JUNOSe 7.0.4 Release Notes > Release 7.0.4 > Known Behavior

Known Behavior

This section briefly describes E-series router behavior and related issues. In some cases the behavior differs from non-E-series implementations; in others the behavior is included to emphasize how the router works.

AAA

• The JUNOSe software does not support accounting for ATM 1483 subscribers. The atm1483 keyword for the aaa accounting default command is present in the CLI, but it is not supported.

BGP

• When a routing policy changes, you can use the clear ip bgp and clear bgp ipv6 commands to clear the current BGP session and implement the new policy. Because clearing a BGP session (a hard clear) can create a major disruption in the network operation, you can use the soft in and soft out options of the command (a soft clear) to activate policies without disrupting the BGP session.

Resetting the BGP connection is slightly different when you change outbound policies for peer groups for which you have enabled Adj-RIBs-Out. You cannot merely perform a hard clear or outbound soft clear for individual peer group members because that causes BGP to resend only the contents of the Adj-RIBs-Out table. If you change the outbound policy for such a peer group and want to fill the Adj-RIBs-Out table for that peer group with the results of the new policy, you must use the clear ip bgp peer-group command to perform a hard clear or outbound soft clear of the peer group.

• The E-series router does not include the link-local IPv6 address in the next-hop field of an MP-BGP update message carrying IPv6 routing information over IPv4 transport. This behavior is compliant with RFC 2545 but might have interoperability issues with other implementations that depend on a link-local IPv6 address in the next-hop field on a directly connected external BGP peering.

Work-around: Enable EBGP multihop configuration on the remote (non-Juniper Networks) peer.

• The following message might be displayed under certain conditions:

bgpConnections (default,0.0.0.0): TCP error code xx (...) occurred while accepting 
inbound TCP connection 

The message is generated when an unconfigured peer attempts to establish a TCP session with an E-series router and a valid route to the source address of the peer is absent from the router's routing table.

If a valid route exists in the routing table, the following message is displayed when an unconfigured peer attempts to establish a TCP session with an E-series router; X.X.X.X is the source address of the unconfigured peer:

NOTICE 08/29/2001 16:50:11 bgpConnections (default,X.X.X.X): Inbound 
connection refused - no peer X.X.X.X configured in core

BGP/MPLS VPNs

• NAT does not function properly with secondary routing table lookup (fallback global) or global export mapping on the VRF.

B-RAS

• Pool groups are not supported; although the ip local pool group command appears in the CLI, it is not supported.

Bulkstats

• When you use the bulkstats interface-type command, you cannot use an interface location string longer than 10 characters.
• With subinterfaces, such as ATM1483, IP, PPP, or Frame Relay, you cannot restrict the statistics to those of a specific subinterface. Although you can configure a specific subinterface as a location, bulkstats collects all subinterfaces that are configured in that port.
• Defining all interface types before you map a collector to the if-stats schema ensures that you display statistics for all configured interfaces in the first interval.

CLI

• When you issue the reload command on an ERX-310 router, the command might display a warning message that erroneously indicates that a synchronizing operation will be performed. Any references to synchronization that appear in command output or system messages do not apply to the ERX-310 router, which does not support SRP module redundancy. [Defect ID 47563]
• The following commands have been deprecated in the JUNOSe software and might be removed completely in a future release. If a command has been deprecated for only a particular command mode, the table specifies any modes for which it is still available.
  

  Deprecated Command	Command Mode	Preferred Command
  classifier-list	Global Configuration	ip classifier-list
  color	Policy List Configuration	color in Classifier Group Configuration mode
  description	Interface Configuration Still available in Controller Configuration and VRF Configuration modes	ip description
  filter	Policy List Configuration	filter in Classifier Group Configuration mode
  forward next-hop	Policy List Configuration	forward next-hop in Classifier Group Configuration mode
  forward next-interface	Policy List Configuration	forward next-interface in Classifier Group Configuration mode
  hostname	Domain Map Tunnel Configuration Still available in Global Configuration mode	client-name
  [ no ] ike crl	Global Configuration	[ no ] ipsec crl
  [ no ] ip inspect strict	Global Configuration	Use stateful firewall commands ip inspect [ keyword ]
  ip mirror	Global Configuration	ip policy secure-input and ip policy secure-output
  ip policy local-input	Interface Configuration, Profile Configuration	None
  [ no ] ipsec isakmp-policy rule	Global Configuration	[ no ] ipsec ike-policy-rule
  ipv6 policy local-input	Interface Configuration, Profile Configuration	None
  license l2tp-session	Global Configuration	None
  log	Policy List Configuration	log in Classifier Group Configuration mode
  loopback	Domain Map Configuration Still available in Controller Configuration and Interface Configuration modes	local-interface
  mark	Policy List Configuration	mark in Classifier Group Configuration mode
  mark-de	Policy List Configuration	mark-de in Classifier Group Configuration mode
  mark-exp	Policy List Configuration	mark-exp in Classifier Group Configuration mode
  mark-user-priority	Policy List Configuration	mark-user-priority in Classifier Group Configuration mode
  [ no ] next-hop	Policy List Configuration	forward next-hop in Classifier Group Configuration mode
  [ no ] next-interface	Policy List Configuration	forward next-interface in Classifier Group Configuration mode
  no ospf enable	Router Configuration	ospf shutdown
  policy-list	Global Configuration	ip policy-list
  radius disconnect client	Global Configuration The Radius Disconnect Configuration mode has been removed from the CLI.	subscriber disconnect
  rate-limit-profile	Policy List Configuration	rate-limit-profile in Classifier Group Configuration mode
  show ike certificates	User Exec, Privileged Exec	show ipsec certificates
  show ike configuration	User Exec, Privileged Exec	show ipsec ike-configuration
  show ike identity	User Exec, Privileged Exec	show ipsec identity
  show ike policy-rule	User Exec, Privileged Exec	show ipsec ike-policy-rule
  show ike sa	User Exec, Privileged Exec	show ipsec ike-sa
  show ip mirror interface	Privileged Exec	show secure policy-list
  show license l2tp-session	User Exec, Privileged Exec	None
  t1 lineCoding	Controller Configuration	None. This command never had any effect.
  traffic-class	Policy List Configuration	traffic-class in Classifier Group Configuration mode
  tunnel mpls label-dist	Interface Configuration, Tunnel Profile Configuration	None
  user-packet-class	Policy List Configuration	user-packet-class in Classifier Group Configuration mode
  virtual-router	Domain Map Configuration Still available in Privileged Exec and Global Configuration modes	router-name

  
  

The router displays a notice when you issue the command manually. If the command is in a script, the router automatically maps the deprecated command to the preferred command. If the deprecated command no longer has a function, then that command has no effect when you run a script containing the command.

• The show configuration command normally takes a long time to finish for extremely large configurations. If you specify a search string (with the begin, exclude, or include options) with the command for a string that is not present in the configuration, then the CLI session appears to be busy for a prolonged period. The CLI filtering feature for show commands does not speed up execution of the command.

DHCP

• ARP Spoof Checking and DHCP Relay Configuration

The Address Resolution Protocol (ARP) performs spoof checking on all incoming ARP requests by default. For each incoming packet, ARP does a route lookup on the source IP address to determine the interface on which that IP address was routed. ARP then verifies that the interface on which the packet was received matches the routed interface. If the interface on which the packet was received does not match the routed interface, the router drops the packet.

When you configure applications such as DHCP relay that automatically install routes, you must ensure that the routes are correctly installed for your configuration. DHCP relay installs host routes by default, which is required in certain configurations to enable address renewals from the DHCP server to work properly. However, the default installation of host routes might cause a conflict when you configure DHCP relay with static subscriber interfaces.

For example, to configure multiple subscribers over a particular static subscriber interface (ip53001 in this example), you might use commands similar to the following to create demultiplexer table entries and a subnet route that points to the static subscriber interface.

1. Create a shared IP interface.

host1(config)#interface ip ip53001

2. Associate the shared IP interface with a static layer 2 interface.

host1(config-if)#ip share-interface gigabitEthernet 1/0

3. Make the shared interface an unnumbered interface.

host1(config-if)#ip unnumbered loopback 53

4. Specify the source addresses that the subscriber interface uses to demultiplex traffic.

host1(config-if)#ip source-prefix 10.10.10.0 255.255.255.252

5. Exit Interface Configuration mode.

host1(config-if)#exit

6. Create a static route that sends traffic for destination address 10.10.10.0 to subscriber interface ip53001.

host1(config)#ip route 10.10.10.0 255.255.255.252 ip53001

DHCP relay installs host routes for clients by default. In this example, the host routes are associated with the primary IP interface on Gigabit Ethernet 1/0. Because the host routes in this example are statically configured with the subscriber interface, there is no need for the router to install DHCP host routes. Unless you prevent DHCP relay from installing host routes by issuing the set dhcp relay inhibit-access-route-creation command, a configuration similar to this example can result in a conflict that causes undesirable ARP behavior.

Specifically, the ARP spoof-checking mechanism associates the ARP traffic with the primary IP interface (Gigabit Ethernet 1/0), although packets actually arrive on the subscriber interface (ip53001). The resulting behavior causes the router to detect a spoof and drop the packet.

To avoid these configuration conflicts, use the set dhcp relay inhibit-access-route-creation command to prevent DHCP relay from installing host routes by default.

• You cannot configure both the DHCP local server and either the DHCP external server application or the DHCP relay in the same virtual router.

Dynamic Interfaces

• Dynamic IPv6 interfaces over static PPP interfaces are not supported.

Ethernet

• When counting bits per second on a Fast Ethernet or Gigabit Ethernet interface, an E-series router includes 12 bytes for interpacket gap, 7 bytes for preamble, and 1 byte for start frame delimiter, for a total of 20 bytes (160 bits) per packet more than some non-E-series routers. This value therefore shows the total bandwidth utilization on the interface, including both data and overhead.
• Transparent bridge forwarding performance is less than IP forwarding performance on the GE-2 line module or the GE-HDE line module when it is installed in a high-speed slot. To bridge unicast known-DA packets at line rate on 2-Gbps ports, the minimum packet size must be at least 256 bytes.

When installed in the ERX-1440 router, the GE-2 module delivers full bandwidth of 2 GB per port only when installed in slot 2 or slot 4, and when the SRP-40G+ module is used in the router. When installed in any other ERX-1440 slot, the GE-2 module delivers a maximum bandwidth of 2 GB per line module (1 GB maximum at the ingress and 1 GB maximum at the egress). Therefore, of the maximum 24 possible ports for the module in an ERX-1440 chassis (that is, two ports in each of 12 slots), full bandwidth is delivered only on a maximum of four ports (those in slots 2 and 4).

When installed in the ERX-1440 router, the GE-HDE line module delivers full bandwidth of 4 GB per line module (2 GB at the ingress and 2 GB at the egress) only when installed in slot 2 or slot 4, and when the SRP-40G+ module is used in the router. When installed in any other ERX-1440 slot, the GE-HDE module delivers a maximum bandwidth of 2 GB per line module (1 GB maximum at the ingress and 1 GB maximum at the egress). Therefore, of the maximum 96 possible ports for the module in an ERX-1440 chassis (that is, 8 ports in each of 12 slots), full bandwidth is delivered only on a maximum of 16 ports (those in slots 2 and 4).

When the GE-2 line module or the GE-HDE line module is installed in either the ERX-1440 router or the ERX-310 router and both ports are active, line rate performance is achieved only with packets that are 174 bytes or larger. The line module might not achieve line rate with packets that are smaller than 174 bytes.

Flash

• Flash cards manufactured by Wintec are present on some currently deployed routers. When you upgrade the JUNOSe software on such routers, the firmware on the flash card controller is automatically updated during diagnostics. During this reboot, the software runs an integrity check on the file system to verify that the firmware update did not corrupt the contents of the flash card. This integrity check is an expected side effect of the enhanced firmware available in this release. The integrity check does not indicate a problem with the flash card or its contents.

GRE

• When you shut down the only outgoing IP interface to the IP destinations of GRE/IP tunnels, the tunnels remain in the up state rather than transitioning to down. As a consequence, all IP routes that use these tunnels as next hops also remain in the routing table.

Hardware

• PCMCIA NVS Card Warning
  

  CAUTION: Before you insert or remove PCMCIA NVS (flash) cards from a running router, we strongly recommend that you halt the SRP module or shut down the router. Failure to do this can result in file corruption in one or both cards.

  
  
• The 4XOC3 APS MULTIMODE and 4XOC3 APS SINGLE MODE I/O modules are incompatible with the following versions of the OCx/STMx ATM and OCx/STMx POS line modules:

• OCx/STMx ATM line modules with assembly numbers 350-00039-xx, 350-80039-xx, and 350-90039-xx
• OCx/STMx POS line modules with assembly number 350-10039-xx

• When you configure 1:5 line module redundancy by using either the 4XOC3 APS MULTIMODE or 4XOC3 APS SINGLE MODE I/O module, the spare R-Mid OCX I/O module you install must have assembly number 350-00094-01 Rev. A01 or later. Spare R-Mid OCX I/O modules with an earlier assembly number are not supported for 1:5 redundancy configurations that use either the 4XOC3 APS MULTIMODE or 4XOC3 APS SINGLE MODE I/O module.
• There is a very small chance that some line modules can have an improperly modified keying block that prevents the module from proper seating in the top slot of an older ERX-7xx chassis or a preproduction ERX-310 chassis. For example, this problem has been observed for an OCx/STMx module in slot 2 of an early-test ERX-310 chassis.

Work-around: Remove the keying block to insert the module into the top slot, or insert the module into a different slot.

• Because the FE-2 line module connects directly to its I/O module rather than to a midplane, installing one module can unseat the other module.

Work-around: Ensure that the screws fastening the I/O module to the chassis are tight to prevent separation between the modules and a resulting poor connection.

HDLC

• By design, on certain modules (CT3, CT3/T3, and cOC12/STM4) you cannot delete a serial interface while data for the interface is still enqueued. The enqueued data can drain only when the interface is operationally up. Therefore you must ensure that the interface is operationally up before you delete it. For example, if you have issued the shutdown command for the interface before you try to delete the interface, issue the no shutdown command, then delete the interface.

IP

• If you have enabled ipInterface logging at a priority of debug, the acknowledgment that an interface has been deleted from the line modules can return to the SRP module after the layers beneath IP have deleted their interfaces. Consequently, the original name of the interface cannot be resolved or displayed in the log, and the system instead displays the ifIndex of the IP interface. This behavior has no functional effect other than that the log is misleading. However, previous log events indicate that the interface deletion was beginning.
• When you want to use a configuration script to configure IP shared interfaces that reference a physical interface, you must issue the service show configuration format 2 command before you generate the script. If the default show configuration format (format 1) is enabled instead, the generated script cannot properly configure the IP shared interfaces because they are created before the physical interfaces. To properly configure the shared interfaces in this event, run the generated format 1 script twice.
• ASIC line modules can accommodate routing tables of up to 2M entries. Non-ASIC line modules are limited to 100K entries (although more routes can still work because a routing table of up to 1M entries can be compressed to 100K or fewer nonconsecutive routes). See ERX Module Guide, Chapter 1, Module Combinations, for information about which modules are ASIC and which are non-ASIC.
• When you issue the show ip forwarding-table command for a particular slot, it is normal and appropriate behavior when the Status field indicates Valid while the Load Errors field is increasing daily for that VR. The Load Errors field records any failed routing table distribution attempt as an error. Attempts can fail for many reasons during normal operation; a failed attempt does not necessarily indicate a problem. It is normal to see many load errors per day. If the Status field indicates Invalid, then the routing table distribution has failed constantly for that VR and a real problem exists. You might occasionally see a status of Updating. However, if the Status field always indicates Updating, then again the routing table distribution has failed constantly for that VR, and a real problem exists.
• The enhancement to the CLI to support unnumbered reference to any kind of interface rather than just loopback interfaces has consequences such as the following: [Defect ID 47743]

• If the references to shared interfaces appear in the show configuration output before the configuration for the interfaces they refer to, trying to restore such a configuration with a script generated from show configuration generates errors like the following:

% Error, line 3929:

host1(config-if)#ip share-interface FastEthernet 3/0.2

% No such interface

• Unnumbered interfaces that refer to nonloopback interfaces (for example, ip unnumbered fastEthernet 3/0.2) and that appear in the show configuration output before the interface referred to might generate similar no such interface errors.

Work-around: Run the script twice.

IPSec

• When you shut down the only outgoing IP interface to the IP destinations of IPSec tunnels, the tunnels remain in the up state rather than transitioning to down. As a consequence, all IP routes that use these tunnels as next hops also remain in the routing table. You can use DPD to avoid this situation. DPD must be active, which requires both IPSec tunnel endpoints to support DPD.

IS-IS

• When IS-IS is configured on a static PPP interface, the IS-IS neighbor does not come up if you remove the IP address from the interface and then add the IP address back to the interface.

Work-around: When you remove and add back the IP address, you must also remove the IS-IS configuration from the interface and then add the configuration back to the interface by issuing the no router isis and router isis commands.

L2TP

• NAT dynamic translation generation affects the LNS session creation time. When NAT dynamic translations and LNS sessions are created simultaneously, NAT dominates the TSM CPU cycles, resulting in a delay in the LNS session creation rate. The LNS session creation rate returns to its normal rate when NAT dynamic translations are no longer being generated. [Defect ID 53191]

Work-around: When signaling performance must be optimal, avoid the simultaneous configuration of NAT and LNS.

• If you create an L2TP destination profile profileName, establish tunnels with the profile, and then remove the profile, you cannot subsequently create another destination profile using that same profileName until all the tunnels drain from the previous instance of this destination profile. If you do not wait, the E-series router displays a message similar to the following:

l2tp: Discarding incoming sccrq from vr default, remote address 192.168.100.1 - 
no destination profile.

If you do not want to wait for the tunnels to drain, use a different name for the destination profile. [Defect ID 32973]

Line Module Redundancy

• On E320 routers, redundant IOAs have a temperature sensor, and the show environment all command lists the temperature of IOAs in their associated slots.

On E-series routers other than the E320 router, redundant IOAs do not have a temperature sensor. Therefore, the show environment all command output lists the primary IOA temperature in the slot of the line module that is responsible for the IOA.

• When you install an ES2-S1 Redundancy IOA with a hardware revision number of -02 or less in slot 0 or slot 11 of the E320 router, do not install an OCx/STMx ATM IOA or an OCx/STMx POS IOA in the lower adapter bay of slot 1 or slot 12. When the spare line module is controlling another slot and you revert back to the primary line module, the ATM or POS IOAs can become unusable or cause the line module to reset. [Defect ID 69760]

Work-around: This problem is not present for ES2-S1 Redundancy IOAs with a hardware revision number of -03 or higher.

MLPPP

• Do not configure both MLPPP fragmentation (with the ppp fragmentation command) and IP fragmentation of L2TP packets (with the ip mtu command) on the same interface. Instead, you must choose only one of the fragmentation configurations by setting it to the necessary value and set the other fragmentation configuration to the maximum allowable value.
• If you want to run MLPPP over L2TP, you must have at least one SM or TSM in the chassis. MLPPP over L2TP is not supported on a GE-2 module.

MPLS

• An E-series router does not support multiple FEC elements in a single label-mapping message, which is the default behavior for Juniper Networks M-series routers. When communicating with an M-series router that uses the default setting, an E-series router might display the following error message:

ERROR 04/09/2003 19:46:00 mplsGeneral (default): 
LDPGetFecElemsFromTlv:too many FEC Elements in TLV. Maximum number 
supported is 1.

Work-around: Use the set protocol ldp deaggregate command on the M-series router to specify that the router not include multiple FEC elements in a single label mapping.

• The aal5autoconfig, aal5mux ip, and aal5snap encapsulation keywords are not currently supported when you create a PVC for an ATM layer 2 services over MPLS configuration. Use either the aal5all encapsulation keyword or the aal0 encapsulation keyword for ATM layer 2 services over MPLS configurations.

Policy Management

• Traffic shaping is not supported on non-ASIC modules. For information about which modules are ASIC or non-ASIC, see ERX Module Guide, Chapter 1, Module Combinations.
• Multiple Forwarding Solution Rules for a Single Classifier List in a Policy

Before Release 5.2.0, it was possible to configure a policy with multiple rules that specified forwarding solutions where all of these rules were associated with a single classifier list. This typically was a configuration error, but the CLI accepted it. Beginning with Release 5.2.0, the CLI no longer accepts this configuration.

• Multiple forwarding rules behavior before Release 5.2.0:

• If multiple forward or filter rules were configured to reference the same classifier list in a single policy, then all rules except the first rule configured were marked as eclipsed in the show policy command display. Next-interface and next-hop rules were treated in the same manner. The eclipsed rules were not applied.
• If a policy were configured with one rule from the [forward, filter] pair and one rule from the [next-hop, next-interface] pair, and if both rules referenced the same classifier list, then no visible eclipsed marking occurred. However, these two rules were mutually exclusive, and only one of them defined the forwarding behavior. The rule action that was applied was in the order (from highest to lowest preference): next interface, filter, next hop, forward. The applied rule was the rule whose behavior was seen by forwarded packets.

For example, if a policy had both a next-interface and a filter rule, then the next interface was applied. If a policy had a next-hop and a filter rule, then the filter rule was applied.

• Multiple forwarding rules behavior for Release 5.2.0 and later:

Beginning with Release 5.2.0, the multiple rules behavior is designed so that when a forwarding solution conflict occurs within a policy, such as those described earlier, the second forwarding solution overwrites the preceding solution. That is, the last forwarding rule configured for the given classifier list within a policy is the forwarding behavior that is used. Also, a warning message is now displayed when this type of conflict occurs.

Example 1—In this example, the filter rule action overwrites the forward 
rule, and is therefore applied. 

host1(config)#policy-list wstPolicyList

host1(config-policy-list)#forward classifier-group svaleClacl1

host1(config-policy-list)#filter classifier-group svaleClacl1

WARNING: This rule has replaced a previously configured rule.

host1(config-policy-list)#exit

host1(config)#

Example 2—In this example, three forwarding solution conflicts result in 
rules being overwritten. The filter rule is the last rule configured, and is 
therefore applied.

host1(config)#policy-list bostTwo

host1(config-policy-list)#forward classifier-group clacl5

host1(config-policy-list)#next-hop 1.1.1.1 classifier-group clacl5

WARNING: This rule has replaced a previously configured rule.

host1(config-policy-list)#next-interface atm 1/0.0 classifier-group clacl5

WARNING: This rule has replaced a previously configured rule.

host1(config-policy-list)#filter classifier-group clacl5

WARNING: This rule has replaced a previously configured rule.

host1(config-policy-list)#exit

host1(config)#

 NOTE: When you upgrade the nonvolatile memory to Release 5.2.0 or later, the upgrade removes eclipsed rules and rules whose behavior was not applied in the previous release. This removal ensures that the postupgrade forwarding behavior is the same as the preupgrade behavior.
 NOTE: If you upgrade to Release 5.2.0 or later and then configure your router using a script generated before Release 5.2.0, the postupgrade and preupgrade forwarding behaviors might not be the same. The new Release 5.2.0 configuration behavior is applied—the last policy rule configured for a given classifier list that specifies a forwarding behavior is the only rule remaining.



 

POS

• The default behavior for POS interfaces was changed at Release 3.2.2 to conform with RFC 2615 so that payload scrambling (pos scramble-atm) is enabled by default; in earlier versions it was disabled by default. When you upgrade from a release numbered lower than Release 3.2.2 to Release 3.2.2 or higher, POS links that were configured in the lower release do not come up. You must manually change the configuration on either side of the link.

PPP

• The GE-2 line module does not support dynamic IP interfaces over static PPP interfaces when the PPPoE subinterface is also static. The OC3/STM1 GE/FE line module does not support dynamic IP interfaces over static PPP interfaces when the ATM interface column is also static.
• Accounting Statistics for Terminated and Tunneled PPP Sessions

For terminated PPP sessions, the JUNOSe software begins the collection of accounting statistics following, but not including, authentication acknowledgement from the E-series router. The acknowledgment is either a CHAP success or PAP acknowledgement packet. All subsequent traffic is counted up to the point that PPP at the router terminates the subscriber's session. PPP session termination can be initiated through a number of mechanisms: PPP shutdown at the client or router interface, subscriber logout at the router (by means of the logout subscriber command), lower layer down events, and silent client termination.

Accounting statistics reported in RADIUS octet counts (Acct-Input-Octets and Acct-Output-Octets) for terminated PPP customers include the following data:

• All upper layer control traffic, including IPCP, IPCPv6, OSICP, and MPLSNCP
• All data traffic, including IP, IPv6, MPLS, and OSI
• All PPP LCP echo requests and responses following authentication
• Other PPP LCP packets following the PAP or CHAP acknowledgment
• Retransmits of the PAP or CHAP traffic

Accounting statistics reported in RADIUS octet counts (Acct-Input-Octets and Acct-Output-Octets) for terminated PPP customers exclude the following data:

• PPP traffic prior to completion of authentication
• PPP LCP terminate-request or terminate-acknowledgement packets
• PPPoE padding for PPP control and data packets

Accounting statistics reported in RADIUS packet counts (Acct-Input-Packets and Acct-Output-Packets) for terminated PPP customers are based on packets delivered to or received from the upper transport layer: IP, IPv6, MPLS, and OSI.

For tunneled subscribers at the L2TP LAC, the JUNOSe software counts the payload that PPP passes to or receives from L2TP for transport. At this stage in the protocol processing, any padding outside PPP, such as that for PPPoE, has been removed. Accounting includes the authentication acknowledgement packet, CHAP success packets, and PAP acknowledgment packets. Accounting ends when L2TP has been notified to terminate the session. Termination of a tunneled session can result from PPP termination, L2TP shutdown, subscriber logout, or lower layer down events. When the session is terminated through PPP, the software counts both the PPP terminate-request and the PPP terminate-acknowledgement packets.

Accounting statistics reported in RADIUS octet counts (Acct-Input-Octets and Acct-Output-Octets) for tunneled PPP customers at the L2TP LAC include the following data:

• All upper layer control traffic, including IPCP, IPCPv6, OSICP, and MPLSNCP
• All data traffic, including IP, IPv6, MPLS, and OSI
• PPP PAP or CHAP acknowledgments, and also retransmission of PAP or CHAP that take place after the session is active (even when proxy authentication is accepted)
• All PPP PAP or CHAP negotiations in the case where proxy authentication is disabled or required to renegotiate at the LNS
• All LCP traffic when proxy LCP is disabled or required to renegotiate at the LNS
• All PPP LCP echo requests and their responses
• PPP LCP terminate-request or terminate-acknowledgement packets from the client or LNS when PPP initiates termination of the session
• If present, the two PPP header bytes (Address Field 0xFF and Control Field 0x03) as part of the L2TP payload

Accounting statistics reported in RADIUS octet counts (Acct-Input-Octets and Acct-Output-Octets) for tunneled PPP customers at the L2TP LAC exclude the following data:

• LCP when Proxy LCP is enabled and accepted at the LNS
• Initial PPP PAP request
• Initial PPP CHAP challenge and response

Accounting statistics reported in RADIUS packet counts (Acct-Input-Packets and Acct-Output-Packets) for tunneled PPP customers at the L2TP LAC are based on packets delivered to or received from the L2TP session. These statistics exclude L2TP control traffic and L2TP hello messages.

QoS

• On ERX-310, ERX-7xx, and ERX-14xx routers, the qos-mode-port command supports configuration of only ATM port zero interfaces. If you upgrade from an earlier release in which you had configured QoS port mode on nonzero ports, you must access Interface Configuration mode for each of those ports and issue the no qos-mode-port command to remove the unsupported configuration.

SNMP

• SNMP MIBs

Information about all the SNMP MIBs (both standard and proprietary) that the router supports in this release is available in the MIBs folder on the JUNOSe Software CD.

• Some Juniper Networks SNMPv1-formatted traps contain an incorrect object identifier (OID) in the SNMPv1-Trap-PDU enterprise field. An SNMPv2 trap is typically identified by an OID that ends in the form ...x.y.z.0.n. This OID appears, in full, as the value of the snmpTrapOID.0 object in the varbind list of an SNMPv2-formatted trap. In the corresponding SNMPv1-formatted trap, this OID is broken down into subcomponents that fill the SNMPv1-Trap-PDU enterprise field (...x.y.z) and specific trap number field (n); the zero is unused.

The SNMPv1-formatted versions of the following Juniper Networks traps incorrectly contain ...x.y.z.0 in the SNMPv1-Trap-PDU enterprise field. That is, a zero is mistakenly appended to the correct enterprise OID value.

 Trap Name
 Expected Enterprise OID
 Enterprise OID Sent by SNMP Agent

 junidApsEventSwitchover

 .1.3.6.1.4.1.4874.3.2.2.1.2

 .1.3.6.1.4.1.4874.3.2.2.1.2.0


 junidApsEventModeMismatch

 .1.3.6.1.4.1.4874.3.2.2.1.2

 .1.3.6.1.4.1.4874.3.2.2.1.2.0


 junidApsEventChannelMismatch

 .1.3.6.1.4.1.4874.3.2.2.1.2

 .1.3.6.1.4.1.4874.3.2.2.1.2.0


 junidApsEventPSBF

 .1.3.6.1.4.1.4874.3.2.2.1.2

 .1.3.6.1.4.1.4874.3.2.2.1.2.0


 junidApsEventFEPLF

 .1.3.6.1.4.1.4874.3.2.2.1.2

 .1.3.6.1.4.1.4874.3.2.2.1.2.0


 juniAddressPoolHighAddrUtil

 .1.3.6.1.4.1.4874.2.2.21.3

 .1.3.6.1.4.1.4874.2.2.21.3.0


 juniAddressPoolAbatedAddrUtil

 .1.3.6.1.4.1.4874.2.2.21.3

 .1.3.6.1.4.1.4874.2.2.21.3.0


 juniAddressPoolNoAddresses

 .1.3.6.1.4.1.4874.2.2.21.3

 .1.3.6.1.4.1.4874.2.2.21.3.0


 juniDhcpLocalServerPoolHighAddrUtil

 .1.3.6.1.4.1.4874.2.2.22.3

 .1.3.6.1.4.1.4874.2.2.22.3.0


 juniDhcpLocalServerPoolAbatedAddrUtil

 .1.3.6.1.4.1.4874.2.2.22.3

 .1.3.6.1.4.1.4874.2.2.22.3.0


 juniDhcpLocalServerPoolNoAddresses

 .1.3.6.1.4.1.4874.2.2.22.3

 .1.3.6.1.4.1.4874.2.2.22.3.0


 pimNeighborLoss

 .1.3.6.1.3.61.1

 .1.3.6.1.3.61.1.0



 

Work-around: Use the OIDs that the SNMP agent sends.

SRP Module Redundancy

• On a router with redundant SRP modules, you can specify the configuration that both the primary and redundant modules load in the event of a reload or switchover. A switchover can result from an error on the primary SRP module or from an srp switch command. The following behavior takes place only in the event of a cold restart; it does not take place in the event of a warm restart.

When you arm a configuration (.cnf) file by issuing the boot config cnfFilename command, a subsequent SRP switchover causes the redundant SRP module to take the role of primary SRP module with the configuration specified by the .cnf file. The new primary SRP module does not use the running configuration.

If you want the redundant SRP module to instead use the running configuration when it assumes the primary role, then you must first arm a configuration file with the boot config cnfFilename once command. To exhaust the once option, you must then cause the redundant SRP module to reload for some reason, such as by issuing a reload command or by arming a new JUNOSe release or a hotfix file.

When a switchover subsequently occurs, the redundant SRP module reloads with the running configuration and takes the primary role.

Stateful SRP Switchover (High Availability)

• Additional processing is required to maintain and mirror the necessary state information that enables subscriber sessions to stay up across an SRP failover. As a result, the performance of other control plane functions is reduced. Specifically, call setup rates are lower than in previous releases.
  

  NOTE: Rapid call setup rates are most important following an outage that causes all subscribers to drop, because many of the dropped subscribers will immediately attempt to reconnect. This type of outage occurs far less frequently with stateful SRP switchover.

  
  

We have ongoing development activities to characterize and improve call setup rates in future releases.

• High availability remains inactive for 20 minutes after an initial cold-start or cold-restart of the router. This delay enables the system to reach a stable configuration before starting high availability.

If you want to override the 20-minute timer, turn high availability off by using the mode file-system-synchronization command, and then on again by using the mode high-availability command.

Subscriber Interfaces

• DHCP relay installs host routes by default, which is required in certain configurations to enable address renewals from the DHCP server to work properly. However, the default installation of host routes might cause a conflict when you configure DHCP relay with static subscriber interfaces.

For details about the cause of this conflict and the work-around for it, see ARP Spoof Checking and DHCP Relay Configuration.

System

• ERX routers and E320 routers display different behavior when reporting modules as inactive.

ERX routers report a module as inactive when either:

• The I/O module is not present
• The primary line module is fully booted and ready to resume operation. In this case, the standby is currently providing services.

E320 routers report a module as inactive when either:

• The primary line module has no IOAs.
• The primary line module has IOAs, but they have failed diagnostics.
• The standby line module has taken over for the primary line module, and has control of the IOAs.

Because the E320 router can accommodate up to two IOAs per slot, at least one IOA must be online. If the second IOA fails, the line module is still online, but does not use both IOAs. You can ensure that every module is up and active in the system and not in a failed state by issuing the show version all command.

• In a router with a redundancy group that does not span quadrants (for example, a three-slot redundancy group that spans slots 0, 1, and 2 in a 14-slot chassis), the potential bandwidth of the redundant module is erroneously included in the quadrant bandwidth calculation. The show utilization command might indicate that the bandwidth is exceeded for modules in that group. [Defect ID 31034]
• When you copy the running configuration to NVS, the E-series router verifies whether it has available space equal to at least twice the size of the .cnf file. If the space is insufficient, you cannot complete the copy. [Defect ID 40655]

Work-around: Make sufficient space on the NVS by deleting .rel or .cnf files.

• If you upgrade the system software on a router with redundant SRP modules, the secondary SRP module does not run the new software until it reboots. If, before it is booted, you issue the srp switch command or the primary SRP module fails, the secondary SRP module runs with the old release when it takes control.
• The show version command displays how long the router has been running; it does not reflect the uptime of a particular SRP module.
• You cannot delete the ipInterface log after you delete the corresponding IP interface. This does not prevent you from adding filters to other interfaces, nor does it prevent you from adding a filter to the same interface if you recreate it after deletion. [Defect ID 34842/45063]

Work-around: Remove the filter before you remove the interface. Alternatively, if you remove the interface first, then you must remove all filters associated with all IP interfaces.

System Logging

• If you enable engineering logs and set the control network logs to a level of notice or lower (down from the default of error), you might see erroneous controlNetwork log messages like the following that are generated because SNMP polling on line modules (correctly) detects no fabric: [Defect ID 43168]

NOTICE 09/01/2002 18:47:52 CEST controlNetwork (slot 11): Control Bus 
Master slave error 0x5 while accessing slot