
Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 15.1F6 for the MX Series and T Series.

General Routing

  • Modified output of the clear services sessions | display xml command (MX Series)—In Junos OS Release 14.1X55-D30, the output of the clear services sessions | display xml command is modified to include the <sess-marked-for-deletion> tag instead of the <sess-removed> tag. In releases before Junos OS Release 14.1X55-D30, the output of this command includes the <sess-removed> tag. The replacement of the <sess-removed> tag with the <sess-marked-for-deletion> tag aims at establishing consistency with the output of the clear services sessions command that includes the field Sessions marked for deletion.

Interfaces and Chassis

  • Support for fabric self-pings and Packet Forwarding Engine liveness in single-chassis systems (T Series)—In Junos OS Release 15.1F6, T Series single-chassis systems support the fabric self-ping and Packet Forwarding Engine liveness mechanisms to detect fabric degradation and avoid a traffic black hole. If any error is detected by these two mechanisms, the fabric manager raises a fabric degraded alarm and initiates recovery by restarting the FPC. In a single-chassis system, FPC restart is enabled by default, unlike in a multichassis system where FPC restart is disabled by default.
  • Support for automatic enabling of flow control for MACsec (MX Series)—Starting in Junos OS Release 15.1F6, when Media Access Control Security (MACsec) is enabled on an interface, the interface flow control capability is enabled by default, regardless of the configuration that you set using the (flow-control | no-flow-control) statement at the [edit interfaces interface-name gigether-options] hierarchy level. When MACsec is disabled, interface flow control is restored to the configuration that you set using the flow-control statement at the [edit interfaces] hierarchy level. When MACsec is enabled, additional header bytes are added to the packet by the MACsec PHY. With line rate traffic, when MACsec is enabled and flow control is disabled, the pause frames sent by the MACsec PHY are terminated by the MIC’s MAC (enhanced 20-port Gigabit Ethernet MICs on MX Series routers) and not transferred to the Packet Forwarding Engine, causing framing errors. Therefore, when MACsec is enabled on an interface, flow control is also automatically enabled on that interface.

IPv6

  • IPv6 addresses with padded zeros in MIC or MS-MPC system log messages (MX Series)—Starting with Junos OS Release 15.1F5, all system log messages originating from MIC or MS-MPC line cards display padded zeros in IPv6 addresses to make them compatible with MS-DPC line cards. Earlier, the system log messages from MIC or MS-MPC line cards displayed IPv6 addresses with ’::’ instead of padded zeros.

MPLS

  • Inline BFD support on IRB interfaces (MX Series routers with MPCs or MICs)—Starting with Junos OS Release 15.1F4, the inline BFD sessions transmitted or received from FPC hardware are supported on integrated routing and bridging (IRB) interfaces. This enhancement is available only on MX Series routers with MPCs/MICs that have configured the enhanced-ip option.

Network Management and Monitoring

  • New 64-bit counter of octets for interfaces (MX Series)—Starting with Release 15.1F4, Junos OS supports two new Juniper Networks enterprise-specific Interface MIB Extension objects—ifHCIn1SecOctets and ifHCOut1SecOctets—that act as 64-bit counters of octets passing through an interface.
  • Enhancement for SONET interval counter (MX Series)—Starting with Junos OS Release 15.1F5, only the Current Day Interval Total output field in the show interfaces interval command for SONET interfaces is reset after 24 hours. In addition, the Previous Day Interval Total output field displays the last updated time in hh:mm.

    [See show interfaces interval.]

Routing Policy and Firewall Filters

  • Support for logical queue-depth in the Packet Forwarding Engine for IP options packets for a given protocol (MX Series)—Starting with Junos OS Release 15.1F6, you can configure logical queue-depth in the Packet Forwarding Engine for IP options packets for a given protocol. The queue-depth is the number of IP options packets that can be enqueued in the Packet Forwarding Engine logical queue; packets beyond that number are dropped.

Routing Protocols

  • Support for RFC 5492, Capabilities Advertisement with BGP-4—Beginning with Junos OS Release 15.1F5, BGP sessions can be established with legacy peers that do not support optional parameters, such as capabilities. In earlier Junos OS releases from 15.1R1 through 15.1R3 and 15.1F1 through 15.1F4, BGP sessions with legacy routers without BGP capabilities were not supported. Starting with Junos OS Release 15.1F5, support for BGP sessions with legacy routers without BGP capabilities is restored.

Services Applications

  • Anycast address 0/0 must not be accepted in the from-clause of Detnat rule (MX Series)—Starting with Junos OS Release 15.1F5, for multiservices (ms-) interfaces, anycast configuration is not allowed as the source-address when the translation type is deterministic NAT.
  • Change to show services nat pool command output—Starting in Junos OS Release 15.1F5, the show services nat pool command output includes this new field: AP-P port limit allocation errors. When AP-P is configured, this field indicates the number of out-of-port errors that are due to a configured limit for the number of allocated ports in the limit-ports-per-address statement at the [edit services nat pool nat-pool-name] hierarchy level.
  • Disabling NAT-traversal for IPsec-protected packets (MX Series)—Starting in Junos OS Release 15.1F6, you can include the disable-natt statement at the [edit services ipsec-vpn] hierarchy level to disable NAT-traversal (NAT-T) on MX Series routers. When you disable NAT-T, the NAT-T functionality is globally switched off, and only Encapsulating Security Payload (ESP) is used, even when a NAT device is present between the two IPsec gateways. When NAT-T is configured, IPsec traffic is encapsulated using the UDP header and port information provided for the NAT devices. By default, Junos OS detects whether either one of the IPsec tunnels is behind a NAT device and automatically switches to using NAT-T for the protected traffic. However, in certain cases, NAT-T support on MX Series routers might not work as desired. Also, you might require NAT-traversal to be disabled if you are aware that the network uses IPsec-aware NAT. In such cases, you can disable NAT-T.

Subscriber Management and Services (MX Series)

  • Local DNS configurations available when authentication order is set to none (MX Series)—Starting in Junos OS Release 15.1F2, subscribers get the DNS server addresses when both of the following are true:
    • The authentication order is set to none at the [edit access profile profile-name authentication-order] hierarchy level.
    • A DNS server address is configured locally in the access profile with the domain-name-server, domain-name-server-inet, or domain-name-server-inet6 statement at the [edit access profile profile-name] hierarchy level.

    In earlier releases, subscribers get an IP address in this situation, but not the DNS server addresses.

  • Support for longer CHAP challenge local names (MX Series)—Starting in Junos OS Release 15.1F4, the supported length of the CHAP local name is increased to 32 characters. In earlier releases, only eight characters are supported even though the CLI allows you to enter a longer name. You can configure the name with the local-name statement at the [edit dynamic-profiles profile-name interfaces pp0 unit "$junos-interface-unit" ppp-options] or [edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" ppp-options] hierarchy levels. The maximum length of the local name for PAP authentication remains unchanged at eight characters.
  • Increased maximum limits for accounting and authentication retries and timeouts (MX Series)—Starting in Junos OS Release 15.1F5, you can configure a maximum of 100 retry attempts for RADIUS accounting (accounting-retry statement) or authentication (retry statement). In earlier releases, the maximum value is 30 retries. You can also configure a maximum timeout of 1000 seconds for RADIUS accounting (accounting-timeout statement) or authentication (timeout statement). In earlier releases, the maximum timeout is 90 seconds.

    Note: The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

  • Extended range for RADIUS request rate (MX Series)—Starting in Junos OS Release 15.1F6, the range for the request-rate statement at the [edit access radius-options] hierarchy level has been extended to 100 through 4000 requests per second. In earlier releases, the range is 500 through 4000 requests per second. The default value is unchanged at 500 requests per second.

System Logging

  • New JSERVICES system log messages (MX Series)—In Junos OS Release 15.1F6, you can configure MX Series routers with MS-MPCs to log the following messages:

    Table 1: JSERVICES System Logs

    | Name | System Log Message | Description | Severity |
    |---|---|---|---|
    | JSERVICES_ALG_FTP_ACTIVE_ACCEPT | softwire-string src-ip:src-port [xlated-src-ip:xlated-src-port]->[xlated-dst-ip: xlated-dst-port]dst-ip:dst-port (protocol-name) | An FTP data connection from client to server is established. The matching packet contains the indicated information about its protocol name, application, source (logical interface name, IP address, and port number), and destination (IP address and port number). If the flow requires NAT services, NAT information appears in the message. | LOG_NOTICE |
    | JSERVICES_ALG_FTP_PASSIVE_ACCEPT | softwire-string src-ip:src-port [xlated-src-ip:xlated-src-port]->[xlated-dst-ip: xlated-dst-port]dst-ip:dst-port (protocol-name) | An FTP data connection from server to client is established. The matching packet contains the indicated information about its protocol name, application, source (logical interface name, IP address, and port number), and destination (IP address and port number). If the flow requires NAT services, NAT information appears in the message. | LOG_NOTICE |
    | JSERVICES_DROP_FLOW_DELETE | softwire-string src-ip:src-port [xlated-src-ip:xlated-src-port]->[xlated-dst-ip: xlated-dst-port]dst-ip:dst-port (protocol-name) | The session with the indicated characteristics is removed, and it had a drop flow. The NAT data is available in the message if the session requires NAT. | LOG_NOTICE |
    | JSERVICES_ICMP_ERROR_DROP | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The ICMP error packet was dropped because it did not belong to an existing flow. | LOG_NOTICE |
    | JSERVICES_ICMP_HEADER_LEN_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The ICMP packet was discarded because the length field in the packet header was shorter than the minimum 8 bytes required for an ICMP packet. | LOG_NOTICE |
    | JSERVICES_ICMP_PACKET_ERROR_LENGTH | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The ICMP packet was discarded because the packet contained fewer than 48 bytes or more than 576 bytes of data. | LOG_NOTICE |
    | JSERVICES_IP_FRAG_ASSEMBLY_TIMEOUT | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet and all related IP fragments previously received were discarded because all fragments did not arrive within the reassembly timeout period of 4 seconds. | LOG_NOTICE |
    | JSERVICES_IP_FRAG_OVERLAP | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the contents of two fragments overlapped. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_CHECKSUM_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the checksum was incorrect. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_DST_BAD | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because its destination address was either a multicast address or was in the range reserved for experimental use (248.0.0.0 through 255.255.255.254). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_FRAG_LEN_INV | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the length of a fragment was invalid. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_INCORRECT_LEN | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The IP packet was discarded because the packet length was invalid. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_LAND_ATTACK | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because its source and destination addresses were the same (referred to as a land attack). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_LAND_PORT_ATTACK | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because its source and destination addresses were the same and its source and destination ports were also the same (referred to as a land port attack). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_NOT_VERSION_4 | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet version was not IPv4. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_NOT_VERSION_6 | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet version was not IPv6. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_PROTOCOL_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because it used an invalid IP protocol. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_SRC_BAD | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because its source address was one of the following: (1) a multicast address (2) a broadcast address (3) in the range 248.0.0.0 through 255.255.255.254, which is reserved for experimental use. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_TTL_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet with the indicated characteristics was discarded because the packet had a time-to-live (TTL) value of zero. | LOG_NOTICE |
    | JSERVICES_IP_PACKET_TOO_LONG | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the packet contained more than 64 kilobytes (KB) of data (referred to as a ping-of-death attack). | LOG_NOTICE |
    | JSERVICES_IP_PACKET_TOO_SHORT | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet did not contain the minimum amount of data required. | LOG_NOTICE |
    | JSERVICES_NO_IP_PACKET | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet received was not an IPv4 or IPv6 packet. | LOG_NOTICE |
    | JSERVICES_SYN_DEFENSE | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet with the indicated characteristics was discarded because the TCP handshake that is used to establish a session did not complete within the set time limit. The time limit is set by the 'open-timeout' statement at the [edit interfaces <services-interface> services-options] hierarchy level. If the time limit is not set, the session uses the default timeout value. | LOG_NOTICE |
    | JSERVICES_SFW_NO_POLICY | source-ip:destination-ip No policy | The stateful firewall received packets with the indicated source and destination addresses. There was no matching policy for the traffic. | LOG_NOTICE |
    | JSERVICES_SFW_NO_RULE_DROP | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The stateful firewall discarded the packet with the indicated characteristics, because the packet did not match any stateful firewall rules. In this case, the default action is to discard the packet. The discarded packet contained the indicated information about its protocol (numerical identifier and name), source (logical interface name, IP address, and port number), and destination (IP address and port number). | LOG_NOTICE |
    | JSERVICES_TCP_FLAGS_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the flags in the packet were set in one of the following combinations: (1) FIN and RST (2) SYN and one or more of FIN, RST, and URG. | LOG_NOTICE |
    | JSERVICES_TCP_HEADER_LEN_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the length field in the packet header was shorter than the minimum 20 bytes required for a TCP packet. | LOG_NOTICE |
    | JSERVICES_TCP_NON_SYN_FIRST_PACKET | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The TCP packet was discarded because it was the first packet in the TCP session but the SYN flag was not set. | LOG_NOTICE |
    | JSERVICES_TCP_PORT_ZERO | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the source or destination port specified in the packet was zero. | LOG_NOTICE |
    | JSERVICES_TCP_SEQNUM_AND_FLAGS_ZERO | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the packet's sequence number was zero and no flags were set. | LOG_NOTICE |
    | JSERVICES_TCP_SEQNUM_ZERO_FLAGS_SET | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The packet was discarded because the packet's sequence number was zero and one or more of the FIN, PSH, and URG flags were set. | LOG_NOTICE |
    | JSERVICES_UDP_HEADER_LEN_ERROR | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The UDP packet was discarded because the length field in the packet header was shorter than the minimum 8 bytes required for a UDP packet. | LOG_NOTICE |
    | JSERVICES_UDP_PORT_ZERO | proto protocol-id (protocol-name), source-interface-name:source-address:source-port -> destination-address:destination-port, event-description | The UDP packet was discarded because the source or destination port specified in the packet was zero. | LOG_NOTICE |
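
A log consumer for the "proto ..." message layout in Table 1, added here as an example (it is not Juniper code): it splits the source-interface-name:source-address:source-port field even when the address is an IPv6 address with padded zeros, and normalizes addresses so that padded and '::' forms of one source are counted together. The "TAG: " prefix, the interface name ms-1/0/0.1, the WATCHED selection and every sample line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Body layout follows Table 1. Assumption: the tag is followed by ": " and
# any syslog header (timestamp, host) comes before it.
LINE_RE = re.compile(
    r"(?P<tag>JSERVICES_[A-Z0-9_]+): proto (?P<proto_id>\d+) \((?P<proto>[^)]+)\), "
    r"(?P<src>[^\s,]+) -> (?P<dst>[^\s,]+), (?P<event>.*)$"
)

# Tags whose Table 1 description names an attack or an incomplete handshake.
WATCHED = {
    "JSERVICES_IP_PACKET_LAND_ATTACK",
    "JSERVICES_IP_PACKET_LAND_PORT_ATTACK",
    "JSERVICES_IP_PACKET_TOO_LONG",
    "JSERVICES_IP_FRAG_OVERLAP",
    "JSERVICES_SYN_DEFENSE",
}


def split_endpoint(text, has_interface):
    """Split [ifname:]address:port; the address may itself contain colons."""
    ifname = None
    if has_interface:
        ifname, text = text.split(":", 1)  # assumes interface names hold no colon
    addr, port = text.rsplit(":", 1)       # the port follows the last colon
    # ip_address() accepts padded and '::' IPv6 forms and compares them equal
    return ifname, ipaddress.ip_address(addr), int(port)


def parse_line(line):
    """Return a dict for a well-formed JSERVICES line, otherwise None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        ifname, src, sport = split_endpoint(m["src"], has_interface=True)
        _, dst, dport = split_endpoint(m["dst"], has_interface=False)
    except ValueError:  # missing field, bad address or non-numeric port
        return None
    return {"tag": m["tag"], "proto": m["proto"], "ifname": ifname, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "event": m["event"]}


def watched_by_source(lines):
    """Count watched events per (tag, canonical source address)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["tag"] in WATCHED:
            counts[(rec["tag"], str(rec["src"]))] += 1
    return counts


# Constructed sample lines (documentation addresses, not captured from a router).
SAMPLE = [
    "JSERVICES_IP_PACKET_LAND_ATTACK: proto 6 (TCP), ms-1/0/0.1:192.0.2.10:80 -> 192.0.2.10:443, constructed event text",
    "JSERVICES_SYN_DEFENSE: proto 6 (TCP), ms-1/0/0.1:2001:0db8:0000:0000:0000:0000:0000:0001:51000 -> 2001:0db8:0000:0000:0000:0000:0000:0002:443, constructed event text",
    "JSERVICES_SYN_DEFENSE: proto 6 (TCP), ms-1/0/0.1:2001:db8::1:51001 -> 2001:db8::2:443, constructed event text",
    "JSERVICES_TCP_PORT_ZERO: proto 6 (TCP), ms-1/0/0.1:198.51.100.7:0 -> 203.0.113.5:80, constructed event text",
    "JSERVICES_TCP_PORT_ZERO: proto 6 (TCP), truncated",
]
```

Run over SAMPLE, watched_by_source() reports the padded and '::' SYN_DEFENSE lines under the single source 2001:db8::1, which is the correlation that breaks if addresses are compared as raw strings across the 15.1F5 change.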

System Management

  • Change to process health monitor process (MX Series)—Starting in Junos OS Release 15.1F5, the process health monitor process (pmond) is enabled by default on the Routing Engines of MX Series routers, even if no service interfaces are configured. To disable the pmond process, include the disable statement at the [edit system processes process-monitor] hierarchy level.

Virtual Chassis

  • SNMP MIB walk on MX Series Virtual Chassis—Starting with Junos OS Release 15.1F5, SNMP MIB walk operations no longer return invalid PCMCIA card information for Routing Engines on MX Series Virtual Chassis.

VPNs

  • Clear all Internet key exchange (IKE), traffic encryption key (TEK), key encryption key (KEK), and security associations (SAs) for group VPN (MX Series)—The clear security group-vpn member group CLI command was introduced in Junos OS Release 15.1F3 for MX Series routers to clear all Internet Key Exchange (IKE), traffic encryption key (TEK), and key encryption key (KEK) security associations (SAs) for a group VPN.
    user@host> clear security group-vpn member group

Modified: 2017-03-22