® Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 20 September 2016 Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Junos OS Release Notes for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Bridging and Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Open vSwitch Database Management Protocol (OVSDB) . . . . . . . . . . . . 11 OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 VXLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Copyright © 2016, Juniper Networks, Inc. 1 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Open vSwitch Database (OVSDB) Management Protocol . . . . . . . . . . . 18 OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 VXLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Resolved Issues: Release 14.2R7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Resolved Issues: Release 14.2R6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Resolved Issues: Release 14.2R5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Resolved Issues: Release 14.2R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Resolved Issues: Release 14.2R3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Resolved Issues: Release 14.2R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . . 28 Upgrade and Downgrade Support Policy for Junos OS Releases . . . . . . 28 Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Software Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Junos OS Release Notes for Junos Fusion Provider Edge . . . . . . . . . . . . . . . . . . . . 31 New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Junos Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Layer 2 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Layer 3 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Multicast Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Junos Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Junos Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Junos Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Satellite Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Resolved Issues: Release 14.2R7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Resolved Issues: Release 14.2R6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Resolved Issues: Release 14.2R5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Resolved Issues: Release 14.2R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Resolved Issues: Release 1.0R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Resolved Issues: Release 1.0R3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Resolved Issues: Release 1.0R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 2 Copyright © 2016, Juniper Networks, Inc. Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . . 49 Basic Procedure for Upgrading an Aggregation Device . . . . . . . . . . . . . . 50 Upgrading an Aggregation Device with Redundant Routing Engines . . . 52 Preparing the Switch for Satellite Device Conversion . . . . . . . . . . . . . . . 53 Autoconverting a Switch into a Satellite Device . . . . . . . . . . . . . . . . . . . . 54 Manually Converting a Switch into a Satellite Device . . . . . . . . . . . . . . . 56 Configuring a Switch into a Satellite Device Before Connecting It to a Junos Fusion Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Configuring Satellite Device Upgrade Groups . . . . . . . . . . . . . . . . . . . . . 59 Converting a Satellite Device to a Standalone Device . . . . . . . . . . . . . . . 60 Upgrade and Downgrade Support Policy for Junos OS Releases . . . . . . 62 Downgrading from Release 14.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers . . . . . . . . . . . . . . . . . . . . 65 New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Authentication, Authorization and Accounting (AAA) (RADIUS) . . . . . . 67 Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Junos Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Layer 2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Layer 2 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Operation, Administration, and Maintenance (OAM) . . . . . . . . . . . . . . . 87 Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Software-Defined Networking (SDN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Subscriber Management and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Layer 2 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Copyright © 2016, Juniper Networks, Inc. 3 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 108 IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Layer 2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Subscriber Management and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Software-Defined Networking (SDN) . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Subscriber Management and Services . . . . . . . . . . . . . . . . . . . . . . . . . . 120 System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 VPNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Forwarding and Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Layer 2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Layer 2 Ethernet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Subscriber Access Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Resolved Issues: 14.2R7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Resolved Issues: 14.2R6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Resolved Issues: 14.2R5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Resolved Issues: 14.2R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Resolved Issues: 14.2R3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216 Resolved Issues: 14.2R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 Adaptive Services Interfaces Feature Guide for Routing Devices . . . . . 242 Broadband Subscriber VLANs and Interfaces Feature Guide . . . . . . . . 243 High Availability Feature Guide for Routing Devices . . . . . . . . . . . . . . . 244 4 Copyright © 2016, Juniper Networks, Inc. Monitoring, Sampling, and Collection Services Interfaces Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 MPLS Applications Feature Guide for Routing Devices . . . . . . . . . . . . . 245 Overview for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 Routing Policies, Firewall Filters, and Traffic Policers Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Services Interfaces Configuration Guide . . . . . . . . . . . . . . . . . . . . . . . . . 246 Standards Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 Subscriber Access Protocols Feature Guide . . . . . . . . . . . . . . . . . . . . . . 246 Subscriber Management Access Network Guide . . . . . . . . . . . . . . . . . . 247 Subscriber Management Provisioning Guide . . . . . . . . . . . . . . . . . . . . . 248 Traffic Sampling, Forwarding, and Monitoring Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Tunnel and Encryption Services Interfaces Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 User Access and Authorization Feature Guide for Routing Devices . . . 249 VPNs Library for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . 250 Basic Procedure for Upgrading to Release 14.2 . . . . . . . . . . . . . . . . . . . 250 Upgrade and Downgrade Support Policy for Junos OS Releases . . . . . 253 Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 253 Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Upgrading the Software for a Routing Matrix . . . . . . . . . . . . . . . . . . . . . 255 Upgrading Using Unified ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Downgrading from Release 14.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 Changes Planned for Future Releases . . . . . . . . . . . . . . . . . . . . . . . . . . 258 Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Software Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Junos OS Release Notes for PTX Series Packet Transport Routers . . . . . . . . . . . 261 New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . 266 Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Copyright © 2016, Juniper Networks, Inc. 5 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . 269 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Resolved Issues: 14.2R7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Resolved Issues: 14.2R6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Resolved Issues: 14.2R5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Resolved Issues: 14.2R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Resolved Issues: 14.2R3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Resolved Issues: 14.2R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . 283 Upgrading Using Unified ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 283 Basic Procedure for Upgrading to Release 14.2 . . . . . . . . . . . . . . . . . . . 284 Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Third-Party Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Finding More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 6 Copyright © 2016, Juniper Networks, Inc. Introduction Introduction ® Junos OS runs on the following Juniper Networks hardware: ACX Series, EX Series, M Series, MX Series, PTX Series, QFabric systems, QFX Series, SRX Series, T Series, and Junos Fusion. These release notes accompany Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. They describe new and changed features, limitations, and known and resolved problems in the hardware and software. Junos OS Release Notes for EX Series Switches These release notes accompany Junos OS Release 14.2R7 for the EX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software. You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at http://www.juniper.net/techpubs/software/junos/. • New and Changed Features on page 7 • Changes in Behavior and Syntax on page 15 • Known Behavior on page 17 • Known Issues on page 20 • Resolved Issues on page 21 • Documentation Updates on page 27 • Migration, Upgrade, and Downgrade Instructions on page 28 • Product Compatibility on page 29 New and Changed Features This section describes the new features and enhancements to existing features in Junos OS Release 14.2R7 for the EX Series. NOTE: The following EX Series platforms are supported in Junos OS Release 14.2R7: EX9200. • Hardware • Authentication and Access Control • Bridging and Learning • Class of Service • Interfaces and Chassis • Management • Network Management and Monitoring • Open vSwitch Database Management Protocol (OVSDB) Copyright © 2016, Juniper Networks, Inc. 7 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • OpenFlow • Port Security • Routing Policy and Firewall Filters • Software Installation and Upgrade • User Interface and Configuration • VPNs • VXLAN Hardware • 8 New line cards for EX9200 switches—EX9200 switches support two new line cards. These line cards interoperate with all existing line cards for EX9200 switches: • EX9200-6QS—6 40-Gigabit Ethernet QSFP+ ports that support 40GBASE-LR4 and 40GBASE-SR4 transceivers and 24 10-Gigabit Ethernet SFP+ ports that support 10GBASE-SR, 10GBASE-LR, 10GBASE-ER, and 10GBASE-ZR transceivers. • EX9200-40F-M—40 MACsec-capable 1-Gigabit Ethernet SFP ports that support 1000BASE-T, 10/100/1000BASE-T, 100BASE-FX, 1000BASE-EX, 1000BASE-LH, 1000BASE-LX, and 1000BASE-SX transceivers. Copyright © 2016, Juniper Networks, Inc. New and Changed Features Authentication and Access Control • Access control (EX9200)—Starting with Junos OS Release 14.2, EX9200 switches support controlling access to your network by using several different authentication methods: 802.1X authentication, MAC RADIUS authentication, or captive portal. You now enable the authentication-whitelist statement at the [edit switching-options] hierarchy level instead of at the [edit ethernet-switching-options] hierarchy level. [See Access Control on EX9200 Switches]. Bridging and Learning • Support for PVLANs (EX9200)—Starting with Junos OS Release 14.2, EX9200 switches support private VLANs. Private VLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting communication between known hosts. Private VLANs help ensure the security of service providers sharing a server farm, or to provide security to subscribers of various service providers sharing a common metropolitan area network. NOTE: An interface can belong to only one private VLAN domain. [See Understanding Private VLANs on EX Series Switches.] Class of Service • Layer 2 class of service (CoS) support (EX9200)—Starting with Junos OS Release 14.2R1, EX9200 switches support the following Layer 2 CoS features: DSCP IPv4 and DSCP IPv6 rewrite on Layer 2 access and trunk ports, inet-precedence rewrite on Layer 2 access and trunk ports, IEEE 802.1p rewrite on access ports, and IEEE 802.1p classifiers on access ports. The rewrite feature enables you to change the code point bits of packets when they egress the switch. Classification groups packets into forwarding classes at the ingress interface, based on the IEEE 802.1p code point in the Ethernet frame header. (Classification can also use DSCP IPv4 or DSCP IPv6 code points. You can configure both an IEEE 802.1p classifier and a DSCP classifier on the same port.) You can configure the new Layer 2 CoS support features at the [edit class-of-service rewrite-rules] and the [edit class-of-service classifier] hierarchy levels. [See Rewriting Packet Header Information on EX9200 Switches and Classifying Packets by Behavior Aggregate on EX9200 Switches.] Copyright © 2016, Juniper Networks, Inc. 9 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Interfaces and Chassis • Configuration support to improve MC-LAG Layer 2 and Layer 3 convergence (EX9200)—Starting with Junos OS Release 14.2R3, you can configure multichassis link aggregation (MC-LAG) interfaces on EX9200 switches to improve Layer 2 and Layer 3 convergence times to subsecond values when an MC-AE link goes down or comes up in a VLAN. To use this feature, ensure that the interchassis link (ICL) is configured on an aggregated Ethernet interface. For Layer 2 convergence, configure the enhanced-convergence statement on an aggregated Ethernet interface at the [edit interfaces aex aggregated-ether-options mc-ae] hierarchy level. For Layer 3 convergence, configure the enhanced-convergence statement on an integrated routing and bridging (IRB) interface at the [edit interfaces irb unit unit-number] hierarchy level. Management • YANG module that defines the Junos OS configuration hierarchy (EX9200)—Starting with Junos OS Release 14.2, Juniper Networks provides a YANG module, which defines the Junos OS configuration hierarchy. You can download the YANG module that defines the complete Junos OS configuration hierarchy for all devices running a particular Junos OS release from the Juniper Networks website at http://www.juniper.net/. You can also generate a YANG module that defines the device-specific configuration hierarchy by using the show system schema module configuration format yang operational mode command on the local device. The Juniper Networks YANG module, configuration, is bound to the namespace URI http://yang.juniper.net/yang/1.1/jc and uses the prefix jc. [See Understanding YANG on Devices Running Junos OS.] Network Management and Monitoring • Enhancements to SNMP statistics operational mode commands (EX9200)—Starting with Junos OS Release 14.2, you can use the show snmp stats-response-statistics command to view information about SNMP statistics responses sent from the Packet Forwarding Engine during the MIB II process (mib2d). In addition, you can use the subagents option in the show snmp statistics command to view the statistics of the protocol data units (PDUs) and the number of SNMP requests and responses per subagent. You can also use the subagents option to view the SNMP statistics received from each subagent on each logical system. [See show snmp stats-response-time and show snmp statistics.] 10 Copyright © 2016, Juniper Networks, Inc. New and Changed Features Open vSwitch Database Management Protocol (OVSDB) • OVSDB support (EX9200)—Starting with Junos OS Release 14.2, the Junos OS implementation of the Open vSwitch Database (OVSDB) management protocol provides a means by which VMware NSX controllers and EX9200 switches that support OVSDB can communicate. In an NSX multi-hypervisor environment, NSX controllers and EX9200 switches can exchange control and statistical information, thereby enabling virtual machine (VM) traffic from entities in a virtual network to be forwarded to entities in a physical network and the reverse. [See Understanding the Open vSwitch Database Management Protocol Running on Juniper Networks Devices and “Product Compatibility” on page 29.] • OVSDB schema update (EX9200)—Starting with Junos OS Release 14.2R4, the OVSDB schema for physical devices version that is implemented on the EX9200 switch is version 1.3.0. In addition, the schema now supports the multicast MACs local table. [See Open vSwitch Database Schema For Physical Devices.] OpenFlow • Support for OpenFlow v1.3.1 (EX9200)—Starting with Junos OS Release 14.2, EX9200 switches support OpenFlow v1.3.1 in addition to the OpenFlow v1.0 functionality that is already supported on EX9200 switches. OpenFlow v1.3.1 enables the action specified in one or more flow entries to direct packets to a base action called a group. The purpose of the group action is to further process these packets and assign a more specific forwarding action to them. You can use the show openflow groups command to view groups that were added, modified, or deleted from the group table by the OpenFlow controller. You can view group statistics using the show openflow statistics groups command. [See Understanding How the OpenFlow Group Action Works.] Port Security • IPv6 access security (EX9200)—Starting with Junos OS Release 14.2, IPv6 access security, with the following features, is supported on EX9200 switches: DHCPv6 snooping, IPv6 neighbor discovery inspection, IPv6 source guard, and RA guard. DHCPv6 snooping enables a switch to process DHCPv6 messages between a client and a server and build a database of the IPv6 addresses assigned to the DHCPv6 clients. The switch can use this database, also known as the binding table, to stop malicious traffic. The EX9200 also supports DHCPv6 options to provide additional information in messages sent by the client to the server. This information can be used by the server to assign addresses and configuration parameters to the client. The following options are supported: Copyright © 2016, Juniper Networks, Inc. 11 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • Option 14, also known as Rapid Commit. When Rapid Commit is enabled, the DHCPv6 server and client use a two-message exchange (Solicit and Reply) to configure clients, rather than the default four-message exchange (Solicit, Advertise, Request, and Reply). • Option 16, also known as the Vendor-Class option, is used to transmit information about the vendor of the hardware on which the client is hosted. • Option 18, also known as the Interface-ID option, is used to transmit information about the port on which the DHCPv6 request was received from the client. • Option 37, also known as the Remote-ID option, is used to transmit information about the remote host. IPv6 neighbor discovery inspection analyzes neighbor discovery messages and Router Advertisement (RA) messages sent from IPv6 nodes on the same link, and verifies them against the DHCPv6 binding table. IPv6 source guard inspects all IPv6 traffic from the client and verifies the source IPv6 address and source MAC address against the entries in the DHCPv6 binding table. If no match is found, the traffic is dropped. You configure DHCPv6 snooping, DHCPv6 options, IPv6 neighbor discovery Inspection, and IPv6 source guard at the [edit vlans vlan-name forwarding-options dhcp-security] hierarchy level. [See Understanding Port Security.] • Unknown unicast forwarding (EX9200)—Unknown unicast traffic consists of unicast packets with unknown destination MAC addresses. By default, the switch floods these unicast packets that traverse a VLAN to all interfaces that are members of the VLAN. This type of traffic forwarding can create unnecessary traffic that leads to poor network performance or even a complete loss of network service. This is known as a traffic storm. To prevent a storm, you can disable the flooding of unknown unicast packets to all VLAN interfaces by configuring one VLAN or all VLANs to forward all unknown unicast traffic to a specific interface. This channels the unknown unicast traffic to a single interface. Configure unknown unicast forwarding at these hierarchy levels: • [edit vlans vlan-name forwarding-options flood input uuf-filter-name] • [edit forwarding-options next-hop-group next-hop-group-name group-type layer-2 interface interface-name] • [edit firewall family ethernet-switching filter uuf-filter-name term term-name from traffic-type unknown-unicast] • [edit firewall family ethernet-switching filter uuf-filter-name term term-name then next-hop-group next-hop-group-name] [See Understanding Unknown Unicast Forwarding.] 12 Copyright © 2016, Juniper Networks, Inc. New and Changed Features Routing Policy and Firewall Filters • Firewall filter match condition support (EX9200)—Starting with Junos OS Release 14.2R1, EX9200 switches support the following match conditions in a family-ethernet-switching filter for IPv6 traffic: destination-address, destination-prefix-list, source-address, source-prefix-list, icmp-type, icmp-code, next-header, source-port, destination-port, tcp-flags, tcp-initial, tcp-established, and traffic-class. You can configure these match conditions at the [edit firewall family ethernet-switching filter filter-name term term-name from] hierarchy level. [See Firewall Filters for EX9200 Switches.] • Support for firewall filter flexible match conditions (EX9200)—Starting with Junos OS Release 14.2R7, EX9200 switches support flexible match conditions under family ethernet-switching for firewall filters. Standard firewall filter match conditions vary based on the protocol family of the traffic being matched. The fields available for matching within each protocol family are fixed or predefined. This means that filters can match on patterns within those predefined fields only. Using flexible match conditions, you can construct flexible match filter terms that start the match at Layer 2, Layer 3, Layer 4, or payload locations. You can enable further pattern matches at user-defined custom locations within a packet by specifying additional offset criteria. Flexible match filter terms are applied to interfaces as either input or output filters just as any other firewall filter terms. Flexible match filter terms can also be created as templates at the [edit firewall] hierarchy level. These templates can then be referenced within a flexible match term. [See Firewall Filters Match Conditions.] Copyright © 2016, Juniper Networks, Inc. 13 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Software Installation and Upgrade • Support for unified-in-service software upgrade on 10-Gigabit Ethernet, 40-Gigabit Ethernet, and 100-Gigabit Ethernet line cards (EX9200)—Starting with Junos OS Release 14.2, unified-in-service software upgrade (unified ISSU) is supported on EX9200 switches on 10-Gigabit Ethernet, 40-Gigabit Ethernet, and 100-Gigabit Ethernet line cards. Unified ISSU is a process to upgrade Junos OS with minimal disruption of transit traffic and no disruption of the control plane. This process is for upgrading Junos OS from an earlier release to a later one. After the unified ISSU completes, the new upgrade works identically to one performed through a cold boot. Configure unified ISSU with the request system software in-service-upgrade command. [See Unified ISSU System Requirements.] User Interface and Configuration • Enhancement to reduce the time taken for performing system commit (EX9200)—Starting with Junos OS Release 14.2, you can configure the delta-export statement at the [edit system commit] hierarchy level to reduce the time taken to commit configuration changes. [See commit (system) and delta-export.] VPNs • EVPN (EX9200)—Starting with Junos OS Release 14.2, an Ethernet virtual private network (EVPN) is made up of a set of CE devices that are connected to PE devices or MPLS edge switches (MES) that make up the edge of the MPLS network. The CE devices can be routers or switches. The MESs provide Layer 2 virtual bridge connectivity between the CE devices. You can deploy multiple EVPNs in the provider's network. In an EVPN, learning between MESs takes place in the control plane by using BGP rather than in the data plane (as is the case with traditional bridging). EVPNs can be used to provide connectivity between data centers spanning metro area networks (MANs) and wide area networks (WANs). [See EVPN Overview for Switches.] 14 Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax VXLAN • VXLAN gateway support (EX9200)—Starting with Junos OS Release 14.2, EX9200 switches support Virtual Extensible LAN (VXLAN) gateways. Each VXLAN gateway supports the following functionalities: • 32,000 VXLANs (with one VXLAN per bridge domain) • 8000 virtual tunnel endpoints (VTEPs) • 32,000 multicast groups • Switching functionality with traditional Layer 2 networks and VPLS networks • Inter-VXLAN routing and VXLAN-only bridging • Virtual switches • Virtual routing instances • Configurable load balancing • Statistics for remote VTEPs [See Understanding VXLANs.] Related Documentation • Changes in Behavior and Syntax on page 15 • Known Behavior on page 17 • Known Issues on page 20 • Resolved Issues on page 21 • Documentation Updates on page 27 • Migration, Upgrade, and Downgrade Instructions on page 28 • Product Compatibility on page 29 Changes in Behavior and Syntax This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 14.2R7 for the EX Series. • Dynamic Host Configuration Protocol • Interfaces and Chassis • Network Management and Monitoring • Port Security • User Interface and Configuration Dynamic Host Configuration Protocol • DHCP clients can send packets without Option 255 (EX9200)—On EX Series switches, starting with Junos OS Release 14.2R2, you can override the default configuration of the DHCP local server and enable clients to send DHCP packets that do not include Copyright © 2016, Juniper Networks, Inc. 15 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Option 255 (end-of-options). The default behavior in Junos OS is to drop packets that do not include Option 255. To override that default behavior, configure the allow-no-end-options CLI statement under the [system services dhcp-local-server overrides] hierarchy level. • Format change for DHCP Option 18—On EX9200 switches with DHCP snooping configured, when the VLAN ID is appended to the prefix of DHCP option 18, it appears in decimal format instead of hexadecimal format. Interfaces and Chassis • Configuration statement to correct mismatches between MAC and ARP entries in MC-LAGs (EX9200)—Starting with Junos OS Release 13.2R4 but first documented in Release 14.2R6, the arp-l2-validate configuration statement is available as a workaround when network issues or conditions result in MAC and ARP entries going out of sync in an MC-LAG scenario. Configure the arp-l2-validate statement at the [edit interfaces irb] hierarchy level to recognize and correct mismatches between MAC and ARP entries related to the next-hop interface. You can remove the arp-l2-validate configuration when the network issues or conditions are resolved. Network Management and Monitoring • New system log message indicating the difference in the Packet Forwarding Engine counter value (EX9200)—Effective in Junos OS Release 14.2R2, if the counter value of a Packet Forwarding Engine is reported to be less than its previous value, then the residual counter value is added to the newly reported value only for that specific counter. In that case, the CLI shows the MIB2D_COUNTER_DECREASING system log message for that specific counter. Port Security • Enhanced output for show ethernet-switching interface extensive CLI command—Starting with Junos OS Release 14.2, the output of the show ethernet-switching interface extensive CLI command includes the fields VLAN members, TAG, and STP state. The Logical interface flags field now includes STCL, which indicates that the port is disabled because storm control is in effect, and MMAS, which indicates that the port is disabled because the MAC address move limit has been exceeded. User Interface and Configuration Related Documentation 16 • Changed destination file format for transfer-on-commit feature (EX9200)—Starting with Junos OS Release 14.2, the format of the destination filename for the transfer-on-commit feature is changed from router-name_juniper.conf.n.gz_YYYYMMDD_HHMMSS to router-name_YYYYMMDD_HHMMSS_juniper.conf.n.gz. • New and Changed Features on page 7 • Known Behavior on page 17 • Known Issues on page 20 Copyright © 2016, Juniper Networks, Inc. Known Behavior • Resolved Issues on page 21 • Documentation Updates on page 27 • Migration, Upgrade, and Downgrade Instructions on page 28 • Product Compatibility on page 29 Known Behavior This section lists known behavior, system maximums, and limitations in hardware and software in Junos OS Release 14.2R7 for the EX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • Authentication and Access Control • Infrastructure • Interfaces and Chassis • Network Management and Monitoring • Open vSwitch Database (OVSDB) Management Protocol • OpenFlow • Software Installation and Upgrade • VXLAN Authentication and Access Control • On EX9200 switches with 802.1X authentication enabled, if you associate an 802.1X-enabled interface in single-secure mode with a VLAN, when a client is authenticated on that VLAN and then is later authenticated on a dynamic VLAN (a guest VLAN or a VLAN assigned by a RADIUS server), the client might still be associated with the interface-associated VLAN and receive the broadcast and multicast traffic of that VLAN. PR955141 • On EX9200 switches, if you configure a firewall filter name (filter name plus term name plus counter name) that has more than 128 characters, 802.1X (dot1x) authentication might fail and cause the Network Processing Card (NPC) to crash. As a workaround, configure the filter name, term name, and counter name such that when the total length of those three names is added to the length of the interface name and the MAC address, the total length does not exceed 128 characters. PR1083132 • On EX9200 switches, the LLDP-MED bypass feature is not supported. PR1124537 Copyright © 2016, Juniper Networks, Inc. 17 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Infrastructure • On EX9200 switches, the value for the udpOutDatagrams object displayed in the output of the show snmp mib walk decimal udpOutDatagrams command is different from the value for the same object displayed in the output of the show system statistics udp member 0 command. The value for datagrams dropped due to no socket field is incorrectly used as the value for udpOutDatagrams in the show snmp mib walk decimal udpOutDatagrams output. As a workaround, use the show system statistics udp member 0 command. PR1104831 Interfaces and Chassis • On EX9200 switches, BFD on IRB interfaces flaps if BFD is configured for subsecond timers. PR844951 • On EX9200 switches, a transient loop might be seen when interfaces are brought up on an EVPN PE device or when a PE device having one of the ESIs comes up after reboot. PR1110285 • On EX9200 switches, traffic loss might occur for a few seconds (two through six seconds) on the active node of an MC-LAG when the ICCP (Inter-Chassis Control Protocol) goes down and then comes back. PR1107001 • On EX9200 switches, OSPF sessions between CE devices might flap when a PE device that provides EVPN multihoming is rebooted. PR1113013 • On EX9200 switches, with single-active EVPN, a loop might lead to an OSPF flap between CE devices when the BGP session between the PE devices that provide EVPN multihoming flaps. PR1113023 Network Management and Monitoring • On EX9200 switches, the interface index value is displayed as 0 on the sFlow collector. PR1083226 Open vSwitch Database (OVSDB) Management Protocol • The amount of time that it takes for Juniper Networks devices that function as hardware virtual tunnel endpoints (VTEPs) to learn a new MAC address after the first packet is sent from this MAC address is a maximum of 4.5 seconds. (The amount of time depends upon the server configuration that VMware NSX is running.) During this time, traffic destined for this MAC address floods the VXLAN. PR962945 • After the connections with NSX controllers are disabled on a Juniper Networks device, interfaces that were configured to be managed by OVSDB continue to transmit traffic. PR980577 • 18 If an entity with a particular MAC address is moved from one Juniper Networks device so that its traffic is handled by a different Juniper Networks device that functions as a hardware virtual tunnel endpoint (VTEP), this MAC address is not learned by entities served by the new hardware VTEP until the hardware VTEP that previously handled Copyright © 2016, Juniper Networks, Inc. Known Behavior its traffic ages out from the MAC address. During this transitional period, traffic destined for this MAC address is dropped. PR988270 OpenFlow • On EX9200 switches running OpenFlow v1.3.1, the output for the show openflow flows command displays IPv6-related fields. However, the Junos OS implementation of OpenFlow v1.3.1 for EX9200 switches does not support IPv6 specifications. Therefore, the output for these fields typically displays None. • On EX9200 switches running OpenFlow v1.3.1, topology discovery might fail when an LLDP packet-in message is sent to the controller at a traffic rate of 1 Mbps. PR897917 • On EX9200 switches, after a restart of the firewall filter daemon, an OpenFlow 1.3.1 packet might not be received on an interface. PR969520 • On EX9200 switches running OpenFlow v1.3.1, if OpenFlow is enabled when you query port information, the values for duration_nsec and duration_sec are always shown as 0. PR978321 • On EX9200 switches running OpenFlow v1.3.1, flow statistics show packet flow as increasing even when the output port link is down. PR987753 • On EX9200 switches running OpenFlow v1.3.1, ADPC line cards are not supported. Configure enhanced IP network services mode to disable ADPC line cards. PR988256 • On EX9200 switches running OpenFlow v1.3.1, EtherType 0x806 (ARP) and IPv4 address fields are not supported as match fields. PR990196 • On a hybrid interface on EX9200 switches running OpenFlow v1.3.1, OpenFlow traffic can exit only a logical interface that has the same VLAN-ID range as that of the ingress interface. PR865320 • On EX9200 switches running OpenFlow v1.3.1, a BGP session might flap while an OpenFlow interface is receiving line-rate traffic to which the default action packet-in is applied, as it has no matching rule. PR892310 Copyright © 2016, Juniper Networks, Inc. 19 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Software Installation and Upgrade • On EX9200 switches, if you issue a unified ISSU from Junos OS Release 13.2 or earlier to Junos OS Release 14.1 or later, approximately 20 seconds of traffic drop occurs for IPv6 protocols (for example, OSPFv6, BGPv6, or RIPv6) that are enabled on integrated routing and bridging (IRB) interfaces. The problem occurs because different link local addresses have been generated in the two releases for the same IRB logical units. As a workaround, configure different local IPv6 interfaces for different IRB logical units. PR1086775 VXLAN Related Documentation • On EX9200 switches, IGMP snooping does not work on virtual tunnel endpoint (VTEP) interfaces. PR989664 • New and Changed Features on page 7 • Changes in Behavior and Syntax on page 15 • Known Issues on page 20 • Resolved Issues on page 21 • Documentation Updates on page 27 • Migration, Upgrade, and Downgrade Instructions on page 28 • Product Compatibility on page 29 Known Issues This section lists the known issues in hardware and software in Junos OS Release 14.2R7 for the EX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • Authentication and Access Control • Interfaces and Chassis • Software Installation and Upgrade Authentication and Access Control • On EX9200 switches, dot1x authentication might fail, with a dot1xd core file created. PR1204104 Interfaces and Chassis • 20 On EX9200 FPCs with an XM chipset, an SRAM parity error might be logged during normal operation. This behavior is expected. You can ignore the error as long as you do not see large numbers of error messages. PR958661 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • On an EX9200-6QS line card, storm control might not work for multicast traffic. PR1191611 Software Installation and Upgrade • On EX9200 switches, all interfaces on 1-Gigabit line cards with copper SFPs might flap during a unified ISSU. The unused ports might flap as well. One or more interfaces might flap on a 10-Gigabit line card with 32 ports in an MC-LAG/LACP configuration. PR1007038 Related Documentation • On EX9200 switches, if you execute a unified ISSU from Junos OS Release 14.2R6 to Release 14.2R7, all Layer 2 and Layer 3 traffic might drop for about 7 seconds. PR1199270 • New and Changed Features on page 7 • Changes in Behavior and Syntax on page 15 • Known Behavior on page 17 • Resolved Issues on page 21 • Documentation Updates on page 27 • Migration, Upgrade, and Downgrade Instructions on page 28 • Product Compatibility on page 29 Resolved Issues This section lists the issues fixed in the 14.2 Junos OS main release and the maintenance releases. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • Resolved Issues: Release 14.2R7 on page 21 • Resolved Issues: Release 14.2R6 on page 22 • Resolved Issues: Release 14.2R5 on page 22 • Resolved Issues: Release 14.2R4 on page 23 • Resolved Issues: Release 14.2R3 on page 24 • Resolved Issues: Release 14.2R2 on page 26 Resolved Issues: Release 14.2R7 • Network Management and Monitoring • Platform and Infrastructure Network Management and Monitoring • On EX9200 switches, sFlow sampling might remain enabled after you delete an sFlow sample-rate configuration from an interface. PR1075789 Copyright © 2016, Juniper Networks, Inc. 21 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • On EX9200 switches, ingress sFlow samples of packets routed on an IRB interface might be dropped, and an error message similar to the following might be displayed for every drop: Sflow trinity_sflow_handle_packet, 145ifl 1245541 NULL. PR1147719 • On EX9200 switches, an sFlow flow sample with an incorrect Frame Length value in a raw packet header might be generated for frames larger than 128 bytes, because of which, traffic volume calculated based on Frame Length and Sampling rate values in the sFlow collector might be inaccurate. PR1152275 Platform and Infrastructure • On EX9200 switches, attempts by line cards to make unnecessary connections to the Routing Engine might continuously generate debugging-level log messages, which consume system resources. PR1113309 Resolved Issues: Release 14.2R6 • Authentication and Access Control • Interfaces and Chassis Authentication and Access Control • On an EX9200 switch acting as a DHCPv6 server, the server does not send a Reply packet on receiving a Confirm packet from the client; the behavior is not compliant with the RFC3315 standard. PR1025019 Interfaces and Chassis • On EX9200 switches, an IRB unicast next hop in a scenario with a Layer 2 LAG as the underlying interface might result in traffic blackholing. PR1114540 Resolved Issues: Release 14.2R5 • Access Control and Authentication • Dynamic Host Configuration Protocol • Firewall Filters • Interfaces and Chassis • Network Management and Monitoring • Platform and Infrastructure • Routing Protocols Access Control and Authentication • On EX9200 switches, RADIUS authentication might fail if the switch receives an Access-Accept message containing a Cisco vendor-specific attribute (VSA). PR1095197 Dynamic Host Configuration Protocol • 22 On EX9200 switches, DHCP snooping and related access security features of ARP inspection, IP source guard, neighbor discovery inspection and IPv6 source guard are Copyright © 2016, Juniper Networks, Inc. Resolved Issues not supported at the [edit logical-systems logical-system-name vlans vlan-name forwarding-options dhcp-security] hierarchy level. PR1087680 • On EX9200 and QFX5100 switches, if you configure DHCP relay with the DHCP server and the DHCP client in separate routing instances, unicast DHCP reply packets, such as a DHCPACK message in response to a DHCPRENEW message, might be dropped. PR1079980 Firewall Filters • On EX9200 switches, 32k is the minimum value that you must configure for policer bandwidth limits. If you configure a policer bandwidth limit that is less than 32k, an error message is displayed. PR1109780 Interfaces and Chassis • On EX9200 switches, a remote attacker can make a denial-of-service attack by using maliciously crafted uBFD packets that are received directly through VPN, MPLS, and multicast or broadcast traffic, and on Virtual Tunnel (VT) interfaces, or otherwise. This issue affects both IPv4 and IPv6 traffic in Ethernet environments where the crafted packet is received over physical interfaces. PR1102581 Network Management and Monitoring • On EX9200 switches, if you configure an invalid interface address as the SNMP source address, SNMP traps might not be sent even after you change the SNMP source address to a valid interface address. As a workaround, restart the snmpd process. PR1099802 Platform and Infrastructure • On EX9200 switches with MPC3E/MPC4E line cards installed, if you enable the flow detection feature at the [edit system ddos-protection] hierarchy level, suspicious control flow might not be detected on the line cards; or, if the suspicious control flows are detected, they might never time out, even if the traffic flows no longer violate the control parameters. PR1102997 Routing Protocols • On EX9200 switches operating in a routing domain with a PIM-embedded IPv6 rendezvous point (RP), accessing the RP after the memory is freed might cause the routing protocol process to generate a core file. PR1101377 Resolved Issues: Release 14.2R4 • Interfaces and Chassis • Layer 2 Features Copyright © 2016, Juniper Networks, Inc. 23 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Interfaces and Chassis • On EX9200 switches, the Dynamic Host Configuration Protocol (DHCP) relay feature, which allows the client interface and the server interface to be in separate virtual routing and forwarding (VRF) instances, does not work if the client interface is configured as an integrated routing and bridging (IRB) interface. PR1064889 • On EX9200 switches, if DHCP relay is configured using the forward-only and forward-only-replies statements at the [edit forwarding-options dhcp-relay] hierarchy level, and the DHCP local server is configured with the forward-snooped-clients statement at the [edit system services dhcp-local-server] hierarchy level, then the configuration for forward-snooped-clients takes precedence over the configuration for forward-only and forward-only-replies. As a result, DHCP message exchange between VRF instances might not work as expected. As a workaround, do not configure forward-only and forward-only-replies together with forward-snooped-clients. PR1077016 • On EX9200 switches, the unsupported auto-10m-100m option no longer appears in the CLI. PR1077020 • On EX9200 switches, if you configure an MC-LAG with two devices, and then delete and re-create an MC-AE interface, broadcast and multicast traffic that is flooded might loop for several milliseconds. PR1082775 • On EX9200 switches, if you configure a virtual private LAN service (VPLS), no label-switched interface (LSI) belongs to a VLAN even though the VPLS connection is in the UP state, and traffic does not flood to an LSI. As a workaround, configure VPLS on the routing instance instead of on the virtual-switch instance. PR1083561 • An EX9200-40F-M line card drops all traffic on an IRB logical interface, including both data plane and control plane traffic. If an IRB logical interface is configured on an EX9200-40F-M line card as part of a VLAN, any device connected through that interface cannot use Layer 3 forwarding outside the subnet, because EX9200-40F-M does not handle the ARP function correctly. Configuring static ARP on devices using the EX9200 as a gateway is not a workaround, because packets are still dropped if the Routing Engine of the EX9200 has the routes and the ARP entry for the destination IP. PR1086790 • On EX9200 switches, if you add a VLAN on an existing virtual-switch instance for virtual private LAN service (VPLS), the label-switched interface (LSI) might not be associated with the new VLAN. PR1088541 Layer 2 Features • On EX9200 switches, if you configure a virtual private LAN service (VPLS) routing instance and then add interfaces to that VPLS routing instance, the system might create a core file and go into db (debug) mode, because the addition of the interfaces to the routing instance caused a buffer overflow. PR1068898 Resolved Issues: Release 14.2R3 24 • Access Control and Authentication • Dynamic Host Configuration Protocol Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Firewall Filters • Interfaces and Chassis • Layer 2 Features • OpenFlow • Platform and Infrastructure • Routing Protocols Access Control and Authentication • On EX9200 switches, the output for the ptopoConnRemotePort MIB might display an incorrect value for portIDMacAddr. PR1061073 • On EX9200 switches, when clients are authenticated with dynamic VLAN assignment on an 802.1X-enabled interface, disabling 802.1X authentication on that interface might cause the Layer 2 Address Learning daemon (l2ald) to generate a core file. PR1064491 Dynamic Host Configuration Protocol • On EX9200 switches with DHCPv6 snooping configured, if the Juniper Enterprise ID (2636) is included in the prefix of DHCPv6 option 37 (Remote ID) or DHCPv6 option 16 (Vendor Class ID), the Juniper Enterprise ID will be encoded in binary. The DHCPv6 options are appended to DHCPv6 packets if DHCPv6 snooping is configured on the switch. PR1052956 Firewall Filters • On EX9200 switches, after you upgrade Junos OS to Release 14.1R1 or a later release, configuring ipv6-payload-protocol as a firewall filter match condition might cause the related filters to stop working. PR1066725 Interfaces and Chassis • On EX9200 switches, when the switch receives LACP control packets from an interface other than an aggregated Ethernet (AE) interface, it forwards the packets, causing LACP peer devices that receive the packets to reset the LACP connections. This might cause continuous flaps for all AE or multichassis aggregated Ethernet (MC-AE) interfaces. PR1034917 • On EX9200 switches, although the minimum Junos OS release that supports the EX9200-6QS line card is Release 14.2R1, if an IRB logical interface is configured on an EX9200-6QS line card as part of a VLAN, any device connected through that interface is unable to route outside of the subnet because EX9200-6QS drops all ARP requests. As a result, the EX9200-6QS line card drops all routed traffic, including both data plane and control plane traffic. Configuring static ARP on devices that use an EX9200 switch as gateway is not a workaround because the packets are still dropped if the Routing Engine of the EX9200 has the routes and ARP entry for the destination IP. As a workaround, upgrade your software to the release specified in TSB16659 if your switch configuration includes an IRB logical interface configured on an EX9200-6QS line card as part of a VLAN. PR1055566 Copyright © 2016, Juniper Networks, Inc. 25 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • On EX9200 switches, if a 100-gigabit interface is configured as part of a Link Aggregation Group (LAG), committing any configuration change causes the interface to flap. PR1065512 Layer 2 Features • On EX9200 switches, if MVRP is configured on an aggregated Ethernet (AE) interface, MVRP might become unstable if the CLI command no-attribute-length-in-pdu is configured. PR1053664 OpenFlow • On EX9200 switches running OpenFlow v1.3.1, the switching device stops responding if an interface goes down when the echo interval timeout is set to less than 11 seconds. PR989308 Platform and Infrastructure • On EX9200 switches, if the switch receives a BFD control packet that is larger than 52 bytes, the BFD process might create a core file. PR1004482 • On EX9200 switches, recurring local memory (LMEM) data errors might cause a chip wedge. PR1033660 • On EX9200 switches, when the switch is configured as a DHCP relay agent with option 82, and the circuit ID is configured with the CLI statement use-interface-description with the device option, then the string of the option 82 field in the DHCP DISCOVER message that is forwarded to the DHCP server must include the switch name, physical interface name, and the VLAN name. However, the string contains integrated routing and bridging (IRB) information in place of the physical interface name. PR1037687 • On EX9200 switches, a process that fails multiple times in a short period of time might not generate a core file. PR1058192 Routing Protocols • On EX9200 switches on which virtual private LAN service (VPLS) is enabled, if the interfaces on the CE device belong to multiple FPCs, traffic might keep flooding the VPLS routing-instance for more than 2 seconds during the MAC learning phase when the links between the PE device and the CE device flap, or when the administrator clears the VPLS MAC table. PR1031791 Resolved Issues: Release 14.2R2 • Dynamic Host Configuration Protocol • Infrastructure • Interfaces and Chassis • Spanning-Tree Protocols Dynamic Host Configuration Protocol • 26 On EX9200 switches, the DHCPv6 binding table as shown in the output of the show dhcp-security ipv6 binding might contain stale entries under the following conditions: Copyright © 2016, Juniper Networks, Inc. Documentation Updates 1. There is a mismatch in the link local address between the link local binding and the dynamic binding. 2. There is no dynamic binding, and a SOLICIT message that matches the link local entry is received, causing the state of the IPv6 address to transition from BOUND to WAITING. This resets the lease timer and creates a stale entry. The presence of stale entries in the DHCPv6 binding table might cause the jdhcpd process to create a core file. PR1012556 • On EX9200 switches, Dynamic Host Configuration Protocol (DHCP) relay functionality might stop working and DHCP does not form new bindings if the number of subscribers exceeds 1000. PR1033921 Infrastructure • On EX9200 switches, if the switch receives an ARP packet while the forwarding information base (FIB) has exceeded the limit of 262144 routes, the kernel might generate a core file. PR1028714 Interfaces and Chassis • On EX9200 switches, in an MC-LAG scenario, a MAC address might incorrectly point to an inter-chassis control link (ICL) after a MAC move from a single-home LAG to the MC-LAG. PR1034347 Spanning-Tree Protocols Related Documentation • On EX9200 switches running the VLAN Spanning Tree Protocol (VSTP), incoming BPDUs might not be included in the output of the show spanning-tree statistics interface command. PR847405 • New and Changed Features on page 7 • Changes in Behavior and Syntax on page 15 • Known Behavior on page 17 • Known Issues on page 20 • Documentation Updates on page 27 • Migration, Upgrade, and Downgrade Instructions on page 28 • Product Compatibility on page 29 Documentation Updates This section lists the errata and changes in Junos OS Release 14.2R7 for the EX Series switches documentation. • Interfaces and Chassis on page 28 Copyright © 2016, Juniper Networks, Inc. 27 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Interfaces and Chassis Related Documentation • The arp-l2-validate statement at the [edit interfaces irb] hierarchy level was added to the CLI for EX9200 switches in Junos OS Release 13.2R4 but was documented first in Release 14.2R6. • New and Changed Features on page 7 • Changes in Behavior and Syntax on page 15 • Known Behavior on page 17 • Known Issues on page 20 • Resolved Issues on page 21 • Migration, Upgrade, and Downgrade Instructions on page 28 • Product Compatibility on page 29 Migration, Upgrade, and Downgrade Instructions This section contains the upgrade and downgrade policies for Junos OS for the EX Series. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. • Upgrade and Downgrade Support Policy for Junos OS Releases on page 28 Upgrade and Downgrade Support Policy for Junos OS Releases Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release, even though EEOL releases generally occur in increments beyond three releases. You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases earlier or later. For example, Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS Release 11.4 to Junos OS Release 10.3. To upgrade or downgrade from a non-EEOL release to a release more than three releases earlier or later, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release. For more information about EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html. 28 Copyright © 2016, Juniper Networks, Inc. Product Compatibility For information on software installation and upgrade, see the Installation and Upgrade Guide. Related Documentation • New and Changed Features on page 7 • Changes in Behavior and Syntax on page 15 • Known Behavior on page 17 • Known Issues on page 20 • Resolved Issues on page 21 • Documentation Updates on page 27 • Product Compatibility on page 29 Product Compatibility • Software Compatibility on page 29 • Hardware Compatibility on page 29 Software Compatibility The Juniper Networks implementation of OVSDB on the EX9200 switch is supported with the following VMware NSX versions: • Starting with Junos OS Release 14.2R1, NSX version 4.0.3. • Starting with Junos OS Release 14.2R2, NSX version 4.2 and later versions. The Juniper Networks implementation of OVSDB on the EX9200 switch supports the following OVSDB schema for physical devices versions: • Starting with Junos OS Release 14.2R1, OVSDB schema version 1.11.90. This schema version is compatible with NSX version 4.0.3. • Starting with Junos OS Release 14.2R4, OVSDB schema version 1.3.0. This schema version is compatible with NSX version 4.0.3 and with NSX version 4.2 and later. Hardware Compatibility To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide for the product. To determine the features supported on EX Series switches in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at http://pathfinder.juniper.net/feature-explorer/. Related Documentation • New and Changed Features on page 7 • Changes in Behavior and Syntax on page 15 • Known Behavior on page 17 Copyright © 2016, Juniper Networks, Inc. 29 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 30 • Known Issues on page 20 • Resolved Issues on page 21 • Documentation Updates on page 27 • Migration, Upgrade, and Downgrade Instructions on page 28 Copyright © 2016, Juniper Networks, Inc. Junos OS Release Notes for Junos Fusion Provider Edge Junos OS Release Notes for Junos Fusion Provider Edge These release notes accompany Junos OS Release 14.2R7 for the Junos Fusion. You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at http://www.juniper.net/techpubs/software/junos/. • New and Changed Features on page 31 • Changes in Behavior and Syntax on page 41 • Known Behavior on page 42 • Known Issues on page 43 • Resolved Issues on page 44 • Documentation Updates on page 49 • Migration, Upgrade, and Downgrade Instructions on page 49 • Product Compatibility on page 63 New and Changed Features This section describes the new features and enhancements to existing features in Junos OS Release 14.2R7 for Junos Fusion Provider Edge. • Junos Fusion on page 31 • Class of Service (CoS) on page 34 • Interfaces on page 34 • Layer 2 Protocols on page 37 • Layer 3 Protocols on page 37 • Multicast Protocols on page 38 • Network Management and Monitoring on page 38 • Software Installation and Upgrade on page 39 • System Logging on page 40 • VPNs on page 40 Junos Fusion • Junos Fusion support (MX Series routers, QFX5100 switches, and EX4300 switches)—Starting with Junos OS Release 14.2R3, Junos OS supports a network system named Junos Fusion. Based on the 802.1BR standard, Junos Fusion is a combination of aggregation devices and satellite devices that appear to the rest of the network as a single device. Junos Fusion expands the port density of the aggregation device and allows it to send and receive traffic using the customer-facing ports of the directly connected satellite devices. The composite of the aggregation device and satellite devices–Junos Fusion–is configured and managed through the aggregation device. You can configure the following MX Series routers as an aggregation device: Copyright © 2016, Juniper Networks, Inc. 31 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • MX80 routers • MX104 routers • MX240 routers • MX480 routers • MX960 routers • MX2010 3D Universal Edge Routers • MX2020 3D Universal Edge Routers You can configure the following switches as satellite devices: • QFX5100 switches—QFX5100-24Q, QFX5100-48S, QFX5100-48T, and QFX5100-96S • EX4300 switches—EX4300-24P, EX4300-24T, EX4300-32F, EX4300-48P, EX4300-48T, and EX4300-48T-BF [See Junos Fusion Overview.] 32 • Extended satellite device support (EX4300-32F switch)—Starting with Junos OS Release 14.2R5, an EX4300-32F switch can be converted for use as a satellite device in a Junos Fusion topology. You must upgrade the switch to Junos OS Release 14.1X53-D30 or later before you convert it into a satellite device; the MX Series aggregation device must run Junos OS Release 14.2R5 or later; and the satellite device package must be version 1.0R2 or later. • Extended aggregation device support (MX80 and MX104 routers)—Starting with Junos OS Release 14.2R6, the MX80 and MX104 3D Universal Edge Routers can be used as aggregation devices in a Junos Fusion Provider Edge topology. • Environment monitoring satellite policies (Junos Fusion)—Starting with Junos OS Release 14.2R3, Junos Fusion allows you to configure environment monitoring satellite policies to define how environmental events on satellite devices, such as link-down alarms, are handled in Junos Fusion. To configure an environment monitoring satellite policy, include the environment-monitoring-policy statement at the [edit policy-options satellite-policies] hierarchy level. • New and enhanced chassis commands (Junos Fusion)—Starting with Junos OS Release 14.2R3, several new show chassis commands are available and several existing show chassis commands have been enhanced to display output related to Junos Fusion operations. The following new commands are now available to support Junos Fusion: • show chassis satellite • show chassis satellite extended-port • show chassis satellite interface • show chassis satellite neighbor • show chassis satellite software • show chassis satellite statistics Copyright © 2016, Juniper Networks, Inc. New and Changed Features • show chassis satellite unprovision • show chassis satellite upgrade-group The following existing commands have been enhanced to include the satellite option to display information about a Junos Fusion topology: • • show chassis alarms • show chassis environment • show chassis environment fpc • show chassis environment pem • show chassis environment routing-engine • show chassis fan • show chassis firmware • show chassis hardware • show chassis led • show chassis routing-engine • show chassis temperature-thresholds Enhanced system commands (Junos Fusion)—Starting with Junos OS Release 14.2R3, several existing request system commands have been enhanced to support software installation and file management procedures for Junos Fusion. The following existing request system commands have been enhanced to support Junos Fusion: • request system software add • request system software delete • request system software rollback • request system storage cleanup NOTE: The request system software rollback command does not work if you reboot the aggregation device. Instead, issue the request system software add command. For more information, see the “Note” on page 52 in the Basic Procedure for Upgrading an Aggregation Device section of the Junos Fusion Provider Edge Release Notes. • Additional MPC support (MX Series routers)—Starting with Junos OS Release 14.2R6, the following Modular Port Concentrators (MPCs) are supported as Junos Fusion Provider Edge cascade ports on MX240, MX480, MX960, MX2010, and MX2020 routers: • MPC2E NG • MPC2E NG Q Copyright © 2016, Juniper Networks, Inc. 33 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • MPC3E NG • MPC3E NG Q Class of Service (CoS) • CoS support (Junos Fusion)—Starting with Junos OS Release 14.2R3, Junos Fusion supports the standard Junos OS CoS features and operational commands. Each extended port on a satellite device is a logical extension to the aggregation device. Therefore, the default CoS policy on the aggregation device applies to each extended port. You can also create standard CoS policies for extended ports. A cascade port is a physical port or interface on an aggregation device that provides a connection to a satellite device. Port scheduling is supported on cascade ports. Junos Fusion technology reserves a separate set of queues with minimum bandwidth guarantees for in-band management traffic to protect against congestion caused by data traffic. Support for configuring enhanced transmission selection (ETS) is also extended to MX Series routers for satellite device ports that support ETS. If ETS is configured on the MX Series aggregation device for a satellite device port that does not support ETS, the satellite device converts the ETS configuration to a port scheduler. [See Understanding CoS on an MX Series Aggregation Device in Junos Fusion.] Interfaces • Supported port types (Junos Fusion)—Starting with Junos OS Release 14.2R3, Junos Fusion supports the following port types: • Cascade port—Provides a connection to a satellite device. Cascade ports on an aggregation device connect to uplink ports on the satellite device. • Uplink port—Provides a connection to an aggregation device. Uplink ports on a satellite device connect to cascade ports on the aggregation device. • Extended port—Provides a connection to servers or endpoints. Extended ports are the physical interfaces of the satellite devices. The satellite devices appear as additional FPCs on the aggregation device in a Junos Fusion topology, and extended ports appear as additional interfaces to be managed by the aggregation device. [See Understanding Junos Fusion Ports.] • Uplink failure detection (Junos Fusion)—Starting with Junos OS Release 14.2R3, Junos Fusion enables satellite devices to detect link failures on the uplink interfaces used to connect to aggregation devices. When a host device is multihomed to two satellite devices, and one of the uplink interfaces goes down, the host device can redirect traffic through the other active satellite device. All of the extended ports configured on the satellite device with the uplink interface failure are shut down. By default, UFD is disabled. To enable UFD for all satellite devices, include the uplink-failure-detection statement at the [edit chassis satellite-management] hierarchy level. To enable UFD for specific satellite devices, include the uplink-failure-detection statement at the [edit chassis satellite-management fpc] hierarchy level. 34 Copyright © 2016, Juniper Networks, Inc. New and Changed Features EX4300 and QFX5100 switches configured as satellite devices have a default set of uplink interfaces.Table 1 on page 35 shows the default set of uplink interfaces that UFD selects for failure detection. Table 1: UFD Default Uplink Interfaces for Satellite Devices Device Type Default Uplink Interfaces EX4300-24P (4 ports each on PIC1 and PIC2) 1/0 through 1/3 and 2/0 through 2/3 EX4300-24T (4 ports each on PIC1 and PIC2) 1/0 through 1/3 and 2/0 through 2/3 EX4300-32F (Miscellaneous ports on PIC0, PIC1, and PIC2) 0/32 through 0/35, 1/0 through 1/1, and 2/0 through 2/7 EX4300-48P (4 ports each on PIC1 and PIC2) 1/0 through 1/3 and 2/0 through 2/3 EX4300-48T (4 ports each on PIC1 and PIC2) 1/0 through 1/3 and 2/0 through 2/3 EX4300-48T-BF (4 ports each on PIC1 and PIC2) 1/0 through 1/3 and 2/0 through 2/3 QFX5100-24Q 0/20 through 0/23 QFX5100-48S (6 QSFP+ ports) 0/48 through 0/53 QFX5100-48T (6 QSFP+ ports) 0/48 through 0/53 QFX5100-96S (8 QSFP+ ports) 0/96 through 0/103 If you choose not to use the default set of uplinks for your satellite devices, you need to specify which uplink interfaces you want to use for UFD. To apply UFD to an uplink interface, include the ufd-default-policy statement at the [edit chassis satellite-management uplink-failure-detection] hierarchy level. You also need to configure the UFD policy. For example: [edit policy-options] satellite-policy { candidate-uplink-port-profile { ufd-default-policy { term qfx5100 { product-model QFX5100*; uplink-port-group uplink-ports; } } } port-group-alias { uplink-ports { pic 0 { port [1, 2]; } pic 1 { port [3,4]; } } Copyright © 2016, Juniper Networks, Inc. 35 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion } } [See Overview of Uplink Failure Detection on a Junos Fusion.] • Increasing number of aggregated Ethernet interfaces to approximately 1000 (Junos Fusion)—Starting with Junos OS Release 14.2R3, aggregation devices support up to 1000 aggregated Ethernet interfaces, depending on the number satellite devices included in a Junos Fusion topology. • LACP support (Junos Fusion)—Starting with Junos OS Release 14.2R3, LACP is supported on Junos Fusion. It provides the ability to bundle several physical interfaces to form one logical aggregated Ethernet interface. The LACP mode can be active or passive. The transmitting link is known as the actor, and the receiving link is known as the partner. If the actor and partner are both in passive mode, they do not exchange LACP packets, and the aggregated Ethernet links do not come up. If either the actor or partner is active, they do exchange LACP packets. By default, LACP is in passive mode on aggregated Ethernet interfaces. To initiate transmission of LACP packets and response to LACP packets, you must enable LACP active mode. You can configure Ethernet links to actively transmit PDUs, or you can configure the links to passively transmit them, sending out LACP PDUs only when they receive them from another link. [See Understanding Link Aggregation and Link Aggregation Control Protocol in a Junos Fusion.] • MC-LAG support (Junos Fusion)—Starting with Junos OS Release 14.2R3, you can configure MC-LAG between two aggregation devices in a Junos Fusion topology. You can also configure MC-LAG interfaces to improve the Layer 2 and Layer 3 convergence time when a MC-LAG Ethernet link goes down or comes up. To configure enhanced convergence, issue the enhanced-convergence statement at the [edit interfaces ae aggregated-ether-options mc-ae] hierarchy level for an aggregated Ethernet interface and at the [edit interfaces irb unit unit-number] hierarchy level for an IRB interface. [See Understanding Multichassis Link Aggregation in a Junos Fusion.] NOTE: EVPN cannot be configured simultaneously with MC-LAG. • 36 Configuration synchronization for MC-LAG (Junos Fusion)—Starting with Junos OS Release 14.2R6, Junos Fusion supports the ability to easily propagate, synchronize, and commit configurations from one MC-LAG peer to another MC-LAG peer. MC-LAG configuration synchronization enables you log into any one of the MC-LAG peers to manage both MC-LAG peers, thus having a single point of management. With MC-LAG configuration synchronization, you can use configuration groups to simplify the configuration process. For example, you can create configuration groups for the local MC-LAG peers, one for the remote MC-LAG peer, and one for the global configuration, which is essentially a configuration that is common to both MC-LAG peers. You can create conditional groups to specify when a configuration is synchronized with another MC-LAG peer. Additionally, you can enable the peers-synchronize command at the Copyright © 2016, Juniper Networks, Inc. New and Changed Features [edit system commit] hierarchy level to synchronize the configurations and commits across the MC-LAG peers by default. NETCONF over SSH provides a secure connection between the MC-LAG peers, and Secure Copy Protocol (SCP) copies the configurations securely between the MC-LAG peers. • Enhanced interface commands (Junos Fusion)—Starting with Junos OS Release 14.2R3, Junos Fusion provides information for extended ports and uplink ports on satellite devices through operational mode commands and output. Extended port names include the extended FPC slot number, PIC slot, and port number. For example, a 10-Gigabit Ethernet extended port number might be xe-125/1/8, where 125 is the FPC slot number, 1 is the physical interface card (PIC) slot, and 8 is the extended port number. The following commands have been enhanced to display the extended ports and uplink ports by using either the slot or the alias. Additionally, you can now use the keyword satellite to view information about the satellite device ports: • show interfaces satellite-device (all | alias) • show interfaces extensive satellite-device (all | alias) • show interfaces terse satellite-device (all | alias) Layer 2 Protocols • RSTP configuration supports 1024 VLAN instances on extended ports for MX Series platforms (Junos Fusion)—Starting with Junos OS Release 14.2R4, Junos Fusion supports up to 1024 VLAN instances for the Rapid Spanning Tree Protocol (RSTP) on MX Series platforms for improved scalability. Typically each VLAN corresponds with an associated spanning tree, which affects processing resources due to the number of VLANs. Increasing the number VLAN instances helps increase scalability across the MX Series platform. Layer 3 Protocols • Support for Layer 3 protocols (Junos Fusion)—Starting with Junos OS Release 14.2R4, many of the routing protocols supported on MX Series routers have been extended to the satellite devices in a Junos Fusion topology. You can configure the following Layer 3 routing protocols on satellite device extended ports: • BGP • BGP for IPv6 • IS-IS • IS-IS for IPv6 • OSPF • OSPF version 3 You can configure the following Layer 3 routing protocols on satellite device extended ports that are included in LAGs and MC-LAGs: • BGP Copyright © 2016, Juniper Networks, Inc. 37 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • IS-IS • OSPF [See Junos Fusion Protocol Support.] Multicast Protocols • Support for multicast protocols (Junos Fusion)—Starting with Junos OS Release 14.2R4, many of the multicast protocols supported on MX Series routers have been extended to the satellite devices in a Junos Fusion topology. You can configure the following multicast protocols on satellite device extended ports: • IGMP • MLD • PIM source-specific multicast (SSM) • PIM sparse mode [See Junos Fusion Protocol Support.] Network Management and Monitoring • Chassis MIB support (Junos Fusion)—Starting with Junos OS Release 14.2R3, satellite devices in a Junos Fusion topology are represented in the chassis MIB. Satellite devices are represented as FPC slots (100, 101, 102, ...) in the aggregation device. The support is enabled using a range of container indexes, which enable the SNMP process to redirect SNMP requests to the chassis process or SPMD based on the first index entry. The following tables have been implemented for satellite devices: • jnxContainersTable • jnxContentsTable • jnxFilledTable • jnxOperatingTable • jnxFRUTable These tables have an index consisting of four entries–CIDX, L1, L2, and L3–where CIDX is the container index, L1 is the level-1 index (slot), L2 is the level-2 index (component within the L1 slot), and L3 is the level-3 index (subcomponent of the L2 slot). For example, an entry of 104.101.2.0 would indicate CIDX 104 is the index for fans and refers to the second fan of satellite device 100 (all indexes are 1-based). The CIDX indexes for Junos Fusion are offset by 100 from regular indexes; for example, a regular CIDX 2 (power supply) is 102 for the power supply of the satellite device. Using these indexes, you can distinguish the satellite device hardware from the aggregation device hardware. [See Chassis MIB Support (Junos Fusion).] • 38 Satellite device system log messages (Junos Fusion)—Starting with Junos OS Release 14.2R3, Junos Fusion generates system log messages for the following major events on satellite devices: Copyright © 2016, Juniper Networks, Inc. New and Changed Features • Satellite device discovery • Satellite device offline • Satellite device software upgrade success or failure • Satellite device extended port up/down • Satellite device extended port addition/deletion failures • Satellite device extended port link down alarms raised/cleared • Satellite device power supply addition/removal • Satellite device fan addition/removal • Satellite device chassis alarms raised/cleared • Satellite device converted to a standalone switch (Junos OS) • Standalone switch (Junos OS) converted to a satellite device Software Installation and Upgrade • Upgrading and managing the satellite software on satellite devices (Junos Fusion)—Starting with Junos OS Release 14.2R3, Junos Fusion provides the ability to manage satellite software. To convert a standalone switch to a satellite device, you can use one of the following methods: • Autoconversion—Automatically converts a standalone device into a satellite device when it is cabled to a cascade port on the aggregation device. • Manual conversion—Installs satellite software manually from the aggregation device using the request chassis satellite interface interface-name device-mode satellite command. • Preconversion—Installs satellite software onto a device before connecting it to a Junos Fusion topology. After you convert the switch to a satellite device, you can install satellite software upgrades onto a satellite device through the aggregation device. Satellite software upgrade groups are often needed to install satellite software. A satellite software upgrade group is a group of satellite devices that are designated to upgrade to the same satellite software version using the same satellite software package. When you add a satellite to an upgrade group that is not running the same satellite software, the satellite device is automatically updated to the version of satellite software associated with the upgrade group. You can use the following commands to add and associate a satellite software version with an upgrade group: • request system software add upgrade-group upgrade-group-name—Add the satellite software and associate it with the specified upgrade group. • request system software delete upgrade-group upgrade-group-name—Remove the satellite software association from the specified upgrade group. Copyright © 2016, Juniper Networks, Inc. 39 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • request system software rollback upgrade-group upgrade-group-name—Associate an upgrade group with a previous version of satellite software. You can issue the show chassis satellite software command to see which software images are stored on the aggregation device and which upgrade groups are associated with the software images. [See Understanding Junos Fusion Components, Understanding Software in a Junos Fusion, and Configuring Junos Fusion.] System Logging • System log messages to indicate checksum errors on the DDR3 interface—Starting with Junos OS Release 14.2R7, two new system log messages, XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MINOR and XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MAJOR, are added to indicate memory-related problems on the interfaces to the double data rate type 3 (DDR3) memory. These error messages indicate that an FPC has detected a checksum error, which is causing packet drops. The following error threshold values classify the error as a major error or a minor error: • Minor error— 6 to 254 errors per second • Major error—255 or more errors per second VPNs • Support for VPNs (Junos Fusion)—Starting with Junos OS Release 14.2R4, many of the VPN protocols supported on MX Series routers have been extended to the satellite devices in a Junos Fusion topology. You can configure satellite device extended ports as CE router interfaces for the following VPNs: • Layer 2 circuits • Layer 2 VPNs • Layer 3 VPNs • Logical routers • Virtual private LAN service (VPLS) [See Junos Fusion Protocol Support.] • EVPN and VXLAN support (Junos Fusion)—Starting with Junos OS Release 14.2R6, Junos Fusion extends the use of EVPN with VXLAN encapsulation to satellite devices managed by MX Series routers. This feature provides Layer 2 connectivity for end stations within a virtualized network. The end stations consist of virtual hosts connected to the virtualized server, and nonvirtualized bare-metal servers connected to top-of-rack switches. The MX Series routers also function as default gateways for the internetwork traffic among end stations that belong to different virtual networks. NOTE: MC-LAG cannot be configured simultaneously with EVPN. 40 Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax Related Documentation • Changes in Behavior and Syntax on page 41 • Known Behavior on page 42 • Known Issues on page 43 • Resolved Issues on page 44 • Documentation Updates on page 49 • Migration, Upgrade, and Downgrade Instructions on page 49 • Product Compatibility on page 63 Changes in Behavior and Syntax This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands in Junos OS Release 14.2R7 or later for Junos Fusion Provider Edge. Junos Fusion • Default configuration statement now implicit (Junos Fusion)—Starting in Junos OS Release 14.2R5, the single-home statement at the [edit chassis satellite-management] hierarchy level is now both the default value and implicit. The statement becomes automatically configured when you include any portion of the [edit chassis satellite-management] hierarchy level in your Junos Fusion configuration. As a result, all satellite devices are single-homed by default and the single-home statement does not need to be configured explicitly. However, for backward compatibility reasons, the single-home configuration statement is still supported for legacy configurations. • Support for the satellite all option across multiple user classes (Junos Fusion)—Starting in Junos OS Release 14.2R6, you can now include the satellite all statement at the [edit system login class class-name] hierarchy level for multiple classes. When you assign a class containing the satellite all privilege to a user, the user can access a satellite device from an aggregation device without re-entering user credentials, such as username and password. • Evolution of satellite device user privileges (Junos Fusion)—When you assign the following privileges to a user, the user can log in to a satellite device from an aggregation device per software release, as follows: • • Junos OS Release 14.2R3: The root user can log in without a password, and users with class satellite all can log in with a password. • Junos OS Release 14.2R5: The root user, superuser, and users with class satellite all can log in without a password. • Junos OS Release 14.2R6: The root user, superuser, and users with class satellite all, permissions all, and permissions maintenance can log in without a password. Automatic channelized interface support on QFX5100-96S satellite devices (Junos Fusion)—Starting with Junos OS Release 14.2R7 and satellite software release 1.0R4, port 96 and port 100 on QFX5100-96S satellite devices can be automatically channelized as follows: Copyright © 2016, Juniper Networks, Inc. 41 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion If the satellite device has not established a connection with the aggregation device: • The satellite device tries to channelize port 96 if no transceivers are inserted in ports 97 to 99. • The satellite device also tries to channelize port 100 if no transceivers are inserted in ports 101 to 103. Until the satellite device establishes a connection with the aggregation device, the channelization mode will toggle. When this happens, the SPFE process on the QFX5100-96S satellite device restarts and changes the channelization mode. The autodiscovery process stops when the satellite device establishes a connection with the aggregation device and does not restart until the satellite device reboots. Related Documentation • New and Changed Features on page 31 • Known Behavior on page 42 • Known Issues on page 43 • Resolved Issues on page 44 • Documentation Updates on page 49 • Migration, Upgrade, and Downgrade Instructions on page 49 • Product Compatibility on page 63 Known Behavior This section lists known behavior, system maximums, and limitations in hardware and software in Junos OS Release 14.2R7 for Junos Fusion Provider Edge. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. Junos Fusion • On a Junos Fusion Provider Edge topology, if you attempt to implement MAC filtering or MAC accounting on extended ports, the features do not work. PR1023578 • On a Junos Fusion Provider Edge topology running 32-bit Junos OS, if you configure an aggregation device with nonstop active routing, and the aggregation device processes more than 150,000 routes, the standby Routing Engine might lose its connection to the master Routing Engine. As a workaround, verify that the aggregation device Routing Engine is compatible with the 64-bit Junos OS, and then upgrade it to the 64-bit version. PR1068157 Related Documentation 42 • New and Changed Features on page 31 • Changes in Behavior and Syntax on page 41 • Known Issues on page 43 • Resolved Issues on page 44 Copyright © 2016, Juniper Networks, Inc. Known Issues • Documentation Updates on page 49 • Migration, Upgrade, and Downgrade Instructions on page 49 • Product Compatibility on page 63 Known Issues This section lists the known issues in hardware and software in Junos OS Release 14.2R7 for Junos Fusion Provider Edge. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. Junos Fusion • On a Junos Fusion Provider Edge topology, if you configure 3000 VLANs and 3000 IRB interfaces in your topology, commit the configuration, and immediately issue show and clear operational mode commands, the system might be slow to respond (more than 10 seconds) but does recover eventually. PR1076345 • On a Junos Fusion Provider Edge topology, if you enable MC-LAG over an IRB interface and perform a graceful Routing Engine switchover, the system might experience traffic loss of up to 60 percent of the traffic for 90 seconds and a drop in the Address Resolution Protocol (ARP) count. PR1080192 • On a Junos Fusion Provider Edge topology running multicast, if you disable and reenable a satellite device, the PIM upstream interface state might not be updated correctly. PR1091449 • On a Junos Fusion Provider Edge topology running multicast, if you delete multicast routes from native aggregation device ports and extended ports, the PIM join (s,g) states might still appear in the output of the show pim join summary command. PR1092192 • On a Junos Fusion Provider Edge topology, when unicast next hops for the satellite device extended ports are deleted and added, if the routing chip memory is not freed, a small memory leak occurs during the next-hop deletion. If the churn happens for an extended period, the Flexible PIC Concentrator (FPC) might run out of memory and stop operating. PR1114369 Satellite Software • On a Junos Fusion topology where the QFX5100-96S is deployed as a satellite device, you cannot channelize the 40-Gigabit Ethernet ports. PR1052225 • On a Junos Fusion topology, if you configure an outgoing firewall or policer to drop packets prior to transmission, the logical interfaces of satellite device extended ports that appear in the output of the show interfaces extensive command might include packets in the statistics counter that have been dropped but not forwarded. PR1078304 • On a Junos Fusion Provider Edge topology, you might not be able to disable auto-negotiation on fiber-based, Gigabit Ethernet ports in a QFX5100 switch acting as a satellite device. PR1183112 Copyright © 2016, Juniper Networks, Inc. 43 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Related Documentation • New and Changed Features on page 31 • Changes in Behavior and Syntax on page 41 • Known Behavior on page 42 • Resolved Issues on page 44 • Documentation Updates on page 49 • Migration, Upgrade, and Downgrade Instructions on page 49 • Product Compatibility on page 63 Resolved Issues This section lists the issues fixed in the Junos OS main release and the maintenance releases. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • Resolved Issues: Release 14.2R7 on page 44 • Resolved Issues: Release 14.2R6 on page 45 • Resolved Issues: Release 14.2R5 on page 46 • Resolved Issues: Release 14.2R4 on page 46 • Resolved Issues: Release 1.0R4 on page 46 • Resolved Issues: Release 1.0R3 on page 48 • Resolved Issues: Release 1.0R2 on page 48 Resolved Issues: Release 14.2R7 This section lists the issues fixed since Junos OS Release 14.2R6 for Junos Fusion Provider Edge. Junos Fusion 44 • On a Junos Fusion Provider Edge topology, when you issue the show chassis satellite device-alias ? command, the list of available satellite devices is not displayed. PR1148762 • On a Junos Fusion Provider Edge topology, if you configure BFD and reboot the system, the periodic packet management process (ppmd) might stop operating and dump core. As a workaround, set the BFD transmit interval to 300 msec with a multiplier of 3. PR1170800 • On a Junos Fusion Provider Edge topology, if a cascade port transitions down and up, and the diagnostics data sent from a satellite device exceeds 25 kilobytes, the satellite platform management process (spmd) might dump core. PR1175591 • On a Junos Fusion Provider Edge topology, if you issue the request chassis satellite shell-command command and the output generates more than 24 kilobytes of data, the satellite discovery and provisioning process (SDPD) might stop operating. As a Copyright © 2016, Juniper Networks, Inc. Resolved Issues workaround, issue the request chassis satellite login command and run the commands in the resulting session. PR1188712 Resolved Issues: Release 14.2R6 This section lists the issues fixed since Junos OS Release 14.2R5 for Junos Fusion Provider Edge. Junos Fusion • On a Junos Fusion Provider Edge topology, if you configure CoS classifiers on an aggregated Ethernet bundle comprised of satellite device extended ports, the configuration commits and the classifiers are applied correctly. However, the output of the show class-of-service interface ae-interface-name command does not display the configured classifiers. As a workaround, apply the classifier on unit 0 of the LAG and the show command output will display the correct information. PR1062500 • On a Junos Fusion Provider Edge topology, broadcast Ethernet traffic with an unknown Ethertype might generate the following log entries: fpc0 XL[0:0]_PPE 1.xss[0] ADDR Error and fpc0 XL[0:0]_PPE 1 Errors async xtxn error. PR1123040 • On a Junos Fusion Provider Edge topology, if you configure Junos Fusion on an MX Series aggregation device, corresponding system log messages might not be received by a remote syslog server. PR1134269 • On a Junos Fusion Provider Edge topology, when you insert a field-replaceable unit (FRU) into a satellite device, the aggregation device might not generate the expected SNMP traps for this event (such as jnxFruOnline and jnxFruInsertion). PR1136566 • On a Junos Fusion Provider Edge topology configured with LACP, if a Routing Engine switchover causes the Periodic Packet Manager (ppman) to lose connectivity with the Periodic Packet Management Process (ppmd), and the reconnection results in new interface entries that do not have a valid interface name, the reconnection attempt might exceed 120 seconds and cause the LACP adjacencies to remain in the detached state as seen in the output of the show lacp interfaces command. PR1147546 • On a Junos Fusion Provider Edge topology, if you configure the aggregation device for the first time, the satellite device to standalone device conversion might fail if the satellite discovery and provisioning process (sdpd) has not restarted. This happens because you perform the initial satellite management configuration on the aggregation device. As a workaround, restart the process by issuing the restart satellite-discovery-provisioning-process command before performing the satellite device conversion. PR1148786 • On a Junos Fusion Provider Edge topology, when you configure an integrated routing and bridging (IRB) interface that includes both regular and extended ports, multicast traffic might not flow to the satellite device extended ports. PR1156750 • On a Junos Fusion Provider Edge topology, you could only assign satellite all privileges to a single user class. In Junos OS Release 14.2R6, you can now include the satellite all statement at the [edit system login class class-name] hierarchy level for multiple classes. PR1161531 Copyright © 2016, Juniper Networks, Inc. 45 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Resolved Issues: Release 14.2R5 This section lists the issues fixed since Junos OS Release 14.2R4 for Junos Fusion Provider Edge. Junos Fusion • On a Junos Fusion Provider Edge topology, if you deactivate and reactivate et-interfaces, LACP might not come back up. As a workaround, deactivate and reactivate the aggregated Ethernet interface that contains the et- interface. PR1078299 • On a Junos Fusion Provider Edge topology, if you issue the show interfaces media command on an extended port, the output does not show the autonegotiation information for the port. As a workaround, upgrade the satellite device to software version 1.0R3 or later and the aggregation device to Junos OS Release 14.2R5 or later. PR1078301 • On a Junos Fusion Provider Edge topology, if you issue the show interfaces diagnostics optics satellite interface-name command for a satellite device extended port, the output does not provide any optical transceiver diagnostic data. PR1087366 • On a Junos Fusion Provider Edge topology running bidirectional PIM, if you issue a nonstop active routing graceful Routing Engine switchover, multicast routes are not synchronized correctly between the master and standby Routing Engines. PR1095993 • On a Junos Fusion Provider Edge topology, if you turn off a power supply, the system might not send an SNMP trap for this event. PR1116266 Resolved Issues: Release 14.2R4 This section lists the issues fixed since Junos OS Release 14.2R3 for Junos Fusion Provider Edge. Junos Fusion • On a Junos Fusion Provider Edge topology configured for MC-LAG, if you perform an snmpwalk on iso, the operation times out with the error message “Request failed: OID not increasing: dot3adAggPortStatsLACPDUsRx.2387 >=dot3adAggPortStatsLACPDUsRx.2387.” PR1071050 • On a Junos Fusion Provider Edge topology, if a QFX5100 switch is running Junos OS Release 14.1X53-D16 with Enhanced Automation, and you try to convert the switch into a satellite device by using either the automatic or manual conversion method, the conversion might fail. PR1072806 • On a Junos Fusion Provider Edge topology, if you issue any of the show chassis commands available for satellite devices (such as show chassis hardware satellite) and include the device-alias option to display output for a specific device, the output might still include all the devices. PR1080516 Resolved Issues: Release 1.0R4 This section lists the issues fixed since satellite software release 1.0R3 for Junos Fusion. 46 Copyright © 2016, Juniper Networks, Inc. Resolved Issues Satellite Software • On a Junos Fusion topology with QFX5100 satellite devices, if the satellite device has a bad power supply, the output of the show chassis environment pem satellite and show chassis alarms satellite commands might not indicate there is a problem. PR1161861 • On a Junos Fusion topology, the CCC-DOWN state (the asynchronous notification of link state from the remote end of a Layer 2 circuit) is not supported on satellite device extended ports. PR1162899 • On a Junos Fusion topology with EX4300 satellite devices, some physical interfaces for the 10-Gigabit Ethernet ports on the uplink PIC (PIC2) are created while others are not, and the system log might show a transceiver EPROM failure. This issue might be resolved by removing the PIC and reinserting it, or restarting the satellite device. PR1169555 • On a Junos Fusion topology, when the port channelization state changes (for example, et-0/0/1:0 to et-0/0/0) on a satellite device extended port, the system might assign the same ECID to more than one port and the following message might be generated: “IFRT: 'IFD hardware address configuration' (opcode 226) failed.” PR1170428 • On a Junos Fusion topology with a QFX5100-96S satellite device, channelized interfaces are not supported on 40-Gigabit Ethernet uplink ports. PR1179317 • On a Junos Fusion topology with dual aggregation devices, if you issue the show snmp mib walk command on one aggregation device, the output might not display PEM and fan information correctly for the 124th satellite device. As a workaround, issue the command on the second aggregation device. PR1182030 • On a Junos Fusion topology, you might not be able to disable autonegotiation on fiber-based Gigabit Ethernet ports in a QFX5100 switch acting as a satellite device. PR1183112 • On a Junos Fusion topology, if you configure CoS on an aggregation device, in some cases the satellite devices do not get provisioned and the DPD process might stop operating and dump core. As a workaround, disable CoS on interfaces, scheduler maps, and traffic control profiles. PR1184828 • On a Junos Fusion topology, if you issue the request chassis satellite shell-command command and the output generates more than 24 kilobytes of data, the satellite discovery and provisioning process (SDPD) might stop operating. As a workaround, issue the request chassis satellite login command and run the commands in the resulting session. PR1188712 • On a Junos Fusion topology, in some cases after a satellite device PFE restart, some of the channelized ports on a QFX5100-24Q satellite device cannot transmit or receive traffic. PR1192218 • On a Junos Fusion topology, if an EX4300 satellite device is connected to an aggregation device over a copper, 40-Gigabit Ethernet uplink port, sometimes the link might transition down and up. PR1197913 Copyright © 2016, Juniper Networks, Inc. 47 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • On a Junos Fusion topology, if you issue the show interfaces command on a 40-Gigabit Ethernet port on a QFX5100 satellite device, the output does not display the correct bits per second if the traffic is 32 Gbps or larger. PR1197916 • On a Junos Fusion topology, in some cases the ppman-lite or ppman process running on the satellite device might attempt to view information in the packet beyond the packet length, which might cause the process to stop operating. Issues with the ppman-lite process impact LLDP functionality, while issues with the ppman process impact LACP functionality. PR1208058 • On a Junos Fusion topology, if you issue the request support information operational mode command, you expect that the system will consolidate and collect information from the /var/log directory of all the satellite devices and place it into the /var/home/ftp/sd_logs directory of the aggregation device. However, the collected logs (for example, sd101.tgz) do not contain relevant satellite device information from the consolidated log files. PR1208066 • On a Junos Fusion topology, when a QFX5100 satellite device operates continuously for more than 140 days, or an EX4300 satellite device operates continuously for more than 280 days, the output of the show chassis routing-engine satellite command might indicate very high CPU utilization for the satellite device, even when the actual CPU utilization is very low. PR1208846 Resolved Issues: Release 1.0R3 This section lists the issues fixed since satellite software release 1.0R2 for Junos Fusion. Satellite Software • On a Junos Fusion Provider Edge topology, if you issue the show interfaces extensive command on a copper-based satellite device extended port, the output does not show autonegotiation information. As a workaround, upgrade the aggregation device to Junos OS Release 14.2R5 or later and upgrade the satellite device to satellite software version 1.0R3. PR1107243 Resolved Issues: Release 1.0R2 This section lists the issues fixed since satellite software release 1.0R2 for Junos Fusion. Satellite Software 48 • On a Junos Fusion Provider Edge topology, if you issue the show interfaces diagnostics optics satellite interface-name command for a satellite device extended port, the output does not provide any optic transceiver diagnostic data. PR1087366 • On a Junos Fusion Provider Edge topology, if you issue the show chassis hardware satellite command, the output indicates that EX4300-24T satellite devices are unsupported. As a workaround, upgrade the satellite devices to satellite software 1.0R2 and the aggregation devices to Junos OS Release 14.2R5 or later. PR1126060 • On a Junos Fusion Provider Edge topology with QFX5100 satellite devices running satellite software version 1.0R1-S2 or earlier, if you remove a 1-gigabit small-form factor pluggable (SFP) fiber transceiver and replace it with a copper transceiver, the port Copyright © 2016, Juniper Networks, Inc. Documentation Updates might not transmit or receive traffic. As a workaround, restore the fiber transceiver in the port or upgrade the satellite software to version 1.0R2 or later. PR1140313 Related Documentation • In a Junos Fusion Provider Edge topology, if there are power failures or the power is not connected to a power supply on a satellite device, the jnxPowerSupplyFailure traps are not generated by the aggregation device. For example, if there are two Power Entry Modules (PEMs) inserted on the satellite device and one PEM is not powered on, the aggregation device does not generate a trap for the PEM without power. PR1140097 • New and Changed Features on page 31 • Changes in Behavior and Syntax on page 41 • Known Behavior on page 42 • Known Issues on page 43 • Documentation Updates on page 49 • Migration, Upgrade, and Downgrade Instructions on page 49 • Product Compatibility on page 63 Documentation Updates This section lists the errata or changes in Junos OS Release 14.2R7 for Junos Fusion Provider Edge documentation. Related Documentation • There are no errata and changes in the current Junos Fusion Provider Edge documentation. • New and Changed Features on page 31 • Changes in Behavior and Syntax on page 41 • Known Behavior on page 42 • Known Issues on page 43 • Resolved Issues on page 44 • Migration, Upgrade, and Downgrade Instructions on page 49 • Product Compatibility on page 63 Migration, Upgrade, and Downgrade Instructions This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS for Junos Fusion Provider Edge. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. • Basic Procedure for Upgrading an Aggregation Device on page 50 • Upgrading an Aggregation Device with Redundant Routing Engines on page 52 • Preparing the Switch for Satellite Device Conversion on page 53 Copyright © 2016, Juniper Networks, Inc. 49 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • Autoconverting a Switch into a Satellite Device on page 54 • Manually Converting a Switch into a Satellite Device on page 56 • Configuring a Switch into a Satellite Device Before Connecting It to a Junos Fusion Topology on page 58 • Configuring Satellite Device Upgrade Groups on page 59 • Converting a Satellite Device to a Standalone Device on page 60 • Upgrade and Downgrade Support Policy for Junos OS Releases on page 62 • Downgrading from Release 14.2 on page 63 Basic Procedure for Upgrading an Aggregation Device When upgrading or downgrading Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide. NOTE: Before upgrading, back up the file system and the currently active Junos OS configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command: user@host> request system snapshot The installation process rebuilds the file system and completely reinstalls Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files), might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. See the Junos OS Administration Library for Routing Devices. 50 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions The download and installation process for Junos OS Release 14.2R7 is different from previous Junos OS releases. 1. Using a Web browser, navigate to the Download Software URL on the Juniper Networks webpage: http://www.juniper.net/support/downloads/ 2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. 3. Select By Technology > Junos Platform > Junos Fusion to find the software that you want to download. 4. Select the release number (the number of the software version that you want to download) from the Version drop-down list to the right of the page. 5. Select the Software tab. 6. Select the software package for the release. 7. Review and accept the End User License Agreement. 8. Download the software to a local host. 9. Copy the software to the routing platform or to your internal software distribution site. 10. Install the new jinstall package on the aggregation device. NOTE: We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process. Customers in the United States and Canada, use the following commands. • For 64-bit software: NOTE: We highly recommend using 64-bit Junos OS software when implementing Junos Fusion. user@host> request system software add validate reboot source/jinstall64-14.2R7.5-domestic-signed.tgz • For 32-bit software: user@host> request system software add validate reboot source/jinstall-14.2R7.5-domestic-signed.tgz All other customers, use the following commands. • For 64-bit software: NOTE: We highly recommend using 64-bit Junos OS software when implementing Junos Fusion. Copyright © 2016, Juniper Networks, Inc. 51 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion user@host> request system software add validate reboot source/jinstall64-14.2R7.5-export-signed.tgz • For 32-bit software: user@host> request system software add validate reboot source/jinstall-14.2R7.5-export-signed.tgz Replace source with one of the following values: • /pathname—For a software package that is installed from a local directory on the router. • For software packages that are downloaded and installed from a remote location: • ftp://hostname/pathname • http://hostname/pathname • scp://hostname/pathname (available only for Canada and U.S. version) The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release. Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes. Rebooting occurs only if the upgrade is successful. NOTE: After you install a Junos OS Release 14.2R7 jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software. Upgrading an Aggregation Device with Redundant Routing Engines If the aggregation device has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to minimize disrupting network operations as follows: 1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine and save the configuration change to both Routing Engines. 2. Install the new Junos OS release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine. 3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software. 4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine. 52 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions For the detailed procedure, see the Installation and Upgrade Guide. Preparing the Switch for Satellite Device Conversion Satellite devices in a Junos Fusion topology use a satellite software package that is different from the standard Junos OS software package. Before you can install the satellite software package on a satellite device, you first need to upgrade the target satellite device to an interim Junos OS software version that can be converted to satellite software. Table 2 on page 53 shows a support matrix that maps Junos OS software used in aggregation devices to the compatible preconverted switch software and satellite device software. Table 2: Aggregation Device Junos OS Software Compatibility with Satellite Software Aggregation Device Version Switch Version Satellite Device Software Version Junos OS Release 14.2R3 Junos OS Release 14.1X53-D16 or later 1.0R1 Junos OS Release 14.2R4 Junos OS Release 14.1X53-D25 or later 1.0R1-S2 Junos OS Release 14.2R5 Junos OS Release 14.1X53-D30 or later 1.0R2 Junos OS Release 14.2R6 Junos OS Release 14.1X53-D30 or later 1.0R3 Junos OS Release 14.2R7 Junos OS Release 14.1X53-D30 or later 1.0R4 Customers with EX4300 switches, use the following command: user@host> request system software add validate reboot source/jinstall-ex-4300-14.1X53-D30.3-domestic-signed.tgz Customers with QFX5100 switches, use the following command: user@host> request system software add validate reboot source/jinstall-qfx-5-14.1X53-D30.3-domestic-signed.tgz When the interim installation has completed and the switch is running a version of Junos OS that is compatible with satellite device conversion, perform the following steps: 1. Log in to the device using the console port. 2. Clear the device: [edit] user@satellite-device# request system zeroize NOTE: The device reboots to complete the procedure for resetting the device. If you are not logged in to the device using the console port connection, your connection to the device is lost after entering the request system zeroize command. If you lose your connection to the device, log in using the console port. Copyright © 2016, Juniper Networks, Inc. 53 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 3. (EX4300 switches only) After the reboot is complete, convert the built-in 40-Gbps QSFP+ interfaces from Virtual Chassis ports (VCPs) into network ports: user@satellite-device> request virtual-chassis vc-port delete pic-slot 1 port port-number For example, to convert all four built-in 40-Gbps QSFP+ interfaces on an EX4300-24P switch into network ports: user@satellite-device>request virtual-chassis vc-port delete pic-slot 1 port 0 user@satellite-device> request virtual-chassis vc-port delete pic-slot 1 port 1 user@satellite-device> request virtual-chassis vc-port delete pic-slot 1 port 2 user@satellite-device> request virtual-chassis vc-port delete pic-slot 1 port 3 This step is required for the 40-Gbps QSFP+ interfaces that will be used as uplink interfaces in a Junos Fusion topology. Built-in 40-Gbps QSFP+ interfaces on EX4300 switches are configured into VCPs by default, and the default settings are restored after the device is reset. After this initial preparation, you can use one of three methods to convert your switches into satellite devices—autoconversion, manual conversion, and preconfiguration. Autoconverting a Switch into a Satellite Device Use this procedure to automatically configure a switch into a satellite device when it is cabled into the aggregation device. You can use the autoconversion procedure to add one or more satellite devices to your Junos Fusion topology. The autoconversion procedure is especially useful when you are adding multiple satellite devices to Junos Fusion, because it allows you to easily configure the entire topology before or after cabling the satellite devices to the aggregation devices. Before you begin: • Ensure that your aggregation device is running Junos OS Release 14.2R5 or later, and that the satellite devices are running Junos OS Release 14.1X53-D30 or later. To autoconvert a switch into a satellite device: 1. Cable a link between the aggregation device and the satellite device, if desired. NOTE: You can cable the aggregation device to the satellite device at any point in this procedure. When the aggregation device is cabled to the satellite device during this procedure, the process for converting a switch into a satellite device to finalize this process occurs immediately. If the aggregation device is not cabled to the satellite device, the process for converting a switch into a satellite device to finalize this process starts when the satellite device is cabled to the aggregation device. 2. Log in to the aggregation device. 3. Configure the cascade ports. 54 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions For example, to configure interface xe-0/0/1 on the aggregation device into a cascade port: [edit] user@aggregation-device# set interfaces xe-0/0/1 cascade-port 4. Associate an FPC slot ID with each satellite device. Examples: • To configure the FPC slot ID of the satellite device that is connected to xe-0/0/1 to 101: [edit] user@aggregation-device# set chassis satellite-management fpc 101 cascade-ports xe-0/0/1 • To map FPC slot ID 101 to the satellite device using the serial number ABCDEFGHIJKL: [edit] user@aggregation-device# set chassis satellite-management fpc 101 serial-number ABCDEFGHIJKL • To map FPC slot ID to the satellite device using MAC address 12:34:56:AB:CD:EF: [edit] user@aggregation-device# set chassis satellite-management fpc 110 system-id 12:34:56:AB:CD:EF 5. (Recommended) Configure an alias name for the satellite device: [edit] user@aggregation-device# set chassis satellite-management fpc slot-id alias alias-name where slot-id is the FPC slot ID of the satellite device defined in the previous step, and alias-name is the alias. For example, to configure the satellite device numbered 101 as qfx5100-48s-1: [edit] user@aggregation-device# set chassis satellite-management fpc 101 alias qfx5100-48s-1 6. Configure an FPC slot ID into a software upgrade group. For example, to add a satellite device with FPC number 101 to an existing software group named group1, or create a software upgrade group named group1 and add a satellite device with FPC slot 101 to the group: [edit] user@aggregation-device# set chassis satellite-management upgrade-group group1 satellite 101 If you are creating a new software upgrade group in this step, you also need to associate the group with a satellite software image. You can skip this final step if the software upgrade group has been created and an association already exists. Before associating a satellite software image with a satellite software group, the configuration with the satellite software upgrade group must be committed: [edit] user@satellite-device# commit synchronize After committing the configuration, associate a satellite software image named satellite-1.0R4.2-signed.tgz to the upgrade group named group1: user@aggregation-device> request system software add /var/tmp/satellite-1.0R4.2-signed.tgz upgrade-group group1 Copyright © 2016, Juniper Networks, Inc. 55 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 7. Enable automatic satellite conversion: [edit] user@aggregation-device# set chassis satellite-management auto-satellite-conversion satellite slot-id For example, to automatically convert FPC 101 into a satellite device: [edit] user@aggregation-device# set chassis satellite-management auto-satellite-conversion satellite 101 8. Commit the configuration: [edit] user@aggregation-device# commit If you want to commit the configuration to both Routing Engines: [edit] user@aggregation-device# commit synchronize The satellite software upgrade on the satellite device begins after this final step is completed, or after you cable the satellite device to a cascade port using automatic satellite conversion if you have not already cabled the satellite device to the aggregation device. After the satellite software update, the switch operates as a satellite device in the Junos Fusion topology Manually Converting a Switch into a Satellite Device Use this procedure to manually convert a switch into a satellite device after cabling it into the Junos Fusion topology. This procedure should be used to convert a switch that is not currently acting as a satellite device into a satellite device. A switch might not be recognized as a satellite device for several reasons, including that the device was not previously autoconverted into a satellite device or that the switch had previously been reverted from a satellite device to a standalone switch. Before you begin: • Ensure that your aggregation device is running Junos OS Release 14.2R5 or later, and that the switches that will become satellite devices are running Junos OS Release 14.1X53-D30 or later. To manually convert a switch into a satellite device: 1. Cable a link between the aggregation device and the satellite device. 2. Log in to the aggregation device. 3. Configure the link on the aggregation device into a cascade port, if you have not done so already. For example, to configure interface xe-0/0/1 on the aggregation device into a cascade port: [edit] user@aggregation-device# set interfaces xe-0/0/1 cascade-port 56 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions 4. Associate an FPC slot ID with the satellite device. Examples: • To configure the FPC slot ID of the satellite device that is connected to xe-0/0/1 to 101: [edit] user@aggregation-device# set chassis satellite-management fpc 101 cascade-ports xe-0/0/1 • To map FPC slot ID 101 to the satellite device using the serial number ABCDEFGHIJKL: [edit] user@aggregation-device# set chassis satellite-management fpc 101 serial-number ABCDEFGHIJKL • To map FPC slot ID to the satellite device using MAC address 12:34:56:AB:CD:EF: [edit] user@aggregation-device# set chassis satellite-management fpc 110 system-id 12:34:56:AB:CD:EF 5. Configure the interface on the aggregation device into a software upgrade group. For example, to add a satellite device with FPC number 101 to an existing software group named group1, or create a software upgrade group named group1 and add a satellite device configured with FPC number 101 to the group: [edit] user@aggregation-device# set chassis satellite-management upgrade-group group1 satellite 101 If you are creating a new software upgrade group in this step, you also need to associate the group with a satellite software image. You can skip this final step if the software upgrade group has been created and an association already exists. Before associating a satellite software image with a satellite software group, the configuration with the satellite software upgrade group must be committed: [edit] user@satellite-device# commit synchronize After committing the configuration, associate a satellite software image named satellite-1.0R4.2-signed.tgz to the upgrade group named group1: user@aggregation-device> request system software add /var/tmp/satellite-1.0R4.2-signed.tgz upgrade-group group1 6. Manually configure the switch into a satellite device: user@aggregation-device> request chassis satellite interface interface-name device-mode satellite For example, to manually configure the switch that is connecting the satellite device to interface xe-0/0/1 on the aggregation device into a satellite device: user@aggregation-device> request chassis satellite interface xe-0/0/1 device-mode satellite The satellite software upgrade on the satellite device begins after this final step is completed. After the satellite software update, the switch operates as a satellite device in the Junos Fusion topology Copyright © 2016, Juniper Networks, Inc. 57 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Configuring a Switch into a Satellite Device Before Connecting It to a Junos Fusion Topology Use this procedure to install the satellite software onto a switch before interconnecting it into a Junos Fusion topology as a satellite device. Installing the satellite software on a switch before interconnecting it to a Junos Fusion topology allows you to more immediately deploy the switch as a satellite device by avoiding the downtime associated with the satellite software installation procedure for Junos Fusion. Before you begin: • Ensure that your switch that will become a satellite device is running Junos OS Release 14.1X53-D30 or later. • Ensure that you have copied the satellite software onto the device that will become a satellite device. NOTE: Ensure there is sufficient space available in the /var/tmp directory to be able to copy the software to the switch (especially for EX4300 switches). If there is not enough memory available, issue the request system storage cleanup command on the device before attempting to perform the conversion. In satellite software release 1.0R3 and later, a satellite-ppc-release-signed.tgz package is included specifically for converting Junos OS to satellite software on an EX4300 switch to address a memory space issue. The satellite-ppc package is to be used only for configuring a standalone EX4300 switch into a satellite device before connecting it to a Junos Fusion topology. 1. You can manually install the satellite software onto a switch by entering the following command: user@satellite-device> request chassis device-mode satellite URL-to-satellite-software For instance, to install the satellite software package satellite-1.0R4.2-signed.tgz stored in the /var/tmp/ directory on the switch: user@satellite-device> request chassis device-mode satellite /var/tmp/satellite-1.0R4.2-signed.tgz • To install satellite software onto a QFX5100 switch, use the satellite-1.0R4.2-signed.tgz satellite software package. • To install satellite software onto a EX4300 switch, use the satellite-ppc-1.0R4.2-signed.tgz satellite software package. 2. The device will reboot to complete the satellite software installation. 58 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions After the satellite software is installed, follow this procedure to connect the switch into a Junos Fusion topology: 1. Log in to the aggregation device. 2. Configure the link on the aggregation device into a cascade port, if you have not done so already. For example, to configure interface xe-0/0/1 on the aggregation device into a cascade port: [edit] user@aggregation-device# set interfaces xe-0/0/1 cascade-port 3. Configure the satellite switch into a satellite software upgrade group that is using the same version of satellite software that was manually installed onto the switch. This step is advisable, but not always required. Completing this step ensures that the satellite software on your device is upgraded to the version of satellite software associated with the satellite software upgrade group when the satellite device connects to the aggregation device. 4. Commit the configuration. To commit the configuration to both Routing Engines: [edit] user@aggregation-device# commit synchronize To commit the configuration to a single Routing Engine: [edit] user@aggregation-device# commit 5. Cable a link between the aggregation device and the satellite device. Configuring Satellite Device Upgrade Groups To simplify the upgrade process for multiple satellite devices, you can create a software upgrade group at the aggregation device, assign satellite devices to the group, and install the satellite software on a groupwide basis. To create a software upgrade group and assign satellite devices to the group, include the satellite statement at the [edit chassis satellite-management upgrade-groups upgrade-group-name] hierarchy level. To configure a software upgrade group and assign satellite devices to the group: 1. Log in to the aggregation device. 2. Create the software upgrade group, and add the satellite devices to the group. [edit] user@aggregation-device# set chassis satellite-management upgrade-groups upgrade-group-name satellite satellite-member-number-or-range upgrade-group-name is the name of the upgrade group, and the satellite-member-number-or-range is the member numbers of the satellite devices that are being added to the upgrade group. If you enter an existing upgrade group name as Copyright © 2016, Juniper Networks, Inc. 59 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion the upgrade-group-name, you add new satellite devices to the existing software upgrade group. For example, to create a software upgrade group named group1 that includes all satellite devices numbered 101 through 120, configure the following: [edit] user@aggregation-device# set chassis satellite-management upgrade-groups group1 satellite 101-120 To install, remove, or roll back a satellite software version on an upgrade group, issue the following operational mode commands: • request system software add upgrade-group group-name—Install the satellite software on all members of the specified upgrade group. • request system software delete upgrade-group group-name—Remove the satellite software association from the specified upgrade group. • request system software rollback upgrade-group group-name—Associate an upgrade group with a previous version of satellite software. Customers installing satellite software on EX4300 and QFX5100 switches referenced in a software upgrade group, use the following command: user@aggregation-device> request system software add upgrade-group group-name source/satellite-1.0R4.2-signed.tgz A copy of the satellite software is saved on the aggregation device. When you add a satellite device to an upgrade group that is not running the same satellite software version, the new satellite device is automatically updated to the version of satellite software that is associated with the upgrade group. You can issue the show chassis satellite software command to see which software images are stored on the aggregation device and which upgrade groups are associated with the software images. Converting a Satellite Device to a Standalone Device In the event that you need to convert a satellite device to a standalone device, you will need to install a new Junos OS software package on the satellite device and remove it from the Junos Fusion topology. NOTE: If the satellite device is a QFX5100 switch, you need to install a PXE version of Junos OS. The PXE version of Junos OS is the software that includes pxe in the Junos OS package name when it is downloaded from the Software Center—for example, the PXE image for Junos OS Release 14.1X53-D30 is named install-media-pxe-qfx-5-14.1X53-D30.3.tgz. If the satellite device is an EX4300 switch, you install a standard jinstall-ex-4300 version of Junos OS. 60 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions The following steps explain how to download software, remove the satellite device from Junos Fusion, and install the Junos OS software image on the satellite device so that the device can operate as a standalone device. 1. Using a Web browser, navigate to the Junos OS software download URL on the Juniper Networks webpage: http://www.juniper.net/support/downloads 2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. 3. Select By Technology > Junos Platform > Junos Fusion from the drop-down list and select the switch platform series and model for your satellite device. 4. Select the Junos OS Release 14.1X53-D30 software image for your platform. 5. Review and accept the End User License Agreement. 6. Download the software to a local host. 7. Copy the software to the routing platform or to your internal software distribution site. 8. Remove the satellite device from the automatic satellite conversion configuration. If automatic satellite conversion is enabled for the satellite device’s member number, remove the member number from the automatic satellite conversion configuration. The satellite device’s member number is the same as the FPC slot ID. You can check the automatic satellite conversion configuration by entering the show command at the [edit chassis satellite-management auto-satellite-conversion] hierarchy level. [edit] user@aggregation-device# delete chassis satellite-management auto-satellite-conversion satellite member-number For example, to remove member number 101 from Junos Fusion: [edit] user@aggregation-device# delete chassis satellite-management auto-satellite-conversion satellite 101 9. Commit the configuration. To commit the configuration to both Routing Engines: [edit] user@aggregation-device# commit synchronize Otherwise, commit the configuration to a single Routing Engine: [edit] user@aggregation-device# commit 10. Install the Junos OS software on the satellite device to convert the device to a standalone device. [edit] user@aggregation-device> request chassis satellite install URL-to-software-package fpc-slot member-number For example, to install a PXE software package stored in the /var/tmp directory on the aggregation device onto a QFX5100 switch acting as the satellite device using FPC slot 101: Copyright © 2016, Juniper Networks, Inc. 61 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion [edit] user@aggregation-device> request chassis satellite install /var/tmp/install-media-pxe-qfx-5-14.1X53-D30.3.tgz fpc-slot 101 For example, to install a software package stored in the var/tmp directory on the aggregation device onto an EX4300 switch acting as the satellite device using FPC slot 101: [edit] user@aggregation-device> request chassis satellite install /var/tmp/jinstall-ex-4300-14.1X53-D30.3-domestic-signed.tgz fpc-slot 101 The satellite device stops participating in the Junos Fusion topology once the software installation starts. The software upgrade starts after this command is entered. 11. Wait for the reboot that accompanies the software installation to complete. 12. When you are prompted to log back into your device, uncable the device from the Junos Fusion topology. See Removing a Transceiver from a QFX Series Device or Removing a Transceiver from a Switch, as needed. Your device has been removed from Junos Fusion. NOTE: The device uses a factory default configuration after the Junos OS installation is complete. Upgrade and Downgrade Support Policy for Junos OS Releases Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases. You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS Release 11.4 to Junos OS Release 10.3. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release. For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html 62 Copyright © 2016, Juniper Networks, Inc. Product Compatibility Downgrading from Release 14.2 To downgrade from Release 14.2 to another supported release, follow the procedure for upgrading, but replace the 14.2 jinstall package with one that corresponds to the appropriate release. NOTE: You cannot downgrade more than three releases. For example, if your routing platform is running Junos OS Release 11.4, you can downgrade the software to Release 10.4 directly, but not to Release 10.3 or earlier; as a workaround, you can first downgrade to Release 10.4 and then downgrade to Release 10.3. For more information, see the Installation and Upgrade Guide. Related Documentation • New and Changed Features on page 31 • Changes in Behavior and Syntax on page 41 • Known Behavior on page 42 • Known Issues on page 43 • Resolved Issues on page 44 • Documentation Updates on page 49 • Product Compatibility on page 63 Product Compatibility • Hardware Compatibility on page 63 Hardware Compatibility To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guides for the devices used in your Junos Fusion Provider Edge topology. To determine the features supported on Junos Fusion devices, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: http://pathfinder.juniper.net/feature-explorer/. Related Documentation • New and Changed Features on page 31 • Changes in Behavior and Syntax on page 41 • Known Behavior on page 42 • Known Issues on page 43 • Resolved Issues on page 44 • Documentation Updates on page 49 Copyright © 2016, Juniper Networks, Inc. 63 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • 64 Migration, Upgrade, and Downgrade Instructions on page 49 Copyright © 2016, Juniper Networks, Inc. Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers These release notes accompany Junos OS Release 14.2R7 for the M Series, MX Series, and T Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software. You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at http://www.juniper.net/techpubs/software/junos/. CAUTION: This release introduces some behavior changes to the unified in-service software upgrade (ISSU) functionality for M Series, MX Series, and T Series routers. We recommend that you not use unified ISSU to upgrade from an earlier Junos OS release to Junos OS Release 14.2. • New and Changed Features on page 65 • Changes in Behavior and Syntax on page 104 • Known Behavior on page 119 • Known Issues on page 121 • Resolved Issues on page 139 • Documentation Updates on page 242 • Migration, Upgrade, and Downgrade Instructions on page 250 • Product Compatibility on page 260 New and Changed Features This section describes the new features and enhancements to existing features in Junos OS Release 14.2R7 for the M Series, MX Series, and T Series. • Hardware on page 66 • Authentication, Authorization and Accounting (AAA) (RADIUS) on page 67 • Class of Service (CoS) on page 67 • General Routing on page 68 • High Availability (HA) and Resiliency on page 68 • Interfaces and Chassis on page 70 • IPv4 on page 80 • IPv6 on page 80 • Junos Fusion on page 80 • Layer 2 Features on page 80 • Layer 2 VPN on page 82 • Management on page 82 • MPLS on page 82 Copyright © 2016, Juniper Networks, Inc. 65 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • Multicast on page 84 • Network Management and Monitoring on page 85 • Operation, Administration, and Maintenance (OAM) on page 87 • Routing Policy and Firewall Filters on page 89 • Routing Protocols on page 91 • Services Applications on page 93 • Software-Defined Networking (SDN) on page 97 • Software Installation and Upgrade on page 98 • Subscriber Management and Services on page 98 • System Management on page 101 • User Interface and Configuration on page 101 • VPNs on page 101 Hardware • SFPP-10G-DT-ZRC2 (MX Series)—Starting in Junos OS Release 14.2, the SFPP-10G-DT-ZRC2 tunable transceiver provides a duplex LC connector and supports the 10GBASE-Z optical interface specification and monitoring. The transceiver is not specified as part of the 10-Gigabit Ethernet standard and is instead built according to Juniper Networks specifications. The SFPP-10G-DT-ZRC2 transceiver supports WAN-PHY and LAN-PHY modes. To configure the wavelength on the transceiver, use the wavelength statement at the [edit interfaces interface-name optics-options] hierarchy level. The following interface modules support the SFPP-10G-DT-ZRC2 transceiver: MX Series MPCs and MICs: • 10-Gigabit Ethernet MIC with SFP+ (model number: MIC3-3D-10XGE-SFPP)—Supported in Junos OS Release 12.3R6, 13.2R3, 13.3R2, 14.1R1, and later • 16-port 10-Gigabit Ethernet MPC (model number: MPC-3D-16XGE-SFPP)—Supported in Junos OS Release 12.3R8, 13.2R5, 13.3R3, 14.1R2, 14.2, and later • 32-port 10-Gigabit Ethernet MPC4E (model number: MPC4E-3D-32XGE-SFPP)—Supported in Junos OS Release 12.3R6, 13.2R3, 13.3R2, 14.1R1, and later • 2-port 100-Gigabit Ethernet + 8-port 10-Gigabit Ethernet MPC4E (model number: MPC4E-3D-2CGE-8XGE)—Supported in Junos OS Release 12.3R6, 13.2R3, 13.3R2, 14.1R1, and later For more information about interface modules, see the “Cables and Connectors” section in the Interface Module Reference for your router. 66 Copyright © 2016, Juniper Networks, Inc. New and Changed Features [See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications, MX Series Interface Module Reference, and wavelength.] Authentication, Authorization and Accounting (AAA) (RADIUS) • RADIUS functionality over IPv6 for system AAA—Starting in Release 14.2, Junos OS supports RADIUS functionality over IPv6 for system AAA (authentication, authorization, and accounting) in addition to the existing RADIUS functionality over IPv4 for system AAA. With this feature, Junos OS users can log in to the router authenticated through RADIUS over an IPv6 network. Thus, Junos OS users can now configure both IPv4 and IPv6 RADIUS servers for AAA. To accept the IPv6 source address, include the source-address-inet6 statement at the [edit system radius-server ipv6] hierarchy level. (If an IPv6 RADIUS server is configured without any source-address-inet6, default ::0 is used as the source address.) [See Configuring RADIUS Authentication, and Configuring RADIUS System Accounting.] Class of Service (CoS) • Support for user-configurable traffic class map (T4000 routers with Type 5 FPC)—Starting with Junos OS Release 14.2 introduces a user-configurable input priority map, known as a traffic class map, that helps prioritize and classify input traffic entering a Packet Forwarding Engine during ingress oversubscription. You can define traffic class maps for a packet on the basis of the following CoS code points: • Differentiated Services code point (DSCP) for IP DiffServ • IP precedence bits • MPLS EXP bits • IEEE 802.1p CoS bits • IEEE-802.1ad drop eligible indicator (DEI) bits You can associate the traffic class map to one of the following traffic classes: • Real time • Network control • Best effort [See Configuring Traffic Class Maps.] • Source class accounting (T4000)—Starting with Junos OS Release 14.2, the source class accounting is performed at the ingress on a T4000 Type 5 FPC in T4000 routers. [See Understanding Source Class Usage and Destination Class Usage Options.] • Increased per-VC bandwidth speed on ATM MIC with SFP (MX Series with MPCs and ATM MIC with SFP)—Starting in Junos OS Release 14.2, you can configure constant bit rate (CBR) bandwith speeds up to 622 Mbps (OC12) per virtual circuit (VC) on an MX Series router with an ATM MIC with SFP (model number MIC-3D-8OC3-2OC12-ATM) and a supported MPC installed. In earlier Junos OS releases, you could configure per-VC CBR bandwidth speeds only up to 155 Mbps (OC3) on an ATM MIC with SFP. Copyright © 2016, Juniper Networks, Inc. 67 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion With the increased per-VC CBR bandwidth speed, each VC can support up to line rate traffic in OC12 mode, subject to the following restrictions: • You must configure the CBR service category when you define the ATM traffic shaping and scheduling profile. For other ATM service categories including variable bit rate nonreal time (VBR-NRT), variable bit rate real time (VBR-RT), and unspecified bit rate (UBR), the per-VC bandwidth speed for an ATM MIC with SFP remains a maximum of 155 Mbps. • The actual Layer 3 payload throughput you obtain depends on the ATM encapsulation type and IP packet size you use. [See CoS on Circuit Emulation ATM MICs Overview.] • Support for packet marking schemes on a per-customer basis (MX Series)—Traditionally, packet marking in Junos OS uses the forwarding class and loss priority determined from a BA classifier or multifield classifier. This approach does not allow for direct assignment of rewrite rules on a per-customer basis due to the limited number of combinations of forwarding class and loss priority. Beginning with Junos OS Release 14.2R3, there is a packet marking scheme, called policy map, that allows the definition of rewrite rules on a per-customer basis. Policy maps are defined at the [edit class-of-service policy-map] hierarchy level and can be assigned to a customer through a firewall action, an ingress interface, or a routing policy. General Routing • Configurable TCP MSS value (MX Series)—Starting in Junos OS Release 14.2, you can configure the TCP MSS value on MX Series routers. To specify a TCP MSS value, include the tcp-mss statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level. • Configuring routing process mode (MX Series)— Starting in Junos OS Release 14.2, you can configure routing process mode to 64-bit mode or 32-bit mode. [See routing.] High Availability (HA) and Resiliency • 68 Support for Ethernet alarm indication signal (MX Series)—Starting with Junos OS Release 14.2, ITU-T Y.1731 Ethernet alarm indication signal function (ETH-AIS) is supported on MX Series routers. ETH-AIS provides fault management for service providers where it enables the service provider to suppress alarms when a fault condition is detected. Using ETH-AIS, you can differentiate faults at the customer level and faults at the provider level. When a fault condition is detected, a maintenance end point (MEP) generates and transmits ETH-AIS packets to the configured router for a specified duration until the fault condition is cleared. An MEP that is configured to generate ETH-AIS packets transmits the signals to a level higher than its own. Therefore, the MEP receiving ETH-AIS packets recognizes that the fault is at a lower level and suppresses alarms at its own level. Copyright © 2016, Juniper Networks, Inc. New and Changed Features MX Series routers support ETH-AIS protocol data unit (PDU) generation for server MEPs on the basis of the following defect conditions: • Loss of connectivity (physical link loss detection) • Layer 2 circuit or Layer 2 VPN down [See Ethernet Alarm Indication Signal (ETH-AIS) Function Overview.] • MX Series Virtual Chassis support for logical systems (MX Series with MPCs)—Starting in Junos OS Release 14.2, MX Series Virtual Chassis configurations support the use of logical systems. A logical system independently performs a subset of the tasks performed by the main router and has a unique routing table, and unique interfaces, policies, and routing instances. In earlier Junos OS releases, MX Series Virtual Chassis configurations do not support the logical systems feature. To configure routing policies or enable a protocol such as OSPF when you are using logical systems with an MX Series Virtual Chassis, you must include routing policy configuration statements at the [edit logical-systems logical-system-name policy-options] hierarchy level, and protocol configuration statements at the [edit logical-systems logical-system-name protocols] hierarchy level. [See Introduction to Logical Systems.] • MX Series Virtual Chassis support on MS-MPCs (MX Series with MS-MPCs)—Starting in Junos OS Release 14.2, you can configure a two-member MX Series Virtual Chassis to use the stateful firewall advanced service on MX240, MX480, or MX960 routers with Multiservices MPCs (MS-MPCs) and Multiservices MICs (MS-MICs) installed. A two-member MX Series Virtual Chassis configuration supports a maximum of four MS-MPCs and four MS-MICs per Virtual Chassis. In earlier Junos OS releases, MX240, MX480, and MX960 routers did not support MS-MPCs or MS-MICs in MX Series Virtual Chassis configurations. • Support for MS-MPC on SCBE2 (MX Series)—Starting with Junos OS Release 14.2R2, MS-MPC is supported on SCBE2 on MX240, MX480, and MX960 routers. • MX Series Virtual Chassis support for MX2010 and MX2020 member routers (MX Series with MPCs/MICs)—Starting in Junos OS Release 14.2R2, you can configure an MX2010 router or MX2020 router as a member router in an MX Series Virtual Chassis. In earlier releases, MX2010 routers and MX2020 routers cannot function as member routers in an MX Series Virtual Chassis. In a two-member Virtual Chassis configuration, the following member router combinations are supported with an MX2010 router or MX2020 router: • MX960 router and MX2010 router • MX960 router and MX2020 router • MX2010 router and MX2020 router • MX2010 router and MX2010 router • MX2020 router and MX2020 router Copyright © 2016, Juniper Networks, Inc. 69 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion To ensure that a Virtual Chassis configuration consisting of an MX2020 router and either an MX960 router or MX2010 router forms properly, you must issue the request virtual-chassis member-id set member member-id slots-per-chassis slot-count command, where member-id is the member ID (0 or 1) configured for the MX960 router or MX2010 router, and slot-count is 20 to match the slot count for the MX2020 router. In addition, for a Virtual Chassis that includes an MX2020 member router, all four Routing Engines in the Virtual Chassis configuration must have at least 16 gigabytes of memory. • Enhancements made to unified ISSU for VRRPv3 to avoid adjacency flap (M Series and MX Series)—Starting in Junos OS Release 14.2R2, enhancements have been made to maintain protocol adjacency with peer routers during unified ISSU and to maintain interoperability among equipment and with other Junos OS releases and other Juniper Networks products. This design is for VRRPv3 only. VRRPv1 and VRRPv2 are not supported. The show vrrp command output is updated to display unified ISSU information. Interfaces and Chassis • • Unified in-service software upgrade support—Starting with Junos OS Release 14.2, unified in-service software upgrade (unified ISSU) is supported on the following MICs: • Channelized SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP • Channelized SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP • Channelized E1/T1 Circuit Emulation MIC • DS3/E3 MIC Support for inline active flow monitoring (T4000 routers with T4000-FPC5-3D)—Beginning with Release 14.2, Junos OS supports inline active flow monitoring services on T4000 routers with T4000-FPC5-3D. Inline active flow monitoring is implemented on the Packet Forwarding Engine. Inline active flow monitoring supports version 9 and IPFIX flow collection templates. [See Configuring Inline Active flow Monitoring.] • New command to set the license mode for MPCs (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Junos OS Release 14.2, you can set the license mode for enhanced MPCs such as MPC4E, MPC5E, and MPC6E by including the ir-mode configuration statement at the [edit chassis fpc] hierarchy level. Setting the license mode enables you to distinguish between an MPC with an IR license and an MPC with an R license after the MPC is installed on the router. NOTE: You cannot set or alter the license of the MPC when you configure the mode. The license mode settings are used only to provide information. The license mode settings are set per slot. If the MPC is installed on a different slot, or moved to another device, the license mode settings must be re-configured on the new slot or device. Also, the license mode settings configured on the previous slot must be removed. To view the current license mode settings, as well as the effect of the new 70 Copyright © 2016, Juniper Networks, Inc. New and Changed Features settings, use the show chassis fpc and show chassis hardware extensive commands. To delete the license mode settings, use the delete chassis fpc command. • Supported for mixed-mode aggregated Ethernet (MX Series)—Starting with Junos OS Release 14.2, support for mixed aggregated Ethernet bundles is extended to MX240, MX480, MX960, MX2010, and MX2020 routers, thereby enabling you to configure the MPC-based member links with any combination of rates—10-Gigabit Ethernet, 40-Gigabit Ethernet, and 100-Gigabit Ethernet—on an aggregated Ethernet interface. [See Understanding Mixed Rates and Mixed Modes on Aggregated Ethernet Bundles.] • Support for MPC5E on SCBE2 (MX Series)—Starting with Junos OS Release 14.2, MPC5E is supported on SCBE2 on the MX240, MX480, and MX960. • Entropy label support in mixed mode (MX Series)—Beginning with Junos OS Release 14.2, the entropy label is supported in mixed mode for chassis. MX Series 3D Universal Edge Router DPCs support the pop-out entropy label but do not support the flow label. The entropy label can be configured without enhanced-ip configuration. • Support for private VLAN (MX240, MX480, and MX960)—Starting with Junos OS Release 14.2, you can configure a private VLAN on a single MX Series router to span multiple MX Series routers. VLANs limit broadcasts to specified users. Private VLANs take this concept a step further by limiting communication within the VLAN. Private VLANs accomplish this limitation by restricting traffic flows through their member switch ports (which are called private ports) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port (or link aggregation group or LAG) is usually connected to a router, firewall, server, or provider network. Each private VLAN typically contains many private ports that communicate only with a single uplink, thereby preventing the ports from communicating with each other. Private VLANs provide Layer 2 isolation between ports within the same VLAN, splitting a broadcast domain into multiple isolated broadcast subdomains and essentially putting secondary VLANs inside another primary VLAN. You can configure an isolated VLAN within a private VLAN that spans multiple switches by including the isolated-vlan vlan-id statement at the [edit bridge-domains bridge-domain-name] hierarchy level. You configure an interface to be the trunk port, connecting routers that are configured with a private VLAN across these routers by including the interface-mode trunk inter-switch-link statement at the [edit interfaces ethernet-interface-name unit logical-unit-number family bridge] hierarchy level. The private VLAN trunk port is a member of all the VLANs within the private VLAN (that is, the primary VLAN, the community VLANs, and the interswitch isolated VLAN). It can communicate with all ports other than the isolated ports. You configure a community VLAN, which is a secondary VLAN that transports frames among community interfaces within the same community and forwards frames upstream to the primary VLAN, by specifying a list of VLAN IDs separated by spaces by including the community-vlan vlan-ids statement at the [edit bridge-domains bridge-domain-name] hierarchy level. This functionality is supported only on MX240, MX480, and MX960 routers that function in enhanced LAN mode (by entering the network-services lan statement at the [edit chassis] hierarchy level). • Port-based network access control (MX240, MX480, and MX960)—Starting in Junos OS Release 14.2, support is implemented for controlling access to your network through Copyright © 2016, Juniper Networks, Inc. 71 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion an MX Series router by using several different authentication methods, by configuring 802.1X, MAC RADIUS, or a captive portal. This functionality is supported on an MX Series Virtual Chassis combination that functions in enhanced LAN mode (by entering the network-services lan statement at the [edit chassis] hierarchy level). Port-based network access control is supported on MX240, MX480, and MX960 routers with MPCs in both the MX-LAN mode and the non-MX-LAN mode (with other supported network services modes on MPCs on these routers). To configure the IEEE 802.1x Port-Based Network Access Control protocol on Ethernet interfaces, you must configure the authenticator statement at the [edit protocols authentication-access-control] hierarchy level. You can also configure captive portal authentication on a router so that users connected to the switch are authenticated before being allowed to access the network. You can also configure Junos Pulse Access Control Service as the access policy to authenticate and authorize users connected to the switch for admission to the network and for access to protected network resources by using the uac-policy statement. • MAC RADIUS authentication (MX Series routers with DPCs and MPCs)—Starting in Junos OS Release 14.2, on MX Series routers with MPCs and DPCs, you can permit devices that are not 802.1X-enabled LAN access by configuring MAC RADIUS authentication on the MX Series router interfaces to which the hosts are connected. You can also allow non-802.1X-enabled devices to access the LAN by configuring their MAC address for static MAC bypass of authentication. You can configure MAC RADIUS authentication on an interface that also allows 802.1X authentication, or you can configure either authentication method alone. Include the mac-radius flap-on-disconnect statement at the [edit protocols dot1x authenticator interface interface-name] hierarchy level to cause the router to reset the interface on which the supplicant is authenticated when the RADIUS server sends a disconnect message to a supplicant. If the interface is configured for multiple supplicant mode, the switch resets all the supplicants on the specified interface. This option takes effect only when the restrict option is also set. To restrict authentication to MAC RADIUS only, include the mac-radius restrict statement at the [edit protocols dot1x authenticator interface interface-name] hierarchy level. In restrictive mode, all 802.1X packets are eliminated and the attached device on the interface is considered a nonresponsive host. If both MAC RADIUS and 802.1X authentication are enabled on the interface, the switch first sends the host three EAPOL requests to the host. If there is no response from the host, the switch sends the host’s MAC address to the RADIUS server to check whether it is a permitted MAC address. If the MAC address is configured as permitted on the RADIUS server, the RADIUS server sends a message to the switch that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected. • 72 Support for MACsec (MX Series)—Starting in Junos OS Release 14.2R2, you can configure Media Access Control Security (MACsec) on MX Series routers with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E). MACsec is an industry-standard security technology that provides secure communication for almost all types of traffic on Ethernet links. You can enable MACsec using static connectivity association key (CAK) security mode or static secure association key (SAK) security mode by using the connectivity-association connectivity-association-name statement and its substatements at the [edit security macsec] hierarchy level. MACsec is supported on MX Series routers in both enhanced LAN mode (by entering the Copyright © 2016, Juniper Networks, Inc. New and Changed Features network-services lan statement at the [edit chassis] hierarchy level) and in non-enhanced LAN mode. MACsec using static secure association key (SAK) security mode does not work properly on MX80 routers and FPC slots other than slot 0 of MX104 routers. MACsec is not supported with unified ISSU. After a unified ISSU operation is completed, an FPC reboot is required for MACSec to work. If you upgrade a router from an earlier Junos OS release to Release 14.2R2 using unified ISSU and MACsec is configured on that router, you must reboot the FPC for MACsec to function properly. • Support for fabric black-hole detection and recovery (TX Matrix Plus)—Starting in Junos OS Release 14.2, TX Matrix Plus routers can detect and recover from fabric faults that are not caused by hardware failure. To recover from a fabric black-hole condition, the routing matrix uses the following options: • SFC SIB Reboot • LCC SIB Reboot • FPC Reboot • Destination Reprogramming • Interchassis Link Retraining You can disable the automatic recovery feature by using the auto-recovery-disable statement at the [edit chassis fabric degraded] hierarchy level. You can also turn the FPC offline by using the fpc-offline-on-blackholing statement at the [edit chassis fabric degraded] hierarchy level if nonrecoverable errors are present in the routing matrix. [See fpc-offline-on-blackholing and auto-recovery-disable.] • Support for inclusion of element IDs 54 and 64 in IPFIX templates (MX Series)—Starting with Junos OS Release 14.2, the following attributes can be contained in IPFIX flow templates that are sent to the flow collector: • fragmentIdentification (element ID 54) • ipv6ExtensionHeaders (element ID 64) To enable the inclusion of element ID 54 and element ID 64, IPFIX flow templates that are exported to the flow collector, include the ipv6-extended-attrib statement at the [edit chassis fpc slot-number inline-services flow-table-size] hierarchy level. Collection of IPv4 fragmentation IDs occurs automatically without having to configure this setting explicitly. • Enhanced Y.1731 functionality on VPWS to support ETH-LM for dual VLAN tags (MX Series)–Staring with Release 14.2, Junos OS supports Ethernet frame loss measurement (ETH-LM) between maintenance association end points (MEPs) configured on Ethernet physical or logical interfaces on Rev-B Dense Port Concentrators (DPCs) in MX Series routers. Additionally, the Y.1731 functionality supports ETH-LM only for an end-to-end connection that uses Virtual Private Wire Service (VPWS). Prior to Junos OS Release 14.2, this functionality did not support ETH-LM for dual VLAN identifier tags. It only supported ETH-LM for untagged or single VLAN identifier tags. Starting with Junos OS Copyright © 2016, Juniper Networks, Inc. 73 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Release 14.2, the Y.1731 functionality supports ETH-LM on VPWS for dual VLAN identifier tags as well. • Support for enhanced link aggregation group on (MX Series routers with MPCs)—Starting in Junos OS Release 14.2, you can configure an enhanced link aggregation group (LAG) on MX Series routers. When you associate a physical interface with an aggregated Ethernet interface, the physical child links are also associated with the parent aggregated Ethernet interface to form a LAG. In the absence of enhanced LAG support, one child next hop is created for each member link of an aggregated Ethernet interface for each VLAN interface. For example, an aggregate next hop for an aggregated Ethernet interface with 16 member links leads to the installation of 17 next hops per VLAN created. Thus the number of next hops supported on the routers with aggregated Ethernet interfaces is significantly reduced. With the enhanced LAG support, when the set chassis network-services enhanced-ip statement is configured, child next hops are not created for member links and, as a result, a higher number of next hops can be supported. • Support for physical interface damping (M Series and MX Series )—Beginning with Junos OS 14.2, interface damping is supported on physical interfaces to address longer periodic flapping lasting 5 seconds or more, with an up and down duration of one second. This damping method limits the number of advertisements of longer interface up and down events to the upper-level protocols. For longer periodic interface flaps, configure interface damping with the damping statement at the [edit interfaces interface-name] hierarchy level. You use the show interfaces extensive command to view the interface damping values and link state. [See Damping Longer Physical Interface Transitions.] • 74 Ethernet ring protection switching (MX Series)—Starting with Junos OS Release 14.2, MX Series routers support Ethernet ring protection switching (ERPS) which is defined in ITU-T Recommendation G.8032/Y.1344 version 2. ERPS comprises the following features: • G.8032/Y.1344 version 2 compliant protocol state-machine with the new FDB flush mechanism • Support for revertive and nonrevertive mode of operation of the Ethernet ring • Support for manual commands such as manual switch, force switch, and clear commands • Support for configurable wait-to-restore, wait-to-block, and guard timers • Support for multiple logical ring instances on the same physical ring • Support for ring interconnection using non-virtual-channel mode. Ring interconnection using virtual channel mode is not supported. • Support for ring ID values from 1 through 239 • Support for ring protection link neighbor node Copyright © 2016, Juniper Networks, Inc. New and Changed Features • Support for topology change propagation from a sub-ring to an interconnected major ring • Ability to add a node or remove a node from the Ethernet ring [See Understanding Ethernet Ring Protection Switching Functionality.] • MS-MIC support (MX104)—Starting in Junos OS Release 14.2, the Multiservices MIC (MS-MIC-16G) is supported on MX104 3D Universal Edge Routers. The MS-MIC has an enhanced memory of 16 GB and provides improved scaling and high performance. The MX104 chassis is capable of supporting two MS-MICs. The MS-MIC supports the following software features: • Active flow monitoring exports flow monitoring version 9 records, based on RFC 3954 • IPsec encryption • Network Address Translation (NAT) for IP addresses • Port Address Translation (PAT) for port numbers • Real-time performance monitoring • Stateful firewall with packet inspection which detects SYN attacks, ICMP and UDP floods, and ping-of-death attacks • Traffic sampling [See Multiservices MIC.] • Support for hold-off timing synchronization (MX Series)—Starting in Junos OS Release 14.2, you can configure hold-off time for Synchronous Ethernet interfaces and external clock synchronization sources to prevent rapid successive switching. If an interface goes down, hold-off time delays short signal failures from being sent to the clock selection process. If you configure hold-off time when quality level (QL) mode is enabled, the configured quality level is used in the clock selection process during the hold-off time period. After the hold-off time period ends, a signal failure is sent to the clock selection process. To configure hold-off time, include the hold-off-time statement at the [set chassis synchronization source interfaces (external-a | external-b | interface interface-name)] hierarchy level. [See Understanding Clock Synchronization on MX Series Routers.] • Support for Synchronous Ethernet on MPC5E and MPC6E (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Release 14.2, Junos OS extends Synchronous Ethernet support to MPC5E and MPC6E on the MX240, MX480, MX960, MX2010, and MX2020 routers. MPC5E-40G10G, MPC5EQ-40G10G, MPC5E-100G10G, MPC5EQ-100G10G, and MX2K-MPC6E support Ethernet Synchronization Messaging Channel (ESMC) and external clocking. To configure Synchronous Ethernet, include the synchronization statement and its substatements at the [edit chassis] hierarchy level. Copyright © 2016, Juniper Networks, Inc. 75 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • Support for REST interfaces (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2, M Series, MX Series, and T Series routers support REST interfaces for secure connection to Junos OS devices and execution of remote procedure calls, a REST API Explorer GUI enabling you to conveniently experiment with any of the REST APIs, and a variety of formatting and display options, including JSON support. [See REST API Guide.] • Aggregated Ethernet-specific naming for logical systems—Starting in Junos OS Release 14.2, aggregated Ethernet interfaces created under a logical system can be individually named. Prior to Release 14.2, aggregated Ethernet interfaces were named automatically, AE1, AE2, and so on, upon setting the device count, and system resources were allocated for each aggregated Ethernet interface regardless of whether it was used or not. This change allows administrators to use whatever naming scheme makes sense in the context of their deployment and is more efficient in the allocation of system resources. • Increase available bandwidth by bypassing the queuing chip (MX240, MX480, MX960, MX2010, MX2020)—On MPC1 Q, MPC1E Q, MPC2 Q, MPC2 EQ, MPC2E Q, MPC2E EQ, and MPC5E Q line cards, starting with Junos OS Release 14.2, when hierarchical and per-VLAN queuing features are not required, you can bypass the queuing chip to increase the available bandwidth on an interface. You can bypass the queuing chip by enabling the bypass-queuing-chip statement at the [edit interfaces interface-name] hierarchy level. [See Increase Available Bandwidth on Rich-Queuing MPCs by Bypassing the Queuing Chip.] • Configuration support to keep an MC-LAG aggregated Ethernet link up for a peer with limited LACP capability—Starting with Junos OS Release 14.2, you can configure an aggregated Ethernet link or interface in an MC-LAG topology to remain up even when the peer link or peer interface has limited Link Access Control Protocol (LACP) capability. To configure this feature, configure the force-up statement at the [edit interfaces interface-name aggregated-ether-options lacp] hierarchy level. • Load balancing for ECMP next hops (MX Series)—Starting with Junos OS Release 14.2, the following load-balancing solutions are supported on equal-cost multipath (ECMP) next hops to correct traffic imbalance among the member links: • Adaptive — Uses real-time feedback and control mechanism to monitor and manage traffic imbalances. • Random spray — Packet random spray load balancing randomly sprays the packets to the aggregate next hops to ensure that the next hops are equally loaded. To configure adaptive load balancing use the ecmp-alb statement at the [edit chassis] hierarchy level. However, to configure adaptive load balancing, make sure that the per-packet statement is enabled at the [edit policy-options policy-statement policy_name then load-balance] hierarchy level. To configure random load balancing, use the random statement at the [edit policy-options policy-statement policy_name then load-balance] hierarchy level. 76 Copyright © 2016, Juniper Networks, Inc. New and Changed Features • Enhanced Y.1731 functionality on VPWS to support ETH-LM for dual VLAN tags (MX Series)—Starting with Release 14.2, Junos OS supports Ethernet frame loss measurement (ETH-LM) between maintenance association end points (MEPs) configured on Ethernet physical or logical interfaces on Enhanced Dense Port Concentrators (DPCEs) in MX Series routers. The Y.1731 functionality supports ETH-LM only for an end-to-end connection that uses Virtual Private Wire Service (VPWS). In releases before Release 14.2, Junos OS supports ETH-LM only for untagged or single-tagged VLAN identifiers. Starting with Junos OS Release 14.2, ETH-LM is supported on VPWS for dual VLAN identifier tags as well. [See Ethernet Frame Loss Measurement Overview.] • Support for interface damping for longer periodic interface flaps (MX960, MX480, MX240, MX80 3D Universal Edge Routers and M10i Multiservice Edge Routers)—Starting with Junos OS Release 14.2, interface damping is supported on physical interfaces to address longer periodic flapping lasting 5 seconds or more, with an up and down duration of 1 second. This damping method limits the number of advertisements of longer interface up and down events to the upper-level protocols. For longer periodic interface flaps, configure interface damping by using the damping statement at the [edit interfaces interface-name] hierarchy level. You use the show interfaces extensive command to view the interface damping values and link state. [See Damping Longer Physical Interface Transitions.] • Support for NAT port block allocation (MX Series routers with MS-MPCs/MS-MICs)—Starting in Junos OS Release 14.2R2, you can configure port block allocation for NAT with port translation (NAPT) on MX Series routers with MS-MPCs or MS-MICs. You can use the existing CLI and configuration procedures used for other interface cards. Deterministic port block allocation is not supported. [See Configuring Address Pools for Network Address Port Translation (NAPT) Overview and secured-port-block-allocation.] • Provide egress VLAN ID and direction information in sampling records (MX Series)—Starting in Release 14.2R2 , Junos OS includes egress VLAN ID and flow direction information in output records and, optionally, flow keys, when you perform sampling using the IPFIX or version 9 templates. • VLAN ID used for single-tagging is output to field 58, Vlan Id. • VLAN IDs used for dual-tagging (QinQ) are output to fields 243, Dot1q Vlan Id, and 245, Dot1q Customer Vlan Id. (IPFIX template only) • To put one or two Vlan IDs in the flow key of the output record, include the vlan-id option at the [edit services flow-monitoring version-ipfix template template-name flow-key] or [edit services flow-monitoring version9 template template-name flow-key] hierarchy level. • To put flow direction in the flow key of the output record, include the flow-direction option at the [edit services flow-monitoring version-ipfix template template-name Copyright © 2016, Juniper Networks, Inc. 77 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion flow-key] or [edit services flow-monitoring version9 template template-name flow-key] hierarchy level. • The flow direction field in the output record contains an initial value of 0xFF. The field contains 0x00 (ingress) or 0x01 (egress) only when you include the flow-direction vlan-id option at the [edit services flow-monitoring version-ipfix template template-name flow-key] or [edit services flow-monitoring version9 template template-name flow-key] hierarchy level. NOTE: In Junos OS releases earlier than Release 14.2R2, only ingress VLAN IDs were reported in flow records. [See Configuring Flow Aggregation to Use IPFIX Flow Templates and Configuring Flow Aggregation to Use Version 9 Flow Templates.] • Support for ITU-T Y.1731 ETH-LM, ETH-SLM, and ETH-DM on aggregated Ethernet interfaces (MX Series routers with MPCs)—Starting in Junos OS Release 14.2R3, you can configure ITU-T Y.1731 standard-compliant Ethernet loss measurement (ETH-LM), Ethernet synthetic loss measurement (ETH-SLM), and Ethernet delay measurement (ETH-DM) capabilities on aggregated Ethernet (ae) interfaces. These performance monitoring functionalities are supported on MX Series routers with MPCs, where the same level of support for the Ethernet services OAM mechanisms as the level of support on non-aggregated Ethernet interfaces is available on aggregated Ethernet interfaces. ETH-DM is supported on MPC3E and MPC4E modules with only software timestamping. ETH-SLM is supported on MPC3E and MPC4E modules. • Configuration support to improve MC-LAG Layer 2 and Layer 3 convergence (MX Series)—Starting with Junos OS Release 14.2R3, you can configure multichassis link aggregation (MC-LAG) interfaces to improve Layer 2 and Layer 3 convergence time to subsecond values when a multichassis aggregated Ethernet link goes down or comes up in a bridge domain. To use this feature, ensure that the interchassis link (ICL) is configured on an aggregated Ethernet interface. For Layer 2 convergence, configure the enhanced-convergence statement at the [edit interfaces aeX aggregated-ether-options mc-ae] hierarchy level. For Layer 3, configure the enhanced-convergence statement at the [edit interfaces irb unit unit-number] hierarchy level for an integrated routing and bridging (IRB) interface. 78 Copyright © 2016, Juniper Networks, Inc. New and Changed Features NOTE: • If the enhanced-convergence feature is configured on a multichassis aggregated Ethernet interface of a bridge domain that has an IRB interface, the IRB interface must also be configured for the convergence feature. • All multichassis aggregated Ethernet interfaces that are part of a bridge domain must be configured for enhanced convergence in order to utilize this feature on any of them. • On enabling or disabling the enhanced convergence feature, all services get deleted and re-created. [See Configuring Active-Active Bridging and VRRP over IRB in Multichassis Link Aggregation on MX Series Routers.] • LACP hold-up timer configuration support on LAG interfaces—Starting with Junos OS Release 14.2R3, you can configure a Link Aggregation Control Protocol (LACP) hold-up timer value for link aggregation group (LAG) interfaces. You configure the hold-up timer to prevent excessive flapping of a child (member) link of a LAG interface due to transport layer issues. With transport layer issues, it is possible for a link to be physically up and still cause an LACP state-machine flap. An LACP state-machine flapping can adversely affect traffic on the LAG interface. To prevent this, a hold-up timer value is configured. LACP monitors the PDUs received on the child link for the configured time value, but does not allow the member link to transition from the expired or defaulted state to current state. This configuration thus prevents excessive flapping of the member link. To configure the LACP hold-up timer for LAG interfaces, use the hold-time up timer-value statement at the [edit interfaces ae aeX aggregated-ether-options lacp] hierarchy level. • CFP-100GBASE-ZR (MX Series)—In Junos OS Release 14.2R3 and later, the CFP-100GBASE-ZR transceiver provides advanced dual polarization-quadrature phase shift keying (DP-QPSK) coherent digital signal processing (DSP) and forward error correction (FEC)-enabled robust tolerance to optical impairments and supports 80 km reach over single-mode fiber. The transceiver is not specified as part of IEEE 802.3 but is built according to Juniper Networks specifications. The following interface modules support the CFP-100GBASE-ZR transceiver: • 2x100GE + 8x10GE MPC4E (MPC4E-3D-2CGE-8XGE) • 100-Gigabit Ethernet MIC with CFP (MIC3-3D-1X100GE-CFP) For more information about the interface modules, see the “Cables and Connectors” section in the MX Series Interface Module Reference. [See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications and Supported Network Interface Standards by Transceiver for ACX, M, MX, and T Series Routers.] Copyright © 2016, Juniper Networks, Inc. 79 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion IPv4 • IPv4 address conservation method for hosting providers (MX Series)—Starting in Junos OS Release 14.2R4, you can configure a static route on an IRB interface with or without pinning to a specific underlying interface, thereby conserving the usage of IP address space. When a customer needs servers to be assigned within a block of IP addresses, several IP addresses are consumed. These include the network and broadcast IP addresses, the addresses for the router gateway that the servers are connected to, and the addresses of the individual servers. When this effect is multiplied across thousands of hosting providers, IP address space is far from being used efficiently. This issue can be resolved by configuring the interface on the router with an address from the reserved IPv4 prefix for shared address space (RFC 6598) and by using static routes pointed at the interface. IANA has recorded the allocation of an IPv4 /10 for use as shared address space. The shared address space address range is 100.64.0.0/10. This way, the interface in the router is allocated an IP address from the shared address space, so it is not consuming publicly routable address space, and connectivity is handled with static routes on an interface. The interface in the server is configured with a publicly routable address, but the router interfaces are not. Network and broadcast addresses are consumed out of the shared address space rather than the publicly routable address space. IPv6 • IPv6 support for next-hop groups (MX Series)—Starting in Junos OS Release 14.2, this feature allows support of next-hop groups of type inet6 (IPv6). The following features are also supported: • Configuration of interfaces of inet6 (IPv6) type at the [edit forwarding-options port-mirroring family inet6 output] hierarchy level or subgroups at the [edit forwarding-options port-mirroring family inet6 output next-hop-group] hierarchy level. • Configuration of next-hop groups as filter action. • Configuration of next-hop groups as port-mirror destination when specified at the [edit forwarding-options port-mirroring family inet6 output] hierarchy level. [See next-hop-group, port-mirroring, and [edit firewall] Hierarchy Level.] Junos Fusion • Junos Fusion (MX Series)—Starting with Release 14.2, Junos Fusion is supported on MX Series routers. For Junos Fusion related information, see “New and Changed Features” on page 31 for Junos Fusion. Layer 2 Features • 80 Egress protection service mirroring for BGP-signaled Layer 2 service (MX Series)— Starting in Junos OS Release 14.2, this feature enables BGP-signaled multihomed l2vpn to restore egress traffic in the following scenarios: Copyright © 2016, Juniper Networks, Inc. New and Changed Features • PE to CE link failure • Egress PE node failure [See Configuring Egress Protection Service Mirroring for BGP Signaled Layer 2 Services, Example: Configuring Egress Protection Service Mirroring for BGP Signaled Layer 2 Services, and host-standby.] • Create multiple pseudowires on a per-virtual circuit basis (MX Series)—Starting in Junos OS Release 14.2, you can create multiple pseudowires between the same pair of PEs in LDP-VPLS for a single routing instance, using the same loopback address. Do this with the vpls-id-list option under LDP-VPLS neighbor. For each pseudowire created under a neighbor, VPLS creates a VT/LSI interface and adds both it and the label route to the mpls.0 table. Each pseudowire terminates in its specified mesh-group. Support is added at the following CLI hierarchy level: [edit routing-instances routing-instance-name protocols vpls mesh-group mesh-group-name neighbor address pseudowire-status-tlv vpls-id-list vc-id-numbers vc-id-number]. [See the vpls-id-list command reference.] • Native analyzer support (MX240, MX480 and MX960)—Starting with Junos OS Release 14.2, MX Series routers support native analyzers and remote port-mirroring capabilities. A native analyzer configuration contains both an input stanza and an output stanza in the analyzer hierarchy for mirroring packets. In remote port mirroring, the mirrored traffic is flooded into a remote mirroring VLAN that can be specifically created for the purpose of receiving mirrored traffic. The analyzer configuration is available at the [edit forwarding-options analyzer] hierarchy level. Copyright © 2016, Juniper Networks, Inc. 81 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Layer 2 VPN • Control word feature for LDP VPLS and FEC129 VPLS (MX Series)— Starting with Junos OS Release 14.2R4, the control word feature is supported for LDP VPLS and FEC129 VPLS. Management • YANG module that defines the Junos OS configuration hierarchy—Starting with Junos OS Release 14.2, Juniper Networks provides a YANG module that defines the Junos OS configuration hierarchy. You can download the YANG module that defines the complete Junos OS configuration hierarchy for all devices running that Junos OS release from the Juniper Networks website at http://www.juniper.net/. You can also generate a YANG module that defines the device-specific configuration hierarchy by using the show system schema module configuration format yang operational mode command on the local device. The Juniper Networks YANG module, configuration, is bound to the namespace URI http://yang.juniper.net/yang/1.1/jc and uses the prefix jc. [See Understanding YANG on Devices Running Junos OS.] MPLS • On-demand packet loss and delay measurement (MX Series routers with MPCs and MICs only)—Starting with Release 14.2, Junos OS introduces an on-demand tool to monitor and measure packet loss, packet delay, or both for associated bidirectional MPLS ultimate hop popping (UHP) point-to-point label-switched paths (LSPs), using the monitor mpls loss rsvp, monitor mpls delay rsvp, and monitor mpls loss-delay rsvp commands, respectively. These commands provide an on-demand summary of performance metrics for direct mode packet loss, two-way packet delay, and related metrics, such as inter-packet delay variation and channel throughput measurement. This functionality provides real-time visibility into network performance, thereby facilitating network performance planning, troubleshooting, and evaluation. • GMPLS RSVP-TE VLAN LSP signaling (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2, the point-to-point Layer 2 connectivity between two client routers across an external or third-party server-layer network can be set up by the client routers on an on-demand basis using GMPLS RSVP-TE signaling. This feature provides the client routers the flexibility to establish, maintain, and provision each individual Layer 2 connection, without any dependency on the server-layer administration. As a result, the burden on the operational expenses of the provider network, in terms of provisioning individual Layer 2 connections, is reduced. In traditional Layer 2 VPN technology that is based on LDP and BGP, the provider network handled the provisioning activity for each Layer 2 circuit established between two client routers. [See GMPLS RSVP-TE VLAN LSP Signaling Overview and Example: Configuring GMPLS RSVP-TE VLAN LSP Signaling.] 82 Copyright © 2016, Juniper Networks, Inc. New and Changed Features • Extension of traceroute over MPLS tunnels—Starting with Junos OS Release 14.2, a new command as of Junos OS Release 14.2, traceroute mpls bgp, enables you to perform end-to-end LSP traceroute by having the transit routers provide information to the ingress router about the start and ending of new tunnels for the following cases: • • For hierarchical LSPs for the following use cases: • LBGP over LDP (traceroute explores all ECMP paths) • LBGP over RSVP (traceroute explores all ECMP paths) • LDP over RSVP (traceroute explores all ECMP paths) • RSVP over BYPASS For stitched LSP case for LDP stitched to labeled BGP The mechanism by which this is accomplished is explained in RFC 6424, which extends RFC 4370. Use traceroute mpls bgp as a debugging tool to locate MPLS BGP forwarding issues in a network. The traceroute mpls bgp command is supported on all platforms. [See traceroute mpls bgp.] • Dynamic bandwidth management using container LSPs (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2, a new type of LSP, called a container LSP, is introduced to enable load balancing across multiple point-to-point member LSPs between the same ingress and egress routers. Each member LSP takes a different path to the same destination and can be routed along a different IGP cost path. Based on the configuration and aggregate traffic, a container LSP provides support for dynamic bandwidth management by enabling the ingress router to dynamically add and remove member LSPs through a process called LSP splitting and LSP merging respectively. Member LSPs can also be re-optimized with different bandwidth values in a make-before-break way. [See Dynamic Bandwidth Management Using MP-LSP Overview and Example: Configuring Dynamic Bandwidth Management Using MP-LSP.] • Egress peer engineering of service labels (BGP, MPLS) and egress peer protection for BGP-LU (MX Series)—Beginning with Junos OS Release 14.2R4, you can enable traffic engineering of service traffic, such as MPLS LSP traffic between autonomous systems (ASs), using BGP-labeled unicast for optimum utilization of the advertised egress routes. You can specify one or more backup devices for the primary egress AS boundary router. Junos OS installs the backup path in addition to the primary path in the MPLS forwarding table, which enables MPLS fast reroute (FRR) when the primary link fails. • Support of Internet draft draft-ietf-pce-stateful-pce-07 for the stateful PCC implementation (M Series, MX Series, and T Series)—The partial client-side implementation of the stateful Path Computation Element (PCE) architecture is currently based on version 2 of Internet draft draft-ietf-pce-stateful-pce. Starting with Junos OS Release 14.2R4, this implementation is upgraded to support version 7, as defined in Internet draft draft-ietf-pce-stateful-pce-07. Releases earlier than 14.2R4 support the older version of the PCE draft, causing interoperability issues between a Path Computation Client (PCC) running a previous Copyright © 2016, Juniper Networks, Inc. 83 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion release and a stateful PCE server that adheres to Internet draft draft-ietf-pce-stateful-pce-07. • Support of Internet draft draft-crabbe-pce-pce-initiated-lsp-03 for the stateful PCE-initiated LSP implementation (M Series, MX Series, and T Series)—In the partial client-side implementation of the stateful Path Computation Element (PCE) architecture, the implementation of PCE-controlled LSPs that are dynamically initiated by a PCE is currently based on version 1 of Internet draft draft-crabbe-pce-pce-initiated-lsp. Starting with Junos OS Release 14.2R4, this implementation is upgraded to support version 3, as defined in Internet draft draft-crabbe-pce-pce-initiated-lsp-03. Releases prior to 14.2R4 support the older version of the PCE draft, causing interoperability issues between a Path Computation Client (PCC) running a previous release and a stateful PCE server that adheres to Internet draft draft-crabbe-pce-pce-initiated-lsp-03. Multicast • BGP link state distribution (M Series, MX Series, and T Series)—Starting with Release 14.2, Junos OS introduce a new mechanism to distribute topology information across multiple areas and autonomous systems (ASs) by extending the BGP protocol to carry link state information. Earlier, this information was acquired using an IGP, which has scaling limitations when it comes to distributing large a database. Using BGP provides a policy-controlled and scalable means of distributing the multi-area and multi-AS topology information. This information is used for computing paths for MPLS LSPs spanning multiple domains, such as inter-area TE LSP, and enables external path computing entities, such as ALTO and PCE, to acquire network topology. [See Link State Distribution Using BGP Overview and Example: Configuring GMPLS RSVP-TE VLAN LSP Signaling.] • MLD snooping (MX Series routers with MPCs)—Beginning with Junos OS Release 14.2, support for MLD snooping is available on MX Series routers with MPCs (MPC-1, MPC-2, MPC-3, and MPC-4). MLD snooping restricts the forwarding of IPv6 multicast traffic to only those interfaces in a bridge-domain/VPLS that have interested listeners. The operational commands for mld-snooping, including defaults, behavior, logging, and tracing, are the same as for IGMP snooping (which provides the same functionality for IPv4 traffic). • Separate multicast snooping domains for different logical systems (MX Series routers with MPCs and DPCs)—Starting in Junos OS Release 14.2, support for multicast, PIM, and IGMP snooping is available for named logical systems on MX Series routers with MPCs and DPCs. Multicast traffic specific to one logical system does not have to flood the entire bridge domain. This enhancement extends all the available snooping functionality in the default logical system (including separate routing tables, routing instances, policies, and interface configurations) to all of the named logical systems on the router. Likewise, the output of show commands is restricted to data from the named logical system only. The 84 Copyright © 2016, Juniper Networks, Inc. New and Changed Features master logical system, however, can view the states of any or all named logical systems configured on the device. For service providers, the main benefits of this change are the ability to provide customers with distinct multicast domains for snooping and the ability to simplify multicast snooping testing by collapsing multiple routers onto a single device via logical systems. Multicast snooping per named logical systems also extends to MC-LAG in logical systems that were introduced in Junos OS Release 14.1. Multicast snooping in named logical systems does not support unified ISSU. We recommend that, prior to performing unified ISSU, the provider remove all IGMP-snooping specific configurations. Graceful Routing Engine switchover (GRES) is not affected by this change. IGMP snooping support for P2MP in VPLS for logical systems applies where such configurations are already valid. Network Management and Monitoring • Configuring SNMP to match jnxNatObjects values for MS-DPC and MS-MIC (MX Series)—In Junos OS Release 13.3R7, 14.1R6, and 14.2R4, you can configure the snmp-value-match-msmic statement at the [edit services service-set service-set-name nat-options] hierarchy level. In networks where both MS-DPC and MS-MIC are deployed, you can configure this statement to ensure that the values for MS-MIC-specific objects in the jnxNatObjects MIB table match the values for MS-DPC objects. By default, this feature is disabled. You can use the deactivate services service-set service-set-name nat-options snmp-value-match-msmic configuration mode command to disable this feature. • Logical interfaces summary (MX Series)—Beginning with Junos OS Release 14.1R2, a new show command, show interfaces summary, is available to display the status and statistics on the logical interfaces configured on the device at the Flexible PIC Concentrator (FPC) level. [See show interfaces summary.] • Enhancements to SNMP statistics operational mode commands (M Series, MX Series, and T Series)—Beginning with Junos OS Release 14.2, you can use the show snmp stats-response-statistics command to view the statistics of SNMP statistics responses sent from the Packet Forwarding Engine during the MIB II process (mib2d). In addition, you can use the subagents option in the show snmp statistics command to view the statistics of the protocol data units (PDUs) and the number of SNMP requests and responses per subagent. The subagents option also helps you to view the SNMP statistics received from each subagent per logical system. [See show snmp stats-response-time and show snmp statistics.] • SNMP support for enterprise-specific MVPN MIB (M Series and T Series)—Starting with Junos OS Release 14.2, Junos OS SNMP supports the enterprise-specific MVPN MIB. Junos OS SNMP support for MVPN is based on the enterprise-specific extension of the IETF standard MIBs defined in Internet draft draft-ietf-l3vpn-mvpn-mib-03.txt, MPLS/BGP Layer 3 VPN Multicast Management Information Base. [See Juniper Networks Enterprise-Specific MIBs and Supported Devices, Juniper Networks Enterprise-Specific MIBs, and SNMP MIBs and Traps Reference.] Copyright © 2016, Juniper Networks, Inc. 85 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • Support for RFC 4133, Entity MIB (MX240, MX480, and MX960)—Starting with Release 14.2, Junos OS supports tables and objects defined in RFC 4133, Entity MIB, except: • entityLogicalGroup table • entityNotificationsGroup table • entPhysicalMfgDate and entPhysicalUris objects in entityPhysical2Group table • entLPMappingTable and entPhysicalContainsTable in entityMappingGroup table [See Standard SNMP MIBs Supported by Junos OS.] • Support for RFC 4268, Entity State MIB (MX240, MX480, and MX960)—Starting with Release 14.2, Junos OS supports all objects and tables defined in RFC 4268, Entity State MIB. • Support for RFC 3635, Definitions of Managed Objects for the Ethernet-like Interface Types (MX Series only)—Starting with Release 14.2, Junos OS supports all objects and tables defined in RFC 3635, Definitions of Managed Objects for the Ethernet-like Interface Types, except dot3StatsRateControlAbility and dot3StatsRateControlStatus in dot3StatsEntry table. [See Standard SNMP MIBs Supported by Junos OS.] • Enhancement to reduce the time taken for performing system commit (M Series, MX Series, and T Series)—Beginning with Junos OS Release 14.2, you can configure the delta-export statement at the [edit system commit] hierarchy level to reduce the time taken to commit the configuration changes. [See commit (system) and delta-export.] • SNMP support for the timing feature—Starting in Junos OS Release 14.2, SNMP supports the timing feature. Currently, SNMP support is limited to defect and event notifications through SNMP traps. A new enterprise-specific MIB, Timing Feature Defect/Event Notification MIB, has been added to monitor the operation of PTP clocks within the network. The trap notifications are disabled by default. To enable trap notifications for the timing feature, include the timing-event statement at the [edit snmp trap-group trap-group object categories] hierarchy level to enable SNMP trap notifications for timing events and defects. • SNMP support for fabric queue depth, WAN queue depth, and fabric counter (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Release 14.2R3, Junos OS provides SNMP support for WAN queue depth, fabric queue depth, and fabric counter. The following SNMP MIB tables include the associated objects: • jnxCosQstatTable table • jnxCosIngressQstatTable table • jnxFabricMib table In addition, this feature supports the following traps for the Packet Forwarding Engine resource monitoring MIBs: • 86 jnxPfeMemoryTrapVars Copyright © 2016, Juniper Networks, Inc. New and Changed Features • jnxPfeMemoryNotifications [See jnxCosQstatTable, jnxCosIngressQstatTable, jnxFabricMib, jnxPfeMemoryTrapVars, and jnxPfeMemoryNotificationsPrefix.] Operation, Administration, and Maintenance (OAM) • Support for MEF-36-compliant performance monitoring (MX Series)—Starting in Release 14.2R5, Junos OS supports performance monitoring that is compliant with Technical Specification MEF 36. You can enable MEF-36-compliant performance monitoring by configuring the measurement-interval statement at the [edit protocols oam ethernet cfm performance-monitoring] or [edit protocols oam ethernet cfm performance-monitoring sla-iterator-profiles profile-name] hierarchy level. NOTE: When MEF-36-compliant performance monitoring is enabled, an SNMP get next request for a variable might not fetch the current value unless an SNMP walk is performed before performing the get next request. This limitation applies only to the current statistics for delay measurement, loss measurement, and synthetic loss measurement. When MEF-36-compliant performance monitoring is enabled: • The output for the field Current delay measurement statistics might display a measurement interval of 0 (zero) and an incorrect timestamp until the first cycle time has expired. • Supported data TLV size for performance monitoring protocol data units (PDUs) is 1386 bytes when MEF-36-compliant performance monitoring is enabled. The TLV size is 1400 bytes in legacy mode. • The maximum configurable value for the lower threshold bin is 4,294,967,294. • Frame loss ratio (FLR) is excluded in loss measurements during period of unavailability for synthetic loss measurement only. In case of loss measurement, FLR is included even during period of unavailability. • During a period of loss of continuity (adjacency down), although SOAM PDUs are not sent, FLR and availability calculations are not stopped. These calculations are performed with the assumption of 100% loss. • The number of SOAM PDUs that are sent during the first measurement interval might be less than expected. This is because of a delay in detecting the adjacency state at the performance monitoring session level. • The number of SOAM PDUs transmitted during a measurement interval for a cycle time of 100 ms might not be accurate. For example, in a measurement interval of two minutes with a cycle time 100 ms, the SOAM PDUs transmitted might be in the range of 1198—2000. When MEF-36-compliant performance monitoring is disabled, the show oam ethernet connectivity-fault-management maintenance-domain sla-iterator-history maintenance-domain md-name maintenance-association ma-name mep mep-id Copyright © 2016, Juniper Networks, Inc. 87 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion sla-iterator profile-name command displays 32 records from this Junos OS release onward. In earlier releases, the command displays 16 records. • Loopback tracking for IEEE 802.3ah OAM link-fault management (MX Series)—Starting in Junos OS Release 14.2, MX Series routers support loopback tracking for the Ethernet Operation, Administration, and Management (OAM) link-fault management process (lfmd). When loopback tracking is enabled and the Ethernet OAM lfmd process detects its own generated packets on an interface, it marks the interface as down. When the loopback issue resolves, the interface is brought back up. To enable loopback tracking for Ethernet OAM, include the loopback-tracking statement at the [edit protocols oam ethernet link-fault-management interface] hierarchy level. hierarchy level. • Ethernet loss measurement counter support for each class in a multiclass environment—Junos OS supports Ethernet loss measurement (ETH-LM) for multiclass services. The ETH-LM feature is used by operators to collect frame loss counter values for ingress and egress service frames. Starting with Junos OS Release 14.2R3, the ETH-LM feature is extended to support the frame loss measurement counters for each class of packets in a multiclass environment. Counters for each class of packets are supported for point-to-point services only. NOTE: ETH-LM is currently supported for VPWS services only. ETH-LM maintains counters based on the forwarding class and loss priority of a packet. The loss priority determines the color of a packet—green indicates loss priority low for committed information rate (CIR) and yellow indicates loss priority medium-high for excess information rate (EIR). The color (green and yellow) counters are maintained for each class of packets. Based on the counters supported on an interface, you can configure the following accounting modes for Ethernet loss measurement: • Forwarding class-based accounting with color—In this mode, traffic is serviced based on packet loss priority and forwarding class. Two counters–green and yellow–are maintained for each forwarding class on each service interface. In this mode, an OAM (operation, accounting, and maintenance) packet collects counters based on the forwarding class. To configure this mode of loss measurement accounting, use the enable-multiclass-loss-measurement statement at the [set protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level for global configuration or at the [set protocols oam ethernet connectivity-fault-management performance-monitoring interface interface-name] hierarchy level for interface-level configuration. • Forwarding class-based accounting without color—In this mode, traffic is serviced based on the forwarding class only. Only one counter is maintained for each forwarding class in each service interface. To configure this mode of loss measurement accounting, use the enable-multiclass-loss-measurement and colorless-loss-measurement statements at the [set protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level for global configuration or at the [set 88 Copyright © 2016, Juniper Networks, Inc. New and Changed Features protocols oam ethernet connectivity-fault-management performance-monitoring interface interface-name] hierarchy level for interface-level configuration. • Color-based accounting—In this mode, traffic is serviced based on the loss priority. Two counters—green and yellow—are maintained for each service interface. Color-based accounting is the default loss measurement mode and requires no configuration. • Code point-based accounting—In this mode, traffic is serviced based on the 802.1p priority bits. One counter is maintained for each code point (priority bit) on each service interface. If there are user virtual LAN or 802.1p rewrite rules configured, loss measurement accounting is done before applying the rewrite rules. To configure this mode, use the code-point-based-lm-accounting statement at the [set protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level for global configuration or at the [set protocols oam ethernet connectivity-fault-management performance-monitoring interface interface-name] hierarchy level for interface-level configuration. NOTE: Code point-based accounting mode does not work if virtual LAN pop or push is configured on the interface. If pop or push is configured, the 802.1p bits are removed from the data packets. Therefore, in such cases, you can use forwarding class-based accounting if a one-to-one mapping exists between a forwarding class and the 802.1p bits value; otherwise you can use the priority-based accounting mode. • Priority-based accounting—In this mode, four counters are maintained for each forwarding class for each interface, with each counter corresponding to one of the two colors. To configure this mode, use the priority-based-lm-accounting statement at the [set protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level for global configuration or at the [set protocols oam ethernet connectivity-fault-management performance-monitoring interface interface-name] hierarchy level for interface-level configuration. Routing Policy and Firewall Filters • New flexible offset firewall filter terms (MX Series routers with MPCs or MICs)—In Junos OS releases earlier than Release 14.2, you configured firewall filter terms using the CLI only on pre-defined or fixed offsets within the IP packet, such as source address, destination port, and so on. Starting in Junos OS Release 14.2, new flexible offset firewall filter terms are available. These flexible offset filter terms allow a user to begin the search for match conditions at Layer 2, Layer 3, Layer 4, or payload locations within the IP packet and to vary the match parameters within those locations. [See Firewall Filter Match Conditions for IPv6 Traffic]. • New firewall family bridge match criteria for IPv6 (MX Series routers with MPCs or MICs)—For IPv4 traffic, the following header match criteria are supported in bridge filters: IP source address, IP destination address, protocol type, and DiffServ code point (DSCP). Starting in Junos OS Release 14.2, the same match criteria have been added Copyright © 2016, Juniper Networks, Inc. 89 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion to the [firewall family bridge filter filter-name term rule-name from] hierarchy for the matching of IPv6 fields in firewall bridge filters. In addition, the IPv6 next-header and payload-protocol fields can be matched. [See Firewall Filter Match Conditions for IPv6 Traffic.] 90 • New walkup statement available (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.2, a new walkup feature is available. The walkup feature allows the user to change the default route filter prefix match behavior, so that the evaluation walks up multiple route filters contained within a single policy term, in order to allow matches on terms other than the default longest match. This can be applied globally or locally to a single policy. This feature can be configured in the main routing instance and in logical systems, but not in routing instances. • Support for consistent load balancing for ECMP groups (MX Series routers with MPCs)—Starting in Junos OS Release 14.2R2, on MX Series 3D Universal Edge Routers with Modular Port Concentrators (MPCs) only, you can prevent the reordering of flows to active paths in an ECMP group when one or more paths fail. Only flows that are inactive are redirected. This feature applies only to Layer 3 adjacencies learned through external BGP connections. It overrides the default behavior of disrupting all existing, including active, TCP connections when an active path fails. Include the consistent-hash statement at the [edit policy-options policy-statement policy-statement-name then load-balance] hierarchy level. You must also configure a global per-packet load-balancing policy. • Support for logical queue-depth in the PFE for IP options packets for a given protocol (M Series, MX Series, and T Series)— Starting with Junos OS Release 14.2R6, you can configure logical queue-depth in the PFE for IP options packets for a given protocol. The queue-depth indicates the number of IP options packets which can be enqueued in the PFE logical queue, beyond which it would start dropping the packets. Copyright © 2016, Juniper Networks, Inc. New and Changed Features Routing Protocols • Virtual route reflector using 64-bit routing processes (MX Series)—Starting with Junos OS Release 14.2, many of the applications running on Junos OS can be shifted to external and more robust, powerful computing resources, thereby preserving the hardware resources on devices running Junos OS for switching and routing functionalities. Among the protocols and modules that can be transferred to external computing utilities, control plane protocols are suited for such an offloading. Such a virtualized process can be run on more powerful blade servers, and the computed entities can be downloaded to the router or the switch. With such an approach, the scaling dimensions for each of the virtualized processes can be increased to a large level. Out of the various processes that run within rpd, route reflector is an operation that requires a considerable amount of computing power (both with memory utilization and computation overhead). Such a virtualized module, virtual route reflector, can be run on external servers to achieve more scaling numbers. The virtualization of such functional blocks enables the service to be run on external high-performance servers. To enable this capability of a virtual route reflector, the entire Junos OS is virtualized and launched as a VM (virtual machine). To achieve higher and effective scaling numbers, rpd is configured as a 64-bit application, which benefits from a much better address space. The 64-bit capacity of rpd requires the kernel to also be of 64-bit type. The purpose of route reflection is loop prevention when the internal BGP (IBGP) routing devices are not fully meshed. To accomplish this, RRs break one of the rules of normal BGP operation: They readvertise routes learned from an internal BGP peer to other internal BGP peers. A new Junos OS platform image called vrr64 is provided. You can use the jinstall64-vrr package to install the 64-bit virtual route reflector on your device. Raw disk image format is supported for the VRR image. The new Junos OS platform image is converted to kernel-based virtual machine (KVM) or a Quick Emulator (QEMU) disk image, which is launched as a VM on the QEMU hardware virtualizer. • BGP-static routes (MX Series)—Beginning with Junos OS Release 14.2, you can configure and advertise BGP-static routes in a BGP network. You can advertise a BGP-static route in a BGP network, even if it is not the active route for the prefix. BGP-static routes do not flap unless they are deleted manually. You can define a policy that determines which BGP-static routes need to be advertised and included in the advertisements. Peer routers receive advertisements for these BGP-static routes regardless of dynamic routing information learned by the advertising router. To configure BGP-static routes, include the bgp-static route statement at the [edit routing-options] hierarchy level. [See BGP-Static Routes in a BGP Network.] • Remote LFA support for LDP in IS-IS (MX Series)—Beginning with Junos OS Release 14.2, you can configure a remote loop-free alternate (LFA) to extend the backup provided by the LFA in an IS-IS network. This feature is useful especially for Layer 1 metro-rings where the remote LFA is not directly connected to the PLR. The existing LDP implemented for the MPLS tunnel setup can be reused for the protection of IS-IS networks and subsequent LDP destinations, thereby eliminating the need for RSVP-TE backup tunnels for backup coverage. Copyright © 2016, Juniper Networks, Inc. 91 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion To configure remote LFA over LDP tunnels, include the remote-backup-calculation statement at the [edit protocols isis backup-spf-options] hierarchy level and the auto-targeted-session statement at the [edit protocols ldp] hierarchy level. [See Example: Configuring Remote LFA over LDP Tunnels in IS-IS Networks.] • OSPF domain-id interoperability (MX Series)— Starting in Junos OS Release 14.2R4, to enable interoperability with routers from other vendors, you can set the AS number for domain-id attributes to 0 at the following hierarchical levels: [edit routing-instances routing-instance name protocols ospf domain-id] or [edit policy-options community community name members] CAUTION: Do not downgrade Junos OS after configuring the AS number for domain-id attributes to 0. Set the AS number to a nonzero value and commit the configuration before downgrading Junos OS. • Flow-aware transport pseudowire for BGP L2VPN and BGP VPLS (MX Series)— Starting with Junos OS Release 14.2R7, the flow-aware transport (FAT) label is supported for BGP-signaled pseudowires such as L2VPN and VPLS. Configuring flow-label-receive and flow-label-trasmit on the label edge routers (LERs) enables the transit routers or label-switching routers (LSRs) to perform load balancing of MPLS packets across equal-cost multipath (ECMP) paths or link aggregation groups (LAGs) without the need for deep packet inspection of the payload. • OSPFv3-TTL propagation policy for TE-Shortcuts and FA-LSPs in-line with other modules in the system (MX Series)—Starting in Junos OS Release 14.2R4, the OSPFv3-TTL propagation policy will be dictated by MPLS-TTL propagation policy which, by default, allows propagation of TTL. This change makes behavior of OSPFV3 in-line with the default behavior of rest of the system, allowing you to disable TTL propagation for the above mentioned LSPs and for traffic-engineering-shortcuts (TE-Shortcuts) and forwarding adjacency LSPs (FA-LSPs) using OSPFv3 as IGP, by configuring the no-propagate-ttl statement at the [edit protocols mpls] hierarchy. 92 Copyright © 2016, Juniper Networks, Inc. New and Changed Features Services Applications • Support for interim logging for NAT port block allocation (MX Series routers with MS-MPCs/MS-MICs)—Starting in Junos OS Release 14.2R2, you can configure interim logging for NAT with port translation on MX Series routers with MS-MPCs or MS-MICs. Default logging sends a single log entry for ports allocated to a subscriber. These syslog entries can be lost for long running flows. Interim logging triggers the re-sending of logs at configured time intervals for active blocks that have traffic on at least one of the ports of the block, ensuring that there is a recent syslog entry for active blocks. You can specify interim logging by including the pba-interim-logging-interval statement at the [edit interfaces interface-name services-options] hierarchy level. • Support for transmission of probes between a TWAMP client and a TWAMP server (MX Series)—Starting in Junos OS Release 14.2R2, you can configure an MX Series router that contains a Packet Forwarding Engine with 16-port 10-Gigabit Ethernet MPCs, FPCs (MPCs), MPC3Es, or MPC4Es to function as a Two-Way Active Measurement Protocol (TWAMP) client. A TWAMP client is a device that sends probe or test packets and functions as the generator or initiator of the probes. A TWAMP server is a device that receives the probes from the client and functions as the reflector or the receiver. A client opens a TCP connection with the server on a well-known port, which is port number 862. The host that initiates the TCP connection takes the roles of the control-client and (in the two-host implementation) the session-sender. Such a device is also called the TWAMP client. The host that acknowledges the TCP connection accepts the roles of a server and (in the two-host implementation) the session-reflector. Such a device is also called the TWAMP server. • Support for logging flow monitoring records with version 9 and IPFIX templates for NAT events (MX Series routers with MS-MPCs and MS-MICs)—Starting in Junos OS Release 14.2R2, you can configure MX Series routers with MS-MPCs and MS-MICs to log network address translation (NAT) events using Junos Traffic Vision (previously known as J-flow) version 9 or IPFIX (version 10) template format. NAT event logger generates messages in flow monitoring format for various NAT events, such as the creation of a NAT entry, deletion of a NAT entry, and for invalid NAT processing (such as NAT address pools or address values being exhausted for allocation). These events also support NAT64 translations (translation of IPv6 addresses to IPv4 addresses), binding information base (BIB) events, and more detailed error generation. The generated records or logs for NAT events in flow template format are sent to the specified host or external device that functions as the NetFlow collector. Until Junos OS Release 14.2R1, MS-PIC uses the system logging protocol (syslog) to generate session logging. System log messages can be sent directly from the MS-PIC to an external system-logging server. For this transmission of syslogs to work properly, the services PIC interface must have an IP address and appropriate system logging options configured. • IPsec invalid SPI notification (M Series, MX Series, and T Series)—Starting in Junos OS Release 14.2, you can enable automatic recovery when peers in a security association (SA) become unsynchronized. When peers become unsynchronized, this can cause the transmission of packets with invalid security parameter index (SPI) values and the dropping of those packets by the receiving peer. You can enable automatic recovery by using the new respond-bad-spi max-responses configuration statement, which Copyright © 2016, Juniper Networks, Inc. 93 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion appears under the [edit services ipsec-vpn ike policy] hierarchy level. This statement results in a resynchronization of the SAs. The max-responses value has a default of 5 and a range of 1 through 30. [See Configuring IKE Policies.] • IPv6 support for aggregated multiservices (AMS) interfaces (MX Series with MS-MPCs)—Starting in Junos OS Release 14.2, you can use AMS interfaces for IPv6 traffic. To configure IPv6 support for an AMS interface, include the family inet6 statement at the [edit interfaces ams-interface-name unit unit-number] hierarchy level. NOTE: When family inet and family inet6 are set for an AMS interface sub-unit, the hash-keys set at the [edit services service-set-name load-balancing-options] hierarchy level apply both to IPv4 and IPv6 flows. 94 • ICMP, ping, and traceroute ALGs for MS-MICs and MS-MPCs (MX Series)—Starting with Junos OS Release 14.2, Junos OS extension-provider packages that are preinstalled and preconfigured on the MS-MIC and MS-MPC offer support for ping, traceroute, and ICMP ALGs in a consistent manner that is identical to the support that the uKernel service provides. Parity and uniformity of support is established for these ALGs between MS-MICs/MS-MPCs and the uKernel service. Until Junos OS Release 14.1, ICMP ALGs, ping ALGs, and traceroute ALGs were not entirely supported on MX Series routers with MS-MICs and MS-MPCs in comparison with the uKernel service that enables Network Address Translation (NAT) with stateful firewall (SFW) on the uKernel PIC. Support was available for handling of ICMP error response packets that match any existing flow in the opposite direction and NAT processing of ICMP packets with NAT processing of ping packets. • Support for IP reassembly on GRE tunnel interfaces for (MX Series routers with MPCs)—Starting with Junos OS Release 14.2, you can configure the generic routing encapsulation (GRE) tunnel interfaces on MX Series routers with MPCs to support IP packet reassembly. You can configure the GRE interfaces to reassemble the fragmented packets at the endpoint of the tunnel before they can be further processed on the network by including the reassemble-packets statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number] hierarchy level. You can view the reassembly statistics by using the show services inline ip-reassembly statistics <fpc fpc-slot | pfe pfe-slot> command. Inline IP reassembly is supported on MX80, MX240, MX480, MX960, MX2010, MX2020, and MX104 routers. The line modules compatible with the corresponding MX Series routers that support the reassembly of GRE packets are MPC1, MPC2, MPC3, MPC4, and MPC-16X10GE. Until Junos OS Release 14.1, reassembly of IP fragments received at GRE tunnels is supported only on MX Series routers with MS-DPCs. • Enhancements to the RFC 2544-based benchmarking tests (MX104)—RFC 2544 tests are performed by transmitting test packets from a device that functions as a generator. These packets are sent to a device that functions as a reflector. The reflector receives and reflects packets back to the generator. MX104 routers can be configured as reflectors. Starting with Junos OS Release 14.2, MX104 routers support RFC 2544-based benchmarking tests for Ethernet transparent LAN (E-LAN) services Copyright © 2016, Juniper Networks, Inc. New and Changed Features configured using bridge domains. The RFC 2544 tests are performed to measure and demonstrate the service-level agreement (SLA) parameters before activation of the service. The tests measure throughput, latency, frame loss rate, and back-to-back frames. RFC 2544 performance measurement testing for Layer 2 E-LAN services on MX104 routers supports user-to-network interface (UNI)-to-UNI unicast traffic only. • Support for PCP version 2 (MX Series)—Starting in Release 14.2R3, Junos OS supports Port Control Protocol (PCP) version 2, defined by IETF RFC 6887. PCP version 2 uses the client once for authentication. Junos OS is able to decode and process version 2 and version 1 messages. There are no CLI changes for PCP version 2 support. • Support for RPM probes with IPv6 sources and destinations (MX Series routers with MPCs)—Starting in Junos OS Release 14.2R3, the RPM client router (the router or switch that originates the RPM probes) can send probe packets to the RPM probe server (the device that receives the RPM probes) that contains an IPv6 address. To specify the destination IPv6 address used for the probes, include the target (url ipv6-url | address ipv6-address) statement at the [edit services rpm probe owner test test-name] hierarchy level. You can also define the RPM client or the source that sents RPM probes to contain an IPv6 address. To specify the IPv6 protocol-related settings and the source IPv6 address of the client from which the RPM probes are sent, include the inet6-options source-address ipv6-address statement at the [edit services rpm probe owner test test-name] hierarchy level. • Support for H.323 NAT on MS-MPC and MS-MIC (MX Series routers)—Starting in Junos OS Release 14.2R7, the H.323 ALG is supported in NAPT-44 rules and IPv4 stateful-firewall rules on the MX Series. H.323 is a legacy VoIP protocol. To configure H.323 in a NAPT-44 rule, include the application-sets junos-h323-suite statement at the [edit services nat rule rule-name term term-name from] hierarchy level. To configure H.323 in a stateful-firewall rule, include the application-sets junos-h323-suite statement at the [edit services stateful-firewall rule rule-name term term-name from] hierarchy level. To show H.323 ALG statistics, issue the show services alg statistics application-protocol h323 command. • Support for AMS warm standby on MS-MPC and MS-MIC (MX Series routers)—Starting in Junos OS Release 14.2R7, one service interface can be the backup interface for multiple service interfaces. This feature is called AMS warm standby. To make a service interface the backup for multiple service interfaces, you configure an AMS interface for each service interface you want to protect. Each of these AMS interfaces has two member interfaces—a primary member interface, which is the service interface you want to protect, and the secondary member interface, which is the backup service interface. You can use the same secondary member interface in multiple AMS interfaces. To configure a warm-standby AMS interface, include the primary mams-a/b/0 statement and the secondary mams-a/b/0 statement at the [edit interfaces amsn redundancy-options] hierarchy level. If you use redundancy-options in an AMS interface, you cannot use load-balancing-options in the same AMS interface. Copyright © 2016, Juniper Networks, Inc. 95 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion You cannot use the same member interface in both an AMS interface that includes load-balancing-options and an AMS interface that includes redundancy-options. To show the state of an AMS interface configured with warm standby, issue the show interfaces redundancy command. To switch from the primary interface to the secondary interface, issue the request interface switchover amsn command. To revert to the primary interface from the secondary interface, issue the request interface revert amsn command. • NAT with deterministic IP address and port mapping—Starting in Junos OS Release 14.2R7, you can configure deterministic NAT mapping for NAPT44. Deterministic NAT mapping ensures that a given internal IP address and port are always mapped to the same external IP address and port, and the reverse mapping of a given translated external IP address and port are always mapped to the same internal IP address. Deterministic NAT mapping eliminates the need for logging address translations. Configure deterministic NAT translation in a NAT rule by including the translation-type deterministic-napt44 statement at the [edit services nat rule rule-name term term-name then translated] hierarchy level. Configure the range low value to be at least 1024 and the range high value to be no more than 65,535 at the [edit services nat pool pool-name port] hierarchy level. If you configure any ports below 1024, they are readjusted. You can configure up to 64,512 ports to make available for each internal subscriber with the deterministic-port-block-allocation block-size block-size statement at the [edit services nat pool pool-name port] hierarchy level. If you do not include this statement, the default value is 512. If you configure the block-size as 0, Junos OS automatically calculates the block size by using the number of configured subscriber IP addresses, the number of external translated IP addresses, and the port range. • Support for IKE and IPsec Passthrough NAPT-44 and NAT64 (MX Series routers with MS-MPCs and MS-MICs)—Starting in Junos OS Release 14.2R7, you can enable the passing of IKE and IPsec packets through NAPT-44 and NAT64 filters between IPsec peers that are not NAT-T compliant by using the IKE-ESP-TUNNEL-MODE-NAT-ALG on MS-MPCs and MS-MICs. Use the following hierarchy to enable the IKE-ESP-TUNNEL-MODE-NAT-ALG: [edit applications] application ike-esp-application-name { application-protocol ike-esp-nat; protocol udp; destination-port 500; inactivity-timeout 3600; gate-timeout 90; child-inactivity-timeout 6000; } application-set ike-esp-application-set-name { application ike-esp-application-name; } [edit services nat] 96 Copyright © 2016, Juniper Networks, Inc. New and Changed Features pool ike-isp-nat-pool-name { address ip-prefix; port automatic; } rule rule-name { match-direction input; term 0 { from { source-address address; application-sets ike-esp-application-set-name; } then { translated { source-pool ike-isp-nat-pool-name; translation-type napt-44; } } } } • Class-of-service (CoS) marking and reclassification for the MS-MICs and MS-MPCs—Starting with Junos Release 14.2R7, the MS-MIC and MS-MPC support CoS configuration, which enables you to configure Differentiated Services code point (DSCP) marking and forwarding-class assignment for packets transiting the MS-MIC or MS-MPC. You can configure the CoS service alongside the stateful firewall and NAT services, using a similar rule structure. [See Configuring CoS Rules.] Software-Defined Networking (SDN) • Support for OpenFlow v1.3.1 (MX Series)—Starting with Junos OS Release 14.2, MX Series routers support OpenFlow v1.3.1. In addition to the OpenFlow v1.0 functionality that is already supported on MX Series routers, OpenFlow v1.3.1 allows the action specified in one or more flow entries to direct packets to a base action called a group. The purpose of the group action is to further process these packets and assign a more specific forwarding action to them. You can view groups that were added, modified, or deleted from the group table by the OpenFlow controller using the show openflow groups command. You can view group statistics using the show openflow statistics groups command. [See Understanding How the OpenFlow Group Action Works.] • OVSDB support (MX Series)—Starting with Junos OS Release 14.2, the Junos OS implementation of the Open vSwitch Database (OVSDB) management protocol provides a means through which VMware NSX controllers and MX Series routers that support OVSDB can communicate. In an NSX multi-hypervisor environment, NSX controllers and MX Series routers can exchange control and statistical information, thereby enabling virtual machine (VM) traffic from entities in a virtual network to be forwarded to entities in a physical network and the reverse. [See Understanding the Open vSwitch Database Management Protocol Running on Juniper Networks Devices and “Product Compatibility” on page 260.] Copyright © 2016, Juniper Networks, Inc. 97 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • OpenFlow v1.3.1 with IPv6 match conditions (MX80 3D Universal Edge, MX240, MX480, and MX960 3D Universal Edge Routers)—Starting with Junos OS Release 14.2R3, the MX80 3D Universal Edge, MX240, MX480, and MX960 3D Universal Edge routers support IPv6 match conditions OFPXMT_OFB_IPV6_SRC and OFPXMT_OFB_IPV6_DST. [See OpenFlow v1.3.1 Compliance Matrix for Devices Running Junos OS.] • OVSDB schema update (MX Series)—Starting with Junos OS Release 14.2R4, the OVSDB schema for physical devices version that is implemented on the MX Series routers is version 1.3.0. In addition, the schema now supports the multicast MACs local table. [See Open vSwitch Database Schema For Physical Devices.] • Destination MAC address rewrites for OpenFlow (MX80, MX240, MX480, and MX960)—Some types of network equipment that function as routers accept and handle packets only if the destination MAC address in the packet is the same as the MAC address of the Layer 3 interface on which the packet is received. To interoperate with these routers, connected devices must also be able to rewrite the destination MAC address of an incoming packet. Starting with Junos OS Release 14.2R6, an OpenFlow controller can configure an MX Series router that supports OpenFlow to rewrite the destination MAC address of an incoming packet. [See Understanding How the OpenFlow Destination MAC Address Rewrite Action Works.] Software Installation and Upgrade • Validate system software against running configuration on remote host—Beginning with Junos OS Release 14.2R5, you can use the on (host host <username username> | routing-engine routing-engine) option with the request system software validate package-name command to verify candidate system software against the running configuration on the specified remote host or Routing Engine. • Validate system software add against running configuration on remote host or routing engine—Beginning with Junos OS Release 14.2R5, you can use the validate-on-host hostname and validate-on-routing-engine routing-engine options with the request system software add package-name command to verify a candidate software bundle against the running configuration on the specified remote host or Routing Engine. Subscriber Management and Services NOTE: Subscriber management is not supported in Release 14.2R6. Although present in the code, the subscriber management features are not supported in Junos OS Release 14.2. Documentation for subscriber management features is included in the Junos OS Release 14.2 documentation set. 98 Copyright © 2016, Juniper Networks, Inc. New and Changed Features • Excluding diameter AVPs from JSRC messages (MX Series)—Starting in Junos OS Release 14.2, you can configure the router to exclude the Diameter user-name (1) AVP from authorization requests and provision requests sent to the SAE (remote SRC peer). [See Excluding AVPs from Diameter Messages for JSRC.] • Support for PPPoE-Description VSA (MX Series)—Starting in Junos OS Release 14.2, you can use Juniper Networks VSA 26-24 (PPPoE Description) when using RADIUS to authenticate subscribers based on the client MAC address. [See Juniper Networks VSAs Supported by the AAA Service Framework.] • DHCP relay agent for clients in different VRF than DHCP server (MX Series)—Starting in Junos OS Release 14.2, subscriber management provides enhanced security when exchanging DHCP messages between a DHCP server and DHCP clients that reside in different virtual routing instances (VRFs). The DHCP cross-VRF message exchange uses the DHCP relay agent to ensure that there is no direct routing between the client VRF and the DHCP server VRF. To exchange DHCP messages between the two VRFs, you configure both the server side and the client side of the DHCP relay to permit traffic based on the Agent Circuit ID (DHCP option 82 suboption 1) in DHCPv4 packets and the Relay Agent Interface-ID (DHCPv6 option 18) in DHCPv6 packets. [See DHCP Message Exchange Between DHCP Clients and DHCP Server in Different VRFs.] • ANCP agent adjustment of downstream data rate and overhead for SDSL, VDSL, and VDSL2 subscriber lines (MX Series)—Starting in Junos OS Release 14.2, you can configure the ANCP agent to provide two independent, adjusted values to CoS for downstream subscriber traffic on frame mode DSL types (SDSL, VDSL, and VDSL2), enabling CoS to more accurately adjust the effective shaping rate for the downstream subscriber traffic. You can specify a percentage value that is applied to the actual, unadjusted data rate received in ANCP Port Up messages. You can also specify a number of bytes that is added to or subtracted from the frame overhead for the traffic. [See Configuring the ANCP Agent to Report Traffic Rates to CoS.] • Concurrent support for PPPoE-over-ATM and IPoE-over-ATM subscriber interfaces on a single ATM PVC (MX Series with MPCs and ATM MICs with SFP)—Starting in Junos OS Release 14.2 for MX Series routers with ATM MICs with SFP installed, you can configure subscriber interfaces for both PPP-over-Ethernet-over-ATM (PPPoE-over-ATM) and IP-over-Ethernet-over-ATM (IPoE-over-ATM) concurrently on a single ATM PVC. The concurrent PPPoE-over-ATM and IPoE-over-ATM configuration supports all features specific to PPPoE-over-ATM interfaces and IPoE-over ATM interfaces, with no changes. To configure concurrent PPPoE-over-ATM and IPoE-over-ATM subscriber interfaces on a single ATM PVC, you configure the ATM logical interface as an IPoE-over-ATM interface by specifying the ether-over-atm-llc encapsulation type. You then use the family pppoe stanza at the [edit interfaces at-fpc/pic/port unit logical-unit-number] hierarchy level to configure PPPoE-over-ATM as a supported family. When the router detects the family pppoe stanza and the IPoE-over-ATM encapsulation, it identifies the configuration as concurrently supporting both PPPoE-over-ATM and IPoE-over-ATM on the ATM PVC. Copyright © 2016, Juniper Networks, Inc. 99 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion [See Configuring Concurrent PPPoE-over-ATM and IPoE-over-ATM Subscriber Interfaces on an ATM PVC.] • Configuration support to change the maximum transmission unit size and maximum receive unit size for PPP subscriber access—To prevent frequent fragmentation and reassembly of Point-to-Point Protocol (PPP) packets, starting in Junos OS Release 14.2, you can configure the PPP maximum transmission unit (MTU) size and the maximum receive unit (MRU) size that is sent during link control protocol (LCP) negotiation for the following PPP subscribers: • PPP over Ethernet (PPPoE) subscribers • PPP over Ethernet over ATM (PPPoE over ATM) subscribers • PPP over ATM (PPPoA) subscribers • Tunneled PPP LAC subscribers • Tunneled PPP LNS subscribers To configure the MTU size for each of the PPP subscribers, include the mtu (size | use-lower-layer) statement, and to configure the MRU size, include the mru size statement at the following hierarchy levels: • For dynamic and static PPP LNS subscribers associated with a group profile—[edit access group-profile group-profile-name ppp ppp-options] • For dynamic PPP subscribers—[edit dynamic-profiles profile-name interfaces pp0 unit “$junos-interface-unit” ppp-options] • For dynamic LNS subscribers—[edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit “$junos-interface-unit” ppp-options] • • For static PPP subscribers—[edit interfaces pp0 unit unit-number ppp-options] • For static LNS subscribers—[edit interfaces si interface-id unit unit-number ppp-options] Support for IP reassembly on an L2TP connection (MX Series routers with MPC3E and MPC4E)—Starting in Junos OS Release 14.2, you can configure the service interfaces on MX Series routers with MPC3E and MPC4E to support IP packet reassembly on a Layer 2 Tunneling Protocol (L2TP) connection. The IP packet is fragmented over an L2TP connection when the packet size exceeds the maximum transmission unit (MTU) defined for the connection. Depending on the direction of the traffic flow, the fragmentation can occur either at the L2TP access concentrator (LAC) or at the L2TP network server (LNS) and reassembly occurs at the peer interface. (In an L2TP connection, a LAC is a peer interface for the LNS and vice versa). You can configure the service interfaces on the LAC or on the LNS to reassemble the fragmented packets before they can be further processed on the network. On a router running Junos OS, a service set is used to define the reassembly rules on the service interface. The service set is then assigned to the L2TP service at the [edit services l2tp] hierarchy level to configure IP reassembly for L2TP fragments. You can view the reassembly statistics by using the show services inline ip-reassembly statistics <fpc fpc-slot | pfe pfe-slot> command. [See IP Packet Fragment Reassembly for L2TP Overview.] 100 Copyright © 2016, Juniper Networks, Inc. New and Changed Features • Global support for LAC forwarding of subscriber line information (MX Series)—Starting in Junos OS Release 14.2, you can configure the LAC to forward subscriber line information and optionally to include the Connection Speed Update Enable AVP (98) for all destinations with the access-line-information statement at the [edit services l2tp] hierarchy level. In earlier releases, you can configure this only on a per-destination basis. Both the global and per-destination configurations are disabled by default. The global and per-destination settings interact in the following way: • Access line information—You can enable forwarding at the global or per-destination level. When forwarding is enabled globally, you cannot disable the global setting for a specific destination. • Connection speed updates—You can enable updates at the global or per-destination level. You can disable the global setting for a specific destination by specifying access-line-information for the destination and omitting connection-speed-update. [See Subscriber Access Line Information Forwarding by the LAC Overview.] • Support for up to 256 L2TP tunnel groups (MX Series)—Starting in Junos OS Release 14.2R5, you can configure and commit up to 256 tunnel groups. In earlier releases, the CLI prevents you from committing the configuration when you create more than 32 groups. System Management • Statement introduced to deny hidden commands—Starting in Release 14.2R4, Junos OS allows users to deny hidden commands to all users except root. To deny hidden commands to all users except root, use the set system no-hidden-commands statement at the edit hierarchy level. User Interface and Configuration • Support for allowing commands in a Junos OS op script (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2, you can specify a regular expression that defines which commands to explicitly allow during execution of a Junos OS op script. The commands that you specify are performed even if a user login class denies that command. The permission to perform commands within a script applies to all users. [See Defining Commands to Allow in an Op Script.] VPNs • Virtual route reflector (VRR)—Starting in Junos OS Release 14.2, you can implement route reflector capability using a general-purpose virtual machine on a 64-bit Intel-based blade server or appliance. Benefits of the VRR are: • Improved scalability (depending on the server core hardware use) • Scalability of the BGP network with lower cost using VRR at multiple locations in the network Copyright © 2016, Juniper Networks, Inc. 101 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • • Fast and more flexible deployment using Intel servers rather than router hardware • Space savings through elimination of router hardware VRF localization (MX Series with MPCs)—Starting with Junos OS Release 14.2, VRF localization provides a mechanism for localizing routes of VRF to specific line cards to help maximize the number of routes that a router can handle. CE-facing interfaces localize all the routes of instance type VRF to specific line cards. If CE-facing interfaces are logical interfaces like AE or RLSQ or IRB, then the line card number has to be configured to localize routes. Core-facing line cards store all the VRF routes. These cards have to be configured as VPN core-facing only or VPN core-facing default. To configure VRF localization, configure the localized-fib configuration statement at the [edit routing-instances instance-name routing-options] hierarchy level and configure vpn-localization at the [edit chassis fpc fpc-slot] hierarchy level. The show route vpn-localization command displays the localization information of all the VRFs in the system. [See Example: Configuring VRF Localization on MX Series.] • Loop prevention in VPLS network due to MAC moves (MX Series)—Starting with Junos OS Release 14.2, the base learning interface approach and the statistical approach can be used to prevent a loop in a VPLS network by disabling the suspect customer-facing interface that is connected to the loop. Some virtual MACs can genuinely move between different interfaces and such MACs can be configured to ignore the moves. The cooloff time and statistical approach wait time are used internally to find out the looped interface. The interface recovery time can be configured to auto-enable the interface that gets disabled due to a loop in the network. To configure these parameters of VPLS MAC moves, include the vpls-mac-move statement at the [edit protocols l2-learning] hierarchy level. The show vpls mac-move-action instance instance-name command displays the learning interfaces that are disabled, in a VPLS instance due to a MAC move. The clear vpls mac-move-action interface ifl-name command enables an interface disabled due to a MAC move. [See Example: Configuring Loop Prevention in VPLS Network Due to MAC Moves.] • Integrating EVPN with VXLAN for Layer 2 data center interconnect (MX Series with MPCs and MICs only)—Virtual Extensible Local Area Network (VXLAN) is a technology that provides intra data center connectivity using a tunneling scheme to stretch Layer 2 connections over an intervening Layer 3 network. The Ethernet VPN (EVPN) technology, on the other hand, provides a solution for multipoint Layer 2 VPN services with advanced multihoming capabilities, using BGP control plane over MPLS/IP network. EVPN provides mechanisms for next generation DCI by adding extended control plane procedures to exchange Layer 2 MAC address and Layer 3 IP address information among the participating Data Center Border Routers (DCBRs). EVPN with its advanced features like active-active redundancy, aliasing, and mass MAC withdrawal helps in addressing the DCI challenges, such as seamless VM mobility and optimal IP routing, thus making it essential to provide VXLAN solutions over EVPN. • 102 Leveraging DPCs for EVPN deployment (MX Series with DPCs)—Starting with Junos OS Release 14.2R3, DPCs can be leveraged to provide support for Ethernet VPN (EVPN) Copyright © 2016, Juniper Networks, Inc. New and Changed Features functionality. Earlier, the EVPN functionality was provided by MX Series routers with MPC and MIC interfaces only. The DPC support for EVPN is provided with the following considerations: • • Related Documentation DPCs provide support for EVPN in the active-standby mode of operation including support for the following: • EVPN instance (EVI) • Virtual switch (VS) • Integrated routing and bridging (IRB) interfaces DPCs intended for providing the EVPN active-standby support should be the customer edge (CE) device-facing line card. The provider edge (PE) device interfaces in the EVPN domain should use only MPC and MIC interfaces. • Overlay ping and traceroute functionality for VXLAN tunnels (MX Series)—Starting in Junos OS Release 14.2R4, two new CLI commands supporting ping and traceroute troubleshooting functionality are provided to debug VXLAN overlay tunnels: ping overlay vni vni-id tunnel-src ip-address-src tunnel-dst ip-address-dst and traceroute overlay vni vni-id tunnel-src ip-address-src tunnel-dst ip-address-dst. Use the ping overlay and traceroute overlay commands to validate and verify the presence of the VXLAN tunnel endpoints within the context of the overlay VXLAN Network Identifier or VXLAN Segment ID (VNI) segment. • EVPN with VXLAN data plane encapsulation (MX Series)—Starting in Junos OS Release 14.2R4, MX Series routers can use EVPN with VXLAN encapsulation to provide Layer 2 connectivity for end stations within a Virtualized Network (VN) created by the Contrail virtualization software. The end stations consist of virtual hosts connected to the virtualized server, and non-virtualized bare metal servers connected to top-of-rack platforms. MX Series routers also function as default gateways for the inter-VN traffic among end stations that belong to different VNs. EVPN is used as a Layer 2 overlay solution to provide Layer 2 connections over the IP underlay for the endpoints within a VN whenever Layer 2 connectivity is required by an end station. • IPv6 support over IRB interfaces for EVPN (MX Series)—Starting in Junos OS Release 14.2R5, the Ethernet VPN (EVPN ) integrated routing and bridging (IRB) solution supports IPv6 and the Neighborhood Discovery Protocol (NDP). NDP is used by IPv6 nodes on the same link to discover each other’s presence, determine each other’s Link Layer addresses, find routers, and maintain reachability information about the paths to active neighbors. IPv6 addresses over IRB for EVPN is supported for unique VLAN EVPN instances and for virtual switches with protocol EVPN instances. • Changes in Behavior and Syntax on page 104 • Known Behavior on page 119 • Known Issues on page 121 • Documentation Updates on page 242 • Migration, Upgrade, and Downgrade Instructions on page 250 Copyright © 2016, Juniper Networks, Inc. 103 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • Product Compatibility on page 260 Changes in Behavior and Syntax This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 14.2R7 for the M Series, MX Series, and T Series. • High Availability (HA) and Resiliency on page 104 • Interfaces and Chassis on page 105 • Layer 2 VPNs on page 106 • MPLS on page 106 • Multicast on page 107 • Network Address Translation (NAT) on page 108 • Network Management and Monitoring on page 108 • IPv6 on page 108 • Layer 2 Features on page 108 • Routing Policy and Firewall Filters on page 109 • Routing Protocols on page 109 • Security on page 111 • Services Applications on page 113 • Subscriber Management and Services on page 116 • User Interface and Configuration on page 118 High Availability (HA) and Resiliency • Enhanced show virtual-chassis heartbeat command (MX Series with MPCs)—Starting in Junos OS Release 14.2, a new state, Detected, has been added to the show virtual-chassis heartbeat command display output. When you configure a heartbeat connection in an MX Series Virtual Chassis, the Detected state indicates that the master Routing Engine in the specified member router has successfully exchanged a heartbeat connection message with the other member router when an adjacency disruption or split occurs in the Virtual Chassis. The Detected state persists until the heartbeat connection is reset, or until the Virtual Chassis forms again and a master router (protocol master) and backup router (protocol backup) are elected. In previous releases, the show virtual-chassis heartbeat command displayed the Alive state for both split and merged Virtual Chassis conditions when a heartbeat message was successfully exchanged between the member routers. As a result, the only way to detect whether a heartbeat connection was in use during an adjacency split or disruption was to check for the Heartbt status in the show virtual-chassis status command. The new Detected state in the show virtual-chassis heartbeat command enables you to use a single command to determine whether or not the heartbeat message was successfully exchanged during an adjacency split. [See show virtual-chassis heartbeat.] 104 Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax • Improved command output for determining GRES readiness in an MX Series Virtual Chassis (MX Series with MPCs)—Starting in Junos OS Release 14.2R3, the request virtual-chassis routing-engine master switch check command displays the following output when the member routers in a Virtual Chassis are ready to perform a graceful Routing Engine switchover (GRES): {master:member0-re0} user@host> request virtual-chassis routing-engine master switch check Switchover Ready In earlier releases, the request virtual-chassis routing-engine master switch check command displays no output to confirm that the member routers are ready for GRES. The output of the request virtual-chassis routing-engine master switch check command has not changed when the member routers are not yet ready for GRES. Interfaces and Chassis • Distributed denial-of-service protection policer added for system log messages (MX Series)—Starting in Junos OS Release 14.2, a new protocol-group policer is available for system log messages. This aggregate policer controls UDP traffic on port 6333, where the system log server runs on a Routing Engine. In a network where the local Routing Engine is the system log server, you can use this policer to control the rate at which system log messages reach the Routing Engine. You can configure values appropriate for your network environment at the [edit system ddos-protection protocols syslog aggregate] hierarchy level. The syslog policer is enabled by default, with a default bandwidth of 2000 packets per second and a default burst of 10,000 packets. • Support for LLDP frames on management interfaces (MX Series)—Starting with Junos OS Release 14.2, LLDP protocol can be enabled on management interfaces (fxp0 and me0) by including the interface interface-name statement or the interface all statement at the [edit protocols lldp] and [edit routing-instances routing-instance-name protocols lldp] hierarchy levels. The outputs of various LLDP show commands have been enhanced to display the LLDP specific local and remote neighbor information on these management ports, if LLDP is enabled on these ports. • Support for auto-10m-100m speed option on Tri-rate MIC (MX Series)— In Junos OS Release 14.2R7, a new option—auto-10m-100m— is introduced (for the speed statement) to allow the fixed tri-speed port to autonegotiate with ports that support a maximum of 100 Mbps or 10 Mbps. When you configure the speed auto-10m-100m statement on the Tri-rate MIC, it advertises only 10 Mbps and 100 Mbps speeds. The MIC then autonegotiates either speed on the basis of peer port advertisement. This option is supported on MX Series routers with Tri-rate MICs (model number: MIC-3D-40GE-TX) only. • Support for fabric self-pings and Packet Forwarding Engine liveness in single-chassis systems (T Series)—Starting in Junos OS Release 14.2R6, T Series single-chassis systems support the fabric self-ping and Packet Forwarding Engine liveness mechanisms to detect fabric degradation and avoid a traffic black hole. If any error is detected by these two mechanisms, the fabric manager raises a fabric degraded alarm and initiates recovery by restarting the FPC. In a single-chassis system, FPC restart is Copyright © 2016, Juniper Networks, Inc. 105 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion enabled by default, unlike in a multichassis system where FPC restart is disabled by default. Layer 2 VPNs • Support for hot standby pseudowire for VPLS instances with LDP (MX Series)—Starting with Junos OS Release 14.2R6, you can configure a routing device running a VPLS routing instance configured with the Label Distribution Protocol (LDP) to indicate that a hot-standby pseudowire is desired upon arrival of a PW_FWD_STDBY status-tlv. Include the hot-standby-vc-on statement at the [edit routing instances routing-instance-name protocols vpls mesh-group mesh-group-name neighbor address pseudowire-status-tlv] hierarchy level. MPLS • Enhanced show ldp database and show ldp overview commands—Starting in Junos OS Release 14.2, the show ldp database command includes a new option and two new output fields that provide enhanced information about LDP label accounting. The command now includes a Labels received field in the Input label database section and a Labels advertised field in the Output label database section. A new option, summary, displays how many labels are received and sent for each LDP session. The show ldp overview command includes a new field, Label allocation, that displays how many LDP labels are allocated, how many are freed, how many have experienced failure, and the number allocated by all protocols. These enhancements enable you to debug label exhaustion events more easily. [See show ldp database.] • Enhanced support for GRE interfaces for GMPLS (MX Series)—Starting in Junos OS Release 12.3R7, on GRE interfaces for Generalized MPLS control channels, you can enable the inner IP header’s ToS bits to be copied to the outer IP packet header. Include the copy-tos-to-outer-ip-header statement at the [edit interfaces gre unit logical-unit-number] hierarchy level. Previously, the copy-tos-to-outer-ip-header statement was supported for GRE tunnel interfaces only. [See copy-tos-to-outer-ip-header.] • Changes to MPLS protection options—In Junos OS releases prior to Release 14.2, you can configure both fast reroute and node and link protection on the same LSP. In Junos OS Release 14.2 and later releases, you can still configure both fast reroute and node and link protection on the same LSP; however, when you attempt to commit a configuration where both features are enabled, a syslog warning message is displayed that states: The ability to configure both fast-reroute and link/node-link protection on the same LSP is deprecated and will be removed in a future release. • 106 Enhanced transit LSP statistics collection—Starting in Junos OS Release 14.2, RSVP no longer periodically polls for transit LSP statistics. This change does not affect the show mpls lsp statistics command or automatic bandwidth operations for ingress LSPs. To enable the polling and display of transit LSP statistics, include the transit-statistics-polling statement at the [edit protocols mpls statistics] hierarchy level. You cannot enable transit LSP statistics collection if MPLS statistics collection Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax is disabled with the no-transit-statistics statement at the [edit protocols mpls statistics] hierarchy level. This issue was being tracked by PR984000. [See statistics.] Multicast • Change to show pim join summary command—Starting in Junos OS Release 14.2, the XML output of the show pim join summary command has changed. The new CLI output introduces an extra XML hierarchy to separate the tags with the same name. user@host> show pim join summary | display xml [snip] <join-family junos:style="summary"> <pim-instance>PIM.master< /pim-instance> <address-family>INET< /address-family> <join-summary-all> <join-summary> <multicast-route-type>(s,g)< /multicast-route-type> <multicast-route-count>1000< /multicast-route-count> </join-summary> <join-summary> <multicast-route-type>(*,g)< /multicast-route-type> <multicast-route-count>2< /multicast-route-count> </join-summary> </join-summary-all> </join-family> [snip]</output> </sample> Copyright © 2016, Juniper Networks, Inc. 107 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Network Address Translation (NAT) • Support for a new option to configure sequential allocation of ports for NAT (MX Series)— Until Junos OS Release 14.1, you could include the port automatic statement at the [edit services nat pool nat-pool- name] hierarchy level without having to use the auto option with the port automatic statement. Although the default method of assignment of ports was sequential (indicated by the auto option), the auto option was not required to be specified. Starting with Junos OS Release 14.2, the sequential option is introduced to enable you to configure sequential allocation of ports. The sequential and random-allocation options available with the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level are mutually exclusive. You can include the sequential option for sequential allocation and the random-allocation option for random delegation of ports. By default, sequential allocation of ports takes place if you include only the port automatic statement at the [edit services nat pool nat-pool-name] hierarchy level. The auto option is hidden and is deprecated in Junos OS Release 14.2 and later, and is only maintained for backward compatibility. It might be removed completely in a future software release. If you upgrade a router running a Junos OS release earlier than Release 14.2 to Release 14.2 and if the router contains the port automatic statement defined without the auto option included with the configuration, the router validates the auto option present in the configuration for sequential allocation of ports. Network Management and Monitoring • Enhancement for SONET interval counter (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2R6, only the Current Day Interval Total output field in the show interfaces interval command for SONET interfaces is reset after 24 hours. In addition, the Previous Day Interval Total output field displays the last updated time in hh:mm. [See show interfaces interval.] IPv6 • IPv6 addresses with padded zeros in MIC or MS-MPC system log messages (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2R4, all system log messages originating from MIC or MS-MPC line cards display padded zeros in IPv6 addresses to make them compatible with MS-DPC line cards. Earlier, the system log messages from MIC or MS-MPC line cards displayed IPv6 addresses with ’::’ instead of padded zeros. Layer 2 Features • 108 Support for configuring MAC move parameters globally (MX Series)—Starting in Junos OS Release 14.2R7, you can configure parameters for media access control (MAC) address move reporting by including the global-mac-move statement and its substatements at the [edit protocols l2-learning] hierarchy level. When a MAC address appears on a different physical interface or within a different unit of the same physical interface and this behavior occurs frequently, it is considered a MAC move. You can Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax configure the router such as to report a MAC address move based on the following parameters: the number of times a MAC address move occurs, a specified period of time over which the MAC address move occurs, and specified number of times a MAC address move occurs in one second. • Support for bridge domain MAC move action in MX104 router—Starting with Junos OS Release 14.2, the enable-mac-move-action statement is supported in MX104 router. Routing Policy and Firewall Filters • New option for show firewall command—Starting in Junos OS Release 14.2, the show firewall command supports a new option, filter regex regular-expression, that enables you to display information about a subset of firewall filters. For regular-expression, include a regular expression that matches the specific names of filters for which you want to display information. Previously, the command only allowed you to display information either about all filters or a specific filter. This enhancement enables devices configured with a very large number of filters to display information about a subset of filters more efficiently. [See show firewall.] • Support for shared firewall filters across multiple routing instances (MX Series routers with MPCs)—Starting in Junos OS Release 14.2, on MX Series routers with Modular Port Concentrators (MPCs) only, you can specify to share one or more firewall filters across multiple routing instances. Multiple firewall filters can be shared only when network services for the device are configured with enhanced IP mode. By default, firewall filters are not shared automatically across multiple routing instances. Include the instance-shared statement at the [edit firewall family protocol-family-name filter filter-name] hierarchy level. You can configure a combination of shared and nonshared filters on the same routing device. This feature can be used with the following protocol families: Bridge, IPv4, IPv6, Layer 2 CCC, MPLS, and VPLS. [See Guidelines for Configuring Firewall Filters.] Routing Protocols • Support for loss-of-continuity check per remote MEP (MX Series)—Beginning with Junos OS Release 14.2, you can specify that Ethernet OAM continuity checks are performed for an individual remote maintenance end point (MEP) by including the detect-loc statement at the [edit protocols oam ethernet connectivity-fault-management maintenance-domain md-name maintenance-association ma-name mep mep-id remote-mep mep-id] hierarchy level. A loss-of-continuity (LOC) defect is declared if no continuity check message is received from the remote MEP within a period equal to 3.5 times the continuity check interval configured for the maintenance association. If this occurs, the show oam ethernet connectivity-fault-management interfaces detail command displays a value of yes for the Remote MEP not receiving CCM defect field. The error also generates a syslog CFMD_CCM_DEFECT_RMEP message. • Support for BFD for IS-IS IPv6 interfaces—Starting in Junos OS Release 14.1R2, bidirectional forwarding detection (BFD) is supported for IS-IS IPv6 interfaces. Include the bidirectional-forwarding-detection statement at the [edit protocols isis interface interface-name] hierarchy level. By default, multiple BFD sessions over a single adjacency Copyright © 2016, Juniper Networks, Inc. 109 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion for IPv4 and IPv6 interfaces that belong to the same IS-IS instance are not automatically created. To enable BFD on IPv4 and IPv6 interfaces configured on the same IS-IS instance, you must also include the new bfd-per-address-family statement at the [edit protocols isis interface interface-name] hierarchy level. When BFD is enabled for both IPv4 and IPv6 interfaces in a single IS-IS instance, a BFD session is created for each protocol family interface. If either the IPv4 or IPv6 session fails, the adjacency is torn down. [See Example: Configuring BFD for IS-IS.] • Introduction of the all keyword to prevent accidental execution of certain clear commands—The all keyword is introduced in Junos OS Release 14.2 (as an optional keyword). This makes users explicitly select the all keyword to clear all protocol or session information. Thus, it prevents accidental clearing or resetting of protocols or neighbor sessions, which might disrupt network operations. The all keyword is introduced for the following clear commands: • 110 • clear arp • clear bgp neighbor • clear bfd adaptation • clear bfd session • clear igmp membership • clear isis adjacency • clear isis database • clear ldp neighbor • clear ldp session • clear mld membership • clear mpls lsp • clear msdp cache • clear multicast forwarding-cache • clear (ospf | ospf3) database • clear (ospf | ospf3) neighbor • clear pim join • clear pim join-distribution • clear pim register • clear rsvp sessions Support for RFC 6996, RFC 7300, and Internet draft-ietf-idr-as0-06—Beginning with Junos OS Release 14.2, RFC 6996, Autonomous System (AS) Reservation for Private Use, RFC 7300, Reservation of Last Autonomous System (AS) Numbers, and Internet draft-ietf-idr-as0-06 are supported. Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax RFC 6996, Autonomous System (AS) Reservation for Private Use, defines the range of the reserved, private AS numbers. The set of reserved 16-bit AS numbers is in the range from 64,512 through 65,535 and the reserved 32-bit AS numbers range from 4200000000 through 4294967294. Even though the use of the last 16-bit AS numbers are reserved, private AS number 65535 is allowed in Junos OS configurations. However, we do not recommend using this restricted AS number. RFC 7300, Reservation of Last Autonomous System (AS) Numbers, and the Internet draft draft-ietf-idr-as0-06 restrict the use of 4-byte AS number 4294967295UL, and AS number 0 in a configuration. When you use these restricted AS numbers, the commit operation fails. [See 4-Byte Autonomous System Numbers Overview.] • BGP hides a route received with a label block size greater than 256—Beginning with Junos OS Release 14.2R2, when a BGP peer (running Junos OS) sends a route with a label block size greater than 256, the local speaker hides the route and does not re-advertise this route. The output of show route detail/extensive hidden/all displays the hidden route and states the reason as label block size exceeds max supported value. In earlier Junos releases, when a peer sent a route with a label block size greater than 256, the routing protocol process (rpd) terminated abnormally. Security • Packet types added for DDoS protection L2TP policers (MX Series with MPCs, T4000 with FPC5)—The following eight packet types have been added to the DDoS protection L2TP protocol group to provide flexibility in controlling L2TP packets: cdn scccn hello sccrq iccn stopccn icrq unclassified Previously, no individual packet types were available for this protocol group and all L2TP packets were policed the same based on the aggregate policer value. The default values for the bandwidth and burst policers for all packet types is 20,000 pps. The default recover-time is 300 seconds for each of the L2TP packet types. • BGP route is hidden when AS path length is more than the configured maximum AS size —Beginning with Junos OS Release 14.1, BGP hides a route when the length of the AS path does not match the number of ASs in the route update. In earlier Junos releases when a route with AS path size over 2048 was advertised, it could cause session flaps between BGP peers because of the mismatch. Therefore, to avoid session flaps, such routes are now hidden by Junos. You can see this behavior when bgp-error-tolerance is configured. If you want BGP to advertise the hidden route to an OSPF neighbor, we recommend to add the AS path statically in the default route configuration. For example: Copyright © 2016, Juniper Networks, Inc. 111 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion [edit routing-instances instance-name routing options] user@host# set aggregate route 0.0.0.0/0 as-path path 1267 • Changes to distributed denial of service (DDoS) protection protocol groups and packet types (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, the following syntax changes have been made: • • Policer The mlp protocol group has been modified as follows to provide DDoS protection with full control of the bandwidth: • The aging-exc, packets, and vxlan packet types have been removed from the mlp protocol group. • The add, delete, and lookup packet types have been added to the mlp protocol group. These packets correspond to the MAC learning command codes. • The keepalive protocol group has been renamed to tunnel-ka. • The firewall-host protocol group and the mcast-copy packet type in the unclassified protocol groups have been removed from the CLI. They are now classified by the internal host-bound classification engine on the line card. Changes to distributed denial of service (DDoS) protection default values for MLP packets (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, the following default bandwidth (pps) and burst (packets) values apply for MLP packets by line card: MPC1, MPC2, MPC5, and MPC6 MPC3, MPC4, and FPC5 Bandwidth Burst Bandwidth Burst aggregate 10,000 20,000 5000 10,000 add 4096 8192 2048 4096 delete 4096 8192 2048 4096 lookup 1024 2048 512 1024 unclassified 1024 1024 512 512 • • 112 Changes to distributed denial of service (DDoS) protection flow detection defaults (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, flow detection defaults to disabled for the following protocol groups and packet type, because they do not have typical Ethernet, IP, or IPv6 headers. Global flow detection does not enable flow detection for these groups and the packet type. • Protocol groups: fab-probe, frame-relay, inline-ka, isis, jfm, mlp, pfe-alive, pos, services. • Packet type: unclassified in the ip-opt protocol group. Changes to show ddos-protection protocols command output (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, when you disable DDoS protection policers on the Routing Engine or on an FPC for a specific packet type, an asterisk is Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax displayed next to that field in the CLI output. For example, if you issue the following statements: user@host# set system ddos-protection protocols mlp lookup disable-routing-engine user@host# set system ddos-protection protocols mlp lookup fpc 1 disable-fpc the fields are marked as in the following sample output: user@host> show ddos-protection protocols mlp lookup Currently tracked flows: 0, Total detected flows: 0 * = User configured value Protocol Group: MLP Packet type: lookup (MLP lookup request) Individual policer configuration: Bandwidth: 1024 pps ... Routing Engine information: Bandwidth: 1024 pps, Burst: 2048 packets, disabled* Policer is never violated Received: 0 Arrival rate: 0 pps Dropped: 0 Max arrival rate: 0 pps Dropped by aggregate policer: 0 FPC slot 1 information: Bandwidth: 100% (1024 pps), Burst: 100% (2048 packets), disabled* Policer is never violated Received: 0 Arrival rate: 0 pps Dropped: 0 Max arrival rate: 0 pps Dropped by aggregate policer: 0 Dropped by flow suppression: 0 Services Applications • Increase in the default rate of transmission of system logs to an external syslog server (MX Series)—Starting with Junos OS Release 14.2 the maximum number of system log messages per second to an external syslog server has been increased from 200,000 to 800,000 logs. • Interoperation of ingress sampling and PIC-based flow monitoring (MX Series)—If PIC-based flow monitoring is enabled on an ms- logical interface, a commit check error occurs when you attempt to configure ingress traffic sampling on that particular ms- logical interface. This error occurs because a combination of ingress sampling and PIC-based flow monitoring operations on an ms- logical interface causes undesired flow monitoring behavior and might result in repeated sampling of a single packet. You must not configure ingress traffic sampling on ms- logical interfaces on which PIC-based flow monitoring is enabled. • Change in support for service options configuration on service PICs at the MS and AMS interface levels (MX Series)—Starting in Junos OS Release 14.2R3, when a multiservices PIC (ms- interface) is a member interface of an AMS bundle, you can configure the service options to be applied on the interface only at the ms- interface level or the AMS bundle level by including the services-options statement at the [edit interfaces interface-name] hierarchy level at a point in time. You cannot define service options for a service PIC at both the AMS bundle level and at the ms- interface level simultaneously. When you define the service options at the MS level or the AMS bundle Copyright © 2016, Juniper Networks, Inc. 113 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion level, the service options are applied to all the service-sets on the ms- interface or AMS interface defined at ms-fpc/pic/port.logical-unit or amsN, respectively. • Generation of mspmand core file for flow control (MX Series routers with MS-MICs and MS-MPCs)—Starting with Junos OS Release 14.2R3, instead of an eJunos kernel core file, the multiservices PIC management daemon core file is generated when a prolonged flow control occurs and when you configure the setting to generate a core dump during prolonged flow control (by using the dump-on-flow-control option). The watchdog functionality continues to generate a kernel core file in such scenarios. • Changes in the format of session open and close system log messages (MX Series routers with MS-MICs and MS-MPCs)—Starting with Junos OS Release 14.2R3, with the Junos OS Extension-Provider packages installed and configured on the device for MS-MPCs and MS-MICs, the formats of the MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log messages are modified to toggle the order of the destination IPv4 address and destination port address displayed in the log messages to be consistent and uniform with the formats of the session open and close logs of MS-DPCs. The following is the modified format of the MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log messages: month date hh:mm:ss syslog-server-ip-address yyyy-mm-dd hh:mm:ss {NAT-type}<MSVCS_LOG_SESSION_CLOSE or MSVCS_LOG_SESSION_OPEN>:App: application, source-interface-name fpc/pic/port\address in hexadecimal format source-address:source-port source-nat-information -> destination-address:destination-port destination-nat-information (protocol-name) The following is an example of the session closure message generated for MS-MPCs and MS-MICs: Nov 26 13:00:07 10.137.159.1 2014-11-26 07:22:44: {Dynamic-NAT-64-SS-NHS-1}MSVCS_LOG_SESSION_CLOSE: application:none, ae4.454 2402:8100:1:160:1:2:d384:463c:36822 [49.14.64.37:12261] -> [141.101.120.14] 64:ff9b::8d65:780e:80 (TCP) 114 • Optional inclusion of Flags in DTCP LIST messages (MX Series)—Starting in Junos OS Release 14.2R3, the Flags field is not a required parameter in the DTCP LIST message. The LIST request is not rejected if the LIST message does not contain the Flags field. If the DTCP LIST message contains the Flags field, the value of that field is processed. If the LIST message does not contain the Flags field, the CRITERIA field parameter is used for the Flags field. • Support for bouncing service sets for dynamic NAT (MX Series with MS-MPCs and MS-MICs)— Starting in Junos OS Release 14.2R2, for service sets associated with aggregated multiservices (AMS) interfaces, you can configure the enable-change-on-ams-redistribution statement at the [edit services service-set service-set-name service-set-options] hierarchy level to enable the service set to be bounced (reset) for dynamic NAT scenarios (dynamic NAT, NAT64, and NAT44) when a member interface of an AMS bundle rejoins or a member interface failure occurs. When a member interface fails, the application resources (NAT pool in the case of dynamic NAT scenarios) and traffic load need to be rebalanced. For application Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax resources to be rebalanced, which is the NAT pool for dynamic NAT environments, the NAT pool is split and allocated by the service PIC daemon (spd). • Changes to distributed denial of service (DDoS) protection protocol groups and packet types (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, the following syntax changes have been made: • • Policer The mlp protocol group has been modified as follows to provide DDoS protection with full control of the bandwidth: • The aging-exc, packets, and vxlan packet types have been removed from the mlp protocol group. • The add, delete, and lookup packet types have been added to the mlp protocol group. These packets correspond to the MAC learning command codes. • The keepalive protocol group has been renamed to tunnel-ka. • The firewall-host protocol group and the mcast-copy packet type in the unclassified protocol groups have been removed from the CLI. They are now classified by the internal host-bound classification engine on the line card. Changes to distributed denial of service (DDoS) protection default values for MLP packets (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, the following default bandwidth (pps) and burst (packets) values apply for MLP packets by line card: MPC1, MPC2, MPC5, and MPC6 MPC3, MPC4, and FPC5 Bandwidth Burst Bandwidth Burst aggregate 10,000 20,000 5000 10,000 add 4096 8192 2048 4096 delete 4096 8192 2048 4096 lookup 1024 2048 512 1024 unclassified 1024 1024 512 512 • • Changes to distributed denial of service (DDoS) protection flow detection defaults (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, flow detection defaults to disabled for the following protocol groups and packet type, because they do not have typical Ethernet, IP, or IPv6 headers. Global flow detection does not enable flow detection for these groups and the packet type. • Protocol groups: fab-probe, frame-relay, inline-ka, isis, jfm, mlp, pfe-alive, pos, services. • Packet type: unclassified in the ip-opt protocol group. Changes to show ddos-protection protocols command output (MX Series, T4000 with FPC5)—Starting in Junos OS Release 14.2, when you disable DDoS protection Copyright © 2016, Juniper Networks, Inc. 115 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion policers on the Routing Engine or on an FPC for a specific packet type, an asterisk is displayed next to that field in the CLI output. For example, if you issue the following statements: user@host# set system ddos-protection protocols mlp lookup disable-routing-engine user@host# set system ddos-protection protocols mlp lookup fpc 1 disable-fpc the fields are marked as in the following sample output: user@host> show ddos-protection protocols mlp lookup Currently tracked flows: 0, Total detected flows: 0 * = User configured value Protocol Group: MLP Packet type: lookup (MLP lookup request) Individual policer configuration: Bandwidth: 1024 pps ... Routing Engine information: Bandwidth: 1024 pps, Burst: 2048 packets, disabled* Policer is never violated Received: 0 Arrival rate: 0 pps Dropped: 0 Max arrival rate: 0 pps Dropped by aggregate policer: 0 FPC slot 1 information: Bandwidth: 100% (1024 pps), Burst: 100% (2048 packets), disabled* Policer is never violated Received: 0 Arrival rate: 0 pps Dropped: 0 Max arrival rate: 0 pps Dropped by aggregate policer: 0 Dropped by flow suppression: 0 • Support for deterministic NAPT (MX Series)—You can configure deterministic port block allocation for Network Address Port Translation (NAPT) on MX Series routers with MS-MPCs or MS-MICs. By configuring deterministic NAPT, you ensure that translation of internal host IP(private IP to public IP and vice versa) is deterministic thus eliminating the need for address translation logging for each connection. To use deterministic port block allocation, you must specify deterministic-napt44 as the translation type in your NAT rule. Subscriber Management and Services NOTE: Subscriber management is not supported in 14.2R6. Although present in the code, the subscriber management features are not supported in Junos OS Release 14.2R6. Documentation for subscriber management features is included in the Junos OS Release 14.2 documentation set. 116 Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax • Locally configured DNS addresses displayed in the result of the test aaa (dhcp | ppp) command (MX Series)—Starting in Junos OS Release 14.2, if RADIUS does not return any DNS addresses, then the output of the test aaa (dhcp | ppp) command includes any locally configured DNS addresses. [See Testing a Subscriber AAA Configuration.] • Support for applying access profiles to DHCP local server and DHCP relay agent—Access profiles enable you to specify subscriber access authentication and accounting parameters. After access profiles are created, you can attach them at the [edit system services dhcp-local-server] hierarchy level on a DHCP local server for DHCP or DHCPv6 subscribers and at the [edit forwarding-options dhcp-relay] hierarchy level on a DHCP relay agent for DHCP or DHCPv6 subscribers, group of subscribers, or group of interfaces. If you configured a global access profile at the [edit access profile profile-name] hierarchy level for all DHCP or DHCPv6 clients on a router that functions as a DHCP local server or a DHCP relay agent, the access profile configured at the [edit system services dhcp-local-server] or [edit system services dhcpv-local-server dhcpv6] hierarchy level on a DHCP local server for DHCP or DHCPv6 subscribers and at the [edit forwarding-options dhcp-relay] or [edit forwarding-options dhcp-relay dhcpv6] hierarchy level on a DHCP relay agent for DHCP or DHCPv6 subscribers take precedence over the global access profile. Configuring an access profile for DHCP subscribers at the DHCP relay agent level or the DHCP local server level provide you with the flexibility and effectiveness of enabling DHCP authentication and accounting for specific subscribers instead of enabling them at a global level. If no access profile is configured at the DHCP relay agent level or the DHCP local server level, the global access profile becomes effective. • Support for processing Cisco VSAs in RADIUS messages for service provisioning—Starting with Junos OS Release 14.2, Cisco VSAs are supported for provisioning and management of services in RADIUS messages, in addition to the supported Juniper Networks VSAs for administration of subscriber sessions. In a deployment in which a customer premises equipment (CPE) is connected over an access network to a broadband remote access gateway, the Steel-Belted Radius Carrier (SBRC) application might be used as the authentication and accounting server using RADIUS as the protocol, and the Cisco BroadHop application might be used as the Policy Control and Charging Rules Function (PCRF) server for provisioning services using RADIUS change of authorization (CoA) messages. Both the SBRC and the Cisco BroadHop servers are considered to be connected with the broadband gateway in such a topology. By default, service accounting is disabled. If you configure service accounting using both RADIUS attributes and the CLI interface, the RADIUS setting takes precedence over the CLI setting. To enable service accounting using the CLI, include the accounting statement at the [edit access profile profile-name service] hierarchy level. To enable interim service accounting updates and configure the amount of time that the router waits before sending a new service accounting update, include the update-interval minutes statement at the [edit access profile profile-name service accounting] hierarchy level. Copyright © 2016, Juniper Networks, Inc. 117 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion You can configure the router to collect time statistics, or both volume and time statistics, for the service accounting sessions being managed by AAA. To configure the collection of statistical details that are time-based only, include the statistics time statement at the [edit access profile profile-name service accounting] hierarchy level. To configure the collection of statistical details that are both volume-time-based only, include the statistics volume-time statement at the [edit access profile profile-name service accounting] hierarchy level. • Specifying the UDP port for RADIUS dynamic-request servers—Starting in Junos OS Release 14.2, you can define the UDP port number to configure the port on which the router that functions as the RADIUS dynamic-request server must receive requests from RADIUS servers. By default, the router listens on UDP port 3799 for dynamic requests from remote RADIUS servers. You can configure the UDP port number to be used for dynamic requests for a specific access profile or for all of the access profiles on the router. To define the UDP port number, include the dynamic-request-port port-number statement at the [edit access profile profile-name radius-server server-address] or [edit access radius-server server-address] hierarchy level. • LAC configuration no longer required for L2TP tunnel switching with RADIUS attributes (MX Series)—Starting in Junos OS Release 14.2R3, when you use Juniper Networks VSA 26-91 to provide tunnel profile information for L2TP tunnel switching, you no longer have to configure a tunnel profile on the LAC. In earlier releases, tunnel switching failed when you did not also configure the LAC, even when the RADIUS attributes were present. • Change to show services l2tp tunnel command (MX Series)—Starting in Junos OS Release 14.2R4, the show services l2tp tunnel command also includes in its display tunnels that have no active sessions. In earlier releases, the command does not display tunnels without any active sessions. User Interface and Configuration • Changed destination file format for transfer-on-commit feature (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2, the format of the destination filename for the transfer-on-commit feature is changed from router-name_juniper.conf.n.gz_YYYYMMDD_HHMMSS to router-name_YYYYMMDD_HHMMSS_juniper.conf.n.gz. [See archive-sites and Using Junos OS to Configure a Router or Switch to Transfer Its Configuration to an Archive Site.] • New warning message for the configurational changes to extend-size (M Series, MX Series, and T Series)—Starting with Junos OS Release 14.2R5, any operation on the system configuration-database extend-size configuration statement such as, deactivate, delete, or set, generates the following warning message: Change in 'system configuration-database extend-size' will be effective at next reboot only. Related Documentation 118 • New and Changed Features on page 65 • Known Behavior on page 119 Copyright © 2016, Juniper Networks, Inc. Known Behavior • Known Issues on page 121 • Documentation Updates on page 242 • Migration, Upgrade, and Downgrade Instructions on page 250 • Product Compatibility on page 260 Known Behavior This section contains the known behavior, system maximums, and limitations in hardware and software in Junos OS Release 14.2R7 for the M Series, MX Series, and T Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • Hardware on page 119 • High Availability (HA) and Resiliency on page 119 • MPLS on page 120 • Network Management and Monitoring on page 120 • Routing Protocols on page 120 • Software-Defined Networking (SDN) on page 120 • Subscriber Management and Services on page 120 • System Logging on page 121 • VPNS on page 121 Hardware • MIC-3D-8OC3-2OC12-ATM Revision 22 is supported only by the following Junos OS releases: • Junos OS Release 12.3—12.3R9 and later • Junos OS Release 13.3—13.3R6 and later • Junos OS Release 14.1—14.1R4 and later • Junos OS Release 14.2—14.2R3 and later • Junos OS Release 15.1 and later You must upgrade to a supported Junos OS release to use MIC-3D-8OC3-2OC12-ATM Revision 22 and later. High Availability (HA) and Resiliency • The MPC5E, MPC5EQ, and MP6E cards do not support unified ISSU on an MX Series Virtual Chassis. • In an MX Series Virtual Chassis configuration, a unified in-service software upgrade (ISSU) from Junos OS Release 14.1 or 14.1R2 to Junos OS Release 14.2 fails with traffic loss. As a workaround, download the latest build of Junos OS Release 14.1R3, which Copyright © 2016, Juniper Networks, Inc. 119 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion contains a fix for this issue, and perform a unified ISSU to this build from Junos OS Release 14.1R1 or 14.1R2. You can then successfully perform a unified ISSU from the latest build of Junos OS Release 14.1R3 to Junos OS Release 14.2 in an MX Series Virtual Chassis. PR1014295 MPLS • If an SRLG is associated with a link used by an ingress LSP in the router, then on deleting the SRLG configuration from that router, the SRLG gets removed from the SRLG table only on the next reoptimization of the LSP. Until then, the output displays Unknown-XXX instead of the SRLG name and a non zero srlg-cost of that SRLG for the run show mpls srlg command. Network Management and Monitoring • On the MX Series, when there is no traffic, the Qdepth statistics output field in the show class-of-service fabric statistics detail command displays count 0 for all the subfields, except the Max count subfield. • On MX Series routers, when you configure multiple prefix lists for endpoint independent filtering, all the prefix lists do not get enabled. As a workaround, to configure multiple prefix lists for endpoint independent filtering, ensure that you use a single commit command to commit the configuration of all the defined prefix lists. If you want to include additional prefixes in the prefix lists, delete all the existing prefix lists and add them again. Routing Protocols • Junos OS displays the configured BGP group description pushed by the remote procedure call (RPC) in the show | compare output even after commit is performed. This occurs due to the use of terminating double quotes in the string inputs, in the RPC XML format. Therefore, as a workaround do not include terminating quotes in strings in any RPC XML configuration to avoid this issue. PR1066084 Software-Defined Networking (SDN) • On MX Series routers running OpenFlow v1.3.1 software, flow statistics show that the packet flow is increasing even when the output port link is down. PR987753 • On MX Series routers running OpenFlow v1.3.1 software, the ADPC might create a core file. Configure enhanced IP network services mode to disable the ADPC. PR988256 Subscriber Management and Services • 120 The show ppp interface interface-name extensive and show interfaces pp0 commands display different values for the LCP state of a tunneled subscriber on the LAC. The show ppp interface interface-name extensive command displays STOPPED whereas the show interfaces pp0 command displays OPENED (which reflects the LCP state before tunneling). As a workaround, use the show ppp interface interface-name extensive command to determine the correct LCP state for the subscriber. Copyright © 2016, Juniper Networks, Inc. Known Issues • On MX Series routers, when you configure the subscriber-awareness statement on a service set by committing the set services service-set service-set-name service-set-options subscriber-awareness statement, the service sessions fail to create. To avoid this issue, on MX Series routers that support the Service Control Gateway solution, ensure that the Junos OS Mobility package software is installed on the router. The Service Control Gateway solution is supported only in 14.1X55 releases. For Junos OS Releases 14.2, and 15.1, ensure that the subscriber-awareness statement is not set. • Subscriber management is not supported when the routing protocol daemon (rpd) is running in 64-bit mode. For subscriber management support, rpd must run in 32-bit mode. System Logging • On MX Series routers, when you configure a rate limit for system log messages by setting the message-rate-limit statement for a multiservices interface, ensure that the syslog host option for that interface is configured. This configuration ensures that the system log statistics reflect the rate limit set for the interface. VPNS • Default export EVPN policy has been removed (MX Series)—Starting in Junos OS Release 14.2R7 and forward, the hidden default EVPN export policy statement (evpn-pplb) has been removed. To enable and configure load balance per packet for EVPN and PBB-EVPN, use the existing policy statements: • set routing-options forwarding-table export evpn-pplb • set policy-options policy-statement evpn-pplb from protocol evpn • set policy-options policy-statement evpn-pplb then load-balance per-packet NOTE: To support EVPN multihoming, you must configure the load-balance per-packet statement. Related Documentation • New and Changed Features on page 65 • Changes in Behavior and Syntax on page 104 • Known Issues on page 121 • Documentation Updates on page 242 • Migration, Upgrade, and Downgrade Instructions on page 250 • Product Compatibility on page 260 Known Issues This section lists the known issues in hardware and software in Junos OS Release 14.2R7 for the M Series, MX Series, and T Series. Copyright © 2016, Juniper Networks, Inc. 121 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • Class of Service (CoS) on page 122 • Forwarding and Sampling on page 122 • General Routing on page 123 • High Availability (HA) and Resiliency on page 128 • Infrastructure on page 128 • Interfaces and Chassis on page 128 • J-Web on page 130 • Layer 2 Features on page 131 • Layer 2 Ethernet Services on page 131 • MPLS on page 131 • Network Management and Monitoring on page 132 • Platform and Infrastructure on page 133 • Routing Protocols on page 135 • Services Applications on page 136 • Subscriber Access Management on page 137 • User Interface and Configuration on page 138 • VPNs on page 138 Class of Service (CoS) • When the egress rewrite rules are assigning to both the underlying interface and the subscriber interface, the rewrite rule applied to the underlying interface may take precedence and the priority values are applied as set at that level, which is wrong. The rewrite rule applied to the subscriber interface should take effect over the underlying interface. PR1058372 Forwarding and Sampling • When VRRP is configured on Trio-based MX interfaces, Static mac entries are installed on Packet Forwarding Engine in the MAC-DB as part of the mac-filter installations. RPF mib-walk triggering a walk over the MAC MIB entry(Walk over the static mac entries with no OIDs) causes the error message. During the walk, it is expected that no entries are read from static mac-db entries, however the EODB is not set to indicate MAC-DB walk has ended. This error log does not have any functional impact on the RPF mib-walk. mib2d[xxx]: MIB2D_RTSLIB_READ_FAILURE: check_rtsock_rc: failed in reading mac_db: 0 (Invalid argument) mib2d[xxx]: SNMP_GET_ERROR1: macStatsEntry getnext failed for interface: index1 ge-*/*/* (Invalid argument) PR1042610 • OID .1.3.6.1.2.1.2.2.1.2 stops responding after upgrading Junos OS from 11.4X27 to 13.3R5.9. PR1072841 • 122 On Trio-based platforms, when the Layer 3 packets destined to an Integrated Routing and Bridging (IRB) interface and then hit the underlying Layer 2 logical interfaces (IFLs), Copyright © 2016, Juniper Networks, Inc. Known Issues due to the egress feature list of the Layer 2 IFLs may get skipped, the features under the family bridge (for example, the firewall filter) on the Layer 2 interfaces may not be executed. PR1073365 • If bandwidth-percent based policer is applied on aggregated Ethernet (AE) bundle without the "shared-bandwidth-policer" configuration statement, traffic will hit policer even if the traffic is not exceeding the configured bandwidth. As a workaround, configure the "shared-bandwidth-policer" configuration statement under the policer. PR1125071 • Firewall filter-list configured of inet and inet6 applied on same ifl under inet and inet6 family input-list. Functionality-wise no issue and the CLI command "run show firewall" shows correct statistics for both filters lists configured for inet and inet6 families. Here the limitation arrived with the day-one implementation of filter-list renaming logic. Both inet and inet6 filter list configured will have the same name, refer to http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/firewal l-filter-option-multiple-listed-overview.html . The system will have two filters with the same name. Due to this, in SNMP MIB will handle only any one of this filter-list stats and report when fetched. Concluding: When input-list/output-list filters applied under different families of same ifl, then only one of the filter-list family counters can be shown in SNMP MIB walk of firewall counter table. PR1173332 General Routing • Loopback filter handling for Openflow Traffic. PR837136 • When both Routing Engines in a dual-Routing Engine system reboot too quickly with GRES enabled, 'ipsec-key-management' process would require a manual restart. PR854794 • On M Series routers, packets are dropped upon setting AE LP discard-data knob, however there is no CLI command to display the drop count. PR876190 • The IFL count is incorrect and will not be repaired until a PIC restart. PR882406 • Kernel messages "SO_RTBL_INDEX " are seen continuously when LDP session is down. The log messages were meant for debugging purpose and are harmless.Messages example: “/kernel: setsocketopts: setting SO_RTBL_INDEX to 0” PR888162 • Checksum error is seen on ICMP reply when 'sequence, data' field in request set to '0'. PR898487 • Minor memory leaks might occur if you add and delete the same multi-VLAN flow on the order of 100,000 such add and delete operations. PR905620 With "chassis maximum-ecmp 64" configured, when there is a route having 64 ECMP LSP next-hops and CoS-based forwarding (CBF) is enabled with 8 forwarding class (64*8=512 next-hops), not all next-hops will be installed on Packet Forwarding Engine due to crossing the boundary in the kernel when number of ECMP next-hops is larger than 309. PR917732 • On Junos OS platform, a license service may crash during license check process. At that time, a core file will be generated by license-check daemon. You may also see multiple core files in the system. PR918682 Copyright © 2016, Juniper Networks, Inc. 123 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • There is a 50 Kpps drop in performance due to addition of new functionality over previous release. PR935393 • In MX Virtual Chassis (MX-VC) environment, the private local nexthops and routes pointing to private local nexthops are sent to Packet Forwarding Engine from master Routing Engine and not sent to slave Routing Engine, then an Routing Engine switchover happens. Now as the new master Routing Engine does not know about such nexthops and routes, they are not cleaned up. When a nexthop with same index is added on new master Routing Engine and sent to Packet Forwarding Engine, the Packet Forwarding Engine might crash due to a stale nexthop. PR951420 • OVSDB/NSX: NSX controller does not delete stale VTEP+MAC information. PR962949 • Traceroute through an interface-services style AMS service-set fails under some configurations. PR966171 • In scale DHCP subscribers scenario (e.g., 54K dual-stack DHCPv4/DHCPv6), graceful Routing Engine switchover (GRES) is configured. If Routing Engine switchover occurs, after that execute the command "root@user> show dynamic-configuration" many times, large-scale DHCP or DHCPv6 subscribers might be terminated. PR968021 • Openflow 1.3: packet was not received on interface after restart firewall daemon. PR969520 • If the ICMP echo response is sent with a wrong sequence number, flow lookup passes and the counter gets incremented, but the packet is discarded by the ICMP ALG. PR971871 124 • Trigger for seeing fabric errors: --------------------------------- Have traffic between 2 FPCs. Offline the destination FPC Result of the trigger: ----------------------- Fabric errors like "Fo: Request timeout errors" will be seen on the source FPC. As the source FPC has outstanding requests to the offlined destination FPC, the requests timeout and hence these errors are seen. These messages are expected. PR971956 • Query port information duration_nsec and duration_sec always shows 0. PR978321 • OVSDB/NSX: nsx switch port still showed up after deactivate interface from routing instance. PR979695 • ovsdb/nsx: traffic still passing when deactivate protocol ovsdb. PR980577 • Flow statistics still show packet increasing when the output port link is down. PR987753 • On devices running OpenFlow 1.3.1, ADPC line cards are not supported. Please configure IP-enhanced network services to disable ADPC line cards. PR988256 • When a MAC moves from one VTEP to another VTEP, it is not learnt behind the new VTEP until the old VTEP ages out this MAC. This will cause traffic for this MAC to black hole until it ages out on the old VTEP. PR988270 • An NSX controller occasionally overrides an existing local MAC with a remote MAC of the same address. If a hardware VTEP in a Junos OS network detects such a condition (that is, it receives a remote MAC from the NSX controller that conflicts (matches) with an existing local MAC), the hardware VTEP in a Junos OS network accepts the remote MAC and stops publishing the local MAC to the NSX controller. PR991553 Copyright © 2016, Juniper Networks, Inc. Known Issues • Some intermediate hostnames that are displayed incorrectly for the MTR (My traceroute) utility with NAPT44. Traceroute utility works fine. PR1008088 • On MX Series routers with MPC3E, MPC4E, MPC5E, MPC6E, Junos OS does not support short (sub-second) interface hold-time down configuration. So, a hidden configuartion statement is introduced to ignore DFE tuning state during hold-down timer period. This configuration statement allows sub-second hold-down timer on MPC3E, MPC4E, MPC5E, MPC6E. set interfaces <intf name> hold-time up <U ms> down <D ms> alternative The configuration statement does not work/support 'MPC5E 3D Q 2CGE+4XGE' and 'MIC6 2X100GE CFP2 OTN', and we recommend configuring hold-time down to be more than 3 seconds for these two cards. PR1012365 • In BGP MVPN RPT-SPT mode, on an egress PE with an interface with static IGMP v2 configured and directly connected IGMP v2 hosts, the IGMP reports can be treated as multicast data packets by Packet Forwarding Engine and it can trigger data events (IIF-MISMATCH) that can create undesirable (S,G) states. These states are usually harmless but, in a high scale, can result in resource utilization. It is worth noting that in BGP MVPN RPT-SPT mode, directly connected receivers and senders are not officially supported for other reasons (due to lack of SPT-Switch capability). PR1021501 • On Offline/Online cycle of a 40GE QSFP card, a 40GE interface port's Physical Link might remain down. Few events which will result into the Offline/Online cycle of a 40GE QSFP card are router reboot, FPC reboot, or chassis-control restart or 40GE Card offline request followed by a 40GE Card online request. PR1026088 • When using large configs with many BGP peers and a high level of logging, RPD scheduler slips may be logged in the syslog messages file. PR1028608 • On MPC5E card, the drops on ingress are unaccounted when executing CLI command "show interfaces extensive". After configuring the "no-flow-control" knob, the drops are visible. PR1037632 • When ps interface is configured using as anchor interface a logical tunnel (lt) interface without explicit tunnel-bandwidth configuration (under 'chassis fpc <fpc-number> pic <pic-number> tunnel-services' configuration hierarchy), the ps interface is created only in kernel, but not on Packet Forwarding Engine. In order to have ps interface in Packet Forwarding Engine, an explicit tunnel-bandwidth configuration is required. PR 1042737 removes this restriction, and a ps interface may be anchored to an lt interface without explicit tunnel-bandwidth configured. PR1042737 • On dual Routing Engine platform, when performing unified graceful Routing Engine switchover (GRES) or graceful restart (GR) on the device, due to the fact that some part of the code may not be executed on Routing Engine, the Routing Engine may get into DB prompt state. PR1052330 • In configurations with IRB interfaces, during times of interface deletion, such as an FPC reboot, the Packet Forwarding Engine may log errors stating "nh_ucast_change:291Referenced l2ifl not found". This condition should be transient, with the system re-converging on the expected state. PR1054798 • Log message that request upgrade of VSC8248 firmware of MPC3/MPC4 is displayed during Junos upgrade. PR1058184 Copyright © 2016, Juniper Networks, Inc. 125 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • With inline L2TP IP reassembly feature configured, the MX Series routers with MPCs/MICs might crash due to a memory allocation issue. PR1061929 • On MX routers with MPC2E-3D-NG/MPC3E-3D-NG/MPC5/MPC6 line cards, the Ethernet frame loss measurement (ETH-LM) feature does not work. PR1064994 • Wrong byte count was seen in the ipfix exported statistics packets for mpls flows . This issue is taken care of now . PR1067084 • Class 4 (32W) Optics are not supported on MPC4E (2CGE+8XGE). Upon insertion and removal of a Class 4 optic, the TX laser will remain powered-off, even when a supported optic is inserted. PR1068269 • ICMP echo_reply traffic with applications like IPsec will not work with the MS-MIC and MS-MPC cards in an asymmetric traffic environment since these cards employ a stateful firewall by default. The packet will be dropped at the stateful firewall since it sees an ICMP Reply that has not matching session. PR1072180 • During ISSU on MX-VC working as an LAC, few HELLO packets from LNS will go unanswered, which might cause L2TP tunnel to get torn down. PR1074991 • In scaled subscriber management environment (for example, 3.2K PPPoE subscribers), after heavy login/logout, the session setup rate keeps decreasing and also PAP-NAK messages are sent with "unknown terminate code". This continues untill Broadband Network Gateway (BNG) does not accept PPP sessions and all newly incoming sessions are stuck in PAP Authentication phase (no PAP ACK received). PR1075338 • The Trio-based line card might reboot immediately after restarting l2tp daemon at L2TP network server (LNS) during login/logout of scaled (e.g., 10k) L2TP clients. PR1082321 • Memory leaks will be seen with jnx_msp_jbuf_small_oc object, upon sending millions of PPTP control connections[3-5M] alone @ higher CPS[> 150KCPS]. This issue is not seen upto 50K control connections @ 10K-30K CPS. PR1087561 • There is a bug about expansion memory usage computation. It does not account for freed memory. So the displayed expansion memory usage is higher than the real expansion memory usage. As displayed expansion memory usage reaches over the configured threshold (in this case, the threshold is 95%), subscribers are denied to come up. As a workaround, we could disable the resource monitoring throttling feature to avoid possibility incorrect expansion memory usage. PR1090733 • Dynamic vlan ifl is not removed with 'remove when-no-subscriber' configuration. PR1106776 • 126 MX1 MX2 \ / spine switch layer / \ TOR1 TOR2 With EPVN VXLAN configured on TOR and MX running Junos OS software and spine switches configured for IBGP to GW layer and ebgp to TOR layer, no-nexthop-change is typically configured on spine switch (as the switch doesn't participate in EVPN and is part of the IP underlay) and VTEP tunnels are established between TOR and MX devices. If this knob is changed on spine switch, spine switch will announce itself to be the EVPN protocol next-hop and new VTEP tunnels will be setup between MX/TOR to spine switch, but the old VTEP tunnels between TOR and MX won't be deleted. It is not expected that the status of knob will be changed on spine switch as it doesn't have L2 state to support forwarding. Fixing Copyright © 2016, Juniper Networks, Inc. Known Issues this symptom would also add complexity to routing control plane, hence there's no plan to fix it. PR1114809 • The entire set of prefix list needs to be committed in one go. In case new prefix needs to be added on the fly, all the prefix lists needs to be re-added after deletion so that all prefix lists are honored. PR1124165 • In some cases at high pps, the CPU utilization reported in the output of the "show services service-sets summary" command may fluctuate but there is no impact to functionality. PR1127433 • SIP-ALG: In SIP Session, RTCP packets from the public get dropped. This issue is due to the return flow from the outside triggered session which will conflict with inside triggered session (forward flow). The workaround is to trigger outside traffic first (initiate RTCP packet from from outside at first). PR1137615 • ALG-SIP64: SIP session fails when the IPv4 SIP Client in public network initiates sip call with the IPv6 SIP client in the private network PR1139008 • 5M PPTP control + Data sessions are not supported on PIC. CPU's are busy with closing sessions and going to Prolong Flow control mode. CPU throttling can control incoming session rate but can't control teardown session rate. We can say that we don't support these scale values. Note : We have tested 2M-4M PPTP control + Data sessions test few times for 48 hours and the PFC cores were not seen with those tests. PR1140832 • MX routers with MPC3E NG hardware prior to 15.1 will see cosmetic messages like: Feb 1 11:55:41.799 JTAC-re0 : %PFE-3: fpc3 IFFPC: 'IFD Ether uint8 set' (opcode 54) failed Feb 1 11:55:41.882 JTAC-re0 : %PFE-3: fpc3 ifd 312; Ether uint8 set error (7) Feb 1 11:55:41.954 JTAC-re0 : %PFE-3: fpc3 MIC: unknown option 207, ifd 312/xe-3/0/8, cmic_eth_uint8_set .. upon commit of changes to [edit interfaces] configuration. This issue was fixed for MPC4E hardware under PR/1097262, but is not going to be fixed for MPC3E. PR1157861 • When a NAT pool is shared among multiple terms, and if "address-pooling paired" is enabled only in few of those terms (not all), it leads to traffic drop. So, for all terms sharing a NAT pool, either all of them should have address-pooling paired configured or none of them should have it configured. PR1161623 • Traffic may drop during Routing Engine switchover. PR1164107 • NAT64 service-set:Port block efficiency and Unique pool users stats displays incorrect value when NAT POOL is modified dynamically with CGNAT traffic for the particular term in the NAT-rule. PR1177244 • CGNAT-NAT64: Few port leak are observed for the EIM/EIF IPv4 traffic(2M sessions) from public side. PR1177679 • The number of nat-logs generated and the service-set syslog stats does not match. Service-set stats "show services service-sets statistics syslog service-set <name>”. PR1177706 • NAT64: Source-prefix filtering and protocol filtering of the CGNAT sessions are incorrect For example show services sessions extensive protocol udp source-prefix <0:7000::2> displays incorrect filtering of the sessions. PR1179922 Copyright © 2016, Juniper Networks, Inc. 127 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • CGNAT-NAT64:All the members of the AMS bundle crashes upon running Ipv6 TCP stack scrambler + isic6 + mix of ALG [HTTP+FTP] + DNS64 traffic with NAT64 configured. PR1183503 • Source-address based Filter Based Forwarding is used under forwarding-options to steer the packets towards AMS bundle in the Vodafone configuration. When we remove the from source-address condition from the filter, the reverse traffic gets looped back into the AMS bundle. Under this condition, Prolonged Flow Control cores are seen. We do have from source-address configured in the SFW rule, which should have dropped the packets, which are getting looped back into the AMS bundle, but, this is not happening, even though SFW functionality works as expected for other packets. PR1192184 • CGNAT NAT mappings and ports are not cleared after SIP session timeouts for the SIP spoofed traffic and SIP scaled traffic, and very few ports not released for the scaled traffic of 10-20K SIP sessions. PR1187965 • Ingress queuing configuration on MPC2ENG is leading to host loopback wedge due to some bug in the code specific to MPC2ENG; there is a mis-programming in the Junos code for the lookup chip for this type of card. PR1189800 High Availability (HA) and Resiliency • During a router hardware upgrade procedure, in a dual Routing Engines system, the newly installed Routing Engine (RE) may overwrite the other Routing Engine configuration with the factory default configuration. As a result, both Routing Engines may boot up in "Amnesiac" mode. PR909692 Infrastructure • The 'show system memory' command does not work on 64-bit systems. The implementation requires the use of loadable kernel module to gather data. This module has known issues and has been the root cause of numerous kernel panics. In addition the pmap utility which provides the data for the CLI has known, rare, crashes on 32-bit kernels. In the case when the pmap utility crashes, no information will be reported by the CLI. PR883953 • With 64-bit image, when activate the Network Time Protocol (NTP) configuration with system date set prior to 1981, negative value from ntpd process results in wrong time settings instead of Real-time clock (RTC), and the router might crash. PR1056669 Interfaces and Chassis 128 • During an Routing Engine switchover in which OAM-AH (LFM) is configured, the peer router may see syslog entries which indicate an LFM session new state of up. These logs are harmless, however rightfully cause concern that the LFM session had dropped, which is not the case. PR775616 • Routing Engine might panic and go to db prompt when a member link of an Aggregated Ethernet (AE) bundle is moved out of the bundle and the links are configured separately in it in a single commit. PR892129 Copyright © 2016, Juniper Networks, Inc. Known Issues • For a VRRP interface, if illegal speed is configured (for example 100M is configured to a GE-only interface), there is possibility that the virtual IP addresses for VRRP will be removed from the master VRRP router at commit. PR901803 • Kernel crash may happen when a router running a Junos install with the fix to PR 937774 is rebooted. This problem will not be observed during the upgrade to this Junos install. It occurs late enough in the shutdown procedure that it shouldn't interfere with normal operation. PR956691 • When AE interface is made down, VRRP sessions over that AE does not move to init state directly in case of scaled configuration. This is because delay in "interface down" VRRP session detects adjacency down first and moves to master state. Subsequently when interface down is reported VRRP session moves to init state. PR959672 • The VRRP version change is a catastrophic event. Runtime change in VRRP version may result in significant amount of traffic drop, duplication of packets, false state change alarm, etc. Changing version on a production router is not advisable. PR960395 • On MX Series router, in rare condition, the kernel might crash and the router will go in db prompt when router reboots. PR993978 • On MX Series-based line cards, in virtual private LAN service (VPLS) environment, the next hop in the kernel allocated by connectivity-fault management process (cfmd) may not be freed even after the CFM session has been removed (for example, deactivating the routing-instance). In this situation, after re-activating the routing-instance, the interface within the routing instance would fail to come up because the nexthop is not freed by the cfmd application and hence the VPLS connection is down. PR1000060 • On dual Routing Engine platforms, when adding the logical interfaces (IFLs) and committing, due to the device control process (dcd) on the backup Routing Engine might fail to process the configuration and keep it in the memory. In some cases (not happening all the time), it might be observed that the memory of the dcd keeps increasing on the backup Routing Engine. PR1014098 • On MX Series platform with large-scale PPPoE subscribers (more than 60k) connected, PPP client process (jpppd) might crash and generate core files when performing Routing Engine switchover. PR1018313 • ISSU is not supported for VRRP sessions running over LT interface. For minimum impact on traffic during upgrade, user should move the mastership to peer router and then issue an upgrade. PR1030945 • When configuring MX Virtual-chassis system, pace the creation of VCP ports. PR1052821 • During subscriber login/logout, the following error log might occur on the device configured with GRES/NSR: “/kernel: if_process_obj_index: Zero length TLV! /kernel: if_Packet Forwarding Engine: Zero length TLV (pp0.1073751222)” PR1058958 • Whenever the MIC 10x 1GE(LAN) SFP is offlined, there may be times when the certain PCI ERROR messages are seen as part of the messages. This happens if the PCI thread is running and thread_yield() is invoked when the MIC is being offlined. These error messages are expected due to the thread_yield. These messages are harmless and shouldn't affect the PCI access once the MIC is brought online. PR1067083 Copyright © 2016, Juniper Networks, Inc. 129 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • The following debug message can be seen on the log, but is harmless and no action needs to be taken: “/kernel: pp0.102132231: ENTERED: calculate_ppp_mru with lower_mru (1492) ppp_local_mtu = 1492 ppp_cfg_mru = 0 , lower_max_mtu = 9016 , pppoe_rwlen = 24, pppoe_ifl_l2hdr_len = 0” PR1074765 • In a VPLS scenario with specific CE mesh group configured, after a Routing Engine restart or Routing Engine master switchover, the flood NH for the mesh group might not be programmed properly. A complete black-holing for the VPLS instance would be seen as a consequence. PR1087293 • Deactivating/activating logical interfaces may cause BGP session flapping when BGP is using VRRP VIP as source address. This is caused by a timing issue between dcd and VRRP overlay file. When dcd reads the overlay file, it is not the updated one or yet to be updated. This results in error and dcd stops parsing VRRP overlay file. PR1089576 • To ensure that the router or switch is reachable for management purposes while it boots or if the routing protocol process fails to start properly, we can configure a backup router, which is a router that is directly connected to the local router or switch (that is, on the same subnet) through its private management interface (for example, fxp0 or me0). When a backup router running IPv6 and a static route to reach the management network are configured, some invalid IPv6 routes are added to default forwarding-table on the master or the backup Routing Engine (RE). PR1100981 • In PPPoE subscriber management environment, when dynamic VLAN subscriber interfaces are created based on Agent Circuit Identifier (ACI) Information, the subscribers might unable to log in after reboot FPC with syslog "Dropping PADI due to no ACI IFLSET". PR1117070 • In Dynamic PPPoE subscriber management scenario, when the system is overloaded with requests coming, the subscribers might fail to log in in a race condition. PR1130546 • The jpppd process might crash and restart due to a buffer overwrite. The jpppd process restart results in a minimal impact of system and subscribers. All connected subscribers remain connected and only subscribers are attempting to connect at time of process restart would need to retry. PR1132373 • jpppd core at SessionDatabase::getAttribute() from Ppp::LinkInterfaceMsOper::getLowerInterfaceType(). PR1165543 J-Web 130 • When you open a J-Web interface session using HTTPS, enter a username and a password, and then click the Login button, the J-Web interface takes 20 seconds longer to launch and load the Dashboard page than it does if you use HTTP. PR549934 • When the J-Web interface is launched using HTTPS, the time shown in the View Events page (Monitor >Events And Alarms > View Events) differs from the actual time in the switch. As a workaround, set the correct time in the box after the J-Web interface is launched. PR558556 Copyright © 2016, Juniper Networks, Inc. Known Issues Layer 2 Features • In a high-scale VPLS configuration, modification of a tunnel interface through a restart or reconfiguration may cause the packet processing engine to access an invalid interface, resulting in minor packet loss and logging of packet processing engine traps. Existing traffic flows on the Packet Forwarding Engine are not affected. The router recovers quickly and normal operation resumes with the new configuration. PR976972 • When "input-vlan-map" with "push" operation is enabled for dual-tagged interfaces in "enhanced-ip" mode, there is a probability that the broadcast, unknown unicast, and multicast (BUM) traffic may be blackholed on some of the child interfaces of the egress Aggregated Ethernet (AE) interfaces or on some of the equal-cost multi-path (ECMP) core-links. PR1078617 Layer 2 Ethernet Services • When Routing Engine instructs the FPC to delete a next-hop (NH) which involving PFH or Packet Forwarding Engine internal interface, the FPC might crash. PR928230 • When using Link Aggregation Control Protocol (LACP) link protection to protect a single link in the Aggregated Ethernet (AE) bundle, the lacpd process might crash upon the configuration changes to AE or LACP. PR1078184 MPLS • Given a Point-to-Multipoint branch LSP, the value of jnxMplsTeP2mpTunnelTotalUpTime is reported incorrectly after a new instance of the branch LSP is re-signaled at the ingress. PR543855 • When a firewall filter is set on Bidirectional Forwarding Detection (BFD) remote side egress direction to block the incoming packet in local router point of view , and then after the firewall filter is deleted, the BFD session might stuck in "Init" state and the remote state is "Down". PR860951 • IPv6 traceroute may not show some hops for scenarios where 1) two LSPs are involved. 2) INET6 shortcuts are enabled. In such scenarios, hops that are egress for one LSP and ingress for the next LSP in the traceroute do not show up. This was a software issue with ICMP error handling for packets with IPv6 payload having a ttl of 1. PR899283 • If 'edit->protocols->mpls->traffic-engineering' knob is configured, then the user cannot downgrade from a 14.2 release to a pre-14.2 release. In order to downgrade, the user is required to delete the "traffic-engineering” stanza and re-configure it after downgrade. PR961717 • The traffic loss occurs after link up as the old path used for LDP P2MP LSP is not loop-free. So the traffic loss occurs till the new LDP P2MP branch is established on the new best path with mLDP signaling. This is caveat for LDP P2MP make before break. It works only if the old path is not torn down due to IGP route changes. This can be solved by using mLDP over RSVP tunneling feature. PR1017032 • When "soft-preemption" is enabled on ingress router and the preemption is configured with "aggressive" option to preempt RSVP sessions whenever bandwidth is lowered or a new higher-priority session is established, if one LSP is established over AE Copyright © 2016, Juniper Networks, Inc. 131 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion (aggregation Ethernet) interface, in case of link failure to cause the bandwidth insufficient at the ingress, the CSPF is not triggered, owing to missing data in TED, to establish a new path for more than 30 seconds and eventually the LSP is hard preempted. PR1030586 • When using "mpls traffic-engineering bgp-igp-both-ribs" with LDP and RSVP both enabled, CSPF for inter-domain RSVP LSPs cannot find the exit ABR when there are 2 or more such ABRs. This causes inter-domain RSVP LSPs to break. RSVP LSPs within same area are not affected. Workarounds are: run RSVP only on OSPF ABR or ISIS L1/L2 routers and switch RSVP off on other OSPF area 0/ISIS L2 routers; or don't use LDP at all, use only RSVP. PR1048560 • Execution of "clear ldp neighbor all" command may end up with error "error: timeout communicating with routing daemon" and cause task scheduler slip in a scaled LDP setup. Traffic loss will be observed. PR1092532 • LDP route delete is always communicated to resolver before resolver unresolves BGP nexthop via LDP tunnel. In this particular scenario which seems to stress the Junos routing deamon, LDP route delete happens but resolver is yet to know about it. And resolver access the deleted LDP route entry. This leads resolver to access LDP route pointer that is already freed and leads to RPD core. PR1097642 • These benign error messages can be ignored. The Junos OS code will be cleaned up to remove these messages in later code. PR1136033 • In a p2mp LSP setup, such that an ingress LER is running a pre-14.1R1 image and the egress is running a post-14.1R1 image, the p2mp LSP may not come up. In such a situation the provided workaround (to be enabled on the egress router), allows the p2mp LSP to come up. PR1160549 Network Management and Monitoring 132 • In rare cases, when the mib2d process attempts connection with the snmpd process and there are pending requests waiting to be finished, the mib2d process might crash and the CPU utilization is high around the same time as the crash happens. PR1076643 • Eventd uses event library for Signal handling. This core dump is due to a race-condition / synchronization issue in event library while handling signals. Event library is not signal safe and thus it is vulnerable to such issues. Eventd handles different kinds of Signals (Through Signal Handlers) - SIGHUP (On Commit), - SIGTERM (On killing eventd) SIGCHLD (On termination of event script execution) - SIGUSR1 & SIGUSR2 (on log rotation) If one signal handler is preempted by another signal-handler, then it can mess up WaitList structures (and this can cause core-dump). This can happen when eventd received a new signal, when it was processing another signal. This situation may not happen every-time and hence we see this core-dump rarely. PR1122877 Copyright © 2016, Juniper Networks, Inc. Known Issues Platform and Infrastructure • Adaptive load-balance functionality is only supported for unicast traffic. If the aggregate bundle contains logical interfaces for bridge or vpls domains, flooded traffic might get dropped. PR821237 • CLI command 'show route forwarding-table' would only display <= 16 ecmp paths when CBF is used. PR832999 • When scripts are synchronized from one Routing Engine to the other, the destination for the scripts in the other Routing Engine should be based on the configuration on the other Routing Engine. This issue prevents this from happening and destination for scripts depends on the current Routing Engine from which the scripts were synchronized instead of the configuration on the other Routing Engine. PR841087 • The audit daemon (auditd) is the daemon which handles system accounting events and tries to send them out to configured RADIUS servers. If there is any problem in sending these accounting records to RADIUS (In this case RADIUS servers is unreachable or disconnecting frequently), auditd will spend more time on each accounting record because of the retries, and during this time if there are many accounting events, all those records will be in queue. And at one point of time, queue exceeds its limit and hence auditd crashes. PR863697 • Kernel messages "SO_RTBL_INDEX " are seen continuously when LDP session is down. The log message were meant for debugging purpose. It is harmless message. < messages example > /kernel: setsocketopts: setting SO_RTBL_INDEX to 0 PR888162 • Checksum error is seen on ICMP reply when 'sequence, data' field in request set to '0' PR898487 • When there is huge logical interface (IFL) scaling on AE (500 or more) with more than 32 member links and when all FPCs are restarted one by one, followed by member link addition to the link aggregation group (LAG), the state dependency evaluation in the kernel will take a long time given the scale involved, causing the FPCs not getting all the states from the Routing Engine (RE). This is a pretty uncommon sequence of events/conditions to happen and the likelihood of this happening in the field is very remote. PR938592 • On MX Series platform, while configuring the option 125, CLI does not accept all the hexadecimal characters. PR965368 • A defect in L3VPN Make Before Break code was resulting in freeing memory corresponding to old nexthops which is being used by egress Packet Forwarding Engine. This was resulting in memory corruption. PR971821 • In the dual Routing Engine’s scenario, the backup Routing Engine does not sync up the configuration change while deleting an inactivated interface from the master. So after the operation, the inactivated interface still exists on the backup Routing Engine. PR991081 • The overhead values need to be represented with 8 bits to cover the range "-120..124", but the microcode is only using the last 7 bits. PR1020446 Copyright © 2016, Juniper Networks, Inc. 133 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • The rate-limit value does not match between Routing Engine and Packet Forwarding Engine. PR1023809 • When upgrading from 13.3R3 to 14.2, users may notice a tnetd core after the upgrade. This core file is harmless and does not affect operation of the platform or software in any way. PR1025287 • MSDPC-HTTP redirect stops working. PR1039849 • Once the Traffic Offload Engine (TOE) thread is stalled due to memory error at the lookup chip, all statistics collection from the interfaces hosted by this Packet Forwarding Engines are not updated anymore. PR1051076 • Under very rare situations, Packet Forwarding Engines on the following linecards, as well as the compact MX80/40/10/5 series, may stop forwarding transit traffic: 16x10GE MPC - MPC1, MPC2. This occurs due to a software defect that slowly leaks the resources necessary for packet forwarding. Interfaces handled by the Packet Forwarding Engine under duress may exhibit incrementing 'Resource errors' in consecutive output of 'show interfaces extensive'. A Packet Forwarding Engine reboot via the associated linecard or chassis reload is required to correct the condition. PR1058197 • On MX Series router with frame-relay (FR) CCC to connect FR passport devices. If some of the FR circuits carry traffic without any valid FR encapsulations, the MX Series based Packet Forwarding Engine drops those frames. PR1059992 • Prior to the fix, Juniper VSA length above 2K bytes is not supported. Using authorization parameters above this length would result in wrong authorization setting for the user. PR1072356 134 • On Trio-based line cards, when the firewall filters with prefixes are configured, the heap memory leak issue might be observed. PR1073911 • When deleting some uncommitted configuration on active Routing Engine, the rpd process on backup Routing Engine might restart due to "Unable to proceed with commit processing due to SIGHUP not received. Restarting to recover". PR1075089 • In XM based multi LU systems (MX platform with MPC3E/MPC4E/MPC5E/MPC6E/NG-MPC3/NG-MPC2 or T4000 with T4000-FPC5-3D linecard), we have multiple LUs representing the same Packet Forwarding Engine complex, we designate the BFD processing to a dedicated LU (LU 0), called as anchor LU, the rest of the LUs (LU 1, LU 2, LU 3) are called non-anchor LUs. When the Inline BFD packets punts from non-anchor LU to the anchor LU, it does not have the 'interface-group' populated in the packet context, so the packets might not be matched by related filter term. PR1084586 • When the large scale firewall filter (e.g., with 10K terms on input/output) is configured on either FPC5 or MPC3/4/5/6, traffic drop may occur due to allocation limit. PR1093275 • Preventing an issue where one could end up with two junos:comment entries under the [interfaces] stanza. PR1102086 • The kernel next-hop acknowledgement timeout maximum interval configured (krt-nexthop-ack-timeout) under the CLI hierarchy "routing-options forwarding-table" Copyright © 2016, Juniper Networks, Inc. Known Issues has been increased to 400 seconds to avoid performance issues with scaled subscribers. PR1102346 • Improved VTY commands to show internal JNH memory usage. PR1103660 • On Trio-based platform, in MX Series Virtual Chassis (MXVC) environment, if the subscriber logical interface (IFL) index 65793 is created (for example, when carrying 15K DHCPv4 subscribers to exceed IFL index creation 65793) and the IEEE 802.1p rewrite rule is configured (for example, using CoS rewrite rules for host outbound traffic), due to usage of incorrect IFL index, the Virtual Chassis Control Protocol Daemon (vccpd) packets (for example, Hello packets) transmission may get lost on all VC interfaces, which may lead to VC decouple (split brain state, where the cluster breaks into separate parts). As a workaround, either delete the rewrite rule (delete class-of-service host-outbound-traffic ieee-802.1 rewrite-rules), or find the IFL in jnh packet trace that is not completing the vccpd send to other chassis and at Routing Engine clear that subscriber interface may resolve the issue. PR1105929 • In the Trio base linecard environment with inline sampling service, after FPC reboot, in rare condition, the traffic forwarding might get affected as the PFEMAN SRRD thread consumes high CPU in this case continuously. PR1141814 • On ungraceful exit of telnet (quit/shell logout), perm and env files created by pam were not deleted. PR1142436 • The jtree will corrupt which will cause router can't forward traffic after interface flaps when OSPF LFA is configured and no load-balance policy is configured. PR1169468 Routing Protocols • BFD triggered local-repair(RLI9007) not initiating immediately on receiving BFD DOWN packet when the peer has detected the BFD session as down through control expiry. PR825283 • The multicast nexthop (show multicast nexthop) shown for Master and Backup Routing Engine for the same flow could be different if the nexthop is hierarchy MCNH. When doing NSR switch, however, there is no traffic loss caused by this show difference. PR847586 • When a new bidirectional RP is configured after the RPF to the RP has been resolved, PIM won't receive a RPF change event. Hence, the RPF interface won't be added to the multicast route incoming interface list. The traffic forwarding might be affected. PR939823 • In a BGP scenario with IPv4 and IPv6 neighbors co-exist in the same group, if all of the IPv4 peers flap but none of the IPv6 peers flaps, a timing issue might happen that one of the IPv4 peers comes up before inet.0 RIB is cleaned up. As a result, the routing protocol daemon (rpd) crash will be seen. PR986272 • There was a bug in the code path for 'show route resolution' which was causing an extra decrement of the refcount in the show handling. This was causing an early free of some shared object and hence causing a crash. PR995170 Copyright © 2016, Juniper Networks, Inc. 135 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • On MX Series router, when a instance type is changed from VPLS to EVPN, and in the same commit an interface is added to the EVPN instance, the newly added EVPN interface might not be able to come up. PR1016797 • When configuring router in RR mode (cluster-id or option B MP-eBGP peering), the advertise-external feature will not be applicable in local VRFs due to a different route selection/advertisement process (main bgp.l3vpn.0 vs VRF.inet.0). PR1023693 • The static/static access routes pointing to an unnumbered interface are getting added in the routing table even if the interface is down. In this case, if graceful Routing Engine switchover (GRES) is disabled, this type of routes will never be added in routing table after Routing Engine switchover. PR1064331 • Junos OS exhibits two different next-hop advertisement behaviors for MP_REACH_NLRI on a multi-hop eBGP session, based on whether it is loopback peering or physical interface peering. When the routers are peering on their loopback, only the global IP of the interface (lo0) is advertised, whereas when the routers are peering through the physical interface, both global and link-local address are advertised as the NHs. PR1115097 • When multiple addresses are configured on an interface, if the interface has "interface-type p2p" configured under OSPF and the router does not receive any OSPF packets from one of the IFAs, the OSPF state will not go down for the corresponding adjacency. It should have no impact on route learning, but it might cause confusion for troubleshooting, when peering with Cisco devices, which have multiple addresses configured as secondary addresses. PR1119685 • Generate route doesn't inherit the next-hop from the contributing route in L3VPN case when the contributing route is learnt via MP-BGP. The next-hop remains as reject for the generated route. PR1149970 • In dual Routing Engines scenario with NSR and PIM configuration, when backup Routing Engine handling mirror updates about PIM received from the master Routing Engine, it will delete the PIM session info from its database. But due to a software defect, a leak of 2 memory blocks (8 or 16 byte leaks) will occur for every PIM leave. If the memory is exhausted, the rpd process might crash on backup Routing Engine. There is no impact seen on the master Routing Engine when the rpd cores on backup. PR1155778 • Inet6.1 table is removed from the router. PR1183419 Services Applications • The SIP ALG does not recognize or translate the rare 'rtcp' attribute in the SDP payload, as a consequence non-sequential RTP and RTCP ports are not supported. The RTP flow will be unaffected, not so for the RTCP control flow. PR880738 • Performance degradation of 8% is observed on the maximum packet per second supported of jflow records exported. PR949965 and PR950101. • When transferring large FTP file, the server might send packets with incorrect layer 4 checksum. If inline NAT service is enabled on the router, it might transit the packets to client instead of dropping them, which eventually causes the client FTP time out. PR972402 136 Copyright © 2016, Juniper Networks, Inc. Known Issues • In the NAT environment, the jnxNatSrcPoolName OID is not implemented in jnxSrcNatStatsTable. PR1039112 • With scaling Layer 2 Tunneling Protocol (L2TP) sessions (for example, 128k sessions), when executing L2TP "show" command in one terminal and "clear" command in another terminal simultaneously, pressing Ctrl-C or closing the terminal on one terminal might cause the jl2tpd process crash. PR1063207 • With majority of L2TP subscribers log in with invalid credentials (75% of new login requests are invalid), low call setup rate (CSR) will be observed for the good login attempt subscribers. PR1079081 • If l2tp is configured under access-group hierarchy, during commit or commit check operation, the pppd process might crash (the configuration could commit successfully). It might result in a minimal impact of system, and it will restore automatically. As a workaround, please configure the same under the access profile client hierarchy. PR1108024 Subscriber Access Management • On BNG router, When the router is processing session "idle timeout", the following error message might be seen: “./../../../../src/junos/usr.sbin/authd/acc/authd_aaa_acc.cc:1273 Failed to process the Idle Timeout for session-id:10” Please note it will not affect any services. PR1041654 • When using Neighbor Discovery Router Advertisement (NDRA) and DHCPv6 prefix delegation over PPPoE in the subscriber access network, if a local pool is used to allocate the NDRA prefix, when the CPE send DHCPv6 solicit message with both Internet Assigned Numbers Authority (IANA) and Identity Association Prefix Delegation (IAPD) options, the subscriber might get IPv6 prefix from the NDRA pool but not the delegated pool. As a workaround, the CPE should send DHCPv6 solicit message with only IAPD option. PR1063889 • Subscriber is not coming up when Cisco AVPair VSA value is returned in Radius ACCESS-ACCEPT packets in certain scenarios. PR1074992 • On MX Series platform, when using the DHCPv6 prefix delegation over PPPoE, if the RADIUS allocates a DHCPv6 pool name during the authentication of subscribers and "on-demand-ip-address" feature is enabled in a dynamic-profile, the prefixes may not be cleared by authentication process (authd) after disconnecting the subscribers. PR1108038 • For scenarios that are not in a Layer 3 wholesale network environment, we can configure "duplication-vrf" to send duplicate accounting records to a different set of RADIUS servers that reside in either the same or a different routing context. After Routing Engine switchover, the duplicate accounting feature stops working for existing subscribers. PR1121524 • In subscriber management environment with AAA authentication, after a few rounds of login/logout, some dynamic PPPoE subscribers might get stuck in configured (AuthClntLogoutRespWait) state. PR1127823 Copyright © 2016, Juniper Networks, Inc. 137 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion User Interface and Configuration • Selecting the Monitor port for any port in the Chassis Viewer page takes the user to the common Port Monitoring page instead of the corresponding Monitoring page of the selected port. PR446890 • On the J-Web interface, Configure > Routing> OSPF> Add> Interface Tab is showing only the following three interfaces by default: - pfh-0/0/0.16383 - lo0.0 - lo0.16385. To overcome this issue and to configure the desired interfaces to associated ospf area-range, perform the following operation on the CLI: - set protocols ospf area 10.1.2.5 area-range 12.25.0.0/16 - set protocols ospf area 10.1.2.5 interface fe-0/3/1 PR814171 • On HTTPS service, J-web is not launching the chassis viewer page at Internet Explorer 7. PR819717 • On configure->clitools->point and click->system->advanced->deletion of saved core context on "No" option is not happening at J-Web. PR888714 • Basic value entry format error check is not present in Configure-->Security-->IPv6 Firewall Filters, but the same is present in IPv4 Firewall Filters. But it will throw error when try to commit the wrong format data entered. PR1009173 VPNs Related Documentation 138 • (Refer to release note of PR 535844) Future releases of Junos OS will modify the default BGP extended community value used for MVPN IPv4 VRF Route Import (RT-Import) to the IANA-standardized value. Thus, default behavior will change such that the behavior of the configuration 'mvpn-iana-rt-import' will become the default and the 'mvpn-iana-rt-import' configuration will be depricated. PR890084 • In a multi-homed source topology in NG-MVPN (applicable to both inter-AS and intra-AS scenario), there are two problems: The first problem is Multicast (S, G) signaling doesn't follow RPF. When the routing table (mvpninstancename.inet0) has two routes, due to the policy configuration, the best route to the source is via the MPLS core, but Multicast (S, G) PIM join and NG-MVPN Type 7 both point to inactive route via local BGP peer. The second problem is when "clear pim join instance NG" is entered, the multicast forwarding entries are wiped out. PR1099720 • New and Changed Features on page 65 • Changes in Behavior and Syntax on page 104 • Known Behavior on page 119 • Resolved Issues on page 139 • Documentation Updates on page 242 • Migration, Upgrade, and Downgrade Instructions on page 250 • Product Compatibility on page 260 Copyright © 2016, Juniper Networks, Inc. Resolved Issues Resolved Issues This section lists the issues fixed in the Junos OS main release and the maintenance releases. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • Resolved Issues: 14.2R7 on page 139 • Resolved Issues: 14.2R6 on page 153 • Resolved Issues: 14.2R5 on page 171 • Resolved Issues: 14.2R4 on page 195 • Resolved Issues: 14.2R3 on page 216 • Resolved Issues: 14.2R2 on page 234 Resolved Issues: 14.2R7 General Routing • DPD may not work with link-type IPSec tunnels when NAT is present between the IPSec peers. Even when NAT is not present between the IPsec peers, the issue can occur with lesser probability. PR895719 • In MX Virtual Chassis (MX-VC) environment, the private local next hops and routes pointing to private local next hops are sent to thePacket Forwarding Engine from master Routing Engine and not sent to slave Routing Engine, then an Routing Engine switchover happens. Now, as the new master Routing Engine does not know about such next hops and routes, they are not cleaned up. When a next hop with same index is added on new master Routing Engine and sent to Packet Forwarding Engine, the Packet Forwarding Engine might crash due to a stale next hop existing. PR951420 • An EVPN with support for inter-subnet routing using an irb interface may experience a crash and restart of rpd, leaving a core file for analysis. In this case, EVPN MAC routes contain MAC+IP, and this IP/32 is installed in VRF table on egress router. Core is triggered in the IP/32 route installation flow. There is no special trigger point- it's a timing issue with basic irb configurations. PR992059 • The L2ald may crash after interface flap. PR1015297 • In IP security (IPsec) VPN environment, after performing the RE switchover, the traffic may fail to be forwarded due to the SAs may not be downloaded to the PIC, or due to some security associations (SAs) on the PIC may incorrectly hold references for old Security Policy Database (SPD) handles while SPD has deleted its entries in the Security Association Database (SAD). PR1047827 • PCE-initiated LSPs are less preferred than locally configured LSPs. After this issue is fixed, PCE-initiated LSPs will have same preference as locally configured LSPs. PR1075559 • Junos OS runs PKId for certificate validation. When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer Copyright © 2016, Juniper Networks, Inc. 139 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion certificate is treated as valid. This may allow an attacker to generate a specially crafted self-signed certificate and bypass certificate validation. Refer to JSA10755 for more information. PR1096758 140 • If NSR (nonstop routing) is enabled and a TCP session is terminated while there is still data in the socket pending transmission, the MBUF (kernel memory buffer) used to store this data might not get deallocated properly. In order to hit this issue the TCP session must use NSR active socket replication. If the system runs low on MBUF memory, the kernel will automatically throttle down memory allocation on low priority applications and ultimately, if there is no MBUF left, the system could become unresponsive due to its inability to serve I/O requests. PR1098001 • On MX Series routers where MS-MIC or MS-MPC is inserted, certain combinations of fragmented packets might lead to an MS-MIC or MS-MPC coredump. PR1102367 • In rare condition, after Routing Engine switchover, - the MPC PIC might offline, and some error messages might be seen. - at times chassisd on Routing Engine goes to continuous coring makes unit unusable as none of interfaces come up. Root cause: After Routing Engine switch over chassisd fail to get proper status of the FPCs and cores due to insufficient IDEEPROM read times. PR1110590 • If a static or protocol learned route points to a set of interfaces effectively resulting in static route pointing to a unilist nexthop, it is possible that the selector weights may not be initialized correctly resulting in traffic drop. You can mitigate this issue by deactivating and then activating the static route configuration. PR1120370 • For scaled configuration, it may take too much time for commit and session gets hung because there is an unnecessary check to see if family Ethernet-switching co-exists with family bridge for all interfaces having bridge configuration. PR1122863 • RPD crash might be seen during deletion of address family on an interface while rpf check is configured. PR1127856 • The speed konb auto-10m-100m allows to auto negotiate the speed maximum to 100mbps. PR1155196 • CE in an EVPN setup which has no-mac-learning or is otherwise forwarding traffic upstream to MX's in an Active/Active EVPN configuration will see split horizon broken by the MX PE which has the MAC as DRC status. PR1156187 • After MIC "MIC-3D-4OC3OC12-1OC48" reboot, we might see below logs filling syslog message : router-re0 fpc2 cc_mic_sfp_is_present:????????????????????????????????????????????????????? ?????????????????????????^^??^P-sM-^T^S?? - Device is not SFP type router-re0 fpc2 cc_mic_sfp_periodic: Link 0 SFP - plugged in. router-re0 fpc2 cc_mic_sfp_is_present:????????????????????????????????????????????????????? ?????????????????????????^^??^P-sM-^T^S?? - Device is not SFP type [LOG: Err] cc_mic_sfp_is_present:????????????????????????????????????????????????????? ?????????????????????????5?x??l?8 - Device is not SFP type [LOG: Err] cc_mic_sfp_is_present:????????????????????????????????????????????????????? ?????????????????????????5?x??l?8 - Device is not SFP PR1156353 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Given an active BGP multipath route with 2+ Indirect-Next-Hops and another BGP route which can participate in protocol independent multipath with router-next-hop, rpd might crash if the interface on which first member of Indirect-Next-Hop resolves goes down. PR1156811 • A previous enhancement to strengthen the VC-Heartbeat message exchange resulted rejecting messages at the crucial time of determining the health of the other VC member when all adjacency links fail. Validation of messages has been adjusted to remain strong when the VC is connected, but relaxed during the split conditions to prevent rejecting valid messages. PR1157383 • On MX Series platform supporting MPC3E or MPC4E type MPC, the single-hop BFD session configured under a routing-instance (RI) can flap intermittently. The problem would be seen when the main-instance loopback firewall filter discards/rejects the BFD packets OR has term to accept only BFD packets from neighbors configured under main instance. In both scenarios, the BFD session packets coming on routing-instance will be wrongly matched to main-instance loopback filter and gets discarded. With the fix of this issue, this situation is avoided and BFD session packets from routing-instance will be matched with the correct RI loopback filter (if configured). Note: In case there is no RI loopback interface configured, then BFD packets are matched against main-instance loopback filter. PR1157437 • From Junos OS Release 13.2R1 and later, Packet Forwarding Engine interfaces on Trio-based line cards might remain down after performing "request system reboot both-routing-engines " or "restart chassisd" several times. Reboot the FPC might restore it. PR1157987 • RPD may crash after EVPN was configured when extra bits in the ESI label extended community are set besides the single-active bit PR1158195 • On MX Series platform, when MPC experiences a FATAL error, it gets reported to the chassisd daemon. Based on the action that is defined for a FATAL error, the chassisd will take subsequent action for the FATAL error. By default, the action for FATAL error is to reset the MPC. When the MPC reports FATAL error, chassisd will send offline message and will power off the MPC upon the ACK reception. However, if MPC is in busy state for any reason, the ACK doesn't come in time and hence there would be a delay in bringing down the MPC. The fix ensures to bring down the MPC in time upon FATAL error. PR1159742 • Software OS thread on the line card is doing a busy loop by reading the clock directly from hardware, Sometimes it seems the thread is getting wrong values from HW register and waiting forever in the busy loop. After the busy loop crosses a certain time period, the line card crashes and reboots. This is a rare condition. PR1160452 • The Router Lifetime field is set to 0 in the first Routing Advertisement sent from LNS back to PPPoE subscriber. PR1160821 • Upon receiving some specific packets, a compute CPU of the MS-MIC/MS-MPC will stop refreshing the inactivity-timeout of sessions despite receiving traffic matching them. As a result, an affected session will be removed when the inactivity-timeout time has expired. PR1161040 Copyright © 2016, Juniper Networks, Inc. 141 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • The VCCPD_PROTOCOL_ADJDOWN system log message does not include a 'reason' string to explain why the virtual chassis adjacency was terminated. This information will now be present in the message. PR1161089 • Default EVPN policy in junos-defaults for mx-series is removed. This was used to enable per packet load-balance for EVPN routes. Now per-packet load balance needs to be configured explicitly. PR1162433 • Interfaces routing status message xxx.xxx.xxx.xxx <Up Broadcast Multicast Localup> may be reported on an interface that is not associated with the config change, such as bridge-domain addition. It should be reported only if there is any change in the IFL parameters. This is an info(6) level message for debug purpose, so we can safely ignore the cosmetic problem. rpd[xxx]: %DAEMON-6: EVENT Flags ge-1/0/4.0 index 371 10.180.230.8/24 -> 10.180.230.255 <Up Broadcast Multicast Localup> rpd[xxx]: %DAEMON-6: EVENT Flags irb.110 index 326 10.9.17.254/22 -> 10.9.17.255 <Up Broadcast Multicast Localup> rpd[xxx]: %DAEMON-6: EVENT Flags irb.190 index 373 10.9.53.254/22 -> 10.9.53.255 <Up Broadcast Multicast Localup> PR1162699 • From Junos OS Release 14.1X51-D75, 15.1F4, and 15.2IB, if deactive interface, in rare condition, due to a software defect, NH is getting deleted, while there are still routes pointing to it, which leads to inconsistent states in Packet Forwarding Engine. The MPC might crash or traffic blackhole. PR1164101 • On MX Series router with MPC3/4/5/6/7E/8E/9E linecard, neither low-light warning nor alarm work on these linecards with 10G or 100G interfaces. When using JAM image, NG-MPC are affected as well. This is optics or fiber issue, no critical service impact. PR1168589 142 • When MS-MPC is used, if any bridging domain related configuration exists (e.g. "family bridge", "“vlan-bridge"”, "“family evpn", etc), in some cases, continuous MS-MPC crash hence traffic loss may occur. PR1169508 • Adding keyword 'fast-filter-lookup' to existing filters of an input or output filter list may result in failure to pass traffic. To avoid this issue, the filter list should first be deactivated then the filters updated with a the keyword 'fast-filter-lookup; then the filter list activated. PR1170286 • If the "no-cell-share" configuration statement under the chassis stanza is activated on MPC3, MPC4, MPC5, or MPC6 cards, the Packet Forwarding Engine will only be able to forward about 62Gbps versus ~130Gbps and causing fabric queue drops. PR1170805 • The fan speed logic does not operate correctly once PEM on MX104 platforms does automatically shuts down due to over-temperature protection. The fan speed moves back to speed normal. It takes more time for PEM to cool down and come back online automatically with fan at normal speed. PR1174528 • Storm control feature is not working on MX104 platform. In Packet Forwarding Engine, associated filters and vty commands are not visible as well. It works on other MX Series platforms. PR1176575 • On dual Routing Engine system, if master Routing Engine is running Junos OS 13.3R9/14.1R7/14.2R5/15.1R3/15.2IB or later, backup Routing Engine is running Junos OS prior to 13.3R9/14.1R7/14.2R5/15.1R3/15.2IB, a major alarm is raised. This is cosmetic and can be safely ignored. Please upgrade backup Routing Engine to the same release Copyright © 2016, Juniper Networks, Inc. Resolved Issues with master RE to avoid the issue. user@router> show system alarms 2 alarms currently active Alarm time Class Description 2016-xx-xx xx:xx:xx UTC Major PEM 1 Not OK 2016-yy-yy yy:yy:yy UTC Major Host 1 failed to mount /var off HDD, emergency /var created <<<<<<<<<<<<<<< PR1177571 • In a rare error scenario krt_q_entry of flow route is freed without dequeuing it from the queue. This has been fixed via software change. PR1178633 • In EVPN A/S mode, IFL mark down programming at the Packet Forwarding Engine on the BDF gets removed causing traffic loops. PR1179026 • [EVPN] Active-Active IP4 L3 session with CE over IRB Flaps. PR1179105 • On 10x10GE(LAN/WAN) SFPP PIC, when the port is configured with WAN PHY mode, the CoS configuration on the port will be incorrectly programmed and it might result in unexpected packet drop. PR1179556 • In the CGNAT CLI show service alg conversations fails to display parent session status for ALG conversations. PR1181140 • When "dynamic-tunnels" is configured with configuration statement "gre", performing Routing Engine switchover might result in rpd crash. PR1181986 • If a bridge domain (BD) is created within an Ethernet VPN (EVPN) instance with type of virtual-switch but its VLAN ID is not added to the extended vlan list, the BD works in local switching mode only. When the BD's VLAN ID is then later added to the extended vlan list, there might be a chance that the update is not properly replicated to the routing protocol daemon (RPD) and therefore the EVPN database doesn't properly learn local or remote MAC addresses. PR1182215 • Fragmented ALG control traffic is not supported on the MS-MPC. PR1182910 • With NAT translation-type as napt-44, a few sessions are getting stuck upon deactivating/activating service-set or corresponding applications at a few times with traffic running. The same symptom is seen upon deactivating/activating service-set with traffic running and with 'deterministic-napt44' translation type as well. PR1183193 • In EVPN environment, the rpd might crash when a bridge-domain within an EVPN virtual-switch instance for VLAN X is deleted from the configuration when a trunk interface which is part of the same instance still has VLAN X present in the vlan-id-list. The core files can be seen via command "show system core-dumps" root@PE1> show system core-dumps -rw-rw---- 1 root field 4974891 May 18 03:24 /var/tmp/rpd.core-tarball.0.tgz PR1183570 • With BGP add-path and consistent-hash enabled, when a BGP learnt route prefix with multiple paths(next-hop) is installed in the forwarding-table, all the next-hops should be reachable/resolvable at the time of installing the route in the forwarding-table. However, there might be a chance that any of the next-hops are not resolvable at that time, which will lead Packet Forwarding Engine's incorrect route programming. In this case, traffic forwarded to this prefix will be affected. PR1184504 • When ams-interface is configured in warm-standby mode without adding any members, configuration commit will lead to rdd core. PR1185702 Copyright © 2016, Juniper Networks, Inc. 143 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • AMS redundant interfaces not listed under possible-completions of operational commands. PR1185710 • ksyncd crash might be seen with GRES due to kernel replication error. PR1186317 • The command "request system reboot both-routing-engines local' on VC-Mm will reboot only one Routing Engine on an MX-VC, with this fix, it will reboot both Routing Engines of local chassis. In addition, this fix also removes the "set virtual-chassis member <n> role line-card" configuration option on an MX-VC because this option is not supported on MX-VC as designed. PR1188383 • In rare cases, a logical IRB interface (irb.x) might refer to a wrong MAC address when sending unicast IPv6 neighbor solicitation (NS) (a packet type of IPv6 Neighbor Discovery Protocol) to verify the reachability of a neighbor. The NS messages will with a wrong source MAC address, result in the neighbor discard the packet and IPV6 neighborship goes to an unreachable state. Note: - Neighbor Solicitations are multicast when the node (host or router) needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. For the first release of IRB supported product, please refer to the following link: https://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=2219 =Integrated+routing+and+bridging+(IRB) PR1191086 • Memory leak in variable-sized malloc block leading to RPD crash due to "out of memory". PR1198165 Class of Service (CoS) • When customers delete an IFL from an interface-set that has CoS applied to it and activate CoS profile directly on that IFL in one single commit, commit fails with an error. Commit goes through if they do it one by one, delete IFL from interface set, commit and then activate CoS on that IFL, commit. PR1169272 Forwarding and Sampling 144 • The configuration statement "interface-mac-limit" might be set to default value when activating "mac-table-size" on a VPLS routing instance. Restarting l2ald, reapplying the "interface-mac-limit" or changing to another value (set interface ge-3/1/0.0 interface-mac-limit 510) fixes the issue. user@router> show vpls statistics | match count Current MAC count: 0 (Limit 1024) << set to default value 1024 instead of the value set by interface-mac-limit PR1025503 • On MX Series router with "network-services enhanced-ip" configuration. When firewall daemon first come up as part of the system reboot, it could not read the chassis network-service configuration statement from the kernel, which is expected. After so many read retries, firewall daemon has to choose the default chassis network-service IP mode. When the interface description change is committed, firewall reads the chassis network-service configuration statement again. If it reads successfully, the firewall daemon has to restart itself because the chassis network-service is enhanced-ip mode. When firewall daemon is restarted, the openFlow connections get dropped. PR1035956 • On MX Series routers, a change of policers or counters to an existing firewall filter using physical-interface-filter or interface-specific configuration statements will not be correctly detected by MIB2D. PR1157043 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Configuration container [protocols] [l2-learning] [global-mac-move] is made visible. The functionality under it are already supported but the command was hidden till now. PR1160708 • After upgrading by using ISSU, as part of bring-up procedure, mib2d will initialize connections to FPC Packet Forwarding Engines ( packet forwarding engines ). It might start querying states from Packet Forwarding Engine while the connection is not ready yet. This failure will cause the connection to reinitialize again. Thus this can form sort of loop which can cause memory and CPU cycle usage to grow. As a result, it causes mib2d to crash. PR1165136 • Commit gives error as follows when apply-groups is configured under bridge domain. error: Check-out failed for Firewall process (/usr/sbin/dfwd) without details. PR1166537 • This issue will be seen only when there are huge number of routes having different BGP NHs pointing to the same AS. Depending on the number of routes pointing to AS paths and also the difference in BGP NHs in the routes can shoot up the srrd (Sampling Route-Record Daemon) CPU consumption. In the real network this issue might not be seen often, as the number of AS paths will be huge and the routes referring these AS paths will be usually distributed among the AS paths. Even if the routes are pointing to the same AS, the impact would be lesser than the one seen in this scenario. PR1170656 • When polling SNMP counters for Trio-Only firewall filters, MIB2D_RTSLIB_READ_FAILURE cosmetic error messages might get reported in syslog. PR1173057 • statistics-service daemon (pfed) experiences constant memory leak of 10 KB every 2 minutes when MobileNext package is installed: > show version Model: mx480 Junos: 14.1X55-D30.10 JUNOS Base OS boot [14.1X55-D30.10] <...> JUNOS MobileNext Routing Engine Software [14.1X55-D30.10] <<< this package PR1174193 • Even if packets don't match firewall filter conditions, wildcard mask firewall filter might match any packets. << Sample config >> ------------------------------------------------set firewall family inet filter TEST-filter term TEST1 from destination-address 0.0.0.255/0.0.0.255 <<<<<< set firewall family inet filter TEST-filter term TEST1 then count TEST1 set firewall family inet filter TEST-filter term TEST1 then discard set firewall family inet filter TEST-filter term TEST2 then accept ------------------------------------------------- This is discard filter for /24 prefix broadcast address. However it might discard other packets. PR1175782 • In EVPN/VXLAN environment, while Layer2 Address Learning Daemon (l2ald) is processing MAC Routes during re-sync (whenever l2ald gets restarted) with kernel, if MAC Route has stale information, it needs to be deleted by l2ald and then by the kernel. Due to a software defect, there is no check for ifl validation, if ifl is invalid (which could be due to several reasons such as config change), the l2ald process might crash, traffic forwarding might be affected. PR1176177 • SRRD(Sampling Route-Record Daemon) process doesn't delete routes when the DELETE is received from RPD in few configuration cases. This results in build-up of memory in SRRD daemon and once SRRD reaches the limit, it crashes and restarts itself. This happens only when one certain family is not configured on all of the FPC clients (e.g. FPC with inline jflow enabled or PIC with PIC-based sampling enabled is Copyright © 2016, Juniper Networks, Inc. 145 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion one client). For example, only IPv4 family is configured in all the clients and, IPv6 and MPLS families are not configured for sampling in any of the clients. PR1180158 • FPC offline could trigger Sampling Route Record (SRRD) daemon restart. PR1191010 High Availability (HA) and Resiliency • The rtsock message length that was sent by ksyncd to kernel via rtsock was incorrectly set to ipc length. PR1052425 • Right after all FPC complete their upgrade, the kernel (on the VC-Mm) closes its connection to ksyncd (on the VC-Bm) since it has received a message "invalid IPC type 20". This disconnect causes ksyncd to restart, it then cleans all kernel state in the VC-Bm and starts the replication process. This causes the timer for waiting for the VC to become GRES ready (after FPC upgrade) to expire and abort the ISSU. PR1163807 • When configure the "nonstop-routing" under one group and apply this group to routing-options configuration hierarchy, sometimes the NSR does not work. As a workaround, please configure the "nonstop-routing" directly under the routing instance hierarchy. PR1168818 Infrastructure • RPD stuck on high CPU utilization when executing 'show route multicast' CLI with Invalid Option and RPD stops responding to any management requests. PR1027891 • In scaling setup (in this case, there are 1000 VLANs, 1000 Bridge Domains, 120 IRB interfaces, 120 VRRP instances, BGP and IGP), if the routing protocols are deactivated and activated, there might be a chance that the pending route stats are not cleaned up, which will cause the stats infra to have stale pointers and lead to memory corruption in socket layers. The system might go to db prompt because of this. All the traffic going through the router will be dropped. PR1146720 Interfaces and Chassis 146 • In affected releases, the following cosmetic alarms are seen after reseating the clocking cables: 2015-11-13 05:22:56 UTC Major CB 0 External-A LOS 2015-11-13 05:22:56 UTC Major CB 0 External-B LOS PR1152035 • SONET interface on MIC-3D-1OC192-XFP does not count input error correctly. While hardware counts framing error, runts and giants but input error in 'show interface extensive' command reports runts and giants only. PR1154268 • When a Routing Engine (RE) experiences a media block error, the RE will try to switch mastership immediately due to this software defect. The switch-over attempt happens even on a single RE system which in this case will cause all FPCs to reset. PR1168494 • If an interface configured with VRRP is removed from a routing-instance to global, or from global to a routing-instance, the IFLs of that interface will be deleted and recreated. In ideal cases as the interface gets deleted, VRRP should move to bringup state; when the interface is created again, VRRP goes to previous state. After this, VRRP should get VIP addition notification from kernel and update VRRP state and group id for VIP. However, in race conditions, VRRP might get VIP addition notification from kernel even before the interface creation event happens. If so, VRRP will never be able to update Copyright © 2016, Juniper Networks, Inc. Resolved Issues proper VRRP state and group id. So the VIP will reply for the ARP with an incorrect MAC ending with "00", while the correct MAC should end with the groups id configured. PR1169808 • In previous release, only IEEE classification is supported for CFM OAM packets. In the fix, we will support 802.1AD based filter for CFM OAM packets. when Linktrace and loopback requests are received in MX, 802.1p bits is used to determine the forwarding class and queue for response or linktrace request forwarded to next router, this cause these PDUs are put to wrong queue when input-vlan-map pop is present because received PDU doesn't carry 802.1p bits. In the fix, we will use incoming forwarding class to determine the 802.1p priority and outgoing forwarding class and queue for new generated response or link trace requests. PR1175951 • Commit check may exit without providing correct error message and causing dcd exit. The only known scenario to trigger this issue is to configure a IPv6 host address with any other address on the same family. PR1180426 • when there is a configuration change, cfmd memory leak is observed and sometime also may trigger cfmd coredump. Following messages are observed: /kernel: Process (44128,cfmd) has exceeded 85% of RLIMIT_DATA: used 378212 KB Max 393216 KB PR1186694 Junos Fusion Provider Edge • Do not issue commands that might generate more than 24k of output using the 'request chassis satellite shell-command' command. Use 'request chassis satellite login' and then run the commands in the resulting session. PR1188712 Layer 2 Features • In BGP-based VPLS scenarios, changing the configuration of a VPLS mesh group might cause rpd core. FPC reboot might also be seen during the rpd core. PR1123155 • From Junos OS Release 13.2R1 and later, the rpd process might crash when adding/deleting Virtual private LAN service (VPLS) neighbors in a single commit. For example, a primary neighbor is changed to become the backup neighbor. PR1151497 Multiprotocol Label Switching (MPLS) • In MPLS environment, the master Routing Engine might crash due to Mbuffer allocation failure and this crash will trigger an Routing Engine switchover, as a result Backup Routing Engine will become active. The issue is unreproducible, and trigger condition is not clear. PR979448 • Due to some data structure changes of ipc messages in 64-bit RPD, some of 32-bit applications (e.g. lsping, lspmon) would not work normally when RPD is running in 64-bit mode. Depends on Junos version, some of cli commands might not work as expected. PR1125266 • User is allowed to configure both "load-balance-label-capability" and "no-load-balance-label-capability" together. This is incorrect and confusing. PR1126439 • Static MPLS LSP using VT interface as a outgoing interface would not come up. PR1151737 Copyright © 2016, Juniper Networks, Inc. 147 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • With NSR enabled and LDP configured, the rpd process might crash and restart on the new master Routing Engine after a Routing Engine switchover. PR1155002 • LSPing returns 'routing instance does not exist' when used in vpls routing-instance under logical system. PR1159588 • If container LSP name and the suffix together are more than 60 characters in length, rpd process might crash during extensive split merge conditions. Its always advisable to keep them less than 60 characters. The member lsp name is coined in the following manner: <container-name>-<suffix-name>-<member-count> The LSP name can have upto 64 characters. So after putting together the container name, suffix, member-count (could go up to 2 digits), and the 2 hyphens, it should not exceed 64. So container-name and suffix together should not exceed 60 characters. A commit check will be added to throw warning if the name is more than supported character long. PR1160093 • When L2VPN composite next hop configuration statement is enabled along with L2VPN control-word, end-to-end communication fails. Because in this scenario, control-word is not inserted by the ingress PE, but other end expects the control-word. PR1164584 • Changing maximum-labels configuration under the hierarchy [edit interfaces interface-name unit logical-unit-number family mpls] might cause existing MPLS LSPs to become unusable. The root cause of this issue is that the family MPLS gets deleted and re-added. PR1166470 • In LDP-signaled VPLS environment, other vendor sends an Address Withdraw Message with FEC TLV but without MAC list TLV. The LDP expected that Address Withdraw Message with FEC TLV should always have MAC list TLV. As such, it rejected the message and close the LDP session. The following message can be seen when this issue occurs: A@lab> show log messages |match TLV RPD_LDP_SESSIONDOWN: LDP session xxx.xxx.xxx.xxx is down, reason: received bad TLV PR1168849 • In MVPN scenario, if active primary path goes down, then PLR(Point of Local Repair) needs to send Label Withdraw for old path and new Label Mapping for new path to the new upstream neighbor. In this case, LDP P2MP path may stay in "Inactive" state for indefinite time if an LSR receives a Label Release, immediately followed by a Label Mapping for the same P2MP LSP from the downstream neighbor. PR1170847 Network Management and Monitoring 148 • In customer setup Packet Forwarding Engine was not able to keep-up with full stats requests from PFED. Because of this delay, PFED runs out of transfer credits to send stats request to Packet Forwarding Engine and starts returning full stats requests with error response to mib2d with ifl-info flag set to LS STATS and a payload filled with value zero. mib2d was treating the returned 0 filled stats value as correct stats and was returning these 0 values. This results in spike in delta value calculated by the customer side script. PR1010534 • When syslog is forwarded to an external host, the millisecond and year format should not be forwarded as it is a JUNOS specific implementation. When such details are included in syslog messages sent to a remote host, it can result in duplicate timestamp on log message as shown in following example. user@router> show log messages Oct 30 18:16:58.496 2014 MX96-1-re0 : %DAEMON-3: Oct 30 18:16:58.498 2014 MX96-1-re1 Copyright © 2016, Juniper Networks, Inc. Resolved Issues ffp[6375]: "dynamic-profiles": No change to profiles >>>>>>>>>>> Duplicate timestamp PR1038616 Platform and Infrastructure • The mgd daemon (which manages the CLI) may crash when "system commit persist-groups-inheritance" configuration statement is deleted and later added again. PR1079991 • Under large-scale setup, VPLS MAC might not be aged-out from remote-Packet Forwarding Engine when local-Packet Forwarding Engine is MPC3/MPC4/MPC3E/MPC4E, then unknown-unicast frames flood will be seen on local Packet Forwarding Engine. PR1099253 • When "system/commit/delta-export" is enabled, a system configuration commit may result in crash and the following error. A core file might be generated. PR1102046 • In certain cases, with some events such as disable/enable of links followed by Routing Engine rebooting or GRES enabled switch-over, below error message could be seen due to a software bug where it doesn't handle an internal flag properly. KERNEL/Packet Forwarding Engine APP=NH OUT OF SYNC: error code 1 REASON: invalid NH add received for an already existing nh ERROR-SPECIFIC INFO: PR1107170 • Configuring one group with configuration of routing-instances and applying this group under routing-instances, then the rpd process will crash after executing "deactivating/activating routing-instances" commands. As a workaround, you can avoid using "apply-groups" under routing-instances hierarchy. PR1109924 • FPC can crash and core due to a missing NULL check. PR1144381 • On MX2000 Series, MPC4 going offline is seen when SFB (Switch Fabric Board) is offlined or removed. This could be caused by the build-up of CDR in ADC which leads to transient packet loss or even getting stuck. The fix prevents line-cards going offline due to transient buildup in ADC. PR1149677 • With Enhanced LAG mode enabled and sampling configured on AE interfaces, MS-DPC might drop all traffic as "regular discard". Disabling Enhanced LAG mode would avoid this issue. PR1154394 • On MX2000 series platform, when MPC goes down ungracefully, other MPCs in the chassis will experience "destination timeout". In this situation, auto fabric-healing will get triggered due to "destination timeout" condition, which may cause Fabric-Plane reset, even all other MPCs to be restarted in some cases. PR1156069 • cosd[20362]: cosd_config_database: Configuration database(/var/run/db/juniper-prop.data) does not exist. cosd[20460]: cosd_config_database: Configuration database(/var/run/db/juniper-prop.data) does not exist. The above log messages may be seen after after some commits. These messages do not pose an operational impact. PR1158127 • If one logging user is a remote TACACS/RADIUS user, this remote user will be mapped to a local user on device. For permissions authorization of flow-tap operations, when they are set on the local device without setting the permissions on the remote server, they cannot work correctly. The flow-tap operations are as follow: flow-tap -- Can Copyright © 2016, Juniper Networks, Inc. 149 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion view flow-tap configuration flow-tap-control -- Can modify flow-tap configuration flow-tap-operation -- Can tap flows PR1159832 150 • LU(or XL) and XM chip based linecard might go to wedge condition after receiving corrupted packets, and this might cause linecard rebooting. PR1160079 • The MPC with LU chipset might crash after ISSU. PR1160748 • Due to software bug on chassisd, backup CB temperature information is missing on cli command 'show chassis environment cb' if it's replaced once. PR1163537 • For MX Series Virtual Chassis with "default-address-selection" configured, when we have a discard route to a specific subnet ( e.g., 10.0.0.0/8 ) with discard next-hop, and at the same time we have more specific routes through other interfaces ( e.g., 10.1.1.1 through xe-0/0/0 ), if a UDP packet is being sent to 10.1.1.1 through xe-0/0/0 while interface xe-0/0/0 flaps or FPC reboots, it might cause kernel crash on both Master Routing Engine in the Virtual Chassis master router (VC-Mm) and Master Routing Engine in Virtual Chassis backup router (VC-Bm). As a workaround, we can disable "default-address-selection" configuration. PR1163706 • The following log can be seen on MX2020 after one FPC was pulled out and committing the configuration related interface: CHASSISD_UNSUPPORTED_FPC: FPC with I2C ID of 0x0 is not supported. PR1164512 • A sonet interface configured as unnumbered BFD session fails to come up. PR1165720 • Modifying the configuration of a hierarchical policer when in use by more than 4000 subscribers on an FPC can cause the FPC to core and restart. PR1166123 • Because the sequence number in RPM ICMP-PING probes is introduced as 32-bit variable instead of 16-bit, if it increases and reaches the max value 65535, it does not rollover, which might cause all RPM ICMP-PING probes to fail and not succeed any more. PR1168874 • In affected release, if user runs the Packet Forwarding Engine debug command like "show sample-rr eg-table ipv4 entry ifl-index 1224 gateway 113.197.15.66" will cause the MPC crash. PR1169370 • Layer 2 protocols might flap when router was flooded with low priority traffic reaching towards FPC CPU/Routing Engine CPU when DDoS protection is disabled. PR1172409 • On MPC5E/6E/7E/8E/9E/NG linecards, firewall filter of family inet/inet6/vpls configured with non-contiguous prefixes for address matching might fail and cause traffic drop. Using only contiguous prefixes can avoid this issue. PR1172725 • Because of an internal timer referring Time in Unix epoch (UNIX epoch January 1, 1970 00:00:00 UTC) value getting wrapped around for every 49 days, flows might get stuck for more than the period of active/inactive time out period. The number of flows that get stuck and how long they get stuck can not be deterministic exactly, which depends on the number of flows at the time of timer wrapping around. PR1173710 • "show arp" command can't get complete results and reports "error: could not find interface entry for given index". PR1174150 • A flow is determined by doing hashing on the packet header. Usually 5-tuple (src/dest IP addresses, IP protocol number, src/dest ports) are used for hashing because a flow Copyright © 2016, Juniper Networks, Inc. Resolved Issues is defined by 5-tuple. This is all fine for TCP/UDP packets. But Layer-3 packets generated by JDSU tester only have Layer-3 header and don't have Layer-4 header. JDSU tester uses the same location as Layer-4 header as packets' sequence number. So MX Series card treats sequence number of JDSU tester packets as Layer-4 header of a packet, hence Junos OS thinks every packet is a single flow and order of different flows is not guaranteed. PR1177418 • On MX2020/2010, chassisd file rotation on commit check will cause the trace file to be stuck and no other operational chassisd events will be logged until chassisd restart. PR1177625 Routing Protocols • Traffic drop from less than 400 ms to 8 seconds might be seen in RLFA scenario when the primary link comes up. The reason for seeing the traffic drop is due to the delay in ARP resolution on the new link that just came up and IGP has programmed that link as the primary next hop. So though the FIB has been updated, Packet Forwarding Engine cannot still use it as it waits for ARP resolution on the new link. PR1106310 • BFD session configured with authentication of algorithm keyed-sha1 and keyed-md5 might be flapping occasionally due to FPC internal clock skew. PR1113744 • In multicast environment, when the RP is FHR (first-hop router) and it has MSDP peers, when the rpf interface on RP changed to MSDP facing interface, due to the multicast traffic is still on the old rpf interface, a multicast discard route will be installed and traffic loss will be seen. PR1130238 • On Junos-based products, changes in routing-instance, like changing route-distinguisher or routing-option changes in some corner cases might lead to rpd crash. As a workaround always deactivate routing-instance part that is to be changed before committing the changes. PR1134511 • When Protocol Independent Multicast (PIM) is used, in very rare condition, if the last hop router (LHR) migrates from (Designated Router) DR to non-DR, repeated routing protocol process (rpd) crash may occur due to patricia tree walk issue. PR1140230 • In BGP scenario with large scale routing-instances and BGP peers configured, due to a software defect (a long thread issue), BGP slow convergence might be seen. For example, BGP might go down 8-9 seconds after BFD brings down the EBGP session. The rpd slip usually does not hurt anything functionally, but if the slip gets big enough, it could eventually cause tasks to not be done in time. For example, BGP keepalives with lower than 90 seconds hold-time might be impacted. There is no known workaround for this issue, but configuring the configuration statement "protocol bgp precision-timers" can take care of the weak spot like sending BGP keepalives. PR1157655 • In BGP scenario with independent domain enabled in a VRF, when configuring a BGP session in a VRF routing instance with a wrong local-as number, some routes might be declared as hidden because of AS path loop. If later configuring the correct AS number as local-as and committing the configuration, those routes might still remain in hidden state. The hidden routes can be released after performing the commands "commit full" or "clear bgp table <ANY_VRF>.net.0". PR1165301 Copyright © 2016, Juniper Networks, Inc. 151 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In L3VPN scenario, feature multipath is configured under [set protocols bgp group] with L3VPN chained CNH under routing-options, the feature multipath does not work for L3VPN routes. PR1169289 • When clearing IS-IS database, process rpd might crash due to a rare memory de-allocation failure that a task pointer is attempted to be freed twice. In the fix of this issue, the order of referencing the task pointer is being revised to avoid the occurrence of rpd crash. PR1169903 • PIM bootstrap export policy is not working as expected when there are no pim neighbors up on the router PR1173607 • In L3VPN scenario, VPN routes with different next-hops were advertised with same label, leading to PE-CE link protection failure and longer than expected traffic loss (as reported 2.6 sec). PR1182777 • Any configuration change can cause deletion of a firewall filter created for a routing instance if the flowspec routes in that instance are imported using rib-group, and there is no "inet-vpn flow" address family configured and the routing instance does not have any BGP group configured with "inet flow" address family. PR1185954 • On the RSVP LSP scenario with ISIS configured, memory leak might happen in rpd and Packet Forwarding Engine after the LSP re-optimization, and this migth cause FPC crash. PR1187395 Services Applications • When making a configuration change to a EXP type rewrite-rule applied to a SONET interface in an MX FPC Type 2 or MX FPC Type 3, if MS-DPC is also installed on the device, a MS-PIC core dump may be generated. PR1137941 • When NAT for SIP is enabled, in a rare situation where the child SIP flow entries are still present in the parent conversation while they have already been deleted, the service PIC might crash if the SIP parent flow tries to access them. PR1140496 • On MX Series platform, when using MS-MPC, the "idpd_err.date" error message is filling var/log. Please refer to KB30743 for details. PR1151945 • When deleting NAT flow under a race condition the Service PIC can core. PR1159028 • When traffic is flowing through MS-DPC card Service PIC and there is an active port block and some ports are assigned from that active port block, if changing the max-blocks-per-address setting to a lower value (lower than the current value), the service line card may crash. PR1169314 • MS-PIC core-dump when MPLS or IPV6 routing updates are received in the PIC. PR1170869 • When using MS-DPC under heavy load condition (e.g. with about 7m flows) with deterministic NAT and port block allocation (PBA) scenario, in rare condition, MS-DPC crash may occur due to memory issue. PR1186391 User Interface and Configuration • 152 When entering the "restart r" incomplete command in the CLI, the command "restart routing" is executed. It should throw an error like "error: invalid daemon: r". PR1075746 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • MGD spawns dexp with one of below three options: - delta-export is enabled in just this commit, (so dexp.db should not exist) - Someone deactivated delta-export in some previous commits and actiavted it now, so dexp.db in case if existing should be discarded - For some reasons change bit is set on delta-export configuration statement It is possible that an incorrect update into dexp.db goes through instead of just copying the file, causing mismatch in config (i.e. we display config that was previously deleted or miss some statements that have been applied). PR1168906 • Description: Issue --------------- pinned-page found for bucket warning is seen after application (in this case dfwc) is done with the page pool and trying to com eout after ppool_close. Root-cause --------------- This warning is given when the application is done with the page pool and tries to find out if there were any pinned pages in memory. However this warning is basically internal to Junos development team and has been masked in the later releases starting from 15.1 onwards with below: PR https://gnats.juniper.net/web/default/1030715 Fix --------------- We have the taken the relevant changes from PR 1030715 to prevent these flurry of warnings, and to enable these warnings only for Junos development team upon enabling leak check internally. PR1179264 VPNs • In NG-MVPN large-scale multicast routes (140k Rosen and 140k NGen MVPN routes total in 500+ VRFs) network, RE switchover with GRES/NSR enabled, it might cause multicast traffic loss . PR1086129 • Upon clearing p2mp lsp in dual-home topology, system is adding the same outgoing interface to the (S,G)OIL multiple times and thus duplicate/multiply the amount outgoing traffic. PR1147947 Resolved Issues: 14.2R6 Class of Service (CoS) • This PR does optimization in AE SNMP handling. If all the links in an AE bundle go down, then any COS SNMP query for this AE IFD/IFL will return cached values. PR1140440 • On MX104 platforms, when applying the "rate-limit" and the "buffer-size" on the logical tunnel (lt-) interface on the missing MIC (not inserted on MPC), commit failure with error message would occur. As a workaround, this issue can be avoided by applying the "rate-limit and "buffer-size" on inserted MIC, then commit. PR1142182 Forwarding and Sampling • On MX80 and MX104 platforms, applying a firewall filter with an MX Series specific match condition will raise the following warning message: "Filter <filter_name> is Trio specific; will not get installed on DPCs for interface <interface_name>". This warning message is needed for the other modular-type MX Series platforms since they can have DPC and MPC mixed. But the message is not needed for MX80 and MX104 platforms since they only have the MX Series-based Packet Forwarding Engine. Although the warning message indicates that the relevant firewall filter is not installed, the firewall filter is correctly installed into the Packet Forwarding Engine. Thus, the user can ignore the message in case it is logged on MX80 and MX104 platforms. PR1138220 Copyright © 2016, Juniper Networks, Inc. 153 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • For Junos OS Release 14.1R1 and above, when a broadcast packet is sent in a scenario of Integrated routing and bridging (IRB) over Virtual Tunnel End Point (VTEP) over IRB, the packet is getting dropped in kernel as it was looping due to a software issue. The error log message "if_pfe_vtep_ttp_output: if_pfe_ttp_output failed with error 50" is observed when issue occurs. PR1145358 General Routing • On an MX Virtual Chassis platform, when we restart one or both of the standby Routing Engines, the log message "ksyncd_select_control_plane_proto: rhost_sysctlbyname_get: No such file or directory" might be observed as the ksyncd daemon attempts to select a communication protocol (UDP/TCP). After several tries, it will fall back to TCP and proceed as normal. PR945925 • The L2ald may crash after interface flap. PR1015297 • On MX Series platforms, MPC may crash when bringing up the 100-Gigabit Ethernet MIC with CFP2 (model number: MIC6-100G-CFP2) if initialization failure occurs (e.g., when bringing up the MIC6 which has hardware issues). PR1037661 • There is a remote loopback feature in 802.3ah standard, where one end can put the remote end into remote-loopback mode by sending an enable loopback control LFM PDU. In remote loopback, all incoming packets (except LFM packets) are sent back on wire as it is. Transmit or receive of LFM packets should not be affected when an interface is in remote loopback mode. On VMX platforms, when we configure the LFM remote-loopback, we run into problem state. In problem state we will see that LFM packets sent from node that is in loopback state is not reaching the peer end, hence we will not see the remote entity information for the "run show oam ethernet link-fault-management" command on the peer router. PR1046423 • On all routing platforms M/MX/T/PTX with BGP configured to carry flow-specification route, in case of deleting a filter term and policer, then adding the same term and policer back (it usually happens in race condition when adding/deleting/adding the flow routes), since confirmation from dfwd for the deleting policer might not be received before attempting to add the same policer, the rpd would skip sending an add operation for it to dfwd. As a result, when the filter term is sent to dfwd and tells it to attach to the policer, dfwd has already deleted the policer, and since rpd skipped re-adding it, dfwd will reject the attach filter with a policer not found error and rpd will crash correspondingly. PR1052887 • When a labeled BGP route resolves over a route with MPLS label (e.g., LDP/RSVP routes), after clearing the LDP/RSVP routes, in the short window before the LDP/RSVP routes restore, if the BGP route resolves over a direct route (e.g., a one-hop LSP), the rpd process might crash. PR1063796 • Link Up/Down SNMP traps for AE member links might not be generated, but the SNMP traps for the AE bundle work well. PR1067011 • PCE-initiated LSPs are less preferred than locally configured LSPs. After this issue is fixed, PCE-initiated LSPs will have same preference as locally configured LSPs. PR1075559 154 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • MPC connection to Routing Engine closed with below error logs: [May 19 19:41:23.724 LOG: Err] PQ3_IIC(WR): I/O error (i2c_stat=0xa3, i2c_ctl[1]=0xb0, bus_addr=0x77) [May 19 19:41:23.724 LOG: Err] Failed to enable PCA9548(0x77):grp(0x1)->channel(1) These logs are generated because the FPC ideeprom should not be accessed when the card is online and cty to any FPC results in accessing the ideeprom of all the FPCs in the Routing Engine, before establishing the actual cty. Routing Engine (cty) accessing the ideeprom and the FPC accessing the I2c devices at the same point can result in conflict and end up in port hang state and other issues. PR1089266 • When DHCP subscribers are terminated at specific routing-instances and the interface stack is IP demux over vlan-subinterface over AE interface, there might be a memory leak in the kernel AE iffamily when subscribers log in/log out. PR1097824 • If NSR (nonstop routing) is enabled and a TCP session is terminated while there is still data in the socket pending transmission, the MBUF (kernel memory buffer) used to store this data might not get deallocated properly. In order to hit this issue, the TCP session must use NSR active socket replication. If the system runs low on MBUF memory, the kernel will automatically throttle down memory allocation on low priority applications and ultimately, if there is no MBUF left, the system could become unresponsive due to its inability to serve I/O requests. PR1098001 • With ECMP-FRR enabled, after rebooting the FPC which is hosting some ECMP links, the ECMP-FRR might not work. Clearing any of BGP sessions (that are the part of ECMP) could help to clear this issue. PR1101051 • On MX Series platform, in rare condition, if Packet Forwarding Engine sends wrong Packet Forwarding Engine id to chassisd as part of capability message, kernel might crash and some FPCs might be stuck in the present state, the traffic forwarding will be affected. This is a corner case, it is not reproduced consistently. PR1108532 • On MX240/480/960 Series routers with MS-DPC, customers running BGP over IPsec. This BGP session has a BFD session tied to it. The BGP session is up but the BFD session remains in INIT state. The issue might be seen with any service configured with multi-hop BFD enabled. Traffic forwarding will not be affected. PR1109660 • In rare condition, after Routing Engine switchover, the MPC PIC might offline, and some error messages might be seen. At times chassisd on Routing Engine goes to continuous coring makes unit unusable as none of interfaces come up. Root cause: After Routing Engine switch over chassisd fail to get proper status of the FPCs and cores due to insufficient IDEEPROM read times. PR1110590 • Right now this fix is available from 14.2R6 and later. On 14.2R5 or earlier images, MSRPC gates once opened would never get deleted. From 14.2R6 and later, MSRPC gates are opened for 60 minutes no matter whether the expected packet hits the gate or not. After 60 minutes, gates are deleted by the timer. PR1112520 • On a busy MX Series Virtual Chassis platform, for example, with 100k subscribers and 16k subscribers concurrent login/logout, the ksyncd process might crash on Virtual Chassis backup Routing Engines (REs) after a local or global graceful Routing Engine switchover (GRES). This issue has no service impact. PR1115922 • On TX/TXP platforms, when an LCC hit overtemp situation occurs, it might go offline abruptly without notifing SFC and other LCCs, which might cause traffic loss or Copyright © 2016, Juniper Networks, Inc. 155 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion performance degradation. Now with the fix, the overtemp situation on LCC is handled gracefully. PR1116942 156 • On M/MX Series platform, the 10G Tunable SFP/SFP+ cannot be tuned in Junos OS Release 15.1R2. PR1117242 • On MX Series routers containing multiple Packet Forwarding Engines such as MX240/MX480/MX960/MX2010/MX2020, with MPC3E/MPC4E/MPC5E/MPC6E cards, if the routers have GRE decap, then certain packet sizes coming via these line cards at very high rate can cause these line cards to exhibit a lockup, and one or more of their Packet Forwarding Engines corrupt traffic toward the router fabric. PR1117665 • On MX Series platforms, in rare conditions, if removing or deactivating "member-interfaces" configured for an aggregated Multiservices (AMS) bundle (only officially supported on MS-MPC/MS-MIC), for example, using the CLI command "deactivate interfaces ams0 load-balancing-options member-interface mams-7/1/0", all the Trio-based FPCs and the MS-MPC/MS-MIC may crash. As a workaround, to avoid the issue, following is the recommended procedures to change AMS bundle size: 1. Offline member PICs. 2. Change AMS configuration. 3. Online member PICs. PR1119092 • On MS-MPC-equipped MX Series platforms, during the "three-way handshake" process, when receiving ACKs (e.g., after sending SYN and receiving SYN/ACK) with window size 0 (as reported, it is set to 0 by TCP client when using some proprietary protocol), the ACKs would be incorrectly dropped by the line card due to failure in TCP check. This issue could be avoided by preventing software from dropping packets that fail in the check, for example, by the following CLI command, re# set interfaces ms-3/0/0 services-options ignore-errors tcp. PR1120079 • Router is using BFD with its ECMP neighbours, when FPCs are rebooted, normally FPC would resolve ARP one by one and update unilist and corresponding selector. But in this case, due to a software defect, unilists remained stale and disabled. So the traffic might be dropped or not be load balanced. PR1120809 • On MX Series platforms, the MS-MPC crash might occur. The exact trigger of the issue is unknown; normally, this issue might happen over long hours (e.g., within a week) of traffic run (e.g., running HTTP/HTTPS/DNS/RTSP/TFP/FTP traffic profile). PR1124466 • Right now this fix is available from Junos OS Release 14.2R6 and later. On Junos OS Release 14.2R5 or earlier images, SUN RPC gates once opened would never get deleted. From Junos OS Release 14.2R6 and later, SUN RPC gates are opened for 60 minutes no matter whether the expected packet hits the gate or not. After 60 minutes, gates are deleted by the timer. PR1125690 • In an EVPN scenario, the EVPN route table between the master Routing Engine and backup Routing Engine would be different (unused garbage routes will appear) once Routing Engine switchover (e.g., by rebooting the "old" master Routing Engine or performing a graceful Routing Engine switchover) is performed, which might cause a kernel crash on the new master Routing Engine in some cases. PR1126195 • When Junos OS devices use the Link Layer Discovery Protocol (LLDP) , the command "show lldp neighbor" displays the contents of PortID type, length, and value (TLV) received from the peer in the field 'Port Info', and it could be the neighbor's port identifier or port description. A Junos OS CLI configuration statement can select which Copyright © 2016, Juniper Networks, Inc. Resolved Issues "interface-name" or "SNMP ifIndex" to generate for the PortID TLV, so we do not have any problem as long as two Junos OS devices are connected for LLDP, but we might have an interoperability issue if another vendor’s device that can map the configured 'port description' in the PortID TLV is used. In this case, Junos OS displays the neighbor's PortDescription TLV in the Port info field, and if the peer sets the port description whose TLV length is longer than 33 bytes (included), Junos OS is not able to accept the LLDP packets and discards the packets as errors. The PortID TLV is given as : "the port id tlv length = port description field length + port id subtype(1B)". PR1126680 • EVPN route attributes like the label and Ethernet segment identifier (ESI) may be missing from EVPN family routes installed by BGP. PR1126770 • On M320/T320/T640 with FPC 1/2/3 and their enhanced version (-E2/-E), in multicast scenario and AE interface is within multicast NH (such as, AE interface is the downstream interface for a multicast flow), egress multicast statistics displays incorrectly after flapping of AE member links. PR1126956 • If two redundant logical tunnel (rlt) sub-interfaces are configured in the same subnet and in the same routing-instance, a sub-interface will be down (this is expected), but if the sub-interface is removed from the routing-instance later, after disabling and enabling the rlt interface, a sub-interface might remain in the down state unless you remove the configuration of the rlt interface and then do a rollback. PR1127200 • In current Juniper Networks implementation, the IPv6 multicast Router Advertisement timer is not a uniformly distributed value between MinRtrAdvInterval and MaxRtrAdvInterval as described in RFC 4861. PR1130329 • When software encounters an error configuring the optics type into the VSC8248 PHY retimer component of an MX MIC/PIC (typically done on SFP+ module plugin), this could lead to 100% FPC CPU utilization indefinitely. MPCs and MICs that are potentially affected are: MPC3 + 10x10GE SFPP, MIC MPC4 32XGE, MPC4 2CGE+8XGE (10G interfaces only), MPC6 + 24x10GE (non-OTN) SFPP MIC. PR1130659 • On MX Series routers with MS-MIC (or possibly, MS-MPC is affected as well), changing the configuration of sampling input parameters, such as "rate" under forwarding-options, is not reflected without restarting the line card. PR1131227 • When using Point-to-Point Tunneling Protocol (PPTP) Application Layer Gateways (ALGs) on MS-MPC/MS-MIC, if running a scaled number of PPTP sessions control and data sessions (e.g., 1M sessions) for long hours (e.g., more than 8 hours), when the traffic is stopped, the "Bytes used" field of the output of CLI command "show services service-sets summary" will show a randomly large value due to memory issue. PR1131605 • On MX Series-based line card, multiple modifications of the firewall filter might cause lookup chip error and traffic blackhole. The following jnh_free error messages could help to identify this issue: “messages: fpc1 jnh_free(10212): ERROR [FW/3]:1 Paddr 0x006566a9, addr 0x2566a9, part_type 0call_stack 0x40497574 0x418ffa84 0x41900028 0x418ecf94 0x41861690.” PR1131828 • CLI output of "clear services sessions" gives an impression to the user that the session is marked for deletion in case of delayed delete, but the XML output "clear services sessions|display xml"of the above command says "session removed." Ideally both Copyright © 2016, Juniper Networks, Inc. 157 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion should convey the same message to the user. The changes have been made to make sure CLI and XML information given to the user is in sync. PR1132006 • When customers do changes under "protocol router-advertisement interface X" (such as changing timers, etc.), they expect that a commit would trigger a new router-advertisement being sent out to notify hosts about configuration changes. However, this does not seem to be the case, unfortunately. It makes the router information to expire on hosts and causes obvious loss of connectivity for the hosts. PR1132345 158 • In a situation where both mirrored interface and mirrored destination are on MPC card and mirror destination interface is a unilist next-hop (e.g., an ae interface), mirrored packets may get dropped. PR1134523 • On MX Series platforms with non-Q-MPC (for example, MPC2-3D) or Q-MPC with enhanced-queueing off, when traffic has to egress on any one of the dynamic PPPoE (pp0), IP-DEMUX (demux0), and VLAN-DEMUX (demux0) IFLs, the queue mapping might get wrong. The traffic forwarding might be affected. PR1135862 • MXVC-Same subnet VC-heartbeat polling failed to recover. PR1136119 • On MS-MIC, TCP session Up/Down causes JSERVICES_NAT_* and JSERVICES_SESSION_* messages though severity level "none" are configured for services. PR1137596 • On MX Series platforms, the "Max Power Consumption" of MPC Type 1 3D (model number: MX-MPC1-3D) would exceed the default value due to software issues. For example, the value might be shown as 368 Watts instead of 239 Watts when "max ambient temperature" is 55 degrees Celsius. PR1137925 • MIC-3D-16CHE1-T1-CE only supports 4 queues by default due to the incorrect setting in code; this is a very minor change to make MIC-3D-16CHE1-T1-CE support 8 queues by default. PR1138270 • JNH periodically attempts to recover memory no longer in use. Recently, when firewall address space was expanded to 16M, a side effect was triggered: memory recovery was extended to 16M as well. On the Hercules line card, Firewall does not use a small block of IDMEM, causing JNH to attempt the return of the unused memory. There is no mechanism for recovery of IDMEM, therefore, this message is displayed. Excepting the syslog impact, there is no further effect on the line card. PR1140021 • On a Junos Fusion Provider Edge topology, if there are power failures or the power is not connected to a power supply on a satellite device, the "jnxPowerSupplyFailure" traps are not generated by the aggregation device. For example, if there are two Power Entry Modules (PEMs) inserted on the satellite device and one PEM is not powered on, the aggregation device does not generate a trap for the PEM without power. PR1140097 • With a 100G CFP2 MIC installed in a MPC6E FPC, if the FPC fails to initialize the MIC, it is very likely that the FPC will get into boot loop. PR1148325 • In EVPN environments, when CE MAC address alone gets changed for a MAC+IP entry, the new MAC+IP entry is not getting reflected in the EVPN database and the old entry still exists on the PE router. PR1149340 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Commit error after attempting to delete all guaranteed rates on all traffic-control-profiles associated with demux0 [edit] lab@mx480-J12_09# commit re0: [edit class-of-service interfaces] 'demux0' IFL excess rate not allowed on interface (demux0), please specify guaranteed rate on at least one IFL error: configuration check-out failed. PR1150156 • When using type 5 FPC on T4000 platforms, traffic going out of the interface where "source-class-usage output" is configured will be dropped if the Source Class Usage (SCU) or Destination Class Usage (DCU) policy configuration is missing. This issue is caused by incomplete configuration, so to avoid the issue, please make the configuration complete (e.g., with "source-class-usage output" and SCU policy). PR1151503 • From Junos OS Release 14.2 with "exclude-hostname" configuration, hostname is not excluded from the messages before forwarding. This is a minor case, there is no other service impact. PR1152254 • Routers using inline Layer 2 services may experience Packet Forwarding Engine wedge leading to fabric degradation and FPC restart. During issue state, the affected FPC will not be able to transmit and traffic will be fully blackholed. This problem is amplified by fragmented and out of order packets. This log entry may be seen during the error state: Host Loopback:HOST LOOPBACK WEDGE DETECTED IN PATH ID 0. PR1153750 • In the TXP environment, the Line-Card Chassis (LCC) Switch Interface Board (SIB) status is not right when execute the command "user@router> show chassis environment", their status is Absent, but no alarms. This is a minor issue, it does not affect business. PR1156841 • On Junos devices with a GRE or IPIP tunnel configured (i.e., devices with a gr- or ipinterface), a specifically crafted ICMP packet can cause a kernel panic resulting in a denial of service condition. Knowledge of network specific information is required to craft such an ICMP packet. Receipt of such a packet on any interface on the device can cause a crash. Refer to JSA10752 for more information. PR1159454 • On MX Series routers with enhanced queuing DPCs, there is a memory leak whenever doing SNMP walk to any of COS related OIDs or issue the command "show interfaces interface-set queue <interface-set-name>". PR1160642 High Availability (HA) and Resiliency • With NSR enabled on multiple Routing Engine systems, when a dynamic GRE tunnel is configured, performing Routing Engine switchover might cause rpd to crash repeatedly on backup the Routing Engine. PR1130203 Infrastructure • The Remote NFS Server process (nfsd) is not terminated on the new backup Routing Engine (RE) after RE switchover. As a result, it spawns a new one upon RE switchover until running out of memory. PR1129631 • On M/T/PTX platforms, the SNMP requests may return timeout if SNMP pollings on IF-MIB and COS-MIB for the same ifl/ifd are requested at the same time. This is a generic async stats infra issue in kernel. On MX Series platforms, the same issue may not be seen since SNMP pollings for ifl stats go through pfed instead of kernel on MX Series platforms. PR1149389 Copyright © 2016, Juniper Networks, Inc. 159 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Interfaces and Chassis • jnxBoxDescr is reworded for MXVC to replace the platform type with a more general representation that replaces the specific member platform type with "Virtual Chassis." Old virtual chassis text example: jnxBoxDescr.0 = member0 Juniper MX240 Internet Backbone Router. New virtual chassis text example: jnxBoxDescr.0 = member0 Juniper MX Series Virtual Chassis Internet Backbone Router. NOTE: The MIB design for jnxBoxAnatomy "top-level" chassis information works properly for a standalone chassis, but doesn't fully represent virtual chassis multi-member configurations because it is capable of providing information for only one physical chassis. (The remainder of the jnxBoxAnatomy MIB "containers" properly support the inventory of a multi-member configuration.) MX Series virtual chassis provides another MIB, jnxVirtualChassisMemberTable, to supply the equivalent "top-level" information. PR1024660 160 • MS-DPC might crash when allocating chain-composite next hop in an enhanced LAG scenario. PR1058699 • The following CLI configuration statement needs to be used for the CFM session to work: "set chassis aggregated-devices disable-lag-enhanced." Enhanced-lag is enabled by default in the system when the system is configured with enhanced-ip. CFM is not supported with enhanced-lag at present. PR1116826 • MXVC-specific behavior for SNMP walk of jnxOperating* containers was divergent from the physical MX Series. Returned to vergence. PR1136414 • Due to movement of SNMP stats model from synchronous requests to asynchronous requests in Junos OS Release 13.3R1, the IQ2/IQ2E PIC, which has limited memory and CPU power, cannot handle scaling SNMP polling at high rate (e.g., a burst of 4800 SNMP requests). This issue comes with high rate SNMP stats polling for IQ2/IQ2E interfaces or Aggregated Ethernet (AE) interface with IQ2/IQ2E as member links. These memory failures can cause IQ2/IQ2E PIC reboot because keepalive messages will also not get memory. PR1136702 • When Micro Bidirectional Forwarding Detection (BFD) sessions are configured for link aggregation group (LAG), the device control process (DCD) acts as the client to the micro BFD session. In order to monitor the connection between client (DCD) and server(BFD), the client needs to exchange keepalive hello packets with the server. To send hello packets, DCD needs to move out of IDLE phase to CONFIG_BFD phase, which is the reason for the following log messages: dcd.c:585 dcd_new_phase_if_idle() INFO : Current phase is IDLE, going to phase CONFIG_BFD usage.c:75 dcd_trace_times() INFO : Phase Usage for IDLE : user 0.001 s, sys 0.000 s, wall 60.019 s dcd.c:717 dcd_new_phase() INFO : New phase is CONFIG_BFD usage.c:75 dcd_trace_times() INFO : Phase Usage for CONFIG_BFD : user 0.000 s, sys 0.000 s, wall 0.000 s dcd.c:717 dcd_new_phase() INFO : New phase is IDLE. There is no functionality impact; however, these messages might flood the logs. As a workaround, we can filter out these messages from being written to the log file according to this KB article: http://kb.juniper.net/InfoCenter/KB9382. PR1144093 • On OAM maintenance domain intermediate point (MIP), the connectivity fault management (CFM) will not be enabled on the L2VPN interface if it is configured after L2VPN is up. PR1145001 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Starting from 12.3R4, on dual-RE equipped M series routers, due to the mismatch of online status of the missing FRU (e.g., FPC or FEB which is not inserted, but is reported as online on backup Control Board), error messages about the missing FRU might be seen intermittently on the device. PR1148869 • With Junos OS Release 14.2R1 to 14.2R5, for an multichassis link aggregation group (MC-LAG) running in active-standby mode, when two MC-LAG peers are connected to a specific vendor's device (e.g., NEC QX switch), after the configured MC-AE active node is rebooted, both MC-AE member links will become "Collecting distributing" (Active) status for LACP. Depending on topology, there might be a loop and causing broadcast storm. PR1158444 • When a Routing Engine (RE) experiences a media block error, the RE will try to switch mastership immediately due to this software defect. The switch-over attempt happens even on a single RE system which in this case will cause all FPCs to reset. PR1168494 J-Web • An information leak vulnerability in J-Web may allow unauthenticated remote users with network access to the J-Web service to gain administrative privileges or perform certain administrative actions on the device. Refer to JSA10754 for more information. PR1114274 Junos Fusion Provider Edge • On a Junos Fusion Provider Edge topology, broadcast Ethernet traffic with an unknown Ethertype might generate the following log entries: fpc0 XL[0:0]_PPE 1.xss[0] ADDR Error and fpc0 XL[0:0]_PPE 1 Errors async xtxn error. PR1123040 • On a Junos Fusion Provider Edge topology, if you configure Junos Fusion on an MX Series aggregation device, corresponding system log messages might not be received by a remote syslog server. PR1134269 Layer 2 Features • In VRRP scenario, one host connected to active and backup VRRP switches, if the host send huge amount of traffic continuously to backup VRRP switch, it might cause high ppmd (Periodic Packet Management Daemon) CPU utilization and slow response on backup VRRP switch. PR1124038 • In VPLS scenario with AE interfaces as core facing interfaces, when LDP mesh-group is enabled with local-switching enabled in it, the neighbors configured under the local-switching hierarchical will cause LSI (Label-Switched Interface) to be created automatically. If port flapping occurs causing MPLS interface change associated with the LSI interface, the VPLS split-horizon might not be in functionality, this will cause traffic to be looped back. As a workaround, configuring configuration statement "enhanced-ip" can avoid this issue. PR1138842 • In a VPLS scenario, when "$junos-underlying-interface-unit" is configured in the "dynamic-profiles" hierarchy, which is then implemented in a routing-instance, upgrade/commit will fail with the following error message: Parse of the dynamic profile Copyright © 2016, Juniper Networks, Inc. 161 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion (<dynamic_profile_name>) for the interface: $junos-interface-ifd-name and unit: $junos-underlying-interface-unit failed. PR1147990 • For routers equipped with the following line cards: T4000-FPC5-3D, MX-MPC3E-3D, MPC5E-40G10G, MPC5EQ-40G10G, MPC6E MX2K-MPC6E. If the router is working as VPLS PE, due to MAC aging every 5 minutes, the VPLS unicast traffic is flooded as unknown unicast every 5 minutes. PR1148971 Layer 2 Ethernet Services • There is a bug in code of handling the redistribution of PPM (periodic packet management) Transmit and Adjacency entries for LACP, when the Interface entry is in pending distribution state. This issue might cause ppmd crash after graceful Routing Engine switchover. PR1116741 • For Routing Engine generated packet with VLAN tag, if the outgoing interface is an LT interface, the VLAN tag will not be removed even if the LT interface is configured with untagged encapsulation. PR1118540 • In the DHCPv4 or DHCPv6 relay environment with large-scaled environment (in this case, 50-60K subscribers), and the system is under stress (many simultaneous operations), the subscribers might get stuck in RELEASE state with large negative lease time. PR1125189 • Input/Output pps/bps statistics might not be zero after a member link of AE interface with distributed ppmd was down in M320/T-Series (GIMLET/STOLI-based FPC) PR1132562 • When the LACP hold timer config is added and LACP is getting activated for the first time on the parent interface, the lacpd process might crash. PR1135187 • When a power supply has failed, the Power Supply failed alarm is generated every 30 minutes. The expected interval is every 60 minutes. This is a minor issue, there is no other service impact. PR1144795 • The "Node ID" information is not shown on MX Series platform when traceoption flag "pdu" is configured to trace Ethernet ring protection switching (ERPS) PDU reception and transmission. PR1157219 Multiprotocol Label Switching (MPLS) • With egress protection configured for Layer 3 VPN services to protect the services from egress PE node failure in a scenario where the CE site is multihomed with more than one PE router, when the egress-protection is un-configured, the egress-protection route cleanup is not handled properly and still points to the indirect composite next hop in kernel, but the composite next hop can be deleted in rpd even when the egress protection route is pointing to the composite next hop. This results in composite next hop "File exists" error when the egress protection is re-enabled and reuses the composite next hop (new CNH addition fails as old CNH is still referenced in kernel). PR954154 • 162 Please see CVBC section PR1054491 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • In MPLS scenarios, removing the "family mpls" configuration from an outgoing interface may cause inet and/or inet6 next hops associated with that interface to unexpectedly transit to dead state. Even adding back "family mpls" cannot restore it. PR1067915 • For advertising IPV6 packets over an MPLS GRE tunnel, the IPv6 address gets stuck in the KRT queue. PR1113967 • If a RSVP LSP has both primary and secondary standby path and link-protection enabled, a /32 bypass route is unhidden when the primary link goes down. This /32 route is supposed to be made hidden again when primary link comes back up. But in some cases, due to software defect, this /32 bypass route remains unhidden forever, which causes some issues, for example, BFD session down due to better prefix received from Bypass LSP. PR1115895 • During interoperation with Cisco device (e.g., CRS) belonging to different IGP area, if the P2MP LSP ping echo reply message from the Cisco device is using interface address other than loopback/router-id as the source address, the reply message will be dropped on the Junos OS device. With the fix, the Junos OS device will accept the packets and print them as 'uncorrelated responses'. PR1117166 • When an PLR is a non-Juniper router, Juniper ingress node might stay on the bypass tunnel and ignore the CSPF result. PR1138252 • When a link fails on an RSVP LSP which has link-protection or node-link-protection configured, the PLR (point of local repair) will initiate a bypass LSP and the RSVP LSP will be tunneled on this bypass LSP. However, if now the bypass LSP is brought down because there is a link failure on it, the PLR might only send out a session_preemted PathErr message to the upstream node without sending a ResvTear message. Hence the ingress node does not receive the ResvTear message and the RSVP LSP is not immediately torn down. The RSVP LSP will remain UP for more than 2 minutes until the RSB (Resv sate block) on the ingress's downstream node gets timed out and it sends a ResvTear message to the ingress. PR1140177 • There is no entropy label for an LDP route in the scenario of LDP tunneling across a single-hop RSVP LSP with label 0 (explicit-null) used. As a workaround, either remove LDP tunneling or RSVP explicit-null will resolve the issue. PR1142357 • This issue is related to inter-op between a multivendor scenario. This fix will add sub-object RRO, which will help change of label during an FRR active scenario. PR1145627 • MPLS TED might not select random links to calculate the ERO when OSPF is overloaded. Instead, only one or two interfaces will be used for all the configured LSPs originating from the router. PR1147832 • In LDP P2MP scenario with NSR, after performing multiple iterations of FPC reloads, protocol bounce, interface bounce, GRES, rpd restarts in random, in rare condition, the rpd process might crash, the routing protocols are impacted and traffic disruption will be seen due to loss of routing information. PR1148404 Copyright © 2016, Juniper Networks, Inc. 163 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • With NSR enabled and LDP configured, the rpd process might crash and restart on the new master Routing Engine after a Routing Engine switchover. PR1155002 • If container LSP name and the suffix together are more than 60 characters in length, rpd process might crash during extensive split merge conditions. Its always advisable to keep them less than 60 characters. The member lsp name is coined in the following manner: <container-name>-<suffix-name>-<member-count>. The LSP name can have upto 64 characters. So after putting together the container name, suffix, member-count (could go up to 2 digits), and the 2 hyphens, it should not exceed 64. So container-name and suffix together should not exceed 60 characters. A commit check will be added to throw warning if the name is more than supported character long. PR1160093 Network Management and Monitoring • Mib2d cores while trying to re-add a lag child into the internal DB. Since the entry is already present in the internal DB, before adding the child link, mib2d does a lookup on the tree, to know if the entry is not already there. However, this lookup returns no results, since the child link is part of snmp filter-interface configuration. PR1039508 • LAG MIB tables dot3adAggPortTable, dot3adAggPortDebugTable polling, or lag configuration changes may result in mib2d process core or unexpected values for lag MIB OIDs. The PR fix will resolve these MIB table issues. PR1060202 • With Junos OS Release 13.3R8, 14.1R6, 14.1X53-D30, 14.2R5, 15.1R2, 15.1X49-D30, and above, when we configure fxp0 "master-only" address as the source address of and SNMP trap, the SNMP trap packets are not sent out after Routing Engine (RE) switchover. To restore this issue, we can use "restart snmp" or "delete/set snmp trap-options". As a workaround, we can use other addresses for the SNMP trap source. PR1153722 Platform and Infrastructure 164 • When one of the "deny-commands" is incorrectly defined in the profile of a TACACS+ server, all "deny-commands" regexes will be ignored, which leads to an over-permissive profile without any warning. PR1078238 • Fragmenting a special host outbound IP packet with an invalid IP header length (IP header length is greater than actual memory buffer packet header length) can trigger NULL mbuf accessing and dereferencing, which might lead to a kernel panic. PR1102044 • Junos OS defines the SNMP ifXTable (ifJnxInErrors/ifJnxInL3Incompletes) counter as 64-bit width, but it worked as 32-bit width counter. It works as 64-bit width counter after the fix. PR1105266 • On MX-VC, when traffic with TPID 0x88a8 or 0x9100 is sending over an AE interface, the packets which cross VCP links might be dropped on the egress VCP Packet Forwarding Engine due to an invalid fabric token. PR1112752 • On a Junos Fusion Provider Edge topology, when unicast next hops for the satellite device extended ports are deleted and added, if the routing chip memory is not freed, a small memory leak occurs during the next-hop deletion. If the churn happens for an extended period, the Flexible PIC Concentrator (FPC) might run out of memory and stop operating. PR1114369 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Inline 6rd and 6to4 support for XL and XL-XM-based platforms. PR1116924 • In certain specific network/operating system configurations when a telnet or SSH session client is initiated from a Junos OS device to another device, both the telnet/SSH server, and the telnet/SSH client incorrectly handle the TCP connection on each end. In this event, both the client and the server are stuck in various TCP states and never establish the connection, or release the connection. PR1123496 • On MX Series-based line cards, for GRE over IPv6 packet with layer 4 length less than 8 bytes, it will be discard with reason "L4 len too short". PR1126752 • On MX Series platforms, when offlining the line card (possibly, with any of the line cards listed below), "Major alarm" might be seen due to HSL (link between line card and Packet Forwarding Engine) faults. This fault is non-fatal and would not cause service impact. The line cards that may hit the issue could be seen as: MS-MPC/MS-MIC MIC-3D-8DS3-E3, MIC-3D-8CHDS3-E3-B, MIC-3D-4OC3OC12-1OC48, MIC-3D-8OC3OC12-4OC48, MIC-3D-4CHOC3-2CHOC12, MIC-3D-8CHOC3-4CHOC12, MIC-3D-1OC192-XFP, MIC-3D-1CHOC48. PR1128592 • On MX Series based line card platform, if FPC offline is performed while FPC is in online progress (online process is at the stage of fabric links training), in very corner scenario, the Routing Engines state is stale and being sent to other existing FPCs, so the traffic forwarding might be affected. PR1130440 • For IPv6 packet with "no next header" in Hop-By-Hop header, if the Hop-By-Hop header length field value is large than 112, the router will drop the packet and log the following error: PPE PPE HW Fault Trap: Count 105, PC 60ce, 0x60ce: ipv6_input_finished_parsing LUCHIP(3) PPE_10 Errors lmem addr error. PR1130735 • NTP.org published a security advisory for 13 vulnerabilities in NTP software on Oct 21st, 2015. These vulnerabilities may allow remote unauthenticated attackers to cause Denial(s) of Service(s), disruption of service(s) by modification of time stamps being issued by the NTP server from malicious NTP crafted packets, including maliciously crafted NTP authentication packets and disclosure of information. This can impact DNS services, as well as certificate chains, such as those used in SSL/https communications, and allow attackers to maliciously inject invalid certificates as valid which clients would accept as valid. Refer to JSA10711 for more information. PR1132181 • Doing a file copy from a Routing Engine running Junos OS image to a Routing Engine running Junos OS with Upgraded FreeBSD image fails. PR1132682 • Too many duplicate ACK messages are generated from Packet Forwarding Engine for TCP control connection with Routing Engine. This could cause: 1. MX-VC DDoS protection violation for VC-control low queue and makds MXVC split. 2. Routing Engine and FPC high CPU utilization. PR1133293 • With scaled firewall filters attached to interfaces (e.g., 10k+ filters), running the "show configuration" command can cause high CPU of the mgd process. As a workaround, use the "show configuration | display set" command to view the config. PR1134117 • On XM chip-based line cards (e.g., MPC3/4/5/6, and FPC type 5), in rare situations, when LU or XL chip congestion occurs (e.g., may occur when configuring with more than 4000 entries in the multicast list and large traffic performing replication, please note this is not a realistic configuration), XM chip wedge may occur. PR1136973 Copyright © 2016, Juniper Networks, Inc. 165 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • On MX2020, when we remove whole power of a power zone, and then put the power back to the zone, FANTray LED stays Amber and FANTray LED on craft card stays OFF, and do not revert to green (FANTray LED) or ON (Craft LED) until we reboot the entire chassis system or hot swap that FAN tray. For Zone 0 (PSM 0 to 8), FAN 1 shows the above behavior. For Zone 1 (PSM 9 to 17), FAN 3 shows the above behavior. PR1138209 • When the CLI command "show Packet Forwarding Engine statistics exceptions | match reject" is executed, the CPROD thread in the Packet Forwarding Engine may hog the CPU and result in an FPC crash. PR1142823 • Receipt of a specifically crafted UDP packet destined to an interface IP address of a Junos OS device with a 64-bit architecture may result in a kernel crash. This issue only affects systems with a 64-bit architecture. 32-bit systems are unaffected by this vulnerability. Refer to JSA10758 for more information. PR1142939 • When ARP is trying to receive a next hop message whose size (for example, 73900 bytes) is bigger than its entire socket receive buffer (65536 bytes), the kernel might crash, and the traffic forwarding might be affected. PR1145920 • In certain affected Junos OS Releases, executing the "nhinfo -d" shell command might trigger a kernel panic. This is caused by insufficient buffer space in the routing socket requested by the "nhinfo" utility. PR1148220 • On MX Series platform with MX Series based line card, inline 6rd with si interface is deployed, if downlink traffic is over ECMP or AE, some traffic might be dropped. PR1149280 • When a routing instance is configured with "routing-instances <instance-name> routing-options localized-fib", then VPN localization may fail, causing all routes for the affected routing instance to be installed on all Packet Forwarding Engines. PR1149840 166 • When the NTP server address is configured in a routing instance table and reachable from inet.0 by static configuration (for example, by configuring static/route/next-table/VRF.inet.0), and NTP source-address is configured, the ntpd (the Network Time Protocol daemon running on NTP client) might pick the wrong source-address instead of the configured source-address. As a result, the NTP server cannot send the NTP packet back. PR1150005 • FPC may experience blackhole of traffic after lmem data error in private zone. PR1152026 • During an ISSU upgrade in MXVC environment, linecards may crash, causing service impact. When the linecards come up, there may be a nexthop programming issue as a secondary impact and some IFLs may not pass traffic. Affected linecards need to be rebooted to recover from this condition. PR1152048 • On MX Series routers with Junos OS Release 14.2R5-S1, when we specify a multiservice (ms-) interface to add a timestamp to Real-time Performance Monitor (RPM) probe messages, it will cause the mspmand process to crash and the MS-MPC/MS-MIC to keep crashing. As a workaround, configure RPM to perform timestamping either on the Routing Engine (Routing Engine-based RPM) or on an installed MPC Packet Forwarding Engine (Inline-RPM). PR1152785 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Fixed an issue with Inline J-Flow where the Observation Domain field in exported IPFIX datagrams were always using the value attributed for LU0 in MPCs with multiple LUs per Forwarding-Engine. PR1152854 • The logs CHASSISD_READBACK_ERROR are reported on the backup Routing Engine for the non-empty FPCs. PR1155823 • Configuring a firewall filter with multiple terms matching either on flexible-match-mask or flexible-match-range might lead to FPC crashing while trying to program the firewall filter and add it to the local table. PR1157759 • On a Junos Fusion Provider Edge topology, you could only assign "satellite all" privileges to a single user class. In Junos OS Release 14.2R6, you can now include the "satellite all" statement at the [edit system login class class-name] hierarchy level for multiple classes. PR1161531 Routing Policy and Firewall Filters • When a malformed prefix is used to test policy (command "test policy <policy name> <prefix>"), and the malformed prefix has a dot symbol in the mask filed (e.g., x.x.x.x/.24), the rpd process might crash. PR1144161 • From Junos OS Release 13.2R1, an attempt to commit a configuration with a dangling conditional policy referring to a non-existent/inactive routing-instance will be permitted. If we have a conditional policy referring to an active routing-instance, deleting/deactivating this routing-instance and then committing will cause the rpd process crash. As a workaround, we should always make sure that conditional policies are referring to active routing-instances. PR1144766 Routing Protocols • If the command to trace ppm is issued from the FPC shell and a malformed incoming packet (required to be handled by PPM) is in the buffer, the FPC may crash. An example of such a malformed packet would be a multihop BFD packet with an incorrect length (larger than normal). PR1082878 • When a BGP session supports multiple address families, the inactive route of some of the address families might not be flushed correctly, leading to wrong behaviors for some of the features which need to advertise inactive routes(e.g.,. advertise-inactive, advertise-external, optimal-route-reflection, etc.). PR1097297 • After executing the CLI commands "show route detail" or "show route extensive," the routing protocol process (RPD) might get stuck in an infinite loop and might stop responding to any events such as CLI commands, protocol keepalives, etc. This would result in a timeout of all protocol adjacencies and a high CPU utilization by RPD might be seen on the device (over 90% used by RPD). In some cases, the memory that is used to store the command output might not be freed during executions, which might lead to an RPD restart because of memory exhaustion (RLIMIT exceeded). PR1104090 • Triggered S,G,RPT join is not being sent immediately upon receiving the *,G join or S,G join on RPT tree. Join to S,G,RPT will go over periodic join result in delay pulling traffic till the periodic join sent. PR1107896 Copyright © 2016, Juniper Networks, Inc. 167 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 168 • This issue is a regression defect introduced in Junos OS Release 11.4R11, 12.1R10, 12.2R8, 12.3R6, 13.2R4, 13.3R2, and 14.1R1. After upgrading to those releases containing the original fix, when there is no export policy configured for the forwarding table to select a specific LSP, whenever routes are resolved over RSVP (for example, due to aggressive auto-bandwidth), the resolver will spend a considerable amount of time on the resolver tree, which contributes to a baseline increase in rpd/Routing Engine CPU. PR1110854 • IGMPv2 working in v2/v1 compatibility mode does not ignore v2 Leave messages received on a bridge-domain's L2 member interface. Moreover, an IGMP snooping membership entry for the respective group at this L2 member interface will be timed out immediately upon IGMPv2 Leave reception, even when there are some other active IGMP hosts attached to this L2 member interface. It might breaks multicast forwarding for this L2 member interface. PR1112354 • When two (or more) route target communities of MP-BGP route match to two (or more) route target communities in VRF import policy of a RI, duplicate routing entries might be installed in the RI. In the output of “show route table <RI-name>.inet.0 detail”, two identical routing entries appear with one being marked as 'Inactive reason: Not Best in its group - No difference'. When such duplicate routing information is to be deleted, rpd process will crash. PR1113319 • On a dual Routing Engine router, BFD is configured for BGP with holddown-interval. After a BFD flap (disabling/enabling the interface) the BGP/BFD is up in master Routing Engine, but in backup Routing Engine still shows BGP/BFD down, it will never come up. PR1115429 • There may be a stale BFD session after channging physical in terface MTU, it may also cause BFD session flap to be continuous or stay in down state. PR1116666 • During many types of configuration changes, especially including import policy, BGP has the need to re-evaluate the routes it has learned from peers impacted by the configuration change. This re-evaluation involves re-running import policy to see if there ares any changes to the learned routes after applying the new policy. This work is done in the background as part of an "Import Evaluation" job. When BGP is reconfigured a second time, and the "Import Evaluation job" has not completed, it is necessary to re-run the job from the beginning if there's another change to policy or something with similar impact. This state is noted as "Import Evaluation Pending". However, in this case, there was a bug that caused BGP to always enter the pending state upon reconfiguration, regardless of whether relevant changes were made to import or other similarly impactful configuration. The result is that once it is necessary to start re-evaluation of the routes for a peer, even trivial configuration changes that happen too quickly will cause the "Import Evaluation job" to need to run again as a result of the "Pending" flag being set. To avoid the issue, please ensure that "ImportEval" is not present in a BGP peer's Flags output from the CLI (show bgp neighbor) prior to doing even trivial commits. PR1120190 • With BGP configured on CE-faced interfaces (in VRFs), doing “show route” frequently may cause rpd to slowly leak memory. The leak rate will be one memory block of the size necessary to hold the instance name of the routing instance for a BGP neighbor. If the rpd process memory is exhausted, the rpd process might crash, and the routing protocols are impacted and traffic disruption will be seen due to loss of routing Copyright © 2016, Juniper Networks, Inc. Resolved Issues information. You can check rpd memory usage with the "show task memory brief" command. PR1124923 • In multicast environment, when the RP is FHR (first-hop router) and it has MSDP peers, when the rpf interface on RP changed to MSDP-facing interface, due to the multicast traffic is still on the old rpf interface, a multicast discard route will be installed and traffic loss will be seen. PR1130238 • In multicast environment with Protocol Independent Multicast sparse mode (PIM SM) used, if an upstream router of last-hop router receives the (S,G) SPT join while the shortest-path tree (SPT) is not yet established (only because multicast source is not reachable, a reachable route for SPT which is just not established yet will not cause this issue), when the multicast route gets deleted on the router (e.g., receives the (S,G) prune from the downstream PIM router), the router will incorrectly stop forwarding the multicast traffic even if a rendezvous-point tree (RPT) path exists. PR1130279 • On dual Routing Engine platforms, due to a software issue, the OSPF (including both OSPFv2 and OSPFv3) the "DoNotAge" bit (e.g., source of LSA has flood-reduction feature enabled) is not mirrored to the backup routing protocol process (rpd). In this situation, after performing nonstop active routing (NSR) switchover, the LSA on the new master rpd remains without the "DoNotAge" bit set. Once the LSA reaches OSPF max age, the router will flood LSA purge, hence route flapping might be seen on all routers under the OSPF topology. PR1131075 • In rare condition, mt tunnel interface flap causes backup Routing Engine core. The exact root cause is not known. While processing updates on the backup Routing Engine (received from master Routing Engine), accessing free pointer causes the core. PR1135701 • On dual Routing Engine platform with Bidirectional Forwarding Detection (BFD) protocol enabled, after graceful Routing Engine switchover (GRES), the periodic packet management process (ppmd) might crash on the backup Routing Engine due to a software defect. PR1138582 • Deleting mvpn configuration from routing instance "delete routing-instances <instance-name> protocols mvpn" might cause routing daemon on master RE to crash. PR1141265 • When multicast-only fast reroute (MoFRR) is enabled in PIM or multipoint LDP domain, memory leak will be observed on generation of the multicast FRR next hops. The leak rate is 8 bytes for IPv4 and 12 bytes for IPv6 addresses, per FRR next hop created. Eventually, the rpd process will run out of memory and crash when it cannot honor some request for a memory allocation. PR1144385 • With NSR configured, when the BFD sessions are replicated on the backup Routing Engine, the master will not send the source address, instead the backup Routing Engine will query the kernel to get the source address. In rare cases, the query might fail, resulting in the source address as all zeros. Later, if a GRES switchover happens, the new master will have this all-zeros source address. When a BFD packet with this source address is send out, the other end will drop the BFD session due to no matching session (source address). PR1145612 Copyright © 2016, Juniper Networks, Inc. 169 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In the BGP labeled unicast environment, the secondary route is configured with both add-path and advertise-external. If the best route and secondary route are changed in a routing table at the same time, add-path might miss to readvertise the changed route. The old route with the old label is still the last route advertised to one router, instead of updating the advertisement with the new route and new label. So the traffic forwarding might be affected. PR1147126 • This core is seen because of incorrect accounting of refcount associated with the memory block which composes the nhid (IRB nh). When the refcount prematurely reaches 0, we released the memory block while it was still referenced from a route. We may see this issue when mcsnoopd becomes a slow consumer of rtsock events generated by rpd (next-hop events in the current case) and messages get delivered in an out-of-order sequence, causing the refcount to be incorrectly decremented. In the testbed where the issue was reported, tracing was enabled for mcsnoopd (for logging all events), causing it to become a slow consumer. However, it may become slow also for other reasons, such as processing very high rate of IGMP snooping reports/leaves which could potentially trigger this issue. PR1153932 • OpenSSH client software supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. This functionality contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based). Refer to http://kb.juniper.net/JSA10734 for more information. PR1154016 • BGP Monitoring Protocol (BMP) feature is introduced in 13.3R1. When BMP is configured in passive mode and BMP session is closed ungracefully (e.g. No TCP FIN sent), in rare cases, the TCP session might not be cleaned up properly and rpd process crash might be observed during the re-establishment of the previous session. PR1154017 • When rib-group copy is done for a route change, the rib-group copy of the secondary route into the destination tables of the copy may not honor maximum-prefixes in some scenarios, such as upon damping changes. The traffic forwarding might be affected. PR1157842 Services Applications • The Point-to-Point Tunneling Protocol (PPTP) ALG is used for tunneling Point-to-Point Protocol (PPP) packets over an IP network. But if the router configures session-limit-per-prefix, the PPTP-ALG does not work. PR1128484 User Interface and Configuration 170 • When committing a configuration with a very long as-path, in this case the as-path is almost 12000 characters long, the commitd process might crash. The commitd process restart results in a minimal impact on the system. As a workaround, please configure as-path to be less than 4096 characters long. PR1119529 • When there are two or more sessions accessing the router, and one of the sessions (for example, session 1) is executing commit check in configuration private mode, if another session (for example, session 2) is keeping executing commit-and-quit in configuration private mode, because the commit check is not keeping the lock on the Copyright © 2016, Juniper Networks, Inc. Resolved Issues local Routing Engine for the entire session, there is a chance that session 2 will hit a Database opening error. The detailed sequence events are as follows: (1) Session 1: commit check is not keeping the lock on local Routing Engine for entire session, once commit check on local is a success, while it asked for lock on other Routing Engine. (2) Session 2: mgd acquired db lock on local Routing Engine. (3) Session 1: once commit check is completed on remote Routing Engine, it does cleanup and deletes the juniper.data+ (created by Session 2). (4) Session 2: juniper.data+ is still in use at local Routing Engine by daemons and daemons start complaining about it and emit the messages as "Database open failed for file '/var/run/db/juniper.data+' ". PR1141576 VPNs • On dual Routing Engine platforms with BGP L2VPN and NSR configured, there might be a chance that the block label allocation and deletion for L2VPN is out of order on the backup Routing Engine as following: Master rpd follows the below sequences (which is the correct order): Add Prefix P1 of Label L1 Delete Prefix1 of Label L1 Add Prefix P2 of Label L1. However, on backup rpd, it goes like this: Add Prefix P1 of Label L1 Add Prefix P2 of Label L1 <====== Delete Prefix1 of Label L1. In this situation, backup rpd cannot allocate the label L1 for P2 since L1 is already in use for P1, so it crashes. This occurs in scaling environments (10k L2VPN) where the router has multiple BGP peers, and different L2VPN routing-instances are deleted and added back. PR1104723 • In L2circuit environments, if one PE has pseudowire-status-tlv configured but remote hasn't, and at the same time, this PE doesn't support control-word but remote does, then it will not send changed local status code to remote PE, in a rare condition, after enable status-tlv support at remote end, the l2circuit might get stuck in "RD" state on the remote PE. PR1125438 Resolved Issues: 14.2R5 Class of Service (CoS) • On MX104 platforms, when we configure rate-limit for the logical tunnel (lt-) interface, the commit will fail. As a workaround, we can use firewall filter with policer to achieve the same function. PR1097078 • On MX Series platforms, when class-of-service (CoS) adjustment control profiles and "overhead-accounting" are configured, if the ANCP adjust comes before the logical interface (IFL) adding message and the IFL is in "UP" state when added (for example, it may occur when carrying scaling subscribers, for instance, 8K subscribers), for some of the subscribers, the local shaping rate from dynamic profile for the subscriber IFL may not be overridden by shaping-rate of ANCP. PR1098006 Forwarding and Sampling • This defect is seen only when an existing child link from an AE is moved to a newly created AE, simultaneously from both ends. The new AE is listed as a child link in the existing AE in the “show interface ae<>.0 extensive” CLI. PR965872 • The command "clear firewall all" will now clear the policer stats displayed by "show policer __auto_policer_template_1__", ... "show policer __auto_policer_template_8__". PR1072305 Copyright © 2016, Juniper Networks, Inc. 171 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • This issue is seen in Junos OS Release 14.2 and later. When Routing Engine based sampling is enabled and BGP session is using 4-byte AS, improper AS number can be found in sampling information. [router1]--------[DUT]--------[router2] AS 1,000 A AS 10,0000 | sampling 1.1.1.1 ---------------------->2.2.2.2 traffic --- traceoptions log --Aug 10 12:21:21 v5 flow entry Aug 10 12:21:21 Src addr: 1.1.1.1 Aug 10 12:21:21 Dst addr: 2.2.2.2 Aug 10 12:21:21 Nhop addr: 20.20.20.1 Aug 10 12:21:21 Input interface: 747 Aug 10 12:21:21 Output interface: 749 Aug 10 12:21:21 Pkts in flow: 594 Aug 10 12:21:21 Bytes in flow: 49896 Aug 10 12:21:21 Start time of flow: 4648545 Aug 10 12:21:21 End time of flow: 4707547 Aug 10 12:21:21 Src port: 0 Aug 10 12:21:21 Dst port: 2048 Aug 10 12:21:21 TCP flags: 0x0 Aug 10 12:21:21 IP proto num: 1 Aug 10 12:21:21 TOS: 0x0 Aug 10 12:21:21 Src AS: 1000 Aug 10 12:21:21 Dst AS: 34464 <<<<< Aug 10 12:21:21 Src netmask len: 32 Aug 10 12:21:21 Dst netmask len: 32 PR1111731 • This issue might be seen if following conditions are met: * AE sub-interface with firewall filters * FPC reboot or new FPC is coming up * shared-bandwidth-policer or regular policers (not a must - but easier to hit) If at the time of FPC restarting if a timing condition presents itself whereby the filter for that sub-interface isn't received, this can cause FPC to panic and crash. PR1113915 • On MX Series platform with MX-FPC/DPC, M7/10i with Enhance-FEB, M120, M320 with E3-FPC, when there are large-sized IPv6 firewall filters(for example, use prefix lists with 64k prefixes each) enabled, commit/commit check would fail and dfwd process would crash after configuration commit/commit check. There is no operational impact. PR1120633 • On all Junos OS platforms, when both the filter and the policer are configured for an interface, in rare cases, the policer template may not be received by the Packet Forwarding Engine (from the Routing Engine) when it is referenced by the filter term (normally the policer template gets received before the filter term referencing it which is ensured by mechanism in the Routing Engine kernel). In this situation, the FPC would crash due to this rare timing issue. This issue might be avoided by the following recommended steps: 1. Deactivate the physical interface (IFD) and commit 2. Enable any filter and policer that attached to the interface (e.g., IFL) and commit 3. Reactivate interface. PR1128518 General Routing 172 • In a Layer 3 wholesale configuration, DHCPv6 advertise messages might be sent out with source MAC all zeroes if the subscriber is terminated on the demux interface in a non-default routing instance. For subscribers on the default instance no such issue is observed. PR972603 • On MX Series platforms, when an aggregated Ethernet bundle participating as an interface within bridge-domain goes down, the following syslog messages could be observed. The messages would be associated with FPC0 even if there are no link(s) from this FPC0 participating in the affected aggregate-ethernet bundle. mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex 636, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-3/3/2 mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex 637, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-3/3/3 mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex 740, ifAdminStatus up(1), ifOperStatus down(2), ifName ae102 fpc0 LUCHIP(0) Congestion Detected, Active Zones f:f:f:f:f:f:f:f:f:f:f:f:f:f:f:f fpc0 LUCHIP(0) Congestion Copyright © 2016, Juniper Networks, Inc. Resolved Issues Detected, Active Zones 2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm set: FPC color=RED, class=CHASSIS, reason=FPC 0 Major Errors craftd[1601]: Major alarm set, FPC 0 Major Errors fpc0 LUCHIP(0) Congestion Detected, Active Zones 2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm cleared: FPC color=RED, class=CHASSIS, reason=FPC 0 Major Errors craftd[1601]: Major alarm cleared, FPC 0 Major Errors fpc0 LUCHIP(0): Secondary PPE 0 zone 1 timeout. fpc0 PPE Sync XTXN Err Trap: Count 7095, PC 10, 0x0010: trap_nexthop_return fpc0 PPE Thread Timeout Trap: Count 226, PC 34a, 0x034a: nh_ret_last fpc0 PPE PPE Stack Err Trap: Count 15, PC 366, 0x0366: add_default_layer1_overhead fpc0 PPE PPE HW Fault Trap: Count 10, PC 3c9, 0x03c9: bm_label_save_label fpc0 LUCHIP(0) RMC 0 Uninitialized EDMEM[0x3f38b5] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0) RMC 1 Uninitialized EDMEM[0x394cdf] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0) RMC 2 Uninitialized EDMEM[0x3d9565] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0) RMC 3 Uninitialized EDMEM[0x3d81b6] Read (0x6db6db6d6db6db6d). These messages would be transient in nature. The discrepancy of next-hop handling that is addressed in this PR can also manifest itself in form of other issues in the system. Basically when the next hops go out of sync we are bound to see either Packet Forwarding Engine crashes/traps or Routing Engine crashes. The fix in this PR should take care of this behavior and ensure we handle the nexthops correctly to maintain the synchronization between master Routing Engine, backup Routing Engine, and all Packet Forwarding Engine peers. PR990023 • MPC with Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC (MIC-3D-4COC3-1COC12-CE) might crash. This problem is very difficult to replicate and a preventive fix will be implemented to avoid the crash. PR1050007 • It is observed that the syslog messages related to kernel and Packet Forwarding Engine may get generated at an excessive rate, especially in a subscriber management environment. Most of these messages may appear repeatedly, for example, more than 1.5 million messages may get recorded in 2 hours, and there are only 140 unique messages. Besides, these messages are worthless during normal operation and due to the excessive rate of log generation, high Routing Engine CPU consumption (for example, Routing Engine CPU utilization can be stuck at 100% for a long time [minutes or hours], it depends on the activity of subscribers (frequency of logins and logouts) and on the AI scripts used by the customer) by event process (eventd) might be observed on the device. PR1056680 • PR1060070 • When a labeled BGP route resolves over a route with MPLS label (e.g., LDP/RSVP routes), after clearing the LDP/RSVP routes, in the short window before the LDP/RSVP routes restore, if the BGP routes resolves over a direct route (e.g., a one-hop LSP), the rpd process might crash. PR1063796 • When "satop-options" is configured on an E1 with Structure-Agnostic TDM over Packet (SAToP) encapsulation, after Automatic Protection Switching (APS) switchover, some SAToP E1s on the previously protect interface (now working) start showing drops. PR1066100 • Upon BFD flapping on aggregate interfaces, the Lookup chip (XL) might send illegal packets to the center chip (XMCHIP) and compromise packet forwarding and an FPC restart is needed to recover from this condition. If the Fabric path side is affected, the Copyright © 2016, Juniper Networks, Inc. 173 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion fabric healing process will initiate this process automatically to recover from such conditions. Corrupted parcels from Lookup chip LU/XL to Center Chip (XM) can also compromise packet forwarding and report DRD parcel timeout errors. An additional parcel verification check is added to prevent sending corrupted parcels to the center chip (XM) PR1067234 • CFP2-100GBASE-ER4 is supported on MIC6-100G-CFP2/MPC6E/MPC5E from 13.3R8/14.1R6/14.2R3-S4/14.2R4-S1/14.2R5/15.1R2/15.2R1 PR1069112 • On MX Series platforms with MS-MPC/MS-MIC, when Network Address Translation (NAT), Stateful Firewall (SFW), Traffic Detection Function (TDF), or IPsec service is configured and traffic flows, an ordered packet might miss the descriptor due to the software defect. It results in prolonged flow-control, all data and control paths are blocked, the service PIC goes down and does not come up. PR1079745 • FPC/MIC usually performs i2c bus transactions to detect presence/absence of SFPs. When it fails to read SFP EEPROM due to i2c bus timing related and/or i2c bus hang issues, the FPC crashes with the interfaces flap. The i2c bus should be held up in bad state because faulty EEPROM SFP or non Juniper qualified SFP might be used. PR1080566 174 • The Scheduler: Protect: Parity error for tick table single messages might appear in MPC3E/MPC4E/MPC5E/MPC6E/T4000-FPC5. PR1083959 • The MIB counter or "show Packet Forwarding Engine statistics traffic" shows junk PPS and invalid total traffic output counter. PR1084515 • TCP messages do not have their MSS adjusted by the Multiservices MIC and MPC if they do not belong to an established session. PR1084653 • mspmand core is observed while taking ms-mic offline with IPsec and J-Flow configured on same ms-mic with dynamic IPsec tunnels. PR1086819 • On MX Series routers with MPCs/MICs, if a rlsq interface is receiving continuous fragmented traffic, doing rlsq switchovers a couple of times might cause the FPC to crash and reboot. PR1088300 • In a two-members MX Series Virtual Chassis (MXVC) environment, when "set virtual-chassis no-split-detection" is configured, if split master condition happens, which is caused by split events (i.e., loss of all adjacencies by link failure, FPC restarts, chassis power-down, Routing Engine reboots, etc.), then once the VCP adjacency is formed again, the current design could not determine the best chassis to win the protocol mastership election properly. Instead, only the final election step (that is choose the member device with the lowest MAC address) is used to elect the master device (protocol master of the VC, or VC-M). PR1090388 • Scuba MPC6E Temperature Intake shows as "Testing" in "show chassis environment", but "show chassis environment fpc" and "show chassis fpc detail" are OK and provide the correct Temp information. > show chassis hardware | match fpc FPC 0 REV 66 750-044130 ABDA3551 MPC6E 3D FPC 9 REV 31 750-031087 CADR7177 MPC Type 1 3D FPC 10 REV 66 750-044130 ABCZ2741 MPC6E 3D {master} > show chassis environment | match "intake |state" | match fpc FPC 0 Intake Testing <<<<<<<< Wrong info FPC 9 Intake OK 37 degrees C / 98 degrees F FPC 10 Intake Testing <<<<<<<< Wrong info {master} > show chassis environment fpc | match Copyright © 2016, Juniper Networks, Inc. Resolved Issues "fpc|intake|state" FPC 0 status: State Online <<<<<<<<<<<<<<<<<< Correct info Temperature Intake 36 degrees C / 96 degrees F FPC 9 status: State Online Temperature Intake 37 degrees C / 98 degrees F FPC 10 status: State Online <<<<<<<<<<<<<<<<<< Correct info Temperature Intake 42 degrees C / 107 degrees F {master} > show chassis fpc detail Slot 0 information: State Online Temperature 36 <<<<<<<<<<<<<< Correct info Total CPU DRAM 3584 MB Total XR2 518 MB Total DDR DRAM 49920 MB Start time: 2015-05-12 12:36:14 AST Uptime: 9 days, 1 hour, 31 minutes, 38 seconds Max Power Consumption 1088 Watts Slot 9 information: State Online Temperature 37 Total CPU DRAM 2048 MB Total RLDRAM 331 MB Total DDR DRAM 1280 MB Start time: 2015-05-12 12:38:00 AST Uptime: 9 days, 1 hour, 29 minutes, 52 seconds Max Power Consumption 239 Watts Slot 10 information: State Online Temperature 42 <<<<<<<<<<<<<< Correct info Total CPU DRAM 3584 MB Total XR2 518 MB Total DDR DRAM 49920 MB Start time: 2015-05-12 12:36:18 AST Uptime: 9 days, 1 hour, 31 minutes, 34 seconds Max Power Consumption 1088 Watts PR1090671 • Wrong diagnostic optics info might be seen for GE-LX10 SFP and SFP+ for SumitomoElectric. The issue only for a specific SFP type - "Xcvr vendor part number : SCP6F44-J3-ANE”, it can be seen with "show chassis pic fpc-slot X pic-slot Y". user@device> show chassis pic fpc-slot 0 pic-slot 0 .. PIC port information: Fiber Xcvr vendor Wave- Xcvr Port Cable type type Xcvr vendor part number length Firmware 0 GIGE 1000LX10 SM OPNEXT INC TRF5736AALB227 1310 nm 0.0 1 GIGE 1000LX10 SM FINISAR CORP. FTLF1318P2BTL-J1 1310 nm 0.0 2 GIGE 1000LX10 SM SumitomoElectric SCP6F44-J3-ANE 1310 nm 0.0 <Error SFP>PR1091063 • In a scaled Broadband Subscriber Management environment (in this case, 16K subscribers), when Access Node Control Protocol (ANCP) CoS adjustment is configured, the minimum rate instead of the shaping-rate might be wrongly applied to some subscribers and causes traffic loss. PR1094494 • The issue is because of the software problem. Just after the system reboots, the rpd process is determining the Routing Engine mastership mode too early before chassisd is determining the mastership , which would cause overload feature not to work properly. PR1096073 • Continuous error messages are seen after adding/deleting ae child link. MIC: unknown option 132, ifd 305/xe-4/0/11, cmic_eth_boolean_set IFFPC: 'IFD Ether boolean set' (opcode 55) failed ifd 305; Ether boolean set error (7) There is no known service impact due to these messages. PR1097262 • Occasionally , AFEB PCI reads from Cortona MIC with ATM OAM traffic might return garbage values even though the actual content in the MIC has the correct value. These corrupted values would lead to AFEB crash , and also PCI error logs such as : afeb0 PCI ERROR: 0:0:0:0 Timestamp 91614 msec. afeb0 PCI ERROR: 0:0:0:0 (0x0006) Status : 0x00004010 afeb0 PCI ERROR: 0:0:0:0 (0x001e) Secondary bus status : 0x00004000 afeb0 PCI ERROR: 0:0:0:0 (0x005e) Link status : 0x00000011 afeb0 PCI ERROR: 0:0:0:0 (0x0130) Root error status : 0x00000054 afeb0 PCI ERROR: 0:0:0:0 (0x0134) Error source ID : 0x02580258 afeb0 PCI ERROR: 0:2:11:0 Timestamp 91614 msec. afeb0 PCI ERROR: 0:2:11:0 (0x0006) Status : 0x00004010 afeb0 PCI ERROR: 0:2:11:0 (0x004a) Device status : 0x00000004 afeb0 PCI ERROR: 0:2:11:0 (0x0052) Link status : 0x00004001 afeb0 PCI ERROR: 0:2:11:0 (0x0104) Uncorrectable error status : 0x00000020 afeb0 PCI ERROR: 0:2:11:0 (0x0118) Advanced error cap Copyright © 2016, Juniper Networks, Inc. 175 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion & ctl : 0x000001e5 afeb0 PCI ERROR: 0:2:11:0 (0x011c) Header log 0 : 0x00000000 afeb0 PCI ERROR: 0:2:11:0 (0x0120) Header log 1 : 0x00000000 afeb0 PCI ERROR: 0:2:11:0 (0x0124) Header log 2 : 0x00000000 afeb0 PCI ERROR: 0:2:11:0 (0x0128) Header log 3 : 0x00000000 PR1097424 • After upgrading to Junos OS Release 14.1R1 and higher, loopback ISO family address may be stuck in KRT queue. PR1097778 • For Junos OS Release 13.3R1 and later, the DPC card might experience a performance degradation when it's transferring bidirectional short packets (64B) in inline rate. PR1098357 • On Trio-based platform, when the type of the IPv6 traffic is non-TCP or non-UDP (for example, next header field is GRE or No Next Header for IPv6), if the traffic rate is high (for instance, higher than 3.5Mpps), the packet re-ordering may occur. PR1098776 • When the clock sync process (clksyncd) is stopped and resumed during link flaps, the clksyncd process might get into an inconsistent state with various symptoms, and the clock source might be ineligible due to "Interface unit missing" or "Unsupported interface" with no Ethernet Synchronization Message Channel (ESMC) transmit interfaces. PR1098902 • In an MPLS L3VPN network with a dual-homed CE router connected to different PE routers, a protection path should be configured between the CE router and an alternate PE router to protect the best path. When BFD is enabled on the BGP session between the CE and the primary PE router, with local traffic flowing from another CE connected with the primary PE to this CE, after bringing down the interface on the best path, the local repair will be triggered by the BFD session down but it might fail due to a timing issue. This will cause slow converge and unexpected traffic drop. PR1098961 • When BGP multipath is enabled in a Virtual Routing and Forwarding (VRF), if "auto-export" and "rib-group" are configured to leak BGP routes from this VRF table to another, for example, the default routing table, then traffic coming from the default routing instance might not be properly load balanced because the multipath-route leaked into the default routing table is not the active route. This is a random issue. As a workaround, only use "auto-export" to exchange the routes among the routing tables. PR1099496 176 • On MX Series-based platform, before creating a new unilist next hop, there is a check to see if there is at least 512k DoubleWords (DW) free. So, even the attempting NH requires only a small amount of memory (for example, < 100 DWs), if there is no such enough free DWs (that is, 512k), the check will fail and the end result is that the control plane will quit adding this NH prematurely, stopping at ~80% of capacity. With the fix, it will check for 64k free DWs which is a lower reference watermark for available resource, thereby ensuring that it can allocate resource. PR1099753 • On XL-based cards such as MPC5/MPC6, PPE thread timeout errors (resulting in PPE trap files) can be triggered when the FPC allocates illegal memory space for the forwarding state of router operations. In certain cases, this can result in packet loss, depending on how many packets use this forwarding state. PR1100357 • In abnormal session close scenario like by pulling-out running ms-mpc or in scaled flow environments, some garbage object can remain due to a bug on internal flow Copyright © 2016, Juniper Networks, Inc. Resolved Issues state machine then would trigger mspmand coredump. The fix of this PR clears such a problematic status objects. PR1100363 • After Junos OS Release 13.3R1, IPCMON infra is added to debug IPCs between PFEMAN and the Routing Engine. When convergence occurs, string processing of IPCMOM will take added time. Then the slow convergence will be seen. It is a performance issue, it is visible in scaled scenarios (for example, more than 100K routes). As a workaround, execute the command "set pfe ipclog filter clear" to disable IPC logging on all FPCs. PR1100851 • A remote attacker can cause a denial of service to the MX Series router with MPC due to maliciously crafted uBFD packets that are received directly via VPN, MPLS, multicast, broadcast, on vt-interfaces, or otherwise. This issue affects both IPv4 and IPv6 traffic in both Ethernet, and non-Ethernet physical environments, such as ATM or SONET, where the crafted packet is received over physical interfaces. If processed from a DPC through to the MPC, then in-transit traffic will not be susceptible. In a 6PE scenario, if the system is not using LSI/vt, then it is not susceptible. If processed via MPC line card will be affected, the MPC line card will crash. If processed via the MPC line card will be affected, and the MPC line card will crash. If processed via endpoint receiving, the MPC line card terminating tunneling protocols such as MPLS/IPSec VPNs, etc., will be affected; this is considered an in-transit traffic scenario. This crash can happen when the crafted packet is directed directly to the lo0 interface, IP/physical interface, IP/broadcast IPv4 / IPv6 address of the physical interface. As a workaround, we can apply a control plane (lo0) filter to drop uBFD packets. This issue is assigned CVE-2015-7748. More detailed information in the following link: http://kb.juniper.net/InfoCenter/index?page=content=JSA10701=SIRT_1=LISTPR1102581 • On a QFX3500 switch with nonstop active routing (NSR) enabled, deleting a routing-instance or logical-system configuration might cause a soft assert of the rpd process. If NSR is not enabled, after you delete a routing-instance or logical-system configuration, executing "restart routing" might trigger this issue, too. This issue has no functional impact. PR1102767 • With "enhanced-ip" mode and AE interface configured, if SCU/DCU accounting is enabled, the MS-DPC might drop all traffic as regular discard. PR1103669 • Non-queuing MPC5E and MPC6E might crash continuously if rate-limit under transmit-rate for scheduler is applied. As a workaround, do not configure rate-limit and use firewall policer for forwarding-class instead. MPC5EQ is not exposed. PR1104495 • When using "write coredump" to invoke a live coredump on an FPC in T-series, the contents of R/SR ASIC memory (Jtree SRAM) will get dumped. Ifthere is a parity error present in the SRAM, then the coredump will abort and the FPC will crash. As a workaround, configuring "set chassis pfe-debug flag disable-asic-sram-dump" before "write coredump" will help to avoid the issue. PR1105721 • When mspmand (which manages the Multiservice PIC) core dump (when the mspmand crash, it will dump a core file for analysis) is in progress in MS-MPC/MS-MIC and a GRES command is issued at the same time, it is seen that the MS PIC gets stuck and has to be recovered by offlining/onlining the PIC. PR1105773 • On MPC-3D-16XGE-SFPP line cards, when an optics (for example, 10G-LR-SFP) is disabled and then enabled administratively, if the SFP is not temperature tolerant Copyright © 2016, Juniper Networks, Inc. 177 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion (non-NEBS compliant), the TX laser may not be turned on due to the fact that the chassis process (chassisd) may keep sending the "disable-non-nebs-optics" command to the optics if the current temperature of FPC reaches the threshold temperature. PR1107242 • When bridge domain in PBB-EVPN routing instance is modified to add/remove ISIDs, bridge domain can get stuck in destroyed state. This happens when ISIDs in the bridge domain are changed from 1 to many or many to 1. This is only noticed during configuration changes or initial deployment. PR1107625 • Under an IPv6 VRRP scenario, when a host sends router solicitation messages to a VRRP virtual IPv6 address, the VRRP master replies router advertisement messages with physical MAC address instead of virtual MAC, the VRRP slave replies router advertisement messages with physical MAC address as well. As a result, the host has two default gateways installed and the host will send traffic directly to two devices but not to the VRRP virtual IP. This issue affects VRRP function and traffic. PR1108366 • On MX Series platforms, continuous error messages might be seen on the MICs (for 10G/40G/100G MICs) from MIC3 onwards (listed as below) when physical interface (IFD) settings are pushed (e.g., booting the MPC). Based on the current observation, the issue may not have any operational impact and the MICs that may encounter this issue are listed as follows: - 10G MICs: MIC3-3D-10XGE-SFPP, MIC6-10G, MIC6-10G-OTN, - 40G MICs: MIC3-3D-2X40GE-QSFPP, - 100G MICs: MIC3-3D-1X100GE-CFP, MIC3-3D-1X100GE-CXP, MIC6-100G-CXP, MIC6-100G-CFP2. PR1108769 178 • Due to a software defect found in 13.3R7.3 and 14.1R5.4 inclusively, Juniper Networks strongly discourage the use of Junos software version 13.3R7.3 on routers with MQ-based MPC. This includes MX-Series with MPC1, MPC2; all mid-range MX-Series; and some of EX9200 line cards. PR1108826 • On MX Series routers , when using FTP Application-level gateway (ALG), if the FTP (including both active mode and passive mode) server requests client to use different IP address for control session and data session (i.e. after the control session is established, the destination IP address of FTP server is changed on which client should transfer the data), although the control session could be built, the data session could not be established due to wrong pinhole creation. The issue would not occur in the scenario that the port is changed while the destination IP address is the same. PR1111542 • In the scenario that the power gets removed from the MS-MPC, but Routing Engine is still online (for example, on MX960 platforms with high capacity power supplies which split into two separate power zones, when the power zone for the MS-MPC line card loses power by switching off the PEM that supports the MS-MPC situated slot), if the power goes back on(for example, switch on the PEM), the MS-MPC might be seen as "Unresponsive" (checked via CLI command "show chassis fpc") and not coming up back online due to failure of reading memory. PR1112716 • Under certain conditions, when the Junos OS Routing Engine tries to send an IP packet over an IPIP tunnel, the lookup might end up in an infinite loop between two IPIP tunnels. This is caused by a routing loop causing the tunnel destination for Tunnel#A to be learned through Tunnel#B and the other way round. PR1112724 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • On all Junos OS platforms, when the Junos OS Routing Engine tries to send an IP traffic over a GRE tunnel, the route lookup might end up in an infinite loop between two GRE tunnels (the infinite loop is caused by a routing loop causing the tunnel destination for Tunnel A to be learned through Tunnel B and the other way round), the kernel would crash as a result. As a workaround, the issue can be avoided by preventing the tunnel destination of a tunnel to be learned through a second tunnel (and the other way round). PR1113754 • On ACX Series routers with Junos OS Release 12.3X54-D20 or 12.3X54-D25, Inverse multiplexing for ATM (IMA) interfaces on MIC-3D-4COC3-1COC12-CE may not come up due to "Insufficient Links FE" alarm. This is due to data corruption on the physical layer. PR1114095 • On MX-VC with a heartbeat connection, if it is in a scaled subscribers environment, when powering down both VCM Routing Engines, there might be a delay (minutes) for the backup chassis to be master and during which time, traffic blackhole might be seen. PR1115026 • After VC Protocol Master Switch, new VCMm could allocate STP index of 1 (which is global discarding state) to new IFDs resulting in STP status incorrectly marked to discarding on the FPCs of the current VCBm. Please note for the fix to be effective, it is required that MXVC setup is rebooted once after upgrade of all the Routing Engines of the MXVC chassis with new fixed image following normal upgrade procedure, and hence unified ISSU based upgrades are not supported. PR1115677 • For MPC6E with CFP2, there was a race condition between the interrupt service routine and the periodic, as a result interface up/down will not happen for laser off/on. PR1115989 • On MX240/MX480/MX960 platforms with MS-DPC card, in some race conditions, after deactivating member interface of the aggregated multiservices (AMS) interface, the service PIC daemon (spd) might crash due to memory corruption. As a workaround, offline the member PICs before changing the AMS configuration and then online the PICs. PR1117218 • alg-logs and pcp-logs are not supported under [edit edit services service-set <ss-name> syslog host local class] on ms interface as of now. Added warning message for the same during configuration commit. PR1118900 • The rpd process might crash when executing the CLI command "show evpn database" with the combination of "vlan-id" and "mac-address". PR1119301 • In the multicast environment with pd interface (interface on the rendezvous point (RP) that de-encapsulates packets), if execute GRES multiple times, and the GRES interval is less than 30 minutes, the routes on master Kernel are added and deleted for a short while. In rare conditions, backup Kernel will not be able to see them. So after Routing Engine switchover, the new master Kernel will delete the next-hop ID for such routes, but Packet Forwarding Engines will not see this deleted message. As a result, the Kernel/Packet Forwarding Engine are out of sync for such particular next-hop ID, and might trigger a reset of all the Packet Forwarding Engines. As a workaround, do the Routing Engine switchover in more than 30 minutes intervals. PR1119836 Copyright © 2016, Juniper Networks, Inc. 179 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • On MS-MPC equipped MX Series platforms, during the "three-way handshake" process, when receiving ACKs (e.g., after sending SYN and receiving SYN/ACK) with window size 0 (as reported, it is set to 0 by TCP client when using some proprietary protocol), the ACKs would be incorrectly dropped by the line card due to failure in TCP check. This issue could be avoided by preventing software from dropping packets that fail in the check. For example, by CLI command below, re# set interfaces ms-3/0/0 services-options ignore-errors tcp. PR1120079 • Router is using BFD with its ECMP neighbours, when FPCs are rebooted, normally FPC would resolve ARP one by one and update unilist and corresponding selector. But in this case, due to a software defect, unilists remained stale and disabled. So the traffic might be dropped or not be load balanced. PR1120809 • The commit latency will increase along with the increasing lines under [edit system services static-subscribers group <group-name> interface]. Use ranges to create static demux interfaces is a recommended option: [edit system services static-subscribers group PROFILE-STATIC_INTERFACE] + interface demux0.10001001 upto demux0.10003000; PR1121876 • ovs-vxlan -- irb mac address is missing in ovs data base PR1122826 • In multihoming EVPN scenarios and the customer-facing interface is an AE interface, after moving an interface from the EVPN instance into a VPLS instance, traffic loss might be seen on CE-facing FPC. PR1126155 • In an EVPN scenario, the EVPN route table between the master Routing Engine and backup Routing Engine would be different (unused garbage routes will appear) once Routing Engine switchover (e.g, by rebooting the "old" master Routing Engine or performing a graceful Routing Engine switchover) is performed, which might cause a kernel crash on the new master Routing Engine in some cases. PR1126195 • On MX Series platform, agentd daemon causes high disk (e.g. SSD) Input/Output activity (e.g. about 25MB/s I/O activity) due to new feature of SDN-telemetry (as known as agentd) added in Junos OS Release 14.2 onward and fabric statistics sensor is per default enabled updating the Database every 2 seconds. As more FPCs are installed in the system as higher the database record update rate. The CLI command "set system processes SDN-Telemetry disable" is not working and could not be used to disable the process. PR1130475 • In the PPP environment, when a subscriber is logged out, its IFL index is freed, but in rare conditions the session database (sdb) entry is not freed. When the IFL index is assigned to a new IFL, it is still mapped to an old sdb entry, so the jpppd process might crash because of mismatching. The issue is not really fixed, the developer just adds some debug information. PR1057610 • In dynamic subscriber management scenario, when we executing CLI command "show subscribers physical-interface <interface_name> count" from the master Routing Engine, the active and total subscriber counts might be always shown as zero. As a workaround, we can execute this command from the backup Routing Engine. PR1096348 • 180 FFP is a generic process that will be called during the commit process, and FFP calls the PDB initialization as part of its process. On the PDB-unsupported platforms (MX Copyright © 2016, Juniper Networks, Inc. Resolved Issues Series, M10i, M120, M320 is PDB-supported), when committing configuration, some error messages will be seen. PR1103035 • Log sdb_free_snapshot_handle: trying to free an already freed snapshot appearing in messages log after upgrade to 13.3R7. This message was intended to be a trace message but was mistakenly written to the messages log. There is no impact associated with this log message. PR1116795 High Availability (HA) and Resiliency • On dual Routing Engine platforms with NSR enabled, when committing scaling configuration (for example, deactivating 500 IFLs and performing commit, then activating 500 IFLs and commit, the process may need to be performed 3-6 times) to the device, the master Routing Engine would be busy processing the commit, due to which the backup does not get data or keepalive from master. In this situation, the protocols (for example, OSPF, or LDP) may get down on the backup Routing Engine due to keepalives timeout. PR1078255 • On MX Series Virtual Chassis (MX-VC) with scaled configuration, for example, 110000 DHCP and 11600 PPP subscribers, the unified in-service software upgrade (ISSU) might fail due to the management daemon (MGD) timer expiring before field-replaceable units (FRUs) update finish. PR1121826 Infrastructure • When the "show version detail" CLI command has been executed, it will call a separate gstatd process with parameter "-vvX". Because the gstatd could not recognize these parameters, it will run once without any parameter then exit. In the results of "show version detail", the following information could be seen: user@hostA> show version detail Hostname: hostA Model: mx960 Junos: 13.3R6-S3 JUNOS Base OS boot [13.3R6-S3] JUNOS Base OS Software Suite [13.3R6-S3] .. <snipped> file: illegal option -- v usage: gstatd [-N] gstatd: illegal option -- v usage: gstatd [-N] <snipped> At the same time, log lines like following might be recorded in syslog: file: gstatd is starting. file: re-initializing gstatd mgd[14304]: UI_CHILD_START: Starting child '/usr/sbin/gstatd' gstatd: gstatd is starting. gstatd: re-initializing gstatd gstatd: Monitoring ad2 gstatd: switchover enabled gstatd: read threshold = 1000.00 gstatd: write threshold = 1000.00 gstatd: sampling interval = 1 gstatd: averaged over = 30 mx960 mgd[14304]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/gstatd', PID 14363, status 0x4000 mgd[14304]: UI_CHILD_EXITED: Child exited: PID 14363, status 64, command '/usr/sbin/gstatd' PR1078702 • On dual Routing Engine platforms, if GRES is configured (triggered by "on-disk-failure"), when a disk I/O failure occurs on the master Routing Engine due to hardware issue (for example, SSD failure), the graceful Routing Engine switchover might not be triggered immediately after initial IO failure has been detected. As a result, Routing Engine might enter a state in which it responds to local pings and interfaces remain up, but no other processes are responding. PR1102978 Copyright © 2016, Juniper Networks, Inc. 181 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Interfaces and Chassis • dcd will crash if targeted-distribution is applied to ge ifd via dynamic-profile. PR1054145 • For Junos OS Release 13.3R1 or later, after multiple (e.g., 26) iterations of graceful Routing Engine switchover (GRES), the TNP address of management interface might be deleted incorrectly during switchover, which leads to all FPCs being offline. PR1060764 182 • Currently the redundant logical tunnel (rlt) interface only supports limited vlan range (0..1023), it should support the extended vlan range (0..4094) as the logical tunnel does. PR1085565 • On T4000/TXP-3D platform with HCFPCs (FPC Type-5) as source FPCs, if there are multiple online/offline/restart of FRUs(FPC/Sib) happening together, for example, at system boot time/GRES time/SPMB reboot time, the FM (Fabric Manager) will process these events sequentially and be busy. If one destination FPC flaps at this time, all HCFPCs might drop traffic to this FPC. PR1087798 • Trap messages are not logged on logical interface (ifl) after deleting the "no-traps" configuration statement, in spite of setting explicit "traps". PR1087913 • In anMX Series Virtual Chassis (MXVC) environment, when rebooting the system or the line cards which contain all the Virtual Chassis port (VCP) links, because line cards may fail to complete the rebooting process within 5 minutes, the timer (that is, the amount of time allowed for the LCC to connect to the SCC) started by the master router may expire which may cause the VCP links establishment failure. In addition, this issue is not specific to the line cards type, based on the observation, the timer (5 min) may expire on a MX2020 with all 20 FPCs equipped as well. PR1095563 • During failure notification state machine, CFM does not correctly transit from DEFECT CLEARING state to RESET once the error indication has been cleared. As a consequence, all the forthcoming errors will be considered post errors and will be reported right away without incurring the fngAlarmTime. This is a cosmetic problem. PR1096346 • On PB-2OC12-ATM2-SMIR PIC, port 0 and port 1 are configured with clock source as external, if Loss of signal (LOS) is inserted on port 0, the port 0 will go down; the expected behavior is clock being used from port 1. But in this case, port 0 down will results in port 1 flapping and reporting SONET phase lock loop (PLL) errors. PR1098540 • In VRRP environments, with VRRP configured over double-tagged interface and VRRP delegate-processing enabled, the PDUs are generated with only one tag and the outer tag is not added, because of which, the PDUs will get dropped at the receiving end. The similar configuration that may cause the issue might be seen as follows: .. protocols { vrrp { delegate-processing; <<<<< "delegate-processing" is enabled for VRRP } .. .. interfaces { xe-0/0/3 { flexible-vlan-tagging; unit 0 { vlan-tags outer 2000 inner 200; <<<<< VRRP is configured over double tagged interface family inet { address 10.10.10.147/29 { vrrp-group 17 { virtual-address 10.10.10.145; priority 100; accept-data; } } } } } } .. PR1100383 • After configuring related ae interface config, we might find some ae interfaces disappear in MX-VC. It seemed that ae interfaces are not allocated a MAC address from chassisd properly. * This issue only happens first configuration timing after rebooting/restarting Copyright © 2016, Juniper Networks, Inc. Resolved Issues chassisd. So even if you configure related ae interface config repeatedly, you cannot find this issue. When this issue happens, these messages will be found in messages logs: ------------------------------------------------- lab@router_re0> show log messages| match CHASSISD_MAC_ADDRESS_AE_ERROR Jun 26 16:04:34.064 router_re0 scchassisd[2008]: CHASSISD_MAC_ADDRESS_AE_ERROR: chassisd MAC address allocation error for ae4 Jun 26 16:04:34.105 router_re0 /kernel: Jun 26 16:04:34.064 router_re0 scchassisd[2008]: CHASSISD_MAC_ADDRESS_AE_ERROR: chassisd MAC address allocation error for ae4 ------------------------------------------------- Restore ae interfaces * This is not a workaround. Deactivate/activate ae interfaces. (We need to do this to all disappeared ae interfaces.) PR1100731 • VRRP inet6 group interface does not send Router Advertisement (RA) when the interface address and virtual address are same. run show ipv6 router-advertisement interface ge-0/2/0.430 Interface: ge-0/2/0.430 Advertisements sent: 0 Solicits received: 0 Advertisements received: 0 PR1101685 • Because of the error injection rate configured by the user on a Routing Engine via the CLI command "bert-error-rate" may not be programmed in the hardware register, the PE-4CHOC3-CE-SFP, PB-4CHOC3-CE-SFP, MIC-3D-4COC3-1COC12-CE, and MIC-4COC3-1COC12-CE-H may fail to inject bit errors during a Bit Error Ratio Test (BERT). PR1102630 • The 'optics' option will now display data for VCP ports: show interfaces diagnostics optics vcp-0/0/0. PR1106105 • On MX240 or MX480 platforms with at least two DC modules (PN: 740-027736) equipped, when shutting down one of the PEMs and then turning it on again, even the PEM is functioning, the "PEM Fan Fail" alarm might be observed on the device due to software logic bug. There is no way to clear the ALARM_REASON_PS_FAN_FAIL for I2C_ID_ENH_CALYPSO_DC_PEM once it has been raised. PR1106998 • On all Junos OS Series platforms, if the "HDD /var" slice (for example, "/dev/ad1s1f" depending on the type of Routing Engine) is not mounted (for example, label missing, file system corrupted beyond repair, HDD/SDD is removed from the boot list, etc.), the system may build emergency "/var/", however, no alarm or trap is generated due to the incorrect operation of the ata-controller. Although the boot messages may present the logs, it may not be sufficient to identify the issue before encountering other problems (for example, Junos OS upgrade failure and the Routing Engine may hang in a recovery shell). In addition, as a method to check where Routing Engine is running from, a manual check could be done as follows: user@re0> show system storage | match " /var$" /dev/ad2s1f 34G 18G 13G 57% /var <Indicate that "/var" is mounted from the HDD/SSD user@re0>show system storage | match " /var$" <<<No output here, it means that the Routing Engine is running from "emergency /var">PR1112580 • Junos OS Series now checks ifl information under the ae interface and prints only if it is part of it PR1114110 • Sometimes IQ2 PIC connection with kernel may drop after FEB redundancy switchover under N:1 scenario, which will cause packets to drop on this PIC. PR1120097 • When using Ethernet OAM Connectivity Fault Management (CFM), the CFM process (CFMD) may crash in either of the following scenarios, - Scenario 1 When CFMD is Copyright © 2016, Juniper Networks, Inc. 183 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion restarted or GRES. There is no specific defined configuration which could cause this crash, but normally this would be seen with VPLS or Bridge domain with multiple Mesh-groups. The crash happens rarely in this scenario. - Scenario 2 When configuring 2 interfaces in the same bridge-domain (BD) or routing-instance, and both interfaces have maintenance association end point (MEP) configuration along with action-profile enabled. Also there is no maintenance association intermediate point (MIP) configuration on that BD or routing-instance. The crash might be seen with the above configurations and when one of the interfaces is flapped or deleted and then re-created. In addition, in this scenario, this issue may not happen always as this depends on the ordering of kernel event. PR1120387 • On Junos OS platforms, an aggregateEthernet bundle having more than one member link can show incorrect speed which wouldn't match to the total aggregate bandwidth of all member links. The issue is seen when LFM is enabled on the aggregateEthernet bundle. The issue is triggered when one of the member link flaps. Although after the flap, the current master Routing Engine will show correct aggregate speed, the backup Routing Engine will report an incorrect value. In this state, when Routing Engine mastership is switched, the new master Routing Engine (which was backup) will show a value. One of the side effects of this issue is that RSVP also reflects incorrect bandwidth availability for the affected aggregateEthernet bundle, this can cause under-utilization of the link with LSP having bandwidth constraints. PR1121631 • Since a bug which was introduced in Junos OS Release 15.1R1, loopback sub-interfaces always have a Flag down in the output of the CLI command "show interfaces". PR1123618 • The connectivity fault management (CFM) log message "Adjacency up" should only be logged when the router first detects a remote MEP or the peer interface goes down and up causing adjacency failure for this remote MEP. Now it is wrongly logged when any peer sets/clears the Remote defect indication (RDI) bit in continuity check messages (CCMs). PR1125164 • With incomplete cfmd configuration, for example, only MD (maintenance-domain) configured and no MA (maintenance-association) configured, or MD and MA configured but no MEP configured, SNMP walk in CFM MD table results in infinite loop and process cfmd is spinning at around 90% CPU. PR1129652 J-Web • Junos: Multiple vulnerabilities in J-Web (CVE-2016-1261); Refer to https://kb.juniper.net/JSA10723 for more information. PR1082543 • Junos: Multiple vulnerabilities in J-Web (CVE-2016-1261); Refer to https://kb.juniper.net/JSA10723 for more information. PR1085428 Junos Fusion Provider Edge 184 • On a Junos Fusion Provider Edge topology, broadcast Ethernet traffic with an unknown Ethertype might generate the following log entries: fpc0 XL[0:0]_PPE 1.xss[0] ADDR Error and fpc0 XL[0:0]_PPE 1 Errors async xtxn error. PR1123040 • When configuring "chassis satellite-management" for the first time on the aggregation device (AD) in a Junos Fusion environment, one of the initialization steps by the satellite Copyright © 2016, Juniper Networks, Inc. Resolved Issues discovery and provisioning daemon (sdpd) may not complete due to a timing issue. This will affect software upgrade and conversion of satellite devices. To recover from this state, restart the sdpd daemon using the CLI command “restart satellite-discovery-provision-process”. PR1131762 • On a Junos Fusion Provider Edge topology, if you configure Junos Fusion on an MX Series aggregation device, corresponding system log messages might not be received by a remote syslog server. PR1134269 Layer 2 Features • If equipped with both MPC/MSDPC and other type of DPCs, for local switching at mesh group level, split horizon on PW interfaces won't work and could cause packets to loop back to the same PW interface. PR1084130 • In MX Series Virtual Chassis (MXVC) environments, when packets come from a interface (for example, xe-16/0/1.542) situated on one member of VC (for example, VC member 1), if the ingress Packet Forwarding Engine (for example, FPC16 PFE0, which runs hash to determine which interface it should send the packet to) decides that it should send the packet via another interface (for example, xe-4/0/1.670) situated on a different member (for example, VC member 0), it will send the frame to member 0 via the vcpintf. If xe-4/0/1.670 belongs to an AE bundle which has multiple child links, a hash needs to be run on the Packet Forwarding Engine carrying the VCP port (receiving side on member 0) to determine which one is the egress Packet Forwarding Engine within member 0 to send the packet out after vcp- intf gets the packet. This hash result should get the same result as the ingress Packet Forwarding Engine. If it is not the case, then the packet would get dropped on the Packet Forwarding Engine on member 0. PR1097973 • In a scenario that BGP-based VPLS stitching with L2circuit, with "pseudowire-status-tlv" configured under L2circuit's mesh-group, if L2circuit neighbor doesn't configure "pseudowire-status-tlv", then the status of "Negotiated PW status TLV" of VPLS connection is "NO", and the BGP-based VPLS connection cannot up even the L2circuit is up due to the fact that check of neighbor state may incorrectly based on the presence of the configuration statement. PR1108208 Layer 2 Ethernet Services • With scaled subscribers connected, restarting one of MPCs might cause subscribers to be unable to log in for about 2 mins. PR1099237 • V44 defines the next generation of Juniper Fabric using MX Series as the aggregation device (AD) and EX4300/QFX5100Â’s as the Satellite Devices (SD). When V44 port extension is in use, after switching from Master to Backup Routing Engine, the ppman daemon on the SDs may crash and not be restarted. The aggregated Ethernet (ae) bundle over v44 extended ports does not come up. PR1101266 • On MX Series platforms with Dynamic Host Configuration Protocol (DHCP) maintain subscriber feature enabled, after rebooting the FPC hosts the Demux underlying interfaces, the next-hop for some DHCP subscribers might be marked as dead in the forwarding table. When this issue occurs, execute the CLI command "clear dhcp server binding <address>" to restore. PR1118421 Copyright © 2016, Juniper Networks, Inc. 185 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • For PVSTP/VSTP protocols, when an MX Series router inter-operates with a Cisco device, due to the incompatible BPDU format (there are additional 8 bytes after the required PVID TLV in the BPDU for the Cisco device), the MX Series might drop these BPDUs. PR1120688 • In a scenario where DHCP relay is used along with Virtual Extensible Local Area Network (VXLAN), if a DHCP discover packet is received with the broadcast bit set via a VXLAN interface on the MX Series platform (which is acting as DHCP relay), the OFFER back from the DHCP server will not be forwarded back to the client over the VXLAN interface. Unicast offers (that is, DHCP offer packet with unicast bit set) over VXLAN and both broadcast and unicast offers over native VLAN interfaces work fine. PR1126909 • In some rare scenarios, the MVRP PDU might unable to be transmitted, which could cause memory leak in layer 2 control plane daemon (l2cpd), and finally results in the l2cpd process crash. PR1127146 Multiprotocol Label Switching (MPLS) 186 • In Resource Reservation Protocol (RSVP) environments, if CoS-Based Forwarding (CBF) for per LSP (that filter out traffic not related to that LSP) is configured, and either the feature fast-reroute or link-protection is used on the device, when the primary link is down (for example, turning off the laser of the link), due to some next hops of the traffic may be deleted or reassigned to different class of traffic, and the RSVP local repair may fail to process more than 200 LSPs at one time and the traffic may get dropped by the filter on the device before the new next hop is installed. In this situation, the feature (fast reroute or link protection) may take longer (for example, 1.5 seconds) to function and the traffic loss might be seen in the meantime. In addition, the issue may not be seen if the CBF for per LSP is not configured on the device. PR1048109 • Junk characters are being displayed in output of “show connections extensive” command. PR1081678 • When an LSP is link-protected and has no-local-reversion configured, if the primary link (link1) is down and LSP on bypass (link2), then another link (link3) is brought up, before the LSP switch to link3, if link1 is enabled and link3 is disabled, the LSP will get stuck in bypass LSP forever. This is a timing issue. PR1091774 • If LDP is enabled via the 'protocols ldp' configuration option on a device running Junos OS, receipt of a spoofed, crafted LDP packet may cause the RPD routing process to crash and restart. Refer to JSA10715 for more information. PR1096835 • On dual Routing Engine platforms with GRES, the kernel synchronization process (ksyncd) may crash on the backup Routing Engine when adding a route pointing to indirect next hop on the system. PR1102724 • In Junos OS Release 13.2R1 and later, in an MPLS L3VPN scenario, when the "l3vpn-composite-nexthop" configuration statement is enabled on a PE router and an interface style service set is attached to the ingress interface, the L3VPN packets with the MPLS labels will be sent to the service card and dropped. As a workaround, disable "l3vpn-composite-nexthop". PR1109948 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • If "optimize-timer" is configured under P2MP branch LSP, this branch LSP will not be re-established if the link flaps on egress node. If "optimize-timer" is configured at the protocols/mpls level, this issue could be avoided. PR1113634 • For an MPLS L3VPN using LDP-signaled LSPs, in a rare racing condition (e.g., large-scale environment or Routing Engine CPU utilization is high), the rpd process might crash after an LDP neighbor go down. PR1115004 • On MX Series router with FPC, when MPLS-labled fragmented IPv6 packets arriving at PE router (usually seen in 6PE and 6VPE scenario), the Packet Forwarding Engine might mistakenly detect such IPv6 headers and then drop these packets as "L3 incompletes" in the output of "show interface extensive". PR1117064 • When multipoint LDP (M-LDP) in-band signaling is enabled to carry multicast traffic across an existing IP/MPLS backbone and routing process is enabled to use 64-bit mode, the rpd might crash due to accessing uninitialized local variables. PR1118459 Network Management and Monitoring • The SNMPv3 message header has a 4-byte msgID filed, which should be in (0....2147483647), when the snmpd process has been running for a long time, the msgID might cross the RFC defined range and cause Net-SNMP errors, "Received bad msgID". PR1123832 • In Junos OS Release 14.1R1, SNMP informs are not sent out to the network management system (NMS) when significant events occur on a device running Junos OS. As a workaround, we can configure an dummy trap-group. PR1127734 Platform and Infrastructure • On MX Series-based line cards, when GRE keepalive packets are received on a Packet Forwarding Engine that is different from the tunnel interface hosted, the keepalive message will apply the firewall filter configured on the default instance loopback interface. PR934654 • Bad UDP checksum for incoming DHCPv6 packets as shown in monitor traffic interface output. The UDP packet processing is normal; this is a monitor traffic issue as system decodes checksum=0000. PR948058 • In the dual Routing Engines scenario with NSR configuration, the configuration statement "groups re0 interfaces fxp0 unit 0" is configured. If you disable interface fxp0, the backup Routing Engine is unable to proceed with commit processing due to SIGHUP not received, the rpd process on the backup Routing Engine might crash. PR974430 • Junos: Multiple vulnerabilities in cURL and libcurl; Refer to https://kb.juniper.net/JSA10743 for more information. PR1068204 • On Trio based platform, when delete/deactivate configuration of AE interfaces, FPC might crash due to de-referencing a NULL logical interface pointer. PR1069411 • Junos: Manipulating TCP timestamps can lead to resource exhaustion denial of service (CVE-2016-1269); Refer to https://kb.juniper.net/JSA10736 for more information. PR1073571 Copyright © 2016, Juniper Networks, Inc. 187 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 188 • On MX Series-based platforms, when learning the MAC address from the pseudo-IFL (for example, label-switched interface), if the MAC address is aged out in the source FPC where the MAC got learned, due to the delay (around 2 to 3 milliseconds) of MAC address deleting message processed in the source FPC and the egress FPC (destination FPC of the traffic), the MAC address might be deleted first from the egress Packet Forwarding Engine but get added again during these 2-3 millisecond time intervals. (As there is continuous traffic coming on the egress FPC destined to this MAC, the MAC query is generated and sent to the Routing Engine and source FPC. Since the source FPC has not yet processed the MAC-deleted message, it sends the response, so stale MAC will get added on the egress Packet Forwarding Engine.) In this situation, no L2 flooding would occur for the "unknown" unicast (since the MAC address is present on the egress Packet Forwarding Engine). PR1081881 • If there are scaling unicast routes (e.g., 500k) in NG-MVPN VRF, and the provider-tunnel is PIM, when PIM on PE has multiple upstream neighbors and any of them could be its rpf neighbor, performing GRES/NSR Routing Engine switchover might cause multicast traffic loss due to the different view of the rpf neighbor between the master Routing Engine and the slave Routing Engine. PR1087795 • Issue is specific to 64bbit RPD and config-groups wildcard config specific as in below case: set groups TEST routing-instances <*> routing-options multicast forwarding-cache family inet threshold suppress 200 set routing-instances vrf1 apply-groups TEST set routing-instances vrf1 routing-options multicast forwarding-cache family inet threshold suppress 600. With this daemon(rpd) reads suppressed value ?200? (i.e., coming from groups) instead of reading value ?600?from foreground and customer sees unexpected behavior with respect to threshold-suppress. Workaround: Replace the wildcard with actual routing-instance name as in this example: set groups TEST routing-instances vrf1 routing-options multicast forwarding-cache family inet threshold suppress 200 set routing-instances vrf1 apply-groups TEST set routing-instances vrf1 routing-options multicast forwarding-cache family inet threshold suppress 600 PR1089994 • On MX Series routers, if ifl (logical interface) is configured with VID of 0 and parent ifd (physical interface) with native-vlan-id of 0, when sending L2 traffic received on the ifl to the Routing Engine, the VID 0 will not be imposed, causing the frames to get dropped at the Routing Engine. PR1090718 • When a P2MP LSP is added or deleted at ingress LSR, traffic loss is seen to the existing sub-LSP(s) at the transit LSR which replicates and forwards packet to egress PEs. This issue only affects Junos OS-based line cards with MPCs/MICs. PR1097806 • The "shared-bandwidth-policer" configuration statement is used to enable configuration of interface-specific policers applied on an aggregated Ethernet bundle to match the effective bandwidth and burst-size to user-configured values. This feature is broken from Junos Release 14.1R1 when "enhanced-ip" is configured on MX Series platforms with pure MPCs/MICsbased line cards. The bandwidth/burst-size of policers attached to aggregated Ethernet interfaces are not dynamically updated upon member link flaps. PR1098486 • When BFD or VRRP is running on a multi LU (lookup chip) Packet Forwarding Engine (such as MPC3 or MPC4), some incoming BFD or VRRP packets might be incorrectly evaluated by a firewall filter configured on a loopback interface of a different logical Copyright © 2016, Juniper Networks, Inc. Resolved Issues system or routing instance. Therefore, packets might be unexpectedly discarded, leading to session/mastership flaps. PR1099608 • From Junos Release 14.1 and above, IPv6 mobility packets with Heartbeat option that the length of the mobility header (including the Ethernet encapsulation and main IPv6 header) extends beyond 128 bytes will be discarded as bad IPv6 option packets due to a logic error in packet handling. PR1100442 • Large-scaled inline BFD session (in this case, 6000 inline BFD sessions) are loaded with the minimum-interval value 50 ms. If FPC restarts, some BFD sessions might flap. PR1102116 • On an MPC3E or MPC4E or on an EX9200-2C-8XS line cards, when the flow-detection feature is enabled under the [edit system ddos-protection] hierarchy, if suspicious control flows are received, two issues might occur on the device. Issue 1: Sometimes, the suspicious control flow might not be detected on the MPC or line cards. Issue 2: Once the suspicious control flows are detected, they might never time out even if traffic flows no longer violate control parameters. PR1102997 • The following fields have been added to v10 Sampling (IPFIX) template and data packets: - SAMPLING RATE - SAMPLING INACTIVE TIMEOUT - SAMPLING ACTIVE TIMEOUT - TOTAL PACKETS EXPORTED - TOTAL FLOWS EXPORTED. PR1103251 • On T4000 platform equipped with FPC Type-5 , after performing unified ISSU, due to the fact that only 6 out of 16 temperature sensors may get initialized, the temperature reading for the line card may be shown as "Absent". PR1104240 • Any configuration or logical interface (IFL) change will introduce 160-bytes (20 bytes) memory leak on MPC heap memory when we have any type of inline sampling configured (ipfix or version 9). Only trigger of issue is the configuration of inline sampling, even without traffic being sampled. The leak is more evident in a subscriber management scenario when we have many IFL additions/deletions. Rebooting MPC in a controlled maintenance window is the only way to restore memory. PR1105644 • When "shared-bandwidth-policer" is configured with aggregate Ethernet (AE) and has more than one member link on the same Packet Forwarding Engine and the policer is configured with the "physical-interface-policer" configuration statement, if reconfiguration occurs (for example, adding/deleting new logical units, logical interface flap...), Packet Forwarding Engine may problem wrong policer during this reconfiguration process, which could ultimately lead to unexpected packet drop/loss within the referenced wrong shared policer. PR1106654 • When a filter with a policer is referenced by multiple IFLs of the same interface (A), with traffic coming into that interface A and going out from another interface B, whenever the policer is updated (for example, deactivating and activating interface A. Or adding/deleting AE legs when A is an AE interface and shared-bandwidth-policer is configured), it might be seen that there is counter statistics for the counter which is placed in the ingress direction of interface C, even though interface C is an unrelated interface which is not in the traffic path. Also FPC core dump and FPC going offline might be seen. PR1106887 • When a common scheduler is shared by multiple scheduler maps which apply to different VLANs of an aggregated Ethernet (AE) interface, if the configuration statement Copyright © 2016, Juniper Networks, Inc. 189 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion "member-link-scheduler" is configured at "scale", for some VLANs, the scheduler parameters are wrongly scaled among AE member links. As a workaround, we should explicitly configure different schedulers under the scheduler maps. PR1107013 • CVE-2015-5477 A vulnerability in ISC BIND's handling of queries for TKEY records may allow remote attackers to terminate the daemon process on an assertion failure. See http://kb.juniper.net/JSA10718. PR1108761 • DHCP End options (option 255) is missing by DHCP-relay agent (where 20 bytes DHCP options 82 inserted) for client DHCP discover message with 19 bytes padding. PR1110939 • An IPv4 filter configured to use the filter block with term that has both "from precedence" and another non 5-tuple (i.e., not port, protocol, address) will cause an XL/EA based board to reboot. Example: set firewall family inet filter FILTER fast-filter-lookup set firewall family inet filter FILTER term TERM from precedence PRECEDENCE set firewall family inet filter FILTER term TERM from tcp-established PR1112047 • When inline BFD sessions and inline J-Flow are configured on the same Packet Forwarding Engine, with the increasing of active flows (about 65k), the BFD session might flap constantly and randomly due to the outgoing BFD packets being dropped. PR1116886 • When inline static NAT translation is used, if two rules defined in two service sets are pointing to the same source-prefix or destination-prefix, changing the prefix of one of the rule and then rolling back the changes is not changing back all the pools correctly. PR1117197 190 • On Junos OS-based line cards with MPCs/MICs, the firewall filter may have some issues when matching on Authentication Header (AH) protocol. This can affect VRRP (among others) when authentication is used, and a Routing Engine (RE) firewall filter is matching on protocol AH. As a workaround, we can change the filter to match on other criteria (e.g., source or destination address). PR1118824 • Tnetd is a daemon used for internal communication between different components like Routing Engine (RE) and Packet Forwarding Engines. . It is used mainly to initialize the right server for rsh, rcp, rlogin, tftp, or bootp clients. It might crash occasionally due to the tnetd process not handling signals properly. PR1119168 • When the AC Single Phase Power Distribution Module (PDM) is installed on an MX2010 or MX2020 router running Junos OS Release 14.1 or 14.2, the system does not recognize the FRU and alarms are triggered as a result. PR1121068 • After changing an outer vlan-tags, the ifl is getting programmed with incorrect STP state (discarding), so the traffic is getting dropped. PR1121564 • With "fast-synchronize" configured, adding a new configuration-group that has configuration relevant to the rpd process and apply it and commit, then any configuration commits might cause the rpd process on the backup Routing Engine (RE) to crash. Reboot the backup Routing Engine to restore. PR1122057 • On Junos OS-based line cards with MPCs/MICs, for GRE over IPv6 packet with layer 4 length less than 8 bytes, it will be discarded by reason "L4 len too short". PR1126752 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • On MX Series platform, when fragmented packets go through the inline NAT (including source NAT, destination NAT, and twice NAT), the TCP/UDP checksum would not be correctly updated. In this situation, checksum error would occur on the remote end (inside and outside device). Non-fragmented packets would not be affected by the issue. If possible, this issue could be avoided by either of the following workarounds, * Enable "ignore-TCP/UDP-Checksum errors" at the inside or outside device which processes TCP/UDP data OR * Make sure there will not be any fragments subjected to inline NAT functionality by appropriate MTU adjustment or setting PR1128671 • Parity error at ucode location which has instruction init_xtxn_fields_drop_or_clip will lead to a LU Wedge. LU is lookup ASIC inside the Trio. The LU wedge will cause the fabric self ping to fail which will lead to a FPC reset. This is a transient HW fault, which will be repaired after the FPC reset. There is no RMA needed unless the same location continues to fail multiple times. PR1129500 • On Junos OS devices running with DHCP Relay configuration but without accounting config, and the accounting license does not exist, when the first DHCP control traffic is received, the following subscriber-accounting license grace period alarms might be triggered: alarmd[1650]: Alarm set: License color=YELLOW, class=CHASSIS, reason=License grace period for feature subscriber-accounting(30) is about to expire craftd[1592]: Minor alarm set, License grace period for feature subscriber-accounting(30) is about to expire. PR1129552 Routing Policy and Firewall Filters • On M7i/M10i with enhanced CFEB, M320 with E3-FPC, M120, and MX Series with DPC, when the flood filter is configured in a VPLS instance on the Packet Forwarding Engine, if the Packet Forwarding Engine receives a filter change (for example, FPC reboot occur and comes up), the line card may fail to program the filter. PR1099257 Routing Protocols • Support for the Pragmatic General Multicast protocol (daemon pgmd) is being phased out from Junos. In Junos OS Release 14.2, the CLI is now hidden (although the component is still there and configurable). In Junos OS Release 15.1, the code and its corresponding CLI are removed. PR936723 • For FEC 129 VPLS (also known as LDP VPLS with BGP-based autodiscovery), if abandoned VRF and VPLS instances are left after all of the other pieces of configuration are removed, and the BGP protocol is deactivated in the master instance, the rpd process might crash continuously when committing a new configuration. As a workaround, remove all the unused VRF and VPLS instances. PR1006689 • In Junos OS Release 14.1R1 or later, the rpd process might crash while executing CLI command "show isis backup spf results". PR1037114 • During NSR switchover, inline BFD transmit entries might take long time to replicate to backup RE and BFD may flap. PR1063303 • When a multicast group in protocol independent multicast (PIM) dense mode has a large number of multicast sources, the RPD process can crash after a Routing Engine switchover. PR1069805 Copyright © 2016, Juniper Networks, Inc. 191 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • There are two issues in the PR: (1) In multicast environments, incoming interface list (IIF) list has only RPF interface, designated forwarder (DF) winners are not added in the list in backup Routing Engine. (2) "Number of downstream interfaces" in “show pim join extensive” is not accounting pseudo-VXLAN interface. PR1082362 • If the command to trace ppm is issued from the FPC shell and a malformed incoming packet (required to be handled by PPM) is in the buffer, the FPC may crash. An example of such a malformed packet would be a multihop BFD packet with an incorrect length (larger than normal). PR1082878 • On large-scale BGP RIB, the advertised-prefixes counter might show the wrong value due to a timing issue. PR1084125 • In BGP environments, when configuring RIB copy of routes from primary routing table to secondary routing table (for example, by using the CLI command "import-rib [ inet.0 XX.inet.0]") and if the second route-table's instance is type "forwarding", due to the BGP routes in secondary routing table may get deleted and not correctly re-created, the routes may be gone on every commit (even commit of unrelated changes). As a workaround, for re-creating the BGP routes in secondary route table, use the CLI command "commit full" to make configuration changes. PR1093317 • When route convergence occurred, the new gateway address is not updated correctly in inline-jflow route-record table (route-record table is used by sampling), and the sampling traffic forwarding might be affected, but normal routing would be not affected. PR1097408 192 • Due to software bug, Junos OS cannot purge so called doppelganger LSP, if such LSP is received over a newly formed adjacency shortly after receiving CSNP from the same neighbor. PR1100756 • When polling SNMP OID isisPacketCounterTable 1.3.6.1.2.1.138.1.5.3, the rpd process might crash. PR1101080 • When the ISIS configuration is removed, the ISIS LSDB contents get flushed. If at the same time of this deletions process, there is an SPF execution, which is trying to access the data structures at same time when a fraction of secs after freeing its content, a routing protocol process (rpd) crash occurs. PR1103631 • A vulnerability in OpenSSH may allow a remote network-based attacker to effectively bypass restrictions on the number of authentication attempts, as defined by MaxAuthTries settings on Junos OS. This may enable brute force password attacks to gain access to the device. Background: The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. It is used not only in the base system, but also by a large number of third-party applications. Various authentication methods (UNIX, LDAP, Kerberos, etc.) are implemented in modules which are loaded and executed according to predefined, named policies. These policies are defined in /etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf, or /usr/local/etc/pam.d/<policy name>. The PAM API is a de facto industry standard which has been implemented by several parties. FreeBSD uses the OpenPAM implementation. This issue is assigned CVE-2015-5600. Refer to JSA10697 (http://kb.juniper.net/JSA10697) for more information. PR1106752 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • When the Multicast Source Discovery Protocol (MSDP) is used, if the RP itself is the First-Hop Router (FHR) (i.e., source is local), the MSDP source active (SA) messages are not getting advertised by the RP to MSDP peers after reverse-path forwarding (RPF) change (e.g., the RPF interface is changed). PR1115494 • When a logical unit of an interface is associated with a Bidirectional Forwarding Detection (BFD) session, if changing the unit number of the interface (for example, change the unit number for a running BFD session from ge-1/0/0.2071 to ge-1/0/0.285), the device may fail to change the name due to the missing check for logical interface (IFL) index change. PR1118002 • On dual Routing Engine platform, with nonstop active routing (NSR) and authentication of the Bidirectional Forwarding Detection (BFD) session enabled, BFD process (bfdd) memory leak may occur on the master Routing Engine and the process may crash periodically once it hits the memory limit (RLIMIT_DATA). The problem does not depend on the scale, but the leak will speed up with more BFD sessions (for instance 50 sessions). As a workaround, if possible, disabling BFD authentication will stop the leak. PR1127367 • When protocol MSDP is configured and then deleted, the NSR sync status for MSDP might stuck in "NotStarted", and ISSU might fail on the master Routing Engine with reason "CHASSISD_ISSU_ERROR: Daemon ISSU Abort -1(NSR sync not complete: MSDP)". PR1129003 • Deleting mvpn configuration from routing instance "delete routing-instances <instance-name> protocols mvpn" might cause routing daemon on master Routing Engine to crash. PR1141265 Services Applications • When an MX Series router configured as an LNS sends an Access-Request message to RADIUS for an LNS subscriber, the LNS now includes the Called-Station-ID-Attribute when it receives AVP 21 in the ICRQ message from the LAC. PR790035 • In the L2TP scenario with dual Routing Engines, after subscriber management infrastructure daemon (smid) is being restarted, because the delete notification to backup Routing Engine might be lost, the subscriber database (SDB) information does not synchronize between master Routing Engine and standby Routing Engine. After Routing Engine switchover is executed, the Layer 2 Tunneling Protocol daemon (jl2tpd) might crash, and new L2TP subscribers are unable to dial. PR968947 • On an L2TP access concentrator (LAC) device with more than 8K L2TP sessions up, if execute command "clear services l2tp session all" and then stop the command by using ctrl-C, the Layer 2 Tunneling Protocol process (jl2tpd) might crash. PR1009679 • When polling to jnxNatSrcNumPortInuse via SNMP MIB get, it might not be displayed correctly. PR1100696 • In Junos OS Release 13.3 and later, when configuring a /31 subnet address under a NAT pool, the adaptive services daemon (SPD) will continuously crash. PR1103237 • SIP one-way audio calls when using X-Lite SIP Softphone, in case that SIP media is switched to another media gateway through a SIP Routing Engine-Invite message. PR1112307 Copyright © 2016, Juniper Networks, Inc. 193 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In a CGNAT environment, when a service PIC is in heavy load continuously, there might be a thread yielding loop in CPUs, which will cause the CPU utilization to be high, and might cause one of the CPUs to be reset. PR1115277 • In a CGNAT scenario, when we establish simultaneous TCP connects, we need to install timers for each TCP connection/flow. Due to this bug, we ended up creating two timers for the forward and reverse flow separately. Ideally there needs to be only one timer for both the forward and reverse flow. Whenever the session was deleted due to timer expiry, the PIC crashed whenever the code tried to delete the same flow again. PR1116800 Software Installation and Upgrade • Add the "on <host> " argument to to "request system software validate" to allow validation on a remote host/Routing Engine running Junos OS. PR1066150 • In certain conditions, when /var is not mounted from a persistent filesystem, executing a Junos OS upgrade will have unexpected results. This is caused by an inexact check of whether it is running from an Emergency VAR. PR1112334 Subscriber Access Management • In scaled DHCP subscribers environment, the authd process might crash and generate a core file after clearing DHCP binding or logging out subscribers. PR1094674 • In subscriber management environment, the authentication process (authd) crash may occur. This issue is not reproduced yet, possibly, it might be seen when generating a CLI Change of Authorization (CoA) request (e.g. via CLI command "request network-access aaa subscriber add service-profile filter-service session-id 10"), then logging out the subscriber (the one with service just activated), if the management CLI session is closed before subscriber entry is reused, the crash may occur. PR1127362 VPNs • In NG-MVPN spt-only mode with a PE router acts as the rendezvous point (RP), if there are only local receivers, the unnecessary multicast traffic continuously goes to this RP and is dropped though it is not in the shortest-path tree (SPT) path from source to receiver. PR1087948 • In scenario involving pseudowire redundancy where the CE facing interface in the backup neighbor (can be non-standby, standby, or hot-standby type), if the virtual circuit (VC) is not present for the CE facing interface, the CE facing interface may go up after committing an unrelated VC interface configuration (e.g., changing description of another VC interface) even though the local pseudowire status is in a down state. PR1101886 194 • In an L2VPN or VPLS scenario with Junos OS Release 14.2R4, after executing some negative operations, e.g., deactivate/active BGP and IGP, or restart FPCs, the rpd process might crash due to a NULL pointer access in code. PR1104472 • In Internet multicast over an MPLS network by using next-generation Layer 3 VPN multicast (NG-MVPN) environment, when rib-groups are configured to use inet.2 as RPF rib for a Global Table Multicast (GTM, internet multicast) instance, the ingress PE Copyright © 2016, Juniper Networks, Inc. Resolved Issues may fail to add P-tunnel as downstream even after receiving BGP type-7 routes. In addition, this issue only affects GTM. PR1104676 • In Global Table Multicast (GTM) scenario (instance-type mpls-internet-multicast), when the GTM instance and master instance are used, if the name of the GTM instance is changed, the routing protocol process (rpd) may crash due to the usage of the incorrect routing table handle. PR1113461 Resolved Issues: 14.2R4 Class of Service (CoS) • In SNMP environments, when performing multiple walks or parallel snmpget for the same interface at the same time (for example, SNMP bulk get/walk, or SNMP polling from multiple devices) on CoS-related MIBs (jnxCos table), if the interface state changes or the request gets timed out when FPC is responding the request, a memory leak of Class-of-Service process (cosd) about 160 bytes (up to 1500 bytes) may occur, which may cause cosd to crash eventually when the limit is exceeded. PR1058915 • Starting in Junos OS Release 12.3R1, on MX Series platform configured for IP network-services (default) and with MS-DPC/Tunnel-Interface, virtual-tunnel (vt) interfaces are created automatically to support ultimate-hop-popping upon enabling "protocol rsvp". These interfaces are associated with default IP and MPLS classifiers along with MPLS re-write rule. When "protocol rsvp" is disabled/enabled or MS-DPC/FPC (with tunnel-service) restarts, the vt interfaces are deleted and re-added to the system. However, during the deletion, these interfaces are not getting released from the cosd process and this lead to a memory hold in cosd. PR1071349 • On MX Series platforms, when an aggregated Ethernet (AE) interface is in link aggregation group (LAG) Enhanced mode, after deactivating and then activating one child link of the LAG , the feature that runs on the AE interface rather than on the child link (for example, IEEE-802.1ad rewrite rule) may fail to be executed. PR1080448 • After restarting chassisd or doing an unified in-service software updgrade from Release 13.2R8.2 to 13.3R7.3 results in the following messages seen in the syslog: cosd_remove_ae_ifl_from_snmp_db ae40.0 error 2. These messages appear to be harmless with no functionality impact. PR1093090 • When performing the RE switchover without GRES enabled, due to the fact that the Class-of-Service process (cosd) may fail to delete the traffic control profile state attached to logical interface (IFL) index, the traffic-control-profile may not get programmed after the ifl index is reused by another interface. PR1099618 Forwarding and Sampling • On MX Series router with MPCs/MICs, when deleting a firewall filter and the routing instance it is attached to, in some race conditions, the filter might not be deleted and remains in resolved state indefinitely. PR937258 • The issue is seen while moving an interface from one mesh group to another. PR1077432 • In some rare cases, SNMP might get Output bytes of Local statistics instead of the Traffic statistics when retrieving Output bytes of Traffic statistics on a logical interface. PR1083246 Copyright © 2016, Juniper Networks, Inc. 195 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In rare cases, SSH or telnet traffic might hit incorrect filter related to SCU (Source Class Usage) due to the defect in kernel filter match; this issue comes when the filter has match condition on source class ID. PR1089382 • In rare cases, MX Series routers might crash while committing inline sampling-related configuration for INET6 family only. PR1091435 • In PTX Series Carrier-Grade Service Engine (CSE) jflow solution environment, because the sampling process (sampled) may get into a continuous loop when handling asynchronous event (for example, aggregated tethered services interface flapping, or route update, or IFL/IFD update), the sampled may never come out of that loop which may result in high CPU usage (up to 90 % sometimes). Because, sampled is not able to consume any states (such as route updates, interface updates) generated by kernel and this results in memory exhaustion, finally resulting in the router not making any updates and forcing a router reboot. PR1092684 General Routing 196 • Changing the static route configuration from next-hop to qualified-next-hop might result in static route getting missed from the routing table. Restarting routing process can bring back the routes but with the rpd will crash. PR827727 • On dual Routing Engine platforms, after performing unified graceful Routing Engine switchover (GRES) with 8K subscribers, the ksyncd process may crash due to the replication error on a next-hop change operation. The issue is hit when there's a memory pressure condition on the Routing Engine and in that case, it may lead to null pointer de-reference and ksyncd crash. Or in some cases, the kernel on the new master Routing Engine might crash after Routing Engine switchover if the Engine is under memory pressure due to missing null check when trying to add a next hop and the next hop is not found at the time. PR942524 • Optics lane#3 and lane#4 TX, RX power alarm data was ignored but the lane#1 and lane#2 data was used for lane#3 and lane#4, respectively. This causes incorrect/false alarm on lane#3 and lane#4. PR1001670 • When there are no services configured, datapath-traced daemon is not running. In the PIC, the plugin continues to try for the connection and continuous connection failure logs are seen. PR1003714 • On MPC5, MPC6, MIC6-10G, and MIC6-100G line cards, in order to increase the resiliency of the system, changes have been made to monitor board voltage levels and ASIC currents periodically against the expected values, and update current threshold values as per updated values provided by HW group. PR1004431 • Link flapping might cause data traffic corruption. On T-series platform running Junos OS 12.3R7, 13.1R4, 13.2R4-S1, 13.2R5, 13.3R2, 14.1R1, and later release and with FPC1/2/3/4-ES linecard installed, in rare cases, link flapping might lead to "IP - Pkt Len Mismatch error" followed by FPC reboot. PR1013522 • SNMP MIB walk of object "jnxSpSvcSet" gives hardcoded value as "EXT-PKG" for SvcType. PR1017017 • With Multiservices MPCs (MS-MPCs) or Multiservices MICs (MS-MICs) installed on MX Series platforms, when trying to view the Network Address Translation (NAT) Copyright © 2016, Juniper Networks, Inc. Resolved Issues mappings for address pooling paired (APP) and/or Endpoint Independent Mapping (EIM) from a particular private or a public IP address, all the mappings will be displayed. PR1019739 • On the Type 5 PIC, when the "hold-time down" of the interface is configured less than 2 seconds and the loss of signal (LOS) is set and cleared repeatedly in a short period (for example, performing ring path switchover within 50 ms), the "hold-time down" may fail to keep the interface in "up" state within the configured time period. PR1032272 • On a Virtual Chassis topology with SNMP enabled, the system might not send an SNMP traps (jnxVccpPortUp/jnxVccpPortDown) when the VCP up/down events occurring. PR1033723 • In an MX Series Virtual Chassis (MXVC) environment, if the VC-ports are configured on MPC2E-3D-NG, MPC2E-3D-NG-Q, MPC3E-3D-NG, and MPC3E-3D-NG-Q line cards for which is installed the corresponding Junos OS continuity package (Junos OS Continuity package is a feature that allows new hardware to be deployed on already shipping releases), the Virtual Chassis Port (VCP) ports are getting oscillated and the MPC is crashing MPC2E-3D-NG, MPC2E-3D-NG-Q, MPC3E-3D-NG, and MPC3E-3D-NG-Q line cards that are not supported on MX-VC in Junos OS Release 14.2R3. PR1034420 • FX sfp is supported on 20x1Ge -E/-EH mics in this release. PR1038923 • Queue stats on LSQ interfaces are not properly cleaned up when queuing is enabled on the IFD and the queues hosted at IFD level. This happens with a subsequent delete and create of LSQ interface (not always though) - 14.1R4.10. PR1044340 • The following message is generated every 5 second in MX104 on 14.2R1~R3 and 15.1R1. xxx chassisd[1362]: Cannot read hw.chassis.startup_time: No such file or directory .. PR1049015 • On all Junos based platforms, there are two different types of memory blocks that might be leaked. The first issue is rpd-trace memory block leak. There is one block each for any trace files opened for rpd. They could be leaked for each time a configuration commit is done. Around 40 bytes are leaked per operation. The issue does not occur in Junos OS Release prior to 14.1. The second issue is rt_parse_memory block leak which could happen during the configuration of aggregate routes, configuration information might not be freed. Around 16384 bytes are leaked per operation. This issue is a day-1 issue. PR1052614 • As a precautionary measure, a periodic sanity check is added to the FPC situated on M7i/M10i with enhanced CFEB, M320 with E3-FPC, M120 and MX Series with DPC. It checks FPC error conditions and performs the appropriate actions in case of an error. PR1056161 • On MX Series routers, the interrupt-driven basis link down detection (an interrupt-driven link-down notification is generated to trigger locally attached systems to declare the interface down within a few milliseconds of failure) may fail after performing unified in-service software upgrade (ISSU). The interrupt might have been prevented after performing unified ISSU due to disabling the interrupt registers before unified ISSU, but never restored after. PR1059098 Copyright © 2016, Juniper Networks, Inc. 197 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • When a route points to an aggregated multiservices (AMS) logical interface, then after manually bouncing this logical interface by disabling it and then enabling it again, the aggregate next-hop referred by that route will have the child unicast next hop pointing to the .discard.0 interface instead of member interface (mams) interfaces. As a result, traffic ingress on MPC card and routed to that route will be discarded. PR1065944 • When setting the syslog to debug level (any any), you may note reoccurring messages of the form "ifa for this rt ia is not present, consider ifa as ready". These messages are logged for IPv6 enabled interfaces when receiving forwarded packets and cause no harm. Set a higher debug level to avoid seeing them. PR1067484 • The static route prefers the directly connected subnet route for resolving the next hop rather than performing a longest prefix match with any other available routes. In case of longest prefix route being desired in customer deployment, it will result in traffic loss issues. Now a new configuration statement "longest-match" is introduced to enable longest prefix matching behavior when desired: set routing-options static route <destination-prefix> next-hop <address> resolve longest-match. PR1068112 • With basic NAT44, when the router the receiving packets on a GRE tunnel, NAT was dropping all protocols other than PPTP on the GRE tunnel. PR1069872 • On MX Series routers with MPC based line cards in a setup involving Packet Forwarding Engine fast reroute (FRR) applications, when a BFD session flaps, the next-hop program in the Packet Forwarding Engine may get corrupted. It may lead to incorrect selection of next-hop or traffic blackhole. PR1071028 • Higher baseline CPU utilization and periodic CPU spikes might be seen on XM-based MPC as compared to MPC-3D-16XGE-SFPP cards due to the following reasons: On XM-based MPC, low priority threads which monitor various things in the background on a periodic basis such as voltage, temperature, stats counters, hardware status, and so on exist. When the system is idle, these threads are allowed to take more of the load and that is why higher baseline CPU/CPU spikes are seen. This does not prevent other higher priority threads from running when they have to, as these are non-critical activities being done in the background and hence this is a non-impacting issue. PR1071408 198 • The dfwd process might crash when kernel messages for objects such as IFL or IFF are sent to the dfwd process soon after its dynamic profile delete request. This is a race condition. PR1074068 • For Network Address Translation (NAT), Traffic Detection Function (TDF), or IPsec service configured on MX Series platforms with MS-MPC/MS-MIC, the received fragmented IPv4/IPv6 packets will be re-assembled and sent out. Under a scaled environment, the mspmand process might crash while MS-MPC/MS-MIC is under process of assembling the fragmented packets. PR1075454 • Traffic throughput test between the MPC1/1E/2/2E card and MPC2E/3E NG card, the flowing from MPC1/1E/2/2E card to MPC2E/3E NG card is lesser than from MPC2E/3E NG card to MPC1/1E/2/2E card. PR1076009 • When a router with AMS infrastructure has MAC flow control enabled, the continuous fragmented packets might crash the NPU and mspmand process (which manages the Multi-Services PIC). PR1076033 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Vendor provided the fix, which includes conditional check PR1076369 • On MX Series router, the CLI command “set interfaces interface-name speed auto-10m-100m” is not supported. PR1077020 • The license-check process may consume more CPU utilization. This is due to a few features trying to register with the license-check daemon which license-check would not be able to handle properly and result in high CPU on Routing Engine (RE). Optimization is done through this fix to handle the situation gracefully so that high CPU will not occur. PR1077976 • Starting from Junos OS Release 14.1R1, if the hidden configuration statement "layer-4 validity-check" is configured, the Layer4 hashing will be disabled for fragmented IP traffic. Due to a defect, the multicast MAC rewrite is skipped in this case, the fragmented multicast packets will be sent with an incorrect destination MAC. PR1079219 • In a subscriber management environment, the PPP daemon (jpppd) might crash repeatedly due to a memory double-free issue. PR1079511 • On MX Series platforms with MS-MPC/MS-MIC, in some mspmand process crash scenarios, after the mspmand coredump is finished or almost finished, PIC kernel also crashes and dumps vmcore. The mspmand cores in these scenario are readable but vmcores are not. PR1081265 • This may be a false log message - the risk of false log is minor, however, the underlying error, e.g., continuous fi recorder timeout, may impact traffic and can be major. When the specific log message is observed in the message file, please advise customer to investigate if there are continuous fabric errors, such as late cell, cell timeout, etc, on the reporting line card and recover those errors first. PR1081771 • MPC is showing the below log messages and will generate core as the logic for clearing references to JNH memory pools that have been discarded did not handle those in Bulk DMEM. jnh_private_mem_pool_free(898): No private mem_pool for 0x00300000/00100000 PR1081855 • When a MX Series chassis network-services is "enhanced-ip" and an AE is part of a Layer 2 bridge (bridge-domain or VPLS), there is a possibility that an incorrect forwarding path may be installed causing traffic loss. This could happen when first applying the configuration, restarting the system or restarting the line card. PR1081999 • In multi-homing and signal active EVPN scenario, if IRB interface is included in the instance, when the DF-CE link flaps, due to a timing issue, the DF might send L3 EVPN routes with label 0 to remote PEs, causing traffic to be dropped at remote PE. PR1082287 • “show interfaces queue <ifl>“ stats are not correct with RLSQ warm-standby mode. Issue seen on MPCs and MICs as well in 14.1R4.10. PR1082417 • On PTX platform, the FPC may crash when the interface goes down (e.g. disabling the interface or interface flap occurs) due to failure during CNH NH change (composite next hop, e.g. created in P2MP LSP scenario). Based on the current observation, the probability of the issue might be low. PR1082429 Copyright © 2016, Juniper Networks, Inc. 199 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 200 • OTN based SNMP traps such as jnxFruNotifOperStatus and jnxIfOtnNotificationOperStatus are raised by offline/online MIC although no OTN interface is provisioned. PR1084602 • Invalid Ethernet Synchronization (ESMC) frames may be transmitted by the MX Series router when activating LAG and tag-protocol-id under interfaces. PR1084606 • On a device with lt and ams interfaces configured, walking ifOutOctets or other similiar OID's may cause a "if_pfe_ams_ifdstat" message to print. This is a cosmetic debug-level entry, which was incorrectly set to critical-level. PR1085926 • In some rare conditions, depending on the order in which configuration steps were performed or the order in which hardware modules were inserted or activated, if PTP master and PTP slave are configured on different MPCs on the MX Series router acting as BC, it might happen that the clock is not properly propagated between MPCs. This PR fixes this issue. PR1085994 • MACsec using static secure association key (SAK) security mode does not work properly on MX80 routers and FPC slots other than slot 0 of MX104 routers. PR1086117 • mspmand core is observed while taking ms-mic offline with IPsec and J-Flow configured on same ms-mic with dynamic IPsec tunnels. PR1086819 • If the ALG is receiving UDP fragmented control traffic (e.g., SIP control packets) continuously, the mspmand process (which manages the service PIC) might crash due to buffer error. PR1087012 • In the specific configuration of an LT interface in a VPLS instance and the peer-unit of this LT interface configured with family inet6 using vrrp, the kernel may crash when the FPC is online. PR1087379 • In the dual Routing Engines scenario with GRES and ae0 interfaces configured, if GRES is disabled on the system, the backup Routing Engine should remove the ae0 bundle. However, it does not and ae0 remains in the backup Routing Engine. After switching Routing Engine mastership to make the other Routing Engine as master, the new master Routing Engine (which was backup earlier) continues to use the invalid MAC address "00:00:00:00:00:00". PR1089946 • On PTX platforms, some non-fatal interrupts (for example, CM cache or AQD interrupts) are logged as fatal interrupts. The following log messages will be shown on CM parity interrupt: fpc0 TQCHIP 0: CM parity Fatal interrupt,Interrupt status:0x10 fpc0 CMSNG: Fatal ASIC error, chip TQ fpc0 TQCHIP 0: CM cache parity Fatal interrupt has occurred 181 time(s) in 180010 msecs TQCHIP 0: CM cache parity Fatal interrupt has occurred 181 time(s) in 180005 msecs PR1089955 • Incorrect ESH checksum computation with non-Zero Ethernet padding in the Junos MX Series router. PR1091396 • The mspmand process might crash due to prolonged flow-control with TCP ALGs under the following possible scenario, mostly when the following conditions happen together. 1. When the system is overloaded with TCP ALG Traffic 2. There are lots of retransmissions and reordered packets PR1092655 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • When the control path is busy/stuck for service PIC, the AMS member interface hoisted by it might be down, but when the busy/stuck condition is cleared, the member interface might not recover, and AMS bundle still shows the PIC as inactive. PR1093460 • On TCP ALG, if there are a lot of retransmissions and reordered TCP packets, and the system is overloaded due to the TCP traffic, the mspmand (which manages the service PIC) process might crash. PR1093788 • There are entries for PEM in jnxFruEntry in VMX. It is not necessary and is cosmetic. PR1094888 • Extensive header integrity checks will be done for packets that match a service set that has NAT/SFW configured. 1. Enable header integrity checks by default when SFW or NAT is configured in same service set. This is inline with ukernel behavior. 2. Retain the configuration statement for use by other plugins such as IPsec which may want to enforce header integrity if needed. 3. Ensure that the command "show services service-sets statistics integrity-drops" works if SFW/NAT is configured. PR1095290 • If a service-PIC is configured to simultaneously function as both an MS interface and as a member of an AMS interface, then some settings under services-options may not apply correctly. These settings are A) syslog_rate_limit, B) fragment-limit, C) reassembly-timeout, and D) jflow_log_rate_limit. PR1096368 • On Junos OS-based platform, when the type of the IPv6 traffic is non-TCP or non-UDP (for example, next header field is GRE or No Next Header for IPv6), if the traffic rate is high (for instance, higher than 3.5 Mpps), the packet re-ordering may occur. PR1098776 • On MX Series-based line cards, when the prefix-length is modified from higher value to lower value for an existing prefix-action, heap gets corrupted. Due to this corruption, the FPC might crash anytime when further configurations are added/deleted. The following operations might be considered as a workaround: Step 1. Delete the existing prefix-action and commit Step 2. Then re-create the prefix-action with newer prefix-length PR1098870 • Non-queuing MPC5E and MPC6E might crash continuously if rate-limit under transmit-rate for scheduler is applied. As a workaround, do not configure rate-limit and use firewall policer for forwarding-class instead. MPC5EQ is not exposed. PR1104495 • Due to a software defect found in 13.3R7.3 and 14.1R5.4 inclusively, Juniper Networks strongly discourages the use of Junos OS Release 13.3R7.3 on routers with MQ-based MPCs. This includes MX-Series with MPC1, MPC2 and all mid-range MX-Series routers. PR1108826 Copyright © 2016, Juniper Networks, Inc. 201 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Infrastructure • When "show version detail" cli command has been executed, it will call a separate gstatd process with parameter "-vvX". Because the gstatd could not recognize these parameters, it will run once without any parameter then exit. In result of "show version detail", following information could be seen: user@hostA> show version detail Hostname: hostA Model: mx960 Junos: 13.3R6-S3 JUNOS Base OS boot [13.3R6-S3] JUNOS Base OS Software Suite [13.3R6-S3] .. <snipped> file: illegal option -- v usage: gstatd [-N] gstatd: illegal option -- v usage: gstatd [-N] <snipped> At the same time, log lines like following might be recorded in syslog: file: gstatd is starting. file: re-initializing gstatd mgd[14304]: UI_CHILD_START: Starting child '/usr/sbin/gstatd' gstatd: gstatd is starting. gstatd: re-initializing gstatd gstatd: Monitoring ad2 gstatd: switchover enabled gstatd: read threshold = 1000.00 gstatd: write threshold = 1000.00 gstatd: sampling interval = 1 gstatd: averaged over = 30 mx960 mgd[14304]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/gstatd', PID 14363, status 0x4000 mgd[14304]: UI_CHILD_EXITED: Child exited: PID 14363, status 64, command '/usr/sbin/gstatd' PR1078702 Interfaces and Chassis • Power-off by pushing the Offline button on the master Routing Engine causes lots of packets to be although GRES/NSR is configured. FPC gets rebooted after Routing Engine switchover, which also causes traffic loss. PR1034164 • Configuring ODU FRR on 2x100G DWDM under otn-options could result in an FPC core.PR1038551 • The "show chassis network-services" command might not show the correct configured value when executed on the backup Routing Engine. This command should only be executed on the master Routing Engine. PR1054915 • On DPC only chassis, after software upgrade or not graceful Routing Engine switchover, Ethernet OAM related LAG bundles might not come up due to the Link Fault Management (LFM) packets arriving on the AE interface instead of the physical link interface. PR1054922 • There is a mismatch in mac statistics, where few frames go unaccounted. This is a day-1 issue with the software fetching of mac statistics, the snap and clear bits wereset together on pm3393 chip driver software, so even before the copy of stats to shadow registers happened, clear was happening which used to go unaccounted. PR1056232 • On M120 router with scaled configuration, when restarting an FPC, the chassis management daemon (chassisd) might crash if it didn't get FPC offline ACK from one of the FEBs in time. PR1059475 • When the Maximum Receive Unit (MRU) value is not set under group-profile ppp-options hierarchy, a default value (1492) will be used. If MRU value is set, the new value will take effect. But if the configured MRU value is deleted from the group profile, the MRU value remains the configured one and fails to fall back to the default one. PR1059720 • 202 For transit traffic on INLINE LSQ redundancy (rlsq) interface, the input firewall-filter counters are logging zero packet count regardless of traffic flow. Output filter counters Copyright © 2016, Juniper Networks, Inc. Resolved Issues are logging correctly. For host-bound traffic, the firewall output counter will get double accounted on Classical rlsq and triple accounted on INLINE rlsq. This issue is targeted to be fixed in Junos OS Release 14.1R5. PR1060659 • In scaling PPP subscriber environment, when the device is under a high load condition (for example, high CPU utilization with 90% and above), the long delay in session timeout may occur. In this situation, the device may fail to terminate the subscriber session (PPP or PPPoE) immediately after three Link Control Protocol (LCP) keepalive packets are missed. As a result, subscriber fails in reconnect due to old PPP session, and corresponding Access-Internal routes are still active for some time. In addition to this, it is observed that the server is still sending KA packets after the session timed out. PR1060704 • On MX Series routers, INET MTU (PPP payload MTU, that is IP header plus data excluding any L2 overhead) is being set to lowest MRU of either MX (local device) or peer. This behavior is not inline with ERX behavior, which is set to min (local MTU, peer MRU). This might cause the packet drops in the customer network in the downstream path. PR1061155 • When adding new VCP port MX-VC, some of traffic drops are seen. PR1067111 • When the Ethernet Link Fault Management (LFM) action profile is configured, if there are some errors (refer to the configuration, for example, frame errors or symbol errors) happening in the past (even a long past), due to the improper handling of error stats fetching from kernel, the LFM process (lfmd) may generate false event PDUs and send the false alarm to the peer device. PR1077778 • On MX Series Virtual Chassis (MX-VC) platforms, due to a timing issue, the physical interface (ifd) on the same Modular Interface Card (MIC) with Virtual Chassis port (VCP) might not be created or take a very long time to be created after rebooting the hosted Modular Port Concentrator (MPC). PR1080032 • On MX-VC with SCB (no Enhanced SCB equipped), if the fabric redundant-mode is not explicitly configured, after rebooting whole VC, the VC-Mm will stay in Redundant mode but not Increased-bandwidth mode. PR1080301 • MAX-ACCESS value has been changed in jnx-otn.mib for the following oids: jnxOtnIntervalOdu15minIntervalNumber, jnxOtnIntervalOtu15minIntervalNumber, jnxOtnIntervalOtuFec15minIntervalNumber. The value has been changed from read-only to not-accessible to be inline with newer MIBs. PR1080802 • In MX Series Virtual Chassis (MXVC) scenarios, during unified ISSU operation, the new master Routing Engine does not have the MXVC SCC's system MAC address. It just has its local system MAC address. The address is not replicated between local Routing Engines, and the new master Routing Engine has not yet connected to the MXVC SCC to receive it. Hence, the possibility exists to overwrite the FPC with an address that does not match the previous address. PR1084561 • The VRRP preempt hold time is not being honored during NTP time sync and system time is changed. PR1086230 • On MX Series Virtual Chassis (MX-VC) platform swith "subscriber-management" enabled, after power up/reboot, the VC backup router (VC-B) experiences a rapid sequence of role transitions from no-role to VC master router (VC-M) to VC-B and the Copyright © 2016, Juniper Networks, Inc. 203 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion expected local GRES and a reboot of the former master Routing Engine might not happen on the VC-B, and some of the FPCs on it might be stuck in "present" state and eventually rebooted. PR1086316 • When an interface on SFPP module in MIC is set to disabled, after pulling out the SFPP and then inserting it, the remote direct connected interface might go up unexpectedly. PR1090285 • After removing a child link from AE bundle, in the output of "show interface <AE> detail", the packets count on the remaining child link spikes, then if we add the previous child link back, the count recovers to normal. PR1091425 • After configuring related ae interface config, we might find some of ae interfaces disappear in MX-VC. It seemed that ae interfaces are not allocated MAC address from chassisd properly. * This issue only happens first configuration timing after rebooting/restarting chassisd. So even if you configure related ae interface config repeatedly, you cannot find this issue. When this issue happens these message will be found in messages logs. ------------------------------------------------- lab@router_re0> show log messages| match CHASSISD_MAC_ADDRESS_AE_ERROR Jun 26 16:04:34.064 router_re0 scchassisd[2008]: CHASSISD_MAC_ADDRESS_AE_ERROR: chassisd MAC address allocation error for ae4 Jun 26 16:04:34.105 router_re0 /kernel: Jun 26 16:04:34.064 router_re0 scchassisd[2008]: CHASSISD_MAC_ADDRESS_AE_ERROR: chassisd MAC address allocation error for ae4 ------------------------------------------------- Restore ae interfaces * This is not workaround. deactivate/activate ae interfaces. (We need to do this to all disappeared ae interfaces.) PR1100731 J-Web 204 • Junos: Multiple vulnerabilities in J-Web (CVE-2016-1261); Refer to https://kb.juniper.net/JSA10723 for more information. PR1085428 • Junos: Multiple vulnerabilities in J-Web (CVE-2016-1261); Refer to https://kb.juniper.net/JSA10723 for more information. PR1085470 Copyright © 2016, Juniper Networks, Inc. Resolved Issues Layer 2 Features • In MX Series Virtual Chassis (MXVC) environment, when packets come from a interface (for example, xe-16/0/1.542) situated on one member of VC (for example, VC member 1), if the ingress Packet Forwarding Engine (for example,FPC16 PFE0,who runs hash to determine which interface it should send the packet to) decides that it should send the packet via another interface (for example, xe-4/0/1.670) situated on different member (for example, VC member 0), it will send the frame to member 0 via the vcpintf. In case of xe-4/0/1.670 belongs to an AE bundle which has multiple child links, a hash need to be run on Packet Forwarding Engine carrying the VCP port (receiving side on member 0) to determine which one is the egress Packet Forwarding Engine within member 0 to send the packet out after vcp- intf gets the packet. This hash result should get the same result as the ingress Packet Forwarding Engine. If it is not the case, then the packet would get dropped on Packet Forwarding Engine on member 0. PR1097973 Layer 2 Features • BGP peer configured between two routers over an lt (logical tunnel) interface, if deactivating and activing at scaled configuration a few times, in rare conditions, the lt interface might reject all the ARP reply packets. Hence, the ARP resolution does not happen over this interface, so the unicast routes are not in the correct states, and a ping to such an lt interface will fail. PR1059662 • With Dynamic Host Configuration Protocol (DHCP) maintain subscriber feature enabled, when the subscriber's incoming interface index is changed, for example, the interfaces go away and come back after changing the MTU configuration of interface, the existing subscribers may get dropped and new subscribers fail in connection. PR1059999 • LACP partner system ID is shown incorrectly when the AE member link is connected to a different device; which might misguide while troubleshooting the LAG issues. PR1075436 • On MX Series routers, when configuring the dynamic access routes for DHCP subscribers based on the Framed-Route RADIUS attribute, the access route may be created on the device; however, the framed routes may not be installed for subscriber interface (under the "Family Inet Source Prefixes"). PR1083871 • MTU change is not advised on the Ethernet ring protection (ERP) ring interfaces unless the ring is in idle condition. Changing ring interface MTU while a ring is not in idle state may result in change in the forwarding state of the interface, which can lead to loop in the ring. PR1083889 • When family bridge was configured and committed, l2ald repeated restarting with core. After l2ald repeated restarting several times, it stopped working due to thrashing condition. Core of l2ald will be seen with the following configuration: . set interfaces fxp0 unit 0 family bridge interface-mode access set interfaces fxp0 unit 0 family bridge vlan-id 100 When the configuration is committed, message like following is logged and core is generated. l2ald[1624]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed l2ald[1734]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed l2ald[1769]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: Copyright © 2016, Juniper Networks, Inc. 205 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion insist '!err' failed l2ald[1993]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed l2ald[2195]: ../../../../../src/junos/usr.sbin/l2ald/l2ald_vpls_flood.c:3117: insist '!err' failed ... init: l2-learning is thrashing, not restarted PR1089358 • During interface flaps, a high amount of TCN (Topology Change Notification) might get propagated, causing other switches to get behind due to a high amount of TCN flooding. This problem is visible after the changes done in Release 11.4R8 onwards which propagates TCN BPDU immediately and not in the pace of the 2-second BPDU Hello interval to speed up topology change propagation. The root cause is the TCNWHILE timer of 4 seconds is always reset upon receiving TCN notifications, causing the high churn TCN propagation. PR1089580 • V44 defines the next generation of Juniper Network Fabric using MX Series router as the aggregation device (AD) and EX4300/QFX5100Â’s as the Satellite Devices (SD). When V44 port extension is in use, after switching from master to backup Routing Engine, the ppman daemon on the SDs may crash and not be restarted. It results in the aggregated Ethernet (ae) bundle over v44 extended ports not to come up. PR1101266 MPLS • LDP is not distributing a label for BGP FEC/prefix to downstream on demand (DoD) sessions when Forwarding Equivalence Class (FEC)/prefix learned this from IBGP peer to whom ldp-tunneling is configured. PR1049329 • With the BGP prefix-independent convergence (PIC) edge feature enabled, more than one BGP next-hop association will be installed in the Packet Forwarding Engine for MPLS VPN and Internet transit traffic. Deactiving/activating the IGP protocol (IS-IS or OSPF) might cause the backup session to stay down on the Packet Forwarding Engine. PR1058190 • LDP peer will not advertise all labels to downstream LDP neighbor/s on rare occasions. PR1058694 206 • With BGP labeled-unicast egress protection enabled in a Layer 3 VPN, the protected node advertises primary BGP labeled unicast routes that needs protection. When there is next-hop change for a labeled route, for example, deactivating/activating egress-protection configuration statement or route churn, the memory might be exhausted which leads to the rpd process crash. PR1061840 • The point-to-multipoint (P2MP) label-switched path (LSP) is unable to be re-establish after certain links are down. This issue might be encountered when the links contain the primary and backup LSPs for the P2MP LSP. The P2MP LSP can be restored after the links are up. PR1064710 • When CSPF computes the path for node-protected bypass, it considers only the SRLG group configured on the next-hop interface along the primary path. However it doesn't consider the SRLG group on the next-to-next-hop interface to adequately provide a diverse path between primary and node-protected bypass. PR1068197 • In scaling l2circuits environments, the rpd process might crash due to a corruption in the LDP binding database. PR1074145 • In MPLS environment, if one of minimum-signaling-bandwidth, merging-bandwidth, splitting-bandwidth, maximum-s ignaling-bandwidth is configured, or derived as value Copyright © 2016, Juniper Networks, Inc. Resolved Issues 0, the routing protocol process (rpd) may crash when lsp-splitting or lsp-merging (for example, when the traffic comes up/down) occurs. As a workaround, due to the logic of the configuration statements, none of the following configuration statements could be configured or derived as zero: -merging-bandwidth, -minimum-signaling-bandwidth, -splitting-bandwidth, -maximum-signaling-bandwidth. PR1074472 • In race conditions, the rpd process on the backup Routing Engine might crash when BGP routes are exported into LDP by egress-policy and configuration changes during the rpd process synchronizing the state to backup rpd process. PR1077804 • On dual RE platform with GRES, the kernel synchronization process (ksyncd) may crash on the backup RE when adding of route pointing to indirect nexthop on system. PR1102724 Platform and Infrastructure • On April 22nd, 2009 FreeBSD announced that the db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PRERELEASE does not properly initialize memory for Berkeley DB 1.85 database structures, which allows local users to obtain sensitive information by reading a database file. Refer to JSA10756 for more information. PR442580 • When the Network Configuration Protocol (NETCONF) service is used on the device, after the NETCONF session is established, because all the output that contains <error> tag might be incorrectly converted into <rpc error>, the management daemon (mgd) may crash on the device. As in the following example, the output that contains the <error> tag may lead to the crash: user@re0> show subscribers address 1000 | display xml .. <error junos:style="input-error"> <<<<<< The output contains <error> tag and may trigger the crash. PR975284 • On a router with point-to-point(P2P) SONET/SDH interface, when a P2P interface is disabled, the corresponding host route might still be kept in the forwarding table, if a ping operation is performed, instead of returning message "No route to host" the message "Can't assign requested address" might be seen. PR984623 • On MX Series Virtual Chassis (MX-VC) platforms, mirroring of OAM packets may not work as expected if the OAM packet traversing through multiple Packet Forwarding Engines (for example, the mirrored port and VCP port are on separate Packet Forwarding Engines). PR1012542 • In EVPN scenarios, MPC may crash with core-dump when any interface is deleted and then add that interface to an aggregated Ethernet bundle or change the ESI mode from all-active to single-active. PR1018957 • Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-1271); Refer to https://kb.juniper.net/JSA10739 for more information. PR1019669 • LSI logical interface input packet and byte stats are also added to core logical interface stats, but when the LSI logical interface goes down and the core logical interface stats are polled, there is a dip in stats. The fix is to restore LSI logical interface stats to core logical interface before deleting the LSI logical interface. PR1020175 • Changes to the fowarding-table firewall filter list can cause an FPC/TFEB crash. The fowarding-table firewall filter list can be composed of user configured filters under the "forwarding-options" stanza but it can also contain auto-generated filters (also known Copyright © 2016, Juniper Networks, Inc. 207 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion as "internal" filters or "implicit" filters) and are needed by certain features. For example the "services traffic-load-balance" feature makes use of auto-generated fowarding-table filters and also the "forwarding-options dhcp-relay" feature makes use of auto-generated fowarding-table filters. PR1039003 • On MX Series routers with MPC3E/MPC4E/MPC5E/MPC6E if the Packet Forwarding Engine has inline NAT configured or is processing inline GRE decapsulation with packet-sizes between 100B-150B in some very corner cases, traffic blackhole might be seen due to incorrect cell packing handling. Another application exposed is Layer 2 family any output port-mirror configuration. On T4000 with FPC type 5, when these cards are processing any packets sizes between 133B-148B in certain sequences results in incorrect cell packing handling. PR1042742 • Due to a defect in the Junos OS software, when a telnet user experiences some undefined network disconnect, .perm and .env files under /var/run are left behind. This scenario happens only under certain unknown ungraceful network disconnects. When a considerable number of .perm/.env files get accumulated under /var/run, the issue is seen with telnet users who are not able to perform permitted operations on the router, post-login. PR1047609 • Under very rare situations, Packet Forwarding Engines on the following line cards, as well as the compact MX80/40/10/5 series, may stop forwarding transit traffic: 16x10GE MPC, MPC1, MPC2. This occurs due to a software defect that slowly leaks the resources necessary for packet forwarding. Interfaces handled by the Packet Forwarding Engine under duress may exhibit incrementing 'Resource errors' in consecutive output of “show interfaces extensive” output. A Packet Forwarding Engine reboot via the associated line card or chassis reload is required to correct the condition. PR1058197 • With the configuration "extend-size", if the user loads and commits the scaled configuration (in this case, 250K Unique Prefix list policy options), then deletes the configuration statement "extend-size", the dfwd process might crash. PR1058579 • If a Radius server is configured as accounting server, when it is non-reachable, the auditd process might get stressed with a huge number of audit logs to be sent to the accounting server, which might cause auditd to crash. PR1062016 • Chassisd had a software problem in FPC OFFLINE event handling code. When multiple offline events for a single FPC are coming in short period, chassisd might wrongly stop handling FPC offline process in the middle. As a result, the FPC and fabric state for that FPC will remain abnormal. This PR has resolved the problem. Now chassid will correctly continue the FPC offline process even for such condition. Resolved-In: 12.3R10 13.3R7 14.1R5 14.1X50-D100 14.2R4 15.1R1 15.1X49-D10 PR1063786 • Starting from Junos OS Release 14.2R1, the CLI command "set date ntp a.b.c.d" may not be working. PR1067107 • StartTime and EndTime of the flow in inline-jflow (version 9) has a future time stamp. PR1067307 • 208 In Junos release 13.3R6 or 14.2R3, for PPPoE subscribers over the aggregated Ethernet (ae) interface, the output of "show interface statistics <pp> detail" command shows the ingress/egress traffic statistics for the aggregate interface instead of the statistics for PP/DEMUX logical interface. PR1069242 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • With "shared-bandwidth-policer" on an aggregated Ethernet interface; if a member interface flapped, the NPC to which the interface belongs may restart. The similar issue may also happens when changing firewall policer configuration. PR1069763 • Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-1271); Refer to https://kb.juniper.net/JSA10739 for more information. PR1069867 • Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-1271); Refer to https://kb.juniper.net/JSA10739 for more information. PR1069873 • If with about 1M routes on an MX Series router, there might be more than 1-second (about 1.3s) packets dark window during unified ISSU. PR1070217 • If port-mirroring and VRRP over ae-irb are configured in a bridge-domain, enabling the Distributed Periodic Packet Management Process (ppmd) for VRRP in this BD might cause the VRRP to flap. PR1071341 • When inline-sampling is enabled, in race conditions, if a packet gets corrupted and the corrupted packet length shows 0, it may cause a "PPE_x Errors thread timeout error" and eventually cause the MPC card to crash. PR1072136 • VRRP advertisements might be dropped after enabling delegate-processing on the logical tunnel (lt) interface. It would result in a VRRP master state observed on both routers. PR1073090 • When integrated routing and bridging (IRB) interface is configured with Virtual Router Redundancy Protocol (VRRP) in Layer 2 VPLS/bridge-domain, in corner cases after interface flapping, MAC filter ff:ff:ff:ff:ff:ff is cleared from the Packet Forwarding Engine hardware MAC table, so the IRB interface may drop all packets with the destination’s MAC address FFFF:FFFF:FFFF (e.g., ARP packet). PR1073536 • In VXLAN environment, BUM traffic will be duplicated, the duplicate amount depends on how many Packet Forwarding Engines are included in that bridge domain. E.g If there?re 2 physical interfaces located in 2 different Packet Forwarding Engines in bridge domain , traffic leaving vtep will triple due to this issue. That is one copy from ingress Packet Forwarding Engine and other two copies from egress Packet Forwarding Engines where 2 physical interfaces are present. Issue is fixed on 14.1R5, 14.2R4, 15.1R2, 15.1R1 and above. PR1073778 • Problem: It tries to check allotted power for all the FPCs, here in the CHASSISD_I2CS_READBACK_ERROR logs it shows for the FPCs which are not present in chassis. It just calls i2cs_readback() to read i2c device and fails there as these FPCs? slots are blank and prints those readback errors. Also the errors are harmless: "CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC" Fix: Code to check 'if power has been allotted to this FPC', needs to be executed only if the FPC is present. PR1075643 • On this PR, It removes unwanted resolve filter log in ichip/Packet Forwarding Engine side and it was fixed since 12.3R10. PR1076563 • When an SFB on MX2020/MX2010 is experiencing a hardware issue, the SPMB might crash and cause FPC to reboot. Now with the fix, the bad Hardware issue will be handled gracefully and not crash. PR1077074 Copyright © 2016, Juniper Networks, Inc. 209 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In hierarchical class of service (H-CoS) environments, when the subscriber logs out from the reserved logical interface (ifl) ".32767" unit (for example, xe-x/x/x.32767), the CoS installation of the interface may get wrongly deleted on Packet Forwarding Engine. PR1077098 • From Junos 13.3, configuration changes like activating "fast-lookup-filter", adding or deleting "interface-specific" or any other filter property, adding or deleting any term, or changing any match condition in any term in the filter, which updates the firewall filter in a rare sequence might result in loss of DMEM and kernel memory resources or some free error messages. This issue only impacts Trio-based line card and occurs in rare cases. The following log messages might be observed from Junos 13.3 [LOG: Err] jnh_free(10040): ERROR [FW/0]:1 Paddr 0x00400000, addr 0x0, part_type 0call_stack 0x404906b4 0x418ecdbc 0x418ed2e0 0x418baca0 0x418becc8. And the following log messages might be observed from Junos 14.2 [LOG: Err] FREE ERR FW[0]: FW, 1 dw (1 blk) @ PA 0x7c63f00d addr 0x23f00d PR1077338 • Junos: Lazy race condition in RPC allows an authenticated user to improperly elevate privileges (CVE-2016-1267); Refer to https://kb.juniper.net/JSA10730 for more information. PR1078027 • On MX Series-based platforms, when learning the MAC address from the pseudo-IFL (for example, label-switched interface), if the MAC address is aged out in the source FPC where the MAC got learned, due to the delay (around 2 to 3 milliseconds) of MAC address deleting message processed in the source FPC and the egress FPC (destination FPC of the traffic), the MAC address might be deleted first from the egress Packet Forwarding Engine but get added again during these 2-3 millisecond time intervals. (As there is continuous traffic coming on the egress FPC destined to this MAC, the MAC query is generated and sent to the Routing Engine and source FPC. Since the source FPC has not yet processed the MAC-deleted message, it sends the response, so stale MAC will get added on the egress Packet Forwarding Engine.) In this situation, no L2 flooding would occur for the "unknown" unicast (since the MAC address is present on the egress Packet Forwarding Engine). PR1081881 • On Trio MPC, the log message are printed "ddos_clear_one_work_queue: can't return an item to store 4" if DDos violations for all hostbound traffic that exceed bandwiths. PR1082298 • MPC is showing the following log messages and will generate core: “jnh_private_mem_pool_free(898): No private mem_pool for 0x00300000/00100000” PR1081855 210 • When an MX Series chassis network-services is "enhanced-ip" and an AE is part of a Layer 2 bridge (bridge-domain or VPLS), there is a possibility that an incorrect forwarding path may be installed, causing traffic loss. This could happen when first applying the configuration, restarting the system, or restarting the line card. PR1081999 • LMEM is an internal memory in the LU/XL ASIC chip. It has private and shared regions for Packet Processing Engines. LMEM data errors are very rare events caused by environmental factors (this is not created by software). Due to a software defect, an error in the shared LMEM region will result in corruption of critical data structures of Packet Processing Engines that causes unpredictable communication of the LU/XL ASIC chip with the MQ/XM ASIC chip. These events will corrupt the state in MQ/XM Copyright © 2016, Juniper Networks, Inc. Resolved Issues and lead to an MQ/XM wedge. The MQ/XM wedge would cause fabric blackhole and finally reboot the line card. PR1082932 • On MX Series router with MPCs/MICs , the "RPF-loose-mode-discard" feature is not working when configured within a Virtual Router routing instance. The feature is working only when configured in the main instance. PR1084715 • In Junos OS Releases 13.3R3, 14.1R1, and 14.2R1, there is a new feature: an extra TLV term is added to accommodate the default action for the "next-interface" when the corresponding next-interface is down. While doing an unified ISSU from an image without the feature to an image with this feature, all MPCs might crash. PR1085357 • With MX Series routers with FPC, load balance hash seed will be changed after the unified ISSU. Since the hash seed value will be reverted to the original value by rebooting FPC, there would be a hash value inconsistency in the system which might introduce blackholing on multicast flavor traffic (mcast or BUM on vpls/l2-bridge). Affected versions: 12.3R7, 13.2R4-13.2R5, 13.3R2-13.3R3, 14.1R1, 14.1R3-14.1R4, and 14.2R1-14.2R3. PR1086286 • The prompt for the SSH password changed in Junos OS 13.3 Release, from "user@host's password:" to "Password:". This change breaks the logic in "JUNOS/Access/ssh.pm" which is located in /usr/local/share/perl/5.18.2/ on Ubuntu Linux, for example. PR1088033 • Junos: A race condition in the Op script Op URL option allows an authenticated remote attacker to fully compromise the system (CVE-2016-1264); Refer to https://kb.juniper.net/JSA10725 for more information. PR1088339 • On MX Series router with MPCs/MICs or T4000 FPC5, a TCP session with MS-Interface/AMS-Interface configuration is not established successfully with the "no-destination-port" or "no-source-port" configuration statements configured under the forwarding-options hierarchy level. PR1088501 • In a fib-localization scenario, IPv4 addresses configured on service PICs (SP) will not appear on FIB-remote FPCs although all local (/32) addresses should, regardless of FIB localization role, install on all Packet Forwarding Engines. There is no workaround for this and it implies that traffic destined to this address will need to transit through FIB-local FPC. PR1092627 • When an interface on an MQ-based FPC is going to link down state, in-flight packets on interface transmit path will be stuck on the interface and never drained until the interface comes up again. As a result, a small number of such stacked packets will be sent out when the interface is going to the UP state. In some cases it might also trigger Host Loopback:HOST LOOPBACK WEDGE DETECTED IN PATH ID [x] reported and traffic forwarding stopped for all interfaces belonging to this Packet Forwarding Engine. Once the interface comes back up, packet forwarding will continue for all interfaces and the Host Loopback wedge alarm gets cleared. The following FPCs are exposed to this symptom: MPC 3D 16x 10GE, MPC1 or MPC2. PR1093569 • On MX2020 or 2010 routers, an SPMB core file will be seen if there are bad XF chips (Fabric chip) on the SFB, which might trigger Routing Engine/CB switchover. PR1096455 • On MX Series routers with MPCs/MICs, when the type of the IPv6 traffic is non-TCP or non-UDP (for example, next header field is GRE or No Next Header for IPv6), if the Copyright © 2016, Juniper Networks, Inc. 211 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion traffic rate is high (for instance, higher than 3.5 Mbps), the packet re-ordering may occur. PR1098776 • On MX Series routers with MPCs/MICs,, when the prefix-length is modified from a higher value to a lower value for an existing prefix-action, heap gets corrupted. Due to this corruption, the FPC might crash anytime when further configurations are added/deleted. The following operations might be considered as a workaround: Step 1. Delete the existing prefix-action and commit, Step 2. Then re-create the prefix-action with newer prefix-length. PR1098870 • The "shared-bandwidth-policer" configuration statement is used to enable configuration of interface-specific policers applied on an aggregated Ethernet bundle to match the effective bandwidth and burst-size to user-configured values. But this feature is broken from Junos release 14.1R1 when "enhanced-ip" is configured on MX Seriesplatform with pure trio-based line cards. The bandwidth/burst-size of policers attached to Aggregated Ethernet interfaces are not dynamically updated upon member link flaps. PR1098486 • Starting in Junos OS Release 14.1 and later, IPv6 mobility packets with the Heartbeat option such that the length of the mobility header (including the Ethernet encapsulation and main IPv6 header) extends beyond 128 bytes will be discarded as bad IPv6 option packets due to a logic error in packet handling. PR1100442 • Large scaled inline BFD session (in this case, 6000 inline BFD sessions) are loaded with the minimum-interval value 50ms. If FPC restarts, some BFD sessions might flap. PR1102116 212 • When "shared-bandwidth-policer" is configured with aggregate Ethernet (AE) has more than one member link on the same Packet Forwarding Engine and the policer is configured with "physical-interface-policer" configuration statement, if reconfiguration occurs (for example, adding/deleting new logical units, logical interface flap...), Packet Forwarding Engine may problem wrong policer during this reconfiguration process, which could ultimately lead to unexpected packet drop/loss within the referenced wrong shared policer. PR1106654 • When a filter with a policer is referenced by multiple IFLs of the same interface (A), with traffic coming into that interface A and going out from another interface B, whenever the policer is updated (for example, deactivating and activating interface A. Or adding/deleting AE legs when A is an AE interface and shared-bandwidth-policer is configured), it might be seen that there is counter statistics for the counter which is placed in the ingress direction of interface C, even though interface C is an unrelated interface which is not in the traffic path. Also FPC core dump and FPC going offline might be seen. PR1106887 Copyright © 2016, Juniper Networks, Inc. Resolved Issues Routing Policy and Firewall Filters • In Class-of-Service (CoS) environments, there is a possibility (happened twice so far and not reproducible in the lab) that the routing protocol process (rpd) may crash because the CoS memory getting incorrectly freed and then allocated again. PR1062616 Routing Protocols • On M and MX Series platforms with dual RE environment, when nonstop active routing (NSR) and graceful-switchover (GRES) are enabled, during internal pressure test with GRES operations, in very rare condition, the Routing protocol daemon (rpd) might crash and a core-dump would be generated. PR1019052 • Deletion of a routing-instance may lead to a routing daemon crash. This may happen if the routing-instance's Routing Information Base (RIB) is referenced in an active policy-option configuration. As a workaround, when deactivating the routing-instance, all associated configurations using the route-table names in the routing-instance should also be deactivated. PR1057431 • In Protocol Independent Multicast (PIM) sparse mode environments, in the situation where the router is being used as the rendezvous point (RP) and also the last-hop router, when the (*,G) entry is present on the RP and a discard multicast route (for example, due to receiving multicast traffic from non-RPF interface) already exists, if the (S,G) entry is learned after receiving source-active (SA) of the Multicast Source Discovery Protocol (MSDP), the SPT cutover may fail to be triggered. There is no traffic impact as receivers still can get the traffic due to the (*,G) route. PR1073773 • In multi-topologies IS-IS scenarios, there is a huge difference between estimated free bytes and actual free bytes when generating LSP with IPv6 prefix. It might cause LSP fragment exhaustion. PR1074891 • Receipt of a crafted IGMPv3 protocol message can create a denial of service to a portion of a multicast network. This issue only affects IGMPv3. IGMPv2 is unaffected by this vulnerability. See https://kb.juniper.net/JSA10714 PR1079503 • In an MPLS L3VPN core network, enabled BGP Prefix-Independent Convergence (PIC) Edge feature on a PE router, if the same VPN route is received with different multiple exit discriminators (MEDs) via two route reflectors (RRs). When the BGP PIC evaluates those two routes, it disregards the one with the higher MED, and hence fails to build a multipath protection/backup path entry. PR1079949 • When removing scaling BGP configuration, if the BGP sessions is holding stale routes for the benefit of a restarting peer, the routing protocol process (rpd) may crash. As a workaround, the administrator may use the CLI command "show route receive-protocol bgp <peer address> extensive | match STALE" to find the existing stale routes. If no STALE route can be found out, then removing the BGP configuration is safe. PR1081460 • If a policy statement referred to a routing-table, but the corresponding routing instance is not fully configured (i.e., no instance-type), committing such configuration might cause the rpd process to crash. PR1083257 • With Multicast Source Discovery Protocol (MSDP) and nonstop active routing (NSR) configured on the Protocol Independent Multicast (PIM) sparse-mode rendezvous Copyright © 2016, Juniper Networks, Inc. 213 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion point (RP), the rpd process might permanently get stuck when multicast traffic is received shortly after Routing Engine (RE) switchover. PR1083385 • The rpd process might crash on both master and backup Routing Engines when a routing instance is deleted from the configuration, if the routing instance is cleaned up before the interface delete is received from the device control daemon (dcd). This is a rare timing issue. PR1083655 • When there are a number of secondary BGP routes in inet.0, an SNMP walk of inet.0 by the bgp4 MIB can cause a core if the corresponding primary routes are being deleted. PR1083988 • When a BGP route is leaked to a routing-instance and there is an import policy to overwrite the route preference, if damping is also configured in BGP, the BGP routes which were copied to a second table can't be deleted after routes were deleted in the master table. This is a day-1 issue. PR1090760 • When removing BGP Prefix-Independent Convergence (PIC) from the configuration, the expected behavior is that any protected path would become unprotected. But in this case, the multipath entry that contains the protection path (which is supposed to be removed) remains active, until the BGP session flaps or the route itself flaps. As a workaround, we can use the "commit full" command to correct or to commit. PR1092049 • In Junos OS Release 9.1 and later, RFC 4893 introduces two new optional transitive BGP attributes: AS4_PATH and AS4_AGGREGATOR. These new attributes are used to propagate 4-byte AS path information across BGP speakers that do not support 4-byte AS numbers. In this case, when AS4_AGGREGATOR attribute (18) is received from a 2-byte AS peer (note that AS4_AGGREGATOR attribute is only received when the aggregator has 4-byte AS, but this peer only supports 2-byte AS), NSR synchronization with the standby RE would fail, causing the session to be constantly bouncing on the standby RE (hogging CPU). PR1093615 • The rpd process might crash when resolve-vpn and rib inet.3 are configured under separate levels (BGP global, group, and peer). The fix is if anybody configures a family at a lower level, reset the state created by either of the configuration statements from higher levels. This behavior conforms with our current behavior of family configuration, which is that any configuration at a lower level is honored and the higher level configuration is reset. PR1094499 • The OpenSSL project has published a set of security advisories for vulnerabilities resolved in the OpenSSL library in June and July 2015. Junos OS is affected by one or more of these vulnerabilities. Refer to JSA10694 (http://kb.juniper.net/JSA10694) for more information. PR1095598 • When BGP routes have multiple protocol next hops, including discard/reject and other IGP next hops, the discard/reject next hop will be selected as BGP next hop, which will cause traffic loss. PR1096363 • When route convergence occurred, the new gateway address is not updated correctly in inline-jflow route-record table (route-record table is used by sampling), and the sampling traffic forwarding might be affected, but normal routing would be not affected. PR1097408 214 Copyright © 2016, Juniper Networks, Inc. Resolved Issues Services Applications • In IPsec environments, after performing the RE switchover (for example, performing graceful Routing Engine switchover) or chassis reboot (that is, whole device is powered down and powered UP again), because the key management daemon (kmd) may be launched before the RE mastership is finalized, it may stop running on the new master RE. PR863413 • The session-limit-per-prefix feature for the MX Series DS-Lite server does not take Softwire flow into account when calculating the the flow limit. PR1023439 • On M/MX/T Series routers with Multiservices 100, Multiservices 400, or Multiservices 500 PICs with "dump-on-flow-control" configured, if prolonged flow control failure occurs, the coredump file might generate failure. PR1039340 • On MX Series routers which are acting as LNS to provide tunnel endpoints, it is observed that the service interfaces are not usable if an MIC corresponding to them is not physically installed on the FPC. If only those service interfaces that belong to the removed PIC are added to service-device-pool, this results in no LNS subscribers being able to log in. Please note that once the MIC is inserted into the FPC, the features could be used. PR1063024 • Service PIC daemon (spd) might crash with core-dumps due to CGNAT pool's snmp-trap-thresholds configuration. PR1070370 • Earlier output from "show service l2tp tunnel" will not display tunnels with no sessions. This behavior have been changed, now empty tunnels are also displayed in this command. PR1071923 • In CG-NAT or stateful firewall environments, due to a null pointer check bug, the MS-DPC might crash every few hours. Note that this is a regression issue. PR1079981 • When using a Multiservices DPC (MS-DPC) for Carrier-Grade Network Address Translation (CGNAT), if in an HTTP flow, in rare condition, an IPv4 flow is treated as an IPv6 flow. However IPv6 flow objects are treated differently in the Junos Code and as a result the MS-DPC might crash due to memory allocation failure. There is no workaround, but the chances of hitting this issue is very low. PR1080749 • On Layer 2 Tunnel Protocol (L2TP) network server (LNS), during L2TP session establishment, when receiving Incoming-Call-Connected (ICCN) messages with Last Sent LCP CONFREQ Attribute Value Pair (AVP) but without Initial Received LCP CONFREQ and Last Received LCP CONFREQ AVPs, the jl2tpd process might crash. PR1082673 • In an L2TP tunnel-switching scenario, if a tunnel-switched tunnel is cleared with "clear services l2tp tunnel peer-gateway" AND an incoming ICRQ is received simultaneously from the LAC side destined for this tunnel-switched tunnel, this leads to jl2tpd crash. This defect has now been rectified. PR1088355 • On a Trivial File Transfer Protocol (TFTP) Application Layer Gateway (ALG) with NAT translation type "dynamic-nat44" configured, MS-DPC/MS-MPC/MS-MIC might crash when processing the TFTP packets. PR1091179 Copyright © 2016, Juniper Networks, Inc. 215 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • On M Series platforms, in a Layer 2 Tunneling Protocol (L2TP) network server (LNS) environment, not all attributes (Missing NAS-Identifier, NAS-Port-Type, Service-Type, Framed-Protocol attributes) within the Accounting-Request packet are sending to the RADIUS server. PR1095315 • If MS-DPC is used in a CG-NAT environment, in a very rare condition, when the MS-DPC tries to delete a NAT mapping entry (e.g., entry timeout), an error might occur and the MS-DPC might get rebooted and then dump a core file. PR1095396 • Some values of the MIB object jnxSrcNatStatsEntry might be doubled when AMS (or rsp) interface and NAT are configured together. PR1095713 User Interface and Configuration • Customer wants visibility PR1029477 VPNs • For VPLS over VPLS topology, when the VPLS payload has two labels (Customer-VPLS-label and Customer-MPLS-label), the frame might be dropped by the core-facing interface hosted on the IQ2 PIC with "L2 mismatch timeout" error. This particular scenario is fixed. But there are some other worse scenarios which might hit this issue again due to the system architecture limitation, which are not fixed but need to be avoided: * Addition of VLAN tags on service provider's or CE's VPLS payload e.g., configuring QinQ. * Addition of MPLS tags on service provider or CE's VPLS payload. * Enabling VPLS payload load balancing on service provider's PE router. PR1038103 • With NSR, RPD on backup Routing Engine may crash and generate a memory dump when attempting to allocate an MPLS label for L2circuit. This can happen, for example, after configuring new l2circuit on a busy system. PR1068399 • On a dual Routing Engine, if the MVPN protocol itself is not configured, and nonstop routing is enabled, the show command "show task replication" on the master Routing Engine will list the MVPN protocol even though it is not configured. Other than the misleading show output which may be slightly confusing to the user/customer, there is no functional impact due to this issue. There is no workaround available. PR1078305 Resolved Issues: 14.2R3 Class of Service (CoS) 216 • For an ATM interface configured with hierarchical scheduling, when a traffic-control-profile attached at the ifd (physical interface) level and another output traffic-control-profile at the ifl (logical interface) level, flapping the interface might crash the FPC. PR1000952 • This error message "only per-unit and 2-level hierarchical scheduler are supported on this interface" is a cosmetic regression issue without any functional impact. PR1050512 • Forwarding class accounting stops working after Routing Engine switchover , this behavior has been corrected in 13.3X2 ,13.3R7,14.1R5,14.2R3,13.3R6 and 15.1 . Issue comes when MPC reboots for any reason with forwarding-class-accounting configured on AE/AS interface. In forwarding-class-accounting feature, counters are allocated based on number of forwarding classes configured in MPC. In error case on MPC reboot, AE Copyright © 2016, Juniper Networks, Inc. Resolved Issues interface is getting created before the message for configuring number of forwarding classes in MPC comes. As a result while enabling forwarding-class-accounting feature on AE interface, number of forwarding classes value in MPC is 0 and counters are not allocated causing issue. Cause: Race condition when on MPC reboot AE interface getting created before number of forwarding classes are configured. Fix: When number of forwarding classes are set after MPC reboot, check for any AE interface with forwarding-class-accounting configured and reprogram it. PR1060637 • 1. With “hierarchical-scheduler” configured at IFD level 2. Under class-of-service hierarchy “output traffic control profile” configured at “interface-set” as well as IFD level, for the same IFD/IFL. With the above two conditions met, when a Junos upgrade is performed on a dual RE system the configuration validation check would fail on the RE that is upgraded latter with the below error message. Error message: ?cannot configure a traffic control profile for this ifl when a parent has a traffic control profile that references a scheduler map: ifl xe-11/0/0.5000 refers to traffic-control-profile TCP_PE-CE_30M. It is also a member of interface set xe-11/0/0_OTag=80 which has traffic-control-profile TCP_PE-CE_80M which references scheduler-map SM_PE-CE? conditon-1: lab-re1> show configuration interfaces xe-11/0/0 { hierarchical-scheduler; <<< Condition-2: lab-re1> show configuration interfaces interface-set xe-11/0/0_OTag=80 { interface xe-11/0/0 { <...>; } } lab-re1> show configuration class-of-service interfaces interface-set xe-11/0/0_OTag=80 { output-traffic-control-profile TCP_PE-CE_80M; <<< } <..> xe-11/0/0 { output-traffic-control-profile TCP_Maxbuff; unit 5000 { output-traffic-control-profile TCP_PE-CE_30M <<< } } PR1069477 Forwarding and Sampling • When a firewall filter, which is used to de-encapsulate the IPv4 packets encapsulated in IPv6 GRE header, is attached to interface hosts on MX Series MPC/MIC, the IPv6 GRE header would be de-encapsulated but the inner IPv4 packet would ends up getting dropped and not forwarded. This issue affects the packet with IPv4 over IPv6 GRE header only, and those packets with IPv6 over IPv6 GRE header are not affected. PR1054039: This issue has been resolved. • If the template of the policer is changed (for example, change the bandwidth-limit value of policer), shared-bandwidth-policer configuration statement may not function properly anymore. PR1056098: This issue has been resolved. General Routing • On MX Series platforms with Enhanced DPCs equipped, after router is rebooted, the IRB broadcast channel is not enabled, all the broadcast packets that are received in the IRB interface will get dropped. Also when ping is given, the following L2Channel error increases as ping packets are sent: user@router>show interfaces ge-*/*/* extensive | match channel L3 incompletes: 0, L2 channel errors: 10, L2 mismatch timeouts: 0. PR876456: This issue has been resolved. • The configuration statement “gratuitous-arp-on-ifup” should send a gratuitous ARP on each unit of a physical interface, but in 12.3 and later versions, only the first unit is seeing the configured behavior. PR986262: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. 217 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In the dual Routing Engines scenario, in rare conditions, while executing GRES and deleting interfaces at the same time, it is possible that a next hop delete message is not sent to the rpd process, causing rpd to keep a next hop index (NHID) that the kernel has already deleted. Later when the kernel allocates this NHID for next new next hop and sends it to the rpd process, the rpd process might crash due to a duplicate NHID. PR987102 • In Ethernet VPN (EVPN) routing and bridging (IRB) deployment, when all the access interfaces go down under an EVPN bridge domain, the IRB interface in the bridge domain remains up, causing the issue of the remaining IRB subnet being advertised in L3 routing which in turn attracts all L3 VPN traffic for the subnet. PR994909: This issue has been resolved. • In the dual Routing Engines scenario with NSR configuration, the backup peer proxy thread is hogging CPU for more than 1 second if there are multiple updates (>5000) going from master Routing Engine to backup Routing Engine. This leads to FPC socket disconnections. The traffic forwarding might be affected. PR996720 • On MX Series Virtual Chassis with the no-split-detection configured, in some rare circumstances, the transit traffic might get dropped if all of the virtual chassis ports (VCP) go down and come up quickly (within a few seconds). PR1008508: This issue has been resolved. • If with some groups has not been applied on a router, in some corner cases, the action that load override configuration might cause the routing process (rpd) to crash. PR1037527: This issue has been resolved. • On MX Series platform with nonstop active routing (NSR) is enabled, if with switchover-on-routing-crash configuration statement configured, issuing the CLI command "request system core-dump routing fatal" might not trigger RE switchover and might cause rpd on master RE stuck in inactive. PR1000220: This issue has been resolved. • The chassis daemon (chassisd) log file is filled by the following unimportant message. These messages are repeated and will fill up from the chassisd log file. These messages are harmless and are generated as part of fabric health check. “fm_hsl2_is_pb_adpc: jam_fabric: Not present in DB, key: fabric.lc.0x997.enable_grant_bypass fm_hsl2_get_combination_blackhole_pbs: jam_fabric: Not present in DB, key: fabric.lc.0x997.fabric_conct.supports_off_loading_xf” PR1014594: This issue has been resolved. • When destinations are pointing to protocol next-hops as unilist type or IP forwarding next-hops as unilist, which in scenarios like using Loop-Free Alternate Routes for OSPF (LFA-OSPF) with link protection or MPLS FRR is enabled. If flapping the active interface very fast, especially an interface comes back up before Kernel gets a chance to delete all the unilist next-hops, those unilist next-hops which have not been deleted yet would be reused. As a result, the corresponding destinations are pointing to discard next-hop(s) or replaced next-hop(s) in Packet Forwarding Engine Jtree. The "discard" next-hop(s) causes traffic blackhole while the "replaced" next-hop(s) diverts traffic to other active next-hop(s) in the unlist. Those unilist next-hops which have been already deleted are safe and get updated accordingly. This is a day-one timing issue. PR1016649: This issue has been resolved. 218 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • During ISSU on MX-VC platforms, there is a chance that the management process (mgd) on both VC-M and VC-B considers itself as protocol backup, resulting in a reboot of the entire VC. PR1020606: This issue has been resolved. • On MPC5E line cards, if a firewall filter with large-scale terms (more than 1300 etc.) is attached to an interface, traffic drop might be seen. PR1027516: This issue has been resolved. • Using jnxoptIfOTNPMFECIntervalTable and jnxOpticsPMIntervalTable, it was not possible to walk these tables from the middle before this fix. PR1039030: This issue has been resolved. • Incorrect SNMP interface index (index 0) is given to the VCP interface. Due to the wrong index value, the VCP interface description does not appear in SNMP interface table. PR1044331: This issue has been resolved. • On MX Series routers with one of the following protocols configurations, flapping the protocols will trigger the Composite Next-hop change operation. In rare conditions, since it is not properly programmed, the FPC might crash. This is a day-1 issue. - LDP MPLS - Point-to-multipoint LSP - RSVP - Static LSPs PR1045794: This issue has been resolved. • Once default route 0.0.0.0/0 is added, deleted, or changed, the PFEMAN thread running on the MPC/FPC5 needs more than 600 msec to program such changes. This is long enough to trigger LFM or BFD flap. Junos OS Release 13.3R2 or later is exposed to this symptom. PR1045828: This issue has been resolved. • For PTX router, the unilist next-hop member will have a 'replaced' status on Packet Forwarding Engine (PFE) after interface flapping with ARP timeout. While the problem is happening, routing-table will display correct next-hop status but cannot forward traffic since the forwarding next-hop in the Packet Forwarding Engine is in 'replaced' status and no longer active. PR1046778: This issue has been resolved. • This problem is because of a race condition, where other FPCs are not able to drain "which is 1 second" Fabric Streams connecting to the FPC which is going offline. With this situation, even when FPC comes online, other FPCs which have observed the message "xmchip_dstat_stream_wait_to_drain" will not able to send traffic to that particular FPC over fabric. There is no workaround. Rebooting FPCs which observed the error message "xmchip_dstat_stream_wait_to_drain" is a recovery. PR1052472: This issue has been resolved. • VCP links do not stay up during the unified ISSU. This causes traffic loss and control plane packet losss which can lead to control protocol flaps. PR1054344: This issue has been resolved. • OpenSSL project has published a security advisory for vulnerabilities resolved in the OpenSSL library on January 8th 2015: CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205. Refer to JSA10679 for more information. PR1055295: This issue has been resolved. • IFCM error messages may occur in logs when it is not used. We lowered the severity of the message to avoid confusion. PR1057712: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. 219 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • When enabling pseudowire subscribers, the "show subscribers extensive" command does not display CoS policies applied to the subscriber interface. This issue was fixed in 13.3R6, 14.1R5 and 14.2R3. PR1060036: This issue has been resolved. • Due to an incomplete fix, in releases containing the PR869773 fix, rate limit drops are seen for ingress queuing even though rate-limit is not configured or supported for ingress. PR1061256: This issue has been resolved. • On MX Series platforms, after performing unified in-service software upgrade (ISSU) to 14.2R1/14.1X50-D40 and later releases, the clock synchronization might be stuck in "freerun" and the Enhanced SCB (SCBE) clocking interface might appear as down. PR1065308: This issue has been resolved. • On PTX series routers, the interrupt-driven basis link down detection (an interrupt-driven link-down notification is generated to trigger locally attached systems to declare the interface down within a few milliseconds of failure) may fail after performing unified In-Service Software Upgrade (ISSU). The interrupt might got prevented after performing unified ISSU due to disable the interrupt registers before ISSU but never restored after. PR1059098: This issue has been resolved. • On T Series FPC 1-3 and M320 except E3-FPC with fib-local configuration, if there are multiple FIB local FPCs or the FIB local is a multiple PFE FPC, the TCP packets might be out of order, and packet re-ordering would occur. This reduces the application level throughput for any protocols running over TCP. PR1049613: This issue has been resolved. • Problem scenario: Issue is seen only with VMX. It will be seen when the PPPoE session's Keep-alive timer expiry happens. This might be due to non-graceful termination of remote side or due to communication path failure with the remote end. Problem statement: When PPPoE session Keep-alive timer expires the local PPPoE session is NOT closed/logout. PR1034520: This issue has been resolved. • In the scenario where a router acts as both egress LSP for core network and BRAS for subscribers, RSVP-TE sends PathErr to the ingress router due to matching to subscriber interfaces wrongly when checking the explicit route object (ERO), if subscribers are associated with same lo0 address as used by RSVP LSP egress address. PR1031513: This issue has been resolved. • In IPv6 environments, after enabling the feature "solicit-router-advertisement-unicast", the IPv6 router may fail to reply the Router Advertisement (RA) to the IPv6 host as unicast only. To be exact, the IPv6 router may not only reply to the IPv6 host an RA as unicast to its link local address, but also send the RA as multicast to all nodes groups (Multicast Address: ff02::1). The sample configuration could be as follows: user@router> show configuration protocols router-advertisement interface ge-1/0/3.400 { ... solicit-router-advertisement-unicast; <<<<< "solicit-router-advertisement-unicast" feature is enabled ... } PR1056599: This issue has been resolved. • In LDP tunneling over single-hop RSVP-based LSP environment, after enabling "chained-composite-next-hop", the router may fail to create the chained composite next hops if the label value of VPN is equal to the label value of LDP. PR1058146: This issue has been resolved. • 220 If with accounting/sampling enabled, an unnecessary update from the routing protocol process (rpd) to the route record database might be triggered by certain configuration Copyright © 2016, Juniper Networks, Inc. Resolved Issues change. This process causes jump in CPU utilization of all Packet Forwarding Engines. PR1002107: This issue has been resolved. • On PTX or T Series platform running Junos OS Release 12.1 or later, for interfaces connected via optical systems like DWDM, when the interface is admin disabled, there might be a delay (300-400 msec) for the system to detect the event during which time, traffic blackhole might be seen. Please note if you disable the interface by breaking the Rx or Tx link, the issue will not happen. PR1043762: This issue has been resolved. • On PTX series routers, the interrupt-driven link down detection may stop working. When the line card is receiving multiple back-to-back fault in very short duration (no matter from remote or local), it may fail to detect all the received interrupts, and this failure may cause delay of the link-down detection (for example, it may take PTX ~300ms to make interface down). PR1060279: This issue has been resolved. • If Bidirectional Forwarding Detection (BFD) protocol is enabled via site-to-site IPsec tunnel, the BFD session may fail to come up. It is because, when the BFD protocol is trying to exchange the packet via IPsec tunnel, the value of the TTL in the inner IP header for packet may be decremented, hence the BFD packet gets dropped on the peer side and no BFD session would come up. PR1061342: This issue has been resolved. • On MX Series platforms with MS-MPC/MS-MIC, if the "dump-on-flow-control" configuration statement is configured, traffic loss and the mspmand process crash might be observed when the MS-PIC comes up with traffic. PR1037086: This issue has been resolved. • When the CPU usage is very high (e.g., 100%) on a Routing Engine, the MS-MIC might get stuck due to kernel deadlock, which triggers the card to crash and generate a core file. PR1038026: This issue has been resolved. • If you issue the "show services nat mappings details" command with a large number of service sets configured (such as 1000 service sets) and one or two NAT mappings specified, the command takes a certain amount of time to display the output. During this period, if you deactivate or activate the services, a multiservices PIC management daemon core file is generated. PR1019996: This issue has been resolved. • Incorrect flow count is reported in the field 'count' of the V9 header in all the packets sent to the collector. PR1050543: This issue has been resolved. • On MX104 routers with SONET/SDH OC3/STM1 (Multi-Rate) MIC. In rare conditions, if the MIC is unplugged from MX104, the Packet Forwarding Engine might crash, and the traffic forwarding will be affected. These MICs as follows belong to the SONET/SDH OC3/STM1 (Multi-Rate) MIC: * MIC-3D-8OC3OC12-4OC48 * MIC-3D-4OC3OC12-1OC48 * MIC-3D-8CHOC3-4CHOC12 * MIC-3D-4CHOC3-2CHOC12 * MIC-3D-8DS3-E3 * MIC-3D-8CHDS3-E3-B * MIC-3D-1OC192-XFP PR997821: This issue has been resolved. • For MLPPP interfaces on MX Series routers with MPCs/MICs, in some very rare conditions, the received fragmented packets might be dropped. PR1041412: This issue has been resolved. • In the PPP dual-stack subscribers environment, in rare conditions, if bringing up 1000 dual-stack subscribers quickly, the PPP negotiation might fail. When PPP retries negotiation, all subscribers fully establish. PR1050415: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. 221 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In subscriber management environments, the Berkeley Database (DB) may get into a deadlock state. It is brought on by multiple daemons attempting to simultaneously access or update the same subscriber or service record. In this case, due to the access to the database being blocked by the device control daemon (dcd), the subscriber management infrastructure daemon (smid) fails to recover the DB. Consequently, the router may stop responding to all the login/logout requests, as well as statistics activity. This timing related issue is most likely to occur during login or logout and when the system is busy. PR1054292: This issue has been resolved. • In subscriber management scenarios, when a dynamic VLAN (DVLAN) demux interface configured on MX Series routers, the interface may get in a stuck stat. It could be observed that the statistics of demux0 may stop incrementing. This is because the Session Database (SDB) may incorrectly calculate the number of subscribers over DVLANs. When the issue occurs, for example, the router may not able to process any PPPoE Active Discovery Initiation (PADI) packets, and fail to establish the PPPoE session. PR1054914: This issue has been resolved. Interfaces and Chassis • REG_ERR errors might be observed on MX Series routers with Enhanced SCBs and a mix of MPC and DPC cards. PR821742: This issue has been resolved. • Ether OAM or DPC 10ge interface module changed link-fault status from down to up after being changed link status to down by "asynchronous-notification". PR973840: This issue has been resolved. 222 • The fix is available in 14.1R4 and 14.2R2. Need to apply the workaround before ISSU in 14.1 prior to R4 and in 14.2 prior to R2. PR997255: This issue has been resolved. • On MX Series routers, CFM sessions over AE interfaces, whose child links are on DPC FPC, can be scaled to a maximum of 300. PR1020222: This issue has been resolved. • If DPCE 20x 1GE + 2x 10GE X card is present in the chassis, BFD sessions over AE interfaces may not be distributed. PR1032604: This issue has been resolved. • Some duplicate entries are reported in jnx-chas-defines.mib. This patch removes the duplicate entries to fix the issue. PR1036026: This issue has been resolved. • Configuring ODU FRR under otn-options for 2x100G DWDM PIC is unsupported command on PTX router, wrongly add such configuration could result in an FPC crash and restart. PR1038551: This issue has been resolved. • PTX with 2x100Gig PIC might return incorrect values for jnxOtnIntervalOtuFec15minCorrectedErrors and jnxOtnCurrentOtuFec15minCorrectedErrors. This is happening because 2x100Gig PIC is not supporting jnx-otn.mib. Instead please use jnx-ifotn.mib or jnx-bl.mib. With this fix, the jnx-otn.mib should not return anything on 2x100Gig PIC. $ snmpwalk -v 2c -Obs -c public [IP address] jnxOtnIntervalOtuFec15minCorrectedErrors jnxOtnIntervalOtuFec15minCorrectedErrors = No Such Instance currently exists at this OID $ snmpwalk -v 2c -Obs -c public [IP address] jnxOtnCurrentOtuFec15minCorrectedErrors jnxOtnCurrentOtuFec15minCorrectedErrors = No Such Instance currently exists at this OID On 4x100Gig PIC using jnx-otn.mib for jnxOtnIntervalOtuFec15minCorrectedErrors and Copyright © 2016, Juniper Networks, Inc. Resolved Issues jnxOtnCurrentOtuFec15minCorrectedErrors, the correct values are reported if the error rate is below 900. Otherwise the CLI values will give us the right data. PR1038577: This issue has been resolved. • On Ethernet PICs with longer hold-down timer configured, a flapping interface within the hold time might cause traffic loss longer than the hold period. PR1040229: This issue has been resolved. • In case of the IQ2 or IQ2E PIC are working in tunnel-only mode, rebooting the tunnel PIC while the traffic is passing through the tunnel might cause the tunnel PIC to not transfer traffic anymore. PR1041811: This issue has been resolved. • “clear interfaces interface-set statistics all” fails due to memory limitation. PR1045683: This issue has been resolved. • On MX Series routers (platforms) with Enhanced Switch Control Board (SCBE), when the fan tray is inserted or pulled out, the chassisd process might crash. PR1048021: This issue has been resolved. • When configuring the Virtual Router Redundancy Protocol (VRRP) on an interface which is included in a routing-instance via applying groups settings, if changes are made to the interface, the VRRP process (vrrpd) memory leak might be observed on the device. PR1049007: This issue has been resolved. • dcd is cored by configuring the IPv6 address on fxp0.0 with master-only option under interfaces configuration. PR1049450: This issue has been resolved. • When Inherit is part of a lower IFL Unit, VRRPD parses it before Active. In this case, VRRPD attaches a dummy Active to the Inherit, with the assumption that the Active will be available soon and then replication of information from Active to Inherit will take place. However, the replication of the priority was not done correctly, due to which the Inherit group was stuck with priority of 0. PR1051135: This issue has been resolved. • In a Virtual Router Redundancy Protocol (VRRP) environment, after restarting the FPC, due to the Router Advertisement (RA) deletion being incorrectly sent to routing protocol process (rpd) by the VRRP process, the ICMPv6 may not be activated on the corresponding interfaces on the router that is acting as the master. In this case, no RA message can be sent out.PR1051227: This issue has been resolved. • Two redundant logical tunnels (rlt) interfaces are configured with the configuration statement "per-unit-mac-disable" enabled. After configuring the second one, the first rlt interface goes down: rlt0 { logical-tunnel-options { per-unit-mac-disable; <<<<<< } } PR1055005: This issue has been resolved. • The CLI description of the new 100-Gigabit Metro DWDM OTN PIC (PTX-2-100G-WDM-M) is different from the existing 100-Gigabit DWDM OTN PIC (P1-PTX-2-100G-WDM). The 100-Gigabit Metro DWDM OTN PIC's transceiver is identified as OTN-100G-M in the output from the “show chassis hardware” CLI command, and the cable type is identified as 100G METRO in the output from the “show chassis pic” CLI command. PR1055325: This issue has been resolved. • After performing a unified in-service software upgrade (ISSU) on the MX Series Virtual Chassis (MX-VC) platform, all physical interfaces may go down. The interfaces remain Copyright © 2016, Juniper Networks, Inc. 223 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion down until a graceful Routing Engine switchover (GRES) is performed. PR1055327: This issue has been resolved. • When a dynamic PPPoE subscriber with targeted-distribution configured on a dynamic VLAN demux interface over aggregated ethernet, the device control daemon (dcd) process might crash during a commit if the VLAN demux has mistakenly been removed. The end users can't visit internet after the crash. This is a rare issue and not easy to be reproduced. PR1056675: This issue has been resolved. • In subscriber management environment, PPP client process (jpppd) might crash as a result of a memory allocation problem. PR1056893: This issue has been resolved. • In multichassis link aggregation groups (MC-LAGs) environments, the MC-LAG peers have the MAC and port information and can forward the traffic appropriately. If a single VLAN is modified to a different VLAN, and then the administrator rolls back the VLAN configuration to the original one, the remote MAC might be stuck in the "Pending" state and not be installed in the bridge MAC-table, which cause traffic forwarding to be affected. PR1059453: This issue has been resolved. • For multichassis link aggregation groups (MC-LAGs) running in active-active mode with back-to-back square topology, when the Interchassis Control Protocol (ICCP) is broken between any MC-LAG devices, the non-preferred device reverts to its own local system ID. But its Link Aggregation Control Protocol (LACP) partner on the remote side does not remove the flap link from AE bundle and it remains UP. This might cause a network-wide loop, resulting in traffic outage until manual intervention. PR1061460: This issue has been resolved. • After chassis restart or non graceful RE switchover, few VRRP sessions may start sending VRRP packets while still in VRRP backup state. PR1062929: This issue has been resolved. • Error message is continuously logged every second after a particular copper-SFP [P/N:740-013111] is plugged into a disabled port on MIC: ***** error message **** mic_sfp_phy_program_phy: ge-*/*/* - Fail to init PHY link mic_periodic_raw: MIC(*/*) - Error in PHY periodic function PQ3_IIC(WR): no target ack on byte 0 (wait spins 2) PQ3_IIC(WR): I/O error (i2c_stat=0xa3, i2c_ctl[1]=0xb0, bus_addr=0x56) mic_i2c_reg_set - write fails with bus 86 reg 29 mic_sfp_phy_write:MIC(*/*) - Failed to write SFP PHY link 0, loc 29 mic_sfp_phy_mdio_sgmii_lnk_op: Failed to write: ifd = 140 ge-*/*/*, phy_addr: 0, phy_reg: 29 ala88e1111_reg_write: Failed (20) to write register: phy_addr 0x0, reg 0x1d Fails in function ala88e1111_link_init. PR1066951: This issue has been resolved. Layer 2 Features • LDP-VPLS with BGP autodiscovery stays down after a GRES event when NSR is enabled. PR1046887: This issue has been resolved. • On multiple Routing Engines systems with NSR enabled, if the FEC129 VPLS instance has "no-tunnel-service" configured, the VPLS might show status as "OL" (no outgoing label) after performing Routing Engine switchover. PR1050744: This issue has been resolved. 224 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • After change the way of getting site ID of VPLS from fixed site-id to automatic-site-id on one site while other sites are still using the fixed site-id in the network, the rpd process might crash because the site ID get by "automatic-site-id" may conflict with the site ID which was configured as the fixed site ID on other sites. PR1054985: This issue has been resolved. Layer 2 Ethernet Services • If a customer is using SNMP and performs an snmpwalk on the DHCP binding table not all of the entries may be displayed. This fix resolves that issue so that bindings for all ip addresses are displayed. PR1033158: This issue has been resolved. • In DHCP dynamic subscriber management scenarios, when maintain DHCP subscribers during interface delete is configured, some interface indices might be reused by a new interface if system is under stress (such as high connection speed, many clients and individual log files configured to be larger than 100M). In this case, it might result in subscriber being associated with an interface that no longer exists. PR1044002: This issue has been resolved. • If the ppmd does not send replies to lacpd's periodic request to gather port statistics, the lacpd process may crash and restart due to the process memory consumption being slowly increased and finally reaching RLIMIT_DATA value, which is 128 MB. PR1045004: This issue has been resolved. • The Layer 2 Control Protocol process (l2cpd) leaks memory when interface config is applied to LLDP-enabled interfaces using 'apply-groups'. Size of the leak is ~700 bytes per commit. PR1052846: This issue has been resolved. • When the MX Series router acts as the Virtual Extensible Local Area Network (VXLAN) Layer 3 gateway, the integrated routing and bridging (IRB) interfaces are configured to connect the VXLANs. The VXLAN packets are dropped when the route to reach a remote virtual tunnel endpoint (VTEP) interface is over an IRB interface. PR1057005: This issue has been resolved. • After FPC is rebooted, the filter under the Packet Forwarding Engine of ERPS bridge domain might program the incorrect ifl index, which will cause the router to be unable to receive any ERPS packets. PR1070791: This issue has been resolved. MPLS • Error "tag_icmp_route:failed to find a chain composite ahead of fwd nh" might be observed when doing traceroute. PR999034: This issue has been resolved. • On the P2MP LSP transit router with link protection enabled, if the LSP is the last subLSP, tearing the last subLSP (for example, a RESV tear message is received from downstream router) might crash the routing process (rpd). PR1036452: This issue has been resolved. • After upgrading Junos OS release to Junos OS release 13.2 or later from previous releases, logical-system cannot start and run. The rpd continuously crashes every time when trying to deactivate/activate the logical-system. PR1044781: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. 225 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • When node-protection is enabled for a specified LSP and optimize-timer for a node-protecting bypass LSP is configured on router, the bypass route might get optimized in such a way that it traverses through the very node that the bypass is trying to protect during re-optimization. As a consequence, the node-protecting bypass LSP only provides link protection instead of node protection. PR1045055: This issue has been resolved. • In NG-MVPN extranet scenarios, if there are mix of VT interface and LSI (vrf-table-lable is used) interfaces on NG-MVPN egress node, after changing some vrf policies, the routing daemon (rpd) might crash and reset. PR1045523: This issue has been resolved. • In LDP link protection which is protected by a dynamic RSVP LSP scenario, when flaping the interface having LDP link-protection enabled, the rpd process might crash on the backup RE as soon as the bypass LSP is established. PR1053426: This issue has been resolved. • On M/MX/T/PTX Series routers, dynamic-rsvp-lsp is configured under interface link-protection hierarchy level. After interface flap, the bypass LSP does not come up. PR1054155: This issue has been resolved. • Please see CVBC section PR1054491: This issue has been resolved. • With graceful-restart configured, an inter-domain point-to-multipoint (P2MP) label-switched path (LSP) with ERO defined and CSPF enabled might fail to come up after rpd process restart. PR1058271: This issue has been resolved. • This is a regression issue on all Junos related to a timing factor. When an LDP session flaps, over which entropy label TLV or any unknown TLV is received, the LDP speaker might not send label withdraw for some prefixes to some neighbors. As a result, these neighbors will still use stale labels for the affected prefixes. PR1062727: This issue has been resolved. • From Junos 13.2 onwards, the "load-balance-label-capability" configuration statement is introduced to enable the router to push and pop the load balancing label and causes LDP and RSVP to advertise the entropy label TLV to neighboring routers. MX, T4000 and PTX platform have the capability and is reflected in their default forwarding-options configuration. A software defect is found in the way Entropy Label Capability (ELC) TLV is encoded in the LDP label mapping message. It might cause the LDP session between routers go down. PR1065338: This issue has been resolved. • Bypass enabled with optimize-timer will flap during every re-optimization event. PR1066794: This issue has been resolved. • 226 When a primary LSP gets re-routed due to better metric, Link/Node protection for this LSP is expected to come up within 7 seconds provided the bypass-lsp protecting the next-hop link/node is already available. However in some corner cases, the Link/Node protection for re-routed primary LSP will not come up within 7sec even with bypass-lsp availability. The PR fixes this issue and reduces the delay of associating bypass-lsp with primary-lsp from 7 seconds to 2 seconds. PR1072781: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. Resolved Issues Network Management and Monitoring • Customer requested visibility PR1043995: This issue has been resolved. • If the size of interface control process (dcd) trace file is configured to large (for example, 500M), restarting the dcd process when it is doing log rotation (due to size limit reached) might cause the dcd process unable to start anymore, in the same time, interface ports will be down and a "thrashing" error will be seen. PR1047330: This issue has been resolved. • SNMP MIB walk jnxMac does not return value with et- interfaces on MPC3/MPC4/MPC5/MPC6 PR1051960: This issue has been resolved. • There is no specific counter name in the MIB2D_COUNTER_DECREASING syslog message PR1061225: This issue has been resolved. • SNMP queries for LAG MIB tables while a LAG child interface is flapping, may cause mib2d grow in size and eventually crash with a core file. Mib2d will restart, and recover by itself. PR1062177: This issue has been resolved. Platform and Infrastructure • With inline jflow enabled, if the low 12 bits of the packet counter are zero (0x000) while copying packets count from hash record into flow export packet, the packetDeltaCount counter might be incorrect in inline jflow records. There is no traffic impact but this may impact billing. PR886222: This issue has been resolved. • For inline BFD over aggregated Ethernet (AE) interface which member links are hosted on different FPCs, BFD packets coming on ingress line card will be steered to anchor Packet Forwarding Engine (PFE) through fabric. If FPC reconnect to master RE (such as RE switchover operation), the inline BFD session punts the BFD packet to host, the BFD packet should go through loopback interface filter of VRF on which it is received. But in this case, the BFD packet might hit the wrong loopback interface filter from the wrong routing-instance since the VRF information is not carried across fabric. PR993882: This issue has been resolved. • BFD session within default routing-instance are not coming up once inline-services PIC is configured and fixed class-of-service forwarding-class is assigned. BFD session operating in no-delegate-processing are not affected. PR999647: This issue has been resolved. • CPQ RLDRAM ECC single- and double-bit error will generate CM alarm. The "show chassis alarms" command can be used to view CM alarms. Details ======= 1> CPQ RLDRAM ECC single-bit error in last 10 secs will raise minor CM alarm. 2> No CPQ RLDRAM ECC single-bit error in last 10 secs will clear minor CM alarm. 3> CPQ RLDRAM ECC double-bit error will raise Major CM alarm (this alarm will not be cleared until the FPC is restarted). PR1023146: This issue has been resolved. • On MX Series platforms with scaled setup, after deactivating/activating or renaming a bridge domain (BD) which has an IRB interface associated, the IGMP snooping configured under the BD might not work anymore. This happens only when the router is in "network-services enhanced-ip" mode. PR1024613: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. 227 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • A Packet Forwarding Engine memory leak is seen when multicast receivers are connected in a bridge domain where IGMP snooping is enabled and IGMP messages exchanged between the multicast receivers and the Layer 3 IRB (Integrated Routing and Bridging) interface. PR1027473: This issue has been resolved. • Inline BFD sessions, through AE interface when only the member interface of the AE is hosted on the MX Series MPC4E line card, might flap continuously. PR1029341: This issue has been resolved. • On Trio 3D MPC, when there is a congested Packet Forwarding Engine destination, the non-congested Packet Forwarding Engine destinations might experience an unexpected packet drop. PR1033071: This issue has been resolved. • The micro BFD sessions won't come up if incoming untagged micro BFD packets contain a source MAC where the last 12 bits are zero. PR1035295: This issue has been resolved. • configuration.yang had posix regex pattern, while as per the YANG RFC, it should have been xml regex, that is why it had compilation issues. Now it is fixed. PR1040151: This issue has been resolved. • When IRB interface is configured with VRRP in Layer 2 VPLS/bridge-domain, in corner cases IRB interface may not respond to ARP request targeting to IRB sub-interface IP address. PR1043571: This issue has been resolved. • In a scaled subscriber management environment, the output of the CLI command "show subscribers" and its sub-flavors might print more pages and has to be terminated by "Ctrl+c" or "q". But this was not closing the back-end Session Database (SDB) connection properly. Over a period of time, this caused inconsistency and the subscriber management infrastructure daemon (smid) failed to register and no new subscribers could connect. PR1045820: This issue has been resolved. • On T4000 and FPC Type 5-3D or TXP-3D platforms , BFD sessions operating in 100 msec intervals with default multiplier of 3 might randomly flap after the enhancements implemented via PR967013. BFD sessions with lower intervals of 100 msec or higher intervals are not exposed. The internal FPC thread, monitoring the High Speed Fabric links, had a run time of longer then 100 msec. PR1047229: This issue has been resolved. • On MX Series platforms with Extensible Subscriber Services Management (ESSM) subscribers configured using a Junos OS commit script, after performing a sequence of operations repeatedly with the same set of configurations (subscribers apply-macros'), like adding subscribers, then deleting same subscribers again, then adding, then deleting again and again, the memory would leak on mgd process. In a generic scenario where a script just commits transient change and then exits, the issue will not be experienced. PR1048770: This issue has been resolved. • By default, after 16x10GE MPCs comes up, about 75% of queues were allocated to support rich queuing with the MQ chip. Such allocation causes the MQ driver software module to poll stats. Polling stats causes this rise in CPU usage. PR1048947: This issue has been resolved. • 228 For a Routing Matrix, if different Routing Engine (RE) models are used on switch-card chassis (SCC)/switch-fabric chassis (SFC) and line-card chassis (LCC) (for example, RE-1600 on SCC/SFC and RE-DUO-C1800 on LCC), where the out-of-band (OoB) management interfaces are named differently (for example, fxp0 on SCC/SFC RE and Copyright © 2016, Juniper Networks, Inc. Resolved Issues em0 on LCC RE), then the OoB management interface configuration for LCC RE will not be propagated from SCC/SFC RE during commit. PR1050743: This issue has been resolved. • NTP.org has published a security advisory for multiple vulnerabilities resolved in ntpd (NTP daemon) that have been assigned four CVE IDs. Junos OS has been confirmed to be vulnerable to one of the buffer overflow vulnerabilities assigned CVE-2014-9295, which may allow remote unauthenticated attackers to execute code with the privileges of ntpd or cause a denial of service condition. Refer to JSA10663 for more information. PR1051815: This issue has been resolved. • After committing the Network Time Protocol (NTP) configuration, if the number of routing-instances per source-address exceeds 18, it may cause the NTP daemon (ntpd) crash. In this scenario, the NTP feature may not be functional. For example, there are 19 routing-instance names per source address statement in the following sample configuration: ntp { server X.X.X.X; source-address X.X.X.X routing-instance [ X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11 X12 X13 X14 X15 X16 X17 X18 X19 ]; (19 routing-instance names) } PR1058614: This issue has been resolved. • On an MX Series router with MPCS/MICs with Junos 12.3R3 and later, the system does not push the configured Tag Protocol ID (TPID) value (for instance, 0x88a8) to the packets while sending out the packets, instead it pushes the default TPID 0x8100. This might lead to traffic drop on the peer device if it is expecting a particular TPID (for instance, 0x88a8) but it receives a different one. PR1059225: This issue has been resolved. • Modifying the IEEE-802.1ad rewrite-rule on the fly might be unable to change IEEE-802.1p ToS values for the inner VLAN in QinQ. PR1062817: This issue has been resolved. • Observation domain ID in exported flow records is incorrect in 100G and 10G line cards and in 200G 40X10G MPCs and 200G 40X100G MPCs. PR1066319: • On MX Series routers with MPCs and T4000 routers with Type 5 FPCs, the feature "enhanced-hash-key" is configured to select data used in the hash key for enhanced IP forwarding engines. If "type-of-service" is configured at the [edit forwarding-options enhanced-hash-key family inet] hierarchy level, or "traffic-class" is configured at the [edit forwarding-options enhanced-hash-key family inet6] hierarchy level, the last significant two bits of the TOS/TC bytes under the IPv4/IPv6 header are extracted incorrectly as load-sharing input parameters, and this might cause unexpected load balancing results. PR1066751: This issue has been resolved. • Firewall filters that have a prefix-action can't be configured under [edit logical-system <name> firewall family inet] because the Packet Forwarding Engine won't be programmed for the filter. PR1067482: This issue has been resolved. • On MX Series routers, when using Trio-based FPC with feature inline sampling activated, memory partition error messages and memory leak might be observed on the FPC. In some cases, this issue only affects sample route-records but not regular Packet Forwarding Engine routes or next-hops, however, in the extreme case, it is also possible to cause the Packet Forwarding Engine failing in installing routes into forwarding next-hops and hence traffic drop. On MX Series routers, when using Trio-based FPCs, Copyright © 2016, Juniper Networks, Inc. 229 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Junos 13.3R5 14.1R4 14.2R1 or higher is exposed. On T4k or TXP-3D routers, when using FPC-3D FPC's, Junos 14.2R1 or higher is exposed. PR1071289: This issue has been resolved. • VPLS filter applied under forwarding-options might drop a VPLS frame unexpectedly when it is coming from an lt- interface. There is no workaround. PR1071340: This issue has been resolved. • When inline-sampling is enabled, in race conditions, if packet gets corrupted and the corrupted packet length shows 0, this may cause "PPE_x Errors thread timeout error" and eventually cause the MPC card to crash. PR1072136: This issue has been resolved. • After IPv6 RPM (real-time performance monitor) support, the SNMP server cannot receive some of IPv6 PING-MIB info. For example, the SNMP server receives a "pingCtlRowStatus(23)" and "pingCtlAdminStatus(8)" errors and cannot get "pingResultsTable" and "pingProbeHistoryTable" info. << example >> ** The following logs are SNMP server logs: "snmpset -v 2c -c xxxxxx" commands are used. ----pingCtlRowStatus(23) error info. Error in packet. Reason: inconsistentValue (The set value is illegal or unsupported in some way) Failed object: SNMPv2-SMI::mib-2.80.1.2.1.23.7.79.87.78.69.82.95.65.6.84.69.83.84.95.65 ---pingCtlAdminStatus(8) error info. Error in packet. Reason: inconsistentValue (The set value is illegal or unsupported in some way) Failed object: SNMPv2-SMI::mib-2.80.1.2.1.8.7.79.87.78.69.82.95.65.6.84.69.83.84.95.65 ** The following logs are snmp server logs. "snmpwalk -v 2c -c xxxxxx" commands are used. pingResultsTable(3) SNMPv2-SMI::mib-2.80.1.3 = No Such Object available on this agent at this OID pingProbeHistoryTable(4) SNMPv2-SMI::mib-2.80.1.4 = No Such Object available on this agent at this OID. PR1072320: This issue has been resolved. Routing Protocols • If with the BGP PIC edge feature enabled and OSPF protocol as IGP, when the primary route is changed, there is a chance that the Packet Forwarding Engine forwarding entry will stay in reroute state, which causes session down. PR1015598: This issue has been resolved. • When BGP add-path feature is enabled on the BGP route-reflector (RR) router, and if the RR router has mix of add-path receive-enabled clients and add-path receive-disabled (which is default) clients, due to a timing issue, the rpd process on RR might crash when routes update/withdraw. PR1024813: This issue has been resolved. • When a BGP peer goes down, the route for this peer should be withdrawn. If an enqueued BGP route update for this peer has not been sent out, issuing the CLI command "show route advertising-protocol bgp <peer-addr>" might crash the routing protocol process (rpd). This is a very corner issue and will hardly be experienced. PR1028390: This issue has been resolved. • If labeled BGP routes are leaked from inet.3 table to inet.0, then activation of the BGP "add-path" feature might crash the routing process (rpd). PR1044221: This issue has been resolved. • 230 BFD session might reset on commit if version is configured. The adaptive RX interval gets set to 0, which results in the reset. A sample configuration of BFD version is as follows: protocols { bgp { bfd-liveness-detection { version 1; minimum-interval 1000; transmit-interval { minimum-interval 1000; } } } PR1045037: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. Resolved Issues • When BGP and ICCP are the client of the same multi-hop BFD session, BFD runs in centralized (non-distributed) mode. But if nonstop-routing configuration is added and enabled, the running mode of BFD is changed to distributed mode. This behavior is incorrect but it would not affect protocols that are clients of the BFD session. However, if Routing Engine switchover is performed after enabling NSR, the BFD session will become unstable and all the client protocols also become unstable. PR1046755: This issue has been resolved. • On MX Series routers with multiple Routing Engines, if an aggregate Ethernet (AE) interface spreads over multiple FPCs, the inline BFD session over the interface might flap during GRES. PR1048940: This issue has been resolved. • Junos Multicast Source Discovery Protocol (MSDP) implementation is closing an established MSDP session and underlying TCP session on reception of source-active TLV from the peer when this source-active TLV has an "Entry Count" field of zero. "Entry Count" is a field within the SA message which defines how many source/group tuples are present within the SA message. PR1052381: This issue has been resolved. • Either "rib inet.3" or "resolve-vpn" feature is available to be configured in the lower hierarchy for BGP labeled-unicast family routes. These two features are mutually exclusive and only one of them could be used at a single BGP group. If the administrator swaps the two features (for example, using the "resolve-vpn" first, then deactivate it and using "rib inet.3" instead, then use "resolve-vpn" back), the secondary routes (routes in inet.3 which including the ones from this BGP group and from other BGP groups) may got accidentally removed every time on "commit" operation take place. PR1052884: This issue has been resolved. • After deactivating/deleting a BFD configuration, the Packet Forwarding Engine receives a BFD session down event and it marks corresponding next hops as down and traffic drops consequently. PR1053016: This issue has been resolved. • The BGP session sending add-path prefixes can cause an rpd crash when the add-path IDs that it allocates roll over from 65535 to 0. If the routes contributing add-path prefixes are changing, the allocated path-id can eventually reach this value. This fix changes the allocation scheme to always use the lowest available free path-id, so a rollover will never occur. PR1053339: This issue has been resolved. • After multicast traffic source incoming interface and source IP RPF (reverse path forwarding) route switching to a different interface, the multicast route cache upstream interface might not be refreshed to be in sync with the PIM join upstream interface. This is incorrect and will cause packet blackhole for the affected multicast stream. PR1057023: This issue has been resolved. • BGP LINK STATE (BGP-LS) was using unofficial code point of '99' for the LINK-STATE path attribute. Starting with Junos OS Release 14.2R3, BGP-LS uses the IANA-assigned value of '29'. Therefore, previous versions of BGP-LS are not compatible with the code point change. Also, if the user was already running BGP-LS, they cannot do unified ISSU to this version of the code. PR1060162: This issue has been resolved. • When running Simple Network Management Protocol (SNMP) polling to specific IS-IS Management Information Base (MIB) with invalid variable, it will cause routing protocol process (rpd) crash. PR1060485: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. 231 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In PIM environments, Bootstrap Router (BSR) can be used only between PIMv2 enabled devices. When deactivating all the interfaces that are running PIM bootstrap, the system changes to operate in PIMv1. At this time, all the information learned about/from the current BSR should be cleaned, but actually, the BSR state is not cleaned. If the interface which was the previous “elected BSR” is activated, BSR state is PIM_BSR_ELECTED (should be cleaned previously) and the system assumes the BSR timer is still there. When the system tries to access the null BSR timer, the rpd process might crash. PR1062133: This issue has been resolved. • Allow the last 2-byte AS, 65535, to be used as local-as and peer-as, but it will be considered private in all other regards. PR1069307: This issue has been resolved. Routing Policy and Firewall Filters • RIP route in VRF getting removed once rib-groups are applied with import policy. PR1024946: This issue has been resolved. • In the BGP environment, if operator "!" exists in the regex for as-path, the commit operation fails. PR1040719: This issue has been resolved. • When configuring the unsupported IPv6 flow specification feature, that is, when configuring the inet6 address as source/destination of the inet-flow route, the configuration can pass the commit check and being committed. But it can cause the rpd process to crash eventually when trying to program this route to the firewall process (dfwd, which manages compilation and downloading of Junos OS firewall filters). If a flow route is received from a BGP neighbor and the prefix-length for source/destination is greater than 32, it can lead to an rpd process crash too. PR1059542: This issue has been resolved. • policy displaying is changed and bug fixed PR1060417: This issue has been resolved. Services Applications • The show cli command "service nat pool detail" always displays the Port range starting from 1024, even when privileged ports are used. PR1019783: This issue has been resolved. • Added support to bring up tunnel-switched sessions when tunnel-group is not configured at LTS and tunnel attributes are returned from RADIUS. PR1030799: This issue has been resolved. 232 • When NAT has multiple terms that refer to the same NAT pool, the command “show snmp mib walk jnxSvcsMibRoot ascii” always prints out jnxNatPoolTransHits for the count of jnxNatRuleTransHits in the first term. PR1035635: This issue has been resolved. • When using both Port Control Protocol (PCP) and traditional NAT (For example: DS-Lite), if you try to setup two pools with overlapping address ranges, this can leads to the MS-DPC to crash and generate a core file. PR1036459: This issue has been resolved. • In the context of DS-Lite softwire scenario, the MS-PIC/MS-DPC might crash in rare occasions when the DS Lite softwire concentrator is receiving a high volume of outer IPv6 fragmented packets. PR1044143: This issue has been resolved. Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Inline IPv6 L2TP on MPC subscriber terminated at an LNS breaks adaptive services SP unicast next hops on the MS-DPC. Even one subscriber causes the issue. PR1054589: This issue has been resolved. • When the tunnel between the L2TP access concentrator (LAC) and L2TP network server (LNS) is destroyed, the tunnel information will be maintained until destruct-timeout expires (if the destruct-timeout is not configured, the default value is 300 seconds). If the same tunnel is restarted within the destruct-timeout expiry, the LNS will use the previously negotiated non-default UDP port, which might lead to the tunnel negotiation failure. PR1060310: This issue has been resolved. • A Layer 2 Tunneling Protocol daemon (l2tpd) crash is seen sometimes when the L2TP service interface unit number is configured higher than 8192. A restriction has been added to force unit numbers below 8192. PR1062947: This issue has been resolved. • When configuring Remote Authentication Dial In User Service (RADIUS) authentication for Layer 2 Tunneling Protocol (L2TP), the RADIUS server cannot be recognized becaurse the source address is not being read correctly. As a result, the L2TP session cannot be established. PR1064817: This issue has been resolved. • L2TP daemon will core in an LTS scenario while the subscriber logs out. This happens when the subscriber has the "Called Number AVP" attribute. The "Called Number AVP" was not getting relayed correctly across the LTS boundary, hence the daemon cores. PR1065002: This issue has been resolved. Subscriber Access Management • This issue was introduced as part of another fix. Please contact JTAC for the recommended release for your deployment. PR1049955: This issue has been resolved. User Interface and Configuration • Customer wants visibility PR1025978: This issue has been resolved. VPNs • On MX-VC platforms, if with a scaled number of MVPN routes, after adding a new interface in the MVPN instance or changing the traceoptions with related configuration, the CPU on the Routing Engine might experience a high utilization for about 10 minutes. PR1027596: This issue has been resolved. • In NG-MVPN, after the route to C-RP flaps, traffic loss might be seen for a short period of time. PR1049294: This issue has been resolved. • In NG-MVPN scenarios with the non-zero selective provider tunnel threshold-rate configured and NSR enabled, the selective provider tunnel might flap a few seconds after Routing Engine switchover. The related Type 3 S-PMSI AD route and Type 4 leaf AD route also refreshed. The data traffic might fall to inclusive provider tunnel in a short time, depending on the configuration. This transition will cause packet loss due to unbinding from one tunnel to the other and back. PR1049352: This issue has been resolved. • In the VPLS environment with a multichassis link aggregation groups (MC-LAGs) configuration, the standby neighbor is configured with hot-standby mode. If the active Copyright © 2016, Juniper Networks, Inc. 233 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion link on MC-LAG members facing towards the CE is changed continually (that is active to standby and standby to active), in a rare conditions, the traffic might not shift correctly, and the rpd process might crash. PR1050737 • In NG-MVPN scenarios, when a source is directly connected to a PE router that is acting as an RP stops sending the traffic, the PE router never withdraws the Type 5 route. This causes the Type 7 routes and forwarding routes to remain on the egress and ingress PEs. PR1051799 • In L2VPN scenarios with local switching enabled, in corner cases, the rpd process might crash after flapping the PE-CE link. For example, if the L2VPN connection type changes from remote to local after link flaps, for a brief period of time, two route entries (for old remote VC connection and for the new local VC connection) might exist for the same egress route (with interface name as destination prefix). In that case, when deleting the remote VC connection and route entry associated with that remote connection, the rpd might crash due to trying to reset an internal variable which is already reset during route addition for the new local VC connection. PR1053887 • In the l2circuit environment, when l2ckt configuration has backup-neighbor, the flow-label operation is blocked at the configuration level. PR1056777 • With a static selective point-to-multipoint LSP configured for an MBGP MVPN, when sending a Type 3 S-PMSI A-D BGP route, the Juniper Networks implementation uses the values taken from the selective P-Tunnel configuration, which is not compliant with the RFC standard. Refer to RFC 6514, section 4.3, which specifies that the source and group length values in Type-3 must be same as the host prefix length. That is, if the Multicast Source field contains an IPv4 address, then the value of the Multicast Source Length field is 32; if the Multicast Source field contains an IPv6 address, then the value of the Multicast Source Length field is 128. The same is true for group length. PR1058193 • In MVPN RPT-SPT mode, with a mix of local and remote receivers all using (*,g) joins (spt-threshold infinity), the downstream interfaces may not get updated properly and there may be a stuck (s,g) forwarding route. This issue can occur with the following sequence of events: 1. Local receivers are joined 2. Traffic starts, then stops, and the route times out. 3. Remote receiver joins. Both a (*,g) and an (s,g) forwarding route are created. 4. Another local receiver is joined, or an existing one is pruned. 5. In the (*,g) route, the downstream interface list reflects the update, but in the (s,g) route, the downstream interface list does not. 6. When traffic starts again, the (s,g) route -which has the wrong interface list -- is used. The traffic flows to the wrong set of receivers. PR1061501 Resolved Issues: 14.2R2 234 • Class of Service (CoS) on page 235 • General Routing on page 235 • Interfaces and Chassis on page 237 • Layer 2 Features on page 238 • Layer 2 Ethernet Services on page 238 • MPLS on page 238 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Platform and Infrastructure on page 239 • Routing Protocols on page 239 • Services Applications on page 240 • VPNs on page 241 Class of Service (CoS) • For MX Series routers with DPCs, IQ2 PIC expects Forwarding Class (FC) index in the cookie from the DPC for packet queuing. For Transit traffic, fc index is coming in cookie where are for host outbound traffic, and queue number is coming in cookie to IQ2 PIC. As IQ2 PIC is not aware whether traffic is transit or host outbound, it treats the value received in cookie as FC value and looks into fc_to_q table to fetch the queue number. This is causing an issue in queueing of host outbound traffic in IQ2 PIC in incorrect queue. This is a day–one issue and will come if in FC to Queue mapping, fc ID, and queue number are not the same. PR1033572 General Routing • "show services accounting usage" doesnt populate cpu utilization for XLP based cards . Please use "show services service-sets cpu-usage" PR864104 • If the connection with an OpenFlow controller goes down then comes back up repeatedly, an OpenFlow interface on a QFX5100 switch might send an OFPT_ERROR packet with an XID ID 0 but no data to explain why the error packet was sent. PR1003538 • On MPC5, MPC6, MIC6-10G, and MIC6-100G line cards, in order to increase the resiliency of the system, changes have been made to monitor board voltage levels and ASIC currents periodically against the expected values, and update current threshold values as per updated values provided by HW group. PR1004431 • Under corner cases, if there are multiple back-to-back Virtual Chassis port (VCP) related CLI commands, Network Processing Card (NPC) core may be observed and FPC hosting the VC ports might reboot. PR1017901 • Enabling sampling on an ms- interface is not supported. If 'forwarding-options sampling sample-once' is subsequently deactivated, the FPC may reboot. PR1021946 • Log Message "MQCHIP(0) mqchip_get_q_forwarded_stats() invalid q_sys 0 q_num " are continously shown in logs. It will cause two GE or XGE interfaces to not forward traffic. PR1021951 • On TXP-3D platform, the chassisd process may hang in scenarios where an FPC restarts twice, one happening gracefully and the other ungracefully (due to reasons like panic, bad voltage etc). It will cause interfaces on this FPC down. PR1025732 • On multiple Routing Engines system with NSR enabled, performing GRES when an FPC is in the middle of restarting might cause the traffic to this FPC dropped permanently. PR1026214 • In ALG environment, the MS-MPC might crash with significant ftp/tftp/http/dns/nat traffic. PR1026562 • On MPC5E line card, if a firewall filter with large-scale terms (more than 1300 etc.) is attached to an interface, traffic drop might be seen. PR1027516 Copyright © 2016, Juniper Networks, Inc. 235 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • In Virtual Private LAN Service (VPLS) scenario with multicast traffic flowing, if the core-facing interface which is used to reach remote PE is hosted on Dense Port Concentrator (DPC) card and also the forwarding topology that is using unilist nexthop (The unilist is a list of nexthops and is used when router want to forward to one of the component nexthops. It is mostly used for load balancing among the multiple members. For example, a topology where VPLS PW is loadbalanced using a unilist over an aggregate Ethernet interface), the composite-nexthop might not be installed on the DPC card due to the Layer 2 forwarding information getting populated only for the first unicast nexthop. This issue will result in the multicast traffic drop on the egress DPC. PR1027827 • For Trio-based line cards, FPC memory exhaustion or memory churn might lead to FPC crash. PR1028066 • Inline BFD sessions, through AE interface when only member interface of the AE is hosted on MX MPC4E line card, might flap continuously. PR1029341 • In a rare case, rdd core is reported under /usr/sbin/rdd as soon as applying the group and commit is performed. PR1029810 • PCS statistics counter is now displayed for PTX 100GE interfces in below command: cli > monitor interface <intf> PR1030819 • With an unrecognized or unsupported Control Board (CB), mismatch link speed might be seen between fabric and FPCs, which results in FPCs CRC/destination errors and fabric planes offline. Second issue is in a race condition. Fabric Manager (FM) might process the stale destination disable event but the error is cleared indeed, which will result in the unnecessary FPC offline and not allowing Fabric Hardening action to trigger and recover. PR1031561 • This issue only affects OC-48 MICs. If an SFP is inserted into an OC-48 MIC port that has been disabled the SFP will not show up in a >show chassis hardware command. The issue is fixed with a patch. Contact JTAC to find out which version is best for you. PR1031851 236 • With VPLS BGP control word configured, intermittent packet loss might be seen in one direction on VPLS circuit due to the control-word not being programmed at Packet Forwarding Engine after member DPC reboot. The problem can happen on below conditions: 1. LSI interface exists across two or more physical interfaces. 2. Those physical interfaces located in different FPCs. 3. Those physical interfaces consist of equal-cost paths. So, LSI will not be flapped with one member FPC down. 4. Flap the member DPC where one of physical interfaces situated. PR1031863 • In scaled environment, the HTTP redirects might stop working while receiving continues HTTP traffic. PR1032392 • On MX Seriesplatforms with MPC5/MPC6 installed, in rare cases, a software bug that will cause Uninitialized EDMEM Read Errors (Uninitialized EDMEM Read Error, there could be various triggers. It may occur in a transient state (like during config change), or in a consistent state), the Uninitialized EDMEM Read Errors will trigger fatal CM error that will result in line card reboot (the default action of fatal CM error). PR1032958 • During an in-service software upgrade (ISSU), if the ISSU aborts after upgrading backup Routing Engine (RE) to the new release, it is possible that the backup RE fails to decode Copyright © 2016, Juniper Networks, Inc. Resolved Issues the message from the master RE which is running the old release, causing the ksyncd process crash on backup RE and vmcores (live core) generated on both REs. The master RE will not be upgraded and the backup RE will remain with the new release. There is no rollback to old release. We have to manually bring backup RE to old release. PR1035777 • In previous versions, a detection mechanism is added for FPC, when single RKME_INT error is encountered, the FPC will be restarted. Now, the behavior is changed, so that the FPC will not be restarted when the error occurs. PR1036506 • Sometimes AE vlan ifl output byte counters are shown as large value and it is a generic issue. PR1036813 • In a subscriber scenario with auto-sensed VLAN configured, after scaled subscribers (in this case, 16K subscribers) login/logout for several times, the subscriber management process might stuck and not able to restart due to a Session Database (SDB) deadlock issue. PR1041094 • On T Series FPC 1-3 and M320 except E3-FPC with fib-local configuration. If there are multiple FIB local FPCs or the FIB local is a multiple PFE FPC, the TCP packets might out of order, packets re-ordering would occur. It reduces the application level throughput for any protocols running over TCP. PR1049613 Interfaces and Chassis • With vrf-table-label configured on the routing-instances, when an FPC with Enhanced IQ (IQE) PIC is sharing the same Forwarding Engine Board (FEB) with another FPC, and the FEB has two core-facing interfaces configured with the family mpls on the aforementioned FPCs separately, the label-switched interface (LSI) might be removed incorrectly on the working FPC when the other FPC with IQE PIC is set to offline. PR1027034 • PTX with 2x100Gig PIC might return incorrect values for jnxOtnIntervalOtuFec15minCorrectedErrors and jnxOtnCurrentOtuFec15minCorrectedErrors. This is happening because 2x100Gig PIC is not supporting jnx-otn.mib. Instead please use jnx-ifotn.mib or jnx-bl.mib. With this fix, the jnx-otn.mib should not return anything on 2x100Gig PIC. $ snmpwalk -v 2c -Obs -c public [IP address] jnxOtnIntervalOtuFec15minCorrectedErrors jnxOtnIntervalOtuFec15minCorrectedErrors = No Such Instance currently exists at this OID $ snmpwalk -v 2c -Obs -c public [IP address] jnxOtnCurrentOtuFec15minCorrectedErrors jnxOtnCurrentOtuFec15minCorrectedErrors = No Such Instance currently exists at this OID On 4x100Gig PIC using jnx-otn.mib for jnxOtnIntervalOtuFec15minCorrectedErrors and jnxOtnCurrentOtuFec15minCorrectedErrors, the correct values are reported if the error rate is below 900. Otherwise the CLI values will give us the right data. PR1038577 • FRR switching time is much higher than 50 ms (e.g., might be 400-900 ms) when protected links are located on MX Series Gigabit Ethernet enhanced and hardened MICs (that is the MIC model name ends with -E or -EH, currently, the supported MICs are MIC-3D-20GE-SFP-E and MIC-3D-20GE-SFP-EH). PR1038999 • Using PPP authentication with a specifically crafted PAP Authenticate-Request may cause the Juniper Networks PPP daemon (jpppd) to crash and restart. After PPPoE Copyright © 2016, Juniper Networks, Inc. 237 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Discovery and LCP phase is successfully negotiated, when the crafted PAP Authenticate-Request is received, jpppd crashes and no response is sent by the broadband edge router to the subscriber. The jpppd continues to crash every time the subscriber re-sends the PAP Authenticate-Request. Refer to JSA10665 for more information. PR1040665 • For Ethernet OAM/CFM, if maintenance-association (MA) ICC format name of length less than 13 characters (13 bytes) is used, deactivate/activate of “protocol oam” might cause CFM operation failures. The 'Cross-connect CCM received’ alarm will be seen. There can be other triggers also. ITU CARRIER CODE format uses fixed length size for MA NAME (13 octets). Junos OS creates and maintains the actual size configured by user. However, the length it maintains is 13 octets. For lower the size MA name, the value accessed is not deterministic. It would work fine if the subsequent memory is initialized to zero. Otherwise, it will declare cross-connect error as the accessed MA name to be different compared to the remote end. PR1041482 Layer 2 Features • LDP-VPLS with BGP autodiscovery stays down after GRES event when NSR is enabled. PR1046887 Layer 2 Ethernet Services • With Link Aggregation Control Protocol (LACP) enabled for aggregated Ethernet (AE) bundles, in rare cases, the interface add message for an old logical interface (IFL) exists in queue that has not got destroyed, while processing this, the old IFL does not exists and it leads to lacpd process crash and all AE bundles flap. PR1015989 MPLS 238 • In scenario of egress-protection using stub-alias advertise mode where Point of Local Repair (PLR) use 'dynamic-rsvp-lsp' in LDP link protection, if protected PE get isolated, unexpected packet drops will be observed. PR1030815 • When configuring point-to-multipoint (P2MP) Label Distribution Protocol (LDP) label-switched paths (LSPs), the labels will never be freed even though they are no longer needed. This could lead to MPLS label exhaustion eventually. To clear the state, the rpd process will restart with core files. PR1032061 • When an LDP-enabled router receives an LDP label mapping message that includes an unknown TLVs with an unknown and forward bit set, the unknown TLV will be re-advertised along with the LDP message to the upstream LSR. However, due to a merge issue, Junos OS appends these unknown TLVs multiple times during construction of the label mapping message and will have an unknown TLV(0x0000) with length 0 among the appended unknown TLVs. This causes the LDP session with the peer that receives this message to flap. PR1037917 Copyright © 2016, Juniper Networks, Inc. Resolved Issues Platform and Infrastructure • With inline jflow enabled, if the low 12 bits of the packet counter are zero (0x000) while copying packets count from hash record into flow export packet, the packetDeltaCount counter might be incorrect in inline jflow records. There is no traffic impact, but this may impact billing. PR886222 • All inline-services do not work for high MPC slot numbers on MX2020. It is due to generic issue in receiving packets. The egress Packet Forwarding Engine instance was chosen incorrectly. PR1012222 • When receiving traffic coming on MPC and going out on DPC, an Ethernet frame with known DMAC will be flooded to the whole bridge domain after flapping the link which the given MAC is learned for more than 32 times. PR1026879 • The commit synchronize command fails because the kernel socket gets stuck. PR1027898 • Junos OS reserves the prefix "junos-" for the identifiers of configurations defined within the junos-defaults configuration group. User-defined identifiers cannot start with the string "junos-". Due to a defect, prior to Junos OS Release 13.3R1, if you configured user-defined identifiers through the CLI using the reserved prefix, the commit would incorrectly succeed. This issue is fixed in 13.3R1 and above releases, configurations that currently contain the reserved prefix for user-defined identifiers other than junos-defaults configuration group identifiers will now correctly result in a commit error in the CLI. But these different behaviors will block software upgrade from Junos OS release before 13.3R1 to Junos OS release 13.3R1 or later. With the new fix, the behavior would be changed to display a warning when a reserved identifier is configured. But commit would go through as shown below: user@router# set applications application junos-tcp protocol tcp warning: Modifying reserved identifier junos-tcp is deprecated [edit] user@router# commit commit complete PR1032119 • Port-Scheduler:Queues are starving with Scheduler on egress port in WAN-PHY mode PR1035988 • On Trio-based platform, when using inline Two-Way Active Measurement Protocol (TWAMP) server (the server address is the inline service interface address), because the TWAMP server may incorrectly calculate the packet checksum, the packet may get dropped on the TWAMP client. PR1042132 • For Junos OS version 13.3R5, if an IPv6 firewall (FW) filter has matching condition 'from payload-protocol' or 'from payload-protocol-except', and the FW filter is applied on DPC card interface or loopback interface, the 'from payload-protocol' statement might be ignored and resulting in the IPv6 FW filter not working well. PR1049590 Routing Protocols • In Protocol Independent Multicast (PIM) environment, during processing assert event, routing protocol process (rpd) crash may occur while getting into situation where there is no SG node but there is assert state present. PR907797 • If with accounting/sampling enabled, an unnecessary update from the routing protocol process (rpd) to the route record database might be triggered by certain configuration Copyright © 2016, Juniper Networks, Inc. 239 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion change. This process causes jump in CPU utilization of all Packet Forwarding Engines. PR1002107 • When policy LFA is being used and backup path selection is first based on the root-metric criteria, the root-metric should be taken from the link metric connecting source to the backup neighbor (the one-hop neighbor or a remote router such as an RSVP backup LSP tail-end router), but it is now taken from the shortest-path-first (SPF) metric from source to backup neighbor if root-metric highest is configured. In some topologies, if the two metrics are different, IS-IS might select incorrect backup next-hop. PR1031408 • When "clear bfd session" is issued immediately (before the Poll - Final sequence is completed) post config check-in for interval change from higher to lower minimum-interval value, BFD sessions don't revert to lower interval. PR1033231 • OpenSSL released a Security Advisory on 15 Oct 2014 that included CVE-2014-3566 known as the "POODLE" vulnerability. The SSL protocol 3.0 (SSLv3) uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack. OpenSSL has been upgraded to 0.9.8zc (pre-Junos OS 13.3) and 1.0.1j (Junos OS 13.3+), adding support for SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV). Refer to JSA10656 for more information. PR1033938 • The micro BFD sessions won't come up if incoming untagged micro BFD packets contain a source MAC where the last 12 bits are zero. PR1035295 • If an IFL is used as the qualified-next-hop (which implies the IFL has unnumbered-address configured), and there are changes in the IFL filter configuration, then the static route might disappear from routing table. To make it reappear, need to delete it from the configuration and add it back. PR1035598 • Issue in populating isisRouterTable values. Some entries are not filled correctly. This does not block/affect the functionality of ISIS or other components. PR1040234 • Junos: RPD cores on receiving a crafted L2VPN family BGP update (CVE-2016-1270). Refer to https://kb.juniper.net/JSA10737 for more information. PR1041189 • BFD session might reset on commit if version is configured. The adaptive RX interval gets set to 0 which results in the reset. A sample configuration of BFD version is as following: protocols { bgp { bfd-liveness-detection { version 1; minimum-interval 1000; transmit-interval { minimum-interval 1000; } } } PR1045037 Services Applications 240 • In L2TP scenario, when the LNS is flooded by high rate L2TP messages from LAC, the CPU on RE might keep too busy to bring up new sessions. PR990081 • The cause of the kmd crash is not known. This is not due to SA(Security Associations) memory corruption. The code looks that SA is getting freed without clearing the table entry. PR1036023 • On MX Seriesplatform, when using the MS-DPC with MPSDK to support Captive Portal Content Delivery (cpcd) service, the MAC may get stuck on the FPC due to processing the high rate of packets (for example, 5kpps HTTP traffic). In addition, reloading the Copyright © 2016, Juniper Networks, Inc. Resolved Issues affected FPC may only temporarily resolve the issue while it will appear again once scaling up. PR1037143 VPNs Related Documentation • Problem Description The problem is that MSDP is periodically polling PIM for S,G's to determine if the S,G is still active. This check helps MSDP determine if the source is active and therefore the SA still be sent. There is a possibility that PIM will return that the S,G is no longer active which causes MSDP to remove the MSDP state and notify MVPN to remove the Type 5. One of the checks PIM makes is to determine if it is the local RP for the S,G. During a re-configuration period where any commit is done, PIM re-evaluates whether it is a local RP. It waits until all the configuration is read and all the interfaces have come up before making this determination. The local rp state is cleared out early in this RP re-evaluation process, however, which allows for a window of time where the local RP state was cleared out but it has not yet been re-evaluated. During this window PIM may believe it is not the local rp and return FALSE to MSDP for the given source. If MSDP makes the call into PIM during this window after a configuration change(commit), then it is possible that the Source Active(Type 5) state will be removed. Fix The fix will be to clear out the local rp state right before it is re-evaluated ie after it reads configuration for all interfaces; to not allow any time gap where it could be inconsistent. PR1015155 • On MX-VC platform, if there is a scaling number of MVPN routes, after adding a new interface in the MVPN instance or changing the traceoptions related configuration, the CPU on RE might experience a high utilization for about 10min. PR1027596 • Upon receipt of a large set of label blocks containing an updated BGP local preference (due to configuration changes on IBGP peers), RPD may crash with a NULL pointer access exception. The crash was triggered by a large number of BGP-VPLS advertisements with updated BGP local preference values. Refer to JSA10687 for more information. WARNING:Juniper-Confidential-SIRT-PR:see-external-tab! PR1047437 • In the VPLS environment with Multichassis link aggregation groups (MC-LAGs) configuration, the standby neighbor is configured with hot-standby mode. If the active link on MC-LAG members facing towards CE is changed continually (i.e active to standby and standby to active), in rare condition, the traffic might not shift correctly, and the rpd process might crash. PR1050737 • New and Changed Features on page 65 • Changes in Behavior and Syntax on page 104 • Known Behavior on page 119 • Known Issues on page 121 • Documentation Updates on page 242 • Migration, Upgrade, and Downgrade Instructions on page 250 • Product Compatibility on page 260 Copyright © 2016, Juniper Networks, Inc. 241 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Documentation Updates This section lists the errata and changes in Junos OS Release 14.2R7 documentation for the M Series, MX Series, and T Series. • Adaptive Services Interfaces Feature Guide for Routing Devices on page 242 • Broadband Subscriber VLANs and Interfaces Feature Guide on page 243 • High Availability Feature Guide for Routing Devices on page 244 • Monitoring, Sampling, and Collection Services Interfaces Feature Guide for Routing Devices on page 244 • MPLS Applications Feature Guide for Routing Devices on page 245 • Overview for Routing Devices on page 245 • Release Notes on page 245 • Routing Policies, Firewall Filters, and Traffic Policers Feature Guide for Routing Devices on page 246 • Services Interfaces Configuration Guide on page 246 • Standards Reference on page 246 • Subscriber Access Protocols Feature Guide on page 246 • Subscriber Management Access Network Guide on page 247 • Subscriber Management Provisioning Guide on page 248 • Traffic Sampling, Forwarding, and Monitoring Feature Guide for Routing Devices on page 249 • Tunnel and Encryption Services Interfaces Feature Guide for Routing Devices on page 249 • User Access and Authorization Feature Guide for Routing Devices on page 249 • VPNs Library for Routing Devices on page 249 Adaptive Services Interfaces Feature Guide for Routing Devices • The following items describe updates for aggregated multiservices (AMS) interfaces information: • The description for the rejoin-timeout statement under the hierarchy [edit interfaces interface-name load-balancing-options member-failure-options drop-member-traffic] should be changed to the following: Configure the time by when failed members (members in the DISCARD state) should rejoin the aggregated multiservices (AMS) interface automatically. All members that do not rejoin by the configured time are moved to the INACTIVE state, and the traffic meant for each of the members is dropped. If multiple members fail around the same time, then they are held in the DISCARD state using a single timer. When the timer expires, all the failed members move to INACTIVE state at the same time. • 242 The following information should be added to the “Aggregated Multiservices Interface” section in the “Understanding Aggregated Multiservices Interfaces” topic: Copyright © 2016, Juniper Networks, Inc. Documentation Updates Member interfaces are identified as mams in the configuration. The chassisd process in routers that support AMS configuration creates a mams entry for every multiservices interface on the router. When you configure services-options at the ams interface level, the options apply to all member interfaces (mams) for the ams interface. The options also apply to service sets configured on ms- interfaces corresponding to the ams interface’s member interfaces. All settings are per PIC. For example, session-limit applies per member and not at an aggregate level. NOTE: You cannot configure services-options at both the ams (aggregate) and member-interface level. If services-options is configured on ms-x/y/z, it also applies to service sets on mams-x/y/z. When you want services-options settings to apply uniformly to all members, configure services-options at the ams interface level. If you need different settings for individual members (for example, because of a syslog configuration), configure services-options at the member-interface level. • The show interfaces load-balancing command topic should include the following description for Last change in the table: Time elapsed since the last change to the interface. Changes that affect the elapsed time displayed include internal events that might not have changed the state of any member. • The “Configuring Secured Port Block Allocation,” “port,” and “secured-port-block-allocation” topics should include the following note: If you make any configuration changes to a NAT pool that has secured port block allocation configured, you must delete the existing NAT address pool, wait at least 5 seconds, and then configure a new NAT address pool. We also strongly recommend that you perform this procedure if you make any changes to the NAT pool configuration, even if you do not have secured port block allocation configured. • The descriptions in the “Options” section of the IPsec protocol statement at the [edit services ipsec-vpn ipsec proposal proposal-name] and [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy levels fail to state that the ah and bundle options are not supported on MS-MPCs and MS-MICs on MX Series routers. Broadband Subscriber VLANs and Interfaces Feature Guide • The table in topic “AAA Access Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS,” incorrectly indicates that VSA 26-1 (Virtual-Router) supports CoA Request messages. VSA 26-1 does not support CoA Request messages. • The show subscribers topic in the Broadband Subscriber VLANs and Interfaces Feature Guide does not fully describe the vlan-id vlan-id option. This option displays information about active subscribers using a VLAN where the VLAN tag matches the specified Copyright © 2016, Juniper Networks, Inc. 243 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion VLAN ID. The topic fails to mention that these subscriber VLANs can be either single-tagged or double-tagged. The command output includes information about subscribers using double-tagged VLANs when the inner VLAN tag matches the specified VLAN ID. The command output does not distinguish between these two types of subscribers. To display only subscribers where the specified value matches only double-tagged VLANs, use the stacked-vlan-id stacked-vlan-id option to match the outer VLAN tag instead of the vlan-id vlan-id option. High Availability Feature Guide for Routing Devices • The "Nonstop Active Routing System Requirements" topic should include the inet-mvpn and inet6-mvpn protocol families for BGP in the list of supported family types. The topic previously documented that NSR supports next-generation MVPN starting with Junos OS 14.1R1, but didn't include the specific names of the next-generation MVPN protocol families in the list. • The topic “Improving the Convergence Time for VRRP” failed to include the following information: • Disable duplication address detection for IPv6 interfaces—Duplicate address detection is a feature of the Neighbor Discovery Protocol for IPv6. Duplicate address detection is enabled by default and determines whether an address is already in use by another node. When duplicate address detection is enabled, convergence time is high after an IPv6 interface that has been configured for VRRP tracking comes up. To disable duplicate address detection, include the ipv6-duplicate-addr-translation transmits 0 statement at the [edit system internet-options] hierarchy level. To disable duplicate address detection only for a specific interface, include the dad-disable statement at the [edit interfaces interface-name unit logical-unit-number family inet6] hierarchy level. Monitoring, Sampling, and Collection Services Interfaces Feature Guide for Routing Devices • The Options section for the flow-export-rate statement under the hierarchy [edit forwarding-options sampling instance instance-name family inet output inline-jlow] did not include the default value. The default value is: Default: 1 for each Packet Forwarding Engine on the FPC to which the sampling instance is applied. • The default value for the ipv6-flow-table-size statement at the [edit chassis fpc slot-number inline-services ipv6 flow-table-size] hierarchy level should state the following: “If the number of units is not specified, 1024 flow entries are allocated for IPv6.” • 244 The description for the max-packets-per-second, maximum-packet-length, and run-length statements at the [edit forwarding-options sampling instance instance-name input] hierarchy level failed to include the following: Copyright © 2016, Juniper Networks, Inc. Documentation Updates NOTE: This statement is not supported when you configure inline flow monitoring (by including the inline-jflow statement at the [edit forwarding-options sampling instance instance-name family (inet | inet6) output] hierarchy level). • The “Configuring RPM Timestamping” topic failed to mention that RPM timestamping is also supported on the MS-MPCs and MS-MICs on MX Series routers. MPLS Applications Feature Guide for Routing Devices • The "Configuring Miscellaneous LDP Properties," "Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols," "authentication-key-chain (LDP)," and "authentication-key-chain (BGP and BMP)” topics should include the following information: You must also configure the authentication algorithm using the authentication-algorithm algorithm statement. This statement must be included at the [edit protocols (bgp | ldp)] hierarchy level when you configure the authentication-key-chain key-chain statement at the [edit protocols (bgp | ldp)] hierarchy level. • The "Path Computation for LSPs on an Overloaded Router" topic should state that when you set the overload bit on a router running IS-IS, only new LSPs are prevented from transiting through the router. Any existing Constrained Path Shortest First (CPSF) LSPs remain active and continue to transit through the router. The documentation incorrectly states that any existing LSPs transiting through the router are also rerouted when you configure the overload bit on an IS-IS router. Overview for Routing Devices • The "Configuring Automatic Mirroring of the CompactFlash Card on the Hard Disk Drive" and the "mirror-flash-on-disk" topics should not include support for MX5, MX10, and MX40 3D Universal Edge Routers. On the MX Series, this feature is supported only on the MX104, MX240, MX480, MX960, MX2010, and MX2020 routers. Release Notes • The PR928128 was incorrectly included as a known issue in the release notes for the following Junos OS releases: • 14.2R1 Release Notes • 14.2R2 Release Notes • 14.2R3 Release Notes • 14.2R4 Release Notes • 14.2R5 Release Notes Copyright © 2016, Juniper Networks, Inc. 245 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion This issue was fixed before the 14.2R1 Release. Routing Policies, Firewall Filters, and Traffic Policers Feature Guide for Routing Devices • The table in the “Firewall Filter Nonterminating Actions” topic failed to mention that Juniper Networks recommends you do not use the nonterminating firewall filter action next-hop-group with the port-mirror-instance or port-mirror action in the same firewall filter. Services Interfaces Configuration Guide • The following information regarding the restriction on prefix lengths that can be configured in NAT pools on MS-MPCs and MS-MICs applies to the "Configuring Source and Destination Addresses Network Address Translation Overview " section of the "Network Address Translation Rules Overiew" topic: On MX Series routers with MS-MPCs and MS-MICs, if you configure a NAT address pool with a prefix length that is equal to or greater than /16, the PIC does not contain sufficient memory to provision the configured pool. Also, memory utilization problems might occur if you attempt to configure many pools whose combined total IP addresses exceed /16. In such circumstances, a system logging message is generated stating that the NAT pool name has failed to be created and that the service set is not activated. On MS-MPCs and MS-MICs, you must not configure NAT pools with prefix lengths greater than /16. Standards Reference • The Supported Network Management Standards topic incorrectly states that Junos OS supports mplsL3VpnIfConfTable as part of compliance with RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) MIB. Junos OS does not support this table. Subscriber Access Protocols Feature Guide 246 Copyright © 2016, Juniper Networks, Inc. Documentation Updates • The LAC Tunnel Selection Overview, Configuring Weighted Load Balancing for LAC Tunnel Sessions and weighted-load-balancing (L2TP LAC) topics in the Junos OS Broadband Subscriber Management and Services libraries incorrectly describe how weighted load balancing works on an L2TP LAC. The topics state that the tunnel with the highest weight (highest session limit) within a preference level is selected until it has reached its maximum sessions limit, and then the tunnel with the next higher weight is selected, and so on. In fact, when weighted load balancing is configured, tunnels are selected randomly within a preference level, but the distribution of selected tunnels is related to their weight. The LAC generates a random number within a range equal to the aggregate total of all session limits for all tunnels in the preference level. Portions of the range—pools of numbers—are associated with the tunnels according to their weight; a higher weight results in a larger pool. The random number is more likely to be in a larger pool, so a tunnel with a higher weight (larger pool) is more likely to be selected than a tunnel with a lower weight (smaller pool). For example, consider a level that has only two tunnels, A and B. Tunnel A has a maximum sessions limit of 1000 and tunnel B has a limit of 2000 sessions, resulting in an aggregate total of 3000 sessions. The LAC generates a random number in the range from 0 through 2999. A pool of 1000 numbers, the portion of the range from 0 through 999, is associated with tunnel A. A pool of 2000 numbers, the portion of the range from 1000 through 2999, is associated with tunnel B. If the generated number is less than 1000, then tunnel A is selected, even though it has a lower weight than tunnel B. If the generated number is 1000 or larger, then tunnel B is selected. Because the pool of possible generated numbers for tunnel B (2000) is twice that for tunnel A (1000), tunnel B is, on average, selected twice as often as tunnel A. Subscriber Management Access Network Guide • The LAC Tunnel Selection Overview, Configuring Weighted Load Balancing for LAC Tunnel Sessions and weighted-load-balancing (L2TP LAC) topics in the Junos OS Broadband Subscriber Management and Services libraries incorrectly describe how weighted load balancing works on an L2TP LAC. The topics state that the tunnel with the highest weight (highest session limit) within a preference level is selected until it has reached its maximum sessions limit, and then the tunnel with the next higher weight is selected, and so on. In fact, when weighted load balancing is configured, tunnels are selected randomly within a preference level, but the distribution of selected tunnels is related to their weight. The LAC generates a random number within a range equal to the aggregate total of all session limits for all tunnels in the preference level. Portions of the range—pools of numbers—are associated with the tunnels according to their weight; a higher weight results in a larger pool. The random number is more likely to be in a larger pool, so a tunnel with a higher weight (larger pool) is more likely to be selected than a tunnel with a lower weight (smaller pool). For example, consider a level that has only two tunnels, A and B. Tunnel A has a maximum sessions limit of 1000 and tunnel B has a limit of 2000 sessions, resulting in an aggregate total of 3000 sessions. The LAC generates a random number in the range from 0 through 2999. A pool of 1000 numbers, the portion of the range from 0 Copyright © 2016, Juniper Networks, Inc. 247 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion through 999, is associated with tunnel A. A pool of 2000 numbers, the portion of the range from 1000 through 2999, is associated with tunnel B. If the generated number is less than 1000, then tunnel A is selected, even though it has a lower weight than tunnel B. If the generated number is 1000 or larger, then tunnel B is selected. Because the pool of possible generated numbers for tunnel B (2000) is twice that for tunnel A (1000), tunnel B is, on average, selected twice as often as tunnel A. • The Pseudowire Subscriber Logical Interfaces Overview and Configuring a Pseudowire Subscriber Logical Interface topics have been updated in Junos OS Release 14.2R6 to state that VLAN demux interfaces are not supported over pseudowire subscriber logical interfaces. Earlier versions of these topics omitted this information. Subscriber Management Provisioning Guide • The following topics erroneously include information about the Ignore-DF-Bit VSA (26-70): “RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework,” “Juniper Networks VSAs Supported by the AAA Service Framework”, and “AAA Access Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS.” Junos OS does not support VSA 26-70. Some versions of the RADIUS dictionary file also erroneously list 26-70 as supported by the Junos OS. • In the Broadband Subscriber Sessions Feature Guide, the show network-access aaa radius servers command topic includes a table that describes the output fields for the command. The table entry for the Status field does not clearly explain when a request starts and ends. The following information has been added to the NOTE in that table entry: For the purpose of marking a server as Down (DEAD), the request includes the original request and any retries that are configured. The 10-second timeout period starts after the initial request and all retries have expired without receiving a response from the server. The amount of the timeout period that elapses before the server is marked Down is not always exactly 10 seconds, and can vary depending on how frequently subscribers are logging in. When subscribers are continually and rapidly logging in, the server is marked as Down at 10 seconds. However, if subscribers are logging in less frequently and at a slower pace, then the server is not marked Down until a subsequent subscriber attempts to log in. For example, if the subsequent subscriber logs in a minute after the request and all retries lapse, and the 10-second timeout starts, the actual time until the server is marked Down is 50 seconds after the timeout starts (the one minute between subscriber login minus the 10-second timeout). 248 Copyright © 2016, Juniper Networks, Inc. Documentation Updates Traffic Sampling, Forwarding, and Monitoring Feature Guide for Routing Devices • The enhanced-hash-key configuration statement topic fails to mention that the src-prefix-len option is available for configuration at the [edit forwarding-options enhanced-hash-key family inet6 layer-3-services src-prefix-len] hierarchy level. You can use the src-prefix-len option to include the source prefix length in the hash key for enhanced IP forwarding engines. Tunnel and Encryption Services Interfaces Feature Guide for Routing Devices • The “Configuring Unicast Tunnels” topic incorrectly shows the backup-destination statement. This statement does not apply to unicast tunnels. User Access and Authorization Feature Guide for Routing Devices • The “Configuring the SSH Protocol Version” topic incorrectly states that both version 1 and version 2 of the SSH protocol are enabled by default. The topic should state that version 2 of the SSH protocol is enabled by default, and you must explicitly configure version 1 if you want to enable it. • The "Example: DHCP Complete Configuration" and "dchp" topics should not include support for the MX Series Universal Edge 3D Routers. This feature is supported only on the M Series and the T Series. VPNs Library for Routing Devices • The “Routing Instances Overview” topic should include the following instance types: Ethernet VPN (EVPN) and Internet Multicast over MPLS. Use the Ehternet VPN instance type, which is supported on the MX Series only, to connect a group of dispersed customer sites using a Layer 2 virtual bridge. Use the Internet Multicast over MPLS instance type to provide support for ingress replication provider tunnels to carry IP multicast data between routers through an MPLS cloud, using MBGP or next-generation MVPN. To configure an EVPN instance type, include the evpn statement at the [edit routing-instances routing-instance-name instance-type] hierarchy level. To configure an Internet Multicast over MPLS instance type, include the mpls-internet-multicast statement at the [edit routing-instances routing-instance-name instance-type] hierarchy level. Related Documentation • New and Changed Features on page 65 • Changes in Behavior and Syntax on page 104 • Known Behavior on page 119 • Known Issues on page 121 • Migration, Upgrade, and Downgrade Instructions on page 250 • Product Compatibility on page 260 Copyright © 2016, Juniper Networks, Inc. 249 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Migration, Upgrade, and Downgrade Instructions This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS for the M Series, MX Series, and T Series. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. • Basic Procedure for Upgrading to Release 14.2 on page 250 • Upgrade and Downgrade Support Policy for Junos OS Releases on page 253 • Upgrading a Router with Redundant Routing Engines on page 253 • Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1 on page 254 • Upgrading the Software for a Routing Matrix on page 255 • Upgrading Using Unified ISSU on page 256 • Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR on page 257 • Downgrading from Release 14.2 on page 258 • Changes Planned for Future Releases on page 258 Basic Procedure for Upgrading to Release 14.2 In order to upgrade to Junos OS 10.0 or later, you must be running Junos OS 9.0S2, 9.1S1, 9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or you must specify the no-validate option on the request system software install command. When upgrading or downgrading Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide. NOTE: With Junos OS Release 9.0 and later, the compact flash disk memory requirement for Junos OS is 1 GB. For M7i and M10i routers with only 256 MB memory, see the Customer Support Center JTAC Technical Bulletin PSN-2007-10-001 at https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001 &actionBtn=Search 250 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions NOTE: Before upgrading, back up the file system and the currently active Junos OS configuration so that you can recover to a known, stable environment in case the upgrade is unsuccessful. Issue the following command: user@host> request system snapshot The installation process rebuilds the file system and completely reinstalls Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the routing platform, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files) might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS Administration Library for Routing Devices. Copyright © 2016, Juniper Networks, Inc. 251 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion The download and installation process for Junos OS Release 14.2 is different from previous Junos OS releases. 1. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage: http://www.juniper.net/support/downloads/ 2. Select the name of the Junos platform for the software that you want to download. 3. Select the release number (the number of the software version that you want to download) from the Release drop-down list to the right of the Download Software page. 4. Select the Software tab. 5. In the Install Package section of the Software tab, select the software package for the release. 6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. 7. Review and accept the End User License Agreement. 8. Download the software to a local host. 9. Copy the software to the routing platform or to your internal software distribution site. 10. Install the new jinstall package on the routing platform. NOTE: We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process. Customers in the United States and Canada, use the following command: user@host> request system software add validate reboot source/jinstall-14.2R6.5-domestic-signed.tgz All other customers, use the following command: user@host> request system software add validate reboot source/jinstall-14.2R6.5-export-signed.tgz Replace source with one of the following values: • /pathname—For a software package that is installed from a local directory on the router. • 252 For software packages that are downloaded and installed from a remote location: • ftp://hostname/pathname • http://hostname/pathname • scp://hostname/pathname (available only for Canada and U.S. version) Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release. Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes. Rebooting occurs only if the upgrade is successful. NOTE: After you install a Junos OS Release 14.2 jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software. Upgrade and Downgrade Support Policy for Junos OS Releases Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases. You can upgrade or downgrade to the EEOL release that occurs directly before or after the currently installed EEOL release, or to two EEOL releases before or after. For example, Junos OS Releases 11.4, 12.3, and 13.3 are EEOL releases. You can upgrade from Junos OS Release 11.4 to Release 12.3 or even from Junos OS Release 11.4 to Release 13.3. However, you cannot upgrade directly from a non-EEOL release that is more than three releases ahead or behind. For example, you cannot directly upgrade from Junos OS Release 12.1 (a non-EEOL release) to Junos OS Release 13.3 or directly downgrade from Junos OS Release 13.3 to Junos OS Release 12.1. To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release. For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html Upgrading a Router with Redundant Routing Engines If the router has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to avoid disrupting network operation as follows: 1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine and save the configuration change to both Routing Engines. 2. Install the new Junos OS release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine. Copyright © 2016, Juniper Networks, Inc. 253 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software. 4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine. For the detailed procedure, see the Installation and Upgrade Guide. Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS Release 10.1 In releases prior to Junos OS Release 10.1, the draft-rosen multicast VPN feature implements the unicast lo0.x address configured within that instance as the source address used to establish PIM neighbors and create the multicast tunnel. In this mode, the multicast VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages. In Junos OS Release 10.1 and later, you can use the router’s main instance loopback (lo0.0) address (rather than the multicast VPN loopback address) to establish the PIM state for the multicast VPN. We strongly recommend that you perform the following procedure when upgrading to Junos OS Release 10.1 if your draft-rosen multicast VPN network includes both Juniper Network routers and other vendors’ routers functioning as provider edge (PE) routers. Doing so preserves multicast VPN connectivity throughout the upgrade process. Because Junos OS Release 10.1 supports using the router’s main instance loopback (lo0.0) address, it is no longer necessary for the multicast VPN loopback address to match the main instance loopback adddress lo0.0 to maintain interoperability. NOTE: You might want to maintain a multicast VPN instance lo0.x address to use for protocol peering (such as IBGP sessions), or as a stable router identifier, or to support the PIM bootstrap server function within the VPN instance. Complete the following steps when upgrading routers in your draft-rosen multicast VPN network to Junos OS Release 10.1 if you want to configure the routers’s main instance loopback address for draft-rosen multicast VPN: 1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the loopback address for draft-rosen Multicast VPN. NOTE: Do not configure the new feature until all the M7i and M10i routers in the network have been upgraded to Junos OS Release 10.1. 2. After you have upgraded all routers, configure each router’s main instance loopback address as the source address for multicast interfaces. Include the default-vpn-source interface-name loopback-interface-name] statement at the [edit protocols pim] hierarchy level. 254 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions 3. After you have configured the router’s main loopback address on each PE router, delete the multicast VPN loopback address (lo0.x) from all routers. We also recommend that you remove the multicast VPN loopback address from all PE routers from other vendors. In Junos OS releases prior to 10.1, to ensure interoperability with other vendors’ routers in a draft-rosen multicast VPN network, you had to perform additional configuration. Remove that configuration from both the Juniper Networks routers and the other vendors’ routers. This configuration should be on Juniper Networks routers and on the other vendors’ routers where you configured the lo0.mvpn address in each VRF instance as the same address as the main loopback (lo0.0) address. This configuration is not required when you upgrade to Junos OS Release 10.1 and use the main loopback address as the source address for multicast interfaces. NOTE: To maintain a loopback address for a specific instance, configure a loopback address value that does not match the main instance address (lo0.0). For more information about configuring the draft-rosen Multicast VPN feature, see the Multicast Protocols Feature Guide for Routing Devices. Upgrading the Software for a Routing Matrix A routing matrix can be either a TX Matrix router as the switch-card chassis (SCC) or a TX Matrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade software for a TX Matrix router or a TX Matrix Plus router, the new image is loaded onto the TX Matrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or sfc option) and distributed to all line-card chassis (LCCs) in the routing matrix (specified in the Junos OS CLI by using the lcc option). To avoid network disruption during the upgrade, ensure the following conditions before beginning the upgrade process: • A minimum of free disk space and DRAM on each Routing Engine. The software upgrade will fail on any Routing Engine without the required amount of free disk space and DRAM. To determine the amount of disk space currently available on all Routing Engines of the routing matrix, use the CLI show system storage command. To determine the amount of DRAM currently available on all the Routing Engines in the routing matrix, use the CLI show chassis routing-engine command. • The master Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and all LCCs connected to the SCC or SFC are all re0 or are all re1. • The backup Routing Engines of the TX Matrix or TX Matrix Plus router (SCC or SFC) and all LCCs connected to the SCC or SFC are all re1 or are all re0. • All master Routing Engines in all routers run the same version of software. This is necessary for the routing matrix to operate. • All master and backup Routing Engines run the same version of software before beginning the upgrade procedure. Different versions of the Junos OS can have incompatible message formats especially if you turn on GRES. Because the steps in Copyright © 2016, Juniper Networks, Inc. 255 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion the process include changing mastership, running the same version of software is recommended. • For a routing matrix with a TX Matrix router, the same Routing Engine model is used within a TX Matrix router (SCC) and within a T640 router (LCC) of a routing matrix. For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using two RE-1600s is supported. However, an SCC or an LCC with two different Routing Engine models is not supported. We suggest that all Routing Engines be the same model throughout all routers in the routing matrix. To determine the Routing Engine type, use the CLI show chassis hardware | match routing command. • For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G or RE-DUO-C1800-16G Routing Engines. BEST PRACTICE: Make sure that all master Routing Engines are re0 and all backup Routing Engines are re1 (or vice versa). For the purposes of this document, the master Routing Engine is re0 and the backup Routing Engine is re1. To upgrade the software for a routing matrix, perform the following steps: 1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine (re0) and save the configuration change to both Routing Engines. 2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping the currently running software version on the master Routing Engine (re0). 3. Load the new Junos OS on the backup Routing Engine. After making sure that the new software version is running correctly on the backup Routing Engine (re1), switch mastership back to the original master Routing Engine (re0) to activate the new software. 4. Install the new software on the new backup Routing Engine (re0). For the detailed procedure, see the Routing Matrix with a TX Matrix Router Deployment Guide or the Routing Matrix with a TX Matrix Plus Router Deployment Guide. Upgrading Using Unified ISSU Unified in-service software upgrade (ISSU) enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic. Unified in-service software upgrade is only supported by dual Routing Engine platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. For additional information about using unified in-service software upgrade, see the High Availability Feature Guide for Routing Devices. 256 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the following PIM features are not currently supported with NSR. The commit operation fails if the configuration includes both NSR and one or more of these features: • Anycast RP • Draft-Rosen multicast VPNs (MVPNs) • Local RP • Next-generation MVPNs with PIM provider tunnels • PIM join load balancing Junos OS Release 9.3 introduced a new configuration statement that disables NSR for PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features, not only incompatible features.) If neither NSR nor PIM is enabled on the router to be upgraded or if one of the unsupported PIM features is enabled but NSR is not enabled, no additional steps are necessary and you can use the standard upgrade procedure described in other sections of these instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use the standard reboot or ISSU procedures described in the other sections of these instructions. Because the nonstop-routing disable statement was not available in Junos OS Release 9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to be upgraded from Junos OS Release 9.2 or earlier to a later release, you must disable PIM before the upgrade and reenable it after the router is running the upgraded Junos OS and you have entered the nonstop-routing disable statement. If your router is running Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR or PIM–simply use the standard reboot or ISSU procedures described in the other sections of these instructions. To disable and reenable PIM: 1. On the router running Junos OS Release 9.2 or earlier, enter configuration mode and disable PIM: [edit] user@host# deactivate protocols pim user@host# commit 2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate for the router type. You can either use the standard procedure with reboot or use ISSU. 3. After the router reboots and is running the upgraded Junos OS, enter configuration mode, disable PIM NSR with the nonstop-routing disable statement, and then reenable PIM: Copyright © 2016, Juniper Networks, Inc. 257 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion [edit] user@host# set protocols pim nonstop-routing disable user@host# activate protocols pim user@host# commit Downgrading from Release 14.2 To downgrade from Release 14.2 to another supported release, follow the procedure for upgrading, but replace the 14.2 jinstall package with one that corresponds to the appropriate release. NOTE: You cannot downgrade more than three releases. For example, if your routing platform is running Junos OS Release 11.4, you can downgrade the software to Release 10.4 directly, but not to Release 10.3 or earlier; as a workaround, you can first downgrade to Release 10.4 and then downgrade to Release 10.3. For more information, see the Installation and Upgrade Guide. Changes Planned for Future Releases • Introduction of the all keyword to prevent accidental execution of certain clear commands—The all keyword is introduced in Junos OS Release 14.2 (as an optional keyword) and is planned to be introduced in Junos OS Release 15.2 (as a mandatory keyword) for certain clear commands that are used for clearing protocol and neighbor sessions. This makes users explicitly select the all keyword to clear all protocol or session information. Thus, it prevents accidental clearing or resetting of protocols or neighbor sessions, which might disrupt network operations. The all keyword is planned to be introduced for the following clear commands: 258 • clear arp • clear bgp neighbor • clear bfd adaptation • clear bfd session • clear igmp membership • clear isis adjacency • clear isis database • clear ldp neighbor • clear ldp session • clear mld membership • clear mpls lsp • clear msdp cache • clear multicast forwarding-cache Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions • clear (ospf | ospf3) database • clear (ospf | ospf3) neighbor • clear pim join • clear pim join-distribution • clear pim register • clear rsvp sessions In Junos OS Release 14.2 and Release 15.1—The all keyword is optional. When you type any of these clear commands followed by the ? in the CLI, the all keyword is listed as an option after the <[Enter]> keyword. You can execute the clear command directly or with the all keyword to clear all information. For example, when you type clear mpls lsp ?, the following possible completions are displayed: user@host> clear mpls lsp ? Possible completions: <[Enter]> Execute this command all Reset 'all' the nontransit or egress LSPs originating on this router <<<<<<<<<<<< autobandwidth Clear LSP autobandwidth counters logical-system Name of logical system, or 'all' name Regular expression for LSP names to match optimize Perform nonpreemptive optimization computation now ... Both clear mpls lsp or clear mpls lsp all will function identically in these releases. In Junos OS Release 15.2 and later—The all keyword is mandatory. When you type a clear command followed by the ? in the CLI, the <[Enter]> option to execute the command directly (without specifying any options) is not available. For example, when you type clear mpls lsp ?, you see all listed as an option but not <[Enter]> to execute the command directly. You have to type clear mpls lsp all and then press <[Enter]> if you want to clear information about all the nontransit or egress LSPs originating on the router. user@host> clear mpls lsp ? Possible completions: all Reset 'all' the nontransit or egress LSPs originating on this router <<<<<<<<<<<< autobandwidth Clear LSP autobandwidth counters logical-system Name of logical system, or 'all' name Regular expression for LSP names to match optimize Perform nonpreemptive optimization computation now ... Related Documentation • New and Changed Features on page 65 • Changes in Behavior and Syntax on page 104 • Known Behavior on page 119 • Known Issues on page 121 Copyright © 2016, Juniper Networks, Inc. 259 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • Documentation Updates on page 242 • Product Compatibility on page 260 Product Compatibility • Software Compatibility on page 260 • Hardware Compatibility on page 260 Software Compatibility The Juniper Networks implementation of OVSDB on MX Series routers is supported with the following VMware NSX versions: • Starting with Junos OS Release 14.2R1, NSX version 4.0.3. • Starting with Junos OS Release 14.2R2, NSX version 4.2 and later versions. The Juniper Networks implementation of OVSDB on MX Series routers supports the following OVSDB schema for physical devices versions: • Starting with Junos OS Release 14.2R1, OVSDB schema version 1.11.90 is compatible with NSX version 4.0.3. • Starting with Junos OS Release 14.2R4, OVSDB schema version 1.3.0 is compatible with NSX version 4.0.3 and with NSX version 4.2 and later. Hardware Compatibility To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product. To determine the features supported on M Series, MX Series, and T Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: http://pathfinder.juniper.net/feature-explorer/ Related Documentation 260 • New and Changed Features on page 65 • Changes in Behavior and Syntax on page 104 • Known Behavior on page 119 • Known Issues on page 121 • Documentation Updates on page 242 • Migration, Upgrade, and Downgrade Instructions on page 250 Copyright © 2016, Juniper Networks, Inc. Junos OS Release Notes for PTX Series Packet Transport Routers Junos OS Release Notes for PTX Series Packet Transport Routers These release notes accompany Junos OS Release 14.2R7 for the PTX Series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software. You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at http://www.juniper.net/techpubs/software/junos/. CAUTION: This release introduces some behavior changes to the unified in-service software upgrade (ISSU) functionality for PTX Series routers. We do not recommend using unified ISSU to upgrade from an earlier Junos OS release to Junos OS Release 14.2. • New and Changed Features on page 261 • Changes in Behavior and Syntax on page 269 • Known Behavior on page 271 • Known Issues on page 271 • Resolved Issues on page 274 • Documentation Updates on page 283 • Migration, Upgrade, and Downgrade Instructions on page 283 • Product Compatibility on page 286 New and Changed Features This section describes the new features and enhancements to existing features in Junos OS Release 14.2R7 for the PTX Series. • Hardware on page 262 • Class of Service (CoS) on page 263 • Interfaces and Chassis on page 263 • Management on page 266 • MPLS on page 266 • Multicast on page 266 • Network Management and Monitoring on page 266 • Routing Policy and Firewall Filters on page 267 • Routing Protocols on page 268 • Software Installation and Upgrade on page 268 • User Interface and Configuration on page 268 Copyright © 2016, Juniper Networks, Inc. 261 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Hardware • Support for 4-port 100 Gigabit Ethernet OTN PIC (PTX5000)—Starting with Junos OS Release 14.2, a 4-port 100-Gigabit Ethernet OTN PIC—P2-100GE-OTN—is supported on the FPC2-PTX-P1A FPC in PTX5000 routers. [See Understanding the P2-100GE-OTN PIC.] • New AC PSM and PDU (PTX5000)—Starting with Junos OS Release 14.2, new AC power supply modules (PSMs) and power distribution units (PDUs) are added to provide power to the FPC2-PTX-P1A FPC and other components in a PTX5000 router. You can install two redundant AC PDUs, and each AC PDU supports up to eight PSMs. All PSMs are considered to be a part of single zone to provide power to a common power bus. Run the show chassis hardware operational mode command to view the AC PSM and PDU details. [See show chassis hardware.] • Support for P2-10G-40G-QSFPP PIC on the FPC2-PTX-P1A FPC (PTX5000)—Starting with Junos OS Release 14.2, the PTX5000 supports the P2-10G-40G-QSFPP PIC on the FPC2-PTX-P1A FPC. You can configure the P2-10G-40G-QSFPP PIC to operate in 10-Gigabit Ethernet mode or in 40-Gigabit Ethernet mode. [See P2-10G-40G-QSFPP PIC Overview.] • SFPP-10G-DT-ZRC2 (PTX Series)—The SFPP-10G-DT-ZRC2 tunable transceiver provides a duplex LC connector and supports the 10GBASE-Z optical interface specification and monitoring. The transceiver is not specified as part of the 10-Gigabit Ethernet standard and is instead built according to Juniper Networks specifications. The SFPP-10G-DT-ZRC2 transceiver supports WAN-PHY and LAN-PHY modes. On PTX Series routers, the SFPP-10G-DT-ZRC2 transceiver also supports OTN rates of 10.70923 Gbps (OTU2) and 11.0957 Gbps (OTU2E). To configure the wavelength on the transceiver, use the wavelength statement at the [edit interfaces interface-name optics-options] hierarchy level. The following interface modules support the SFPP-10G-DT-ZRC2 transceiver: PTX Series PICs: • 10-Gigabit Ethernet LAN/WAN OTN PIC with SFP+ (model number: P1-PTX-24-10G-W-SFPP)—Supported in Junos OS Release 13.2R5, 13.3R3, 14.1R2, 14.2, and later • 10-Gigabit Ethernet PIC with SFP+ (model number: P1-PTX-24-10GE-SFPP)—Supported in Junos OS Release 13.2R5, 13.3R3, 14.1R2, 14.2, and later For more information about interface modules, see the “Cables and Connectors” section in the Interface Module Reference for your router. [See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications, PTX Series Interface Module Reference, and wavelength.] • 262 CFP-100GBASE-ZR (PTX Series)—In Junos OS Release 13.3R6, 14.1R4, 14.2R3, and 15.1R1 and later, the CFP-100GBASE-ZR transceiver provides advanced dual Copyright © 2016, Juniper Networks, Inc. New and Changed Features polarization-quadrature phase shift keying (DP-QPSK) coherent digital signal processing (DSP) and forward error correction (FEC)-enabled robust tolerance to optical impairments and supports 80 km reach over single-mode fiber. The transceiver is not specified as part of IEEE 802.3, but is built according to Juniper Networks specifications. The following interface module supports the CFP-100GBASE-ZR transceiver: • 100-Gigabit Ethernet PIC with CFP (P1-PTX-2-100GE-CFP) For more information about the interface modules, see the “Cables and Connectors” section in the PTX Series Interface Module Reference. [See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications and Supported Network Interface Standards by Transceiver for PTX Series Routers.] Class of Service (CoS) • Per-port pseudowire class-of-service classification (PTX Series)—Starting with Junos OS Release 14.2, port-based pseudowire class-of-service (CoS) classification is supported on the PTX Series router. [See Pseudowire Subscriber Logical Interfaces Overview.] • Change in scaling number for rewrite rules (PTX Series)—Starting in Junos OS Release 14.2R4, the scaling number for a rewrite rule is reduced by one when the default EXP rewrite is used. This change in scaling number is introduced to: • Support all possible combinations of EXP rewrite rules. • Fix the issue of incorrect modification of EXP bits of the inner label by the default MPLS EXP rewrite rule during the label pop operation. [See CoS Features and Limitations on PTX Series Routers.] Interfaces and Chassis • 100-Gigabit Ethernet DWDM OTN PIC (PTX Series)—Starting in Junos OS Release 14.2, the 100-Gigabit dense wavelength division multiplexing (DWDM) optical transport network (OTN) PIC enhances the transport performance monitoring feature by adding new functionality. Transport performance monitoring includes the ability to configure threshold crossing alerts (TCAs) by using the tca configuration statement under the [edit interfaces interface-name otn-options] or [edit interfaces interface-name optics-options] hierarchy level. Configuring the TCA values enable you to receive early warnings, which makes it possible to proactively manage the link. In addition, the following new commands have been added: • show interface transport pm • clear interface transport pm [See tca.] • OTN support (PTX Series)—Starting with Junos OS Release 14.2, OTN features are supported on the 24-port 10-Gigabit Ethernet OTN PIC P1-PTX-24-10G-W-SFPP. This PIC is supported on the FPCs FPC-PTX-P1-A and FPC2-PTX-P1A in PTX5000 routers, Copyright © 2016, Juniper Networks, Inc. 263 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion and the FPCs FPC-SFF-PTX-P1-A and FPC-SFF-PTX-T in PTX3000 routers. The following OTN framing modes are supported: • 10-Gigabit Ethernet LAN PHY over OTU2e or OTU1e • 10-Gigabit Ethernet WAN PHY over OTU2 The following forward error correction (FEC) types are supported: • GFEC (G.709) • EFEC (G.975.1 I.4) • UFEC (G.975.1 I.7) • None (no-FEC) The performance and state of packet transport for OTN and optics modules are monitored by using the transport-monitoring statement at the [edit interfaces] hierarchy level. [See Understanding the P1-PTX-24-10G-W-SFPP PIC and transport-monitoring.] • Support for REST interfaces (PTX Series)— Starting with Junos OS Release 14.2, PTX Series routers support REST interfaces for secure connection to Junos OS devices and execution of remote procedure calls, a REST API Explorer GUI enabling you to conveniently experiment with any of the REST APIs, and a variety of formatting and display options, including JSON support. [See REST API Guide.] • Synchronous Ethernet clock synchronization (PTX Series)—Beginning with Junos OS Release 14.2, Synchronous Ethernet clock synchronization is supported on the PTX Series router. This feature enables the selection of the best timing source based upon the Synchronization Status Message (SSM) TLV carried in the Ethernet Synchronization Message Channel (ESMC), specified in ITU-T G.8264. This selection process is used when primary and secondary clock sources are not already configured by the user. [See Configuring an External Clock Synchronization Interface for PTX Series Packet Transport Routers.] • Support for mixed-rate aggregated Ethernet bundles (PTX Series)—Beginning with Junos OS Release 14.2, bundling of mixed-rate links is supported on the same aggregated Ethernet interface on the PTX Series router. This feature supports aggregated Ethernet bundles composed of links with differing line speeds (10G, 40G, and 100G) on the same aggregated Ethernet interface, enabling egress unicast traffic load balancing based upon the egress link rate. NOTE: Mixed-rate aggregated Ethernet bundling is not applicable to multicast traffic. [See Configuring Aggregated Ethernet Interfaces on PTX Series Packet Transport Routers.] • 264 Unified ISSU support on FPC2-PTX-P1A FPC and P2-100GE-CFP2 PIC (PTX5000)—Starting with Junos OS Release 14.2R2, unified in-service software Copyright © 2016, Juniper Networks, Inc. New and Changed Features upgrade (ISSU) is supported on the FPC2-PTX-P1A FPC and on the P2-100GE-CFP2 PIC in PTX5000 routers. Unified ISSU enables you to upgrade from an earlier Junos OS release to a later one with no disruption on the control plane and with minimal disruption of traffic. • Support for dual-rate speed (PTX Series)—Starting in Junos OS Release 13.3R3, 14.1R3, 14.2R2, and later for PTX3000, and Junos OS 14.2R2 and later for PTX5000, support for dual rate for the 24-port 10-Gigabit Ethernet PIC (P1-PTX-24-10GE-SFPP) enables you to switch all port speeds to either 1-Gigabit Ethernet or 10-Gigabit Ethernet. The default is 10 Gbps. All ports are configured to the same speed; there is no mixed-rate-mode capability. You can use either the SFP-1GE-SX or the SFP-1GE-LX transceiver for 1 Gbps. Changing the port speed causes the PIC to reboot. To configure all ports on the P1-PTX-24-10GE-SFPP to operate at 1 Gbps, use the speed 1G statement at the [edit chassis fpc fpc-number pic pic-number] hierarchy level. To return all ports to the 10-Gbps speed, use the delete chassis fpc fpc-number pic pic-number speed 1G command. [See speed (24-port and 12-port 10 Gigabit Ethernet PIC) and 10-Gigabit Ethernet PIC with SFP+ (PTX Series).] Copyright © 2016, Juniper Networks, Inc. 265 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Management • YANG module that defines the Junos OS configuration hierarchy (PTX Series)—Starting with Junos OS Release 14.2, Juniper Networks provides a YANG module that defines the Junos OS configuration hierarchy. You can download the YANG module that defines the complete Junos OS configuration hierarchy for all devices running that Junos OS release from the Juniper Networks website at http://www.juniper.net/. You can also generate a YANG module that defines the device-specific configuration hierarchy by using the show system schema module configuration format yang operational mode command on the local device. The Juniper Networks YANG module, configuration, is bound to the namespace URI http://yang.juniper.net/yang/1.1/jc and uses the prefix jc. [See Understanding YANG on Devices Running Junos OS.] MPLS • Egress peer engineering of service labels (BGP, MPLS) and egress peer protection for BGP-LU (PTX Series)—Beginning with Junos OS Release 14.2R4, you can enable traffic engineering of service traffic, such as MPLS LSP traffic between autonomous systems (ASs), using BGP-labeled unicast for optimum utilization of the advertised egress routes. You can specify one or more backup devices for the primary egress AS boundary router. Junos OS installs the backup path in addition to the primary path in the MPLS forwarding table, which enables MPLS fast reroute (FRR) when the primary link fails. [See Egress Peer Protection for Labeled BGP Overview.] Multicast • Multicast make-before-break feature (PTX Series)—Beginning with Junos OS Release 14.2, multicast make-before-break (MBB) transitioning between Multicast Beam Table (MBT) trees is supported on PTX Series routers. This feature improves multicast performance by making the new tree before breaking the existing tree, minimizing the amount of multicast traffic dropped during the transition. [See Multicast Overview.] Network Management and Monitoring • Enhancements to SNMP statistics operational mode commands (PTX Series)—Beginning with Junos OS Release 14.2, you can use the show snmp stats-response-statistics command to view the statistics of SNMP statistics responses sent from the Packet Forwarding Engine during the MIB II process (mib2d). In addition, you can use the subagents option in the show snmp statistics command to view the statistics of the protocol data units (PDUs) and the number of SNMP requests and responses per subagent. The subagents option also helps you to view the SNMP statistics received from each subagent per logical system. [See show snmp stats-response-time and show snmp statistics.] 266 Copyright © 2016, Juniper Networks, Inc. New and Changed Features • Enhancement to reduce the time taken for performing system commit (PTX Series)—Beginning with Junos OS Release 14.2, you can configure the delta-export statement at the [edit system commit] hierarchy level to reduce the time taken to commit the configuration changes. [See commit (system) and delta-export.] Routing Policy and Firewall Filters • Input filter-based forwarding (PTX Series)—Beginning with Junos OS Release 14.2, filter-based forwarding on ingress traffic is supported on the PTX Series router. This feature enables the user to configure a filter that classifies packet flows based upon packet fields and redirect the packets through different user-configured forwarding tables. Input filter-based forwarding is supported for IPv4 and IPv6 traffic only. [See Filter-Based Forwarding Overview.] • New walkup statement available (PTX Series)—Starting in Junos OS Release 14.2, a new walkup feature is available. The walkup feature allows the user to change the default route filter prefix match behavior, so that the evaluation walks up multiple route filters contained within a single policy term, in order to allow matches on terms other than the default longest match. This can be applied globally or locally to a single policy. This feature can be configured in the main routing instance and in logical systems, but not in routing instances. • Support for logical queue-depth in the PFE for IP options packets for a given protocol (PTX Series)—Starting with Junos OS Release 14.2R6, you can configure logical queue-depth in the PFE for IP options packets for a given protocol. The queue-depth indicates the number of IP options packets which can be enqueued in the PFE logical queue, beyond which it would start dropping the packets. Copyright © 2016, Juniper Networks, Inc. 267 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Routing Protocols • Remote LFA support for LDP in IS-IS (PTX Series)—Beginning with Junos OS Release 14.2, you can configure a remote loop-free alternate (LFA) to extend the backup provided by the LFA in an IS-IS network. This feature is useful especially for Layer 1 metro-rings where the remote LFA is not directly connected to the PLR. The existing LDP implemented for the MPLS tunnel setup can be reused for the protection of IS-IS networks and subsequent LDP destinations, eliminating the need for RSVP-TE backup tunnels for backup coverage. To configure remote LFA over LDP tunnels, include the remote-backup-calculation statement at the [edit protocols isis backup-spf-options] hierarchy level and the auto-targeted-session statement at the [edit protocols ldp] hierarchy level. [See Example: Configuring Remote LFA over LDP Tunnels in IS-IS Networks.] Software Installation and Upgrade • Unified ISSU support (PTX3000)—Beginning with Junos OS Release 14.2R3, unified in-service software upgrade (ISSU) is supported on the PTX3000 router. Unified ISSU enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic. Unified ISSU is not supported on the P1-PTX-24-10G-W-SFPP PIC. [See Unified ISSU System Requirements.] User Interface and Configuration • Support for allowing commands in a Junos OS op script (PTX Series)—Starting with Junos OS Release 14.2, you can specify a regular expression that defines which commands to explicitly allow during execution of a Junos OS op script. The commands that you specify are performed even if a user login class denies that command. The permission to perform commands within a script applies to all users. [See Defining Commands to Allow in an Op Script.] Related Documentation 268 • Changes in Behavior and Syntax on page 269 • Known Behavior on page 271 • Known Issues on page 271 • Documentation Updates on page 283 • Migration, Upgrade, and Downgrade Instructions on page 283 • Product Compatibility on page 286 Copyright © 2016, Juniper Networks, Inc. Changes in Behavior and Syntax Changes in Behavior and Syntax This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 14.2R7 for the PTX Series. • Class of Service (CoS) on page 269 • ipv6 on page 269 • Junos OS XML API and Scripting on page 269 • Network Management and Monitoring on page 269 • Routing Protocols on page 270 • User Interface and Configuration on page 270 Class of Service (CoS) • Change to interpolated WRED drop probability (PTX Series)—In Junos OS Releases 13.2R4, 13.3R2, and 14.1 and later releases, the interpolated fill level of 0 percent has a drop probability of 0 percent for weighted random early detection (WRED). In earlier Junos OS releases, interpolated WRED can have a nonzero drop probability for a fill level of 0 percent, which can cause packets to be dropped even when the queue is not congested or the port is not oversubscribed. ipv6 • IPv6 addresses with padded zeros in MIC or MS-MPC system log messages (PTX Series)—Starting with Junos OS Release 14.2R4, all system log messages originating from MIC or MS-MPC line cards displays padded zeros in IPv6 addresses to make them compatible with MS-DPC line cards. Earlier, the system log messages from MIC or MS-MPC line cards displayed IPv6 addresses with ’::’ instead of padded zeros. Junos OS XML API and Scripting • Escaping of special XML characters required for request_login (PTX Series)—Beginning with Junos OS Release 14.2R4, you must escape any special characters in the username and password elements of a request_login XML RPC request. The following five symbols are considered special characters: greater than (>), less than (<), single quote (’), double quote (“), and ampersand (&). Both entity references and character references are acceptable escape sequence formats. For example, &amp; and &#38; are valid representations of an ampersand. Previously no escaping of these characters was required. Network Management and Monitoring • New system log message indicating the difference in the Packet Forwarding Engine counter value (PTX Series)—In Junos OS Release 14.2R2 and later, if the counter value of a Packet Forwarding Engine is reported lesser than its previous value, then the residual counter value is added to the newly reported value only for that specific counter. In that case, the CLI shows the MIB2D_COUNTER_DECREASING system log message for that specific counter. Copyright © 2016, Juniper Networks, Inc. 269 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion [See MIB2D_COUNTER_DECREASING.] • Enhancement for SONET interval counter (PTX Series)—Starting with Junos OS Release 14.2R6, only the Current Day Interval Total output field in the show interfaces interval command for SONET interfaces is reset after 24 hours. In addition, the Previous Day Interval Total output field displays the last updated time in hh:mm. [See show interfaces interval.] Routing Protocols • Modification to the default BGP extended community value (PTX Series)—Starting in Release 14.1, Junos OS has modified the default BGP extended community value used for MVPN IPv4 VRF route import (RT-import) to the IANA-standardized value. The default behavior has changed such that the behavior of the mvpn-iana-rt-import statement has become the default. The mvpn-iana-rt-import statement is deprecated and we recommend that you remove it from configurations. • OSPFv3-TTL propagation policy for TE-Shortcuts and FA-LSPs in line with other modules in the system (PTX Series)—Starting in Junos OS Release 14.2, the OSPFv3-TTL propagation policy is dictated by the MPLS-TTL propagation policy which, by default, allows propagation of TTL. This change makes the behavior of OSPFv3 in line with the default behavior of rest of the system, allowing you to disable TTL propagation for the above mentioned LSPs, and for traffic-engineering-shortcuts (TE-Shortcuts) and forwarding adjacency LSPs (FA-LSPs) using OSPFv3 as the IGP, by configuring the no-propagate-ttl statement at the [edit protocols mpls] hierarchy level. User Interface and Configuration • Configuring regular expressions (PTX Series)—In all supported Junos OS releases, you can no longer configure regular expressions if they require more than 64 MB of memory or more than 256 recursions for parsing. This change in the behavior of Junos OS is in line with the FreeBSD limit. The change was made in response to a known consumption vulnerability that allows an attacker to cause a denial-of-service (resource exhaustion) attack by using regular expressions containing adjacent repetition operators or adjacent bounded repetitions. Junos OS uses regular expressions in several places within the CLI. Exploitation of this vulnerability can cause the Routing Engine to crash, leading to a partial denial of service. Repeated exploitation can result in an extended partial outage of services provided by the routing protocol process (rpd). • New warning message for the configurational changes to extend-size (PTX Series)—Starting with Junos OS Release 14.2R5, any operation on the system configuration-database extend-size configuration statement, such as, deactivate, delete, or set, generates the following warning message: Change in 'system configuration-database extend-size' will be effective at next reboot only. 270 Copyright © 2016, Juniper Networks, Inc. Known Behavior Related Documentation • New and Changed Features on page 261 • Known Behavior on page 271 • Known Issues on page 271 • Documentation Updates on page 283 • Migration, Upgrade, and Downgrade Instructions on page 283 • Product Compatibility on page 286 Known Behavior This section contains the known behavior, system maximums, and limitations in hardware and software in Junos OS Release 14.2R7 for the PTX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • General Routing on page 271 General Routing Related Documentation • The PIC P2-100GE-CFP2 supports 100GBASE-LR4 and 100GBASE-SR10 transceivers on the FPC FPC2-PTX-P1A in a PTX5000 router. The CFP2-100G-SR10-D2 transceiver is dual-rate, but only when used in a PIC that supports OTN, such as P2-100GE-OTN. • New and Changed Features on page 261 • Changes in Behavior and Syntax on page 269 • Known Issues on page 271 • Documentation Updates on page 283 • Migration, Upgrade, and Downgrade Instructions on page 283 • Product Compatibility on page 286 Known Issues This section lists the known issues in hardware and software in Junos OS Release 14.2R7 for the PTX Series. For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application. • General Routing on page 272 • Class of Service (CoS) on page 272 • Infrastructure on page 272 • Interfaces and Chassis on page 272 Copyright © 2016, Juniper Networks, Inc. 271 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • MPLS on page 273 • Routing Protocols on page 273 General Routing • The IFL count is incorrect and will not be repaired until a PIC restart. PR882406 • CCG configuration change does not reprogram hardware automatically. PR896226 • jnxOperatingDRAMSize MIB is deprecated because this is 32-bit MIB in bytes and new memory size cannot be expressed using this MIB. Please use jnxOperatingMemory that gives memory size in megabytes. PR949656 • Without explicit EXP rewrite configuration, the EXP bits of the top label are rewritten on the egress MPLS frame following the default EXP rewrite profile. There is no workaround. PR976481 • IS-IS adjacencies starts to flap at higher scale(2k+) with default timers. Issue is not seen at lower scale (<100 adjacencies). As a workaround, please increase the default timers. PR1036914 • On FPC3, strict priority mode scheduling may not be accurate with large packet sizes. PR1099387 • Traffic may drop during Routing Engine switchover. PR1164107 Class of Service (CoS) • In case of member links of an AE (aggregated Ethernet) interface scatter over multiple Packet Forwarding Engines, if the FPC where member links of the AE interface reside gets reset or interface is disabled, there may be a dip in the output of SNMP walk on AE related queue MIB (such as jnxCosQstatTxedPkts). The behavior is intermittent and not seen every time. PR1122343 Infrastructure • The 'show system memory' command does not work on 64-bit systems. The implementation requires the use of loadable kernel module to gather data. This module has known issues and has been the root cause of numerous kernel panics. In addition the pmap utility which provides the data for the CLI has known, rare, crashes on 32-bit kernels. In the case when the pmap utility crashes, no information will be reported by the CLI. PR883953 Interfaces and Chassis 272 • During an Routing Engine switchover in which OAM-AH (LFM) is configured, the peer router may see syslog entries which indicate an LFM session new state of up. These logs are harmless, however rightfully cause concern that the LFM session had dropped, which is not the case. PR775616 • Kernel crash may happen when a router running a Junos OS install with the fix to PR 937774 is rebooted. This problem will not be observed during the upgrade to this Junos Copyright © 2016, Juniper Networks, Inc. Known Issues OS install. It occurs late enough in the shutdown procedure then it shouldn't interfere with normal operation. PR956691 • On dual Routing Engine platforms, when adding the logical interfaces (IFLs) and committing, due to the device control process (dcd) on the backup Routing Engine might fail to process the configuration and keep it in the memory. In some cases (not happening all the time), it might be observed that the memory of the dcd keeps increasing on the backup Routing Engine. PR1014098 • During subscriber login/logout, the following error log might occur on the device configured with GRES/NSR: /kernel: if_process_obj_index: Zero length TLV! /kernel: if_pfe: Zero length TLV (pp0.1073751222) PR1058958 MPLS • Delay in showing LDP traffic statistics for any particular route; e.g., show ldp traffic-statistics | grep "101.0.1.0/" takes couple of minutes to throw the output. PR1077587 • In an RSVP-based P2MP scenario, if a sub-LSP switchover to bypass LSP due to PIC offline, then when a new sub-LSP is established via setup-protection, the deletion of the old sub-LSP might result in deletion of both sub-LSPs. PR1132050 Routing Protocols Related Documentation • When we have two paths for the same route, the route gets pointed to Unilist NH which in turn gets pointed to two separate Unicast NHs. The route is determined by OSPF and we have BFD enabled on one of the paths, which runs through an l2circuit path. When the link on the l2circuit gets cut, the link flap is informed by BFD as well as through OSPF LSAs. Ideally the BFD should inform the link down event before the OSPF LSA. But at the current situation, the OSPF LSAs update the current event a second before BFD. Due to this reason, we do get the route to be pointing to a new Unilist NH with the weights swapped. But the Unicast NH for which the L3 link is down, gets added to the Unilist NH, the BFD assumes the link to be up, and hence updates the weights inappropriately and hence we do see traffic loss. Once the BFD link down event is processed at OSPF protocol level, now the route points to only Unicast NH and hence we do see traffic flowing through the currently active link. The traffic outage would be hardly for less than a second during FRR. Also, this can be avoided if the BFD keepalive intervals are maintained around 50 ms with multiplier of 3 as opposed to 100 ms with a multiplier of 3. PR1119253 • New and Changed Features on page 261 • Changes in Behavior and Syntax on page 269 • Known Behavior on page 271 • Documentation Updates on page 283 • Migration, Upgrade, and Downgrade Instructions on page 283 • Product Compatibility on page 286 Copyright © 2016, Juniper Networks, Inc. 273 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Resolved Issues This section lists the issues fixed in the Junos OS main release and the maintenance releases. The identifier following the description is the tracking number in the Juniper Networks Problem Report (PR) tracking system. • Resolved Issues: 14.2R7 on page 274 • Resolved Issues: 14.2R6 on page 275 • Resolved Issues: 14.2R5 on page 276 • Resolved Issues: 14.2R4 on page 279 • Resolved Issues: 14.2R3 on page 279 • Resolved Issues: 14.2R2 on page 281 Resolved Issues: 14.2R7 • Forwarding and Sampling on page 274 • General Routing on page 274 • MPLS on page 275 • Platform and Infrastructure on page 275 • Routing Protocols on page 275 Forwarding and Sampling • SRRD (Sampling Route-Record Daemon) process doesn't delete routes when the DELETE is received from RPD in few configuration cases. This results in build-up of memory in SRRD daemon and once SRRD reaches the limit, it crashes and restarts itself. This happens only when one certain family is not configured on all of the FPC clients (e.g., FPC with inline jflow enabled or PIC with PIC-based sampling enabled is one client). For example, only IPv4 family is configured in all the clients, and IPv6 and MPLS families are not configured for sampling in any of the clients. PR1180158 General Routing • The FPC on PTX router might crash and reboot when the Packet Forwarding Engine is handling a fatal error; when the error happens, "TQCHIP0: Fatal error pqt_min_free_cnt is zero" log message will be seen. PR1084259 • If a static or protocol learned route points to a set of interfaces, effectively resulting in static route pointing to a unilist nexthop, it is possible that the selector weights may not be initialized correctly, resulting in traffic drop. You can mitigate this issue by deactivating and then activating the static route configuration. PR1120370 • Due to buffer size issue for FPC-SFF-PTX-P1-A (PTX3000) and FPC2-PTX-P1A (PTX5000), will be hitting "ISSU RECONNECT TIMEOUT" or "READY Message Without Reconnect" during unified ISSU (it will be hit if this fix not available in the from build). PR1155936 • 274 As per design, whenever configuration is committed in PTX3000 platform, chassisd tries to bring the offline SIBs online. The SIB might not have power because of hardware issues (such as seen in this scenario where the SIB couldn't be brought online because Copyright © 2016, Juniper Networks, Inc. Resolved Issues of a voltage rail failure). In such cases, software shouldn't try to online the SIB. This attempt is resulting in the software state for this SIB getting stuck in "transition" state thereby resulting in all future offline/online commands to not take effect on this SIB. Fixed software to check if there are any hard errors on that SIB before trying to bring it online. Fix comes in 14.2R7, 15.1F5-S2, 15.1F6, 15.1R4, and 16.1R1. PR1161110 • For PTX routers, the IPv6 unilist next-hop member will become "replaced" status on Packet Forwarding Engine (PFE) after interface flapping with IPv6 ND (Neighbor Discovery) timeout. While the problem is happening, routing-table will display all right next-hop status but cannot forward traffic since forwarding next-hop in Packet Forwarding Engine is in "replaced" status and no longer active. PR1177023 MPLS • In P2MP with NSR scenario, it might be observed about 100 ms traffic loss during Routing Engine switchover in steady state with link protection enabled. It is because the nexthops added by applications in the backup Routing Engine do not match nexthops fetched from kernel. This nexthops mismatch causes LSPs to reestablish after switchover. PR1095488 Platform and Infrastructure • In certain cases, with some events such as disable/enable of links followed by Routing Engine rebooting or GRES enabled switchover, below error message could be seen due to a software bug where it doesn't handle an internal flag properly: “KERNEL/Packet Forwarding Engine APP=NH OUT OF SYNC: error code 1 REASON: invalid NH add received for an already existing nh ERROR-SPECIFIC INFO:” PR1107170 • Configuring one group with configuration of routing-instances and applying this group under routing-instances, then the rpd process will crash after executing "deactivating/activating routing-instances" commands. As a workaround, you can avoid using "apply-groups" under routing-instances hierarchy. PR1109924 Routing Protocols • In multicast environment, when the RP is FHR (first-hop router) and it has MSDP peers, when the rpf interface on RP changed to MSDP facing interface, due to the multicast traffic is still on the old rpf interface, a multicast discard route will be installed and traffic loss will be seen. PR1130238 Resolved Issues: 14.2R6 • Class of Service (CoS) on page 276 • General Routing on page 276 • High Availability (HA) and Resiliency on page 276 • Routing Protocols on page 276 • VPNs on page 276 Copyright © 2016, Juniper Networks, Inc. 275 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Class of Service (CoS) • This PR does optimization in AE SNMP handling. If all the links in an AE bundle go down, then any CoS SNMP query for this AE IFD/IFL will return cached values. General Routing • It is reported that on PTX platforms, when the firewall filter is configured on the loopback interface of the device, due to bad error handling or NULL pointer, all the FPC on device may continuously crash and unstable. Because the issue is not reproducible, the trigger of the issue is not clear. PR996749 • When a labeled BGP route resolves over a route with MPLS label (e.g. LDP/RSVP routes), after clearing the LDP/RSVP routes, in the short window before the LDP/RSVP routes restore, if the BGP routes resolves over a direct route (e.g. a one-hop LSP), the rpd process might crash. PR1063796 • When hold-time Up is configured on IFDs of PTX, SyncE line clocks can fail by restarting the associated FPCs. In a paticular test scenario with relatively large hold-time Up 60,000 ms, SyncE line clock can fail by restarting the associated FPC, and it is never recovered until the IFD is dis/enabled. Both 10GbE and 100GbE interfaces indicate the same clock fail issue. PR1130084 High Availability (HA) and Resiliency • With NSR enabled on multiple Routing Engine systems, when a dynamic GRE tunnel is configured, performing Routing Engine switchover might causing rpd to crash repeatedly on backup the Routing Engine. PR1130203 Routing Protocols • In multicast environment, when the RP is FHR (first hop router) and it has MSDP peers, when the rpf interface on RP changed to MSDP facing interface, due to the multicast traffic is still on the old rpf interface, a multicast discard route will be installed and traffic loss will be seen. PR1130238 VPNs • For Layer 2 circuit, PTX3000 uses different VCCV (Virtual Circuit Connectivity Verification) BFD control packet format from that of MX and the other PTX platforms. PTX3000 negotiates Router-alert control channel type, and uses PW Associated Channel Header of Channel Type : 0x0021. However, MX and the other PTX platforms use the Channel Type is 0x0007 without IP/UDP headers. JUNOS takes the Channel-type 0x0007 as default. MX and the other PTX platforms work as expected. This is PTX3000 specific issue. PR1116356 Resolved Issues: 14.2R5 276 • General Routing on page 277 • Interfaces and Chassis on page 278 • MPLS on page 278 Copyright © 2016, Juniper Networks, Inc. Resolved Issues • Network Management and Monitoring on page 279 • Platform and Infrastructure on page 279 • Routing Protocols on page 279 • Software Installation and Upgrade on page 279 General Routing • When a labeled BGP route resolves over a route with MPLS label (e.g. LDP/RSVP routes), after clearing the LDP/RSVP routes, in the short window before the LDP/RSVP routes restore, if the BGP routes resolves over a direct route (e.g. a one-hop LSP), the rpd process might crash. PR1063796 • When a switchover is done from one Routing Engine to the other, in graceful-switchover redundancy mode, there is a brief period early in the transition of the SIB to online state, during which unsoliciited (not corresponding to an attempt by the CPU to access the SIB via PCIe) errors are received at the downstream PCIe port on the CB to the SIB. The fix is to mute the generation of such errors during this brief period of the switchover. PR1068237 • On PTX5000 platform with FPC2 equipped, if 48x10G/12x40G PIC or 4X100G PIC is inserted into the FPC, continuous "pmbus_get_devaccess: fpc PMBUS dev table not initialized" error logs might be seen on the device due to memory corruption. These errors are mostly seen when making the OTN related configuration change (e.g. set up OTN rates). But it is not the only trigger. For example, physical interface (IFD) disable/enable may result in the issue too. The messages might disappear for some time by restarting the FPC, however, the corruption will still exist. PR1077985 • The FPC on PTX Series router might crash and reboot when the Packet Forwarding Engine is handling a fatal error, when the error happened, "TQCHIP0: Fatal error pqt_min_free_cnt is zero" log message will be seen. PR1084259 • On PTX Series platform with external clock synchronization interface configured, when both BITS external clocks are disconnected at the same time, the 100GbE-LR4 FINISAR interface might flap. This link flap issue is narrowed down to the operation of data-path FIFO within CFP. When both the BITS clocks are disconnected, the reference clock jumps to "free-running" mode. This transition leads to a phase shift in reference clock. Due to this phase shift, the data rates into and out of the FIFO will temporarily not match, leading to a FIFO over-run or under-run condition. This over-run or under-run condition forces a FIFO reset, and the output signal is distorted. So the far-end interface detects 'local-fault', then return 'remote-fault' back to the near-end, hence a link flap. After change for this PR: - User need to manually config FPC recovered clock port for each clock put into "chassis synchronization source". - Only one clock of each FPC can be put into "chassis synchronization source". PR1091228 • On PTX platform, if there are scaling configurations (for example,5000 routes and each of them with 64 ECMP paths configured) on a single interface and L2 rewrite profile is applied for the interface, the FPC may crash when deactivating and then activating the CoS configuration of the interface. PR1096958 • Entropy Label Capability is enabled by-default on all Juniper Networks PTX Series platforms. On PTX Series transit LSRs that carry LSPs with Entropy Label Capability, packet loss can be observed due to data errors when one or more labeled route entries Copyright © 2016, Juniper Networks, Inc. 277 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion are not properly removed from the hash table (ie. following LSP optimization or MBB event) because the 'stale' entries are pointing to corrupted route memory. As a result, when the MPLS label that is associated with the 'stale' entry is re-used, data errors are seen for packets using the corresponding label. PR1100637 • FFP is a generic process that shall be called during commit process, and FFP calls the PDB initialization as part of its process. On the PDB-unsupported platforms , when committing configuration, some error messages will be seen. PR1103035 • On PTX Series platform, when yanking out FPC or SIB ungracefully (for example, pulling the line card out of the chassis unintentionally when the line card is carrying the traffic), there might be small probability that it can impact any of the FPCs with Grant Scheduler (GS) and Request Table (RT) fatal interrupt occurred. PR1105079 Interfaces and Chassis • On PTX platform, if the configurations that have per-unit-scheduler configured on the interface, but without proper class-of-service configuration for the same interface, due to lack of commit check, the device control daemon (dcd) may fail to return "commit error" and pass the configuration. Following is an example, user@re0# set interfaces et-0/0/1 per-unit-scheduler vlan-tagging unit 0 <<<<< The configuration for interface et-0/0/1 user@re0# commit check error: per-unit-scheduler is configured but class-of-service is blank <<<<< This is correct behavior error: configuration check-out failed <<<<< .. user@re0# set class-of-service forwarding-classes queue 7 q7 <<<<< user@re0# commit check configuration check succeeds <<<<< This is wrong behavior because et-0/0/1 does not have class-of-service configuration * If reboot this router after committing, the administrator cannot access without console because the router cannot read this configuration. When deleting the above configuration after rebooting, telnet and so on could be used. PR1097829 MPLS 278 • In the output of the CLI command "traceroute mpls ldp", the addresses of the interfaces on transit PTX Series routers might be shown as "127.0.0.1". PR1081274 • When an LSP is link-protected and has no-local-reversion configured, if the primary link (link1) is down and LSP on bypass (link2), then another link (link3) is brought up, before the LSP switch to link3. If link1 is enabled and link3 is disabled, the LSP will stuck in bypass LSP forever. This is a timing issue. PR1091774 Copyright © 2016, Juniper Networks, Inc. Resolved Issues Network Management and Monitoring • Due to inappropriate cleanup in async library, disable multiple interfaces while SNMP is polling interface oids might cause mid2d process crashing. PR1097165 Platform and Infrastructure • The MIB counter or "show Packet Forwarding Engine statistics traffic" shows junk PPS and invalid total traffic output counter. PR1084515 Routing Protocols • In Junos OS release 14.1R1 and later, the rpd process might crash while executing CLI command "show isis backup spf results". PR1037114 Software Installation and Upgrade • In certain conditions, when /var is not mounted from a persistent filesystem, executing a Junos OS upgrade will have unexpected results. This is caused by an inexact check of whether we're running from an Emergency VAR. PR1112334 Resolved Issues: 14.2R4 • General Routing on page 279 General Routing • CLI commands are enabled for PTX5000, which were supported earlier on MX Series only. PR1038995 Resolved Issues: 14.2R3 • General Routing • Interfaces and Chassis • MPLS • Platform and Infrastructure • Routing Protocols General Routing • Prior to this fix "show interface diagnostics optics" command shows output for all four lanes for 10G ports of 48x10GE 12x40GE QSFP+ PIC. Normal behavior would be to display output for only the lane that the port belongs to. PR959514 • On PTX5000, the packet drop is observed along with the parity error read from l3bnd_ht entry corresponding to certain addresses. With this SRAM parity error, ASIC will unconditionally drop the packet even if PTX Series does not use l3bnd_ht during lookup. The parity check for l3bnd_ht lookup for PTX5000 will be disabled to avoid the SRAM parity error and packet drop as a workaround. We also add new log message to report the counter value change for slu.hw_err trap count - TL[<num>]: SLU hw error count <xxx> (prev count <yyy>). PR1012513 • A reboot might be required when chassis is powered up the first time. PR1034662 Copyright © 2016, Juniper Networks, Inc. 279 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 280 • Using jnxoptIfOTNPMFECIntervalTable and jnxOpticsPMIntervalTable it is not possible to walk these tables from the middle before this fix. PR1039030 • When there is link/node protection/ECMP for RSVP/LDP transit or egress LSPs with huge scaling and continuous flapping of LSPs like auto-bandwidth case, traffic might get black-holed upon LSP re-optimizations. The issue would get triggered if the same unilist list-id (unilist list-id is a unique id for unilist nexthop) is allocated for two different unilist forwarding topologies. This situation arises when the unilist list-id wraps around after max value of 65535. After the wraparound, if there is a long living list-id (which can be due to some node/link protected LSP that has not been re-optimized for a long time), the Packet Forwarding Engine assigns the same list-id during allocation (upon other LSP re-optimizations), and this will trigger the issue as the new unilist will be directed to incorrect interface. PR1043747 • On PTX Series platform running Junos OS Release 12.1 and later, for interface connected via optical system such as DWDM, when the interface is administratively disabled, there might be a delay (300-400msec) for the system to detect the event and during which time, traffic blackhole might be seen. Note if you disable the interface by breaking the Rx or Tx link, the issue will not happen. PR1043762 • On PTX Series platform with one of the following protocols configured, flapping the protocols will trigger the Composite Next-hop change operation. In rare condition, since it is not properly programmed, the FPC might crash. This is a day-1 issue. - LDP MPLS - Point-to-Multipoint LSP - RSVP - Static LSPs PR1045794 • For PTX Series router, the unilist next-hop member will have a 'replaced' status on the Packet Forwarding Engine after interface flapping with ARP timeout. While the problem is happening, the routing table will display an all right next-hop status but cannot forward traffic since the forwarding next-hop in the Packet Forwarding Engine is in 'replaced' status and no longer active. PR1046778 • On PTX Series platform, non-revertive feature for clock synchronous sources does not work correctly. After deleting the primary clock and then adding it back, it will fallback to the primary clock but not stay in secondary. PR1052549 • When the port on 24x 10GE(LWO) SFP+ (which never went link up since the PIC is onlined) is configured as CLI loopback, the ports will receive framing error during until the interface gets physically linked up. (that is, with real fiber instead of CLI loop). There would be no problem in normal use. This is only seen in self-loopback testing with CLI loopback. PR1057364 • In LDP tunneling over single hop RSVP-based LSP environment, after enabling "chained-composite-next-hop", the router might fail to create the chained composite next hops if the label value of VPN is equal to the label value of LDP. PR1058146 • On PTX Series routers, the interrupt-driven basis link-down detection (an interrupt-driven link-down notification is generated to trigger locally attached systems to declare the interface down within a few milliseconds of failure) might fail after performing unified in-service software upgrade (ISSU). The interrupt might be prevented Copyright © 2016, Juniper Networks, Inc. Resolved Issues after performing unified ISSU due to disable the interrupt registers before unified ISSU but never restored afterwards. PR1059098 • On PTX Series routers, the interrupt-driven link-down detection might stop working. When the line card is receiving a multiple back-to-back fault in a very short duration (no matter from remote or local), it might fail to detect all the received interrupts, and this failure might cause delay of the link-down detection (for example, it might take PTX Series ~300ms to make interface down). PR1060279 Interfaces and Chassis • Configuring ODU FRR under otn-options for 2x100G DWDM PIC is an unsupported command on PTX Series router. Adding such configuration could result in an FPC crash and restart. PR1038551. MPLS • On P2MP MPLS LSP transit router with NSR enabled, when RSVP refresh reduction feature is enabled and LSP link protection is configured on all interfaces, slight P2MP traffic loss might be seen after the graceful Routing Engine switchover (GRES) is done. PR1023393 • This is a regression issue on all Junos OS releases related to a timing factor. When LDP session flaps, over which entropy label TLV or any unknown TLV is received, the LDP speaker might not send label withdraw for some prefixes to some neighbors. As a result, these neighbors will still use stale labels for the affected prefixes. PR1062727 Platform and Infrastructure • In some rare conditions, setting up configuration access privilege using the "allow-configuration-regexps" or "deny-configuration-regexps” statements will crash the management daemon (mgd), which serves a central role in the user interface component of Junos OS. PR1029384 Routing Protocols • After adding Shared Risk Link Group (SRLG) configuration on an interface, the interface would be deleted from the TED database. If the interface is traversed by LSP optimal path, in some cases, the re-optimization that occurs selects a sub-optimal path. PR1035359 • In MPLS TE scenario, if IS-IS shortcuts for family inet6 are enabled, the LSP flapping might cause memory leak, which could result in traffic blackhole or FPC crash. PR1049675 • When running Simple Network Management Protocol (SNMP) polling to specific IS-IS Management Information Base (MIB) with invalid variable, it will cause the routing protocol process (rpd) to crash. PR1060485 Resolved Issues: 14.2R2 • General Routing • MPLS Copyright © 2016, Juniper Networks, Inc. 281 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion • Routing Protocols • User Interface and Configuration General Routing • LACP on AE interfaces currently does not support unified ISSU on PTX Series platform, so a warning message is present before performing unified ISSU with LACP configured. Then the user can discontinue the ISSU process. PR1018233 • On PTX Series, route installation might fail. PR1029548 • On PTX Series platform with equal-cost multipath (ECMP) route, bouncing the route next-hop interface hosted PIC, the Packet Forwarding Engine might get the route next-hop change message before the interface up message when the PIC is coming up, which results in the next-hop not installed in Packet Forwarding Engine leading to traffic black-holing. PR1035893 • PCS statistics counter is now displayed for PTX Series 100GE interfaces in this command: cli > monitor interface <intf> PR1030819 MPLS • In MPLS traffic engineering with link or node protection enabled, after adding Shared Risk Link Group (SRLG) configuration, the bypass LSP might ignore the constraint and use an unexpected path. PR1034636 Routing Protocols • With any single hop BFD session and MPLS OAM BFD session configured over same interface, when the interface is disabled and enabled back immediately (e.g. a delay of 10 sec between the two commit check in), the single hop BFD session might get stuck into Init-Init state due to Down packet is received from other end for MPLS BFD session on the same interface might get demultiplexed to single hop BFD session wrongly. PR1039149 User Interface and Configuration Related Documentation 282 • Commit Error happens with load patch or load replace, while applying commit difference on backup Routing Engine as part of fast commit process. Error looks like - user@host# commit check re0: configuration check succeeds re1: /var/tmp/juniper.db-2233-patch.sync:9:(0) syntax error error: remote load-configuration failed on re1. PR1029474 • New and Changed Features on page 261 • Changes in Behavior and Syntax on page 269 • Known Behavior on page 271 • Known Issues on page 271 • Documentation Updates on page 283 • Migration, Upgrade, and Downgrade Instructions on page 283 • Product Compatibility on page 286 Copyright © 2016, Juniper Networks, Inc. Documentation Updates Documentation Updates There are no outstanding issues with the published documentation for Junos OS Release 14.2R7 for the PTX Series. Related Documentation • New and Changed Features on page 261 • Changes in Behavior and Syntax on page 269 • Known Behavior on page 271 • Known Issues on page 271 • Migration, Upgrade, and Downgrade Instructions on page 283 • Product Compatibility on page 286 Migration, Upgrade, and Downgrade Instructions This section contains the procedure to upgrade Junos OS, and the upgrade and downgrade policies for Junos OS for the PTX Series. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. • Upgrading Using Unified ISSU on page 283 • Upgrading a Router with Redundant Routing Engines on page 283 • Basic Procedure for Upgrading to Release 14.2 on page 284 Upgrading Using Unified ISSU CAUTION: This release introduces some behavior changes to the unified in-service software upgrade (ISSU) functionality for PTX Series routers. We do not recommend using unified ISSU to upgrade from an earlier Junos OS release to Junos OS Release 14.2. Unified in-service software upgrade (ISSU) enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic. Unified in-service software upgrade is only supported by dual Routing Engine platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. For additional information about using unified in-service software upgrade, see the High Availability Feature Guide for Routing Devices. Upgrading a Router with Redundant Routing Engines If the router has two Routing Engines, perform a Junos OS installation on each Routing Engine separately to avoid disrupting network operation as follows: 1. Disable graceful Routing Engine switchover (GRES) on the master Routing Engine and save the configuration change to both Routing Engines. 2. Install the new Junos OS release on the backup Routing Engine while keeping the currently running software version on the master Routing Engine. Copyright © 2016, Juniper Networks, Inc. 283 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 3. After making sure that the new software version is running correctly on the backup Routing Engine, switch over to the backup Routing Engine to activate the new software. 4. Install the new software on the original master Routing Engine that is now active as the backup Routing Engine. For the detailed procedure, see the Installation and Upgrade Guide. Basic Procedure for Upgrading to Release 14.2 When upgrading or downgrading Junos OS, use the jinstall package. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide. Use other packages, such as the jbundle package, only when so instructed by a Juniper Networks support representative. NOTE: Back up the file system and the currently active Junos OS configuration before upgrading Junos OS. This allows you to recover to a known, stable environment if the upgrade is unsuccessful. Issue the following command: user@host> request system snapshot NOTE: The installation process rebuilds the file system and completely reinstalls Junos OS. Configuration information from the previous software installation is retained, but the contents of log files might be erased. Stored files on the router, such as configuration templates and shell scripts (the only exceptions are the juniper.conf and ssh files), might be removed. To preserve the stored files, copy them to another system before upgrading or downgrading the routing platform. For more information, see the Junos OS Administration Library for Routing Devices. 284 Copyright © 2016, Juniper Networks, Inc. Migration, Upgrade, and Downgrade Instructions NOTE: We recommend that you upgrade all software packages out of band using the console because in-band connections are lost during the upgrade process. The download and installation process for Junos OS Release 14.2 is different from previous Junos OS releases. 1. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage: http://www.juniper.net/support/downloads/ 2. Select the name of the Junos OS platform for the software that you want to download. 3. Select the release number (the number of the software version that you want to download) from the Release drop-down list to the right of the Download Software page. 4. Select the Software tab. 5. In the Install Package section of the Software tab, select the software package for the release. 6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. 7. Review and accept the End User License Agreement. 8. Download the software to a local host. 9. Copy the software to the routing platform or to your internal software distribution site. 10. Install the new jinstall package on the router. NOTE: After you install a Junos OS Release 14.2 jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software. The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release. Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes. Rebooting occurs only if the upgrade is successful. Customers in the United States and Canada, use the following command: user@host> request system software add validate reboot source/jinstall-14.2R5.5-domestic-signed.tgz Copyright © 2016, Juniper Networks, Inc. 285 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion All other customers, use the following command: user@host> request system software add validate reboot source/jinstall-14.2R5.5-export-signed.tgz Replace the source with one of the following values: • /pathname—For a software package that is installed from a local directory on the router. • For software packages that are downloaded and installed from a remote location: • ftp://hostname/pathname • http://hostname/pathname • scp://hostname/pathname (available only for Canada and U.S. version) The validate option validates the software package against the current configuration as a prerequisite to adding the software package to ensure that the router reboots successfully. This is the default behavior when the software package being added is a different release. Adding the reboot command reboots the router after the upgrade is validated and installed. When the reboot is complete, the router displays the login prompt. The loading process can take 5 to 10 minutes. Rebooting occurs only if the upgrade is successful. NOTE: After you install a Junos OS Release 14.2 jinstall package, you cannot issue the request system software rollback command to return to the previously installed software. Instead you must issue the request system software add validate command and specify the jinstall package that corresponds to the previously installed software. Related Documentation • New and Changed Features on page 261 • Changes in Behavior and Syntax on page 269 • Known Behavior on page 271 • Known Issues on page 271 • Documentation Updates on page 283 • Product Compatibility on page 286 Product Compatibility • 286 Hardware Compatibility on page 287 Copyright © 2016, Juniper Networks, Inc. Product Compatibility Hardware Compatibility To obtain information about the components that are supported on the devices, and special compatibility guidelines with the release, see the Hardware Guide and the Interface Module Reference for the product. To determine the features supported on PTX Series devices in this release, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: http://pathfinder.juniper.net/feature-explorer/ Related Documentation • New and Changed Features on page 261 • Changes in Behavior and Syntax on page 269 • Known Behavior on page 271 • Known Issues on page 271 • Documentation Updates on page 283 • Migration, Upgrade, and Downgrade Instructions on page 283 Copyright © 2016, Juniper Networks, Inc. 287 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Third-Party Components This product includes third-party components. To obtain a complete list of third-party components, see Overview for Routing Devices. For a list of open source attributes for this Junos OS release, see Open Source: Source Files and Attributions. Finding More Information For the latest, most complete information about known and resolved issues with Junos OS, see the Juniper Networks Problem Report Search application at: http://prsearch.juniper.net. Juniper Networks Feature Explorer is a Web-based application that helps you to explore and compare Junos OS feature information to find the correct software release and hardware platform for your network. Find Feature Explorer at: http://pathfinder.juniper.net/feature-explorer/. Juniper Networks Content Explorer is a Web-based application that helps you explore Juniper Networks technical documentation by product, task, and software release, and download documentation in PDF format. Find Content Explorer at: http://www.juniper.net/techpubs/content-applications/content-explorer/. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods: • Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/. • E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable). Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC. • 288 JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf . Copyright © 2016, Juniper Networks, Inc. Requesting Technical Support • Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/. • JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: • Find CSC offerings: http://www.juniper.net/customers/support/ • Search for known bugs: http://www2.juniper.net/kb/ • Find product documentation: http://www.juniper.net/techpubs/ • Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/ • Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/ • Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/ • Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/ • Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/ To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/. Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. • Use the Case Management tool in the CSC at http://www.juniper.net/cm/ . • Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html . If you are reporting a hardware or software problem, issue the following command from the CLI before contacting support: user@host> request support information | save filename To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to ftp.juniper.net/pub/incoming. Then send the filename, along with software version information (the output of the show version command) and the configuration, to support@juniper.net. For documentation issues, fill out the bug report form located at https://www.juniper.net/cgi-bin/docbugreport/. Copyright © 2016, Juniper Networks, Inc. 289 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion Revision History 20 September 2016—Revision 4, Junos OS Release 14.2R7– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 25 August 2016—Revision 3, Junos OS Release 14.2R7– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 19 August 2016—Revision 2, Junos OS Release 14.2R7– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 11 August 2016—Revision 1, Junos OS Release 14.2R7– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 14 July 2016—Revision 8, Junos OS Release 14.2R6– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 10 June 2016—Revision 7, Junos OS Release 14.2R6– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 9 June 2016—Revision 6, Junos OS Release 14.2R6– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 5 May 2016—Revision 5, Junos OS Release 14.2R6– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 29 April 2016—Revision 4, Junos OS Release 14.2R6– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 26 April 2016—Revision 3, Junos OS Release 14.2R6– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 20 April 2016—Revision 2, Junos OS Release 14.2R6– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 12 April 2016—Revision 1, Junos OS Release 14.2R6– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 16 March 2016—Revision 5, Junos OS Release 14.2R5– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 15 March 2016—Revision 4, Junos OS Release 14.2R5– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 6 January 2016—Revision 3, Junos OS Release 14.2R5– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 7 December 2015—Revision 2, Junos OS Release 14.2R5– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 30 November 2015—Revision 1, Junos OS Release 14.2R5– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 290 Copyright © 2016, Juniper Networks, Inc. Requesting Technical Support 9 November 2015—Revision 6, Junos OS Release 14.2R4– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 8 October 2015—Revision 5, Junos OS Release 14.2R4– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 21 September 2015—Revision 4, Junos OS Release 14.2R4– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 15 September 2015—Revision 3, Junos OS Release 14.2R4– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 8 September 2015—Revision 2, Junos OS Release 14.2R4– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 31 August 2015—Revision 1, Junos OS Release 14.2R4– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 2 July 2015—Revision 6, Junos OS Release 14.2R3– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 9 June 2015—Revision 5, Junos OS Release 14.2R3– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 29 May 2015—Revision 4, Junos OS Release 14.2R3– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 28 May 2015—Revision 3, Junos OS Release 14.2R3– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 21 May 2015—Revision 2, Junos OS Release 14.2R3– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 15 May 2015—Revision 1, Junos OS Release 14.2R3– EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion. 7 April 2015—Revision 6, Junos OS Release 14.2R2– EX Series, M Series, MX Series, PTX Series, and T Series. 27 March 2015—Revision 5, Junos OS Release 14.2R2– EX Series, M Series, MX Series, PTX Series, and T Series. 12 March 2015—Revision 4, Junos OS Release 14.2R2– EX Series, M Series, MX Series, PTX Series, and T Series. 12 February 2015—Revision 3, Junos OS Release 14.2R2– EX Series, M Series, MX Series, PTX Series, and T Series. 5 February 2015—Revision 2, Junos OS Release 14.2R2– EX Series, M Series, MX Series, PTX Series, and T Series. 29 January 2015—Revision 1, Junos OS Release 14.2R2– EX Series, M Series, MX Series, PTX Series, and T Series. Copyright © 2016, Juniper Networks, Inc. 291 Release Notes: Junos OS Release 14.2R7 for the EX Series, M Series, MX Series, PTX Series, T Series, and Junos Fusion 19 November 2014—Revision 3, Junos OS Release 14.2R1– EX Series, M Series, MX Series, PTX Series, and T Series. 12 November 2014—Revision 2, Junos OS Release 14.2R1– EX Series, M Series, MX Series, PTX Series, and T Series. 5 November 2014—Revision 1, Junos OS Release 14.2R1– EX Series, M Series, MX Series, PTX Series, and T Series. Copyright © 2016, Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 292 Copyright © 2016, Juniper Networks, Inc.