing option

at the [edit routing-options] hierarchy level. Themultipoint label distribution protocol

state, event, and process details can be viewed using the p2mp-nsr-synchronization

flag under trace-options.

[See p2mp-ldp-next-hop.]

The showldpdatabasecommanddisplays theentries in theLabelDistributionProtocol

(LDP) database for master and standby Routing Engines.

[See show ldp database.]

Theshowldpp2mptunnelcommanddisplays theLDPpoint-to-multipoint tunnel table

information.

[See show ldp p2mp tunnel.]



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/p2mp-ldp-next-hop.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-ldp-database.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-ldp-p2mp.html


• MXSeries Virtual Chassis support for multichassis link aggregation (MX Seriesrouters with MPCs)—Starting in Junos OS Release 13.3, an MX Series Virtual Chassissupports configuration of multichassis link aggregation (MC-LAG). MC-LAG enables

a device to form a logical link aggregation group interface with two or more other

devices. The MC-LAG devices use the Inter-Chassis Communication Protocol (ICCP)

to exchange control information between twoMC-LAG network devices.

When you configure MC-LAGwith an MX Series Virtual Chassis, the link aggregation

group spans links to two Virtual Chassis configurations. Each Virtual Chassis consists

of two MX Series member routers that form a logical systemmanaged as a single

network element. ICCP exchanges control information between the global master

router (VC-M) of the first Virtual Chassis and the VC-M of the second Virtual Chassis.

NOTE: Internet GroupManagement Protocol (IGMP) snooping is notsupported onMC-LAG interfaces in an MX Series Virtual Chassis.

[See Configuring Multichassis Link Aggregation.]

• TCPauto-merge support in nonstop active routing for short duration hold timers forprotocols (BGP, LDP) (kernel) (M Series, MX Series, and T Series)—Beginning withJunosOSRelease 13.3, TCPauto-merge support in nonstopactive routing for protocols

(BGP, LDP) (kernel) is enabledon theMSeries,MXSeries, andTSeries.Nonstopactive

routing automerge is one of the kernel components of the socket replication. On

switchover, this componentmerges the socket pairs automatically from the secondary

to the primary Routing Engine. Currently, nonstop active routing switchover from

secondary to primary happenswhen rpd issues amerge call for each secondary socket

pair to merge them to a single socket, which can result in a delay. To avoid this delay,

this feature introducesanautomergemodule in thekernel thatdecouples thesecondary

socket merge from rpd and automatically merges secondary sockets on switchover

so that the rpd high priority thread takes advantage of this and generates faster

keep-alive to sustain TCP connections on switchover.

• Nonstop active routing support for BGP addpath (M Series, MX Series, and TSeries)—Beginning in Junos OS Release 13.3, nonstop active routing support for BGPaddpath is available on the M Series, MX Series, and T Series. Nonstop active routing

support is enabled for the BGP addpath feature. After the nonstop active routing

switchover, addpath-enabled BGP sessions do not bounce. The secondary Routing

Engine maintains the addpath advertisement state before the nonstop active routing

switchover.

• Interchassis high availability provides stateful redundancy (MS-MPC andMS-MICinterface cards onMXSeries routers)—Starting with Release 13.3, Junos OS supportsstateful high availability (HA) to replicate flow states on an activeMS-MPCorMS-MIC

service card to a standby MS-MPC or MS-MIC service card on a different chassis. This

enables the preservation of the state of the existing flows in case of a planned or

unplanned switchover.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/interfaces-configuring-multi-chassis-link-aggregation.html

Services to be synchronized statefully include:

• Stateful firewall

• NAT (NAPT44 and APP only)

Both IPv4 and IPv6 sessions are synchronized.

Synchronizationoccurs for long-lived flowsasdefinedbyaconfigurable synchronization

threshold.

[See Inter-Chassis High Availability for MS-MIC andMS-MPC.]

• Support for unified in-service software upgrade onMX Series routers with MPC3andMPC4E (MX240, MX480, andMX960)—Starting in Release 13.3, Junos OSsupports unified in-service software upgrade (ISSU) on MX Series routers with MPC3

and MPC4E. Unified ISSU is a process to upgrade the system software with minimal

disruption of transit traffic and no disruption of the control plane. In this process, the

new system software version must be later than the version of the previous system

software. When unified ISSU completes, the new system software state is identical

to that of the system software when the system upgrade is performed through a cold

boot.

• MXSeriesVirtual Chassis support for inline flowmonitoring (MXSeries routerswithMPCs)—Starting in Junos OS Release 13.3R3, you can configure inline flowmonitoring

for anMXSeries Virtual Chassis. Inline flowmonitoring enables you to activelymonitor

the flow of traffic by means of a router participating in the network.

Inline flowmonitoring for an MX Series Virtual Chassis provides the following support:

• Active sampling and exporting of both IPv4 and IPv6 traffic flows

• Sampling traffic flows in both the ingress and egress directions

• Configuration of flow collection on either IPv4 or IPv6 devices

• Use of the IPFIX flow collection template for traffic sampling (both IPv4 and IPv6

export records)

• MXSeries Virtual Chassis support for L2TP LNS (MX Series)—Starting in Junos OSRelease 13.3R8,MXSeriesVirtualChassisconfigurationssupportL2TPLNSfunctionality.

[See L2TP for Subscriber Access Overview.]


• Transmit ESMC SSMquality level from synchronous Ethernetmode (MXSeries)—Starting in Junos OS Release 13.3, when an MX Series router is configured insynchronous Ethernet mode, the ESMC SSM quality level can be transmitted. The setchassis synchronizationmax-transmit-quality-level command sets a thresholdquality level for the entire system.

• Ethernet frame padding with VLAN (DPCs andMPCs running onMX Seriesrouters)—Starting in JunosOSRelease 13.3, DPCs andMPCs onMXSeries routers padthe Ethernet frame with 68 bytes if the packet is VLAN tagged and the frame length

is less than68bytesandgreater thanor equal to64bytesat theegressof the interface.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/topic-map/nat-interchassis-high-availability-msmic-msmpc.html

https://www.juniper.net/documentation/en_US/junos13.3/topics/concept/subscriber-management-l2tp-overview.html

• PTP redundancy support for line cards (MX Series andMSeries)—Beginning withJunos OS Release 13.3, line cards on MX Series and M Series routers support slave

redundancy. If multiple slave streams are configured across line cards and the active

slave line card crashes or all of the streams on that line card lose their timing packets,

another slave line card takes over if it has been primed to do so.

• Increased Layer 3 forwarding capabilities forMPCs andMultiservicesDPCs throughFIB localization(MXSeries)—Starting in JunosOSRelease 13.3, forwarding informationbase (FIB) localization characterizes the Packet Forwarding Engines in a router into

two types: FIB-Remote and FIB-Local. FIB-Local Packet Forwarding Engines install all

of the routes from the default route tables into Packet Forwarding Engine forwarding

hardware. FIB-Remote Packet Forwarding Engines create a default (0.0) route that

referencesanexthoporaunilist ofnexthops to indicate theFIB-Local that canperform

full IP table looks-ups for received packets. FIB-Remote Packet Forwarding Engines

forward received packets to the set of FIB-Local Packet Forwarding Engines.

The capacity of MPCs is much higher than that of Multiservices DPCs, so an MPC is

designatedas the localPacketForwardingEngine, andaMultiservicesDPC isdesignated

as the remote Packet Forwarding Engine. The remote Packet Forwarding Engine

forwards all network-bound traffic to the local Packet Forwarding Engine. If multiple

MPCs are designated as local Packet Forwarding Engines, then the Multiservices DPC

load balances the traffic using the unilist of next hops as the default route.

• Support for centralized clocking (MX2020)—Before Junos OS Release 13.3, theMX2020 supported SyncE (Synchronous Ethernet) in distributedmode, where the

clock module on a line card would lock to the SyncE source and distribute frequency

references to the entire chassis. Starting in Junos OS Release 13.3, the MX2020 uses

the centralized Stratum 3 clock module on the control board to lock onto SyncE and

distribute the frequency to the entire chassis. Supported features include:

• Clock monitoring, filtering, and holdover

• Hitless transition from a distributed to centralized clocking mode

• Distribution of the selected chassis clock source to downstream network elements

through supported line interfaces

You can view the centralized clock module information with the show chassis

synchronization clock-module command.

NOTE: PrecisionTimeProtocol/IEEE1588continuetooperate indistributedmode.

• Enhancements to commit check processing (M Series andMX Series)—Starting inJunos OS Release 13.3, the processing performance when you issue the commit check

command has been optimized for the following static and dynamic interface types:

• Logical demultiplexing (demux) interfaces (demux0)

• PPPoE logical interfaces (pp0)

• Inline services interfaces (si)



The improved performance for commit check enables the overall commit operation to

complete fasterwhennewdemux0, pp0, or si interfacesareadded to theconfiguration.

• Support for ATM virtual connectionmultiplexing and LLC encapsulation (MXSeries)—Starting in Junos OS Release 13.3, ATM virtual connection (VC) multiplexing

and logical link control (LLC) encapsulation are supported on the Channelized

OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP. ATM virtual connection

multiplexing and LLC are the twomethods for identifying the protocol carried in ATM

AdaptationLayer5 (AAL5) frames.Themethodsaredefined inRFC2684,Multiprotocol

Encapsulation over ATM Adaptation Layer 5.

In theATMvirtual connectionmultiplexingmethod, eachATMvirtual connectioncarries

protocol dataunits (PDUs)of exactly oneprotocol type.Whenmultipleprotocols need

to be transported, there is a separate virtual connection for each protocol.

TheLLCencapsulationmethodenablesmultiplexingofmultipleprotocolsoverasingle

ATM virtual connection. The protocol type of each PDU is identified by a prefixed IEEE

802.2 LLC header.

[See ATMSupport on Circuit Emulation PICs Overview.]

• Support for MPLS-signaled LSPs to use GRE tunnels (MXSeries)—Starting in JunosOS Release 13.3, MPLS label-switched paths (LSPs) can use generic routing

encapsulation(GRE) tunnels to traverse routingareas, autonomoussystems,and ISPs.

Bridging MPLS LSPs over an intervening IP domain is possible without disrupting the

outlying MPLS domain. This feature is supported on the Channelized OC3/STM1

(Multi-Rate) Circuit Emulation MIC with SFP and is defined in the RFC 4023,

Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE).

[See Configuring MPLS-Signaled LSPs to Use GRE Tunnels.]

• Support for SCBE2 (MX240, MX480, andMX960)—Starting in Junos OS Release13.3, the Enhanced SCB—SCBE2 supports the following features:

• Increased fabric bandwidth per slot

• Improved external clock redundancy

• Dynamic multicast replication only

• GRES

The following scenarios are to be noted when you are using an MX Series router with

an SCBE2:

• Youmust configure the set chassis network-services (enhanced-ip |

enhanced-ethernet) configuration command and reboot the router to bring up the

FPCs on the router. However, after the router reboots, the MS DPC, the MX FPC, and

the ADPC are powered off.

• All the FPCs and DPCs in the router are powered off when you reboot the router

without configuring either the enhanced-ip option or the enhanced-ethernet option

at the [edit chassis network-services] hierarchy level.

• Youmust reboot the router when you configure or delete the enhanced-ip option or

the enhanced-ethernet option at the [edit chassis network-services] hierarchy level.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/interfaces-atm-support-on-circuit-emulation-pics-overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/mpls-configuring-mpls-signaled-lsps-to-use-gre-tunnels.html

[See Centralized Clocking Overview and Network Services Mode Overview.]

• Support for GPS external clock interface on the SCBE (MX240, MX480, andMX960)—Starting with Junos OS Release 13.3, you can configure the EnhancedSCB—SCBE—external clock interface to a GPS timing source, which enables you to

select a GPS external source as the chassis clock source. You can also configure the

external clock interface tooutput either the selectedchassis clock sourceor a recovered

line clock source with GPS timing signals of 1 MHz, 5 MHz, or 10 MHz with 1 pulse per

second (PPS).

[See Centralized Clocking Overview and Understanding Clock Synchronization onMX

Series Routers.]

• Support for mixed-ratemode (T4000 and TXMatrix Plus with 3D SIBs)—Startingwith Junos OS Release 13.3, dual-rate mode or mixed-rate mode for PF-24XGE-SFPP

allows you to configure a mix of port speeds of 1 Gigabit and 10 Gigabit. However, on

PF-12XGE-SFPP, note that youcanconfigureport speedsof either 1Gigabit or 10Gigabit

when the PIC is in line rate mode.

You can enable mixed-rate-mode and set port speeds with themixed-rate-mode

statement and the speed 1G |10G statement, respectively, at the [edit chassis fpc x pic

y] hierarchy level. You can disable themixed-ratemode by using the delete chassis fpc

x pic ymixed-rate-mode statement.

[See Configuring Mixed-Rate Mode Operation.]

• ExtendedMPC support for per-unit schedulers (MX Series)—Starting in Junos OSRelease 13.3, you can configure per-unit schedulers on the non-queuing 16x10GEMPC,

MPC3E, andMPC4E,meaning you can include the per-unit-scheduler statement at the

[edit interfaces interface name] hierarchy level. When per-unit schedulers are enabled,

you can define dedicated schedulers for the logical interfaces.

Enablingper-unit schedulerson the 16x10GEMPC,MPC3E, andMPC4Eaddsadditional

output to the show interfaces interface name [detail | extensive] command. This

additional output lists themaximumresourcesavailableand thenumberof configured

resources for schedulers.

[See Scheduler Maps and Shaping Rate to DLCIs and VLANs.]

• Provider edge link protection for BGP labeled unicast paths (M Series, MX Series,and T Series)—Starting in Junos OS Release 13.3, a precomputed protection path canbe configured in a Layer 3 VPN such that if a BGP labeled-unicast path between an

edge router in oneASand an edge router in another AS goes down, the protection path

(also known as the backup path) between alternate edge routers in the two ASs can

be used. This is useful in carrier-of-carriers deployments, where a carrier can have

multiple labeled-unicast paths to another carrier. In this case, the protection path

avoids disruption of service if one of the labeled-unicast paths goes down.

[See Understanding Provider Edge Link Protection for BGP Labeled Unicast Paths.]

• Redundant logical tunnels (MXSeries)—Beginningwith JunosOSRelease 13.3, whenyouconnect twodevices through logical tunnels, you cancreateandconfiguremultiple

physical logical tunnels and add them to a virtual redundant logical tunnel to provide

redundancy.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/chassis_centralized_clocking_overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/network-services-mode-overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/chassis_centralized_clocking_overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/chassis-external-clock-synchronization-interface-understanding-mx.html


http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/configure-mixed-mode-operation-10ge-pic.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/cos-applying-scheduler-maps-and-shaping-rate-to-dlcis-and-vlans.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/labeled-unicast-provider-edge-link-protection-overview.html

• License support to activate ports (MX104)—Starting with Junos OS Release 13.3,license support has been extended for activating the ports on MX104 3D Universal

Edge Routers. MX104 routers have four built-in ports. By default, in the absence of any

valid licenses, all four built-in ports are deactivated. The upgrade license model with

the feature IDs is described in Table 1 on page 43.

Table 1: Port LicenseModel for theMX104

FunctionalityFeature NameFeature ID

Ability to activate the first two built-in ports (xe-2/0/0 andxe-2/0/1)

MX104 2X10G Port Activate (0 and 1)F1

Ability to activate the next two built-in ports (xe-2/0/2 andxe-2/0/3)

MX104 2X10G Port Activate (2 and 3)F2

Both features are also provided in a single license key for ease of use. MX104 routers

do not support the graceful license expiry policy.

• Enhanced load-balancing for MIC andMPC interfaces (MX Series)—Starting withJunos OS Release 13.3, the following load-balancing solutions are supported on

aggregate Ethernet bundles to correct genuine traffic imbalance among themember

links:

• Adaptive—Uses real-time feedback and controlmechanism tomonitor andmanage

traffic imbalances.

• Per-packet randomspray—Randomly sprays thepackets to theaggregate next hops

to ensure that the next hops are equally loaded, resulting in packet reordering.

TheaggregatedEthernet load-balancing solutionsaremutually exclusive. Toconfigure,

use the adaptive or per-packet statement at the [edit interfaces aex

aggregated-ether-options load-balance] hierarchy level.

[See Example: Configuring Aggregated Ethernet Load Balancing.]

• Support for configuring interface alias names—Starting in JunosOSRelease 13.3, youcan configure a textual description of a logical unit on a physical interface to be the

alias of an interface name. Interface aliasing is supported only at the unit level. If you

configure an alias name, the alias name is displayed instead of the interface name in

the output of all show, show interfaces, and other operational mode commands.

Configuring an alias for a logical unit of an interface has no effect on how the interface

on the router or switch operates. To specify an interface alias, you can use the alias

statement at the [edit interfaces interface-name unit logical-unit-number] and [edit

logical-systems logical-system-name interfaces interface-nameunit logical-unit-number]

hierarchy levels.

[See Interface Alias NameOverview.]

• The request support informationcommand(MXSeries)—Starting in JunosOSRelease13.3, when you enter the request support information command with or without the

brief statement, the output includes the showsystemcommit commandoutput,which

displays the commit history and pending commits.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/topic-map/aggregated-ethernet-load-balanicng.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/interfaces-alias-name-overview.html

• Pseudowire logical interfacedeviceMACaddressconfiguration(MXSeries)—Startingin Junos OS Release 13.3, you can configure a MAC address for a pseudowire logical

interface device that is used for subscriber interfaces over point-to-point MPLS

pseudowires. This feature enables you to specify the MAC address of your choice in

situations in which network constraints require the use of an explicit MAC address.

[See Configuring a Pseudowire Subscriber Logical Interface Device.]

• Support for synchronizing the CB of anMX2020 router with external BITS timingsources (MX2020)—Starting in Junos OS Release 13.3, this feature providesbuilding-integrated timing supply (BITS) input and output support to the two external

clock interfaces (ECI) on the Control Board. You can configure the ECIs for both input

and output BITS. In the absence of any configuration, the ECI is inactive.

You can configure the BITS ECI by using the synchronization statement at the [edit

chassis] hierarchy level. You can view the BITS ECI information by using the show

chassis synchronization extensive command.

[See Understanding Clock Synchronization onMX Series Routers.]

• Distribution of Ethernet connectivity fault management sessions (MXSeries)—Starting with Junos OS Release 13.3, connectivity fault management (CFM)sessions operate in distributedmode and can be processed on the Flexible PIC

Concentrator (FPC) on aggregated Ethernet interfaces. As a result, graceful Routing

Engine switchover (GRES) is supported on aggregated Ethernet interfaces. In releases

before Junos OS Release 13.3, CFM sessions operate in centralizedmode and are

processed on the Routing Engine. However, CFM sessions are not supported on

aggregated Ethernet interfaces if the interfaces that form the aggregated Ethernet

bundle are in mixedmode.

CFM sessions are distributed by default. To disable the distribution of CFM sessions

andtooperate incentralizedmode, include theppmno-delegate-processingstatement

at the [edit routing-options ppm] hierarchy level. However, all CFM sessions should

operate in either only distributed or only centralizedmode. Amixed operation of

distributed and centralizedmodes for CFM sessions is not supported.

[See IEEE 802.1ag OAMConnectivity Fault Management Overview.]

• Redundant logical tunnels (MXSeries)—Beginningwith JunosOSRelease 13.3, whenyouconnect twodevices through logical tunnels, you cancreateandconfiguremultiple

physical logical tunnels and add them to a virtual redundant logical tunnel to provide

redundancy.

[See Example: Configuring Redundant Logical Tunnels.]

• Source class accounting (T4000)—Starting with Junos OS Release 13.3R2, sourceclass usage (SCU) accounting is performed at ingress on a T4000 Type 5 FPC.

• SFPP-10G-CT50-ZR (MX Series)—Beginning in Junos OS Release 13.3R3, theSPFF-10G-CT50-ZR tunable transceiver provides a duplex LC connector and supports

the 10GBASE-Z optical interface specification andmonitoring. The transceiver is not

specified as part of the 10-Gigabit Ethernet standard and is instead built according to

Juniper Networks specifications. OnlyWAN-PHY and LAN-PHYmodes are supported.

To configure the wavelength on the transceiver, use thewavelength statement at the



http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/pseudowire-interfaces-configuring.html


http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/interfaces-ieee-802-1ag-oam-connectivity-fault-management-overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/redundant-logical-tunnel.html

[edit interfaces interface-name optics-options] hierarchy level. The following interface

module supports the SPFF-10G-CT50-ZR transceiver:

MX Series:

• 16-port 10-GigabitEthernetMPC(modelnumber:MPC-3D-16XGE-SFPP)—Supported

in Junos OS Release 12.3R6, 13.2R3, 13.3R2, 14.1, and later.



[See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications andwavelength.]

• PTP path tracemechanism onMX Series—Starting with Junos OS Release 13.3R4,you can use a path trace mechanism to detect PTP loops in a PTP ring topology over

an IPv4 network. A path trace is the route that aPTPannouncemessage takes through

the network trail of boundary clocks and is tracked through the path trace TLV in the

announcemessage. The path trace sequence contains the clock ID of each boundary

clock that an announcemessage traverses. To view the path trace, use the show ptp

path-trace detail operational mode command.

• Software feature support (MX104)—Starting in Junos OS Release 13.3, support isextended for the following software features on theMX1043DUniversal EdgeRouters:

• IP features—IPv6ProviderEdge(6PE),AccessNodeControlProtocol (ANCP),DHCP

snooping, DHCPOption-82, Multicast Listener Discovery (MLD), and Domain Name

System (DNS).

• MPLS features—MPLS Transport Profile (MPLS-TP), ATM Single Cell Relay over

MPLS (CRoMPLS) VCMode, Generalized MPLS (GMPLS), and VPNv6.

• Multicast features—Distance VectorMulticast Routing Protocol (DVMRP), Multicast

Listener Discovery (MLD), Multicast Listener Discovery (MLD) Snooping, draft

rosen-multicast VPNs, Multicast version 6, and DHCPv6.

• Layer 2 features—802.1ag threshold negotiation, 802.1X, and Media Access Control

Security (MACsec).

• Resiliency features—Lawful intercept, Inline J-Flow, dynamic ARP inspection (DAI),

reception of dying-gasp protocol data units (PDU), DHCP snooping for port security,

and nonstop active routing (NSR).

[See Protocols and Applications Supported by MX104 Routers.]

• Support for fabric black-hole detection and recovery in TXMatrix Plusrouters—Starting in Junos OS Release 13.3R7, TX Matrix Plus routers can detect andrecover from fabric faults that are not caused by hardware failure butmight be a result

of a fabric black-hole condition.

To recover from a fabric black-hole condition, the routing matrix uses the following

options:

• SIB reboot

• FPC reboot




http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/wavelength-edit-interfaces.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mx104-features.html

• Destination reprogramming

• Related faults recovery

You can disable the automatic recovery feature by using the auto-recovery-disable

statement at the [edit chassis fabric degraded] hierarchy level. You can configure the

FPCs to go offline when a traffic black-hole condition is detected in the routingmatrix

by using the fpc-offline-on-blackholing statement at the [edit chassis fabric degraded]

hierarchy level.

You can configure the FPCs to restart when a traffic black-hole condition is detected

in the routing matrix by using the fpc-restart statement at the [edit chassis fabric

degraded] hierarchy level.

[See auto-recovery-disable and fpc-offline-on-blackholing.]

• CFP-100GBASE-ZR (MX Series)—In Junos OS Release 13.3R6, 14.1R4, 14.2R3, and15.1R1 and later, the CFP-100GBASE-ZR transceiver provides advanced dual

polarization-quadraturephaseshift keying(DP-QPSK)coherentdigital signalprocessing

(DSP) and forward error correction (FEC)-enabled robust tolerance to optical

impairments and supports 80 km reach over single-mode fiber. The transceiver is not

specifiedaspart of IEEE802.3but is built according to JuniperNetworks specifications.

The following interface modules support the CFP-100GBASE-ZR transceiver:

• 2x100GE + 8x10GEMPC4E (MPC4E-3D-2CGE-8XGE)

• 100-Gigabit Ethernet MIC with CFP (MIC3-3D-1X100GE-CFP)

For more information about the interface modules, see the “Cables and Connectors”

section in theMXSeries Interface Module Reference.

[See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications and Supported

Network Interface Standards by Transceiver for ACX, M, MX, and T Series Routers.]

• Maximum generation rate for ICMP and ICMPv6messages is configurable (MXSeries)—Starting in Junos OS Release 13.3R5, you can configure the maximum rate at

which ICMP and ICMPv6messages that are not ttl-expired are generated by using the

icmp rate limit and icmp6 rate limit configuration statements at the [edit chassis]

hierarchy level.

• VLAN demux support added toMS-DPC (MX Series)—Starting in Junos OS Release13.3R7, the MS-DPC supports VLAN demux interfaces.



http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/autorecovery-disable-edit-chassis-fabric-degraded.html

http://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/fpc-offline-on-blackholing-edit-chassis-fabric-degraded.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/mx-series/mx-module-index.html


http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/transceiver-m-mx-t-series-standards-by-model.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/transceiver-m-mx-t-series-standards-by-model.html

IPv6

• New forwarding-class-accountingstatement(MXSeries)—Starting in JunosOSRelease13.3R3, new forwardingclassaccounting statistics canbeenabledat the [edit interfaces

interface-name] and [edit interfaces interface-nameunit interface-unit-number] hierarchy

levels. These statistics replace the need to use firewall filters for gathering accounting

statistics. Statistics can be gathered in ingress, egress, or both directions. Statistics

are displayed for IPv4, IPv6, MPLS, Layer 2, and Other families.

NOTE: If you implement this feature inRelease 13.3R3,contact JTACbeforeupgrading to Release 14.1R1 or later.

Layer 2 Features

• Computation of the Layer 2 overhead attribute in interface statistics (TSeries)—Starting in Junos OS Release 13.3, on T Series routers, you can configure anattribute at the PIC level to include the Layer 2 overhead (header and trailer bytes) in

the physical interface and logical interface statistics for both ingress and egress

directions. Both the transit and total statistical information includes the Layer 2

overhead in theoutputof theshowinterfaces interface-namecommandforeachphysical

or logical interface on that PIC.

The ifInOctets and ifOutOctets MIB objects display statistics that include Layer 2

overhead bytes.

MPLS

• Multisegment pseudowire for FEC 129 (M Series, MX Series, and T Series)—JunosOS Release 13.3 and later releases provide support for establishing a dynamic

multisegmentpseudowire (MS-PW)withFEC129 inanMPLSpacket-switchednetwork

(PSN). The stitching provider edge (S-PE) devices in anMS-PWare automatically and

dynamically discovered by BGP, and the pseudowire is signaled by LDP using FEC 129.

This arrangement requires minimum provisioning on the S-PEs, thereby reducing the

configuration burden that is associatedwith statically configured Layer 2 circuits while

still using LDP as the underlying signaling protocol.

TheMS-PW feature also provides operation, administration, andmanagement (OAM)

capabilities, such as ping, traceroute, and Bidirectional Forwarding Detection (BFD),

from the terminating PE (T-PE) devices of an MS-PW.

[See Example: Configuring a Multisegment Pseudowire.]

• Control word for BGP VPLS (M320 andMX Series)—For hash calculation, transitrouters must determine the payload. While parsing an MPLS encapsulated packet for

hashing, a transit router can incorrectly calculate an Ethernet payload as an IPv4 or

IPv6 payload if the first nibble of the DAMAC is 0x4 or 0x6, respectively. This false

positive can cause out-of-order packet delivery over a pseudowire. Starting in Junos

OS Release 13.3R3, this issue can be avoided by configuring a BGP VPLS PE router to



http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/example-configuring-multisegment-pseudowire.html

request that other BGP VPLS PE routers insert a control word between the label stack

and the MPLS payload.

Multicast

• IGMP and PIM snooping support (MPC3E andMPC4E onMX240, MX480, andMX960)—Starting with Junos OS Release 13.3, IGMP snooping and PIM snooping are

supported on the MX240, MX480, and MX960 and with Modular Port Concentrators

(MPC) MPC3E and MPC4E.


• System logmessages to indicate checksum errors on the DDR3 interface—Startingin Junos OS Release 13.3R9, two new system logmessages,

XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MINOR and

XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MAJOR, are added to indicate

memory-related problems on the interfaces to the double data rate type 3 (DDR3)

memory. These error messages indicate that an FPC has detected a checksum error,

which is causing packet drops.

The following error threshold values classify the error as amajor error or a minor error:

• Minor error— 6-254 errors per second

• Major error—255 andmore errors per second

• Configuring SNMP tomatch jnxNatObjects values for MS-DPC andMS-MIC (MXSeries)—Starting in Junos OS Release 13.3R7, you can configure thesnmp-value-match-msmic statement at the [edit services service-set service-set-name

nat-options] hierarchy level.

In networks where both MS-DPC and MS-MIC are deployed, you can configure this

statement to ensure that the values for MS-MIC-specific objects in the jnxNatObjects

MIB table match the values for MS-DPC objects. By default, this feature is disabled.

You can use the deactivate services service-set service-set-name nat-options

snmp-value-match-msmic configuration mode command to disable this feature.

• BFD session enhancements (MX Series routers with MPCs or MICs)—Starting inJunosOSRelease 13.3, the followingBFDsessionenhancementshavebeen introduced:

• enhanced-ip option—For BFD over aggregated Ethernet (ae) interfaces, configuringtheenhanced-ipoptionat the [editchassisnetwork-services]hierarchy level increases

the number of BFD sessions. When you activate or deactivate this option, the router

must be rebooted.

• Inlinemode—This enables the router to transmit and receive BFD packets from the

FPChardware. Currently, for BFDover aggregated Ethernet (ae) interfaces, the inline

mode is supported only on MX Series routers with MPCs/MICs that have configured

theenhanced-ipoption. ForBFDoverGigabit Ethernet interfacesandVLAN interfaces,

the inlinemode is supportedbydefault onall theMXSeries routerswithMPCs/MICs.

• Unified ISSU timer negotiation—During unified ISSU, the timer for BFD sessions isincreased from the configured value to 60 seconds.



• Support for BFD over child links of AE or LAG bundle (cross-functional PacketForwarding Engine/kernel/rpd) (M Series, MX Series, and T Series)—Beginning inJunos OS Release 13.3, BFD over child links of an AE or LAG bundle is supported. This

feature provides a Layer 3 BFD liveness detection mechanism for child links of the

Ethernet LAG interface. You can enable BFD to run on individual member links of the

LAG tomonitor the Layer 3 or Layer 2 forwarding capabilities of individual member

links. Thesemicro BFD sessions are independent of each other despite having a single

client that manages the LAG interface. To enable failure detection for aggregated

Ethernet interfaces, include thebfd-liveness-detection statementat the [edit interfaces

aex aggregated-ether-options bfd-liveness-detection] hierarchy level.

[See Understanding Independent Micro BFD Sessions for LAG.]

• Support for the interface-setSNMP index(MXSeries)—StartingwithRelease 13.3R5,Junos OS supports the interface-set SNMP index that provides information about

interface-set queue statistics. The following interface-set SNMP index MIBs are

introduced in the Juniper Networks enterprise-specific Class-of-Service MIB:

• jnxCosIfTable in jnxCosMIB

• jnxCosIfsetQstatTable in jnxCosMIB

[See jnxCosIfTable and jnxCosIfsetQstatTable.]

OpenFlow

• Support for OpenFlow v1.0 (MX80, MX240, MX480, andMX960)—Starting withJunos OS Release 13.3, the MX80, MX240, MX480, and MX960 routers support

OpenFlow v1.0. OpenFlow enables you to control traffic in an existing network using

a remote controller by adding, deleting, andmodifying flows on a switch. You can

configure oneOpenFlow virtual switch and one activeOpenFlow controller at the [edit

protocols openflow] hierarchy level on each device running Junos OS that supports

OpenFlow. On MX Series routers that support OpenFlow, you can also direct traffic

fromOpenFlow networks over MPLS networks by using logical tunnel interfaces and

MPLS LSP tunnel cross-connects.

[SeeOpenFlow Feature Guide.]


• VirtualRouteReflector(VRR)—Starting in JunosOSRelease 13.3R3, youcan implementroute reflector capabilityusingageneralpurposevirtualmachineona64-bit Intel-based

blade server or appliance. Benefits of the VRR are:

• Improved scalability (depending on the server core hardware use)

• Scalability of the BGP network with lower cost using VRR at multiple locations in

the network



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/bfd-for-lag-overview.html

http://contentapps.juniper.net/mib-explorer/search.jsp#object=jnxCosIfTable&product=Junos+OS&release=13.3R6

http://contentapps.juniper.net/mib-explorer/search.jsp#object=jnxCosIfsetQstatTable&product=Junos+OS&release=13.3R6

http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/junos-sdn/junos-sdn-openflow.html

• Fast andmore flexible deployment using Intel servers rather than router hardware

• Space savings through elimination of router hardware

Port Security

• Static ARPwithmulticast MAC address for an IRB interface—Starting in Junos OSRelease 13.3, you can configure a static ARP entry with a multicast MAC address for

an IRB interface that acts as the gateway to the network load balancing (NLB) servers.

Earlier, the NLB servers dropped packets with a unicast IP address and amulticast

MAC address. Junos OS Release 13.3 supports the configuration of a static ARP with

amulticast MAC address.

To configure a static ARP entry with a multicast MAC address for an IRB interface,

configure the ARP entry at the [edit interfaces irb unit logical-unit-number family inet

address address] hierarchy level.

irb {unit logical-unit-number{family inet {address address{arp addressmulticast-macmac-add;

}}

}}

Routing Policy and Firewall Filters

• Using a firewall filter to prevent or allow datagram fragmentation (MXSeries)—Starting in Junos OS Release 13.3, you can define a firewall filter term to

prevent or allow datagram fragmentation by setting or clearing the Don’t Fragment

flag in the IPv4 header of packets that are matched by the filter. Specify the desired

action at the [edit firewall family inet filter filter-name term term-name then action]

hierarchy level.

• To prevent fragmentation of the IP datagram, include the dont-fragment set action

in a term to set the dont-fragment bit to one.

• To allow fragmentation of the IP datagram, include the dont-fragment clear action

in a term to clear the dont-fragment bit to zero.

[See Configuring a Firewall Filter to Prevent or Allow IPv4 Packet Fragmentation and

Firewall Filter Nonterminating Actions.]

• Newfirewall filtergre-keyfieldmatchcondition—Starting in JunosOSRelease 13.3R3,there is a new gre-key match condition at the [edit firewall family inet filter filter-name

term term-name from] hierarchy level. The gre-key match condition allows a user to

match against the gre key field which is an optional field in gre encapsulated packets.

The key can bematched as a single key value and or a range of key values.

• Support for consistent load balancing for ECMP groups (MX Series routers withMPCs)—Starting in Junos OS Release 13.3R3, onMX Series 3D Universal Edge Routerswithmodular port concentrators (MPCs) only, you can prevent the reordering of flows



http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/firewall-filter-dont-fragment-set-clear.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/general/firewall-filter-actions-nonterminating.html

to active paths in an ECMP group when one or more paths fail. Only flows that are

inactive are redirected. This feature applies only to Layer 3 adjacencies learned through

external BGP connections. It overrides the default behavior of disrupting all existing,

includingactive, TCPconnectionswhenanactivepath fails. Include the consistent-hash

statement at the [edit policy-options policy-statement policy-statement-name then

load-balance] hierarchy level. Youmust also configure a global per-packet

load-balancing policy.

[See Actions in Routing Policy Terms. ]

• New fast-lookup-filterstatementonMX240,MX480,MX960,MX2010,andMX2020routerswithMPC5E,MPC5EQ, andMPC6EMPCs and compatibleMICs—Starting inJunos OS Release 13.3R3, the fast-lookup-filter option is available at the [edit firewall

family (inet | inet6) filter filter-name] hierarchy level. This allows for hardware assist

from compatible MPCs in the firewall filter lookup. There are 4096 hardware filters

available for thispurpose, eachofwhichcansupport up to255 terms.Within the firewall

filters and their terms, ranges, prefix lists, and the except keyword are all supported.Only the inet and inet6 protocol families are supported.

• Newaction settings for firewall filter termwhen next-interface is down—In previousversions of JunosOS, if the then clause of a firewall filter termwas set to next-interface

and that next interface went down, traffic was lost because the default action is to

drop the packet.

Starting in Junos OS Release 13.3R3, the actions accept and next term are available at

the [edit firewall family inet filter filter-name term term-name then next-interface

interface-name] hierarchy level. There is no new configuration option available if the

firewall filter term action is set to next-ip, meaning that if the next-ip is down, traffic is

still dropped.

The action configured at this level only becomes active if the next-interface is down

and the ARP on the interface is cleared. If not configured, the default action is to drop

the packet.

Routing Protocols

• Support forBMPversion3—Starting in JunosOSRelease 13.3, BGPmonitoringprotocol(BMP)version3 is supported.BMPallowsa remotedevice (theBMPstation) tomonitor

BGP as it is running on a router or group of routers. BMP version 3 includes substantial

additional functionality versusversion 1. TheBMPversion3configuration is incompatible

with the old version. If you are running BMP version 1 on your Juniper Networks devices,

be sure to update your BMP configurationwhen you upgrade to JunosOSRelease 13.3.

[See Configuring BGPMonitoring Protocol Version 3.]

• Support for consistent load balancing for ECMP groups (MX Series routers withMPCs)—Effective in JunosOSRelease 13.3R3, onMXSeries 3DUniversal EdgeRouterswithmodular port concentrators (MPCs) only, you can prevent the reordering of flows

to active paths in an ECMP group when one or more paths fail. Only flows that are

inactive are redirected. This feature applies only to Layer 3 adjacencies learned through

external BGP connections. It overrides the default behavior of disrupting all existing,

includingactive, TCPconnectionswhenanactivepath fails. Include the consistent-hash

statement at the [edit policy-options policy-statement policy-statement-name then



http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/policy-configuring-actions-in-routing-policy-terms.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/bgp-monitoring-protocol-v3.html

load-balance] hierarchy level. Youmust also configure a global per-packet

load-balancing policy.

[See Actions in Routing Policy Terms. ]

• Recursive DNS server ICMPv6 router advertisement option support (M Series, MXSeries, and T Series)—Beginning with Junos OS Release 13.3R4, you can configure amaximum of three recursive DNS server addresses and their respective lifetimes via

static configuration at interface level for IPv6 hosts. Previously, rpd supported only

link-local address information, prefix information, and the link MTU. The router

advertisement-based DNS configuration is useful in networks where an IPv6 host’s

address is auto-configured through an IPv6 stateless address and where there is no

DHCPv6 infrastructure available.

Toconfigure the recursiveDNSserveraddress, include thedns-server-addressstatement

at the [edit protocols router-advertisement interface interface-name] hierarchy level.

[See Example: Configuring Recursive DNS Address.]

Services Applications

• EnablingLayer2ProtocolTunneling(L2PT)support forVLANSpanningTreeProtocol(VSTP) and per-VSTP (MX Series routers with MPC/MICs)—Starting in Junos OSRelease 13.3, this feature enables L2PT support for VSTP/PVSTP.

[See layer2-control.]

You can also enable rewriting of the MAC address for an interface using the

enable-all-ifl option.

[Seemac-rewrite.]

• Chainedcompositenexthops(MXSeriesandTSeries)—Starting in JunosOSRelease13.3, the support of chained composite next hops for directly connected provider edge

(PE) routers varies fromoneplatform toanother.OnMXSeries routers containingboth

DPC and MPC FPCs, chained composite next hops are disabled by default. To enable

chained composite next hops on the MX240, MX480, and MX960, the chassis must

be configured to use the enhanced-ip option in network services mode. On T4000

routers containingMPCandFPCs, chainedcompositenexthopsaredisabledbydefault.

To enable chained composite next hops on a T4000 router, the chassis must be

configured to use the enhanced-mode option in network services mode.

• Data plane inline support added for 6rd and 6to4 tunnels connecting IPv6 clientsto IPv4 networks onMX Series routers with MPC line cards—Starting with Release13.3R3, Junos OS supports inline 6rd and 6to4 on Modular Port Concentrator (MPC)

line cards with Trio chipsets, saving customers the cost of using MS-DPCs for the

required tunneling, encapsulation, and decapsulation processes. Anycast is supported

for 6to4 (next-hop service interfaces only). Hairpinning is also supported for traffic

between 6rd domains.

There are no CLI changes for 6rd and 6to4 configurations. To implement the inline

functionality, configure service interfaces on theMPC card as inline services interfaces

(si-) rather than as MultiServices (ms-) interfaces.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/policy-configuring-actions-in-routing-policy-terms.html

http://www.juniper.net/techpubs/en_US/junos14.1/topics/topic-map/recursive-dns-server.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/layer2-control-edit-protocols.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/mac-rewrite-edit-protocols-layer2-control.html

Two new operational commands have been added: show services inline softwire

statistics and clear services inline softwire statistics.

• IPsec invalid SPI notification (MXSeries and T Series)—Starting in Junos OS release13.3R4, you can enable automatic recovery when peers in a security association (SA)

become unsynchronized. When peers become unsynchronized, this can cause the

transmission of packets with invalid security parameter index (SPI) values and the

dropping of those packets by the receiving peer. You can enable automatic recovery

by using the new respond-bad-spi max-responses configuration statement, which

appears under the hierarchy level [edit services ipsec-vpn ike policy]. This statement

results in a resynchronization of the SAs.

The max-responses value has a default of 5 and a range of 1 through 30.

• Support forRPMprobeswith IPv6sourcesanddestinations (MXSeries routerswithMPCs)—Starting with Junos OS Release 13.3R5, the RPM client router (the router or

switch that originates the RPM probes) can send probe packets to the RPM probe

server (the device that receives the RPM probes) that contains an IPv6 address. To

specify thedestination IPv6address used for theprobes, include the target (url ipv6-url

| address ipv6-address) statement at the [edit services rpmprobeowner test test-name]

hierarchy level. You canalsodefine theRPMclient or the source that sentsRPMprobes

to containan IPv6address. To specify the IPv6protocol-related settingsand the source

IPv6addressof theclient fromwhich theRPMprobesaresent, include the inet6-options

source-address ipv6-address statement at the [edit services rpm probe owner test

test-name] hierarchy level.


• Support for autoinstallation of satellite devices in a JNU group—In a Junos NodeUnifier (JNU) topology that contains anMX Series router as a controller that manages

satellite devices, such as EX Series Ethernet Switches, QFX Series devices, and ACX

Series Universal Access Routers, the autoinstallation functionality is supported for the

satellite devices. Starting in Junos OS Release 13.3, JNU has an autoinstallation

mechanism that enables a satellite device to configure itself out-of-the-box with no

manual intervention, using the configuration available either on the network or locally

through a removable media, or using a combination of both. This autoinstallation

method is also called the zero-touch facility.

A JNU factory default file, jnu-factory.conf, is present in the /etc/config/ directory and

contains the configuration to perform autoinstallation on satellite devices. The

zero-touch configuration can be disabled by including the delete-after-commit

statement at the [edit system autoinstallation] hierarchy level and committing the

configuration.

[See Autoinstallation of Satellite Devices in a Junos Node Unifier Group and Configuring

Autoinstallation on JNU Satellite Devices.]

• Validate system software against running configuration on remote host—Beginningwith Junos OS Release 13.3R8, you can use the on (host host <username username> |

routing-engine routing-engine) option with the request system software validate

package-name command to verify candidate system software against the running

configuration on the specified remote host or Routing Engine.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/autoinstallation-jnu-satellites-overviw.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/autoinstallation-jnu-satellites-configuring.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/autoinstallation-jnu-satellites-configuring.html

• Validate system software add against running configuration on remote host orrouting engine—Beginning with Junos OS Release 13.3R8, you can use thevalidate-on-host hostname and validate-on-routing-engine routing-engine optionswith

the requestsystemsoftwareaddpackage-namecommandtoverifyacandidatesoftware

bundle against the running configuration on the specified remote host or Routing

Engine.

Subscriber Management and Services (MX Series)

• Pseudowire subscriber logical interfacesMPCsupport—Starting in JunosOSRelease13.3, pseudowire subscriber logical interfaces are supported on MPCs with Ethernet

MICs only.

• Service packet counting (MX Series)—Starting in Junos OS Release 13.3, you canconfigure the counters that subscriber management uses when capturing volume

statistics for subscribers on a per-service session basis.

• Inline countersare capturedwhen theeventoccurs, anddonot includeanyadditional

packet processing events that occur after the event.

• Deferred counters are not incremented until the packet is queued for transmission,

and therefore include theentirepacketprocessing.Deferredcountersprovideamore

accurate packet count than inline counters, and are more useful for subscriber

accounting and billing.

NOTE: Fast update filters do not support deferred counters.

[See Configuring Service Packet Counting.]

• RADIUS logical line identifier (MX Series)—Starting in Junos OS Release 13.3, serviceproviders can use a virtual port feature, known as the logical line ID (LLID), tomaintain

a reliable and up-to-date customer database for those subscribers whomove from

one physical line to another. The LLID, which is based on the subscriber's user name

and circuit ID, is mapped to the subscriber's physical line. When the subscriber moves

to a different physical line, the service provider database is updated to map the LLID

to the new physical line. Subscriber management supports the LLID feature for PPP

subscribers over PPPoE, PPPoA, and LAC.

[See RADIUS Logical Line Identifier (LLID) Overview.]

• Configurable timers for DHCPv6 address-assignment pools (MX Series)—Startingin Junos OS Release 13.3, subscriber management on MX Series routers supports

configurable timers for address-assignment pools that are used by a DHCPv6 local

server. In addition to the previously supportedmaximum-lease-time timer, you can

configure the valid-lifetime and preferred-lifetime timers to manage address leases

provided by address-assignment pools. You can also configure the renew (T1) and

rebind(T2) times thatsubscribermanagementuses toextendthe lifetimesofaddresses

obtained from an address-assignment pool.

[See DHCPv6 Lease Timers.]



http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/firewall-filter-service-accounting.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/subscriber-management-llid-overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/dhcpv6-lease-timers.html

• DHCP statements and options (MX Series)—Starting in Junos OS Release 13.3, youcan use the following statements and options for DHCP subscriber management

support:

• delay-authentication—New statement that conserves managed resources on the

router by delaying subscriber authentication until the DHCP request processing

phase.

• duplicate-clients-in-subnet—New statement that configures how the router

distinguishes between duplicate clients in the same subnet. This replaces the

duplicate-clients-on-interface statement, which is now obsolete.

• incoming-interface—Newoption thatprovides secondary identificationmatchcriteria

for the DHCP auto logout feature when there are duplicate clients.

• option hex-string—New option that enables the use of the hex-string option type for

user-defined DHCP attribute options that are added to client packets.

• server-response-time—New statement that configures the timeframe during which

the router monitors DHCP server responsiveness. The router generates a system log

message when the DHCP server does not respond to relayed packets during the

specified time.

[See client-discover-match, delay-authentication, server-response-time, option, and

duplicate-clients-in-subnet.]

• Support for agent circuit identifier filtering in PPPoE subscriber session lockout(M120, M320, andMX Series)—Starting in Junos OS Release 13.3, extend PPPoEsubscriber session lockout has been extended to support identification and filtering of

PPPoEsubscriber sessionsbyeither theagent circuit identifier (ACI) valueor theunique

MAC source address on static or dynamic VLAN and static or dynamic VLAN demux

underlying interfaces. In earlier Junos OS releases, PPPoE subscriber session lockout

identified and filtered subscriber sessions only by their unique MAC source address.

ACI-based or MAC-based PPPoE subscriber session lockout prevents a failed or

short-lived PPPoE subscriber session from reconnecting to the router for a default or

configurable time period. ACI-based PPPoE subscriber session lockout is useful for

configurations such as PPPoE interworking in which MAC source addresses are not

unique on the PPPoE underlying interface.

ToconfigureACI-basedPPPoEsubscriber session lockout, use theshort-cycle-protection

statement with the filter aci option. To clear an ACI-based lockout condition, issue the

clear pppoe lockout command with the aci option.

[See PPPoE Subscriber Session Lockout Overview.]

• Subscriber management and services feature parity (MX80)—Starting in Junos OSRelease 13.3, the MX80 supports all subscriber management and services features

that are supported by the MX240, MX480, and MX960 routers. Previously, the MX80

router matched feature support for these routers as of Junos OS Release 11.4.

• Subscriber management and services feature and scaling parity (MX2010 andMX2020)—Starting in Junos OS Release 13.3, the MX2010 and the MX2020 supportall subscriber management and services features that are supported by the MX240,



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/client-discover-match-edit-system-services.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/delay-authentication-edit-forwarding-options.html

www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/server-response-time-edit-forwarding-options.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/option-edit-access.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/duplicate-clients-in-subnet-edit-forwarding-options.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/duplicate-clients-in-subnet-edit-forwarding-options.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/subscriber-management-pppoe-lockout.html

MX480, and MX960 routers. In addition, the scaling and performance values for the

MX2010 and the MX2020match those of MX960 routers.

[See Protocols and Applications Supported by MX240, MX480, MX960, MX2010, and

MX2020MPCs,ProtocolsandApplicationsSupportedbyMX240,MX480,MX960,MX2010,

andMX2020 EnhancedMPCs (MPCEs), Protocols and Applications Supported by the

MX240, MX480, MX960, MX2010, andMX2020MPC3E, and Protocols and Applications

Supported by the MX240, MX480, MX960, MX2010, andMX2020MPC4Es.]

• Per-subscriber support for multiple instances of the same service with differentparameters (MX Series routers with MPCs or MICs)—Starting In Junos OS Release13.3, a subscriber can havemultiple instances of the same service, provided that each

service instance has a different set of parameters. In earlier Junos OS releases, each

subscriber was limited to only a single instance of each service.

You can configure a specific service instance for a particular subscriber by specifying

a service name and unique service parameters for that instance. Each service instance

is uniquely identified by the combination of its service name and service parameters.

Use the request network-access aaa subscriber delete command to deactivate all

instances of a subscriber service by specifying only the service name, or to deactivate

a specific instance of a service by specifying both the service nameand its parameters.

In earlier Junos OS releases, you deactivated a service by specifying only its service

name, but not its service parameters.

[See Subscriber Services with Multiple Instances Overview.]

• RADIUS accountingmessages for dual-stack subscribers (MX Series)—Starting inJunos OS Release 13.3, when an IPv6 address is assigned using DHCPv6, the RADIUS

interimaccountingmessage includes theassigned IPv6address. If thedelegatedprefix

is provided to the client using DHCPv6-PD, the RADIUS interim accounting message

includes the delegated prefix (IA_PD, such as /56). The

address-change-immediate-updatestatement isnoweffective foranyaddressallocation

changeafteranAcct-Startmessage is issued(for IPv6NCPandDHCPv6).An immediate

Interim-Acctmessage is sentuponanysubsequentDHCPv6negotiationandallocation

whennewallocatedaddressesareadded.After IPv6NCPnegotiation,DHCPv6address

allocation and negotiation occurs.

[See RADIUS Accounting Messages for Dual-Stack Subscribers.]

• Support for IPv6 for TACACS+ authentication (MSeries, MX Series, and T Series)—StartingwithRelease 13.3, JunosOSsupports IPv6alongwith theexisting IPv4 support

for user authentication using TACACS+ servers.

• Configurable L2TP receive window size (MX Series)—Starting in Junos OS Release13.3, the new rx-window-size statement at the [edit services l2tp tunnel] hierarchy level

enables you to specify the size of the receive window in the range 4 through 128 on an

L2TP LAC or LNS. The default value is 4. The ReceiveWindow Size AVP (Attribute

Type 10) is not sent in the SCCRQmessage when the default value is configured on a

LAC or in the SCCRPmessage when configured on an LNS.

[See Setting the L2TP ReceiveWindow Size.]



http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mpc-mx-series-features.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mpc-mx-series-features.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mpce-mx-series-features.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mpce-mx-series-features.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/mpc-mx-series-mpc3e-features.html




http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/subscriber-management-multi-instance-services-oview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/subscriber-management-dual-stack-accounting-messages.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/subscriber-management-l2tp-lac-receive-window-size.html

• Clearing ANCP statistics (MX Series)—Starting in Junos OS Release 13.3, you canclear all ANCPstatisticswith the clearancpstatistics command.Youcanclear statistics

for a particular neighbor identified by the neighbor’s IP address with the clear ancp

statistics ip-address ip-address command. You can clear statistics for a particular

neighbor identified by the neighbor’s IP address with the clear ancp statistics

system-namemac-address command.

[See Clearing and Verifying ANCP Statistics.]

• ANCP agent support for nonzero partition IDs (MX Series)—Starting in Junos OSRelease 13.3, the ANCP agent on the router can form adjacencies with multiple logical

partitions on a neighbor when you enable the agent to learn partition IDs during

adjacency negotiation with the neighbor. If the agent receives a SYNmessage from

the neighbor within a configurable period, the agent learns the partition IDs and can

form adjacencies with the partitions. The agent can form an adjacency only with the

neighbor if the SYN is not receivedwithin the period, the partition ID is zero, or learning

is not enabled.

[See Configuring the ANCP Agent to Learn ANCP Partition IDs.]

• Dynamic protocol version detection for ANCP (MX Series)—Starting in Junos OSRelease 13.3, when an ANCP neighbor opens adjacency negotiations, it indicates the

highest version of ANCP that it supports. ANCP neighborsmust be able to identify the

supported versions because ANCP Version 1, defined in RFC 6320, Protocol for Access

Node Control Mechanism in Broadband Networks, is not interoperable with the earlier

version based on GSMPv3.

During negotiation, the receiving neighbor returns the value sent by the other neighbor

if it supports that version, or drops the message if it does not. You can still configure

the router to operate in pre-ietf mode for interoperability with neighbors that support

only GMSPv2.

[See ANCP Topology Discovery and Traffic Reporting Overview.]

• Support forANCPgeneric responsemessagesandresultcodes(MXSeries)—Startingin Junos OS Release 13.3, the ANCP agent supports receipt of generic response

messages. Upon receipt, the router generates a system log, increments the generic

messagecounters,and increments the resultcodecounters.Generic responsemessages

(GRMs) are typically sent instead of specific responsemessageswhen no information

needs to be sent other than a result of success or failure. When themessage reports

a failure, it must include one of eight result codes to indicate the cause. A GRM can

also be sent independent of a request when the failure causes the adjacency to be

shut down.


• Support for sending and receiving the ANCP Status-Info TLV (MX Series)—Startingin Junos OS Release 13.3, the Status-Info TLV supplements the generic response

message result codes and provides information about a warning or error condition.

Although usually included in generic responsemessages, the TLV can also be included

inotherANCPmessage types.TheStatus-InfoTLVmustbe included ingeneric response

messages when the result code indicates a port is down, a port does not exist, a

mandatory TLV is missing, or a TLV is invalid.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/verification/ancp-subscriber-access-statistics-clearing-verifying.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/ancp-partition-id-learning.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/ancp-overview.html



• DNS address assignment in DHCPv6 IA_NA and IA_PD environments (MXSeries)—Starting in Junos OS Release 12.3R3 and Release 13.3 (but not in Releases13.1 and 13.2), the DHCPv6 local server returns the DNS server address (DHCPv6

attribute 23) as a global DHCPv6 option, rather than as an IA_NA or IA_PD suboption.

DHCPv6 returns theDNSserveraddress that is specified in the IA_PDor IA_NApools—if

both address pools are requested, DHCPv6 returns the address specified in the IA_PD

pool only, and ignores any DNS address in the IA_NA pool.

In releases earlier than 12.3R3, and in Releases 13.1 and 13.2, DHCPv6 returns the DNS

server address as a suboption inside the respective DHCPv6 IA_NA or IA_PD header.

You can use themulti-address-embedded-option-response statement at the [edit

systemservicesdhcp-local-serverdhcpv6overrides]hierarchy level to revert to theprior

behavior. However, returning the DNS server address as a suboption can create

interoperability issues for some CPE equipment that cannot recognize the suboption

information.

[See DHCPv6 Options in a DHCPv6Multiple Address Environment.]

• Support for filtering trace results by subscribers for AAA, L2TP, and PPP (MXSeries)—Starting in Junos OS Release 13.3, you can filter trace results for someprocesses by subscriber. The reduced set of results simplifies troubleshooting in a

scaled environment. Specify the useruser@domain option at the appropriate hierarchy

level:

• AAA (authd)—[edit system processes general-authentication-service traceoptions

filter]

• L2TP (jl2tpd)—[edit services l2tp traceoptions filter]

• PPP (jpppd)—[edit protocols ppp-service traceoptions filter]

You can filter on the user, the domain, or both. You can use a wildcard (*) at the

beginningor endof each term, as in the following examples: [email protected], tom*,

*tom, *ample.com, tom@ex*, tom*@*example.com.

You cannot filter results using a wildcard in the middle of the user or domain, as in the

following examples: tom*[email protected], tom125@ex*.com.

Traces that have insufficient information to determine the subscriber username are

automatically excluded from the results.

• Overriding the preferred source address as the source address of NeighborSolicitation/Neighbor Advertisement (NS/NA) on unnumbered interfaces (MXSeries)—By default, if a preferred source address is configured on an unnumberedinterface, thatpreferredaddress is usedas the sourceaddressofNS/NA. If nopreferred

sourceaddress is configured, the routerusesasuitableaddressbasedon thedestination

address scope. Starting in Junos OS Release 13.3, you can configure the router to

override the default configuration of using the preferred source address for NS/NA.

The router ignores thepreferred sourceaddressandusesanappropriateaddressbased

on the destination address scope.

• DHCPv6 local server and relay agent usernameandoption 37 (MXSeries)—Startingin Junos OS Releases 12.3R7, 13.2R4, and 13.3R2, the router supports the generation of




http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/dhcpv6-dns-server-address.html

an ASCII version of the authentication username. When you configure DHCPv6 local

server or relay agent to concatenate the authentication username with the Agent

Remote-IDoption37, the router usesonly the remote-idportionofoption37and ignores

the enterprise number.

The router no longer supports the enterprise-id and remote-id options for the

relay-agent–remote-id statement.

• Subscribermanagement and services feature and scaling parity (MX104)—Startingin Junos OS Release 13.3R3, the MX104 router supports all subscriber management

and services features that are supported by the MX80 router. In addition, the scaling

and performance values for the MX104 router match those of the MX80 router.

• DHCPrelayagent forclients indifferentVRFthanDHCPserver (MXSeries)—Startingin JunosOSRelease 13.3R3, subscribermanagementprovides enhanced securitywhen

exchanging DHCPmessages between a DHCP server and DHCP clients that reside in

different virtual routing instances (VRFs). The DHCP cross-VRFmessage exchange

uses the DHCP relay agent to ensure that there is no direct routing between the client

VRF and the DHCP server VRF.

To exchange DHCPmessages between the two VRFs, you configure both the server

side and the client side of the DHCP relay to permit traffic based on the Agent Circuit

ID (DHCP option 82 suboption 1) in DHCPv4 packets and the Relay Agent Interface-ID

(DHCPv6 option 18) in DHCPv6 packets.

• Subscriber management and services feature and scaling parity (MX2010 andMX2020)—Starting in Junos OS Release 13.3, the MX2010 and the MX2020 supportall subscriber management and services features that are supported by the MX240,

MX480, and MX960 routers. In addition, the scaling and performance values for the

MX2010 and the MX2020match those of MX960 routers.

• Support for up to 256L2TP tunnel groups (MXSeries)—Starting in JunosOSRelease13.3R7, you can configure and commit up to 256 tunnel groups. In earlier releases, the

CLI prevents you from committing the configuration when you create more than 32

groups.

• Support for PPPoE-Description VSA (MX Series)—Starting in Junos OS Release13.3R8, you can use Juniper Networks VSA 26-24 (PPPoE Description) when using

RADIUS to authenticate subscribers based on the client MAC address.

Juniper Networks VSA 26-24 is supported for Access-Request, Accounting-Start,

Accounting-Stop, and Interim-accounting messages.



VPNs

• Enhancedmulticast VPNs traceoptions statement (M Series, MX Series, and TSeries)—Starting in JunosOSRelease 13.3, themulticastVPNs traceoptions statementhasbeen enhanced. You cannowconfigure this statement at the [edit protocolsmpvn]

hierarchy level. Inaddition, the following traceoption flagshavebeenadded:cmcast-join,

inter-as-ad, intra-as-ad, leaf-ad,mdt-safi-ad, source-active, spmsi-ad, tunnel, and umh.

[See Tracing MBGPMVPN Traffic and Operations.]

• Enhanced egress protection in Layer 3 VPNs (M Series, MX Series, and TSeries)—Starting in Junos OS Release 13.3, enhanced point-of-local-repair (PLR)functionality is available, in which the PLR reroutes service traffic during an egress

failure. As part of this enhancement, the PLR router no longer needs to be directly

connected to the protector router. Previously, if the PLR was not directly connected

to the protector router, the loop-free alternate route did not find the backup path to

the protector. A new configuration statement, advertise-mode, enables you to set the

method for the interior gateway protocol (IGP) to advertise egress protection

availability.

[See Configuring Layer 3 VPN Egress Protection with RSVP and LDP.]

• Control word for BGP VPLS (M320 andMX Series)—For hash calculation, transitrouters must determine the payload. While parsing an MPLS encapsulated packet for

hashing, a transit router can incorrectly calculate an Ethernet payload as an IPv4 or

IPv6 payload if the first nibble of the DAMAC is 0x4 or 0x6, respectively. This false

positive can cause out-of-order packet delivery over a pseudowire. Starting in Junos

OS Release 13.3R3, this issue can be avoided by configuring a BGP VPLS PE router to

request that other BGP VPLS PE routers insert a control word between the label stack

and the MPLS payload.

• Loop prevention in VPLS network due toMACmoves (MX Series)—Starting withJunos OS Release 13.3R3, the base learning interface approach and the statistical

approach can be used to prevent a loop in a VPLS network by disabling the suspect

customer facing interface that is connected to the loop. Some virtual MACs can

genuinely move between different interfaces and you can configure such MACs to

ignore themoves.Thecooloff timeandstatistical approachwait timeareused internally

to find out the looped interface. You can configure the interface recovery time to

auto-enable the interface that gets disabled due to a loop in the network. To configure

these parameters of VPLSMACmoves, include the vpls-mac-move statement at the

[edit protocols l2-learning] hierarchy level. The show vplsmac-move-action instance

instance-name command displays the learning interfaces that are disabled, in a VPLS

instance due to a MACmove. The clear vplsmac-move-action interface ifl-name

command enables an interface disabled due to a MACmove.








http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/troubleshooting/mvpn-traceoptions-configuring.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/l3vpn-service-mirroring-rsvp.html






of JunosOS statements and commands from JunosOSRelease 13.3R10 for theMSeries,

MX Series, and T Series.

• Authentication Authorization and Accounting on page 62



• IPv6 on page 64

• Junos OS XML API and Scripting on page 64

• Management on page 65

• MPLS on page 65





• Security on page 68



• Subscriber Management and Services on page 72




Authentication Authorization and Accounting

• Statement introduced to enforce strict authorization—Starting in Junos OS Release13.3, customers can use the set system tacplus-options strict-authorization statement

to enforce strict authorization to the users. When a user is logging in, Junos OS issues

twoTACACS+ requests—first the authentication request followedby the authorization

request. By default, when the authorization request is rejected by the TACACS+ server,

Junos OS ignores this and allows full access to the user. When the set system

tacplus-options strict-authorization statement is set, Junos OS denies access to the

user even on failure of the authorization request.


• Newredundancy failoverCLI statement(MSeries,MXSeries,TSeries, andTXMatrixPlus)—Starting in Junos OS Release 13.3R6, the chassis redundancy failovernot-on-disk-underperform statement prevents gstatd from causing failovers in the

case of slow disks on the Routing Engine.


Disks.]


• Validation of deactivated inline services MLPPP bundle interfaces—Starting withJunos OS Release 13.3, if you attempt to delete or deactivate a static inline service (si)

MLPPPbundle interface that is still referencedby amember link interface,which could

be PPPoE (pp0) or silogical interfaces, and commit the configuration, the commit

operation fails. Youmust reactivate such MLPPP bundle interface before committing

the settings. Alternatively, youmust ensure that member links do not refer a static

MLPPPbundlebefore youdeleteordeactivate thebundle. Thismethodofdeactivation

and reactivation of an MLPPP bundle is not applicable for interfaces other than si-

interfaces, suchas link services IQ (lsq-) and virtual LSQ redundancy (rlsq-) interfaces.

[See Understanding MLPPP Bundles and Link Fragmentation and Interleaving (LFI) on

Serial Links.]

• Changes to DDoS protection policers for PIM and PIMv6 (MX Series with MPCs,T4000with FPC5)—Starting in Junos OS Release 13.3R2, the default values forbandwidth and burst limits have been reduced for PIM and PIMv6 aggregate policers

to prevent starvation of OSPF and other protocols in the presence of high-rate PIM

activity.

Old ValueNew ValuePolicer Limit

20,0008000Bandwidth (pps)

20,00016,000Burst (pps)






http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/mlppp-link-services-understanding-mx.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/mlppp-link-services-understanding-mx.html

To see thedefault andmodified values for DDoSprotection packet-typepolicers, issue

one of the following commands:

• show ddos-protection protocols parameters brief—Displays all packet-type policers.

• show ddos-protection protocols protocol-group parameters brief—Displays only

packet-type policers with the specified protocol group.

An asterisk (*) indicates that a value has beenmodified from the default.

• Changes to distributed denial of service statement and command syntax—Startingin Junos OS Release 13.3R2, the protocol group and packet type syntax has changed

for the protocols statement at the [edit system ddos-protection] hierarchy level and

for the various show ddos-protection protocols commands.

The filter-v4and filter-v6packet typeshavebeenmoved fromtheunclassifiedprotocol

group to the new filter-action protocol group.

• filter-actionprotocol group—The followingpacket typesareavailable for unclassified

firewall filter action packets, which are sent to the host because of reject terms in

firewall filters:

• aggregate—Aggregate of all unclassified filter action packets.

• filter-v4—Unclassified IPv4 filter action packets.

• filter-v6—Unclassified IPv6 filter action packets.

• other—All other unclassified filter action packets that are not IPv4 or IPv6.

The resolve-v4 and resolve-v6 packet types have been removed from the unclassified

protocol group. They are replaced by the newmcast-v4,mcast-v6, ucast-v4, and

ucast-v6 packet types in the new resolve protocol group.

• resolve protocol group—The following packet types are available for unclassified

resolvepackets,whichare sent to thehostbecauseof a traffic request resolveaction:

• aggregate—Aggregate of all unclassified resolve packets.

• mcast-v4—Unclassified IPv4multicast resolve packets.

• mcast-v6—Unclassified IPv6multicast resolve packets.

• other—All other unclassified resolve packets.

• ucast-v4—Unclassified IPv4 unicast resolve packets.

• ucast-v6—Unclassified IPv6 unicast resolve packets.

• Deleting PTP clock client (MX104)—Starting with Junos OS Release 13.2, on MX104routers, when you toggle from a secure slave to an automatic slave or vice versa in the

configuration of a Precision Timing Protocol (PTP) boundary clock, youmust first

delete the existing PTP clock client or slave clock settings and then commit the

configuration. You can delete the existing PTP clock client or slave clock settings by

using the delete clock-client ip-address local-ip-address local-ip-address statement at

the [edit protocols ptpmaster interface interface-name unicast-mode] hierarchy level.

You can then addnewclock client configuration by using the set clock-client ip-address



local-ip-address local-ip-address statement at the [edit protocols ptpmaster interface

interface-name unicast-mode] hierarchy level and committing the configuration.

However, if you attempt to delete the existing PTP clock client and add the new clock

client before committing the configuration, the PTP slave clock remains in the free-run

state and does not operate in the auto-select state (to select the best clock source).

This behavior is expected when PTP client or slave settings are modified.

• Preventing the filtering of packets by ARP policers (MX Series routers)—Beginningin Junos OS Release 13.3R3, you can configure the router to disable the processing of

the specified ARP policers on the received ARP packets. Disabling ARP policers can

cause denial-of-service (DoS) attacks on the system. Due to this possibility, we

recommend that you exercise caution while disabling ARP policers. To prevent the

processing of ARPpolicers on the arriving ARPpackets, include the disable-arp-policer

statement at the [edit interfaces interface-name unit logical-unit-number family inet

policer] or the [edit logical-systems logical-system-name interfaces interface-name unit

logical-unit-number family inetpolicer]hierarchy level. Youcanconfigure this statement

only for interfaces with inet address families and on MX Series routers with MPCs.

When you disable ARP policers per interface, the packets are continued to be policed

by the distributed DoS (DDoS) ARP policer. Themaximum rate of is 10000 pps per

FPC.

[See Applying Policers.]

IPv6

• Support for interim logging with NAT64—Starting with Junos OS Release 11.4R11,interim-logging is supported with NAT64 onmicrokernel (MS-DPC) platforms. The

configuration statement pba-interim-logging-interval under the [interfaces

services-options] hierarchy level enables the feature for NAT64.

• IPv6 support for SNMP traps (MSeries, MXSeries, and T Series)—In Release 13.3R4and later, Junos OS supports IPv6 source addresses for the SNMP traps.

Junos OS XML API and Scripting

• XML output change for show subscribers summary port command (MXSeries)—Starting in Junos OS Release 13.3R10, the display format has changed for theshow subscribers summary port command tomake parsing the output easier. The

output is now displayed as in the following example:

user@host> show subscribers summary port | display xml<rpc-reply xmlns:junos="http://xml.juniper.net/junos/16.1R2/junos"> <subscribers-summary-information xmlns="http://xml.juniper.net/junos/16.1R2/junos-subscribers"> <counters junos:style="port-summary"> <port-name>ge-1/2/0</port-name> <port-count>1</port-count> </counters> <counters junos:style="port-summary"> <port-name>ge-1/2/1</port-name> <port-count>1</port-count> </counters></rpc-reply>



http://www.juniper.net/techpubs/en_US/junos13.3/topics/usage-guidelines/interfaces-applying-policers.html

In earlier releases, that output is displayed as in the following example:

user@host> show subscribers summary port | display xml<rpc-reply xmlns:junos="http://xml.juniper.net/junos/16.1R2/junos"> <subscribers-summary-information xmlns="http://xml.juniper.net/junos/16.1R2/junos-subscribers"> <counters junos:style="port-summary"> <port-name>ge-1/2/0</port-name> <port-count>1</port-count> <port-name>ge-1/2/1</port-name> <port-count>1</port-count> </counters></rpc-reply>

Management

• Restrictions forcryptoalgorithmsforFIPS inOpenSSH—Starting in JunosOSRelease13.3, the following options are not allowed on systems operating in FIPSmode:

[edit system services ssh]set macs <algorithm>

Not allowed: hmac-md5, hmac-md5-96, [email protected],

[email protected], hmac-ripemd160,

[email protected], [email protected],

[email protected], [email protected], and

[email protected].

[edit system services ssh]set key-exchange <algorithm>

Not allowed: group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1.

[edit system services]set hostkey-algorithm <algorithm | no-algorithm>

Not allowed: ssh-dss and ssh-rsa.

In releases earlier than Junos OS Release 13.3, the options were available but should

have been disallowed.

MPLS

• Enhanced support for GRE interfaces for GMPLS (MX Series)—Starting in Junos OSRelease 12.3R7, 13.1R5, 13.2R5, 13.3R3and later, onGRE interfaces forGeneralizedMPLS

control channels, you can enable the inner IP header’s ToS bits to be copied to the

outer IP packet header. Include the copy-tos-to-outer-ip-header statement at the [edit

interfaces gre unit logical-unit-number] hierarchy level. Previously, the

copy-tos-to-outer-ip-header statement was supported for GRE tunnel interfaces only.

[See copy-tos-to-outer-ip-header.]

• Enhanced transit LSP statistics collection—Starting in Junos OS Release 13.3R4,RSVP no longer periodically polls for transit LSP statistics. This change does not affect

the showmpls lsp statistics command or automatic bandwidth operations for ingress

LSPs. To enable the polling and display of transit LSP statistics, include the

transit-statistics-polling statement at the [edit protocolsmpls statistics] hierarchy



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/copy-tos-to-outer-ip-header-edit-interfaces-sv.html

level. You cannot enable transit LSP statistics collection if MPLS statistics collection

is disabledwith theno-transit-statistics statementat the [editprotocolsmplsstatistics]

hierarchy level.

• Changes toMPLS protection options—In Junos OS releases earlier than Release 13.3,you can configure both fast reroute and node and link protection on the same LSP.

Beginning in Junos OS Release 13.3, you can still configure both fast reroute and node

and link protection on the same LSP; however, when you attempt to commit a

configuration where both features are enabled, a syslog warning message states: The

ability to configure both fast-reroute and link/node-link protection on the same LSP is

deprecated andwill be removed in a future release.

Multicast

• PIM snooping support using relaymode (M Series andMX Series)—Starting withJunos OS Release 13.3, PIM snooping on PE routers is supported using relay mode

insteadofproxymode.This enablesCE routerswithPIMsnooping to sendHellopackets

without setting the tracking bit (T-bit) to the PE routers. In relay mode, you need not

configurevalues for the join-prune-timeoutstatementandsave theFiniteStateMachine.

To check the status of relay mode on the CLI, use the show pim snooping neighbors

command or the show pim snooping interfaces command.

• Traffic arriving via IRBwhen configured in enhanced ip-mode—Beginningwith JunosOS Release 13.3, when configured in enhanced-ip mode, traffic arriving over IRB

(multic-ast source connected over Layer 3) is not forwarded to remote PEs in VPLS

when igmp-snooping is configured along with the use-p2mp-lsp statement.


• Support of new system log by SNMP for notifying target addition (M Series, MXSeries, and T Series)—Beginning with Junos OS Release 13.3, when a new trap target

configuration is added to the agent, SNMP raises a new system log

SNMPD_TRAP_TARGET_ADD_NOTICE. The user can configure an event policy for this

system log event to raise a notification of the new trap target addition. This trap is sent

to all the configured trap targets including the new target.

• Error in IfMtuMIB value for IPv6 logical interface (MX Series)—Starting in Junos OSRelease 13.3, the output of the snmpwalk command for the IfMtuMIB object displays

the original value or the default value, 1500, as configured for the IPv6 logical interface.

In previous releases, the output displayed an incorrect value for the IfMtuMIB object.

[See Retrieving Virtual Private Network Information Using SNMP.]

• New system logmessage indicating the difference in the Packet Forwarding Enginecounter value (M Series, MX Series, and T Series)—Effective in Junos OS Release13.3R4, if the counter value of a Packet Forwarding Engine is reported lesser than its

previous value, then the residual counter value is added to the newly reported value

only for that specific counter. In that case, the CLI shows the

MIB2D_COUNTER_DECREASING system logmessage for that specific counter.



http://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/topic-collections/nce/snmp-vpn-retrieving/snmp_vpn_retrieving.pdf#search=%22ifmtu%22

[SeeMIB2D_COUNTER_DECREASING.]

• Enhancement for SONET interval counter (M Series, MX Series, and TSeries)—Starting with Junos OS Release 13.3R7, only the Current Day Interval Totaloutput field in the show interfaces interval command for SONET interfaces is reset

after 24 hours. In addition, the Previous Day Interval Total output field displays the last

updated time in hh:mm.

[See show interfaces interval.]


• Newfirewall filtermatchconditionsupportedonMPClinecards(MXSeries)—StartinginRelease 13.3R2, JunosOSsupports the gre-key firewall filtermatch condition onMPC

line cards on MX Series 3D Universal Edge Routers. To configure the gre-key firewall

filter match condition, include the gre-key statement at the [edit firewall family inet

filter filter term term from] hierarchy level.

Routing Protocols

• Hidden clear commands—Starting in Junos OS Release 13.3, the purge option of theclear ospf database and clear ospf3 database commands is hidden and unsupported.

• BGP attribute flag bits—In Junos OS Release 13.2 and earlier, unused attribute flagbits were propagated unchanged. Starting in JunosOSRelease 13.3, BGP attribute flag

bits are reset to zerobydefault andnotpropagated. This behavior is being standardized,

as specified in Internet draft draft-hares-idr-update-attrib-low-bits-fix-01, Update

Attribute Flag Low Bits Clarification.

• Change inconfiguringkeepnoneandkeepallstatements—Starting in JunosOSRelease13.3, configuring keep none or keep all no longer causes all BGP sessions to restart. For

peers that do not support route refresh, when you configure keep none or keep all, the

associated BGP sessions are restarted (flapped). For peers that do support route

refresh, the local speaker sends a route refresh and performs an import evaluation. For

these peers, the sessions do not restart when you configure keep none or keep all. To

determine if a peer supports refresh, check for Peer supports Refresh capability in the

output of the showbgpneighbor command. In previous releases, configuring keepnone

or keep all caused all BGP sessions to restart.

• Modification to the default BGP extended community value—Starting in Junos OS13.3, Junos OSmodifies the default BGP extended community value used for MVPN

IPv4 VRF route import (RT-import) to the IANA-standardized value. The

mvpn-iana-rt-import statement is the default. Themvpn-iana-rt-import statement has

been deprecated; we recommend that you remove it from configurations.

• BGP hides a route receivedwith a label block size greater than 256 (M Series, MXSeries, andTSeries)—WhenaBGPpeer (running JunosOS) sends a routewith a label

block size greater than 256, the local speaker hides the route anddoes not re-advertise

this route. The output of the show route detail/extensive hidden/all command displays

the hidden route and states the reasonas label block sizeexceedsmaxsupportedvalue.



http://contentapps.juniper.net/syslog-explorer/#message=MIB2D_COUNTER_DECREASING&product=Junos+OS&release=13.3

http://www.juniper.net/documentation/en_US/junos13.3/topics/reference/command-summary/show-interfaces-interval.html

In earlier Junos OS releases, when a peer sent a route with a label block size greater

than 256, the routing protocol process (rpd) terminated abnormally.

• Configure and establish targeted sessions with third-party controllers using LDPtargeted neighbor (MSeries andMXSeries)—Startingwith JunosOSRelease 13.3R6,you can configure LDP targeted neighbor to third-party controllers for applications

such as route recorder that wants to learn label-FEC bindings of an LSR. LDP targeted

neighbor helps to establish a targeted session with controllers for a variety of

applications.

Security

• Packet typesaddedforDDoSprotectionL2TPpolicers(MXSerieswithMPCs,T4000withFPC5)—The followingeightpacket typeshavebeenadded to theDDoSprotectionL2TP protocol group to provide flexibility in controlling L2TP packets:

scccncdn

sccrqhello

stopccniccn

unclassifiedicrq

Previously, no individual packet types were available for this protocol group and all

L2TPpacketswerepoliced the samebasedon theaggregatepolicer value. Thedefault

values for the bandwidth and burst policers for all packet types is 20,000 pps. The

default recover-time is 300 seconds for each of the L2TP packet types.


• Restriction forRPMprobetestdata-size—In JunosOSRelease 13.2andearlier releases,the data-size statement at the [edit services rpmprobeowner test test-name] hierarchy

level did not enforce any additional restrictions when the hardware-timestampwas

included. Starting in Junos OS Release 13.3, the data-size value must be at least 100

bytes smaller than the default MTU of the interface of the RPM client interface when

the hardware-timestamp statement is used.

[edit services rpm probe owner test test-name]hardware-time-stamp;data-size size;

• New ranges for TWAMP server connections—In Junos OS Release 13.2 and earlierreleases, themaximum-connections statement at the [edit services rpmtwampserver]

hierarchy level had a range of 1 through 2048. Starting in Junos OS Release 13.3, the

maximum-connections statement has a range of 1 through 1000. In Junos OS Release

13.2 and earlier releases, themaximum-connections-per-client statement at the [edit

services rpm twamp server] hierarchy level had a range of 1 through 1024. Starting in

Junos OS Release 13.3, the maximum-connections-per-client statement has a range

of 1 through 500.



• New range for data-size statement—In Junos OS Release 13.2 and earlier releases,the data-size statement at the [edit services rpmprobeowner test test-name] hierarchy

level had a range of 0 through65507. Starting in JunosOSRelease 13.3R1, thedata-size

statement has a range of 0 through 65400.

• Restriction for NAT ruleswith translation type stateful-nat-64—In JunosOSRelease13.2 and earlier releases, the following restriction was not enforced by the CLI: if the

translation-type statement in the then statement of a NAT rule was set to

stateful-nat-64, the range specified by the destination-address-range or thedestination-prefix-list in the from statement needed to be within the range specified

by thedestination-prefix statement in the then statement. Starting in JunosOSRelease

13.3, this restriction is enforced.

[edit services nat]rule rule-name {term term-name {from {destination-address-range lowminimum-value highmaximum-value <except>;destination-prefix-list list-name <except>;

}then {destination-prefix destination-prefix;

}}

}

• Change in runningRPMtraceoptions—Starting in JunosOSRelease 13.2, runningRPMtraceoptions is performed from the [edit services rpm] hierarchy. In releases earlier

than Junos OS Release 13.2, running RPM traceoptions was performed at the [edit

snmp] hierarchy level.

The RPM traceoptions are configured as follows:

[edit services rpm]traceoptions {file filename <files number> <match regular-expression > <sizemaximum-file-size><world-readable | no-world-readable>;

flag flag;}

This issue was being tracked by PR857470.

• Restrictions for maximumblock size for NAT port block allocation—Beginning withJunos OS Release 13.3, the maximum blocksize for NAT port block allocation (PBA) is

32,000.

• Support for display of NAT type for EIF flows (MX Series routers with MS-MICs andMS-MPCs)—Starting with Junos OS Release 13.3R4, the output of the show services

sessionsextensive command, theTranslationType fielddisplays the valueasNAPT-44

for Endpoint Independent Filtering (EIF) flows. Also, the label, EIF, is displayed beside

the translation type parameter to enable easy identification of EIF flows.

• Support for passive-mode tunneling (MX Series routers with MS-MICs andMS-MPCs)—Starting with Junos OS Release 13.3R4, passive mode tunneling issupported on MS-MICs and MS-MPCs. You can include the passive-mode-tunneling



statementat the [editservicesservice-setservice-set-name ipsec-vpn-options]hierarchy

level to enable the service set to tunnel malformed packets.

NOTE: The header-integrity-check option that is supported onMS-MICs

andMS-MPCs to verify the packet header for anomalies in IP, TCP, UDP,and ICMPinformationandflagsuchanomaliesanderrorshasafunctionalitythat is opposite to the functionality caused by passivemode tunneling. Ifyou configure both the header-integrity-check statement and the

passive-modetunnelingstatementonMS-MICsandMS-MPCs,andattempt

to commit such a configuration, an error is displayed during commit.

The passivemode tunneling functionality (by including thepassive-mode-tunneling statement at the [edit services service-set

service-set-name ipsec-vpn-options] hierarchy level) is a superset of the

capability to disable IPsec tunnel endpoint in the traceroute output (byincluding no-ipsec-tunnel-in-traceroute statement at the [edit services

ipsec-vpn] hierarchy level). Passivemode tunneling also bypasses the

active IP checks and tunnel MTU check in addition to not treating an IPsectunnel as a next-hop as configured by the no-ipsec-tunnel-in-traceroute

statement.

• Interoperation of ingress sampling and PIC-based flowmonitoring (MXSeries)—Starting in Junos OS Release 13.3R6, If PIC-based flowmonitoring is enabled

onanms- logical interface, a commit checkerror occurswhenyouattempt toconfigure

ingress traffic sampling on that particular ms- logical interface. This error occurs

becauseacombinationof ingress samplingandPIC-based flowmonitoringoperations

onanms- logical interfacecausesundesired flowmonitoringbehavior andmight result

in repeatedsamplingofasinglepacket.Youmustnotconfigure ingress traffic sampling

onms- logical interfaces on which PIC-based flowmonitoring is enabled.

• Generation ofmspmand core file for flow control (MX Series with MS-MICs andMS-MPCs)—Starting with Junos OS Release 13.3R6, instead of an eJunos kernel corefile, themultiservicesPICmanagementdaemoncore file is generatedwhenaprolonged

flow control occurs and when you configure the setting to generate a core file during

prolonged flow control (by using the dump-on-flow-control option). The watchdog

functionality continues to generate a kernel core file in such scenarios.

• Change in support for service options configuration on service PICs at theMS andAMS interface levels (MX Series)—Starting in Junos OS Release 13.3R6, when amultiservices PIC (ms- interface) is a member interface of an AMS bundle, you can

configure the service options to be applied on the interface only at the ms- interface

level or the AMS bundle level by including the services-options statement at the [edit

interfaces interface-name] hierarchy level at a point in time. You cannot define service

options for a service PIC at both the AMS bundle level and at the ms- interface level

simultaneously.When youdefine the service options at theMS level or theAMSbundle

level, the service options are applied to all the service sets, on thems- interface or AMS

interface defined atms-fpc/pic/port.logical-unit or amsN respectively.



• Changes in the format of session open and close system logmessages (MX SerieswithMS-MICsandMS-MPCs)—Startingwith JunosOSRelease 13.3R7,with the JunosOS Extension-Provider packages installed and configured on the device for MS-MPCs

and MS-MICs, the formats of the MSVCS_LOG_SESSION_OPEN and

MSVCS_LOG_SESSION_CLOSE system logmessages aremodified to toggle the order

of the destination IPv4 address and destination port address displayed in the log

messages tobe consistent anduniformwith the formats of the session openand close

logs of MS-DPCs.

The following is the modified format of the MSVCS_LOG_SESSION_OPEN and

MSVCS_LOG_SESSION_CLOSE system logmessages:

month date hh:mm:ss syslog-server-ip-address yyyy-mm-dd hh:mm:ss

{NAT-type}<MSVCS_LOG_SESSION_CLOSE or MSVCS_LOG_SESSION_OPEN>:App:

application, source-interface-name fpc/pic/port\address in hexadecimal format

source-address:source-port source-nat-information ->

destination-address:destination-port destination-nat-information (protocol-name)

The following is an example of the session closure message generated for MS-MPCs

and MS-MICs.

Nov 26 13:00:07 10.137.159.1 2014-11-26 07:22:44:

{Dynamic-NAT-64-SS-NHS-1}MSVCS_LOG_SESSION_CLOSE:application:none,ae4.454

2402:8100:1:160:1:2:d384:463c:36822 [49.14.64.37:12261] -> [141.101.120.14]

64:ff9b::8d65:780e:80 (TCP)

• Support for bouncing service sets for dynamic NAT (MX Series with MS-MPCs andMS-MICs)—Starting in Junos OS Release 13.3R5, for service sets associated with

aggregatedmultiservices (AMS) interfaces, you can configure the

enable-change-on-ams-redistribution statement at the [edit services service-set

service-set-name service-set-options] hierarchy level to enable the service set to be

bounced (reset) for dynamic NAT scenarios (dynamic NAT, NAT64, andNAT44)when

amember interface of an AMS bundle rejoins or a member interface failure occurs.

When amember interface fails, the application resources (NAT pool in the case of

dynamic NAT scenarios) and traffic load need to be rebalanced. For application

resources to be rebalanced, which is the NAT pool for dynamic NAT environments, the

NAT pool is split and allocated by the service PIC daemon (spd).

• Support for RPM probes for IPv4 and IPv6 sources and targets (TXMatrixPlus)—Starting with Junos OS Release 13.3R7, you can configure the TXP-T1600,TXP-T1600-3D, TXP-T4000-3D, or TXP-Mixed-LCC-3D router as the real-time

performancemonitoring (RPM) client router (the router or switch that originates the

RPMprobes)cansendprobepackets to theRPMprobeserver (thedevice that receives

the RPMprobes) that contains an IPv4 or IPv6 address. RPM enables you to configure

active probes to track andmonitor traffic. The support for configuring RPMprobes and

RPMclients on TXMatrix Plus routers is in addition to the support for RPM that existed

on M Series, MX Series, T1600, and T4000 routers in previous releases.




• Upgrading Junos OS in one step (MX Series)—Starting in Junos OS Release 13.3, youcan specifymultiple configuration files in one stepwhen youupgrade JunosOSon your

device.Whenyouenter the requestsystemsoftwareaddor the requestsystemsoftware

validate command, you can use the upgrade-with-config option. You can also use the

upgrade-with-config-format option when the configuration file is in the text format.

Subscriber Management and Services

• Subscriber loginwhen lawful intercept fails—Starting in JunosOSRelease 13.3, whenlawful intercept activation fails during a subscriber login, the subscriber login is not

denied.AnSNMPmessage is still generated that indicates the lawful interceptactivation

failed. In JunosOS releases earlier thanRelease 13.2R2, the subscriber loginwasdenied

if lawful intercept activation failed.

• Change to test aaa ppp user and test aaa dhcp user commands—Starting in Junos OSRelease 13.3, the test aaapppuser and test aaadhcp user commands no longer display

serviceactivation statusbecause serviceactivation is not required in these commands.

Inearlier releases, thecommandsdisplayedserviceactivationstatus to indicatewhether

service activation failed or succeeded. Service-related RADIUS attribute values are

still displayed.

• Configuring domainmaps to use the default routing instance (MXSeries)—Startingin Junos OS Release 13.3, on MX Series routers you can explicitly configure a domain

map to use the default (master) routing instance for the AAA or subscriber contexts.

This enhancement enables you to configure a domain map to use the default routing

instance in cases where a nondefault routing instance is currently referenced, or in

other scenarios in which you need to explicitly reference the default routing instance.

• Configuration support to prevent the LACPMC-LAG system ID from reverting to thedefault LACP system ID on ICCP failure—Beginning in Junos OS Release 13.3, you canconfigure the prefer-status-control-active statement with the status-control standby

configuration at the [edit interfaces aeX aggregated-ether-optionsmc-ae] hierarchy

level toprevent theLACPMC-LAGsystem ID from reverting to thedefault LACPsystem

ID on ICCP failure. Use this configuration only if you can ensure that ICCP does not go

down unless the router is down. Youmust also configure the hold-time down value (at

the [edit interfaces interface-name] hierarchy level) for the interchassis link with the

status-control standby configuration to be higher than the ICCP BFD timeout. This

configuration prevents traffic loss by ensuring that when the router with the

status-controlactiveconfigurationgoesdown, the routerwith the status-controlstandby

configuration does not go into standbymode.

• Support for rejecting IPv6CP negotiation in the absence of an authorized address(MX Series)—Starting in Junos OS Release 13.3, you can control the behavior of therouter in a situationwhere IPv6CP negotiation is initiated for subscriber sessionswhen

no authorized addresses are available. By default, IPv6CP negotiation is enabled to

proceed for an IPv6-only session when AAA has not provided an appropriate IPv6

address or prefix. In the absence of the address, the negotiation cannot successfully

complete. To prevent endless client negotiation of IPv6CP, include the



reject-unauthorized-ipv6cp statement at the [edit protocols ppp-service] hierarchy

level, which enables the jpppd process to reject the negotiation attempt.

• Support for ignoring DSL ForumVSAs from directly connected devices (MXSeries)—WhenCPEdevicesaredirectly connected toaBNG, youmightwant the router

to ignore any DSL Forum VSAs that it receives in PPPoE control packets because the

VSAs can be spoofed bymalicious subscribers. Spoofing is particularly serious when

the targeted VSAs are used to authenticate the subscriber, such as Agent-Circuit-Id

[26-1] and Agent-Remote-ID [26-2].

To ignore the DSL Forum VSAs, starting in Junos OS Release 13.3, include the

direct-connect statement for PPPoE interfaces or PPPoE underlying interfaces at the

following hierarchy levels:

• [editdynamic-profilesprofile-name interfacesdemux0unit logical-unit-number family

pppoe]

• [editdynamic-profilesprofile-name interfaces interface-nameunit logical-unit-number

family pppoe]

• [editdynamic-profilesprofile-name interfaces interface-nameunit logical-unit-number

pppoe-underlying-options]

• [edit interfaces interface-name unit logical-unit-number family pppoe]

• [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]

• [edit logical-systems logical-system-name interfaces interface-name unit

logical-unit-number family pppoe]

• [edit logical-systems logical-system-name interfaces interface-name unit

logical-unit-number pppoe-underlying-options]

You can determine whether direct-connect is configured for particular interfaces by

issuing the show interfaces or show pppoe underlying-interfaces command.

• ANCP agent behavior for invalid generic responsemessages (MX Series)—Startingin Junos OS Release 13.3, when the ANCP agent receives an incorrect or unexpected

generic responsemessage from an ANCP neighbor, it immediately drops the packet,

generates a system log notice message, and takes no further action.

• Changes toANCPshowcommandoutput (MXSeries)—Starting in JunosOSRelease13.3, the show ancp neighbor command displays information for all configured ANCP

neighbors regardless of operational state. In earlier releases, it displayed information

only for neighbors in the Established state. The Time field, which displays the elapsed

time since the neighbor entered its current state, has replaced the Up TIme field. An

asterisk (*) prefixed to the neighbor entry indicates that the adjacency information

might be stale.

In Junos OS Release 13.3 and later, the show ancp subscriber command displays

information for all subscribers regardless of operational state. In earlier releases, it

displayed information only for active subscribers in the Established state. An asterisk

(*) prefixed to the subscriber entry indicates that the information might be stale. Two

asterisks (**) indicate that the neighbor associated with the subscriber has lost its

adjacency.



• Enhancedaccountingstatistics (MSeries,MXSeries,andTSeries)—Starting in JunosOSRelease 13.3, the shownetwork-accessaaastatisticsaccounting command includes

the optional detail keyword, which provides additional information about the RADIUS

accounting statistics. You can use the enhanced details for troubleshooting

investigations.

[See Verifying andManaging Subscriber AAA Information.]

• Support for processing Cisco VSAs in RADIUSmessages for serviceprovisioning—Starting with Junos OS Release 13.3R3, Cisco VSAs are supported forprovisioning andmanagement of services in RADIUSmessages, in addition to the

supported Juniper VSAs for administration of subscriber sessions. In a deployment in

which a customer premises equipment (CPE) is connected over an access network to

a broadband remote access gateway, the Steel-Belted Radius Carrier (SBRC)

application might be used as the authentication and accounting server using RADIUS

as theprotocol and theCiscoBroadHopapplicationmightbeusedas thePolicyControl

and Charging Rules Function (PCRF) server for provisioning services using RADIUS

change of authorization (CoA)messages. Both the SBRC and the Cisco BroadHop

serversare considered tobeconnectedwith thebroadbandgateway in sucha topology.

By default, service accounting is disabled. If you configure service accounting using

both RADIUS attributes and the CLI interface, the RADIUS setting takes precedence

over the CLI setting. To enable service accounting using the CLI, include the accounting

statement at the [edit access profile profile-name service] hierarchy level. To enable

interim service accounting updates and configure the amount of time that the router

waits before sending a new service accounting update, include the update-interval

minutes statement at the [edit accessprofileprofile-name serviceaccounting]hierarchy

level.

Youcanconfigure the router tocollect timestatistics, or bothvolumeand timestatistics,

for the service accounting sessions beingmanaged byAAA. To configure the collection

of statistical details that are time-based only, include the statistics time statement at

the [edit access profile profile-name service accounting] hierarchy level. To configure

the collection of statistical details that are both volume-time-based only, include the

statistics volume-time statement at the [edit access profile profile-name service

accounting] hierarchy level.

• Specifying the UDP port for RADIUS dynamic-request servers—Beginning in JunosOS Release 13.3, you can define the UDP port number to configure the port on which

the router that functions as theRADIUSdynamic-request servermust receive requests

from RADIUS servers. By default, the router listens on UDP port 3799 for dynamic

requests from remote RADIUS servers. You can configure the UDP port number to be

used for dynamic requests for a specific access profile or for all of the access profiles

on the router. To define the UDP port number, include the dynamic-request-port

port-number statement at the [edit access profile profile-name radius-server

server-address] or the [edit access radius-server server-address] hierarchy level.

• DCHP Relay subscriber and proxy-mode support (MX Series)—Starting with JunosOS Release 13.3, when DHCP Relay Agent for subscriber management is configured in

proxy-mode, DHCP Request packets for which no client/subscriber state exists on the

Relay Agent (stray requests) behave according to RFC 2131 Section 4.3.2: “If the DHCP

server hasno recordof this client, then itMUST remain silent, andMAYoutputawarning



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-network-access-aaa-statistics.html

to the network administrator. This behavior is necessary for peaceful coexistence of

non-communicatingDHCP servers on the samewire.” Suchbehavior also occurswhen

multiple, non-communicating, proxy-modeRelayAgentsareprocessingDHCPRequest

packets from the same client or subscriber. In some network configurations, Relay

Agent can send a NAK to the client or subscriber when Relay Agent is not configured

to act on bind-on-request. The NAK prevents Relay Agent from forwarding the DHCP

Request to the server or, in the case of a client move, when the packet is not directed

to the proxy-mode Relay Agent that receives it. DHCP Relay Agent for subscriber

management no longer generates a NAK in place of the server in response to stray

requests but relies on the server to respond appropriately to the client or subscriber.

For those cases when packets are configured not to be forwarded to the server

(no-bind-on-request is configured), orwhen thepacket isdeterminednot tobedirected

to the receiving Relay Agent, those packets are silently discarded in accordance with

RFC 2131 Section 4.3.2.

• Addition of pw-width option to the nas-port-extended-format statement—Starting inJunosOSRelease 13.3R4, you can configure the number of bits for the pseudowire field

in the extended-format NAS-Port attribute for Ethernet subscribers. Specify the value

with thepw-widthoption in thenas-port-extended-format statementat the [editaccess

profile profile-name radius options] hierarchy level. The configured fields appear in the

following order in the binary representation of the extended format:

aggregated-ethernet slot adapter port pseudo-wire stacked-vlan vlan

The width value also appears in the Cisco NAS-Port-Info AVP (100).

• LAC configuration no longer required for L2TP tunnel switching with RADIUSattributes (MX Series)—Starting in Junos OS Release 13.3R6, when you use JuniperNetworks VSA 26-91 to provide tunnel profile information for L2TP tunnel switching,

you no longer have to configure a tunnel profile on the LAC. In earlier releases, tunnel

switching failed when you did not also configure the LAC, even when the RADIUS

attributes were present.

• Local DNS configurations available when authentication order is set to none (MXSeries)—Starting in Junos OS Release 13.3R8, subscribers now get the DNS server

addresses when both of the following are true:

• The authentication order is set to none at the [edit access profile profile-name

authentication-order] hierarchy level.

• A DNS server address is configured locally in the access profile with the

domain-name-server, domain-name-server-inet, or domain-name-server-inet6

statement at the [edit access profile profile-name] hierarchy level.

In earlier releases, subscribers get an IPaddress in this situation, but not theDNSserver

addresses.

• Change in support for L2TP statistics-related commands (MX Series)—Starting inJunos OS Release 13.3R8, statistics-related show services l2tp commands cannot be

issued in parallel with clear services l2tp commands from separate terminals. In earlier

releases, you can issue these show and clear commands in parallel. Nowwhen any of

these clear commands is running, youmust press Ctrl+c to make the clear command



run in the background before issuing any of these show commands. The relevant

commands are listed in the following table:

show services l2tp destination extensiveclear services l2tp destination

show services l2tp destination statisticsclear services l2tp session

show services l2tp session extensiveclear services l2tp tunnel

show services l2tp session statistics

show services l2tp summary statistics

show services l2tp tunnel extensive

show services l2tp tunnel statistics

NOTE: Youcannot runmultipleclearservices l2tpcommands fromseparate

terminals. This behavior is unchanged.

• New option to limit themaximum number of logical interfaces (MX Series routerswith MS-DPCs)—Starting in Junos OS Release 13.3R9, you can include thelimited-ifl-scaling optionwith the network-services enhanced-ip statement at the [edit

chassis] hierarchy level to impose a limitation on themaximum number of logical

interfaces on MX Series routers with MS-DPCs to be 64,000 for enhanced IP network

services mode. Using the limited-ifl-scaling option prevents the problem of a collision

of logical interface indices that can occur in a scenario in which you enable enhanced

IP servicesmode and anMS-DPC is also present in the same chassis. A cold reboot of

the router must be performed after you set the limited-ifl-scaling option with the

network-servicesenhanced-ip statement.Whenyouenter the limited-ifl-scalingoption,

none of the MPCs are moved to the offline state. All the optimization and scaling

capabilities supported with enhanced IPmode apply to the limited-ifl-scaling option.




• User-defined identifiersusingthereservedprefix junos-nowcorrectlycauseacommiterror in the CLI (M Series, MX Series, and T Series)—Junos OS reserves the prefixjunos- for the identifiersofconfigurationsdefinedwithin the junos-defaultsconfiguration

group. User-defined identifiers cannot start with the string junos-. If you configured

user-defined identifiers using the reserved prefix through a NETCONF or Junos XML

protocol session, the commit correctly fails. In releases earlier than Junos OS Release

13.3, if you configured user-defined identifiers through theCLI using the reservedprefix,

the commit incorrectly succeeded. Junos OS Release 13.3 and later releases exhibit

the correct behavior. Configurations that currently contain the reserved prefix for

user-defined identifiers other than junos-defaults configuration group identifiers will

now correctly result in a commit error in the CLI.

• Change in show version command output (M Series, MX Series, and TSeries)—Beginning in JunosOSRelease 13.3, theshowversioncommandoutput includesthe new Junos field that displays the Junos OS version running on the device. This new

field is in addition to the list of installed sub-packages running on the device that also

display the Junos OS version number of those sub-packages. This field provides a

consistent means of identifying the Junos OS version, rather than extracting that

information from the list of installed subpackages.


single Junos field in theoutput thatdisplays the JunosOSversion runningon thedevice.

The only way to determine the Junos OS version running on the device is to review the

list of installed subpackages.



user@host> show versionHostname: lab Model: mx960 Junos: 13.3R1.4JUNOS Base OS boot [13.3R1.4] JUNOS Base OS Software Suite [13.3R1.4] JUNOS Kernel Software Suite [13.3R1.4]JUNOS Crypto Software Suite [13.3R1.4]...

user@host> show versionHostname: lab Model: mx960 JUNOS Base OS boot [12.2R2.4]JUNOS Base OS Software Suite [12.2R2.4]JUNOS Kernel Software Suite [12.2R2.4]JUNOS Crypto Software Suite [12.2R2.4]...

[See show version.]

• Configuring regularexpressions(MSeries,MXSeries, andTSeries)—Inall supportedJunosOS releases, regular expressions can no longer be configured if they requiremore

than 64MB of memory or more than 256 recursions for parsing.


wasmade in response to a known consumption vulnerability that allows an attacker

to cause a denial of service (resource exhaustion) attack by using regular expressions









• Newwarningmessage for the configurational changes to extend-size (MSeries, MXSeries, and T Series)—Starting with Junos OS Release 13.3R8, any operation on thesystemconfiguration-databaseextend-sizeconfiguration statement suchas,deactivate,

delete, or set, generates the following warning message:

Change in 'system configuration-database extend-size' will be effective at next reboot

only.









Known Behavior

This sectioncontains theknownbehavior, systemmaximums, and limitations inhardware

and software in Junos OS Release 13.3R10 for the M Series, MX Series, and T Series.







• MPLS on page 80


• IPv6 on page 80





• If you definemore than one forwarding class for a given queue number, do not use the

nameofadefault forwardingclass for oneof thenewclasses, becausedoing socauses

the forwarding classwith thedefault name tobedeleted. For example, donot configure

the following, because doing so deletes the best-effort class:

user@host# set class-of-service forwarding-classes class be queue-num0




user@host# set class-of-service forwarding-classes class best-effort queue-num0user@host# commit

• To use per-priority shaping on a physical interface on the MX104 router, you must

enable hierarchical scheduling on the interface with the set hierarchical-schedulerstatement at the [edit interface interface-name] hierarchy level.

General Routing

• In MX2020 routers and T Series routers, memory usage of the device increases when

the auto-64-bit statement is issued.

Hardware

• Support for MIC-3D-8OC3-2OC12-ATMRevision 22 andlater—MIC-3D-8OC3-2OC12-ATM Revision 22 is supported only by the following

Junos OS releases:

• Junos OS Release 12.3—12.3R9 and later




• Junos OS Release 15.1 and later


Known Behavior

Youmust upgrade to a supported Junos OS release to useMIC-3D-8OC3-2OC12-ATM

Revision 22 and later.


• The MPC5E, MPC5EQ, and MP6E cards do not support unified ISSU on an MX Series

Virtual Chassis.

MPLS

• Removal of SRLG from the SRLG table only on the next reoptimization of the LSP(M, MX, and T Series)—If a SRLG is associated with a link used by an ingress LSP inthe router then on deleting the SRLG configuration from that router, the SRLG gets

removed from the SRLG table only on the next reoptimization of the LSP. Until then

the output displaysUnknown-XXX instead of the SRLGnameand a non-zero srlg-cost

of that SRLG for run showmpls srlg command.

Multicast

• IGMP snooping does notmap router interface when source IP address is0.0.0.0—When a snooping switch sends an IGMP query on an interface with a source

IP address of 0.0.0.0, that interface is notmarked as a router interface. The show igmp

snooping interface command displays Router Interface: no for that interface. This is

expected behavior. To correct IGMPmapping, provide the querying interface with an

IP address other than 0.0.0.0.

IPv6

• Inconsistent IfMtuMIB value (M Series, MX Series, and T Series)—The value of theIfMtuMIB is inconsistent for the logical interfaces with IPv6 address.


• With static NAT configured as basic NAT44 or destination NAT44 onMXSeries routers

with MS-MICs and MS-MPCs, the input and output bytes and traffic rate values

displayed under the Input bytes andOutput bytes fields respectively in the output of

the show interfaces command differ by approximately 25 percent forms- interfaces

with lower packet sizes.




• Downgrading to Junos OS Release 12.3 when the configuration includes thetargeted-distribution statement—In Junos OS Release 12.3, the targetted-distributionstatement at the [edit interfaces demux0 unit logical-unit-number] hierarchy level is

misspelled.Starting in JunosOSRelease 13.3, the spelling for this statement is corrected

to targeted-distribution. If you use the misspelled targetted-distribution statement in

Junos OS Release 13.3 or higher, the CLI corrects the spelling to targeted-distribution

in your configuration, so existing scripts still work. The correct spelling is not backward

compatible; Junos OS Release 12.3 supports only the targetted-distribution spelling. If

you downgrade from Release 13.3 or higher to Release 12.3, all correctly spelled

targeted-distribution statementsare removed fromtheconfigurationandconfiguration

scripts with the correct spelling fail.


• The clear pppoe sessions command does not have an all option and consequently

clears all current PPPoE subscriber sessions when you enter the command. The CLI

does not prompt you to confirm that you want to clear all sessions. When you want to

gracefully terminateasubscriber session, always include the interfacenameassociated

with the session. For some network configurations, if your subscribers have unique

usernames, youcanalternatively issue theclearnetwork-accessaaasubscriberusername

command.

• On the MX Series, subscriber management uses firewall filters to capture and report

the volume-based service accounting counters that are used for subscriber billing. You

must always consider the relationship between firewall filters and service accounting

counters, especially when clearing firewall statistics. When you use the clear firewall

command (to clear the statistics displayed by the show firewall command), the

commandalso clears the service accounting counters that are reported to theRADIUS

accounting server. For this reason, youmust be cautious in specifying which firewall

statistics you want to clear. When you reset firewall statistics to zero, you also zero

the counters reported to RADIUS.

• On the MX Series, subscriber management provides a route suppression feature that

enables you to override the DHCP default behavior that adds access-internal and

destination routes for DHCPv4 sessions, and to access-internal and access routes for

DHCPv6 sessions. However, you cannot suppress access-internal routes when the

subscriber is configuredwithboth IA_NAand IA_PDaddressesover IPdemux interfaces,

because the IA_PD route relies on the IA_NA route for next-hop connectivity.

• The show ppp interface interface-name extensive and show interfaces pp0 commands

display different values for the LCP state of a tunneled subscriber on the LAC. The

show ppp interface interface-name extensive command displays STOPPEDwhereas

the show interfaces pp0 command displays OPENED (which reflects the LCP state

before tunneling).Asaworkaround, use the showppp interface interface-nameextensive

command to determine the correct LCP state for the subscriber.

• Subscriber management is not supported when the routing protocol daemon (rpd) is

running in 64-bit mode. For subscriber management support, rpd must run in 32-bit

mode.


Known Behavior









Known Issues

This section lists the known issues in hardware and software in JunosOSRelease 13.3R10

for the M Series, MX Series, and T Series.




• Forwarding and Sampling on page 83




• J-Web on page 92

• Layer 2 Ethernet Services on page 92


• Multiprotocol Label Switching (MPLS) on page 93






• VPNs on page 100


• The errormessage only per-unit and 2-level hierarchical scheduler are supported on this

interface is a cosmetic regression issue without any functional impact. PR1050512

• When the chained-composite-next-hop is enabled for Layer 3 VPN routes, MPLS CoS

rewrite rules attached to the core-facing interface for "protocol

mpls-inet-both-non-vpn" are applied not only to non-VPN traffic (which is the correct

behavior) but also to Layer 3 VPN traffic -- that is, both MPLS and IP headers in Layer

3 VPN traffic receive CoS rewrite. PR1062648






Forwarding and Sampling

• OnMX Series routers with the network services enhanced IP configuration, when the

firewall daemon comes up as part of the system reboot, it cannot read the chassis

network-service configuration statement from the kernel. After several retries, the

firewall daemonmust choose the default chassis network service IP mode. When the

interface description change is committed, the firewall daemon attempts to read

chassis network-serviceagain. If it is successful, the firewall daemonmust restart itself

because the chassis network service configuration is in enhanced IPmode. When the

daemon restarts, openFlow connections are dropped.PR1035956

• When VRRP is configured on MX Series routers with MPC/MIC-based MX Series

interfaces, staticMACentries are installedon thePacket ForwardingEngine in theMAC

database as part of MAC filter installation. The MIB walk on some object identifiers

(OIDs) will trigger a walk over the MACMIB entry (walk over the static MAC entries

with no OIDs), resulting in an error message. During the walk, it is expected that no

entries are read from static MAC database entries; however, the EODB is not set to

indicate theMACdatabasewalk has ended. This error log does not have any functional

impact on the MIB walk:

mib2d[xxx]: MIB2D_RTSLIB_READ_FAILURE: check_rtsock_rc: failed in readingmac_db:

0 (Invalid argument)mib2d[xxx]: SNMP_GET_ERROR1: macStatsEntry getnext failed

for interface: index1 ge-*/*/* (Invalid argument)

The following oidmight trigger the issue: 1/ Rpf related oid 2/ AtmCos related oid 3/Mac

related oid , such as jnxMacStatsEntry 4/ PMon related oid 5/ jnxSonetAlarmTable 6/

Scu related oid 7/ jnxCmRescueChg 8/ jnxCmCfgChgEventLog 9/

jnxIpv4AdEntReasmMaxSize.PR1042610

• Moving an interface from onemesh group to another might cause the Layer 2 Address

Learning Daemon (L2ALD) to generate a core file. PR1077432

• In Junos OS Release 12.3R9 and later, if shared-bandwidth-policer is configured on an

ARPpolicer for annon-bundle interface,DHCPwill fail toworkafter thedevice reboots,

even if DHCP is not configured on that same interface. As a workaround, delete

shared-bandwidth-policer or apply this policer to a bundle interface. PR1116450

• After committing a configuration change, youmight see a warning like the following

in the messages log: dfwc: invalid filter program pointer, dph_abst=0xffefd82c

dph_comp=0x0 . There should be no impact to traffic or protocols. This is an

informationalmessage indicating that the dfwc process is compiling the firewall filters

for use on the FPCs. It can be safely ignored. PR1116538

• If abandwidth-percentbasedpolicer isappliedonanaggregatedEthernet (AE)bundle

without the shared-bandwidth-policerconfigurationstatement, trafficwill hit thepolicer

even if the traffic is notexceeding theconfiguredbandwidth.Asaworkaround, configure

the shared-bandwidth-policer configuration statement under the policer. PR1125071

• If you disable the default ARP policer and reboot, when you execute the commit full

command, the default ARPpolicer is attached to the logical interface again.PR1198107


Known Issues








General Routing

• During interface flap, the FPC consolemight print the followingmessage:No localhost

ifl for rtt 65535. This is caused by a race condition in the software and is cosmetic.

PR676432

• OFTest can actively try to establish an openflow TCP connection on port 6633. When

OFTest is actively sending SYNmessages to request a TCP connection, the openflow

daemonsendsaTCP/IP reset (RST) flagand refuses theconnection request.PR838297

• Currently, most platforms do not support action set src-mac except QFX3500. Thus

if the controller pushes flowswith set src-mac to unsupported platforms, the CLI show

commanddisplays the flowwith action set src-mac but the router cannot program the

corresponding action to filter at the Packet Forwarding Engine. The router responds

to the controller with the following error message.OFPET_FLOW_MOD_FAILED and

reason code OFPMFC_UNSUPPORTED. code OFPMFC_UNSUPPORTED. PR838699

• The set ToS action is not supported. Flows containing this action are rejected and the

OpenFlow error messageOFPET_FLOW_MOD_FAILED and reason code

OFPFMFC_UNSUPPORTED sent to the controller PR838764

• set vlanpriority action is not supported. Flowscontaining suchanactionwill be rejected

and an error message sent back to the controller with error code

OFPET_FLOW_MOD_FAILED and reason code OFPFMFC_UNSUPPORTED PR838804

• OpenFlow is not supported in logical systems. If you configure the [edit protocols

openflow] hierarchy under the [edit logical-systems] hierarchy, a commit error is not

generated. PR839858

• When both Routing Engines in a dual-Routing Engine system reboot too quickly with

GRES enabled, 'ipsec-key-management' process would require a manual restart.

PR854794

• FTP/TFTP ALG connections/sec is limited to 10,000 connections/sec. PR875490

• Because the forwarding of a packet that arrives with MPLS labels is performed based

on theMPLS label and not basedon the IP address contained in the packet, the packet

is sampled at the output interface with the MPLS label that was popped not being

available at the time of sampling. In such a case, depending on the interface (IIF), the

VRF index is identified and the route for the sampled packet is determined in the VRF

table. Because a specific route is not available in the VRF that is different from theVRF

on which the packet is received, the Output Interface Index, Source Mask, and

Destination Mask fields are incorrectly populated. This behavior occurs when an IPv4

template is applied as a firewall filter on an egress interfacewith sample as the action.

PR876327

• This isaproduct limitation.NecessarydocumentationcanbedoneasnecessaryRelease

Notes or Enhancement Requests and assigned accordingly. PR882695

• The traffic-drd daemonmight hang once after logging into service PIC and restart the

net-monitor daemon. PR889982

• OnMXSeries routers, fabric chipsmight get incorrectly programmedafter unified ISSU

to Junos OS Release12.2 or later. To avoid this issue, make sure the system is in a clean














state before performing unified ISSU. For more information on steps to achieve clean

state, see this KB article. http://kb.juniper.net/KB28133 PR900028

• Minor memory leaks might occur if you add and delete the samemulti-VLAN flow on

the order of 100,000 such add and delete operations. PR905620

• Sessions are getting timed out immediately while trying to create 7M/15M sessions on

MICs and /MPCs with bidirectional traffic. PR931081

• When service-set configuration and interface service option configuration changes are

committed together in an MX80 router, sometimes both changes are not applied. As

a workaround, commit after one configuration. PR932418

• SR10 transceivers do not support power statistics, because no power monitor is

available on these transceivers. It is an expected behavior to see zero power values on

SR10 CFP. PR932599

• On the 2x10GEMIC and 4x10GEMIC, a +/-6.2ppm frequency offset occurs with the

SyncE operation. As a workaround, match the framing of the PIC and the interface

(this does not occur by default). PR932659

• A 50-Kbps performance drop (since the previous release) occurs on MICs and MPC

with IMIX traffic for next-hop style IPsec tunnels with session traffic. PR935393

• In some scenarios, the floodlight controller cannot connect to the switch running

openflowed because of the contents in the OFPT_SET_CONFIG packet.PR940707

• Asserting flow control when using the show services sessions command with large of

sessions present in MS-MICs results in traffic drop. PR947674

• AVirtualPrivateLanService(VPLS)scenario,when theDensePortConcentrator(DPC)

linecardsuse the label switched interface(lsi) interface, theMediaAccessControl(MAC)

address is incorrectly learned. PR947691

• When the BCM0 interface goes down, the Routing Engine should switch over on the

M320Multiservice Edge Router.. PR949517

• IPsec tunnels are deleted with Network Address Translation-Traversal (NAT-T) and

dead peer detection (DPD) on IPsec rekey. PR951616

• Traceroute through an interface-services style AMS service-set fails under some

configurations. PR966171

• BFDsession flap is expected in scaledenvironmentwhen restarting chassisdor Flexible

PIC Concentrators (FPCs). ". PR969023

• When themirror destination interface is a next-hop-subgroup and the enhanced-IP

chassis configuration statement is enabled, any mirroring applied on L3 interfaces

(inet/inet6) might not work in certain scenarios. PR972138

• Output for the show chassis power detail command displays power consumption as

zero for Windsurf FPCs in Junos OS Release 13.3R2 images. PR981621

• IPsec endpoint fails to decrypt packets on some of the tunnels with NAT between

IPsec endpoints. PR989054


Known Issues


















• When you use the restart packet-triggered-subscribers command, sessions between

the MX Series SAE and SRC (external policy manager) might become out-of sync. As

a result, new subscribers cannot be created. PR990788

• An inconsistency between JUNIPER-VPN-MIB and MPLS-L3VPN-STD-MIB regarding

the number of interfaces for a routing instance has been identified. For example, note

the following configuration:

user@router-re0>showconfiguration routing-instances ri1 instance-typevrf; interface

ge-2/0/8.10; interface lo0.10; route-distinguisher 65000:1; vrf-target target:65000:1;

vrf-table-label; According to the MPLS-L3VPN-STD-MIB,

maplsL3VpnVrfAssociatedInterfaces: OID: 1.3.6.1.2.1.10.166.11.1.2.2.1.8

Description: Total number of Interfaces connected to this VRF (Independent of

IfOperStatus type). {master} user@router-re0> show snmpmlb walk

1.3.6.1.2.1.10.166.11.1.2.2.1.8 mplsL3VpnVrfAssociatedInterfaces.3.114.105.49 = 2

According to JUNIPER-VPN-MIB, there interfaces in this VRF:

JUNIPER-VPN-MIB :: jnxVpnIfStatusOID: 1.3.6.1.4.1.2636.3.26.1.3.1.10Description:Status

of a monitored VPN Interface.

user@router-re0> show snmpmib walk 1.3.6.1.4.1.2636.3.26.1.3.1.10

jnxVpnIfStatus.2.3.114.105.49.733 = 5 jnxVpnIfStatus.2.3.114.105.49.754 = 5

jnxVpnIfStatus.2.3.114.105.49.774 = 5.

The interfaces in the example are: {master} user@router-re0> show snmpmib walk

1.3.6.1.2.1.2.2.1.2 ifDescr.733 = ge-2/0/8.10 ifDescr.754 = lo0.10 ifDescr.774 = lsi.0.

As a workaround, remove the dynamic interface (in this case, Isi.0) from the interface

list of JUNIPER-VPN-MIB.PR1011763

• There is an existing optimization in the Routing Engine kernel in which the add IPCs of

interface objects (IFD/IFL/IFF/IFA) are not sent to the FPCs (that is, these IPCs get

suppressed) when the corresponding IFD no longer has the IFDF_PRESENT flag set.

Since chassisd has already removed this flag from the IFD, all daemons will start

cleaning up the whole hierarchy, and soon the device control process (dcd) will delete

IFAs/IFFs/IFLs under it, before deleting the IFD itself. The kernel keeps track of which

object's add IPC was suppressed for which FPC peer (it is a per-object bit vector) and

suppresses the delete IPC as well if the add was suppressed. However, this logic does

not exist for RT and NH objects. Therefore, occasionally the FPCmight receive a NH

IPC for which the parent IFL got suppressed in the kernel. In this case, error messages

will be generated; however, the messages can be ignored because DCDwill delete

everything once scheduled. PR1015941

• With Enhanced IP network service mode configured, traffic might fail to be sent out

over the inline LSQ bundle interface. PR1018887

• InBGPMVPNRPT-SPTmode,onanegressprovider edge(PE)devicewithan interface

with static IGMPv2 configuredanddirectly connected IGMPv2hosts, the IGMP reports

can be treated as multicast data packets by the Packet Forwarding Engine, triggering

data events (IIF-MISMATCH) that can create undesirable (S,G) states. These states

are usually harmless but on large scale, can result in resource utilization. Note that in

BGPMVPNRPT-SPTmode, directly connected receivers and senders are not officially

supported for other reasons (because of lack of SPT-Switch capability). PR1021501








• On the MPC5E card, drops on ingress are unaccounted for when you run the show

interfaces extensive command. After you run the no-flow-control command, the drops

become visible. PR1037632

• When the ps interface is configured using a logical tunnel (lt) interface as anchor,

withoutexplicit tunnel-bandwidthconfiguration (under the [chassis fpc<fpc-number>

pic <pic-number> tunnel-services] hierarchy), the ps interface is created only in the

kernel, but not in the Packet Forwarding Engine. In order to have the ps interface in the

Packet Forwarding Engine, an explicit tunnel-bandwidth configuration is required.

PR1042737

• OnMX Series routers with MS-MICs and MS-MPCs, with 3:1 redundancy enabled for

AMS interfaces where onemember interface can back upmultiple other member

interfaces, it is observed that stale flows are preserved and not cleared for a long time.

Thisproblemoccurswith stateful firewall andcarrier-gradeNATconfigured.PR1055388

• On a P2MP branch node router, if the network-services is not in enhanced-ip mode,

packet drop will seen when another sub-LSP within the same P2MP is flapping.

PR1057927

• In the LDP tunneling over single-hop RSVP-based LSP environment, after enabling

chained-composite-next-hop, the router might fail to create the chained composite

next hops if the label value of VPN is equal to the label value of LDP. PR1058146

• Alogmessage requestinganupgradeofVSC8248firmwareofMPC3/MPC4 isdisplayed

during Junos OS upgrade. PR1058184

• The MS-MPC does not support clock synchronization, because it has no

clocking-capable interfaces. On receipt of clock synchronization messages, the router

logs the following message: Jan 20 17:33:14.032 2015 ROUTER_RE0 :%PFE-3: fpc1

gencfg nomsg handlers for gencfg msg command 34 Jan 20 17:35:18.388 2015

ROUTER_RE0/kernel:%KERN-1-GENCFG:op34(CLKSYNCblob) failed; err 7 (Doesnot

Exist). PR1062132

• When you use thempls-ipv4-template sampling template for non-IP traffic

encapsulated in MPLS, log messages such as this one can be seen frequently

(depending upon the rate of traffic, there could be a range of fewmessages to

2000-3000messages per minute): Feb 18 09:28:47 Router-re0 :%DAEMON-3: (FPC

Slot 2, PIC Slot 0)ms20mspmand[171]: jflow_process_session_close: Could not get

session extension: 0x939d53448 sc_pid: 5. Depending upon the frequency of the

messages per second, eventd (daemon) utilization can shoot up processing these

system logs at the Routing Engine. Eventually, high CPU utilization is observed at the

Routing Engine, which can by checked by using show chassis routing-engine or the

freebsd "Top" command under the shell. CPU states:% user,% nice,% system,%

interrupt,% idle <<<<< user cpu% (top command) "show chassis routing-engine"

Routing Engine status: <> CPU utilization: User percent <<<<<<<<<<<<< Background

percent Kernel percent Interrupt percent Idle percent .PR1065788

• Class 4 (32W) optics are not supported on the MPC4E (2CGE+8XGE). Upon insertion

and removal of a Class 4 optic, the TX laser will remain powered off, even when a

supported optic is inserted. PR1068269


Known Issues










• ICMP echo_reply traffic with applications like IPsecwill not work with theMS-MIC and

MS-MPC cards in an asymmetric traffic environment, because these cards employ a

stateful firewall by default. The packetwill be dropped at the stateful firewall because

it detects an ICMP reply that does not have amatching session. PR1072180

• The license-checkprocessmight consumemoreCPUutilizationon theRoutingEngine.

This canoccurwhencertain featuresattempt to registerwith the license-checkdaemon

and the daemon cannot process the requests. PR1077976

• On chassis-based line cards, the FI: Protect: Parity error for CP freepool SRAM SRAM

parity error might be seen. It is harmless and can be ignored. PR1079726

• M7i with ASMmodule and IPsec service is unsupported on Junos OS Release 13.3X.

This product has reached End of Life (EOL). PR1082450

• TCPmessages do not have their MSS adjusted by the Multiservices MIC and MPC if

they do not belong to an established session. PR1084653

• On PTX Series platforms, some non-fatal interrupts (for example, CM cache or AQD

interrupts) are logged as fatal interrupts. The following log messages will be shown

on CM parity interrupt: fpc0 TQCHIP 0: CM parity Fatal interrupt,Interrupt status:0x10

fpc0 CMSNG: Fatal ASIC error, chip TQ fpc0 TQCHIP 0: CM cache parity Fatal interrupt

has occurred 181 time(s) in 180010msecs TQCHIP0: CMcache parity Fatal interrupt has

occurred 181 time(s) in 180005msecs PR1089955

• Incorrect diagnostic optics information might be seen for the GE-LX10 SFP and SFP+

for SumitomoElectric. The issue is seen only for the following SFP type: "Xcvr vendor

part number: SCP6F44-J3-ANEÃ‚ Â it can be seen with show chassis pic fpc-slot X

pic-slot Y. user@device> show chassis pic fpc-slot 0 pic-slot 0 .. PIC port information:

Fiber Xcvr vendorWave- Xcvr Port Cable type type Xcvr vendor part number length

Firmware 0 GIGE 1000LX10 SMOPNEXT INC TRF5736AALB227 1310 nm0.0 1 GIGE

1000LX10 SM FINISAR CORP. FTLF1318P2BTL-J1 1310 nm0.0 2 GIGE 1000LX10 SM

SumitomoElectric SCP6F44-J3-ANE 1310 nm0.0 <<<<Error SFP>. PR1091063

• Themspmand processmight crash because of prolonged flow control with TCP ALGs

when the following conditions happen together:

1. The system is overloaded with TCP ALG Traffic. 2. There are lots of retransmissions

and reordered packets. PR1092655

• When the control path is busy/stuck for the service PIC, the AMSmember interface

hoistedby itmight bedown, butwhen thebusy/stuck condition is cleared, themember

interface might not recover, and AMS bundle will still show the PIC as inactive.

PR1093460

• WhenBGPmultipath is enabled ina virtual routingand forwarding (VRF), ifauto-export

and rib-group are configured to leak BGP routes from this VRF table to another (for

example, the default routing table), traffic coming from the default routing instance

might not be properly load-balanced because of the multipath route leaked into the

default routing table is not the active route. This is a random issue. As a workaround,

only use auto-export to exchange the routes among the routing tables. PR1099496

• OnMX104 Series platform, you use snmpbulkget or snmpbulkwalk (for example, used

by the SNMP server) on a chassisd - related component (for example,













jnxOperatingEntry), chassis process (chassisd) high CPU usage and slow response

might be seen because of hardware limitation, whichmight also lead to query timeout

on the SNMP client. In addition, the issue might not be seen when using SNMP query

for interface statistics. As a workaround, do either of the following: (Option 1)

Option 1 Use snmpget or snmpwalk instead of snmpbulkget or snmpbulkwalk, and

include "-t 30" options when doing the SNMP query (for example, "snmpget -v2c -c

XX -t 30").

Option 2 Use "-t 30" option with snmpbulkget or snmpbulkwalk (for example,

"snmpbulkget -v2c -c XX -t 30"). PR1103870

• On TX/TXP Series platform, during an LCC hit overtemp situation, it might go offline

abruptly without notifying SFC and other LCCs, which might cause traffic loss or

performance degradation. PR1116942

• TCP-Tickle Packets sent to Public Side targets will have the wrong sequence number

and also will have the untranslated private IP set as the source IP address. PR1117404

• On FPC-SFF-PTX-P1-A(PTX3000) /FPC-SFF-PTX-T(PTX3000)

/FPC-PTX-P1-A(PTX5000), and FPC2 -PTX-P1A(PTX5000), packet loss might be

observed in an equal-cost multipath (ECMP) or aggregated Ethernet (AE) scenario.

The issue occurs in a race condition: the unilist is created before ARP learned the MAC

addresses, then the selector table is corrupted. PR1120370

• In a multihoming EVPN scenario in which the customer-facing interface is an AE

interface, after moving an interface from the EVPN instance into a VPLS instance,

traffic loss might be seen on the customer edge (CE) device facing FPC. PR1126155

• In certain rare conditions, the FPC virtual output queue (VoQ) wedges, resulting in

dropped packets on the ingress Packet Forwarding Engine for the PTX router. Because

the wedge is unable to be reproduced, detection of the wedge condition is introduced

that alarmwould be raised once the wedge condition is detected within 10 seconds.

PR1127958

• A fewNAT ruleupdatesarenot effectiveoncurrent active sessions.Only "clear services

sessions" could help to apply the new rule. PR1142961

• In case of an active BGPmultipath route with more than two indirect next hops and

another BGP route that can participate in protocol-independentmultipathwith router

next hop, rpdmight crash if the interface onwhich the firstmember of the indirect next

hop resolves goes down. PR1156811

• On T Series and TX Series platforms, when themaster Switch Processor Mezzanine

Board (SPMB) goes for a reboot(goes offline/online), all Switch Interface Boards

(SIBs) will get hard-restarted. As a result, the traffic will fall into a black hole for more

than 1 min. PR1160658

• On T Series platforms with 10x10GE Type 4 PIC installed, if an interface in such a PIC

is configuredwithWANPHYmode, theCoSconfigurationon theportwill be incorrectly

programmed and it might result in unexpected packet drop. PR1179556

• GUMEMerrors for the sameaddressmight continually be logged if a parity error occurs

in a locked location in GUMEM. Thesemessages should not impact performance. The

parity error in the locked location can be cleared by rebooting the FPC. PR1200503


Known Issues













• After configuring a resolver import policy, some routes are stuck with unresolved next

hops in the resolver. Even though there exists an IGP route to resolve the protocol next

hop, the next hops remain unresolved. PR819068

• During a router hardware upgrade procedure, in a dual Routing Engine system, the

newly installed Routing Enginemight overwrite the other Routing Engine configuration

with the factory-default configuration. As a result, both Routing Engines may boot up

in "Amnesiac" mode. PR909692

• If NSR Routing Engine switchover occurs right after you commit the configuration

change that deletes routing instances, some of those instances might not be deleted

from the forwarding table. PR914878


• A DCD configuration write failure message is returned from the kernel when trying to

set an IFF object for pfh interfaces as the kernel rejects this as "Operation not

supported". PR742403

• To troubleshoot a particular subscriber, you can use 'monitor traffic interface <ifd>

write-file xy.pcap'. Using this command on aggregated or demux interfaces can lead

to corrupted ingress packets in the PCAP file. Customer traffic is not affected though.

PR771447

• Whensubscribermanagement control traffic is collectedusingmonitor traffic interface

demux0write-file xy.pcap, the logical unit number is incorrect whenmultiple demux

logical interfaces are present. This problem is fixed and the correct interface logical

unit number is reported in the juniper header of the captured PCAP file. However,

customer traffic is not affected. PR771453

• The kernel might crash on themaster Routing Engine if there are overlapping IP

addresses configured on the same interface. As a workaround, if possible, delete first

all the overlapping IP addresses, starting with the smaller subnet. Then reconfigure

only the IPaddress that is necessary on that interface. In this caseboth the IPaddresses

(10.99.250.156/2; 10.99.250.157/29) have to be deleted first and then the interface

can be configured with the correct IP address (10.99.250.157/29). PR785030

• The online insertion and removal (OIR) is not supported on PIC(PD-4XGE-XFP)

currently. If the PIC(PD-4XGE-XFP) is pulled from the FPC without first being offline,

the FPC crashes and generates a core file. PR874266

• PPP interfaceMTUchangesoccurafter youmakeconfigurationchanges to thesystem.

PR897940

• A nonexistent leg in an aggregated Ethernet bundle prevents DHCP subscribers from

coming up. PR918745

• In Junos OS Release 13.3, commit time improvements have been implemented for the

dcdmodule; however, the first commit after the reboot of the Routing Engine takes

longer time to complete, as compared to the subsequent similar commits. PR942351














• The following logs are seen with certain configuration changes: Dec 24 06:22:16

dcd[4177]: ae1: per-unit-scheduler is valid only on FR and VLAN encapsulation. Dec 24

06:22:17 dcd[1660]: ae1: per-unit-scheduler is valid only onFRandVLANencapsulation..

In this case, the check for allowing per-unit-scheduler on the AE interface was done

before the encapsulation attribute of AE interface was read, and therefore dcd

generated this log errormessage for any of themodifications on theAE interface. Issue

is cosmetic in nature. PR951434

• The PCS statistics counter onNEOMIC can increment even though no XFP is installed.

PR954896

• Demux Subscriber IFLs might show the interface as Hardware-Down even though the

underlying aggregated Ethernet bundle and its member links show up. PR971272

• In the large scaled VPLS environment (in this case, more than 2000 VPLS sessions),

when larger scale route updates occur during In-Service Software Upgrade (ISSU),

one of the FPCs in the router might get stuck in Ready state. In normal upgrades, this

issue will not be observed. PR986264

• On dual Routing Engine platforms, when adding the logical interfaces (IFLs) and

committing, becauseof thedevicecontrolprocess (dcd)on thebackupRoutingEngine

might fail to process the configuration and keep it in the memory. In some cases, it

might beobserved that thememoryof thedcd keeps increasingon thebackupRouting

Engine. PR1014098

• Powering off by pushing theOffline button on themaster Routing Engine causes lots

of packets to be lost even though GRES/NSR is configured. FPC gets rebooted after

the Routing Engine switchover, which also causes traffic loss. PR1034164

• For multichassis link aggregation groups (MC-LAGs) running in active-active mode

with back-to-back square topology, when the Inter-chassis Control Protocol (ICCP)

is broken between any MC-LAG devices, the non-preferred device reverts to its own

local system ID. However, its Link Aggregation Control Protocol (LACP) partner on the

remote side does not remove the flap link from the AE bundle and it remains UP. This

might cause a network-wide loop resulting in traffic outage until manual intervention..

PR1061460

• Deactivating/activating logical interfacesmight causeBGPsession flappingwhenBGP

is using VRRPVIP as source address. This is caused by a timing issue between dcd and

the VRRP overlay file. When dcd reads the overlay file, it is not the updated one or the

one to be updated. This results in error and dcd stops parsing the VRRP overlay file.

PR1089576

• DCD generates a core file at /src/junos/sbin/dcd/infra/lag-link-dist/lag_link_dist_db.c

PR1105235

• In an L2TP subscriber management condition with LTS/LNS configured or when a

heapmemory violation occurs, the jpppd crashes and generates a core file. PR1140981

• Two issues may occurs in PPPoE/PPP subscriber management environment.

• PPPdaemon issue:whenPPPdaemonrestarts/crashes, theremightbe inconsistency

between interface state and SDB (the SDB entry for the IFL is incorrectly removed),

which results in stranded IFL.


Known Issues











• PPPoE daemon issue: when PPP daemon issue occurs, the PPPoE Active Discovery

Initiation (PADI) may get dropped due to stale "duplicate-protection" state in the

stranded IFL, which result in PPPoE subscriber login failure if the PPPoE subscribers

are actively logging in. PR1179931

J-Web

• When you open a J-Web interface session using HTTPS, enter a username and a

password, and thenclick theLoginbutton, the J-Web interface takes20seconds longer

to launch and load the Dashboard page than it does if you use HTTP. PR549934

• When the J-Web interface is launchedusingHTTPS, the time shown in theViewEvents

page (Monitor >Events And Alarms > View Events) differs from the actual time in the

switch. As a workaround, set the correct time in the box after the J-Web interface is

launched. PR558556

Layer 2 Ethernet Services

• Bridge domainmac-table does not update when arp is recieved formac on a different

interface. PR1088083

• There is a bug in code of handling the redistribution of periodic packet

management(PPM). Transmit and Adjacency entries for LACP, when the Interface

entry is inpendingdistribution state. This issuemight causeppmdtocrashafter graceful

Routing Engine switchover. PR1116741

• IPv4 and IPv6 long Virtual Router Redundancy Protocol (VRRP) convergence delay

andunexpectedpacket lossmighthappenwhenMACmove for the IRB interfaceoccurs

(for example, when flap occurs on Layer 2 interface, which is the underlying interface

of IRB onmaster VRRP). PR1116757

• For Routing Engine generated packets with VLAN tag, if the outgoing interface is an

LT interface, the VLAN tagwill not be removed even the LT interface is configuredwith

untagged encapsulation. PR1118540

• If a client sends a DHCP Request packet, and Option 55 includes PAD option (0), a

DHCP ACKwill not be sent back to the client. PR1201413

Layer 2 Features

• In a high-scale VPLS configuration,modification of a tunnel interface through a restart

or reconfiguration might cause the Packet Forwarding Engine to access an invalid

interface, resulting inminor packet loss and logging of packet processing engine traps.

Existing traffic flows on the Packet Forwarding Engine are not affected. The router

recovers quickly and normal operation resumeswith the new configuration. PR976972

• The rpdmight crash while trying to get the VPLS instance from the VPLS interface. In

a rare scenario, when the interface has *DELETED as well as a VCIFUK* flag, that

means the interface is still in the kernel update queue. As a result, it is still not

completely wiped out, but the instance pointer is already reset to NULL. However, due

to an assertion that insists that the instance pointer must NOT be NULL value, the rpd

crashes. PR1048737













• When "input-vlan-map" with "push" operation is enabled for dual-tagged interfaces

in "enhanced-ip" mode, the broadcast, unknown unicast, andmulticast (BUM) traffic

might be silently dropped or discarded on some of the child interfaces of the egress

Aggregated Ethernet (AE) interfaces or on some of the equal-cost multi path (ECMP)

core links. PR1078617

• When configuring the ecmp-alb configuration statement to enable adaptive load

balancing for equal-cost multipath (ECMP) next hops, the VPLS broadcast, unknown

unicast, andmulticast (BUM) trafficmightbedroppedon theegressPacketForwarding

Engine when ingress/egress interfaces are distributed to more than one Packet

Forwarding Engine. As a workaround, you can disable ecmp-alb to avoid this issue.

PR1142869

Multiprotocol Label Switching (MPLS)

• Given a point-to-multipoint branch label-switched path (LSP), the value of

jnxMplsTeP2mpTunnelTotalUpTime is reported incorrectly after a new instance of

the branch LSP is re-signaled at the ingress. PR543855

• When a firewall filter is set on Bidirectional Forwarding Detection (BFD) remote side

egress direction to block the incoming packet in local router point of view, and then

after the firewall filter is deleted, the BFD session might get stuck in "Init" state and

the remote state is "Down". PR860951

• Currently configuration of both fast-reroute and link-protection/node-link-protection

on a single LSP are allowed. However, when you configure both types of protection on

the LSPs, it might cause scaling issues in your network. As a workaround, you should

restrict the configuration toeither fast-rerouteor link/node-linkprotectiononaper-LSP

basis. PR860960

• When an LDP-enabled router receives a LDP label mappingmessage that includes an

unknown type, length, andvalue (TLV)withunknownand forwardbit set, theunknown

TLVwill be re-advertisedalongwith the LDPmessage to the upstream label-switching

router (LSR). . However, due to amerge issue, Junos OS appends these unknown TLVs

multiple times during construction of the label mapping message and will have a

unknown TLV(0x0000) with length 0 among the appended unknown TLVs, causing

LDP session flap on the peer. PR1037917

• Whenusingmplstraffic-engineeringbgp-igp-both-ribswithLDPandRSVPbothenabled,

Constrained Shortest Path First (CSPF) for interdomain RSVP LSPs cannot find the

exit area border router (ABR) when there are two or more such ABRs. This causes

interdomain RSVP LSPs to break. RSVP LSPs within the same area are not affected.

As a workaround, you can either run RSVP only on OSPF ABR or ISIS L1/L2 routers and

switch RSVP off on other OSPF area 0/ISIS L2 routers, or you can only use RSVP and

not use LDP at all. PR1048560

• When an LSP is link-protected and has no-local-reversion configured, if the primary

link (link1) is down and LSP on bypass (link2), then another link (link3) is brought up,

before the LSP switch to link3. If link1 is enabled and link3 is disabled, the LSP will get

stuck in bypass LSP forever. This is a timing issue. PR1091774

• The traffic might be dropped for a hashing issue to the choice egress aggregated

Ethernet(AE) member port when there is a unilist of integrated routing and bridging


Known Issues









(IRB) interfaces that have underlying interfaces aggregates and label-switched

interfaces (LSIs).PR1112205

• During theLSPswitchover, theHighestWatermarkBWmightget set toanunexpectedly

high value. The issue happens because of an incorrect reference point taken while

calculating the Max avg BW in the last interval, and this results in an incorrect Highest

Watermark BW in the autobandwidth stats. PR1118573

• After the Packet Forwarding Engine restarts, benign error messages are generated.

These can be ignored.PR1136033

• Static MPLS LSP using the VT interface as a outgoing interface would not come up.

PR1151737

• If RSVP link-protection optimize-timer is enabled, rpdmemory might leak in "TED

cross-connect" when a bypass LSP is being optimized. PR1198775

• With two Routing Engines and ldp export policy or l2-smart-policy configured, rpd on

the backup Routing Engine might crash when ldp is trying to delete a filtered label

binding. PR1211194


• When sessions are coming at a high rate, a fewof the syslogs are not logged.PR868812

• In one scenario, the Packet Forwarding Engine is not able to keep up with full stats

requests from the Packet Forwarding Engine process (pfed). . Because of this delay,

pfed runs out of transfer credits to send stats request to thePacket Forwarding Engine.

It starts returning full stats requests with error response to mib2d with ifl-info flag set

to LSSTATSandapayload filledwith value zero. In this case,mib2d treats the returned

0 filled stats value as correct stats and returns the 0 values. This causes a spike in

delta value calculated by the side script. PR1010534

• On rare occasions, the event processing process (eventd) crashes and generates a

core file when it receives a new signal while it is processing another signal. The eventd

process uses the event library for signal handling. The crash is caused by a race

condition/ synchronization issue in the event library while handling signals. The event

library is not signal safe and thus is vulnerable to such issues. The eventd process

handles different kinds of signals (through signal handlers): SIGHUP (on commit),

SIGTERM (on killing eventd), SIGCHLD (on termination of event script execution), and

SIGUSR1 & SIGUSR2 (on log rotation). If one signal handler is preempted by another

signal-handler, WaitList structures are adversely affected, resulting in generation of a

core file. PR1122877

• In a certain MIB view configurations specific MIB OID instances are excluded from the

MIBview. In this scenario,whenanSNMPbulk-get request ismade that coversadjacent

MIB objects (at the end of the MIB view), the responsemight bemalformed and get

dropped at snmpd. PR1126432














• The show route forwarding-table command only displays <= 16 ecmp pathswhen CBF

is used. PR832999

• In a scaled environment with Bidirectional Forwarding Detection (BFD), addition or

deletion of member links to the existing aggregated Ethernet bundle causes the BFD

session to flap. PR838584

• When scripts are synchronized from one Routing Engine to the other, the destination

for the scripts in the other Routing Engine should be based on the configuration on the

otherRoutingEngine.An issueprevents this fromhappeninganddestination for scripts

depends on the current Routing Engine fromwhich the scripts were synchronized

instead of the configuration on the other Routing Engine. PR841087

• Inline J-Flow PPS rate is not at the line rate for 100G line cards. The following

performance numbers are for Junos OS Release 13.2 and later (numbers are the same

as for Release 12.3): Packet Size 64B 256B 400B 1500B Hyperion(mpps) 59.0 45.3

29.78.2Snorkel (mpps)29.7 29.322.86.3Line rate(mpps) 148.845.329.78.2PR875601

• In scaled scenario with a large number of probes (around 500), some intermittent

spikes around 500 to 1500 usec (the normal range should be 100-300 usec) in Round

Trip Time (RTT) are seen. The overall average RTTmeasurement is not deviated by

much as, though, because these are not seen regularly.PR892973

• Duringcommit, the followingerrormessagemightbeobserved in syslog:auditd[2303]:

%DAEMON-3-AUDITD_RADIUS_AV_ERROR:Unabletocreatecommandrecord:Attribute

too long. This error can occur in the older releases when the Radius AVmessage size

of 248 is exceeded. PR897295

• Router directly connected to multicast source fails to send all the source traffic sent

at line rate toward the down stream interface whenmore than 60MLDmembers are

connected, and MLD sessions flap. PR944001

• In some corner scenarios, when Bidirectional Forwarding Detection (BFD) and host

fast reroute (HFRR) are configured on the same interface, after a link flap for the

protected interface, the BFD session cannot come up because of the HFRR selecting

the backup path to transit traffic, and the HFRR primary path can not be selected due

to BFD session is down. PR951656

• A defect in Layer 3 VPNMake Before Break code results in freeing memory

corresponding to old next hops that is being used by the egress Packet Forwarding

Engine. This results in memory corruption. PR971821

• In the dual Routing Engines scenario with NSR configuration, the configuration

statement groups re0 interfaces fxp0 unit 0 is configured. If you disable interface fxp0,

the backup Routing Engine is unable to proceed with commit processing because of

SIGHUP isnot received, and the rpdprocesson thebackupRoutingEnginemight crash.

PR974430

• XML traceroute does not display as-numbers. PR988727

• GRES does not clear system login to the original master-only fxp0 addresses causing

stale login sessions. PR991029


Known Issues













• The IFD rate is calculated as the sum of the rates of all logical interfaces on top of that

physical interface. Logical interface rates are expressed in integral number of packets

per second; that is, the exact traffic rate is truncated to the nearest integral value. The

lower the traffic rate, the higher the percentage of error between the actual and

displayed rate.While this error is insignificantwhenpresenting the rate for an individual

logical interface, it ismultipliedwhen rates of individual logical interfaces are summed

up to calculate the physical interface rate. This might lead to reporting lower physical

interface traffic rate than the actual rate of the traffic being received or sent on the

interface under a low bandwidth utilization condition. PR992976

• Rate-limit value does not match between Routing Engine and Packet Forwarding

Engine. PR1023809

• Occasionally, while performing Multiple GRES and SDG switchovers for long duration,

the backupRouting Enginewill not be in syncwith themaster Routing Engine and thus

is not ready to take the mastership during Routing Engine Failover. PR1037985

• IPv6packet loss occurs and traffic degradesasa result ofMXSeries havinga restrictive

rate limit on ICMPv6 packet too big. PR1042699

• Once theTrafficOffloadEngine thread is stalledbecauseofmemoryerrorat the lookup

chip, all statistics collection from the interfaces hosted by this Packet Forwarding

Engine are not updated anymore. PR1051076

• In configurationswith IRB interfaces, during times of interface deletion, such as an FPC

reboot, the Packet Forwarding Engine might log errors such as

nh_ucast_change:291Referenced l2ifl not found. This condition shouldbe transient,with

the system reconverging on the expected state. PR1054798

• OnMX Series routers with frame-relay (FR) CCC to connect FR passport devices, if

someof the FR circuits carry trafficwithout any valid FR encapsulations, theMXSeries

based Packet Forwarding Engine drops those frames. PR1059992

• If a RADIUS server is configured as accounting server, when it is not reachable, the

auditd processmight become overloaded, sending a huge number of audit logs to the

server and then crashing. PR1062016

• WithVLANmanipulationconfigured for EthernetServices, incorrect frame lengthmight

be used for egress policing on MX Series with MPCs/MICs based line cards. Currently,

the frame length calculation is inconsistent for different traffic topology. When traffic

crosses the fabric, the frame length prior to output VLANmanipulation is used. With

local traffic, the frame length prior to input VLANmanipulation is used. However, the

length after output VLANmanipulation should always be used. PR1064496

• When deleting some uncommitted configuration on the active Routing Engine, the rpd

process on the backup Routing Engine might restart due to Unable to proceedwith

commit processing due to SIGHUP not received. Restarting to recover. PR1075089

• Fragmenting a special host outbound IP packet with an invalid IP header length (IP

header length is greater than actual memory buffer packet header length) can trigger

NULLmbufaccessinganddereferencing,whichmight lead toakernel panic.PR1102044

• JunosOSconfigurationdatabasecorruptionoccurs, resulting in two<junos comment>

entries under the [interfaces] stanza. PR1102086















• The following fields have been added to v10 Sampling (IPFIX) template and data

packets: - SAMPLING RATE - SAMPLING INACTIVE TIMEOUT - SAMPLING ACTIVE

TIMEOUT - TOTAL PACKETS EXPORTED - TOTAL FLOWS EXPORTED. PR1103251

• Output between VTY commands show jnh 0 pool and show jnh 0 pool usage differs

for internal JNHmemory usage. PR1103660

• On ungraceful exit of telnet (quit/shell logout), perm and env files created by pam are

not deleted. PR1142436

• If one logging user is a remote TACACS/RADIUS user, this remote user will bemapped

to a local user on the device. For permissions authorization of flow-tap operations,

when permissions are set on the local device without being set on the remote server,

they cannot work correctly. The flow-tap operations are as follows:

flow-tap -- Can view flow-tap configuration flow-tap-control -- Canmodify flow-tap

configuration flow-tap-operation -- Can tap flows PR1159832

Routing Protocols

• The route distinguisher ID configured in routing-options should not overlap with the

explicitly configured route distinguisher under the routing instance. As a workaround,

ensure that overlap does not happen by other means as well (for example, the same

route distinguisher ID configured at multiple routers). PR529339

• RPD running on the backup Routing Engine might generate core files when a router is

configured for NSR with an inter-AS BGP-signaled L2VPN/VPLS and the router is

functioning as a provider edge (PE) router. The problem is only observed in a highly

scaled setupwith hundreds or thousands of configured L2VPN/VPLS instances. There

is no impact to the master Routing Engine. PR710075

• The routingprotocoldaemon(rpd)mightgenerateacore file inmulticast environment.

This issue is caused by an internal logic error. When a PIM (S,G) state is deleted, the

code should stop processing the (S,G) but it does not. PR785073

• BFD triggered local-repair(RLI9007) is not initiating immediately on receiving a BFD

DOWN packet when the peer has detected the BFD session as down through control

expiry. PR825283

• In rare cases, rpdmight generate a core file with signature "rt_notbest_sanity: Path

selection failure on ..." The core is 'soft'. There should be no impact to traffic or routing

protocols. PR946415

• The rpd process will crash and generate a core file because of an ASPATH check error

when RIB groups are added before VRF.PR959962

• A bug in the code path for show route resolution causes an extra decrement of the

refcount in the show handling. This was causing an early free of some shared object

and a crash. PR995170

• When BGP IPv6 peers are flapping in a scaling setup, rpdmight crash on the backup

Routing Engine because of the BGP standby outbuffer size limit. PR1006185


Known Issues













• Scaled configurations toggling from 64-bit to 32-bit rpd at the same time that Rosen

MVPN routing instances are deleted can result in a kernel core file being generated on

the backup Routing Engine. PR1022847

• When configuring the router in RRmode (cluster-id or option BMP-eBGPpeering), the

advertise-external feature is not applicable in local VRFs because of a difference in

the routeselection/advertisementprocess (mainbgp.l3vpn.0vsVRF.inet.0).PR1023693

• The static/static access routes pointing to an unnumbered interface are getting added

in the routing table even if the interface is down. In this case, if graceful Routing Engine

switchover (GRES) is disabled, this type of route will never be added in the routing

table after Routing Engine switchover. PR1064331

• BFD sessions configured with authentication of algorithm keyed-sha1 and keyed-md5

might flap occasionally because of FPC internal clock skew. PR1113744

• JunosOSexhibits twodifferentnext-hopadvertisementbehaviors forMP_REACH_NLRI

on amulti-hop eBGP session, based on whether it is loopback peering or physical

interface peering. When the routers are peering on their loopback, only the global IP

of the interface (lo0) is advertised, whereas when the routers are peering through the

physical interface, both global and link-local address are advertised as the NHs.

PR1115097

• When the BGP speaker has multiple peers configured in a BGP group and it receives

the route from a peer and re-advertises route to another peer within the same group,

MIB object "jnxBgpM2PrefixOutPrefixes" to the peers in the same group reports the

totalnumberofadvertisedprefixes in thegroup.MIBvalue"jnxBgpM2PrefixOutPrefixes"

is defined as a per-peer basis but it looks as if it is a per-group basis. As a workaround,

youcanget thenumberofadvertisedprefixes fromtheCLI command showbgpneighbor

instead. PR1116382

• Whenmultiple addresses are configured on an interface, if the interface has

interface-type p2pconfigured under OSPF and the router does not receive any OSPF

packets from one of the IFAs, the OSPF state will not go down for the corresponding

adjacency. It should have no impact on route learning, but it might cause confusion for

troubleshooting, when peering with Cisco devices, which havemultiple addresses

configured as secondary addresses. PR1119685

• A few seconds of traffic loss is seen on some of the flows when the PE-CE interface

comesupand thePEdevice starts learning 70,000 IPv4prefixesand400 IPv6prefixes

from the CE device during Layer 3 VPN convergence. PR1130154

• In a multicast environment, when the rendezvous point (RP) is a first-hop router, and

it has Multicast Source Discovery Protocol (MSDP) peers, when the rpf interface on

the RP changes to the MSDP facing interface, because of the multicast traffic is still

on the old rpf interface, a multicast discard route is installed and traffic loss is seen.

PR1130238

• The log message "WARNING: no suitable primes in /etc/ssh/primes" is generated

when you log in to the router using SSH2. Thesemessages are generated each time

you log in to the router through SSH2 using SecureCRT. PR1146516













• The generate route does not inherit the next hop from the contributing route in Layer

3 VPNwhen the contributing route is learned throughMP-BGP. The next-hop remains

rejected for the generated route. PR1149970

• In a non-multicast virtual private network (MVPN) scenario, PIM bootstrapmessages

should not go out of interface if there is no PIM Nbr on the interface. In an MVPN

scenario, even if PIM Nbrs is down, the bootstrapmessage is still be able to send out.

However,withMVPNconfiguration,whenPIMNbrs isdown, thebootstrapexport policy

does work. This is not expected. PR1173607

• The VRF-related routes that are leaked to the global inet.0 table and advertised by

the access routers are not being advertised to global inet.0 table on the core file.

PR1200883

• In aBGPscenariowith inet-mdt family configuredunder protocols BGP, the route table

<NAME>.mdt.0 might get deleted if it has no routes. As a result, rpd might crash on

thebackupRoutingEngine, andBGPsessionsmight flapon themasterRoutingEngine.

PR1207988

• In the context of a large number of configured VPNs, routes changing in the midst of

a bgp path-selection configuration change can sometimes lead to an rpd core. This

core file has been seenwith the removal of the always-compare-med option.PR1213131


• In an ipsec-vpn scenario, if backup-remote-gateway under the [set services ipsec-vpn

rule term then] hierarchy is configured, when the Internet Key Exchange (IKE) security

association (SA) negotiation for the primary remote-gateway fails, the IKE tunnel

failover might not be initiated. As a result, the IKE tunnels are not establishedwith any

router. PR849758

• The kmd gets started on the backup Routing Engine and fails to connect to pic & add

manual SA to kernel, because kmd logs ERRORmessages to syslog/kmd logs. This

will not affect any IPsec functionality, and occurs only on T Series routers. PR854975

• TheSIPALGdoesnot recognize or translate the rare 'rtcp' attribute in theSDPpayload.

As a consequence nonsequential RTP and RTCP ports are not supported. The RTP

flow is unaffected,generation of an rpd core file. PR880738

• Performancedegradationof8percent is observedon themaximumpacketper second

supported of J-Flow records exported. PR949965

• Performancedegradationof8percent is observedon themaximumpacketper second

supported of J-Flow records exported. PR950101

• In the NAT environment, the jnxNatSrcPoolName object identifier (OID) is not

implemented in the jnxSrcNatStatsTable. PR1039112


Known Issues













• Performance is considerably slower for users who have permissions controlled by

Juniper-Allow-Commands and/or Juniper-Deny-Commands expressions and have

complex regularexpressionsconfiguredunder thesesamecommands.Asaworkaround,

define the expressions in the allow-configuration and deny-configuration commands

in a restrictive manner. [PR/63248] PR63248

• On the J-Web interface, Configure > Routing> OSPF> Add> Interface Tab shows only

the following three interfaces by default: - pfh-0/0/0.16383 - lo0.0 - lo0.16385. As a

workaround, you can configure the desired interfaces to associated ospf area-range,

by performing the following operation using the CLI: - set protocols ospf area 10.1.2.5

area-range 12.25.0.0/16 - set protocols ospf area 10.1.2.5 interface fe-0/3/1 . PR814171

• OnHTTPS service, J-Web is not launching the chassis viewer page on Internet Explorer

7. PR819717

• Onthe J-Web interface, forConfigure>CLI tools>Pointandclick>System>Advanced

> Deletion of saved core, the No option is not available. clitools->point and

click->system->advanced->deletion of saved core. PR888714

• For routers with multiple Routing Engines and "commit synchronize" configured, the

CLI might get stuck after the commit command is issued simultaneously from both

Routing Engines. PR937960

• When you enter the "restart r" incomplete command in the CLI, the command "restart

routing" is executed. An error message like the following should be seen: “error: invalid

daemon: r". PR1075746

VPNs

• In a next-generation MVPN scenario with multiple source PE routers for the same

group, if an inactive source PE router has local receivers, the routing protocol process

(rpd) on the device might causemulticast traffic loss and continuous IFF-MISMATCH

error. PR1009215

• In a BGPMVPN scenario, an MSDP timeout on the PE router might occur, causing the

source to be removed even if it is local. This will cause type-5 flaps and traffic loss of

30 to 40 seconds. The issue shows up in a scaling MSDP configuration where the KA

timer periodically expireswith aCEdevice (not aPEdevice) actingas rendezvouspoint

(RP). The fix has been provided to add a check for local source (even if not local RP)

before withdrawing the type-5 route. PR1011124

• In next-generation MVPN spt-only mode with a PE router acting as the rendezvous

point (RP), if there are only local receivers, the unnecessary multicast traffic

continuously goes to this RP and is dropped though it is not in the shortest-path tree

(SPT) path from source to receiver. PR1087948

• In amultihomedsource topology innext-generationMVPN(applicable toboth inter-AS

and intra-AS scenario), there are two problems: The first problem is Multicast (S, G)

signaling does not followRPF.When the routing table (mvpninstancename.inet0) has

two routes, because of the policy configuration, the best route to the source is through

the MPLS core, but Multicast (S, G) PIM join and NG-MVPN Type 7 both point to an












inactive route bymeans of local BGP peer. The second problem iswhen "clear pim join

instance NG" is entered, the multicast forwarding entries are wiped out. PR1099720

• Under certain conditions the l2circuit iw0 stitching is not programmed correctly. This

is due to a bug in the Junos OS code. PR1212429









Resolved Issues

This section lists the issues fixed in the Junos OSmain release and themaintenance

releases.













Resolved Issues






• In rare cases, CoS-related queue stats polling with multiple object identifier (OID)

packing or multiple SNMP client polling on the same interface simultaneously can

cause the CoS process (cosd) to generate a core file and restart. However, cosd restart

does not impact any CoS services. PR1199687


• Whenthesampledprocess is running, it continuously reads the routingprotocolprocess

(rpd) update information andupdates the routes in its local storage . At the same time,

the sampled process exports the updated records to PIC after every periodic

rescheduling. If many routes are involved, affected, the sampled process might crash

because of memory corruption. PR1055686

• On FPC restart, if a timing condition occurs in which the filter for the sub-interface is

not received, FPCmight crash. This issue might be seen if the following conditions are

met: aggregated Ethernet sub-interface with firewall filters, FPC reboot (or new FPC

coming up), shared-bandwidth-policer or regular policers. PR1113915

• OnMXSeries routers, a change of policers or counters to an existing firewall filter using

physical-interface-filter or interface-specific configuration statements will not be

correctly detected by MIB2D. PR1157043

• In rare situation, if the forwarding-option is configured and the sampled process of the

device receives lotsofClassofServiceupdates (suchaschanging theCoSconfiguration

on interfaces five to seven times per hour), high CPU utilization of the sample process

(50 to 80 percent) might occur. PR1164665

• After upgrading by using unified ISSU, as mib2d initializes connections to FPC Packet

Forwarding Engines. It might start querying states from the Packet Forwarding Engine

when the connection is not ready yet. This failure causes the connection to reinitialize

again, formed a loop that can causememory and CPU cycle usage to grow. As a result,

mib2d crashes. PR1165136

• Even if packets do not match firewall filter conditions, wildcard mask firewall filter

might match any packets, for example: set firewall family inet filter TEST-filter term

TEST1 from destination-address 0.0.0.255/0.0.0.255 <<<<<< set firewall family inet

filter TEST-filter term TEST1 then count TEST1 set firewall family inet filter TEST-filter

termTEST1 thendiscard set firewall family inet filter TEST-filter termTEST2 then accept

. This is a discard filter for /24 prefix broadcast address. However itmight discard other

packets. PR1175782

• OnM7i/M10iwithCompact Forwarding EngineBoard (CFEB) installed, if you configure

"bandwidth-percent" for the firewall policer, use this policer in the firewall filter, and

then apply this firewall filter to an interface, the filter does not work. PR1202181











General Routing

• After deleting and reconfiguring a VRF instance or changing route-distinguisher in the

VRF instance while rpf-check is enabled, the rpd process might crash. The routing

protocols are impacted and traffic disruption will be seen because of loss of routing

information. This is a timing issue.PR911547

• EVPN type 3 IM route format is different in Junos OS Release 13.3 compared to other

releases. PR922066

• The routing protocol process (rpd) on the CPU can be high because of router

advertisement (RA)-configured interfaces with family inet6 down state. PR942133

• The rpdprocessmight crashbecauseof a timing issue that occurs after Routing Engine

switchover in configurations with LDP P2MP and nonstop-routing (NSR) is enabled.

PR956258

• Trivia Network Protocol(TNP) is designed for internal communication between the

router components. InMXSeriesVirtual-Chassis(VC) scenario, sending tnpingpackets

fromthemasterRoutingEngineofVCBackupchassis(VC-Bm) fromthemasterRouting

Engine of VCMaster chassis(VC-Mm) fails because of a replication panic on next-hop

indexallocation.Asa result, VC-Mbcrashoccurswith kernel andvmcore files.PR977445

• JunosOS runs pkid for certificate validation.Whenapeer device presents a self-signed

certificate as its end-entity certificate with its issuer namematching one of the valid

CA certificates enrolled in Junos OS, the peer certificate validation is skipped and the

peer certificate is treated as valid. This might allow an attacker to generate a specially

crafted self-signed certificate and bypass certificate validation. Refer to JSA10755 for

more information. PR1096758

• WhenDHCP subscribers are terminated at specific routing instances and the interface

stack is IP demux over VLAN-subinterface over the aggregated Ethernet interface,

there might be amemory leak in the kernel AE iffamily when subscribers log in or out.

PR1097824

• If nonstop active routing (NSR) is enabled and a TCP session is terminatedwhile there

is still data in the socket pending transmission, theMBUF (kernelmemory buffer) used

to store this data might not get deallocated properly. In order to hit this issue the TCP

session must use NSR active socket replication. If the system runs low on MBUF

memory, the kernelwill automatically throttle downmemory allocation on low-priority

applications and ultimately, if there is no MBUF left, the system could become

unresponsive because of its inability to serve I/O requests. PR1098001

• With ECMP-FRRenabled, after rebooting the FPC that is hosting someECMP links, the

ECMP-FRRmight not work. PR1101051

• OnMX Series platforms, in a rare condition, if the Packet Forwarding Engine sends the

wrong Packet Forwarding Engine ID to chassisd as part of a capability message, the

kernelmight crashandsomeFPCsmightbestuck in thepresent state.Hence the traffic

forwarding will be affected. This is a corner case; it is not reproduced consistently.

PR1108532

• OnMX240/480/960 Series routers with MS-DPC, in scenarios where you are running

BGP over IPsec and the BGP session has a BFD session tied to it, the BGP session is up


Resolved Issues











but the BFD session remains in INIT state. The issue might be seen with any service

configured with multi-hop BFD enabled. Traffic forwarding will not be affected.

PR1109660

• In a rare condition, after Routing Engine switchover, the MPC PICmight offline, and

some error messages might be seen. Occasionally, chassisd on the Routing Engine

continuously generate core files, making the unit unusable because none of interfaces

come up. The root cause of this issue is that after Routing Engine switchover, chassisd

fails to get proper status of the FPCs and generates core files because of to insufficient

IDEEPROM read times. PR1110590

• OnMX Series platforms, MS-MPC crashmight occur. The exact trigger of the issue is

unknown; normally, this issue might happen over long hours (for example, within a

week) of traffic run (for example, running HTTP/HTTPS/DNS/RTSP/TFP/FTP traffic

profile). Core files might indicate that the program terminated with signal 4, Illegal

instruction. PR1124466

• With IPv6 access route configured in dynamic profile, when the router receives an IPv6

SOLICITmessage that requests only prefix delegation but no IPv6 address, the access

route will not be installed successfully. PR1126006

• When Junos OS devices use the Link Layer Discovery Protocol (LLDP), the command

showlldpneighbordisplays thecontentsofPortID type, length, andvalue (TLV) received

from the peer in the field Port Info, and it could be the neighbor's port identifier or port

description. A Junos OS CLI configuration statement can select which interface-name

or SNMP ifIndex to generate for the PortID TLV. Therefore they should not be any

problem as long as two Junos OS devices are connected for LLDP. However, youmight

have an interoperability issue if another vendor device that canmap the configured

port description in thePortID TLV is used. In this case, JunosOSdisplays the neighbor's

PortDescriptionTLV in thePort info field, and if thepeer sets theport descriptionwhose

TLV length is longer than 33 bytes (included), Junos OS is not able to accept the LLDP

packets and discards the packets as errors. The PortID TLV is given as : "the port id tlv

length = port description field length + port id subtype(1B)". PR1126680

• OnM320/T320/T640withFPC 1/2/3and their enhancedversion (-E2/-E), inmulticast

scenario and the aggregated Ethernet (AE) interface is within multicast NH (for

example, AE interface is the downstream interface for a multicast flow), egress

multicast statistics are displayed incorrectly after flapping of AEmember links.

PR1126956

• If two redundant logical tunnel (rlt) sub-interfaces are configured in the same subnet

and in the same routing-instance, a sub-interface will be down (this is expected), but

if the sub-interface is removed from the routing-instance later, after disabling and

enabling the rlt interface, a sub-interface might remain in the down state unless you

remove the configuration of the rlt interface and then do a rollback. PR1127200

• A routing protocol process (rpd) crashmight be seen during deletion of address family

on an interface while reverse path forwarding (RPF) check is configured. PR1127856

• When software encounters an error configuring the optics type into the VSC8248PHY

retimer component of an MX Series MIC/PIC (typically done on SFP+module plugin),

this could lead to 100 percentFPCCPU utilization indefinitely. The followingMPCs and











MICs that are potentially affected: MPC3 + 10x10GE SFPPMIC MPC4 32XGEMPC4

2CGE+8XGE (10G interfaces only)MPC6+ 24x10GE (non-OTN) SFPPMICPR1130659

• Inascenariowith largernumberof subscriberswithdynamicprofiles thatuseexpression

evaluation for setting variables in a dynamic profile (an example follows), after doing

login/logout atmultiple times, theauthdprocessmight crashbecauseofmemory leak.

<sample> dynamic-profiles { xxx { variables { ratelimit_igmp equals

"$igmp-max-rate##'k'"; burst-size_igmp equals "round($igmp-max-rate *

$burst-factor)"; term-dyn_vod4u equals "ifNotZero($dynamic-prefix_vod-1,

'vod:dynamic-prefix-list:'##$fc_vod_up##'_'##$plp_vod_up)"; term-dyn_vod4dequals

"ifNotZero($dynamic-prefix_vod-1,

'vod:dynamic-prefix-list:'##$fc_vod_out##'_'##$plp_vod_out)"; term-acl_icc4uequals

"ifNotZero($local-acl_icc, 'icc:'##$local-acl_icc##':'##$fc_icc_up##'_'##$plp_icc_up)";

term-acl_icc4d equals "ifNotZero($local-acl_icc,

'icc:'##$local-acl_icc##':'##$fc_icc_out##'_'##$plp_icc_out)"; term-mc_v4d equals

"'mcast:'##$fc_mc_out##'_'##$plp_mc_out"; } } PR1103548

• Insufficient time to allow an MPC5/MPC6 card to lock on the clocking source during

FPC boot timemight cause the Major Alarm raised due to "PLL Error." PR1137577

• In the multicast network topology, whenmaking normal changes, such that paths are

added or deleted, the rpd leaks 8 bytes of memory per operation. The system logs

RLIMIT_DATAmessages similar to the following when thememory usage reaches 85

percent:: kernel:Process (2634,rpd) has exceeded85%ofRLIMIT_DATA: used3084524

KBMax 3145728 KB. PR1144197

• With a 100G CFP2 MIC installed in a MPC6E FPC, if the FPC fails to initialize the MIC,

it is very likely that the FPC will get into a boot loop. PR1148325

• When using type 5 FPCon the T4000platform, traffic going out of the interfacewhere

"source-class-usage output" is configured will be dropped if the Source Class Usage

(SCU) or Destination Class Usage (DCU) policy configuration is missing. This issue is

caused by incomplete configuration.PR1151503

• In sampling feature, certain scenarios force handling of the sampled packet at the

interrupt context, which might corrupt the BMEB packet context and lead to BMEB

FDB corruption. PR1156464

• OnMXSeriesplatformswithMPC2-NG/MPC3-NG/MPC3/MPC4/MPC5/MPC6installed,

in rare cases, TSTATE Parity error might occur. It can cause FPC to get stuck, but it will

not trigger the error-reporting infra (CMERROR). PR1156491

• On Junos OS Release 13.2R1 and later, Packet Forwarding Engine interfaces on MX

SerieswithMPCs/MICs based line cardsmight remain downafter performing "request

system reboot both-routing-engines" or "restart chassisd" several times. PR1157987

• On Junos OS devices with a GRE or IP-IP tunnel configured (that is, devices with a gr-

or ip- interface), a specifically crafted ICMP packet can cause a kernel panic resulting

in a denial of service condition. Knowledge of network specific information is required

to craft such an ICMP packet. Receipt of such a packet on any interface on the device

can cause a crash. PR1159454

• Software OS thread on the line card is doing a busy loop by reading the clock directly

from hardware. Sometimes it seems the thread is getting the wrong values from the


Resolved Issues











HW register and waiting forever in the busy loop. After the busy loop crosses a certain

time period, the line card crashes and reboots. This is a rare condition. PR1160452

• OnMX Series routers with enhanced queuing DPCs, there is a memory leak whenever

doingSNMPwalk toanyofCoS-relatedobject identifiers (OIDs)or issuing thecommand

show interfaces interface-set queue <interface-set-name>. PR1160642

• The Router Lifetime field is set to 0 in the first routing advertisement (RA) sent from

LNS back to the Point-to-Point Protocol over Ethernet (PPPoE) subscriber. PR1160821

• Reliability featureon theHighSpeedLink (HSL2)betweenXLandXMforMPC6Ecards

is not active. Once packets are dropped because of CRC error,XMCHIP DRD parcel

timeouts are triggered and packet forwarding is compromised. MPC reboot is needed

to recover from this condition. Only MPC6E card is exposed to this issue. PR1161194

• OnMX Series router with services PIC (MS-DPC/MS-MPC/MS-MIC), the ICMP time

exceedederror packet is not generatedonan IPsec router on thedecap side.PR1163472

• When theMS-MIC orMS-MPC installed in anMXSeries router is processing traffic, and

the IPsec policy configuration is changed bymeans of adding or updating a policy,

mspmand process crashmight occur. PR1166642

• Class of Service process (cosd), routing protocol process (rpd), and device control

process (dcd) might generate core files in subscriber management deployment using

dynamic profiles and radius authentication. PR1168327

• The sample process continues logging events in the traceoption file after traceoption

isdeactivated. This issuecanoccur if there is noconfigurationunder forwarding-options

sampling but another configuration for the sample process is present (for example,

port-mirroring). PR1168666

• An ungraceful removal of an FPC can trigger fabric healing to begin. PR1169404

• Adding keyword fast-filter-lookup to existing filters of an input or output filter list may

result in failure to pass traffic. PR1170286

• If the no-cell-share configuration statement under the chassis stanza is activated on

MPC3, MPC4, MPC5, or MPC6 cards, the Packet Forwarding Engine will only be able

to forward about 62Gbps versus ~130Gbps causing fabric queue drops. PR1170805

• When using Periodic Packet Management process (PPMD, responsible for periodic

transmissionof packets onbehalf of its various clients) relatedprotocols (for example,

LFM, CFM, LACP, and BFD), during fabric or SIB online process, the client session that

establishes adjacencies with PPMD to receive/send periodic packets on those

adjacencies, (for example, LFM, CFM, and LACP) of PPMDmight flap because of CPU

over-utilization. PR1174043

• In a Virtual Tunnel (VT) tunnel environment with forwarding-class, if you use an

aggregated Ethernet (AE) interface to terminate subscribers on the box and the AE

interface has members on two different FPCs, the mirrored traffic does not go to the

correct forwarding class as expected. The issue is also seen when the terminate

SubscribersandVThosted interfaceareon twodifferentFPCs(non-AEcase).PR1174257
















• In amulticast scenario where there is PIM configured, if there are PIM assertmessages

sent or received or there is MVPN configured and NSR enabled, memory leak might

happen in rpd. PR1177125

• This is a display issue and does not affect functionality of the power, fixing has been

added to commands show chassis power and show chassis environment pem, when

one of the DC PEM circuit breakers are tripped. PR1177536

• On a dual Routing Engine system, if the master Routing Engine is running Junos OS

13.3R9/14.1R7/14.2R5/15.1R3/16.1R1 or later and the backup Routing Engine is running

Junos OS prior to 13.3R9/14.1R7/14.2R5/15.1R3/16.1R1, a major alarm is raised. This is

cosmetic and can be safely ignored. PR1177571

• OndualRoutingEngineplatforms, if interfacechangesoccuron theaggregateEthernet

(AE) interface that result in marking ARP routes as down on the AE (for example,

bringing down one of the member links), because of an interface state pending

operation issueonbackupRoutingEngine, in racecondition, thebackupRoutingEngine

might crash and reboot with an error message (panic:rnh_index_alloc: nhindex XXX

could not be allocated err=X). PR1179732

• In case of point-to-point interfaces and unnumbered interfaces, rpd crashmight be

seen in corner cases on configuration changes. PR1181332

• In an IPv6 environment, when you add a link local neigbor entry on the subscriber

interface thenaddanew lo0address, if youdelete thisneighborentryand thesubscriber

interface, thenext-hop info is not cleanedproperly. Asa result, rpdprocessmight crash.

The routing protocols are impacted and traffic disruption will be seen due to loss of

routing information. PR1185482

• In IPv6 environment with graceful Routing Engine switchover (GRES) enabled, when

a new prefix (global address) is added on the donor interface (in this case, loopback

interface), andGRES is performed, the ksyncdprocessmight crash because of a kernel

replication error. PR1186317

• OnMXSeries routers, a vulnerability in IPv6processing has beendiscovered thatmight

allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the

router rather than discarded. The crafted packet, destined to the router, will then be

processed by the Routing Engine. A malicious network-based packet flood, sourced

from beyond the local broadcast domain, can cause the Routing Engine CPU to spike,

or cause theDDoSprotectionARPprotocol grouppolicer toengage.When thishappens,

the DDoS policermay start dropping legitimate IPv6 neighbors as legitimate ND times

out. PR1188939

• OnMX Series with MPC3/MPC4/MPC5/MPC6, the VSC8248 firmware on the MPC

crashes occasionally. PR1192914

• OnMS-MPC and MS-MIC, the mspmand process generates a core file when an

encrypted packet is received out of the range of replay-window size. The issue might

occur in peak loadswhenencryptedpackets are receivedout of order becauseof drops

in the network. PR1200739

• Dynamic firewall filter programs incorrect match prefix on the Packet Forwarding

Engine. PR1204291


Resolved Issues












• False positive message "Host 1 failed tomount /var off HDD, emergency /var created"

is observed after both Routing Engines are upgraded. PR1207864

• Inline J-Flow - Sequence number in flow data template is always set to zero onMPC5E

and above line card type. PR1211520

• On T4000 routers, FPC Type 5 - 3D cards might experience an over-temperature

condition. This issue can occur because (1) chassisd process declares the

over-temperature condition and by default the router will shut down in 240 seconds

or (2) over-temperature SNMP trap (jnxOverTemp) is not sent to external

NMS.PR1213591

• If a zero-length interface name comes in the SDB database, on detection of a

zero-length memory allocation in the SDB database, a forced rpd crash is seen.

PR1215438


• When you configure "nonstop-routing" under one group and apply this group to the

[routing-options] hierarchy, sometimes nonstop active routing (NSR) does not work.

PR1168818

Infrastructure

• After configuration of em interface changed (such as configuring family inet or ip

address, but MTU is not changed) and system rebooting, the em interfacemay flap or

go down. It could cause Routing Engine and FEB connection failure. Under normal

circumstances, em interfaceshouldnot re-initializewhenMTU isnotchanged.PR983616

• The Remote NFS Server process (nfsd) is not terminated on the new backup Routing

Engine (RE) after Routing Engine switchover. As a result, it spawns a new one upon

Routing Engine switchover until running out of memory. PR1129631

• In scaling setup (in this case, there are 1000 VLANs, 1000 Bridge Domains, 120 IRB

interfaces, 120 VRRP instances, BGP and IGP), if the routing protocols are deactivated

and activated, there might be a chance that the pending route stats are not cleaned

up,whichwill cause the stats infra tohave stalepointers and lead tomemory corruption

in socket layers. The systemmight go to dbprompt because of this. All the traffic going

through the router will be dropped. PR1146720

• OnM/T/PTX platforms, the SNMP requests might return timeout if SNMP pollings on

IF-MIB and COS-MIB for the same ifl/ifd are requested at the same time. This is a

generic async stats infra issue in the kernel. On MX Series platform, the same issue

might not be seenbecauseSNMPpollings for ifl stats go throughpfed insteadof kernel

on MX Series platform. PR1149389

• With Junos OS Release 13.3 using Ericsson/Juniper EPG platforms, some session PIC

C-PICcardsmight experience some racecondition resulting in kernel vmcores, followed

by reboot (failover to spare C-PICs) caused by soft-update BSD enabled in some

partitions of the Routing-Engine. The Softdeps on freebsd is not used any longer in

freebsd6 where the fix includes disabling it on all Junos OS partitions. PR1174607














• Whenconfiguring theVirtual Router RedundancyProtocol (VRRP)onan interface that

is included in a routing-instance by applying groups setting, if changes aremade to the

interface, VRRP process (vrrpd) memory leak might be observed on the device.

PR1049007

• Due tomovement of SNMP stats model from synchronous requests to asynchronous

requests in Junos OS Release 13.3R1, the IQ2/IQ2E PIC, which has limitedmemory and

CPU power, cannot handle scaling SNMP polling at high rate (for example, a burst of

4800SNMPrequests). This issuecomeswithhigh rateSNMPstatspolling for IQ2/IQ2E

interfacesorAggregatedEthernet (AE) interfacewith IQ2/IQ2Easmember links. These

memory failures can cause IQ2/IQ2EPIC reboot because keepalivemessageswill also

not get memory. PR1136702

• When you poll SNMPMIBs for IPv6 traffic, for example, jnxIpv6IfInOctets, the logical

interface (IFL)on IQ2or IQ2EPICmightoccasionally report double statistics.PR1138493

• Starting from Junos OS Release 12.3R4, on dual-Routing Engine equipped M Series

routers, because of the mismatch of online status of the missing FRU (for example,

FPC or FEB that is not inserted, but is reported as online on backup Control Board),

error messages about the missing FRUmight be seen intermittently on the device.

PR1148869

• In affected releases, the followingcosmetic alarmsare seenafter reseating theclocking

cables: 2015-11-13 05:22:56 UTCMajor CB 0 External-A LOS 2015-11-13 05:22:56 UTC

Major CB 0 External-B LOS PR1152035

• jpppd core at SessionDatabase::getAttribute() from

Ppp::LinkInterfaceMsOper::getLowerInterfaceType(). PR1165543

• On

MIC_40XGE_RJ45/MIC_TAZ_48XGE_RJ45/MIC_20XGE_SFP_EMIC/MIC_20XGE_SFP_EHMIC,

MPCmight crash when the PHY link, which has autonegotiation capable, is up.

PR1166982

• On T1600 and T4000 Series routers, when hold-time for 100G interface is set or even

without hold-time configured, in the event of 100G interface shutdown, BFD flapping

and transit traffic loss might occur. PR1168536

• If an interface configured with VRRP is removed from a routing-instance to global, or

fromglobal to a routing-instance, the logical interfaces of that interfacewill be deleted

and re-created. In ideal cases as the interface gets deleted, VRRP should move to

bringup state; when the interface is created again, VRRP goes to previous state. After

this, VRRP should get VIP addition notification from the kernel and update VRRP state

and group ID for VIP. However, in race conditions, VRRPmight get VIP addition

notification from the kernel even before the interface creation event happens. If so,

VRRPwill never be able to update proper VRRP state and group ID. So the VIP will

reply for theARPwithan incorrectMACendingwith "00",while thecorrectMACshould

end with the group ID configured. PR1169808

• In an MX Series-Bras environment, when you try to remove a demux0 interface, the

dcd process might crash and a core file will be generated. PR1175254


Resolved Issues











• In the hsl2 toolkit, there is a process that periodically checks the ASICs that

communicate through it. Due to a bug in the toolkit code, the process used invalidates

the very ASIC that it used to process. As a result, a crash occurs. PR1180010

• Commit check might exit without providing correct error message and causing dcd

exit. The only known scenario to trigger this issue is to configure a IPv6 host address

with any other address on the same family. PR1180426

• When there is a configuration change about OAMCFM, cfmdmemory leak is observed

and sometimes also might trigger cfmd crash information. Following messages are

observed: /kernel: Process (44128,cfmd) has exceeded 85%of RLIMIT_DATA: used

378212 KBMax 393216 KB.PR1186694

• The jpppdmight crash and generate a core file because of a memory heap violation

associated with processing MLPPP request. PR1187558

• When VRRP is configured on IRB interface with scaling configuration (300,000 lines),

handles might not be released appropriately after use. As a result, memory leak on

vrrpdmight be seen after configuration commit. PR1208038

• In a PPP subscriber scenario, if the jpppd process receives a reply message attribute

from the RADIUS or tacplus server with a character of%, it might cause the jpppd

process to crash and cause the PPP user to be offline PR1216169

J-Web

• An information leak vulnerability in J-Webmight allow unauthenticated remote users

with network access to the J-Web service to gain administrative privileges or perform

certain administrative actions on the device. PR1114274

Layer 2 Features

• Input/Outputpps/bpsstatisticsmightnotbezeroafteramember linkof theaggregated

Ethernet (AE) interface with distributed ppmdwas down in M320/T

Series(GIMLET/STOLI based FPC). PR1132562

• In a VPLS scenario, when "$junos-underlying-interface-unit" is configured in the

[dynamic-profiles] hierarchy and then implemented in a routing-instance,

upgrade/commitwill fail with the following errormessage: Parseof thedynamicprofile

<dynamic-profile-name>) for the interface: $junos-interface-ifd-name and unit:

$junos-underlying-interface-unit failed. PR1147990

• From Junos OS Release 13.2R1 and later, the rpd process might crash when

adding/deleting virtual private LAN service (VPLS) neighbors in a single commit. For

example, a primary neighbor is changed to become the backup neighbor. PR1151497

• The "Node ID" information is not shown on MX Series platformwhen traceoption flag

"pdu" is configured to trace Ethernet ring protection switching (ERPS) PDU reception

and transmission. PR1157219

• During l2cpd restart, STP isnot receiving restart status.Hence l2cpd is taking thewrong

flowduringSTP initializationanewSTP index is allocated for instance "0", and instance

"0" is always set to "DISCARDING" status. This might lead to traffic loss. PR1176312















MPLS

• If a RSVP LSP has both a primary and a standby path and link-protection enabled, a

/32 bypass route is unhidden when the primary link goes down. This /32 route is

supposed to bemade hidden again when the primary link comes back up. But in some

cases, this /32 bypass route remains unhidden forever, which causes some issues (for

example, the BFD session down because a better prefix received from bypass LSP).

PR1115895

• When a point of local repair (PLR) is a non-Juniper router, Juniper ingress nodemight

stayon thebypass tunnel and ignore theConstrainedShortestPathFirst (CSPF) result.

PR1138252

• When a link fails on an RSVP LSP that has link-protection or node-link-protection

configured, the point of local repair (PLR) will initiate a bypass LSP and the RSVP LSP

will be tunneled on this bypass LSP. However, if now the bypass LSP is brought down

because there is a link failure on it, the PLRmight only send out a session_preemted

PathErr message to the upstream node without sending a ResvTear message. Hence

the ingress node does not receive a ResvTear message and the RSVP LSP is not

immediately torn down. The RSVP LSP will remain UP for more than 2minutes until

the RSB (Resv sate block) on the ingress's downstream node gets timed out and it

sends a ResvTear message to the ingress. PR1140177

• During FRR, Juniper MP does not send the label sub-object in the record route object

(RRO) for the backup LSPs. This issue is related to interoperability between

multivendors. PR1145627

• In an LDPP2MPscenariowithNSR, after performingmultiple iterations of FPC reloads,

protocol bounce, interface bounce, and GRES, rpd restarts in at random. In a rare

condition, the rpdprocessmight crash, inwhichcase the routingprotocolsare impacted

and traffic disruption will be seen due to loss of routing information. PR1148404

• When an L2VPN composite next-hop configuration statement is enabled along with

L2VPN control-word, end-to-end communication fails. This issue occurs control-word

is not inserted by the ingress provider edge (PE) device, but the other egress device

expects the control-word. PR1164584

• In an LDP-signaled VPLS environment, another vendor sends an AddressWithdraw

Message with FEC TLV but without MAC list TLV. The LDP expected that the Address

WithdrawMessagewith FEC TLV should always haveMAC list TLV. As such, it rejected

themessage and closed the LDP session. The following message can be seen when

this issue occurs: user@router> show logmessages |match TLV

RPD_LDP_SESSIONDOWN: LDP session xxx.xxx.xxx.xxx is down, reason: received bad

TLV. PR1168849

• In anMVPNscenario, if theactiveprimarypathgoesdown, then thepoint of local repair

(PLR) needs to send Label Withdraw for the old path and new Label Mapping for the

new path to the new upstream neighbor. In this case, the LDP P2MP pathmight stay

in "Inactive" state for an indefinite time if an LSR receives a Label Release, immediately

followed by a Label Mapping for the same P2MP LSP from the downstream neighbor.

PR1170847


Resolved Issues










• In rare cases, when themib2d process attempts connection with the snmpd process

and there are pending requests waiting to be finished, the mib2d process might crash

and theCPUutilization is high around the same timeas the crash happens.PR1076643

• The SNMP notify-filter object identifier (OID) does not treat wildcards properly. The

PR fixes theoutputofCLI commandwhensnmpnotify-filter is configuredwithwildcard

characters. Example Configuration: <sample> set snmp v3 notify-filter nf1 oid .1.*.6

include set snmp v3 notify-filter nf1 oid 1.2.3.4.5 mask 1.0.0.1.1 set snmp v3 notify-filter

nf1 oid 1.2.3.4.5 include OLD OUTPUT: root@R2_re0> show snmp v3 Local engine ID:

80 00 0a 4c 01 80 dd 8f 78 Engine boots: 33 Engine time: 9 seconds Maxmsg size:

65507 bytes Engine ID: local User Auth/Priv Storage Status abhinav none/none

nonvolatile active Group name Security Security Storage Status model name type

myGroup usmabhinav nonvolatile active Access control: GroupContext Security Read

Write Notify prefix model/level view view viewmyGroup usm/none iso iso iso SNMP

Target: AddressAddressPortParametersStorageStatusnamename type trapReceive

172.29.237.94 162 trapReceive nonvolatile active Parameters Security Security Notify

Storage Status name namemodel/level filter type trapReceiversP abhinav usm/none

nf1 nonvolatile active SNMP Notify: Notify Tag Type Storage Status name type n1

trapReceivers trap nonvolatile active Filter Subtree Filter Storage Status name type

type nf1 1.2.3.4.5 include nonvolatile active <<<<< Issue nf1 1.42.6 include nonvolatile

active <<<< Issue NEWOUTPUT: root@R2_re0> show snmp v3 Local engine ID: 80

00 0a 4c 01 80 dd 8f 78 Engine boots: 32 Engine time: 2850 seconds Maxmsg size:

65507 bytes Engine ID: local User Auth/Priv Storage Status abhinav none/none

nonvolatile active Group name Security Security Storage Status model name type

myGroup usmabhinav nonvolatile active Access control: GroupContext Security Read

Write Notify prefix model/level view view viewmyGroup usm/none iso iso iso SNMP

Target: AddressAddressPortParametersStorageStatusnamename type trapReceive

172.29.237.94 162 trapReceive nonvolatile active Parameters Security Security Notify

Storage Status name namemodel/level filter type trapReceiversP abhinav usm/none

nf1 nonvolatile active SNMP Notify: Notify Tag Type Storage Status name type n1

trapReceivers trap nonvolatile active Filter Subtree Filter Storage Status name type

type nf1 1.*.*.4.5 include nonvolatile active <<< Fixed nf1 1.*.6 include nonvolatile active

<<< Fixed PR1185143


• Error messages result from failed reads intended to locate failing memory locations

and repair. This thread only checks locations that have been initialized by the control

plane. It is not uncommon for this thread to encounter an error. This issue is also seen

due to a race condition that generates a syslog message with no impact. PR727569

• FPC generates a core file and reboots when show filter is executed in the Packet

ForwardingEngine inMSeries routers. The issue is not seenwith theForwardingEngine

Board (FEB). PR1032098

• OnMX Series with MPCs/MICs based line card with Junos OS Release 12.3R3 and

earlier, the system does not push the configured Tag Protocol ID (TPID) value (for

instance, 0x88a8) to the packets while sending out the packets. Instead it pushes







default TPID 0x8100. Thismight lead to traffic drop on the peer device if it is expecting

a particular TPID (for instance, 0x88a8) but it receives a different one. PR1059225

• Multiple privilege escalation vulnerabilities occur in Junos OS CLI (CVE-2016-4922).

Refer to https://kb.juniper.net/JSA10763 for more information. PR1061973

• In a hierarchical class of service (HCoS) environment,when the subscriber logout from

the reserved logical interface (ifl) includes the ".32767" unit (for example,

xe-x/x/x.32767), the CoS installation of the interface might get deleted on the Packet

Forwarding Engine. PR1077098

• Dynamic VLAN does not work correctly when it is terminated on the ps interface and

the IP demux inteface is terminated in a routing instance table. Because that IP Demux

lookup is not performed by the Packet Forwarding Engine, no arp-reply is sent to

subscribers and traffic loss occurs. PR1101042

• When you configure one groupwith a configuration of routing-instances and apply this

group under the routing-instances, the rpd process crashes after executing the

deactivating/activating routing-instances command. PR1109924

• With "fast-synchronize" configured, when you add a new configuration-group that has

configuration relevant to the rpd process and apply it and commit, then any

configuration commits might cause the rpd process on the backup Routing Engine to

crash. PR1122057

• On the MX Series platform, when offlining the line card (possibly with any of the line

cards listed here), "Major alarm"might be seen due toHSL (link between line card and

Packet Forwarding Engine) faults. This fault is non-fatal and does not cause service

impact. The line cards that might encounter the issue are: MS-MPC/MS-MIC

MIC-3D-8DS3-E3 MIC-3D-8CHDS3-E3-B MIC-3D-4OC3OC12-1OC48

MIC-3D-8OC3OC12-4OC48MIC-3D-4CHOC3-2CHOC12 MIC-3D-8CHOC3-4CHOC12

MIC-3D-1OC192-XFPMIC-3D-1CHOC48. PR1128592

• In MX Series , whenever the LU encounters an exception event while performing a

packet lookup, a text-based file is generated to record all the relevant information.

The trap file contains the data frame (including L2 header) in question. TTRACE is a

utility that enables you to stop an LU thread and to then trace its execution. For each

instruction that is executed, the internal state of the LU thread is retrieved. This tool

enables you to observe the execution of the forwarding lookup in detail. Auto-trace

feature is enabled by default on FPCs with an MX Series Packet Forwarding Engine.

Packet Processing Engine traps cause auto-trace to capture detailed information of

packets for future debugging. In some cases, that can keep the LU thread busy too

long and eventually might lead to awedge of the LU/XM or XL/XMPacket Forwarding

Engine complex and a restart of the respective FPC. This can happen if the

forwarding-lookup involves multicast replication with a large number of copies or

multicast replication with additional features like fragmentation or output firewall

filters. PR1139406

• In the MX Series with MPCs/MICs base linecard environment with inline sampling

service, after FPC reboot, in a rare condition, the traffic forwarding might get affected

because the PFEMAN SRRD thread continuously consumes high CPU in this case.

PR1141814


Resolved Issues










• When the CLI command show pfe statistics exceptions | match reject is executed,

CPROD thread in thePacket Forwarding Enginemight place excessive loadon theCPU

and result in FPC crash. PR1142823

• Receipt of a specifically crafted UDP packet destined to an interface IP address of a

Junos OS device with a 64-bit architecture might result in a kernel crash. This issue

only affects systems with a 64-bit architecture; 32-bit systems are unaffected by this

vulnerability. PR1142939

• When ARP is trying to receive a next-hopmessage whose size (for example, 73,900

bytes) is bigger than its entire socket receive buffer (65,536 bytes), the kernel might

crash, and the traffic forwarding might be affected. PR1145920

• On an MX Series platformwith MX Series based line card, inline 6rd with si interface

is deployed, if downlink traffic is over equal-cost multipath (ECMP) or aggregated

Ethernet (AE), some traffic might be dropped. PR1149280

• OnMX2000 Series, MPC4 going offline is seen when the Switch Fabric Board (SFB)

is offlined or removed. This could be caused by the buildup of CDR in application

detectionandcontrol (ADC),which leads to transientpacket lossor evengetting stuck.

PR1149677

• When theNTP server address is configured in the routing instance table and reachable

from inet.0 by static configuration (for example, by configuring

static/route/next-table/VRF.inet.0), and NTP source-address is configured, the ntpd

(the Network Time Protocol daemon running on NTP client) might pick the wrong

source-address instead of the configured source-address. As a result, the NTP server

cannot send the NTP packet back. PR1150005

• OnMX Series with MPCs/MICs platform, the FPC/MPCmight cause a black hole of

traffic for transient hardware error condition (LEM data error) in a private zone. The

following example shows error information on the private zone of FPC/MPC:

ppe_lmem_recover(2274) XL[0:0]_PPE 1 Excessive LMEMData errors require Zone 5

disable. Zone 5 is seen (which is nonzero). The Zones < 24 are by definition private

zones. PR1152026

• Duringaunified ISSUupgrade in theMXVCenvironment, linecardsmightcrash, causing

service impact. When the linecards come up, theremight be a next-hop programming

issue as a secondary impact and some logical interfaces might not pass

traffic.PR1152048

• OnMPCEType33D,MPC4E3D32XGE, orMPC4E3D2CGE+8XGE,when "inline-jflow"

with IPFIX is used, the IPFIX datagramswould contain overlapping sequence numbers

for the same Observation domain ID, where the Observation Domain field in exported

IPFIX datagrams are always using the value attributed for LU0. PR1152854

• The logs CHASSISD_READBACK_ERROR are reported on the backup Routing Engine

for the non-empty FPCs. PR1155823

• OnMX2000 series platform, when MPC goes down ungracefully, other MPCs in the

chassiswill experience "destination timeout". In this situation, automatic fabric-healing

will get triggered due to a "destination timeout" condition, which might cause

Fabric-Plane reset. All other MPCs to be restarted in some cases. PR1156069














• OnMX Series platform, when MPC experiences a FATAL error, it is reported to the

chassisd daemon. Based on the action that is defined for a FATAL error, the chassisd

will take subsequent action for the FATAL error. By default, the action for FATAL error

is to reset the MPC.When the MPC reports a FATAL error, chassisd will send an offline

message and will power off the MPC upon the ACK reception. However, if MPC is in

busy state for any reason, the ACK does not come in time and hence there would be

a delay in bringing down the MPC. PR1159742

• LU (or XL) and XM chip based linecard might go to wedge condition after receiving

corrupted packets, and this might cause linecard rebooting. PR1160079

• Because of a software bug on chassisd, backup Control Board (CB) temperature

information ismissingon theCLI command showchassisenvironmentcb if it is replaced

once. PR1163537

• The following logcanbeseenonMX2020after oneFPCwaspulledoutandcommitting

the configuration related interface: CHASSISD_UNSUPPORTED_FPC: FPCwith I2C ID

of 0x0 is not supported.PR1164512

• Modifying theconfigurationof ahierarchical policerwhen it is in usebymore than4000

subscribers on an FPC can cause the FPC to core and restart. PR1166123

• Because the sequence number in RPM ICMP-PING probes is introduced as 32-bit

variable instead of 16-bit, if it increases and reaches the maximum value of 65,535, it

doesnot roll over,whichmight causeall RPM ICMP-PINGprobes to fail andnot succeed

anymore. PR1168874

• Running a Packet Forwarding Engine command such as show sample-rr eg-table ipv4

entry ifl-index 1224 gateway 113.197.15.66 causes the MPC crash. PR1169370

• On all Junos OS platforms, when using the RADIUS server, after the RADIUS request

is successfully sent by the Junos OS device, if the network goes down suddenly, the

response sent by the RADIUS server is not received within the timeout period. In this

scenario, theRADIUS requestwill be sent againwithan invalid socketdescriptor,which

will lead toauditd (providesan intermediary for sendingaudit records toRADIUSand/or

TACACS+ servers) crash. PR1173018

• Because of an internal timer referring Time in Unix epoch (UNIX epoch January 1, 1970

00:00:00UTC) value gettingwrappedaround for every 49days, flowsmight get stuck

for more than the period of the active/inactive timeout period. The number of flows

that get stuck and how long they get stuck cannot be determined exactly; it depends

on the number of flows at the time. PR1173710

• The show arp commandmight not display complete results and reportserror: could

not find interface entry for given index. because some interfaces get deleted when the

show command running.PR1174150

• OnMX2020/2010, chassisd file rotation on commit check causes the trace file to get

stuck, and no other operational chassisd events are logged until chassisd restarts.

PR1177625

• If IGMP snooping is configured in a VPLS routing instance and the VPLS instance has

no active physical interfaces, multicast traffic arriving from the core might be send to


Resolved Issues












the Routing Engine. As a result, host queues might get congested and it might cause

protocol instability. PR1183382

• Rarely a VMCORE can occur caused by the process limit being breached by toomany

RSHD children processes being created. PR1193792

• After system startup or after PSM reset the PSM INP1 circuit Failure error message

might be seen. PR1203005


• When amalformed prefix is used to test policy (command test policy <policy-name>

<prefix>), and themalformed prefix has a dot symbol in the mask filed (for example,

x.x.x.x/.24), the rpd process might crash. PR1144161

• Starting with Junos OS Release 13.2R1, an attempt to commit a configuration with a

dangling conditional policy referring a nonexistent/inactive routing-instance will be

permitted. If you have a conditional policy referring to an active routing-instance,

deleting/deactivating this routing-instance and then committing will cause the rpd

process crash. PR1144766

Routing Protocols

• In some corner case scenarios, the execution of the show route commandmight lead

to illegal memory access within the rpd process, causing the rpd process to crash. The

routing protocols are impacted and traffic disruption will be seen because of loss of


• In the multicast environment with bidirectional PIM and graceful-restart, during

multicast traffic for the bidirectional rendezvous point (RP), if the rpd process is

restarted,PIMmight install thediscarded routeand traffic forwardingmightbeaffected.

PR1019560

• In a rare condition, the routing protocol daemon (rpd) might crash and create a core

file if there is internal BGP (IBGP) route churn while IBGPmultipath is configured and

there are multiple levels of IBGP next-hop recursion. PR1060133

• When route convergence occurred, the new gateway address is not updated correctly

in inline-JFlow route-record table (route-record table is used by sampling), and the

sampling traffic forwardingmightbeaffected,butnormal routingwouldbenotaffected.

PR1097408

• This issue is a regression defect introduced in JunosOSRelease 11.4R11, 12.1R10, 12.2R8,

12.3R6, 13.2R4, 13.3R2, 14.1R1. After upgrading to those releases containing the original

fix,when there is noexport policy configured for the forwarding table to select a specific

LSP, whenever routes are resolved over RSVP (for example, due to aggressive

auto-bandwidth), the resolverwill spendaconsiderableamountof timeon the resolver

tree, which contributes to the baseline increase in rpd/Routing Engine CPU. PR1110854

• IGMPv2 working in v2/v1 compatibility mode does not ignore v2 Leavemessages

received on a bridge-domain's L2 member interface. Moreover, an IGMP snooping

membership entry for the respective group at this L2 member interface will be timed

out immediately upon IGMPv2 Leave reception, evenwhen there are someother active













IGMP hosts attached to this L2member interface. It might breakmulticast forwarding

for this L2 member interface. PR1112354

• When two (or more) route target communities of MP-BGP route match to two (or

more) route target communities in the VRF import policy of a RI, duplicate routing

entries might be installed in the RI. In the output of show route table <RI-name>.inet.0

detail, two identical routing entries appear, with one beingmarked as 'Inactive reason:

Not Best in its group - No difference'. When such duplicate routing information is to be

deleted the rpd process will crash. PR1113319

• During many types of configuration changes, especially including import policy, BGP

has the need to reevaluate the routes it has learned from peers impacted by the

configuration change. This reevaluation involves rerunning the import policy to see if

there are any changes to the learned routes after applying the new policy. This work

is done in the background as part of an "Import Evaluation" job. When BGP is

reconfigured a second time, and the "Import Evaluation job" has not completed, it is

necessary to rerun the job from the beginning if there is another change to the policy

or a similar impact. This state is noted as "Import Evaluation Pending". However, in

this case, there was a bug that caused BGP to always enter the pending state upon

reconfiguration, regardlessofwhether relevantchangesweremade to importoranother

similarly impactful configuration. The result is that once it is necessary to start

reevaluation of the routes for a peer, even trivial configuration changes that happen

too quickly will cause the "Import Evaluation job" to need to run again as a result of

the "Pending" flag being set. PR1120190

• On Junos OS-based products, changes in routing-instance, like changing

route-distinguisher or routing-option changes, might lead to rpd crash. PR1134511

• OndualRoutingEngineplatformwithBidirectionalForwardingDetection(BFD)protocol

enabled, after graceful Routing Engine switchover (GRES), the periodic packet

management process (ppmd)might crash on the backup Routing Engine because of

a software defect. PR1138582

• When Protocol Independent Multicast (PIM) is used, in a very rare condition, if the last

hop router migrates from rendezvous point (RP), repeated routing protocol process

(rpd) crashmight occur due to patricia tree walk issue. PR1140230

• In MVPN scenario, deleting the MVPN configuration from the routing instance (for

example, delete routing-instances <instance-name> protocolsmvpn) might cause the

routing daemon on themaster Routing Engine to crash. The core files can be seen by

executing the CLI command show system core-dumps. PR1141265

• In the BGP labeled unicast environment, the secondary route is configured with both

add-path and advertise-external. If the best route and secondary route are changed

in a routing table at the same time, add-path might fail to readvertise the changed

route. The old route with the old label is still the last route advertised to one router,

instead of updating the advertisementwith the new route and new label. So the traffic

forwarding might be affected. PR1147126

• This core is seen because of incorrect accounting of refcount associated with the

memoryblock thatcomposes thenhid(IRBnh).Whenthe refcountprematurely reaches

0, thememory block was releasedwhile it was still referenced from a route. Youmight

see this issue whenmcsnoopd becomes a slow consumer of rtsock events generated


Resolved Issues









by rpd (next-hop events in the current case) andmessages get delivered in a

out-of-order sequence, causing the refcount to be incorrectly decremented. In the

testbed where the issue was reported, tracing was enabled for mcsnoopd (for logging

all events), causing it to become a slow consumer. However, it might become slow

because of other reasons such as processing a very high rate of IGMP snooping

reports/leaves, which could potentially trigger this issue. PR1153932

• OpenSSH client software supports an undocumented feature called roaming. If the

connection to an SSH server breaks unexpectedly, and if the server supports roaming

as well, the client is able to reconnect to the server and resume the suspended SSH

session. This functionality contains two vulnerabilities that can be exploited by a

malicious SSH server (or a trusted but compromised server): an information leak

(memory disclosure), and a buffer overflow (heap-based). PR1154016

• BGPMonitoringProtocol (BMP) feature is introduced in JunosOSRelease 13.3R1.When

BMP is configured in passive mode and the BMP session is closed ungracefully (for

example, No TCP FIN sent), in rare cases, the TCP session might not be cleaned up

properly and the rpd process crashmight be observed during the reestablishment of

the previous session. PR1154017

• In a dual Routing Engines scenario with NSR and PIM configuration, when the backup

Routing Engine handles mirror updates about PIM received from themaster Routing

Engine, it deletes the PIM session information from its database. However, because of

a software defect, a leak of 2 memory blocks (8 or 16 byte leaks) will occur for every

PIM leave. If the memory is exhausted, the rpd process might crash on the backup

Routing Engine. There is no impact seen on themaster Routing Engine when the rpd

generates a core file on the backup Routing Engine. PR1155778

• In a BGP scenario with a large number of routing-instances and BGP peers configured,

because of a software defect (a long thread issue), BGP slow convergencemight be

seen. For example, BGPmight godown8-9secondsafterBFDbringsdown theexternal

BGP (EBGP) session. The rpd slip usually does not hurt anything functionally, but if

the slip gets big enough, it could eventually cause tasks to not be done in time. For

example, BGP keepalives with lower than 90 seconds hold-timemight be impacted.

PR1157655

• When rib-group copy is done for a route change, the rib-group copy of the secondary

route into the destination tables of the copymight not honor maximum-prefixes in

some scenarios, such as upon damping changes. The traffic forwarding might be

affected. PR1157842

• In a BGP scenariowith independent domain enabled in a VRF,when configuring a BGP

session in a VRF routing instance with a wrong local-as number, some routes might

be declared as hidden because of an AS path loop. If you later configure the correct

AS number as local-as and committing the configuration, those routes might still

remain in hidden state. The hidden routes can be released after performing the

commands commit full or clear bgp table <ANY_VRF>.net.0. PR1165301

• On dual-Routing Engine platforms, with NSR enabled for PIM, when change on

reverse-path forwarding (RPF) unicast route occurs, a routing protocol process (rpd)

crashmight occur on backup Routing Engine. PR1174845











• When you have a route received from different external BGP (EBGP) neighbors, for

this specific route, if all BGP selection criteria is matching, you will end up using router

ID. Because this is an EBGP route, BGP will use the active route as the preferred one.

Now if this specific route flappedwith sequence fromthenonpreferred to thepreferred

path, rpd will run the path selection. During RPD path selection, a core file might be

generated. This issue has no operational impact. PR1180307

• In a Layer 3 VPN scenario, VPN routes with different next hops are advertised with the

same label, leading to PE-CE link protection failure and longer-than-expected traffic

loss (as reported 2.6 sec). PR1182777

• BGP routes are rejected as cluster ID loop prevention check fails caused by a

misconfiguration. However, when themisconfiguration is removed, BGP routes are not

refreshed. PR1211065


• SNMP Layer 2 Tunneling Protocol (L2TP) object identifier (OID)

jnxL2tpTunnelGroupStatsTotalSessions does not provide correct information. TheMX

Series router provides total sessions only associated with a remote ID for L2TP and

does not correctly reflect the total sessions associated with the L2TP tunnel group

when there are multiple remote IDs for L2TP tunnels. PR989386

• Whenmaking a configuration change to a EXP type rewrite-rule applied to a SONET

interface inanMXSeriesFPCType2orMXSeriesFPCType3, ifMS-DPC isalso installed

on the device, a MS-PIC core file may be generated. PR1137941

• When NAT for SIP is enabled, in a rare situation where the child SIP flow entries are

still present in theparent conversationwhile theyhavealreadybeendeleted, the service

PICmight crash if the SIP parent flow tries to access them. PR1140496

• OnMXSeriesplatform,whenusingMS-MPC, the "idpd_err.date" errormessage is filling

var/log. PR1151945

• When traffic is flowing through the MS-DPC card Service PIC and there is an active

port block and some ports are assigned from that active port block, if you change the

max-blocks-per-address setting to a lower value (lower than the current value), the

service line card might crash. PR1169314

• MS-PIC generates a core file when MPLS or IPV6 routing updates are received in the

PIC PR1170869

• WhenMS-PIC is running on T640/T1600/T4000, the number of maximum service

sets is incorrectly limited to 4,000, instead of 12,000. Thismight impact scaled service

(such as IPsec, IDS, NAT, and Stateful firewall filter) environments. PR1195088

• When configuring Network Address Translation (NAT) service, the service route is still

available in the route table even after the service interface is disabled. Any types of

service interfaces (except ams- interface) that support NATmight be affected.

PR1203147


Resolved Issues












Subscriber Access Management

• In a subscribermanagement environmentwith AAAauthentication, after a few rounds

of login/logout, some dynamic PPPoE subscribers might get stuck in configured

(AuthClntLogoutRespWait) state. PR1127823

• OnMX240/MX480/MX960/MX2010/MX2020, jdiameterd might generate a core file

if tx control elements are pushed out of order by the device itself. PR1153776

• Client IP address is not seen under the command test aaa ppp. PR1173389

• On EX2200/EX3300 Series switches configured with dhcp-local-server, if you bring

up a few (say 6 or more) or all interfaces that are under the [dhcp-local-server]

hierarchyat once, theauthdprocess continually generates core files, causing the switch

to get stuck and resulting in packet drop. PR1191446

• If RADIUS return Framed-route="0.0.0.0/0" to a subscriber terminated on a Junos OS

platform, this subscriber cannot log in because of an authentication error. PR1208637

• The session timeout for active PPPoE sessions has expired, but the subscribers are

still showing up. These sessions cannot be cleared using network-access or PPPoE

session commands. PR1230315


• The following warning is seen: Process: dfwd, path: <none>, statement: <none>,

pinned-page found for bucket 0xb416972c. Thiswarning is givenwhen the application

is done with the page pool and tries to find out if there were any pinned pages in

memory. PR1179264

• Commit fails with the error access has been revoked after automatic rollback because

of an unconfirmed commit. You can still make configuration changes however, the

subsequent commit failswitherror:accesshasbeenrevoked. After exitingconfiguration

mode, entering configuration mode using configure exclusive fails with error:

configuration databasemodified. PR1210942

VPNs

• Onadual Routing Engine platformwith BGP Layer 2 VPN (L2VPN) and nonstop active

routing (NSR) configured, the block label allocation and deletion for L2VPNmight be

out of order on the backup Routing Engine as following: <sample>Master rpd follows

thebelowsequeces (which is the correct order): AddPrefix P1 of Label L1 DeletePrefix1

of Label L1 Add Prefix P2 of Label L1 However, on backup rpd, it goes like this: Add

Prefix P1 of Label L1 Add Prefix P2 of Label L1 <====== Delete Prefix1 of Label

L1<sample>. In this situation, thebackup rpdcannotallocate the label L1 forP2because

L1 is already in use for P1, so it crashes. This occurs in scaling environment (10,000

L2VPN)where the routerhasmultipleBGPpeersanddifferentL2VPNrouting-instances

are deleted and added back. PR1104723

• In BGP VPLS environment, sometimes routes from BGPwith invalid next-hop related

information are received. In such scenarios, VPLS should treat them as bad routes and

not send them to rpd infra for route resolution. Because of a software defect, the bad

routes are passed to the route resolver, which might lead to rpd process crash. The












routing protocols are impacted and traffic disruption will be seen because of loss of




• ThisPRdoesoptimization inAESNMPhandling. If all the links inanAEbundlegodown,

then any COS SNMP query for this AE IFD/IFL will return cached values. PR1140440

• OnMX104platform,whenapplying the "rate-limit" and the "buffer-size" on the logical

tunnel (lt-) interface on themissing MIC (not insterted on MPC), commit failure with

error message would occur. As a workaround, this issue could be avoided by applying

the "rate-limit and "buffer-size" on inserted MIC, then commit. PR1142182


• When "shared-bandwidth-policer" is configuredwith aggregate Ethernet (AE), if there

are filters configured on the logical interface family (IFF) of the AE interface, the FPC

may crash upon rebooting (it also be seen when new FPC coming up) due to the fact

that the running thread is stuck at the association of the filter which is in the resolved

state (it happens when the filter has not yet come down to the Packet Forwarding

Engine whereas its association has already reached). It is a timing issue in the above

circumstance. However, it could be consistently reproduced whenmoving links from

one AE to another and then rebooting the FPC by scripts. As a workaround, if it is

possible, the administrator could disable all the filter configuration and then bring up

the line card. PR1113915

• OnMXSeriesplatformwithMX-FPC/DPC,M7/10iwithEnhance-FEB,M120,M320with

E3-FPC, when there are large sized IPv6 firewall filters(for example, use prefix lists

with 64k prefixes each) enabled, commit/commit check would fail and dfwd process

wouldcrashafter configurationcommit/commit check. There is nooperational impact.

PR1120633

• On all Junos OS platform, when both the filter and the policer are configured for an

interface, in rare cases, the policer templatemay not be received by Packet Forwarding

Engine (from the Routing Engine)when it is referenced by the filter term (normally the

policer template gets received before the filter term referencing it which is ensured by

mechanism in Routing Engine kernel). In this situation, the FPCwould crash due to this

timing issue. This issuemight be avoid by the recommended steps below: 1. Deactivate

the physical interface (IFD) and commit 2. Enable any filter and policer that attached

to the interface (e.g. IFL) and commit 3. Activate interface back PR1128518

General Routing

• In some corner case scenarios, the execution of "show route" commandmight lead to

illegal memory access within RPD thereby leading to the RPD crash. PR911056

• Destination ERR alarm is not getting cleared even after FPC offlined. PR937862

• Duringan in-service softwareupgrade (ISSU), if theunified ISSUaborts after upgrading

backupRoutingEngine to thenew release, it is possible that thebackupRoutingEngine

fails to decode themessage from themaster Routing Engine which is running the old


Resolved Issues









release, causing the ksyncd process crash on backupRouting Engine and vmcores (live

core) generated on both Routing Engines. Themaster Routing Engine will not be

upgraded and the backup Routing Engine will remain with the new release. There is

no rollback to old release. We have to manually bring backup Routing Engine to old

release. PR1035777

• Onall routingplatformsM/MX/TwithBGPconfigured tocarry flow-specification route,

in case of deleting a filter term and policer, then add the same term and policer back

(it usually happens in race condition when adding/deleting/adding the flow routes),

since confirmation from dfwd for the deleting policer might not be received before

attempting to add the same policer, the rpd would skip sending an add operation for

it to dfwd. As a result, when the filter term is sent to dfwd and tell it to attach to the

policer, dfwd had already deleted the policer, and since rpd skipped re-adding it, dfwd

will reject theattach filterwithpolicer not founderror and rpdwill crashcorrespondingly.

PR1052887




• When a labeled BGP route resolves over a route with MPLS label (e.g. LDP/RSVP

routes), after clearing the LDP/RSVP routes, in the shortwindowbefore the LDP/RSVP

routes restore, if the BGP routes resolves over a direct route (e.g. a one-hop LSP), the

rpd process might crash. PR1063796

• Upon BFD flapping on aggregate interfaces, the Lookup chip (XL) might send illegal

packets to the center chip (XMCHIP) and compromise packet forwarding and an FPC

restart is needed to recover from this condition. If Fabric path side is affected, the fabric

healing processwill initiate this process automatically to recover fromsuch conditions.

MPC6E/MPC5E/NG-MPCareexposed to thisproblem.Corruptedparcels fromLookup

chip LU/XL to Center Chip (XM) can also compromise packet forwarding and report

DRD parcel timeout errors. An additional parcel verification check is added to prevent

sending corrupted parcels to the center chip (XM). PR1067234

• CFP2-100GBASE-ER4 is supported on MIC6-100G-CFP2/MPC6E/MPC5E from

13.3R8/14.1R6/14.2R3-S4/14.2R4-S1/14.2R5/15.1R2/15.2R1 PR1069112

• After reconnectwindow, chassisdcoredduringplaneonlineoperationdue toacondition

where number of active-active planes must not exceeding the max allowed numbers

(4). In the core file, all FPCs are sending onlinemask, and 7 planes have the fabric state

asACTIVE - this clearly indicates incorrect fabric state.Once the router hit the condition,

chassisd continues to core since the condition does not correct itself. This fix put in a

work-around to prevent the (continuous) chassid core at reconnect expire so that if

the condition is detected, all planes are bounced by offline all planes first, and follow

with online of the planes. Given the FPCs are all online already, the bouncing of the

planes should take reasonable time. PR1070116

• There is a bug about expansion memory usage computation. It does not account for

freedmemory. So the displayed expansion memory usage is higher than the real

expansion memory usage. As displayed expansion memory usage reaches over the

configured threshold (in this case, the threshold is 95%), subscribers are denied to










comeup. As aworkaround,we could disable the resourcemonitoring throttling feature

to avoid possibility incorrect expansion memory usage. PR1090733

• Occasionally , AFEB PCI reads from Cortona MIC with ATMOAM traffic might return

garbage values even though the actual content in the MIC has the correct value , this

corrupted values would lead to AFEB crash , and also PCI error logs such as : afeb0

PCI ERROR: 0:0:0:0 Timestamp 91614msec. afeb0 PCI ERROR: 0:0:0:0 (0x0006)

Status : 0x00004010 afeb0 PCI ERROR: 0:0:0:0 (0x001e) Secondary bus status :

0x00004000 afeb0 PCI ERROR: 0:0:0:0 (0x005e) Link status : 0x00000011 afeb0

PCI ERROR: 0:0:0:0 (0x0130) Root error status : 0x00000054 afeb0 PCI ERROR:

0:0:0:0 (0x0134)Error source ID : 0x02580258afeb0PCI ERROR:0:2:11:0Timestamp

91614msec. afeb0 PCI ERROR: 0:2:11:0 (0x0006) Status : 0x00004010 afeb0 PCI

ERROR: 0:2:11:0 (0x004a) Device status : 0x00000004 afeb0 PCI ERROR: 0:2:11:0

(0x0052)Linkstatus :0x00004001afeb0PCIERROR:0:2:11:0(0x0104)Uncorrectable

error status : 0x00000020 afeb0 PCI ERROR: 0:2:11:0 (0x0118) Advanced error cap

& ctl : 0x000001e5 afeb0 PCI ERROR: 0:2:11:0 (0x011c) Header log 0 : 0x00000000

afeb0 PCI ERROR: 0:2:11:0 (0x0120) Header log 1 : 0x00000000 afeb0 PCI ERROR:

0:2:11:0 (0x0124) Header log 2 : 0x00000000 afeb0 PCI ERROR: 0:2:11:0 (0x0128)

Header log 3 : 0x00000000. PR1097424

• If NSR (Nonstop Routing) is enabled and a TCP session is terminated while there is

still data in the socket pending transmission, the MBUF (Kernel Memory Buffer) used

to store this data might not get deallocated properly. In order to hit this issue the TCP

sessionmustuseNSRactivesocket replication. If thesystemruns lowonMBUFmemory

the kernel will automatically throttle downmemory allocation on low priority

applications and ultimately if there is no MBUF left, the system could become

unresponsive due to its inability to serve I/O requests. PR1098001

• When the clock sync process (clksyncd) is stopped and resumed during link flaps, the

clksyncdprocessmight get intoan inconsistent statewith various symptoms, the clock

source might be ineligible due to "Interface unit missing" or "Unsupported interface"

with no Ethernet Synchronization Message Channel (ESMC) transmit interfaces.

PR1098902

• Dynamic vlan ifl is not removed with 'remove when-no-subscriber' configuration

PR1106776

• OnMX240/480/960 Series router with MS-DPC, customer running BGP over IPSec.

ThisBGPsessionhasaBFDsession tied to it. TheBGPsession isupbut theBFDsession

remains in INIT state. The issuemightbeseenwithany service configuredwithmultihop

BFD enabled. Traffic forwarding will not be affected. PR1109660

• This issue is a regression defect introduced in JunosOSRelease 11.4R11, 12.1R10, 12.2R8,

12.3R6, 13.2R4, 13.3R2, 14.1R1. After upgrading to those releases containing the original

fix, when there is no export policy configured for forwarding table to select a specific

LSP, whenever routes are resolved over RSVP (for example, due to aggressive

auto-bandwidth), resolver will spend considerable amount of time on resolver tree,

which contributes to base line increase in rpd/Routing Engine CPU. PR1110854

• OnMX Series routers with Junos OS release 12.3X54-D20 or 12.3X54-D25, Inverse

multiplexing for ATM (IMA) interfaces on MIC-3D-4COC3-1COC12-CEmay not come


Resolved Issues








up due to "Insufficient Links FE" alarm. This is due to data corruption on the physical

layer. PR1114095

• When using the SIP-ALG with MS-MIC and MS-MPC cards in the 13.3R8 and earlier

builds, the MSPMAND process can generate a core file. PR1120100

• The commit latency will increase along with the increasing lines under [edit system

services static-subscribers group<groupname> interface]. Use ranges to create static

demux interfaces isa recommendedoption. e.g. [edit systemservices static-subscribers

group PROFILE-STATIC_INTERFACE] + interface demux0.10001001 upto

demux0.10003000. PR1121876

• OnMX Series platform, the MS-MPC crashmay occur. The exact trigger of the issue is

unknown, normally, this issuemayhappenover longhours (e.g.withinaweek)of traffic

run(forexample, runningHTTP/HTTPS/DNS/RTSP/TFP/FTPtrafficprofile).PR1124466

• Egress multicast statistics displays incorrectly after flapping of ae member links on

M320. PR1126956

• An incorrect destination MAC address is applied to the packet when a DHCPv6

Offer/Advertise packet is sent back to the subscriber from a non-default routing

instance across a pseudowire. PR1127364

• In current Juniper Networks implementation, the IPv6multicast Router Advertisement

timer is not uniformly distributed value between MinRtrAdvInterval and

MaxRtrAdvInterval as described in RFC 4861. PR1130329

• OnMX Series based line card, multiple modifications of firewall filter might cause

lookup chip error and traffic blackhole, following jnh_free error messages could help

to identify this issue: messages: fpc1 jnh_free(10212): ERROR [FW/3]:1 Paddr

0x006566a9, addr 0x2566a9, part_type 0call_stack 0x40497574 0x418ffa84

0x41900028 0x418ecf94 0x41861690. PR1131828

• When customers do changes under "protocol router-advertisement interfaceX" (such

as changing timers etc), they expect that commit would trigger a new

router-advertisement being sent out to notify hosts about configuration changes.

However it does not seem to be a case unfortunately. It makes the router information

to expire on hosts and causes obvious loss of connectivity for the hosts. PR1132345

• OnMX Series platformwith non-QMPC (for example, MPC2-3D) or Q-MPCwith

enhanced-queueing off, when traffic has to egress on any one of the dynamic PPPoE

(pp0), IP-DEMUX (demux0) and VLAN-DEMUX (demux0) IFLs, the queuemapping

might get wrong. The traffic forwarding might be affected. PR1135862

• Commit error after attempting to delete all guaranteed rates on all

traffic-control-profiles associated with demux0 [edit] user@host# commit re0: [edit

class-of-service interfaces] 'demux0' IFL excess rate not allowed on interface

(demux0), please specify guaranteed rate on at least one IFL error: configuration

check-out failed PR1150156















• OnMX Series router, the physical or logical interfaces (ifd/ifl) might be created and

marked UP before a resetting FPCs' fabric planes are brought up and ready to forward

traffic. As a result, traffic might be black-holed during the time window. This window

of traffic black-hole is particular long if the chassis is heavily populatedwith line-cards,

for example, the router has large scale of configuration (routes or subscribers), and

coupled with a lot of FPC reset, such as upon a node power up/reset. PR918324

• Anyhostoutbound traffic goacrossaggregatesonet interface,will lead to ifstatmemory

leak, finally result in kernal crash. Here is a failure phenonmenon: > show system

virtual-memory | match "mem|ifstat " Dec 28 10:24:03 Type InUse MemUse HighUse

Requests Size(s) ifstat 16315831263445K - 16317521

16,32,512,2048,4096,524288,2097152,4194304>showsystemvirtual-memory |match

"mem|ifstat " Dec 28 10:24:06 Type InUse MemUse HighUse Requests Size(s) ifstat

16317436263470K - 16319126 16,32,512,2048,4096,524288,2097152,4194304> show

system virtual-memory | match "memu|ifstat " Dec 28 10:27:23 Type InUse MemUse

HighUse Requests Size(s) ifstat 16456495265643K - 16458247

16,32,512,2048,4096,524288,2097152,4194304Dec2722:09:10T1600-a-re0/kernel:

kmem type ifstat using 284066K, approaching limit 332800K Dec 27 22:10:11

T1600-a-re0 /kernel: kmem type ifstat using 284726K, approaching limit 332800K

Dec 27 22:11:11 T1600-a-re0 /kernel: kmem type ifstat using 285385K, approaching

limit 332800K Dec 27 22:12:11 T1600-a-re0 /kernel: kmem type ifstat using 286045K,

approaching limit 332800K. PR975781

• When IEEE 802.3ah OAM link-fault management action profile is configured to define

event and the resulting action, the link might flap after it is brought down by an event

but brought up by other events erroneously. PR1000607

• OnDPConly chassis, after softwareupgradeornotgracefulRoutingEngineswitchover,

Ethernet OAM related LAG bundles might not come up due to the Link Fault

Management (LFM) packets arrive on AE interface instead of physical link interface.

PR1054922

• When adding new VCP port MX-VC, some of the traffic drops are seen. PR1067111

• OnMX240 or MX480 platformwith at least two DCmodules (PN: 740-027736)

equipped, when shutting down one of the PEMs and then turn it on again, even the

PEM is functioning, the "PEM Fan Fail" alarmmight be observed on the device due to

software logic bug. There is no way to clear the ALARM_REASON_PS_FAN_FAIL for

I2C_ID_ENH_CALYPSO_DC_PEM once it has been raised. PR1106998

• Onall JunosOSplatforms, if the "HDD/var" slice (for example, "/dev/ad1s1f" depending

on the type of Routing Engine) is notmounted (for example, label missing, file system

corrupted beyond repair, HDD/SDD is removed from the boot list, etc), the systemmay

build emergency "/var/". However, no alarm or trap is generated due to the incorrect

operation of the ata-controller. Although the boot messages may present the logs, it

may not be sufficient enough to identify the issue before encountering other problems

(for example, JunosOS upgrade failure and the Routing Enginemay hang in a recovery

shell). In addition, asamethod tocheckwhereRoutingEngine is running from,amanual

check could be done as below, user@re0> show system storage | match " /var$"


Resolved Issues







/dev/ad2s1f 34G 18G 13G 57% /var <<<<indicate that>show system storage | match

" /var$" <<<<No output>PR1112580

• Junos OS now checks ifl information under the ae interface and prints only if it is part

of it. PR1114110

• In PPPoE subscriber management environment, when dynamic VLAN subscriber

interfaces is createdbasedonAgentCircuit Identifier (ACI) Information, the subscribers

might unable to login after reboot FPC with syslog "Dropping PADI due to no ACI

IFLSET". PR1117070

• The jpppd processmight crash and restart due to a stalememory reference. The jpppd

process restart results in a minimal impact of system and subscribers. All connected

subscribers remain connected and only subscribers are attempting to connect at time

of process restart would need to retry. PR1121326

• On Junos OS platform, an aggregate-ethernet bundle having more-than onemember

link can show incorrect speedwhichwouldn'tmatch to the total aggregate bandwidth

of all member links. The issue would be seen when LFM is enabled on the

aggregate-ethernet bundle. The issue would be triggered when one of the member

link flaps. Although after the flap, the current master Routing Engine would show

correct aggregate speed, the backup Routing Engine would report incorrect value. In

this state,whenRoutingEnginemastership is switched, thenewmasterRoutingEngine

(which was backup) will show incorrect value. One of the side-effect of this issue is

that RSVP also reflects incorrect Bandwidth availability for the affected

aggregate-ethernetbundle, thus cancauseunder-utilizationof the linkwith LSPhaving

bandwidth constraints. PR1121631

• Since a bugwhichwas introduced in JunosOSRelease 15.1R1, loopback sub-interfaces

always have a Flag down in the output of CLI command "show interfaces". PR1123618

• A hidden configuration attribute is provided to allow alternate vendor IDs to be

considered valid for inspection for ACI/ARI information in PPPoE vendor-specific tags.

Thehiddenconfigurationattribute isas follows: "setprotocolpppoealternate-vendor-id

<vendor id value>" PR1124132

• If two redundant logical tunnels (rlt) sub-interfaces are configured in a same subnet

and in a same routing-instance, a sub-interface will be down (this is expected), but if

the sub-interface is removed from the routing-instance later, after disable and enable

the rlt interface, a sub-interface might remain in down state unless removing

configuration of rlt interface and then rollback. PR1127200

• In Dynamic PPPoE subscriber management scenario, when the system is overloaded

with requests coming, the subscribersmight fail to login in a race condition.PR1130546

• The jpppdprocessmight crashand restart due toabuffer overwrite. The jpppdprocess

restart results inaminimal impactof systemandsubscribers. All connectedsubscribers

remain connected and only subscribers are attempting to connect at time of process

restart would need to retry. PR1132373

• OnMX Series platform, the "Max Power Consumption" of MPC Type 1 3D (model

number: MX-MPC1-3D) would exceed the default value due to software issue. For

example, the value might be shown as 368Watts instead of 239Watts when "max

ambient temperature" is 55 degree Celsius. PR1137925














Layer 2 Features

• OnMX Series platformwith non-stop-routing (NSR) enabled and some L2 protocols

configured, performingRouting Engine switchovermight cause layer 2 control protocol

daemon (l2cpd) to crash and FPC to be rebooted. PR1076113

• OnMX Series platformwith Dynamic Host Configuration Protocol (DHCP)maintain

subscriber feature enabled, after rebooting the FPC hosts the Demux underlying

interfaces, the next-hop for some DHCP subscribers might bemarked as dead in the

forwarding table. When this issue occurs, we can execute CLI command "clear dhcp

server binding <address>" to restore. PR1118421

• For PVSTP/VSTP protocols, when MX/EX92xx router inter-operate with Cisco device,

due to the incompatible BPDU format (there are additional 8 Bytes after the required

PVID TLV in the BPDU for Cisco device), the MX Series might drop these BPDUs.

PR1120688

• In the DHCPv4 or DHCPv6 relay environment with large scaled environment (in this

case, 50-60K subscribers), and the system is under stress (many simultaneous

operations). The subscribers might get stuck in RELEASE state with large negative

lease time. PR1125189

• In some rare scenarios, theMVRPPDUmight be unable to be transmitted,which could

causememory leak in layer 2 control plane daemon (l2cpd), and finally results in the

l2cpd process crash. PR1127146

• WhenAE is core facing ifl in ldp-mesh vpls instancewith local-switching in it, the traffic

is looped back. PR1138842

MPLS

• With egress protection configured for Layer 3VPN services to protect the services from

egress PE node failure in a scenario where the CE site is multihomed with more than

one PE router, when the egress-protection is un-configured, the egress-protection

route cleanup is not handled properly and still point to the indirect composite nexthop

in kernel, but the composite nexthop can be deleted in rpd even the egress protection

route is pointing to the composite nexthop. This is resulting in composite nexthop "File

exists" errorwhen theegressprotection is re-enabledand reuse thecompositenexthop

(new CNH addition fails as old CNH is still referenced in kernel). PR954154

• In next-generation MVPN extranet scenario, if there is a mix of VT interface and LSI

(vrf-table-lable isused) interfaceonnext-generationMVPNegressnode, after changing

some vrf policies, the routing protocol process (rpd)might crash and reset.PR1045523

• InMPLSscenarios, removing the "familympls" configuration fromanoutgoing interface

may cause inet and/or inet6 nexthops associated with that interface to unexpectedly

transit to dead state. Even adding back "family mpls" cannot restore it. PR1067915

• If "optimize-timer" is configured under P2MP branch LSP, this branch LSP will not be

re-established if link flap on egress node. If "optimize-timer" is configured at

protocols/mpls level, issue could be avoided. PR1113634


Resolved Issues












• LAGMIB tables dot3adAggPortTable, dot3adAggPortDebugTable polling or lag

configuration changes may result in mib2d process core or unexpected values for lag

MIB OIDs. The PR fix will resolve these MIB table issues. PR1060202

• The SNMPv3message header has a 4 byte msgID filed, which should be in

(0....2147483647),when thesnmpdprocesshasbeen running for a long time, themsgID

might cross the RFC defined range and causing Net-SNMP errors, "Received bad

msgID". PR1123832


• On all high-endMXSeries devices, when a router is acting as anNTP broadcast server,

broadcast addresses must be in the default routing instance. NTPmessages are not

broadcasted when the address is configured in a VPN virtual routing and forwarding

(VRF) instance. PR887646

• After the "show version detail" command is executed, the syslog message

"UI_OPEN_TIMEOUT: Timeout connecting to peer" might appear. This message is

cosmetic only; you can ignore this message. PR895320:

• OnMX Series based line card, when GRE keepalive packets are received on a Packet

Forwarding Engine that is different from the tunnel interface hosted, the keepalive

messagewill apply the firewall filter configuredondefault instance loopback interface.

PR934654

• Bad udp checksum for incomingDHCPv6packets as shown inmonitor traffic interface

output. The UDP packet processing is normal, this is a monitor traffic issue as system

decodes checksum=0000. PR948058

• Under certain conditions the Packet Forwarding Engine flow export thread and flow

update threadmight be out of sync resulting in a situation where the update thread

might attempt to update a flow record that is being aged-out/deleted by the export

thread. As a consequence, PPE traps might be generated during flow processing; the

PPE trap signature is very dependent on the operation performed on that particular

record: fpc1 PPE Sync XTXN Err Trap: Count 3, PC 637f, 0x637f:

flow_export_read_src_address_ipv6LUCHIP(2)PPE_4Errors syncxtxnerrorUnder rare

conditions, this can ultimately lead to record corruption. Trying to reuse or update such

a recordwould trigger the following error: [LOG: Err] LUCHIP(2) HASH INTStatus FPM

Error: [LOG: Err] LUCHIP(2) HASH FPM ERROR: Alloc OMI Ram IF Error, TID=1,

FP_ID=0x2. - There is no impact to forwarding. - There may or may not be impact on

Jflow. - Its a generic problem for any inline-jflow application including IPv4 and IPv6.

With 13.2 release, new fields (min, max TTLs/QinQ values) are added to jflow record.

These fields need to be updated (if value changes) per packet in the flow. So the

probability of hitting the race condition between export thread (deleting the record)

and jflowdatapath code (updating the same record) and is higher in JunosOSRelease

13.2 and later. PR968807

• In rare condition, when execute cscript the cscript process might crash, so the current

cscript executionwill fail. The issue is due to third-party codewhichwe have imported










in Junos OS for cscript execution. It occurs in rare condition, and it is hard to reproduce.

PR1011518

• TheMIB counter or "showpfe statistics traffic" shows junk PPS and invalid total traffic

output counter. PR1084515:

• OnMX Series platformwith MPC/MIC or T4000 FPC5, TCP session with

MS-Interface/AMS-Interface configuration is not established successfully with the

"no-destination-port" or "no-source-port" configuration statements configured under

forwarding-options hierarchy level. PR1088501:

• On an MPC3E or MPC4E , when the flow-detection feature is enabled under the [edit

system ddos-protection] hierarchy, if suspicious control flows are received, two issues

might occur on the device: The suspicious control flowmight not be detected on the

MPC or line card. After suspicious control flows are detected, they might never time

out, even if traffic flows no longer violate control parameters. PR1102997:

• OnBNGplatform,when disable a static demux interface, theNPConMPCmight crash

and generate a core file. PR1116463:

• Inline 6rd and 6to4 support for XL and XL-XM based platforms. PR1116924:

• When inline static NAT translation is used, if two rules defined in two service sets are

pointing to the same source-prefix or destination-prefix, changing the prefix of one of

the rule and then rolling back the changes is not changing back all the pools correctly.

PR1117197:

• After changinganouter vlan-tags, the ifl is gettingprogrammedwith incorrect stp state

(discarding), so the traffic is getting dropped. PR1121564:

• OnMX Series based platform, when fragmented packets go through the inline NAT

(including source NAT, destination NAT, and twice NAT), the TCP/UDP checksum

would not be correctly updated. In this situation, checksum error would occur on the

remoteend(insideandoutsidedevice).Non-fragmentedpacketswouldnotbeaffected

by the issue. If possible, this issue could be avoided by either of the following

workarounds, * Enable "ignore-TCP/UDP-Checksum errors" at the inside or outside

devicewhich processes TCP/UDPdataOR*Make sure therewill not be any fragments

subjected to inline NAT functionality by appropriate MTU adjustment or setting.

PR1128671

• Parity error at ucode location which has instruction init_xtxn_fields_drop_or_clip will

lead to a LUWedge. LU is lookup ASIC inside the MX Series router. The LU wedge will

cause the fabric self ping to fail which will lead to a FPC reset. This is a transient HW

fault, which will be repaired after the FPC reset. There is no RMA needed unless the

same location continues to fail multiple times. PR1129500

• NTP.org published a security advisory for thirteen vulnerabilities in NTP software on

Oct 21st, 2015. These vulnerabilities may allow remote unauthenticated attackers to

cause Denial(s) of Service(s), disruption of service(s) bymodification of time stamps

being issued by the NTP server frommalicious NTP crafted packets, including

maliciously crafted NTP authentication packets and disclosure of information. This

can impactDNS services, aswell as certificate chains, such as those used in SSL/https

communications and allow attackers to maliciously inject invalid certificates as valid

which clients would accept as valid. Refer to JSA10711 for more information. PR1132181


Resolved Issues












• OnMXSeries based line card, if there are scaled number of routes (e.g. 10million), due

to amemory allocation issue, the forwarding table might be full and causing failure of

install new routes. The following syslog could indicate this problem:

"jnh_expand_partition failed, inst 0, jnh_app ktree, dwords 524288". PR1133920

• With scaled firewall filters attached to interfaces (e.g. 10k+ filters), running "show

configuration" command can cause high CPU of the mgd process. As a workaround,

we can use "show configuration |display set" command to view the configuration.

PR1134117

• PPE thread timeout trapmay cause XM chip wedge, it will not affect MQ based FPC.

PR1136973

Routing Protocols

• In BGP scenario with IPv4 and IPv6 neighbors mixed in the same group, if all of the

IPv4peers flaps but none of the IPv6peers flaps, a timing issuemight happen that one

of the IPv4 peers comes up before inet.0 RIB is cleaned up. As a result, the routing

protocol daemon (rpd) crash will be seen. PR986272

• Since Junos OS Release 13.3R2 and later if delegated BFD sessions are flapping

continuously, packet buffer memory maybe be leaked. The automatic memory leak

detection process will report this within the syslog once certain threshold is reached

"fpc7 SHEAF: possible leak, ID 8 (packet(clones)) (10242/128/1024)". Please note

BFD sessions operating in centralizedmode are not exposed. PR1003991

• When BGP is doing path selection with default behavior, soft-asserts requests are

introduced. If BGP routes flap a lot, it needs to do path selection frequently, because

of which a great deal soft-asserts might be produced which will cause unnecessary

high CPU and some service issues, such as SNMP can not respond and even rpd core.

PR1030272

• EDITEDMP 8/31When amulticast group in protocol independent multicast (PIM)

densemode has a large number ofmulticast sources, the RPD process can crash after

a routing engine switchover. PR1069805

• On large scale BGP RIB, advertised-prefixes counter might show the wrong value due

to a timing issue. PR1084125

• Due to software bug Junos OS cannot purge so called doppelganger LSP, if such LSP

is received over newly formed adjacency shortly after receiving CSNP from the same

neighbor. PR1100756

• When the IS-IS configuration has been removed, the IS-IS LSDB contents got flushed.

If at the same time of this deletions process, there is an SPF execution, which is trying

to access the data structures at same time when a fraction of secs after freeing its

content, routing protocol process (rpd) crash occurs. PR1103631

• When two (or more) route target communities of MP-BGP route match to two (or

more) route target communities in VRF import policy of a RI duplicate routing entries

might be installed in the RI. In the output of 'show route table <RI name>.inet.0 detail'

two identical routing entries appear with one being marked as 'Inactive reason: Not

Best in its group - No difference'. This condition was observed under high scale (many













RI's and theBGP routewas imported inmanyRI's aswell).Whensuchduplicate routing

information is to be deleted, rpd process process will crash. PR1113319

• When the Multicast Source Discovery Protocol (MSDP) is used, if the RP itself is the

First-Hop Router (FHR) (i.e. source is local), the MSDP source active (SA) messages

are not getting advertised by the RP to MSDP peers after reverse-path forwarding

(RPF) change (e.g. the RPF interface is changed). PR1115494

• When an interface is associated with a Bidirectional Forwarding Detection (BFD)

session, if changing the unit number of the interface (for example, change the unit

number for a running BFD session from ge-1/0/0.2071 to ge-1/0/0.285), the device

may fail to change the name due themissing check for logical interface (IFL) index

change. PR1118002

• OndualRoutingEngineplatformwithNonstopactive routing (NSR)andauthentication

of the Bidirectional Forwarding Detection (BFD) session enabled, BFD process (bfdd)

memory leak may occur on themaster Routing Engine and the process may crash

periodicallyonce it hits thememory limit (RLIMIT_DATA).Theproblemdoesnotdepend

on the scale, but the leak will speed up with more BFD sessions (for instance 50

sessions). As aworkaround, if possible, disablingBFDauthenticationwill stop the leak.

PR1127367

• Inmulticast environment, when theRP is FHR (first hop router) and it hasMSDPpeers,

when the rpf interface on RP changed to MSDP facing interface, due to the multicast

traffic is still on the old rpf interface, a multicast discard route will be installed and

traffic loss will be seen. PR1130238

• Mt tunnel interface flap cause backup Routing Engine core. exact root cause is not

known. while processing updates on the backup re (received frommaster Routing

Engine), accessing free pointer cause the Core. PR1135701


• When polling to jnxNatSrcNumPortInuse via SNMPMIB get, it might not be displayed

correctly. PR1100696

• JunosOSRelease13.3 and above release, when configuring a /31 subnet address under

a nat pool, the adaptive services daemon (SPD) will continuously crash. PR1103237

• In CGNAT environment, when a service PIC is in heavy load continuously, there might

be a threads yielding loop in CPUs,whichwill cause theCPUutilization high, andmight

cause one the CPUs to be reset. PR1115277

• In CGNAT scenario, whenwe establish simultaneous TCP connects, we need to install

timers for eachTCPconnection/flow. Due to this bug,we endedup creating two timers

for the forward and reverse flow separately. Ideally there needs to be only one timer

for both the forward and reverse flow. Whenever the session used to get deleted due

to timer expiry, the PIC used to crash whenever the code tried to delete the same flow

again. PR1116800


Resolved Issues












• When using Neighbor Discovery Router Advertisement (NDRA) and DHCPv6 prefix

delegation over PPPoE in the subscriber access network, if a local pool is used to

allocate the NDRA prefix, when the CPE send DHCPv6 solicit message with both

InternetAssignedNumbersAuthority (IANA)and IdentityAssociationPrefixDelegation

(IAPD) options, the subscriber might get IPv6 prefix from the NDRA pool but not the

delegated pool. As a workaround, the CPE should send DHCPv6 solicit message with

only IAPD option. PR1063889

• OnMX Series platform, when using the DHCPv6 prefix delegation over PPPoE, if the

RADIUS allocates a DHCPv6 pool name during the authentication of subscribers and

"on-demand-ip-address" feature is enabled in a dynamic-profile, the prefixesmay not

be cleared by authentication process (authd) after disconnecting the subscribers.

PR1108038

• For scenarios thatarenot inaLayer 3wholesalenetworkenvironment,wecanconfigure

"duplication-vrf" to send duplicate accounting records to a different set of RADIUS

servers that reside in either the sameor adifferent routing context. AfterRoutingEngine

switchover, the duplicate accounting feature stops work for existing subscribers.

PR1121524

• Authd core dump in AaaService::cleanUpCliSessionInfo PR1127362

VPNs

• In scenario involving pseudowire redundancy where CE facing interface in the backup

neighbor (can be non-standby, standby, hot-standby type), if the virtual circuit (VC)

is not present for the CE facing interface, the CE facing interface may go up after

committing an unrelated VC interface configuration (e.g. changing description of

another VC interface) even though the local pseudowire status is in down state.

PR1101886

• In L2circuit environment, if one PE has pseudowire-status-tlv configured but remote

hasn't, and at the same time, this PE does not support control-word but remote does,

then it will not send changed local status code to remote PE, in a rare condition, after

enable status-tlv support at remote end, the l2circuit might stuck in "RD" state on

remote PE. PR1125438





• Infrastructure on page 136



• MPLS on page 138














• Subscriber Access Management on page 143



• For an ATM interface configured with hierarchical scheduling, when a

traffic-control-profile attached at ifd (physical interface) level and another output

traffic-control-profile at ifl (logical interface) level, flapping the interface might crash

the FPC. PR1000952

• After restarting chassisd or doing an in-service software upgrade from 13.2R8.2 to

13.3R7.3 results in the following messages seen in syslog:

cosd_remove_ae_ifl_from_snmp_db ae40.0 error 2 Messages appear to be harmless

with no functionality impact. PR1093090

• OnMX104 platform, when we configure rate-limit for the logical tunnel (lt-) interface,

the commit will fail. As a workaround, we can use firewall filter with policer to achieve

the same function. PR1097078

• When performing the Routing Engine switchover without GRES enabled, due to the

fact that the Class-of-Service process (cosd) may fail to delete the traffic control

profile state attached to logical interface (IFL) index, the traffic-control-profile may

not get programmed after the ifl index is reused by another interface. PR1099618


• This defect is seen only when an existing child link from an AE is moved to a newly

created AE, simultaneously from both-ends. The new AE is listed as child link in the

existing AE in 'show interface ae<>.0 extensive' CLI. PR965872

• In rare cases, MX Series routers might crash while committing inline sampling related

configuration for INET6 Family only. PR1091435

General Routing

• For inline portmirroring, configure "input-parameters-instance" tomake a port-mirror

instance inherit inputparameters fromanother instance.At times,anynewconfiguration

which is addedunderportmirror hierarchy levelwill not takeeffect even thoughcommit

succeeds. PR944631

• In a Layer 3 wholesale configuration, DHCPv6 advertise messages might be sent out

with source MAC all zeroes if the subscriber is terminated on the demux interface in a

non-default routing instance. For subscribers on default instance there is no such issue

observed. PR972603

• OnMX Series-based platform, when the feature flow-control is disabled (enabled by

default) by using CLI command "no-flow-control" configuration statement (for

example, under "gigether-options" hierarchy), after bringing up or rebooting the MPC,


Resolved Issues









due to the fact that status of the hardware may not be updated correctly, the flow

control on that MACmay remain enabled. PR1045052

• In IP security (IPsec)VPNenvironment, after performing theRoutingEngine switchover,

the traffic may fail to be forwarded because the SAsmay not be downloaded to the

PIC, or due to some security associations (SAs) on the PICmay incorrectly hold

references for old Security Policy Database (SPD) handles while SPD has deleted its

entries in the Security Association Database (SAD). PR1047827

• MPCwith Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC

(MIC-3D-4COC3-1COC12-CE) might crash. This problem is very difficult to replicate

and a preventive fix will be implemented to avoid the crash. PR1050007

• In the PPP environment, when a subscriber is logged out, its logical interface index is

freed, but in rare condition the session database (sdb) entry is not freed. When the

logical interface index is assigned to a new logical interface, it is still mapped to an old

sdb entry, so the jpppd process might crash because of mismatching. The issue is not

really fixed, developer just adds some debug information. PR1057610

• When"satop-options" is configuredonanE1withStructure-AgnosticTDMoverPacket

(SAToP) encapsulation, after Automatic ProtectionSwitching (APS) switchover, some

SAToP E1s on the previously protected interface (nowworking) start showing drops.

PR1066100

• OnMXSeries routerswithMPCbased line cards in a setup involvingPacket Forwarding

Engine fast reroute (FRR) applications, when BFD session flaps the next-hop program

in the Packet Forwarding Engine may get corrupted. It may lead to incorrect selection

of next-hop or traffic blackhole. PR1071028

• Scheduler: Protect: Parity error for tick table single messages might appear on MPC

cards utilizing XMCHIP like MPC2E-3D-NG,MPC3E, MPC4E, MPC5E or MPC6E.

PR1083959

• In a fib-localization scenario, IPv4 addresses configured on service PICs (SP) will not

appear on FIB-remote FPCs although all local (/32) addresses should, regardless of

FIB localization role, install on all Packet Forwarding Engines. There is no workaround

for this and it implies that traffic destined to this address will need to transit through

FIB-local FPC. PR1092627

• -OnXL-based cards suchasMPC5/MPC6, PPE thread timeout errors (resulting inPPE

trap files) can be triggered when the FPC allocates illegal memory space for the

forwarding state of router operations. - In certain cases, this can result in packet loss

depending on howmany packets use this forwarding state. PR110035

• When the null pointer of jbuf is accessed (jbuf, that is, a message buffer is allocated

onlywhen thepacket is ready toprocess. Thebuffer is freedafter thepacket completes

ALG handling is accessed), for example, when using the Microsoft Remote Procedure

Call (MS RPC) (as observed, issue may also happen on Sun Microsystems RPC)

Application-level gateway (ALG) with NAT (stateful firewall is used as a part of the

service chain), if the traffic matching configured universal unique identifier (UUID) is

arrived on the ALG, themspmand (whichmanages theMultiservice PIC) crash occurs.

PR1100821













• After JunosOS release 13.3R1, IPCMON infra is added to debug IPCs between PFEMAN

and the Routing Engine. When convergence occurs, string processing of IPCMOMwill

take added time. Then the slow convergence will be seen. It is a performance issue, it

is visible in scaled scenario (for example, more than 100K routes). As a workaround,

please execute command "set pfe ipclog filter clear" to disable IPC logging on all FPCs.

PR1100851

• FFP is a generic process that shall be called during commit process, and FFP calls the

PDB initializationaspartof itsprocess.On thePDB-unsupportedplatforms(MXSeries,

EX9200, M10i, M120, M320 is PDB-supported), when committing configuration, some

error messages will be seen. PR1103035

• If fpc offline configuration statement is configured after the presence of

Non-recoverable faults, then offline action will not be performed. PR1103185

• Non-queuing MPC5Emight crash continuously if rate-limit under transmit-rate for

scheduler is applied. As a workaround, do not configure rate-limit and use firewall

policer for forwarding-class instead. MPC5EQ is not exposed. PR1104495

• When using "write coredump" to invoke a live coredump on an FPC in T Series, the

contents of R/SR ASICmemory (Jtree SRAM) will get dumped. In the situation that

there is a parity error present in the SRAM, then the coredumpwill abort and the FPC

will crash. As a workaround, configuring "set chassis pfe-debug flag

disable-asic-sram-dump" before "write coredump" will help to avoid the issue.

PR1105721

• An IPv4 filter configured to use the filter block with term that has both "from

precedence" and another non 5-tuple (i.e. not port, protocol, address) will cause an

XL/EA based board to reboot. Example: set firewall family inet filter FILTER

fast-filter-lookup set firewall family inet filter FILTER term TERM from precedence

PRECEDENCE set firewall family inet filter FILTER term TERM from tcp-established.

PR1112047

• In the scenario that the power get removed from the MS-MPC, but Routing Engine is

still online (for example, onMX960 platformwith high capacity power supplies which

split into two separate power zones, when the power zone for the MS-MPC line card

loses power by switch off the PEM that supports the MS-MPC situated slot), if the

power goes back (for example, switch on the PEM), the MS-MPCmight be seen as

"Unresponsive" (checked via CLI command "show chassis fpc") and not coming up

back online due to failure of reading memory. PR1112716

• Under certain conditions, when the JunosOSRouting Engine tries to send an IP packet

over a IPIP tunnel, the lookupmight endup in an infinite loopbetween two IPIP tunnels.

This is caused by a routing loop causing the tunnel destination for Tunnel#A to be

learned through Tunnel#B and the other way round. PR1112724

• Under certain conditions, when the JunosOSRouting Engine tries to send an IP packet

over aGRE tunnel, the lookupmight endup inan infinite loopbetween twoGRE tunnels.

This is caused by a routing loop causing the tunnel destination for Tunnel#A to be

learned through Tunnel#B and the other way round. PR1113754


Resolved Issues










Infrastructure

• When "show version detail" CLI command has been executed, it will call a separate

gstatd process with parameter "-vvX". Because the gstatd could not recognize these

parameters, it will run once without any parameter and then exit. In result of "show

version detail", following information could be seen: user@host> show version detail

Hostname:mx960Model:mx960Junos: 13.3R6-S3 JUNOSBaseOSboot [13.3R6-S3]

JUNOSBaseOSSoftwareSuite [13.3R6-S3] JUNOSKernelSoftwareSuite [13.3R6-S3]

JUNOS Crypto Software Suite [13.3R6-S3] <snipped> file: illegal option -- v usage:

gstatd [-N] gstatd: illegal option -- v usage: gstatd [-N] At the same time, log lines like

following might be recorded in syslog: Aug 25 17:43:35mx960 file: gstatd is starting.

Aug 25 17:43:35mx960 file: re-initialising gstatd Aug 25 17:43:35mx960mgd[14304]:

UI_CHILD_START: Starting child '/usr/sbin/gstatd' Aug 25 17:43:35mx960 gstatd:

gstatd is starting. Aug 25 17:43:35mx960 gstatd: re-initialising gstatd Aug 25 17:43:35

mx960 gstatd: Monitoring ad2 Aug 25 17:43:35mx960 gstatd: switchover enabled

Aug 25 17:43:35mx960 gstatd: read threshold = 1000.00 Aug 25 17:43:35mx960

gstatd: write threshold = 1000.00 Aug 25 17:43:35mx960 gstatd: sampling interval =

1 Aug 25 17:43:35mx960 gstatd: averaged over = 30 Aug 25 17:43:35mx960

mgd[14304]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/gstatd', PID 14363, status

0x4000 Aug 25 17:43:35mx960mgd[14304]: UI_CHILD_EXITED: Child exited: PID

14363, status 64, command '/usr/sbin/gstatd' PR1078702

• OndualRoutingEngineplatform, if GRES is configured (triggeredby "on-disk-failure"),

when a disk I/O failure occurs on themaster Routing Engine due to hardware issue (for

example, SSD failure), the graceful Routing Engine switchover might not be triggered

immediately after initial IO failure has been detected. As a result, Routing Enginemight

enter a state in which it responds to local pings and interfaces remain up, but no other

processes are responding. PR1102978






• OnMX Series platform, when an aggregated Ethernet bundle participating as L2

interface within bridge-domain goes down, the following syslog messages could be

observed. Themessages would be associated with FPC0 even if there are no link(s)

from this FPC0 participating in the affected aggregate-ethernet bundle. mib2d[2782]:

SNMP_TRAP_LINK_DOWN: ifIndex 636, ifAdminStatus up(1), ifOperStatus down(2),

ifNamexe-3/3/2mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex637, ifAdminStatus

up(1), ifOperStatusdown(2), ifNamexe-3/3/3mib2d[2782]:SNMP_TRAP_LINK_DOWN:

ifIndex740, ifAdminStatusup(1), ifOperStatusdown(2), ifNameae102 fpc0LUCHIP(0)

Congestion Detected, Active Zones f:f:f:f:f:f:f:f:f:f:f:f:f:f:f:f fpc0 LUCHIP(0) Congestion

Detected, Active Zones 2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm set: FPC

color=RED, class=CHASSIS, reason=FPC 0Major Errors craftd[1601]: Major alarm set,

FPC 0Major Errors fpc0 LUCHIP(0) Congestion Detected, Active Zones

2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm cleared: FPC color=RED,

class=CHASSIS, reason=FPC 0Major Errors craftd[1601]: Major alarm cleared, FPC 0

Major Errors fpc0 LUCHIP(0): Secondary PPE 0 zone 1 timeout. fpc0 PPE Sync XTXN

Err Trap: Count 7095, PC 10, 0x0010: trap_nexthop_return fpc0 PPE Thread Timeout

Trap: Count 226, PC 34a, 0x034a: nh_ret_last fpc0 PPE PPE Stack Err Trap: Count 15,

PC 366, 0x0366: add_default_layer1_overhead fpc0 PPE PPE HW Fault Trap: Count

10, PC 3c9, 0x03c9: bm_label_save_label fpc0 LUCHIP(0) RMC 0 Uninitialized

EDMEM[0x3f38b5]Read(0x6db6db6d6db6db6d)fpc0LUCHIP(0)RMC1Uninitialized

EDMEM[0x394cdf] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0) RMC 2

Uninitialized EDMEM[0x3d9565] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0)

RMC3UninitializedEDMEM[0x3d81b6]Read(0x6db6db6d6db6db6d)Thesemessage

would be transient in nature. The discrepancy of nexthop handling that is addressed

in this PR can alsomanifest itself in form of other issues in the system. Basically when

the nexthops go out of sync we are bound to see either Packet Forwarding Engine

crashes/traps or Routing Engine crashes. The fix in this PR should take care of this

behavior and ensurewehandle the nexthops correctly tomaintain the synchronization

betweenmaster Routing Engine, backup Routing Engine and all Packet Forwarding

Engine peers. PR990023

• In some configurations agg_pfe_get_fwd_options log message is generated at the

excessive rate. This log message can be helpful during troubleshooting, but it is not

needed during normal operation. Though it is not service impacting, it may increase

load of the system and it was decided to cover this message under traceoptions in

order to optimize system performance. PR1047564

• dcd will crash if targeted-distribution applied to ge ifd via dynamic-profile. PR1054145

• During subscriber login/logout the following error log might occur on the device

configured with GRES/NSR. /kernel: if_process_obj_index: Zero length TLV! /kernel:

if_pfe: Zero length TLV (pp0.1073751222). PR1058958

• For Junos OS Release 13.3R1 and later, after multiple (for example, 26) iterations of

gracefulRoutingEngine switchover (GRES), theTNPaddressofmanagement interface

might be deleted incorrectly during switchover, this leads to all FPCs to be offline.

PR1060764


Resolved Issues






• After removing a child link from AE bundle, in the output of "show interface <AE>

detail", the packets count on the remaining child link spikes, then if add back the

previous child link, the count recovers to normal. PR1091425

• During failure notification state machine, CFM does not correctly transit from DEFECT

CLEARINGstate toRESETonce theerror indicationhasbeencleared.Asaconsequence,

all the forthcoming errorswill be consideredpost errors andwill be reported right away

without incurring the fngAlarmTime. This is a cosmetic problem. PR1096346

• On PB-2OC12-ATM2-SMIR PIC, port 0 and port 1 are configured with clock source as

external, if Loss of signal (LOS) is inserted on port 0, the port 0 will be down, the

expected behavior is clock being used from port 1. But in this case, port 0 down will

results inport 1 flappingand reportingSONETphase lock loop(PLL)errors.PR1098540

• Due to the fact that the error injection rate configured by user on Routing Engine via

CLI command "bert-error-rate" may not be programmed in the hardware register, the

PE-4CHOC3-CE-SFP, PB-4CHOC3-CE-SFP, MIC-3D-4COC3-1COC12-CE, and

MIC-4COC3-1COC12-CE-Hmay fail to inject bit errors during a Bit Error Ratio Test

(BERT). PR1102630

• OnMPC-3D-16XGE-SFPP line card, when an optics (for example, 10G-LR-SFP) is

disabled and then enabled administratively, if the SFP is not temperature tolerant

(non-NEBS compliant), the TX laser may not be turned on due to the fact that the

chassisprocess (chassisd)maykeepsending the"disable-non-nebs-optics"command

to the optics if the current temperature of FPC reaches the threshold temperature.

PR1107242

• OnMX Series platform, continuous error messages might be seen on the MICs (for

10G/40G/100GMICs) fromMIC3 onwards (listed as below) when physical interface

(IFD) settings are pushed (e.g. booting the MPC). Based on the current observation,

the issue may not have any operational impact and the MICs that may encounter this

issueare listedasbelow, - 10GMICs:MIC3-3D-10XGE-SFPP,MIC6-10G,MIC6-10G-OTN,

- 40GMICs: MIC3-3D-2X40GE-QSFPP, - 100GMICs: MIC3-3D-1X100GE-CFP,

MIC3-3D-1X100GE-CXP, MIC6-100G-CXP, MIC6-100G-CFP2. PR1108769

Layer 2 Features

• With scaled subscribers connected, restarting one of MPCsmight cause subscribers

unable to log in for about 2 minutes. PR1099237

• Inascenario thatBGPbasedVPLSstitchingwithL2circuit,with "pseudowire-status-tlv"

configured under L2circuit's mesh-group, if L2circuit neighbor does not configure

"pseudowire-status-tlv", then status of "Negotiated PW status TLV" of VPLS

connection is "NO", this will cause BGP based VPLS connection can not up even the

L2circuit is up. PR1108208

MPLS

• InResourceReservationProtocol (RSVP)environment, if CoS-BasedForwarding (CBF)

for per LSP (that filter out traffic not related to that LSP) is configured, and either the

feature fast-reroute or link-protection is used on the device, when the primary link is

down (for example, turning off the laser of the link), due to some next hops of the

traffic may be deleted or reassigned to different class of traffic, and the RSVP local











repairmay fail to processmore than 200LSPs at one time, the trafficmay get dropped

by the filter on the device before the new next hop is installed. In this situation, the

feature (fast rerouteor linkprotection)may take longer time (for example, 1.5 seconds)

to function and the traffic loss might be seen at the meantime. In addition, the issue

may not be seen if the CBF for per LSP is not configured on the device. PR1048109

• Junkcharactersarebeingdisplayed inoutputof showconnectionsextensivecommand.

PR1081678


• All inline-services do not work for large FPC slot numbers on MX2020. It is due to

generic issue in receiving packets. The egress Packet Forwarding Engine instance was

chosen incorrectly. PR1012222

• VRRP advertisements might be dropped after enable delegate-processing on the

logical tunnel (lt) interface. It would result in VRRPmaster state observed on both

routers. PR1073090

• OnMXSeries-basedplatform,when learning theMACaddress fromthepseudo logical

interface (for example, label-switched interface), if the MAC address is aged out in

source FPC where the MAC got learnt, due to the delay (around 2 to 3milliseconds)

of MAC address deleting message processed in the source FPC and the egress FPC

(destination FPC of the traffic), the MAC addressmay be deleted first from the egress

Packet Forwarding Engine but get added again during these 2-3 milliseconds time

intervals (as these is continuous traffic coming on egress FPC destined to this MAC,

the MAC query is generated and send to Routing Engine and source FPC, since source

FPC has not yet processed the MAC deletedmessage, it sends the response, so stale

MACwill get added on the egress Packet Forwarding Engine), in this situation, no L2

flooding would occur for the "unknown" unicast (since the MAC address is present on

the egress Packet Forwarding Engine). PR1081881

• IfwithbothMPC/MSDPCandother typeofDPCsequipped, for local switchingatmesh

group level, split horizon on PW interfaces won't work and this would cause packets

to loop back to same PW interface. PR1084130

• In Junos OS Releases 13.3R3, 14.1R1, 14.2R1, there is a new feature, an extra TLV term

is added to accommodate the default action for the "next-interface" when the

correspondingnext-interface isdown.Whiledoingaunified ISSUfroman imagewithout

the feature to an image with this feature, all MPCsmight crash. PR1085357

• OnMX Series router, if ifl (logical interface) is configured with VID of 0 and parent ifd

(physical interface) with native-vlan-id of 0, when sending L2 traffic received on the

ifl to Routing Engine, the VID 0will not be imposed, causing the frames to get dropped

at Routing Engine. PR1090718

• OnMX2020/2010 router, anSPMBcore filewill be seen if therearebadXFchips (fabric

chip) on SFB, which might trigger Routing Engine/CB switchover. PR1096455

• OnMXSeries-basedplatform,when the typeof the IPv6 traffic is non-TCPor non-UDP

(for example, next header field is GRE or No Next Header for IPv6), if the traffic rate is

high (for instance, higher than 3.5Mpps), the packet re-orderingmayoccur.PR1098776


Resolved Issues











• OnMX Series-based line cards, when the prefix-length is modified from higher value

to lower value for an existing prefix-action, heap gets corrupted. Due to this corruption,

the FPCmight crash anytime when further configurations are added/deleted. The

following operations might be considered as a workaround: Step 1. Delete the existing

prefix-action and commit Step 2. Then re-create the prefix-action with newer

prefix-length PR1098870

• In an MPLS L3VPN network with a dual-homed CE router connected to different PE

routers, a protectionpath shouldbeconfiguredbetween theCE router andanalternate

PE router to protect the best path. When BFD is enabled on the BGP session between

the CE and the primary PE router, with local traffic flowing from another CE connected

with the primary PE to this CE, after bringing down the interface on the best path, the

local repairwill be triggeredbyBFDsessiondown, but itmight fail due to a timing issue.

This will cause slow converge and unexpected traffic drop. PR1098961

• Under large-scale setup, VPLSMACmight not be aged-out from remote-Packet

Forwarding Engine when local-Packet Forwarding Engine is

MPC3/MPC4/MPC3E/MPC4E, then unknown-unicast frames flood will be seen on

local Packet Forwarding Engine. PR1099253

• When BFD or VRRP is running on amulti LU (lookup chip) Packet Forwarding Engine

(such as MPC3 or MPC4), some incoming BFD or VRRP packets might be incorrectly

evaluated by a firewall filter configured on a loopback interface of a different logical

systemor routing instance.Therefore, packetsmightbeunexpectedlydiscarded leading

to session/mastership flaps. PR1099608

• OnMX Series-based platform, before creating a new unilist nexthop, there is a check

to see if there is at least 512k DoubleWords (DW) free. So, even the attempting NH

requires only a small amount of memory (for example, < 100 DWs), if there is no such

enough free DWs (that is, 512k), the checkwill fail and the end result is that the control

plane will quit adding this NH prematurely - stopping at ~80% of capacity. With the

fix, it will check for 64k free DWswhich is lower reference watermark for available

resource, thereby ensuring that can allocate resource. PR1099753

• Large scaled inline BFD session (in this case, 6000 inline BFD sessions) are loaded

with theminimum-interval value 50ms. If FPC restarts, someBFD sessionsmight flap.

PR1102116

• OnMPC3E/MPC4E line card, when the feature "flow-detection" is enabled (under

"ddos-protection" hierarchy), if suspicious control flow is received, two issues may

occur on the device: Issue 1: sometimes, the suspicious control flowmay not get

detected on the line cards Issue 2: once the suspicious control flows are detected, they

may never time out even if the corresponding packets stop. PR1102997

• On T4000 platformwith FPC Type-5 equipped, after performing unified ISSU, due to

the fact that only 6 out of 16 temperature sensors may get initialized, the temperature

reading for the line card may be shown as "Absent". PR1104240

• Any configuration or logical interface (IFL) change will introduce 160 bytes memory

leak onMPC heapmemorywhenwe have any type of inline sampling configured (ipfix

or version 9). Only trigger of issue is the configuration of inline sampling, even without

traffic being sampled. The leak is more evident in a subscriber management scenario











whenwehavemany IFLaddition/deletion.RebootingMPC inacontrolledmaintenance

window is the only way to restore memory. PR1105644

• OnMX Series-based platform, in MX Series Virtual Chassis (MXVC) environment, if

the subscriber logical interface (IFL) index65793 is created (for example,whencarrying

15K DHCPv4 subscribers to exceed IFL index creation 65793) and the IEEE 802.1p

rewrite rule is configured (for example, using CoS rewrite rules for host outbound

traffic), due tousageof incorrect IFL index, theVirtualChassisControlProtocolDaemon

(vccpd) packets (for example, Hello packets) transmission may get lost on all VC

interfaces, which may lead to VC decouple (split brain state, where the cluster breaks

into separate parts). As a workaround, either delete the rewrite rule (delete

class-of-service host-outbound-traffic ieee-802.1 rewrite-rules), or find the IFL in jnh

packet trace that is not completing the vccpd send to other chassis and at Routing

Engine clearing that subscriber interface may resolve the issue. PR1105929

• When "shared-bandwidth-policer" is configured with aggregate Ethernet (AE) has

more than onemember link on the same Packet Forwarding Engine and the policer is

configuredwith "physical-interface-policer" configuration statement, if reconfiguration

occurs (for example, adding/deleting new logical units, logical interface flap...), Packet

Forwarding Engine may problemwrong policer during this reconfiguration process,

which could ultimately lead to unexpected packet drop/loss within the referenced

wrong shared policer. PR1106654

• When a common scheduler is shared bymultiple scheduler maps which applies to

differentVLANsofanAggregatedEthernet (AE) interface, if theconfigurationstatement

"member-link-scheduler" is configured as "scale", for some VLANs, the scheduler

parametersare incorrectly scaledamongAEmember links.Asaworkaround,weshould

explicitly configure different schedulers under the scheduler maps. PR1107013

• Due to a software defect found in 13.3R7.3 and 14.1R5.4 inclusively, Juniper Networks

strongly discourage the use of Junos OS software version 13.3R7.3 on routers with

MQ-based MPC. This includes MX Series with MPC1, MPC2; all mid-range MX Series.

PR1108826

• DHCPEndoptions (option255) ismissingbyDHCP-relayagent (where20bytesDHCP

options82 inserted) for clientDHCPdiscovermessagewith 19bytespadding.PR1110939

• OnMX Series-based FPC, when MPLS-labled fragmented IPv6 packets arriving at PE

router (usually seen in 6PE and 6VPE scenario), the Packet Forwarding Engine might

mistakenly detect such IPv6 header and then drop these packets as "L3 incompletes"

in the output of "show interface extensive". PR1117064

• OnMXSerieswithMPCs/MICs based line card, the firewall filtermay have some issues

whenmatchingonAuthenticationHeader (AH)protocol. This canaffectVRRP(among

others) when authentication is used, and an Routing Engine firewall filter is matching

on protocol AH. As a workaround, we can change the filter to match on other criteria

(e.g. source or destination address). PR1118824


Resolved Issues










• On the platform that M7i/M10i with enhanced CFEB, M320 with E3-FPC, M120, and

MXwith DPC, when the flood filter is configured in VPLS instance on the Packet

ForwardingEngine, if thePacketForwardingEngine receivesa filter change(forexample,

FPC rebootoccurandcomesup), the linecardmay fail toprogramthe filter.PR1099257

Routing Protocols

• In BGP environment, when configuring RIB copy of routes from primary routing table

to secondary routing table (for example, by using theCLI command "import-rib [ inet.0

XX.inet.0]") and if the second route-table's instance is type "forwarding", due to the

BGP routes in secondary routing table may get deleted and not correctly re-created,

the routes may be gone on every commit (even commit of unrelated changes). As a

workaround, for re-creating theBGP routes in secondary route table, useCLI command

"commit full" to make configuration changes. PR1093317

• With this change, the default label hold timer was increased for 10 seconds to 60

seconds. PR1093638

• When a BGP session supports multiple address families, the inactive route of some of

the address families might not be flushed correctly, leading to wrong behaviors for

some of the features which need to advertise inactive routes(e.g. advertise-inactive,

advertise-external, optimal-route-reflection, etc). PR1097297

• When polling SNMPOID isisPacketCounterTable 1.3.6.1.2.1.138.1.5.3, the rpd process

might crash. PR1101080


• When an MX Series router configured as an LNS sends an Access-Request message

toRADIUS for anLNSsubscriber, theLNSnow includes theCalled-Station-ID-Attribute

when it receives AVP 21 in the ICRQmessage from the LAC. PR790035

• With scaling Layer 2 Tunneling Protocol (L2TP) sessions (for example, 128k sessions),

when executing L2TP "show" command in one terminal and "clear" command in

another terminal simultaneously, pressingCtrl-Cor closing the terminal onone terminal

might cause the jl2tpd process to crash. PR1063207

• Withmajority of L2TP subscribers login with invalid credentials (75% of new login

requests are invalid), low call setup rate (CSR) will be observed for the good login

attempt subscribers. PR1079081

• OnM Series platform, in Layer 2 Tunneling Protocol (L2TP) network server (LNS)

environment, not all attributes (Missing NAS-Identifier, NAS-Port-Type, Service-Type,

Framed-Protocol attributes) within Accounting-Request packet are sending to the

RADIUS server. PR1095315

• SIP one way audio calls when using X-Lite SIP Softphone, in case that SIP media is

switched to another media gateway though a SIP RE-Invite message PR1112307














• Add "on <host>" argument to "request system software validate" to allow validation

on a remote host/Routing Engine running Junos OS. PR1066150


• If authentication-order is configured as none under access profile and domain-name

servers (DNS) are configured locally under access profile, then the subscriberwill login

but will not get DNS addresses which were configured locally. PR1079691

• In scaled DHCP subscribers environment, the authd processmight crash and generate

a core file after clearing DHCP binding or logout subscribers. PR1094674

VPNs

• In Internet multicast over an MPLS network by using next-generation Layer 3 VPN

multicast (NG-MVPN) environment, when rib-groups are configured to use inet.2 as

RPF rib for Global Table Multicast (GTM, internet multicast) instance, the ingress PE

may fail to add P-tunnel as downstream even after receiving BGP type-7 routes. In

addition, this issue only affects GTM. PR1104676

















Resolved Issues






• When the egress rewrite rules are assigning to both the underlying interface and the

subscriber interface, the rewrite rule applied to the underlying interface may take

precedence and the priority values are applied as set at that level, which is wrong. The

rewrite rule applied to the subscriber interface should take effect over the underlying

interface. PR1058372

• Forwarding class accounting stops working after Routing Engine switchover. This

behavior has been corrected in Releases 13.3X2,13.3R6, 13.3R7, 14.1R5, 14.2R3, and 15.1.

Issue comes when MPC reboots for any reason with forwarding-class-accounting

configured on AE/AS interface. In forwarding-class-accounting feature, counters are

allocated based on number of forwarding classes configured in MPC. In error case on

MPC reboot, AE interface is getting createdbefore themessage for configuring number

of forwarding classes in MPC comes. As a result, while enabling

forwarding-class-accounting feature on AE interface, number of forwarding classes

value in MPC is 0, and counters are not allocated causing issue. Cause: Race condition

whenonMPC rebootAE interface getting createdbefore number of forwarding classes

areconfigured. Fix:Whennumberof forwardingclassesaresetafterMPCreboot, check

for any AE interface with forwarding-class-accounting configured and reprogram it.

PR1060637

• Add chassis schedulermap support on gr interface onMS-PIC, whichmeans therewill

be no commit error if scheduler-map-chassis is applied on gr interface. PR1066735

• 1. With "hierarchical-scheduler" configured at IFD level 2. Under class-of-service

hierarchy "output traffic control profile" configured at "interface-set" as well as IFD

level, for the same IFD/IFL. With the above two conditions met, when a Junos OS

upgrade is performed on a dual Routing Engine system, the configuration validation

check would fail on the Routing Engine that is upgraded later with the following error

message. Error message: "cannot configure a traffic control profile for this ifl when a

parent has a traffic control profile that references a scheduler map: ifl xe-11/0/0.5000

refers to traffic-control-profile TCP_PE-CE_30M. It is also amember of interface set

xe-11/0/0_OTag=80whichhas traffic-control-profileTCP_PE-CE_80Mwhich references

scheduler-mapSM_PE-CE"conditon-1: lab-re1>showconfiguration interfacesxe-11/0/0

{ hierarchical-scheduler; <<< Condition-2: lab-re1> show configuration interfaces

interface-set xe-11/0/0_OTag=80 { interface xe-11/0/0 { <...>; } } lab-re1> show

configuration class-of-service interfaces interface-set xe-11/0/0_OTag=80 {

output-traffic-control-profile TCP_PE-CE_80M; <<< } <..> xe-11/0/0 {

output-traffic-control-profile TCP_Maxbuff; unit 5000 { output-traffic-control-profile

TCP_PE-CE_30M <<< } } PR1069477

• Starting from Junos OS Release 12.3R1, on MX Series platform configured for IP

network-services (default) and with MS-DPC/Tunnel-Interface, virtual-tunnel (vt)

interfaces are created automatically to support ultimate-hop-popping upon enabling

"protocol rsvp". These interfaces are associated with default IP and MPLS classifiers

along with MPLS re-write rule. When "protocol rsvp" is disabled/enabled or

MS-DPC/FPC(with tunnel-service) restarts, the vt interfacesaredeletedand re-added

to the system. However during the deletion, these interfaces are not getting released

from cosd process and thus leads to memory leak in cosd. PR1071349









• OnMX Series platform, when deleting firewall filter and the routing instance it is

attached to, in some race conditions, the filter might not be deleted and remains in

resolved state indefinitely. PR937258

• OID .1.3.6.1.2.1.2.2.1.2 stops respondingafter upgrading JunosOS from11.4X27 to 13.3R5.9.

PR1072841

• In some rare cases, SNMPmight get Output bytes of Local statistics instead of the

Traffic statisticswhen retrievingOutput bytes of Traffic statistics on a logical interface.

PR1083246

• In rare cases, SSHor telnet trafficmight hit incorrect filter related toSCU (SourceClass

Usage) due to the defect in kernel filter match. This issue comes when the filter has

match condition on source class ID. PR1089382

General Routing

• Changing the static route configuration from next-hop to qualified-next-hopmight

result in static route getting missed from the routing table. Restarting routing process

can bring back the routes but with the rpd core. PR827727

• In the large scaled dual stack PPPoE subscribers environment (in this case, 16k dual

stack PPPoE subscribers), when IPv6 router-advertisement is configured for common

edge IPv6 subscribers, if flapping dual stack PPPoE subscribers multiple times, in rare

condition the rpd process might crash. The routing protocols are impacted and traffic

disruption will be seen due to loss of routing information. PR934081

• On dual Routing Engine platforms, after performing unified graceful Routing Engine

switchover (GRES) with 8K subscribers, the ksyncd process may crash due to the

replication error on a next hop change operation. The issue is hit when there'smemory

pressure condition on the Routing Engine and in that case, it may lead to null pointer

de-reference and ksyncd crash. Or in some case, the kernel on the newmaster Routing

Enginemight crash after Routing Engine switchover if Routing Engine is undermemory

pressure due to missing null check when trying to add a next hop and the next hop is

not found at the time. PR942524

• In point-to-point (P2P)SONET/SDH interfaceenvironment, there is adestination route

with this interface as next-hop. When this interface is disabled, the destination route

is still kept in the forwarding table andmight cause ping fails with "Can't assign

requested address" error. PR984623

• 'gratuitous-arp-on-ifup' shouldsendagratuitousarponeachunitofaphysical interface,

but inRelease 12.3 and later versions, only the first unit is seeing theconfiguredbehavior.

PR986262

• When there are no services configured, datapath-traced daemon is not running. In the

PIC, the plugin continues to try for the connection and continuous connection failure

logs are seen. PR1003714

• Whenever the logical tunnel (lt-) interfacewith IPv6 family configured goes down and

comes up upon hardware initialization (MPC/FPC replacement/reboot or chassis

reboot), due to Duplicate Address Detection (DAD) functionality not being performed


Resolved Issues











for the logical interface (IFL) up/down event, the "lt-" interface may get stuck in

"tentative" state and thus IPv6 traffic cannot pass over it. PR1006203

• A raw IP packet with invalid Memory Buffer(mbuf) length may trigger a kernel crash.

The invalid mbuf length might be set by other daemons incorrectly. PR1006320

• DuringWAN Link flaps , ASIC streams in the Packet Forwarding Engines are

disabled/enabled on the fly when traffic is inflight. This is normal and will result in the

Cell drops, PKTR ICELL signature errors, and SLOUT errors. However under certain rare

conditions, Lout IP -Pkt Len Mismatch error is observed which sometimes triggers

automatic restart of the FPC. On TXP, TXP-3D in FPC Type 4-ES can experience

automatic restart during wan interface flaps. PR1013522

• Configuring a routing policy with the "no-route-localize" option to ensure that the

routes matching a specified filter are installed on the FIB-remote Packet Forwarding

Engines , after removing the routing policy and changing the next-hop for the routes,

the previously installed routes using "no-route-localize" policy will not get removed

fromPFE 1 but will fromPFE 0 on the same FPC. Then traffic received on PFE 1 will not

forward received packets to the FIB-local Packet Forwarding Engines to perform full

IP table lookup but using the staled routes instead. This situation does also apply if

the interface is getting disabled. If traffic destined to the local-address is still received

on PFE 1, those stale route lookup entries might have incorrect entries andmight lead

tooneof the followingpossible symptoms. fpc1 RCHIP(1): 8Multicast list discard route

entries fpc1 Packet Forwarding Engine: Detected error nexthop: fpc1 RCHIP(1): RKME

int_status 0x10000000 RKME and Detected error nexthop will per default will trigger

a FPC restart PR1027106

• OnMPC5E line card, if a firewall filter with large-scale terms (more than 1300 etc.) is

attached to an interface, traffic dropmight be seen. PR1027516

• On the Type 5 PIC, when the "hold-time down" of the interface is configured less than

2 seconds and the loss of signal (LOS) is set and cleared repeatedly in a short period

(for example, performing ring path switchover within 50ms), the "hold-time down"

may fail to keep the interface in "up"statewithin theconfigured timeperiod.PR1032272

• OnMX Series router with MPC3E/MPC4E/MPC5E/MPC6E or T4000with FPC type 5,

when these cards are processing packets in size between 133B-148B, in some very

corner cases, traffic blackhole might be seen. PR1042742

• When querying specific entries of the JUNIPER-SUBSCRIBER-MIB, memory leak may

occur on the smihelperdprocesswhichprovides thenecessary informationoverSNMP.

PR1048469

• In the PPP dual-stack subscribers environment, in rare condition, if bringing up 1000

dual-stack subscribers quickly, the PPP negotiation might fail. Then PPP retries

negotiation, all subscribers fully establish. PR1050415

• OnMXSeries routers, the interrupt-drivenbasis linkdowndetection (an interrupt-driven

link-down notification is generated to trigger locally attached systems to declare the

interface down within a fewmilliseconds of failure) may fail after performing unified

in-service software upgrade (ISSU). The interrupt might have been prevented after

performing unified ISSU due to disabling the interrupt registers before unified ISSU,

but never restored after. PR1059098













• In an IPsec load-balancing environment using MS-MPC cards, the ICMP request and

ICMP reply can go through two different IPsec tunnels due to asymmetric routing; that

is, ICMP request goes through one PIC, and ICMP reply goes through another PIC.

Because of this, the ICMP reply will get dropped and never reach the other side of the

IPsec tunnel. PR1059940

• Due to incomplete fix, in releases containing PR869773 fix, rate limit drops are seen

for Ingress queuing even though rate-limit is not configured or supported for ingress.

PR1061256

• If Bidirectional Forwarding Detection (BFD) protocol is enabled via site-to-site IPsec

tunnel, the BFD session may fail to come up. It is because, when the BFD protocol is

trying to exchange the packet via IPsec tunnel, the value of the TTL in inner IP header

for packet may be decremented, hence the BFD packet gets dropped on the peer side

and no BFD session would come up. PR1061342

• With inline L2TP IP reassembly feature configured, the MX Series routers with

MPCs/MICs might crash due to amemory allocation issue. PR1061929

• If a subscriber-facing AE interface has child links which spread over multiple Packet

Forwarding Engines on a single FPC, when subscribers attempt to login, "LUCHIP

Congestion Detected" error messages will be seen periodically and there might be

some potential forwarding issues for subscribers. PR1069292

• If there are application-sets matching conditions in the NAT rule, NAT port might leak

after deleting applications under application-set in live network. PR1069642

• In subscriber management environment, changing the system time to the past (for

example, overoneday)maycause thedaemons (for example, pppoed, andautoconfd)

that use the time to become unresponsive. PR1070939

• Higher baseline CPU utilization and periodic CPU spikes might be seen on MX-based

MPC as compared to MPC-3D-16XGE-SFPP cards due to following reasons: On

MX-based MPC, low priority threads that monitor various things in the background on

a periodic basis such as voltage, temperature, stats counters, hardware status, and so

on are exited. When the system is idle these threads are allowed to take more of the

load and that is why higher baseline CPU/CPU spikes are seen. This does not prevent

other higher priority threads from running when they have to, as these are non-critical

activitiesbeingdone in thebackgroundandhence is anon-impacting issue.PR1071408

• The dfwd processmight crashwhen kernelmessages for objects such as IFL or IFF are

sent to the dfwd process soon after its dynamic profile delete request. This is a race

condition. PR1074068

• During unified ISSU on MX-VC working as an LAC, few HELLO packets from LNSwill

go unanswered, which might cause L2TP tunnel to get torn down. PR1074991

• In scaledsubscribermanagementenvironment (for example, 3.2KPPPoEsubscribers),

after heavy login/logout, the session setup rate keeps decreasing and also PAP-NAK

messages are sent with "unknown terminate code". This continues till Broadband

NetworkGateway(BNG)doesnotacceptPPPsessionsandall newly incomingsessions

are stuck in PAP Authentication phase (No PAP ACK received). PR1075338


Resolved Issues












• For Network Address Translation (NAT), Traffic Detection Function (TDF), or IPsec

service configured on MX Series platformwith MS-MPC/MS-MIC, the received

fragmented IPv4/IPv6 packets will be re-assembled and sent out. Under scaled

environment, the mspmand process might crash while MS-MPC/MS-MIC is under

process of assembling the fragmented packets. PR1075454

• When a router with AMS infrastructure has MAC flow control enabled, the continuous

fragmented packetsmight crash theNPUandmspmandprocess (whichmanages the

Multi-Services PIC). PR1076033

• If RTSP(RealTimeStreamingProtocol)ALGhasbeenconfigured,MS-MICmight crash

with core-file in scaled application layer traffic environment. PR1076573

• OnMXSeries, theCLI command set interfaces interface-namespeedauto-10m-100m

is not supported. PR1077020

• In subscriber management environment, the PPP daemon (jpppd) might crash

repeatedly due to amemory double-free issue. PR1079511

• The "inactivity-timeout" configuration statement under the [edit applications

applicationapplication-name]hierarchydoesnot takeeffect forTCP-basedprotocols.

PR1080464

• The rpd process might crash on both master and backup Routing Engines when a

routing instance is deleted from configuration if the routing instance is cleaned up

before the interface delete is received from device control daemon (dcd). This is a rare

timing issue. PR1083655

• OTN based SNMP Traps such as jnxFruNotifOperStatus and

jnxIfOtnNotificationOperStatus are raised by offline/online MIC although no OTN

interface is provisioned PR1084602

• In some rare conditions, depending on the order in which configuration steps were

performed or the order in which hardware modules were inserted or activated, if PTP

master and PTP slave are configured on different MPCs on MX Series router acting as

BC, itmight happen that clock is not properly propagated betweenMPCs. This PR fixes

this issue. PR1085994

• Log reports "LUCHIP(0) RMC 0 Uncorrectable ECC 0x6db6db6d6db6db6d" and

"PLCT INT_STAT0x00000001 InvalidDMEMAddress". TheFPCmay loseconnections

and need to be rebooted to clear the condition. PR1086557

• Wrong ESH checksum computation with non-zero Ethernet Padding in Juniper MX

Series router. PR1091396

Infrastructure

• On all Junos OS platforms, when the gstatd triggers false positives, this would result

in unnecessary Routing Engine switchover. Thus a configuration option is added to

prevent gstatd from initiating a Routing Engine unnecessary switchover or a Routing

Engine relinquishing themastership. FollowingErrormessagesareexpected tobeseen:

gstatd: [ad2] average write duration of 1021.34 crossed threshold of 1000.00 /kernel:

mastership: routing engine 1 relinquishing as master: voluntarily requested. PR1024515















• When the Ethernet Link Fault Management (LFM) action profile is configured, if there

are some errors (refer to the configuration, for example, frame errors or symbol errors)

happening in the past (even a long past), due to the improper handling of error stats

fetching fromkernel, the LFMprocess (lfmd)may generate false event PDUs and send

the false alarm to the peer device. PR1077778


• Multicast traffic may not be forwarded to the "Downstream Neighbors" as reported

by the command "show pim join extensive". There can be occasions where this traffic

is blackholed and not forwarded as expected. Alternatively, there may be an occasion

where multicast traffic is internally replicated infinitely, causing one or more of the

"Downstream Neighbors" to receive multicast traffic at line rate. PR944773

• PR fix corrected jnxoptIfOTNPMFECIntervalTimeStamp, jnxPMIntTimeStamp, and

jnxoptIfOTNPMIntervalTimeStamp reporting incorrect values around sytem-local

midnight time as reported in PR 1065110. It also corrected the “SNMP PM Interval -

incomplete date and time format without UTC offset”. PR946014

• OnMX Series based line cards, in virtual private LAN service (VPLS) environment, the

next hop in the kernel allocated by connectivity-fault management process (cfmd)

may not be freed even after the CFM session has been removed (for example,

deactivating the routing-instance). In this situation, after re-activating the

routing-instance, the interfacewithin the routing instancewould fail tocomeupbecause

the nexthop is not freed by the cfmd application and hence the VPLS connection is

down. PR1000060

• On standalone T Series router or TX platform, during Routing Engine rebooting, a bad

(or busy) I2C device on Switch Interface Board (SIB) might cause Switch Processor

MezzanineBoard (SPMB) tocrash.Pleasenote theTXPplatformmightalsoexperience

same issue due the bad I2C, and it has been addressed in another PR, which has been

fixed in Junos OS Releases 13.1R5, 13.2R6, 13.3R1, 13.3R4, 14.1R3, 14.2R1, and 15.1R1.

PR1010505

• In Virtual Router Redundancy Protocol (VRRP) environment, after restarting the FPC,

due to the Router Advertisement (RA) deletion is being incorrectly sent to routing

protocol process (rpd) by VRRP process, the ICMPv6may not be activated on the

corresponding interfaces on the router that is acting as the master. In this case, no RA

message could be sent out. PR1051227

• There is amismatch inmac statistics, few framesgounaccounted. This is a day-1 issue.

With the software fetching ofmac statistics, the snap and clear bits were set together

on pm3393 chip driver software, so it used to so happen that even before the copy of

stats to shadow registers happened, clear was happening which used to go

unaccounted. Now rollover mechanism has been implemented and tested for 2

continuous days and everything is fine. PR1056232

• WhenadynamicPPPoEsubscriberwith targeted-distributionconfiguredonadynamic

vlan demux interface over aggregated Ethernet, the device control daemon (dcd)

processmight crash during a commit if the vlan demux hasmistakenly been removed.

The end users can'not go to the Internet after the crash. This is a rare issue and not

easy to be reproduced. PR1056675


Resolved Issues









• It is observed that the syslogmessages related to kernel andPacket ForwardingEngine

may get generated at an excessive rate, especially in subscriber management

environment. Most of thesemessagesmay appear repeatedly, for example,more than

1.5 million messages may get recorded in 2 hours, and there are only 140 unique

messages. Besides, these messages are worthless during normal operation and due

to the excessive rate of log generation, high Routing Engine CPU consumption (for

example, RoutingEngineCPUutilization canbe stuckat 100%for a long time (minutes

or hours), it depends on the activity of subscribers (frequency of logins and logouts)

and on the AI scripts used by the customer) by event process (eventd) might be

observed on the device. PR1056680

• OnMX Series platform, when ACI VLAN interface sets are configured for PPPoE

subscribers, PPPoE process (pppoed) crashmay occur during PPPoE control packet

processing when the ACI VLAN interface set needs to be created. If this pppoed crash

is seen, then theACI VLAN interface setwill not be created andPPPoE subscriber login

will not make progress. There is no workaround for this issue and an upgrade to a

release that includes the fix for this PR is recommended. PR1057343

• In Multichassis link aggregation groups (MC-LAGs) environment, the MC-LAG peers

have theMACandport information and can forward the traffic appropriately. If a single

VLAN on ICL interface ismodified to a different VLAN, and then the administrator rolls

back the VLAN configuration to the original one, the remoteMACmight be stuck in the

"Pending" state and not be installed in the bridge MAC-table, which causes the traffic

forwarding to be affected. PR1059453

• In scaling PPP subscriber environment, when the device is under a high load condition

(for example, high CPU utilization with 90% and above), the long delay in session

timeout may occur. In this situation, the device may fail to terminate the subscriber

session (PPPor PPPoE) immediately after three LinkControl Protocol (LCP) keepalive

packets are missed. As a result, subscriber fails in reconnect due to old PPP session

and corresponding Access-Internal route are still active for some time. In addition to

this, it is observed that the server is still sending KA packets after the session timed

out. PR1060704

• OnMX Series routers, INET MTU (PPP payload MTU, that is IP header plus data

excluding any L2 overhead) is being set to lowest MRU of either MX (local device) or

peer. This behavior is not inline with ERX behavior, which is set tomin(local MTU, peer

MRU). This might cause the packet drops in the customer network in the downstream

path. PR1061155

• Error message is continuously logged every second after a particular copper-SFP

[P/N:740-013111] is plugged into a disabled port on MIC. ***** error message ****

mic_sfp_phy_program_phy: ge-*/*/* - Fail to init PHY link mic_periodic_raw: MIC(*/*)

- Error in PHY periodic function PQ3_IIC(WR): no target ack on byte 0 (wait spins 2)

PQ3_IIC(WR): I/O error (i2c_stat=0xa3, i2c_ctl[1]=0xb0, bus_addr=0x56)

mic_i2c_reg_set - write fails with bus 86 reg 29mic_sfp_phy_write:MIC(*/*) - Failed to

write SFP PHY link 0, loc 29mic_sfp_phy_mdio_sgmii_lnk_op: Failed to write: ifd = 140

ge-*/*/*, phy_addr: 0, phy_reg: 29 ala88e1111_reg_write: Failed (20) to write register:

phy_addr 0x0, reg 0x1d Fails in function ala88e1111_link_init PR1066951









• In PPPoE over AE subscribers management scenario, if "targeted-distribution" is

enabled for subscribers IFL, the dcd process might crash and reboot when try to

deactivate the AE interface. PR1067062

• OnMX Series Virtual Chassis (MX-VC) platform, due to a timing issue, the physical

interface (ifd) on the sameModular Interface Card (MIC) with Virtual Chassis port

(VCP)might not be created or take a very long time to be created after reboot the

hosted Modular Port Concentrator (MPC). PR1080032

• The VRRP preempt hold time is not being honored during NTP time sync and system

time is changed. PR1086230

• When an interface onSFPPmodule inMIC is set to disabled, after pulling out the SFPP

and then inserting it, the remote direct connected interfacemight get up unexpectedly.

PR1090285

Layer 2 Features

• The routingprotocolprocess (rpd)mightcrashunderaconditionwhentheconfiguration

statement "bum-hashing" is added and deleted frequently. PR936678

• If the ppmd does not send replies to lacpd's periodic request to gather port statistics,

the lacpd process may crash and restart due to the process memory consumption

being slowly increased and finally reaching RLIMIT_DATA value which is 128MB.

PR1045004

• The Layer 2 Control Protocol process (l2cpd) leaks memory when interface

configuration is applied to LLDP-enabled interfaces using 'apply-groups'. Size of the

leak is ~700 bytes per commit. PR1052846

• After change the way of getting site ID of VPLS from fixed site-id to automatic-site-id

on one site while other sites are still using the fixed site-id in the network, the rpd

process might crash due to the site ID get by "automatic-site-id" may conflict to site

ID which was configured as fixed site ID on other sites. PR1054985

• There are two issues reported. The first issue is bridge domain (BD) implicit filters for

Ethernet ringprotection switching (ERPS),which control the ring automatic protection

switching (RAPS)message forwarding, might get reprogrammedwith wrong logical

interface (ifl) index after rebooting the FPC, and thus cause the device to fail to receive

any ERPSpackets. The second issue is the ERPS statemaybe stuck in the Local Signal

Failure (SF) state when an FPC having an ERP interface is rebooted. PR1070791

• LACP partner system ID is shown wrong when the AEmember link is connected to a

differentdevice,whichmightmisguidewhile troubleshooting theLAG issues.PR1075436

• OnMXSeries routers,whenconfiguring thedynamicaccess routes forDHCPsubscribers

based on the Framed-Route RADIUS attribute, the access route may be created on

the device, however, the framed routes may not be installed for subscriber interface

(under the "Family Inet Source Prefixes"). PR1083871

• MTUchange is not advised on the Ethernet ring protection (ERP) ring interfaces unless

ring is in idle condition. Changing ring interface MTUwhile ring is not in idle state may


Resolved Issues












result in change in the forwarding state of the interface and which can lead to loop in

the ring. PR1083889

• During interface flaps a high amount of TCN (Topology Change Notification) might

get propagated causing other switches to get behind due to high amount of TCN

flooding. This problem is visible after the changed done from 11.4R8 onwards which

propagates TCN BPDU immediate and not in the pace of the 2 second BPDU Hello

interval to speed up topology change propagation. The root cause is the TCNWHILE

timer of 4 seconds is always reset upon receiving TCN notifications causing the high

churn TCN propagation. PR1089580

MPLS

• WithBGPprefix-independent convergence (PIC) edge feature enabled,more thanone

BGP next-hop association will be installed in the Packet Forwarding Engine for MPLS

VPNand Internet transit traffic. Deactiving/activating the IGPprotocol (IS-IS orOSPF)

might cause thebackupsession to staydownonPacket ForwardingEngine.PR1058190

• When fast-reroute, node-link-protection, or link-protection is configured, if a Shared

Risk Link Group (SRLG) is associated with a link used by an LSP ingressing at a router,

then on deleting the SRLG configuration from the router, the SRLG entry still stays in

the SRLG table even after the re-optimization of this LSP. PR1061988

• This is a regression issue on all Junos OS operating systems related to a timing factor.

When LDP session flaps, overwhich entropy label TLV or any unknownTLV is received,

the LDP speaker might not send label withdraw for some prefixes to some neighbors.

Asa result, theseneighborswill still use stale labels for theaffectedprefixes.PR1062727

• Bypass enabled with optimize-timer will flap during every re-optimization event.

PR1066794

• WhenCSPF computes the path for node-protected bypass, it considers only the SRLG

group configured on next-hop interface along the primary path. However it does not

consider the SRLG group on next-to-next-hop interface to adequately provide diverse

path between primary and node-protected bypass. PR1068197

• When a primary LSP gets re-routed due to better metric, Link/Node protection for this

LSP is expected to come up within 7 seconds provided the bypass-lsp protecting the

next-hop link/node is already available. However in some corner cases, the Link/Node

protection for re-routed primary LSP will not come up within 7 seconds even with

bypass-lsp availability. The PR fixes this issue and reduces the delay of associating

bypass-lsp with primary-lsp from 7 seconds to 2 seconds. PR1072781

• In scaled l2circuits environment, the rpd processmight crash due to a corruption in the

LDP binding database. PR1074145

• In race conditions, the rpd process on backup Routing Engine might crash when BGP

routes are exported into LDP by egress-policy and configuration changes during the

rpd process synchronizing the state to backup rpd process. PR1077804


• In some raceconditionswith firewall filters change, it is possible that themib2dprocess

receives a newMX Series filter ADD event before it learns about a non-MX Series filter













DELETE event for the same filter index. Themib2d process will crash due to this.

PR1057373

• SNMPqueries for LAGMIB tableswhile LAGchild interface is flappingmaycausemib2d

grow in size and eventually crash with a core file. Mib2d will restart and recover by

itself. PR1062177


• On routers with 64-bit Junos OS, Error message generated bymountdmight be seen:

"can't delete exports for /packages/mnt/jbase: Bad address" PR991814

• This issue happens as a result of incorrect programming in Packet Forwarding Engine

whendoing configuration changes related to irb interfaceor bridge-domain.PR995202

• In EVPN scenario, MPCmay crash with core-dumpwhen any interface is deleted and

add that interface to an aggregated Ethernet bundle or changing the ESI mode from

all-active to single-active. PR1018957

• LSI logical interface input packet andbyte stats are also added to core logical interface

stats, but when the LSI logical interface goes down and the core logical interface stats

are polled, there is a dip in stats. The fix is to restore LSI logical interface stats to core

logical interface before deleting the LSI logical interface. PR1020175

• OnMX Series, recurring LMEM data errors might cause a chip wedge. PR1033660

• The Priority code point (PCP) andDrop eligible indicator (DEI) bit in 802.1Q header are

preserved while packet gets routed within the same Packet Forwarding Engine . The

expectedbehavior is resetting thePCPandDEIbitwhen thepacket is routed.PR1036756

• MSDPC-HTTP redirect stops working. PR1039849

• For aRoutingMatrix, if differentRoutingEnginemodelsareusedonswitch-cardchassis

(SCC)/switch-fabric chassis (SFC)and line-cardchassis (LCC) (for example,RE-1600

onSCC/SFCandRE-DUO-C1800onLCC),where theout-of-band(OoB)management

interfaces are named differently (for example, fxp0 on SCC/SFC Routing Engine and

em0 on LCC Routing Engine), then the OoBmanagement interface configuration for

LCC Routing Engine will not be propagated from SCC/SFC Routing Engine during

commit. PR1050743

• On theMXSeries-based line cards, if inlineNetworkAddressTranslation (NAT) service,

Generic Routing Encapsulation (GRE) tunneling and packets fragmentation are

performed on the same Packet Forwarding Engine (specifically, after NAT, the packet

go to tunnel and then to fragmentation), the fragmented packetsmay get dropped by

FTP client due to the incorrect TCP checksum of the fragmented packet. PR1051144

• Under very rare situations, Packet Forwarding Engines on the following linecards, as

well as the compact MX80/40/10/5 series, may stop forwarding transit traffic: -

16x10GEMPC - MPC1, MPC2 This occurs due to a software defect that slowly leaks

the resources necessary for packet forwarding. Interfaces handled by the Packet

Forwarding Engine under duress may exhibit incrementing 'Resource errors' in

consecutive output of 'show interfaces extensive' output. A Packet Forwarding Engine

reboot via the associated linecard or chassis reload is required to correct the condition.

PR1058197


Resolved Issues













• With the configuration "extend-size", if user loads and commits scaled configuration

(in this case, 250K Unique Prefix list policy options), then deletes the configuration

statement "extend-size", the dfwd process might crash. PR1058579

• After committing the Network Time Protocol (NTP) configuration, if the number of

routing-instances per source-address exceeds 18, it may cause NTP daemon (ntpd)

crash. In this scenario, the NTP feature may not be functional. For example there are

19 routing-instance names per source address statement in the sample configuration

below. ntp { server X.X.X.X; source-address X.X.X.X routing-instance [ X1 X2 X3 X4 X5

X6 X7 X8 X9 X10 X11 X12 X13 X14 X15 X16 X17 X18 X19 ]; (19 routing-instance names) }

PR1058614

• WhenMX Series platform acts as Virtual Extensible Local Area Network (VXLAN)

gateway, if there are multiple Packet Forwarding Engines, VXLAN packets will be

distributed to available Packet Forwarding Engines in the chassis to perform VXLAN

encapsulation/decapsulation. This is not expected (Expect behavior: VXLAN packet

processingwill be doneon the samePacket ForwardingEngine onwhich it is received).

This might result in unexpected packet drop and also overlay ping/traceroute not

working. PR1063456

• OnMX Series routers with MPCs and T4000 routers with Type 5 FPCs, the feature

"enhanced-hash-key" is configured to select data used in the hash key for enhanced

IP forwardingengines. If "type-of-service" is configuredat the [edit forwarding-options

enhanced-hash-key family inet] hierarchy level, or "traffic-class" is configured at the

[edit forwarding-options enhanced-hash-key family inet6] hierarchy level, the last

significant 2 bits of the TOS/TC bytes under the IPv4/IPv6 header are extracted

incorrectly as load-sharing input parameters, which might cause unexpected load

balancing. PR1066751

• StartTime and EndTime of the flow in inline-jflow (version 9) has future time-stamp

PR1067307

• Firewall filters which have a prefix-action cannot be configured under [edit

logical-system <name> firewall family inet] because the Packet Forwarding Engine

will not be programmed for the filter. PR1067482

• AnFPCwith interfaces configured as part of anAggregatedEthernet bundlemay crash

and reboot when the shared-bandwidth-policer is configured as part of the firewall

policer. PR1069763

• OnMXSeries routers, when using FPCwith feature inline sampling activated, memory

partition error messages andmemory leak might be observed on the FPC. In some

cases, this issue only affects sample route-records but not regular Packet Forwarding

Engine routes or next-hops. However, in the extreme case, it is also possible to cause

the Packet Forwarding Engine to fail in installing routes into forwarding next-hops and

hence traffic drop. On MX Series routers, when using FPCs, Junos OS Release 13.3R5

14.1R4 14.2R1or higher is exposed.OnT4korTXP-3D routers,whenusingFPC-3DFPC's,

Junos OS Release 14.2R1 or higher is exposed. PR1071289

• VPLS filter applied under forwarding-options might drop VPLS frame unexpectedly

when it is coming from an lt- interface. PR1071340












• When inline-sampling is enabled, in race conditions, if packet gets corrupted and the

corrupted packet length shows 0, this may cause "PPE_x Errors thread timeout error"

and eventually cause MPC card to crash. PR1072136

• After IPv6 RPM(real-time performancemonitor) support, snmp server cannot receive

someof IPv6PING-MIB info. Forexample, snmpserver receives"pingCtlRowStatus(23)"

and "pingCtlAdminStatus(8)" error and cannot get "pingResultsTable" and

"pingProbeHistoryTable" info. << example >> ** The following logs are snmp server

logs. "snmpset -v 2c -c xxxxxx" commands are used. ----pingCtlRowStatus(23) error

info. Error in packet. Reason: inconsistentValue (The set value is illegal or unsupported

in some way) Failed object:

SNMPv2-SMI::mib-2.80.1.2.1.23.7.79.87.78.69.82.95.65.6.84.69.83.84.95.65

---pingCtlAdminStatus(8) error info. Error in packet. Reason: inconsistentValue (The

set value is illegal or unsupported in some way) Failed object:

SNMPv2-SMI::mib-2.80.1.2.1.8.7.79.87.78.69.82.95.65.6.84.69.83.84.95.65 ** The

following logs are snmp server logs. "snmpwalk -v 2c -c xxxxxx" commands are used.

pingResultsTable(3) SNMPv2-SMI::mib-2.80.1.3 = No Such Object available on this

agent at this OID pingProbeHistoryTable(4) SNMPv2-SMI::mib-2.80.1.4 = No Such

Object available on this agent at this OID PR1072320

• When Integrated routing and bridging (IRB) interface is configured with Virtual Router

Redundancy Protocol (VRRP) in Layer 2 VPLS/bridge-domain, in corner cases after

interface flapping,MACfilter ff:ff:ff:ff:ff:ff is cleared fromthePacketForwardingEngine

hardware MAC table, so the IRB interfacemay drop all packets with destinations MAC

address FFFF:FFFF:FFFF (e.g. ARP packet). PR1073536

• It tries to check allotted power for all the FPCs. In the

CHASSISD_I2CS_READBACK_ERROR logs, it shows the FPCs which are not present in

chassis. It just calls i2cs_readback() to read i2c device and fails there as these FPCs

slots are blank and prints those readback errors. Also the errors are harmless:

"CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC" Code

to check 'if power has been allotted to this FPC', needs to be executed only if the FPC

is present. PR1075643

• MPC is showing the following log message and will generate a core file.

jnh_private_mem_pool_free(898):Noprivatemem_pool for0x00300000/00100000

PR1081855

• LMEM is an internal memory in LU/XL ASIC chip. It has private and shared regions for

Packet Processing Engines. LMEM data errors are very rare events caused by

environmental factors (this is not created by software). Due to a software defect, an

error in the shared LMEM region will result in corruption of critical data structures of

Packet Processing Engines that causes unpredictable communication of LU/XL ASIC

chip with MQ/XM ASIC chip. These events will corrupt the state in MQ/XM and lead

toaMQ/XMwedge.TheMQ/XMwedgewouldcause fabricblackholeand finally reboot

the line card. PR1082932

• OnMX Series routers with MPCs/MICs the "RPF-loose-mode-discard" feature is not

workingwhenconfiguredwithinaVirtualRouter routing instance. The feature isworking

only when configured in the main instance. PR1084715


Resolved Issues








• Aggregate interfaces in combination with shared-bandwith-policer might lead to

Packet Forwarding Engine policer corruption in case the aggregate interface is being

reconfigured (add / delete units). This corruption could alter the policer rate

programmed in hardware and lead to unexpected policer behavior (we either consider

legitimate traffic as being out of profile or invalid traffic as being within profile).

PR1084912

• With MSDPC equipped on BNG, there might be amemory leak in ukernel, which

eventually causes MSDPC to crash and restart. PR1085023

• The prompt for SSH password changed in Junos OS Release 13.3, from "user@host's

password:" to "Password:". This change breaks the logic in "JUNOS/Access/ssh.pm"

which is located in /usr/local/share/perl/5.18.2/ on Ubuntu Linux, for example.

PR1088033

• IPv6 packets with non-UDP and non-TCP payload belonging to the same flowmight

get reorderedwhen being forwarded byMXSeries router withMPCPacket Forwarding

Engine PR1098776

Routing Protocols

• In a scaling setup a restart routing or NSR switchover can result in duplicate MSDP

entries. PR977841

• RIP is applying the RIB import-policy for the primary RIB table, and as per the policy

configured, evaluation fails and routesare removed fromprimaryRIB. But import-policy

is applied only for secondary tables. RIP should apply only the protocol import policy

and add routes to primary RIB. Routes are leaked to secondary routing table according

to import-policy. Fix: As suggested by rpd infrastructure team, removed the import

policy filter application to primary routing table by protocol RIP. Now import policy

application is handled by policy module within RPD. PR1024946

• After deactivating/deleting BFD configuration, Packet Forwarding Engine receives BFD

session down event and it marks corresponding next hops as down, and traffic drops

as a consequence. PR1053016

• Deletion of a routing-instancesmay lead to a routing daemon crash. Thismay happen

if routing-instance's Routing Information Base (RIB) is referenced in an active

policy-option configuration. As aworkaround,when deactivating the routing-instance,

all associated configurations using the route-table names in the routing-instance

should also be deactivated. PR1057431

• In PIMenvironment, BootstrapRouter (BSR) canbeusedonly betweenPIMv2enabled

devices. When deactivating all the interfaces which are running PIM bootstrap, the

systemchanges tooperate inPIMv1.At this time, all the information learnedabout/from

thecurrentBSRshouldbecleaned, butactually, BSRstate is not cleaned. If the interface

which was the previous "elected BSR" is activated, BSR state is

PIM_BSR_ELECTED(should be cleaned previously), and the system assumes the BSR

timer is still here. When the system tries to access the null BSR timer, the rpd process


• In Protocol Independent Multicast (PIM) sparse mode environment, in the situation

that the router is being used as the rendezvous point (RP) and also the last hop router,












when the (*,G) entry is present on the RP and a discard multicast route (for example,

due to receivingmulticast traffic fromnon-RPF interface) is alreadyexisted, if the (S,G)

entry is learned after receiving source-active (SA) of the Multicast Source Discovery

Protocol (MSDP), the SPT cutover may fail to be triggered. There is no traffic impact

as receivers still can get the traffic due to (*,G) route. PR1073773

• In multi-topologies IS-IS scenario, there is huge difference between estimated free

bytes and actual free bytes when generating LSP with IPv6 Prefix. It might cause LSP

fragment exhaustion. PR1074891

• In an MPLS L3VPN Core network, enable BGP Prefix-Independent Convergence (PIC)

Edge feature on a PE router. If the same VPN route is received with different multiple

exit discriminator (MEDs) via two route reflectors (RRs), when BGP PIC evaluates

those two routes, it disregards the one with higher MED, and hence fails to build a

multipath protection/backup path entry. PR1079949

• When removing scale BGP configuration, if the BGP session is holding stale routes for

the benefit of a restarting peer, the routing protocol process (rpd) may crash. As a

workaround, the administrator may use CLI command "show route receive-protocol

bgp <peer address> extensive | match STALE" to find the existing stale routes. If there

arenone, then removing theBGPconfigurationmaynot cause the rpdcrash.PR1081460

• If a policy statement referred toa routing-table, but the corresponding routing instance

is not fully configured (ie. no instance-type), committing such a configuration might

cause the rpd process to crash. PR1083257

• With Multicast Source Discovery Protocol (MSDP) and nonstop active routing (NSR)

configured on the Protocol Independent Multicast (PIM) sparse-mode rendezvous

point (RP), the rpd process might permanently get stuck whenmulticast traffic is

received shortly after Routing Engine switchover. PR1083385

• When there are a number of secondary BGP routes in inet.0, an SNMPwalk of inet.0

by thebgp4MIBcancauseacore if thecorrespondingprimary routesarebeingdeleted.

PR1083988

• WhenBGProute is leaked toa routing-instanceand there isan importpolicy tooverwrite

the route preference, if damping is also configured in BGP, the BGP routes which were

copied to second table cannot be deleted after routes were deleted in master table.

This is a day-1 issue. PR1090760

• When removing BGP Prefix-Independent Convergence (PIC) from the configuration,

the expected behavior is that any protected path would become unprotected. But in

this case, themultipath entry that contains the protection path (which is supposed to

be removed) remains active, until BGP session flaps or the route itself flaps. As a

workaround, use "commit full" command to correct or to commit. PR1092049

• The rpd process might crash when resolve-vpn and rib inet.3 are configured under

separate levels (BGP global, group and peer). The fix is If anybody configures a family

at a lower level, reset the state created by either of configuration statements from

higher levels. This behavior conformswith our current behavior of family config -which

is that any configuration at a lower level is honored and the higher-level configuration

is reset. PR1094499


Resolved Issues












• In IPsec environment, after performing the Routing Engine switchover (for example,

performinggracefulRoutingEngine switchover) or chassis reboot (that is,wholedevice

is powered downandpoweredUPagain), due to the keymanagement daemon (kmd)

maybe launchedbefore theRouting Enginemastership is finalized, itmay stop running

on the newmaster Routing Engine. PR863413

• On an L2TP access concentrator (LAC) device with more than 8K L2TP sessions up,

if execute command "clear services l2tp session all" and then stop the command by

using Ctrl-c, the Layer 2 Tunneling Protocol process (jl2tpd) might crash. PR1009679

• WithRealTimeStreamingProtocol (RTSP)ApplicationLayerGateway (ALG)enabled,

the PICmight crash if the transport header in status reply from themedia server is

bigger than 240 bytes. PR1027977

• OnM Series, MX Series, T Series routers with Multiservices 100, Multiservices 400, or

Multiservices 500 PICs with "dump-on-flow-control" configured, if prolonged flow

control failure, the coredump file might generate failure. PR1039340

• Inline IPv6 L2TP onMPC subscriber terminated at an LNS breaks adaptive services SP

unicast nexthops on MS-DPC. Even one subscriber causes the issue. PR1054589

• A Layer 2 Tunneling Protocol daemon (l2tpd) crash is seen sometimeswhen the L2TP

service interface unit number is configured higher than 8192. A restriction has been

added to force unit numbers below 8192. PR1062947

• OnMXSeries routerswhichareactingasLNS toprovide tunnel endpoints, it is observed

that theservice-interfacesarenotusable if aMICcorresponding to them isnotphysically

installed on the FPC. If only those service interfaces that belong to the removed PIC

are added to service-device-pool, this results in no LNS subscribers able to login. Note

that once the MIC is inserted into the FPC, the features could be used. PR1063024

• When configuring RADIUS authentication for Layer 2 Tunneling Protocol (L2TP), the

RADIUS server cannot be recognized because the source address is not being read

correctly. As a result, the L2TP session cannot be established. PR1064817

• L2TP daemon will core in LTS scenario while the subscriber logs out. This happens

when the subscriber has "Called Number AVP" attribute. The "Called Number AVP"

was not getting relayed correctly across LTS boundary, hence daemon cores.

PR1065002

• The trigger for the crash iswhen theMS-DPCsService PIC is in a lowmemory zone and

it receives two SYNmessages from the the same client IP within a very short time gap

inbetween the twoSYNs. So this race condition is tied to runningout ofmemory, failing

to allocating a timer for a conversation, and having rapid SYNs on a TCP connection

where the second TCP SYN is matched on flowwhich is being deleted due to a failed

timer allocation for that. This scenario is very difficult to hit and should not be seen in

production often. PR1069006

• Service PIC daemon (spd) might crash with core-dumps due to CGNAT pool's

snmp-trap-thresholds configuration. PR1070370














• InCG-NATor statefull firewall environment, due toanull pointer checkbug, theMS-DPC

might crash every few hours. Note that this is a regression issue. PR1079981

• The crash happens if in an http flow, the flow structure is allocated at a particular

memory region. There is no workaround but the chances of hitting this issue are very

low. PR1080749

• On Layer 2 Tunnel Protocol (L2TP) network server (LNS), during L2TP session

establishment, when receiving Incoming-Call-Connected (ICCN)messages with Last

Sent LCP CONFREQ Attribute Value Pair (AVP) but without Initial Received LCP

CONFREQ and Last Received LCP CONFREQ AVPs, the jl2tpd process might crash.

PR1082673

• In a L2TP tunnel-switching scenario, if a tunnel-switched tunnel is cleared with "clear

services l2tp tunnel peer-gateway" AND an incoming ICRQ is received simultaneously

from the LAC side destined for this tunnel-switched tunnel, this leads to jl2tpd crash.

This defect has now been rectified. PR1088355

• OnM Series platform, in Layer 2 Tunneling Protocol (L2TP) network server (LNS)

environment, not all attributes (Missing NAS-Identifier, NAS-Port-Type, Service-Type,

Framed-Protocol attributes) within Accounting-Request packet are sending to the

RADIUS server. PR1095315

• Some values of MIB object jnxSrcNatStatsEntry might be doubled when AMS (or rsp)

interface and NAT are configured together. PR1095713


• Due to a software defect found in 13.3R7.3, Juniper Networks strongly discourage the

useof JunosOSsoftware version 13.3R7.3on routerswithMQ-basedMPC.This includes

MX-Series with MPC1, MPC2, and all mid-range MX-Series. PR1108826


• In subscribermanagement environment, after performing the graceful Routing Engine

switchover (GRES), if the Routing Engine switchover happens before the Acct-Start

response is received, and the timeout on service session happens before timeout on

subscriber session, the authentication process (authd) may crash. PR1074011

• Subscriber is not coming up when CISCO AVPair VSA value is returned in Radius

ACCESS-ACCEPT packets in certain scenarios. PR1074992

VPNs

• In NG-MVPN scenario, while traffic is not being generated by source for at least 3 and

ahalfminutes anda routing or othermulticast issueprevents themulticast traffic from

reaching the receiver PE, after the multicast data starts flowing again for about 6

minutes, the Type-7 and Type-5 routes might be withdrawn which causes a discard

route to remain present on the RP facing PE and causes the traffic not to be forwarded

even if there is state and flowing traffic for that group. PR1058574

• In MVPN RPT-SPTmode, with a mix of local and remote receivers all using (*,g) joins

(spt-threshold infinity), the downstream interfacesmay not get updated properly and

there may be a stuck (s,g) forwarding route. This issue can occur with the following


Resolved Issues











sequence of events: 1. Local receivers are joined 2. Traffic starts, then stops, and the

route times out. 3. Remote receiver joins. Both a (*,g) and an (s,g) forwarding route

are created. 4. Another local receiver is joined, or an existing one is pruned. 5. In the

(*,g) route the downstream interface list reflects the update, but in the (s,g) route the

downstream interface list doesnot. 6.When traffic startsagain, the (s,g) route --which

has the wrong interface list -- is used. The traffic flows to the wrong set of receivers.

PR1061501
















• This issue affects a systemwith two Routing Engines with "graceful-switchover"

configured. When performs upgrade to Junos OS Release 13.3 from previous releases,

without deactivating "graceful-switchover", master and backup Routing Engines are

likely to become unresponsive due to running out of memory. The Routing Engines

need a power reset to restore service. PR1033926

• When a firewall filter, which is used to de-encapsulate the IPv4 packets encapsulated

in IPv6 GRE header, is attached to interface hosts on MX Series MPC/MIC, the IPv6

GREheaderwould bede-encapsulatedbut the inner IPv4packetwould endupgetting

dropped and not forwarded. This issue affects the packet with IPv4 over IPv6 GRE

header only, and those packets with IPv6 over IPv6 GRE header are not affected.

PR1054039

• shared-bandwidth-policer failure results in subscriber exceeding the configured limit.

PR1056098







General Routing

• OnMX Series platformwith Enhanced DPCs equipped, after router rebooted, the IRB

broadcast channel is not enabled, all the broadcast packets that are received in the

IRB interface will get dropped. Also when ping is given the below L2Channel error

increases as ping packets are sent: user@router>show interfaces ge-*/*/* extensive

| match channel L3 incompletes: 0, L2 channel errors: 10, L2 mismatch timeouts: 0.

PR876456

• DPDmay not work with link-type IPSec tunnels when NAT is present between the

IPSec peers. Even when NAT is not present between the IPsec peers, the issue can

occur with lesser probability. PR895719

• On T/TX/TXP platforms, once detecting rchip sram parity errors, both parity-error

correction process and automatic jtree simulation are invokedwithin interrupt context

which triggers an assertion and resulting a FPC restart with coredump. FPC Type 5-3D

are not affected. Junos OS Releases 13.3R1 and later are exposed. PR944967

• When a router is booted with AE having per-unit-scheduler configuration and hosted

on an EQ DPC, AE as well as its children get default traffic control profile on its control

logical interface. However, if a non-AE GE interface is created on the DPCwith

per-unit-scheduler configuration, itwill get default schedulermapon its control logical

interface. PR946927

• In large scale L3VPN environment(in this case, there are 80K L3VPN routes) with

non-stopactive routing (NSR)enabled,when theL3VPN routesareaddedanddeleted

frequently, in rare condition, the Composite Next Hop (cnh) deletion from kernel after

backup rpdprocess learns cnhswithduplicated keybutwithdifferent nhids. Thismight

lead to rpd process crash on backup Routing Engine. This issue is not reproducible and

only happened once. PR959331

• OnMX Series, delete an interface A from routing-instance VRF1; then create

routing-instance VRF2 and interface A is added to VRF2 with qualified-next-hop

configured; finally, delete VRF1. Commit the entire above configuration once, in rare

condition, rpdmight crash. PR985085

• OnMX104 router with SONET/SDHOC3/STM1 (Multi-Rate) MIC. In rare condition, if

the MIC is plugged out fromMX104, the Packet Forwarding Engine might crash, the

traffic forwarding will be affected. These MICs as below belong to SONET/SDH

OC3/STM1(Multi-Rate)MIC:*MIC-3D-8OC3OC12-4OC48*MIC-3D-4OC3OC12-1OC48

* MIC-3D-8CHOC3-4CHOC12 * MIC-3D-4CHOC3-2CHOC12 * MIC-3D-8DS3-E3 *

MIC-3D-8CHDS3-E3-B * MIC-3D-1OC192-XFP. PR997821

• An unnecessary update from the routing protocol process (rpd) to the route record

databasemightbe triggeredbycertainconfigurationchange.Thisprocesscauses jump

in CPU utilization of all Packet Forwarding Engines. PR1002107

• OnMX Series Virtual Chassis with the no-split-detection configured, in some rare

circumstances, the transit traffic might get dropped if all of the virtual chassis ports

(VCP) go down and come up quickly (within few seconds). PR1008508


Resolved Issues










• OnMXSeriesplatformswithADPCFPCs,M120, orM7i/M10iwithEnhancedCFEB, each

VPLS LSI interface flapping triggers a memory leak in jtree segment 0. There is no

memory leak in FPC heap 0memory. PR1009985

• When destinations are pointing to protocol next-hops as unilist type or IP forwarding

next-hops as unilist, which in scenarios like using Loop-FreeAlternateRoutes forOSPF

(LFA-OSPF)with linkprotectionorMPLSFRR is enabled. If flapping theactive interface

very fast, especially an interface comes back up before Kernel gets a chance to delete

all theunilist next-hops, thoseunilist next-hopswhichhavenotbeendeletedyetwould

be re-used. As a result, the corresponding destinations are pointing to discard

next-hop(s) or replaced next-hop(s) in Packet Forwarding Engine Jtree. The "discard"

next-hop(s) causes traffic blackhole while the "replaced" next-hop(s) diverts traffic

to other active next-hop(s) in the unlist. Those unilist next-hops which have been

already deleted are safe and get updated accordingly. This is a day one timing issue.

PR1016649

• Under corner cases, if there are multiple back-to-back Virtual Chassis port (VCP)

related CLI commands, Network Processing Card (NPC) core may be observed and

FPC hosting the VC ports might reboot. PR1017901.

• If you issue the show services nat mappings details command with a large number of

service sets configured (such as 1000 service sets) and one or two NATmappings

specified, the command takes a certain amount of time to display the output. During

this period, if you deactivate or activate the services, amultiservices PICmanagement

daemon core file is generated. PR1019996

• Enabling sampling on anms- interface is not supported configuration, if

'forwarding-opions sampling sample-once' is subsequently deactivated, the FPCmay

reboot. PR1021946

• OnMXSeries routerwith IPv6 subscribers, after performingGRESor reloading one line

cardwhichhasunderlying interfaces fordemux, somedemux interfacesmightbestuck

in Tentative state, and some other demux interfaces which has the same link local

addresses might be unable to send any IPv6 RAmessage. PR1026724



• With an unrecognized or unsupported Control Board (CB), mismatch link speedmight

be seen between fabric and FPCs, which results in FPCs CRC/destination errors and

fabric planes offline. Second issue is in a race condition, Fabric Manager (FM)might

process the stale destination disable event but the error is cleared indeed, it will result

in the unnecessary FPC offline and not allowing Fabric Hardening action to trigger and

recover. PR1031561

• If a logical interface isusedas thequalified-next-hop(which implies the logical interface

has unnumbered-address configured), and there are changes in the logical interface

filter configuration, then the static route might disappear from routing table. Tomake

it reappear, need to delete it from the configuration and add it back. PR1035598.

• For MLPPP interface on MX Series based line card, in some very rare conditions, the

received fragmented packets might be dropped. PR1041412













• OnMX Series platformwith one of the following protocols configuration, flapping the

protocols will trigger the Composite Next-hop change operation. In rare condition,

since it is not proper programmed, the FPCmight crash. This is a day-1 issue. - LDP -

MPLS - Point-to-multipoint LSP - RSVP - Static LSPs. PR1045794

• Oncedefault route0.0.0.0/0 isadded,deletedorchanged, thePFEMANthread running

on the MPC/FPC5 needsmore than 600mseconds to program such changes. This is

long enough to trigger LFM or BFD flap. Junos OS Release 13.3R2 or later is exposed to

this symptom. PR1045828

• On T Series FPC 1-3 and M320 except E3-FPC with fib-local configuration. If there are

multiple FIB local FPCs or the FIB local is a multiple Packet Forwarding Engine FPC,

the TCP packetsmight be out of order, packets re-ordering would occur. It reduces the

application level throughput for any protocols running over TCP. PR1049613

• In the PPP dual-stack subscribers environment, in rare condition, if bringing up 1000

dual-stack subscribers quickly, the PPP negotiation might fail. Then PPP retries

negotiation, all subscribers fully establish. PR1050415

• Incorrect flow count is reported in the field 'count' of V9 header in all the packets sent

to the collector. PR1050543

• This problem is because of a race condition, where other FPCs are not able to drain

"which is 1 second" Fabric Streams connecting to FPC which is getting offline. With

this situation - evenwhenFPCcomesonline, other FPCswhichhaveobservedmessage

"xmchip_dstat_stream_wait_to_drain" will not be able to send traffic to that particular

FPC over fabric. There is no workaround. To recover, we have to reboot FPCs which

observed error message "xmchip_dstat_stream_wait_to_drain". PR1052472

• This problem scenario with stuck DEMUX VLANs was observed after upgrade to 12.3

from previous release of 11.4X27. PR1054914

• As a precautionary measure, a periodic sanity check is added to Ichip based FPC. It

checks FPC error conditions and performs the appropriate actions in case of an error.

PR1056161

• IFCM error messagesmay occur in logs when it is not used. We lowered the severity of

the message to avoid confusion. PR1057712

• When enabling pseudowire subscribers the "show subscribers extensive" command

does not display CoS policies applied to the subscriber interface. This issue was fixed

in 13.3R6, 14.1R5 and 14.2R3. PR1060036

• bfd-protectedospf-sessionandbfd-protectedbgp-session fail tocomeupviasite-site

IPSec tunnel. As a workaround use no-ipsec-tunnel-in-traceroute CLI configuration

statement. PR1061342


Resolved Issues













• Refer to the following topology. If we set interface ge-1/0/8disable, interface xe-2/0/0

and xe-2/1/0 become down status because "asynchronous-notification" feature.

However after 3 or 4 seconds, ether OAM detects link-fault status changed to good.

And then, interface xe-2/0/0 and xe-2/1/0 change link status from down to up. The

conditions are the following. 1. Configure MPLS circuit with ether CCC. 2. Configure

"asynchronous-notification"onCE facing interface inbothPEs. 3. ConfigureetherOAM

tooneofPE, CEpair. 4. UseDPC 10giga-interfaceonDTU. *This behavior did not occur

with MPC and DPC 1 giga-interface. << topology >>

********************************************************************* local

link remote linkDPC 10ge | xe-2/0/0Vge-1/0/6ge-1/0/8 [CE ]----------[PE ]---------[

PE ]----------[ CE ] xe-2/1/0 ge-1/0/7 ge-1/0/9 (DTU) <--------> <-------> <-------->

ether CCCMPLS ether CCC asynchronous-notification asynchronous-notification

<--------> ether OAM *CE:MX240 PE:MX240

*********************************************************************

PR973840

• With vrf-table-label configured on the routing-instances, when an FPCwith Enhanced

IQ (IQE) PIC is sharing the same Forwarding Engine Board (FEB) with another FPC,

and the FEB has two core-facing interfaces configured with the family mpls on

aforementionedFPCs separately, the label-switched interface (LSI)might be removed

incorrectly on the working FPC when the other FPC with IQE PIC is set to offline.

PR1027034

• If DPCE 20x 1GE + 2x 10GE X card is present in the chassis, BFD sessions over AE

interfaces may not be distributed.PR1032604

• Some duplicate entries are reported in jnx-chas-defines.mib. This patch removes the

duplicate entries to fix the issue. PR1036026

• FRR switching time is much higher than 50ms (e.g. might be 400-900ms) when

protected links are located on MX Series Gigabit Ethernet enhanced and hardened

MICs (i.e. MICmodel name end with -E or -EH, currently, the supported MICs are

MIC-3D-20GE-SFP-E and MIC-3D-20GE-SFP-EH). PR1038999

• Using PPP authentication with a specifically crafted PAP Authenticate-Request may

cause the Juniper Networks PPP daemon (jpppd) to crash and restart. After PPPoE

Discovery and LCP phase is successfully negotiated, when the crafted PAP

Authenticate-Request is received, jpppd crashes and no response is sent by the

broadband edge router to the subscriber. The jpppd continues to crash every time the

subscriber re-sends the PAP Authenticate-Request. PR1040665

• In case of the IQ2 or IQ2E PIC are working in tunnel-only mode, rebooting the tunnel

PIC while the traffic is passing through the tunnel might cause the tunnel PIC to not

transfer traffic any more. PR1041811

• jpppd daemon ran out of memory as subscribers login failed due to missing CoS

parameters. Below logs will be seen in messages when the subscribers login fail. Nov

16 12:19:21 jtac-host jpppd: Semantic check failed for profile=PPPoE-1-QoS, error=301

Nov 16 12:19:21 jtac-host jpppd: dyn_prof_send_request: add pre_processing failure,










error=301 Nov 16 12:19:21 jtac-host jpppd: Profile: PPPoE-1-QoS variable:

$junos-cos-shaping-rate value: failed semantic check PR1042247

• clear interfaces interface-set statistics all fails due to memory limitation. PR1045683

• OnMX Series routers (platforms) with Enhanced Switch Control Board (SCBE), when

the fan tray is inserted or pulled out, the chassisd process might crash. PR1048021

• When Inherit is part of lower logical interface Unit, VRRPD parses it before Active. In

this case, VRRPD attaches a dummy Active to the Inherit, with the assumption that

the Active will be available soon and then replication of information from Active to

Inherit will take place. However, the replication of the priority was not done correctly

due to which the Inherit group was stuck with priority of 0. PR1051135

• In subscriber management environment, PPP client process (jpppd) might crash as a

result of a memory allocation problem. PR1056893

• mru remains set at previous value after deletingmru under group-profile ppp-options.

PR1059720

Layer 2 Features

• After FPC restart, bridge domain (BD) implicit filters for Ethernet ring protection

switching (ERPS)might get reprogrammedwith wrong logical interface (ifl) index,

which cause ERPS to not work correctly. PR1021795

• If a customer is using SNMPandperforms an snmpwalk on the dhcp binding table, not

all of the entries may be displayed. This fix resolves that issue so that bindings for all

IP addresses are displayed. PR1033158

• On a router with DHCP local server configured, if there are scaled number of DHCP

subscribers connected, most of the subscribers might get stuck in "RELEASE" status

after performing graceful Routing Engine switchover (GRES). PR1038385

• In DHCPdynamic subscribermanagement scenario,whenmaintainDHCPsubscribers

during interface delete is configured, some interface indices might be reused by a new

interface if system is under stress (such as high connection speed, many clients and

individual log files configured to be larger than 100M). In this case, it might result in

subscriber being associated with an interface that no longer exists. PR1044002

• Onmultiple Routing Engines systemwith NSR enabled, if the FEC129 VPLS instance

has "no-tunnel-service" configured, the VPLSmight show status as "OL" (no outgoing

label) after performing Routing Engine switchover. PR1050744

MPLS

• Error "tag_icmp_route:failed to find a chain composite ahead of fwd nh" might be

observed when doing traceroute. PR999034

• When configuring point-to-multipoint (P2MP) Label Distribution Protocol (LDP)

label-switched paths (LSPs), the labels will never be freed even though they are no

longer needed. This could lead to the MPLS label exhaustion eventually. To clear the

state, the rpd process will restart with core files. PR1032061


Resolved Issues














• On the P2MP LSP transit router with link protection enabled, if the LSP is the last

subLSP, tearing the last subLSP (for example, an RESV tear message is received from

downstream router) might crash the routing protocol process (rpd). PR1036452

• When node-protection is enabled for a specified LSP and optimize-timer for a

node-protecting bypass LSP is configured on router, the bypass route might

get-optimized in such a way that it traverses through the very node that the bypass is

trying toprotect during re-optimization. Asaconsequence, thenode-protectingbypass

LSP only provide link protection instead of node protection. PR1045055

• OnM/MX/T Series routers, dynamic-rsvp-lsp is configured under interface

link-protection hierarchy level. After interface flap, the bypass LSP does not come up.

PR1054155

Multicast

• In multicast environment, if GRES is performed immediately after a routing-instance

being deleted, the krt (kernel routing table) queuemight get stuck after adding back

the routing-instances which were deleted. PR1001122


• Mib2d cores while trying to re-add a lag child into the internal DB. Since the entry is

already present in the internal DB. Before adding the child link, mib2d does a lookup

on the tree, to know if the entry is not already there. However, this lookup returns no

results, since the child link is part of snmp filter-interface configuration. PR1039508

• SNMPmib walk jnxMac does not return value with et- interfaces on

MPC3/MPC4/MPC5/MPC6. PR1051960

• There is no specific counter name in the MIB2D_COUNTER_DECREASING syslog

message. PR1061225


• With inline jflow enabled, if the low 12 bits of the packet counter are zero (0x000)

while copying packets count from hash record into flow export packet, the

packetDeltaCount counter might be incorrect in inline jflow records. There is no traffic

impact but may impact billing. PR886222

• For inline BFD over aggregated Ethernet (AE) interfacewhichmember links are hosted

on different FPCs, BFD packets coming on ingress line card will be steered to anchor

Packet Forwarding Engine through fabric. If FPC reconnects to master Routing Engine

(such as Routing Engine switchover operation), the inline BFD session punts the BFD

packet to host, the BFD packet should go through loopback interface filter of VRF on

which it is received. But in this case, the BFD packet might hit the wrong loopback

interface filter fromwrong routing-instance since the VRF information is not carried

across fabric. PR993882

• BFD sessionwithin default routing-instance are not coming up once inline-services pic

is configured and fixed class-of-service forwarding-class is assigned. BFD session

operating in no-delegate-processing are not affected. PR999647













• OnMX Series platformwith scaled set-up, after deactivate/activate or renaming a

bridge domain (BD) which has irb interface associated, the IGMP snooping configured

under the BDmight not work any more. Note it happens only when the router is in

"network-services enhanced-ip" mode. PR1024613

• A Packet Forwarding Engine memory leak is seen whenmulticast receivers are

connected in a bridge domain where IGMP snooping is enabled and IGMPmessages

exchanged between themulticast receivers and the layer 3 IRB (Integrated Routing

and Bridging) interface. PR1027473

• AggregatedEthernet interfacedoesnot sendPPPoEclient echo replywhenae interface

bundle spans multiple FPC(s). PR1031218

• OnMXSeries3DMPC,when there isacongestedPacketForwardingEnginedestination,

the non-congested Packet Forwarding Engine destinations might experience an

unexpected packet drop. PR1033071

• sa-multicast load sharingmethod under [chassis <> fpc <> pic <> forwarding-mode]

is not working on 100GE interface on MX Series FPC. PR1035180

• ThemicroBFDsessionswon't comeup if incominguntaggedmicroBFDpacketscontain

a source MACwhere the last 12 bits are zero. PR1035295

• Presence of /8 prefix in two terms results in incorrect filter processing and unexpected

behavior. PR1042889

• When IRB interface is configured with VRRP in layer 2 VPLS/bridge-domain, in corner

cases IRB interface may not respond to ARP request targeting to IRB sub-interface IP

address. PR1043571

• In a scaled subscriber management environment, the output of CLI command "show

subscribers" and its sub flavors might print more pages and has to be terminated by

"Ctrl+c" or "q". But this was not closing the back end Session Database (SDB)

connection properly. Over a period of time, this will cause inconsistency and the

subscriber management infrastructure daemon (smid) fails to register and no new

subscribers could connect. PR1045820

• On T4000 and FPC Type 5-3D or TXP-3D platforms , BFD sessions operating in

100msec interval with default multiplier of 3 might randomly flap after the

enhancements implemented via PR967013. BFD sessions with lower intervals of

100msec or higher intervals are not exposed. The internal FPC thread, monitoring the

High Speed Fabric links had a run time of longer then 100msec. PR1047229

• By default, after 16x10GEMPC boards come up, about 75% of queues were allocated

to support rich queuing with MQ chip. Such allocation causes MQ driver software

module to poll stats. Polling stats causes this rise in CPU usage. PR1048947


Resolved Issues













• In the BGP environment, if operator "!" exists in the regex for as-path, the commit

operation fails. PR1040719

Routing Protocols

• In themulticast environment, in rare condition, after gracefulRoutingEngine switchover

(GRES) is executed, the rpdprocessmight crashdue to receivingNULL incoming logical

interface. PR999085

• When BGP add-path feature is enabled on BGP route-reflector (RR) router, and if the

RR router has mix of add-path receive-enabled client and add-path receive-disabled

(which is default) client, due to a timing issue, the rpdprocess onRRmight crashwhen

routes update/withdraw. PR1024813

• WhenaBGPpeer goes down, the route for this peer should bewithdrawn. If it happens

that a enqueued BGP route update for this peer has not been sent out, issuing the CLI

command"showrouteadvertising-protocolbgp<peer-addr>"might crash the routing

protocol process (rpd). This is a very rare corner case. PR1028390

• When BGP is doing path selection with default behavior, soft-asserts requests are

introduced. If BGP routes flap a lot, it needs to do path selection frequently, because

of which a great deal soft-asserts might be produced which will cause unnecessary

high CPU and some service issues, such as SNMP can not respond and even rpd core.

PR1030272

• When "clear bfd session" is issued immediately (before the Poll - Final sequence is

completed) post config check-in for interval change from higher to lower

minimum-interval value, BFD sessions don't revert to lower interval. PR1033231

• Issue in populating isisRouterTable values. Some entries are not filled correctly. This

does not block/affect the functionality of IS-IS or other components. PR1040234

• If labeled BGP routes are leaked from inet.3 table to inet.0, then activation of BGP

"add-path" feature might crash the routing protocol process (rpd). PR1044221

• BFD session might reset on commit if version is configured. The adaptive RX interval

gets set to 0 which results in the reset. A sample configuration of BFD version is as

follows: protocols { bgp { bfd-liveness-detection { version 1; minimum-interval 1000;

transmit-interval { minimum-interval 1000; } } } PR1045037

• When BGP and ICCP are the client of the samemulti-hop BFD session, BFD runs in

centralized (non-distributed)mode. But if nonstop-routing configuration is added and

enabled, runningmodeofBFD is changed todistributedmode.Thisbehavior is incorrect

but it would not affect to protocols which is client of the BFD session. However, if

Routing Engine switchover is performed after enabling NSR, the BFD session will get

unstable and all the client protocols also get unstable. PR1046755

• Junos OSMulticast Source Discovery Protocol (MSDP) implementation is closing an

established MSDP session and underlying TCP session on reception of source-active

TLV from the peer when this source-active TLV have an "Entry Count" field of zero.

"Entry Count" is a field within SAmessage which defines howmany source/group

tuples are present within SAmessage. PR1052381














• TheBGPsession sendingadd-pathprefixes cancausean rpdcrashwhen theadd-path

IDs that it allocates roll over from 65535 to 0. If the routes contributing add-path

prefixes are changing, the allocated path-id can eventually reach this value. This fix

changes the allocation scheme to always use the lowest available free path-id, so a

rollover will never occur. PR1053339

• After multicast traffic source incoming interface and source ip RPF (reverse path

forwarding) route switching toadifferent interface, themulticast route cacheupstream

interface might not be refreshed to be in sync with the pim join upstream interface.

This is incorrect and will cause packet blackhole for the affectedmulticast stream.

PR1057023

• RPD cored at isisSysLevelTable_next function when we do snmpwalk/snmpget with

invalid value in snmp data variable part. With this fix,added sanity checks for those

OIDs that do not have checks in earlier versions. PR1060485


• Added support to bring up Tunnel-switched sessions when tunnel-group is not

configured at LTS and tunnel attributes are returned from RADIUS. PR1030799

• When NAT hasmultiple terms that refer to the same NAT Pool, the command 'show

snmpmib walk jnxSvcsMibRoot ascii' always prints out jnxNatPoolTransHits for the

count of jnxNatRuleTransHits in the first term. PR1035635

• The cause of the KMD crash is not known. This is not due to SA (Security Association)

memory corruption. The code sees that SA is getting freed without clearing the table

entry. PR1036023

• When the tunnel between L2TP access concentrator (LAC) and L2TP network server

(LNS) is destroyed, the tunnel information will be maintained until destruct-timeout

expire (if the destruct-timeout is not configured, the default value is 300 seconds). If

the same tunnel is restarted within the destruct-timeout expire, the LNS will use the

previously negotiatednondefaultUDPport,whichmight lead to the tunnel negotiation

failure. PR1060310


• The authd process memory leaks slowly when subscribers login and logout, which

eventually leads the process to crash and generate a core file. PR1035642

• The MX960will send out error message when it processes idle-timeout. PR1041654


Resolved Issues










VPNs

• For VPLS over VPLS topology, when the VPLS payload has two labels

(Customer-VPLS-label and Customer-MPLS-label), the framemight be dropped by

the core facing interface hosted on IQ2 PIC with "L2 mismatch timeout" error. This

particular scenario is fixed. But there are some other worse scenarios which might hit

this issue again due to the system architecture limitation, which are not fixed but need

to avoid: * Addition of VLAN tags on Service provider's or CE's VPLS payload e.g.

configuring QinQ. * Addition of MPLS tags on Service provider or CE's VPLS payload.

* Enabling VPLS payload load balancing on Service provider's PE router. PR1038103

• In NGMVPN, after the route to C-RP flaps, traffic lossmight be seen for a short period

of time. PR1049294

• In NG-MVPN scenario, when a source is directly connected to a PE that is acting as an

RP stops sending the traffic, the PE never withdraws the Type 5 route. This causes the

Type7 routesand forwarding routes to remainon theegressand ingressPEs.PR1051799

• In L2VPN scenariowith local switching enabled, in corner cases, the rpd processmight

crashafter flapping thePE-CE link. For example, if the L2VPNconnection typechanges

from remote to local after link flaps, for a brief period of time, two route entries (for

old remote VC connection and for the new local VC connection) might exist for the

same egress route (with interface name as destination prefix). In that case, when

deleting remoteVCconnectionand routeentryassociatedwith that remoteconnection,

the rpdmight crash due to trying to reset an internal variable which is already reset

during route addition for the new local VC connection. PR1053887
























• SometimesMXSeriesmight respondwith "no such instance" of the secondOIDwhen

two CoS OIDs in the single SNMP packet. PR1015342

• This issue specific to rate-limit on trunk port in DPC due to a software issue that

installing rate-limit variables to egress Packet Forwarding Engine does not work

normally. PR1022966

• For ichip based platform, IQ2 pic expects FC index in the cookie from ichip for packet

queuing. For Transit traffic, fc index is coming in cookie where are for host outbound

traffic, queue number is coming in cookie to IQ2 pic. As IQ2 pic is not aware whether

traffic is transit or host outbound, it treats value received in cookie as FC value and

looks into fc_to_q table to fetch queue number. This is causing issue in queueing of

host outbound traffic in IQ2PIC in incorrect queue. This is adayone issueandwill come

if in FC to Queuemapping, fc id and queue number are not same. PR1033572


• Onthe32-bit JunosOS,whenaverybigburst-size-limit value (2147492676andabove)

is configured in the ingress interface policer, the kernel may drop Routing Engine

destined traffic. PR1010008

• Deactivating Inline Jflow configuration does not makememory release normally.

PR1013320

• When an ARP policer is applied to an interface, it appears commented out in the

configurationwith the followingmessage: "invalidpathelement 'disable_arp_policer'".

PR1014598

• When an MX Series specific filter is configured on an interface located on a DPC, the

filter is not being installed and no warning message is logged on themessage log file.

PR1022836

• Adding "fast-lookup-filter" configuration statement to a firewall filter using one or

more terms with "next-term" action could cause dfwc crash during commit (commit

check phase). Hence because of this bug, this disallows use of "fast-lookup-filter"

feature on firewall filters with terms using "next-term". This PR fixes the above bug

exposed during firewall compiler optimization of filters using next-terms and

fast-lookup-filter. PR1029761

• This issue affects a systemwith two routing engines with "graceful-switchover"

configured. When performs upgrade to Junos OS version 13.3 from previous releases,

without deactivating "graceful-switchover", master and backup Routing Engines is

likely to becomeunresponsive due to running out ofmemory. The routing engines need

power reset to restore service. PR1033926

General Routing

• "show services accounting usage" does not populate cpu utilization for XLP based

cards . Please use "show services service-sets cpu-usage". PR864104

• Leak in /mfs/var/sdb/iflstatsDB.db. PR924761


Resolved Issues












• In this scenario the CPCD (captive-portal-content-delivery) is configured for

HTTP-REDIRECT for Subscriber Management clients using MS-DPC. When services

sessions start to redirect the HTTP traffic, thememory-usage consistently increments

for MSPMAND on themulti-service PIC. Thememory limit thenmight cause packets

loss. PR954079

• MPLS traceroute causes "rttable-mismatch" syslog messages. PR960493

• OnMX Series DPC line cards with redundancy System Control Boards (SCBs), when

active SCB goes down ungracefully by unexpected event (such as turn off Power Entry

Modules (PEMs)), traffic loss is observed and cannot be recovered on standby SCB

as expected. PR961241

• In the dual Routing Engines scenariowith large scale nexthops (in this case,more than

1-millionnexthopsandaround8KVRFs). In rarecondition, kernelmight crashonbackup

and/or master Routing Engine due to exhaustion of nexthop index space. PR976117

• 1)Due toaprevious fix chassisdon theprotocolmasterRoutingEngineand theprotocol

backup Routing Engine connect to the main snmpd on the protocol master using the

followingmethods. a) Chassisd on the protocolmaster Routing Engine connects using

a local socket since snmpd is running locally. b) Chassisd on the protocol backup

Routing Engine connects using a TNP socket since snmpd is not local. 2) However this

fix changed the way the other daemons connect to snmpd. All important daemons

runon theprotocolmaster andshould connect to snmpdusinga local socket.However

the fix changed it so that all daemons that ran on the protocol master (other than

chassisd) tried to connect using the TNP socket. SNMPD does not accept these

connections.Asa fix, inanMX-VC,wemadesure thatchassisdconnects toall processes

which run on the protocol master using internal socket while the chassisd process on

the protocol backup and protocol lincecard connect connect using TNP socket.

PR986009

• In the dual Routing Engines scenario, in rare condition, while executing GRES and

deleting interfaces at the same time, it is possible that a nexthop delete message is

not sent to rpd process, causing rpd to keep a nexthop index (NHID) that kernel has

already deleted. Laterwhen kernel allocates thisNHID for next newnexthopand sends

it to rpd process, rpd process might crash due to duplicate NHID. PR987102

• MX 960/480/240 fantray red alarm temp changed from 75C to 80C. PR995225

• In the dual Routing Engines scenariowithNSRconfiguration, backuppeer proxy thread

is hogging CPU for more than 1 second if there are multiple updates (>5000) going

frommaster Routing Engine to backup Routing Engine. This is leading to FPC socket

disconnections. The traffic forwarding might be affected. PR996720

• Bydefault, the syslogutility exports800,000 logsper second toa remotesyslogserver.

You canmodify the number of syslogs to be sent by including the message-rate-limit

statement at the [edit interfaces interface-name services-options syslog] hierarchy

level to suit your deployment needs. The rate at which syslog messages can be sent

to the Routing Engine is 10,000 logs per second. PR1001201

• WithNSRenabled,whenactivatingaBGPsession ina routing instance,and the interface

route is imported into the main routing instance, the TCP receive windowmight












decrement until it hits 0 after receiving incoming BGP traffic arrives from themain

routing instance. PR1003576

• MS-DPCmemory leak on system service setwhenHTTPRedirect attempts to process

none-HTTP traffic with HTTP ports (80/8080/443). PR1008332

• When deleting a routing-instance or making changes to the routing-instance, the

deletion of the routing-instance to kernelmight comebefore the deletion of the logical

interfaces in the routing-instance, resulting in rpd crash. This is a timing issue, hard to

reproduce. PR1009426

• OnMXSeries platformswith ADPC FPCs,M120 orM7i/M10i with EnhancedCFEB each

VPLS LSI interface flapping triggers a memory leak in jtree segment 0. There is no

memory leak in FPC heap 0memory. PR1009985

• Unknown unicast flood is seen with interface flap after router reboot and with static

MAC, no-mac-learning, interface-mac-limit configured for a virtual-switch. PR1014222

• The routing protocol daemon (rpd) might crash continuously with core-files upon

adding a sub-interfacewith "disable" configuration to aMC-LAG interface.PR1014300

• Sendingmulticast traffic to subscribers which have lawful interception enabledmight

crash the FPC. PR1014569

• For 64-bit Junos OS, the route protocols process (rpd) might crash and generate core

file during IBGP route churn when using IBGPmultipath andmultiple levels of IBGP

route/next-hop recursion. PR1014827

• If the serviceoption configuredonaggregatedMultiservices (AMS) interface is different

from its member interface, conflict would happen which might cause some serious

issue.After this fix, service-optionsconfiguration (which includes timeouts/sessios-limit

etc.) shouldonly be configuredonallmembers interfaceswhenconfigureAMSbundle.

PR1014898

• A new global configuration statement is added at the top level CLI "set

forwarding-options port-mirroring [no-preserve-ingress-tag]" By default the system

behavior would remain as it is today where ingressmirrored copy would contain VLAN

content exactly as what came in wire over ingress. However, if this configuration

statement is configured, if any VLANmodification happens to packet as part of its

datapath processing, that would get retained in the ingress mirrored copy ie we will

not restore VLAN to what came in ingress on wire. PR1015149

• This PR is implementing traceoptions debug enhancements to detect route-record

corruption events. The route-record traceoptions debug will be enabled as follows:

---------------------------- user@router> edit Entering configuration mode [edit]

user@router# set routing-options traceoptions flag route-record [edit] user@router#

commit ---------------------------- PR1015820

• hash-key command is no longer treated as a hidden command and considered invalid

input in 12.3 for small footprint routers (these platforms don't support the hash-key

feature), this could cause configuration failure during a software upgrade if hash-key

command is configured prior to the upgrade. This PR reverses the above change and

allowshash-keycommandtobe ignoredonunsupportedplatforms: showconfiguration


Resolved Issues












forwarding-options####Warning: configurationblock ignored: unsupportedplatform

(mx80) ## hash-key { family inet { layer-3; } } PR1016339

• In dynamic subscribersmanagement environmentwith "maintain-subscriber" feature

enabled, when scaling up the logged in subscribers, the demux interface might not be

associatedwith thesubscriberand"showauto-configurationextensive"CLI command

only print partial output. PR1017544

• MACaccounting support was added for 40G and 100G interfaces onMPC3 andMPC4

cards. PR1017595

• Traffic destined to theBroadcast orNetwork address of aNetworkAddressTranslation

(NAT) pool using the address prefix setting for the MS-MIC/MS-MPC card causes a

traffic loop that spikes the CPU. PR1019354

• On aMX Series-based FPCs, when there are next-hop changes, the "heap 0"memory

of the FPCmay experiencememory leakage which will eventually causes memory

exhaustion. PR1019794

• Noperformance or functional impact. Can be safely ignored. "Ignore the PTPmessage

(2) as this MPC does not support EEC" should bemoved from notice to debug level.

PR1020161

• When source address is configured under ms interface, and the service-set has syslog

host as local the FPC slot is printed as -ve. PR1020854

• Trace file size is already limited to 1 Mega bytes, but the actual issue is different. When

file reaches its maximum allowed size, an attempt is made to rotate trace file. But

trace files count is presently set to 0 (default), so rotate is not functional. As a result

all logs are appended to the same trace file even after crossing max limit. PR1021076

• MQCHIP(0) mqchip_get_q_forwarded_stats() invalid q_sys 0 q_nummessages are

continously shows in logs.It will cause two GE or XGE interfaces to not forward traffic.

PR1021951

• The host MPCmight continuously crash when trying to online a faulty MS-MIC after

discovering the hardware failure. PR1026310



• For M320 or T Series FPCs (M320 non-E3 FPC and T Series non-FPC5) with queuing

PIC, if theconfigured total buffer size temporal valuesexceeds thesupportedmaximum

scheduler buffer size for the PIC (e.g. For PD-5-10XGE-SFPP PIC, the maximum

temporal buffer size that can be configured for a scheduler is 40,000microseconds),

the default scheduler [95,0,0,5] is applied instead of the default chassis scheduler

[25,25,25,25], which might result in the packet drops on Q1 and Q2. PR1027547

• In a rare case, rdd core is reported under /usr/sbin/rdd as soon as applying the group

and commit is performed. PR1029810

• OnMX Series platformwith MS-MPC card, after performing switchover frommaster

RE0 to backup RE1, 2 internal ARP entries for Routing Engine address (128.0.0.1) on

MS-MPCPICs pointing to two eth interfaces connect to CB0 andCB1 separatelymight

be wrongly created. Then if pull out RE0/CB0, the MS-PIC would still select the eth
















interface connects to CB0, which results in loss of connectivity because that path is

not available anymore. PR1030119

• PCS statistics counter is now displayed for PTX 100GE interfces in below command:

cli > monitor interface <intf> PR1030819

• In rare cases, the AUTHD daemonmay crash and cause a corruption of subscriber

dynamicprofiles. In-useprofilesmaybe incorrectlymarkedasnot inuse.Anysubscribers

that reference that profile are forced to remain in Terminating state, until the router is

rebooted. Daemon restarts and GRES switches are ineffective in working around this

situation. PR1032548


• This issueoccurs in rare condition. In thedual Routing Engines scenario, doing interface

flap after Routing Engine switchover. If this action is repeatedmany times, the stale

indirect nexthopentrymight be seen in kernel, this leads to traffic blackhole.PR987959

Infrastructure

• SNMP socket sequence error log. PR986613


• If dynamic VLAN subscriber interface is over a physical interface (IFD), and there are

active subscribers over the interface, when deactivate the dynamic VLAN related

configuration under the IFD and add the IFD to an aggregated Ethernet (AE) interface

which has LACP enabled, the Routing Enginemight crash and get rebooted. PR931028

• In the dynamic-profile environment with preferred-source-address configuration. If

subscribers stuck in terminating state, it is impossible to commit changes. PR978156

• In the bridge domain configuration with IRB interface environment, the IRB interface

INET/ISOMTU is set to 1500. When the MTU on IRB interface is deleted, the MTU

would not be changed. PR990018

• In thePPPoEenvironment,when the subscriber logs in successfully but profile activate

fails, due to code processing error, the address entry is not deleted in the authd's DAP

pool. So when the subscriber tries to log in again, it connects fails. PR995543

• In L2 circuit, with async notification configured on a client facing interface goes down,

thenon the remotePE the correspondingCE interface showsup in show interface terse

output while in log snmp reports interface down. PR1001547

• As current Junos OSMultichassis link aggregation groups (MC-LAGs) design, the ARP

entry will not sync when learning ARP via ARP request but not Gratuitous ARP/ARP

reply, in some specific scenarios (e.g. a host changes its MAC address without sending

a Gratuitous ARP), traffic loss might occur. PR1009591

• IS-IS Adjacency may flap after unified ISSU. This behavior is being further analyzed

and fixed in further releases. PR1015895

• VRRP daemon (vrrpd) memory leak might be observed in "show system processes

extensive"whenVRRP is setwith routing-instance and then change any configuration.

PR1022400


Resolved Issues














• OnM120, when two type 1 FPCs are sharing the same FEB and they are both carrying

core facing interface, with vrf-table-label/no-tunnel-service configuration, the LSI

interfacesmightbe removed incorrect onaworkingFPCwhen theother is set tooffline.

PR1027034

• "set forwarding-options enhanced-hash-key symmetric" configuration statementwill

not get applied on MX104 Packet Forwarding Engine. PR1028931

• If DPCE 20x 1GE + 2x 10GE X card is present in the chassis, BFD sessions over AE

interfaces may not be distributed PR1032604

• Some duplicate entries are reported in jnx-chas-defines.mib. This patch removes the

duplicate entries to fix the issue. PR1036026

Layer 2 Features

• After configuration change or convergence events, kernel may report ifl_index_alloc

failures for LSI interfacesandcausingKRTqueueENOMEM issue, eventually preventing

new logical interfaces being added to the system. This condition always recovers on

its own once convergence is completed. PR997015

• If "maintain-subscriber" configuration statement is enabled on the router, DHCPv6

server/relaymight be unable to process any packet if deactivate and then activate the

routing instance, whichmeans the subscribers can not get the IPv6 addresses. Please

note, even with the fix, the results of this scenario is also expected if with

"maintain-subscriber" configuration statement enabled, please consider using the

workaround to avoid this issue. PR1018131

• After FPC restart, bridge domain (BD) implicit filters for Ethernet ring protection

switching (ERPS)might get reprogrammedwith wrong logical interface index, which

causes ERPS to not work correctly. PR1021795

• In amixedVPLS instancewhere both LDPandBGP flavors are presentwith "best-site"

configuration statement configured under "site" block, any cli change in that instance

will result in rpd crash. PR1025885

MPLS

• When the size of a Routing Engine generated packet going over an MPLS LSP is larger

than MTU (i.e. MTUminus its header size) of an underlying interface, and the extra

bytes leading to IP-fragmentation is as small as <8 bytes, then that small-fragment

will be dropped by kernel and lead to packet drop with kernel message

"tag_attach_labels():m_pullup() failed". For example - If SNMPResponsewith specific

size fall into abovementioned condition then small fragmentwill be droppedby kernel

and eventually the SNMP response will fail. PR1011548

• InMPLS scenariowith TX/TXP router acting as the transit node, performingMPLSLSP

ping or traceroute from ingress nodemight cause kernel crash on the transit node due

to improper timer initialization between SCC and LCC chassis. PR1020021

• Ted link information of protocol from highest credibility level is used irrespective of the

level at which CSPF is computing. i.e., cspf-metric in "showmpls lsp extensive" would

have the sum of te-metric of IGP with highest credibility at each hop in ERO. This has













been corrected and the cspf-metric will be sum of te-metric of current credibility at

each hop. PR1021593

• When RSVP label-switched-path (LSP) optimize is enabled, RSVP LSPmight stay

down after a graceful Routing Engine mastership switchover (GRES). To resolve the

problem, thecorresponding label-switched-pathconfigurationneeds tobedeactivated,

then, be activated again. PR1025413


• Mib2d cores while trying to re-add a lag child into the patricia tree. Since the entry is

already present in the patricia tree. Before adding the child link mib2d does a lookup

on the tree, to know if the entry is not already there. However, this lookup returns no

results, since the child link is part of snmp filter-interface configuration. PR1039508


• When apply-groups are used in the configuration, the expansion of interfaces <*>

apply-groups will be done against all interfaces during the configuration validation

process, even if the apply-group is configured only under a specific interface stanza.

PR967233

• TheGNUdebugger, gdb, canbeexploited inaway thatmayallowexecutionof arbitrary

unsigned binary applications. PR968335

• OnMX Series routers with MX Series linecards in a setup involving Packet Forwarding

Engine fast reroute (FRR) applications, if an interface is down for more than ARP

timeout interval or if ARPentries are clearedbyCLI commands, then after the interface

is up again packet forwarding issuesmay be seen for traffic being forwarded over that

interface. PR980052

• Have BFD session between one router supporting inline-BFD (MXSeries and JunosOS

13.3or later)and theotherwhichdoesnot support inline-BFD(anyversionandnon-MX

Series, or MX Series and Junos OS Release 13.3 prior releases). When the "failure

detection time" is less than 50ms, the BFD session might flap. PR982258

• OnMX2020/MX2010wemight see sporadic FO request time-out error reported under

heavy system traffic load. This would mean the request returning into a grant took

longer then +/-30usec. The packet will still get forwarded through the fabric hence no

operational impact. [May 6 18:56:59.174 LOG: Err] MQCHIP(2) FO Request time-out

error [May 6 19:33:47.555 LOG: Info] CMTFPC: Fabric request time out pfe 2 plane 6

pg 0, trying recovery. PR991274

• OnMX Series router with MX Series linecard or T4000 router with type5 FPC, there

are4kGRE tunnelswithdifferentMTUvalue.When thepacketsgo throughGRE tunnel,

if the packets size more than tunnel MTU, in rare condition, the GRE interface might

get stuck due to packets reassembling failure. PR993903

• Whenreceiving traffic comingonMPCandgoingoutonDPC, theMACentryonaPacket

Forwarding Enginemight not be up-to-date and the frames targeted to a knownMAC

address will be flooded across the bridge domain. PR1003525

• Micro BFD sessions are used to monitor the status of individual LAGmember links.

Whenmicro BFD configurations are added after the LAG bundle configuration in


Resolved Issues











separate commit, the micro BFD sessions for all the member links might remain in

"Down" state. PR1006809

• On TXMatrix Plus routers or TX Matrix Plus routers with 3D SIBs, all the incoming

interfaces on an FPC are deactivated when none of the fabric planes are functional.

By default, the interfaces remain activated. You can enable the deactivation of

interfaces by using the fpc-restart configuration statement at the edit chassis fabric

degraded hierarchy level. PR1008726

• If rate-limit has been configured in scheduler for MX-VC VCP ports, unified ISSUmight

fail. PR1009590

• MPLS traffic going through the ingress pre-classifier logic may not determine mpls

payload correctly classifyingmpls packet into control queue versus non-control queue

and expose possible packet re-order. PR1010604

• The fix was committed for this PR# but it also needs DDOS configuration additional

to this fix and it is as below: 1) check the "show ddos-protection protocols statistics

terse" 2) For each of the Control plane protocols on the system like ospf/vrrp/pvstp,

it is recommended to configure 2X of the rate as give below example along with

increasing DDOS rate for virtual-chassis control. Example, ######## set system

ddos-protection protocols virtual-chassis control-high bandwidth 20000 set system

ddos-protection protocols virtual-chassis control-high burst 20000 set system

ddos-protectionprotocolsospfaggregatebandwidth 1000set systemddos-protection

protocols ospf aggregate burst 1000 set system ddos-protection protocols vrrp

aggregate bandwidth 100 set system ddos-protection protocols vrrp aggregate burst

100. PR1017640

• For MX Series platformwith inline Network Address Translation (NAT) service, when

using "source-prefix" or "destination-prefix" in aNAT translation rule, a pool is implicitly

created, appending "_jinpool_" with the rule name and term namewith a form :

_jinpool_{rule_name}_{term_name}.Thenamemightbecroppeddueto themaximum

length limitation (64characters). If thathappens, bothpoolsmightget thesamename

and result in the indeterminate behavior (statistic issue, drop or incorrect translation).

PR1020033

• Problemscenario:Theerror logs"CHASSISD_FCHIP_CONFIG_MD_ERROR"will appear

during FPC normal boot up time and also during FPC restart time for each plane and

for each gimlet FPC. Problem statement: Ths Error logs

"CHASSISD_FCHIP_CONFIG_MD_ERROR"areobservedonly inM320chassiscontaining

FPCs based on Gimlet chipsets. Due to this error logs the rate limit for the fabric port

connecting the PFE 1 will be set to the default values. PR1020551

• OnMX Series based line card, if normal BFD sessions (e.g. BFD for OSPF) andmicro

BFD sessions are configured over LAG, it might be seen that only micro BFD sessions

come up and other normal BFD sessions keep in down state. PR1021584

• OnMXSeries based platform,with igmp-snooping enabled and amulticast routewith

integrated routingandbridging (IRB)asadownstream interface, amulticast composite

nexthop is created with a list of L3 and corresponding L2 nexthops. In a rare corner

case, the corresponding L2 nexthop to the L3 IRB nexthop is a DISCARD nexthop and

will cause the FPC to crash. PR1026124












• When receiving traffic coming on MPC and going out on DPC, an Ethernet frame with

known DMACwill be flooded to the whole bridge domain after flapping the link which

the given MAC is learnt for more than 32 times. PR1026879

• When a layer 2 frame entered the VPLS end point on the label switched interface (LSI)

interface with VLAN tagged, the frame is incorrectly interpreted and treated as no

VLAN frame. So the VLAN tagwill not be popped although the outbound interface has

a pop configuration. PR1027513

• On ICHIP line-card, when the packets are queued for several seconds due to interface

congestion and get aged, the ICHIPmight not able to detect those aged packets and

thus fail to drain the queue out, which results in the FPC showing CRC errors and going

into wedge condition. PR1028769

• MX Series-based line card might crash when trying to install the composite next-hop

used for the next-hop-group configuration related to port mirroring of traffic over IRB

to an LSI attached to VPLS instance for a remote host. PR1029070

• For BFD over aggregated Ethernet (AE) interfaces on MX Series routers with MS-MPC

thathaveconfigured theenhanced-ipoption, theBFDdistribution toPacketForwarding

Engine for AE interface might not happen. PR1031916

• This check ( log message) has been added as part an enhancement in the JNH error

report. For FC accounting on AE interface, ingress FC accounting is enabled on AE

interfacenexthopsandegressFCaccounting isenabledonAEchildmembernexthops.

While fetching stats for AE, both member child IFL and AE IFL stats are fetched and

added for result. If ingress FC accounting is enabled on AE IFL, while fetching statistics

for childmember links this error trace is coming because of this newly added JNH error

trace. The fix is to put a check to not call for child member FC statistics when egress

accounting is not enabled on AE bundle. PR1032952

• When the 'enhanced hash key service-load-balancing' feature is used by MPC line

cards load balancing of flows across multiple service PICS via the source-address

across does not work when iBGP is used to steer traffic to the inside service-interface

on the MX Series. For example the operator will see on the stateful firewall that the

same source-address has flows across multiple service interfaces. PR1034770

• Presence of /8 prefix in two terms results in incorrect filter processing and unexpected

behavior. PR1042889


• Executing CLI command "show route resolution" and stopping the command output

before reaching the end of the database, the rpd process might crash when executing

the same command again. PR1023682

• In the BGP environment, if operator "!" exists in the regex for as-path, the commit

operation failure. PR1040719


Resolved Issues











Routing Protocols

• Prefixes thataremarkedwith twoormore route target communities (matchingmultiple

configured targets configured in policies) will be using more CPU resources. The time

it takes toprocess this kindofprefixesdependson thenumberofVRFsand thenumber

of routes that are sharing this particularity. This can lead to prolonged CPU utilization

in rpd. PR895194

• Bringing up DFWD based BFD sessions at scale causes a churn in DFW as a result of

which the FPC CPU usage remains at 100% for a prolonged timespan. PR992990

• When all the below conditions aremet, if the configuration statement "path-selection

always-compare-med" is configured, the rpd process might crash. - routing-instance

(VR, VRF) with no BGP configuration - rib-group in default instance with

routing-instance.inet.0 as secondary-rib - rib-group applied to BGP in default instance

- BGP routes frommaster tables (inet.0) leaked to the routing-instance table

(routing-instance.inet.0). PR995586

• In themulticast environment, in rare condition, after gracefulRoutingEngine switchover

(GRES) is executed, the rpdprocessmight crashdue to receivingNULL incoming logical

interface. PR999085

• Abnormal ip6 route-calculation behavior can be seen when ospf3-te-shortcut is

configured. PR1006951

• When the same PIM RP address is learnt in multiple VRFs, with NSR configured, rpd

on the backup Routing Engine may crash duememory corruption by the PIMmodule.

PR1008578

• When inet.3/inet6.3 is not enabled, BGP group uses inet6.0 table to advertise the

routes for both inet6 unicast and inet6 labeled-unicast families. When BGP family is

changed, BGP sessions re-establish. When BGP starts to advertise routes to the peer,

BGP expects to see route label however if the old inet6 unicast routes are still present

(not completely cleaned), then rpd process crashes. The fix is to separate BGP group

for inet6 unicast with inet6 labeled-unicast with same rib. The old peers are cleaned

up in the old group and new peers are established in new group. Thus, new peer

establishment is not delayed by the cleanup of the old peer. PR1011034

• IS-IS router table MIB issues, when we do "show snmpmib walk

isisRouterHostName/isisRouterTable" we were not getting exact hostname as it is in

"show isis hostname"so theactual implementationwasnotasperRFC-4444,because

it was showing only the hostnames of the devices which are immediate neighbors of

Dut. Added level info to get sysis_entry per each level correctly and filled

data(isisRouterTable) correctly. PR1011208

• Under certain sequence of events RPD can assert after a RPD_RV_SESSIONDOWN

event. PR1013583

• Withmulticast discard route present, if a RP router has no pd- interface, it might not

generate (S,G) join to upstreamwhen receiving MSDP source active (SA) message.

PR1014145

• When receivingopenmessagewithany capability after the "add-path" capability from

BGP peer, the session will be bounced. PR1016736














• The snmp trap generated when an ipv6 BFD session goes up/down does not contain

the ipv6 bfd session address. PR1018122

• Junos OS implementation of RFC3107 uses unspecified label (0x000000) when

sending routewith label withdrawnmessage. Thismeans JunosOS sends 0x000000

instead of 0x800000 for label withdrawn, which is inconsistent with RFC3107.

PR1018434

• Multicast packets might get dropped with NSR configured and graceful switch over of

the Routing Engine is performed. PR1020459

• Establish two BFD sessions between two routers, one is single-hop BFD for directly

connected interface and the other is multi-hop MPLS OAM BFD. If configuring the

MPLS OAM on the same interface with single-hop BFD, when bringing downMPLS

OAM from the ingress, it might result in the OAM BFD session deleted on ingress but

it still receivingOAMBFDdownpacket fromegress. Since there is no sessionmatching

this BFD packet, it does a normal look up and brings down the single-hop BFD session

which is on the same interface. PR1021287

• If auto-export feature is enabled togetherwith rib-groups configuration option, the rpd

process might crash. PR1028522

• In distributed BFD (which is enabled by default), if the CLIENT session (for example

BGP) flaps due to any reason, themulti-hop BFD session that comes Up after the flap

would not be delegated to FPC. PR1032617

• When "clear bfd session" is issued immediately(before the Poll - Final sequence is

completed) post configuration check-in for interval change from higher to lower

minimum-interval value, BFD sessions do not revert to lower interval. PR1033231

• Issue in populating IS-IS router table values. Some entries are not filled correctly. This

does not block/affect the functionality of IS-IS or other components. PR1040234


• In the largescaledL2TPsubscribermanagementenvironment (in this case,60Ktunnels

upwith 1 sessioneach).When logoutand login 15Ksessions, in rarecondition, the jl2tpd

process (L2TP daemon) might crash. PR913576

• If adestination-prefix or source-prefix is used likebelowexample, theNetworkAddress

Translation (NAT) rule and term names will be used to generate an internal jpool with

a form : _jpool_{rule_name}_{term_name}. If the generated jpool name exceeds 64

characters in length, it will get truncated. If the truncated jpool name get overlapped

withothergenerated jpoolname itwill lead toan inconsistentpoolusage. user@router#

show services nat rule A_RULE_NAME_WHICH_IS_LONG_12345 { ... term

A_TERM_ALSO_WITH_LONG_NAME_1 { from{ source-address { 10.20.20.1/32; } } then

{ translated { source-prefix 10.10.10.1/32; <--- translation-type { source static; } } } }

termA_TERM_ALSO_WITH_LONG_NAME_2 { from { source-address { 10.20.20.22/32;

} } then { translated { source-prefix 10.10.10.2/32; <--- translation-type { source static;

} } } } } First jpool =

_jpool_A_RULE_NAME_WHICH_IS_LONG_1234_A_TERM_ALSO_WITH_LONG_NAME_1

> 64 characters. Second jpool =

_jpool_A_RULE_NAME_WHICH_IS_LONG_1234_A_TERM_ALSO_WITH_LONG_NAME_2


Resolved Issues










> 64 characters. The resulted jpool

"_jpool_A_RULE_NAME_WHICH_IS_LONG_1234_A_TERM_ALSO_WITH_" will be used

wrongly in both terms. PR973465

• In L2TP scenario, when the LNS is flooded by high rate L2TPmessages from LAC, the

CPU on Routing Engine might keep too busy to bring up new sessions. PR990081

• Softwire tunnel count management is inconsistent and incorrect, thus the output of

"show service softwire statistics" might be incorrect. PR1015365

• L2TP LNS dropped all tunnels/sessions after a commit PR1020420

• OnMX Series router that configured as L2TP tunnel switch (LTS), after receiving a

Call-Disconnect-Notify (CDN)message on LNS interface from remote LNS, the L2TP

daemon (l2tpd) might crash and generate a core file. PR1021881

• AnMS-DPC PIC coredumpmay be generated if ICMP is used with EIM. PR1028142

• Issue 1: "timeout-remaining" for some filters installed on the DFC pic. (Stream Times

out)Rootcause:Therewasan issuewitharithmeticoperation that lead towraparound

of remaining_time variable. Hence it was having a very huge value. Fix: Necessary

conditions are put in place to ensure there is no wrap around happening. Issue 2:

Problemwith forwarding traffic to the CD during randomDTCPADDs. (Streams Drop)

Root cause: Whenever a DTCP ADD is received by DFC PIC, a new filter is created and

placed in a list data structure called quick-list. 5-tuples of each data packet that is

hitting DFC PIC is matched against the filters in quick-list. Whenever amatch is found,

the 5-tuple(flow) is tagged/attached with the matched filter. Thematching would

continue for other flows aswell and it continues till the filter ismoved out of quick-list.

There was a bug in this logic that made filters to move out of quick-list is a sporadic

manner. Somemoved within fewmillisecond. So, for such filters there won't be any

flows towhich they are attached. Hence the issue. Fix:With this fix, the process of filter

movement out of quick-list is streamlined. A filter would move out of quick-list only

after ensuring that all active flows got a chance to getmatched against that particular

filter. PR1029004


• When PIM is enabled via apply-groups to one routing-instance whose instance-type

is not defined (no-forwarding type is set), incorrect constraint check of PIMwill cause

routingprotocoldaemon(rpd) tocrashuponanyconfigurationchange later.PR915603

• CST: chassis core generated while applying group configuration on chassis > FPC.

PR936150

VPNs

• In the 12.3 release after issuing a "request pimmulticast-tunnel rebalance" command

the software may place the default encapsulation and decapsulation devices for a

Rosen MVPN on different tunnel devices. PR1011074

• The problem is that MSDP is periodically polling PIM for S,G's to determine if the S,G

is still active. This check helps MSDP determine if the source is active and therefore

the SA still be sent. There is a possibility that PIM will return that the S,G is no longer

active which causesMSDP to remove theMSDP state and notify MVPN to remove the













Type 5. One of the checks PIMmakes is to determine if it is the local RP for the S,G.

During a re-configuration period where any commit is done, PIM re-evaluates whether

it is a local RP. It waits until all the configuration is read and all the interfaces have

come up before making this determination. The local rp state is cleared out early in

this RP re-evaluation process, however, which allows for a window of time where the

local RP statewas cleared out but it has not yet been re-evaluated. During thiswindow

PIMmay believe it is not the local rp and return FALSE to MSDP for the given source.

If MSDPmakes the call into PIM during this window after a configuration

change(commit), then it is possible that the Source Active(Type 5) state will be

removed. The fix will be to clear out the local rp state right before it is re-evaluated ie

after it reads configuration for all interfaces; to not allow any time gap where it could

be inconsistent. PR1015155


• Authentication and Access Control on page 183





• J-Web on page 187










• The syslogmessage "UI_OPEN_TIMEOUT: Timeout connecting to peer" might appear

if "show version detail" command is executed. This log is a cosmetic log and can be

ignored. This issue is fixed from Junos OS Release 13.3 onwards. PR895320


• OnMXSeries routerswith bothMXSeries linecard (in this case, MPC andMPCE on the

box) and other type linecard (DPCE on the box). When the Default Frame Relay DE

Loss Priority Map is configured and commited, all FPCs are getting restarted with

core-files. PR990911

• SNMPget-request for OID jnxCosIngressQstatTxedBytes (ingress queue)might return

the value of jnxCosQstatTxedBytes (egress queue). But SNMPwalk works fine since

it uses get-next-request. PR1011641


Resolved Issues


https://prsearch.juniper.net/PR895320




• Whena firewall filter hasoneormore termswhichhaveMXSeries-onlymatchcondition

or actions, such filters will not be listed during SNMP query. This behavior is seen

typically after Routing Engine reboot/upgrade/master-ship switch. Restarting mib2d

process will cause to learn these MX Series-only filters: cli > restart mib-process After

mib2d restart, SNMPmib walk of firewall OIDs will: - list all the OIDs corresponding

this MX Series-only filter - count correctly as configured in the filter Now, despite the

SNMPmib walk for firewall OIDs lists all OIDs and appropriate values, messages logs

will report the following logs for every interface that has this MX Series-only filter

applied. > Jul 8 15:52:09 galway-re0mib2d[4616]:

%DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: get_counter_list: failed in reading

counter namesae33.1009-i: 288 (No such file or directory)> Jul 8 15:52:09galway-re0

mib2d[4616]: %DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: get_counter_list: failed

in reading counter names ae31.1004-i: 257 (No such file or directory) > Jul 8 15:52:09

galway-re0mib2d[4616]: %DAEMON-3-MIB2D_RTSLIB_READ_FAILURE:

get_counter_list: failed in reading counter names ae33.1010-i: 289 (No such file or

directory) > Jul 8 15:52:09 galway-re0mib2d[4616]:

%DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: get_counter_list: failed in reading

counter names ae31.1004-i: 257 (No such file or directory) The above two issues are

addressed in this PR fix. PR988566

General Routing

• OnTXP/TXP-3Dplatform, a bad I2Cdevice onSFCSwitch InterfaceBoard (SIB)might

cause Switch Processor Mezzanine Board (SPMB) to crash and all SIBs to be unable

to online. PR846679

• Changing the redundancymodeof rlsq interface from"hot-standby" to"warm-standby"

on the fly might lead to kernel crash and the router will go in db> prompt. PR880451

• A few particular sequence of member failures in an AMSwith HA-enabled and with

NAPT-44 configured can cause sessions to reset after a GRES (or SPD restart).

PR910802

• In scale DHCP subscribers scenario (e.g. 54K dual-stack DHCPv4/DHCPv6), graceful

Routing Engine switchover (GRES) is configured. If Routing Engine switchover occurs,

after that execute the command "root@user> show dynamic-configuration" many

times, large scale DHCP or DHCPv6 subscribers might be terminated. PR968021

• In the dual Routing Engines scenario with 8K PPP dual stack subscribers. In rare

condition, after Routing Engine switchover, some subscribers are stuck in terminating

state forever. PR974300

• 1)Due toaprevious fix chassisdon theprotocolmasterRoutingEngineand theprotocol

backup Routing Engine connect to the main snmpd on the protocol master using the

followingmethods. a) Chassisd on the protocolmaster Routing Engine connects using

a local socket since snmpd is running locally. b) Chassisd on the protocol backup

Routing Engine connects using a TNP socket since snmpd is not local. 2) However this

fix changed the way the other daemons connect to snmpd. All important daemons

runon theprotocolmaster andshould connect to snmpdusinga local socket.However

the fix changed it so that all daemons that ran on the protocol master (other than









chassisd) tried to connect using the TNP socket. SNMPD does not accept these

connections.Asa fix, inanMX-VC,wemadesure thatchassisdconnects toall processes

which run on the protocol master using internal socket while the chassisd process on

the protocol backup and protocol lincecard connect connect using TNP socket.

PR986009

• In 6PE scenario, when PE router is sending IPv6 TCP traffic to MPLS core, in rare

occasions, the kernel might crash and reboot with a vmcore file dumped. PR988418

• OpenFlow v1.0 running on an MX Series router does not respond reliably to interface

up or down events within a specified time interval. Per a fix implemented in Junos OS

Release 13.3R3.6, OpenFlow v1.0 running on an MX Series router responds reliably to


PR989308

• OnM7i/M10iwith enchancedCFEB,M320with E3-FPC,M120andMXSerieswithDPC.

If "no-local-switching" is present in the bridge domain, then the IGMP-snooping is not

functioning and client cannot see the multicast traffic. PR989755

• During large scale MVPN routes churn events, some core-facing IGP protocols (like

OSPF or LDP)might flap or experience a long convergence time. PR989787

• Commit error needs to be reported when using unsupported NAPT44 nat-options

max-sessions-per-subscriber configuration with MS-MIC/MS-MPC. PR993320

• On T4000 router with type5 FPC. After FPC rebooting, if chassisd process does not

get FPC ready/FPConlineACKmessage fromFPC in 360 seconds, the FPCmight reset

again. PR998075

• OnM/MX/TSeries routers (platforms)withNetwork Address Port Translation (NAPT)

configuration.When the router receives the packet whose value of protocol field in the

IPv4 header is 61, the router erroneously does NAPT44 translation. In the correct

situation, the packet should not be translated and forwarded. PR999265

• The PICmemory gauge counters show up as 0 after a GRES switchover in the "show

chassis pic fpc-slot X pic-slot Y" output. PR1000111

• OnMX240/MX480/MX960 routers running as precision time protocol (PTP)master

when interconnect with MX104 routers running as slave, the PTP clocking state might

get stuck in "INITIALIZING" for the first createdPTPport and not be aligned to clocking

state. Another issue is that when issue command "show ptp clock", wrong "slot"

number might be seen on MX104 slave. PR1001282

• "Syslog generated for session-open will have nat port information only if it is different

from the original source port". PR1001912

• If issue the command "show services nat mappings endpoint-independent" or "show

services nat mappings address-pooling-paired" or "show services sessions" and kill it

immediately when using EIM/APP feature with toomany EIM/APP entries present in

the system, lots of ipc message reply failure messages may be seen in the syslog.

PR1002683

• Multi-Services PIC could crash and restart on receiving a stray SIGQUIT signal due to

it not handling the signal. PR1004195


Resolved Issues














• When several PICs are set up as an aggregated Multi-services (AMS) doing

load-balancing, if one PIC of the AMS bundle gets offline and then gets online, 30 to

40 secondsmomentary traffic loss might be seen. PR1005665

• Ingress queuing is not supported on MPC5 (With Q-MPC) when Optical Transport

Network (OTN) is enabled. Enabling ingress queuing with OTNwould lead to line card

crash. PR1008569

• Withmore thaneight service-setsconfigured,whenusingSNMPmibwalk for service-set

(object "jnxSpSvcSetTable") info, the mspmand process (which manages the

Multi-Services PIC) might crash. PR1009138

• When the SIB plane state changed to fault state, it should read the FPGA for the power

related information instead of reading from the cpld. PR1009402

• Whenever an FPC goes down suddenly due to hardware failure, the data traffic in

transit towards this FPC fromtheother FPCs couldbe stuck in the fabric queue thereby

triggering fabric drops due to lack of buffers to transmit the data to active destination

FPCs. PR1009777

• On ALG router without "flow-control-options" configured, MS-MICmight not service

packets any more once prolonged flow control is hit and cleared. PR1009968


• When the GE port is configured withWAN PHYmode, a "Zero length TLV" message

might be reported from the port. This is a cosmetic issue. PR673937

• With nonstop active routing (NSR) enabled, the VRRP tracking routes state on backup

Routing Engine might not get synchronized when adding/deleting the tracking routes.

PR983608

• OnMX Series platform, when an aggregated Ethernet bundle participating as Layer2

interface within bridge-domain goes down, the following syslog messages could be

observed. Themessages would be associated with FPC0 even if there are no link(s)

from this FPC0 participating in the affected aggregate-ethernet bundle. mib2d[2782]:

SNMP_TRAP_LINK_DOWN: ifIndex 636, ifAdminStatus up(1), ifOperStatus down(2),

ifNamexe-3/3/2mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex637, ifAdminStatus

up(1), ifOperStatusdown(2), ifNamexe-3/3/3mib2d[2782]:SNMP_TRAP_LINK_DOWN:

ifIndex740, ifAdminStatusup(1), ifOperStatusdown(2), ifNameae102 fpc0LUCHIP(0)

Congestion Detected, Active Zones f:f:f:f:f:f:f:f:f:f:f:f:f:f:f:f fpc0 LUCHIP(0) Congestion

Detected, Active Zones 2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm set: FPC

color=RED, class=CHASSIS, reason=FPC 0Major Errors craftd[1601]: Major alarm set,

FPC 0Major Errors fpc0 LUCHIP(0) Congestion Detected, Active Zones

2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm cleared: FPC color=RED,

class=CHASSIS, reason=FPC 0Major Errors craftd[1601]: Major alarm cleared, FPC 0

Major Errors fpc0 LUCHIP(0): Secondary PPE 0 zone 1 timeout. fpc0 PPE Sync XTXN

Err Trap: Count 7095, PC 10, 0x0010: trap_nexthop_return fpc0 PPE Thread Timeout

Trap: Count 226, PC 34a, 0x034a: nh_ret_last fpc0 PPE PPE Stack Err Trap: Count 15,

PC 366, 0x0366: add_default_layer1_overhead fpc0 PPE PPE HW Fault Trap: Count

10, PC 3c9, 0x03c9: bm_label_save_label fpc0 LUCHIP(0) RMC 0 Uninitialized

EDMEM[0x3f38b5]Read(0x6db6db6d6db6db6d)fpc0LUCHIP(0)RMC1Uninitialized

EDMEM[0x394cdf] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0) RMC 2











Uninitialized EDMEM[0x3d9565] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0)

RMC3UninitializedEDMEM[0x3d81b6]Read(0x6db6db6d6db6db6d)Thesemessage

would be transient in nature. PR990023

• In the demux interfaces over aggregated Ethernet (AE) environment with

targeted-distribution configuration. The index of AE interface is confused when the

index ismore than 100. It copiesonly fourbytes from interfacename. (e.g. If binddemux

interface to ae110, it will be bound to ae11 at the same time). The traffic forwarding

might be affected. PR998906

• OnMX Series router with MX Series linecard or T4000 router with type5 FPC, when

the"Hardware-assisted-timestamping" isenabled, theMPCmodulesmightcrashwith

a core file generated. The core files could be seen by executing CLI command "show

system core-dumps". PR999392

• IGMP joins do not work for PPP subscribers that are usingMLPPP and LNS. PR1001214

• Fabric Blackholing logic recovery for certain cases will be done with different action

(Phase 1/2/3) based on the problem. PR1009502

• Here is the expected behavior for CFM CCM: 1. UP MEP CFM session a. If there is a

manually configured ieee-802.1 classifier attached to the interface, then forwarding

class of the CCM injected should match the respective classifier. b. If there interface

in which CFM is configured has no ieee-802.1 based 1p classified, then the forwarding

class of the CCMwill take as configured in "host-outbound-traffic". c. In case if there

is no "host-outbound-classifier"present thenpacketswill be treatedasnetworkcontrol

(Q3). 2. DownMEP CFM session a. forwarding class of the CCMwill always depends

on the FC classified based on "host-outbound-traffic". If it is not configured, then it

will always take Q3. PR1010929

J-Web

• An insufficient validation vulnerability in J-Web can allow an authenticated user to

execute arbitrary commands. This may allow a user with low privilege (such as read

only access) to get complete administrative access. This scope of this vulnerability is

limited to only those users with valid, authenticated login credentials. Please refer to

JSA10560 for more information. PR826518

Layer 2 Features

• In BGP signaled VPLS/VPWS scenario, rpd process memory leak might occur when

groups with wildcard configuration is applied to the routing instance. PR987727

• When "system no-redirect" is configured, l2 descriptor destination MAC address gets

overwritten and causes "DA rejects" on next-hop router. PR989323

• In race condition, when FPC gets rebooted or reset, link(s) from this FPC which are

part of aggregatedEthernetbundlewould remain inLACP"Detached" state indefinitely.

user@router> show lacp interfaces ae102 Aggregated interface: ae102 LACP state:

Role Exp Def Dist Col Syn Aggr Timeout Activity xe-2/0/0 Actor No Yes No No No Yes

Fast Active xe-2/0/0 Partner No Yes No No No Yes Fast Passive xe-2/0/1 Actor No No

Yes Yes Yes Yes Fast Active xe-2/0/1 Partner No No Yes Yes Yes Yes Fast Active LACP

protocol: Receive State Transmit State Mux State xe-2/0/0 Defaulted Fast periodic

Detached xe-2/0/1 Current Fast periodic Collecting distributing user@node> show


Resolved Issues










interfaces xe-2/0/0 terse Interface Admin Link Proto Local Remote xe-2/0/0 up up

xe-2/0/0.0 up up aenet --> ae102.0 xe-2/0/0.32767 up up aenet --> ae102.32767 This

issue would be seen when associated aggregated Ethernet bundle is configured for

vlan-tagging. To clear this condition, the affected interface should be deactivated and

activated using CLI commands. user@node# deactivate interfaces xe-2/0/0

user@node#commit user@node#activate interfaces xe-2/0/0user@node#commit

PR998246

• In the Ethernet ring protection switching (ERPS) environment, once graceful Routing

Engine switchover (GRES) happens on the ring protection links (RPLs) owner node,

there will be a ~30s Ring automatic protection switching (R-APS)message storm in

the ring, which in turn causes some VPLS instance flapping. PR1004066

• In BGP-VPLS scenarios with GRES activated, rpd process might crash in cycles after

manually restarting rpd. PR1011165

MPLS

• In the MPLS environment with no-cspf and strict ERO configuration. In race condition,

if a PATHmessage with routing loop error is received before standby Routing Engine

has resolved the correct PATHmessage with no loop, some of LSP are not replicated

on standby Routing Engine. If Routing Engine switchover occurs, the forwarding traffic

might be affected. PR986714


• The Packet Forwarding Engine local protocol statistics are 32-bit counters. If there is

a rollover (typical candidates are arp/lacp), those counters start from zero. mib2d will

addall counters again if oneof thepfe statistics traffic counter is less then theprevious

collected counter, causing the multiplication affect. PR986712

• Alarmmanagement daemon runs onmaster and backup Routing Engines on dual

Routing Engine systems. There is a 80megabyte alarm.db file that is copied over from

masterRoutingEnginetobackupRoutingEnginewhenthealarm-managementdaemon

has come up on both the Routing Engines. The basic issue is that alarm-management

daemon is trying to copy the alarm.db file over and over again in an infinite loop on the

system, causing CPU utilization shooting up after every 20 seconds or so. PR988969


• The error message 'unlink(): failed to delete .perm file: No such file or directory' was

logged when disconnecting from a Telnet session to the router. PR876508

• The cprod commands essentially allow "root" access to FPCs. Therefore, access to

those commands should be highly restricted. The issue here is any user with "shell"

permissionwill beallowed tousecprodcommand.Weshouldadd restrictions to cprod

to only "root" permission users. PR924574

• The continuous executing of CLI mib walk commandmight cause user being unable

to issue showcommandsandenter configuremodewith error "Littlememory remains.

Command not stored in history." PR949735

• OnMX Series platform, MPCmight crash and reboot when a non-template filter gets

deleted (but does not get completely cleaned up) and the same filter index gets












reassigned toa template filter. This couldbeconsideredasa timing issuegiven it comes

with a very specific sequence of events only. PR949975

• When a port being used for port mirroring goes down due to an external factor, such

asa fiber cut or the remote side rebooting, theFPCCPUmay rise to 100%for4minutes

and then followedbya reboot of the FPCwith a reasonof "pfemanwatchdogexpired".

The issue will only be observed occasionally and requires that the FPC CPU is already

very busy and very large firewall filters (thousands of terms long) to be used. If any of

these three factors are not present, the issue will not occur. As such disabling the port

being used for portmirroring on the Juniper prior to bringing down that link is sufficient

to avoid this issue. PR968393

• OnMX Series based line card, VPLS traffic might get blocked for about 5 minutes

(timer of MAC address aged-out) after re-negotiating control-word. PR973222

• The problem is seen because CFMD is getting a configuration commit after theMX-VC

switch has happened. This commit is deleting the cfmd session and then creating a

new sessionwhich is causing the old information of action-profile to be deletedwhich

brings the interface back up. This problem is fixed by the code correction. PR974663

• OnMXSeries Virtual Chassis platforms, if you configure the interface alias feature, the

featuremightnotworkasexpectedand interfacesmightgoupanddownafter commit.

PR981249

• Have BFD session between one router supporting inline-BFD (MXSeries and JunosOS

Release 13.3 or later) and the other which does not support inline-BFD (any version

andnon-MXSeries, orMXSeriesand JunosOSprior to 13.3).When the "failuredetection

time" is less than 50ms, the BFD session might flap. PR982258

• OnMX2020/MX2010wemight see sporadic FO request time-out error reported under

heavy system traffic load. This would mean the request returning into a grant took

longer then +/-30usec. The packet will still get forwarded through the fabric hence no

operational impact. [May 6 18:56:59.174 LOG: Err] MQCHIP(2) FO Request time-out

error [May 6 19:33:47.555 LOG: Info] CMTFPC: Fabric request time out pfe 2 plane 6

pg 0, trying recovery PR991274

• Packets dropped with IPv6 reject route are currently subjected to loopback ipv6 filter

processing on MX Series-based line cards. As a result the packet dropped by a reject

route may be seen from the "show firewall log". PR994363

• On anMX Series router with MX Series linecard or T4000 router with type5.When the

firewall filter under the [forwarding-options] hierarchy within a bridge domain is

removed, it might result in lookup error and frame dropmight be observed. PR999083

• In the IRB interface environment with "destination-class-usage" configuration. If the

bridge domain ID is the same as Destination Class Usage (DCU) ID (bridge domain ID

and DCU ID are generated by system), the firewall filter might match wrong packets,

the packet forwarding would be affected. PR999649

• OnM7i, orM10i equippedwithEnhancedCompactForwardingEngineBoard (CFEB-E).

When a MPLS LSP flaps, the CFEB-E is unable to recover 8 bytes of JTREEmemory

per event. PR1000385

• MS PICmay reset after GRES in case of excessive resolve traffic. PR1001620


Resolved Issues













• When sending traffic comingonMPCandgoing out onDPC, theMACentry on aPacket

Forwarding Engine will not be up-to-date and the frames targeted to a knownMAC

address will be flooded across the bridge domain. PR1003525

• The non-first IP fragments containing UDP payloadmay bemistakenly interpreted as

PTP packets if the following conditions are met: - the byte at the offset 9 in the IP

packet contains 0x11 (decimal 17) - UDP payload - the two bytes at the offset 22 in the

IP packet contain the value 0x01 0x3f (decimal 319; byte 22=0x01 and byte 23=0x3f)

- PTP protocol Themis-identification of the packet as PTP will trigger the corruption

of the fragment payload. PR1006718

• WhenMicro-BFD configurations is added after the ae bundle configuration, then

micro-bfdsession for all themember links remains in "Down"state.Below is thesnippet

as reference, when ae100 LACP state is "Disturbing", while micro-BFD session remain

in "Down" state while on the other end the session would be in "Init" state.

user@ndoeA> show lacp interfaces ae100 Aggregated interface: ae100 LACP state:

Role Exp Def Dist Col Syn Aggr Timeout Activity xe-0/3/0 Actor No No Yes Yes Yes

Yes Fast Active xe-0/3/0 Partner No No Yes Yes Yes Yes Fast Active xe-0/3/1 Actor

No No Yes Yes Yes Yes Fast Active xe-0/3/1 Partner No No Yes Yes Yes Yes Fast Active

LACPprotocol: ReceiveStateTransmitStateMuxState xe-0/3/0Current Fast periodic

Collecting distributing xe-0/3/1 Current Fast periodic Collecting distributing

user@ndoeA> show bfd session address 10.10.100.145 Detect Transmit Address State

Interface Time Interval Multiplier 10.10.100.145 Down xe-0/3/0 0.000 1.000 3

10.10.100.145 Down xe-0/3/1 0.000 1.000 3 PR1006809

• Memoryallocated in reference to theBFDsessionwasnotgetting freedup.This resulted

in memory leak and thememory exhaustion triggered crash. PR1007432

Routing Protocols

• When the IPv6 address on fxp0 is active during bootup, the joining of the all-router

group causes the kernel to create a ff02::2 route with a private next-hop, which is not

pushed to the Packet Forwarding Engine. When a non-fxp0 interface is active later,

theprivatenext-hopwill be sharedby thenon-fxp0 interfaceaswell, resulting inpacket

drops destined to ff02::2 on the non-management interface. - After this PR, the

advertising interface should be configured via the following CLI. [edit protocols] +

router-advertisement { + interface <interface_name>; + } PR824998

• Performing CLI command "clear multicast bandwidth-admission interface <int>" on

64-bit Junos OS results the rpd process crash. The command should be used without

the interface qualifier on the impacted releases. PR949680

• There are two receivers joined to same (S,G) and IGMP immediate-leave is configured.

When one of the receivers sends the leavemessage for (S,G), another receiver is not

receiving the traffic for 1-2 minutes. PR979936

• In the P2MP environment with OSPF adjacency are established. One router's time is

set to earlier date than another router. OSPF adjacency might not come up when one

router goes down and comes up. PR991540

• Bringing up DFWD based BFD sessions at scale causes a churn in DFW as a result of

which the FPC CPU usage remains at 100% for a prolonged timespan. PR992990












• BMP is not sending a correctly formatted prefix for inet/inet6 labeled unicast BGP

family routes. This occurs if the route resides in the inet[6].0 table, and not if the route

resides in the inet[6].3 table. PR996374

• There are two scenarios that the rpdmight crash. The first scenario is when all BGP

peers flap with bgp route target proxy configured. The second scenario is when BGP

session is configured in a way that one side is configured with family l2vpn

auto-discovery-only, while on the other side is configured with both family l2vpn

signaling and keep all configuration statements. PR1002190

• When IS-IS is configured for traffic engineer (TE), after remove family mpls from the

interface and remove the specific interface from [edit protocols rsvp] and [edit

protocols mpls] hierarchy level, corresponding link is not removed from the TED as

expected. PR1003159

• When there are more than 65535 "flow-spec" routes existing in the routing table, the

rpd processmight crash because it exceeds the currentmaximumsupportable scaling

numbers (Current scaling numbers are in the range of 10K~16K). PR1004575

• During unified in-service software upgrade (ISSU), when a Bidirectional Forwarding

Detection (BFD) session negotiation is happening, if the session is configured with 10

seconds or higher interval, BFD session would flap. PR1010161

• MisconfiguringBGP routevalidationsession to the router itselfmight lead to rpdprocess

crash. PR1010216

• In scaled BFD scenarios, BFD unified ISSU poll negotiation will fail causing the BFD

session to flap during unified ISSU. PR1012859

• Multicast packets might get dropped with NSR configured and graceful switchover of

the Routing Engine is performed. PR1020459


• OnMX240/480/960 routers with MS-DPCwith "deterministic-port-block-allocation

block-size" configuration. In rarecondition,when the "block-size" is set toa larger value

(in this case, block-size=16128), the Services PICmight crash. PR994107

• jflow-logging: seen "mspmand.core.ms41.0.gz*" with data traffic. PR994256

• The redundant services PIC (rsp-) interfaces or redundant Multiservices (rms-)

interfaces configured with "hot-standby" modemight flap upon committing any

configuration change (will happen for evenanunrelated interfacedescription change).

PR1000591

• The following messages are being logged at ERR not DEBUG severity: mspd[3618]:

mspd: Nomember config mspd[3618]: mspd: Building package info This PR sets the

correct severity. PR1003640


Resolved Issues














• MIB entries for jnxUserAAAAccessPoolRoutingInstancemay not appear after deleting

and re-adding an assignement pool under a routing instance. PR998967

VPNs

• In theRosenMVPNenvironment, somedatawouldpass intermittently over thedefault

MDT even after hitting threshold to switch to data MDT. PR999019

• Serving site B is not receiving all the traffic from serving site A when traffic is reduced

from the exceeded cmcast limit. PR1001861










• OpenFlow on page 201









• We cannot bind classifier on GRE interface" for MX Series routers withMPCs andMICs

for some customer demand now. To restore the old behavior, we can configure

'exp-default' configuration statement onGRE interfacewith the fixed JunosOS image.

<< example >> set class-of-service interfaces gr-0/0/0 unit 0 classifiers exp default.

PR941908

• If anyof the schedulers havean IDof zero, cosdprocessmight crash followingacommit.

PR953523

• Sometimes the cosd generate the coredumpwhen add/delete child interface on the

LAG bundle. PR961119











• Applying a scheduler with transmit rate below 65,535 bps and rate-limit option fails

the commit if the associated interface is an non-existing interface or a virtual interface.

PR964647

• OnMX Series router with non-Q DPC (in this case, DPCE 40x 1GE R), when the

"interface-set" is configured on a non-Q DPC, then execute the command "show

interfaces interface-setqueue<interface-set-name>", theDPCmightcrash. PR979668


• VPLSmac-table does not gets populated with mac of previous lt interface after

replacing the lt interface in the configuration, that might cause CE connected to the lt

interface to get isolated. PR955314

• When port-mirroring or sampling is configured, if a lot of route updates are happening

in the system, the routing protocol convergence timemight be long and packets loss

might be observed. PR963060

• In the large scaledDHCPsubscribers setup (e.g. 54,000dual-stackDHCPsubscribers),

dynamic firewall daemon (dfwd)memory leak during DHCP subscribers login/logout.

PR967328

• DPC crashed after deactivate/activate [routing-instances TPIX bridge-domains IX

bridge-options]. PR983640

General Routing

• The ingress family feature (uRPF) unicast Reverse Path Forwarding check execution

order was invalidated when (FBF) Filter Based Forwarding was enabled on MX Series

routers with MPCs or MICs. This solution repositions uRPF just prior to Filter Based

Forwaarding (FBF), so that both actions are compatible and applicable. This applies

to both IPv4 and IPv6. PR805599

• OnMX Series routers containing multiple Packet Forwarding Engines such as

MX240/MX480/MX960/MX2010/MX2020,witheitherMPC3EorMPC4Ecards(MPC3

Type 3 3D/MPC4E 3D 2CGE+8XGE/MPC4E 3D 32XGE), if multicast traffic or Layer 2

flood traffic enters the router via these MPC3E or MPC4E line cards, these line cards

mayexhibit a lockup, andoneormoreof their Packet ForwardingEngines corrupt traffic

towards the router fabric. PR931755

• In theMX-VCscenario, havechassis fabric redundancymodeset to increasedbandwidth

(root@user# set chassis fabric redundancy-mode increased-bandwidth). Then

configure the "offline-on-fabric-bandwidth-reduction" for any slot (root@user# set

chassis fpc<slot>offline-on-fabric-bandwidth-reduction). After that execute commit,

the commit check failed and chassisd crashed with core-dumps. PR932356

• Thisproblemoccurswhena largeamountof servicesandamsconfiguration is changed

in a single override operation. A workaround for this problem is to offline and online

the PIC during or after the configuration change. PR933674

• In Junos OS versions later than 11.2 where IFL localization is enabled, Routing Engine

mastership switchover could lead to IFL indexes inconsistency in Ichip FPCs when

graceful Routing Engine switchover (GRES) is configured. This inconsistency could

gradually lead to IFL index overlaps and traffic blackholing. PR940122


Resolved Issues














• When nonstop active routing (NSR) is configured and thememory utilization of rpd

process on the backup Routing Engine is high (1.4G or above), the rpd crash on backup

RoutingEnginemaybounce theBGPsessionson themasterRoutingEngine. PR942981

• Under particular scenarios, commit action might lead the Context-Identifier to be

ignored when OSPF protocol refresh its database. Then the PE router will stop

advertising this Context-Identifier out. PR954033

• FPCmight lose the socket connection to the Routing Engine during the time kernel

live-core dump is active. IGP session might get dropped after the socket connection

got closed.TheFPCwill get restartedby thekernel once the live-coredumphas finished.

PR954045

• Softwarewillmonitor the FPDdial setting in SFC and LCCand raise a alarm if changed

during runtime. In SFC the config dial and in LCCM/S dial will bemonitored. PR955319

• "show interfaces et-x/y/z extensive" will display MRU now. MRU can be configured at

"set interfaces et-x/y/z gigether-options mru" If MRU is not configured then it is

defaulted toMTU+8.MRUdisplayed fromtheCLIdoesnot include theCRC. PR958162

• To support controlwordonBGP-VPLS forM-320 (i-chip) andMX(DPC+MPC), below

2 config configuration statements are newly introduced. routing-instances { green {

protocols { vpls { + control-word; <<<<<<<<< new configuration statement. +

no-control-word; <<<<<<<< new configuration statement. } } } } To omit IP payload

over ether-pw from hash-key for MX Series, A new configuration statement like below

will be provided. forwarding-options { enhanced-hash-key { family mpls { +

no-ether-pseudowire; } } } PR958685

• In subscribermanagement environment, upgrade JunosOS to specific version (include

12.3R6 13.2R4 13.3R2) via ISSUmight make subsequence subscribers fail to connect

with following error: "jdhcpd_profile_request: Add Profile dhcp request failed for client

in state LOCAL_SERVER_STATE_WAIT_AUTH_REQ: error = 301". PR959828

• OnMXVirtual Chassis (MX-VC), if multiple VCP ports are configured betweenMPC5E

cards, traffic might not be load balanced over the VCP ports, besides, packets might

get lost due to VC ingress and egress next-hop caches getting out of synchronization.

PR960803

• Default threshold for ES-FPC errors is 1 for major errors and 10 for minor errors, when

the threshold is reached, someactions (eg, alarm|offline-pic|log|get-state|offline|reset)

will be taken by FPC as configured. This feature is designed for permament/real errors.

The issue here is that even some transient errors (eg, link flaps) will also trigger the

default action. In some cases, it might cause panic for the FPC. PR961165

• Ethernet over ATM LLC hasmissing OUI information. PR961468

• Onall JunosOSplatforms, if aneventoccurs that causes thePacket ForwardingEngine

to restart, service might be interrupted because the stale interface index has not been

deleted. PR962558

• In the initial router configuration, if static routes are configured over GRE interface and

OAM is enable, then the static routesmay remain active while the GRE tunnel is down.

PR966353

















• NHtracingprovidesa lightweightmechanismtocaptureNHchains traversedbypackets

of interest for further examination. PR967450

• Support for layer 3 VPN localization has been deprecated in the JunosOS releases and

platforms listedbelow.This affects the followingCLI command: "set routing-instances

[instance-name] routing-options localize" Junos OS releases: - 12.3R7 (CLI command

is hidden) - 13.1R5 (CLI command is hidden) - 13.2R5 (CLI command is hidden) - 13.3R3

(CLI command is removed) - 14.1 (CLI command is removed) - 14.2 (CLI command is

removed) Platforms: - M 320 Series router - MX Series routers (all) - T Series routers

(all). PR967584

• OnMX Series platform, when the Channelized T1/E1 Circuit Emulation MIC

(MIC-3D-16CHE1-T1-CE) with non-enhanced queuing MPC1 or MPC2 is inserted, no

traffic is being forwarded out of the T1/E1 ports. PR967861

• Although receiving the flow specification (flowspec) routes with packet-length,

icmp-code or icmp-typematching rules from a BGP peer properly, the local firewall

filter in the Packet Forwarding Engines might not include these matching rules.

PR968125

• Autoheal denied reasonmay not be shown if CRC errors occurs on the same cable

from F13 side more than once in an autoheal window and subsequently error is seen

is again from LCC side. PR973783

• In processing for fpc-resync and fab-liveness packets if error occurs while sending

packet we do not free the packet. This causes packets buffers to leak and eventually

the packet heap runs out of memory. PR973892

• You cannot configure an MTU value on family inet greater than 1496 if there is a trunk

port configured on the interface; if you configure an MTU greater than 1496, a commit

error occurs. If you configure an MTU value on a physical interface on which a trunk

interface is configured, the configuredMTUvalue is ignored and the value is set to 1518.

These issues do not occur if there is no trunk port on the interface. PR974809

• PPP over ATM transit traffic was not being fragmented correctly by ATMMIC. The

changes allow the fragmentation of the transit traffic to work properly. PR976508

• Changing service-set configuration continuously during scaled traffic conditions may

result in mspmand process crash and a core file generated. PR978032

• On T Series router with FIB Localization enabled, if reboot the Routing Engine while

scaled traffic running, the FIB-remote FPCmight crash. PR979098

• In the high scale P2MP LSP environment, heapmemory leak might occur when the

LSP flaps. Then some P2MP LSPsmight be not installed, so the traffic will lose.

PR979211

• scale-subscriber "License Used" filed shows wrong value after GRES. PR980399

• In rare condition, when PPPoE subscribers login with large amounts of configuration

data, the subscriber management infrastructure daemon (smid) and authentication

service process (authd) might crash, and no new subscribers could connect to the

router. PR980646


Resolved Issues
















• In the BFD environment with static route, the BFD session is established between two

routers.When disable the subinterface on one router, the BFD AdminDown packet will

be sent out from the router (this is not expected). But according to RFC 5882, another

router receives theAdminDownpacket, the static routewill never bedeleted on it. That

might cause traffic packets to be dropped. PR982588

• In scenarioofNG-MVPNwithP2MPLSPasprovider tunnel,KernelRoutingTable (KRT)

might get stuck after making changes for MVPN, then traffic loss will be seen, and

besides, rpd processmight crash while trying to generate a live core dump. PR982959

• With a firewall policer configured onmore than 256 IFFs (interface address family) of

a PIC, then offline and online the PICmight cause the FPC to crash. PR983999

• OpenSSL library in Junos OSwas patched to resolve CVE-2010-5298. PR984416

• OnM7i/M10iwith enchancedCFEB,M320with E3-FPC,M120andMXSerieswithDPC.

In a race condition, the Dense Port Concentrator (DPC)may crashwhen ifls get added

to an ifl-set while that same ifl-set get deactivated/deleted in class-of-service. For

example:#set interfaces interface-set interface_set_JTAC_ge-3/0/0 interfacege-3/0/0

unit 100 # deactivate class-of-service interfaces interface-set

interface_set_JTAC_ge-3/0/0 # commit or (quick commit of following changes) # set

interfaces interface-set interface_set_JTAC_ge-3/0/0 interface ge-3/0/0 # commit

# deactivate class-of-service interfaces interface-set interface_set_JTAC_ge-3/0/0

# commit. PR985974

• OpenFlow does not respond to port_down events when the echo interval timeout is

set for less than 11 seconds. PR989308

• The fabric performance ofMPC1, MPC2, or 16xXEMPC in 'increased-bandwidth'mode

on an MX960 populated with SCBE's will be less compared to redundant mode due

to XF1 ASIC scheduling bugs. PR993787

• Under normal circumstances, the Maximum Receive Unit (MRU) value is set to MTU

size + 8 bytes (e.g. MTU=9102, MRU=9102+8=9110). But in this case, whenMTU is set

to a large value (MTU=9192) on AE interface, theMRU still uses the default value 1522

bytes. Sowhen the interface receives packetswhich size aremore than 1522 bytes, the

packets are dropped. PR994826

• On10X10GESFPP,whenan interfaceconfigured forCCCandasynchronous-notification,

and it is told to turn off its laser. Its laser flaps on and off for some period of time.

PR996277

• On T4000 router with type5 FPC. After FPC rebooting, if chassisd process does not

get FPC ready/FPConlineACKmessage fromFPC in 360 seconds, the FPCmight reset

again. PR998075

• The PICmemory gauge counters show up as 0 after a GRES switchover in the "show

chassis pic fpc-slot X pic-slot Y" output. PR1000111















• ServicePIConMS-MPCcardcouldcore-dumpand restart on receivingastraySIGQUIT

signal due to it not handling the signal.With this fixwe ignoreSIGQUIT signal andavoid

Service PIC restart. PR1004195

• When using AMS load-balancing if a PIC in the AMS bundled if offline for any reason

and the operator on-lines the pic there is slight 30 to 40 secondmomentary traffic

loss. PR1005665

Infrastructure

• OnRE-S-1800familyofRoutingEngine, afteran intensivewriting toSSD, the immediate

rebooting might cause SSD to corrupt. PR937774


• If the "tunnel-destination"addressofaGenericRoutingEncapsulation (GRE) interface

is placed in one instance and the GRE interface is placed in another routing-instance,

the lookup for the GRE tunnel destination is done on inet.0 instead of the appropriate

routing instance's inet.0 table. The similar issue could happen on IP-over-IP or

Automatic Multicast Tunneling (AMT) tunnels too. PR851165

• NPC crash seen while verifying Inline Jflow in both RE0 and RE1 and do switchover 10

times and verify new files are updated properly. This is software bug which have been

fixed in 12.3R5. PR905916

• The Packet Forwarding Engine alarms raised by PFEMAN thread using cmalarm api

calls will not be transmitted to Routing Engine. As impact, these alarmswill not reflect

on Routing Engine. There is no impact on functionality, otherwise. PR921254

• If offline and remove a Non-Ethernet Modular Interface Card (MIC) fromMX Series

and then perform a unified in-service-software-upgrade (ISSU), the unified ISSUmay

get aborted. This happens because although theMIC is removed physically but it does

not get removed from the hardware database (HWDB), which makes the chassis

mistakenly try to offline the already removedMICduring unified ISSUand in turn cause

the upgrade failure. PR923569

• Queue stats counters for AE interface will become invalid after deactivating ifl on the

AE interface. PR926617

• Strange FRU Insertion trap[RE PCMCIA card 0] is generated when Routing Engine

master-switching is done on box with RE-1800. PR943767

• Kernel crash might happen when a router running a Junos OS install with the fix to PR

937774 is rebooted. This problemwill not be observed during the upgrade to this Junos

OS install. It occurs late enough in the shutdown procedure that it shouldn't interfere

with normal operation. PR956691

• When an ifl containing some vrrp group configuration is deleted, snmpwalk on vrrp

MIBmay loop continuously. PR957975

• If there is an IRB interface configured for "family inet6" in a bridge-domain on an MX

Series router, the Packet Forwarding Engine may not correctly update the next-hop

for an IPv6 route when theMAC address associatedwith the next-hopmoves from an

AE interface to a non-AE interface. PR958019


Resolved Issues













• In very uncommon situation, we will see LCCs chassisd state is inconsistent with SFC

chassisd state, this is verymisleading in troubleshooting stage. This PR fixed this issue.

PR963342

• Link speed of a LAG bundle may not properly reflect the total bandwidth, when

microBFD is enabled on the LAG interface. PR967046

• Temperature Top and Bottom are swapped in show chassis environments output for

Type3/Type4 FPCs of T Series. PR975758

• In the large scaled VPLS environment , during delete routing-instance of type VPLS,

thememory is not getting freed. The connectivity-fault management daemon (cfmd)

might crash with a core file generated.The core files could be seen by executing CLI

command "show system core-dumps". PR975858

• Vrrpdmemory leaksonlyonbackupRoutingEnginewithoutanyoperationoncondition

that graceful-switchover under chassis/redundancy is enabled and nonstop-routing

under routing-options is disabled with configuring ipv6 vrrp groups. PR978057

• In the multilink frame relay (mlfr) environment with "disable-tx" configuration. When

the differential delay exceeds the red limit, the transmission is disabled on the bundle

link. When it is restored, the link should be added back. But in this case, the link stays

disable state and it is not rejoined to the bundle. PR978855

• After the following process, we can findMCAEbecomes standby/standby status. Even

if we set "set interfaces aeX aggregated-ether-optionsmc-ae events iccp-peer-down

prefer-status-control-active" for both routers, we can find this issue. << topology

example >> iccp ge-1/0/1 ge-1/0/1 [ MX80(router A)]-----------------[MX240(router

B)] \ ae0 ae0 / --active-- \ / --standby-- \ MC-LAG / \ / \ / ae0(ge-0/0/0)\

/ae0(ge-0/0/1) [ EX4200(switch C) ] << process >> initial status router A : active

router B : standby 1. disable ae0 of router A. 2. disable iccp link of router A. 3. disable

ae0 of switch C 4. enable iccp link of router A. (Please wait until iccp status up.) 5.

enable ae0 of switch C 6. enable ae0 of router A. PR982713

• When upgrading to 13.3R2, customermay see the followingmessages: Chassis control

process: rtslib: ERROR kernel does not support all messages: expected 104 got 103,a

reboot or software upgrademay be required Chassis control process: Chassis control

process: rtslib: WARNING version mismatch for msgmacsec (103): expected 99 got

191,a reboot or software upgrademay be required Chassis control process: Chassis

control process: rtslib: ERROR kernel does not support allmessages: expected 104 got

103,a reboot or software upgrademay be required Chassis control process: Chassis

control process: rtslib: WARNING version mismatch for msgmacsec (103): expected

99got 191,a rebootor softwareupgrademaybe requiredThesemessagesaregenerated

during validating the new chassis management daemon against the old kernel, and

are harmless. PR983735

• 1GbE SFP(EX-SFP-1FE-LX) output optical power is restored after reseating bymanual

removal/insert of SFP although the IF is disabled. PR984192

• SNMPOID VRRP-MIB::vrrpAssoIpAddrRowStatus returns only one Ip address when

the interface ifl has configured with two virtual-addressees under two vrrp-groups.

PR987992















• Followingmessages couldbe seenon the router for the FPCslotwhich are evenempty.

These messages are cosmetic and could be ignored. chassisd[1637]: %DAEMON-6:

FPC 0 does not support Pic power off config cmd ignoring the config change

chassisd[1637]: %DAEMON-6: FPC 2 does not support Pic power off config cmd

ignoring the config change. PR988987

• CFMDmay crash after configuration change of an interface in a logical systemwhich

is under OAM config for a l2vpn instance. PR991122

Layer 2 Features

• WhenDHCP local server andDHCPrelayarebothconfiguredonsame router, theDHCP

relaybindingmightget lost if agracefulRoutingEngine switchover (GRES) isperformed.

PR940111

• In L3Wholesale environment, the DHCP clients might fail to renew their address in

DHCP relay scenario. PR956675

• Configuring Ethernet Ring Protection Switching (ERPS), after changing interface's

MTUonRing Protection Link (RPL) owner, all the interfaces on RPL owner change into

forwarding state, hence cause a layer 2 loop. PR964727

• OnMXSeries platformwith Ethernet Ring Protection Switching (ERPS) configuration,

after disabled Ring Protection Link (RPL) interface and thenmove RPL fromwest

interface to east interface, as a result, the ERPS east and west interface might go into

discard state at same time. PR970121

• In DHCPv6 subscriber environment, changing the c-tags (inner vlan)without clear the

DHCPv6 clients first is not recommended, it might cause the subscriber to use the old

inner vlan even after DHCPv6 RENEW process. PR970451

• When Cisco running in an old version of PVST+, it does not carry VLAN ID in the end of

BPDU. So Juniper Networks equipment fails to responds to Topology Change

Notification ACK packet when it interoperates with Cisco equipment. After the fix,

Juniper equipmentwill read theVLAN ID information fromEthernet header. PR984563

• Layer 2 Control Protocol process (l2cpd) is used to enable features such as Layer 2

protocol tunneling or nonstop bridging. If a router receives a Link Layer Discovery

Protocol (LLDP) packets withmultiplemanagement address TLV,memory leakmight

occur which resulting in l2cpd process crash. PR986716

• jnxLacpTimeOut trapmayshownegative valuesand incorrect values for jnxLacpifIndex

and jnxLacpAggregateifIndex. PR994725

• In race condition, when FPC gets rebooted or reset, link(s) from this FPC which are

part of aggregate-ethernetbundlewould remain in LACP"Detached" state indefinitely.

user@node> show lacp interfaces ae102Aggregated interface: ae102 LACPstate: Role

Exp Def Dist Col Syn Aggr Timeout Activity xe-2/0/0 Actor No Yes No No No Yes Fast

Active xe-2/0/0 Partner No Yes No No No Yes Fast Passive xe-2/0/1 Actor No No Yes

Yes Yes Yes Fast Active xe-2/0/1 Partner No No Yes Yes Yes Yes Fast Active LACP

protocol: Receive State Transmit State Mux State xe-2/0/0 Defaulted Fast periodic

Detached xe-2/0/1 Current Fast periodic Collecting distributing user@node> show

interfaces xe-2/0/0 terse Interface Admin Link Proto Local Remote xe-2/0/0 up up

xe-2/0/0.0 up up aenet --> ae102.0 xe-2/0/0.32767 up up aenet --> ae102.32767 This


Resolved Issues












issue would be seen when associated aggregate-ethernet bundle is configured for

vlan-tagging. To clear this condition, the affected interface should be deactivated and

activated using CLI commands. ============ [edit] user@node# deactivate

interfaces xe-2/0/0[edit] user@node#commit [edit] user@node#activate interfaces

xe-2/0/0 [edit] user@node# commit ============ PR998246

MPLS

• When the install prefix (specified by the "install" configuration statement) and

destination prefix (specified by the "to" address of the LSP) are same for a static LSP,

the routing protocol process (rpd) might crash while deleting the LSP. PR958005

• During SNMPwalk on tableMPLS cross-connect table (mplsXCTable) in case of flood

nexthop, the rpdmight crash. PR964600

• In the large scaled MPLS setup with NSR enabled. When restart routing protocol

daemon (rpd) on standby Routing Engine, or reload standby Routing Engine, or reload

router, some filtered output label bindings might bemissed on the backup Routing

Engine,which leads toLabelDistributionProtocol (LDP)databasebetween themaster

and backup Routing Engines are inconsistent. PR970816

• In a scaled MPLS environment, whenever fast reroute (FRR) or Link Protection (LP)

or Node Protection (NP) is configured, the switchover from the primary LSP to the

secondary LSPmight cause traffic loss for few seconds. PR973070

• In the MPLS environment, when execute the command "show snmpmib walk

mplsXCTable" to walk the MPLS cross connect table, the routing protocol daemon

(rpd) CPU utilization might reach over 90%, and the rpd process does not respond to

any CLI show commands. PR978381

• snmpwalk/snmpgetnextor "showsnmpmibwalk" failwhenpollingMPLSLSPOCTETS,

MPLSLSPPACKETS, MPLSLSPINFOOCTETS or MPLSLSPINFOPACKETS. PR981061

• LSPmetricmodification leads to Constrained Shortest Path First(CSPF) computation

and resignaling. It should update RSVP routes directly. PR985099

• In the MPLS environment with "egress-protection" configuration, there is a direct LDP

session between primary PE and protector. One context-id is configured as primary

PE's loopback address or any LDP enabled interface address. When delete the whole

apply-group or delete the ldp policy from apply-group, the routing protocol daemon

(rpd) might crash. PR988775

• In the virtual private LAN service (VPLS) environment with multihoming (FEC 129) is

configured, when the router receives the label request for the Forwarding Equivalency

Class (FEC) 129, if there is no route for the specific FEC 129, the routingprotocol daemon















• Alarmmanagement daemon runs onmaster and backup Routing Engine on dual

Routing Engine systems. There is a 80megabyte alarm.db file that is copied over from

masterRoutingEnginetobackupRoutingEnginewhenthealarm-managementdaemon

has come up on both the Routing Engines. The basic issue is that alarm-management

daemon is trying to copy the alarm.db file over and over again in an infinite loop on the

system, causing CPU utilization to shoot up after every 20 seconds or so. PR988969

OpenFlow

• OpenFlow v1.0 running on an MX Series router does not respond reliably to interface

up or down events within a specified time interval. Per a fix implemented in Junos OS

Release 13.3R3.6, OpenFlow v1.0 running on an MX Series router responds reliably to


PR989308


• Since theACPowerSystemonMX2020 isaN+Nfeed redundantandN+1power supply

modules (PSMs) redundant, there are two separate input stages per PSM , each

connected to one of the two different/redundant feeds. However, only one stage is

active at a time. This means, the other input stage (unused input stage) may be bad

and systemwill not know about it till it tries to switch to it in case of a feed failure.

PR832434

• When using OSPF/OSPFv3 with interface type point-to-point, it is possible that the

OSPFsession(usingmulticast traffic exclusively) tocomeupbeforenext-hop resolution

is done (ARP, or ND). In this case, transit traffic will be discarded, until resolution is

done. When you havemultiple links available, then the route will be balanced using a

"unilist" next-hop.When one of the links in the "unilist" doesn’t have layer2 resolution,

these next-hopswill actually drop traffic. The fix added by this PRwill make unilist not

contain forwarding and non-forwarding at the same time.When theNH resolutionwill

be done, then the link will be added to the unilist. PR832974

• The error message 'unlink(): failed to delete .perm file: No such file or directory' was

logged when disconnecting from a Telnet session to the router. PR876508

• When the instance have vlan-id all and adding interface unit with "vlan-tags outer X

innerY" to this instance, traffic fromALL instanceVLANs is leakingover that unit tagged

with outer tag X and each VLANs own inner tag A,B.C,..... Fix: When the instance have

vlan-id all, for dual tagged ifl the inner vlan check will be done. PR883760

• OnMX Series based line card, for interfaces tagged with VLAN ID same as the

native-vlan-id configured on the interface, FPC adds Native VLAN ID to the packets

received on the interface and destined to the host. This is irrespective of the packet

content. This results in the packets getting doubly tagged when receiving packets

which are already tagged with VLAN IDmatching the Native VLAN ID, and thus cause

ARP resolution failure on Native VLAN. For example, the ARP packets to IRB (on VLAN

101) are tagged with VLAN ID 101 (which is also the native VLAN ID) and are getting

additional tagged. Hence they are dropped by the IRB and this can cause the ARP

request packet not getting resolved on Native VLAN. PR917576


Resolved Issues


prsearch.juniper.net/PR989308







• When the transit traffic is hitting the router and the destination is a local segment IP

which requires ARP resolution, it's mis-classified by the DDOS filter and an incorrect

policer is applied. This leads to host queue congestion. PR924807

• Startingwith JunosOSRelease 13.3and later, the rangeofCLI screen-with is40 through

1024 (in earlier Junos OS releases, the range is 0 through 1024). This PR restores the

option of setting screen-width to 0 resulting in unlimited screen width. PR936460

• The Routing Engine and FPCs are connectedwith an internal Ethernet switch. In some

rare case, the FPCsmight receive amalformed packet from the Routing Engine (e.g.

packet gets corrupted somewhere on its way from Routing Engine to FPC). Then the

toxic traffic might crash the FPC. PR938578

• MPC Type 2 3Dmay crash with CPU hog due to excessive link flaps causing the

interrupts to go high. PR938956

• On a router which does a MPLS label POP operation (penultimate hop router for

example) if the resulting packet (IPv4 or IPv6) is corrupted then it will be dropped.

PR943382

• If a PE router is both egress and trazit node for a p2mp lsp, the Packet Forwarding

Engine may report errors and install a discard state for the fib entry representing the

p2mp lsp label with bottom of stack bit set to 0 . This problem does not have any

impact since there is no application using the s=0 entry of a p2mp lsp. PR950575

• * MX2020 FanTray power specification. - zone#1:FT#3 - gets power from zone#1 only

- zone#1:FT#2 - gets power from zone#0 in case of no-power in zone#1 - zone#0:FT#1

- gets power from zone#0 only - zone#0:FT#0 - gets power from zone#1 in case of

no-power in zone#0 - Critical(Minimum) number for MX2020 operation is 3 If one of

zone has no PSM, then it means FAN single-fault in the chassis's point of view. For

example, if zone#1hasnoPSM, then theFT#3doesnotgetpoweras it is local-powered

FT. Hence, in this case, the FT#3-LED should showORANGE to notify the single-fault

to user,while FT#2 can showsGREEN if it gets enoughpower fromzone#0. In addition,

CRAFT-LED for FT#3 should be turned off. * Due to HW-limit(bicolor), it could not

showORANGE color. In current implementation, both CRAFT-LED, FT#3-LED show

GREEN. That's problem. * NOTE: JunosOS does not support FT double-fault scenario.

(MX2020 needsminimum 3 FTs.) If FT#2 gets in trouble in above case(i.e.,FT

double-fault), the user should see serious cooling-trouble on SFMs within 1 minute.

PR957395

• Unable to modify dynamic configuration database after first commit. PR959450

• When we set "traffic-manager mode ingress-and-egress" on "MIC-3D-40GE-TX (3D

40x 1GE(LAN)RJ45)",we cannot use ingress queue correctly onPIC2 andPIC3. *Note:

We cannot see this issue if we set the above configuration to PIC0 or PIC1. PR959915

• Certain combinations of Junos OS CLI commands and arguments have been found to

be exploitable in a way that can allow root access to the operating system. This may

allow any user with permissions to run these CLI commands the ability to achieve

elevated privileges and gain complete control of the device. Refer to JSA10634 for


























• A defect in L3VPNMake Before Break code was resulting in freeing memory

corresponding tooldnexthopswhich isbeingusedbyegressPacket ForwardingEngine.

This was resulting in memory corruption. PR971821

• WithNG-MVPN,multicast trafficmight get duplicatedand/or blackholed if aPE router,

with active local receivers, is also a transit node and the p2mp lsp is branched down

over an aggregate interface with members on different Packet Forwarding Engines.

PR973938

• SNMP alarms/traps could be generated for unpowered fan trays when only one zone

is powered. PR982970

• OnMX Series platform, when filter is applied on the interface with the action of "then

next-interface", thepackets that are forwardedby the firewall filterwouldbecorrupted.

PR986555

• Interface aliaswas not shown in the show commandswhen configured. Now interface

aliaswill be shown (IF CONFIGURED) in show commands containing interface names.

A |display no-interface-alias command adds the ability to show the actual interface

name if its needed. PR988245

• When services packet(interface-style) is diverted to different routing-instance using

a firewall filter, route lookup of the services packet wasmatching a reject route which

results in PPE thread timeout. PR988553

• TXPwith 13.1R4might not trigger autoheal after65535CRCerror eventon inter-chassis

optical hsl2 link. Customer will need to domanual fabric plane reset to recover the

faulty SIBs after the 65535 CRC error event. PR988886

• NPC core /../src/pfe/ukern/cpu-ppc/ppc603e_panic.c:68. PR989240

• On logical-systems, backup rpd of logical systems is not getting SIGHUPwhen the

"commit fast-synchronize" statement at the [edit system] hierarchy level is enabled.

It causes the issue "restarting backup rpd" of logical systems (as part of recovery

mechanism). PR990347

• Whentwomidplane linkerrorsarepresentbetweenF13andF2Sibs thenCLOSrerouting

logic does not work properly. This can introduce RODR packet drops and result in

destination errors in the plane. PR992677

• "delete" or "deactivate" of apply-group defining the entire TACACS or RADIUS

configuration configured under [edit system apply-group <>] does not take effect on

commit. This could lead to TACACS or RADIUS based authentication to still continue

working despite removal (delete/deactivate) of configuration. PR992837


Resolved Issues
















• OnMX Series router with MPCs or MICs or T4000 router with type5 FPC, if the CoS

scheduler is configured without transmit-rate while with buffer-size temporal, the

Packet Forwarding Engine might not allocate buffer for the associated queue. The

issue might lead to packets loss. PR999029

• The configuration to be applied to the feature auto backup Routing Engine upgrade

for NON-GRES case when back up Routing Engine has unsupported CB. policy

FRU-UNSUPPORTED { events CHASSISD_FRU_UNSUPPORTED; attributes-match {

CHASSISD_FRU_UNSUPPORTED.fru-namematches CB; } then { event-script

auto-image-upgrade.slax; } } event-script { file auto-image-upgrade.slax; }

Recommended setting: -------------------- Since above

CHASSISD_FRU_UNSUPPORTED event generated for every 20mins on box after boot

up, to stop from repetitive execution of this event policy, we can specify following

'within clause' in the event policy configuration. policy FRU-UNSUPPORTED { events

CHASSISD_FRU_UNSUPPORTED; within 1200 { not events

CHASSISD_FRU_UNSUPPORTED; } attributes-match {

CHASSISD_FRU_UNSUPPORTED.fru-namematches CB; } then { event-script

auto-image-upgrade.slax; } } event-script { file auto-image-upgrade.slax; }PR1000476

Routing Protocols

• InPIM-SMnetworkwith"bootstrap routing"RPselectionmechanismused, it isobserved

that some bootstrapmessages (BSMs) generation and forwarding behavior of Junos

OS does not conform to RFC standard, specifically in the section 3.2 (Bootstrap

message generation), 3.3 (Sending Candidate-RP-Advertisement Messages) and 3.4

(Creating the RP-Set at the BSR). PR871678

• In Protocol Independent Multicast (PIM) scenario, if interface get deleted before the

(S,G) route is installed in the Routing Information Base (RIB), then this interface index

mightbe re-usedbykernel foranother interfaceand thuscause routingprotocolprocess

(rpd) core. PR913706

• The rpd process might crash when executing the command "show route

advertising-protocol bgp <nbr>" without a table option, or with a table that is not

advertised by BGP. PR959535

• In the scenario of multicast receiver could receive traffic frommLDP or PIM, if at first

the multicast traffic is flowing over PIM, then the flapping of PIM protocol will cause

the traffic to flow over mLDP and later switch back to PIM, but the mLDP

forwarding-cachemight not get pruned, which resulting duplicated traffic. PR963031

• In certain rare circumstances, BGP NSR replication to the backup Routing Engine may

not make forward progress. This was due to an issue where an internal buffer was not

correctly cleared in rare circumstances when the backup Routing Engine was

experiencing high CPU. PR975012

• In scaledBGPenvironment, if anNSRenabled routerdoesnothaveany routing-instance

configured, after flapping BGP groupswithmultiple peers, some BGP neighborsmight

get stuck in 'not advertising' state. PR978183

• In the dual Routing Engine scenario, after an Routing Engine switchover, the periodic

packet management daemon (ppmd)might exit. PR979541












• OnMXSeries platformswith IGMP snooping enabled on an IRB interface, some transit

TCP packets may be wrongly considered as IGMP packets, causing packets to be

dropped. PR979671

• Due to some corner cases, certain commits could cause the input and/or output BGP

policies to be reexamined causing an increase in rpd CPU utilization PR979971

• PPMD filter is not programmed properly which is resulting Routing Engine to absorb

BFD packets instead of Packet Forwarding Engine. PR985035

• In Junos OS, by default the RIP protocol "send" option is set to Multicast RIPv2. When

this "send"option is changed from"multicast"(active) to "none"(passive)or vice-versa,

rpd core might be seen on the router. PR986444

• In V4 RG, member site receives traffic from both serving sites for few sources upon

withdraw/inject routes for 30 seconds. PR988561

• OSPF adjacency is not coming up with error "OSPF packet ignored: authentication

failure (sequence error)" in p2mpwhen remote peer goes down. PR991540


• Any SIP MESSAGE request will be dropped by the SIP ALG, this type of request is

unsupported from day one. This is rare type of request which will not prevent more

usual SIP operations such as voice calls, but it may affect some instant messaging

applications based on SIP. PR881813

• Clearing the stateful firewall subscriber analysis causes the active subscriber count to

displaya very hugenumber. The largenumber is seenbecausewhenasubscriber times

out the number of active subscribers is decremented. If it is set to zero using the clear

command, then a decrement would give an incorrect result. There is no impact to the

overall functionality and the fix is expected to be present in 14.1R2. PR939832

• Ping failure from LNS to MLPPP client. PR952708

• The dynamic flow control process (dfcd) might core dumpwhen Dynamic Tasking

Control Protocol (DTCP) trigger request is same for both the VLAN and DHCP

subscriber. PR962810

• Message type for if_msg_ifl_channel_delete should be lower severity and not an error.

PR965298

• In the context ofDS-Lite softwire scenario,where theAddress Family TransitionRouter

(AFTR) node performs NATwith Endpoint Independent Filtering (EIF) and Endpoint

Independent Mapping (EIM) enabled, the simultaneous arrival of two packets from

opposite sides of the NATwill trigger the creation of the same flow, which in a race

condition results in the Service-PIC restart. PR966255

• During the Junos OS enhancement of the Port Control Protocol a few issues were

identified regarding NAT flows creation, clearing of the mappings, releasing the

addresses in use, etc. PR967971

• In the L2TP scenario with dual Routing Engines. After subscriber management

infrastructuredaemon(smid)being restarted,because thedeletenotification tobackup

Routing Engine might be lost, the subscriber database (SDB) information does not


Resolved Issues















synchronizebetweenmasterRoutingEngineandstandbyRoutingEngine.AfterRouting

Engine switchover is executed, the Layer 2 Tunneling Protocol daemon (jl2tpd) might

crash, and new L2TP subscribers are unable to dial. PR968947

• When transferring large FTP file, the server might send packets with incorrect layer 4

checksum. If inline NAT service is enabled on the router, it might transit the packets to

client insteadofdropping it,whicheventually causes theclient FTP timeout. PR972402

• If a PPPoE/PPP user disconnects in the access networkwithout the LAC/LNS noticing

it to tear down the connection (also the PPP keepalive hasn't detected yet), and a

second PPP request comes from the same subscriber on the L2TP tunnel (same or

different LAC/tunnel), then a second route is added to the table having the next hop

"service to unknown". PR981488

• The cflow export would cease due to memory exhaustion when flow-monitoring is

enabled using Adaptive Services II PIC due to memory leak condition. While in this

condition, user would see increments in "Packet dropped (nomemory)" as below:

user@node> show services accounting errors Service Accounting interface: sp-3/0/0,

Local interface index: 320Servicename: (default sampling) Interface state:Accounting

Error information Packets dropped (nomemory): 315805425, Packets dropped (not

IP): 0. PR982160

• In H323 ALGwith CGNAT scenario, the MS-PICmight crash when the ALG is deleting

an H323 conversation due to the deleting port is outside of allocated NAT port-block

range. PR982780

• OnM/MX/T Series routers (platforms) with Services PIC with dynamic-nat44

translation-type configured, when the flows are cleared the IP addresses in use are

never freed. This issue is present in JunosOSRelease 11.4R7andallmore recent releases

without this fix. PR986974

• In large scale L2TP LNS environment. When the SNMPMIB JNX-L2TP-MIB is walked

continuously, thememory of the L2TPdaemon (jl2tpd) increases due tomemory leak.

PR987678


• Routing Engine could be brought to DBmode when rebooting after interrupted

downgrade. PR966462

• By upgrade-with-config, user can specify a configuration to be applied on upgrade,

but the configuration filewill not be loadedpost upgrading. As a result, routerwill bring

up with old configuration. PR983291














• In early Release 13.3 code, if NSR and 64-bit rpd are used, there is a chance that the

Routing Engine may lose the primary floating IP address assigned to both Routing

Engine after a couple of GRES Routing Engine switchovers. This issue had been

corrected in later Release 13.3 branch codes. PR973278


• When load large scale configuration, due to the ddl object not being freed properly

after it's accessed, load configuration failed with error: Out of object identifiers.

PR985324

VPNs

• Upon withdraw /inject bgp routes in the serving PEs for two different

route-groups,member/regular sites receive traffic from both serving sites for 60

seconds. PR973623

• Route groupmember site and regular site may receive data from two serving sites of

twogroups for the same(S,G). This only happenswhen inoneRGthereareno receivers.

PR974245

• In Rosen MVPN environment, if there a twomultihomed ingress PEs, when the route

to multicast source flaps, the receiver router might keep switching between sender

Data MDTs, which resulting in traffic loss. PR974914

• In the Rosen MVPN environment, setting the TOS IP control packet bit can avoid the

possibility of data-mdt TLVmessages being dropped in the core during congestion.

But in this case, the TOS field to indicate its IP control packet (0xc0) is not set. This

might lead to traffic loss. PR981523

• The S-PMSI tunnelmight fail to be originated from ingress PE after flapping the routes

to customer multicast source. PR983410

• In MVPN scenario, a multihomed ingress PEmight fail to advertise type-4 after losing

routes to local sources. PR984946

• In AT and T route-group scenario, source route is flapped on preferred serving site.

After that the member site fails to originate type-4 even though it has type-5 and

type-3 from non-preferred serving sites. PR994687










Resolved Issues




















• WhenMAC addresses move, Layer 2 address learning process (l2ald) will be called

and produces some other child processes. The child processes cannot be terminated.

Thenmaximum process limitation is reached and the Routing Engine is locked up.

PR943026

General Routing

• Whengr- interface is disabled, theDECAP-NHalsoneeds tobedeleted / set todiscard.

PR791277

• When transit packets with TTL expired is received, FPC is responsible for sending an

ICMPTTLExpiredmessageback to thesender.There isa500ppsperPacketForwarding

Engine rate limit so that FPC is not overwhelmed when large volume of transit traffic

with TTL expired is received. PR893598

• MXVC /kernel: rts_ifstate_client_open:Number of ifstate clients have reached

threshold,current = 63maximum = 63. PR894974

• OnMXSeriesplatformswithMPC4E-3D-32XGE-SFFP/MIC3-3D-10XGE-SFPPequipped,

10G ports of these cards might stay offline where a link flaps or an SFP+ is inserted

after above 3months of link up. PR905589

• This PR addresses a timing issue, which happens when "no-vrf-propagate-ttl" is

configured in the routing-instance configuration. When this configuration is present, it

might sometime create a situationwhere the route selection happens of a routewhich

is yet to be resolved in secondary routing instance table, which results in a RPD core.

PR917536

• MX80 routers now support CLI command "show system resource-monitor summary".

PR925794

• In the Point-to-Point Protocol over Ethernet (PPPoE) scenario, for access or

access-internal routes using an unnumbered interface, if MAC is not specified along

withqualified-nexthop, the routingprotocolprocess (rpd)will fabricateaMACaddress

for it. When the access route or point-to-point interface itself is brought down, the rpd

created qualified-nexthop is being freed, due tomismatch between qualified-nexthop

and the kernel created point-to-point nexthop, rpd crashes and a core file is generated.

PR935978

• Some "service-set" have already existed, when add/delete "stateful-firewall-rules"

about more than 400 lines to the existing "service-set", then execute commit, the

traffic stopped and never restore without offline/online MS-MIC. PR937489

















• In subscriber management environment, profile database files at backup Routing

Engineget corruptedwhen thedynamicprofile versioningandcommit fast-synchronize

are enabled in configuration. After GRES when the backup Routing Engine become

master, all the existing DHCP subscribers stuck in RELEASE State and new DHCP

subscribers can't bind at this point. PR941780

• DS0/T1 channel throughput on "16x CHE1T1, RJ48" card with PPP/CISCO-HDLC is not

N*64kbps. PR944287

• PIC level "account-layer2-overhead" configuration statement with ethernet-bridge

does not add "Adjustment Bytes". As a workaround, configure it under interface level.

PR946131

• Egress multicast statistics display incorrectly after flapping of ae member links on

M320 or T Series FPC (M320 non-E3 FPC and T Series non-ES FPC). PR946760

• With scaled configuration of ATM VCs (~4000 VCs) on a single

MIC-3D-8OC3-2OC12-ATM ATMMIC, the MICmight crash. The crash is not seen with

lower scale (i.e. less than 3500 VCs per MIC). PR947434

• When configuring "no-readvertise" flag to existing static route, then this static route

will not exported to other VPN routing and forwarding (VRF) tables from onwards

which is expected. However, for the static route that has already exported to other

routing instance tablesbefore "no-readvertise" configuration, nodeletionevent occurs.

Also, the "rt-export" bit still set for the static route which is exported to other routing

tables after "no-readvertise" configuration. PR950994

• CLI command "show interfaces queue" does not account for interface queue drops

due to Head drops. This resulted in the "Queued" packets/bytes counter to be less

than what was actually received and dropped on that interface queue. This PR fixes

this issue. Head-drops, being a type of REDmechanism, are now accounted under the

"RED-dropped" section of the CLI command "show interfaces queue". PR951235

• In a scaled network and on amulti-chassis platformwith BGP ECMP configured, when

themaster Routing Engine of line-card chassis (LCC) crashes, LCC would go through

a reboot process to bring up the backup Routing Engine, during which the neighbor

session of BGP over aggregated Ethernet (AE) interface might get broken. This is

because the Unilist NHs of the AE are stuck at standby state and therefore no traffic

can be transmit through. PR953365

• On systems running Junos OS Release 13.3R1 and nonstop active routing (NSR) is

enabled, when "switchover-on-routing-crash" under [edit set system] hierarchy is set,

Routing Engine switchover should happen only when the routing protocol process

(rpd)crashes.ButunexpectedRoutingEngineswitchover canbeseenwhenperforming

the CLI command "request system core-dump routing running" to manually generate

a rpd live core. PR954067

• If an aggregated Ethernet (AE) interface has the "scaled" member-link scheduling

mode (which is the default mode), andmultiple forwarding-classes map to a same

queue, then the actual transmit-percent might be unable to reach the configured

scheduler. PR954789

• Default threshold for ES-FPC errors is 1 for major errors and 10 for minor errors, when

the threshold is reached, some actions (for example,


Resolved Issues












alarm|offline-pic|log|get-state|offline|reset) will be taken by FPC as configured. This

feature isdesigned forpermament/real errors.The issuehere is thatevensometransient

errors (eg, link flaps) will also trigger the default action. In some cases, it might cause

panic for the FPC. PR961165

• Sessions are getting reset when SFW rule and/or NAT term are added/deleted in a

service set having NAT also. PR961353

• On T Series or M320 routers with OSPF configuration statement, if have large-scale

routes (for example, 180K Composite Nexthop), when do costing-out and costing-in

operationsalongwith changinggigether-optionsof core router facing interfacemultiple

times continuously, the Flexible PICConcentrator (FPC)CPUutilizationmight increase

to 100%, and then FPCmight crash. PR961473

• On an MX Series router with dynamic vlan scenario, when improper sort order data is

sent to dynamic vlan on the Packet Forwarding Engine, theModular Port Concentrator

(MPC)might crash and generate core files. PR961645

• For MXVC platform, the pfe reconnect timer extends from the default 15s to 60s

temporarily. This will be reversed once Packet Forwarding Engine connection issues

resolved. PR963576

• Display issue only. "show route cumulative vpn-family" command is using "inet.6" for

vpnv6 routes instead of inet6.0. PR966828

• Destination alarms are cleared after fabric event even though destination errors are

present in the system. PR967013

• NHtracingprovidesa lightweightmechanismtocaptureNHchains traversedbypackets

of interest for further examination. PR967450


• /var/log/messages is getting filled up with following GRES relatedmessages. These

are harmless and due to the log level(info). *** messages *** Dec 1 22:46:49.201 re0

/kernel: update_slave_peer_gres_status: vksid 0 is_slave_peer_gres_ready 1

is_local_slave_peer_gres_ready 0 Dec 1 22:46:49.201 re0 /kernel: vks[0] 1 vks[1] 0 Dec

1 22:46:49.201 re0 /kernel: PFE-MASTER - vks[0] 1 vks[1] 0 Dec 1 22:46:49.201 re0

/kernel: Slave is ready for GRES for vksid 0 Dec 1 22:46:49.201 re0 /kernel:

update_slave_peer_gres_status: vksid 0 is_slave_peer_gres_ready 1









is_local_slave_peer_gres_ready 0Dec 1 22:46:53.000 re0 /kernel: vks[0] 1 vks[1] 0 Dec


/kernel: Slave is ready for GRES for vksid 0 PR918075












• Whenperformingaunified in-service softwareupgrade (ISSU)validateagainst a router

with ISSU unsupported hardware equipped, the unsupported hardware is being taken

offline, as if an actual ISSU is being performed. In addition, the unsupported hardware

is still offline after the ISSU validate is completed. The workaround is rebooting or

executing CLI commands to bring the offline hardware back online. PR949882

Infrastructure

• On RE-S-1800 family of Routing Engines, after an intensive writing to SSD, the

immediate rebooting might cause SSD to corrupt. PR937774


• The Packet Forwarding Engine alarms raised by PFEMAN thread using cmalarm api

calls will not be transmitted to the Routing Engine. As impact, these alarms will not

reflect on the Routing Engine. There is no impact on functionality, otherwise.PR921254

• Traffic that uses MPLS next-hops enters bridge-domain via IRB interface and if

forwardingnext-hopmoves fromnon-aggregate interface toaggregate interface (MAC

move), the MPLS next-hops are not correctly programmed in the Packet Forwarding

Engine and are dropped. The child next-hop of the aggregate interfaces are missing.

Once IRBMPLSnext-hopmoves fromaggregate interface to non-aggregate interfaces

are not affected. IPv4 traffic will not trigger traffic drop uponmacmove. The second

symptom is a possible kernel core-dump on the new backup Routing-Engine after

mastership switch. This applies to an IRBmacmove for ipv4,ipv6 andmpls next-hops.

PR924015

• "Toomany I2C Failures" alarm happens when a FRU (in this case:

PWR-MX960-4100-AC-S) experienced six consecutive i2c read/write failures. While

thePEM is still providing power to the chassis, the chassisd daemon cannot read/write

information from the PEM until it is reseated. In recent investigation, engineering team

has come up some enhancements for this MX960 HC AC PEM: 1. PEM i2c bus hang

avoidance 2. Junos OS recovery from a hung i2c bus 3. noise reduction This Junos OS

eliminates theneed for thePEMFWupgrade,andat thesametime is 100%compatible

with those PEMs which have been upgraded. PR928861

• Traffic is not flowing over Demux input interface A technical description can be found

in the Knowledge Base: http://kb.juniper.net/KB28821. PR937035

• PCS statistics counter(Bit errors/Errored blocks) not working on Mammoth PIC(xge).

PR942719

• Digital Optical Monitoring MIB jnxDomCurrentRxLaserPower gives wrong value in

12.3R3-S6. PR946758

• When Connectivity Fault Management (CFM) is configured, if maintenance domain

intermediate point (MIP) session associated with default maintenance domain (MD)

is inactive, a deletion of the interface cannot delete the MIP session structure, hence

might causing memory leak. This crash could also be seen if delete more than one

Virtual private LAN service (VPLS) routing instance with no neighbor configuration.

PR947499


Resolved Issues













• When transit traffic of Ethernet frames of size less than 64 bytes is received by 1x

10GE(LAN/WAN) IQ2E PIC, the router forwards the frames instead of dropping them.

PR954996

• Before the problemwas fixed, the CLI "show interfaces et-x/x/x extensive” did not give

full information. PR956497


937774 is rebooted.Thisproblemwill notbeobservedduring theupgrade to this install.

It occurs late enough in the shutdownprocedure that it shouldn't interferewith normal

operation. PR956691

• Whenmicro Bidirectional Forwarding Detection (mBFD) is configured on aggregated

Ethernet (AE) interface, if a member link of the AE interface is removed, if a member

link is marked admin down or disabled at CLI, the BFD session would correspondingly

bedown.However, the correspondingmember link in thepeer endcontinues to forward

traffic. PR963314

• In a very uncommon situation, we see that LCCs chassisd state is inconsistent with

SFC chassisd state. This is very misleading in troubleshooting stage. PR963342

Layer 2 Features

• Service accounting interim updates not being sent. PR940179

• In the unified in-service software upgrade (ISSU) for Dynamic Host Configuration

Protocol (DHCP) scenario, when ISSU initiates, if there are some subscribers stuck in

login state and keep sending discover/request packets, this leads to ISSU ready check

failing and ISSU aborting as a result. PR949337

• IP address change of a DHCP relay interface does not get reflected in gateway IP

address (giaddr)whenmaintain-subscribers configurationstatement is enabled,which

needs to restart DHCP daemon tomake it work again. PR951909

• When link level adjacency across IRB interface goes down, targeted LDP sessionmight

also go down even if there is a alternate route. PR959396

MPLS

• When static LSPs are configured on a node, RPD could assert upon committing a

MPLS-related configuration change. Example: router> show system rollback compare

9 8 [edit protocols mpls] interface ae11.0 { ... } + interface as3.0 { + admin-group red;

+} [edit protocols IS-IS interface as3.0 level 2] ! inactive: metric 2610; The following

error is seen in /var/log/messages in-relation to a static lsp, immediately following the

above-mentioned configuration change: rpd[1583]: UI_CONFIGURATION_ERROR:

Process: rpd, path: [edit groups STATELESS_ARIADNE protocols mpls

static-label-switched-path static-lsp], statement: transit 1033465, static-lsp:

incoming-label 1033465hasalreadybeenconfiguredby thisorother staticapplications.

PR930058

• MXSeries routerswithFPCscouldcrashduringnext-hop resolution triggeredby indirect

next-hop change. PR944393

• In certain circumstance, the Junos OS rpd route flash job and LDP connection job are

always running, starvingotherwork suchas stale routedeletion. These jobsare running
















as LDP is continuously sending label map and label withdrawmessages for some of

the prefixes under ldp egress policy. This is due to LDP processing a BGP route from

inet.3 forwhich it has a ingress tunnel (the sameprefix is also learned via IGP) creating

a circular dependency as BGP routes can themselves be resolved over a LDP route.

PR945234

• In a highly scaled configuration, the reroute of transit RSVP LSPs can result in BGP flap

due to lack of keepalive messages being generated by the Routing Engine. PR946030

• TheRSVPbandwidth of the aggregatedEthernet (AE) bundle does not adjust properly

when amember link is added to AE interface, and at the same time an IP address is

removed from this AE bundle. PR948690

• On IS-IS interfaces configured with point-to-point and ldp-synchronization, after a

change of IP address on the interface from the remote router, and if the old Label

Distribution Protocol (LDP) adjacency times-out after the new LDP adjacency is up,

the IS-IS protocol will be notified about the old LDP adjacency down event and the

LDP sync state will remain in "hold-down" even if the new LDP adjacency is up.

PR955219

• When Packet Forwarding Engine fast reroute (FRR) applications are in use (such as

MPLS facility backup, fast-reroute, loop free alternates), a flap of the primary path

could be triggered due to an interface flap or by Bidirectional Forwarding Detection

(BFD) session flap. However, this interface/session flap might lead to a permanent

use of the backup path, which means the original primary path could not be active

again. PR955231

• We add timer for all aggregate LDP prefixes but are not deleting it when the timer

expires because of a bug. Since the timer is not expiring, we never update the route for

any change. This will be sitting in the routing table as a stale entry. PR956661

• The Label Distribution Protocol (LDP) feature is enabled and the background job "LDP

sync send filtered label job" is running, when shut down the LDP, due to LDP failing to

delete a job that didn't exist while shutting down, routing protocol process (rpd)might

crash. PR968825


• In an MX-VC environment, in certain situations the inter-chassis traffic might not be

equally balanced across all available vcp links after adding extra links. PR915383

• Transit traffic is being improperly classified and competing with legitimate control

plane traffic. PR924807

• With MX Series routers with MPCs or MICs, changing the MTU on one interface might

cause Layer 2 traffic interruption on other interfaces in the same FPC. PR935090

• When chained-composite-nexthop ingress L3VPN is configured, and if two PEs are

directly connected, the unicast nexhhop on egress is IPv4 protocol encapsulated only

and no LSP label push, thus COS rewrite mask could not correctly set by IPv4 Unicast

nexthop, which leads to MPLS exp rewrite not working. PR941066

• TWAMP connection/session will come up only if the session padding length is greater

than or equal to 27 bytes on the TWAMP Client. The valid range of padding length


Resolved Issues














supportedby theTWAMPServer is 27bytes to 1400bytes. If IXIA is usedas theTWAMP

Client, packet length range from 41 bytes to 1024 bytes is supported. PR943320

• In a highly congested system (for example, high multicast traffic rate),

traffic/subscribers lossmightoccurwhileperformingunified in-servicesoftwareupgrade

(ISSU). PR945516

• OnMXSeries routerswithMPCs/MICs,when forwarding table filter (FTF) is configured

for a virtual private LAN service (VPLS) routing instance, the jtree memory corruption

might occur if the routing table attached by FTF is destroyed. The routing table that is

attached by FTF can get destroyed with different events such as an interface that is

part of the VPLS routing instance flaps or route-distinguisher is changed. PR945669

• Tested with 13.3 daily image "13.3-20140101.0". Issue not observed. Able to see both

the vlan fields updated properly. PR946964

• OnMX Series routers with MPCs, whenmulticast traffic flows over the integrated

routing and bridging (IRB) interfaces, MPCmight crash due to memory leak. PR947112

• In PPPoE subscriber management environment, if the BRAS router is an MX Series

router with MS-DPC equipped and traffic from the subscribers is NATed on MS-DPC

card, when PPPoE subscribers flap, heapmemory leak might occur on the MS-DPC.

PR948031

• MIC-3D-40GE-TX (3D 40x 1GE(LAN) RJ45) restarts with core files repeatedly after

configuring "VRRP interface" and "traffic-managermode ingress-and-egress" onPIC2

or PIC3. PR950806

• Current display of "cli> request chassis routing-engine hard-disk-test show-status"

command for Unigen SSD identified by "UGB94BPHxxxxxx-KCI" is incorrect and can

bemisleading when used for troubleshooting. For example, attribute 199 is displayed

as "UDMA CRC Error Count" and is actually "Total Count of Write Sector". PR951277

• Trafficunbalancecanbeseen inoutput interfaceof2ndnode in thecascaded topology.

Current Junos OS hash-seed implementation onMX Series routers with MPCs or MICs

can be used to protect the hash-cascade problem(unbalance at 2nd node output,

0:100 for example) but it does not work very well (60:40 or 70:30 can be seen). The

fixmadeanenhancement, so that it candelivernearly50:50LBperformance.PR953243

• OnMX Series or T4000 router, when a firewall filter is applied to allow only trusted IP

and router loopback address to request NTP service on the router in case of NTPDDoS

attack, the counter for the NTP protocol of the output of "show ddos-protection

protocols ntp" would be always null, though it is confirmed that there is an NTP DDoS

attack. The reason for this is that the only the multicast NTP packet is treated as an

NTP packet by the filter, whereas the unicast one is not. PR954862

• Whenoperating inenhanced-IPmode, forbridge-domains/vpls instanceswithsnooping

configuration, multicast data forwarding does not happen properly for multicast data

that is being routed over IRB interfaces associated with the bridge-domains/vpls

instances to egress on trunk ports associatedwith the bridge-domains/vpls instances.

PR955553
















• rmopd will throw an error without jcrypto package which is absent in export build.

Domestic versiondoes not have this error becauseof thepresenceof jcrypto. The issue

exists in only Release 13.3 and not on branches before that. PR960757

• In current Junos OS, a PSM shows dc output value even though it is turned off by a

switch. This cosmetic bug causes miscalculation of actual usage in 'show chassis

power'. PR960865

• Upon the deletion of a routing-instance and subsequent commit, error logs are

generated from each Type 1 - 3(non E3) based FPC. These logs are cosmetic and can

be ignored. PR964326


• Policy with Install-nexthop lspmight not work as expected when there is an LSP path

change triggering route resolution. PR931741

• Configurationofanextendedcommunity suchas: rt-import:*:* src-as:*:* fails because

the wildcard is not allowed during the configuration validation process. PR944400

Routing Protocols

• OnMX Series routers containing multiple Packet Forwarding Engines such as

MX240/MX480/MX960/MX2010/MX2020 routers, with DPC (Dense Port

Concentrator) or FPC (Flexible Port Concentrator) or with line cards designated with

"3D",RPDmight restartwhenattempting tosendaPIMassertmessageonan interface

(whose interface index exceeds 65536). It is likely that RPD restarts repeatedly, since

after RPDhas restarted andprotocols have converged, the samePIMassertwill trigger

further RPD restarts. PR879981

• On the first hop router if the traffic is received from a remote source and the

accept-remote-source configuration statement is configured, the RPF information for

the remote source is not created. PR932405

• Due to new features and the required infrastructure the rpdmemory footprint has

increased by as much as 5% between Releases 12.3 and 13.3. PR957550

• In scaled BGP routes environment, the BGP router has dual Routing Engines, graceful

Routing Engine switchover (GRES) and nonstop active routing (NSR) is configured,

after performing the operation of deactivate/activate BGP groups and commit the

configuration, the BGP router might be stuck in "not-advertising" state. PR961459

• With BGP import policy as next-hop peer-address, if the local router receives inet (or

inet-vpn) flownetwork-layer reachability information (NLRI), routing protocol process

(rpd)might crash. JunosOS is designed to create a fictitious next hop for inet flow and

inet-vpn flow families as they don't send/expect-to-receive next hops. So in this case

when the import-policy set a non-null next-hop for the received inet (or inet-vpn) flow

route, it could not handle it properly which might result in rpd crash. PR966130

• In a scaled setup, if BGP peers flap during an NSR, the sessions can end up out of sync

between themaster andbackupRoutingEngines. To recover youcanclear theaffected

neighbors. PR966206

• In a highly scaled setup after anNSR, someBGP sessionsmight be idle on bothmaster

andbackupRoutingEngines. To recover, clear theaffectedpeerusing theCLI.PR967788


Resolved Issues














• SIP call forwarding might fail when NAT is used between parties even though the SIP

ALG is in use. PR839629

• Junos OS Release 11.4 introduced the IKEv2 support and a stricter check on IKE/IPsec

SAs proposal parameters. PR843893

• DNSmultiple queries A and AAAAmight cause the Service-PIC to restart. PR943425

• During a rare scenario, switchover on another sp interface can crash a servicePICwhen

running traffic in hairpinning scenario. PR945114

• Jl2tpd process experiences high CPU condition if the process is restarted or if GRES is

executed. The jl2tpd process does recover. The length of the high CPU condition is

directly proportional to the number of tunnels on average, it is 1 second per tunnel.

PR955378


• LNS-Service accounting updates not sent. PR944807

• Radiusattribute ignore logical-system-routing-instancenot ignoringVSA26-1.PR953802

• Configuration change of the IPv4 address range in address-assignment pool does not

always take effect. PR954793


• If a configuration file that contains groups related configuration is loaded by command

"load replace", a "commit confirmed" operationmight fail.When this issue occurs, the

new configuration is committed even if you do not confirm it within the specified time

limit. PR925512

VPNs

• The issue happens when the virtual routing forwarding (vrf) is configured

"no-vrf-propagate-ttl" and the vrf import policy changes the local preference of the

vrf route. With "no-vrf-propagate-ttl", BGP will resolve the primary l3vpn route and

the vrf secondary route separately. The root cause is overwriting the route parameters

of the second vrf route with the route parameters of the primary route. So changes to

the local preference of the vrf route might not work. PR935574

• NGMVPNreceiverPEdoesnotgenerateTYPE4 routeafter receivingTYPE3.PR953449

• With these high amount of streams, we have a higher number of data-mdt-tlvs to

process which is becoming a bottleneck. PR957280

• Before Release 13.3R2, if no loopback interface inside vrf was configured, then Rosen

V6might not be able to use default main loopback as source for PE_PE pim

communications., As a result, Rosen v6 neighbor will not be formed toward remote

PEs. PR966825


























This section lists the errata and changes in Junos OSRelease 13.3R10 documentation for

the M Series, MX Series, and T Series.

• Adaptive Services Interfaces Feature Guide for Routing Devices on page 218

• Aggregated Ethernet Interfaces Feature Guide for Routing Devices on page 218

• Broadband Subscriber VLANs and Interfaces Feature Guide on page 221

• Chassis-Level Feature Guide on page 221

• Class of Service Library for Routing Devices on page 222

• Dynamic Firewall Feature Guide for Subscriber Services on page 222

• Ethernet Interfaces Feature Guide on page 223

• Ethernet Networking Feature Guide for MX Series Routers on page 224

• Firewall Filters Feature Guide for Routing Devices on page 226

• High Availability Feature Guide on page 226

• Interchassis Redundancy Using Virtual Chassis Feature Guide for MX Series

Routers on page 226

• Interfaces Feature Guide for Subscriber Management on page 227

• Junos Address-Aware Carrier-Grade NAT and IPv6 Feature Guide on page 227

• Junos OS High Availability Feature Guide for Routing Devices on page 228

• Layer 2 Configuration Guide, Bridging, Address Learning, and Forwarding on page 228

• Layer 2 VPNs Feature Guide for Routing Devices on page 229

• Monitoring, Sampling, and Collection Services Interfaces Feature Guide for Routing

Devices on page 229

• MPLS Applications Feature Guide for Routing Devices on page 229

• Network Management Administration Guide for Routing Devices on page 230

• Overview for Routing Devices on page 231

• Release Notes: Junos OS Release 13.3R1 for the EX Series, M Series, MX Series, PTX

Series, and T Series on page 231

• Services Interfaces Configuration Guide on page 231

• Services Interfaces Overview for Routing Devices on page 236

• Standards Reference on page 237



• Subscriber Management Access Network Guide on page 237

• Subscriber Management Feature Guide on page 238

• Subscriber Management Provisioning Guide on page 239

• System Log Messages Reference on page 241

• System Services Administration Guide for Routing Devices on page 241

• Tunnel and Encryption Services Interfaces on page 241

• User Access and Authentication Guide for Routing Devices on page 241

• VPLS Feature Guide for Routing Devices on page 241

• VPNs Library for Routing Devices on page 241

• VPWS Feature Guide for Routing Devices on page 242

Adaptive Services Interfaces Feature Guide for Routing Devices

• The “Configuring Secured Port Block Allocation,” “port,” and

“secured-port-block-allocation” topics should include the following note:

If youmake any configuration changes to a NAT pool that has secured port block

allocation configured, youmust delete the existing NAT address pool, wait at least 5

seconds, and then configure a new NAT address pool. We also strongly recommend

that youperformthisprocedure if youmakeanychanges to theNATpool configuration,

even if you do not have secured port block allocation configured.

• The descriptions in the “Options” section of the IPsec protocol statement at the [edit

services ipsec-vpn ipsec proposal proposal-name] and [edit services ipsec-vpn rule

rule-name term term-name thenmanual direction direction] hierarchy levels fail to state

that the ah and bundle options are not supported on MS-MPCs and MS-MICs on MX

Series routers.

Aggregated Ethernet Interfaces Feature Guide for Routing Devices

• The following enhancements and additions apply to the “Example: Configuring

Multichassis Link Aggregation in an Active- Active Bridging Domain on MX Series

Routers” topic:

• The Topology Diagram section fails to mention that interface ge-1/0/2 functions as

the ICCP link between the two PE devices, interface ge-1/1/1 is the ICL-PL link, and

interface ge-1/1/4 is the link that connects to the server or theMC- LAG client device.

• As a best practice, we recommend that you configure the ICCP and ICL interfaces

over aggregated Ethernet interfaces instead of other interfaces such as Gigabit

Ethernet interfaces, depending on your topology requirements and framework.

• Youmust disable RSTP on the ICL-PL interfaces for an MC-LAG in an active-active

bridging domain.

• The Step-by-Step Procedure section for Router PE2 that is illustrated in the example

is missing, although the quick configuration statements are presented.



To configure Router PE2:

1. Specify the number of aggregated Ethernet interfaces to be created.

[edit chassis]user@PE2# set aggregated-devices ethernet device-count 5

2. Specify the members to be included within the aggregated Ethernet bundles.

[edit interfaces]user@PE2# set ge-1/0/5 gigether-options 802.3ad ae1user@PE2# set ge-1/1/0 gigether-options 802.3ad ae0

3. Configure the interfaces that connect to senders or receivers, the ICL interfaces,and the ICCP interfaces.

[edit interfaces]user@PE2# set ge-1/0/3 flexible-vlan-tagginguser@PE2# set ge-1/0/3 encapsulation flexible-ethernet-servicesuser@PE2# set ge-1/0/3 unit 0 encapsulation vlan-bridgeuser@PE2# set ge-1/0/3 unit 0 vlan-id-range 100-110user@PE2# set ge-1/0/4 flexible-vlan-tagginguser@PE2# set ge-1/0/4 encapsulation flexible-ethernet-servicesuser@PE2# set ge-1/0/4 unit 0 encapsulation vlan-bridgeuser@PE2# set ge-1/0/4 unit 0 vlan-id-range 100-110user@PE2# set ge-1/0/5 gigether-options 802.3ad ae0user@PE2# set ge-1/1/0 gigether-options 802.3ad ae1

4. Configure parameters on the aggregated Ethernet bundles.

[edit interfaces ae0]user@PE2# set flexible-vlan-tagginguser@PE2# set encapsulation flexible-ethernet-servicesuser@PE2# set unit 0 encapsulation vlan-bridgeuser@PE2# set unit 0 vlan-id-range 100-110user@PE2#setunit0multi-chassis-protection 100.100.100.1 interfacege-1/0/4.0

[edit interfaces ae1]user@PE2# set flexible-vlan-tagginguser@PE2# set encapsulation flexible-ethernet-servicesuser@PE2# set unit 0 encapsulation vlan-bridgeuser@PE2# set unit 0 vlan-id-range 100-110user@PE2#setunit0multi-chassis-protection 100.100.100.1 interfacege-1/0/4.0

5. Configure LACP on the aggregated Ethernet bundles.

[edit interfaces ae0 aggregated-ether-options]user@PE2# set lacp activeuser@PE2# set lacp system-priority 100user@PE2# set lacp system-id 00:00:00:00:00:05user@PE2# set lacp admin-key 1

[edit interfaces ae1 aggregated-ether-options]user@PE2# set lacp activeuser@PE2# set lacp system-priority 100user@PE2# set lacp system-id 00:00:00:00:00:05user@PE2# set lacp admin-key 1



6. Configure the MC-LAG interfaces.

[edit interfaces ae0 aggregated-ether-options]user@PE2# setmc-aemc-ae-id 5user@PE2# setmc-ae redundancy-group 10user@PE2# setmc-ae chassis-id 1user@PE2# setmc-aemode active-activeuser@PE2# setmc-ae status-control active

[edit interfaces ae1 aggregated-ether-options]user@PE2# setmc-aemc-ae-id 10user@PE2# setmc-ae redundancy-group 10user@PE2# setmc-ae chassis-id 1user@PE2# setmc-aemode active-activeuser@PE2# setmc-ae status-control active

Themultichassis aggregatedEthernet identificationnumber (mc-ae-id) specifies

which link aggregation group the aggregated Ethernet interface belongs to. The

ae0 interfaces on Router PE1 and Router PE2 are configuredwithmc-ae-id 5. The

ae1 interfaces on Router PE1 and Router PE2 are configured with mc-ae-id 10.

The redundancy-group 10statement is usedby ICCP toassociatemultiple chassis

that perform similar redundancy functions and to establish a communication

channel so thatapplicationsonpeeringchassis cansendmessages toeachother.

The ae0 and ae1 interfaces on Router PE1 and Router PE2 are configuredwith the

same redundancy group redundancy-group 10.

The chassis-id statement is used by LACP for calculating the port number of the

MC-LAG's physical member links. Router PE2 uses chassid-id 1 to identify both

its ae0 and ae1 interfaces. Router PE2 uses chassis-id 0 to identify both its ae0

and ae1 interfaces.

Themode statement indicates whether an MC-LAG is in active-standbymode

or active-active mode. Chassis that are in the same groupmust be in the same

mode.

7. Configure a domain that includes the set of logical ports.

[edit bridge-domains bd0]user@PE2# set domain-type bridgeuser@PE2# set vlan-id alluser@PE2# set service-id 20user@PE2# set interface ae0.0user@PE2# set interface ae1.0user@PE2# set interface ge-1/0/3.0user@PE2# set interface ge-1/1/1.0user@PE2# set interface ge-1/1/4.0

The ports within a bridge domain share the same flooding or broadcast

characteristics in order to perform Layer 2 bridging.

The bridge-level service-id statement is required to link related bridge domains

across peers (in this case Router PE1 and Router PE2), and should be configured

with the same value.



8. Configure ICCP parameters.

[edit protocols iccp]user@PE2# set local-ip-addr 100.100.100.2user@PE2# set peer 100.100.100.1 redundancy-group-id-list 10user@PE2# set peer 100.100.100.1 liveness-detectionminimum-interval 1000

9. Configure the service ID at the global level.

[edit switch-options]user@PE2# set service-id 10

Youmust configure the same unique network-wide configuration for a service in

the set of PE routers providing the service. This service ID is required if the

multichassis aggregated Ethernet interfaces are part of a bridge domain.

Broadband Subscriber VLANs and Interfaces Feature Guide

• The showsubscribers topic in the JunosOSSubscriberManagement FeatureGuidedoes

not fully describe the vlan-id vlan-id option. This option displays information about

active subscribers using a VLANwhere the VLAN tagmatches the specified VLAN ID.

The topic fails to mention that these subscriber VLANs can be either single-tagged or

double-tagged. The command output includes information about subscribers using

double-tagged VLANs when the inner VLAN tagmatches the specified VLAN ID. The

command output does not distinguish between these two types of subscribers.

To display only subscribers where the specified value matches only double-tagged

VLANs, use the stacked-vlan-id stacked-vlan-id option to match the outer VLAN tag

instead of the vlan-id vlan-id option.

Chassis-Level Feature Guide

• The following additional information regarding the compatibility of modules for the

interoperationofRPMclientsandRPMservers applies to the “ConfiguringRPMProbes”

section in the “Configuring Real-Time Performance Monitoring” topic:

Keep the following points in mind when you configure RPM clients and RPM servers:

• You cannot configure an RPM client that is PIC-based and an RPM server that is

based on either the Packet Forwarding Engine or Routing Engine to receive the RPM

probes.

• You cannot configure an RPM client that is Packet Forwarding Engine-based and an

RPM server that receives the RPM probes to be on the PIC or Routing Engine.

• The RPM client and RPM server must be located on the same type of module. For

example, if the RPM client is PIC-based, the RPM server must also be PIC-based,

and if the RPM server is Packet Forwarding Engine-based, the RPM client must also

be Packet Forwarding Engine-based.

• The show chassis fabric unreachable-destinations command is incorrectly mentioned

as supported on MX240, MX480, and MX960 routers from Junos OS Release 11.4R2

and JunosOSRelease 12.1. TheSupportedPlatformssectionof this topicalso incorrectly

state MX240, MX480, and MX960 routers as supported routers for this command.



This command is not available on the MX240, MX480, and MX960 routers. Instead,

the correct command is the showchassis fabric destinations command, which you can

use to view the state of fabric destinations for all FPCs.

• The followingadditional information regarding theprocessingofTWAMPtraffic applies

to the "Configuring TWAMP Servers" section in the "Configuring TWAMP" topic:

The preceding configuration settings that are described define a TWAMP server on the

router that enables a TWAMPclient to connect to the server using anymedia interface

IP address such as a ge- interface. In such a scenario, the router functions as a TWAMP

server and timestamping is performed in the ukernel of the media-facing FPC.

To configure an inline TWAMP server, which causes timestamping to be performed as

part of the inline services (si-) interfaceprocessing, configure theamountof bandwidth

reserved on each Packet Forwarding Engine for tunnel traffic using inline services by

including the bandwidth (1g | 10g) statement at the [edit chassis fpc slot-number pic

number inline-services] hierarchy level and specify the service PIC logical interface that

provides the TWAMP service by including the twamp-server statement at the [edit

interfaces sp-fpc/pic/port unit logical-unit- number family inet] hierarchy level.

• The description of the check option available with the request chassis routing-engine

master command topic fails to state that this option is supported on MX104 routers

and PTX5000 routers, in addition to the list of devicemodelsmentioned in that topic.

Also, this option is incorrectly stated as supported on MX240 routers, whereas this

option is not supported on those routers.

• The network-services configuration statement topic inadvertently fails to state that

the enhanced network servicesmode settings, such as the enhanced-ethernet and the

enhanced-ip option, are supported on MS-MPCs on MX Series routers.

• The "Configuring Redundancy Fabric Mode for Active Control Boards on MX Series

Routers" topic incorrectly states that on MX Series routers that contain the enhanced

SCBwith Trio chips and the MPC3E, redundancy mode is enabled by default. The

correct default behavior is that on MX Series routers that contain the enhanced SCB,

regardlessof the typeofDPCorMPC installedon it, thedefaultmode is the redundancy

mode.

Class of Service Library for Routing Devices

• The Applying Scheduler Maps and Shaping Rate to DLCIs and VLANs and Scaling of

Per-VLAN Queuing on Non-Queuing MPCs topics in the CoS Output Queuing and

Scheduling Feature Guide for Routing Devices fails to mention that you can configure

can also configure logical interface scheduling on the 8x10GE ports of an 2x100GE +

8x10GEMPC4E, apart the 2x100GE ports.

Dynamic Firewall Feature Guide for Subscriber Services

• The enhanced-policer topic fails to include a reference to the “Enhanced Policer

Statistics Overview” topic. The overview topic explains how the enhanced policer

enables you to analyze traffic statistics for debugging purposes.



The enhanced policer statistics are as follows:

• Offered packet statistics for traffic subjected to policing.

• OOSpacket statistics for packets that aremarkedout-of-specificationby thepolicer.

Changes to all packets that have out-of-specification actions, such as discard, color

marking, or forwarding-class, are included in this counter.

• Transmitted packet statistics for traffic that is not discarded by the policer. When

the policer action is discard, the statistics are the same as the in-spec statistics;

when thepoliceraction isnon-discard(loss-priorityor forwarding-class), thestatistics

are included in this counter.

To enable collection of enhanced statistics, include the enhanced-policer statement

at the [edit chassis] hierarchy level. To view these statistics, include the detail option

when you issue the show firewall, show firewall filter filter-name, or show policer

command.

Ethernet Interfaces Feature Guide

• In theOutput Fields sectionof the show interfaces(10-GigabitEthernet), show interfaces

(GigabitEthernet), and show interfaces(FastEthernet)command topicsof theEthernet

Interfaces Feature Guide, the descriptions of theBit errors and Erroredblocks fields that

are displayed under the PCS Statistics section of the output are ambiguous. The

following are the revised descriptions of these fields:

• Bit errors—The number of seconds during which at least one bit error rate (BER)

occurred while the PCS receiver is operating in normal mode.

• Errored blocks—The number of seconds when at least one errored block occurred

while the PCS receiver is operating in normal mode.

• The [edit protocols lacp] hierarchy level topic fails tomention that the ppmcentralized

statement is supported at this level for MX Series routers. This statement has been

supported from Junos OS Release 9.4. You can use the ppm statement to switch

between distributed and centralized periodic packet management (PPM). By default,

distributed PPM is active. To enable centralized PPM, include the ppm centralized

statement at the [edit protocols lacp] hierarchy level. You can disable distributed PPM

processing for all packets that use PPM and run all PPM processing on the Routing

Engine by configuring the no-delegate-processing configuration statement at the [edit

routing-options ppm] hierarchy level.

• The following additional information regarding the working of unnumbered interfaces

applies to the “Example: Configuring an Unnumbered Ethernet Interface” section in

the “Configuring an Unnumbered Interface” topic:

The sample configuration that is described works correctly on M Series and T Series

routers. For unnumbered interfaces on MX Series routers, youmust additionally

configure static routes on an unnumbered Ethernet interface by including the

qualified-next-hop statementat the [edit routing-optionsstatic routedestination-prefix]

hierarchy level to specify the unnumbered Ethernet interface as the next-hop interface

for a configured static route.



Ethernet Networking Feature Guide for MX Series Routers

• The following corrections apply to the “Example: Configuring One VPLS Instance for

Several VLANs” topic:

The following sentence is erroneously presented:

If VLANs 1 through 1000 for customer C1 span the same sites, then the vlan-id all and

vlan-id-list-range statements provide a way to switch all of these VLANs with a

minimum configuration effort and fewer switch resources.

The correct description is as follows:

If VLANs 1 through 1000 for customer C1 span the same sites, then the vlan-id all and

vlan-id-list statements provide a way to switch all of these VLANs with aminimum

configuration effort and fewer switch resources.

The following example replaces the existing example that illustrates the use of the

vlan-id all statement:

[edit]interfaces ge-1/0/0 {encapsulation flexible-ethernet-services;flexible-vlan-tagging;unit 1 {encapsulation vlan-vpls;family bridge {interface-mode trunk;vlan-id-list 1-1000; # Note the use of the VLAN id list statement.

}}unit 11 {encapsulation vlan-vpls;family bridge {interface-mode trunk;vlan-id-list 1500;

}}

}interfaces ge-2/0/0 {encapsulation flexible-ethernet-services;flexible-vlan-tagging;unit 1 {encapsulation vlan-vpls;family bridge {interface-mode trunk;vlan-id-list 1-1000; # Note the use of the VLAN id list statement.

}}

}interfaces ge-3/0/0 {encapsulation flexible-ethernet-services;flexible-vlan-tagging;family bridge {unit 1 {encapsulation vlan-vpls;



interface-mode trunk;vlan-id-list 1-1000; # Note the use of the VLAN id list statement.

}}

}interfaces ge-6/0/0 {encapsulation flexible-ethernet-services;flexible-vlan-tagging;family bridge {unit 11 {encapsulation vlan-vpls;interface-mode trunk;vlan-id-list 1500;

}}

}routing-instances {customer-c1-virtual-switch {instance-type virtual-switch;interface ge-1/0/0.1;interface ge-2/0/0.1;interface ge-3/0/0.1;bridge-domains {c1-vlan-v1-to-v1000 {vlan-id all; # Note the use of the VLAN id all statement

}}

} # End of customer-c1-v1-to-v1000customer-c2-virtual-switch {instance-type virtual-switch;interface ge-1/0/0.11;interface ge-6/0/0.11;bridge-domains {c1-vlan-v1500 {vlan-id all; # Note the use of the VLAN id all statement

}}

} # End of customer-c1-v1500} # End of routing-instances

Note the use of the vlan-id all statement in the virtual-switch instance called

customer-c1-v1-to-v1000.



Firewall Filters Feature Guide for Routing Devices

• The following additional information regarding the decapsulation of GRE packets as

a terminatingaction for firewall filters applies to the "Firewall FilterTerminatingActions"

topic:

NOTE: Thedecapsulateaction that youconfigureat the [edit firewall family

inet filter filter-name term term-name]hierarchy leveldoesnotprocess traffic

with IPv4and IPv6options.Asa result, trafficwithsuchoptions isdiscardedby the decapsulation of GRE packets functionality.

High Availability Feature Guide

• The topic “Improving the Convergence Time for VRRP” failed to include the following

information:

• Disableduplicationaddressdetection for IPv6 interfaces—Duplicateaddressdetection

is a feature of the Neighbor Discovery Protocol for IPv6. Duplicate address detection

is enabled by default and determines whether an address is already in use by another

node. When duplicate address detection is enabled, convergence time is high after an

IPv6 interface that has been configured for VRRP tracking comes up. To disable

duplicate address detection, include the ipv6-duplicate-addr-translation transmits 0

statement at the [edit system internet-options] hierarchy level. To disable duplicate

address detection only for a specific interface, include the dad-disable statement at

the [edit interfaces interface-nameunit logical-unit-number family inet6]hierarchy level.

Interchassis Redundancy Using Virtual Chassis Feature Guide for MX SeriesRouters

• In the Junos OS 13.2 Release Notes for M Series Multiservice Edge Routers, MX Series 3D

Universal Edge Routers, and T Series Core Routers, the Support for MX Series Virtual

Chassis (MXSeries routerswithMPC3E interfaces) feature description failed tomention

that you can configure a two-member MX Series Virtual Chassis on both MPC3E

modules and MPC4Emodules. The correct description for this feature is as follows:

• Support forMXSeriesVirtualChassisonMXSeries routerswithMPC3EandMPC4Einterfaces—Extendssupport for configuringa two-memberMXSeriesVirtualChassisto MX240, MX480, andMX960 routers with any of the followingmodules installed:

• MPC3E (model number MX-MPC3E-3D)

• 32x10GEMPC4E (Model number: MPC4E-3D-32XGE-SFPP)

• 2x100GE + 8x10GEMPC4E (Model number: MPC4E-3D-2CGE-8XGE)

All MX Series Virtual Chassis features are supported on these modules.

In earlier Junos OS releases, MX Series routers did not support MX Series Virtual

Chassis configuration on MPC3E and MPC4Emodules.



[See Junos OSHigh Availability Library for Routing Devices and Junos OS for MX Series

3D Universal Edge Routers.]

• The followingadditional informationapplies to theVirtualChassisComponentsOverview

topic in the Interchassis Redundancy Using Virtual Chassis Feature Guide for MX Series

Routers for Junos OS Release 11.2 and later releases.

When you configure chassis properties for MPCs installed in a member router in an

MX Series Virtual Chassis, keep the following points in mind:

• Statements included at the [edit chassis membermember-id fpc slot slot-number]

hierarchy level apply to the MPC (FPC) in the specified slot number only on the

specified member router in the Virtual Chassis.

For example, if you issue the set chassis member 0 fpc slot 1 power off statement,

only the MPC installed in slot 1 of member ID 0 in the Virtual Chassis is powered off.

• Statements included at the [edit chassis fpc slot slot-number] hierarchy level apply

to theMPCs(FPCs) in thespecifiedslotnumberoneachmember router in theVirtual

Chassis.

For example, if you issue the set chassis fpc slot 1 power off statement in a

two-member MX Series Virtual Chassis, both the MPC installed in slot 1 of member

ID 0 and the MPC installed in slot 1 of member ID 1 are powered off.

BEST PRACTICE: To ensure that the statement you use to configure MPCchassis properties in a Virtual Chassis applies to the intendedmemberrouter andMPC, we recommend that you always include themember

member-ID option before the fpc keyword, wheremember-id is 0 or 1 for a

two-member MX Series Virtual Chassis.

Interfaces Feature Guide for Subscriber Management

• The “IP Demux Interfaces over Static or Dynamic VLAN Demux Interfaces” topic

incorrectly states thatbothDPCsandMPCssupportVLANdemuxsubscriber interfaces.

In fact, only MPCs support these interfaces.

Junos Address-Aware Carrier-Grade NAT and IPv6 Feature Guide

• The followingnoteapplies to the topic “ConfiguringAddressPools forNetworkAddress

Port Translation (NAPT) Overview”:

NOTE: When 99 percent of the total available ports in a pool for napt-44are used, no new flows are allowed on that NAT pool.

• Several errors were found in the configuration statements included in the “Example:

Configuring Inline Network Address Translation” topic. The topic has been corrected

on theWeb and in the Junos Address Aware Carrier Grade NAT and IPv6 Feature Guide

PDF.



http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/config-guide-high-availability/index.html

http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/mx-series/

http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/mx-series/

• The address-allocation statement topic fails to state the following additional

information regarding addresses allocation on MS-MICs and MS-MPCs:

Regardless of whether the round-robin method of allocation is addresses is enabled

byusing theaddress-allocationround-robinstatement, round-robinallocation isenabled

by default on MS-MICs and MS-MPCs.

• The topic “Configuring Secured Port Block Allocation” contains a note listing

configuration changes that require a reboot of the services PIC. The note has been

updated to include a change to the NAT pool name.

• The following information regarding the guidelines for configuration of IP addresses

for NAT processing applies to the "Configuring Source and Destination Addresses

Network Address Translation Overview " section of the "Network Address Translation

Rules Overiew" topic:

The addresses that are specified as valid in the inet.0 routing table and not supported

for NAT translation are orlongermatch filter types. You cannot specify any regions

within such address prefixes in a NAT pool.

• The following information regarding the working of APP with NAT rules applies to the

"Network Address Translation Rules Overiew" topic:

For MX Series routers with MS-MICs and MS-MPCs, although the address pooling

paired (APP) functionality is enabledwithinaNAT rule (by including theaddress-pooling

statement at the [edit services nat rule rule-name term term-name then translated]

hierarchy level), it is a characteristic of a NAT pool. Such a NAT pool for which APP is

enabled cannot be shared with NAT rules that do not have APP configured.

Junos OSHigh Availability Feature Guide for Routing Devices

• In Junos OS Release 13.3, the “Unified ISSU System Requirements” topic in the Junos

OS High Availability Feature Guide for Routing Devices incorrectly states in Table 2:

Unified ISSUProtocol Support that anMXSeries Virtual Chassis supports unified ISSU

in JunosOSRelease 12.2and later releases. In fact, anMXSeriesVirtualChassis supports

unified ISSU in Junos OS Release 14.1 and later releases.

[See Unified ISSU System Requirements.]

•

Layer 2 Configuration Guide, Bridging, Address Learning, and Forwarding

• The following information regarding the differences in the default limit on MAC

addresses that can be learned on an access port and a trunk port is inadvertently

omitted from the “Limiting MAC Addresses Learned from an Interface in a Bridge

Domain” topic:

• For an access port, the default limit on the maximum number of MAC addresses

that can be learned on an access port is 1024. Because an access port can be

configured in only one bridge domain in a network topology, the default limit is 1024

addresses,which is sameas the limit forMACaddresses learnedona logical interface

in a bridge domain (configured by including the interface-mac-limit limit statement

at the [edit bridge-domains bridge-domain-name bridge-options interface



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/requirements/issu-system-requirements.html

interface-name]or [editbridge-domainsbridge-domain-namebridge-options]hierarchy

level.

• For a trunk port, the default limit on the maximum number of MAC addresses that

can be learned on a trunk port is 8192. Because a trunk port can be associated with

multiple bride domains, the default limit is the same as the limit for MAC addresses

learned on a logical interface in a virtual switch instance (configured by including

the interface-mac-limit limit statement at the [edit routing-instances

routing-instance-name switch-options interface interface-name] hierarchy level for a

virtual switch instance).

• The following additional information applies to the "Configuring VLAN Identifiers for

Bridge Domains and VPLS Routing Instances" topic:

ThemaximumnumberofLayer2 interfaces that youcanassociatewithabridgedomain

or a VPLS instance on MX Series routers is 4000.

Layer 2 VPNs Feature Guide for Routing Devices

• The descriptions of the pw-label-ttl-1 and router-alert-label options in the

control-channel (Protocols OAM) configuration statement topic are incorrectly and

interchangeably stated. The correct descriptions of these options are as follows:

• pw-label-ttl-1—For BGP-based pseudowires that send OAM packets with the MPLS

pseudowire label and time-to-live (TTL) set to 1.

• router-alert-label—For BGP-based pseudowires that send OAM packets with router

alert label.

Monitoring,Sampling,andCollectionServices InterfacesFeatureGuideforRoutingDevices

• The “Configuring RPMTimestamping” topic failed tomention that RPM timestamping

is also supported on the MS-MPCs and MS-MICs on MX Series routers.

• The description for themax-packets-per-second,maximum-packet-length, and

run-length statementsat the [edit forwarding-optionssampling instance instance-name

input] hierarchy level failed to include the following note:

NOTE: This statement is not supported when you configure inline flowmonitoring (by including the inline-jflow statement at the [edit

forwarding-options sampling instance instance-name family (inet | inet6)

output] hierarchy level).

• The topics “Real-Time Performance Monitoring Services Overview” and “Configuring

RPM Probes” failed to state that RPM is not supported on logical systems.

MPLS Applications Feature Guide for Routing Devices

• The "Configuring Miscellaneous LDP Properties," "Configuring the Authentication Key

Update Mechanism for BGP and LDP Routing Protocols," "authentication-key-chain



(LDP)," and "authentication-key-chain (BGP and BMP)” topics should include the

following information: Youmust also configure the authentication algorithm using the

authentication-algorithmalgorithm statement. This statementmust be included at the

[edit protocols (bgp | ldp)] hierarchy level when you configure the

authentication-key-chainkey-chain statementat the [editprotocols(bgp| ldp)]hierarchy

level.

• The "Path Computation for LSPs on an Overloaded Router" topic should state that

when you set the overload bit on a router running IS-IS, only new LSPs are prevented

from transiting through the router. Any existingConstrainedPathShortest First (CPSF)

LSPs remain active and continue to transit through the router. The documentation

incorrectly states that any existing LSPs transiting through the router are also rerouted

when you configure the overload bit on an IS-IS router.

NetworkManagement Administration Guide for Routing Devices

• The syntax of the filter-interfaces statement in the “SNMP Configuration Statement”

section is incorrect. The correct syntax is as follows:

filter-interfaces {all-internal-interfaces;interfaces interface-names{interface 1;interface 2;

}}

[See filter-interfaces.]



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/filter-interfaces-edit-snmp.html

Overview for Routing Devices

• The "Configuring Automatic Mirroring of the CompactFlash Card on the Hard Disk

Drive" and the "mirror-flash-on-disk" topics shouldnot include support forMX5,MX10,

andMX40 3DUniversal Edge Routers. On theMXSeries, this feature is supported only

on the MX104, MX240, MX480, MX960, MX2010, and MX2020 routers.

Release Notes: Junos OS Release 13.3R1 for the EX Series, M Series, MX Series,PTX Series, and T Series

• Virtual Chassis support onMX104 routers—In Junos OS Release 13.3, the “Softwarefeature support (MX104)” feature description in the Release Notes: Junos OS Release

13.3R1 for the EX Series, M Series, MX Series, PTX Series, and T Series incorrectly states

in the Layer 2 Features section that Virtual Chassis is supported on MX104 routers.

Virtual Chassis is not supported on MX104 routers.

Services Interfaces Configuration Guide

• In the Lines of Sample DTCP Parameter File table in the “Flow-Tap Filter Operation”

topic, the description for the Seq:10 command contained in the DTCP file incorrectly

states that the router looks for a newer sequence number before accepting and

implementing new parameters, and that any configuration attempt with an older

sequence number is rejected by the dynamic flow capture process.

The following guideline correctly describes the processing of the Seq:10 command in

the DTCP file:

The router does not validate the sequence number attribute during any configuration

changes that are performed for a DTCP parameter file sent to the router from the

mediationdevice.Regardlessofwhether thesequencenumberconflictswithaprevious

sequence number or is unique, it is disregarded and not considered.

The following additional fields are missing from the Lines of Sample DTCP Parameter

File table:

DescriptionCommand

This indicates the DTCP version to be used. DTCP/0.6 should be used for all versions of Junos OS upto and including Junos OS 8.5. DTCP/0.7 should be used for Junos OS 9.0 and later. However, JunosOS 9.5R2 and later also accept previous versions of DTCP.

If any unsupported parameters are received for a particular DTCP version, the request is rejected.

NOTE: The notification responses from Junos OS contains the same DTCP version that the controlsource has communicated to Junos OS. For notifications being sent even before the control sourcehas contacted Junos OS, the DTCP version 0.7 will be used.

DELETE DTCP/0.6

This line denotes the ID that DTCP assigns for the mirrored session when you create a DTCP ADDmessage. Use this ID in your DELETEmessages to disable the intercept for a specific subscriber. Toview the ID, use the DTCP LISTmessage. The CRITERIA-ID and the Cdest-ID are mutually exclusive inDELETEmessages.

CRITERIA-ID:criteria-id

[See Flow-Tap Filter Operation.]



http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/flow-tap-filter-operation.html

• The following additional information applies to the sample configuration described in

the “Example: Flow-Tap Configuration” topic of the “FlowMonitoring” chapter.

NOTE: Thedescribedexampleappliesonly toMSeriesandTSeries routers,except M160 and TXMatrix routers. For MX Series routers, because theflow-tap application resides in the Packet Forwarding Engine rather thana service PIC or Dense Port Concentrator (DPC), the Packet ForwardingEnginemust send the packet to a tunnel logical (vt-) interface toencapsulate the interceptedpacket. In suchascenario, youneed toallocatea tunnel interface and assign it to the dynamic flow capture process forFlowTapLite to use.

• The following information is missing from the passive-mode-tunneling configuration

statement and the “Example: Configuring Junos VPN Site Secure on MSMIC and

MS-MPC” topic:

Passive module tunneling is not supported on MS-MICs and MS-MPCs.

• Theopen-timeout configuration statement topic and the “ConfiguringDefault Timeout

Settings for Services Interfaces” topic incorrectly state that the default value of the

timeout period for TCP session establishment is 30 seconds. The correct default value

is 5 seconds.

• The Supported Platforms section of the set chassis displaymessage command topic

erroneously states that this command is supportedonMXSeries routers.This command

is not available on MX Series routers.

• The following information regarding the restriction on prefix lengths that can be

configured inNATpools onMS-MPCs andMS-MICs applies to the "Configuring Source

and Destination Addresses Network Address Translation Overview " section of the

"Network Address Translation Rules Overiew" topic:

On MX Series routers with MS-MPCs and MS-MICs, if you configure a NAT address

pool with a prefix length that is equal to or greater than /16, the PIC does not contain

sufficientmemory to provision the configured pool. Also, memory utilization problems

mightoccur if youattempt toconfiguremanypoolswhosecombined total IPaddresses

exceed /16. In such circumstances, a system loggingmessage is generated stating that

the NAT pool name is failed to be created and that the service set is not activated. On

MS-MPCs andMS-MICs, youmust not configure NAT pools with prefix lengths greater

than /16.

• The following procedure applies to the “Provisioning Flow-Tap to a Linux Mediation

Device” topic:

The following example shows the syntax to invoke the Perl script from a Linux device

for deleting a previously configured Flow-Tap session:

1. Invoke the Perl script:

[root@host]# ./dfcclient.pl



2. Use the following line to push the parameter file del_lea1_tcp.flowtap to the router.

In this example, 10.209.75.199 is the IP address of the router, and verint verint123 is

the username and password that has permission to implement flow-tap-operation.

Any firewall that is between themediation device and the routing device should

allow ssh and port 32001.

[root@host]# ./dfcclient.pl 10.209.75.199 verint verint123 del_lea1_tcp.flowtap

The following settings are contained in the del_lea1_tcp.flowtap DTCP parameter

file. DTCP DELETE can use either Criteria- ID to delete only that criteria or Cdest-ID

to delete everything with cdest-ID that you previously created.

DELETE DTCP/0.7Csource-ID: dtcpCdest-ID: LEA1Flags: STATIC

3. Use the show policer | match flow statement to verify that the flow-tap filter is

removed from the router:

The following sample shows how to disablemirroring for a specific subscriber by using

the CRITERIA-ID.

DELETE DTCP/0.7Csource-ID: dtcp1CRITERIA-ID: 2Flags: STATICSeq: 10Authentication-Info: 7e84ae871b12f2da023b038774115bb8d955f17e

DTCP/0.7 200 OKSEQ: 10CRITERIA-COUNT: 1TIMESTAMP: 2011-02-13 16:00:02.802AUTHENTICATION-INFO: 2834ff32ec07d84753a046cfb552e072cc27d50b

• The following additional information regarding the interoperation of sample actions

in firewall filters and traffic sampling applies to the “MinimumConfiguration for Traffic

Sampling” section in the “Configuring Traffic Sampling” topic:

The following prerequisites apply to M Series, MX Series, and T Series routers when

you configure traffic sampling on interfaces and in firewall filters:

• If you configure a sample action in a firewall filter for an inet or inet6 family on an

interfacewithout configuring the forwarding-options settings, operational problems

might occur if you also configure port mirroring or flow-tap functionalities. In such a

scenario, all the packets that match the firewall filter are incorrectly sent to the

service PIC.

• If you include the then sample statement at the [edit firewall family inet filter

filter-name term term-name] hierarchy level to specify a sample action in a firewall

filter for IPv4 packets, youmust also include the family inet statement at the [edit

forwarding-options sampling] hierarchy level or the instance instance-name family

inet statement at the [edit forwarding-options sampling] hierarchy level. Similarly,

if you include the then sample statement at the [edit firewall family inet6 filter

filter-name term term-name] hierarchy level to specify a sample action in a firewall



filter for IPv6 packets, youmust also include the family inet6 statement at the [edit

forwarding-options sampling] hierarchy level or the instance instance-name family

inet6 statementat the [edit forwarding-optionssampling]hierarchy level.Otherwise,

a commit error occurs when you attempt to commit the configuration.

• Also, if you configure traffic sampling on a logical interface by including the sampling

input or sampling output statements at the [edit interface interface-name unit

logical-unit-number] hierarchy level, you must also include the family inet | inet6

statement at the [edit forwarding-options sampling] hierarchy level, or the instance

instance-name family inet | inet6 statementat the [edit forwarding-optionssampling]

hierarchy level.

• The “Configuring Port Mirroring” topic erroneously states that the input statement can

be includedunder the [edit forwarding-optionsport-mirroringfamily(inet | inet6)output]

hierarchy level. Only the output statement is available at the [edit forwarding-options

port-mirroring family (inet | inet6)] hierarchy level. To configure the input packet

properties for port mirroring, youmust include the input statement at the [edit

forwarding-options port-mirroring] hierarchy level.

To configure port mirroring on a logical interface, configure the following statements

at the [edit forwarding-options port-mirroring] hierarchy level:

[edit forwarding-options port-mirroring]input {maximum-packet-length bytesrate rate;run-length number;

}family (inet|inet6) {output {interface interface-name {next-hop address;

}no-filter-check;}

}

Also, the note incorrectly states that the input statement can also be configured at the

[edit forwarding-options port-mirroring] hierarchy level and that it is only maintained

for backwardcompatibility. Thenotealsomentions that theconfigurationof theoutput

statement is deprecated at the [edit forwarding-optionsport-mirroring] hierarchy level.

The correct behavior regarding the port-mirroring configuration for the packets to be

mirrored and for the destination at which the packets are to be received is as follows:

NOTE: The input statement is deprecated at the [edit forwarding-options

port-mirroring family (inet | inet6)] hierarchy level and is maintained only

for backward compatibility. Youmust include the input statement at the

[edit forwarding-options port-mirroring] hierarchy level.

• In theOutput Fields section of the show services ipsec-vpn ipsec security-associations

command topic of the Junos VPN Site Secure Feature Guide, the descriptions of the



Local Identity and Remote Identity fields are not clear and complete. The following are

the revised descriptions of these fields:

• Local Identity—Protocol, address or prefix, and port number of the local entity of the

IPsec association. The format is id-type-name

(proto-name:port-number,[0..id-data-len] = iddata-presentation). The protocol is

alwaysdisplayedasanybecause it is not user-configurable in the IPsec rule. Similarly,

the port number field in the output is always displayed as 0 because it is not

user-configurable in the IPsec rule. The value of the id-data-len parameter can be

one of the following, depending on the address configured in the IPsec rule:

• For an IPv4 address, the length is 4 and the value displayed is 3.

• For a subnet mask of an IPv4 address, the length is 8 and the value displayed is 7.

• For a range of IPv4 addresses, the length is 8 and the value displayed is 7.

• For an IPv6 address prefix, the length is 16 and the value displayed is 15.

• Forasubnetmaskofan IPv6addressprefix, the length is32and thevaluedisplayed

is 31.

• For a range of IPv6 address prefixes, the length is 32 and the value displayed is 31.

The value of the id-data-presentation field denotes the IPv4 address or IPv6 prefix

details. If the fully qualified domain name (FQDN) is specified insteadof the address

for the local peer of the IPsec association, it is displayed instead of the address

details.

• Remote Identity—Protocol, address or prefix, and port number of the remote entity

of the IPsec association. The format is id-type-name

(proto-name:port-number,[0..id-data-len] = iddata-presentation). The protocol is

alwaysdisplayedasanybecause it is not user-configurable in the IPsec rule. Similarly,

the port number field in the output is always displayed as 0 because it is not

user-configurable in the IPsec rule. The value of the id-data-len parameter can be

one of the following, depending on the address configured in the IPsec rule:

• For an IPv4 address, the length is 4 and the value displayed is 3.

• For a subnet mask of an IPv4 address, the length is 8 and the value displayed is 7.

• For a range of IPv4 addresses, the length is 8 and the value displayed is 7.

• For an IPv6 address prefix, the length is 16 and the value displayed is 15.

• Forasubnetmaskofan IPv6addressprefix, the length is32and thevaluedisplayed

is 31.

• For a range of IPv6 address prefixes, the length is 32 and the value displayed is 31.

The value of the id-data-presentation field denotes the IPv4 address or IPv6 prefix

details. If the fully qualified domain name (FQDN) is specified insteadof the address

for the remote peer of the IPsec association, it is displayed instead of the address

details.

• The “Understanding Aggregated Mulitservices Interfaces” and the “Example:

Configuring an Aggregated Mulitservices Interface (AMS)” topics in the Services



Interface Configuration Guide incorrectly state that whenmember-failure-options is

not configured, the default behavior is to redistribute the traffic among the available

interfaces. The correct behavior is that when themember-failure-options statement

is not configured, the default behavior is to dropmember trafficwith a rejoin timeout

of 120 seconds.

• The functionality to log the cflowd records in a log file before they are exported to a

cflowd server (by including the local-dump statement at the [edit forwarding-options

sampling instance instance-name family (inet |inet6 |mpls)output flow-serverhostname]

hierarchy level) is not supportedwhenyouconfigure inline flowmonitoring (by including

the inline-jflow statement at the [edit forwarding-options sampling instance

instance-name family inet output] hierarchy level).

• The following information regarding the interoperationofFTPALGandaddress-pooling

paired features is missing from the "ALG Descriptions" topic of the "Application

Properties" chapter:

OnMS-MPCs andMS-MICs, for passive FTP to work properly without FTP application

layer gateway (ALG) enabled (by not specifying the application junos-ftp statement

at the [edit services stateful-firewall rule rule-name term term-name from] and the [edit

services nat rule rule-name term term-name from] hierarchy levels), youmust enable

the address pooling paired (APP) functionality enabled (by including the

address-pooling statement at the [edit servicesnat rule rule-name term term-name then

translated] hierarchy level). Such a configuration causes the data and control FTP

sessions to receive the same NAT address.

• The “ConfiguringTunnel InterfacesonMXSeriesRouters” topic in theServices Interfaces

Configuration Guide fails to state that Ingress queuing and tunnel services cannot be

configured on the sameMPC as it causes Packet Forwarding Engine forwarding to

stop. Each feature can, however, be configured and used separately.

Services Interfaces Overview for Routing Devices

• The following items describe updates for aggregated Mulitservices (AMS) interfaces

information:

• The description for the rejoin-timeout statement under the hierarchy [edit interfaces

interface-name load-balancing-optionsmember-failure-optionsdrop-member-traffic]

should be changed to the following:

Configure the timebywhen failedmembers (members in theDISCARD state) should

rejoin the aggregatedMultiservices (AMS) interfaceautomatically. Allmembers that

do not rejoin by the configured time aremoved to the INACTIVE state and the traffic

meant for each of the members is dropped.

If multiple members fail around the same time, then they are held in the DISCARD

state using a single timer. When the timer expires, all the failed members move to

INACTIVE state at the same time.

• The following information should be added to the “Aggregated Multiservices

Interface” section in the “Understanding Aggregated Multiservices Interfaces” topic:



Member interfacesare identifiedasmams in theconfiguration. Thechassisdprocess

in routers that support AMS configuration creates amams entry for every

multiservices interface on the router.

When you configure services-options at the ams= interface level, the options apply

to all member interfaces (mams) for the ams interface.

The options also apply to service sets configured onms- interfaces corresponding

to the ams interface’s member interfaces. All settings are per PIC. For example,

session-limit applies per member and not at an aggregate level.

NOTE: You cannot configure services-options at both the ams(aggregate)andmember-interface level. If services-options isconfiguredonms-x/y/z, it also applies to service sets onmams-x/y/z.

When you want services-options settings to apply uniformly to allmembers, configure services-options at the ams interface level. If youneed different settings for individualmembers (for example, because ofa syslog configuration), configure services-options at themember-interface level.

• The show interfaces load-balancing command topic should include the following

description for Last change in the table:

Time elapsed since the last change to the interface. Changes that affect the elapsed

time displayed include internal events that may not have changed the state of any

member.

• The Options section for the flow-export-rate statement under the hierarchy [edit

forwarding-options sampling instance instance-name family inet output inline-jlow] did

not include the default value. The default value is:

Default: 1 for eachPacketForwardingEngineon theFPCtowhich thesampling instanceis applied.

Standards Reference

• The “Supported FlowMonitoring and Discard Accounting Standards” topic fails to

mention the following additional information:

On MX Series routers, Junos OS partially supports the following RFCs:

• RFC 5101, Specification of the IP Flow Information Export (IPFIX) Protocol for the

Exchange of IP Traffic Flow Information

• RFC 5102, Information Model for IP Flow Information Export

Subscriber Management Access Network Guide

• The LACTunnel SelectionOverview,ConfiguringWeighted LoadBalancing for LACTunnel

Sessions andweighted-load-balancing (L2TP LAC) topics in the Junos OS Broadband

Subscriber Management and Services Library incorrectly describe howweighted load



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/subscriber-management-l2tp-lac-tunnel-selection-overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/subscriber-management-l2tp-lac-tunnel-weighted-load-balancing.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/subscriber-management-l2tp-lac-tunnel-weighted-load-balancing.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/weighted-load-balancing-edit-services-l2tp.html

balancing works on an L2TP LAC. The topics state that the tunnel with the highest

weight (highest session limit) within a preference level is selected until it has reached

itsmaximumsessions limit, and then the tunnelwith thenext higherweight is selected,

and so on.

In fact, when weighted load balancing is configured, tunnels are selected randomly

within a preference level, but the distribution of selected tunnels is related to their

weight. The LAC generates a random number within a range equal to the aggregate

total of all session limits for all tunnels in the preference level. Portions of the

range—pools of numbers—are associated with the tunnels according to their weight;

a higher weight results in a larger pool. The random number is more likely to be in a

larger pool, so a tunnel with a higher weight (larger pool) is more likely to be selected

than a tunnel with a lower weight (smaller pool).

For example, consider a level that has only two tunnels, A and B. Tunnel A has a

maximum sessions limit of 1000 and tunnel B has a limit of 2000 sessions, resulting

in an aggregate total of 3000 sessions. The LAC generates a random number in the

range from 0 through 2999. A pool of 1000 numbers, the portion of the range from 0

through 999, is associated with tunnel A. A pool of 2000 numbers, the portion of the

range from 1000 through 2999, is associated with tunnel B. If the generated number

is less than 1000, then tunnel A is selected, even though it has a lower weight than

tunnel B. If the generated number is 1000 or larger, then tunnel B is selected. Because

the pool of possible generated numbers for tunnel B (2000) is twice that for tunnel A

(1000), tunnel B is, on average, selected twice as often as tunnel A.

• The Pseudowire Subscriber Logical Interfaces Overview and Configuring a Pseudowire

Subscriber Logical Interface topics have been updated in Junos OS Release 13.3R9 to

state thatVLANdemux interfacesarenot supportedoverpseudowire subscriber logical

interfaces. Earlier versions of these topics omitted this information.

Subscriber Management Feature Guide

• In the Junos OS Subscriber Management Feature Guide, the fail-over-within-preference

statement at the [edit services l2tp] hierarchy level is incorrectly spelled. The correct

spelling for this statement is failover-within-preference.

• The Junos OS Release 13.3 Subscriber Management Feature Guide fails to include the

new user@domain option for filtering AAA, L2TP, and PPP traces by subscriber. See

the feature description in these Release Notes titled Support for filtering trace results

by subscribers for AAA, L2TP, and PPP for information about using this option.

• The “Example: HTTPServiceWithin aService Set” topic in theSubscriberManagement

Feature Guide erroneously describes how to configure captive portal content delivery

rules in service sets.



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/pseudowire-subscriber-interfaces-overview.html



Use the followingprocedure to configure captiveportal content delivery rules in service

sets:

1. Define one or more rules with the rule rule-name statement at the [edit services

captive-portal-content-delivery]hierarchy level. In each rule youspecify oneormore

terms to match on an application, destination address, or destination prefix list;

where the match takes place; and actions to be taken when thematch occurs,

2. (Optional) Define one or more rule sets by listing the rules to be included in the set

with the rule-set rule-set-name statement at the [edit services

captive-portal-content-delivery] hierarchy level.

3. Configure a captive portal content delivery profile with the profile profile-name

statement at the [edit services captive-portal-content-delivery] hierarchy level.

4. In the profile, specify a list of rules with the cpcd-rules [rule-name] statement or a

list of rule setswith the cpcd-rule-sets [rule-set-name] statement. Both statements

areat the [editservicescaptive-portal-content-deliveryprofileprofile-name]hierarchy

level.

5. Associate theprofilewithaservicesetwith thecaptive-portal-content-delivery-profile

profile-name statement at the [edit services service-set service-set-name] hierarchy

level.

• The “LAC Tunnel Selection Overview” topic in the Junos OS Subscriber Management

FeatureGuide incorrectly describes thecurrentbehavior for failover betweenpreference

levels. The topic states that when the tunnels at every preference level have a

destination in the lockout state, the LAC cycles back to the highest preference level

andwaits for the lockout time for adestinationat that level to expire before attempting

to connect and starting the process over.

In fact, the current behavior in this situation is that from the tunnels present at the

lowest level of preference (highest preference number), the LAC selects the tunnel

that has the destinationwith the shortest remaining lockout time. The LAC ignores the

lockout and attempts to connect to the destination.

• The Subscriber Management Scaling Values (XLS) spreadsheet previously reported

that 64,000 PPPoE subscribers are supported per interface for Junos OS Release 12.3

and subsequent releases. In fact, the chassis supports 128,000 PPPoE subscribers

beginning in Junos OS Release 12.3.

You can access the latest version of the Subscriber Management Scaling Values (XLS)

spreadsheet fromtheDownloadsboxat JunosOSSubscriberManagementandServices

Library.

Subscriber Management Provisioning Guide

• The table in the topic, “AAA Access Messages and Supported RADIUS Attributes and

Juniper Networks VSAs for Junos OS” incorrectly indicates that VSA 26-1

(Virtual-Router) supports CoA Request messages. VSA 26-1 does not support CoA

Request messages.



http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/subscriber-access/index.html

http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/subscriber-access/index.html

• The following topics erroneously include information about the Ignore-DF-Bit VSA

(26-70): “RADIUSAttributesand JuniperNetworksVSAsSupportedby theAAAService

Framework,” “Juniper Networks VSAs Supported by the AAA Service Framework”, and

“AAAAccessMessages and Supported RADIUSAttributes and Juniper Networks VSAs

for Junos OS.” Junos OS does not support VSA 26-70.

Some versions of the RADIUS dictionary file also erroneously list 26-70 as supported

by the Junos OS.



System LogMessages Reference

• The formats of theMSVCS_LOG_SESSION_OPENandMSVCS_LOG_SESSION_CLOSE

system logmessages in the "MSVCS System Log Messages" chapter are incorrectly

specified. The following is the correct and complete format of the

MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log

messages:

App: application, source-interface-name fpc/pic/port\address in hexadecimal format

source-address:source-port source-nat-information ->

destination-address:destination-port destination-nat-information (protocol-name)

hh:mm:ss.milliseconds protocol-name (tos tos-bit-value, ttl ttl-value, id id-number,

offset offset-value, flags [ip-flag-type], proto protocol- name (protocol-id), length

number)

SystemServices Administration Guide for Routing Devices

• The “Configuring the SSH Protocol Version” topic incorrectly states that both version

1 and version 2 of the SSH protocol are enabled by default. The topic should state that

version 2 of the SSH protocol is enabled by default, and youmust explicitly configure

version 1 if you want to enable it.

Tunnel and Encryption Services Interfaces

• The topic “Configuring Tunnel Interfaces on MX Series Routers” incorrectly states that

bandwidth rates of 20 gigabits per seconds and 40 gigabits per second require use of

a 100-Gigabit Ethernet Modular Port Concentrator and 100-Gigabit CFP MIC. The

MPC4E, MPC5E, and MPC6E also support 20 and 40 gigabits per second.

User Access and Authentication Guide for Routing Devices

• The "Example: DHCP Complete Configuration" and "dchp" topics should not include

support for the MX Series Universal Edge 3D Routers. This feature is supported only

on the M Series and the T Series.

VPLS Feature Guide for Routing Devices

• The following information regarding the working of firewall filters and policers with

MAC addresses applies to the "Configuring Firewall Filters and Policers for VPLS "

topic:

The behavior of firewall filters processing with MAC addresses differs between DPCs

and MPCs. On MPCs, interface filters are always applied before MAC learning occurs.

The input forwarding table filter is applied after MAC learning is completed. However,

onDPCs,MAC learningoccurs independentlyof theapplicationof filters. If theCE-facing

interface of the PE where the firewall filter is applied is an MPC, then the MAC entry

times out and is never learned again. However, if the CE-facing interface of the PE

where the firewall filter is applied is an DP, then the MAC entry is not timed out and if

the MAC address entry is manually cleared, it is relearned.



VPNs Library for Routing Devices

• The “Routing Instances Overview” topic should include the following instance types:

EthernetVPN(EVPN)and InternetMulticastoverMPLS.Use theEhternetVPN instance

type, which is supported on the MX Series only, to connect a group of dispersed

customer sites using a Layer 2 virtual bridge. Use the Internet Multicast over MPLS

instance type to provide support for ingress replication provider tunnels to carry IP

multicastdatabetween routers throughanMPLScloud, usingMBGPornext-generation

MVPN.

To configure an EVPN instance type, include the evpn statement at the [edit

routing-instances routing-instance-name instance-type] hierarchy level. To configure

an Internet Multicast over MPLS instance type, include thempls-internet-multicast

statementat the [edit routing-instances routing-instance-name instance-type]hierarchy

level.

VPWS Feature Guide for Routing Devices

• In JunosOSRelease 13.3, the Layer 2Circuits FeatureGuide for RoutingDeviceshasbeen

renamed VPWS Feature Guide for Routing Devices. VPWS content has been added to

this guide, and has been removed from the VPLS Feature Guide for Routing Devices.










This sectioncontains theprocedure toupgrade JunosOS,and theupgradeanddowngrade

policies for JunosOS for theMSeries,MXSeries, andTSeries. Upgrading or downgrading

JunosOScan take several hours, depending on the size and configuration of the network.

• Basic Procedure for Upgrading to Release 13.3 on page 243

• Upgrade and Downgrade Support Policy for Junos OS Releases on page 245

• Upgrading a Router with Redundant Routing Engines on page 245

• Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS

Release 10.1 on page 246

• Upgrading the Software for a Routing Matrix on page 247

• Upgrading Using Unified ISSU on page 248

• Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and

NSR on page 249



• Downgrading from Release 13.3 on page 250

• Changes Planned for Future Releases on page 250

Basic Procedure for Upgrading to Release 13.3

In order to upgrade to Junos OS 10.0 or later, youmust be running Junos OS 9.0S2, 9.1S1,

9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or youmust specify the no-validate

option on the request system software install command.

When upgrading or downgrading Junos OS, always use the jinstall package. Use other

packages (such as the jbundle package) only when so instructed by a Juniper Networks

support representative. For information about the contents of the jinstall package and

details of the installation process, see the Installation and Upgrade Guide.

NOTE: With JunosOSRelease 9.0 and later, the compact flash diskmemoryrequirement for Junos OS is 1 GB. For M7i andM10i routers with only 256MBmemory, see the Customer Support Center JTAC Technical BulletinPSN-2007-10-001 athttps://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001

&actionBtn=Search

NOTE: Before upgrading, back up the file system and the currently activeJunos OS configuration so that you can recover to a known, stableenvironment in case the upgrade is unsuccessful. Issue the followingcommand:

user@host> request system snapshot

The installation process rebuilds the file system and completely reinstallsJunos OS. Configuration information from the previous software installationis retained, but the contents of log files might be erased. Stored files on therouting platform, such as configuration templates and shell scripts (the onlyexceptions are the juniper.conf and ssh files) might be removed. To preserve

the stored files, copy them to another system before upgrading ordowngrading the routing platform. For more information, see the Junos OS

Administration Library for Routing Devices.




http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/system-basics/


Thedownloadand installationprocess for JunosOSRelease 13.3 isdifferent fromprevious

Junos OS releases.

Before upgrading to 64-bit Junos OS, read the instruction on the following pages:

• To check Routing Engine compatibility, see Supported Routing Engines by Router.

• To read the upgrade instructions, see Upgrading to 64-bit Junos OS.

1. Using aWeb browser, navigate to the All Junos Platforms software download URL on

the Juniper Networks webpage:

http://www.juniper.net/support/downloads/

2. Select the name of the Junos platform for the software that you want to download.

3. Select the release number (the number of the software version that you want to

download) from the Release drop-down list to the right of the Download Software

page.

4. Select the Software tab.

5. In the Install Package section of the Software tab, select the software package for the

release.

6. Log in to the Juniper Networks authentication system using the username (generally

your e-mail address) and password supplied by Juniper Networks representatives.

7. Review and accept the End User License Agreement.

8. Download the software to a local host.

9. Copy the software to the routing platform or to your internal software distribution

site.

10. Install the new jinstall package on the routing platform.

NOTE: We recommend that you upgrade all software packages out ofband using the console because in-band connections are lost during theupgrade process.

Customers in the United States and Canada, use the following command:

user@host> request system software add validate rebootsource/jinstall-13.3R91-domestic-signed.tgz

All other customers, use the following command:

user@host> request system software add validate rebootsource/jinstall-13.3R91-export-signed.tgz

Replace sourcewith one of the following values:

• /pathname—For a software package that is installed from a local directory on the

router.

• For software packages that are downloaded and installed from a remote location:

• ftp://hostname/pathname



http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/routing-engine-m-mx-t-series-support-by-chassis.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/64-bit-junos-upgrading.html


• http://hostname/pathname

• scp://hostname/pathname (available only for Canada and U.S. version)

The validate option validates the software package against the current configuration

as a prerequisite to adding the software package to ensure that the router reboots

successfully. This is the default behavior when the software package being added is

a different release.

Adding the reboot command reboots the router after the upgrade is validated and

installed. When the reboot is complete, the router displays the login prompt. The

loading process can take 5 to 10minutes.

Rebooting occurs only if the upgrade is successful.

NOTE: After you install a Junos OS Release 13.3 jinstall package, you cannot

issue the requestsystemsoftwarerollbackcommandto return to thepreviously

installed software. Instead youmust issue the request system software add

validate command and specify the jinstall package that corresponds to the

previously installed software.

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that spanmore than three Junos OS releases at

a time is not provided, except for releases that are designated as Extended End-of-Life

(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can

upgrade directly from one EEOL release to the next EEOL release even though EEOL

releases generally occur in increments beyond three releases.

You can upgrade or downgrade to the EEOL release that occurs directly before or after

the currently installed EEOL release, or to twoEEOL releases before or after. For example,

Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos

OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4.

However, you cannot upgrade directly from a non-EEOL release that is more than three

releases ahead or behind. For example, you cannot directly upgrade from Junos OS

Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from

Junos OS Release 11.4 to Junos OS Release 10.3.

To upgrade or downgrade fromanon-EEOL release to a releasemore than three releases

before or after, first upgrade to the next EEOL release and then upgrade or downgrade

from that EEOL release to your target release.

For more information on EEOL releases and to review a list of EEOL releases, see


Upgrading a Router with Redundant Routing Engines

If the router has two Routing Engines, perform a Junos OS installation on each Routing

Engine separately to avoid disrupting network operation as follows:




1. Disable graceful Routing Engine switchover (GRES) on themaster Routing Engine

and save the configuration change to both Routing Engines.

2. Install the new Junos OS release on the backup Routing Engine while keeping the

currently running software version on themaster Routing Engine.

3. After making sure that the new software version is running correctly on the backup

RoutingEngine, switchover to thebackupRoutingEngine toactivate thenewsoftware.

4. Install the new software on the original master Routing Engine that is now active as

the backup Routing Engine.

For the detailed procedure, see the Installation and Upgrade Guide.

Upgrading JuniperNetworkRoutersRunningDraft-RosenMulticastVPN to JunosOS Release 10.1

In releases earlier than Junos OS Release 10.1, the draft-rosenmulticast VPN feature

implements the unicast lo0.x address configured within that instance as the source

address used to establish PIM neighbors and create the multicast tunnel. In this mode,

the multicast VPN loopback address is used for reverse path forwarding (RPF) route

resolution to create the reverse path tree (RPT), or multicast tunnel. Themulticast VPN

loopback address is also used as the source address in outgoing PIM control messages.

In Junos OS Release 10.1 and later, you can use the router’s main instance loopback

(lo0.0) address (rather than themulticast VPN loopback address) to establish the PIM

state for the multicast VPN. We strongly recommend that you perform the following

procedure when upgrading to Junos OS Release 10.1 if your draft-rosenmulticast VPN

network includes both Juniper Network routers and other vendors’ routers functioning

as provider edge (PE) routers. Doing so preservesmulticast VPNconnectivity throughout

the upgrade process.

Because JunosOSRelease 10.1 supportsusing the router’smain instance loopback (lo0.0)

address, it is no longer necessary for the multicast VPN loopback address to match the

main instance loopback adddress lo0.0 to maintain interoperability.

NOTE: Youmight want tomaintain amulticast VPN instance lo0.x address

to use for protocol peering (such as IBGP sessions), or as a stable routeridentifier, or to support the PIM bootstrap server function within the VPNinstance.

Complete the following steps when upgrading routers in your draft-rosenmulticast VPN

network to Junos OS Release 10.1 if you want to configure the routers’s main instance

loopback address for draft-rosenmulticast VPN:

1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the

loopback address for draft-rosen Multicast VPN.

NOTE: Do not configure the new feature until all theM7i andM10i routersin the network have been upgraded to Junos OS Release 10.1.




2. After you have upgraded all routers, configure each router’s main instance loopback

address as the source address formulticast interfaces. Include thedefault-vpn-source

interface-name loopback-interface-name] statement at the [edit protocols pim]

hierarchy level.

3. After you have configured the router’s main loopback address on each PE router,

delete the multicast VPN loopback address (lo0.x) from all routers.

We also recommend that you remove themulticast VPN loopback address from all

PE routers fromother vendors. In JunosOS releases earlier thanRelease 10.1, to ensure

interoperability with other vendors’ routers in a draft-rosenmulticast VPN network,

you had to perform additional configuration. Remove that configuration from both

the JuniperNetworks routers and the other vendors’ routers. This configuration should

beon JuniperNetworks routers andon theother vendors’ routerswhere youconfigured

the lo0.mvpnaddress ineachVRF instanceas thesameaddressas themain loopback

(lo0.0) address.

This configuration is not requiredwhen you upgrade to Junos OS Release 10.1 and use

themain loopback address as the source address for multicast interfaces.

NOTE: Tomaintain a loopback address for a specific instance, configurea loopback address value that does notmatch themain instance address(lo0.0).

For more information about configuring the draft-rosen Multicast VPN feature, see the

Multicast Protocols Feature Guide for Routing Devices.

Upgrading the Software for a RoutingMatrix

A routing matrix can be either a TXMatrix router as the switch-card chassis (SCC) or a

TXMatrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade

software for a TXMatrix router or a TXMatrix Plus router, the new image is loaded onto

the TXMatrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or

sfc option) and distributed to all line-card chassis (LCCs) in the routingmatrix (specified

in the Junos OS CLI by using the lcc option). To avoid network disruption during the

upgrade, ensure the following conditions before beginning the upgrade process:

• Aminimumof freedisk spaceandDRAMoneachRoutingEngine.Thesoftwareupgrade

will fail on any Routing Engine without the required amount of free disk space and

DRAM.Todetermine theamountofdisk spacecurrentlyavailableonallRoutingEngines

of the routing matrix, use the CLI show system storage command. To determine the

amount of DRAM currently available on all the Routing Engines in the routing matrix,

use the CLI show chassis routing-engine command.

• Themaster Routing Engines of the TXMatrix or TX Matrix Plus router (SCC or SFC)

and all LCCs connected to the SCC or SFC are all re0 or are all re1.

• The backup Routing Engines of the TXMatrix or TX Matrix Plus router (SCC or SFC)

and all LCCs connected to the SCC or SFC are all re1 or are all re0.



http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/config-guide-multicast/config-guide-multicast.html

• All master Routing Engines in all routers run the same version of software. This is

necessary for the routing matrix to operate.

• All master and backup Routing Engines run the same version of software before

beginning the upgrade procedure. Different versions of the Junos OS can have

incompatible message formats especially if you turn on GRES. Because the steps in

the process include changing mastership, running the same version of software is

recommended.

• For a routing matrix with a TXMatrix router, the same Routing Engine model is used

within a TXMatrix router (SCC) and within a T640 router (LCC) of a routing matrix.

For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using

two RE-1600s is supported. However, an SCC or an LCC with two different Routing

Engine models is not supported. We suggest that all Routing Engines be the same

model throughout all routers in the routing matrix. To determine the Routing Engine

type, use the CLI show chassis hardware | match routing command.

• For a routing matrix with a TXMatrix Plus router, the SFC contains twomodel

RE-DUO-C2600-16G Routing Engines, and each LCC contains twomodel

RE-DUO-C1800-8G or RE-DUO-C1800-16G Routing Engines.

BEST PRACTICE: Make sure that all master Routing Engines are re0 and allbackup Routing Engines are re1 (or vice versa). For the purposes of thisdocument, themaster Routing Engine is re0 and the backup Routing Engineis re1.

To upgrade the software for a routing matrix, perform the following steps:


(re0) and save the configuration change to both Routing Engines.

2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping

the currently running software version on themaster Routing Engine (re0).

3. Load the new JunosOSon the backupRouting Engine. Aftermaking sure that the new

software version is running correctly on the backup Routing Engine (re1), switch

mastership back to the original master Routing Engine (re0) to activate the new

software.

4. Install the new software on the new backup Routing Engine (re0).

For thedetailedprocedure, see theRoutingMatrixwithaTXMatrixRouterDeploymentGuide

or the Routing Matrix with a TXMatrix Plus Router Deployment Guide.

Upgrading Using Unified ISSU

Unified in-service softwareupgrade (ISSU)enables you toupgradebetween twodifferent

Junos OS releases with no disruption on the control plane and with minimal disruption

of traffic. Unified in-service software upgrade is only supported by dual Routing Engine

platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active

routing (NSR)must be enabled. For additional information about using unified in-service

software upgrade, see the High Availability Feature Guide for Routing Devices.



http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/solutions/routing-matrix/routing-matrix.pdf

http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/solutions/routing-matrix-tx-matrix-plus/index.pdf

http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/config-guide-high-availability/high-availability.html

Upgrading from JunosOSRelease 9.2 or Earlier on aRouter Enabled for BothPIMand NSR

Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the

following PIM features are not currently supportedwith NSR. The commit operation fails

if the configuration includes both NSR and one or more of these features:

• Anycast RP

• Draft-Rosenmulticast VPNs (MVPNs)

• Local RP

• Next-generation MVPNs with PIM provider tunnels

• PIM join load balancing

Junos OS Release 9.3 introduced a new configuration statement that disables NSR for

PIM only, so that you can activate incompatible PIM features and continue to use NSR

for the other protocols on the router: the nonstop-routing disable statement at the [edit

protocolspim]hierarchy level. (Note that this statementdisablesNSR for all PIM features,

not only incompatible features.)

If neitherNSRnorPIM is enabledon the router tobeupgradedor if oneof theunsupported

PIM features is enabled but NSR is not enabled, no additional steps are necessary and

you can use the standard upgrade procedure described in other sections of these

instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use

the standard reboot or ISSU procedures described in the other sections of these

instructions.

Because the nonstop-routing disable statement was not available in Junos OS Release

9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to

be upgraded from Junos OS Release 9.2 or earlier to a later release, youmust disable

PIM before the upgrade and reenable it after the router is running the upgraded Junos

OS and you have entered the nonstop-routing disable statement. If your router is running

Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR

orPIM–simplyuse thestandard rebootor ISSUproceduresdescribed in theother sections

of these instructions.

To disable and reenable PIM:

1. On the router running Junos OS Release 9.2 or earlier, enter configuration mode and

disable PIM:

[edit]

user@host# deactivate protocols pimuser@host# commit

2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate

for the router type. You caneither use the standardprocedurewith reboot or use ISSU.

3. After the router reboots and is running the upgraded Junos OS, enter configuration

mode, disablePIMNSRwith thenonstop-routingdisable statement, and then reenable

PIM:



[edit]

user@host# set protocols pim nonstop-routing disableuser@host# activate protocols pimuser@host# commit

Downgrading fromRelease 13.3

To downgrade from Release 13.3 to another supported release, follow the procedure for

upgrading, but replace the 13.3 jinstall package with one that corresponds to the

appropriate release.

NOTE: Youcannot downgrademore than three releases. For example, if yourrouting platform is running Junos OS Release 11.4, you can downgrade thesoftware to Release 10.4 directly, but not to Release 10.3 or earlier; as aworkaround, you can first downgrade to Release 10.4 and then downgradeto Release 10.3.

For more information, see the Installation and Upgrade Guide.

Changes Planned for Future Releases

The following are changes planned for future releases.

Routing Protocols

• Change in Junos OS support for the BGPMonitoring Protocol (BMP)—In Junos OSRelease 13.3and later, thecurrently supportedversionofBMP,BMPversion 1, asdefined

in Internet draft draft-ietf-grow-bmp-01, is planned to be replaced with BMP version

3, as defined in Internet draft draft-ietf-grow-bmp-07.txt. Junos OS can support only

one of these versions of BMP in a release. Therefore, Junos OS Release 13.2 and earlier

releases will continue to support BMP version 1, as defined in Internet draft

draft-ietf-grow-bmp-01. Junos OS Release 13.3 and later support only the updated

BMP version 3 defined in Internet draft draft-ietf-grow-bmp-07.txt. This also means

thatbeginning in JunosOSRelease 13.3,BMPversion3configurationsarenotbackwards

compatible with BMP version 1 configurations from earlier Junos OS releases.

• Removalofsupport forproviderbackbonebridging(MXSeries routers) fromRelease14.1—Starting with Junos OS Release 14.1, the provider backbone bridging (PBB)capability is disabled and not supported on MX Series routers. The pbb-options

statementand its substatementsat the [edit routing-instances routing-instance-name]

hierarchy level and the pbb-service-options statement and its substatements at the

[edit routing-instances routing-instance-name service-groups service-group-name]

hierarchy level are no longer available for configuring customer and provider routing

instances for PBB. When you upgrade MX Series routers running Junos OS Releases

12.3, 13.2, or 13.3 to JunosOSRelease 14.1 and if your deployment contains PBB settings

in configuration files, the configuration files after the upgrade need to bemodified to

remove the PBB-specific attributes because PBB is not supported in Release 14.1 and

later.

[See Provider Backbone Bridging Feature Guide for Routing Devices.]




http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/layer-2/pbb-mx-series.html











special compatibility guidelineswith the release, see theHardwareGuideand the Interface

Module Reference for the product.

To determine the features supported onM Series, MX Series, and T Series devices in this

release, use the Juniper Networks Feature Explorer, a Web-based application that helps

you to explore and compare Junos OS feature information to find the right software

release and hardware platform for your network. Find Feature Explorer at:










Junos OS Release Notes for PTX Series Packet Transport Routers

These release notes accompany Junos OS Release 13.3R10 for the PTX Series. They

describe new and changed features, limitations, and known and resolved problems in

the hardware and software.













OS Release 13.3R10 for the PTX Series.









Hardware

• PTX3000PacketTransportRouter—TheJuniperNetworksPTX3000PacketTransportRouter provides 10-Gigabit Ethernet, 40-Gigabit Ethernet, and 100-Gigabit Ethernet

interfaces for large networks and network applications, such as those supported by

ISPs. The router accommodates up to eight Flexible PIC Concentrators (FPCs), each

of which supports one PIC. The compact design of the PTX3000 router allows up to

four chassis to be installed back-to-back in a single four-post rack. The PTX3000

router can be configured with single-phase AC or DC power supply modules.

[See the PTX3000 Packet Transport Router Hardware Guide.]

• CFP-GEN2-CGE-ER4 and CFP-GEN2-100GBASE-LR4 (PTX5000)—TheCFP-GEN2-CGE-ER4 transceiver (part number: 740-049763) provides a duplex LC

connector and supports the 100GBASE-ER4 optical interface specification and




http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/ptx-series/ptx3000/index.html

monitoring. The CFP-GEN2-100GBASE-LR4 transceiver (part number: 740-047682)

provides a duplex LC connector and supports the 100GBASE-LR4 optical interface

specificationandmonitoring. Starting in JunosOSRelease 13.3, the “GEN2”optics have

been redesigned with newer versions of internal components for reduced power

consumption. The following interface module supports the CFP-GEN2-CGE-ER4 and

CFP-GEN2-100GBASE-LR4transceivers. Formore informationabout interfacemodules,

see the Interface Module Reference for your router.

• 100-Gigabit Ethernet PIC with CFP (model number:

P1-PTX-2-100GE-CFP)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3R1, and

later






• Support for strict-priority scheduling (PTX Series)—Beginning with Junos OS Release

13.3, interfaces on PTX Series routers support strict-priority scheduling. Configured

queues are processed in strict-priority order. Within the guaranteed region, multiple

CoS queues that compete in the same hardware-based priority level are selected

based on the packet round-robin algorithm, while within the excess region, selection

is based on theWRR algorithm. The queues receive equal share when they send the

same packet size. Otherwise, the queues receive shares proportional to the respective

packet sizes sent. To enable configuration of strict-priority scheduling for a physical

interface on a PTX Series router, include the strict-priority-scheduler statement in the

traffic control profile associated with the interface.

[See Understanding Scheduling on PTX Series Routers.]

General Routing

• Nonstop active routing support for logical systems (PTX Series)—Starting in Junos

OSRelease 13.3, this featureenablesnonstopactive routing support for logical systems

using the nonstop-routing option under the [edit logical-systems logical-system-name

routing-options] hierarchy. As a result of extending nonstop active routing support for

logical systems, the logical-systems argument has been appended in some show

operational commands to allow display of status, process, and event details.


• Nonstop active routing support for BGP addpath (PTX Series)—Beginning in JunosOS Release 13.3, nonstop active routing support for BGP addpath is available on the

PTX Series. Nonstop active routing support is enabled for the BGP addpath feature.

After the nonstop active routing switchover, addpath-enabled BGP sessions do not

bounce. The secondary Routing Engine maintains the addpath advertisement state

before the nonstop active routing switchover.


• FPCself-healing(PTXSeries)—Starting in JunosOSRelease 13.3onPTXSeries routersyoucanconfigurePacket ForwardingEngine-relatederror levels (fatal,major, orminor)

and the actions to perform (alarm, disable-pfe, or log) when a specified threshold is

reached. Previously, Packet Forwarding Engine-related errors disabled the FPC. Using

this command Packet Forwarding Engine errors can be isolated thereby reducing the

need for a field replacement. This command is available at the [edit chassis fpc

slot-number] and [edit chassis] hierarchy levels.

• 2-port 100-Gigabit DWDMOTNPIC (PTX3000)—Beginning with Junos OS Release13.3, the 2-port 100-Gigabit dense wavelength division multiplexing (DWDM) optical

transport network (OTN) PIC is supported by Type 5 FPCs on PTX3000 routers. The

100-Gigabit DWDMOTN PIC supports the following features:

• Transparent transport of two 100-Gigabit Ethernet signals with OTU4 framing

• ITU-standard OTN performancemonitoring and alarmmanagement



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/cos-strict-scheduling-ptx.html

• Dual polarization quadrature phase shift keying (DP-QPSK)modulation and

soft-decision forwarderror correction (SD-FEC) for longhaul andmetroapplications

You can use SNMP tomanage the PIC based on RFC 3591,Managed Objects for the

Optical Interface Type.

[See 100-Gigabit Ethernet OTNOptions Configuration Overview.]

• Pre-FECBERfast reroute(PTX3000)—Starting in JunosOSRelease 13.3, the 100-GbpsDWDMOTN PIC (P1-PTX-2-100G-WDM) supports pre-forward error correction

(pre-FEC) bit error rate (BER) monitoring as a condition for MPLS fast reroute (FRR).

Pre-FEC BER FRR uses pre-FEC BER as an indication of the condition of an optical

transport network (OTN) link. When the pre-FEC BER degrade threshold is reached,

thePIC stops forwarding packets to the remote interface and raises an interface alarm.

Ingress packets continue to be processed. When Pre-FEC BER FRR is used with MPLS

FRR or another link protection method, traffic is then rerouted to a different interface.

You can optionally enable backward FRR to inject local pre-FEC status into the

transmitted OTN frames, notifying the remote interface. The remote interface then

reroutes traffic to a different interface.When you use pre-FEC BER FRR and backward

FRR, notification of signal degradation and rerouting of traffic can occur in less time

than through a Layer 3 protocol.

[See 100-Gigabit Ethernet OTNOptions Configuration Overview.]

• Support for configuring interface alias names (PTX Series)—Beginning in Junos OSRelease 13.3, you can configure a textual description of a physical interface or the

logical unit of an interface to be the alias of an interface name. If you configure an

interface alias, this alias name is displayed in the output of the show interfaces

commands instead of the interface name. Also, in the output of all of the show and

operational mode commands that display the interface names, the alias name is

displayed instead of the interface name if you configure the alias name. It has no effect

on theoperationof the interfaceon the router or switch.Youcanuse thealias statement

at the [edit interfaces interface-name], [edit interfaces interface-name unit

logical-unit-number], and [edit logical-systems logical-system-name interfaces

interface-name unit logical-unit-number] hierarchy levels to specify an interface alias.

[See Interface Alias NameOverview]

• Support for active flowmonitoring version 9 (PTX5000 routers withCSE2000)—Starting with Junos OS Release 13.3, Carrier-Grade Service Engine(CSE2000) supports active flowmonitoring version 9 on PTX5000 routers.

TheCSE2000 is tethered toaPTX5000router toenableactive flowmonitoringversion

9.Active flowmonitoring version9 supports IPV4,MPLS, and IPV6 templates to collect

a set of sampled flows and send the records to a specified host.

• SFPP-10G-CT50-ZR (PTX Series)—Beginning in Junos OS Release 13.3R3, theSPFF-10G-CT50-ZR tunable transceiver provides a duplex LC connector and supports

the 10GBASE-Z optical interface specification andmonitoring. The transceiver is not

specified as part of the 10-Gigabit Ethernet standard and is instead built according to

Juniper Networks specifications. OnlyWAN-PHY and LAN-PHYmodes are supported.

To configure the wavelength on the transceiver, use thewavelength statement at the



http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/interfaces-100-gigabit-ethernet-otn-options-configuration-overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/interfaces-100-gigabit-ethernet-otn-options-configuration-overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/interfaces-alias-name-overview.html

[edit interfaces interface-name optics-options] hierarchy level. The following interface

module supports the SPFF-10G-CT50-ZR transceiver:

• 10-Gigabit Ethernet LAN/WANOTN PIC with SFP+ (model number:

P1-PTX-24-10G-W-SFPP)—Supported in JunosOSRelease 13.2R3, 13.3R2, and later



[See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications andwavelength.]

• SFPP-10G-ZR-OTN-XT (PTX Series)—Starting with Junos OS Release 13.3R3, theSFPP-10G-ZR-OTN-XTdual-rate extended temperature transceiver provides aduplex

LC connector and supports the 10GBASE-Z optical interface specification and

monitoring. The transceiver is not specified as part of the 10-Gigabit Ethernet standard

and is instead built according to ITU-T and Juniper Networks specifications. The

following interface modules support the SFPP-10G-ZR-OTN-XT transceiver:

• 10-Gigabit Ethernet PIC with SFP+ (model number:

P1-PTX-24-10GE-SFPP)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3, and

later

• 10-Gigabit Ethernet LAN/WANOTN PIC with SFP+ (model number:

P1-PTX-24-10G-W-SFPP)—Supported in JunosOSRelease 12.3R5, 13.2R3, 13.3, and

later



[See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications.]

• OTN support for PTX Series—Starting in Junos OS Release 13.3, you can configureOTNmode on 10-Gigabit Ethernet interfaces on PTX Series Packet Transport Routers.

Only the 24-port 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (model number:

P1-PTX-24-10G-W-SFPP) supports OTNmode. The following OTN framingmodes

are supported:

• 10-Gigabit Ethernet LAN-PHY over OTU2e/OTU1e

• 10-Gigabit EthernetWAN-PHY over OTU2

The following forward error correction (FEC) types are supported:

• GFEC (G.709)

• EFEC (G.975.1 I.4)

• UFEC (G.975.1 I.7)

• None

You canmonitor various transport features like 24-hour bins and transport states by

using the transport-monitoring statement at the [edit interfaces] hierarchy level.

• Support for active flowmonitoring version 9 (PTX3000 routers withCSE2000)—Starting with Junos OS Release 13.3R4, Carrier-Grade Service Engine(CSE2000) supports active flowmonitoring version 9 on PTX3000 routers.




http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/wavelength-edit-interfaces.html


TheCSE2000 is tethered toaPTX3000router toenableactive flowmonitoringversion

9. Active flowmonitoring version 9 supports IPv4,MPLS, and IPv6 templates to collect

a set of sampled flows and send the records to a specified host.

• Support fordual-ratespeed(PTXSeries)—Starting in JunosOSRelease 13.3R3, 14.1R3,14.2R2, and later for PTX3000, and Junos OS 14.2R2 and later for PTX5000, support

for dual rate for the 24-port 10-Gigabit Ethernet PIC (P1-PTX-24-10GE-SFPP) enables

you to switch all port speeds to either 1-Gigabit Ethernet or 10-Gigabit Ethernet. The

default is 10 Gbps. All ports are configured to the same speed; there is no

mixed-rate-mode capability. You can use either the SFP-1GE-SX or the SFP-1GE-LX

transceiver for 1 Gbps. Changing the port speed causes the PIC to reboot.

Toconfigureall portson theP1-PTX-24-10GE-SFPPtooperateat 1Gbps, use the speed

1G statement at the [edit chassis fpc fpc-number pic pic-number] hierarchy level. To

return all ports to the 10-Gbps speed, use the delete chassis fpc fpc-number pic

pic-number speed 1G command.

[See speed (24-port and 12-port 10 Gigabit Ethernet PIC) and 10-Gigabit Ethernet PIC

with SFP+ (PTX Series).]

• CFP-100GBASE-ZR (PTX Series)—In Junos OS Release 13.3R6, 14.1R4, 14.2R3, and15.1R1 and later, the CFP-100GBASE-ZR transceiver provides advanced dual

polarization-quadraturephaseshift keying(DP-QPSK)coherentdigital signalprocessing

(DSP) and forward error correction (FEC)-enabled robust tolerance to optical

impairments and supports 80 km reach over single-mode fiber. The transceiver is not

specifiedaspart of IEEE802.3but is built according to JuniperNetworks specifications.

The following interface module supports the CFP-100GBASE-ZR transceiver:

• 100-Gigabit Ethernet PIC with CFP (P1-PTX-2-100GE-CFP)

For more information about the interface modules, see the “Cables and Connectors”

section in the PTX Series Interface Module Reference.

[See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications and Supported

Network Interface Standards by Transceiver for PTX Series Routers.]



http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/speed-24-port-10ge-pic.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/pic-ptx-series-10-ge-sfpp.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/general/pic-ptx-series-10-ge-sfpp.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/ptx-series/index.html


http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/specifications/transceiver-ptx-series-standards-by-model.html

http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/reference/specifications/transceiver-ptx-series-standards-by-model.html


• Support for BFD over child links of AE or LAG bundle (cross-functional PacketForwarding Engine/kernel/rpd) (PTX Series)—Beginning in Junos OS Release 13.3,BFDover child links of anAEor LAGbundle is supportedon thePTXSeries. This feature

provides a Layer 3 BFD liveness detection mechanism for child links of the Ethernet

LAG interface. You can enable BFD to run on individual member links of the LAG to

monitor theLayer 3or Layer 2 forwardingcapabilitiesof individualmember links. These

micro BFD sessions are independent of each other despite having a single client that

manages the LAG interface. To enable failure detection for aggregated Ethernet

interfaces, include the bfd-liveness-detection statement at the [edit interfaces aex

aggregated-ether-options bfd-liveness-detection] hierarchy level.

[See Understanding Independent Micro BFD Sessions for LAG.]

Routing Protocols

• Bidirectional PIM support (PTX5000)—Beginning with Junos OS Release 13.3,bidirectional PIM is supported on the PTX5000. The following caveats are applicable

for the bidrectional PIM configuration on the PTX 5000:

• You can configure the PTX5000 both as a bidirectional PIM rendezvous point and

the source node.

• For the PTX5000, you can configure the auto-rp statement at the [edit protocols

pimrp]or the [edit routing-instances routing-instance-nameprotocolspimrp]hierarchy

level with themapping option, but not the announce option.

• The PTX5000 does not support nonstop active routing in Junos OS Release 13.3.

• ThePTX5000does not support unified in-service software upgrade (ISSU) in Junos

OS Release 13.3.


• Unified ISSU support for the 100-Gbps DWDMOTNPIC (PTX5000)—Starting inJunosOSRelease 13.3, the 100-GbpsDWDMOTNPIC(P1-PTX-2-100G-WDM)supports

unified in-service software upgrade (ISSU) onPTX5000 routers. Unified ISSUenables

you to upgrade between two different Junos OS releases with no disruption on the

control plane and with minimal disruption of traffic.

[See Unified ISSU System Requirements.]










http://www.juniper.net/techpubs/en_US/junos13.3/topics/concept/bfd-for-lag-overview.html

http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/requirements/issu-system-requirements.html




of Junos OS statements and commands from Junos OS Release 13.3R10 for the PTX

Series.



• IPv6 on page 260





• New redundancy failover CLI statement (PTX Series)—Starting in Junos OS Release13.3R6, the chassis redundancy failover not-on-disk-underperform statement prevents

gstatd from causing failovers in the case of slow disks on the Routing Engine.


Disks.]


• Change to interpolatedWRED drop probability (PTX Series)—In Junos OS Releases13.2R4 and 13.3R2, the interpolated fill level of 0 percent has a drop probability of 0

percent for weighted random early detection (WRED). In earlier Junos OS releases,

interpolatedWRED can have a nonzero drop probability for a fill level of 0 percent,

which can cause packets to be dropped even when the queue is not congested or the

port is not oversubscribed.

• Exporting active flowmonitoring version 9 packets fromCSE2000 to PTX Seriesrouters—Starting with Junos OS Release 13.3R4, active flowmonitoring version 9

records created by CSE2000 are sent back to PTX Series Routers on the 10-Gigabit

Ethernet interface. The PTX Series routers then forward the version 9 flow records to

the version 9 flow server.

In releasesbefore JunosOSRelease 13.3R4, the version9 recordsare sent to theversion

9 flow server by means of a separate external collector port. This issue was being

tracked by PR985729







IPv6

• IPv6 support for SNMP traps (PTX Series)—In Releases 13.3R4 and later, Junos OSsupports IPv6 source addresses for the SNMP traps.


• New system logmessage indicating the difference in the Packet Forwarding Enginecounter value (PTXSeries)—Effective in JunosOSRelease 13.3R4, if the counter valueof a Packet Forwarding Engine is reported lesser than its previous value, then the

residual counter value isadded to thenewly reportedvalueonly for that specific counter.

In that case, the CLI shows theMIB2D_COUNTER_DECREASING system logmessage

for that specific counter.

[SeeMIB2D_COUNTER_DECREASING.]

• Enhancement for SONET interval counter (PTX Series)—Starting with Junos OSRelease 13.3R7, only the Current Day Interval Total output field in the show interfaces

interval command forSONET interfaces is reset after 24hours. In addition, thePrevious

Day Interval Total output field displays the last updated time in hh:mm.

[See show interfaces interval.]

Routing Protocols

• Modification to the default BGP extended community value—Junos OSmodifies thedefault BGP extended community value used for MVPN IPv4 VRF route import

(RT-import) to the IANA-standardized value. The behavior of themvpn-iana-rt-import

statement isnowthedefault. Themvpn-iana-rt-importstatementhasbeendeprecated;

we recommend that you remove it from configurations.

• Configure and establish targeted sessions with third-party controllers using LDPtargeted neighbor (PTX Series)—Starting with Junos OS Release 13.3R6, you can

configure LDP targeted neighbor to third-party controllers for applications such as

route recorder thatwants to learn label-FECbindingsof anLSR. LDP targetedneighbor

helps to establish a targeted session with controllers for a variety of applications.



http://contentapps.juniper.net/syslog-explorer/#message=MIB2D_COUNTER_DECREASING&product=Junos+OS&release=13.3

http://www.juniper.net/documentation/en_US/junos13.3/topics/reference/command-summary/show-interfaces-interval.html


• User-defined identifiersusingthereservedprefix junos-nowcorrectlycauseacommiterror in the CLI (PTXSeries)—Junos OS reserves the prefix junos- for the identifiers ofconfigurations defined within the junos-defaults configuration group. User-defined

identifiers cannot start with the string junos-. If you configured user-defined identifiers

using the reserved prefix through a NETCONF or Junos XML protocol session, the

commit would correctly fail. Prior to Junos OS Release 13.3, if you configured

user-defined identifiers through the CLI using the reserved prefix, the commit would

incorrectly succeed. Junos OS Release 13.3 and later releases exhibit the correct

behavior. Configurations that currently contain the reserved prefix for user-defined

identifiers other than junos-defaults configurationgroup identifiers nowcorrectly result

in a commit error in the CLI.

• Change in show version command output (PTX Series)—Beginning in Junos OSRelease 13.3, the show version command output includes the new Junos field that

displays the Junos OS version running on the device. This new field is in addition to the

list of installed sub-packages running on the device that also display the Junos OS

version number of those sub-packages. This field provides a consistent means of

identifying the Junos OS version, rather than extracting that information from the list

of installed sub-packages.


single Junos field in theoutput thatdisplays the JunosOSversion runningon thedevice.

The only way to determine the Junos OS version running on the device is to review the

list of installed sub-packages.



user@host> show versionHostname: lab Model: ptx5000 Junos: 13.3R1.4JUNOS Base OS boot [13.3R1.4] JUNOS Base OS Software Suite [13.3R1.4] JUNOS 64-bit Kernel Software Suite [13.3R1.4]JUNOS Crypto Software Suite [13.3R1.4]...

user@host> show versionHostname: lab Model: ptx5000 JUNOS Base OS boot [12.3R2.5]JUNOS Base OS Software Suite [12.3R2.5]JUNOS 64–bit Kernel Software Suite [12.3R2.5]JUNOS Crypto Software Suite [12.3R2.5]...

[See show version.]

• Configuring regular expressions (PTX Series)— In all supported Junos OS releases,

you can no longer configure regular expressions if they require more than 64MB of

memory or more than 256 recursions for parsing.


wasmade in response to a known consumption vulnerability that allows an attacker

to cause a denial-of-service (resource exhaustion) attack by using regular expressions









• Newwarningmessage for the configurational changes to extend-size (PTXSeries)—Starting with Junos OS Release 13.3R8, any operation on the systemconfiguration-databaseextend-sizeconfiguration statement suchas,deactivate,delete,

or set, generates the following warning message:

Change in 'system configuration-database extend-size' will be effective at next reboot

only.









Known Behavior

This sectioncontains theknownbehavior, systemmaximums, and limitations inhardware

and software in Junos OS Release 13.3R10 for the PTX Series.



IPv6

• Inconsistent IfMtuMIB value (PTXSeries)—The value of IfMtuMIB is inconsistent forthe logical interfaces with IPv6 address.

MPLS

• Removal of SRLG from the SRLG table only on the next reoptimization of the LSP(PTX Series)—If a SRLG is associated with a link used by an ingress LSP in the routerthen on deleting the SRLG configuration from that router, the SRLGgets removed from

theSRLGtableonlyon thenext reoptimizationof theLSP.Until then theoutputdisplays

Unknown-XXX instead of the SRLG name and a non-zero srlg-cost of that SRLG for

run showmpls srlg command.











Known Issues

This section lists theknown issues inhardwareandsoftware in JunosOSRelease 13.3R10.

The identifier following the description is the tracking number in the Juniper Networks

Problem Report (PR) tracking system.






General Routing

• CCG locks to cc-8k even when configured signal type is cc-8k-400, without

off-frequency PR895450

• CCG configuration change does not reprogram hardware automatically. PR896226

• Output ifIndex is being exported as 0.PR964745

• When request system halt is executed on a PTX Series router, the Routing Engine is

halted, but the PTX Series device does not display the Halt message on the

CRAFT-Interface confirming that the system has halted. PR971303

• On PTX Series routers with 1k ifls, when changing the speed from 10G to 1Gmultiple

times, the ping will not work because the serdes is not being in the correct state, and

the traffic forwarding is affected. As a workaround, restart the PIC.PR988663

• When the TL- chip encounters a KHTmemory parity error, the content of thememory

is not corrected.PR1001052

• In LDP tunneling over single hop RSVP-based LSP environment, after enabling

chained-composite-next-hop, the router might fail to create the chained composite

next hops if the label value of VPN is equal to the label value of LDP. PR1058146

• On PTX Series platforms, some non-fatal interrupts (for example, CM cache or AQD

interrupts) are logged as fatal interrupts. The following log messages are shown on

CMparity interrupt: fpc0TQCHIP0: CMparity Fatal interrupt,Interrupt status:0x10 fpc0

CMSNG: Fatal ASIC error, chip TQ fpc0 TQCHIP 0: CM cache parity Fatal interrupt has

occurred 181 time(s) in 180010msecs TQCHIP 0: CM cache parity Fatal interrupt has

occurred 181 time(s) in 180005msecsPR1089955

• OnPTXSeries platforms, if there are scaling configurations (for example, 5000 routes,

each with 64 ECMP paths configured) on a single interface and an L2 rewrite profile

is applied for the interface, the Flexible PIC Concentrator (FPC) might crash when

deactivating and then activating the CoS configuration of the interface. PR1096958


Known Issues










• On the

FPC-SFF-PTX-P1-A(PTX3000)FPC-SFF-PTX-T(PTX3000)FPC-PTX-P1-A(PTX5000),

and FPC2 -PTX-P1A(PTX5000), packet loss might be observed in an equal-cost

multipath (ECMP) or aggregated Ethernet (AE) scenario. This issue occurs in a race

condition: the unilist is created before Address Resolution Protocol (ARP) learns the

MAC addresses and then the selector table is corrupted. PR1120370

• In certain rare conditions the FPC virtual output queue (VOQ) wedges, resulting in

dropped packets on the ingress PFE Packet Forwarding Engine for the PTX Series

router. Because the wedge is unable to be reproduced, detection of wedge condition

is introduced that alarmwould be raised once the wedge condition is detected within

10 seconds. PR1127958


• On dual Routing Engine platforms, when adding the logical interfaces (IFLs) and

committing, the device control process (dcd) on the backup Routing Enginemight fail

to process the configuration and keep it in thememory. In some cases (not happening

all the time), it might be observed that thememory of the dcd keeps increasing on the

backup Routing Engine. PR1014098

• On PTX Series platforms "cfp_lh_update_1sec_pm_var received" messages are

periodically logged withWarning level. PR1089592

MPLS

• Currently configuration of both fast-reroute and link-protection/node-link-protection

on a single LSP is allowed. However, when you configure both types of protection on

the LSPs, it might cause scaling issues in your network. As a workaround, you should

restrict the configuration to either fast-reroute or link/node-link protection on per-LSP

basis. PR860960

• When an LSP is link-protected and has no-local-reversion configured, if the primary

link (link1) is down and LSP on bypass (link2), then another link (link3) is brought up,

before the LSP switch to link3. If link1 is enabled and link3 is disabled, the LSP will get

stuck in bypass LSP forever. This is a timing issue. PR1091774

• If LSP's bandwidth is modified to maximum possible value of the link bandwidth in

one commit, some of the LSPsmight be delayed to signal to the new bandwidth.

PR1125323










Routing Protocols

• In a multicast environment, when the rendezvous point (RP) is a first-hop router, and

it has Multicast Source Discovery Protocol (MSDP) peers, when the rpf interface on

the RP changed to an MSDP-facing interface, because the multicast traffic is still on

the old rpf interface, a multicast discard route will be installed and traffic loss will be

seen. PR1130238

VPNs

• For JunosOSRelease 13.3R4, traffic lossmight be seenon flapping theCE-PE interface

on thePTXSeries platform.However for JunosOSRelease 13.3R4.6 and later, no traffic

loss will be seen on flapping the access-facing interface. PR1026955









Resolved Issues

This section lists the issues fixed in the Junos OSmain release and themaintenance

releases. The identifier following the description is the tracking number in the Juniper

Networks Problem Report (PR) tracking system.











Resolved Issues





• In case of member links of an aggregated Ethernet (AE) interface scattering over

multiple Packet Forwarding Engines, if the FPCwheremember links of theAE interface

reside gets reset or the interface is disabled, theremight be adip in the output of SNMP

walk on the AE-related queue MIB (such as jnxCosQstatTxedPkts). This behavior is

intermittent.PR1122343

General Routing

• The rpd process crashmight crash because of a timing issue that occurs after Routing

Engine switchover in configurations with LDP P2MP and nonstop-routing (NSR) is

enabled. PR956258

• OnPTXSeriesplatforms,when the firewall filter is configuredon the loopback interface

of the device, because of bad error handling orNULLpointer, all the FPCs on the device

might continuously crash and be unstable. Because the issue is not reproducible, the

trigger of the issue is not clear. PR996749

• In the multicast network topology, whenmaking normal changes, such that paths are

added or deleted, the rpd leaks 8-bytes of memory per operation. The system logs

RLIMIT_DATAmessages similar to the following when thememory usage reaches

85%: kernel: Process (2634,rpd) has exceeded 85%of RLIMIT_DATA: used 3084524

KBMax 3145728 KBPR1144197







Infrastructure

• Whendeleting child link fromanaggregatedEthernet (AE)bundle, theoutput statistics

for the AE physical interface can return 0 from Packet Forwarding Engine and get

summed incorrectly afterward. The AE logical interface, however, has the correct

statistics, including the residual value from the removed child logical interface. Input

stats are displayed properly and unaffected by this bug. PR1098264


• When you configure one group with routing instances and apply this group under the

[routing-instances] hierarchy, the rpd process crashes after executing

"deactivating/activating routing-instances" commands. PR1109924

Routing Protocols






• ThisPRdoesoptimization inAESNMPhandling. If all the links inanAEbundlegodown,

then any COS SNMP query for this AE IFD/IFL will return cached values PR1140440

General Routing




• When a labeled BGP route resolves over a route with MPLS label (e.g. LDP/RSVP

routes), after clearing the LDP/RSVP routes, in the shortwindowbefore the LDP/RSVP

routes restore, if the BGP routes resolves over a direct route (e.g. a one-hop LSP), the

rpd process might crash. PR1063796

• Using the "write coredump" vty command on FPC causes crash after the core is

uploaded. Issue is not seen in 14.1, 14.2 and 15.1 due todesign change Inprevious version,

fixed in 13.3R9 and 13.2R9 PR1139370


Resolved Issues









• TheMIB counter or "showpfe statistics traffic" shows junk PPS and invalid total traffic

output counter. PR1084515

Routing Protocols

• Inmulticast environment, when theRP is FHR (first hop router) and it hasMSDPpeers,

when the rpf interface on RP changed to MSDP facing interface, due to the multicast

traffic is still on the old rpf interface, a multicast discard route will be installed and

traffic loss will be seen. PR1130238


• In certain conditions, when /var is notmounted fromapersistent filesystem, executing

a Junos upgrade will have unexpected results. This is caused by an inexact check of

whether it is running from an Emergency VAR. PR1112334

VPNs

• For Layer 2 circuit, PTX3000 uses different VCCV (Virtual Circuit Connectivity

Verification) BFD control packet format from that of MX and the other PTX Series

platforms. PTX3000 negotiates Router-alert control channel type, and uses PW

Associated Channel Header of Channel Type : 0x0021. However, MX and the other

PTXplatforms use theChannel Type is 0x0007without IP/UDPheaders. JUNOS takes

the Channel-type 0x0007 as default. MX and the other PTX Series platforms work as

expected. This is PTX3000 specific issue. PR1116356




General Routing

• FFP is a generic process that shall be called during commit process, and FFP calls the

PDB initializationaspartof itsprocess.On thePDB-unsupportedplatforms(MXSeries,

EX9200, M10i, M120, M320 is PDB-supported), when committing configuration, some

error messages will be seen. PR1103035


• During subscriber login/logout thebelowerror logmightoccuron thedeviceconfigured

with GRES/NSR. /kernel: if_process_obj_index: Zero length TLV! /kernel: if_pfe: Zero

length TLV (pp0.1073751222) PR1058958

• After removing a child link from AE bundle, in the output of "show interface <AE>

detail", the packets count on the remaining child link spikes, then if add back the

previous child link, the count recover to normal. PR1091425














• In PTXSeries Carrier-Grade Service Engine (CSE) jflow solution environment, because

the sampling process (sampled) may get into a continuous loop when handling

asynchronous event (for example, aggregated tethered services interface flapping, or

route update, or IFL/IFD update), the sampledmay never come out of that loopwhich

may result in high CPU usage (up to 90% sometimes). Because, sampled is not able

to consumeany states (such as route updates, interface updates) generatedby kernel,

this results in memory exhaustion and finally results in the router not making any

updates and forcing a router reboot. PR1092684

General Routing

• OnPTXSeries routers, the interrupt-drivenbasis linkdowndetection(an interrupt-driven

link-down notification is generated to trigger locally attached systems to declare the

interface down within a fewmilliseconds of failure) may fail after performing unified

iIn-service softwareupgrade (ISSU).The interruptmightgetpreventedafterperforming

unified ISSU due to disabling the interrupt registers before unified ISSU, but never

restored after. PR1059098







General Routing

• On PTX Series routers with MPLS environment (30k transit LSP), large number of

MPLS interfaces (in this case, 200 interfaces) are configured with 0 or 1 MPLS labels.

When these interfaces flap, the FPC kernel memory usagemight leak. PR995893

• The problem is seen in PTX Series routers where the composite nexthops are not

observed, for agivenVPNmpls routeandhence the show routeoutput commandgives

a truncated value which results in script failure. This may be due to default disabled

l3vpn-cnh in case of transit l3vpn router on PTX Series platform. If Resync blob is not

set, RPDwill create indirect nexthop for transit route on PE-PE connection network on

PTX. If Resyncblob is set, RPDwill create composite nexthop for transit routeonPE-PE

connection network on PTX Series. Using composite nexthop (cnh) can help scaled

network. However, either indirect (inh) or composite nexthopswork properly in control

and forwarding planes. PR1007311

• OnPTX5000, thepacketdrop isobservedalongwith theparity error read from l3bnd_ht

entry corresponding to certain addresses. With this SRAM parity error, ASIC will


Resolved Issues





unconditionally drop the packet even PTX does not use l3bnd_ht during lookup. The

parity check for l3bnd_ht lookup forPTX5000will bedisabled toavoid theSRAMparity

error and packet drop as a workaround. We also add new logmessage to report the

counter valuechange for slu.hw_err trapcount -TL[<num>]:SLUhwerror count<xxx>

(prev count <yyy>). PR1012513

• LACPonAE interfaces currently does not support unified ISSUonPTXSeries platform.

Awarningmessage ispresentedbeforeperformingunified ISSU if LACP is soconfigured;,

then the user can discontinue the unified ISSU process. PR1018233

• When there is link/node protection/ECMP for RSVP/LDP transit or egress LSPs with

huge scaling and continuous flapping of LSPs like auto-bandwidth case, traffic might

get black-holed upon LSP re-optimizations. The issue would get triggered if the same

unilist list-id (unilist list-id is a unique id for unilist nexthop) is allocated for twodifferent

unilist forwarding topologies. This situation ariseswhen the unilist list-idwraps around

aftermax value of 65535. After thewraparound, if there is long living list-id (which can

bedue to somenode/link protected LSP that has not been re-optimized for long time),

the Packet Forwarding Engine assigns the same list-id during allocation (upon other

LSP re-optimizations) and this will trigger the issue as the new unilist will be directed

to incorrect interface. PR1043747

• OnPTXSeries platformwith one of the following protocols configuration, flapping the

protocols will trigger the Composite Next-hop change operation. In rare condition,

since it is not proper programmed, the FPCmight crash. This is a day-1 issue. - LDP -

MPLS - Point-to-multipoint LSP - RSVP - Static LSPs. PR1045794

• Fix for this PRwas not available at the time of 13.2R7 release time frame. Fix is avaiable

in 13.2R8. 1)Non revertive mode is configured in PTX5000where external clock is

connected to it. 2)Primary clock is set to gps-0-10mhz 3)Secondary clock is set to

fpc-0 4)Hencemaster clock will be locked to primary clock 5)When primary clock is

deleted, the master clock locked to secondary clock 6)Since non-revertive mode is

configured,whenprimary clock is addedback it shouldnot fall back toprimary, it should

stay in secondary. But here it is falling back to Primary clock. PR1052549

• When the port on 24x 10GE(LWO) SFP+ (which never went link up since the PIC is

onlined) is configured as CLI loopback, the ports will receive framing error during until

the interface gets physically linked up. (i.e. with real fiber instead of CLI loop). There

would be no problem in normal use. This is only seen in self-loopback testing with CLI

loopback. PR1057364


• When changing the speed from 10G to 1Gmultiple times, the ping will not work due to

the serdesnotbeing in the right state. A restart of thepic could fix this issue. PR988663

MPLS

• On P2MPMPLS LSP transit router with NSR enabled, when RSVP refresh reduction

feature is enabled and LSP link protection is configured on all interfaces, slight P2MP

traffic lossmight be seen after the graceful Routing Engine switchover (GRES) is done.

PR1023393











• In MPLS traffic engineering with link or node protection enabled, after adding Shared

Risk Link Group (SRLG) configuration, the bypass LSPmight ignore the constraint and

use a unexpected path. PR1034636


• In some rare conditions, setting up configuration access privileges using the

"allow-configuration-regexps" or "deny-configuration-regexps” statements will crash

the management daemon (mgd), which serves a central role in the user-interface

component of Junos OS. PR1029384

Routing Protocols

• After addingSharedRiskLinkGroup(SRLG)configurationonan interface, the interface

would be deleted from the TED database. If the interface is traversed by LSP optimal

path, in some cases, the re-optimization that occurs selects a sub-optimal path.

PR1035359

• With any single hop BFD session and MPLS OAM BFD session configured over same

interface, when the interface is disabled and enabled back immediately (e.g. a delay

of 10 sec between the two commit check in), the single hop BFD session might get

stuck into Init-Init state due to Down packet is received from other end for MPLS BFD

session on the same interface might get demultiplexed to single hop BFD session

wrongly. PR1039149








General Routing

• When large number of IGMP join packets trying to reach router, some IGMP packets

may get dropped. PR1007057

• PCS statistics counter is now displayed for PTX 100GE interfaces in the following

command: cli > monitor interface <intf> PR1030819

Infrastructure

• SNMP socket sequence error log. PR986613


• Interface statistic information is wrong for IPV6. This is expected behavior because

ipv6 transit stat is not supported yet. PR965360


Resolved Issues









• On PTX Series platform, CFP-100G-LR4 and CFP2-100G-LR4 optics report incorrect

"Laser output power" values on all four lanes in cli > show interface diagnostics optics

<intf>. PR1021541

Layer 2 Features

• The PTX Series router is not supposed to generate pause frames even if it gets

congestion. The behavior is to drop aggressively if it ever runs out of queuing memory.

PR968803

MPLS

• When a PTX Series router is at the merge-point (MP) of a bypass LSP, if MPLS

explicit-null has been enabled on the router, and the loopback interface has not been

configured under protocol RSVP, the bypass LSPmight not work correctly. PR1012221

• On P2MPMPLS LSP transit router with NSR enabled, when RSVP refresh reduction

feature is enabled and LSP link protection is configured on all interfaces, slight P2MP

traffic lossmight be seen after the graceful Routing Engine switchover (GRES) is done.

PR1023393

Routing Protocols

• Establish two BFD sessions between two routers, one is single-hop BFD for directly

connected interface and the other is multi-hop MPLS OAM BFD. If configuring the

MPLS OAM on the same interface with single-hop BFD, when bringing downMPLS

OAM from the ingress, it might result in the OAM BFD session deleted on ingress but

it still receivingOAMBFDdownpacket fromegress. Since there is no sessionmatching

this BFD packet, it does a normal look up and brings down the single-hop BFD session

which is on the same interface. PR1021287






General Routing

• On PTX Series routers with AE interface, when the PTX is in ingress node for P2MP

LSP, the double traffic rate might be seen. PR987005

• When a large number of IGMP join packets try to reach the router, some IGMP packets

might get dropped. PR1007057










MPLS

• On PTX Series platformworking as LSP ingress router, the MPLS auto-bandwidth

feature might cause FPC to wedge condition with all interfaces down. PR1005339


• This PR fixes the issue where output ifIndex was being exported as 0. Unless there is

a critical business need, we do not plan to backport the fix to releases earlier than 14.1.

PR964745

Routing Protocols

• ForbidirectionalPIM, the showmulticaststatistics commanddoesnotdisplay the input

counters. This is because a bidirectional route associates with multiple incoming

interfaces (iif's). The statistics are collectedpermroute, and thepacket for bidirectional

groups might come in from any of the iif's. There is no way to impose the incoming

traffic of the route to one of the iif's. PIM-SM, on the other hand, has only one iif per

mroute, and hence the incoming counters are displayed for all PIM-SM routes.

PR865694


• Authentication and Access Control on page 273






• VLAN Infrastructure on page 274


• "delete" or "deactivate" of apply-group defining the entire TACACS or RADIUS

configuration configured under [edit system apply-group <>] does not take affect on

commit. This could lead to TACACS or RADIUS based authentication to still continue

working despite removal (delete/deactivate) of configuration. PR992837

General Routing


937774 is rebooted. This problemwill not be observed during the upgrade to this Junos

OS install. It occurs late enough in the shutdown procedure that it shouldn't interfere

with normal operation. PR956691

• On PTX Series platform, performing Routing Engine switchover might cause flabel

(fabric token) tobeoutof syncbetween themasterRoutingEngineandbackupRouting

Engine, which results in FPC crash. PR981202


Resolved Issues









• Sometimes cosd generates a corefile when add/delete a child interface on the LAG

bundle. PR961119

• SFP+-10G-ZR (part number = 740-052562) is not fully supported on

P1-PTX-24-10G-W-SFPP pic. Inserting the optic on P1-PTX-24-10G-W-SFPP pic can

cause FPC core on the pic. PR974783

IPv6

• On PTX Series platform, when receiving high rate ipv4/ipv6/mpls packets with TTL

equals 1, the ICMP TTL expired messages are sent back to the sender not according

with the ICMP rate limit settings. PR893129

• PTX Series drops packets containing same source and destination IP due to LAND

attack check. PR934364

MPLS

• In rare scenarios, the routing protocol process can fail to read themesh-group

information from the kernel, which might result in the VPLS connections for that

routing-instance to stay in MI (Mesh-Group ID not available) state. The workaround is

to deactivate/activate the routing-instance. PR892593

• MPLS traceroute does not work with logical router. PR965883

• When issue "traceroutempls rsvp lsp-name" from theMPLS LSP ingress node, if there

are PTX Series routers on the LSP path, PTX Series would not list correct downstream

router's IP in the TLV of the response packet. PR966986


• On PTX Series platform, when a firewall filter hasmany terms, all the termsmight not

work correctly due to incorrect order of terms due to mis-programming. PR973545

VLAN Infrastructure

• Commits less than 3minutes apart with per-vlan-queuing configuration should be

avoided, as this might lead to interrupts or undesirable side-effects. PR897601


• Chassis Cluster on page 275

• Dynamic Host Configuration Protocol (DHCP) on page 275




















Chassis Cluster

• When only one end of an AE link sees LACP timeouts or there is intermittent LACP loss

on the AE link, it does not result in AE flap. PR908059


• DHCP relay feature doesn't work on PTX3000. PR864601

General Routing

• On PTX Series Packet Transport Routers, we support only 48k longest prefix match

(LPM) routes. If the limit of 48,000 longest prefix match (LPM) routes is exceeded,

the kernel routing table (KRT) queue can be stuck with the error "Longest Prefix

Match(LPM) route limit is exceeded." PR801271

• RPDon thebackupRoutingEnginemight crashwhen it receives amalformedmessage

from themaster. This can occur at high scale with nonstop active routing enabled

when a large flood of updates are being sent to the backup. There is no workaround

to avoid the problem, but it is rare and backup RPDwill restart and the systemwill

recover without intervention. PR830057

• While performing GRES, the following error message appears: Feb 24 21:23:57 striker1

license-check[1555]: LIBJNX_REPLICATE_RCP_ERROR: rcp -T

re0:/config/license_revoked.db /config/license_revoked.db.new : rcp:

/config/license_revoked.db: No such file or directory This error is seen when no license

is revoked on themaster Routing Engine. It is safe to ignore as it will not affect any

licensing functionality. PR859151


• Interrupt storm happened when press craft button with "craft-lockout". PR870410

• On the PTX Series, while deactivating or activating a firewall filter that has tcp-flags

in the match condition on a loopback interface (e.g. lo0.0), memory corruption could

occur when the filter configuration is pushed to the Packet Forwarding Engine, or is

removed fromthePacketForwardingEngine, causingall theFPCs tocrashandgenerate

core files. The following is logged by the FPCs a few seconds prior to the failure:

fpc1dfw_match_branch_db_destroy:77filter index 1, dfw0x20bb2a90,match_branch_dbnot empty on filter delete

fpc2dfw_match_branch_db_destroy:77filter index 1,dfw0x205a6340,match_branch_dbnot empty on filter delete

fpc0dfw_match_branch_db_destroy:77filter index 1,dfw0x20471c38,match_branch_dbnot empty on filter delete

PR874512

• FPC crash can be triggered by a SBE event after accessing a protectedmemory region,

as indicated in the following log: "System Exception: Illegal data access to protected

memory!" The DDRmemory monitors SBEs and reports the errors as they are

encountered. After the syslog indicates a corrupted address, the scrubbing logic tries


Resolved Issues








to scrub that location by reading and flushing out 32-byte cache line containing that

location inanattempt toupdate thatmemory locationwithcorrectdata. If thatmemory

location is read-only, it causes illegal access toprotectedmemoryexceptionas reported

and resets the FPC. The above-mentioned scrubbing logic is not needed because even

if SBE is detected, the data is already corrected by the DDR and CPU has a good copy

of the data to continue its execution path. PR919681

• 100GE interfaces on the PTX Series do not display PCS BIP-8 error counters when

queried from the FPC command showmtip-cgpcs <> errors. PR920439

• USB install failed with 13.3B1-PS.1. PR931231

Layer 2 Features

• In some configurations, the MAC address of an AE bundle would fail to be copied to

its child interfaces. This causes thedestinationMACaddress filter check to fail on those

child interfaces, thus preventing ARP resolution and in turn causing the failure in

establishing new egress LSPs.

The workarounds are identified as the following:

• Issuing "commit full" on the router, or

• Adding AE configuration and child interface configuration as two separate commits:

a. Add AE interface configuration, without adding child interface configuration.

b. Commit.

c. Add the child interface configuration (et interface configurations) for the AE

interface.

d. Commit.

PR901744

MPLS

• In an RSVP P2MP crossover/pass-through scenario, more than one sub-LSP can use

the same PHOP and NHOP. If link protection is enabled in the above-mentioned

scenario,whena 'primary linkup' event is immediately followedbyaPathTearmessage,

disassociation of the routes/nexthops are sequential in nature. When the

routes/nexthops disassociation is in progress, if a sub-LSP receives a path tear/PSB

delete will lead to this core file. PR739375

• When a PTX Series router is a penultimate hop of one P2MP LSP branch and acts as

a transit LSR on another branch for the same P2MP LSP, the MPLS packets going out

from the penultimate hop branchmight be tagged with an incorrect Ethertype field.

PR867246

• RPD (routing-protocol process) generates a core file on receipt of an RESVmessage

with an unexpected next-hop address. To avoid the crash, drop the RESVmessage









with a different next-hop IP address, and then the LSP will time out due to lack of

refresh by the RESVmessage and the session is reset. PR887734

• Changing thepreference onan LSPwas considered a catastrophic event, tearing down

the current path and then re-establishing a new one. This PRmakes the preference

changeminor and only needs a new path to be re-signalled in a make-before-break

manner. PR897182

Multicast

• Starting in JunosOSRelease 13.2, PTXSeries routers accept traffic from remote sources

to enable the remote source to be learned and advertised by MSDP so that receivers

in other MSDP areas can join the source. To configure this feature, use the

accept-remote-source configuration statement at the [edit protocols pim interface

interface-name] hierarchy level.

NOTE: On PTX Series routers requiring tunnel services, the PIMaccept-remote-source configuration statement is not supported.

PR891500


• "PowerSupply failure", "PowerSupplyRemoved"or "Fan/BlowerRemoved"messages

and SNMP trap hourly occur. PR860223

• Changing the domain-namedoesn't reflect in DNSquery unless a Commit full is done.

Thisbug inmanagementdaemon(mgd)hasbeen resolvedbyensuringmgdpropagates

the new domain-name to file /var/etc/resolv.conf, so that this can be used for future

DNS queries. PR918552


• BothRoutingEnginesmight crashwhenperforminggracefulRoutingEngine switchover

(GRES)or unified in-service software upgrade (ISSU). The root causeof thepanic here

is the addresses used for internal communication are not taken from the new logical

interfaces in such scenarios. PR851086

• In this case, since the overall package (jinstall) is signed, the underlying component

packagesarenot required tobesignedexplicitly.However the infrastructurewaswritten

in such a way to display a warning message if the component package is not signed.

PR932974


• Processing of a neighbor advertisement can get into an infinite loop in the kernel, given

a special set of events with regard to the Neighbor cache entry state and the incoming

neighbor advertisement. PR756656





Resolved Issues
















This section lists the errata and changes in Junos OSRelease 13.3R10 documentation for

the PTX Series.

• Network Management Administration Guide for Routing Devices on page 278

• VPWS Feature Guide for Routing Devices on page 278

NetworkManagement Administration Guide for Routing Devices

• The syntax of the filter-interfaces statement in the “SNMP Configuration Statement”

section is incorrect. The correct syntax is as follows:

filter-interfaces {all-internal-interfaces;interfaces interface-names{interface 1;interface 2;

}}

[See filter-interfaces.]

VPWS Feature Guide for Routing Devices

• In JunosOSRelease 13.3, the Layer 2Circuits FeatureGuide for RoutingDeviceshasbeen

renamed VPWS Feature Guide for Routing Devices. VPWS content has been added to

this guide, and has been removed from the VPLS Feature Guide for Routing Devices.











http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/filter-interfaces-edit-snmp.html


This sectioncontains theprocedure toupgrade JunosOS,and theupgradeanddowngrade

policies for Junos OS for the PTX Series. Upgrading or downgrading Junos OS can take

several hours, depending on the size and configuration of the network.

• Upgrading Using Unified ISSU on page 279

• Upgrading a Router with Redundant Routing Engines on page 279

• Basic Procedure for Upgrading to Release 13.3 on page 279

Upgrading Using Unified ISSU

Unified in-service softwareupgrade (ISSU)enables you toupgradebetween twodifferent

Junos OS releases with no disruption on the control plane and with minimal disruption

of traffic. Unified in-service software upgrade is only supported by dual Routing Engine

platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active

routing (NSR)must be enabled. For additional information about using unified in-service

software upgrade, see the High Availability Feature Guide for Routing Devices.

Upgrading a Router with Redundant Routing Engines

If the router has two Routing Engines, perform a Junos OS installation on each Routing

Engine separately to avoid disrupting network operation as follows:


and save the configuration change to both Routing Engines.

2. Install the new Junos OS release on the backup Routing Engine while keeping the

currently running software version on themaster Routing Engine.

3. After making sure that the new software version is running correctly on the backup

RoutingEngine, switchover to thebackupRoutingEngine toactivate thenewsoftware.

4. Install the new software on the original master Routing Engine that is now active as

the backup Routing Engine.

For the detailed procedure, see the Installation and Upgrade Guide.

Basic Procedure for Upgrading to Release 13.3

When upgrading or downgrading Junos OS, use the jinstall package. For information

about the contents of the jinstall package and details of the installation process, see the

Installation and Upgrade Guide. Use other packages, such as the jbundle package, only

when so instructed by a Juniper Networks support representative.

NOTE: Backupthe file systemandthecurrentlyactive JunosOSconfigurationbefore upgrading Junos OS. This allows you to recover to a known, stableenvironment if the upgrade is unsuccessful. Issue the following command:

user@host> request system snapshot



http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/config-guide-high-availability/high-availability.html



NOTE: The installation process rebuilds the file system and completelyreinstalls Junos OS. Configuration information from the previous softwareinstallation is retained, but the contents of log files might be erased. Storedfiles on the router, suchas configuration templatesandshell scripts (theonlyexceptions are the juniper.conf and ssh files),might be removed. To preservethe stored files, copy them to another system before upgrading ordowngrading the routing platform. For more information, see the Junos OS

Administration Library for Routing Devices.





NOTE: We recommend that you upgrade all software packages out of bandusing the console because in-band connections are lost during the upgradeprocess.

Thedownloadand installationprocess for JunosOSRelease 13.3 isdifferent fromprevious

Junos OS releases.

1. Using aWeb browser, navigate to the All Junos Platforms software download URLon the Juniper Networks webpage:


2. Select thenameof the JunosOSplatformfor thesoftware that youwant todownload.

3. Select the release number (the number of the software version that you want to

download) from the Release drop-down list to the right of the Download Softwarepage.

4. Select the Software tab.

5. In the Install Package section of the Software tab, select the software package forthe release.

6. Log in to the Juniper Networks authentication system using the username (generally

your e-mail address) and password supplied by Juniper Networks representatives.

7. Review and accept the End User License Agreement.

8. Download the software to a local host.

9. Copy the software to the routing platform or to your internal software distribution

site.

10. Install the new jinstall package on the router.

NOTE: After you install a Junos OS Release 13.3 jinstall package, youcannot issue the request system software rollback command to return tothe previously installed software. Instead youmust issue the requestsystem software add validate command and specify the jinstall packagethat corresponds to the previously installed software.




a different release. Adding the reboot command reboots the router after the upgrade

is validated and installed. When the reboot is complete, the router displays the login

prompt. The loading process can take 5 to 10minutes. Rebooting occurs only if the

upgrade is successful.

Customers in the United States and Canada, use the following command:

user@host> request system software add validate rebootsource/jinstall-13.3R91-domestic-signed.tgz




All other customers, use the following command:

user@host> request system software add validate rebootsource/jinstall-13.3R91-export-signed.tgz

Replace the sourcewith one of the following values:

• /pathname—For a software package that is installed from a local directory on the

router.

• For software packages that are downloaded and installed from a remote location:

• ftp://hostname/pathname

• http://hostname/pathname

• scp://hostname/pathname (available only for Canada and U.S. version)




a different release.

Adding the reboot command reboots the router after the upgrade is validated and

installed. When the reboot is complete, the router displays the login prompt. The

loading process can take 5 to 10minutes.

Rebooting occurs only if the upgrade is successful.

NOTE: After you install a Junos OS Release 13.3 jinstall package, you cannot

issue the requestsystemsoftwarerollbackcommandto return to thepreviously

installed software. Instead youmust issue the request system software add

validate command and specify the jinstall package that corresponds to the

previously installed software.















special compatibility guidelineswith the release, see theHardwareGuideand the Interface

Module Reference for the product.

Todetermine the features supportedonPTXSeriesdevices in this release, use the Juniper

Networks Feature Explorer, a Web-based application that helps you to explore and

compare Junos OS feature information to find the right software release and hardware

platform for your network. Find Feature Explorer at:













Third-Party Components

This product includes third-party components. To obtain a complete list of third-party

components, see Copyright and Trademark Information.

For a list of open source attributes for this Junos OS release, seeOpen Source: Source

Files and Attributions.

FindingMore Information

For the latest, most complete information about known and resolved issues with Junos

OS, see the Juniper Networks Problem Report Search application at:

http://prsearch.juniper.net .

Juniper Networks Feature Explorer is aWeb-based application that helps you to explore

and compare Junos OS feature information to find the correct software release and

hardware platform for your network. Find Feature Explorer at:

http://pathfinder.juniper.net/feature-explorer/.

Juniper Networks Content Explorer is aWeb-based application that helps you explore

Juniper Networks technical documentation by product, task, and software release, and

download documentation in PDF format. Find Content Explorer at:

http://www.juniper.net/techpubs/content-applications/content-explorer/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation. You can send your comments to

[email protected], or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include

the following information with your comments:

• Document or topic name

• URL or page number

• Software release version (if applicable)

Requesting Technical Support

Technical product support is available through the JuniperNetworksTechnicalAssistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need postsales technical support, you can access

our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/customers/support/downloads/710059.pdf .



http://www.juniper.net/techpubs/en_US/junos13.3/information-products/pathway-pages/system-basics/system-management-initial-configuration.pdf

http://www.juniper.net/support/downloads/opensource/junos/os.html

http://www.juniper.net/support/downloads/opensource/junos/os.html



http://www.juniper.net/techpubs/content-applications/content-explorer/

mailto:[email protected]?subject=

https://www.juniper.net/cgi-bin/docbugreport/

http://www.juniper.net/customers/support/downloads/710059.pdf

• Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/.

• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides youwith the

following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:

http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

Toverify serviceentitlementbyproduct serial number, useourSerialNumberEntitlement

(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Casewith JTAC

You can open a case with JTAC on theWeb or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html .

If you are reporting a hardware or software problem, issue the following command from

the CLI before contacting support:

user@host> request support information | save filename

To provide a core file to Juniper Networks for analysis, compress the file with the gzip

utility, rename the file to include your company name, and copy it to

ftp.juniper.net/pub/incoming. Then send the filename, along with software version

information (the output of the show version command) and the configuration, to

[email protected]. For documentation issues, fill out the bug report form located at

https://www.juniper.net/cgi-bin/docbugreport/.



http://www.juniper.net/support/warranty/

http://www.juniper.net/customers/support/

http://www2.juniper.net/kb/

http://www.juniper.net/techpubs/

http://kb.juniper.net/

http://www.juniper.net/customers/csc/software/

http://kb.juniper.net/InfoCenter/

http://www.juniper.net/company/communities/

http://www.juniper.net/cm/

https://tools.juniper.net/SerialNumberEntitlementSearch/

http://www.juniper.net/cm/

http://www.juniper.net/support/requesting-support.html

http://www.juniper.net/support/requesting-support.html

mailto:[email protected]?subject=

https://www.juniper.net/cgi-bin/docbugreport/

Revision History

24 January 2017—Revision 3, Junos OS Release 13.3R10– EX Series, M Series, MX Series,

PTX Series, and T Series.





4 August 2016—Revision 5, Junos OS Release 13.3R9– EX Series, M Series, MX Series,


5 May 2016—Revision 4, Junos OS Release 13.3R9– EX Series, M Series, MX Series, PTX

Series, and T Series.

17 March 2016—Revision 3, Junos OS Release 13.3R9– EX Series, M Series, MX Series,




3 March 2016—Revision 1, Junos OS Release 13.3R9– EX Series, M Series, MX Series, PTX


19November 2015—Revision 3, JunosOSRelease 13.3R8–EXSeries,MSeries,MXSeries,


11 November 2015—Revision 2, Junos OSRelease 13.3R8– EX Series, M Series, MX Series,


5 November 2015—Revision 1, Junos OS Release 13.3R8– EX Series, M Series, MX Series,


10September2015—Revision6, JunosOSRelease 13.3R7–EXSeries,MSeries,MXSeries,








30 July 2015—Revision 2, Junos OS Release 13.3R7– EX Series, M Series, MX Series, PTX








16 April 2015—Revision 3, Junos OS Release 13.3R6– EX Series, M Series, MX Series, PTX










29December 2014—Revision 1, JunosOSRelease 13.3R5–EXSeries,MSeries,MXSeries,


7 October 2014—Revision 3, Junos OS Release 13.3R4– EX Series, M Series, MX Series,


30September2014—Revision2, JunosOSRelease 13.3R4–EXSeries,MSeries,MXSeries,


23September2014—Revision 1, JunosOSRelease 13.3R4–EXSeries,MSeries,MXSeries,
















26 June 2014—Revision 6, Junos OS Release 13.3R2– EX Series, M Series, MX Series, PTX




29May 2014—Revision 5, Junos OS Release 13.3R2– EX Series, M Series, MX Series, PTX












27 February 2014—Revision 4, Junos OS Release 13.3R1– EX Series, M Series, MX Series,


6 February 2014—Revision 3, Junos OS Release 13.3R1– EX Series, M Series, MX Series,






Copyright © 2017, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.



Release Notes: Junos® OS Release 13.3R9 for the EX Series, M ...

Documents

Transcript of Release Notes: Junos® OS Release 13.3R9 for the EX Series, M ...