Junos® OS 10.4 Release Notes
Release 10.4R1
08 December 2010
Revision 1
Copyright © 2010, Juniper Networks, Inc.

These release notes accompany Release 10.4R1 of the Junos operating system (Junos
OS). They describe device documentation and known problems with the software. Junos
OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX
Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
You can also find these release notes on the Juniper Networks Junos OS Documentation
Web page, which is located at http://www.juniper.net/techpubs/software/junos.

Contents

New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers . . . 6
    Class of Service . . . 6
    Interfaces and Chassis . . . 7
    Junos OS XML API and Scripting . . . 13
    Layer 2 Ethernet Services . . . 15
    MPLS Applications . . . 16
    Multicast . . . 16
    Routing Policy and Firewall Filters . . . 16
    Routing Protocols . . . 17
    Services Applications . . . 18
    Subscriber Access Management . . . 23
    System Logging . . . 33
    VPNs . . . 34
Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers . . . 37
    Class of Service . . . 37
    Forwarding and Sampling . . . 37
    Interfaces and Chassis . . . 37
    Junos OS XML API and Scripting . . . 39
    MPLS Application . . . 40
    Platform and Infrastructure . . . 41
    Routing Protocols . . . 41
    Services Applications . . . 43


Summary of Contents for Juniper JUNOS OS 10.4 - RELEASE NOTES

  • Page 1: Table Of Contents

    OS). They describe device documentation and known problems with the software. Junos OS runs on all Juniper Networks M Series, MX Series, and T Series routing platforms, SRX Series Services Gateways, J Series Services Routers, and EX Series Ethernet Switches.
  • Page 2 Downgrade from Release 10.4 ........78 Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers .
  • Page 3 Resolved Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers ..... . 161
  • Page 4 Spanning Tree Protocols ........188
  • Page 5 Revision History ........... . 197
  • Page 6: Junos OS Release Notes For Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, And T Series Core Routers

    JUNOS OS 10.4 Release Notes Junos OS Release Notes for Juniper Networks M Series Multiservice Edge Routers, MX Series Ethernet Service Routers, and T Series Core Routers New Features in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 6 Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX...
  • Page 7: Interfaces And Chassis

    All Ethernet type ports are supported on MX80 routers and MX Series routers with MPCs; ESMC support as per G.8264; CLI command selection of clock sources; monitoring clock sources (maximum of two clock sources can be monitored simultaneously); revertive and nonrevertive modes.
  • Page 8 When the router transitions from a state where SIBs are online or spare to a state where no SIBs are online, then all the FPCs in the system are rebooted. An ERRMSG
  • Page 9 IPv6 network using softwires. DS-Lite creates the IPv6 softwires that terminate on the services PIC. Packets coming out of the softwire can then have other services such as NAT applied on them. [Services Interface, System Basics and Services Command Reference]
  • Page 10 SA multicast forwarding-mode mode, for proprietary connection of two Juniper Networks 100-Gigabit Ethernet PICs, uses the Ethernet header SA MAC address multicast bit to steer the packets to the appropriate PFE. VLAN steering mode allows the PIC to connect to non-Juniper Networks equipment.
  • Page 11 The PIC AE working in VLAN steering mode includes both links of this PIC, and only the links of this PIC. The PIC AE working in SA multicast steering mode can include more than one PIC to achieve more than 100-gigabit capacity.
  • Page 12 Untagged IS-IS packets When the control queue feature is disabled, untagged ARP/IS-IS and other untagged Layer 2 control packets will go to the restricted queue corresponding to the forwarding class associated with queue 0. [Network Interfaces]
  • Page 13: Junos OS XML API And Scripting

    NONE get_bios_version_information <get-cos- show class-of-service congestion-notification <cos-congestion-notification-information> congestion- notification- information> get_cos_congestion_notification_information <get-firewall-log-information> show firewall filter version <firewall-information> get_firewall_log_information <get-interface-information> show ingress-replication <ingress-replication-information> get_interface_information <get-isis-context- show isis context-identifier <isis-context-identifier- information> identifier-origin- information> get_isis_context_ identifier_origin_information
  • Page 14 <bsg-charging-status> get_service_bsg_denied_messages charging status <get-services-l2tp-radius- show services l2tp destination <service-l2tp-destination- information> accounting-statistics-information> get_services_l2tp_radius_acco unting_statistics_information <get-service-softwire-statistics-information> show services sessions <msp-session-table> get_service_softwire_statistics _information <get_service_sfw_ show services softwire <service-softwire-table- information> conversation_ information> get_service_sfw_conversation _information
  • Page 15: Layer 2 Ethernet Services

    OAM IEEE 802.1ag Phase 4 MIP support, LLDP, BPDU guard and loop guard, IRB support for interworking of LDP-VPLS and BGP-VPLS, BGP multihoming for Inter-AS VPLS, VPLS Ethernet as a core-facing interface, and limitations on next-hop flooding. [Layer 2 Configuration]
  • Page 16: MPLS Applications

    The RPD_PLCY_CFG_NH_NETMASK system log message provides information about ignored netmasks. If you have a policy statement with a term that contains a next-hop address with a netmask, the netmask is ignored.
  • Page 17: Routing Protocols

    To disable and stop receiving notifications for state changes in a passive OSPF interface, include the no-interface-state-traps statement at the following hierarchy levels: [edit logical-systems logical-system-name protocols ospf area area-id interface interface-name] [edit logical-systems logical-system-name routing-instances routing-instance-name protocols ospf area area-id interface interface-name]
  • Page 18: Services Applications

    NAT-PT with DNS ALG support (M Series and T Series routers)—You can configure Domain Name Service (DNS) application-level gateways (ALGs) using NAT with protocol translation (NAT-PT) for IPv6 to IPv4. The implementation is described in RFC 2766 and RFC 2694.
  • Page 19 [edit services flow-monitoring version9 template template-name] hierarchy level. For a list of the template fields, see the Junos OS Services Interfaces Configuration Guide. You can apply
  • Page 20 1 { pic 2 { adaptive-services { service-package { extension-provider { control-cores 1; data-cores 1; object-cache-size 512; policy-db-size 64; package jservices-rpm; syslog daemon any;
  • Page 21 The specified routers now support loading multiple IDP detectors simultaneously. When a policy is loaded, it is also associated with a detector. If the new policy being loaded has an associated detector that matches the detector already being used by
  • Page 22 Multiservice interface. To check the configuration, use the show command. To show the run time (dynamic state) configuration services stateful-firewall information on the interface, use the command. show services sessions [Services Interfaces]
  • Page 23: Subscriber Access Management

    No configuration is required for this tunnel selection method. You can include the fail-over-within-preference statement at the [edit services l2tp] hierarchy level to configure tunnel selection failover within a preference level. With this
  • Page 24 [edit class-of-service interfaces] hierarchy level. A new Juniper Networks VSA (attribute 26-130) is now supported for the interface set name, and includes a predefined variable, $junos-interface-set-name. The VSA is supported for RADIUS Access-Accept messages only; change of authorization (CoA) requests are not supported.
  • Page 25 IP header to the outer IP header of the L2TP packet. For ingress tunnels, you configure fixed or behavior aggregate (BA) classifiers for the PPP interface or an underlying VLAN interface at Layer 2. You can configure Layer 3
  • Page 26 You can optionally configure the remaining tunnel attributes. Include the remote-gateway name server-name statement to configure the LNS hostname. Include the source-gateway address client-ip-address statement and the source-gateway name client-name statements to configure the local (LAC) tunnel endpoint. Although you
  • Page 27 The following table shows the RADIUS VSAs that are now supported for defining a tunnel. Attribute Number: 26-8; Attribute Name: Tunnel-Virtual-Router; Description: Virtual router name for tunnel connection; Value: string: tunnel-virtual-router
  • Page 28 Subscriber management uses dynamic profiles to obtain the ADF rules from the RADIUS server. You can use the new Junos OS predefined variables ($junos-adf-rule-v4 for family inet and $junos-adf-rule-v6 for inet6) to map ADF rules to Junos OS functionality, or you can statically create ADF rules.
  • Page 29 In Junos OS Release 10.3 and earlier releases, DHCP relay drops stray requests and forwards a NAK to the client when authentication is configured. Otherwise, DHCP relay attempts to bind the requesting client. In those releases, DHCP relay proxy always
  • Page 30 NOTE: In this release, Layer 2 wholesaling supports the use of only the default logical system using multiple routing instances. The Juniper Networks Layer 2 wholesale solution is similar to the Layer 3 wholesale solution in many ways. However, when configuring the Juniper Networks Layer 2...
  • Page 31 $junos-vlan-map-id dynamic variable. Include the output-vlan-map statement at the [edit dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit $junos-interface-unit] hierarchy level and specify the action that you want the output VLAN map to take. See the Network
  • Page 32 NOTE: This encapsulation type can support multiple TPIDs and does not have a VLAN ID limitation. Specify the vpls option for the instance-type statement for any retailer routing instances you plan to use at the [edit routing-instances instance-name] hierarchy level.
  • Page 33: System Logging

    System Logging New and deprecated system log tags—The following system log messages are new in this release: ASP_SFW_DELETE_FLOW CHASSISD_FM_FABRIC_DOWN CHASSISD_FPC_FABRIC_DOWN_REBOOT CHASSISD_FRU_INTEROP_UNSUPPORTED CHASSISD_RE_CONSOLE_FE_STORM RPD_AMT_CFG_ADDR_FMLY_INVALID RPD_AMT_CFG_ANYCAST_INVALID RPD_AMT_CFG_ANYCAST_MCAST RPD_AMT_CFG_LOC_ADDR_INVALID RPD_AMT_CFG_LOC_ADDR_MCAST RPD_AMT_CFG_PREFIX_LEN_SHORT RPD_AMT_CFG_RELAY_INVALID RPD_BGP_CFG_ADDR_INVALID RPD_BGP_CFG_LOCAL_ASNUM_WARN RPD_CFG_TRACE_FILE_MISSING RPD_LDP_GR_CFG_IGNORED RPD_MC_CFG_FWDCACHE_CONFLICT
  • Page 34: VPNs

    T Series routers—Layer 3 VPN composite next hops can now be enabled on T Series routers with Enhanced Scaling FPCs by including the l3vpn-composite-nexthop statement at the [edit routing options] [edit logical-systems logical-system-name
  • Page 35 PE routers to repair the connection within tens of milliseconds. An egress protection LSP addresses the problem of when a link failure occurs at the edge of the network (for example, a link failure between a PE router and a CE device).
  • Page 36 Changes in Default Behavior and Syntax in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 37 Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 48
  • Page 37: Changes In Default Behavior And Syntax In Junos OS Release 10.4 For M Series, MX Series, And T Series Routers

    TLV events transmitted since the OAM layer was reset and displays the number of errored frames detected since the OAM layer was reset.
  • Page 38 IMA Group state : NE: Firmware Error IMA Link state : Line: Firmware Error The customer must contact JTAC for a PIC firmware upgrade to proceed with IMA. [Interfaces Command Reference, System Log Messages Reference]
  • Page 39: Junos OS XML API And Scripting

    —Force the commit on the other Routing Engine (ignore any force-synchronize warnings). —Write the specified message to the commit log. This is identical to the CLI configuration mode command commit comment —Synchronize the commit on both Routing Engines. synchronize
  • Page 40: MPLS Application

    [edit protocols rsvp] revertive mode as specified in RFC 4090, Fast Reroute Extensions to RSVP-TE for LSP). RSVP local revertive mode is supported on all Juniper Networks routers running the Junos OS software by default. If you configure the no-local-reversion statement, the Juniper Networks router uses global revertive mode instead.
  • Page 41: Platform And Infrastructure

    BGP community entries. To configure the number of community entries, specify the statement and include the from community-count value (equal | orhigher | orlower) match condition statement at the following hierarchy levels: [edit policy-options policy-statement policy-name term term-name]
  • Page 42 Jun 15 21:54:43.831533 RPD_PIM_NBRDOWN: Instance PIM.master: PIM neighbor 11.1.1.2 (so-0/1/3.0) removed due to: the interface is purged Jun 15 21:53:28.941198 RPD_PIM_NBRUP: Instance PIM.master: PIM new neighbor 11.1.1.2 interface so-0/1/3.0 [System Log Messages Reference]
  • Page 43: Services Applications

    Preserve-parity destination ports, and odd ports for packets with odd destination ports. Preserve-range allocates ports within a range of 0 through 1023 assuming the original packet contains
  • Page 44: Subscriber Access Management

    DSL subscriber and data rate. The attributes are defined in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes. Junos OS uses the vendor ID 3561, which is assigned by the Internet Assigned Numbers Authority (IANA), for the DSL Forum VSAs.
  • Page 45 “$junos-interface-unit”] pppoe-options subhierarchy must include the name of the underlying Ethernet interface, represented by the $junos-underlying-interface predefined dynamic variable, and the server statement. For example: [edit] dynamic-profiles { pppoe-profile { interfaces { pp0 {
  • Page 46: User Interface And Configuration

    Include this statement in the configuration to reduce the detection time for PPP client session timeouts or failures if you have configured the keepalive timeout interval (using the keepalive statement). [System Basics]
  • Page 47 M120 and M320 routers [System Basics and Services Command Reference] Enhancement to the show chassis fpc command—The show chassis fpc command now displays accurate temperature readings for the FPC. [System Basics and Services Command Reference]
  • Page 48: VPNs

    PLP rewrite, a two time PLP rewrite occurs with the PLP bits of the packets matching the filter condition set on the PLP set action in the policer, and later the PLP set action is set on the firewall filter. [PR/566896]
  • Page 49 When an ATM II interface is configured as a Layer 2 circuit with cell transport mode on a router running Junos OS Release 8.2 or lower, interoperability issues with other network equipment and other Juniper Networks routers running Junos OS Release 8.3 or higher might occur. [PR/255622] Upon a link up event, old packets from the previous link down are still dequeued.
  • Page 50 To deactivate or deconfigure the relay, clear all the bindings before you deactivate or delete the relay. [PR/498920] The PIM neighborship does not appear over the IRB interface after the dense port concentrator (DPC) is restarted. [PR/559101]
  • Page 51 Packet Forwarding Engine. When this occurs, the error messages similar to the following are displayed:
  • Page 52 "jsr_sdrl_set_data: No space dlen." [PR/552945] When a default route target is sent by a BGP peer, the BGP does not track the VPN routes covered by this route target. When the default route target goes away, the BGP
  • Page 53 The data channel applications for protocols such as FTP, TFTP, RTSP, and SIP are not in the same application group as their control channel applications. For example, control channel application junos:ftp is in the group junos:file-server, but the corresponding data application junos:system:ftp-data is not in any group. [PR/507865]
  • Page 54 [PR/535574] When an HTTPS connection is used for the J-Web interface in the Internet Explorer to save a report from the View Events page (Monitor->Events and Alarms->View events),
  • Page 55: Previous Releases

    When a logical interface set has a shaping-rate less than the sum of transmit-rates of its queues and when the configuration is corrected so that the logical interface set gets the correct shaping-rate, ADPC might crash. [PR/523507: This issue has been resolved.]
  • Page 56 [PR/540891: This issue has been resolved.] A GRE interface might experience an incoming packet loss if a firewall filter is configured on the forwarding table. [PR/541901: This issue has been resolved.]
  • Page 57 MX960 and SRX5800 routers: MX960 /kernel: PCF8584(WR): transmit failure on byte 1 MX960 /kernel: PCF8584(WR): (i2c_s1=0x80, group=0xe, device=0x54) MX960 /kernel: PCF8584(WR): busy at start, attempting to clear MX960 /kernel: PCF8584(WR): (i2c_s1=0x00, group=0xe, device=0x54)
  • Page 58 When neither the per-unit scheduler nor the hierarchical-scheduler is configured on a physical interface and the physical interface has the overhead-accounting bytes configured, it does not take effect. [PR/544608: This issue has been resolved.]
  • Page 59 Because of this, the AE interface gets stuck in the detached state after it is rebooted from both ends. Additionally, the AE interface flaps when the backup Routing Engine is rebooted and a graceful Routing Engine switchover (GRES) is performed. [PR/547739: This issue has been resolved.]
  • Page 60 MBB re-routing of a P2MP LSP occurs, an MPLS route can become stale. This can cause a routing protocol process assertion failure on a transit router. [PR/555219: This issue has been resolved.]
  • Page 61 After the MS-PIC’s homing PE interfaces used for MVPN are taken offline and brought back online, the following message may be logged: “flip-re0 fpc3 SLCHIP(0): %PFE-3: Channel 8189 (iif=701) on stream 32 already exists.” [PR/527813: This issue has been resolved.]
  • Page 62 SFP Gigabit Ethernet PICs are located on the same Packet Forwarding Engine. [PR/546835: This issue has been resolved.] In Junos OS Release 9.3 and later, when routers using Enhanced FPCs (T640-FPCx-ES or T1600-FPC4-ES FPCs) have a configuration involving CBF LSPs and aggregate
  • Page 63 [PR/540674: This issue has been resolved.] The routing protocol process might crash when a BGP connection attempt meets with an RST from the peer. This is due to an unlikely race condition. [PR/540895: This issue has been resolved.]
  • Page 64 On M Series routers configured for L2TP tunneling with several thousands of PPP connections, when all the PPP sessions expire at the same time, the MS-PIC might hang and become unusable. To recover the service, restart the PIC. [PR/541793: This issue has been resolved.]
  • Page 65 CPU utilization. [PR/531987: This issue has been resolved.] Under certain circumstances, the container interfaces might not send the proper martini modes to the routing protocol process. This results in incorrect control-word-related
  • Page 66: Errata And Changes In Documentation For Junos OS Release 10.4 For M Series, MX Series, And T Series Routers

    The configuration examples are applicable to Junos OS Release 10.2 and later. The Junos OS Layer 2 Configuration Guide provides an overview of the Layer 2 functions supported on Juniper Networks routers, including configuring bridge domains, MAC addresses and VLAN learning and forwarding, and spanning-tree protocols. It also details the routing instance types used by Layer 2 applications.
  • Page 67: Errata

    This configuration is correct and interoperates with routers running all versions of Junos However, the chapter does not mention that you can also include the encapsulation atm-ccc-cell-relay statement at the [edit interfaces interface-name unit
  • Page 68 This configuration interoperates only between Juniper Networks routers running Junos OS Release 8.2 or earlier. This configuration does not interoperate with other network equipment, including a Juniper Networks router running Junos OS Release 8.3 or later, unless it is also configured with the same statement.
  • Page 69 Access Configuration Guide erroneously states that dynamic CoS is supported for dynamic VLANs on the Trio MPC/MIC family of products. In the current release, dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces.
  • Page 70: Upgrade And Downgrade Instructions For Junos OS Release 10.4 For M Series, MX Series, And T Series Routers

    Upgrading the Software for a Routing Matrix on page 75 Upgrading Using ISSU on page 76 Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and NSR on page 76
  • Page 71: Basic Procedure For Upgrading To Release 10.4

    When upgrading or downgrading the Junos OS, always use the jinstall package. Use other packages (such as the jbundle package) only when so instructed by a Juniper Networks support representative. For information about the contents of the jinstall package and details of the installation process, see the Junos OS Installation and Upgrade Guide.
  • Page 72 If you are not familiar with the download and installation process, follow these steps: Using a Web browser, follow the links to the download URL on the Juniper Networks Web page. Choose either Canada and U.S. Version or Worldwide Version: (customers in the United https://www.juniper.net/support/csc/swdist-domestic/...
  • Page 73: Upgrading A Router With Redundant Routing Engines

    VPN loopback address is used for reverse path forwarding (RPF) route resolution to create the reverse path tree (RPT), or multicast tunnel. The multicast VPN loopback address is also used as the source address in outgoing PIM control messages.
  • Page 74 Juniper Networks routers and the other vendors’ routers. This configuration should be on Juniper Networks routers and on the other vendors’ routers where you configured the lo0.mvpn address in each VRF instance as the same address as the main loopback (lo0.0) address.
  • Page 75: Upgrading The Software For A Routing Matrix

    | match routing command For a routing matrix with a TX Matrix Plus router, the SFC contains two model RE-DUO-C2600-16G Routing Engines, and each LCC contains two model RE-DUO-C1800-8G Routing Engines.
  • Page 76: Upgrading Using ISSU

    PIM only, so that you can activate incompatible PIM features and continue to use NSR for the other protocols on the router: the nonstop-routing disable statement at the [edit protocols pim] hierarchy level. (Note that this statement disables NSR for all PIM features, not only incompatible features.)
  • Page 77: Upgrade Policy For Junos OS Extended End-Of-Life Releases

    10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.
  • Page 78: Downgrade From Release 10.4

    Issues in Junos OS Release 10.4 for M Series, MX Series, and T Series Routers on page 48 Errata and Changes in Documentation for Junos OS Software Release 10.4 for M Series, MX Series, and T Series Routers on page 66
  • Page 79: Junos OS Release Notes For Juniper Networks SRX Series Services Gateways And J Series Services Routers

    Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers Junos OS Release Notes for Juniper Networks SRX Series Services Gateways and J Series Services Routers Powered by Junos OS, Juniper Networks SRX Series Services Gateways provide robust networking and security services.
  • Page 80: Software Features

    Web management URL. Three other wizards in the J-Web interface enable you to configure basic firewall policies, basic IPsec VPN settings, and basic NAT settings.
  • Page 81 The new log structure is as follows: <67>1 2009-08-18T19:47:23.191 srx5800-00 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.26 attack-name="SYN flood Src-IP based!" source-address="112.0.0.110" source-port="80" destination-address="111.0.0.113" destination-port="3033" source-zone-name="mobiles" interface-name="reth1.112" action="alarm-without-drop"] [Junos OS Security Configuration Guide]
  • Page 82 Disabling SIP registration to the peer call server—The SRX Series MGW sends registration messages to the peer call server. For some network environments in which all media gateways are known to the peer call server, the SRX Series MGW is not
  • Page 83 RTP packets and direct them to a higher priority queue in order to achieve better voice quality when packet traffic is congested. Juniper Networks devices provide classification, priority queuing, and other kinds of class-of-service (CoS) configuration under the CoS configuration hierarchy.
  • Page 84 This feature is supported when the SRX Series SCS is in control. Under normal conditions when it is reachable, the peer call server provides this service if it is supported. [Junos OS Integrated Convergence Services Configuration and Administration Guide]
  • Page 85 NOTE: IKE is not supported in a custom VR (virtual router). The IKE gateway external interface must reside in the default virtual router (inet.0). Manual key management; Transit traffic; Self-traffic; VPN monitoring; Hub-and-spoke VPNs; Encapsulating Security Payload (ESP) protocol; Authentication Header (AH) protocol
  • Page 86 Series and J Series devices. MIBs are not used in the IPv6 flow. IPv6 security is available to avoid impact on the existing IPv4 system. If IPv6 security is enabled, extended sessions and gates are allocated. The existing address fields and
  • Page 87 Host inbound and outbound traffic—IPv6 advanced flow supports all route and management protocols running on the Routing Engine, including OSPF v3, RIPng, Telnet, and SSH. Note that flow label is not used in the flow. Tunnel traffic—IPv6 advanced flow supports the following tunnel types:
  • Page 88 IPv4 packet, and transmits it across the softwire. The SC receives an IPv4 packet in the IPv6 softwire packet and decapsulates the IPv6 softwire packet to retrieve the inner IPv4 packet. Multiple SIs can have the same SC as the endpoint of the softwires.
  • Page 89 [Junos OS CLI Reference, Junos OS Interfaces Configuration Guide for Security Devices, Junos OS Security Configuration Guide] FTP ALG for routing—This feature is supported on all SRX Series and J Series devices. Copyright © 2010, Juniper Networks, Inc.
  • Page 90 Translates an ICMPv4 error message to an ICMPv6 error message and translates its embedded IPv4 packet to an IPv6 packet Translates an ICMPv6 error message to an ICMPv4 error message and translates its embedded IPv6 packet to an IPv4 packet Copyright © 2010, Juniper Networks, Inc.
  • Page 91 In IPv6 multicast flow, a multicast router has the following three roles: Designated router Intermediate router Rendezvous point [Junos OS Class of Service Configuration Guide] NAT—This feature is supported on all SRX Series and J Series devices.
  • Page 92 Note that you can now use the host inbound traffic configuration to permit traffic from the following IPv6-related services and protocols: DHCPv6, neighbor discovery (ND) protocol, OSPF3, and RIPng. [Junos OS Security Configuration Guide]
  • Page 93 Port colors change to indicate the port link status. For example, the port lights steadily green when the port is up and red when the port is down. Displays Help tips when you hover the mouse over a port.
  • Page 94 The only features supported on a virtual channel are queuing, packet scheduling, and accounting. Rewrite rules and routing protocols apply to the entire logical interface. [LN1000 Mobile Secure Router User Guide]
  • Page 95 When event activity occurs, you can quickly drill down to detailed information about the specific item. In Junos OS Release 10.4, on-box reporting capabilities include: Real-time threat event monitoring Dynamic visuals for quick threat identification, tracking, and analysis
  • Page 96 USB flash drive into the USB port of the SRX Series device and performing a few simple steps. NOTE: USB upgrades are not supported on chassis clusters.
  • Page 97 Each proposal set consists of two or more predefined proposals. The server selects one predefined proposal from the set configured and pushes it to the client in the client configuration. The client uses this proposal in negotiations with the server to establish the connection.
  • Page 98 Assigns attributes such as wins server and name-server address. Updates the associated client entry in the session database. Note: For client applications that rely on a RADIUS or other external server for authentication, AUTHD might not assign IP addresses.
  • Page 99 The shared-ike-id and group-ike-id allow you to configure VPN once for multiple users. All users connecting through a shared-ike-id configuration use the same IKE ID and preshared key. The user credentials are verified in the extended authentication (XAuth)
  • Page 100: Hardware Features-Srx210, Srx220, And Srx240 Services

    This Mini-PIM can be used in copper and optical environments to provide maximum flexibility when upgrading from an existing infrastructure to Metro Ethernet. This Mini-PIM is supported on the following devices: SRX210 Services Gateway SRX220 Services Gateway SRX240 Services Gateway
  • Page 101: Gateways

    Hardware Features—SRX220 Services Gateway with Power Over Ethernet Overview The Juniper Networks SRX220 Services Gateway with Power over Ethernet (PoE) offers complete functionality and flexibility for delivering secure, reliable data over IP, along with multiple interfaces that support WAN and LAN connectivity.
  • Page 102 For more details on the SRX220 Services Gateway software features and licenses, see the Junos OS Administration Guide for Security Devices. Hardware Interfaces Table 4 on page 103 summarizes the interface ports supported on the SRX220 Services Gateway.
  • Page 103 Uses an RJ-45 serial cable connector To provide the console interface Supports the RS-232 (EIA-232) To function as a management port to standard log into a device directly To configure the device using the CLI
  • Page 104: Hardware Features-Srx1400 Services Gateway

    NOTE: We strongly recommend that only transceivers provided by Juniper Networks be used on an SRX220 Services Gateway. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used. Contact Juniper Networks for the correct transceiver part number for your device. Hardware Features—SRX1400 Services Gateway...
  • Page 105 The SRX1400 Services Gateway allows two power supplies for redundancy. The following types of power supplies are supported: AC power supply (for AC-powered devices) DC power supply (for DC-powered devices) Ethernet port (10/100/1000 Mbps) Console port Universal Serial Bus (USB) ports
  • Page 106 2.4 lb (1.1 kg) Fan tray weight 2.93 lb (1.33 kg) Air filter weight 0.11 lb (0.054 kg) DC power supply weight 2.9 lb (1.3 kg) AC power supply weight 3.1 lb (1.4 kg)
  • Page 107: Hardware Features-Srx3400 And Srx3600 Services Gateways

    1 IOCs 2 IOCs 1 IOC 0 IOCs supported In the SRX3600 Services Gateway, the supported SPC, NPC, and IOC configurations are the same for both the standard and the enhanced DC power supply.
  • Page 108: Advertising Bandwidth For Neighbors On A Broadcast Link Support

    GDOI in a networking environment that includes both Juniper Networks security devices and Cisco routers. This topic discusses important items to note when using Cisco routers with GET VPN and Juniper Networks security devices with group VPN.
  • Page 109: Changes In Default Behavior And Syntax In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member would match Cisco behavior.
  • Page 110: Application Identification

    —Uninstall from your configuration all custom application definitions customer-defined that you created, but maintain the predefined application definition package. predefined —(Default) Uninstall from your configuration the predefined application definition package, but maintain all custom application definitions that you have created.
  • Page 111: Application Layer Gateways (Algs)

    | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.
  • Page 112: Command-Line Interface (Cli)

    1 Channel 1 2 Channel 2 3 Channel 3 4 Channel 4 5 Channel 5 6 Channel 6 7 Channel 7 8 Channel 8 9 Channel 9 10 Channel 10 11 Channel 11 12 Channel 12
  • Page 113 Radio Frequency -a an Radio Frequency -an [edit] Example 2: user@host# set wlan access-point mav0 radio 2 radio-options mode ? Possible completions: 2.4GHz Radio Frequency --2.4GHz-n bg Radio Frequency -bg bgn Radio Frequency -bgn
  • Page 114: Configuration

    24M /config s3f 342M /var s4a 30M recovery Configuration J Series devices no longer allow a configuration in which a tunnel's source or destination address falls under the subnet of the same logical interface’s address.
  • Page 115: Dynamic Vpn

  • Page 116 Junos OS Release 10.4 to 9.6 and earlier releases. Rename lsq-0/0/0 ls-0/0/0 in all its occurrences. Remove from the hierarchy level and from fragmentation-map [class-of-service] , if configured. [class-of-service interfaces lsq-0/0/0]
  • Page 117: Installation

    DHCP client on the interface and remains in the DHCP client mode. In previous releases, after a certain period, the interface changed from being a DHCP client to a DHCP server.
  • Page 118: Intrusion Detection And Prevention (Idp)

    When no attack is seen within the 60-second period and the BFQ entry is flushed out, the match count starts afresh, and the new attack match shows up in the attack table, and the log is generated as explained above.
  • Page 119: J-Web

    To disable J-Web, the administrator must configure a loopback interface of for HTTP or HTTPS. This ensures that the webserver rejects all J-Web access requests. web-management { traceoptions { level all; flag dynamic-vpn; flag all;
  • Page 120 VPN login Not Found page dynamic VPN login dynamic VPN is page page configured. Case 2: J-Web and dynamic VPN do share the same interface. Scenario http(s)://server http(s)://server http(s)://server host host//configured attribute host//dynamic-vpn
  • Page 121: Management And Administration

    By default, only the internal CompactFlash is enabled, and an option to take a snapshot of the configuration from the internal CompactFlash to the external compact flash is not supported. This can be done only by using a USB storage device.
  • Page 122: Multilink

    S3 priority high Configure the following scheduler map set class-of-service scheduler-maps lsqlink_map forwarding-class best-effort scheduler set class-of-service scheduler-maps lsqlink_map forwarding-class assured-forwarding scheduler S2 set class-of-service scheduler-maps lsqlink_map forwarding-class network-control scheduler S3
  • Page 123: Power Over Ethernet (Poe)

    Table 9: VLAN IDs Reserved for Internal Use VLAN IDs Reservations SRX100 SRX210 SRX220 SRX240 SRX650 3968-4047 ——— ——— ——— Reserved Reserved 4093 Reserved Reserved Reserved Reserved Reserved 4094 Reserved* Reserved* Reserved* Reserved* Reserved*
  • Page 124: Wireless Lan (Wlan)

    CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set chassis craft-lockout set chassis routing-engine on-disk-failure
  • Page 125: Class-Of-Service Hierarchy

    CLI editor, they appear to succeed and do not display an error message. Aggregated Interface CLI on page 126 ATM Interface CLI on page 126 Ethernet Interfaces on page 127 GRE Interface CLI on page 127 IP Interface CLI on page 128
  • Page 126 0 compression-device set interfaces at-1/0/0 unit 0 epd-threshold set interfaces at-1/0/0 unit 0 inverse-arp set interfaces at-1/0/0 unit 0 layer2-policer set interfaces at-1/0/0 unit 0 multicast-vci set interfaces at-1/0/0 unit 0 multipoint
  • Page 127 The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set interfaces gr-0/0/0 unit 0 ppp-options set interfaces gr-0/0/0 unit 0 layer2-policer
  • Page 128 T1 Interface CLI The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set interfaces t1-1/0/0 receive-bucket
  • Page 129: Protocols Hierarchy

    However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message. set protocols bfd no-issu-timer-negotiation set protocols bgp idle-after-switch-over
  • Page 130: Routing Hierarchy

    SNMP hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message. set snmp community 90 logical-system set snmp logical-system-trap-filter set snmp trap-options logical-system set snmp trap-group d1 logical-system
  • Page 131: System Hierarchy

  • Page 132 Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 143 Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 166
  • Page 133: Known Limitations In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    On SRX Series device failover, access points on the Layer 2 switch reboot and all wireless clients lose connectivity for 4-6 minutes. On VDSL mini-PIM, chassis cluster is not supported for VDSL mode. Queuing on aggregated Ethernet interface is not supported. (ae)
  • Page 134: Command-Line Interface (Cli)

    For SRX240 devices: six CLI users and five J-Web users On SRX210 devices with Integrated Convergence Services, TDM configuration change might interrupt existing TDM calls. The voice calls do not work. Run the CLI restart rtmd command after making a configuration change.
  • Page 135: Dynamic Host Configuration Protocol (Dhcp)

    CPU intensive commands, SNMP Walks etc causes the BFD to flap while processing large BGP updates. For other limitations in flow and processing, see “Limitations of Flow and Processing” in the Junos OS Security Configuration Guide.
  • Page 136: Hardware

    In the packet processor on an IOC, the maximum number of three-color-policers is 2000. The maximum burst size of a policer or three-color-policer is 16 MB. 1G half-duplex mode of operation is not supported in the autonegotiation mode for the following devices:
  • Page 137: Interfaces And Routing

    On SRX240 High Memory devices, traffic might stop between SRX240 device and CISCO switch due to link mode mismatch. As a workaround, Juniper Networks recommends setting auto-negotiation parameters on both ends to the same value. On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a workaround, run the command and restart the FPC.
  • Page 138: Intrusion Detection And Prevention (Idp)

    Administrators must update the detector by using the request security idp command followed by security-package download full-update request security idp command. security-package install IDP does not allow header checks for nonpacket contexts.
  • Page 139: Ipv6 Support

    Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.
  • Page 140: Netscreen-Remote

    Table 10: Number of Rules on SRX Series and J Series Devices NAT Rule SRX3400 SRX5600 Type SRX100 SRX210 SRX2 40 SRX650 SRX3600 SRX5800 J Series Source NAT 1024 1024 8192 8192 rule Destination 1024 1024 8192 8192 NAT rule
  • Page 141: Point-To-Point Protocol Over Ethernet (Pppoe)

    On SRX100, SRX210, SRX240 and SRX650 devices, on the routed VLAN interface, the following features are not supported: IPv6 (family inet6) ISIS (family ISO) Class-of-service Encapsulations (Ether CCC, VLAN CCC, VPLS, PPPOE etc) on VLAN interfaces CLNS
  • Page 142: Unified Threat Management (Utm)

    Issues in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 143 Errata and Changes in Documentation for Junos OS Release 10.4 for SRX Series Services Gateways and J Series Services Routers on page 166
  • Page 143: Issues In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    On J Series devices in a chassis cluster, a high load of SIP ALG traffic might result in some call leaks in active resource manager groups and gates on the backup router. [PR/268613] On SRX3400, SRX3600, SRX5600, and SRX5800 devices, 8-queue configurations are not reflected on the chassis cluster interface. [PR/389451]
  • Page 144 One node is primary; the other node is secondary. Both nodes have nonzero priority values unless a monitored interface is down.
  • Page 145 Dual-stack lite concentrator could take effect on the traffic flow. [PR/541516] On SRX5600 devices, with heavy DS-Lite traffic, flowd might stop responding with flow table corruption because of a function related to flow table operation (for example, flow_table_find_flow_v6). [PR/548790]
  • Page 146 MAC address because multicast switching is based on the Layer 2 address. [PR/418519] On SRX650 devices, the input DA errors are not updated when packets are dropped because of MAC filtering on the following: SRX240 device SRX210 device
  • Page 147 On SRX240 PoE and J4350 devices, the first packet on each multilink class is dropped on reassembly. [PR/455023] On SRX5600 and SRX5800 devices, system log messages are not generated when CPU utilization returns to normal. [PR/456304]
  • Page 148 (IP shifting) [PR/540816] On SRX3600 devices, if the interface address is changed to a new address that is also the dual-stack lite concentrator address with the background traffic target to the
  • Page 149 BIOS configuration mode does not Clear NVRAM work as expected. This issue can be seen on the J4350 and J6350 routers with BIOS Version 080011 and on the J2320 and J2350 routers with BIOS Version 080012. To
  • Page 150 PRI. [PR/516021] On SRX210 and SRX240 devices with Integrated Convergence Services, if you have the accounting feature configured (Services>Convergence services>Features), you cannot configure the account code on a per-station basis. [PR/516681]
  • Page 151 On J Series devices, one member link goes down in a Multilink (ML) bundle during bidirectional traffic with Multilink Frame Relay (MFR). [PR/445679] On SRX210 devices, the modem moves to the dial-out pending state while connecting or disconnecting the call. [PR/454996]
  • Page 152 On SRX240 and SRX650 devices, IGMP reports are flooded on all ports that are part of the same multicast group instead of being sent on only the router interface. [PR/546444] On SRX650 devices, the speed for the interface shows the interface speed and not the negotiated speed. [PR/553339]
  • Page 153 Key sizes of 1024 bits and 2096 bits are OK to process because their processing time is below the watchdog threshold, but the key size of 4096 bits should not be used when sending stress traffic. Also, IDP uses SSL hardware for <=
  • Page 154 (AS) and mask length. The AS or mask length values of packets show while sampling cflowd the packet on the virtual router interface. [PR/419563]
  • Page 155 IPS rule in IDP policy page. You must use the Move down button in the landing page. [PR/499499] On SRX Series and J Series devices, in the J-Web interface, the button does move/edit not work for the exempt rulebase on the IDP Policy configuration page. As a workaround,
  • Page 156 On SRX240 devices, the Scheduler Oinker messages are seen on the console at various instances with various Mini-PIM combinations. These messages are seen during bootup, while restarting fwdd, while restarting chassisd, and during configuration commits. [PR/437553]
  • Page 157 AX411 Access Point. [PR/471357] On SRX210 PoE devices, high latencies might be observed for the Internet Control Message Protocol (ICMP) pings between two wireless clients when 32 virtual access points (VAPs) are configured. [PR/472131]
  • Page 158 On SRX650 devices operating under stress conditions, the UTM subsystem file partition might fill up faster than UTM can process and clean up existing temporary files. In that case, the user might see error messages. As a workaround, reboot the system. [PR/435124]
  • Page 159 On SRX100, SRX210, and SRX240 devices, the packets are not sent out of the physical interface when the VLAN ID associated with the VLAN interface is changed. As a workaround, you need to clear the ARP. [PR/438151]
  • Page 160 On SRX3400 and SRX3600 devices, the VPN monitor status in the DEP server side stays down for some time after RG0 and RG1 failover because there is no active state sync up for VPN monitoring. [PR/532952]
  • Page 161: Resolved Issues In Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    The following are the issues that have been resolved since Junos OS Release 10.3 for Juniper Networks SRX Series Services Gateways and J Series Services Routers. The identifier following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.
  • Page 162 [PR/522657: This issue has been resolved.] On SRX3600 devices, transit traffic to the VRRP MAC address was not policed by simple-filter policing on the IOC. [PR/528402: This issue has been resolved.]
  • Page 163 On SRX240 devices with voice capability and Avaya ASM set up, the DTMF tone was not heard when the last added party in a 3-way conference call hangs up. [PR/529115: This issue has been resolved.]
  • Page 164 (NAT-T) for IKE Gateway in J-Web did not reflect properly. [PR/527151: This issue has been resolved.] On SRX100, SRX210, SRX220, and SRX240 devices, the J-Web setup wizard did not work in IE. [PR/536027: This issue has been resolved.]
  • Page 165 On SRX210 High Memory devices, when using an IKE preshared key of more than 41 ASCII characters for dynamic VPN, the IKE phase 1 connection failed to establish. [PR/523231: This issue has been resolved.]
  • Page 166: Errata And Changes In Documentation For Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    This section lists outstanding issues with the software documentation. Enterprise-Specific MIBs and Traps Guides The SRX100, SRX210, SRX220, SRX240, and SRX650 Services Gateways MIB Reference, the SRX1400, SRX3400, and the SRX3600 Services Gateways MIB Reference, and
  • Page 167 TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] Session Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
  • Page 168 IPv6. Please consult the NSM release notes for version compatibility, required schema updates, and up-to-date support information. ALG configuration examples in the Junos OS Security Configuration Guide incorrectly show policy-based NAT configurations. NAT configurations are now rule-based.
  • Page 169 On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions supported is 16,000. The correct information is as follows: The maximum number of IDP sessions supported is 1600 on SRX210 devices, 32,000 on SRX240 devices, and 128,000 on SRX650 devices.
  • Page 170: Errata For The Junos Os Hardware Documentation

    The correct text for Step 2 is as follows: [edit services unified-access-control] user@host# set captive-portal my-captive-portal-policy redirect-url https://192.168.0.100/?target=my%2Dwebsite%2Ecom Errata for the Junos OS Hardware Documentation This section lists outstanding issues with the hardware documentation.
  • Page 171 DC-powered SRX1400 Services Gateways: SRX1400BASE-XGE-DC SRX1400BASE-GE-DC These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models. Fan tray LED table in the “Replacing the Fan Tray on the SRX1400 Services Gateway”...
  • Page 172 DC-powered SRX1400 Services Gateways: SRX1400BASE-GE-DC SRX1400BASE-XGE-DC These models are not available in Junos OS Release 10.4. Contact your Juniper Networks customer service representative for information on these models. In the SRX1400 Services Gateway Getting Started Guide, some of the graphics are shown with grounding lug attached on the front panel of the device.
  • Page 173 In the answer, the sentence "The antenna will have a magnetic mount with ceiling and wall mount kits within the package" is incorrect and redundant.
  • Page 174: Hardware Requirements For Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    SRX Series and J Series interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.
  • Page 175: J Series Compactflash And Memory Requirements

    512 MB 512 MB 2 GB J6350 512 MB 1 GB 2 GB Related New Features in Junos OS Release 10.4 for SRX Series Services Gateways and J Series Documentation Services Routers on page 79
  • Page 176: Maximizing Alg Sessions

    Integrated Convergence Services is no longer supported. The Media-Gateway (MGW) versions of SRX Series low-end devices have been discontinued and are no longer supported. If you have an ICS-supported SKU, please contact Juniper Networks for further guidance.
  • Page 177: Upgrade And Downgrade Instructions For Junos Os Release 10.4 For Srx Series Services Gateways And J Series Services Routers

    This policy remains unchanged. For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html
  • Page 178: Junos Software Release Notes For Ex Series Switches

    —The XRE200 External Routing Engine is used to XRE200 External Routing Engine create a Virtual Chassis composed of Juniper Networks EX8200 Ethernet Switches. A Virtual Chassis is multiple switches connected together that operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis...
  • Page 179: Bridging, Vlans, And Spanning Trees

    J-Web interface support for the 40-port SFP+ line card for EX8200 switches interface support has been added for the 40-port SFP+ line card for EX8200 switches. —You can now specify an egress or ingress rate at sFlow technology enhancements which packets can be sampled.
  • Page 180: Packet Filters

    For releases earlier than Junos OS Release 10.2, EX8200 switches supported a single global rewrite rule assigned to all Layer 2 interfaces and routed VLAN interfaces (RVIs).
  • Page 181: Limitations In Junos Os Release 10.4 For Ex Series Switches

    On EX3200 and EX4200 switches, when interface ranges or VLAN ranges are used in configuring firewall filters, egress firewall filter rules take more than five minutes to install. On EX3200 and EX4200 switches, IGMP packets are not matched by user-configured firewall filters.
  • Page 182: Hardware

    In the J-Web interface, changing the port role from Desktop, Desktop and Phone, or Layer 2 Uplink to another port role might not remove the configurations for enabling dynamic ARP inspection and DHCP snooping.
  • Page 183: Interfaces

    Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 180 Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 184 Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 189
  • Page 184: Outstanding Issues In Junos Os Release 10.4 For Ex Series Switches

    (on the order of 50 or more) of routed VLAN interfaces (RVIs), in some cases, the STP topology might change for a short period of time during the commit process. [PR/564689]
  • Page 185: Ethernet Switching

    Layer 3 domain when another line card that is on the same switch and is connected to a Layer 2 domain is taken offline. [PR/548225]
  • Page 186: Interfaces

    When you use the Microsoft Internet Explorer browser to open a report from the following pages in the J-Web interface, the report opens in the same browser session: Files page (Maintain > Files) History page (Maintain > Config Management > History)
  • Page 187 J-Web interface, the error message “Internet Explorer was not able to open the Internet site” is displayed: Files page (Maintain > Files) History page (Maintain > Config Management > History)
  • Page 188: Spanning Tree Protocols

    Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 189 Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 191 Upgrade and Downgrade Instructions for Junos OS Release 10.4 for EX Series Switches on page 191
  • Page 189: Resolved Issues In Junos Os Release 10.4 For Ex Series Switches

    [PR/551739: This issue has been resolved.] Interfaces In an EX4200 Virtual Chassis, on consecutive reboots of the master switch, the peer device connected to the EX4200 switch over Link Aggregation Control Protocol (LACP)
  • Page 190: J-Web Interface

    New Features in Junos OS Release 10.4 for EX Series Switches on page 178 Documentation Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 180 Limitations in Junos OS Release 10.4 for EX Series Switches on page 181
  • Page 191: Switches

    You can use this procedure to upgrade Junos OS on an EX Series switch with a single Routing Engine, including an individual member of an EX4200 Virtual Chassis or all members of an EX4200 Virtual Chassis or an EX8200 switch using a single Routing
  • Page 192 Reboot to start the new software: user@switch> request system reboot After the reboot has completed, log in and verify that the new version of the software is properly installed: user@switch> show version
  • Page 193: Upgrade Policy For Junos Os Extended End-Of-Life Releases

    New Features in Junos OS Release 10.4 for EX Series Switches on page 178 Documentation Changes in Default Behavior and Syntax in Junos OS Release 10.4 for EX Series Switches on page 180 Limitations in Junos OS Release 10.4 for EX Series Switches on page 181
  • Page 194 Outstanding Issues in Junos OS Release 10.4 for EX Series Switches on page 184 Resolved Issues in Junos OS Release 10.4 for EX Series Switches on page 189 Errata in Documentation for Junos OS Release 10.4 for EX Series Switches on page 191
  • Page 195: Junos Os Documentation And Release Notes

    Juniper Networks website at http://www.juniper.net/techpubs/ Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices.
  • Page 196 CLI before contacting support: user@host> request support information | save filename To provide a core file to Juniper Networks for analysis, compress the file with the gzip utility, rename the file to include your company name, and copy it to .
  • Page 197: Revision History

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
