Junos OS Release Notes for MX Series 5G Universal Routing Platforms and T Series Core Routers

 

These release notes accompany Junos OS Release 16.1R7 for the MX Series and T series. They describe new and changed features, limitations, and known and resolved problems in the hardware and software.

You can also find these release notes on the Juniper Networks Junos OS Documentation webpage, located at https://www.juniper.net/documentation/product/en_US/junos-os.

New and Changed Features

This section describes the new features and enhancements to existing features in the Junos OS main release and the maintenance releases for MX Series.

Release 16.1R7 New and Changed Features

High Availability (HA) and Resiliency

  • ISSU Feature Explorer—The ISSU Feature Explorer is an interactive tool that you can use to verify your device’s ISSU compatibility with different Junos OS releases.

    [See ISSU Feature Explorer.]

Subscriber Management and Services

  • Controlling search behavior for address allocation from linked pools (MX Series)—Starting in Junos OS Release 16.1R7, you can use the linked-pool-aggregation statement at the [edit access] hierarchy level to change how addresses are allocated from linked IP address pools. When you configure the statement, addresses can be assigned from a later pool in the chain before an earlier pool is depleted. When the statement is not configured, IP addresses are assigned contiguously, so that all addresses are allocated from the matching pool and then the first pool in the chain before addresses are assigned from a linked pool.

    [See Configuring Address-Assignment Pool Linking.]

Release 16.1R6 New and Changed Features

Services Application

  • Traffic Load Balancer (MX Series with MS-MPCs)—Starting in Junos OS Release 16.1R6, the Traffic Load Balancer (TLB) application supports 2000 TLB instances for virtual services that use the direct-server-return or translated mode, supports tracing at the instance level or at the virtual services level, supports the display of real server up and down counts, and lets you limit the number of instances for which statistics are displayed.

    For virtual services that use the layer2-direct-server-return mode, TLB supports only 32 TLB instances. To perform the same function as the layer2-direct-server-return mode and have support for 2000 TLB instances, you can use the direct-server-return mode and use a service filter with the skip action.

    After you commit a large TLB configuration, run the show services traffic-load-balance commit-status command. Verify that the Config Status shows Complete before you perform any further commits.

    To enable tracing at the instance level, use the instance-name instance-name statement at the [edit services traffic-load-balance traceoptions monitor monitor-name] hierarchy level.

    To enable tracing at the virtual services level, use the virtual-service-name virtual-service-name statement at the [edit services traffic-load-balance traceoptions monitor monitor-name instance-name instance-name] hierarchy level.

    To limit the number of instances for which statistics are displayed, use the num-instances number option in the show services traffic-load-balance statistics command.

    To display the real server up and down counts, use the show services traffic-load-balance statistics virtual-service virtual-service-name command.

    The SNMP Walk for TLB slows down as you increase the number of TLB instances.

    [See Configuring TLB.]

Release 16.1R5 New and Changed Features

Multicast

  • Improved multicast performance using distributed IGMP (MX Series)—Starting in Junos OS Release 16.1R5, you can improve multicast performance by using the distributed Internet Group Management Protocol (IGMP). Distributed IGMP moves IGMP processing from the Routing Engine to the Packet Forwarding Engine. When you configure distributed IGMP, join and leave events are processed across multiple Modular Port Concentrators (MPCs) on the Packet Forwarding Engine instead of being processed through a centralized routing protocol process (rpd) on the Routing Engine. This improves performance and decreases join and leave latency.

    For distributed IGMP to function properly, you must configure enhanced IP network services by including the enhanced-ip statement at the [edit chassis network-services] hierarchy level. To enable distributed IGMP on static interfaces, include the distributed statement at the [edit protocols igmp interface interface-name] hierarchy level. To enable distributed IGMP on dynamic interfaces, include the distributed statement at the [edit dynamic-profiles profile-name protocols igmp interface $junos-interface-name] hierarchy level.

    You can optionally configure specific multicast groups to join statically by including the distributed option at one of the following hierarchy levels:

    • [edit protocols pim static]

    • [edit protocols pim static group multicast-group-address]

    • [edit protocols pim static group multicast-group-address source source-address]

    [See Understanding IGMP.]

Services Applications

  • NAT with deterministic IP address and port mapping (MX Series router with MS-MPCs and MS-MICs)—Starting in Junos OS Release 16.1R5, support for deterministic NAT mapping for NAPT44 is extended to the MS-MPC and MS-MIC. Deterministic NAT mapping ensures that a given internal IP address and port are always mapped to the same external IP address and port range, and the reverse mapping of a given translated external IP address and port are always mapped to the same internal IP address. Deterministic NAT mapping eliminates the need for logging address translations.

    Configure deterministic NAT translation in a NAT rule by including the translation-type deterministic-napt44 statement at the [edit services nat rule rule-name term term-name then translated] hierarchy level.

    Configure the range low value to be at least 1024 and the range high value to be no more than 65,535 at the [edit services nat pool pool-name port] hierarchy level. If you configure any ports below 1024, they are readjusted.

    You can configure up to 64,512 available ports for each internal subscriber by including the deterministic-port-block-allocation block-size block-size statement at the [edit services nat pool pool-name port] hierarchy level. If you do not include this statement, the default value is 512. If you configure the block-size as 0, Junos OS automatically calculates the block size by using the number of configured subscriber IP addresses, the number of external translated IP addresses, and the port range.

    [See Configuring Deterministic Port Block Allocation.]

  • CoS revert and direction awareness on services interfaces (MX Series routers with MS-MPCs and MS-MICs)—Starting in Junos OS Release 16.1R5, you can configure a services interface CoS rule to store the DSCP and forwarding class of a packet that is received in the match direction of the rule and then apply that DSCP and forwarding class to packets that are received in the reverse direction of the same session. You can also configure a services interface CoS rule to create a CoS session if a packet is first received in the wrong match direction, resulting in the CoS rule values being applied as soon as a packet in the correct match direction is received.

    To apply the stored DSCP and forwarding class to packets in the reverse direction, include the revert statement at the [edit services cos rule rule-name term term-name then] hierarchy level. If you use the revert statement, you cannot use the reflexive or reverse statements.

    To create the CoS session if a packet is first received in the wrong match direction, include the match-rules-on-reverse-flow statement at the [edit services service-set service-set-name cos options] hierarchy level.

    [See Configuring CoS Rules.]

  • MX Series Virtual Chassis NAT and BNG support (MX240, MX480, and MX960 routers with MS-MPCs and MS-MICs)—Starting in Junos OS Release 16.1R5, you can configure a two-member MX Series Virtual Chassis to use the Juniper broadband network gateway (BNG) with IPv4-to-IPv4 basic network address translation (NAT), dynamic NAT, static destination NAT, dynamic NAT with port mapping, and stateful NAT64. A two-member MX Series Virtual Chassis configuration supports a maximum of four MS-MPCs and four MS-MICs per Virtual Chassis.
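
The deterministic NAPT44 item above says that a fixed mapping removes the need to log translations. The following added example (not Juniper code) shows why: with a deterministic layout, an external address and port seen in a flow record or abuse report can be resolved to the internal subscriber by arithmetic alone. The sequential block layout, the automatic block-size formula, the class name, and the sample prefixes are assumptions for illustration, not the Junos OS internal algorithm.

```python
import ipaddress

PORT_LOW, PORT_HIGH = 1024, 65535   # port range limits given in the release note
DEFAULT_BLOCK_SIZE = 512            # default block size given in the release note


class DeterministicNapt44:
    """Assumed sequential block layout; not the Junos OS internal algorithm.

    Every address in each prefix is treated as usable (a simplification).
    """

    def __init__(self, internal_net, external_net, block_size=DEFAULT_BLOCK_SIZE,
                 port_low=PORT_LOW, port_high=PORT_HIGH):
        self.internal = ipaddress.ip_network(internal_net)
        self.external = ipaddress.ip_network(external_net)
        # Ports below 1024 are readjusted; 65535 is the ceiling.
        self.port_low = max(port_low, PORT_LOW)
        self.port_high = min(port_high, PORT_HIGH)
        ports = self.port_high - self.port_low + 1
        subscribers = self.internal.num_addresses
        externals = self.external.num_addresses
        if block_size == 0:
            # Automatic sizing (assumed formula): the largest block that still
            # gives every subscriber its own block.
            per_external = -(-subscribers // externals)   # ceiling division
            block_size = ports // per_external
        if block_size < 1:
            raise ValueError("port range too small for this many subscribers")
        self.block_size = block_size
        self.blocks_per_external = ports // block_size
        if subscribers > self.blocks_per_external * externals:
            raise ValueError("not enough port blocks for every subscriber")

    def forward(self, internal_ip):
        """Return (external_ip, first_port, last_port) for a subscriber."""
        index = int(ipaddress.ip_address(internal_ip)) - int(self.internal.network_address)
        if not 0 <= index < self.internal.num_addresses:
            raise ValueError("address is outside the internal prefix")
        ext_index, block = divmod(index, self.blocks_per_external)
        first = self.port_low + block * self.block_size
        return (str(self.external.network_address + ext_index),
                first, first + self.block_size - 1)

    def reverse(self, external_ip, port):
        """Return the subscriber that owns (external_ip, port), or None."""
        ext_index = int(ipaddress.ip_address(external_ip)) - int(self.external.network_address)
        if not 0 <= ext_index < self.external.num_addresses:
            return None
        if not self.port_low <= port <= self.port_high:
            return None
        block = (port - self.port_low) // self.block_size
        if block >= self.blocks_per_external:
            return None                      # leftover ports that form no full block
        index = ext_index * self.blocks_per_external + block
        if index >= self.internal.num_addresses:
            return None                      # block exists but is not assigned
        return str(self.internal.network_address + index)


def round_trip_ok(nat):
    """Check that every subscriber's block resolves back to that subscriber."""
    for host in nat.internal:
        ext_ip, first, last = nat.forward(str(host))
        if nat.reverse(ext_ip, first) != str(host) or nat.reverse(ext_ip, last) != str(host):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample prefixes: 256 subscribers behind 4 external addresses.
    nat = DeterministicNapt44("10.0.0.0/24", "203.0.113.0/30")
    print(nat.forward("10.0.0.130"))
    print(nat.reverse("203.0.113.1", 3100))
    print(DeterministicNapt44("10.0.0.0/24", "203.0.113.0/30", block_size=0).block_size)
```

The same reverse lookup only stays valid for historical records if the pool, port range, and block size in effect at the time of the flow are known, so configuration history needs to be retained in place of translation logs.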

Subscriber Management and Services

  • Support for excluding tunnel attributes from RADIUS Access-Request messages (MX Series)—Starting in Junos OS Release 16.1R5, you can use the exclude statement at the [edit access profile profile-name radius attribute] hierarchy level to exclude the following tunnel attributes from RADIUS Access-Request messages in addition to the previously supported Accounting-Start and Accounting-Stop messages:

    • acct-tunnel-connection—RADIUS attribute 68, Acct-Tunnel-Connection

    • tunnel-assignment-id—RADIUS attribute 82, Tunnel-Assignment-Id

    • tunnel-client-auth-id—RADIUS attribute 90, Tunnel-Client-Auth-Id

    • tunnel-client-endpoint—RADIUS attribute 66, Tunnel-Client-Endpoint

    • tunnel-medium-type—RADIUS attribute 65, Tunnel-Medium-Type

    • tunnel-server-auth-id—RADIUS attribute 91, Tunnel-Server-Auth-Id

    • tunnel-server-endpoint—RADIUS attribute 67, Tunnel-Server-Endpoint

    • tunnel-type—RADIUS attribute 64, Tunnel-Type

  • Configurable grace period for unresponsive RADIUS servers (MX Series)—Starting in Junos OS Release 16.1R5, you can use the timeout-grace statement at the [edit access radius-options] hierarchy level to configure a grace period that determines when an unresponsive RADIUS authentication server is marked as down or unreachable. When the server fails to respond to any of the attempts made for an authentication request, it times out, the time is noted, and the grace period begins. If the server is unresponsive for subsequent authentication requests, the grace period is checked each time the server times out. When the check determines that the grace period has expired, the server is marked as down or unreachable.

    You can configure the grace period in the range 0 through 30 seconds; the default is 10 seconds. Use a short grace period to declare servers unavailable sooner and direct requests to available servers. Use a long grace period to give unresponsive servers more opportunities to respond.

    In earlier releases, the grace period is 10 seconds and is not configurable.

    [See Configuring a Timeout Grace Period to Specify When RADIUS Servers Are Considered Down or Unreachable.]
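
The grace-period behavior described above, modeled as a small state machine. This is an added example, not Juniper code: the class and function names, the event lists, the choice to treat the grace period as expired once the elapsed time reaches the configured value, and the rule that a response from the server clears the noted timeout are all assumptions made for illustration.

```python
class RadiusServerState:
    """Tracks one RADIUS authentication server against a timeout grace period."""

    def __init__(self, grace_seconds=10):
        # Range and default as stated in the release note.
        if not 0 <= grace_seconds <= 30:
            raise ValueError("grace period must be 0 through 30 seconds")
        self.grace = grace_seconds
        self.first_timeout = None   # time of the timeout that started the grace period
        self.down = False

    def on_timeout(self, now):
        """Call when every attempt for one authentication request went unanswered."""
        if self.first_timeout is None:
            # First timeout: note the time, the grace period begins.
            self.first_timeout = now
        elif now - self.first_timeout >= self.grace:
            # Subsequent timeout: grace period checked and found expired (assumed >=).
            self.down = True
        return self.down

    def on_response(self):
        """Assumption: any response from the server clears the noted timeout."""
        self.first_timeout = None
        self.down = False


def marked_down_at(events, grace_seconds=10):
    """Replay (time, kind) events; return when the server is marked down, or None."""
    state = RadiusServerState(grace_seconds)
    for now, kind in events:
        if kind == "timeout":
            if state.on_timeout(now):
                return now
        elif kind == "response":
            state.on_response()
        else:
            raise ValueError("unknown event kind: %r" % kind)
    return None


# Constructed sample: a server that stops answering at t=0 (seconds).
SILENT_SERVER = [(0, "timeout"), (2, "timeout"), (5, "timeout"),
                 (12, "timeout"), (31, "timeout")]

# Constructed sample: a server that answers once at t=6 and then goes silent.
FLAPPING_SERVER = [(0, "timeout"), (4, "timeout"), (6, "response"),
                   (9, "timeout"), (15, "timeout"), (20, "timeout")]


def compare_grace_periods(events, grace_values=(3, 10, 30)):
    """Show how the grace period shifts the moment of failover."""
    return {grace: marked_down_at(events, grace) for grace in grace_values}


if __name__ == "__main__":
    print(compare_grace_periods(SILENT_SERVER))
    print(marked_down_at(FLAPPING_SERVER, 10))
```

A server is never marked down on its first timeout in this model; it takes a later timed-out request to trigger the check, so the observed detection time also depends on how often authentication requests arrive.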

Release 16.1R4 New and Changed Features

Class of Service

  • Propagating CoS shaping rate adjustments that are based on multicast traffic (MX Series)—Starting in Junos OS Release 16.1R4, you can set up CoS shaping rate adjustments that are based on multicast traffic to be propagated to the parent in the scheduler hierarchy. For service providers that are using interface sets to deliver services such as voice and data and multicast VLANs (M-VLANs) to deliver broadcast television, you can set up CoS so that when a subscriber begins receiving multicast traffic, the shaping rate of the subscriber interface is adjusted to account for the multicast traffic.

    You can now set up the CoS multicast adjustment to be propagated from the subscriber interface to the interface set, which is the parent in the scheduler hierarchy. This feature prevents oversubscription of the subscriber, which can result in dropped traffic and service disruption.

EVPN

  • VPWS service with EVPN mechanisms (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS enables Ethernet VPN-virtual private wire service (EVPN-VPWS) to present a framework for delivering point-to-point EVC (E-Line) VPWS service with EVPN-signaling mechanisms. VPWS service with EVPN-signaling mechanisms enables single-active and all-active multihoming capabilities and support for inter-autonomous system (AS) options associated with BGP-signaled virtual private network service (VPNS).

    The Metro Ethernet Forum (MEF) describes two models for E-Line service, Ethernet private line (EPL) and Ethernet virtual private line (EVPL). EPL provides a point-to-point Ethernet virtual connection (EVC) between a pair of dedicated user-to-network interfaces (UNIs), with transparency. EVPL differs from EPL in that it enables service multiplexing; that is, multiple EVCs per UNI.

    Associating MEF definitions with EVPN terms, the services are defined as:

    • EVPL—Service between Ethernet segment identifier (ESI) and VLAN pairs {ESI,VLAN}.

    • EPL—Service between two ESIs. For this service, the circuit maps to a whole port; that is, all VLANs coming into a port are trunked together to the other endpoint of the service.

    The EVPN-VPWS feature enables using an autodiscovery route per ESI and an autodiscovery route per Ethernet private instance (EVI) for E-Line service. There is no bridging for EVPN-VPWS service. Type 2 and Type 3 routes are not required. Type 4 routes are used for designated forwarder election, as they are for EVPN multipoint-to-multipoint EVC (E-LAN) services. However, designated forwarder election is useful only for single-active service. For all-active service, designated forwarder election is not required, because there is no broadcast, unknown unicast, and multicast (BUM) traffic in VPWS.

  • EVPN MAC Pinning (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS enables MAC pinning for Ethernet VPN (EVPN), including customer edge (CE) interfaces and EVPN over MPLS core in either all-active mode or active-standby mode.

    MAC pinned over CE interfaces in EVPN is synchronized to remote EVPN PEs by adding the Sticky bit (in accord with RFC 7432, Section 7.7, MAC Mobility Extended Community). On a remote EVPN PE, MAC received with Sticky bit enabled is pinned over MPLS core. Therefore, MAC address advertisement and learning that is conducted through the control plane is enabled according to the design of the MAC Mobility Extended Community.

  • EVPN E-Tree (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS enables you to configure an Ethernet VPN E-Tree service.

    The EVPN E-Tree feature implements E-Tree service as defined by the Metro Ethernet Forum (MEF) in draft-sajassi-l2vpn-evpn-etree-03. The E-Tree service is a rooted-multipoint service that is supported only with EVPN over MPLS in the core.

    In an EVPN E-Tree service, each circuit attached to the service is either a root or a leaf. The service adheres to the following forwarding rules:

    • A leaf can send or receive traffic only from a root.

    • A root can send traffic to another root or any of the leaves.

    • A leaf or root can be connected to provider edge (PE) devices in single homing mode or multihoming mode.

  • Ethernet VPN Multihoming with Ethernet Segment Identifier Per Interface (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS enables the Ethernet VPN (EVPN) multihoming feature, with which you can connect a customer site to two or more provider edge (PE) devices to provide redundant connectivity. A customer edge (CE) device can be multihomed to different PE devices or the same PE device. A redundant PE device can provide network service to the customer site as soon as a failure is detected. EVPN multihoming helps to maintain EVPN service and traffic forwarding to and from the multihomed site if one of the following types of network failure occurs:

    • PE device to CE device link failure

    • PE device failure

    • MPLS-reachability failure between the local PE device and a remote PE device

  • NSR for EVPN (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS ensures minimal loss of traffic when a Routing Engine switchover occurs with nonstop active routing (NSR) and graceful Routing Engine switchover (GRES) enabled. The forwarding state of the Packet Forwarding Engine remains intact during switchover. The signaling state on the primary Routing Engine and on the standby Routing Engine are built in parallel.

    Note

    Expect a traffic loss pertaining to a topology change if the topology change occurs during a switchover.

    EVPN reproduces dynamically generated data (such as labels and sequence numbers), and data obtained from peers on the primary Routing Engine, on the standby Routing Engine. EVPN also monitors BGP ingress and egress routing table messages on the standby Routing Engine to populate its signaling plane data structures. Local MAC addresses are obtained by the Layer 2 address learning process, which transfers the data to the EVPN module in the route processing software. In the network layer reachability information (NLRI) fields of its packets, BGP transfers the MAC addresses to peers in the network.

General Routing

  • Enhancement to memory utilization (MX Series)—Junos OS Release 16.1R4 supports an enhanced method for calculating the memory utilization by a Routing Engine. The inactive memory is now considered free and is no longer included in the calculation of memory utilization. That is, the value for used memory shown in the output of the show chassis routing-engine command decreases and results in more memory being available for other processes.

High Availability and Resiliency

  • Support for unified ISSU on MX Series routers and MX Series Virtual Chassis with MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, MPC2E-3D-NG-Q, and MPC5E (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Release 16.1R4, Junos OS supports unified in-service software upgrade (ISSU) on MX Series routers and MX Series Virtual Chassis with MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, MPC2E-3D-NG-Q, and MPC5E.

    Unified ISSU is supported on MPC5E with the following MICs in non-optical transport network (non-OTN) mode:

    • 3X40GE QSFPP

    • 12X10GE-SFPP OTN

    • 1X100GE-CFP2

    • 2X10GE SFPP OTN

    Note

    Unified ISSU is not supported on MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, and MPC2E-3D-NG-Q with the following MICs:

    • MS-MIC-16G

    • MIC-3D-8DS3-E3

    • MIC-3D-1OC192-XFP

    Unified ISSU enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic.

Interfaces and Chassis

  • Enhancement to policer configuration—Starting in Junos OS Release 16.1R4, you can configure the MPC to take a value in the range 0 through 5 for the policer tick byte by using the policer-limit statement at the [edit chassis] hierarchy level. If this statement is not configured, the policer tick byte can take values up to 7, which is the default behavior. You can use the set chassis policer-limit command to enable this feature.

    You must restart the MPC or the router for the changes to take effect.

IPV6

  • Preserving and restoring IPv6 prefixes assigned using DHCPv6 PD (MX Series)—Starting in Junos OS Release 16.1R4, when IPv6 addresses are assigned using DHCPv6 prefix delegation (PD), you can configure the router to preserve and restore a subscriber's delegated prefix through multiple logins. This feature prevents an IA-PD change, which triggers renegotiation for all hosts attached to the residential gateway. This feature requires the use of agent circuit identifiers (ACIs) to identify subscribers.

Layer 2 VPN

  • Support for FEC 128 and FEC 129 in the same routing instance—Starting in Junos OS Release 16.1R4, Junos OS supports forwarding equivalence class (FEC) 128 or FEC 129-based mesh groups in a FEC 129 VPN instance. You can configure a FEC 129 VPLS instance to support both BGP autodiscovery as defined in FEC 129 as well as statically configured LDP neighbors as defined by FEC 128. This feature allows a router to use a common MAC table to forward traffic between a FEC 128 LDP VPLS domain and a FEC 129 domain.

Management

  • Support for gRPC streaming for Junos Telemetry Interface firewall filter statistics (MX Series)—Starting with Junos OS Release 16.1R4, you can use gRPC interfaces to provision sensors to subscribe to and receive firewall filter telemetry data. If your Juniper Networks device is running a version of Junos OS with the upgraded FreeBSD kernel, you must download the Junos Network Agent package, which provides the interfaces to manage gRPC subscriptions. The package is available on the All Junos Platforms software download URL on the Juniper Networks webpage. Hierarchical policer statistics are included in telemetry data for firewall filters. Use the /junos/system/linecard/firewall/ path to provision a sensor for firewall filter statistics.

    [See Guidelines for gRPC Sensors.]

  • Support for gRPC streaming for Junos Telemetry Interface LSP statistics (MX Series)—Starting with Junos OS Release 16.1R4, you can use gRPC interfaces to provision sensors to subscribe to and receive telemetry data for label-switched paths (LSPs). If your Juniper Networks device is running a version of Junos OS with the upgraded FreeBSD kernel, you must download the Junos Network Agent package, which provides the interfaces to manage gRPC subscriptions. The package is available on the All Junos Platforms software download URL on the Juniper Networks webpage. Data is collected only for ingress LSPs, bypass LSPs, and bidirectional LSPs for ultimate-hop popping (UHP). The router should operate in enhanced mode. You must also configure the sensor-based-stats statement at the [edit protocols mpls] hierarchy level. Use the /junos/services/label-switched-path/usage/ path to provision a sensor for LSP statistics.

    [See Guidelines for gRPC Sensors.]

  • Support for gRPC streaming for Junos Telemetry Interface physical interface queue statistics (MX Series)—Starting with Junos OS Release 16.1R4, physical interface sensors provisioned through gRPC interfaces also collect egress and ingress queue statistics. If your Juniper Networks device is running a version of Junos OS with the upgraded FreeBSD kernel, you must download the Junos Network Agent package, which provides the interfaces to manage gRPC subscriptions. The package is available on the All Junos Platforms software download URL on the Juniper Networks webpage. On MX Series routers, queue statistics are exported by each slot on which an interface is configured. Use the /junos/system/linecard/interface/ path to provision sensors for physical interface statistics.

    [See Guidelines for gRPC Sensors.]

Network Management and Monitoring

  • Support for kernel features on MPC7E, MPC8E, and MPC9E line cards (MX Series)—In Junos OS Release 16.1R4, MPC7E, MPC8E, and MPC9E support the following features:

    • Addressing the IPv6 NDP DoS issue—You can address the IPv6 Neighbor Discovery Protocol (NDP) denial-of-service (DoS) issue at the Routing Engine by using NDP inspection or protection to prioritize NDP activities on the Routing Engine.

    • Maximum period for autogeneration of keepalives by the kernel using precision timer feature—Precision timers in the kernel automatically generate keepalives on behalf of BGP for a specified maximum period of time after a switchover event from standby to master.

    • IPv6 support for traceroute with AS number lookup—IPv6 is supported for traceroute with the as-number-lookup option. Traceroute is an application used to display a list of routers between the device and a specified destination host.

    • Targeted aggregated Ethernet distribution—You can direct traffic through specified links of a logical interface of an aggregate Ethernet bundle that is configured without link protection. By configuring targeted aggregated Ethernet distribution, you can create distribution lists consisting of specific child member links.

    • Reduction in the number of IPCs between master agent and subagent—The SNMP GetBulk requests are converted to AgentX GetNext for the repetitions specified in the request. This might result in several inter-process communications (IPCs) between the master agent snmpd and subagent AgentX in proportion to the number of max-repetitions specified in the GetBulk request. The number of IPCs between the master agent and subagent can be reduced by translating GetBulk requests with a high max-repetitions count to a single request between the master agent snmpd and the subagent AgentX.

    • L3-level liveness detection mechanism for child links of an Ethernet LAG interface.

    • Match-string functionality for efficient syslog message filtering.

  • New indicators for the jnxLEDState MIB (MX960, MX2020, and MX2010)—In Junos OS Release 16.1R4, MPC7E, MPC8E, and MPC9E include the following indicators for the jnxLEDState MIB object in the jnxLEDEntry MIB table:

    • Off—Offline, not running.

    • BlinkingGreen—Entering state of OK, good, normally working.

  • Support for mplsL3VpnIfConfTable object (MX Series and T Series)—Starting in Junos OS Release 16.1R4, support is provided for the mplsL3VpnIfConfTable object described in RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) MIB. The mplsL3VpnIfConfTable object represents the Layer 3 VPN enabled interfaces that are associated with a specific Virtual Routing and Forwarding (VRF) instance and shows the bitmask values of the supported protocols. The mplsL3VpnIfConfTable object creates entries for the interfaces that are associated with the VRF instances. If an interface is later removed from a VRF instance, the corresponding entry in the mplsL3VpnIfConfTable object gets deleted. To view details of the mplsL3VpnIfConfTable object, use the show snmp mib walk mplsL3VpnIfConfTable command.

    [See SNMP MIB Explorer.]

  • Support for features on MPC7E, MPC8E, and MPC9E line cards (MX Series)—In Junos OS Release 16.1R4, MPC7E, MPC8E, and MPC9E support the following features:

    • LDP in an IPv6 network only, and in an IPv6 or IPv4 dual-stack network.

    • The IS-IS protocol can restrict flooding of LSAs to control sharing of routes between multiple level-2 metro ring networks.

    • For routers operating in Enhanced IP Network Services mode, you can configure a threshold that triggers fast failover in next-generation MVPNs with hot-root standby on the basis of aggregate flow rate.

    • Control word feature for LDP VPLS and FEC 129 VPLS.

    • You can specify route prefix priority of high or low through the existing import policy in protocols. Through priority, you can control the order in which the routes get updated from LDP/OSPF to RPD, and RPD to kernel.

    • RSVP with traffic engineering (RSVP-TE) protocol extensions for fast reroute (FRR) facility protection to allow greater scalability of LSPs and faster convergence times.

    • The Junos OS implementation of MPLS RSVP-TE is scaled to enhance the usability, visibility, configuration, and troubleshooting of label-switched paths (LSPs).

    • Tables and objects defined in RFC 5132, IP Multicast MIB, except the ipMcastZoneTable table.

    • Agent Capabilities MIB provides information about the implementation characteristics of an Agent subsystem in a network management system.

    • You can prioritize BGP route updates by using output queues.

    • Flow-aware transport (FAT) label for BGP-signaled pseudowires such as Layer 2 VPN and VPLS.

    • The NLRI format available for BGP VPN multicast is changing from the existing format of SAFI 128 to SAFI 129 as defined in RFC 6514.

    • You can use the import-labeled-routes statement at the [edit routing-instances routing-instance-name protocols vpls] hierarchy level to specify one or more nondefault routing instances where you want MPLS pseudowire labeled routes to be leaked from the mpls.0 path routing table in the master routing instance.

    • You can configure BGP-ORR with IS-IS as the interior gateway protocol (IGP) on a route reflector to advertise the best path to the BGP-ORR client groups by using the shortest IGP metric from a client's perspective, instead of the route reflector's view.

OAM

  • Support for Ethernet OAM features on MPC7E, MPC8E, and MPC9E (MX Series)—Starting in Release 16.1R4, Junos OS supports the following Ethernet OAM features on MPC7E, MPC8E, and MPC9E:

    • IEEE 802.3ah standard for OAM

    • IEEE 802.1ag standard for OAM

    • Technical Specification MEF-36-compliant performance monitoring

    • Configuration of multiple maintenance endpoints (MEPs) for a single combination of maintenance association and maintenance domain IDs for interfaces belonging to a particular VPLS service, circuit cross-connect (CCC), or bridge domain.

Platform and Infrastructure

  • Virtual broadband network gateway support on virtual MX Series router (vMX)—Starting in Junos OS Release 16.1R4, vMX supports most of the subscriber management features available with Junos OS Release 16.1R4 on MX Series routers to provide a virtual broadband network gateway on x86 servers.

    Because vBNG runs on vMX, it has similar exceptions. The following subscriber management features available on MX Series routers are not supported for vBNG:

    • High availability features such as hot-standby backup for enhanced subscriber management and MX Series Virtual Chassis

    • CoS features such as shaping applied to an agent circuit identifier (ACI) interface set and its members

    To deploy a vBNG instance, you must purchase these licenses:

    • vMX PREMIUM application package license with 1 Gbps, 5 Gbps, 10 Gbps, or 40 Gbps bandwidth

    • vBNG subscriber scale license with 1000, 10 thousand, 100 thousand, or 1 million subscriber sessions for one of these tiers: Introductory, Preferred, or Elite

Routing Policy and Firewall Filter

  • Support for Packet Forwarding Engine features on MPC7E, MPC8E, and MPC9E line cards (MX Series)—In Junos OS Release 16.1R4, MPC7E, MPC8E, and MPC9E support the following features:

    • Protection against label spoofing or errant label injection across ASBRs—You can use regular BGP implicit and explicit export policies to restrict VPN ASBR peer route advertisement to a given routing instance.

    • Policer overhead adjustment at the interface level—The policer overhead adjustment for ingress and egress policers is defined on a per IFL/direction granularity in order to address MEF CE 2.0 requirements to the bandwidth profile.

    • Configuration support to improve MC-LAG Layer 2 and Layer 3 convergence—You can configure multichassis link aggregation (MC-LAG) interfaces to improve Layer 2 and Layer 3 convergence time to subsecond values when a multichassis aggregated Ethernet link goes down or comes up in a bridge domain.

    • Support for packet-marking schemes on a per-customer basis—A packet-marking scheme, called policy map, enables you to define rewrite rules on a per-customer basis.

    • MPLS encapsulated payload load-balancing—Configure the zero-control-word option to indicate the start of an Ethernet frame in an MPLS Ethernet pseudowire payload.

    • Latency fairness optimized multicast—You can reduce latency in the multicast packet delivery by optimizing multicast packets sent to the Packet Forwarding Engines.

Routing Protocols

  • Support for unique AS path count (MX Series)—Starting with Junos OS Release 16.1R4, you can configure a routing policy to determine the number of unique autonomous systems (ASs) present in the AS path. The unique AS path count helps determine whether a given AS is present in the AS path multiple times, typically as prepended ASs. In earlier Junos releases it was not possible to implement this counting behavior using the as-path regular expression policy. This feature permits the user to configure a policy based on the number of AS hops between the route originator and receiver. This feature ignores ASs in the as-path that are confederation ASs, such as confed_seq and confed_set.

    To configure AS path count, include the as-path-unique-count count (equal | orhigher | orlower) configuration statement at the [edit policy-options policy-statement policy_name from] hierarchy level.
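
The counting rule described above, as an added example (not Juniper code): it counts distinct ASs in the non-confederation segments of a path and applies the equal, orhigher, and orlower comparisons named in the statement. The segment representation, function names, and sample paths are constructed for illustration, and counting the members of an AS set individually is an assumption.

```python
# Segment types that the release note says are ignored when counting.
CONFED_TYPES = {"confed_seq", "confed_set"}
KNOWN_TYPES = {"seq", "set"} | CONFED_TYPES


def countable_asns(path):
    """Return every AS number in the path's non-confederation segments, in order."""
    asns = []
    for seg_type, members in path:
        if seg_type not in KNOWN_TYPES:
            raise ValueError("unknown segment type: %r" % seg_type)
        if seg_type in CONFED_TYPES:
            continue
        asns.extend(members)   # assumption: AS set members are counted individually
    return asns


def unique_as_count(path):
    """Number of distinct ASs, so a prepended AS is counted once."""
    return len(set(countable_asns(path)))


def prepend_depth(path):
    """How many path entries are repeats of an AS already present."""
    asns = countable_asns(path)
    return len(asns) - len(set(asns))


def matches_unique_count(path, count, mode):
    """Mirror the (equal | orhigher | orlower) comparison from the statement."""
    actual = unique_as_count(path)
    if mode == "equal":
        return actual == count
    if mode == "orhigher":
        return actual >= count
    if mode == "orlower":
        return actual <= count
    raise ValueError("mode must be equal, orhigher, or orlower")


# Constructed sample paths, written as (segment_type, [AS numbers]).
PREPENDED_PATH = [("seq", [64500, 64500, 64500, 64500, 64501])]
CONFED_PATH = [("confed_seq", [65100, 65101]), ("seq", [64502, 64503, 64504])]
SHORT_PATH = [("seq", [64505])]


def classify(paths, count, mode):
    """Return the names of the paths a term with this count and mode would match."""
    return sorted(name for name, path in paths.items()
                  if matches_unique_count(path, count, mode))


SAMPLE_PATHS = {"prepended": PREPENDED_PATH, "confed": CONFED_PATH, "short": SHORT_PATH}

if __name__ == "__main__":
    for name, path in SAMPLE_PATHS.items():
        print(name, len(countable_asns(path)), unique_as_count(path), prepend_depth(path))
    print(classify(SAMPLE_PATHS, 2, "orlower"))
```

The prepended path has five entries but only two distinct ASs, so a term using count 2 with orlower matches it even though a filter on raw path length would treat it as a five-hop route.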

Services Applications

  • Support for Inline-JFlow multiple collectors on MX Series routers—Starting in Junos OS Release 16.1R4, you can export flow records to four collectors under a family with the same source IP address for Inline-JFlow. The Packet Forwarding Engine (PFE) can export the flow record, flow record template, option data, and option data template packet to all configured collectors. You can configure the multiple collectors at the [edit forwarding-options sampling instance instance-name] hierarchy level.

    Note

    You cannot change the source IP address for collectors under the same family.

  • Support for inline Two-Way Active Measurement Protocol (TWAMP) server and client on MPC7E (MX240, MX480, MX960)—Starting in Junos OS Release 16.1R4, MX Series routers with MPC7E cards support the inline Two-Way Active Measurement Protocol (TWAMP) control-client and server for transmission of TWAMP IPv4 UDP probes between the session-sender (control-client) and the session-reflector (server). The TWAMP control-client and server can also work with a third-party server and control-client implementation.

    TWAMP is an open protocol for measuring network performance between any two devices that support TWAMP. To configure the TWAMP server, specify the logical interface on the service PIC that provides the TWAMP service by including the twamp-server statement at the [edit interfaces si-fpc/pic/port unit logical-unit-number rpm] hierarchy level. To configure the TWAMP client, include the twamp-client statement at the [edit interfaces si-fpc/pic/port unit logical-unit-number rpm] hierarchy level.

  • Support for AMS warm standby on MS-MPC and MS-MIC (MX Series routers)—Starting in Junos OS Release 16.1R4, one service interface can be the backup interface for multiple service interfaces. This feature is called AMS warm standby. To make a service interface the backup for multiple service interfaces, you configure an AMS interface for each service interface you want to protect. Each of these AMS interfaces has two member interfaces—a primary member interface, which is the service interface you want to protect, and the secondary member interface, which is the backup service interface. You can use the same secondary member interface in multiple AMS interfaces.

    To configure a warm-standby AMS interface, include the primary mams-a/b/0 statement and the secondary mams-a/b/0 statement at the [edit interfaces amsn redundancy-options] hierarchy level.

    If you use redundancy-options in an AMS interface, you cannot use load-balancing-options in the same AMS interface.

    You cannot use the same member interface in both an AMS interface that includes load-balancing-options and an AMS interface that includes redundancy-options.

    To show the state of an AMS interface configured with warm standby, issue the show interfaces redundancy command.

    To switch from the primary interface to the secondary interface, issue the request interface switchover amsn command.

    To revert to the primary interface from the secondary interface, issue the request interface revert amsn command.

Software Installation and Upgrade

  • CFM enhancement for interoperability during unified ISSU (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS connectivity fault management (CFM) works during a unified in-service software upgrade (ISSU) when the peer device is not a Juniper Networks router. Interoperating with the router of another vendor, the Juniper Networks router retains session information and continues to transmit continuity check message (CCM) PDUs during the unified ISSU. CFM interoperability during a unified ISSU is supported on MPC1, MPC2, MPC2-NG, MPC3-NG, MPC5, and MPC6 cards.

    To provide this interoperability, enable inline (Packet Forwarding Engine) keepalives with the hardware-assisted-keepalives statement at the [edit protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level. You must also configure the continuity-check interval to 1 second with the interval statement at the [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name continuity-check] hierarchy level. Interoperability during unified ISSU is not supported for any other interval value.

Subscriber Management and Services

  • Subscriber management and services feature parity (MX240, MX480, MX960)—Starting in Junos OS Release 16.1R4, the MX240, MX480, and MX960 routers with the Routing Engine RE-S-X6-64G support all subscriber management and services features. These services include DHCP, PPP, L2TP, VLAN, and pseudowire.

  • Subscriber termination supported in dynamic-bridged GRE tunnels (MX Series)—Starting in Junos OS Release 16.1R4, dynamic-bridged generic routing encapsulation (GRE) tunnels are created and terminated at the broadband network gateway (BNG) to support the MX Series deployed as a Wi-Fi Gateway model. Dynamic Host Configuration Protocol (DHCP) subscribers are transported through GRE tunnels as either VLAN-tagged or untagged. Subscriber services such as authentication, authorization, and accounting (AAA); address assignment; and class of service (CoS) are supported for individual DHCP subscribers within the GRE tunnels.

  • Support for parameterized filters for protocol-independent packets (MX Series)—Starting in Junos OS Release 16.1R4, you can use family any for parameterized firewall filters in dynamic service profiles. You can also specify a precedence order for family any filters when they are attached to a dynamic logical interface. Parameterization enables you to create basic or boilerplate filters under a dynamic profile and have specific values for certain attributes provided only when the dynamic session is activated.

  • Enhancement to subscriber services (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS supports a maximum of 100 services per subscriber. However, the total number of residential services allowed per subscriber is limited to 12. In earlier releases, the maximum number of services allowed per subscriber is limited to 12, irrespective of the type of service.

    Note

    If you upgrade to Junos OS Release 16.1R4 from an earlier release through unified ISSU, the increase in the number of services applies only to those subscriber sessions that are established after the upgrade. Existing subscribers must log out and log in again to apply this enhancement.

  • Reporting of effective shaping rate and session rate limit from LAC to LNS in L2TP (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS reports connect speed updates from the L2TP access concentrator (LAC) to the L2TP network server (LNS) for class-of-service (CoS) effective shaping rates. This includes both AVP 24 (the Tx speed) and AVP 38 (the Rx speed). These speed updates are reported in the L2TP CSUN message.

    A new Tx connect speed method, service-profile, is added to the tx-connect-speed-method configuration statement, replacing the actual Tx connect speed method. The service-profile method is also added to the RADIUS dictionary for the VSA attribute Tunnel-Tx-Speed-Method (26-94). You configure service-profile as the Tx connect speed method with the set tx-connect-speed-method service-profile statement at the [edit services l2tp] hierarchy level.

    To provide the Rx connect speed for the new service-profile method, use the set report-ingress-shaping-rate statement at the [edit dynamic-profiles profile-name class-of-service interfaces interface-name unit logical-unit-number] hierarchy level.

    To display the configured Tx connect speed method, use the show services l2tp session extensive command.

  • DHCP and DHCPv6 asymmetric lease support (MX Series)—Starting in Junos OS Release 16.1R4, you can configure a shorter lease for DHCP and DHCPv6 that overrides the original lease configuration. The shorter lease is also known as an asymmetric lease. When the client successfully requests a lease extension, the client renews the short lease for the same duration. The short lease continues until the original or long lease offered by DHCP or DHCPv6 expires. The short lease provides a means to force a lease renewal for particular hosts or clients before the original lease expires and a form of liveness detection. When the client is no longer using the lease, the client stops requesting a lease renewal; this is reported to the DHCP server or DHCP relay agent as an expiration of the short lease. In the absence of a short lease, client inactivity can be detected only when the long lease expires. The short lease enables earlier detection and frees up address resources earlier than is possible with the long lease.

    Configure the short lease duration for DHCP or DHCPv6 globally or by group with the following statement at any [edit...(dhcp-local-server | dhcp-relay)...overrides] hierarchy level:

    • asymmetric-lease-time seconds, where seconds is in the range 600 through 86,400

    Configure the short lease duration for DHCPv6 delegated prefix addresses globally or by group with the following statement at any [edit...(dhcp-local-server | dhcp-relay)...overrides] hierarchy level:

    • asymmetric-prefix-lease-time seconds, where seconds is in the range 600 through 86,400

  • Shared memory log supports filter-based debugging (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS supports filter-based debugging using the shared memory log.

    Junos OS uses a shared memory space to store log entries for subscriber service daemons, such as jpppd, jdhcpd, jl2tpd, autoconfd, bbe-smgd, authd, cosd, and dfwd. The shared memory log, or shmlog, output can be displayed using the show shmlog entries logname (logname | all) <filter filter> <flag-name flag> command.

    By default, shared memory logging is enabled. To disable the shmlog, at the [edit system services subscriber-management] hierarchy level, enter the set overrides shmlog disable; configuration statement.

    By default, shmlog filtering is disabled. To enable shmlog filtering, at the [edit system services subscriber-management overrides] hierarchy level, enter the set shmlog filtering enable; configuration statement.

    To display shmlog output for all daemon logs, use the logname all option in the show shmlog entries command. To limit shmlog output to a specific daemon log, provide the daemon name after the logname option followed by an asterisk. For example, logname jpppd* or logname authd*.

    To filter shmlog output, use the filter filter option in the show shmlog entries logname all command. To display a list of valid filters, enter the command show shmlog entries logname all ?.

    Output can also be limited to shmlog entries with specific flags, such as transmit-packets, configuration, and sessionDb, using the flag-name flag option in the show shmlog entries logname all command. To display a list of valid flags, enter the command show shmlog entries logname all flag-name ?.

    To direct shmlog output to a file, at the [edit system services subscriber-management overrides] hierarchy level, enter the set shmlog file <filename>; configuration statement. To view shmlog output stored in a text file, use the command show shmlog entries filename filename.

  • Support for ANCP-triggered dynamic VLANs (MX Series)—Starting in Junos OS Release 16.1R4, you can configure the instantiation of autosensed dynamic VLANs for Layer 2 wholesale services, triggered by out-of-band ANCP messages rather than by in-band control packets. These VLANs accommodate both subscribers wholesaled to a retailer and subscribers belonging to the wholesaler. An ANCP Port Up message triggers VLAN instantiation and conveys several ANCP DSL attributes. During VLAN authorization, RADIUS determines which traffic belongs to the access provider’s own subscribers and which belongs to the wholesale customer (retail ISP) based on identification of the subscriber’s access line by the agent remote identifier. The outer VLAN ID provided by the access node is swapped for an inner VLAN ID to convey wholesaled traffic to the retailer’s unique, nondefault routing instance.

    The wholesaler uses Layer 2 cross-connects to implement the retail networks with 1:1 autosensed, dynamic VLANs and VLAN tag swapping. Core-facing physical interfaces are dedicated to forwarding subscriber connections to the retailer’s router. The traffic for an entire outer VLAN can be wholesaled this way. This direct-connect model supports any combination of wholesaler-owned and wholesaled connections for the entire access-facing VLAN range.

  • Enhanced performance in provisioning and deprovisioning of ESSM services (MX Series)—Starting in Junos OS Release 16.1R4, you can load and commit configurations into an ephemeral configuration database through an operation (op) script, thereby improving the performance of provisioning and deprovisioning of ESSM services. The total number of business services supported is increased to 100 business services per subscriber and 8000 business services per chassis. Before you commit a configuration, you must validate the op script because committing an invalid configuration might result in unexpected behavior.

    The ephemeral configuration database is an alternate database that provides a configuration layer separate from both the static configuration database and the configuration layers of other client applications. The ephemeral commit model enables devices running Junos OS to simultaneously commit and merge changes from multiple clients and execute the commits with significantly greater throughput than when committing data to the static configuration database.

  • Extended support for service-accounting, service-filter-hit, and force-premium firewall match conditions and actions (MX Series)—Starting in Junos OS Release 16.1R4, the service-filter-hit firewall match condition and the service-filter-hit, force-premium, service-accounting, and service-accounting-deferred firewall actions are extended to the family any filter on MX Series routers. This support is in addition to existing support on the family inet and family inet6 filters.

  • Processing multiple activation and deactivation requests in a single CoA message (MX Series)—Starting in Junos OS Release 16.1R4, subscriber management processes RADIUS-initiated Change of Authorization (CoA) messages in a more efficient manner. When receiving a CoA message that has multiple activation and deactivation requests, the router groups the requests together, by type. The router then processes all deactivation requests before processing the activation requests.

    Processing deactivation requests first helps the router provide a consistent behavior for activated services. For example, a particular service might be activated multiple times, using different parameters. It is more efficient for the router to process the deactivation requests for existing instances of the service before attempting to activate the same service with different parameters.

    In earlier releases, the router processed all activation requests first, before processing the deactivation requests in the CoA message.

  • Captive portal content delivery (HTTP redirect) and converged services supported on the Routing Engine (MX Series)—Starting in Junos OS Release 16.1R4, you can configure Routing Engine-based captive portal content delivery (HTTP redirect) with converged services. HTTP redirect and HTTP rewrite traffic are supported on the si logical interface. The Routing Engine-based captive portal supports a walled garden as a firewall service filter only.

  • ANCP agent adjustment of downstream data rate and overhead for SDSL, VDSL, and VDSL2 subscriber lines (MX Series)—Starting in Junos OS Release 16.1R4, you can configure the Access Node Control Protocol (ANCP) agent to provide two independent, adjusted values to CoS for downstream subscriber traffic on frame mode DSL types (SDSL, VDSL, and VDSL2), enabling CoS to more accurately adjust the effective shaping rate for the downstream subscriber traffic. You can specify a percentage value that is applied to the actual, unadjusted data rate received in ANCP Port Up messages. You can also specify a number of bytes that is added to or subtracted from the frame overhead for the traffic.

    To adjust the received values, first include the qos-adjust statement at the [edit protocols ancp] hierarchy level to enable the ANCP agent to report values to CoS. Then include one or more of the following statements at the [edit protocols ancp qos-adjust] hierarchy level to specify a percentage adjustment value: sdsl-overhead-adjust, vdsl-overhead-adjust, or vdsl2-overhead-adjust. To adjust the frame overhead, include one or more of the following statements at the same hierarchy level: sdsl-bytes, vdsl-bytes, or vdsl2-bytes.

    Use the show ancp cos command to view the adjustment configuration and the last updated values sent to CoS. The show class-of-service interface interface-name command displays the adjusted rate and overhead values CoS has received from the ANCP agent.

  • Enhancement to MAC limit function (MX Series with MPCs)—Starting in Junos OS Release 16.1R4, the handling of a burst of packets with new source MAC addresses is improved to reduce resource use and processing time. In earlier releases, new source MAC addresses are learned and placed in the MAC table even after the limit is exceeded. The Routing Engine later deletes the MAC address entries that are over the limit.

    Now, the learning limit configured with the interface-mac-limit statement for new source MAC addresses is enforced at all levels: global, bridge domain, and VPLS. The MAC table is not updated with any new addresses after the limit has been reached. When any static MAC addresses are configured, the learning limit is the configured limit minus the number of static addresses.

    When the configured packet action is drop, all subsequent packets with new source MAC addresses are dropped when the MAC address limit is reached. Otherwise, all such packets are forwarded when the MAC address limit is reached.

    This enhancement applies to the MAC address learning limit at all levels: global, bridge domain, and VPLS. It does not apply to bridge domain trunk ports, because those have no counters for the individual domains, which might have different MAC address learning limits. The enhancement also does not apply to aggregated Ethernet interfaces or to label-switched interfaces. In these cases, the behavior is to learn all the addresses and later delete the excess.
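    The enforcement described above, modeled as an added example (not Juniper code) for reasoning about a burst of new source MAC addresses. The class and function names and the sample addresses are constructed, and the earlier-release function models table size only, because the text does not say which excess entries are deleted.

```python
"""Model of interface-mac-limit enforcement under a burst (added example)."""


class MacLimiter:
    """Enforced behavior: the MAC table is never updated past the limit."""

    def __init__(self, limit, static_macs=(), packet_action=None):
        self.static = set(static_macs)
        # Learning limit is the configured limit minus the static addresses.
        self.learning_limit = max(limit - len(self.static), 0)
        self.drop = packet_action == "drop"
        self.learned = set()
        self.forwarded = 0
        self.dropped = 0

    def table_size(self):
        return len(self.static) + len(self.learned)

    def receive(self, src_mac):
        """Process one packet and return what happened to it."""
        if src_mac in self.static or src_mac in self.learned:
            self.forwarded += 1          # known source: unaffected by the limit
            return "forward"
        if len(self.learned) < self.learning_limit:
            self.learned.add(src_mac)    # room left: learn and forward
            self.forwarded += 1
            return "learn"
        if self.drop:                    # limit reached, packet action drop
            self.dropped += 1
            return "drop"
        self.forwarded += 1              # limit reached, no drop action:
        return "forward"                 # forwarded, but never learned


def run_burst(limit, static_macs, burst, packet_action=None):
    """Feed a burst through a fresh limiter and summarize the outcome."""
    limiter = MacLimiter(limit, static_macs, packet_action)
    for mac in burst:
        limiter.receive(mac)
    return {
        "learning_limit": limiter.learning_limit,
        "learned": len(limiter.learned),
        "table_size": limiter.table_size(),
        "forwarded": limiter.forwarded,
        "dropped": limiter.dropped,
    }


def legacy_table_sizes(limit, static_macs, burst):
    """Earlier releases: learn everything, excess entries are deleted later.

    Returns (peak_table_size, size_after_cleanup).
    """
    static = set(static_macs)
    peak = len(static | set(burst))
    after_cleanup = min(peak, max(limit, len(static)))
    return peak, after_cleanup


def constructed_macs(n):
    """Constructed locally administered addresses for the sample burst."""
    if not 0 <= n <= 256:
        raise ValueError("n must be between 0 and 256")
    return [f"02:00:00:00:00:{i:02x}" for i in range(n)]


# Constructed scenario: limit 5, two static entries, burst of ten new sources.
STATIC = ["02:aa:00:00:00:01", "02:aa:00:00:00:02"]
BURST = constructed_macs(10)

if __name__ == "__main__":
    print("drop action:   ", run_burst(5, STATIC, BURST, "drop"))
    print("no drop action:", run_burst(5, STATIC, BURST))
    print("earlier releases (peak, after cleanup):",
          legacy_table_sizes(5, STATIC, BURST))
```

    In the sample run the table never exceeds 5 entries under enforcement, while the earlier-release model peaks at 12 before cleanup.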

  • PIM support for enhanced subscriber management (MX Series)—Starting in Junos OS Release 16.1R4, you can use the Protocol Independent Multicast (PIM) protocol with enhanced subscriber management. Use the protocols pim command at the [edit dynamic-profiles profile-name] hierarchy level to enable PIM for subscribers within the specified profile. To selectively disable PIM for an individual subscriber, use the new PIM-enable RADIUS VSA and set the integer value to 0.

    The routing-services and protocols pim commands under the [edit dynamic-profiles profile-name] hierarchy level are mutually exclusive and should not be configured together in the same client dynamic profile.

  • Authenticating dynamic VLAN ranges using different profiles (MX Series)—Starting in Junos OS Release 16.1R4, you can set up the software to authenticate and authorize different sets of VLAN ranges on the same interface, each using a different access profile. In earlier releases, all dynamic VLAN ranges on the same interface are authenticated and authorized using the same access profile.

    With this feature, you can have different access profiles for different types of VLANs; for example, voice or data VLANs. If an S-VLAN being used for voice traffic goes down, and the NASREQ server is also down, you can set up the access profile for the S-VLAN so that it comes up without requiring authorization. At the same time, you can configure access profiles for data VLANs that require authorization before the VLAN comes back up.

    To configure this feature, assign a different access profile to each dynamic profile configured on a VLAN. For example:

    Use the following command to configure an access profile that does not require authorization if the NASREQ is down:

    If you configure access profiles for dynamic VLANs in a dynamic profile, you must configure an access profile in each dynamic profile configured on the VLAN.

    If you configure multiple access profiles at different levels of the hierarchy, and a conflict occurs, the router applies the access profiles based on the following precedence rules:

    • If you assign multiple access profiles, the most specific access profile assignment takes precedence over any other access profile assignment.

    • If you assign an access profile at a new level, it takes precedence over any other access profile assignment.

  • Broadband PCEF (MX Series)—Starting in Junos OS Release 16.1R4, Junos OS supports broadband policy and charging enforcement function (BPCEF). BPCEF provides PCEF functionality interacting with external PCRF and OCF resources.

    To configure BPCEF:

    • Configure the BPCEF partition parameters.

    • Configure BPCEF dynamic-profile parameters.

    • Configure access profile parameters.

    Use the following configuration statements at the [edit access] hierarchy level to configure the properties for the BPCEF partition:

    Use the following configuration statements at the [edit access] hierarchy level to configure the rules and parameters for the dynamic-profile:

    Use the following configuration statements at the [edit access] hierarchy level to configure the access profile parameters. Note that if the provisioning order is set to pcrf, then the accounting order should be set to ocf. If the provisioning order is set to ocf, then the accounting order should be set to pcrf.

    To display subscriber command output, use the show network-access aaa subscribers session-id session-id detail command.

  • Targeted distribution of subscriber traffic over aggregated Ethernet—Starting in Junos OS Release 16.1R4, for a demux configuration whose underlying interface is an aggregated Ethernet interface, Junos OS provides targeted distribution of subscriber traffic while also allowing subscriber traffic redundancy. This ensures equal distribution of bandwidth and CoS resources among subscribers.

    Service providers can now:

    • Provide DPC and port redundancy for subscriber traffic.

    • Apply per-subscriber hierarchical QoS and firewall filters on subscriber traffic over LAG.

    To set targeted distribution in the demux logical interfaces configuration, use the targeted-distribution statement at the [edit interfaces demux0 unit logical-unit-number] hierarchy level.

    To schedule an automatic periodic rebalance on an aggregated Ethernet bundle, use the rebalance-periodic start-time <hh:mm> interval <hours> option at the [edit interfaces aenumber aggregated-ether-options targeted-options] hierarchy level.

    To provide module redundancy for demux subscribers on aggregated Ethernet bundles configured with targeted distribution, use the logical-interface-fpc-redundancy statement at the [edit interfaces aenumber aggregated-ether-options targeted-options] hierarchy level.

    To manually rebalance the subscribers on an aggregated Ethernet bundle with targeted distribution enabled, use the request interface rebalance <interface-name> command.

    To display status information about the distribution of subscribers on different links in an aggregated Ethernet bundle, use the show interfaces targeting aex command.

    To view status information about the specified demux interface, use the show interfaces demux0.logical-interface-number command.

    To set targeted distribution in the VLAN logical interface configuration, use the targeted-distribution statement at the [edit interfaces interface-set <interface-set name> demux0 unit logical-unit-number] hierarchy level.

  • Dynamic subscriber and service management on statically configured interfaces (MX Series)—Starting in Junos OS Release 16.1R4, enhanced subscriber management supports dynamic service activation and deactivation for static subscribers. These static subscribers work with the native Juniper Networks Session and Resource Control (SRC), or you can configure RADIUS to activate and deactivate the services with change of authorization (CoA) messages. Note, however, that with RADIUS, authentication failure does not prevent the underlying interface from coming up and forwarding traffic. Instead, it prevents the subscriber from coming up, and thus service activation/deactivation. Authorization parameters such as IP addresses, net masks, policy lists, and QoS are also not imposed when using RADIUS.

    Use the following commands to provide administrative control of static subscribers:

    • request services static-subscribers login interface interface-name

    • request services static-subscribers logout interface interface-name

    • request services static-subscribers login group group-name

    • request services static-subscribers logout group group-name

    Use the following commands to monitor static subscribers:

    • show static-subscribers

    • show static-subscribers interface interface-name

    • show static-subscribers group group-name

  • Logging and reporting function (MX Series with MS-MPC and MS-MIC)—Starting in Junos OS Release 16.1R4, the logging and reporting function (LRF) enables you to log data for subscriber application-aware data sessions and send that data in IP Flow Information Export (IPFIX) protocol format to an external log collector, using UDP-based transport. These data session logs can include subscriber information, application information, HTTP metadata, data volume, time-of-day information, and source and destination details. An external collector, which is not a Juniper Networks product, can then use this data to perform analytics that provide you with insights about subscriber and application usage.

    To configure logging and reporting:

    1. Install the LRF service package jservices-lrf at the [edit chassis fpc slot-number pic pic-number service-package extension-provider package] hierarchy on any MS-MPC PICs and MS-MICs that perform LRF.

    2. Configure an LRF profile to specify a set of logging and reporting parameters, which includes data templates, collectors, and LRF rules. See Configuring an LRF Profile for Subscribers.

    3. Assign the LRF profile to the service set that handles application-aware policy control.

    4. Configure activation of an LRF rule with a PCC rule. See Configuring the Activation of an LRF Rule by a Static PCC Rule. That topic shows the pcef objects at the [edit unified-edge pcef] hierarchy level, but for subscriber management, configure the pcef objects at the [edit services pcef] hierarchy level.

    For a description of the LRF, see the following topics:

  • Subscriber login session with optional services (MX Series)—Starting in Junos OS Release 16.1R4, you can use the service activation statement at the [edit access profile profile-name radius options] hierarchy level to specify whether successful activation of services referenced in the Activate-Service VSA (26-65) in the RADIUS Access-Accept message is required or optional for subscriber login access.

    When activation is required, failure for any reason causes the Network-Family-Activate-Request for that network family to fail. If no other network family is already active for the subscriber, then the client application logs out the subscriber.

    When activation is optional, subscribers can still log in when a service fails to activate because of a configuration error. Failures for any other reason do not allow successful login.

    By default, activation is required for services applied with a dynamic profile and is optional for services applied by an Extensible Subscriber Services Manager (ESSM) operation script. In earlier releases, only the default behavior is available.

    Note

    This configuration does not apply to services activated by means of RADIUS CoA requests, JSRC Push-Profile-Request (PPR) messages, or subscriber secure policy.

  • Support for per-subscriber application-aware policy control (MX Series with MS-MPCs)—Starting in Junos OS Release 16.1R4, the MS-MPC supports per-subscriber policy control based on Layer 7 application identification information for the IP flow (for example, YouTube) or Layer 3 and Layer 4 information for the IP flow (for example, the source and destination IP address). Subscriber application-aware policy actions can include:

    • Redirecting HTTP traffic to another URL or IP address

    • Setting the forwarding class

    • Setting the maximum bit rate

    • Setting the gating status to blocked or allowed

    • Setting the allowed burst size

    • Logging and reporting application-aware data sessions

    To configure per-subscriber application-aware policy control or Layer 3 and Layer 4 policy control:

    1. Install the jservices-mss, jservices-jdpi, and jservices-pcef service packages at the [edit chassis fpc slot-number pic pic-number service-package extension-provider package] hierarchy level on any MS-MPC that performs policy control.

    2. Configure policy control with policy and charging control (PCC) rules and policy and charging enforcement function (PCEF) profiles. PCC rules define the Layer 7 or Layer 3 and Layer 4 conditions to match and the actions to take on packets that match. A PCEF profile points to a set of PCC rules to assign to a subscriber. To use Layer 7 matching conditions, you must either install predefined application identification signatures (see Downloading and Installing Predefined Junos OS Application Signature Packages) or configure custom application signatures (see Configuring Custom Application Signatures). To use Layer 3 and Layer 4 matching conditions, configure flow descriptions. Configure PCC action profiles to specify the actions for a PCC rule.

      Configure PCC rules, PCEF profiles, flow descriptions, and PCC action profiles at the [edit services pcef] hierarchy level.

      You can find details about configuring PCC rules and PCEF profiles in the Subscriber-Aware and Application-Aware Traffic Treatment Feature Guide. The guide shows the pcef objects at the [edit unified-edge pcef] hierarchy level, but for subscriber management, configure the pcef objects at the [edit services pcef] hierarchy level. See the following topics:

    3. Configure a service set to identify the service interface that handles application-aware policy control.

      The application-identification-profile and pcef-profile statements must include names, but these names are dummy variables and are not used.

      The service-interface can be an aggregated multiservices (AMS) interface (see Configuring Aggregated Multiservices Interfaces).

    4. Configure one or more dynamic profiles that specify the PCEF profile and the service set to use.

      1. In the dynamic profile at the [edit dynamic-profile profile-name interfaces interface-name unit logical-unit-number service pcef] hierarchy level, point to the PCEF profile. In the client dynamic profile, you can identify the PCEF profile with the variable $junos-pcef-profile. All of a subscriber’s dynamic profiles that include a PCEF profile must point to the same PCEF profile.

      2. Activate one or more PCC rules in the dynamic profile at the [edit dynamic-profile profile-name interfaces interface-name unit logical-unit-number service pcef profile-name] hierarchy level. Activate a specific rule name with the activate rule-name statement or activate all the rules in the PCEF profile with the activate-all statement. In the client dynamic profile, you can identify a specific rule name with the variable $junos-pcef-rule.

        If you activate PCC rules in multiple dynamic profiles, all of those PCC rules are applied to the subscriber.

      3. In the dynamic profile at the [edit dynamic-profile profile-name interfaces interface-name unit logical-unit-number family family service (input | output) service-set] hierarchy level, point to the service set. In the client dynamic profile, you can identify the service set with a variable ($junos-input-service-set | $junos-output-service-set | $junos-input-ipv6-service-set | $junos-output-ipv6-service-set). You must use the same service set for both the input and output service.

      4. (Optional) In the dynamic profile at the [edit dynamic-profile profile-name interfaces interface-name unit logical-unit-number family family service (input | output) service-set service-set-name service-filter] hierarchy level, point to the service filter. In the client dynamic profile, you can identify the service filter with a variable ($junos-input-service-filter | $junos-output-service-filter | $junos-input-ipv6-service-filter | $junos-output-ipv6-service-filter).

      Table 2 provides a list of the new predefined variables for application-aware policy control in the dynamic profile.

    Table 2: Junos OS PCEF Predefined Variables

    Junos OS Predefined Variable | RADIUS Attribute | Description
    $junos-pcef-profile          | 204              | PCEF profile name.
    $junos-pcef-rule             | 205              | PCC rule name. The RADIUS server can provide multiple PCC rule names for a dynamic profile.

    The following commands have been added or modified to support application-aware policy control:

    • show services pcef subscribers—(New) Displays statistics for subscribers that are using PCEF profiles. You can include any of the options that are available for show subscribers (see show subscribers).

    • show services pcef pic <fpc-slot fpc-slot> <pic-slot pic-slot>—(New) Displays the number of subscribers on each service PIC. The output is zero when a service PIC is down or is coming up after a reboot, because the information is taken from the service PIC. In that case the value does not match the show services pcef subscribers count, which is taken from the Routing Engine.

    • show subscribers—(Modified) Displays additional fields that show the service set, service filter, PCEF profile, and PCC rules for the subscriber.

  • Support for mapping VLAN session termination cause (MX Series)—Starting in Junos OS Release 16.1R4, new internal identifiers indicate the reasons that autoconfd initiates termination of individual VLAN out-of-band subscriber sessions. In earlier releases, the termination cause for a VLAN session is always 6 (administrative reset) and cannot be modified.

    The session termination causes map to default code values that are reported in the RADIUS Acct-Terminate-Cause attribute (49) in Acct-Stop messages for the service. You can use the new vlan option with the terminate-code aaa statement at the [edit access] hierarchy level to remap any of the new termination causes to any number in the range 1 through 4,294,967,295.

    You can use the new vlan option with the show network-access aaa terminate-code vlan command to display only the VLAN termination causes and their current code values.

    [See VLAN Termination Causes and Code Values.]

  • Enhancement to Gx-Plus application (MX Series)—Starting in Junos OS Release 16.1R4, the following enhancements to the Gx-Plus client application on the BNG are available:

    • When a monitored service is deactivated separate from a subscriber logout, the CCR-U indicates that the service is no longer active and includes the service’s usage data.

    • The router updates the monitoring key and threshold values when they are received in an RAR message from the PCRF.

    • A CCR-U is sent to the PCRF after the router sends an RAA message in response to an RAR message that requests service activations or deactivations.

    • When the PCRF returns threshold values that are lower than the current values, the new threshold becomes the sum of the current value and the returned value.

    • The PCEF has default minimum threshold values. If the change between the current value and the value returned by the PCRF is less than the minimum value, then the new value is adjusted to the minimum.

    • The CCR-I message includes the Diameter AVP Subscription-Id attribute (443) with the Subscription-Id-Type Diameter AVP sub-attribute (450) set to 4 (END_USER_PRIVATE) and the Subscription-Id-Data Diameter AVP sub-attribute (444) set to reserved.

    [See Understanding Gx-Plus Interactions Between the Router and the PCRF and Messages Used by Diameter Applications.]

System Management

    • Support for asynchronous batch commits (MX Series)—Starting in Junos OS Release 16.1R4, batch commit behavior is enhanced to allow asynchronous commits, scheduling of commit jobs, and fair scheduling among jobs with different priorities.

      By default, batch commit behavior is synchronous, meaning that the CLI waits until the commit completes before displaying the command prompt. By default, high-priority commit jobs are always processed before low-priority jobs, blocking the completion of low-priority jobs. This default behavior is not suitable for situations where there is a hard requirement to commit certain configurations in a predefined time period or to see the command-prompt within a predefined time limit, especially in a scaled environment.

      Now you can configure asynchronous batch commits, which allow the CLI to display the command prompt immediately after the commit request, as soon as the job is added to the commit queue. Two new CLI commands commit jobs asynchronously: commit asynchronous commits low-priority jobs asynchronously, and commit priority asynchronous commits high-priority jobs asynchronously. The new commit async/asynchronous statement returns a job-id that you can use to monitor the status of the job with the show commit server queue id commit-id command.

      Use the commit async statement from batch configuration mode [edit batch] to batch an asynchronous job in the commit queue as a low-priority commit job. You can specify a high-priority asynchronous commit job with the commit priority async statement. The commit operation proceeds in the background, depending on priority and scheduling, and the CLI is available for further inputs.

      Best Practice

      We recommend that you use the and-quit option for either asynchronous statement.

      A schedule is attached to low-priority asynchronous commits. The schedule specifies the time duration and maximum load under which the commit server should process the low-priority jobs. If no schedule is specified, the commit proceeds as a normal batch commit.

      You can use the new commit-schedule-profile profile-name statement at the [edit system commit server] hierarchy level to define one or more sets of scheduling parameters that can be attached to low-priority commit jobs. For example, you might configure different schedules for day versus night. An example schedule has the following attributes:

      • start-time hh:mm—Time when the schedule starts.

      • end-time hh:mm—Time when the schedule ends.

      • interruptible—Flag indicating that any commit job in the schedule can be interrupted by a high-priority job. If this attribute is not configured, a high-priority job must wait for an ongoing low-priority job to finish before it can be processed; the high-priority job is then processed ahead of any pending low-priority jobs.

      • load-average average—Preferred load-average before schedule kicks in. This is the maximum system utilization or load average that allows the schedule to start. For example, if you specify a load average of 0.66, the schedule is not applied unless the system utilization is less than or equal to 0.66 (66 percent).

      The commitd daemon determines when to remove a job from the queue and process it based on the priority of the job and the schedule configured on the commit server. The schedule is checked every time a batch job is removed from the queue and committed.

      In addition to receiving system log messages, you can use the redirect-completion-status url statement at the [edit system commit server] hierarchy level to post the status of asynchronous commits to the configured URL. The status includes a job ID, job status, and job cookie for the specified URL.

Release 16.1R3 New and Changed Features

General Routing

  • Support for OpenConfig—Starting in Junos OS Release 16.1R3, you can configure your MX and PTX Series network devices by using OpenConfig data models. The data models are written in YANG, a data modeling language that can be used to model both configurational data as well as operational data and can be managed on the router by using the CLI or with NETCONF.

    Junos OS Release 16.1R3 supports the following OpenConfig data models:

    • Border Gateway Protocol

    • Routing Policy

    • Local Routing

    • Telemetry

    • Interface

    • MPLS

    [See OpenConfig Feature Guide.]

High Availability and Resiliency

  • Note

    This feature is documented but not supported in Junos OS Release 16.1R1.

    High availability for IPsec on MS-MPCs (MX Series)—Starting in Junos OS Release 16.1R3, you can use the new one-to-one statement at the [edit interfaces interface-name load-balancing-options high-availability-options] hierarchy level to configure one-to-one (1:1) redundancy between a pair of interfaces. If the active interface fails, the backup interface takes over. The one-to-one statement configures synchronization between the two interfaces, which creates support for IPsec connections over the redundant interfaces.

Layer 2 Features

  • Implicit maximum bandwidth for inline services for L2TP LNS (MX Series)—Starting in Junos OS Release 16.1R3, you are no longer required to explicitly specify a bandwidth for L2TP LNS tunnel traffic using inline services. If you do not specify a bandwidth, the maximum bandwidth supported on the PIC is automatically available for the inline services; inline services can use up to this maximum value. For example:

    user@host> show interfaces si-3/0/0
    user@host> show interfaces si-3/1/0

    In earlier releases, you must specify a bandwidth to enable inline services by including the bandwidth statement with the inline-services statement.

Management

  • Enhancements to the Junos Telemetry Interface (MX Series)—The Junos Telemetry Interface enables you to export telemetry data from supported interface hardware. Line-card sensor data, such as interface events, are sent directly to configured collection points without requiring polling.

    Starting with Junos OS Release 16.1R3, telemetry sensors for the following system resources are now also supported:

    • CPU memory

    • BGP peers (gRPC streaming only)

    • Memory utilization for routing protocol tasks (gRPC streaming only)

    • Network processing unit (NPU) memory and memory utilization

    • Optical interfaces

    • Inline flow sampling process (UDP streaming only)

    • Chassis components

    • Aggregated Ethernet interfaces configured with LACP (gRPC streaming only)

    • ARP (gRPC streaming only)

    • Ethernet interfaces configured with LLDP (gRPC streaming only)

    • RSVP interface events (gRPC streaming only)

    • Network Discovery Protocol table state (gRPC streaming only)

    • Routing Engine internal interfaces (gRPC streaming only)

    [See Junos Telemetry Interface Feature Guide.]

  • Support for adding nonnative YANG RPCs to the Junos OS schema (MX Series and T Series)—Starting with Junos OS Release 16.1R3, you can load custom YANG RPCs on devices running Junos OS. Creating custom RPCs enables you to precisely define the input parameters and operations and the output fields and formatting for your specific operational tasks on those devices. The ability to add custom RPCs to a device is also beneficial when you want to create RPCs that are device-agnostic and vendor-neutral. You can load YANG modules that add custom RPCs by using the request system yang add operational command.

  • gRPC support for the Junos Telemetry Interface (MX Series)—Starting with Junos OS Release 16.1R3, you can use a set of gRPC remote procedure call (RPC) interfaces to provision sensors and to subscribe to and receive telemetry data. gRPC is based on an open source framework and provides for interoperability as well as the secure and reliable transport of data. Use the telemetrySubscribe RPC to specify telemetry parameters and stream data for a specified list of OpenConfig command paths. Telemetry data is generated as Google protocol buffers (gpb) messages in a universal key/value format. If your Juniper Networks device is running a version of Junos OS with the upgraded FreeBSD kernel, you must download the Network Agent package, which provides the interfaces to manage gRPC subscriptions. The package is available on the All Junos Platforms software download URL on the Juniper Networks webpage. On MX Series routers, supported hardware for gRPC telemetry data streaming is MPC1 through MPC9E. On PTX Series routers, supported hardware is FPC1, FPC2, and FPC3.

    [See Junos Telemetry Interface Feature Guide.]

  • Junos SDK is end of life (EOL)—Starting in Junos OS Release 16.1, the Juniper Extension Toolkit (JET) provides a rich set of APIs to program the Junos control plane. JET allows users to build applications on top of Junos OS and, hence, replaces the legacy Junos SDK. With the support of JET APIs in Junos OS Release 16.1R1, Junos SDK is now EOL. Junos SDK will be supported as long as the equivalent Junos OS Release is supported. So, a customer running Junos OS Release 14.2 can still download and use Junos SDK until Junos OS Release 14.2 is end of support (EOS).

    [For JET, see Juniper Extension Toolkit (JET). For Junos SDK downloads, see https://www.juniper.net/support/csc/swdist-junos-sdk/.]

MPLS

  • Enhancements to MPLS RSVP-TE LSP (T Series)—The Junos OS implementation of MPLS RSVP-TE is scaled to enhance the usability, visibility, configuration, and troubleshooting of label-switched paths (LSPs) in Junos OS Release 16.1R2 and later releases.

    These enhancements make the RSVP-TE configuration easier by:

    • Ensuring LSP data-plane readiness during LSP resignaling (before traffic traverses the LSP) by using the RSVP-TE LSP self-ping mechanism.

    • Removing the current hard limit of 64000 LSPs on an ingress router, thereby enabling scaling to be constrained only by the total number of LSPs that RSVP-TE signaling can sustain.

    • Preventing abrupt tearing down of LSPs by the ingress router because of delay in signaling the LSP at the transit routers.

Services Applications

  • IPsec multipath forwarding with UDP encapsulation (MX Series routers with MS-MPCs and MS-MICs)—Starting in Junos OS Release 16.1R3, you can enable the UDP encapsulation of the IPsec encapsulated packets between peers, which appends a UDP header after the ESP header. Doing this provides Layer 3 and 4 information to the intermediate routers, and the IPsec packets are forwarded over multiple paths, which increases the throughput.

    [See IPsec Multipath Forwarding With UDP Encapsulation.]

Subscriber Management and Services

  • Enhanced DHCP dual-stack support (MX Series)—Starting in Junos OS Release 16.1R3, subscriber management supports a single-session DHCP dual-stack model that provides a more efficient configuration and management of dual-stack subscribers.

    The single-session dual-stack model addresses session-related inefficiencies that exist in the traditional dual-stack—for example, the new model requires single sessions for authentication and accounting, as opposed to multiple sessions that are often needed in a traditional dual-stack configuration. The single-session dual-stack model also simplifies router configuration, reduces RADIUS message load, and improves accounting session performance for subscriber households with dual-stack environments.

    [See Single-Session DHCP Dual-Stack Overview.]

  • Flat-file accounting (MX Series)—Starting in Junos OS Release 16.1R3, you can collect accounting statistics from the Packet Forwarding Engine to be reported in an XML flat file. Flat file accounting is typically used to record accounting statistics on logical interfaces for Extensible Subscriber Services Manager (ESSM) business subscribers. You can also use flat-file accounting to collect and archive accounting statistics for wholesaler and retailer subscriber activity in a Layer 2 wholesale environment by applying it to a core-facing physical interface. You can configure multiple accounting profiles with different combinations of fields for specific accounting requirements, and then assign the profiles as needed to provisioned interfaces to satisfy the accounting requirements for each interface depending on how it is used.

    Best Practice

    We recommend that you use separate flat-file profiles for Layer 2 wholesale core-facing physical interfaces and ESSM business subscriber logical interfaces.

    You can create an accounting profile template to define the flat-file attributes, such as the statistics fields to collect, the name and format of the file, the frequency at which the Packet Forwarding Engine is polled for statistics, and the schema version.

    The file typically uses the IP Detail Record (IPDR) format; in this case, a file header includes information, such as the name of the host where the statistics are collected, a timestamp, a file identification number, and the name of the schema. The schema is associated with a specific XML format and output based on the flat-file configuration and defines the information conveyed in the file. The schema enables an external file processor to correctly interpret the file contents.

    [See Flat File Accounting Overview.]

  • Flat-file accounting options (MX Series)—Starting in Junos OS Release 16.1R3, you can configure accounting options for flat files, which are typically used to record accounting statistics on logical interfaces for Extensible Subscriber Services Manager (ESSM) business subscribers.

    Flat file accounting options include the size, number of files saved before overwriting, how long backed-up files are saved, archive sites, frequency, the location where files are saved in the event of a Routing Engine switchover, and more. You can configure the router to save a backup copy of the accounting files to the /var/log/pfedBackup directory.

    The accounting files are transferred at regular intervals; configuring multiple archive sites increases the likelihood of a successful transfer. If a transfer fails, all remaining sites are tried in order until the transfer is successful or all sites have failed. If backup-on-failure is configured, an attempt is made at the next scheduled interval to transfer any backed-up files from /var/log/pfedBackup.

    If you do not configure backup-on-failure, the file is saved on failure into the local directory that is specified as the last site in the list of archive sites. No further attempts are made to transfer the file. You must configure an event script or some other means to transfer files from the local directory to a remote site.

    [See Flat File Accounting Overview.]

  • Monitoring only ingress traffic for subscriber idle timeouts (MX Series)—Starting in Junos OS Release 16.1R3, you can specify that only ingress data traffic is monitored for subscriber idle timeout processing. If you include the client-idle-timeout-ingress-only statement in addition to the client-idle-timeout statement at the [edit access-profile profile-name session-options] hierarchy level, subscribers are logged out or disconnected when no ingress traffic is received for the duration of the idle timeout period. Egress traffic is not monitored. If you do not include the client-idle-timeout-ingress-only statement, both ingress and egress data traffic are monitored during the timeout period to determine whether subscribers are logged out or disconnected.

    This configuration is useful in cases where the LNS sends traffic to the remote peer even when the peer is not up, such as when the LNS does not have PPP keepalives enabled and therefore is not aware that the peer is not up. In this situation, because by default the LAC monitors both ingress and egress traffic, it detects the egress traffic from the LNS and either does not log out the subscriber or delays detection of inactivity until the egress traffic ceases. When you specify that only ingress traffic be monitored, the LAC can detect that the peer is inactive and then initiate logout.

  • Support for maximum session limits on L2TP service interfaces (MX Series)—Starting in Junos OS Release 16.1R3, you can include the l2tp-maximum-session number statement at the [edit interfaces service-interface] hierarchy level to specify the maximum number of sessions that are allowed on an individual service interface (si) or aggregated service interface (asi). New session requests on an interface are accepted only when the session count is less than the maximum session limit. If the limit has been reached, subsequent requests are dropped and the LNS responds with a CDN message (Result Code 2, Error Code 4). If a pool of interfaces is configured, interfaces at the maximum limit are ignored in favor of an interface in the pool that has a lower session count. For an asi interface, the configuration applies to all member interfaces; you cannot configure the limit for individual member interfaces.

  • Enhanced load balancing on L2TP physical service interfaces (MX Series)—Starting in Junos OS Release 16.1R3, when a service interface in a service device pool is rebooted, sessions reconnect and new session requests are distributed based on the number of sessions on the available interfaces in the pool. The sessions are assigned to the interface with the fewest sessions. If more than one interface has the minimum number of sessions, then a random selection determines which interface gets the session.

    In earlier releases, session load balancing is a simple round-robin distribution among the interfaces. Consequently, fewer sessions are assigned to a newly rebooted interface than to the other interfaces. For example, consider a pool with two si interfaces, si-0/0/0 and si-1/0/0. Each has 100 sessions. If si-1/0/0 reboots, it drops all 100 sessions. As the sessions reconnect, they alternate between the two interfaces so that when all sessions have reconnected, si-0/0/0 has 150 sessions and the reconnected si-1/0/0 interface has only 50 sessions.

    Consider the same pool with the new behavior. As sessions reconnect, si-1/0/0 has fewer sessions (0 to start) than si-0/0/0 (100). Because the interface with the fewest sessions is selected, all sessions are assigned to si-1/0/0 until it reaches the same count as si-0/0/0.

    For asi interfaces, the interface with the lowest session count is selected from the pool for new or reconnect session requests. When the active si interface in the asi bundle goes down, all the active sessions on that primary interface fail over to the secondary interface.
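The following Python model is an added illustration, not Juniper code: it replays the two-interface reboot example above under the earlier round-robin placement and under fewest-sessions placement, and it also applies the l2tp-maximum-session limit described earlier in this section. The function names and the 120-session limit used in the demo are assumptions.

```python
"""Model of L2TP session placement across a pool of service interfaces.

Illustrative only: interface names and session counts follow the example
in the release note; the functions are hypothetical, not Junos code.
"""
import random


def place_round_robin(sessions, order, cursor):
    """Earlier releases: alternate between interfaces regardless of load."""
    name = order[cursor % len(order)]
    sessions[name] += 1
    return name, cursor + 1


def place_least_loaded(sessions, max_sessions=None, rng=random):
    """16.1R3 behaviour: the interface with the fewest sessions wins.

    Ties are broken at random. Interfaces already at the configured
    l2tp-maximum-session limit are ignored. Returns the chosen interface,
    or None when every interface is full; the LNS then answers with a
    CDN message (Result Code 2, Error Code 4).
    """
    eligible = {name: count for name, count in sessions.items()
                if max_sessions is None or count < max_sessions}
    if not eligible:
        return None
    low = min(eligible.values())
    name = rng.choice(sorted(n for n, c in eligible.items() if c == low))
    sessions[name] += 1
    return name


def simulate_reboot(policy, reconnecting=100, max_sessions=None, seed=0):
    """si-1/0/0 reboots, drops its sessions, and they reconnect.

    Returns (final session counts, number of rejected requests).
    """
    rng = random.Random(seed)
    sessions = {"si-0/0/0": 100, "si-1/0/0": 0}
    order, cursor, rejected = sorted(sessions), 0, 0
    for _ in range(reconnecting):
        if policy == "round-robin":
            _, cursor = place_round_robin(sessions, order, cursor)
        elif place_least_loaded(sessions, max_sessions, rng) is None:
            rejected += 1
    return sessions, rejected


if __name__ == "__main__":
    print("round-robin :", simulate_reboot("round-robin"))
    print("least-loaded:", simulate_reboot("least-loaded"))
    # Constructed case: 200 requests against an assumed limit of 120.
    print("with limit  :", simulate_reboot("least-loaded", 200, 120))
```

With a limit configured, the rejected count is the number of requests that would receive the CDN response once every interface in the pool is full.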

  • DHCPv6 subscriber identification criteria and automatic logout (MX Series)—Starting in Junos OS Release 16.1R3, the DHCPv6 local server and the DHCPv6 relay agent can identify a DHCPv6 client by using the incoming-interface option in addition to the client identifier. The incoming interface allows only one client device to connect on the interface. If the client device changes—that is, if DHCPv6 receives a solicit message from a client whose incoming interface matches the existing interface—DHCPv6 automatically logs out the existing client without waiting for the normal lease expiration. It deletes the existing client binding and creates a binding for the newly connected device.

    [See DHCPv6 Match Criteria for Identifying DHCPv6 Subscribers.]

  • Changes to show ancp subscriber and clear ancp subscriber commands (MX Series)—Starting in Junos OS Release 16.1R3, multiple simultaneous filtering options are no longer allowed for the show ancp neighbor, show ancp subscriber, and clear ancp subscriber commands. In earlier releases, you can issue commands with both the identifier and neighbor options or both the ip-address and system-name options on the same line. Now you can enter only one of these options at a time.

    To improve consistency, the neighbor option has been replaced with ip-address for the show ancp subscriber command, to match the show ancp neighbor, clear ancp neighbor, and clear ancp subscriber commands. For example, to display information about subscribers connected to a specific access node identified by its address, use the show ancp subscriber ip-address ip-address command; in earlier releases, you use the show ancp subscriber neighbor ip-address command.

    The system-name mac-address option is now available for the show ancp subscriber and clear ancp subscriber commands.

Release 16.1R2 New and Changed Features

High Availability and Resiliency

  • Support for unified ISSU on MX Series routers with MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, and MPC2E-3D-NG-Q (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Release 16.1R2, Junos OS supports unified in-service software upgrade (ISSU) on MX Series routers with MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, and MPC2E-3D-NG-Q.

    Unified ISSU enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic.

    Note

    Unified ISSU is not supported on MPC3E-3D-NG, MPC3E-3D-NG-Q, MPC2E-3D-NG, and MPC2E-3D-NG-Q with the following MICs:

    • MS-MIC-16G

    • MIC-3D-8DS3-E3

    • MIC-3D-1OC192-XFP

IPv6

  • Forced IPv6 DNS server address insertion (MX Series)—Starting in Junos OS Release 16.1R2, MX Series devices can dynamically provision IPv6 DNS Server addresses for DHCPv6 clients. The IPv6 DNS Server addresses are provided in DHCPv6 Advertise and Reply messages, even if the Solicit message or Request message from the client does not request the IPv6 DNS Server address.

Management

  • Support for Junos Telemetry Interface (MX Series)—Junos Telemetry Interface enables you to export telemetry data from supported interface hardware. Line card sensor data is sent directly to configured collection points without involving polling. Starting with Junos OS Release 16.1R2, you can export logical interface statistics and firewall filter statistics in addition to physical interface statistics. Junos Telemetry Interface is supported only on MPC1 through MPC9E. All parameters are configured at the [edit services analytics] hierarchy level.

MPLS

  • Support for LDP signaling over native IPv6 (T Series)—IPv6 connectivity often relies on tunneling IPv6 over an IPv4 MPLS core with IPv4-signaled MPLS label-switched paths (LSPs). To enable such tunneling, you need to configure the IPv4-signaled LSPs statically or have them configured dynamically by provider edge routers. To overcome these challenges, and to meet the growing demand of IPv6, Junos OS supports LDP signaling for native IPv6.

    Starting in Junos OS Release 16.1R2, LDP is supported in:

    • IPv6 network only

    • IPv6 or IPv4 dual-stack network

    [See Configuring LDP Native IPv6 Support and Example: Configuring LDP Native IPv6 Support.]

Operation Administration and Management

  • Support for sender ID TLV—Starting with Junos OS Release 16.1R2, you can configure Junos OS to send the sender ID TLV along with the packets. The sender ID TLV is an optional TLV that is sent in continuity check messages (CCMs), loopback messages, and Link Trace Messages (LTMs), as specified in the IEEE 802.1ag standard. The sender ID TLV contains the chassis ID, which is the unique, CFM-based MAC address of the device, and the management IP address, which is an IPv4 or an IPv6 address.

    You can enable Junos OS to send the sender ID TLV at the global level by using the set protocols oam ethernet connectivity-fault-management sendid-tlv and the set protocols oam ethernet connectivity-fault-management sendid-tlv send-chassis-tlv commands. If the sender ID TLV is configured at the global level, then the default maintenance domain, maintenance association, and the maintenance association intermediate point (MIP) half function inherit this configuration.

    You can also configure the sender ID TLV at the following hierarchy levels:

    • Maintenance domain—At the [edit protocols oam ethernet connectivity-fault-management maintenance-domain maintenance-domain-name mip-half-function default] hierarchy level. Configuration performed at this level applies to all the maintenance associations under the maintenance domain.

    • Default maintenance domain and the MIP half function—At the [edit protocols oam ethernet connectivity-fault-management maintenance-domain default-maintenance-domain-name mip-half-function default] hierarchy level.

    • Maintenance association—At the [edit protocols oam ethernet connectivity-fault-management maintenance-domain maintenance-domain-name maintenance-association maintenance-association-name continuity-check] hierarchy level.

    The sender ID TLV, if configured at the hierarchy levels mentioned above, takes precedence over the global-level configuration.

    Note

    Sender ID TLV is supported only for 802.1ag PDUs and is not supported for performance monitoring protocol data units (PDUs).

Platform and Infrastructure

  • Virtual MX Series router (vMX)—Starting in Junos OS Release 16.1, you can deploy vMX routers on x86 servers. FreeBSD 10 is the underlying OS for Junos OS for vMX.

    vMX supports most of the features available on MX Series routers and allows you to leverage Junos OS to provide a quick and flexible deployment. vMX provides the following benefits:

    • Optimizes carrier-grade routing for the x86 environment

    • Simplifies operations by consistency with MX Series routers

    • Introduces new services without reconfiguration of current infrastructure

Routing Protocols

  • Selective advertising of BGP multiple paths—Beginning with Junos OS Release 16.1R2, you can restrict BGP add-path to advertise contributor multiple paths only. Advertising all available multiple paths might impose a large processing overhead on device memory and is also a scaling consideration. You can limit and configure up to six prefixes that the BGP multipath algorithm selects. Selective advertising of multiple paths helps Internet service providers and data centers that use route reflectors to build in-path diversity in IBGP.

  • BGP advertises multiple add-paths based on community value—Beginning with Junos OS 16.1R2, you can define a policy to identify eligible multiple path prefixes based on community values. BGP advertises these community-tagged routes in addition to the active path to a given destination. If the community value of a route does not match the community value defined in the policy, then BGP does not advertise that route. This feature allows BGP to limit the number of multiple paths that are processed and not advertise more than 20 paths to a given destination. You can limit and configure the number of prefixes that BGP considers for multiple paths without actually knowing the prefixes in advance. Instead, a known BGP community value determines whether or not a prefix is advertised.

Security

  • Global configuration for flow detection and tracking (MX Series)—Starting in Junos OS Release 16.1R2, you can configure the mode of operation for flow detection and tracking globally for all protocol groups and packet types. In earlier releases, although you can enable flow detection and tracking globally, you can configure the behavior only at the individual flow aggregation levels: physical interface, logical interface, or subscriber; you cannot configure the behavior globally. The new global configuration applies to all packet types in the traffic flow unless it is overridden by the configuration for a protocol group or packet type at the flow aggregation levels.

    To configure the global behavior for flow detection, include the flow-detection-mode statement at the [edit system ddos-protection global] hierarchy level and specify one of the following modes:

    • automatic—Detect flows only when the policer is being violated. This is the default mode.

    • on—Monitor and detect all flows even when no policer is being violated.

    • off—Disable flow detection.

    To configure the global behavior for how traffic in the detected flow is controlled, include the flow-level-control statement at the [edit system ddos-protection global] hierarchy level and specify one of the following control behaviors:

    • drop—Drop all traffic in the flow. This is the default behavior.

    • keep—Keep all traffic in the flow.

    • police—Police the traffic in the flow to within its allowed bandwidth.

    Use the show ddos-protection statistics command to display the current global configuration.

Services Applications

  • Network attack protection for MS-MPCs (MX Series)—Starting in Junos OS Release 16.1R2, the MS-MPC can detect and prevent network probing attacks, network flooding attacks, suspicious packet pattern attacks, and header anomaly attacks. The configuration of IDS rules for MS-MPCs differs from the configuration of IDS rules for MS-DPCs.

    Network probing attacks and network flooding attacks—Use the following hierarchy to configure an intrusion detection service (IDS) rule and assign the IDS rule to a service set to protect against network probing attacks and network flooding attacks. The IDS rule has no from statement, and we recommend that you also configure a stateful firewall rule to limit the packets that the IDS rule processes. Only the first IDS input rule and the first IDS output rule for a service set are used, and only the first term of an IDS rule is used. If you configure an IDS rule to protect against suspicious packet pattern attacks (see Suspicious packet pattern attacks) in addition to network attacks, all configuration must be in the first term of the same rule.

    You can configure the following IDS rule options for protecting against network probing attacks and network flooding attacks:

    • match-direction (input | input-output | output)—Specify whether the IDS rule is applied to input traffic, output traffic, or both.

    • aggregation—Specify a prefix length for source or destination packets for IPv4 or IPv6. This applies session limits to an aggregation of all attacks from within a subnet of the specified length. For example, if you configure a value of 24 for source-prefix, then attacks from 10.1.1.2 and 10.1.1.3 are counted as attacks from the 10.1.1/24 subnet. However, if a single host on a subnet generates a large number of network probing or flooding attacks, the flows for the entire subnet might be stopped. For IPv4, use a value from 1 through 32; for IPv6, use a value from 1 through 128.

    • maximum number—Specify the maximum number of concurrent sessions allowed for a destination or source address or subnet. You can configure this value for specific protocols for the destination or source or for the destination or source independent of a protocol.

    • packets number—Specify the maximum packets per second allowed for a destination or source address or subnet. You can configure this value for specific protocols for the destination or source or for the destination or source independent of a protocol. For TCP sessions, we recommend that you do not configure packets, or configure a very high value.

    • rate number—Specify the maximum number of connections per second allowed for a specific destination or source address or subnet. You can configure this value for specific protocols for the destination or source or for the destination or source independent of a protocol.

    Configure the maximum number, packets number, or rate number at the following hierarchies:

    • Configure the value for the destination, independent of the protocol, at the [edit services ids rule rule-name term term-name then session-limit by-destination] hierarchy level. This value overrides the value for a specific protocol.

    • Configure the value for the destination and for a specific protocol at the [edit services ids rule rule-name term term-name then session-limit by-destination by-protocol (tcp | udp | icmp)] hierarchy level.

    • Configure the value for the source, independent of the protocol, at the [edit services ids rule rule-name term term-name then session-limit by-source] hierarchy level. This value overrides the value for a specific protocol.

    • Configure the value for the source and for a specific protocol at the [edit services ids rule rule-name term term-name then session-limit by-source by-protocol (tcp | udp | icmp)] hierarchy level.

    If the service set is associated with an AMS interface, the limits you configure are applicable to each member interface.
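The aggregation and maximum options described above can be modeled in a few lines. This is an added example, not Juniper code: a simplified Python model of concurrent-session counting by source, where the function names and the sample sessions are constructed for illustration. It shows the caveat from the aggregation bullet, that one busy host can exhaust the limit for its whole subnet, and the rule that the protocol-independent value overrides a per-protocol value.

```python
import ipaddress
from collections import Counter


def aggregate_key(addr, prefix_len):
    """Return the subnet an address is counted under for the given prefix length."""
    ip = ipaddress.ip_address(addr)
    max_len = 32 if ip.version == 4 else 128   # ranges stated on the page
    if not 1 <= prefix_len <= max_len:
        raise ValueError(f"prefix length must be 1 through {max_len}")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def admit_sessions(sessions, source_prefix, maximum=None, by_protocol=None):
    """Decide, in arrival order, which concurrent sessions fit under the limit.

    sessions     : iterable of (source address, protocol) tuples
    source_prefix: aggregation prefix length applied to the source address
    maximum      : protocol-independent limit (models by-source maximum)
    by_protocol  : {"tcp": n, ...} (models by-source by-protocol maximum)
    The protocol-independent value, when set, overrides the per-protocol one.
    """
    by_protocol = by_protocol or {}
    counts = Counter()
    decisions = []
    for src, proto in sessions:
        subnet = aggregate_key(src, source_prefix)
        if maximum is not None:
            key, limit = (subnet, "any"), maximum
        elif proto in by_protocol:
            key, limit = (subnet, proto), by_protocol[proto]
        else:
            key, limit = None, None            # no limit configured for this traffic
        if key is None or counts[key] < limit:
            if key is not None:
                counts[key] += 1
            decisions.append((src, proto, str(subnet), "admit"))
        else:
            decisions.append((src, proto, str(subnet), "drop"))
    return decisions


def dropped_sources(decisions):
    """Source addresses whose sessions were refused."""
    return [src for src, _proto, _subnet, verdict in decisions if verdict == "drop"]


# Constructed sample: one host opens four sessions, then a neighbour in the
# same /24 and a host in a different /24 each open one.
SAMPLE_SESSIONS = [("10.1.1.2", "tcp")] * 4 + [("10.1.1.3", "tcp"), ("10.1.2.9", "tcp")]

if __name__ == "__main__":
    for prefix in (24, 32):
        result = admit_sessions(SAMPLE_SESSIONS, prefix, maximum=4)
        print(f"source-prefix {prefix}: dropped {dropped_sources(result)}")
```

With a prefix length of 24 the session from 10.1.1.3 is refused even though that host opened only one session; with 32 each host has its own budget.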

    Suspicious packet pattern attacks—Use the following hierarchy to configure an IDS rule to protect against suspicious packet pattern attacks. The IDS rule has no from statement, and we recommend that you also configure a stateful firewall rule to limit the packets that the IDS rule processes. Only the first IDS input rule and the first IDS output rule for a service set are used, and only the first term of an IDS rule is used. If you configure an IDS rule to protect against network probing attacks and network flooding attacks (see Network probing attacks and network flooding attacks) in addition to suspicious pattern attacks, all configuration must be in the first term of the same rule.

    You can configure the following IDS rule options for protecting against suspicious packet pattern attacks:

    • match-direction (input | input-output | output)—Specify whether the IDS rule is applied to input traffic, output traffic, or both.

    • allow-ip-options—Specify the type of IPv4 options that the packet can include. If the packet includes an option that is not configured, the packet is blocked. If the packet includes a configured option whose length is an illegal value, the packet is dropped. Specifying any allows all options.

    • allow-ipv6-extension-header—Specify the type of IPv6 extension headers that the packet can include. If the packet includes an extension header that is not configured, the packet is blocked. If the packet includes a configured extension header whose length is an illegal value, the packet is dropped. Specifying any allows all extension headers.

    • tcp-syn-defense—Use to close unestablished TCP connections when the open-timeout value at the [edit interfaces interface-name service-options] hierarchy level expires.

    • tcp-syn-fragment-check—Use to identify and drop TCP SYN packets that are IP fragments.

    • tcp-winnuke-check—Use to identify and drop TCP segments that are destined for port 139 and have the urgent (URG) flag set.

    • icmp-fragment-check—Use to identify and drop ICMP packets that are IP fragments.

    • icmp-large-packet-check—Use to identify and drop ICMP packets that are larger than 1024.

    • land-attack-check—Use to identify and drop SYN packets that have the same source and destination address or port.

    Header anomaly attacks—To protect against header anomaly attacks, use either of the following methods:

    • Configure a stateful firewall rule, a NAT rule, or an IDS rule and apply it to the service set. A header integrity check is automatically enabled.

    • If you do not apply a stateful firewall rule, NAT rule, or IDS rule to a service set, use the following hierarchy to configure a header integrity check:

    Header integrity checks now include:

    • ICMP ping of death

    • IP unknown protocol

    • TCP no flag

    • TCP SYN FIN

    • TCP FIN no ACK
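The packet conditions named in the suspicious packet pattern options and in the TCP header integrity checks can be written as predicates, which is useful when building test traffic or reading drop counters. This is an added example, not Juniper code: a Python model over constructed packet records, in which the Packet fields are hypothetical, the 1024 threshold is compared against a length field (the page gives no unit), and the land-attack condition is read literally as same address or same port. ICMP ping of death and IP unknown protocol are not modeled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; field names are hypothetical."""
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()
    is_fragment: bool = False
    length: int = 40


def _tcp(p):
    return p.proto == "tcp"


# Optional checks: applied only when the matching option is enabled.
PATTERN_CHECKS = {
    "tcp-syn-fragment-check": lambda p: _tcp(p) and "SYN" in p.flags and p.is_fragment,
    "tcp-winnuke-check": lambda p: _tcp(p) and p.dport == 139 and "URG" in p.flags,
    "icmp-fragment-check": lambda p: p.proto == "icmp" and p.is_fragment,
    "icmp-large-packet-check": lambda p: p.proto == "icmp" and p.length > 1024,
    "land-attack-check": lambda p: _tcp(p) and "SYN" in p.flags
    and (p.src == p.dst or p.sport == p.dport),
}

# Header integrity checks from the list above (TCP flag anomalies only).
HEADER_INTEGRITY = {
    "TCP no flag": lambda p: _tcp(p) and not p.flags,
    "TCP SYN FIN": lambda p: _tcp(p) and {"SYN", "FIN"} <= p.flags,
    "TCP FIN no ACK": lambda p: _tcp(p) and "FIN" in p.flags and "ACK" not in p.flags,
}


def inspect(packet, enabled_options=()):
    """Return the names of every check the packet violates.

    Header integrity checks always run; pattern checks run only when their
    option name is in enabled_options.
    """
    unknown = set(enabled_options) - set(PATTERN_CHECKS)
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    hits = [name for name, test in HEADER_INTEGRITY.items() if test(packet)]
    hits += [name for name, test in PATTERN_CHECKS.items()
             if name in enabled_options and test(packet)]
    return hits


ALL_OPTIONS = tuple(PATTERN_CHECKS)

# Constructed sample traffic using documentation address ranges.
SAMPLES = {
    "syn-fragment": Packet("tcp", "192.0.2.10", "198.51.100.5", 40000, 80,
                           frozenset({"SYN"}), is_fragment=True),
    "urg-to-139": Packet("tcp", "192.0.2.10", "198.51.100.5", 40001, 139,
                         frozenset({"URG", "ACK"})),
    "big-icmp": Packet("icmp", "192.0.2.10", "198.51.100.5", length=1500),
    "land": Packet("tcp", "198.51.100.5", "198.51.100.5", 40002, 80,
                   frozenset({"SYN"})),
    "syn-fin": Packet("tcp", "192.0.2.10", "198.51.100.5", 40003, 80,
                      frozenset({"SYN", "FIN"})),
    "normal-syn": Packet("tcp", "192.0.2.10", "198.51.100.5", 40004, 443,
                         frozenset({"SYN"})),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:12} -> {inspect(pkt, ALL_OPTIONS) or 'pass'}")
```

A packet can match more than one condition: the SYN FIN sample also matches FIN no ACK, so expect more than one counter to move for a single malformed packet.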

    If you want to skip IDS rule processing for some traffic, configure a stateful-firewall rule that matches the traffic, and configure skip-ids at the [edit services stateful-firewall rule rule-name term term-name then accept] hierarchy level.

    If the service set is associated with an AMS interface, and a NAT rule and an IDS rule are assigned to the service set, we recommend that you configure source-ip at the [edit interfaces interface-name load-balancing-options hash-keys ingress-key] hierarchy level.

    You can enable logging of IDS events at the [edit services service-set service-set-name syslog host hostname] hierarchy level. To log header-integrity and suspicious packet pattern packet drops, configure packet-logs. To log limit-based packet drops, configure ids-logs.

    The show services service-set statistics ids drops <interface interface-name> <service-set service-set-name> <terse> command displays counters for IDS violations on service sets. The interface interface-name option lists the counters for the service sets hosted on the specified service interface. The service-set service-set-name option lists counters for the specified service set. The terse option displays only the nonzero values.

  • Service redundancy daemon support for redundancy across multiple gateways (MX Series with MPC)—Starting in Junos OS Release 16.1R2, you can configure redundancy across multiple service gateways. The redundancy actions are based on the results of monitoring system events, including:

    • Interface and link down events

    • FPC and PIC reboots

    • Routing protocol daemon (rpd) aborts and restarts

    • Peer gateway events, including requests to acquire or release mastership, or to broadcast warnings

    [See Service Redundancy Daemon Overview.]

  • Traffic Load Balancer (MX Series with MS-MPCs or MS-MICs)—Starting in Junos OS Release 16.1R2, traffic load balancing is supported on MS-MPCs and on MS-MICs. The Traffic Load Balancer (TLB) application distributes traffic among multiple servers in a server group, and performs health checks to determine whether any servers should not receive traffic. TLB supports multiple VRFs.

    [See Traffic Load Balancer Overview.]

  • Support for IKE and IPsec on NAPT-44 and NAT64 (MX Series with MS-MPCs and MS-MICs)—Starting in Junos OS Release 16.1R2, you can enable the passing of IKE and IPsec packets through NAPT-44 and NAT64 filters between IPsec peers that are not NAT-T compliant by using the IKE-ESP-TUNNEL-MODE-NAT-ALG application-level gateway (ALG) on MS-MPCs and MS-MICs.

    Use the following hierarchy to enable IKE-ESP-TUNNEL-MODE-NAT-ALG:

  • Class-of-service (CoS) marking and reclassification for MS-MICs and MS-MPCs—Starting with Junos OS Release 16.1R2, MS-MICs and MS-MPCs support CoS configuration, which enables you to configure Differentiated Services code point (DSCP) marking and forwarding-class assignment for packets transiting the MS-MIC or MS-MPC. You can configure the CoS service alongside the stateful firewall and NAT services, using a similar rule structure.

    [See Configuring CoS Rules.]

  • New options to stop creating sessions for TCP non-SYN packets (MX Series with MS-MPC or MS-DPC)—On routers with MS-MPC and MS-DPC and with stateful firewall configured, a session is created when a packet hits the service set and matches the stateful firewall rule even if the packet is a non-SYN packet. However, in certain scenarios, a session must not be created if the first packet is a non-SYN packet even if it matches the stateful firewall rule.

    To ensure that a session is not created, include either the tcp-non-syn drop-flow or the tcp-non-syn drop-flow-send-rst statement at the [edit services service-set service-set-name service-set-options] hierarchy level. If either of the two options is configured, and if the first packet is a TCP non-SYN packet, the packet is dropped and a drop flow is created. If the tcp-non-syn drop-flow-send-rst statement is configured, in addition to the creation of a drop flow, the originator of the non-SYN packet receives a reset frame.

  • CLI command parity for carrier-grade NAT and stateful firewall (MX Series with MS-MPC)—Starting in Junos OS Release 16.1R2, new operational commands and configuration options provide information previously available only when using the MS-DPC as the services PIC.

    • To display information equivalent to that provided by show services stateful-firewall flow-analysis for the MS-DPC, use show services sessions analysis for the MS-MPC.

    • To display information equivalent to that provided by show services stateful-firewall subscriber-analysis for the MS-DPC, use show services subscriber analysis for the MS-MPC.

    • To drop sessions after a certain session setup rate is reached, include the new CLI option max-session-creation-rate at the [edit services service-set service-set-name] hierarchy level.

  • Enhancements to stateful synchronization (MS-MIC, MS-MPC)—Starting in Junos OS Release 16.1R2, stateful synchronization for long-running flows is available for MS-MPC services PICs. These enhancements include:

    • Automatic replication of NAT flows for all service sets: NAT44 flows are automatically synchronized for all eligible service sets. You can selectively disable replication for individual service sets by including the disable-replication-capability statement at the [edit services service-set service-set-name replicate-services] hierarchy level.

    • Checkpointing of IPv4 and IPv6 stateful firewall flows and NAPT-44 with address pooling paired (APP). To configure the timeout for checkpointing, include the replication-threshold seconds statement at the [edit interfaces interface-name redundancy-options] hierarchy level.

    [See Configuring Inter-Chassis Stateful Synchronization for Long Lived Flows (MS-MPC, MS-MIC).]

Subscriber Management and Services

Note

Although present in the code, the subscriber management features are not supported in Junos OS Release 16.1R2. Documentation for subscriber management features is included in the Junos OS Release 16.1 documentation set.

  • Support for username stripping per routing instance (MX Series)—Starting in Junos OS Release 16.1R2, you can configure a subscriber access profile so that a portion of each subscriber login string is discarded and the remaining characters are used as a modified username by an external AAA server for session authentication and accounting. The modified username appears in RADIUS Access-Request, Acct-Start, and Acct-Stop messages; RADIUS-initiated disconnect requests; and change of authorization (CoA) requests. This username stripping configuration replaces a domain map configuration, but can be overridden by a AAA server.

    Use the following statements at the [edit access profile profile-name session-options strip-user-name] hierarchy level to configure username stripping:

    • delimiter delimiter—Specify up to eight characters that the router uses to determine the boundary between the new modified username and the part of the original username that is discarded. There is no default delimiter.

    • parse-direction (left-to-right | right-to-left)—Specify the direction in which the login string is examined until one of the configured delimiters is identified; left-to-right is the default. The delimiter and all characters to the right of the delimiter are discarded.

    For example, consider a login string of drgt21@example.com$84 with the delimiters configured to be /@$%#. If the parse direction is left-to-right, the @ delimiter is reached first and the modified username is drgt21. If the parse direction is right-to-left, then the $ delimiter is reached first and the modified username is drgt21@example.com.
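The delimiter and parse-direction behavior can be checked offline before changing an access profile. This is an added example, not Juniper code: a Python model of the stripping rule as described above, with hypothetical function names and constructed login strings. Returning the login string unchanged when no delimiter is present is an assumption, since the text does not state that case. The second function groups login strings that collapse to the same modified username, which is worth knowing before the stripped name is used for authentication and accounting.

```python
from collections import defaultdict

DIRECTIONS = ("left-to-right", "right-to-left")


def strip_user_name(login, delimiters, parse_direction="left-to-right"):
    """Model of username stripping: find the first configured delimiter in the
    parse direction, then discard it and everything to its right."""
    if not 1 <= len(delimiters) <= 8:
        raise ValueError("configure between one and eight delimiter characters")
    if parse_direction not in DIRECTIONS:
        raise ValueError(f"parse_direction must be one of {DIRECTIONS}")
    positions = [i for i, ch in enumerate(login) if ch in delimiters]
    if not positions:
        return login                      # assumption: nothing to strip
    # left-to-right stops at the leftmost delimiter, right-to-left at the rightmost
    cut = positions[0] if parse_direction == "left-to-right" else positions[-1]
    return login[:cut]


def collisions(logins, delimiters, parse_direction="left-to-right"):
    """Map each modified username to the distinct login strings that produce it,
    keeping only usernames shared by more than one login string."""
    groups = defaultdict(list)
    for login in logins:
        stripped = strip_user_name(login, delimiters, parse_direction)
        if login not in groups[stripped]:
            groups[stripped].append(login)
    return {name: members for name, members in groups.items() if len(members) > 1}


# The login string and delimiters from the example above, plus constructed
# login strings that differ only in the part that is discarded.
PAGE_LOGIN = "drgt21@example.com$84"
PAGE_DELIMITERS = "/@$%#"
CONSTRUCTED_LOGINS = [
    "drgt21@example.com$84",
    "drgt21@example.net$17",
    "kmw07@example.com$84",
]

if __name__ == "__main__":
    for direction in DIRECTIONS:
        print(direction, "->", strip_user_name(PAGE_LOGIN, PAGE_DELIMITERS, direction))
        print("  shared usernames:", collisions(CONSTRUCTED_LOGINS, PAGE_DELIMITERS, direction))
```

With left-to-right parsing the two drgt21 login strings become the same username at the AAA server; with right-to-left parsing they stay distinct.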

    Best Practice

    We recommend that you do not configure username stripping either when multiple user authentications are needed or when a global domain map is configured for the same subscribers covered by the AAA options configuration.

    The show network-access aaa subscribers session-id id-number detail command displays the modified username in the Session Authentication Username field. The clear network-access aaa subscriber username username command requires you to specify the original, unstripped username (login string). The output of the show subscribers command displays the unstripped username, and when you issue the show subscribers user-name username command, you must specify the unstripped username.

  • AAA option sets to authorize and configure subscribers per routing instance to support username stripping (MX Series)—Starting in Junos OS Release 16.1R2, you can include one or more of the following statements at the new [edit access aaa-options aaa-options-name] hierarchy level to define a set of AAA options for a subscriber or set of subscribers that username stripping is applied to:

    • access-profile profile-name—Specify the name of the access profile that includes the username stripping configuration.

    • aaa-context aaa-context-name—Specify the logical-system:routing-instance that the subscriber session uses for AAA (RADIUS) interactions like authenticating and accounting.

    • subscriber-context subscriber-context-name—Specify the logical-system:routing-instance in which the subscriber interface is placed.

    Note

    Only the default (master) logical system is supported.

    Use the aaa-options aaa-options-name statement at the [edit dynamic-profiles profile-name interfaces pp0 unit $junos-interface-unit ppp-options] hierarchy level to apply the attributes to PPP subscribers tunneled from the LAC to the LNS inline service interface.

    Alternatively, use the aaa-options aaa-options-name statement at the [edit access group-profile profile-name ppp-options] hierarchy level to apply the attributes to PPP subscribers tunneled from LACs that are members of the user group.

    Usernames are examined and modified according to the subscriber and AAA contexts specified in the option set. In the event of a conflict between option sets configured in both a group profile and a dynamic profile, the dynamic profile takes precedence.

Release 16.1R1 New and Changed Features

Hardware

  • New Routing Engine RE-S-X6-64G (MX240, MX480, and MX960)—Starting in Junos OS Release 16.1, the Routing Engine RE-S-X6-64G is supported on MX240, MX480, and MX960 routers. This Routing Engine has an increased computing capability and scalability to support the rapid rise in the data plane capacity. The Routing Engine is based on a modular, virtualized architecture and leverages the hardware-assisted virtualization capabilities.

    The Routing Engine has a 64-bit CPU and supports a 64-bit kernel and 64-bit applications. With its multicore capabilities, the Routing Engine supports symmetric multiprocessing in the Junos OS kernel and hosted applications.

    Note

    The Routing Engine RE-S-X6-64G is supported only on SCBE2, and it is not compatible with the SCB or the SCBE.

  • New MPC variants that support higher scale and bandwidth (MX Series)—Starting with Junos OS Release 16.1, MPC7E (Multi-Rate), MPC7E 10G, MPC8E, and MPC9E are supported on MX Series routers. Table 3 lists the platforms that support these MPCs.

    Table 3: Supported Platforms

    MPC                   Supported Platforms
    MPC7E (Multi-Rate)    MX240, MX480, MX960, MX2010, and MX2020
    MPC7E 10G             MX240, MX480, MX960, MX2010, and MX2020
    MPC8E                 MX2010 and MX2020
    MPC9E                 MX2010 and MX2020

    See MIC/MPC Compatibility for supported MICs on these MPCs.

    Note

    MPC7E (Multi-Rate) MPC is also supported in Junos OS Release 15.1F4. MPC7E 10G, MPC8E, and MPC9E MPCs are also supported in Junos OS Release 15.1F5. To use these MPCs in these releases, you must install Junos Continuity software. See Junos Continuity Software for more details.

Authentication, Authorization, and Accounting

  • Logging out idle root users from C shell or CLI console session (MX Series)—Starting with Junos OS Release 16.1, idle users (including root users) are logged out of their C shell or CLI console session after the expiry of the configured maximum idle timeout period.

Class of Service (CoS)

  • Support for suppressing the default classifier (MX Series)—Beginning with Junos OS Release 16.1R1, you can disable the application of the default classifier on an interface or a routing instance to preserve the incoming classifier. This is done by applying the no-default option at the [edit class-of-service routing-instances routing-instance-name classifiers] hierarchy level. This is useful, for example, in a bridge domain, where the default classifier for the interface overrides the configured classifier for the domain.

    [See Applying Behavior Aggregate Classifiers to Logical Interfaces.]

  • Support for queuing features on built-in ports to provide customized traffic shaping services (MX80, MX104)—Starting with Junos OS Release 16.1, support for hierarchical class-of-service (HCoS) features such as per-unit scheduling and hierarchical scheduling is extended to the built-in (fixed) ports on MX80 and MX104 routers. The MX104 has four built-in ports: xe-2/0/0, xe-2/0/1, xe-2/0/2, and xe-2/0/3. The MX80 also has four built-in ports: xe-0/0/0, xe-0/0/1, xe-0/0/2, and xe-0/0/3. You can enable scheduling and shaping on a logical interface and provide customized traffic shaping services for the logical interface, and this configuration is independent of any configuration on other logical interfaces on a given physical interface. You can configure per-unit scheduling by including the per-unit-scheduler statement at the [edit interfaces interface-name] hierarchy level. To configure hierarchical scheduling, include the hierarchical-scheduler statement at the [edit interfaces interface-name] hierarchy level.

  • Timestamping of class-of-service (CoS) queues for a configured Flexible PIC Concentrator (MX Series)—Starting in Junos OS Release 16.1, you can configure the Packet Forwarding Engine to collect the timestamp for all inbound and outbound queue counters for all subscribers that are configured on the Flexible PIC Concentrator (FPC) and, when requested, also return statistics corresponding to data traffic on the router.

    To configure the timestamp for an FPC, include the packet-timestamp enable statement at the [edit chassis fpc slot-number traffic-manager] hierarchy level.

    [See Enabling a Timestamp for Ingress and Egress Queue Packets.]

  • Support for packet-marking schemes on a per-customer basis (MX Series)—Traditionally, packet marking in the Junos OS uses the forwarding class and loss priority determined from a BA classifier or multifield classifier. This approach does not allow rewrite rules to be directly assigned for each customer because of the limited number of combinations of forwarding class and loss priority.

    Beginning with Junos OS Release 16.1R1, a new packet-marking scheme, called policy map, enables you to define rewrite rules on a per-customer basis. Policy maps are defined at the [edit class-of-service policy-map] hierarchy level and can be assigned to a customer through a firewall action, an ingress interface, or a routing policy.

    [See Assigning Rewrite Rules on a Per-Customer Basis Using Policy Maps Overview.]

  • Enhanced ingress queuing support for built-in ports (MX80, MX104)—Starting with Junos OS Release 16.1, support for ingress queuing is extended to the built-in (fixed) ports on MX80 and MX104 routers. The MX104 has the following four built-in ports: xe-2/0/0, xe-2/0/1, xe-2/0/2, and xe-2/0/3. The MX80 also has four built-in ports: xe-0/0/0, xe-0/0/1, xe-0/0/2, and xe-0/0/3. In this release, for the MX80 and MX104, the maximum number of ports that can support ingress queuing is increased from 10 to 12. You can distribute the 12 ingress queuing ports among MIC ports and built-in ports. Therefore, you can select a combination of ports (including MIC ports and built-in ports) for ingress queuing. To enable ingress queuing, specify ingress-and-egress as the value of the mode statement at the [edit chassis fpc fpc-slot-number pic pic-slot-number traffic-manager] hierarchy level.

    Note

    The systemwide hierarchical queuing bandwidth remains the same and is shared by built-in ports and MIC ports. Enabling ingress queuing on built-in ports results in a Packet Forwarding Engine restart, and requires a two-step commit operation.

    In releases before Junos OS Release 16.1, ingress queuing is supported only on MIC ports and not on built-in ports, and the maximum number of ports that support ingress queuing is 10.

  • Hierarchical CoS support for GRE tunnel interface output queues (MX Series routers with MPC5E)—Starting with Junos OS Release 16.1R1, you can manage output queuing of traffic entering GRE tunnel interfaces hosted on MPC5E line cards in MX Series routers. Support for the output-traffic-control-profile configuration statement, which applies an output traffic scheduling and shaping profile to the interface, is extended to GRE tunnel physical and logical interfaces. Support for the output-traffic-control-profile-remaining configuration statement, which applies an output traffic scheduling and shaping profile for remaining traffic to the interface, is extended to GRE tunnel physical interfaces.

    Note

    Interface sets (sets of interfaces used to configure hierarchical CoS schedulers on supported Ethernet interfaces) are not supported on GRE tunnel interfaces.

EVPNs

  • Active-active multihoming support for EVPNs (MX Series with MPCs and MICs only)—Starting with Junos OS Release 15.1F6 and 16.1R1, the Ethernet VPN (EVPN) solution on MX Series routers with MPC and MIC interfaces is extended to provide multihoming functionality in the active-active redundancy mode of operation. This feature enables load balancing of Layer 2 unicast traffic across all the multihomed links on and toward a customer edge device.

    The EVPN active-active multihoming feature provides link-level and node-level redundancy along with effective utilization of resources.

    To enable EVPN active-active multihoming, include the all-active statement at the [edit interfaces esi] hierarchy level.

    [See EVPN Multihoming Overview, and Example: Configuring EVPN Active-Active Multihoming.]

  • Distribution of VXLAN VNIDs using EVPN (MX Series)—Starting in Release 16.2, Junos OS enables Ethernet VPN (EVPN) with Virtual Extensible LAN (VXLAN) encapsulation to provide Layer 2 connectivity for endpoints within a virtual network that Contrail virtualization software creates. Endpoints in this scheme include virtual machines (VMs) connected to a virtual server, and non-virtual bare-metal servers (BMSs) connected to a top-of-rack (ToR) platform. An MX Series router performs as a default gateway for non-virtual BMSs for the traffic among the endpoints that belong to different virtual networks.

    The virtual network uses two types of encapsulation:

    An MX Series router supports all-active L3 gateways for redundancy and load balancing to ensure failure protection for the default gateway.

General Routing

  • Support for fabric management on MPC7E-MRATE and MPC7E-10G MPCs (MX240, MX480, and MX960 routers)—Fabric management is implemented on MPC7E-MRATE and MPC7E-10G MPCs and is supported in Junos OS Release 16.1R1. The MX960 router supports a maximum of six fabric planes (two per MX-SCBE2), and the MX240 and MX480 routers support a maximum of eight fabric planes (four per MX-SCBE2).

    Note

    The MPC7E-MRATE and MPC7E-10G MPCs are supported only on MX-SCBE2.

    Note

    Fabric management is supported on the MPC7E-MRATE and MPC7E-10G MPCs in Junos OS Releases 15.1F4 and 15.1F5 with respective JAM packages, and in 15.1F6.

  • Support for virtualization on RE-S-X6-64G (MX240, MX480, MX960, MX2010, and MX2020)—The Routing Engine RE-S-X6-64G supports virtualization for the following platforms:

    • MX240, MX480, and MX960—Junos OS Release 15.1F3, 16.1R1, and later

    • MX2010 and MX2020—Junos OS Release 15.1F5, 16.1R2, and later

    Virtualization enables the router to support multiple instances of Junos OS and other operating systems on the same Routing Engine. However, for Junos OS Release 15.1F3, one instance of Junos OS, which runs as a guest operating system, is launched by default. The user needs to log in to this instance for operations and management. For more information, see Routing Engines with VM Host Support.

    With virtualization of the Routing Engine, Junos OS supports new request and show commands associated with host and hypervisor processes. The commands are related to:

    • Reboot, halt, and power management for the host

    • Software upgrade for the host

    • Disk snapshot for the host

High Availability and Resiliency

  • Support for unified in-service software upgrade (MX Series)—Starting in Release 16.1, Junos OS extends support for unified in-service software upgrade (unified ISSU) for the following MICs:

    • Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (MIC-3D-4COC3-1COC12-CE)

    • Channelized E1/T1 Circuit Emulation MIC (MIC-3D-16CHE1-T1-CE)

    • SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP (MIC-3D-4OC3OC12-1OC48)

    • SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP (MIC-3D-8OC3OC12-4OC48)

    Unified ISSU is a process to upgrade the system software with minimal disruption of transit traffic and no disruption of the control plane. You can use unified ISSU only to upgrade to a later version of the system software. When unified ISSU completes, the new system software state is identical to that of the system software when the system upgrade is performed through a cold boot.

  • Support for unified in-service software upgrade on MX Series routers with MPC5E and MPC6E (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Release 15.1F2 and 16.1R1, Junos OS supports unified in-service software upgrade (unified ISSU) on MX Series routers with MPC5E (MPC5E-40G10G, MPC5E-100G10G), MPC5EQ (MPC5EQ-40G10G, MPC5EQ-100G10G), and MPC6E (MX2K-MPC6E). Also, in this release, Junos OS extends support for unified ISSU on the following MICs that are supported on MPC6E:

    • 10-Gigabit Ethernet MIC with SFP+ (24 Ports)

    • 10-Gigabit Ethernet OTN MIC with SFP+ (24 Ports) (non-OTN mode only)

    • 100-Gigabit Ethernet MIC with CFP2 (non-OTN mode only)

    • 100-Gigabit Ethernet MIC with CXP (4 Ports)

    Unified ISSU is a process to upgrade the system software with minimal disruption of transit traffic and no disruption of the control plane. You can use unified ISSU only to upgrade to a later version of the system software. When unified ISSU completes, the new system software state is identical to that of the system software when the system upgrade is performed through a cold boot.

  • Configure BFD over LAG using AE interface addresses (MX Series)—Beginning with Junos OS Release 16.1, you can configure BFD over child links of an AE or LAG bundle using AE interface addresses also, thereby conserving routable IP addresses. In earlier Junos releases, you could configure BFD over LAG using loopback addresses only. To configure BFD over LAG using AE interface addresses or loopback addresses, include the bfd-liveness-detection statement at the [edit interfaces aex aggregated-ether-options bfd-liveness-detection] hierarchy level. Disable duplicate address detection before configuring this feature for the IPv6 address family.

    [See Understanding Independent Micro BFD Sessions for LAG.]

Interfaces and Chassis

  • Maximum generation rate for ICMP and ICMPv6 messages is configurable (MX Series)—Starting in Junos OS Release 16.1, you can configure the maximum rate at which ICMP and ICMPv6 messages that are not ttl-expired are generated by using the icmp rate limit and icmp6 rate limit configuration statements at the [edit chassis] hierarchy level.

  • Clock synchronization feature support on non-Ethernet MICs—Starting in Release 16.1R1, Junos OS extends clock synchronization support for the MIC-3D-1OC192-XFP on the MX104 router. This feature enables the selection of the best timing source based upon the Synchronization Status Message (SSM).

  • Support for GPS external clock interface on the MX2020 Control Board (MX2020)—Starting with Junos OS Release 16.1, you can configure the external clock interface on the MX2020 Control Board to select the global positioning system (GPS) clock source as an input clock source to the centralized timing circuit. You can also configure the external clock interface to select either the chassis clock source or a recovered line clock source with GPS timing signals of 1 MHz, 5 MHz, or 10 MHz with 1 pulse per second (PPS) as the output clock source.

  • Support for inline Two-Way Active Measurement Protocol (TWAMP) server on MPC5E (MX240, MX480, MX960, MX2010, and MX2020)—You can now configure an inline TWAMP server as part of the inline services (si-) interface processing for MPC5E interfaces. TWAMP is an open protocol for measuring network performance between any two devices that support TWAMP. To configure the TWAMP server, specify the logical interface on the service PIC that provides the TWAMP service by including the twamp-server statement at the [edit interfaces si-fpc/pic/port unit logical-unit-number family inet] hierarchy level. You can also specify the TWAMP server properties by including the server statement at the [edit services rpm twamp] hierarchy level.

  • Support for higher MTU size on MX Series MPCs—Starting in Junos OS Release 16.1R1, the maximum transmission unit (MTU) size for a media or protocol is increased from 9192 to 9500 for Ethernet interfaces on the following MX Series MPCs:

    • MPC1

    • MPC2

    • MPC2E

    • MPC3E

    • MPC4E

    • MPC5E

    • MPC6E

    See https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/mtu-edit-interfaces-ni.html

  • Support to monitor physical Ethernet (10G, 40G, and 100G) links, detect link degradation, and trigger fast-reroute to minimize packet loss (MX Series Routers with MPC3, MPCE, and MPC4E)—Starting with Junos OS Release 16.1R1, you can monitor physical link degradation (indicated by bit error rate [BER] levels) and take corrective actions when BER levels drop in the range of 10⁻¹³ to 10⁻⁵.

    Layer 2 and Layer 3 protocols support the monitoring of a physical link degrade and so does the Ethernet link through the Link Fault System (LFS). However, for both of these monitoring mechanisms, the BER range of 10⁻¹³ to 10⁻⁵ is very low. Due to its low BER level, the physical link degrade goes undetected, causing disruption and packet loss on an Ethernet link.

    The following new configurations have been introduced at the [edit interfaces interface-name] hierarchy level to support this feature in Junos OS:

    • To monitor physical link degrade on Ethernet interfaces, configure the link-degrade-monitor statement.

    • To configure the BER threshold value at which the corrective action should be triggered or cleared from an interface, use the link-degrade-monitor thresholds (setvalue | clearvalue) statement. The value is the BER threshold value in scientific notation. You can configure this value in the 1E-n format, where 1 is the mantissa (remains constant) and n is the exponent. For example, a threshold value of 1E-3 refers to the BER threshold value of 1 × 10⁻³.

      The supported exponent range is 1 through 16 and the default value is

    • To configure the link degrade interval value, use the link-degrade-monitor thresholds interval value statement. The configured interval value determines the number of consecutive link degrade events that are considered before taking any corrective action. The supported value range for the interval is 1 through 256, and the default interval is 10.

    • To configure link degrade warning thresholds, use the link-degrade-monitor thresholds (warning-set value | warning-clear value) statement. The value is again specified in the 1E-n format and the supported value range for n is 1 through 16. With this configuration, every time the BER threshold value is reached, a system message is logged to indicate that a link degrade has occurred (warning-set) or the link degrade has been cleared (warning-clear) on an interface.

    • To configure the link degrade action that is taken on reaching the configured BER threshold levels, use the link-degrade action media-based statement. A media-based action brings down the physical interface at the local end of the interface, and stops BER monitoring on the interface (though link fail is active at the local end and the recovery fail is active on the remote end of the degraded link) until an autorecovery mechanism is triggered.

    • To configure the link degrade recovery options, use the link-degrade recovery (auto interval value | manual) statement. The recovery mechanism triggers the recovery of a degraded link.

      auto recovery is used with the media-based action when there are no Layer 2 or Layer 3 protocols configured on the interface. With the auto recovery option, you must configure the interval in seconds, after which the system triggers the auto recovery mechanism on a degraded link. The default interval is 1800 seconds.

      The manual recovery option is configured with media-based action configuration when Layer 2 and Layer 3 protocols are configured on an interface. To trigger manual recovery, use the request interface link-degrade-recovery interface-name statement.

  • Support for ITU-T Y.1731 ETH-LM, ETH-SLM, and ETH-DM on aggregated Ethernet interfaces (MX Series routers with MPCs)—Starting in Junos OS Release 16.1, you can configure ITU-T Y.1731 standard-compliant Ethernet loss measurement (ETH-LM), Ethernet synthetic loss measurement (ETH-SLM), and Ethernet delay measurement (ETH-DM) capabilities on aggregated Ethernet (AE) interfaces. These performance monitoring functionalities are supported on MX Series routers with MPCs, where the same level of support for the Ethernet services OAM mechanisms as the level of support on non-aggregated Ethernet interfaces is available on AE interfaces. ETH-DM is supported on MPC3E and MPC4E modules with only software timestamping. ETH-SLM is supported on MPC3E and MPC4E modules.

  • Optical transceiver support for MX104 —Starting with Release 16.1R1, Junos OS extends support for the following optical transceivers on MX104 routers:

    • SFP-1FE-FX-Manufactured by Fiberxon—Supports Gigabit Ethernet MIC with SFP (MIC-3D-20GE-SFP), Gigabit Ethernet MIC with SFP (E) (MIC-3D-20GE-SFP-E), and Gigabit Ethernet with SFP (EH) (MIC-3D-20GE-SFP-EH)

    • SFP-1FE-FX-Manufactured by Avago—Supports Gigabit Ethernet MIC with SFP (E) (MIC-3D-20GE-SFP-E) and Gigabit Ethernet with SFP (EH) (MIC-3D-20GE-SFP-EH), but does not support Gigabit Ethernet MIC with SFP (MIC-3D-20GE-SFP)

    • SFP-1GE-FE-E-T

    • SFP-1GE-LH

    • SFP-1GE-LX

    • SFP-1GE-SX-ET

    • SFP-GE10KT13R14

    • SFP-GE10KT14R13

    • SFP-GE40KM

    • SFP-GE40KT13R15

    • SFP-GE40KT15R13

    • SFP-GE80KCW1470-ET

    • SFP-GE80KCW1550-ET

    • SFP-GE80KCW1610-ET

    • SFP-T-ET

    • SFP-LX-ET

    • SFPP-10GE-ER

    • SFPP-10GE-ZR

  • Increased tunnel bandwidth for inline tunnel services (MX240, MX480, MX960, MX2010, and MX2020 routers)—Starting with Junos OS Release 16.1R1, the tunnel bandwidth is increased for MPC7E-10G, MPC7E-MRATE, MX2K-MPC8E, and MX2K-MPC9E. The maximum bandwidth per tunnel is 120 Gbps for MPC7E-10G, MPC7E-MRATE, and MX2K-MPC8E, and 200 Gbps for MX2K-MPC9E. The bandwidth command for tunnel services is enhanced to configure the tunnel bandwidth from 1 Gbps through 400 Gbps, with increments of 1 Gbps.

  • Support for Ethernet OAM on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020 routers)— Starting in Release 16.1R1, Junos OS extends MPLS support for MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E.

  • Support for Ethernet OAM on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020 routers)— Starting in Release 16.1R1, Junos OS extends Ethernet OAM support for MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E.

  • Support for scaling on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020 routers)—Starting in Junos OS Release 16.1R1, MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E are supported on MX Series routers. These MPCs support scaling and performance values that are equivalent to the scaling and performance values supported by MPCs such as MPC6E, MPC5E, MPC2E-3D-NG/NG-Q, and MPC2E-3D-NG/NG-Q.

  • Support for hyper mode feature on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020)—The hyper mode feature is supported on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E. The hyper mode feature enhances the performance and throughput of a router by increasing the data packet processing rate and optimizes the lifetime of a data packet.

    To configure the hyper mode feature, use the hyper-mode statement at the [edit forwarding-options] hierarchy level.

  • Support for flexible queuing on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020)—The flexible queuing feature is supported on non-hierarchical quality-of-service (non-HQoS) MPCs MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E. By default, the non-HQoS MPCs do not support flexible queuing. You can enable flexible queuing on these MPCs by including the flexible-queuing-mode statement at the [edit chassis fpc] hierarchy level. When flexible queuing is enabled, non-HQoS MPCs support a limited queuing capability of 32,000 queues per slot, including ingress and egress.

  • Configuration support to improve convergence (MX Series)—Starting with Junos OS Release 16.1R1, you can configure multichassis link aggregation (MC-LAG) interfaces to improve Layer 2 and Layer 3 convergence time to subsecond values when a multichassis aggregated Ethernet link goes down or comes up in a bridge domain.

    To use this feature, ensure that the interchassis link (ICL) is configured on an aggregated Ethernet interface. For Layer 2 convergence, configure the enhanced-convergence statement at the [edit interfaces aeX aggregated-ether-options mc-ae] hierarchy level. For Layer 3, configure the enhanced-convergence statement at the [edit interfaces irb unit unit-number] hierarchy level for an integrated routing and bridging (IRB) interface.

    Note
    • If the enhanced-convergence feature is configured on a multichassis aggregated Ethernet interface of a bridge domain that has an IRB interface, the IRB interface must also be configured for the convergence feature.

    • All multichassis aggregated Ethernet interfaces that are part of a bridge domain must be configured for enhanced convergence in order to utilize this feature on any of them.

    • On enabling or disabling the enhanced convergence feature, all services get deleted and re-created.

    [See Configuring Active-Active Bridging and VRRP over IRB in Multichassis Link Aggregation on MX Series Routers, Configuring Multichassis Link Aggregation on MX Series Routers.]

  • LACP hold-up timer configuration support on LAG interfaces—Starting with Junos OS Release 16.1R1, you can configure a Link Aggregation Control Protocol (LACP) hold-up timer value for link aggregation group (LAG) interfaces.

    You configure the hold-up timer to prevent excessive flapping of a child (member) link of a LAG interface due to transport layer issues. With transport layer issues, it is possible for a link to be physically up and still cause LACP state-machine flapping. LACP state-machine flapping can adversely affect traffic on the LAG interface. To prevent this, a hold-up timer value is configured. LACP monitors the PDUs received on the child link for the configured time value, but does not allow the member link to transition from the expired or defaulted state to current state. This configuration thus prevents excessive flapping of the member link.

    To configure the LACP hold-up timer for LAG interfaces, use the hold-time up timer-value statement at the [edit interfaces ae aeX aggregated-ether-options lacp] hierarchy level.

  • Initialization delay timer feature support on LAG interfaces (MX Series)—Starting with Junos OS Release 16.1R1, you can configure an initialization delay timer value on link aggregation group (LAG) interfaces.

    When a standby multichassis aggregated Ethernet (MC-AE) interface reboots to come up in active-active MC-AE mode, the Link Aggregation Control Protocol (LACP) comes up faster than the Layer 3 protocols. As soon as LACP comes up, the interface is UP and starts receiving traffic from the neighboring interfaces. In the absence of routing information, the traffic received on the interface is dropped, causing traffic loss.

    The initialization delay timer, when configured, delays the MC-AE node from coming UP for a specified amount of time. This gives the Layer 3 protocols time to converge on the interface and prevents traffic loss.

    To configure the initialization delay timer on an MC-AE interface, use the init-delay-timer statement at the [edit interfaces ae-interface-name aggregated-ether-options mc-ae] hierarchy level.

  • Setting ARP cache limit to protect against DoS attacks (MX Series and T Series)—Starting in Junos OS Release 16.1R1, you can configure an Address Resolution Protocol (ARP) cache limit for resolved and unresolved IPv4 next-hop entries in the cache. By setting this limit, you restrict the maximum number of IPv4 next hops created and, as a result, protect the device from denial-of-service (DoS) attacks.

    You can configure the cache limit at the system level (using the arp-system-cache-limit statement) at the [edit system] hierarchy level or at the interface level (using the arp-max-cache statement) at the [edit interfaces interface-name unit interface-unit-number family inet] hierarchy level. To view the ARP cache statistics, run the show system statistics arp or show interfaces interface-name command.

    Note

    The ARP cache limit feature is enabled by default.

    [See Example: Configuring ARP Cache Protection, arp-new-hold-limit, arp-system-cache-limit, and arp-max-cache]

  • Synchronous Ethernet support on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Junos OS Release 16.1R1, Synchronous Ethernet with Ethernet Synchronization Message Channel is supported on MPC7E-MRATE, MPC7E-10G, MX2K-MPC8E, and MX2K-MPC9E.

  • Disabling fabric grant bypass mode for better performance (MX2010 and MX2020)—Fabric grant bypass mode is enabled, by default, for all MPCs on MX2010 and MX2020 routers. Disabling fabric grant bypass mode controls congestion and thus improves system behavior and performance on MX2010 and MX2020 routers. Starting with Junos OS Release 16.1, you can disable fabric grant bypass mode on MX2010 and MX2020 routers by including the disable-grant-bypass configuration statement at the [edit chassis fabric] hierarchy level.

    Note

    After disabling fabric grant bypass mode on the MX2010 and MX2020, you must reboot the router for the changes to take effect. MPC1 (MX-MPC1-3D), MPC2 (MX-MPC2-3D), and the 16-port 10-Gigabit Ethernet MPC (MPC-3D-16XGE-SFP) do not power on after you disable fabric grant bypass mode and reboot the router.

  • Support for asynchronous notification on MIC-8OC3OC12-4OC48-SFP and MIC-1OC192-HO-VC-XFP (MX240, MX480, MX960, MX2010, and MX2020 routers)—Starting in Junos OS Release 16.1R1, the asynchronous-notification command is supported at the [edit interfaces interface-name sonet-options] hierarchy level for the MICs MIC-8OC3OC12-4OC48-SFP and MIC-1OC192-HO-VC-XFP.

    In a network comprising SONET and Ethernet interfaces connected through a TCC circuit, if an interface goes down, you can use the asynchronous-notification command to disable the physical interface on the remote end, thereby notifying the loss of signal (LOS) and loss of connection.

  • Routing Engine failover detection (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Junos OS Release 16.1, you use the on-re-to-fpc-stale configuration statement at the [edit chassis redundancy failover] hierarchy level to instruct the backup Routing Engine to take the mastership if the em0 interface fails on the master Routing Engine.

  • Upgrading MPC8E bandwidth from 960 Gbps to 1600 Gbps (MX2010 and MX2020)—Starting in Junos OS Release 16.1R1, you can upgrade MPC8E to provide an increased bandwidth of 1600 Gbps (1.6 Tbps), by using an add-on license. After you purchase the license and perform the upgrade, MPC8E provides a bandwidth of 1.6 Tbps, which is equivalent to that of MPC9E. However, the MPC continues to be identified as MPC8E.

    Note

    After you upgrade MPC8E to provide a bandwidth of 1.6 Tbps, the power consumption by MPC8E increases and is equivalent to the power that MPC9E consumes.

    You upgrade the bandwidth by using the set chassis fpc slot bandwidth 1.6T command. You can disable this feature by using the delete chassis fpc slot bandwidth 1.6T command.

    [See MPC8E on MX Series Routers Overview.]

  • Configuration support for multiple up MEPs for interfaces belonging to a single VPLS service or a bridge domain (MX Series with MPC)—Starting with Junos OS Release 16.1R1, you can configure multiple up maintenance association endpoints (MEP) for a single combination of maintenance association ID and maintenance domain ID for interfaces belonging to a particular VPLS service or a bridge domain.

    To configure multiple up MEPs, specify the mep mep-id statement at the [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance-association ma-name] hierarchy level, when the MEP direction is configured as direction up.

  • Starting in Junos OS Release 16.1, the show pfe statistics traffic command now displays the following fabric statistics:

    • Fabric Input packets—Number and rate of incoming fabric packets

    • Fabric Output packets—Number and rate of outgoing fabric packets

    See show pfe statistics traffic.

  • Enhancement to ambient-temperature statement (MX Series)—Starting in Junos OS Release 16.1R1, the default ambient temperature is set at 40° C on MX480, MX960, MX2010, and MX2020 Universal Routing Platforms. You can override ambient temperature by setting the temperature at 55° C or 25° C.

    When a router restarts, the system adjusts the power allocation or the provisioned power for the line cards on the basis of the configured ambient temperature. If enough power is not available, a minor chassis alarm is raised. However, the chassis continues to run with the configured ambient temperature. You can configure a new higher ambient temperature only after you make more power available by adding new power supply modules or by taking a few line cards offline. By using the provisioned power that is saved by configuring a lower ambient temperature, you can bring more hardware components online.

  • Support for fabric black-hole detection and recovery in TX Matrix Plus routers—TX Matrix Plus routers can detect and recover from fabric faults that are not caused by hardware failure but might be a result of a fabric black-hole condition.

    To recover from a fabric black-hole condition, the routing matrix uses the following options:

    • SIB reboot

    • FPC reboot

    • Destination reprogramming

    • Related faults recovery

    You can disable the automatic recovery feature by using the auto-recovery-disable statement at the [edit chassis fabric degraded] hierarchy level. You can configure the FPCs to go offline when a traffic black-hole condition is detected in the routing matrix by using the fpc-offline-on-blackholing statement at the [edit chassis fabric degraded] hierarchy level.

    You can configure the FPCs to restart when a traffic black-hole condition is detected in the routing matrix by using the fpc-restart statement at the [edit chassis fabric degraded] hierarchy level.

    [See auto-recovery-disable and fpc-offline-on-blackholing.]
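For the ARP cache limit item earlier in this section, the following added example (not Juniper code) models why the interface-level limit matters alongside the system-level one. It assumes a simplified cache in which a new next-hop entry is refused once a limit is reached; the interface names, prefixes, and limit values are constructed for illustration.

```python
import ipaddress
from collections import Counter


class ArpCacheModel:
    """Simplified next-hop cache with a system-wide cap and optional
    per-interface caps (a model of the two limits, not Junos behaviour)."""

    def __init__(self, system_limit, interface_limits=None):
        self.system_limit = system_limit
        self.interface_limits = dict(interface_limits or {})
        self.entries = {}               # (interface, ip) -> "resolved" | "unresolved"
        self.per_interface = Counter()  # entries currently held per interface
        self.refused = Counter()        # entries refused per interface

    def request(self, interface, ip, resolved):
        """Try to create or update an entry; return True if it is in the cache."""
        key = (interface, str(ip))
        if key in self.entries:
            # Existing entry: only its state can change, no new next hop is created.
            if resolved:
                self.entries[key] = "resolved"
            return True
        limit = self.interface_limits.get(interface)
        if limit is not None and self.per_interface[interface] >= limit:
            self.refused[interface] += 1
            return False
        if len(self.entries) >= self.system_limit:
            self.refused[interface] += 1
            return False
        self.entries[key] = "resolved" if resolved else "unresolved"
        self.per_interface[interface] += 1
        return True


def run_scenario(system_limit, interface_limits=None):
    """Replay a constructed workload: many unresolved entries on one
    interface, followed by 50 ordinary hosts on another interface."""
    cache = ArpCacheModel(system_limit, interface_limits)

    # Constructed input: 4094 unresolved next hops requested on ge-0/0/0.
    for ip in ipaddress.ip_network("10.10.0.0/20").hosts():
        cache.request("ge-0/0/0", ip, resolved=False)

    # Constructed input: 50 hosts that resolve normally on ge-0/0/1.
    legit_served = 0
    hosts = list(ipaddress.ip_network("192.0.2.0/24").hosts())[:50]
    for ip in hosts:
        if cache.request("ge-0/0/1", ip, resolved=True):
            legit_served += 1

    return {
        "total": len(cache.entries),
        "per_interface": dict(cache.per_interface),
        "refused": dict(cache.refused),
        "legit_served": legit_served,
    }


if __name__ == "__main__":
    print("system limit only:      ", run_scenario(1000))
    print("plus interface limit 200:", run_scenario(1000, {"ge-0/0/0": 200}))
```

In this model the system-level limit alone bounds total memory but lets one interface consume the whole budget; the interface-level limit keeps room for entries on the other interfaces.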

IP Address Management

  • DHCPv6 relay agent supports multiple addresses or prefixes per DUID (MX Series)—Starting in Junos OS Release 16.1R1, DHCPv6 relay agent supports multiple address or network prefix leases assigned to a single DHCP Unique ID (DUID). Existing operational commands that display DHCPv6 relay bindings now display multiple addresses and network prefixes. When you are configuring DHCPv6 relay agent, if service accounting is required separately for each address or network prefix issued to a single subscriber, you must configure a separate address pool at the DHCPv6 server for each address or network prefix allocated.

    [See Using DHCPv6 Prefix Delegation Overview.]

IPv4

  • IPv4 address conservation method for hosting providers (MX Series)—Starting with Junos OS Release 14.2R4, Release 15.1R1, Release 16.1R1, and later releases, you can configure a static route on an integrated routing and bridging (IRB) interface with or without pinning to a specific underlying interface, thereby conserving the usage of IP address space.

    When a customer needs servers to be assigned within a block of IP addresses, several IP addresses are consumed. These include the network and broadcast IP addresses, the addresses for the router gateway that the servers are connected to, and the addresses of the individual servers. When this effect is multiplied across thousands of hosting providers, IP address space is underutilized.

    This issue can be resolved by configuring the router interface with an address from the reserved IPv4 prefix for shared address space (RFC 6598) and by using static routes pointed at that interface. Internet Assigned Numbers Authority (IANA) has recorded the allocation of an IPv4 /10 for use as shared address space. The shared address space address range is 100.64.0.0/10.

    This way, the router interface is allocated an IP address from the shared address space, so it is not consuming publicly routable address space, and connectivity is handled with static routes on the interface. The interface in the server is configured with a publicly routable address, but the router interfaces are not. Network and broadcast addresses are consumed out of the shared address space rather than the publicly routable address space.

Junos OS XML API and Scripting

  • Support for Python language for commit, event, op, and SNMP scripts (MX Series and T Series)—Starting in Junos OS Release 16.1, you can author commit, event, op, and SNMP scripts in Python on devices that include the Python extensions package in the software image. Creating automation scripts in Python enables you to take advantage of Python features and libraries as well as leverage Junos PyEZ APIs supported in Junos PyEZ Release 1.3.1 and earlier releases to perform operational and configuration tasks on devices running Junos OS. To enable execution of Python automation scripts, which the root user must own, configure the language python statement at the [edit system scripts] hierarchy level, and configure the filename for the Python script under the hierarchy level appropriate to that script type. Supported Python versions include Python 2.7.x.

    [See Understanding Python Automation Scripts for Devices Running Junos OS.]

Layer 2 Features

  • Support for MAC pinning to prevent loops (MX Series)—A MAC move occurs when a MAC address frequently appears on a different physical interface than the one it was learned on. Frequent MAC moves indicate the presence of loops in Layer 2 bridges and in VPLS networks. To avoid loops, you can enable the MAC pinning feature on an interface.

    Starting in Junos OS Release 16.1, support for MAC pinning is provided to prevent loops in Layer 2 bridges and in VPLS networks.

    When you enable MAC pinning on an interface in a bridge domain or VPLS domain, a MAC address learned over that interface cannot be relearned on any other interface in the same bridge domain or VPLS domain until the MAC address either ages out on the first interface or is cleared from the MAC table. If a packet with the same MAC address arrives at any other interface in the same bridge domain, then the packet is discarded. This action, effectively, controls MAC moves and prevents the creation of loops in Layer 2 bridges and VPLS domains.

    Note

    If you do not specify the timeout interval for the MAC addresses by configuring the mac-table-aging-time statement, the MAC addresses learned over the MAC pinning interface are pinned to the interface until the default timeout period expires.

  • Enhanced convergence time required for IRB ARP resolution (MX Series)—Starting with Junos OS Release 16.1, the convergence of IRB ARP resolution when the underlying L2 IFL association with the MAC changes due to link failure or MAC move improves when both enhanced-convergence and enhanced-ip chassis are configured. The show arp and show ipv6 neighbor commands do not display the underlying IFL information if the destination interface is IRB.

  • Support for Layer 2 port mirroring to a remote collector over a GRE Interface (MX Series)—Starting with Junos OS Release 16.1, Layer 2 port mirroring to a remote collector over a GRE interface is supported.
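The MAC pinning behavior described in this section, as an added Python model that is not Juniper code: a MAC learned on a pinned interface cannot be relearned elsewhere until it ages out or is cleared, and frames carrying it on other interfaces are discarded. The interface names, MAC addresses (documentation range), frame timings, and the 300-second aging time are constructed assumptions.

```python
from dataclasses import dataclass

HOST = "00:00:5e:00:53:01"   # constructed MAC from the documentation range
OTHER = "00:00:5e:00:53:02"

# Constructed trace: (time in seconds, source MAC, ingress interface).
# HOST really lives behind ge-0/0/1; a loop replays its frames on ge-0/0/2.
FRAMES = [
    (0, HOST, "ge-0/0/1"),
    (1, HOST, "ge-0/0/2"),
    (2, HOST, "ge-0/0/1"),
    (3, HOST, "ge-0/0/2"),
    (4, OTHER, "ge-0/0/2"),
    (400, HOST, "ge-0/0/2"),  # arrives after the pinned entry has aged out
]


@dataclass
class Entry:
    interface: str
    last_seen: float
    pinned: bool


class BridgeDomain:
    """MAC table for one bridge domain with optional pinned interfaces."""

    def __init__(self, pinned_interfaces=(), aging_time=300.0):
        self.pinned_interfaces = set(pinned_interfaces)
        self.aging_time = aging_time   # assumed value for this model
        self.table = {}                # mac -> Entry
        self.moves = 0
        self.discards = 0

    def _age_out(self, now):
        expired = [m for m, e in self.table.items()
                   if now - e.last_seen >= self.aging_time]
        for mac in expired:
            del self.table[mac]

    def clear(self, mac):
        """Operator clears the MAC from the table, releasing the pin."""
        self.table.pop(mac, None)

    def receive(self, src_mac, interface, now):
        """Process one frame's source MAC and return what the table did."""
        self._age_out(now)
        entry = self.table.get(src_mac)
        if entry is None:
            pinned = interface in self.pinned_interfaces
            self.table[src_mac] = Entry(interface, now, pinned)
            return "learned"
        if entry.interface == interface:
            entry.last_seen = now
            return "refreshed"
        if entry.pinned:
            # Pinned elsewhere: the frame is dropped and the entry is untouched.
            self.discards += 1
            return "discarded"
        pinned = interface in self.pinned_interfaces
        self.table[src_mac] = Entry(interface, now, pinned)
        self.moves += 1
        return "moved"


def replay(frames, pinned_interfaces=(), aging_time=300.0):
    """Run a trace through a fresh bridge domain; return (actions, domain)."""
    bd = BridgeDomain(pinned_interfaces, aging_time)
    actions = [bd.receive(mac, ifname, t) for t, mac, ifname in frames]
    return actions, bd


if __name__ == "__main__":
    for pins in ((), ("ge-0/0/1",)):
        actions, bd = replay(FRAMES, pins)
        print(f"pinned={pins}: {actions} moves={bd.moves} discards={bd.discards}")
```

Counting the "moved" and "discarded" results per MAC gives the same signal the text describes: repeated moves without pinning point to a loop, and with pinning the same frames show up as discards instead.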

Management

  • YANG module that defines CLI formatting for RPC output (MX Series and T Series)—Starting with Junos OS Release 16.1, Juniper Networks provides the junos-extension-odl YANG module. The module contains definitions for Junos OS Output Definition Language (ODL) statements, which determine the CLI formatting for RPC output when you execute the operational command corresponding to that RPC in the CLI or when you request the RPC output in text format. You can use statements in the junos-extension-odl module in custom RPCs to convert the XML output into a more logical and human-readable representation of the data. The junos-extension-odl module is bound to the namespace URI http://yang.juniper.net/yang/1.1/jodl and uses the prefix junos-odl.

    [See Understanding Junos OS YANG Extensions for Formatting RPC Output.]

  • YANG module that defines Junos OS operational commands (MX Series and T Series)—Starting with Junos OS Release 16.1, Juniper Networks provides the juniper-command YANG module, which represents the operational command hierarchy and collective group of modules that define the remote procedure calls (RPCs) for Junos OS operational mode commands. You can download Juniper Networks YANG modules from the website, or you can generate the modules by using the show system schema format yang module juniper-command operational command on the local device. The juniper-command module is bound to the namespace URI http://yang.juniper.net/yang/1.1/jrpc and uses the prefix jrpc.

    [See Understanding the Juniper Networks YANG Modules for Operational Commands.]

  • Support for adding non-native YANG modules to the Junos OS schema (MX Series and T Series)–Starting with Junos OS Release 16.1, you can load standard (IETF, OpenConfig) or custom YANG models on devices running Junos OS to add data models that are not natively supported by Junos OS but can be supported by translation. Doing this enables you to augment the configuration hierarchies with data models that are customized for your operations. The ability to add data models to a device is also beneficial when you want to create device- and vendor-agnostic configuration models that enable the same configuration to be used on different devices from one or more vendors. You can load YANG modules that add configuration hierarchies by using the request system yang add operational command.

    [See Understanding the Management of Non-Native YANG Modules on Devices Running Junos OS.]

  • Juniper Extension Toolkit for Junos (JET for Junos) provides a modern programmatic interface for developers of third-party applications—As of Junos OS Release 16.1, JET for Junos, an evolution of the Junos SDK, allows customers and partners to build and run applications either directly on Junos OS devices or off-box. These applications can interact with Junos OS native features. A framework is provided in the Python language for Python JET for Junos application developers. This framework allows your applications to run directly on Junos OS devices. JET for Junos is based on Apache Thrift; thus, it also supports multiple languages running off-box to interact with the same JET for Junos APIs. This gives developers true flexibility to adapt Junos OS devices to business processes.

    Developers can view JET guides at Juniper Extension Toolkit, Release 1.0. For the JET Applications Guide, see Understanding JET Interaction with Junos OS.

MPLS

  • Longest matching route for label mapping (MX Series)— Starting with Junos OS Release 16.1, LDP uses the longest match to learn the routes aggregated or summarized across OSPF areas or IS-IS levels in the interdomain.

  • Explicit notifications for pseudowire termination (MX Series)—Starting with Junos OS Release 16.1R1, MX Series routers can provide notifications on the service node when the access pseudowire goes down, and provide efficient termination capabilities when Layer 2 and Layer 3 segments are interconnected. This feature also provides termination of pseudowire into virtual routing and forwarding (VRF) and virtual private LAN service (VPLS) routing instances without pseudowire redundancy, which includes:

    • Termination of an access pseudowire into VRF.

    • Termination of an access pseudowire into a VPLS instance.

    [See Pseudowire Termination: Explicit Notifications for Pseudowire Down Status.]

  • Support for NIST Deterministic Random Bit Generator (DRBG) recommendations (MX Series)—Starting with Release 16.1, Junos OS supports NIST computer security standards recommended in Recommendation for Random Number Generation Using Deterministic Random Bit Generators, NIST Special Publication 800-90A; Recommendation for the Entropy Sources Used for Random Bit Generation, NIST DRAFT Special Publication 800-90B; and Recommendation for Random Bit Generator (RBG) Constructions, DRAFT NIST Special Publication 800-90C.

    Note

    Junos OS supports Recommendation for the Entropy Sources Used for Random Bit Generation, NIST DRAFT Special Publication 800-90B and Recommendation for Random Bit Generator (RBG) Constructions, DRAFT NIST Special Publication 800-90C only when the system is operating in Junos-FIPS mode.

  • BGP Prefix-Independent Convergence (PIC) Edge for RSVP (MX Series)—Starting with Junos OS Release 16.1, BGP PIC Edge for RSVP enables you to implement a solution where a protection path is calculated in advance to provide an alternative forwarding path in case of path failure.

    With BGP PIC Edge in an MPLS VPN network, IGP failure triggers a repair of the failing entries and causes the Packet Forwarding Engine to use the pre-populated protection path until global convergence has re-resolved the VPN routes. This feature helps to reduce the convergence time taken to repair the remote provider edge (PE) link failure, when compared to the traditional approach of re-resolving each prefix. The convergence time is no longer dependent on the number of prefixes.

    Earlier, this feature used LDP as the transport protocol, which is now extended to support BGP PIC Edge with RSVP as the transport protocol. When RSVP receives a tunnel down notification at the ingress PE router, it sends a notification to the Packet Forwarding Engine to start making use of the tunnel to the alternate egress PE router. The tunnel route to the alternate egress PE router is calculated and installed in advance.

    [See show rsvp version.]

  • Protection against incorrect label injection across ASBRs (MX Series)—Starting in Junos OS Release 16.1, you can use regular BGP export policies to control route advertisement to a VPN ASBR peer in a given routing instance. This is especially useful in the service provider context of Inter-AS VPN Option-B ASBRs because it prevents peer ASBRs in a neighboring AS from injecting a VPN label intended for a different peer-AS, or intra-AS PEs, into the common ASBR. The common ASBR only accepts MPLS packets from a peer ASBR that has explicitly advertised the label to the common ASBR.

    To support this new functionality, the statement forwarding-context is introduced at the [edit protocols bgp group] hierarchy level, and the instance type mpls-forwarding is introduced at the [edit routing-instances] hierarchy level.

  • Support for inet and inet6 families on pseudowire subscriber logical interface (MX Series)—Starting with Junos OS Release 16.1R1, inet and inet6 families are supported on the services side of an MPLS pseudowire subscriber as well as non-subscriber logical interfaces. You use family inet6 to assign an IPv6 address. You use family inet to assign an IPv4 address. A logical interface can be configured with both an IPv4 and IPv6 address.

    [See Pseudowire Subscriber Logical Interfaces Overview.]

  • Support for Inline IPFIX on pseudowire subscriber logical interface (MX Series)—Starting with Junos OS Release 16.1R1, Inline IPFIX is supported on the services side of an MPLS pseudowire subscriber logical interface. With Inline IPFIX you can configure active sampling to be performed on an inline data path without the need for a services Dense Port Concentrator (DPC). To enable this feature, define a sampling instance with specific properties. One Flexible PIC Concentrator (FPC) can support only one instance. For each instance, either services PIC-based sampling or inline sampling is supported per family. As a result, a particular instance can define PIC-based sampling for one family and inline sampling for a different family. Both IPv4 and IPv6 are supported for inline sampling.

  • RSVP scalability (MX Series and T Series)—Starting with Junos OS Release 16.1, RSVP Traffic Engineering (TE) protocol extensions for fast reroute (FRR) facility protection are introduced to allow greater scalability of LSPs and faster convergence times. RSVP-TE runs in enhanced FRR profile mode by default and includes FRR extensions as defined in RFC 2961. In mixed environments, where a subset of LSPs traverse nodes that do not include this feature, RSVP-TE behavior is unchanged—backward compatibility is fundamentally supported in the design.

  • Enhancements to MPLS RSVP-TE LSP (MX Series and T Series)—The Junos OS implementation of MPLS RSVP-TE is scaled to enhance the usability, visibility, configuration, and troubleshooting of label-switched paths (LSPs) in Junos OS Release 16.1 and later releases.

    These enhancements make the RSVP-TE configuration easier at scale by:

    • Ensuring LSP data-plane readiness during LSP resignaling (before traffic traverses the LSP) by using the RSVP-TE LSP self-ping mechanism.

    • Removing the current hard limit of 64K LSPs on an ingress router, and thereby enabling scaling to be constrained only by the total number of LSPs RSVP-TE signaling can sustain.

    • Preventing abrupt tearing down of LSPs by the ingress router because of delay in signaling the LSP at the transit routers.

    • Enabling flexible view of LSP data-sets to facilitate LSP characteristic data visualization.

  • Leaking MPLS routes to nondefault routing instances (MX Series with MPC/MIC interfaces)—Starting in Junos OS Release 16.1, you can use the import-labeled-routes statement to specify one or more nondefault routing instances where you want MPLS pseudowire labeled routes to be leaked from the mpls.0 path routing table in the master routing instance.

    This capability prevents traffic loss in an L2VPN/VPLS configuration where the remote PE router is learned from the IGP in a nondefault routing instance. Because ingress-labeled routes are installed only in the master mpls.0 table by default, no route is found in the routing-instance-name.mpls.0 table when L2VPN/VPLS traffic is received on the core-facing interface, and that traffic is dropped.

  • Subnet-match authentication for LDP sessions (MX Series)—Starting in Junos OS Release 16.1R1, support for Hashed Message Authentication Code (HMAC) and MD5 authentication for LDP sessions is extended from a per-session configuration to a subnet-match (that is, longest-prefix-match) configuration.

    This feature provides flexibility in configuring authentication for automatically targeted LDP (TLDP) sessions, making the deployment of remote loop-free alternate (LFA) and FEC 129 pseudowires easy.

    To enable this feature, configure the session-group option at the [edit protocols ldp] hierarchy level, and then enable the required authentication for the configured session group.

    [See Configuring the TCP MD5 Signature for LDP Sessions.]

  • Support for Ethernet circuit cross-connect (CCC) encapsulation on pseudowire subscriber logical interface (MX Series)—Starting with Junos OS Release 15.1R3 and 16.1R1 and later releases, CCC encapsulation is supported on the transport side of an MPLS pseudowire subscriber logical interface. This feature helps in migrating or deploying seamless MPLS architectures in access networks. Customers deploying either business edge or broadband residential edge access networks use this feature to configure interfaces over the virtual Ethernet interface similar to what is already available on physical Ethernet interfaces.

    You can define only one transport logical interface per pseudowire subscriber logical interface. Although the unit number can be any valid value, we recommend that unit 0 represent the transport logical interface. Two types of pseudowire signaling are allowed: Layer 2 circuit and Layer 2 VPN.

    [See Pseudowire Subscriber Logical Interfaces Overview.]

  • Support for DDoS on pseudowire subscriber logical interface (MX Series)—Starting with Junos OS Release 15.1R3 and 16.1R1 and later releases, distributed denial-of-service (DDoS) protection is supported on the services side of an MPLS pseudowire subscriber logical interface. DDoS protection identifies and suppresses malicious control packets while enabling legitimate control traffic to be processed. This protection enables the device to continue functioning, even when attacked from multiple sources. Junos OS DDoS protection provides a single point of protection management that enables network administrators to customize a profile appropriate for the control traffic on their networks.

  • Support for Policer and Filter on pseudowire subscriber logical interface (MX Series)—Starting with Junos OS Release 15.1R3 and 16.1R1 and later releases, Policer and Filter are supported on the services side of an MPLS pseudowire subscriber logical interface. Policer defines a set of traffic rate limits and sets consequences for traffic that does not conform to the configured limits. Firewall filters restrict traffic destined for the Routing Engine based on its source, protocol, and application. Also, firewall filters limit the traffic rate of packets destined for the Routing Engine to protect against flood or denial-of-service (DoS) attacks.

  • Support for accurate transmit logical interface statistics on pseudowire subscriber logical interface (MX Series)—Starting with Junos OS Release 15.1R3 and 16.1R1 and later releases, accurate transmit statistics on logical interface are supported on the services side of an MPLS pseudowire subscriber logical interface. These statistics report actual transmit statistics instead of the offered load statistics given by the router for the pseudowire subscriber service logical interfaces.

    [See Pseudowire Subscriber Logical Interfaces Overview.]

  • Egress peer engineering of service labels (BGP, MPLS) and egress peer protection for BGP-LU (MX Series)—Beginning with Junos OS Release 14.2R4, you can enable traffic engineering of service traffic, such as MPLS LSP traffic between autonomous systems (ASs), using BGP-labeled unicast for optimum utilization of the advertised egress routes. You can specify one or more backup devices for the primary egress AS boundary router. Junos OS installs the backup path in addition to the primary path in the MPLS forwarding table, which enables MPLS fast reroute (FRR) when the primary link fails.

  • MPLS Encapsulated Payload load-balancing (MX Series)—Starting with Junos OS Release 16.1, you can configure the zero-control-word option to indicate the start of the Ethernet frame in an MPLS ether-pseudowire payload. On seeing this control word (four bytes with a numerical value of all zeros), the hash generator assumes the start of the Ethernet frame, continues to parse the packet from that point, and generates the hash. For DPC I-chip based cards, configure the zero-control-word option at the [edit forwarding-options hash-key family mpls ether-pseudowire] hierarchy level, and for MPC cards, configure the zero-control-word option at the [edit forwarding-options enhanced-hash-key family mpls ether-pseudowire] hierarchy level.

  • LDP native IPv6 support (MX Series)—Starting with Junos OS Release 16.1, LDP is supported in an IPv6 network only, and in an IPv6 or IPv4 dual-stack network. Configure the address family as inet for IPv4 or inet6 for IPv6. By default, IPv6 is used as the TCP transport for an LDP session with its peers when both IPv4 and IPv6 are enabled. The dual-transport statement allows Junos OS LDP to establish the TCP connection over IPv4 with IPv4 neighbors, and over IPv6 with IPv6 neighbors as a single-stack LSR. The inet-lsr-id and inet6-lsr-id are the two LSR IDs that have to be configured to establish an LDP session over IPv4 and IPv6 TCP transport. These two IDs should be non-zero and must be configured with different values.

  • MPLS-TP enhancements for on-demand connectivity verification (MX Series)—Starting with Junos OS Release 16.1, the transport profile (TP) of MPLS supports two additional channel types for the default LSPING channel type. These additional channel types provide on-demand connectivity verification (CV) with and without IP/UDP encapsulation.

    With this feature, the following channel types are supported in the MPLS-TP mode:

    • On-demand CV (0x0025)—This channel type is a new pseudowire channel type and is used for on-demand CV without IP/UDP encapsulation, where IP addressing is not available or non-IP encapsulation is preferred.

    • IPv4 (0x0021)—This channel type uses the IP/UDP encapsulation and provides interoperability support with other vendor devices using IP addressing.

    • LSPING (0x0008)—This is the default channel type for Junos OS, and the GACH-TLV is used along with this channel type.

    As per RFC 7026, GACH-TLV is deprecated for 0x0021 and 0x0025 channel types.

    To configure a channel type for MPLS-TP, include the lsping-channel-type channel-type statement at the [edit protocols mpls label-switched-path lsp-name oam mpls-tp-mode] and [edit protocols mpls oam mpls-tp-mode] hierarchy levels.
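The longest-prefix-match selection described above under "Subnet-match authentication for LDP sessions" can be audited offline before deployment. The following is an added sketch, not Juniper code: the group prefixes, peer addresses, the "md5"/"hmac" labels, and the strength ordering used to flag a weaker, more-specific group are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumption for this audit only: HMAC is treated as stronger than MD5.
STRENGTH = {"md5": 1, "hmac": 2}


@dataclass(frozen=True)
class SessionGroup:
    prefix: str  # constructed subnet standing in for a configured session group
    auth: str    # "md5" or "hmac" (labels are hypothetical, not Junos keywords)

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def covering_groups(peer, groups):
    """Return every session group whose subnet contains the peer address."""
    addr = ipaddress.ip_address(peer)
    return [g for g in groups if addr in g.network]


def select_group(peer, groups):
    """Longest-prefix match: the most specific covering group wins."""
    covering = covering_groups(peer, groups)
    return max(covering, key=lambda g: g.network.prefixlen, default=None)


def audit(peers, groups):
    """Map each peer to (selected auth, finding).

    Findings:
      "ok"         - the selected group is at least as strong as any covering group
      "no-match"   - no session group covers the peer, so subnet-match
                     authentication does not apply to that session
      "downgraded" - a more specific group with weaker authentication overrides
                     a broader group with stronger authentication
    """
    report = {}
    for peer in peers:
        chosen = select_group(peer, groups)
        if chosen is None:
            report[peer] = (None, "no-match")
            continue
        strongest = max(covering_groups(peer, groups), key=lambda g: STRENGTH[g.auth])
        if STRENGTH[chosen.auth] < STRENGTH[strongest.auth]:
            report[peer] = (chosen.auth, "downgraded")
        else:
            report[peer] = (chosen.auth, "ok")
    return report


# Constructed sample data.
GROUPS = [
    SessionGroup("10.0.0.0/8", "hmac"),
    SessionGroup("10.1.0.0/16", "md5"),
    SessionGroup("10.1.2.3/32", "hmac"),
]
PEERS = ["10.1.2.3", "10.1.9.9", "10.200.0.1", "192.0.2.7"]

if __name__ == "__main__":
    for peer, (auth, finding) in audit(PEERS, GROUPS).items():
        print(f"{peer:12} auth={auth} finding={finding}")
```

Peers reported as "no-match" are the automatically targeted sessions that would come up without the intended authentication; "downgraded" entries show where a narrow group silently overrides a broader, stronger one.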

Multicast

  • Improved multicast convergence and RPT-SPT support for BGP-MVPN (MX Series)—Starting with Junos OS Release 16.1, support for multicast forwarding-cache threshold is extended to rendezvous-point tree shortest-path tree (RPT-SPT) mode for BGP-MVPN. In addition, for both Rosen and next-generation MVPNs, PE routers across all sites should see the same set of multicast routes even if the configured forwarding-cache limit is exceeded.

    To configure a specific threshold for MVPN RPT, set one or both of the mvpn-rpt-suppress and mvpn-rpt-reuse statements at the [edit routing-instances name routing-options multicast forwarding-cache] or [edit logical system name routing-instances name routing-options multicast forwarding-cache] hierarchy level.

    In addition, the show multicast forwarding-cache statistics command provides information about both the general and RPT suppression states. Likewise, a list of suppressed customer-multicast states can be seen by running the show mvpn suppressed general | mvpn-rpt inet | inet6 instance name summary command.

  • Improved scaling for multicast OIFs (MX Series)—Starting with Junos OS Release 16.1, for both Rosen and NGEN-MVPN, improvements have been made to increase the number of possible outgoing interfaces (OIFs) used in virtual routing and forwarding (VRF). Changes have also been made to improve the efficiency of PIM Join/Prune message processing and to support the increased scaling.

    These changes are implemented by default and do not need to be explicitly enabled. The following operational commands support the increased scale:

    • show multicast next-hops terse

    • show multicast route oif-count

    • show multicast statistics interface

    • show pim join downstream-count

  • Fast-failover according to flow rate (MX Series with MPCs)—Starting in Junos OS Release 16.1, for routers operating in Enhanced IP Network Services mode, you can configure a threshold that triggers fast failover in NG MVPNs with hot-root standby on the basis of aggregate flow rate. For example, fast failover (as defined in Draft Morin L3VPN Fast Failover 05) is triggered if the flow rate of monitored multicast traffic from the provider tunnel drops below the set threshold.

  • SAFI 129 NLRI compliance with RFC 6514 (MX Series)—Starting in Junos OS Release 16.1, the Network Layer Reachability Information (NLRI) format used for BGP VPN multicast has changed. Now Junos OS uses Subsequent Address Family Identifier (SAFI) 129, as defined in RFC 6514, which is length, prefix. Previous releases of Junos OS use SAFI 128 (which is length, label, prefix).

  • Latency fairness optimized multicast (MX Series)—Starting with Junos OS Release 16.1R1, you can reduce latency in the multicast packet delivery by optimizing multicast packets sent to the Packet Forwarding Engines. You can achieve this by enabling the ingress or local-latency-fairness option in the multicast-replication configuration statement at the [edit forwarding-options] hierarchy level. The multicast-replication statement is supported only on platforms with the enhanced-ip mode enabled. This feature is not supported in VPLS networks and Layer 2 bridging.

Network Management and Monitoring

  • Support for RFC 4878 (MX Series and T Series)—Starting with Release 16.1, Junos OS supports IETF standard RFC 4878, Definitions and Managed Objects for Operations, Administration, and Maintenance (OAM) Functions on Ethernet-Like Interfaces.

    To enable generation of SNMP traps, dot3OamThresholdEvent and dot3OamNonThresholdEvent, you must configure the new dot3oam-events statement at the [edit snmp trap-groups <group-name> categories] hierarchy level.

    Note
    • Junos OS does not support the dot3oamFramesLostDueToOam object in the dot3OamStatsEntry table. In addition, Junos OS does not support the SNMP set operations for the OAM MIBs.

    • On an aggregated Ethernet (AE) bundle, if link fault management (LFM) is configured, you must perform SNMP operations individually for each interface in the AE bundle, because some OAM MIB tables are maintained only for member interfaces in the AE bundle.

  • SNMP support to monitor the total number of subscribers per PIC and per slot—Starting in Junos OS Release 16.1R1, you can monitor the total number of subscribers per PIC and per slot. The MIB tables jnxSubscriberPicCountTable and jnxSubscriberSlotCountTable are added to the Juniper Networks enterprise-specific Subscriber MIB to support this feature. In releases earlier than Junos OS Release 16.1, you need to use the show subscribers summary pic and show subscribers summary slot operational commands, respectively, to display the total number of subscribers per PIC and per slot.

  • SNMP support for the timing feature on MPC5E and MPC6E—Starting in Junos OS Release 16.1R1, SNMP supports the timing feature on MPC5E and MPC6E. Currently, SNMP support is limited to defect and event notifications through SNMP traps. The enterprise-specific MIB, Timing Feature Defect/Event Notification MIB, allows you to monitor the operation of PTP clocks within the network. The trap notifications are disabled by default. To enable trap notifications for timing events and defects, include the timing-event statement at the [edit snmp trap-group trap-group object categories] hierarchy level.

  • Support for Entity State MIBs (T Series)—Starting with Junos OS Release 16.1, support for IETF standard RFC 4268, Entity State MIB, is extended to the T Series. Junos OS provides only read-only support to Entity State MIB.

  • IPv6 support for traceroute with AS number lookup (MX Series and T Series)—Starting with Junos OS Release 16.1R1, IPv6 is supported for traceroute with the as-number-lookup option. Traceroute is an application used to display a list of routers between the device and a specified destination host. Traceroute also provides an option to look up the autonomous system (AS) number of each intermediate hop on the path from the host to the destination.

    [See traceroute.]

  • Support for the interface-set SNMP index (MX Series)—Starting with Release 16.1, Junos OS supports the interface-set SNMP index that provides information about interface-set queue statistics. The following interface-set SNMP index MIBs are introduced in the Juniper Networks enterprise-specific Class-of-Service MIB:

    • jnxCosIfTable in jnxCos MIB

    • jnxCosIfsetQstatTable in jnxCos MIB

  • SNMP support for fabric queue depth, WAN queue depth, and fabric counter (MX240, MX480, MX960, MX2010, and MX2020)—Starting with Release 16.1, Junos OS provides SNMP support for WAN queue depth, fabric queue depth, and fabric counter. The following SNMP MIB tables include the associated objects:

    • jnxCosQstatTable table

    • jnxCosIngressQstatTable table

    • jnxFabricMib table

    In addition, this feature supports the following traps for the Packet Forwarding Engine resource monitoring MIBs:

    • jnxPfeMemoryTrapVars

    • jnxPfeMemoryNotifications

  • New SNMP MIB object for RADIUS accounting subscribers (MX Series)—Starting with Release 16.1R1, Junos OS supports a new SNMP MIB object, jnxSubscriberAccountingTotalCount, in JUNIPER-SUBSCRIBER-MIB whose object identifier is {jnxSubscriberGeneral 7}. The jnxSubscriberAccountingTotalCount object provides information about the total number of subscribers that have RADIUS accounting enabled.

  • Support for Agent Capabilities MIB (MX Series)—Starting with Release 16.1, Junos OS introduces the Agent Capabilities MIB, which provides information about the implementation characteristics of an Agent subsystem in a network management system. The MIB provides you details of the MIB objects and tables that are supported by an Agent, the conformance and variance information associated with the managed objects in the Agent, and the access level of each object. Currently, the Agent Capability MIB is applicable only for the MPLS and multicast MIBs.

  • New indicators for the jnxLEDState MIB (MX5, MX10, MX40, MX80, MX104, and MX240 routers)—Starting with Release 16.1, Junos OS introduces the following six new indicators for the jnxLEDState MIB object in the jnxLEDEntry MIB table:

    • off—Offline, not running

    • blinkingGreen—Entering state of ok, good, normally working

    • blinkingYellow—Entering state of alarm, warning, marginally working

    • blinkingRed—Entering state of alert, failed, not working

    • blinkingBlue—Entering state of ok, online as an active primary

    • blinkingAmber—Entering state of offline, not running

  • Support for RFC 5132, IP Multicast MIB (MX Series and T Series)—Starting with Junos OS Release 16.1, Junos OS supports tables and objects defined in RFC 5132, IP Multicast MIB, except the ipMcastZoneTable table. RFC 5132, IP Multicast MIB, obsoletes RFC 2932, IPv4 Multicast Routing MIB.

Operation Administration and Management

  • Configuration support for multiple up MEPs for interfaces belonging to a single VPLS service or a bridge domain (MX Series with MPC)—Starting with Junos OS Release 16.1R1, you can configure multiple up maintenance association endpoints (MEP) for a single combination of maintenance association ID and maintenance domain ID for interfaces belonging to a particular VPLS service or a bridge domain.

    To configure multiple up MEPs, specify the mep mep-id statement at the [edit protocols oam ethernet connectivity-fault-management maintenance-domain domain-name maintenance association ma-name] hierarchy level when the MEP direction is configured as direction up.

  • Ethernet loss measurement counter support for each class in a multiclass environment—Junos OS supports Ethernet loss measurement (ETH-LM) for multiclass services. The ETH-LM feature is used by operators to collect frame loss counter values for ingress and egress service frames. Starting with Junos OS Release 16.1R1, the ETH-LM feature is extended to support the frame loss measurement counters for each class of packets in a multiclass environment. Counters for each class of packets are supported for point-to-point services only.

    Note

    ETH-LM is currently supported for VPWS services only.

    ETH-LM maintains counters based on the forwarding class and loss priority of a packet. The loss priority determines the color of a packet—for example, green indicates loss priority low for committed information rate (CIR) and yellow indicates loss priority medium-high for excess information rate (EIR). The color (green and yellow) counters are maintained for each class of packets. Based on the counters supported on an interface, you can configure accounting modes with color or without color for Ethernet loss measurement:

    • Forwarding class-based accounting with color—In this mode, traffic is serviced based on packet loss priority and forwarding class. Two counters—green and yellow—are maintained for each forwarding class on each service interface. In this mode, an OAM (operation, administration, and maintenance) packet collects counters based on the forwarding class.

      To configure this mode of loss measurement accounting, use the enable-multiclass-loss-measurement statement at the [set protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level for global configuration or at the [set protocols oam ethernet connectivity-fault-management performance-monitoring interface interface-name] hierarchy level for interface-level configuration.

    • Forwarding class-based accounting without color—In this mode, traffic is serviced based on the forwarding class only. Only one counter is maintained for each forwarding class in each service interface.

      To configure this mode of loss measurement accounting, use the enable-multiclass-loss-measurement and colorless-loss-measurement statements at the [set protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level for global configuration or at the [set protocols oam ethernet connectivity-fault-management performance-monitoring interface interface-name] hierarchy level for interface-level configuration.

    • Color-based accounting—In this mode, traffic is serviced based on the loss priority. Two counters—green and yellow—are maintained for each service interface. Color-based accounting is the default loss measurement mode and requires no configuration.

    • Code point-based accounting (without color)—In this mode, traffic is serviced based on the 802.1p priority bits. One counter is maintained for each code point (priority bit) on each service interface. If there are user virtual LAN or 802.1p rewrite rules configured, loss measurement accounting is done before applying the rewrite rules.

      To configure this mode, use the code-point-based-lm-accounting statement at the [set protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level for global configuration or at the [set protocols oam ethernet connectivity-fault-management performance-monitoring interface interface-name] hierarchy level for interface-level configuration.

      Note

      Code point-based accounting mode does not work if virtual LAN pop or push is configured on the interface. If pop or push is configured, the 802.1p bits are removed from the data packets. Therefore, in such cases, you can use forwarding class-based accounting if a one-to-one mapping exists between a forwarding class and the 802.1p bits value; otherwise, you can use the priority-based accounting mode.

    • Priority-based accounting—In this mode, four counters are maintained for each forwarding class for each interface, with each counter corresponding to either green or yellow colors. To configure this mode, use the priority-based-lm-accounting statement at the [set protocols oam ethernet connectivity-fault-management performance-monitoring] hierarchy level for global configuration or at the [set protocols oam ethernet connectivity-fault-management performance-monitoring interface interface-name] hierarchy level for interface-level configuration.

  • Support extended for IEEE 802.1ag Ethernet OAM (MX Series routers with MPC2E, MPC3E, MPC5E, and MPC6)—Support for the IEEE 802.1ag standard for Operation, Administration, and Maintenance (OAM) is now available on MX Series routers with MPC2E, MPC3E, MPC5E, and MPC6. The IEEE 802.1ag specification provides for Ethernet connectivity fault management (CFM), which monitors Ethernet networks that might comprise one or more service instances for network-compromising connectivity faults.

  • Support for MEF-36-compliant performance monitoring (MX Series)—Starting in Release 16.1R1, Junos OS supports performance monitoring that is compliant with Technical Specification MEF 36. You can enable MEF-36-compliant performance monitoring by configuring the measurement-interval statement at the [edit protocols oam ethernet cfm performance-monitoring] hierarchy level.

    Note

    When MEF-36-compliant performance monitoring is enabled, an SNMP get next request for a variable might not fetch the current value unless an SNMP walk is performed before performing the get next request. This limitation applies only to the current statistics for delay measurement, loss measurement, and synthetic loss measurement.

    When MEF-36-compliant performance monitoring is enabled:

    • The output for the field Current delay measurement statistics might display a measurement interval of 0 (zero) and an incorrect timestamp until the first cycle time has expired.

    • Supported data TLV size for performance monitoring protocol data units (PDUs) is 1386 bytes when MEF-36-compliant performance monitoring is enabled. The TLV size is 1400 bytes in legacy mode.

    • The maximum configurable value for the lower threshold bin is 4,294,967,294.

    • Frame loss ratio (FLR) is excluded in loss measurements during a period of unavailability for synthetic loss measurement only. In case of loss measurement, FLR is included even during a period of unavailability.

    • During a period of loss of continuity (adjacency down), although SOAM PDUs are not sent, FLR and availability calculations are not stopped. These calculations are performed with the assumption of 100% loss.

    • The number of SOAM PDUs that are sent during the first measurement interval might be less than expected. This is because of a delay in detecting the adjacency state at the performance monitoring session level.

    • The number of SOAM PDUs transmitted during a measurement interval for a cycle time of 100 ms might not be accurate. For example, in a measurement interval of two minutes with a cycle time of 100 ms, the SOAM PDUs transmitted might be in the range of 1198 to 2000.

Routing Policy and Firewall Filters

  • New load-balancing options using source or destination IP address only (MX Series)–Starting in Junos OS Release 16.1, new load-balancing options based solely on the source or destination IP address are available. Using only source IP or destination IP as the basis for generating load-balancing hashes helps service providers to ensure that both incoming and outgoing traffic through provider edge (PE) routers is sent toward the content server that maintains subscriber state for a given subscriber. These options are intended for use in deep packet inspection (DPI) networks with per-subscriber awareness and in environments that employ transparent caching.

  • Policer overhead adjustment at the interface level (MX Series)—Starting in Junos OS Release 16.1, policer-overhead adjustment for ingress and egress policers is defined at per-IFL, per-direction granularity to address MEF CE 2.0 requirements for the bandwidth profile. The policer-overhead adjustment is in the range of -16 bytes to +16 bytes. It is applied to all policers that take the L1/L2 packet length into account and that are exercised in the specified IFL/direction, including corresponding IFF feature policers, and is applied only to interface/filter-based policers.

    [See Configuring the Accounting of Policer Overhead in Interface Statistics.]

  • New packet-per-second (pps)-based policer for transit and control traffic (MX Series)–Starting in Junos OS Release 16.1, a new pps-based policer is available at the [edit firewall policer policer-name] hierarchy level. This new policer is configured using the if-exceeding-pps configuration statement. Compared to bandwidth-based policers, the pps-based policer is more effective at combating low-and-slow types of DDoS attacks. The pps-based policer can be applied in the same manner and the same locations as bandwidth-based policers, but it cannot be used as a percentage-based policer.

  • New route-filter-list and source-address-filter-list configuration statements (MX Series)–Starting in Junos OS Release 16.1, the new route-filter-list and source-address-filter-list statements provide an additional means of configuring route filters and source address filters. Now you can configure route-filter-list or source-address-filter-list at the [edit policy-options] hierarchy level for later use in a policy statement. The lists are used in the same contexts as the route-filter and source-address-filter statements. You can use the lists in multiple policy statements.

    [See Understanding Route Filter and Source Address Filter Lists for Use in Routing Policy Match Conditions.]

  • Priority for Route Prefixes in RPD Infrastructure (MX Series)—Starting in Junos OS Release 16.1, you can specify a priority of high or low through the existing import policy in protocols. Through priority, you can control the order in which the routes get updated from LDP/OSPF to RPD, and RPD to kernel. In the event of a topology change, high priority prefixes are updated in the routing table first, followed by low priority prefixes. Routes that are not explicitly assigned a priority are treated as medium priority.

    [See Example: Configuring the Priority for Route Prefixes in the rpd Infrastructure.]

  • New multifield ingress queuing classifier filter (MX Series with MPCs)–Starting in Junos OS Release 16.1, you can apply the ingress-queuing-filter filter-name statement at the [edit interfaces interface-name family family-name] hierarchy level for the following protocol families: bridge, cc, inet, inet6, mpls, and vpls. The ingress-queuing-filter statement allows you to set the forwarding class and loss priority for a packet prior to ingress queue selection by applying a previously configured firewall filter. Multiple fields within the packet header can be matched based on the configured protocol family within the firewall filter.

  • Support for logical queue-depth in the Packet Forwarding Engine for IP options packets for a given protocol (MX Series)— Starting with Junos OS Release 16.1R1, you can configure logical queue-depth in the Packet Forwarding Engine for IP options packets for a given protocol. The queue-depth indicates the number of IP options packets which can be enqueued in the Packet Forwarding Engine logical queue, beyond which it would start dropping the packets.
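The pps-based policer item above says that counting packets is more effective than counting bandwidth against some DDoS traffic. The following Python simulation is an added example, not Juniper code or Junos configuration: it runs two constructed packet streams through a token bucket that counts bytes and one that counts packets. All rates, bursts, and stream shapes are assumed values chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed policer settings (assumptions, not Junos defaults).
BW_LIMIT_BYTES = 1_250_000   # 10 Mbps expressed in bytes per second
BW_BURST_BYTES = 15_000      # bucket depth in bytes
PPS_LIMIT = 1_000            # packets per second
PPS_BURST = 200              # bucket depth in packets


@dataclass
class TokenBucket:
    """Single-rate token bucket: tokens refill at `rate` up to `burst`."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(default=0.0, init=False)

    def __post_init__(self):
        self.tokens = self.burst          # start with a full bucket

    def conforms(self, now, cost):
        # Refill for the elapsed time, capped at the bucket depth.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False                      # out of profile: policer would discard


def stream(pps, size, seconds):
    """Constructed traffic: evenly spaced packets as (timestamp, size_bytes)."""
    return [(i / pps, size) for i in range(int(pps * seconds))]


def dropped(packets, bucket, cost):
    """Count packets the bucket rejects; `cost` maps packet size to tokens."""
    return sum(0 if bucket.conforms(t, cost(size)) else 1 for t, size in packets)


def compare(packets):
    """Run the same stream through a byte-counting and a packet-counting policer."""
    bandwidth = TokenBucket(BW_LIMIT_BYTES, BW_BURST_BYTES)
    pps = TokenBucket(PPS_LIMIT, PPS_BURST)
    return {
        "bandwidth": dropped(packets, bandwidth, lambda size: size),  # cost = bytes
        "pps": dropped(packets, pps, lambda size: 1),                 # cost = 1 packet
    }


# 64-byte packets at 5000 pps: about 2.56 Mbps, well under the 10 Mbps limit.
SMALL_PACKET_STREAM = stream(pps=5000, size=64, seconds=2)
# 1500-byte packets at 500 pps: about 6 Mbps of ordinary bulk traffic.
BULK_STREAM = stream(pps=500, size=1500, seconds=2)

if __name__ == "__main__":
    print("small packets:", compare(SMALL_PACKET_STREAM))
    print("bulk transfer:", compare(BULK_STREAM))
```

The small-packet stream never exceeds the byte budget, so only the packet-counting bucket discards it, while the bulk stream conforms to both.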

Routing Protocols

  • BGP flow specification for IPv6 (MX Series)—Starting with Junos OS Release 16.1, this feature extends IPv6 support to the BGP flow specification and allows propagation of traffic flow specification rules for IPv6 and IPv6 VPN. The BGP flow specification automates coordination of traffic filtering rules in order to mitigate distributed denial-of-service attacks. In earlier Junos OS releases, flow-specific rules were propagated for IPv4 over BGP as network layer reachability information.

    To enable the BGP flow specification for IPv6, include the flow statement at the [edit routing-options] hierarchy level for global configuration or at the [edit routing-instances routing-instance-name routing-options] hierarchy level for instance-level configuration.

    [See flow-ipv6.]

  • Support for PTP over Ethernet (MX Series)—Starting in Junos OS Release 16.1R1, the Precision Time Protocol (PTP) is supported over IEEE 802.3 or Ethernet links on MX Series routers. This functionality is supported in compliance with the IEEE 1588-2008 specification.

    For the base station vendors that support only packet interfaces by using Ethernet encapsulation for PTP packets for time and phase synchronization, you can configure any node (an MX Series router) that is directly connected to the base station to use the Ethernet encapsulation method for PTP on a master port to support a packet-based timing capability.

    To configure Ethernet as the encapsulation type for transport of PTP packets on master or slave interfaces, use the transport 802.3 statement at the [edit protocols ptp slave interface interface-name multicast-mode] or [edit protocols ptp master interface interface-name multicast-mode] hierarchy level.

  • Maximum period for autogeneration of keepalives by the kernel using precision timer feature (MX Series)— Starting with Junos OS Release 16.1, precision timers in the kernel autogenerate keepalives on behalf of BGP after a switchover event from standby to master for a specified maximum period of time.

  • IS-IS Layer 2 mapping (MX Series and T Series)—Beginning with Junos OS Release 16.1, you can enable Layer 2 mapping of next-hop addresses using the IS-IS LAN and point-to-point Hellos that supply all relevant Layer 2 and Layer 3 binding address information for address resolution. The device at the receiving end can extract the information and populate the ARP or Neighbor Discovery table even before the installation of routes. Layer 2 mapping is a topology-driven rather than traffic-driven next-hop resolution that minimizes traffic loss while activating an Ethernet link.

    [See Layer 2 Mapping for IS-IS.]

  • IPv6 support for IS-IS BFD (MX Series and T Series)—Starting with Junos OS Release 16.1, you can configure IS-IS BFD sessions for IPv6. You can enable IS-IS BFD sessions by including the bfd-liveness-detection statement at the [edit protocols isis interface interface-name family inet|inet6] hierarchy level. Currently, IS-IS BFD configuration is available at the [edit protocols isis interface interface-name] hierarchy level. At present, BFD configuration is supported at both of these hierarchy levels.

    [See bfd-liveness-detection.]

  • IS-IS FRR route convergence (MX Series)—Starting with Junos OS Release 16.1R1, IS-IS fast reroute (FRR) route convergence enables you to restore sub-second service. Sub-second service restoration is a key requirement for service providers on MPLS and native IP-based networks.

    There are many ways to achieve fast reroute with suboptimal next hop to reach a destination, such as loop-free alternate (LFA) and remote loop-free alternate (RLFA). In these cases, IGP downloads the primary and backup next hops beforehand in the forwarding information base (FIB). The Packet Forwarding Engine does a local repair when the primary next hop loses its reachability to a given destination. Because the Packet Forwarding Engine already has an alternative path to reach its destination, sub-second restoration is possible. If the destination is reachable through equal-cost multipath (ECMP), only the primary path is downloaded to the FIB. When the bandwidth of the ECMP links is lower than the required bandwidth for a destination, fast convergence is not possible.

    The best ECMP links are grouped as a unilist of primary next hops to reach the destination. Suboptimal ECMP links are grouped as a unilist of backup next hops to reach the destination. If the bandwidth of the primary next hops falls below the desired bandwidth, the Packet Forwarding Engine does a local repair and traffic switches to the backup unilist next hops.

    [See IS-IS Fast Reroute Route Convergence Overview.]

  • Advertising IPv4 routes over BGP IPv6 sessions (MX Series and T Series)—Beginning with Junos OS Release 16.1, you can configure BGP to advertise IPv4 unicast reachability with IPv4 next hop over an IPv6 BGP session. In earlier Junos OS releases, BGP could advertise only inet6 unicast, inet6 multicast, and inet6 labeled unicast address families over BGP IPv6 sessions. This feature allows BGP to exchange all the BGP address families over an IPv6 BGP session.

    [See Advertising IPv4 Routes over IPv6 Overview.]

  • BGP route prefix prioritization (MX Series and T Series)–Starting in Junos OS Release 16.1, you can prioritize BGP route updates using output queues. The output queues are serviced using a token mechanism that allows you to assign routes to queues using policies. There is an expedited queue and 16 numbered queues that range in priority from lowest priority (1) to highest priority (16). The lowest priority queue (1) is designated as the default queue. Routes that are not explicitly assigned to a queue by automatic protocol determination or by user policy are placed in this queue.

  • Weighted ECMP support for one-hop IS-IS neighbors (MX Series)—Beginning with Junos OS Release 15.1F4, you can configure the IS-IS protocol to get the logical interface bandwidth information associated with the gateways of equal-cost multipath (ECMP) next hop. During per-packet load balancing, traffic distribution is based on the available bandwidth to facilitate optimal bandwidth usage for incoming traffic on an ECMP path of one hop distance. The Packet Forwarding Engine does not distribute the traffic equally, but considers the balance values and distributes the traffic according to the bandwidth availability. However, this feature is not available for ECMP paths that are more than one hop away.

    [See Weighted ECMP Traffic Distribution on One Hop IS-IS Neighbors Overview.]

  • Statements introduced to delay the DHCP-OFFER and DHCP-ADVERTISE for DHCPv4 and DHCPv6 server bindings—Starting in Junos OS 16.1R1, you can delay the DHCP-OFFER/DHCP-ADVERTISE sent to the subscribers. This feature is applicable only for DHCPv4 and DHCPv6 server bindings. You can configure the OFFER/ADVERTISE delay per ACI/ARI. You can configure the delay time between 1 and 30 seconds. If you don't configure any delay time, then the default value of 3 seconds will be used.

    To configure the DHCP-OFFER delay for DHCPv4 server bindings, use the delay-offer delay-time <time in seconds> statement at the [edit system services dhcp-local-server overrides] hierarchy level. The delay takes effect only if at least one of the options (option-60/option-70/option-82) is configured. To configure options, go to the [edit system services dhcp-local-server overrides based-on] hierarchy level.

    To configure the DHCP-ADVERTISE delay for DHCPv6 server bindings, use the delay-advertise delay-time <time in seconds> statement at the [edit system services dhcp-local-server dhcpv6 overrides] hierarchy level. The delay takes effect only if at least one of the options (option-15/option-16/option-17/option-37) is configured. To configure options, go to the [edit system services dhcp-local-server dhcpv6 overrides based-on] hierarchy level.

  • Support for BGP Optimal Route Reflection (BGP-ORR) (MX Series)—Starting with Junos OS Release 16.1R1, you can configure BGP-ORR with IS-IS as the interior gateway protocol (IGP) on a route reflector to advertise the best path to the BGP-ORR client groups by using the shortest IGP metric from a client's perspective, instead of the route reflector's view.

    To enable BGP-ORR, include the optimal-route-reflection statement at the [edit protocols bgp group group-name] hierarchy level.

    Client groups sharing the same or similar IGP topology can be grouped as one BGP peer group. You can configure optimal-route-reflection to enable BGP-ORR in that BGP peer group. You can also configure one of the client nodes as the primary node (igp-primary) in a BGP peer group so that the IGP metric from that primary node is used to select the best path and advertise it to the clients in the same BGP peer group. Optionally, you can also select another client node as the backup node (igp-backup), which is used when the primary node (igp-primary) goes down or is unreachable.

  • Flow-aware transport pseudowire for BGP L2VPN and BGP VPLS (MX Series)— Starting with Junos OS Release 16.1, the flow-aware transport (FAT) label that is supported for BGP-signaled pseudowires such as L2VPN and VPLS is configured only on the label edge routers (LERs). This causes the transit routers or label-switching routers (LSRs) to perform load balancing of MPLS packets across equal-cost multipath (ECMP) paths or link aggregation groups (LAGs) without the need for deep packet inspection of the payload. The FAT flow label can be used for LDP-signaled forwarding equivalence class (FEC 128 and FEC 129) pseudowires for VPWS and VPLS pseudowires.

  • Control word feature for LDP VPLS and FEC129 VPLS (MX Series)— Starting with Junos OS Release 16.1, the control word feature is supported for LDP VPLS and FEC129 VPLS.

  • Flow-aware transport pseudowire for BGP L2VPN and BGP VPLS (MX Series)—Starting with Junos OS Release 16.1R1, the flow-aware transport (FAT) label is supported for BGP-signaled pseudowires such as L2VPN and VPLS. Configuring flow-label-receive and flow-label-transmit on the label edge routers (LERs) enables the transit routers or label-switching routers (LSRs) to perform load balancing of MPLS packets across equal-cost multipath (ECMP) paths or link aggregation groups (LAGs) without the need for deep packet inspection of the payload.

Security

  • Support for IPv6 NDP DoS issue (MX Series)—Starting with Junos OS Release 16.1R1, you can address the IPv6 Neighbor Discovery Protocol (NDP) denial-of-service (DoS) issue at the Routing Engine.

    Unlike IPv4 subnets, IPv6 subnets have large address spaces, most of which remain unassigned. When a network scan tool or an attacker initiates traffic to nonexistent hosts through a router on a subnet that is directly connected to the router, the router attempts to perform address resolution on a large number of destinations. This condition can leave the router unable to resolve new neighbors, can make existing neighbors unreachable, and can result in a DoS attack.

    NDP inspection or protection addresses the NDP DoS issue by implementing the prioritization of NDP activities on the Routing Engine. At the ingress router, neighbor discovery (ND) packets are classified and handled according to a predefined priority with multiple ingress queues. On the egress path, neighbor solicitations (NS) sent for previously unseen hosts are handled with a lower priority by deferring the process of next-hop creation and sending out the packet.

    [See Supported IPv6 Standards.]

  • Support for mitigating potential DDoS issues with IPv6 NDP and resolve traffic (MX Series)—Starting with Junos OS Release 16.1R1, you can resolve potential distributed denial-of-service (DDoS) issues with the IPv6 Neighbor Discovery Protocol (NDP) and resolve traffic.

    The fundamental challenge of IPv6 NDP DDoS is the large address space of IPv6 that allows attackers to trigger a huge number of resolves that exhaust the router resources. The resolution mechanism and DDoS NDP policer help mitigate the problem to some extent.

    The functionality primarily extends the flow-detection CLI and optimizes the hostbound classification (HBC) filter to make packet-type searching faster. It also extends the NDP DDoS protocol group to classify the NDP types. Full Ethernet or IPv6 fields support is added by allowing destination addresses.

    [See Understanding Distributed Denial-of-Service Protection with IPv6 Neighbor Discovery Protocol.]

Services Applications

  • Data plane inline support for 6rd and 6to4 tunnels connecting IPv6 clients to IPv4 networks (MX Series with MPC5E and MPC6E)—Starting with Release 16.1R1, Junos OS supports inline 6rd and 6to4 on MPC5E and MPC6E line cards. In releases earlier than Junos OS Release 16.1R1, inline 6rd and 6to4 was supported on MPC3E line cards only.

  • Support for inline MPLS Junos Traffic Vision with IPFIX and v9 (MX Series)—Starting in Junos OS Release 15.1F2 and 16.1R1, support of the MX Series routers for the inline Junos Traffic Vision feature is extended to the MPLS family (MPLS and MPLS-IPv4 templates) consisting of the IP Flow Information Export (IPFIX) protocol and flow monitoring version 9 (v9). In previous releases, the inline Junos Traffic Vision feature was supported only for IPv4, IPv6, and VPLS families. In this release, the inline Junos Traffic Vision feature is extended to MPC5E and MPC6E for the VPLS address family.

  • Support for inline video monitoring on MPC2E-NG, MPC3E-NG, MPC5E, and MPC6E (MX Series routers)—Starting in Junos OS Release 16.1, support for video monitoring using media delivery indexing (MDI) criteria is expanded to include the MPC2E-NG, MPC3E-NG, MPC5E, and MPC6E.

    [See Inline Video Monitoring Overview.]

  • Support for RFC 2544-based benchmarking tests (MX Series)—Junos OS Release 16.1 extends support for the reflector function and the corresponding RFC 2544-based benchmarking tests on MX Series routers with MPC1 (MX-MPC1-3D), MPC2 (MX-MPC2-3D), and the 16-port 10-Gigabit Ethernet MPC (MPC-3D-16XGE-SFP). The RFC 2544 tests are performed to measure and demonstrate the service-level agreement (SLA) parameters before activation of the service. The tests measure throughput, latency, frame loss rate, and back-to-back frames.

    RFC 2544-based benchmarking tests on MX Series routers support the following reflection functions:

    • Ethernet pseudowire reflection (ingress and egress direction) (ELINE service—supported for family ccc)

    • Layer 2 reflection (egress direction) (ELAN service—supported for family bridge, vpls)

    • Layer 3 IPv4 reflection (limited support)

    To run the benchmarking tests on the MX Series routers, you must configure reflection (Layer 2 or pseudowire) on the supported MPC. To configure the reflector function on the MPC, use the chassis fpc fpc-slot-no slamon-services rfc2544 statement at the [edit] hierarchy level.

  • Support for RPM probes with IPv6 sources and destinations (MX Series routers with MPCs)—Starting in Junos OS Release 16.1, the RPM client router (the router or switch that originates the RPM probes) can send probe packets to the RPM probe server (the device that receives the RPM probes) that contains an IPv6 address. To specify the destination IPv6 address used for the probes, include the target (url ipv6-url | address ipv6-address) statement at the [edit services rpm probe owner test test-name] hierarchy level. You can also define the RPM client or the source that sends RPM probes to contain an IPv6 address. To specify the IPv6 protocol-related settings and the source IPv6 address of the client from which the RPM probes are sent, include the inet6-options source-address ipv6-address statement at the [edit services rpm probe owner test test-name] hierarchy level.

  • Provide egress VLAN ID and flow direction information in sampling records (MX Series)—Starting in Junos OS Release 16.1R1, Junos OS can include flow direction and egress VLAN ID information in the output records when you perform inline sampling on IPv4 or IPv6 traffic by using the IPFIX or version 9 templates. You can optionally include VLAN IDs in both the ingress and egress directions in the flow key.

    [See Configuring Flow Aggregation to Use Version 9 Flow Templates and Configuring Flow Aggregation to Use IPFIX Flow Templates.]

  • Support for inline MPLS Junos Traffic Vision with IPFIX and v9 (MX Series)—Starting in Junos OS Release 16.1, support for the inline Junos Traffic Vision feature on MX Series routers is extended to the MPLS family (MPLS and MPLS-IPv4 templates), consisting of the IP Flow Information Export (IPFIX) protocol and flow monitoring version 9 (v9). In previous releases, the inline Junos Traffic Vision feature was supported only for IPv4, IPv6, and VPLS families.

    The inline Junos Traffic Vision feature is extended to the MPC5E and MPC6E for VPLS address family. Also, Inline Junos Traffic Vision support using version 9 templates is extended to the VPLS family.

  • Note

    This feature is documented but not supported in Junos OS Release 16.1R1.

    Subscriber-aware and application-aware traffic treatment (MX Series with MS-MPC)—Although present in the code, the subscriber-aware and application-aware traffic treatment features are not supported in Junos OS Release 16.1R1. Subscriber-aware and application-aware traffic treatment identifies the mobile or fixed-line subscriber and enforces traffic treatment based on policies assigned to the subscriber. A subscriber policy can be based on Layer 7 application information for the IP flow (for example, YouTube) or can be based on Layer 3/Layer 4 information for the IP flow (for example, the source and destination IP address). Subscriber policy actions can include:

    • Redirecting HTTP traffic to another URL or IP address

    • Forwarding packets to a routing instance so that packets are directed to external service chains (predefined sequence of services)

    • Setting the forwarding class

    • Setting the maximum bit rate

    • Performing HTTP header enrichment

    • Setting the gating status to blocked or allowed

  • Exclude interfaces support in flowspec (rpd-infra) (MX Series)—Starting in Release 15.1, Junos OS excludes applying the flowspec filter to traffic received on specific interfaces. A new term is added at the beginning of the flowspec filter that accepts any packet received on these specific interfaces. The new term is a variable that creates an exclusion list of terms attached to the forwarding table filter as a part of the flow specification filter.

    To exclude the flowspec filter from being applied to traffic received on specific interfaces, you must first configure a group-id on such interfaces by including the family inet filter group group-id statement at the [edit interfaces] hierarchy level and then attach the flowspec filter with the interface group by including the flow interface-group group-id exclude statement at the [edit routing-options] hierarchy level. You can configure only one group-id per routing instance with the set routing-options flow interface-group group-id statement.

    [See Understanding BGP Flow Routes for Traffic Filtering.]

Software Installation and Upgrade

  • Validate system software against running configuration on remote host—Beginning with Junos OS Release 16.1R1, you can use the on (host host <username username> | routing-engine routing-engine) option with the request system software validate package-name command to verify candidate system software against the running configuration on the specified remote host or Routing Engine.

  • Validate system software add against running configuration on remote host or routing engine—Beginning with Junos OS Release 16.1R1, you can use the validate-on-host hostname and validate-on-routing-engine routing-engine options with the request system software add package-name command to verify a candidate software bundle against the running configuration on the specified remote host or Routing Engine.

    [See request system software add.]

  • Unified ISSU support for upgrading from FreeBSD 6.1-based Junos OS to FreeBSD 10.x-based Junos OS (MX Series)—Starting with Junos OS Release 16.1R1, you can upgrade from a FreeBSD 6.1-based Junos OS MX Series router to a FreeBSD 10.x-based Junos OS MX Series router by performing a unified in-service software upgrade (ISSU). A unified ISSU enables you to upgrade between two different Junos OS releases with minimal disruption on the control plane and with minimal disruption of traffic.

    Before performing a unified ISSU from a FreeBSD 6.1-based Junos OS to an upgraded FreeBSD 10.x-based Junos OS, the configuration must be validated on a remote host or on a Routing Engine. The remote host or the Routing Engine must be running a Junos OS with an upgraded FreeBSD.

    [See Example: Performing a Unified ISSU and Upgrading Junos OS with Upgraded FreeBSD.]

  • New way to provision new routers automatically (MX Series)—As of Junos OS Release 16.1, zero touch provisioning (ZTP) allows you to provision new routers in your network automatically either by executing a script file or by loading a configuration file. In either case, the information is detected in a file on the Dynamic Host Configuration Protocol (DHCP) server. In releases earlier than Junos OS Release 16.1, automatically provisioning a new device was available only for switches.

    [See Configuring Zero Touch Provisioning.]

  • Limited encryption Junos image (“Junos Limited”) created for customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia (MX80, MX104, MX240, MX480, MX960, MX2010, MX2020)—Starting in Junos OS Release 16.1R1, customers in the Eurasian Customs Union (currently composed of Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia) should use the “Junos Limited” image for MX240, MX480, MX960, MX2010, and MX2020 routers instead of the “Junos Worldwide” image. The “Junos Limited” image does not have data-plane encryption and is intended only for countries in the Eurasian Customs Union because these countries have import restrictions on software containing data plane encryption. Unlike the “Junos Worldwide” image, the “Junos Limited” image supports control plane encryption through Secure Shell (SSH) and Secure Sockets Layer (SSL), thus allowing secure management of the system.

    Note

    The limited encryption Junos image (“Junos Limited”) is to be used by customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia. Customers in all other countries should use the “Junos” image, which was introduced in 15.1R1 to replace the “Junos Domestic” image.

  • Limited encryption Junos image (“Junos Limited”) created for customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia (MX80 and MX104)—Starting in Junos OS Release 16.1R1, customers in the Eurasian Customs Union (currently composed of Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia) should use the “Junos Limited” image for MX80 and MX104 routers instead of the “Junos Worldwide” image. The “Junos Limited” image does not have data-plane encryption and is intended only for countries in the Eurasian Customs Union because these countries have import restrictions on software containing data plane encryption. Unlike the “Junos Worldwide” image, the “Junos Limited” image supports control plane encryption through Secure Shell (SSH) and Secure Sockets Layer (SSL), thus allowing secure management of the system.

    Note

    The limited encryption Junos image (“Junos Limited”) is to be used by customers in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia.

Software Defined Networking

  • Support of Internet draft draft-ietf-pce-stateful-pce-07 for the stateful PCC implementation (MX Series and T Series)—The partial client-side implementation of the stateful Path Computation Element (PCE) architecture is currently based on version 2 of Internet draft draft-ietf-pce-stateful-pce. Starting with Junos OS Release 16.1, this implementation is upgraded to support version 7, as defined in Internet draft draft-ietf-pce-stateful-pce-07.

    Releases prior to 16.1 support the older version of the PCE draft, causing interoperability issues between a Path Computation Client (PCC) running a previous release and a stateful PCE server that adheres to Internet draft draft-ietf-pce-stateful-pce-07.

    [See Support of the Path Computation Element Protocol for RSVP-TE Overview.]

  • Support for PCEP-based reporting of point-to-multipoint LSPs (MX Series and T Series)—A stateful Path Computation Element (PCE) provides external path computation of traffic engineered (TE) label-switched paths (LSPs) for a Path Computation Client (PCC) in an MPLS network. After a PCEP session is established between a PCE and a PCC, the PCC reports all the LSPs in the system to the PCE for LSP state synchronization. Currently, this includes PCC-controlled, PCE-delegated, and PCE-initiated point-to-point RSVP-TE LSPs. Starting with Junos OS Release 15.1F6 and 16.1R1, this capability of a PCC is extended to report point-to-multipoint RSVP-TE LSPs as well.

    By default, a PCC does not support reporting of point-to-multipoint LSPs to a PCE. To add this capability, include the p2mp-lsp-report-capability statement at the [edit protocols pcep pce pce-name] or [edit protocols pcep pce-group group-id] hierarchy levels.

    A PCC configured with the capability of reporting point-to-multipoint LSPs to a PCE enables the PCE to have greater visibility of individual per-LSP, per-device bandwidth demands in the MPLS network.

    [See Support of Path Computation Element Protocol for RSVP-TE Overview and Example: Configuring Path Computation Element Protocol with Support for PCE Controlled Point-to-Multipoint RSVP-TE LSPs.]

  • Support for securing PCEP sessions using MD5 authentication (MX Series and T Series)—Starting with Junos OS Release 16.1, you can secure a Path Computation Element Protocol (PCEP) session using TCP-MD5 authentication as per RFC 5440. To enable the MD5 security mechanism for a PCEP session, it is recommended that you define and bind the MD5 authentication key at the [edit protocols pcep pce pce-id] hierarchy level for a PCEP session. You can, however, also use a predefined keychain from the [edit security authentication-key-chains key-chain] hierarchy level to secure a PCEP session. In this case, you should bind the predefined keychain into the PCEP session at the [edit protocols pcep pce pce-id] hierarchy level.

    The following configuration is executed on the Path Computation Client (PCC) to establish a secure PCEP session with a Path Computation Element (PCE):

    • Using MD5 authentication key:

    • Using predefined authentication keychain:

    For secure PCEP sessions to be established successfully, the MD5 authentication should be configured with the pre-shared authentication key on both the PCE and the PCC. The PCE and PCC use the same key to verify the authenticity of each segment sent on the TCP connection of the PCEP session.

    This feature protects the communication between a PCE and PCC over a PCEP session, which might otherwise be subject to an attack that can disrupt network services.

    You can view the authentication keychain used by a PCEP session by executing the show path-computation-client status and show protocols pcep commands.

    [See Support of Path Computation Element Protocol for RSVP-TE Overview.]
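The PCEP MD5 item above says both peers use the same key to verify each segment on the TCP connection. The following Python sketch is an added example, not Juniper code: it computes and checks the TCP MD5 signature option (kind 19) defined in RFC 2385 on a constructed IPv4 segment carrying a PCEP Keepalive. The addresses, ports, sequence numbers, and key are constructed values, and the TCP checksum is left at zero because the digest treats it as zero anyway.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND, MD5_OPT_LEN = 19, 18          # TCP MD5 signature option (RFC 2385)

# Constructed sample values (documentation addresses, made-up key).
PCC_IP, PCE_IP = "192.0.2.1", "192.0.2.2"
SHARED_KEY = b"constructed-shared-key"
KEEPALIVE = b"\x20\x02\x00\x04"             # PCEP header: version 1, Keepalive, length 4


def _digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options
    excluded), segment data, then the shared key, in that order."""
    data_offset = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"              # checksum field is assumed zero
    return hashlib.md5(pseudo + bytes(fixed) + segment[data_offset:] + key).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Build a PSH/ACK segment whose only option is the MD5 signature."""
    # 20-byte header + 18-byte option + 2 NOP pad bytes = 40 bytes (offset 10).
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         10 << 4, 0x18, 65535, 0, 0)
    unsigned = header + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + bytes(16) + b"\x01\x01" + payload
    digest = _digest(src_ip, dst_ip, unsigned, key)   # options are not hashed
    return header + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01" + payload


def find_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < min(data_offset, len(segment)):
        kind = segment[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP, single byte
            i += 1
            continue
        if i + 1 >= data_offset:
            return None                     # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None                     # malformed length
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return segment[i + 2:i + MD5_OPT_LEN]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: reject segments with a missing or wrong signature."""
    carried = find_md5_option(segment)
    if carried is None:
        return False
    return hmac.compare_digest(carried, _digest(src_ip, dst_ip, segment, key))


if __name__ == "__main__":
    seg = sign_segment(PCC_IP, PCE_IP, 50000, 4189, 1000, 2000, KEEPALIVE, SHARED_KEY)
    print("same key      :", verify_segment(PCC_IP, PCE_IP, seg, SHARED_KEY))
    print("different key :", verify_segment(PCC_IP, PCE_IP, seg, b"other-key"))
```

Because the pseudo-header is part of the digest, a segment replayed from a different source address fails verification even when the payload and key are unchanged.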

Subscriber Management and Services

Note

Although present in the code, the subscriber management features are not supported in Junos OS Release 16.1R1. Documentation for subscriber management features is included in the Junos OS Release 16.1 documentation set.

  • Wildcard domain map (MX Series)—Starting in Junos OS Release 16.1R1, you can configure a wildcard domain map that is used by subscribers when there is no exact match to the subscriber’s domain name, but there is a partial match. For example, if you create a wildcard domain map with the name xyz*.com, subscribers with the domain names xyz-eastern.com and xyz-northern.com are both mapped to that wildcard domain when there is no exact match for the subscriber’s domain name.

    To configure a wildcard domain map, you include the asterisk wildcard character in the map domain-map-name statement at the [edit access domain] hierarchy level.

    Wildcard domain mapping is also useful to provide a partial match when subscriber management derives subscriber usernames from the DHCPv4 Agent Remote ID (option 82 suboption 2) or the DHCPv6 Remote-ID (option 37). For example, a username might be EricSmith#premiumTier1#314159265#0000 (where the # character is the delimiter). For domain mapping for this subscriber, you might create the wildcard domain map, domain map premiumTier1*.

    [See Configuring a Wildcard Domain Map.]

  • DHCP-initiated service change based on client Remote ID (MX Series)—Starting in Junos OS Release 16.1R1, DHCP local server enables you to update a client’s current service based on the client’s remote ID. DHCP-initiated service updates are particularly useful in dual-stack environments and other networks that do not include RADIUS support.

    When a DHCP client is initially established, DHCP preserves the client’s incoming remote ID in the DHCP client database. You can configure DHCP local server to compare the client’s initial remote ID to the remote ID that the server subsequently receives in DHCP Renew or Rebind messages. If DHCP local server detects a mismatch between the two remote IDs, the server tears down the existing binding, which initiates a client reconnect sequence. The service change is encoded within the new remote ID string, and is activated when the client reconnects.

    DHCP local server receives the remote ID in option 82, suboption 2 for DHCPv4 clients, and in DHCPv6 option 37 for DHCPv6 clients.

    To configure DHCP local server to support the remote ID service change feature, use the remote-id-mismatch disconnect statement at the [edit system services dhcp-local-server] hierarchy level. You can configure support globally or for a specific group.

    [See DHCP-Initiated Service Change Based on Remote ID.]

  • New support for Framed-IP-Netmask for access-internal routes (MX Series)—Starting in Junos OS Release 16.1, the mask value returned by RADIUS in the Framed-IP-Netmask attribute during PPP negotiation is considered for application to the access-internal route for the subscriber session. In earlier releases, the attribute mask is ignored and a /32 netmask is always applied, with the consequence that the address is set to the value of the Framed-IP-Address attribute returned by RADIUS.

    Now, when the SDB_FRAMED_PROTOCOL attribute is equal to AUTHD_FRAMED_PROTOCOL_PPP, the value of SDB_USER_IP_MASK is set to 255.255.255.255 by default. This value is overridden by the Framed-IP-Netmask value, if present.

    When the SDB_FRAMED_PROTOCOL attribute is equal to AUTHD_FRAMED_PROTOCOL_PPP, the show subscribers command now displays the actual value of Framed-IP-Netmask in the IP Netmask field. Otherwise, the field displays the default value of 255.255.255.255.

  • Disabling DHCP snooping filters for DHCP traffic that can be directly forwarded (MX Series)—Starting in Junos OS Release 16.1, you can disable DHCP snooping filters for an address family in the routing context in which snooping is configured.

    When you first enable DHCP snooping, all DHCP traffic is snooped by default and only DHCP packets associated with subscribers (or their creation) will be handled; all other DHCP packets will be discarded. You can optionally modify this dropping behavior based on the type of interface: configured interfaces, non-configured interfaces, or all interfaces. All snooped DHCP traffic is still forwarded to the routing plane in the routing instance, and in some cases, this results in excessive DHCP traffic being sent to the routing plane for snooping. The no-snoop statement disables snooping filters for DHCP traffic that can be forwarded directly from the hardware control plane, such as Layer 3 unicast traffic with a valid route, preventing that DHCP traffic from being forwarded to the slower routing plane of the routing instance.

    [See DHCP Snooping Support.]

  • Changes to AAA accounting statistics counters (MX Series)—Starting in Junos OS Release 16.1, 17 new statistics counters have been added to the output of the show network-access aaa statistics accounting detail command to report accounting information that is backed up when RADIUS accounting servers are unreachable and RADIUS backup accounting options are configured.

    In earlier releases, the general statistics counters display aggregate values for original accounting events plus backup events. Now the Accounting response success, Accounting retransmissions, and Requests received counters no longer include requests that are sent to the backup accounting mechanism.

    Two non-backup statistics counters have also been added, Accounting request failures and Accounting request success.

    The Timed out requests counter has been renamed to Accounting request timeouts.

    [See show network-access aaa statistics.]

  • New option for service type added to test aaa commands (MX Series)—Starting in Junos OS Release 16.1, you can include the service-type option with the test aaa ppp user and test aaa dhcp user commands to test the AAA configuration of a subscriber. You can use this option to distinguish a test session from an actual subscriber session. The option specifies a value for the Service-Type RADIUS attribute [6] in the test Access-Request message; when you do not include this option, the test uses a service type of Framed. You can specify a number in the range 1 through 255, or you can specify a string that corresponds to an RFC-defined service type. When the Service-Type RADIUS attribute [6] is received in an Access-Accept message, it overrides the value inserted in the Access-Request message by this command.

    [See test aaa dhcp user and test aaa ppp user.]

  • New predefined variable for dynamic underlying interfaces (MX Series)—Starting in Junos OS Release 16.1, you can use the Juniper Networks predefined variable, $junos-underlying-ifd-name, to reference the underlying physical interface when you configure CoS properties for an underlying logical interface in a dynamic profile. The new variable is useful when the $junos-interface-ifd-name variable already references a different physical interface, such as in configurations with stacked logical interfaces. For example, in a PPPoE session where the PPP logical interface is stacked over a demux VLAN logical interface, $junos-interface-ifd-name is set to the pp0 physical interface. In this case you can specify the $junos-underlying-ifd-name predefined variable with the interfaces statement at the [edit dynamic-profiles profile-name class-of-service] hierarchy level to reference the underlying physical interface.

  • Support for service session termination causes (MX Series)—Starting in Junos OS Release 16.1, new internal identifiers are available that identify the reasons that authd initiates termination of individual service sessions. In earlier releases, the termination cause for a service session is the same as that for the parent subscriber session.

    The service termination causes map to default code values that are reported in the RADIUS Acct-Terminate-Cause attribute (49) in Acct-Stop messages for the service. You can use the new service-shutdown option with the terminate-code aaa statement at the [edit access] hierarchy level to remap any of the new termination causes to any number in the range 1 through 4,294,967,295:

    • network-logout—Termination was initiated by deactivation of one family for a dual-stack subscriber, typically triggered by termination of the corresponding Layer 3 access protocol. Default code value is 6.

    • remote-reset—Termination was initiated by an external authority, such as a RADIUS CoA service-deactivation. Default code value is 10.

    • subscriber-logout—Overrides the default inheritance of the subscriber session value with a different value when you map it to a different value. Default code value is 1, meaning that it inherits the terminate cause from the parent subscriber session.

    • time-limit—Service time limit was reached. Default code value is 5.

    • volume-limit—Service traffic volume limit was reached. Default code value is 10.

    The show network-access aaa terminate-code aaa detail command displays the new termination causes and their current code values.

    [See Understanding Session Termination Causes and RADIUS Termination Cause Codes.]

  • Support for a static unnumbered interface with $junos-routing-instance (MX Series)—Starting in Junos OS Release 16.1, you can configure a static logical interface as the unnumbered interface in a dynamic profile that includes dynamic routing instance assignment by means of the $junos-routing-instance predefined variable.

    Note

    This configuration fails commit if you also configure a preferred source address, either statically with the preferred-source-address statement or dynamically with the $junos-preferred-source-address predefined variable for IPv4 (family inet) addresses or the $junos-preferred-source-ipv6-address predefined variable for IPv6 (family inet6) addresses.

    Note

    The static interface must belong to the routing instance; otherwise the profile instantiation fails.

    In earlier releases, when the dynamic profile includes the $junos-routing-instance predefined variable, you must do both of the following, else the commit fails:

    • Use the $junos-loopback-interface-address predefined variable to dynamically assign an address to the unnumbered interface. You cannot configure a static interface address.

    • Use the $junos-preferred-source-address or $junos-preferred-source-ipv6-address predefined variable to dynamically assign a secondary IP address to the unnumbered interface. You cannot configure a static preferred source address.

    [See Configuring an Unnumbered Interface.]

  • Logical interface option for show ptp port command (MX Series)—Starting in Junos OS Release 16.1, you can display PTP port information for a specific logical interface by using the ifl logical-interface-name option with the show ptp port command:

    user@host> show ptp port ifl ge-1/0/5.0

  • Enhancements to test aaa statements for VLAN-OOB subscribers (MX Series)—Starting in Junos OS Release 16.1, you can use the no-address-request option with the test aaa dhcp user and test aaa ppp user statements for testing subscribers in a Layer 2 scenario where no address allocation request is required.

    The output of these two statements now displays two additional user attributes. Dynamic Profile is the name of the profile received in the Client-Profile-Name VSA (26-174). Routing Instance is the name of the routing instance conveyed by the Virtual-Router VSA (26-1). The existing Virtual Router Name attribute is the locally configured name of the logical system.

    [See Testing a Subscriber AAA Configuration.]

  • New predefined variable to group subscribers on a physical interface (MX Series)—Starting in Junos OS Release 16.1, you can specify the new Juniper Networks predefined variable, $junos-phy-ifd-interface-set-name, with the interface-set statement at the [edit dynamic-profiles profile-name interfaces] hierarchy level to configure an interface set associated with the underlying physical interface in a dynamic profile. This predefined variable enables you to group all the subscribers on a specific physical interface so that you can apply services to the entire group of subscribers.

    Another use case is optimizing CoS level 2 node resources by grouping residential subscribers into an interface set associated with the physical interface in a topology where residential and business subscribers share the interface, enabling the use of CoS level 2 nodes for the interface set rather than for each residential interface.

    [See CoS for Interface Sets of Subscribers Overview.]

  • New predefined variables and Juniper Networks VSAs for family any interface filters (MX Series)—Starting in Junos OS Release 16.1R1, you can use the $junos-input-interface-filter and $junos-output-interface-filter predefined variables to attach a filter to a dynamic interface created for family any. The filter names are derived from the Juniper Networks VSAs, Input-Interface-Filter (26-191), and Output-Interface-filter (26-192). These VSAs are conveyed in the following RADIUS messages: Access-Request, Acct-Start, Acct-Stop, and Acct-Interim-Interval. You can specify the variables as the filter names with input and output statements at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-interface-number filter] hierarchy level.

    [See Juniper Networks VSAs Supported by the AAA Service Framework.]

  • Configuring default values for routing instances (MX Series)—Starting in Junos OS Release 16.1, you can define a default value for the Juniper Networks predefined variable, $junos-routing-instance. This value is used in the event RADIUS does not supply a value for $junos-routing-instance. To configure a default value, use the predefined-variable-defaults statement at the [edit dynamic-profiles] hierarchy level. For example, to set the default value to RI-default:

  • Address-assignment pool hold-down (MX Series)—Starting in Junos OS Release 16.1, you can place an active address-assignment pool in a hold-down state. When a pool is in the hold-down state, no additional addresses are allocated from that pool. However, the hold-down state does not affect any existing subscribers that are using addresses previously assigned from the pool.

    As the existing subscribers disconnect, their IP addresses are marked as free in the pool, but the addresses are not reallocated because of the pool’s hold-down state. Eventually, when all subscribers have disconnected and their addresses are returned to the pool, the pool becomes inactive. When the pool is in the inactive state, you can safely perform maintenance on the pool (such as adding, changing, or deleting addresses) without affecting any active subscribers.

    [See Configuring Address-Assignment Pool Hold Down.]

  • Support for subscriber management and services feature parity (MX104)—Starting in Release 16.1, the MX104 supports all subscriber management and services features that are supported on the MX240, MX480, and MX960 routers as of Junos OS Release 14.1R1. Previously, the MX104 matched feature support with the MX80 as of Junos OS Release 13.3R1.

  • PPPoE-over-ATM support and other enhancements to PPPoE subscriber session lockout (MX Series)—Starting in Junos OS Release 16.1, PPPoE subscriber session lockout supports PPPoE-over-ATM subscriber interfaces and also adds the following enhancements:

    • Persistence of the lockout condition after automatic removal of dynamic VLAN or VLAN demultiplexing (demux) subscriber interfaces.

    • Termination of the lockout condition after administratively clearing the lockout or resetting the interface module.

    • Ability to clear the lockout condition or display information about the lockout status by specifying encapsulation type identifier characteristics when no underlying interface exists for the subscriber session:

      • VLAN identifiers (device name, S-VLAN ID, and VLAN ID) in the clear pppoe lockout vlan-identifier and show pppoe lockout vlan-identifier commands

      • ATM identifiers (device name, VPI, and VCI) in the clear pppoe lockout atm-identifier and show pppoe lockout atm-identifier commands

    [See PPPoE Subscriber Session Lockout Overview.]

  • New reject action for a LAC receiving change requests from the LNS (MX Series)—Starting in Junos OS Release 16.1, you can configure the LAC to reject change requests received in SCCRP messages from the LNS. During tunnel establishment, the LNS might include a request for the LAC to change the destination IP address, UDP port, or both, that it uses to communicate with the LNS. When a LAC that is configured to reject these requests receives one, it sends a StopCCN message to the original address or port and then terminates the connection to that LNS. This reject option is in addition to the previously available accept and ignore options.

    [See Configuring How the LAC Responds to Address and Port Changes Requested by the LNS.]

  • Enhanced subscriber management support for Ethernet OAM on S-VLANs with associated C-VLANs and subscriber interfaces (MX Series routers with MPCs/MICs)—This feature is supported in Junos OS Release 16.1 with no changes from the original 13.2R1 implementation. As such, when Ethernet IEEE 802.1ag Operation, Administration, and Maintenance (OAM) connectivity fault management (CFM) is configured on a static single-tagged service VLAN (S-VLAN) logical interface on a Gigabit Ethernet, 10-Gigabit Ethernet, or Aggregated Ethernet physical interface, you can configure the router to propagate the OAM state of the S-VLAN to the associated dynamic or static double-tagged customer VLAN (C-VLAN) logical interfaces. If the CFM continuity check protocol detects that the OAM state of the S-VLAN is down, you can configure the underlying physical interface to bring down all associated C-VLANs on the interface with the same S-VLAN (outer) tag as the S-VLAN interface. In addition, the router brings down all DHCP, IP demultiplexing (IP demux), and PPPoE logical subscriber interfaces configured on top of the C-VLAN. Propagation of the S-VLAN OAM state to associated C-VLANs ensures that when the OAM state of the S-VLAN link is down, the associated C-VLANs and all subscriber interfaces on top of the C-VLANs go down as well.

    To enable propagation of the S-VLAN OAM state to associated C-VLAN logical interfaces, use the oam-on-svlan option when you configure a Gigabit Ethernet (ge), 10-Gigabit Ethernet (xe), or Aggregated Ethernet (ae) interface.

    Ethernet OAM support for S-VLANs and associated C-VLANs is not currently supported for use with dynamic profiles, S-VLAN trunk interfaces, or C-VLAN trunk interfaces.

  • Support for manual targeting—Starting in Junos OS Release 16.1R1, service providers can configure manual targeting, assigning specific member links as primary and backup links per subscriber so that all traffic goes through those links. Manual targeting enhances the distribution of targeted VLANs or subscribers across member links of an aggregated Ethernet bundle by making it bandwidth-aware.

    You configure the targeting options by including the targeted-options statement at the [edit interfaces aex aggregated-ether-options] hierarchy level.

    You can select the targeting type for an aggregated Ethernet bundle as manual or auto at the [edit interfaces aex aggregated-ether-options targeted-options] hierarchy level.

    When you configure manual targeting, you must always configure a primary link. Configuring a backup link is optional. You specify the primary and backup links for a subscriber in the individual interface configuration.

    If the aggregated Ethernet bundle is configured for manual targeting, then all the subscribers in that bundle can be optionally configured for manual targeting, but none of them can be configured for autotargeting (targeted distribution). That is, you cannot have a configuration that contains a mix of manual targeting and autotargeting among subscribers. If the aggregated Ethernet bundle is not configured for manual targeting, then you can optionally configure autotargeting for all the subscribers, but you cannot configure manual targeting for any of them. Manual targeting and autotargeting are supported only on static interfaces.

  • Grouping of subscribers with similar bandwidth usage—Junos OS Release 16.1R1 supports grouping of subscribers with similar bandwidth usage and ensures even distribution of subscribers in each group across the member links of an aggregated Ethernet bundle. Service providers can group together subscribers with similar bandwidth usage and optionally assign a group name. Subscribers that are configured for targeted distribution without a group name are added to the default group and distributed evenly across member links. Grouping of subscribers is supported only for static subscribers.

    You can specify the group name by including the group statement at the [edit interfaces interface-name unit logical-unit-number targeted-options] hierarchy level.

  • Configurable session limits for L2TP (MX Series)—Starting in Junos OS Release 16.1, you can configure a limit on the maximum number of L2TP sessions allowed for the chassis, for all tunnels, for a tunnel-group, for a client group, and for a client. When the session limit is reached, no new sessions can be established until the number of current sessions drops below the configured limit. One use of this feature is to control the number of sessions from an enterprise customer that is connected over LACs in multiple locations. These configured session limits have no effect on the maximum supported chassis limits that are imposed through the Juniper Networks license.

    [See Limiting the Number of L2TP Sessions Allowed by the LAC or LNS.]

  • Ensuring IPCP negotiation for IPv4 DNS addresses (MX Series)—Starting in Junos OS Release 16.1, the router can prompt customer premises equipment (CPE) to negotiate both primary and secondary IPv4 DNS addresses during IPCP negotiation. This feature is useful when the CPE fails to send DNS address options in the IPCP configure request message, or when the options are sent but rejected. In earlier releases, either situation results in no DNS address negotiation even though IPv4 DNS addresses are available on the router. This DNS option enables the router to control IPv4 DNS address provisioning for dynamic and static, terminated PPPoE and LNS subscribers.

    [See Ensuring IPCP Negotiation for Primary and Secondary DNS Addresses.]

  • Filters for duplicate RADIUS accounting interim reports (MX Series)—Starting in Junos OS Release 16.1, you can specify which accounting servers receive the RADIUS accounting interim reports when RADIUS accounting duplicate reporting is active.

    Subscriber management supports the following filtering for RADIUS accounting duplicate reporting:

    • Duplicated accounting interim messages—The accounting messages are sent only to RADIUS accounting servers in the subscriber’s access profile.

    • Original accounting interim messages—The accounting messages are sent only to servers in a duplication access profile other than the subscriber’s access profile.

    • Excluded RADIUS attributes—RADIUS attributes in accounting messages are filtered based on the exclude statement configuration.

      The exclude statement supports new attributes.

      [See Understanding RADIUS Accounting Duplicate Reporting.]

  • Multiple DHCPv6 IA_NA and IA_PD requests (MX Series)—Starting in Junos OS Release 16.1, DHCPv6 relay agent supports multiple DHCPv6 IA_NA or IA_PD requests within the same Solicit message, up to a maximum of eight requests. This support enables each negotiated lease to have its own lease expiration time and also allows one lease to expire without tearing down any other active leases. The multiple IA address support also enables customers to delegate multiple address blocks to a CPE router, which simplifies flow classification and service monetization.

    In Junos OS releases before Release 16.1, the router supports one IA_NA request or one IA_PD request, or a combination of one of each type of request.

    [See Multiple DHCPv6 IA_NA and IA_PD Requests Per Client Interface.]

  • New VSAs for IPv4 and IPv6 link addresses of first DHCP relay into RADIUS Auth and Accounting Messages (MX Series)—Starting in Junos OS Release 16.1, two new VSAs, DHCP-First-Relay-IPv4-Address and DHCP-First-Relay-IPv6-Address, are available for configuration of a RADIUS server. The values of these new VSAs are the link address of the first relay of a DHCPv4 or DHCPv6 client/server binding. These new VSAs are sent to RADIUS as part of Access-Request, Accounting-Start, Accounting-Interim, and Accounting-Stop Messages. These VSAs enable RADIUS to identify clients uniquely for your business purposes, such as keeping track of your billing clients.

    [See Juniper Networks VSAs Supported by the AAA Service Framework.]

  • Five-level hierarchical CoS (MX240, MX480, MX960, and MX2020 Series)—Starting in Junos OS Release 16.1, the Broadband Network Gateway (BNG) supports five-level hierarchical CoS (HCoS) in dynamic configurations. It allows you to differentiate and shape traffic at the following levels:

    • Level 1—Physical interface (port level)

    • Level 2—Interface set, for example, S-VLAN (access node)

    • Level 3—Customer VLAN (C-VLAN)

    • Level 4—Session logical interface (ppp or dhcp)

    • Level 5—Service queues (up to 8)

    The use cases that five-level HCoS supports include:

    • Residential and business traffic on the same access node (if business interfaces are dynamic).

    • Multiple retail ISPs on the same access node.

    • Multiple subscriber sessions for a household on the same C-VLAN.

    This feature is not supported on agent circuit identifier (ACI) sets or aggregated Ethernet (AE) interfaces.

    [See Understanding Hierarchical CoS for Subscriber Interfaces.]

  • Support for IP reassembly on an L2TP connection (MX Series routers with MPC5E)—Starting in Junos OS Release 16.1, you can configure the service interfaces on MX Series routers with MPC5E to support IP packet reassembly on a Layer 2 Tunneling Protocol (L2TP) connection. The IP packet is fragmented over an L2TP connection when the packet size exceeds the maximum transmission unit (MTU) defined for the connection. Depending on the direction of the traffic flow, the fragmentation can occur either at the L2TP access concentrator (LAC) or at the L2TP network server (LNS), and reassembly occurs at the peer interface. (In an L2TP connection, a LAC is a peer interface for the LNS and vice versa.)

    You can configure the service interfaces on the LAC or on the LNS to reassemble the fragmented packets before they can be further processed on the network. On a router running Junos OS, a service set is used to define the reassembly rules on the service interface. The service set is then assigned to the L2TP service at the [edit services l2tp] hierarchy level to configure IP reassembly for L2TP fragments.

    [See IP Packet Fragment Reassembly for L2TP Overview.]

  • Diameter Network Access Server Requirements (NASREQ) authentication and authorization (MX Series)—Starting in Junos OS Release 16.1, Junos OS supports the Diameter-based Network Access Server Requirements (NASREQ) protocol for authentication and authorization at login. NASREQ is described in RFC 7155. Junos OS supports the following NASREQ protocol exchanges:

    • AA-Request/Answer—The authentication/authorization request at login.

    • Session-Termination-Request/Answer—Notification that the subscriber’s session has been terminated.

    • Abort-Session-Request/Answer—Request to terminate the subscriber’s session from a NASREQ server.

    [See Diameter Network Access Server Requirements (NASREQ).]

  • Communicating with RADIUS servers over IPv6 (MX Series)—Starting in Junos OS Release 16.1, subscriber management supports RADIUS connectivity over IPv6, in addition to IPv4 connectivity. This support enables you to specify the IPv6 addresses of your targeted RADIUS servers, and also enables you to specify IPv6 addresses for the source address configuration of your RADIUS servers.

    Also in Release 16.1, the AAA process now supports the NAS-IPv6-Address RADIUS attribute (attribute 95), which identifies the IPv6 address of the NAS that requests subscriber authentication.

    [See Configuring Router or Switch Interaction with RADIUS Servers.]

  • Limiting the subscriber sessions per aggregated Ethernet or Packet Forwarding Engine bundle (MX Series)—Starting in Junos OS Release 16.1, you can restrict the number of Point-to-Point Protocol over Ethernet (PPPoE) subscriber sessions per aggregated Ethernet or Packet Forwarding Engine bundle by using the existing PPPoE Service-Name table. You can modify the existing PPPoE Service-Name table by changing its default configuration to eliminate the default empty Service-Name entry in the Service-Name table.

    In earlier releases, each PPPoE service name table in the service (PPPoE) configuration statement included one empty service entry by default.

  • Support for unlocking destinations during LAC tunnel selection (MX Series)—Starting in Junos OS Release 16.1, the tunnel selection process for a subscriber login enables the LAC to cycle through the tunnel preference levels until it establishes a session to a destination or has attempted to contact every valid destination but failed.

    In earlier releases, if the LAC reaches the lowest level and all valid destinations at that level are locked, it selects the destination with the shortest remaining lockout time, removes the lockout, and attempts to connect to that destination. If it fails, it does not cycle back through the preference levels.

    You can use the new clear services l2tp destination lockout command to manually clear all locked destinations or only locked destinations that match the specified local or remote gateway address.

    [See LAC Tunnel Selection Overview.]

  • Support for DHCPv6 duplicate client DUIDs (MX Series)—Starting in Junos OS Release 16.1, you can configure DHCPv6 relay agent and DHCPv6 local server to support DHCP clients that have the same DHCP unique identifier (DUID) when the DHCPv6 requests are received on different underlying interfaces.

    Typically, the router treats a request from a duplicate client as a renegotiation, and replaces the existing client entry with a new entry. However, in some cases, the duplicate request is from a different client, and replacement is not desired. When you enable duplicate client support, the router uses the underlying interfaces to differentiate between two clients with the same DUID, enabling both clients to be granted leases. The router retains the existing client entry, and creates a new entry for the duplicate client.

    [See DHCPv6 Duplicate Client DUIDs.]

  • Improved multicast convergence and RPT-SPT support for BGP-MVPN (MX Series)—Starting with Junos OS Release 16.1, support for multicast forwarding-cache threshold is extended to rendezvous-point tree shortest-path tree (RPT-SPT) mode for BGP-MVPN. In addition, for both Rosen and next-generation MVPNs, PE routers across all sites should see the same set of multicast routes even if the configured forwarding-cache limit is exceeded.

    To configure a specific threshold for MVPN RPT, set one or both of the mvpn-rpt-suppress and mvpn-rpt-reuse statements at the [edit routing-instances name routing-options multicast forwarding-cache] or [edit logical system name routing-instances name routing-options multicast forwarding-cache] hierarchy level.

    In addition, the show multicast forwarding-cache statistics command provides information about both the general and RPT-suppression states. Likewise, a list of suppressed customer-multicast states can be seen by running the show mvpn suppressed general|mvpn-rpt inet|inet6 instance name summary command.
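To check which subscriber domains would fall through to a wildcard domain map, the following added example (not Juniper code and not part of the original release notes) models the lookup described in the wildcard domain map item in this section: an exact match is used first, and a wildcard map only when no exact match exists. It assumes that `*` matches any run of characters, including dots, and that matching is case-sensitive; every map name other than xyz*.com and premiumTier1*, and every domain list, is constructed. The release notes do not say which map wins when several wildcard maps match, so that case is reported as ambiguous.

```python
import re


def compile_map(name):
    """Compile a domain-map name to a regex. Only '*' is a wildcard
    (assumption: it matches any run of characters); all else is literal."""
    return re.compile(".*".join(re.escape(part) for part in name.split("*")))


def resolve(domain, map_names):
    """Return (kind, matching_maps) for one subscriber domain.

    kind is 'exact', 'wildcard', 'ambiguous' or 'none'.
    """
    # Exact matches take priority, as the release notes describe.
    exact = [m for m in map_names if "*" not in m and m == domain]
    if exact:
        return ("exact", exact)
    # Wildcard maps are consulted only when there is no exact match.
    wild = sorted(
        m for m in map_names if "*" in m and compile_map(m).fullmatch(domain)
    )
    if len(wild) == 1:
        return ("wildcard", wild)
    if len(wild) > 1:
        # Precedence between overlapping wildcard maps is not stated on the
        # page, so flag the overlap instead of guessing.
        return ("ambiguous", wild)
    return ("none", [])


def audit(domains, map_names):
    """Return the domains that resolve through a wildcard (or several),
    which are the mappings worth reviewing before deployment."""
    review = {}
    for domain in domains:
        kind, matched = resolve(domain, map_names)
        if kind in ("wildcard", "ambiguous"):
            review[domain] = (kind, matched)
    return review


# Constructed sample data: xyz*.com and premiumTier1* come from the release
# notes, the other map names and all domains are made up for the example.
MAPS = ["xyz.com", "xyz*.com", "xyz-east*.com", "premiumTier1*"]
DOMAINS = [
    "xyz.com",              # exact map exists
    "xyz-northern.com",     # wildcard fallback, as in the release notes
    "xyz-eastern.com",      # matches two wildcard maps
    "xyz.partner.com",      # '*' spans a dot under this example's assumption
    "xyz.com.example.net",  # does not end in .com, so no match
    "abc.com",              # no map at all
]

if __name__ == "__main__":
    for domain in DOMAINS:
        kind, matched = resolve(domain, MAPS)
        print(f"{domain:22} {kind:10} {', '.join(matched) or '-'}")
    print("needs review:", sorted(audit(DOMAINS, MAPS)))
```

Run against the domain names you expect to see, the output shows how broad each wildcard map really is and where two wildcard maps overlap.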


System Logging

  • System log messages to indicate checksum errors on the DDR3 interface—Starting in Junos OS Release 16.1R1, two new system log messages, XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MINOR and XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MAJOR, are added to indicate memory-related problems on the interfaces to the double data rate type 3 (DDR3) memory. These error messages indicate that an FPC has detected a checksum error, which is causing packet drops.

    The following error threshold values classify the error as a major error or a minor error:

    • Minor error—6 through 254 errors per second

    • Major error—255 or more errors per second

  • New configuration statement for filtering text substring in system log messages (MX Series and T Series)—Starting with Junos OS Release 16.1, a new configuration statement, match-string <string-name>, helps you display specified text substrings in the system log messages when using the show system syslog statement. The match-string <string-name> configuration statement can be configured at the following hierarchy levels:

    • edit system syslog file <file-name>

    • edit system syslog host <host-name>

    • edit system syslog user <user-name>

    This statement can be configured along with the match <string-name> configuration statement. In addition, it reduces the CPU usage while filtering the text substring in the system log messages.

    [See match-string.]

System Management

  • Blocking hidden commands and defining confirmation for commands before execution—Starting in Junos OS Release 16.1R1, you can do the following:

    • Deny hidden commands to all users, or to users in certain login classes, except the root users.

    • Allow only certain hidden commands to users.

    • Define commands that require confirmation from users before execution.

    To deny hidden commands to all users except the root users, use the set no-hidden-commands statement at the [edit system] hierarchy level. This statement can also be used under a specific login class to deny all hidden commands for users in that login class. Use the except <regexp_string> option at the [edit system no-hidden-commands] hierarchy level to specify the exempted hidden commands that users can run.

    To require confirmation from users before a command is executed, include the confirm-commands <exempted-hidden-command> statement at the [edit system login class <class-name>] hierarchy level.

    [See no-hidden-commands and confirm-commands.]

Timing and Synchronization

User Interface and Configuration

  • Support for JSON format for configuration data (MX Series and T Series)–Starting with Junos OS Release 16.1, you can configure devices running Junos OS using configuration data in JavaScript Object Notation (JSON) format in addition to the existing text, Junos XML, and Junos OS set command formats. You can load configuration data in JSON format in the Junos OS CLI by using the load (merge | override | update) json command or from within a NETCONF or Junos XML protocol session by using the <load-configuration format="json"> operation. You can load JSON configuration data either from an existing file or as a data stream. Configuration data that is provided as a data stream must be enclosed in a <configuration-json> element.

    [See load, Defining the Format of Configuration Data to Upload in a Junos XML Protocol Session, and Mapping Junos OS Configuration Statements to JSON.]

  • Extend the Junos CLI command set with custom scripts (MX Series)–Starting with Junos OS Release 16.1, you can configure devices running Junos OS to allow your custom scripts to be invoked in the Junos OS CLI or from within a NETCONF or Junos XML protocol session. The custom script can be written in either SLAX or Python. Configure your custom script to act as a native command using the YANG RPC keyword extension. Its location in the command schema is specified in a YANG module.

    [See Junos Automation Scripting Overview and Using Juniper Networks YANG Modules.]

Virtual Chassis

  • MX Series Virtual Chassis support for L2TP LNS (MX Series)—Starting in Junos OS Release 16.1, MX Series Virtual Chassis configurations support L2TP LNS functionality.

    [See L2TP for Subscriber Access Overview.]

  • MX Series Virtual Chassis commit time improvements (MX Series with MPCs/MICs)—Starting in Junos OS Release 16.1, the commit process for MX Series Virtual Chassis is optimized to provide faster commit times. No additional configuration is required to take advantage of the improved commit times. You can use the commit | display detail command to monitor the steps of the new commit process.

  • MX Series Virtual Chassis support for MX240 and MX480 member routers in a VC containing MX2010 or MX2020 member routers (MX Series with MPCs/MICs)—Starting in Junos OS Release 16.1, you can configure an MX240 router or MX480 router as a member router in an MX Series Virtual Chassis that contains an MX2010 or MX2020 member router. In earlier releases, MX2010 routers and MX2020 routers could only interoperate with MX960 routers.

    The following member router combinations are introduced in Junos OS Release 15.2 for a two-member Virtual Chassis configuration:

    • MX240 router and MX2010 router

    • MX240 router and MX2020 router

    • MX480 router and MX2010 router

    • MX480 router and MX2020 router

  • MX Series Virtual Chassis Unified ISSU support for MPC6E line cards (MX Series Virtual Chassis)—Starting in Junos OS Release 16.1R2, MPC6E line cards support Unified ISSU in MX Series Virtual Chassis environments.

VPNs

  • Redundant virtual tunnels on MPCs (MX Series)—In multicast Layer 3 VPNs, virtual tunnel (VT) interfaces are needed to facilitate virtual routing and forwarding (VRF) table lookup based on MPLS labels. Beginning with Junos OS Release 16.1, support for redundant VTs at the Packet Forwarding Engine level is provided to improve resiliency in delivering multicast traffic.

    [See Redundant Virtual Tunnels Providing Resiliency in Delivering Multicast Traffic Overview.]

  • MVPN source-active upstream multicast hop selection and redundant source improvements (MX Series)–Starting in Junos OS Release 16.1, you can use new configuration statements available at the [edit protocols mvpn] hierarchy level to influence the source-active upstream multicast hop selection process. You can use the umh-selection-additional-input statement to influence the upstream multicast hop selection by making the MVPN consider a combination of route preference and RSVP tunnel status. You can use the source-redundancy statement so that the MVPN acts on all redundant sources sending to a specific group address as the same source.

  • Support for common Public Key Infrastructure (PKI) functionality (MX Series)—Starting in Junos OS Release 16.1R3, MX Series devices support the following common PKI functionalities:

    • Certificate chaining—Certificate-based authentication is an authentication method supported on MX Series devices during IKE negotiation. In large networks, multiple certificate authorities (CAs) can issue end entity (EE) certificates to their respective end devices. It is common to have separate CAs for individual locations, departments, and organizations. With a single-level hierarchy for certificate-based authentication, all EE certificates in the network must be signed by the same CA. All firewall devices must have the same CA certificate enrolled for peer certificate validation. The certificate payload sent during IKE negotiation only contains EE certificates.

      In Junos OS Release 16.1R3, the certificate payload sent during IKE negotiation can contain a chain of EE and CA certificates. A certificate chain is the list of certificates required to certify the subject in the EE certificate. The certificate chain includes the EE certificate, intermediate CA certificates, and the root CA certificate. CA certificates can be enrolled using the Simple Certificate Enrollment Process (SCEP) or loaded manually. There is no new CLI configuration statement or command for certificate chains; however, every end device must be configured with a CA profile for each CA in the certificate chain.

      The network administrator needs to ensure that all peers participating in IKE negotiation have at least one common trusted CA in their respective certificate chains. The common trusted CA does not have to be the root CA. The number of certificates in the chain, including certificates for EEs and the topmost CA in the chain, cannot exceed 10.

    • Online Certificate Status Protocol (OCSP)—OCSP checks the revocation status of X.509 certificates. Requests are sent to the OCSP server(s) configured in a CA profile with the ocsp url statement at the [edit security pki ca-profile profile-name revocation-check] hierarchy level. The use-ocsp option must also be configured. If there is no response from the OCSP server, the request is then sent to the location specified in the certificate's AuthorityInfoAccess extension.

    • Digital certificate validation—The PKI daemon on MX Series devices performs X.509 certificate policy, path, key usage, and distinguished name validation, as specified in RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

  • New configuration statement to manage VCCV BFD session state (MX Series)—Starting with Junos OS Release 16.1, the ping-multiplier statement is introduced to delay the virtual circuit connectivity verification (VCCV) Bidirectional Forwarding Detection (BFD) session from going down by the specified number of LSP ping packets. The VCCV BFD session is signaled down only after the specified number of LSP ping packets are lost. This feature is supported for Layer 2 Circuit, Layer 2 VPN, and VPLS technologies.

    To configure the LSP ping multiplier feature, include the ping-multiplier number-of-packets statement at the [edit protocols l2circuit neighbor neighbor-address interface interface-name oam], [edit routing-instances routing-instances-name protocols l2vpn oam], and [edit routing-instances routing-instances-name protocols vpls oam] hierarchy levels for Layer 2 circuit, Layer 2 VPN, and VPLS, respectively.

Changes in Behavior and Syntax

This section lists the changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands from Junos OS Release 16.1R7 for MX Series and T Series.

Authentication, Authorization and Accounting

  • Statement introduced to enforce strict authorization—Starting in Junos OS Release 15.2, you can use the set system tacplus-options strict-authorization statement to enforce strict authorization for users. When a user logs in, Junos OS issues two TACACS+ requests: first the authentication request and then the authorization request. By default, when the authorization request is rejected by the TACACS+ server, Junos OS ignores the rejection and allows full access to the user. When the set system tacplus-options strict-authorization statement is set, Junos OS denies access to the user when the authorization request fails.

Authentication and Access Control

  • Change in range of client alive messages for SSH—Starting with Junos OS Release 16.1R1, the range for the number of client alive messages that can be sent without sshd receiving any messages back from the client is 0 through 255. In releases before Junos OS Release 16.1R1, the range for configuring client alive messages is 1 through 255.

    [See client-alive-count-max.]

  • Starting in Junos OS Release 16.1R1, system services ssh root-login deny-password is the default option for root login through SSH. In previous releases, system services ssh root-login allow was the default option. You must now explicitly configure the set system services ssh root-login allow option to allow users to log in to the device as root through SSH.
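
The three access-control statements these notes describe (no-hidden-commands, tacplus-options strict-authorization, and ssh root-login) can be checked offline against exported configuration in set format. The following Python audit is an added example, not Juniper code; the sample configurations, the exception regex and the finding names are constructed for illustration.

```python
# Constructed "show configuration | display set" output; not from a real device.
SAMPLE_CONFIG = """\
set system host-name lab-mx
set system tacplus-server 192.0.2.10 secret "constructed-secret"
set system authentication-order tacplus
set system services ssh root-login allow
set system login class noc permissions view
set system login class ops permissions all
set system login class ops no-hidden-commands
"""

# Constructed hardened variant: the root-login override is deactivated.
HARDENED_CONFIG = """\
set system host-name lab-mx
set system tacplus-server 192.0.2.10 secret "constructed-secret"
set system tacplus-options strict-authorization
set system services ssh root-login allow
deactivate system services ssh root-login
set system no-hidden-commands except "example-hidden-cmd.*"
"""


def active_statements(display_set_text):
    """Return active statements (without the leading 'set'), skipping any
    statement that sits at or below a 'deactivate' path."""
    sets, deactivated = [], []
    for raw in display_set_text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("set "):
            sets.append(line[len("set "):])
        elif line.startswith("deactivate "):
            deactivated.append(line[len("deactivate "):])

    def is_inactive(stmt):
        return any(stmt == d or stmt.startswith(d + " ") for d in deactivated)

    return [s for s in sets if not is_inactive(s)]


def audit(display_set_text):
    """Return a list of (finding_id, detail) tuples for the three settings."""
    stmts = active_statements(display_set_text)

    def has(path):
        return any(s == path or s.startswith(path + " ") for s in stmts)

    findings = []

    # The 16.1R1 default is deny-password; an explicit 'allow' reverts it.
    if has("system services ssh root-login allow"):
        findings.append(("ssh-root-login-allow",
                         "root login over SSH is explicitly allowed"))

    # Without strict-authorization, a rejected TACACS+ authorization
    # request is ignored and the user still gets access.
    if has("system tacplus-server") and not has(
            "system tacplus-options strict-authorization"):
        findings.append(("tacplus-authorization-not-strict",
                         "TACACS+ authorization failures do not deny access"))

    if has("system no-hidden-commands"):
        # Hidden commands are blocked globally; list exemptions for review.
        prefix = "system no-hidden-commands except "
        for s in stmts:
            if s.startswith(prefix):
                findings.append(("hidden-commands-exception", s[len(prefix):]))
    else:
        # No global block: report login classes that lack their own.
        classes = sorted({s.split()[3] for s in stmts
                          if s.startswith("system login class ")
                          and len(s.split()) > 3})
        uncovered = [c for c in classes
                     if not has(f"system login class {c} no-hidden-commands")]
        findings.append(("hidden-commands-not-blocked-globally",
                         "login classes without no-hidden-commands: "
                         + (", ".join(uncovered) or "none defined")))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```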

Class of Service

  • Support for 48 classifiers per family (MX Series)—Starting with Junos OS Release 16.1R5, you can configure up to 48 classifiers per family at the [edit class-of-service classifiers] hierarchy level. In earlier releases, you could only configure up to 32 classifiers per family.

    [See CoS Features and Limitations on MX Series Routers.]

Flow-Based and Packet-Based Processing

  • Correction for inline J-Flow reporting (MX Series)—Starting in Junos OS Release 15.2, when a destination is reachable through multiple paths, inline J-Flow reports OIF, GW, DST_MASK, and DST_AS data incorrectly in flow records. The new configuration statement set services flow-monitoring <version-ipfix | version9> template <template_name> nexthop-learning enable corrects OIF, GW, DST_MASK, and DST_AS data reporting.

General Routing

  • New option introduced under show | display xml | display—Starting in Junos OS 16.1R1, you can use the show | display xml | display | mark-changed statement to view the "mark-changed" status of the nodes. This is useful for debugging purposes.

  • Enhancement to request support information command—Starting in Junos OS Release 16.1R1, the request support information command is enhanced to capture the following additional details:

    • file list detail /var/rundb/—Displays the size of configuration databases.

    • show system configuration database usage—Displays the actual usage of the configuration database.

      Note

      This information will be displayed only if the show system configuration database usage command is supported in the release.

    • file list detail /config/—Contains the db_ext file and shows the size of it to indicate whether extend_size is enabled or disabled.

  • Modified output of the clear services sessions | display xml command (MX Series)—In Junos OS Release 16.1, the output of the clear services sessions | display xml command is modified to include the <sess-marked-for-deletion> tag instead of the <sess-removed> tag. In releases before Junos OS Release 14.1X55-D30, the output of this command includes the <sess-removed> tag. The replacement of the <sess-removed> tag with the <sess-marked-for-deletion> tag aims at establishing consistency with the output of the clear services sessions command that includes the field Sessions marked for deletion.

  • For the routing command, starting in Junos 15.1F3, 15.1R2, 15.1R3, and 15.2R1, 64-bit mode is enabled by default on systems that support it and which have at least 16 GB of RAM.

  • The as-path-ignore command is supported for routing instances starting with Junos OS Release 14.1R8, 14.2R7, 15.1R4, 15.1F6, and 16.1R1.

  • Support for deletion of static routes when the BFD session goes down (MX Series)—Starting with Junos OS 16.1R5, the default behavior of the static route at the [edit routing-options static static-route bfd-admin-down] hierarchy level is active. So, the static routes are deleted when the BFD receives a session down message. [See Enabling BFD on Qualified Next Hops in Static Routes for Route Selection.]

Interfaces and Chassis

  • Change in enforcement of vtmapping restriction for Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (H)—Starting with Junos OS Release 16.1, a commit error occurs when you include the vtmapping statement under the [edit interfaces interface-name sonet-options] hierarchy for cau4 interfaces on the Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP (H). Prior to Junos OS Release 16.1R1, a commit error was not displayed when this restriction was violated.

  • Starting in Junos OS Release 16.1R4, the show interfaces queue remaining-traffic command now displays egress remaining queue statistics on the aggregated Ethernet interfaces on the MX Series routers.

  • Support for automatic enabling of flow control for MACsec (MX Series)—Starting in Junos OS Release 16.1R2, when Media Access Control Security (MACsec) is enabled on an interface, the interface flow control capability is enabled by default, regardless of the configuration that you set using the (flow-control | no-flow-control) statement at the [edit interfaces interface-name gigether-options] hierarchy level. When MACsec is disabled, interface flow control is restored to the configuration that you set using the flow-control statement at the [edit interfaces] hierarchy level. When MACsec is enabled, additional header bytes are added to the packet by the MACsec PHY. With line rate traffic, when MACsec is enabled and flow control is disabled, the pause frames sent by the MACsec PHY are terminated by the MIC’s MAC (enhanced 20-port Gigabit Ethernet MICs on MX Series routers) and not transferred to the Packet Forwarding Engine, causing framing errors. Therefore, when MACsec is enabled on an interface, flow control is also automatically enabled on such an interface.

  • Starting in Junos OS Release 16.1, the show pfe statistics traffic command now displays the following fabric statistics:

    • Fabric Input packets—Number and rate of incoming fabric packets

    • Fabric Output packets—Number and rate of outgoing fabric packets

    [See show pfe statistics traffic.]

  • Changes to show interfaces interface-name extensive output—Starting in Junos OS Release 16.1R5, the MAC Control Frames field of the show interfaces interface-name extensive command for a specified 10-Gigabit Ethernet interface displays a value of zero. In previous releases, the value for this field was calculated. Because of continuous traffic and as a result of the calculations, the value displayed for this field changed continuously.

  • Recovery of PICs that are stuck because of prolonged flow controls (MS-MIC, MS-MPC, MS-DPC, MS-PIC 100, MS-PIC 400, and MS-PIC 500)—Starting in Junos OS Release 16.1R7, if interfaces on an MS-PIC, MS-MIC, MS-MPC, or MS-DPC are in a stuck state because of prolonged flow control, Junos OS restarts the service PICs to recover them from this state. However, if you want the PICs to remain in the stuck state until you manually restart the PICs, configure the new option up-on-flow-control for the flow-control-options statement at the [edit interfaces mo-fpc/pic/port multiservice-options] hierarchy level. In releases before Release 16.1R7, no action is taken to recover service PICs from this state unless one of the options for the flow-control-options statement is configured, or the service PIC is manually restarted.

    [See flow-control-options.]

Junos OS XML API and Scripting

  • Support for a configuration revision identifier to enable an NMS to determine the synchronization status of devices (MX Series and T Series)—Starting in Junos OS Release 16.1, a configuration revision identifier string, the <commit-revision-information> tag, is supported within the <commit-results> tag. The configuration revision identifier is used to determine whether the configuration settings on devices being managed by a network management server (NMS) application are in synchronization (sync) with the CLI of devices running Junos OS. In a real-world network deployment, out-of-band configuration commits might occur on a device, such as during a maintenance window for support operations. In such cases, the NMS application queries Junos OS to retrieve the latest revision number and compares it against the revision number stored locally to determine whether it is in sync or out of sync with the device, which detects the out-of-band commits.
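
One way to implement the NMS-side comparison described above, as an added Python example that is not part of Junos OS or these release notes. Only <commit-results> and <commit-revision-information> come from the page; the <routing-engine> wrapper, the child elements <old-db-revision> and <new-db-revision>, and the revision strings in the sample reply are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed reply to an NMS-initiated commit. Element names below
# <commit-revision-information> and the revision values are assumptions.
SAMPLE_REPLY = """\
<rpc-reply>
  <commit-results>
    <routing-engine>
      <name>re0</name>
      <commit-success/>
      <commit-revision-information>
        <new-db-revision>re0-1500000000-42</new-db-revision>
        <old-db-revision>re0-1500000000-41</old-db-revision>
      </commit-revision-information>
    </routing-engine>
  </commit-results>
</rpc-reply>
"""


def local(tag):
    """Strip an XML namespace, so '{uri}name' and 'name' compare equal."""
    return tag.rsplit("}", 1)[-1]


def first(node, name):
    """First element at or below node with the given local name, else None."""
    return next((el for el in node.iter() if local(el.tag) == name), None)


def text_of(node, name):
    el = first(node, name)
    return el.text.strip() if el is not None and el.text else None


def parse_commit_revisions(reply_xml):
    """Return {routing_engine_name: (old_revision, new_revision)}."""
    root = ET.fromstring(reply_xml)
    revisions = {}
    results = first(root, "commit-results")
    if results is None:
        return revisions
    engines = [el for el in results.iter()
               if local(el.tag) == "routing-engine"] or [results]
    for engine in engines:
        info = first(engine, "commit-revision-information")
        if info is None:
            continue  # older release or failed commit: nothing to compare
        name = text_of(engine, "name") or "unknown"
        revisions[name] = (text_of(info, "old-db-revision"),
                           text_of(info, "new-db-revision"))
    return revisions


def reconcile_after_commit(stored_revision, old_revision, new_revision):
    """Compare the revision the NMS recorded after its last commit with the
    revision the device reports as preceding this commit. A difference means
    the configuration changed in between without the NMS (out-of-band).
    Returns (status, revision_to_store)."""
    if new_revision is None:
        return ("no-revision-reported", stored_revision)
    if stored_revision is None:
        return ("baseline-recorded", new_revision)
    if old_revision != stored_revision:
        return ("out-of-band-commit-detected", new_revision)
    return ("in-sync", new_revision)


def poll_status(stored_revision, device_revision):
    """Periodic check between commits: any difference means out of sync."""
    return "in-sync" if stored_revision == device_revision else "out-of-sync"


if __name__ == "__main__":
    old, new = parse_commit_revisions(SAMPLE_REPLY)["re0"]
    print(reconcile_after_commit("re0-1500000000-41", old, new))
    print(reconcile_after_commit("re0-1500000000-39", old, new))
```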

  • Changes to Python automation script execution requirements and access privileges (MX Series and T Series)—Starting in Junos OS Release 16.1R3, unsigned Python commit, event, op, and SNMP scripts must be owned by either the root user or a user in the Junos OS super-user login class, and only the file owner can have write permission for the file. In Junos OS Release 16.1R2 and earlier releases, unsigned Python scripts must be owned by the root user.

    Furthermore, starting in Junos OS Release 16.1R3, you can execute Python automation scripts using the access privileges of authorized users. Interactive Python scripts, such as commit and op scripts, run with the access privileges of the user who executes the command or operation that invokes the script. Noninteractive Python scripts, such as event and SNMP scripts, by default, execute under the privileges of the *nix user and group nobody. To execute the scripts under the access privileges of a specific user, configure the python-script-user username statement at the [edit event-options event-script file filename] hierarchy level for event scripts, or the [edit system scripts snmp file filename] hierarchy level for SNMP scripts. In Junos OS Release 16.1R2 and earlier releases, Python commit, event, op, and SNMP scripts are executed using the access privileges of only the user and group nobody.
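
One way to audit unsigned Python scripts against the 16.1R3 ownership and write-permission rule, as an added Python example that is not Juniper code. The set of permitted owner UIDs (root plus users in the super-user login class) is supplied by the caller, and the sample files are constructed.

```python
import os
import stat
import tempfile


def audit_unsigned_script(path, allowed_owner_uids):
    """Return a list of findings for one script; an empty list means the
    file meets the rule: owned by a permitted user, writable by owner only."""
    st = os.lstat(path)  # lstat: do not follow a symlink to some other file
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, directory or device)"]
    findings = []
    if st.st_uid not in allowed_owner_uids:
        findings.append(f"owner uid {st.st_uid} is not in the permitted set")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group has write permission")
    if st.st_mode & stat.S_IWOTH:
        findings.append("others have write permission")
    return findings


def audit_script_directory(directory, allowed_owner_uids):
    """Audit every *.py file in a directory; return {filename: findings}
    for the files that violate the rule."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".py"):
            continue
        findings = audit_unsigned_script(os.path.join(directory, name),
                                         allowed_owner_uids)
        if findings:
            report[name] = findings
    return report


def demo(allowed_owner_uids=None):
    """Build three constructed script files with different modes and audit
    them. By default the current user stands in for a permitted owner."""
    if allowed_owner_uids is None:
        allowed_owner_uids = {os.getuid()}
    samples = (("ok.py", 0o644),
               ("group_writable.py", 0o664),
               ("world_writable.py", 0o646))
    with tempfile.TemporaryDirectory() as directory:
        for name, mode in samples:
            path = os.path.join(directory, name)
            with open(path, "w") as handle:
                handle.write("# constructed sample script\n")
            os.chmod(path, mode)
        return audit_script_directory(directory, allowed_owner_uids)


if __name__ == "__main__":
    for filename, findings in demo().items():
        print(filename, findings)
```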

Layer 2 Features

  • Discrepancy in the reported BUM traffic—There is a discrepancy in the amount of BUM traffic reported on the aggregated Ethernet (AE) link between a designated forwarder (DF) and non-DF router. In an active-active configuration, the interface on the router in a DF role reports receiving twice as many packets as were sent from the interface of the router in a non-DF role.

  • Option to display the age of a single MAC entry—Beginning with Junos OS Release 16.1, a new option age is added to the command show vpls mac-table to display the age of a single MAC address for a given VPLS instance. For GE interfaces, age displays the MAC address aging time for a given VPLS instance. For AE interfaces, the age is reported for a given VPLS instance, separately for all the line cards.

    [See show vpls mac-table.]

  • Option to display the age of a single MAC entry—Beginning with Junos OS Release 16.1, a new option age is added to the command show bridge mac-table to display the age of a single MAC address for a given bridge. For GE interfaces, age displays the MAC address aging time for a given bridge instance. For AE interfaces, the age is reported for a given bridge instance, separately for all the line cards.

    [See show bridge mac-table.]

  • Option to display the age of a single MAC entry—Beginning with Junos OS Release 16.1, a new option age is added to the command show evpn mac-table to display the age of a single MAC address for a given EVPN instance.

    [See show evpn mac-table.]

  • Support for configuring MAC move parameters globally (MX Series)—Starting in Junos OS Release 16.1, you can configure parameters for media access control (MAC) address move reporting by including the global-mac-move statement and its substatements at the [edit protocols l2-learning] hierarchy level. When a MAC address appears on a different physical interface or within a different unit of the same physical interface and this behavior occurs frequently, it is considered a MAC move. You can configure the router to report a MAC address move based on the following parameters: the number of times a MAC address move occurs, a specified period of time over which the MAC address move occurs, and the specified number of times a MAC address move occurs in one second.

Layer 2 VPN

  • Support for LSP on EVPN-MPLS—Starting in Junos OS Release 16.1R7, Junos supports the mapping of EVPN traffic to specific label-switched paths (LSPs). Prior to this release, the traffic policies mapping extended community to specific LSPs did not work properly.

    [See community.]

Management

  • Support for status deprecated statement in YANG modules (MX Series and T Series)—Starting with Junos OS Release 16.1R2, Juniper Networks YANG modules include the status deprecated statement to indicate configuration statements, commands, and options that are deprecated.

  • XPath expressions for specific YANG keywords disabled during commit operations (MX Series and T Series)—Starting in Junos OS Release 16.1R2, XPath expression evaluations for the following YANG keywords are disabled by default during commit operations: leafref, must, and when. Prior to Junos OS Release 16.1R2, Junos OS evaluates the constraints for these keywords, which can result in longer commit times.

MPLS

  • LSPs displayed in lexicographic order (MX Series)—Starting with Junos OS Release 16.1, the LSPs are displayed in lexicographic order in the output of the show mpls lsp command. In earlier releases, this command displayed the LSPs in the order in which they were configured.

  • Inline BFD support on IRB interfaces (MX Series routers with MPCs or MICs)—Starting with Junos OS Release 16.1, the inline BFD sessions transmitted or received from FPC hardware are supported on integrated routing and bridging (IRB) interfaces. This enhancement is available only on MX Series routers with MPCs/MICs that have configured the enhanced-ip option.

  • Point-to-multipoint LSP ping echo reply ignored on Juniper side in Cisco-Juniper interoperability (MX Series and T Series)—Currently, in a Juniper-Cisco interoperation network scenario, a point-to-multipoint LSP ping echo reply message from a Cisco device in a different IGP area is dropped on the Juniper device when the source address of the reply message is an interface address other than the loopback address or router ID.

    Starting with Junos OS Release 14.2R6, 15.1R4, 16.1, and later releases, such point-to-multipoint LSP ping echo reply messages are accepted by the Juniper device and the messages get logged as uncorrelated responses.

  • Bandwidth underflow sample on LSPs (MX Series)—Starting in Junos OS Release 14.1R9, 15.1R7, and 16.1R5, all zero value bandwidth samples are considered as underflow samples, except for the zero value samples that arrive after an LSP comes up for the first time, and the zero value samples that arrive first after a Routing Engine switchover.

  • Support for inet.0 and inet.3 labeled unicast BGP route for protocol LDP (MX Series)—Starting in Junos OS Release 16.1R7, LDP egress policy is supported on both inet.0 and inet.3 routing information bases (RIBs), also known as routing tables, for labeled unicast BGP routes. If a routing policy is configured with a specific (inet.0 and inet.3) RIB, the egress policy is applied on the specified RIB. If no RIB is specified and a prefix is present on both inet.0 and inet.3 RIBs for labeled unicast BGP routes, then inet.3 RIB is preferred. However, prior to Junos OS Release 12.3R1 and starting with Junos OS Release 16.1R1, LDP egress policy is always preferred on inet.0 RIB and support for inet.3 RIB egress policy for labeled unicast BGP routes was disabled. In Junos OS Release 12.3R1 and later releases up to Junos OS Release 16.1R1, LDP egress policy was supported in inet.3 RIBs, in addition to inet.0 RIBs, for labeled-unicast BGP routes. [See Configuring the Prefixes Advertised into LDP from the Routing Table and Configuring Policers for LDP FECs.]

  • Starting in Junos OS Release 16.1R7, the previously hidden configuration statement, session, can be configured at the [edit protocols ldp] hierarchy level. This statement enables you to configure the LDP session parameters by specifying the session destination address.

    [See session.]

  • Support for RESV message formats recommended in RFC 6510 (MX Series)—Starting with Junos OS 16.1R1, Junos OS RSVP adheres to the RESV message format recommended in RFC 6510 to indicate per-LSP and per-S2L operational status.

    [See Supported MPLS Standards.]

Network Management and Monitoring

  • Updated unified container set in enterprise-specific Chassis MIB (MX Series)—Starting with Junos OS Release 16.1, the Juniper Networks enterprise-specific Chassis MIB (jnxBoxAnatomy) provides a unified container set that represents all supported MX Series chassis types when MX Series Virtual Chassis mode is active.

  • New lease query and bulk lease query definitions for the DHCP MIB (MX Series)—Starting in Junos OS Release 16.1R1, the DHCP MIB, jnx-jdhcp.mib, now includes the following definitions to collect statistics for DHCP lease query and bulk lease query messages for DHCP local server and DHCP relay:

    In jnxJdhcpLocalServerStatistics:

    • jnxJdhcpLocalServerLeaseQueryReceived

    • jnxJdhcpLocalServerBulkLeaseQueryReceived

    • jnxJdhcpLocalServerLeaseActiveSent

    • jnxJdhcpLocalServerLeaseUnknownSent

    • jnxJdhcpLocalServerLeaseUnAssignedSent

    • jnxJdhcpLocalServerLeaseQueryDoneSent

    In jnxJdhcpRelayStatistics:

    • jnxJdhcpRelayLeaseQuerySent

    • jnxJdhcpRelayBulkLeaseQuerySent

    • jnxJdhcpRelayLeaseActiveReceived

    • jnxJdhcpRelayLeaseUnknownReceived

    • jnxJdhcpRelayLeaseUnAssignedReceived

    • jnxJdhcpRelayLeaseQueryDoneReceived

  • SNMP proxy feature (MX Series)—Starting with Junos OS Release 16.1, you must configure the interface <interface-name> statement at the [edit snmp] hierarchy level for the proxy SNMP agent. In earlier releases, configuring an interface for the proxy SNMP agent was not mandatory.

  • MIB object ifOutErrors to display four types of errors—Starting in Junos OS Release 16.1, the MIB object ifOutErrors, which used to display only the errors on a particular interface, will now display the sum of the following four types of errors to match the CLI output of the command show interfaces interface_name extensive:

    • oerrors

    • oqdrops

    • oresourcerrors

    • bo_tx_drops

    Previously, SNMP ifOutErrors always showed as zero.

    [See SNMP MIB Explorer.]

  • Change in the output of snmp mib walk of the jnxVpnIfStatus MIB object (MX Series)—Starting with Junos OS Release 16.1R1, the show snmp mib walk jnxVpnIfStatus command provides information for all interfaces, except the Juniper Networks specific dynamic interfaces.

  • SNMP syslog messages changed (MX Series)—In Junos OS Release 16.1R5, two misleading SNMP syslog messages have been rewritten to accurately describe the event:

    • OLD: AgentX master agent failed to respond to ping. Attempting to re-register

      NEW: AgentX master agent failed to respond to ping, triggering cleanup!

    • OLD: NET-SNMP version %s AgentX subagent connected

      NEW: NET-SNMP version %s AgentX subagent Open-Sent!

    [See the MIB Explorer.]

  • MIB buffer overruns to be counted only under ifOutDiscards (MX Series)—The change made through PR 1140400 introduced a CVBC in which qdrops (buffer overruns) were counted under ifOutErrors along with ifOutDiscards. This contradicts RFC 2863, under which buffer overruns should be counted only under ifOutDiscards and not under ifOutErrors. In Junos OS Release 16.1R4, this is now fixed.

    [See SNMP MIB Explorer.]

  • Enhancement to SNMPv3 traps for contextName field (MX Series)—Starting in Junos OS Release 16.1R5 and Release 17.2R1, the contextName field in SNMPv3 traps generated from a non-default routing instance is populated with the same routing-instance information as is given in SNMPv2 traps. SNMPv2 traps provide the routing-instance information as context in the form of context@community. This information gives the network monitoring system (NMS) the origin of the trap, which is information it might need. Previously in SNMPv3, the contextName field was empty. For traps originating from a default routing instance, this field is still empty, which now indicates that the origin of the trap is the default routing instance.

    [See SNMP MIB Explorer.]

  • Juniper MIBs loading errors fixed (MX Series)—In Junos OS Release 16.1R3, duplicated entries and errors while loading MIBs on the ManageEngine MIB browser are fixed for the following MIB files:

    • jnx-chas-defines.mib

    • jnx-gen-set.mib

    • jnx-ifotn.mib

    • jnx-optics.mib

    [See MIB Explorer.]

  • Customer-visible SNMP trap name changes (MX Series)—In Junos OS Release 16.1R7, on the Enhanced Switch Control Board (SCBE), name changes include the Control Board slot when jnxTimingFaultLOSSet and jnxTimingFaultLOSClear traps are generated in the case of BITS interfaces (T1 or E1). SNMP traps for the backup Routing Engine clock failure event have been added, and the Control Board name is included in the SNMP trap interface name (jnxClksyncIntfName), for example, value: "external(cb-0)".

    [See SNMP MIB Explorer.]

  • Update to SNMP support of apply-path statement (MX Series)—Starting in Junos OS Release 16.1R5, SNMP implementation for the apply-path configuration statement supports only two lists:

    • apply-path "policy-options prefix-list <list-name> <*>"

      This configuration has been supported from day 1.

    • apply-path "access radius-server <*>"

      This configuration is supported as of Junos OS Release 16.1R5.

    [See SNMP MIB Explorer.]

Operation, Administration, and Maintenance (OAM)

  • Change in behavior of the Ethernet OAM CFM process (MX Series)—Starting in Junos OS Release 16.1R1, when you deactivate the connectivity fault management (CFM) protocol, the CFM process (cfmd) stops. When you activate CFM protocol, cfmd starts.

    In releases before Junos OS Release 16.1R1, when you deactivate the CFM protocol, the CFM process continues to run.

  • Support for damping connectivity fault management (CFM) performance monitoring traps and notifications to prevent congestion (MX Series routers)—Starting with Junos OS Release 16.1R4, you can dampen the performance monitoring threshold-crossing traps and notifications that are generated every time a threshold-crossing event occurs to prevent congestion of the network management system (NMS). Damping limits the number of jnxSoamPmThresholdCrossingAlarm traps sent to the NMS by summarizing the flap occurrences over a period of time, known as the flap trap timer, and sends a single jnxSoamPmThresholdFlapAlarm notification to the NMS. You can configure the duration of the flap trap timer to any value from 1 through 360 seconds.

    The jnxSoamPmThresholdFlapAlarm notification is generated and sent when the following conditions are met:

    • At least one flap has occurred when the flap timer has expired.

    • You changed the value of the flap trap timer, which caused the timer to stop.

    To enable damping at the global level, for the iterator, use the following command: set protocols oam ethernet cfm performance-monitoring sla-iterator-profiles profile-name flap-trap-monitor.

    To enable damping at the threshold type of an iterator—for instance, avg-fdv-twoway-threshold—use the following command: set protocols oam ethernet cfm performance-monitoring sla-iterator-profiles profile-name avg-fdv-twoway-threshold flap-trap-monitor.

    To disable damping at the global level, for the iterator, use the following command: delete protocols oam ethernet cfm performance-monitoring sla-iterator-profiles profile-name flap-trap-monitor.

    To disable damping at the threshold type of an iterator—for instance, avg-fd-twoway-threshold—use the following command: delete protocols oam ethernet cfm performance-monitoring sla-iterator-profiles profile-name avg-fd-twoway-threshold flap-trap-monitor.

Platform and Infrastructure

  • The length of TACACS messages allowed on Junos OS devices has been increased from 8150 to 65535 bytes. PR1147015

Routing Policy and Firewall Filters

  • New policy actions to set and modify AIGP attribute (MX Series and T Series)—Beginning with Junos OS 16.1, a new policy action, metric-aigp, is added to configure the accumulated interior gateway protocol (AIGP) metric value as the IGP metric, and aigp-adjust is introduced to modify this configured AIGP attribute at the [edit policy-options policy-statement policy-name term term-name then] and [edit policy-options policy-statement policy-name then] hierarchy levels. You can make minor adjustments to the AIGP from another AS or for scaling from one IGP domain to another.

    [See aigp-adjust.]

Routing Protocols

  • New option to configure the bandwidth-based metric (MX Series)—Beginning with Junos OS Release 16.1, you can configure the delay time that IS-IS takes before replacing the metric with a new metric value when the bundle changes from a worse metric to a better metric. The new configuration option interface-group-holddown-delay is available at the [edit protocols isis interface interface-name] hierarchy level.

    A new show command show isis interface-group displays the status information for the specified interface group.

    [See show isis interface-group.]

  • New option to configure IPv6 router advertisement preference (MX Series)—Beginning with Junos OS Release 16.1, you can configure preference for routers, which is communicated to IPv6 hosts through router advertisements. A new configuration statement preference is introduced at the [edit protocols router-advertisement interface interface-name] hierarchy level.

    [See preference.]

  • Change in command output for system statistics for IP and IP6—Beginning with Junos OS Release 16.1, the output of the show system statistics ip and show system statistics ip6 operational commands is modified. The output now displays the field fragment sessions dropped (queue overflow) for IP instead of fragments dropped (queue overflow), and fragment sessions dropped (queue overflow) for IP6, instead of fragments that exceeded limit.

  • Support for generate route with table next-hop (MX Series)—Starting with Junos OS Release 15.1R3, the generate route with table next-hop feature is supported.

    Generated routes are used as the route of last resort. A packet is forwarded to the route of last resort when the routing tables have no information about how to reach that packet’s destination.

    A generated route becomes active when it has one or more contributing routes. A contributing route is an active route that is a more specific match for the generated destination.

    A route can contribute only to a single generated route. However, an active generated route can recursively contribute to a less specific matching generated route.

    Note

    The generate route pointing to table next-hop feature is platform independent as long as the Packet Forwarding Engine of the platform supports table next-hop.

  • Support of sham-links on default instances—Starting with Junos OS Release 16.1, OSPF sham-links are supported on default instances. The cost of the sham-link is dynamically set to the aigp-metric of the BGP route if no metric is configured on the sham-link by the user.

  • New option to delay BGP route advertisements (MX Series)—Beginning with Junos OS Release 15.1F6, you can delay BGP route updates to its peers until the forwarding table is synchronized. This is to avoid premature route advertisements that might result in traffic loss. A new configuration statement delay-route-advertisements is available at the [edit routing-instances routing-instance-name protocols bgp group group-name family inet unicast] hierarchy level. You can configure both minimum and maximum delay periods to suit your network requirements.

    [See delay-route-advertisements.]

  • Contradictory configuration options not allowed—Beginning with Junos OS Release 15.1R4, you cannot configure both resolve and retain options for a statically configured route at the [edit routing-options] hierarchy level because they behave contradictorily. Resolved next hops cannot be retained, therefore you can configure only one of these options at a time.

  • Support for BGP flow specification for IPv6 on MPC7 line cards—Starting with Junos OS Release 16.1R2, the BGP flow specification for IPv6 feature is supported on MPC7 line cards. BGP flow specification automates coordination of traffic filtering rules in order to mitigate distributed denial-of-service attacks.

  • Change in default behavior of router capability (MX Series and PTX Series)—In Junos OS Releases 15.1F7, 16.1R4, 16.2R2, 16.1X65, and 17.1R1 and later releases, the router capability TLV distribution flag (S-bit), which controls IS-IS advertisements, is reset so that the segment routing capable sub-TLV is propagated throughout the IS-IS level and not advertised across IS-IS level boundaries.

Security

  • Changes to DDoS protection protocol group and packet type support (MX Series)—Starting in Junos OS Release 16.1, the following changes have been made to the protocols statement at the [edit system ddos-protection] hierarchy level and to the output of the show ddos-protection protocols command:

    • Removed the firewall-host protocol group.

    • Removed the unclassified packet type from the mcast-snoop protocol group.

    • Added the unclassified packet type to the tcp-flags protocol group.

  • Changes to distributed denial of service (DDoS) protection protocol groups and packet types (MX Series, T4000 with FPC5)—Starting in Junos OS Release 16.1, the following syntax changes have been made:

    • The mlp protocol group has been modified as follows to provide DDoS protection with full control of the bandwidth:

      • The aging-exc, packets, and vxlan packet types have been removed from the mlp protocol group.

      • The add, delete, and lookup packet types have been added to the mlp protocol group. These packets correspond to the MAC learning command codes.

    • The keepalive protocol group has been renamed to tunnel-ka.

    • The firewall-host protocol group and the mcast-copy packet type in the unclassified protocol groups have been removed from the CLI. They are now classified by the internal host-bound classification engine on the line card.

  • Changes to distributed denial of service (DDoS) protection default values for MLP packets (MX Series, T4000 with FPC5)—Starting in Junos OS Release 16.1, the following default bandwidth (pps) and burst (packets) values apply for MLP packets by line card:

    Policer         MPC1, MPC2, MPC5, and MPC6             MPC3, MPC4, and FPC5
                    Bandwidth (pps)   Burst (packets)      Bandwidth (pps)   Burst (packets)
    aggregate       10,000            20,000               5000              10,000
    add             4096              8192                 2048              4096
    delete          4096              8192                 2048              4096
    lookup          1024              2048                 512               1024
    unclassified    1024              1024                 512               512
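
    To show what these defaults mean for host-bound MLP traffic, the following added example (not Juniper code) models a single policer as a token bucket that starts full and compares the two line-card groups under the same constant load. The token-bucket behavior, the function names and the 3000-pps sample load are assumptions made for illustration; the aggregate policer and any other policing levels are not modeled.

```python
# Added example: simplified token-bucket model of the default MLP DDoS policers.
# Values are (bandwidth in pps, burst in packets), copied from the table above.
MLP_DEFAULTS = {
    "MPC1/MPC2/MPC5/MPC6": {
        "aggregate": (10000, 20000),
        "add": (4096, 8192),
        "delete": (4096, 8192),
        "lookup": (1024, 2048),
        "unclassified": (1024, 1024),
    },
    "MPC3/MPC4/FPC5": {
        "aggregate": (5000, 10000),
        "add": (2048, 4096),
        "delete": (2048, 4096),
        "lookup": (512, 1024),
        "unclassified": (512, 512),
    },
}


def police(card_group, packet_type, offered_pps, seconds):
    """Return (passed, dropped) for a constant-rate stream hitting one policer.

    Assumption: the policer behaves as a plain token bucket that refills at
    `bandwidth` packets per second, holds at most `burst` packets of credit
    and starts full. Packets arrive evenly spaced at `offered_pps`.

    Integer arithmetic only: credit is counted in units of 1/offered_pps of
    a packet, so each inter-packet gap adds `bandwidth` units and each
    forwarded packet costs `offered_pps` units.
    """
    if offered_pps <= 0 or seconds <= 0:
        raise ValueError("offered_pps and seconds must be positive integers")
    bandwidth, burst = MLP_DEFAULTS[card_group][packet_type]
    capacity = burst * offered_pps      # bucket size in scaled units
    tokens = capacity                   # bucket starts full
    total = offered_pps * seconds
    passed = 0
    for k in range(total):
        if k > 0:                       # refill for the gap since the last packet
            tokens = min(capacity, tokens + bandwidth)
        if tokens >= offered_pps:       # enough credit for one whole packet
            tokens -= offered_pps
            passed += 1
    return passed, total - passed


def compare_card_groups(packet_type, offered_pps, seconds):
    """Run the same offered load against the defaults of both line-card groups."""
    return {
        group: police(group, packet_type, offered_pps, seconds)
        for group in MLP_DEFAULTS
    }


if __name__ == "__main__":
    # Constructed load: 3000 pps of MLP lookup packets for 2 seconds.
    for group, (passed, dropped) in compare_card_groups("lookup", 3000, 2).items():
        print(f"{group:22s} passed={passed:5d} dropped={dropped:5d}")
```

    Under this model the same load loses roughly twice as many lookup packets on MPC3, MPC4, and FPC5 as on the other line cards, which is worth checking before relying on the defaults for a mixed chassis.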

  • Changes to distributed denial of service (DDoS) protection flow detection defaults (MX Series, T4000 with FPC5)—Starting in Junos OS Release 16.1, flow detection defaults to disabled for the following protocol groups and packet type, because they do not have typical Ethernet, IP, or IPv6 headers. Global flow detection does not enable flow detection for these groups and the packet type.

    • Protocol groups: fab-probe, frame-relay, inline-ka, isis, jfm, mlp, pfe-alive, pos, services.

    • Packet type: unclassified in the ip-opt protocol group.

  • Changes to show ddos-protection protocols command output (MX Series, T4000 with FPC5)—Starting in Junos OS Release 16.1, when you disable DDoS protection policers on the Routing Engine or on an FPC for a specific packet type, an asterisk is displayed next to that field in the CLI output. For example, if you issue the following statements:

    the fields are marked as in the following sample output:

    user@host> show ddos-protection protocols mlp lookup

Services Applications

  • Support for RPM probes for IPv4 and IPv6 sources and targets (TX Matrix Plus)—Starting with Junos OS Release 16.1, you can configure the TXP-T1600, TXP-T1600-3D, TXP-T4000-3D, or TXP-Mixed-LCC-3D router as the real-time performance monitoring (RPM) client router (the router or switch that originates the RPM probes) to send probe packets to the RPM probe server (the device that receives the RPM probes) that contains an IPv4 or IPv6 address. RPM enables you to configure active probes to track and monitor traffic. The support for configuring RPM probes and RPM clients on TX Matrix Plus routers is in addition to the support for RPM that existed on MX Series, T1600, and T4000 routers in previous releases.

  • Class pcp-logs and alg-logs are not configured for ms-interface (MX Series)—Starting with Junos OS Release 16.1R1, for multiservices (ms-) interfaces, you cannot configure system logging for PCP and ALGs by including the pcp-logs and alg-logs statements at the [edit services service-set service-set-name syslog host hostname class] hierarchy level. An error message is displayed if you attempt to commit a configuration that contains the pcp-logs and alg-logs options to define system logging for PCP and ALGs for ms- interfaces.

  • Support for configuring maximum number of measured video flows—Starting in Junos OS Release 16.1, you can configure the maximum number of video flows that can be measured at a time. To configure the maximum number of flows measured, include the flow-table-size max-flows statement at the [edit chassis fpc slot inline-video-monitoring] hierarchy level.

    [See Configuring Inline Video Monitoring.]

  • Anycast address 0/0 must not be accepted in the from-clause of Detnat rule (MX Series)—Starting with Junos OS Release 16.1R1, for multiservices (ms-) interfaces, anycast configuration is not allowed as the source-address when translation type is deterministic NAT.

  • Disabling NAT-traversal for IPsec-protected packets (MX Series)—Starting in Junos OS Release 16.1R1, you can include the disable-natt statement at the [edit services ipsec-vpn] hierarchy level to disable NAT-traversal (NAT-T) on MX Series routers. When you disable NAT-T, the NAT-T functionality is globally switched off. Also, even when a NAT device is present between the two IPsec gateways, only Encapsulating Security Payload (ESP) is used when you disable NAT-T. When NAT-T is configured, IPsec traffic is encapsulated using the UDP header, and port information is provided for the NAT devices. By default, Junos OS detects whether either one of the IPsec tunnels is behind a NAT device and automatically switches to using NAT-T for the protected traffic. However, in certain cases, NAT-T support on MX Series routers might not work as desired. Also, you might require NAT-traversal to be disabled if you are aware that the network uses IPsec-aware NAT. In such cases, you can disable NAT-T.

  • Exclude interfaces support in flowspec (rpd-infra) (MX Series)—Starting in Release 16.1, Junos OS supports excluding traffic received on specific interfaces from the flowspec filter. A new term is added at the beginning of the flowspec filter that accepts any packet received on these specific interfaces. The new term is a variable that creates an exclusion list of terms attached to the forwarding table filter as a part of the flow specification filter.

    To exclude the flowspec filter from being applied to traffic received on specific interfaces, you must first configure a group-id on such interfaces by including the family inet filter group group-id statement at the [edit interfaces] hierarchy level, and then attach the flowspec filter with the interface group by including the flow interface-group group-id exclude statement at the [edit routing-options] hierarchy level. You can configure only one group-id per routing instance with the set routing-options flow interface-group group-id statement.

  • Forwarding class and DSCP configuration for sampled packets (MX Series)—Starting with Junos OS Release 16.1R1, you can configure the forwarding class and the Differentiated Services Code Point (DSCP) mapping that is applied to exported packets for inline active flow monitoring. Configure forwarding-class class-name and dscp dscp-value at the [edit forwarding-options sampling instance instance-name family (inet | inet6) output flow-server hostname] hierarchy level.

    The dscp-value range is 0 through 63 (the default is 0). When the same flow-server is configured under both the inet and inet6 families in a sampling instance, use the same dscp value for both flow-server appearances.

    The dscp-value is overwritten by the CoS DSCP value if you configure dscp at the [edit class-of-service] hierarchy level.

  • Support for deterministic NAPT (MX Series)—You can configure deterministic port block allocation for Network Address Port Translation (NAPT) on MX Series routers with MS-MPCs or MS-MICs. By configuring deterministic NAPT, you ensure that translation of an internal host IP address (private IP to public IP and vice versa) is deterministic, which eliminates the need for address translation logging for each connection. To use deterministic port block allocation, you must specify deterministic-napt44 as the translation type in your NAT rule.

  • Deprecated security idp statements (MX Series)—The [edit security idp] configuration statements are deprecated for the MX Series for Junos OS Release 16.1R3 and earlier.

  • Change in the default behavior for memory utilization (MX Series)—Starting in Junos OS Release 16.1R1, by default, the software allocates 1024 (1K) entries for IPv4 flow tables. To allocate fifteen units of 256,000 (256K) IPv4 flow tables, which is the former default value, enter this configuration from the [edit] hierarchy level:

    Note

    Including this statement might result in an FPC restart. Therefore, we recommend that you make this configuration change only during a maintenance window to prevent disruption of network operations.

Software Installation and Upgrade

  • Asia/Kolkata option replaces Asia/Calcutta option in time-zone statement—Beginning with Junos OS Release 16.1, the time-zone statement has replaced the Asia/Calcutta option with Asia/Kolkata.

  • request system software add command options updated (MX Series and T Series)—As of Junos OS Release 16.1, the upgrade-with-config-format option in the request system software add command is removed. The upgrade-with-config option applies to the file indicated. Specify .text or .xml. The upgrade-with-config option does not accept files with the extension .txt.

Subscriber Management and Services

Note

Although present in the code, the subscriber management features are not supported in Junos OS Release 16.1R2. Documentation for subscriber management features is included in the Junos OS Release 16.1 documentation set.

  • Including termination reason for user logout events (MX Series)—Starting in Junos OS Release 16.1, when you enable the user-access flag at the [edit system processes general-authentication-service traceoptions] hierarchy level, the system log messages generated for authd include a termination reason for user logout events. In earlier releases, the log does not report any termination reasons.

    Sample output before the behavior change:

    Sample output after the behavior change:

  • Change in support for L2TP statistics-related commands (MX Series)—Starting in Junos OS Release 16.1, statistics-related show services l2tp commands cannot be issued in parallel with clear services l2tp commands from separate terminals. In earlier releases, you can issue these show and clear commands in parallel. Now, when any of these clear commands is running, you must press Ctrl+c to make the clear command run in the background before issuing any of these show commands.

    Note

    You cannot run multiple clear services l2tp commands from separate terminals. This behavior is unchanged.

    [See clear services l2tp destination, clear services l2tp session, and clear services l2tp tunnel.]

  • Support for longer CHAP challenge local names (MX Series)—Starting in Junos OS Release 16.1, the supported length of the CHAP local name is increased to 32 characters. In earlier releases, only 8 characters are supported even though the CLI allows you to enter a longer name. You can configure the name with the local-name statement at the [edit dynamic-profiles profile-name interfaces pp0 unit "$junos-interface-unit" ppp-options] or [edit dynamic-profiles profile-name interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" ppp-options] hierarchy level. The maximum length of the local name for PAP authentication remains unchanged at 8 characters.

    [See Configuring the PPP Challenge Handshake Authentication Protocol.]

  • Local DNS configurations available when authentication order is set to none (MX Series)—Starting in Junos OS Release 16.1, subscribers get the DNS server addresses when both of the following are true:

    • The authentication order is set to none at the [edit access profile profile-name authentication-order] hierarchy level.

    • A DNS server address is configured locally in the access profile with the domain-name-server, domain-name-server-inet, or domain-name-server-inet6 statement at the [edit access profile profile-name] hierarchy level.

    In earlier releases, subscribers get an IP address in this situation, but not the DNS server addresses.

  • Increased maximum limits for accounting and authentication retries and timeouts (MX Series)—Starting in Junos OS Release 16.1, you can configure a maximum of 100 retry attempts for RADIUS accounting (accounting-retry statement) or authentication (retry statement). In earlier releases, the maximum value is 30 retries. You can also configure a maximum timeout of 1000 seconds for RADIUS accounting (accounting-timeout statement) or authentication (timeout statement). In earlier releases the maximum timeout is 90 seconds.

    Note

    The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

    [See Configuring Router or Switch Interaction with RADIUS Servers.]

  • Change in Routing Engine-based CPCD (MX Series)—Starting in Junos OS Release 16.1, you must specify a URL with the redirect statement. You must also specify destination-address address with the rewrite statement. In earlier releases, you can successfully commit the configuration without these options.

  • Change in displayed value of LCP State field for tunneled subscriber sessions (MX Series)—Starting in Junos OS Release 16.1, when a subscriber session has been tunneled from the LAC to the LNS, the LCP State field displayed by the show interfaces pp0.unit command has a value of Stopped, which correctly reflects the actual state of the LCP negotiation (because at this stage LCP is terminated at the LNS).

    In earlier releases, this field incorrectly shows a value of Opened, reflecting the state of LCP negotiation before tunneling started. In earlier releases, you must issue the show ppp interface.unit command to display the correct LCP state.

  • Improved result code reporting in stopCCN and CDN messages (MX Series)—Starting in Junos OS Release 16.1, the LAC provides more accurate result codes and always includes error messages in the Result-Error Code AVP (1) included in the stopCCN and CDN messages that it sends to the LNS. Packet captures display the relevant information in the Result code, Error code, and Error Message fields of the AVP.

    In earlier releases, the result code does not provide sufficient information about the cause of the event, and the error message is omitted for some result codes.

  • Improved show interfaces interface-set command output (MX Series)—Starting in Junos OS Release 16.1R3, the output of the show interfaces interface-set command can now display mixed-protocol member interfaces when interface-sets are configured in the dynamic profile using the predefined variable, $junos-phy-ifd-interface-set-name.

    This display enhancement is necessary for a heterogeneous topology where both residential PPPoE subscribers and wholesaled (L2BSA) subscribers share the same access-facing physical interface. In earlier releases, the command output displays member interfaces only of the same type; for example, either PPPoE or L2BSA.

  • Syntax change for the show ancp neighbor command (MX Series)—Starting in Junos OS 16.1, to specify a neighbor for display, the show ancp neighbor command allows you to enter either an IP address or a MAC address for the neighbor:

    In earlier releases, the CLI permitted you to enter both an IP address and a MAC address to specify a neighbor.

  • Changes to show ancp subscriber and clear ancp subscriber commands (MX Series)—Starting in Junos OS Release 16.1, multiple simultaneous filtering options are no longer allowed for the show ancp neighbor, show ancp subscriber, and clear ancp subscriber commands. In earlier releases, you can issue commands with both the identifier and neighbor options or both the ip-address and system-name options on the same line. Now you can enter only one of these options at a time.

    To improve consistency, the neighbor option has been replaced with ip-address for the show ancp subscriber command, to match the show ancp neighbor, clear ancp neighbor, and clear ancp subscriber commands. For example, to display information about subscribers connected to a specific access node identified by its address, use the show ancp subscriber ip-address ip-address command; in earlier releases you use the show ancp subscriber neighbor ip-address command.

    The system-name mac-address option is now available for the show ancp subscriber and clear ancp subscriber commands.

  • Enhancements to test aaa statements for VLAN-OOB subscribers (MX Series)—Starting in Junos OS Release 16.1, you can use the no-address-request option with the test aaa dhcp user and test aaa ppp user statements for testing subscribers in a Layer 2 scenario where no address allocation request is required.

    The output of these two statements now displays two additional user attributes. Dynamic Profile is the name of the profile received in the Client-Profile-Name VSA (26-174). Routing Instance is the name of the routing instance conveyed by the Virtual-Router VSA (26-1). The existing Virtual Router Name attribute is the locally configured name of the logical system.

    [See Testing a Subscriber AAA Configuration.]

  • Subscriber secure policies and service change of authorization requests (MX Series)—Starting in Junos OS Release 16.1, a subscriber secure policy cannot be instantiated by a CoA that includes any other subscriber service activation or deactivation. Use a separate CoA to apply a subscriber secure policy.

  • Change to test aaa commands (MX Series)—Starting in Junos OS Release 16.1R2, the following changes have been made to the test aaa ppp user, test aaa dhcp user, and test aaa authd-lite user commands:

    • Attributes not supported by Junos OS no longer appear in the output.

    • The Virtual Router Name and Routing Instance fields have been combined into the new Virtual Router Name (LS:RI) field. The value of this field matches the Juniper Networks Virtual-Router VSA (26-1), if present; otherwise the field displays default:default.

    • The value for any attribute that is not received (except for 26-1), or set locally, is displayed as <not set>.

    • The Redirect VR Name field has been renamed to Redirect VR Name (LS:RI).

    • In the CLI output header section, the Attributes area has been renamed to User Attributes.

    • Supported attributes now always appear in the display, even when their values are not set.

    • The IGMP field has been renamed to IGMP Enable.

    • The IGMP Immediate Leave and the MLD Immediate Leave default values have changed from disabled to <not set>.

    • The Chargeable user identity value has changed from an integer to a string.

    • The Virtual Router Name field has been added to the display for the DHCP client.

  • Change to using the UID as part of a variable expression (MX Series)—Starting in Junos OS Release 16.1, you cannot use the UID (the unique identifier of variables defined in dynamic profiles) as part of a variable expression, because the hierarchy of evaluation is as follows:

    • The user variable expressions are first evaluated for the UIDs to be resolved.

    • If the expression contains UIDs, it might result in unpredictable results.

    Using a variable expression with a UID now results in a commit check failure.

  • Change to the show network-access aaa commands (MX Series)—Starting in Junos OS Release 16.1, the outputs from the show network-access aaa statistics authentication detail command and the show network-access aaa radius-servers detail command have changed as follows:

    • The Accounting request timeouts field displayed by the show network-access aaa statistics authentication detail command has been renamed to Timed out requests.

    • The Round Trip Time field of the show network-access aaa radius-servers detail command has been renamed to Last Round Trip Time.

  • Subscriber management support for rpd in 64-bit mode (MX Series)—Starting in Junos OS Release 16.1, subscriber management is now supported when the routing protocol daemon (rpd) is running in 64-bit mode. In earlier releases, subscriber management support required rpd to run in 32-bit mode.

  • Extended range for RADIUS request rate (MX Series)—Starting in Junos OS Release 16.1, the range for the request-rate statement at the [edit access radius-options] hierarchy level has been extended to 100 through 4000 requests per second. In earlier releases, the range is 500 through 4000 requests per second. The default value is unchanged at 500 requests per second.

  • Enhancements for subscriber secure policy mirroring (MX Series)—Starting in Junos OS Release 16.1R1, the following changes increase the security of trap notifications and restrict authorization for configuring the target mediation devices:

    • You must configure the target parameters for mediation devices so that the SNMPv3 traps are sent with privacy (encrypted). Targets without privacy configured cannot receive the trap notifications. In earlier releases, you can configure target parameters without privacy, allowing unencrypted notifications to be sent to the mediation devices.

    • You must explicitly configure a list of trap targets with the notify-targets statement at the [edit services radius-flow-tap snmp] hierarchy level. This means that authorization to configure the target mediation devices is limited to users with flow-tap-control permission; that is, only users allowed to configure subscriber secure policies. In earlier releases, any user with snmp-control permission can configure targets to receive the trap messages, and notifications are sent to all targets in a trap group.

    [See Subscriber Secure Policy Overview.]

  • Variable substitution change of authorization (CoA) behavior now the same as service activation CoA—Starting with Junos OS Release 16.1R2, variable substitution change of authorization (CoA) now behaves the same as service activation CoA. Variable substitution CoA, however, only occurs after the login, the authentication phase, and the service activation phase have occurred.

    The authentication phase occurs at login.

    The service activation phase occurs:

    • During login with the reception of an Access-Accept message from the RADIUS server in response to an Access-Request message

    • After login, when a CoA request message is sent from the RADIUS server

    Note

    Service activation is independent of variable substitution CoA. While service activation can occur at login, it can also occur afterward, with or without variable substitution CoA, in any order, and can occur multiple times.

    In both cases, the Access-Accept and CoA-Request messages sent from the RADIUS server contain the name of a service profile configured in the router that is to be applied to the client.

    A variable substitution CoA is processed in the same way as a service profile CoA with respect to the Class of Service (CoS) Adjustment Control Profile when the overhead accounting mode, or bytes, or both, are not provided in the variable substitution CoA, and differ from those specified in the client profile. If the overhead accounting mode or bytes, or both, are not specified, these values come from the client profile; otherwise the defaults (which are typically Frame Mode and 0 bytes, respectively) are used.

    The entire client profile is modified, if not replaced, with service activation. In the case of a variable substitution CoA, only specified variables in the existing client profile are modified. With this change, if the shaping rate is specified in the variable substitution CoA, but the overhead accounting mode, bytes, or both are not specified, the unspecified values come from the last configured values (sourced from the TCP, whether explicitly defined, or populated from a RADIUS server) in the client profile. The unspecified values do not come from the adjusting application (ANCP, PPPOE, or DHCP) values in the client profile, which may be presently applied. The overhead accounting mode, bytes, or both are now modified if left unspecified in a variable substitution CoA that modifies the shaping rate. This has always been the case for service activation, but now a variable modification CoA also correctly handles this case.

  • L2TP statistics now included in the output of the show system subscriber-management statistics command—Starting in Junos OS Release 16.1, a new option displays the L2TP plugin statistics in the output of the show system subscriber-management statistics command.

    The possible completions for the show system subscriber-management statistics command are:

    • <[Enter]> executes this command

    • all—Displays all statistics

    • dhcp—Displays the DHCP statistics

    • dvlan—Displays the DVLAN statistics

    • l2tp—Displays the L2TP statistics

    • ppp—Displays the PPP statistics

    • pppoe—Displays the PPPoE statistics

    • |—Pipes through a command

  • Error messages generated for L2TP access concentrator (LAC) logins can be prevented from appearing in the syslogs—Starting with Junos OS Release 16.1, setting the syslogs log level to WARNING or higher prevents error messages generated for Layer 2 Tunneling Protocol (L2TP) subscribers from appearing in the syslogs. The syslogs are L2TP packet statistics counters (Rx/Tx) that are displayed every minute. If no packets are received or L2TP is not configured, these messages do not appear in the syslogs.

    In earlier releases, the severity of the log level was ERROR, which now has changed to NOTICE. The error messages are filtered out if the log level is set to WARNING or higher (ERROR, CRITICAL, ALERT, or EMERGENCY). Setting the log level to NOTICE or lower (INFORMATIONAL or DEBUG) allows the error messages to appear in the syslogs.

  • VLAN demux interfaces over pseudowire interfaces (MX Series)—Starting in Junos OS Release 16.1, VLAN demux interfaces are supported over pseudowire subscriber logical interfaces.

  • Configuring a pseudowire subscriber interface for a logical tunnel (MX Series)—Starting in Junos OS release 16.1R2, you can configure a pseudowire subscriber interface and anchor it to a logical tunnel interface without explicitly specifying the tunnel bandwidth. In earlier releases, if you do not explicitly specify the tunnel bandwidth, or the tunnel bandwidth is anything other than 1G or 10G, the pseudowire interface is not created.

  • Automatic limit set for transmit window size (MX Series)—Starting in Junos OS Release 16.1R2, when the LAC receives a receive window size of more than 128 in the Start-Control-Connection-Reply (SCCRP) message, it sets the transmit window size to 128 and logs an Error level syslog message.

    In earlier releases, the LAC accepts any value sent in the Receive Window Size attribute-value pair (AVP 10) from an L2TP peer. Some implementations send a receive window size as large as 65530. Accepting such a large value causes issues in the L2TP congestion/flow control and slow start. The router may run out of buffers because it can support only up to a maximum of 60,000 tunnels.

  • Change in range for PPP keepalive interval (MX Series)—Starting in Junos OS Release 16.1R3, you can configure the PPP keepalive interval for subscriber services in the range 1 second through 600 seconds. Subscriber PPP keepalives are handled by the Packet Forwarding Engine. If you configure a value greater than 600 seconds, the number is accepted by the CLI, but the Packet Forwarding Engine limits the interval to 600 seconds. The interval is configured in a PPP dynamic profile with the interval statement at the [edit dynamic-profiles profile-name interfaces pp0 unit $junos-interface-unit keepalives] hierarchy level.

    In earlier Junos OS 16.1x releases, the range is from 1 second through 60 seconds. The Packet Forwarding Engine limits any higher configured value to an interval of 60 seconds.

    PPP keepalives for nonsubscriber services are handled by the Routing Engine with an interval range from 1 second through 32,767 seconds.

  • New option to display all pending accounting stops (MX Series)—Starting in Junos OS Release 16.1R4, the brief option is added to the show accounting pending-accounting-stops command. This option displays the current count of pending RADIUS Acct-Stop messages for subscribers, services, and total combined value:

    user@host> show accounting pending-accounting-stops brief

  • DNS servers displayed by the show subscribers extensive command (MX Series)—Starting in Junos OS Release 16.1R4, the display of DHCP domain name servers (DNS) by the show subscribers extensive command has changed. When DNS addresses are configured at multiple levels, the command displays only the preferred address according to this order of precedence: RADIUS > access profile > global access. The command does not display DNS addresses configured as DHCP local pool attributes.

    DNS addresses from RADIUS appear in the following fields: Primary DNS Address, Secondary DNS Address, IPv6 Primary DNS Address, IPv6 Secondary DNS Address.

    DNS addresses from the access profile or the global access configuration appear in the following fields: Domain name server inet, Domain name server inet6.

    In earlier releases, the command displays only DHCP DNS addresses provided by RADIUS.

  • Traffic shaping and L2TP tunnel switches (MX Series)—Starting in Junos OS Release 16.1R4, when a dynamic profile attaches a statically configured firewall filter to an L2TP tunnel switch (LTS) session, the filter polices traffic from the LTS (acting as a LAC) to the ultimate endpoint LNS, in addition to the previously supported traffic from the LAC to the LTS (acting as an LNS). In previous releases, the firewall filter applied to only the traffic from the LAC to the LTS.

  • Default L2TP resynchronization method changed and statement deprecated (MX Series)—Starting in Junos OS Release 16.1R5, the default resynchronization method for L2TP peers in the event of a control connection failure is changed to silent failover. In earlier releases, the default method is failover-protocol-fall-back-to-silent-failover. The silent failover method is preferred because it does not keep tunnels open without traffic flow, waiting for the failed peer to recover and resynchronize. You can use the new failover-resync statement at the [edit services l2tp tunnel] hierarchy level to specify either failover protocol or silent failover as the resynchronization method.

    Because silent failover is now the default, the disable-failover-protocol statement is no longer needed and has been deprecated. If you upgrade to this release with a configuration that includes this statement, it is supported, but the CLI notifies you it is deprecated.

  • IPv6 Link-local addresses assigned to underlying static demux interfaces (MX Series)—Starting in Junos OS Release 16.1R5, when you are using Router Advertisement for IPv6 subscribers on dynamic demux interfaces that run over underlying static demux interfaces, configure the software to use the same link-local address for both interfaces. In this case, the link-local address for the underlying interface should be based on the MAC address of the underlying interface. The following statement causes the system to assign an address using the 64-bit Extended Unique Identifier (EUI-64) as described in RFC 2373:

    [See Configuring the IPv6 Link-Local Address for Dynamic Demux Interfaces over Static Demux VLAN Interfaces.]

  • Source-specific multicast (SSM) CLI changes for dynamic IGMP and dynamic MLD (MX Series)—Starting in Junos OS Release 16.1R5, the ssm-map ssm-map-name statement at the [edit dynamic-profiles profile-name protocols (igmp | mld) interface interface-name] hierarchy level is deprecated and is no longer supported. Instead, you define an SSM map policy with the policy-statement statement at the [edit policy-options] hierarchy level. Apply the policy for dynamic IGMP or dynamic MLD with the ssm-map-policy ssm-map-policy-name statement at the [edit dynamic-profiles profile-name protocols (igmp | mld) interface interface-name] hierarchy level.

    If you upgrade from a release that does not support enhanced subscriber management (any release earlier than Junos OS Release 15.1R4) with a configuration that includes ssm-map, the configuration is allowed. However, the configuration has no effect and subscribers cannot log in.

  • Memory mapping statement removed for Enhanced Subscriber Management (MX Series)—In Junos OS Release 16.1R6, use the following command when configuring database memory for Enhanced Subscriber Management:

    set system configuration-database max-db-size

    CLI support for the set configuration-database virtual-memory-mapping process-set subscriber-management command has been removed to avoid confusion. Using the command for subscriber management now results in the following error message:

    WARNING: system configuration-database virtual-memory-mapping not supported. error: configuration check-out failed.

    [See Interface Configuring Junos OS Enhanced Subscriber Management for an example of how to use the max-db-size command.]

  • Change to ICRQ message inclusion of the ANCP Access Line Type AVP (MX Series)—Starting in Junos OS Release 16.1R7, the ICRQ message includes the ANCP Access Line Type AVP (145) when the received ANCP Port Up message includes a DSL-type of 0 (OTHER). In earlier releases, the AVP is not sent when the value is 0.

    [See Subscriber Access Line Information Handling by the LAC and LNS Overview.]

  • Wildcard supported for show subscribers agent-circuit-identifier command (MX Series)—Starting in Junos OS Release 16.1R7, you can specify either the complete ACI string or a substring when you issue the show subscribers agent-circuit-identifier command. To specify a substring, you must enter characters that form the beginning of the string, followed by an asterisk (*) as a wildcard to substitute for the remainder of the string. The wildcard can be used only at the end of the specified substring; for example:

    In earlier releases, starting with Junos OS Release 14.1, the command requires you to specify the complete ACI string to display the correct results. In Junos OS Release 13.3, you can successfully specify a substring of the ACI without a wildcard.

  • Correction to CLI for L2TP tunnel keepalives (MX Series)—Starting in Junos OS Release 16.1R7, the CLI correctly limits to 3600 seconds the maximum duration that you can enter for the hello interval of an L2TP tunnel group. In earlier releases, the CLI allows you to enter a value up to 65,535, even though only 3600 is supported.

    [See hello-interval (L2TP).]

  • Support for IPv6 all-routers address in nondefault routing instance (MX Series)—Starting in Junos OS Release 16.1R7, the well-known IPv6 all-routers multicast address, FF02::2, is supported in nondefault routing instances. In earlier releases it is supported only for the default routing instance; consequently IPv6 router solicitation packets are dropped in nondefault routing instances.

  • Change to DHCP option 82 suboptions support to differentiate duplicate clients (MX Series)—Starting in Junos OS Release 16.1R5, only the ACI (suboption 1) and ARI (suboption 2) values from the option 82 information are considered when this information is used to identify unique clients in a subnet. Other suboptions, such as Vendor-Specific (suboption 9), are ignored.

    [See DHCPv4 Duplicate Client In Subnet Overview.]

  • Change in display of IPv6 Interface Address field by the show subscribers extensive command (MX Series)—Starting in Junos OS 16.1R5, the show subscribers extensive command displays the IPv6 Interface Address field only when the dynamic profile includes the $junos-ipv6-address predefined variable.

    In earlier releases, the command always displays this field, even when the variable is not in the profile. In this case, the field shows the value of the first address from the Framed-IPv6-Prefix attribute (97).

    [See show subscribers.]
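
For the item "Automatic limit set for transmit window size" above, the following added example (not Junos OS code) parses the AVPs of a constructed SCCRP and caps the transmit window at 128 when the peer's Receive Window Size AVP (10) asks for more. The function names, the default of 4 when AVP 10 is absent (RFC 2661), the rejection of a zero window, and the log text are assumptions of the example.

```python
import struct

MAX_TX_WINDOW = 128           # cap described in the release note
DEFAULT_RX_WINDOW = 4         # RFC 2661: value assumed when AVP 10 is absent
AVP_MESSAGE_TYPE = 0
AVP_RECEIVE_WINDOW_SIZE = 10
MSG_SCCRP = 2
M_BIT, H_BIT, LEN_MASK = 0x8000, 0x4000, 0x03FF


class AvpError(ValueError):
    """Raised for AVPs that are truncated or violate the expected layout."""


def build_avp(attr_type, value, flags=M_BIT):
    """Encode one IETF (vendor ID 0) AVP; used here to construct sample input."""
    return struct.pack("!HHH", flags | (6 + len(value)), 0, attr_type) + value


def iter_avps(buf):
    """Yield (flags, vendor_id, attr_type, value), validating every length."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 6:
            raise AvpError(f"truncated AVP header at offset {off}")
        flags_len, vendor_id, attr_type = struct.unpack_from("!HHH", buf, off)
        length = flags_len & LEN_MASK      # low 10 bits, header included
        if length < 6 or off + length > len(buf):
            raise AvpError(f"bad AVP length {length} at offset {off}")
        yield flags_len & ~LEN_MASK, vendor_id, attr_type, buf[off + 6:off + length]
        off += length


def negotiate_tx_window(sccrp_avps):
    """Return (transmit_window, log_message_or_None) for a peer's SCCRP AVPs."""
    peer_window = None
    for flags, vendor_id, attr_type, value in iter_avps(sccrp_avps):
        if vendor_id != 0 or attr_type != AVP_RECEIVE_WINDOW_SIZE:
            continue
        if flags & H_BIT:
            raise AvpError("Receive Window Size AVP must not be hidden")
        if len(value) != 2:
            raise AvpError(f"Receive Window Size value is {len(value)} octets, not 2")
        (peer_window,) = struct.unpack("!H", value)
    if peer_window is None:
        return DEFAULT_RX_WINDOW, None
    if peer_window == 0:
        # Example's choice: a zero window would never allow a control message.
        raise AvpError("zero receive window")
    if peer_window > MAX_TX_WINDOW:
        # Never size local buffers from the peer-supplied value; cap and log.
        message = (f"error: peer receive window {peer_window} exceeds "
                   f"{MAX_TX_WINDOW}; transmit window set to {MAX_TX_WINDOW}")
        return MAX_TX_WINDOW, message
    return peer_window, None


def sample_sccrp(window=None):
    """Constructed SCCRP AVP list: Message Type plus optional AVP 10."""
    avps = build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRP))
    if window is not None:
        avps += build_avp(AVP_RECEIVE_WINDOW_SIZE, struct.pack("!H", window))
    return avps


if __name__ == "__main__":
    for requested in (None, 16, 128, 65530):
        print(requested, negotiate_tx_window(sample_sccrp(requested)))
```
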

System Logging

  • Support for system log message: UI_SKIP_SYNC_OTHER_RE (MX Series)—Starting with Junos OS Release 16.1R1, configuration synchronization with a remote Routing Engine is skipped when the configuration is already in sync with another Routing Engine with database revision.

    Note

    This system log message is generated when the graceful Routing Engine switchover feature is enabled.

    This system log message reports an event, not an error, and has notice as Severity and LOG_AUTH as Facility.

    [See Understanding Graceful Routing Engine Switchover in the Junos OS.]

System Management

  • Change to process health monitor process (MX Series)—Starting in Junos OS Release 15.1R2, the process health monitor process (pmond) is enabled by default on the Routing Engines of MX Series routers, even if no service interfaces are configured. To disable the pmond process, include the disable statement at the [edit system processes process-monitor] hierarchy level.

    [See process-monitor.]

  • New option to suppress ARP response from kernel to non-subscribers—Beginning with Junos OS Release 13.3R9, you can suppress the ARP response from the kernel when there is an ARP request for a loopback interface from non-subscribers. To drop ARP requests from non-subscribers, include the non-subscriber-no-response statement at the [edit system arp] hierarchy level.

    [See non-subscriber-no-response.]

User Interface and Configuration

  • New default implementation for serialization for JSON configuration data (MX Series and T Series)—Starting with Junos OS Release 16.1, the default implementation for serialization for configuration data emitted in JavaScript Object Notation (JSON) has changed. The new default is as defined in Internet drafts draft-ietf-netmod-yang-json-09, JSON Encoding of Data Modeled with YANG, and draft-ietf-netmod-yang-metadata-06, Defining and Using Metadata with YANG.

    [See Mapping Junos OS Configuration Statements to JSON.]

  • output-file-name option for show system schema command is deprecated (MX Series and T Series)—Starting with Junos OS Release 16.1, the output-file-name option for the show system schema operational command is deprecated. To direct the output to a file, use the output-directory option and specify the directory. By default, the filename for the output file uses the module name as the filename base and the format as the filename extension. If you also include the module-name option in the command, the specified module name is used for both the name of the generated module and for the filename base for the output file.

    [See show system schema.]

  • Enhanced output regarding per CPU usage introduced in Junos OS Release 16.1R3 for Junos OS with upgraded FreeBSD (MX Series, QFX Series, EX9200, PTX5000)—A new field in the output of the show system processes extensive command gives the breakdown of the percent usage on a per-CPU basis into the following categories: % user, % nice, % system, % interrupt, % idle. This field shows up in the second frame of output. To see which platforms run Junos OS with upgraded FreeBSD, see Understanding Junos OS with Upgraded FreeBSD.

  • SLAX scripts included as part of the Junos OS image (MX Series)—Starting in Junos OS Release 16.1R4, the Stylesheet Language Alternative Syntax (SLAX) scripts services-oids-ev-policy.slax, services-oids.slax, and utils.slax are included as part of the Junos OS image and automatically copied to the required location on the router when you install Junos OS.

    [See SLAX Overview.]

VLAN Infrastructure

  • ACI and ARI from PADI messages included in Access-Request messages for VLAN authentication (MX Series)—Starting in Junos OS Release 16.1R5, when the PPPoE PADI message includes the agent circuit identifier (ACI), agent remote identifier (ARI), or both, these attributes are stored in the VLAN shared database entry. If the VLAN needs to be authenticated, then these attributes are included in the RADIUS Access-Request message as DSL Forum VSAs 26-1 and 26-2, respectively (vendor ID 3561). The presence of these attributes in the Access-Request enables the RADIUS server to act based on the attributes.

    [See DSL Forum Vendor-Specific Attributes.]
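
On the RADIUS server side, the ACI and ARI described above arrive as sub-attributes 1 and 2 inside Vendor-Specific (26) attributes carrying vendor ID 3561. The following added example (not Junos OS or RADIUS server code) builds a constructed Access-Request and extracts both values with strict length checks; the function names, the sample identifiers, and the zeroed authenticator are assumptions of the example.

```python
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
DSL_FORUM_VENDOR_ID = 3561
SUBTYPE_NAMES = {1: "agent-circuit-id", 2: "agent-remote-id"}


def encode_dsl_forum_vsa(subtype, value):
    """Wrap one DSL Forum sub-attribute in a Vendor-Specific attribute."""
    sub = bytes([subtype, 2 + len(value)]) + value
    body = struct.pack("!I", DSL_FORUM_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body


def build_access_request(attributes, identifier=7):
    """Constructed packet: header, zeroed 16-octet authenticator, attributes."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + bytes(16) + attributes


def iter_tlvs(buf, what):
    """Yield (type, value) for 1-octet type / 1-octet length TLVs."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError(f"truncated {what} header at offset {off}")
        tlv_type, length = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            raise ValueError(f"bad {what} length {length} at offset {off}")
        yield tlv_type, buf[off + 2:off + length]
        off += length


def extract_line_ids(packet):
    """Return {'agent-circuit-id': ..., 'agent-remote-id': ...} if present."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError(f"bad packet length {length}")
    found = {}
    for attr_type, attr_value in iter_tlvs(packet[20:length], "attribute"):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(attr_value) < 4:
            continue
        (vendor_id,) = struct.unpack_from("!I", attr_value, 0)
        if vendor_id != DSL_FORUM_VENDOR_ID:
            continue
        # One VSA may carry several sub-attributes, so walk all of them.
        for sub_type, sub_value in iter_tlvs(attr_value[4:], "sub-attribute"):
            name = SUBTYPE_NAMES.get(sub_type)
            if name:
                # The strings originate outside the server: escape, never trust.
                found[name] = sub_value.decode("ascii", "backslashreplace")
    return found


# Constructed sample values, not taken from a real network.
SAMPLE_REQUEST = build_access_request(
    bytes([ATTR_USER_NAME, 2 + 6]) + b"vlan42"
    + encode_dsl_forum_vsa(1, b"dslam7 atm 1/3:0.35")
    + encode_dsl_forum_vsa(2, b"cust-0042")
)

if __name__ == "__main__":
    print(extract_line_ids(SAMPLE_REQUEST))
```
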

VPNs

  • EVPN E-Tree extended community (MX Series)—Starting in Junos OS Releases 16.1R5, 17.1R2, and 17.2R1 and later releases, the E-Tree leaf indication bit and leaf label in the EVPN E-Tree extended community follow the E-Tree Extended Community as defined in the IETF draft E-Tree Support in EVPN & PBB-EVPN. A mixed network environment with routers running versions of Junos OS without this fix and routers with this fix would encounter unexpected forwarding behavior. Junos OS Release 16.1R4 has the incorrect label indication bit and leaf label encoding.

    [See EVPN-ETREE Overview.]

  • Support for ping on a virtual gateway address (MX Series)—Starting in Junos OS Release 16.1R5, Junos OS supports pinging an IPv4 or IPv6 address on the preferred virtual gateway interface. To set up support for ping, you must include both the virtual-gateway-accept-data and the preferred statements at the [edit interfaces irb unit] hierarchy of the preferred virtual gateway. This enables the interface on the preferred virtual gateway to accept all packets for the virtual IP address, including ping packets.

    [See virtual-gateway-address.]

Known Behavior

This section contains the known behavior, system maximums, and limitations in hardware and software in Junos OS Release 16.1R7 for MX Series and T Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Forwarding and Sampling

  • On MX Series routers, starting in Junos OS Release 15.1R5, 16.1R3 or later, a new mechanism is added to the Packet Forwarding Engine to improve forwarding performance. A noticeable behavior of the mechanism is to increase the CPU utilization periodically.

General Routing

  • Jitter transfer might fail on MX104 router with non-Ethernet MICs—Jitter transfer might fail on MX104 routers with MIC-3D-1OC192-XFP. This is due to a hardware limitation and there is no workaround.

  • The date and time zones are synchronized from the admin guest Junos OS to the host OS on the MX240, MX480, MX960, MX2010, and MX2020 routers, and both use the same time zones. Therefore, there is no difference in the timestamp in system log files of Junos OS and the host OS.

  • The temperature conditions of the Routing Engine FRU for RE-MX-X8 are now displayed correctly. The show chassis zones command now displays the accurate temperature conditions.

  • FIFO handles of SSD-monitoring smartd are not cleared on the host OS after multiple commits or checks. Smartd stops working when the FIFO limit reaches a maximum. Therefore, we recommend that you do not change smartd configurations too often and perform SSD smart checks after long intervals of time. When the FIFO limit reaches a maximum, reboot the host OS.

Interfaces and Chassis

  • Reordering of MAC addresses after a Routing Engine switchover—In Junos OS Release 14.2 and later, if you configure multiple aggregated Ethernet interfaces, the MAC address of the aggregated Ethernet interfaces displayed in the show interfaces ae number command output might get reordered after a Routing Engine switchover or restart.

    As a workaround, you can configure static MAC addresses for aggregated Ethernet interfaces. Any external dependency, such as filtering of the MAC addresses that are assigned before the reboot, becomes invalid if the MAC address changes.

  • Change in naming and enumeration of storage devices—Starting in Junos OS Release 15.1R1, on systems running Junos OS with upgraded FreeBSD, the output of the show chassis hardware detail command displays a new naming and enumeration convention for the storage devices. The Compact Flash and Disk0 details on the Routing Engine are displayed as ada1 and ada0. The Compact Flash and Disk 0 details were previously displayed as ad0 and ad1, respectively.

    However, the naming and enumeration convention of the storage devices on systems running Junos OS based on older versions of the FreeBSD kernel, even in Junos OS Release 15.1R1 and later, remain the same.

MPLS

  • Removal of SRLG details from the SRLG table only on the next reoptimization of the LSP—If an SRLG is associated with a link used by an ingress LSP in the router, then on deleting the SRLG configuration from that router, the SRLG gets removed from the SRLG table only on the next reoptimization of the LSP. Until then, the output displays Unknown-XXX instead of the SRLG name and a nonzero srlg-cost of that SRLG for the run show mpls srlg command.

  • The configuration flow-label-transmit and flow-label-receive statements are not supported in OAM CFM session over L2Circuit.

  • Non-compliance with RFC 6424 causes MPLS LDP traceroute loop—Use of the traceroute mpls ldp command on devices that do not support RFC 6424, Mechanism for Performing Label Switched Path Ping (LSP Ping) over MPLS Tunnels, results in a loop creation. As a workaround, use the pipe-mode option with the traceroute mpls ldp command to avoid loops. This can cause some of the intermediate nodes to return a non-compliant probe status, which is acceptable.

    [See traceroute mpls ldp.]

Multicast

  • IGMP snooping does not map router interface when source IP address is 0.0.0.0 (MX Series)—When a snooping switch sends an IGMP query on an interface with a source IP address of 0.0.0.0, that interface is not marked as a router interface. The show igmp snooping interface command displays Router Interface: no for that interface. This is the expected behavior. To correct IGMP mapping, provide the querying interface with an IP address other than 0.0.0.0.

Network Management and Monitoring

  • SNMP—The configuration flow-label-transmit and flow-label-receive statements are not supported in OAM CFM session over L2Circuit.

  • Configuration recommendation for use with the Junos Space Network Management Platform (MX Series)—Starting in Junos OS 16.1R3, we recommend that you use the following configuration for an encryption cipher on any router or switch used with the Junos Space Network Management Platform. The recommended configuration enables the Junos Space Network Management Platform to more easily discover the device. Other configurations may result in a failed SSH negotiation.

  • SNMP traps for certain interfaces in admin down state (MX Series)—SNMP traps are generated when an interface that supports the Digital Optical Monitoring (DOM) MIB is placed in an administrative down state. This behavior informs the operator of any interface fault, alarm, or threshold condition.

Routing Protocols

  • BGP advertises inactive routes when advertise-inactive statement is not configured—When BGP advertises a network layer reachability information (NLRI) with a label, and the advertised route resides in xxx.xxx.3 routing table such as inet.3, Junos OS automatically advertises such inactive routes even if you have not configured the advertise-inactive statement.

Software Installation and Upgrade

  • Option upgrade-with-config Accepts Only Configuration Files with Extension .text or .xml (MX Series and T Series)—In the request system software add command, the upgrade-with-config option does not apply the configuration if the configuration file has the extension .txt. This option accepts only files with the extension .text or .xml.

  • Unified ISSU with active BBE subscribers using advanced services supported only to Junos OS Release 16.1R7 and later 16.1 releases—If you have active broadband edge subscribers that are using advanced services, you cannot perform a successful unified ISSU to a Junos OS 16.1 release earlier than 16.1R7. If you perform an ISSU to a 16.1 release earlier than 16.1R7, the advanced services PCC rules are not attached to subscribers.

Subscriber Management and Services

  • On MX Series routers, when you configure the subscriber-awareness statement on a service set by committing the set services service-set service-set-name service-set-options subscriber-awareness statement, the service sessions fail to create. To avoid this issue, on MX Series routers that support the Service Control Gateway solution, ensure that the Junos OS Mobility package software is installed on the router.

    The Service Control Gateway solution is supported only in 14.1X55 releases. For Junos OS Releases 14.2, 15.1, and 16.1, ensure that the subscriber-awareness statement is not set.

  • Enhanced subscriber management performance and scale (MX Series)—Starting in Junos OS Release 16.1, subscriber management supports a denser subscriber scale per platform, per line card, and per port. It also provides improved performance of call setup rates. These enhancements are available through a software upgrade, which retains feature parity with existing broadband edge implementations, except as noted for “enhanced subscriber management” in these release notes. New hardware is not required.

    The increased scale and faster setup rates apply to PPP client scaling, PPP LAC sessions, LAC and termination and aggregation (PTA) combinations, and PPP client scaling over LNS on the PPP interface for IPv4, IPv6, and concurrent sessions. It also applies to DHCP client scaling stateless address autoconfiguration (SLAAC), IPv6 over Ethernet, and DHCPv4 clients.

  • Dynamic provisioning in Layer 2 wholesaling (MX Series)—Starting with Release 15.1R3, Junos OS does not support dynamic VLAN mapping into VPLS instances. (You can still configure static VLAN interface mapping to VPLS instances.) By extension, dynamic provisioning for Layer 2 wholesaling is also not supported in this release.

    The following example shows the statements that are not currently available (encapsulation vlan-vpls and family vpls at the [edit dynamic interfaces] hierarchy level):

  • The all option is not intended to be used as a means to perform a bulk logout of L2TP subscribers. We recommend that you do not use the all option with the clear services l2tp destination, clear services l2tp session, or clear services l2tp tunnel statements in a production environment. Instead of clearing all subscribers at once, consider clearing subscribers in smaller groups, based on interface, tunnel, or destination end point.

  • Before you make any changes to the underlying interface for a demux0 interface, you must ensure that no subscribers are currently present on that underlying interface. If any subscribers are present, you must remove them before you make changes.

  • For dual-stacked clients over the same PPP over L2TP LNS session, enhanced subscriber management does not support configurations where both of the following are true:

    • The CPE sends separate DHCPv6 solicit messages for the IA_NA and the IA_PD.

    • The solicit messages specify a type 2 or type 3 DUID (link-layer address).

    As a workaround, you must configure the CPE to send a single solicit message for both IA_NA and IA_PD when the other configuration elements are present.

System Logging

  • On MX Series routers, when you configure a rate limit for system log messages by setting the message-rate-limit statement for a multiservices interface, ensure that the syslog host option for that interface is configured. This configuration ensures that the system log statistics reflect the rate limit set for the interface.

User Interface and Configuration

  • Modification to configurable link degrade threshold values (MX Series)—Starting with Junos OS Release 15.1F7 and 16.1R1, the values of the user-configurable link degrade thresholds must be configured as per the following guidelines:

    • set threshold value must be greater than warning set threshold value

    • set threshold value must be greater than clear threshold value

    • warning set threshold value must be greater than warning clear threshold value

    If the threshold values are not configured as per these guidelines, the configuration fails and a Commit Error message is displayed.

VPNs

  • Default export EVPN policy has been removed (MX Series)—Starting in Junos OS Release 16.1R2 and forward, the hidden default EVPN export policy statement (evpn-pplb) has been removed. To enable and configure load balance per packet for EVPN, use the existing policy statements:

    • set routing-options forwarding-table export evpn-pplb

    • set policy-options policy-statement evpn-pplb from protocol evpn

    • set policy-options policy-statement evpn-pplb then load-balance per-packet

    Note

    To support EVPN multihoming, you must configure the load-balance per-packet statement.

Known Issues

This section lists the known issues in hardware and software in Junos OS Release 16.1R7 for MX Series and T Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

EVPN

  • Routing instances of type evpn configured with a VLAN ID will advertise MAC (type 2) routes with the VLAN value in the Ethernet tag field of the MAC route. Advertising MAC routes with a non-zero VLAN is incompatible with the EVPN VLAN-based service type. To enable interop between a Junos OS routing instance of type evpn and a remote EVPN device operating in VLAN-based mode, the Junos OS routing instance should be configured with vlan-id none so that the Ethernet tag in advertised MAC routes is set to zero. PR945247

  • EVPN uses several different subtypes of routes within the EVPN address family, which are advertised through the control plane between provider edges using BGP. Multihoming provider edges use Ethernet segment (ES) routes to advertise that the provider edges are connected to a given multihomed segment. All other multihoming provider edges attached to the same multihomed segment import those Ethernet segment routes, and combined with their own local state, elect a single designated forwarder (DF) for each EVPN instance that is part of the multihomed segment. When a new provider edge is added to an existing EVPN, the new provider edge needs to download the full set of EVPN routes advertised by the other existing provider edges. In case of high MAC scaling, it is possible that remote provider edges will generate and send BGP updates for MAC routes (or other EVPN route types) before generating and sending the ES routes. If the time taken by the original multihoming provider edge(s) to send the ES routes is longer than the DF election hold timer on the new provider edge, the new provider edge and an existing multihoming provider edge might both consider themselves to be the DF for the same EVPN ES simultaneously. In this situation, broadcast traffic could be flooded by both provider edges. Additionally, in the case of single-active multihoming, transient/spurious MAC moves could happen between the two provider edges both considering themselves to be the DF, causing unnecessary BGP update churn and slowing convergence. PR968428

  • A provider edge (PE) device running EVPN IRB with an IGP configured in a VRF associated with the EVPN instance will be unable to establish an IGP adjacency with a CE device attached to a remote PE device. The IGP instance running in the VRF on the PE might be able to discover the IGP instance running on the remote CE through broadcast or multicast traffic, but will be unable to send unicast traffic directly to the remote CE device. PR977945

  • In a provider backbone bridging EVPN scenario, after configuration changes of the EVPN routing instance, rarely, an internal reference count might unexpectedly become zero when some deletes are yet to be processed. As a result, the Layer 2 address learning (l2ald) process crashes. L2ald runs on the Routing Engine to mainly manage MAC learning, aging, removal, and so on. The crash of L2ald might impact the MAC learning related feature. The impact might last around 3-4 seconds. PR1015297

  • On MX Series routers with EVPN, the routing protocol process might crash when MAC moves between multihomed PE routers, resulting in traffic loss. PR1216144

  • There will be no warning for the mismatched etree-role on the same ESI. Clients must watch for such misconfiguration. PR1224685

  • An incorrect PE router is attached to an ESI when the router receives two copies of the same AD/ESI route (for example, one through eBGP and another one received from an iBGP neighbor). This causes a partial traffic black hole and stale MAC entries. You can confirm the issue by checking the members of the ESI:

        user@router> show evpn instance extensive
        ...
        Number of ethernet segments: 5
        ESI: 00:13:78:00:00:00:00:00:00:01
        Status: Resolved
        Number of remote PEs connected: 3
        Remote PE        MAC label  Aliasing label  Mode
        87.233.39.102    0          0               all-active
        87.233.39.1      200        0               all-active (this PE is not part of the ESI)
        87.233.39.101    200        0               all-active

    PR1231402

  • On a Junos OS platform, the l2ald process might crash when a MAC address is being processed. The MAC learning process is impacted during the period of the l2ald crash. The l2ald process recovers by itself. PR1347606

Forwarding and Sampling

  • When a policing filter is applied to an active LSP carrying traffic, the LSP resignals and drops traffic for approximately 2 seconds. It might take up to 30 seconds for the LSP to come up under the following conditions:

    • Creation of the policing filter and application of the same to the LSP through configuration occurs in the same commit sequence

      and

    • Load override of a configuration file that has a policing filter and application of the policing filter to the LSP, followed by a commit. PR1160669

  • In some stress test conditions, the sampled process crashes and generates a core file when connecting to Layer 2 Bitstream Access (L2BSA) and EVPN subscribers aggressively. PR1293237

  • Heap memory leaks occur on a DPC when the flow specification route is changed. PR1305977

General Routing

  • This issue occurs when the configured global-MAC limit is less than the interface MAC limit and the same interface is configured with packet action. When the traffic is sent with a higher packet rate, all the MAC entries are learned by the Packet Forwarding Engine. The Routing Engine later trims this to the configured global-MAC limit. When the traffic is sent with a lower packet rate, the Routing Engine learns somewhat more than the configured global-MAC limit and subjects the remaining packets (with newer MACs) to the configured drop action. PR1002774

  • The enhanced IP address or enhanced Ethernet network-services mode and MS-DPC card are not compatible and should not be configured or inserted in the chassis at the same time. The enhanced IP address or enhanced Ethernet mode extends the range of logical interfaces (IFLs) configurable to 0-256K while MS-DPCs are limited to support 0-64K logical interfaces. The enhanced-IP or enhanced-Ethernet and MS-DPC card will become compatible only after a code change is introduced by this PR. To implement a new configuration statement to limit the logical interface scaling to 64,000 (default), the enhanced IP address or enhanced Ethernet mode is configured as follows:

        # set chassis network-services enhanced-ip limited-ifl-scaling

    Note: The new configuration statement will require the system to reboot if the router already had a configuration for the network services enhanced IP. PR1035484

  • The start time and end time of the flow in inline J-Flow (version 9) have a future timestamp. PR1067307

  • There are some configuration-related functions in the routing protocol process and L2cpd that use special memory APIs called lite pools. These pools, when reset, were not freeing control information related to these pools, thereby resulting in a leak. This is not a day-one issue. This bug was introduced in Junos OS Release 15.1 when LIBJTASK memory subsystem was implemented. This PR impacts all the processes that use LIBJTASK (including rpd) on all platforms, provided memory lite pools are used by those processes. PR1071191

  • On chassis based line cards, the FI: Protect: Parity error for CP freepool SRAM SRAM parity error might be seen. It is harmless and can be ignored. PR1079726

  • On MX Series routers with MS-MPC or MS-MIC, memory leaks can be seen with jnx_msp_jbuf_small_oc object, upon sending millions of Point-to-Point Tunneling Protocol control connections (3 through 5 million) alone at higher cells per second (cps) (greater than 150K cps). This issue is not seen with up to 50,000 control connections at 10,000 through 30,000 cps. PR1087561

  • On XL-based cards such as MPC or IOC3, Packet Processing Engine (PPE) thread timeout errors are triggered when the FPC allocates illegal memory space for the forwarding state of routing operations. In certain cases, this results in packet loss depending on the number of packets using this forwarding state. PR1100357

  • On an MX104 platform, when using snmpbulkget or snmpbulkwalk (for example, used by the SNMP server) on a chassisd related component (for example, jnxOperatingEntry), chassis process (chassisd) high CPU usage and slow response might be seen due to hardware limitation, which might also lead to query timeout on the SNMP client. In addition, the issue might not be seen when using SNMP query for interface statistics. As a workaround, perform either of the following:

    • Use snmpget or snmpwalk instead of snmpbulkget or snmpbulkwalk. Include the -t 30 option when performing the SNMP query. For example, snmpget -v2c -c XX -t 30.

    • Use the -t 30 option with snmpbulkget or snmpbulkwalk. For example, snmpbulkget -v2c -c XX -t 30. PR1103870

  • In some scenarios, on executing the show services sessions and show services sessions extensive commands, the CLI might collect information about the sessions as and when the packets for that particular session are being processed. Under these circumstances, the frame count and byte count of both the forward and reverse flow in a session show zero for a few seconds. After a few seconds, once the processing of the packet is complete, the frame count and byte count show proper values. PR1110303

  • In case of IPsec, the member interface, for example, mams-x/y/z, is part of an aggregated multiservices (AMS) bundle in one-to-one mode. The same numbered ms-x/y/z interface should not be used for IPsec or any other services. PR1134645

  • When successive back-to-back commits are performed on a scaled configuration, there could be a timeout or a delay in completing the commit check operation. PR1139206

  • Dynamic tunnel interface bounces are causing memory corruption and are leading to an rpd crash. The new rpd process synchronizes with the kernel, which might have stored the information about the GRE tunnel logical interface created by the previous rpd process. The new rpd process uses this information from the kernel, leading to subsequent rpd crashes being triggered. The following logs might be seen when this issue occurs:

        user@router> show log messages | match "Address already in use"
        %DAEMON-3: Error creating dynamic logical interface from sub-unit 32792: Address already in use
        %DAEMON-3-RPD_KRT_Q_RETRIES: kqp 0x49df00d0: op add queue low-add attempts 4010 ifd index 284, ifl unit 32792, family 2 instance id 0, state CreateIFL
        RPD_KRT_Q_RETRIES: IFL IFF Update: Address already in use

    PR1152912

  • On MX Series routers with MS-MICs and MS-MPCs with the syslog statement included at the [edit services cos rule rule-name term term-name then] hierarchy level, a system log message is not generated when a CoS rule term is matched, in contrast to the expected behavior in which system log messages are generated when a NAT rule term is matched. PR1159231

  • An intermittent issue occurs when an aggregated Ethernet interface is configured with the bypass-queuing-chip configuration statement. When follow-up configuration changes remove a child link from the aggregated Ethernet bundle and configure per-unit-scheduler on the removed child link in a single commit, intermittent issues occur with the per-unit-scheduler configuration updates to cosd and the Packet Forwarding Engine. Hence, dedicated scheduler nodes might not be created for all units or logical interfaces. PR1162006

  • When pulling a SIB out without it being offline on routers with FPC3, it is possible that traffic might be dropped, resulting in an overall reduction in traffic throughput. PR1162977

  • When using MS-MPC or MS-MIC service cards, a single pool cannot be used in different service sets. Separate pools with different names would then need to be used. Additionally, pools created automatically by a source-prefix or destination-prefix statement will not work if the same source-prefix or destination-prefix statement appears in a different service set. PR1175664

  • Some older Routing Engines (RE-2000) have insufficient storage on the CF to hold a complete recovery snapshot for Junos OS Release 16.1 and later. In such cases, a minimal recovery snapshot will be created. This minimal recovery snapshot does not include any line card software. Once the Routing Engine has been recovered, if the management Ethernet interface is connected, the full Junos OS interface can be downloaded and added, or they can be fetched to the other Routing Engine and then it can be transferred to the recovered Routing Engine. PR1178536

  • Starting in Junos OS Release 15.1F5-S2, 15.1F6, 16.2R1, 17.1R1, and on vMX Series, the new CLI command set chassis fpc X performance-mode num-of-ucode-workers Y is introduced to support dedicated users for control and multicast traffic. This command prevents the unicast traffic from being hashed to the users doing ucode processing. Typically, vMX X86 can be configured to run in lite-mode or performance-mode. With this new CLI option, users are allowed to configure number of ucode workers to process multicast and control traffic on separate worker core files. The intention of this command is to separate flow cache and non-flow cache traffic. But as part of this fix, only control and multicast traffic are separated from the remaining traffic. Whenever there is a change in num-of-ucode-workers, RIOT will be rebooted and the first Y workers process control and multicast traffic and the remaining workers process the flow cache traffic. PR1178811

  • For NAT64: source-prefix filtering and protocol filtering of the CGNAT sessions are incorrect. For example, show services sessions extensive protocol udp source-prefix <0:7000::2> displays incorrect filtering of the sessions. PR1179922

  • Chef for Junos OS supports additional resources to enable easier configuration of networking devices. These are available in the form of netdev resources. The netdev resource developed for interface configuration has a limitation in configuring the XE interface. The netdev interface resource determines that speed is a configurable parameter that is supported on a GE interface but not on an XE interface. Hence, the netdev interface resource cannot be used to configure an XE interface. This limitation is applicable to packages chef-11.10.4_1.1.*.tgz and chef-11.10.4_2.0_*.tgz on all platforms {i386/x86-32/powerpc}. PR1181475

  • If you want to deactivate the global DDoS parameters (to keep only the protocol-specific DDoS configurations for flow detection), use the following commands: deactivate system ddos-protection global flow-detection-mode and deactivate system ddos-protection global flow-level-control. Using only deactivate system ddos-protection global flow-detection-mode results in disabling the flow detection completely because this command also deactivates the master flow-detection configuration statement under it. PR1182078

  • On MX2010 and MX2020 routers with SFB2 and empty fabric slots, a system defect that fetches incorrect fabric information might prevent MPC7E/8E/9E from coming online. PR1182404

  • As described in RFC 7130, when LACP is used and considers the member link to be ready to forward traffic, the member link must not be used by the load balancer until all the micro-BFD sessions of the particular member link are in the up state. PR1192161

  • IR-mode configuration statement commit failure is seen with MPC7, MPC8, and MPC9. PR1192228

  • AMS soft gives a failover message Switchover failed:sync state unknown when you execute the request interface load-balancing switchover mams-x/x/x command. PR1194094

  • The DDoS MTU-exceeded exception is detected on the egress side, where there is not enough information to generate the physical interface information needed to create physical interface flows. As a result, physical interface flows must not be created for an MTU-exceeded packet type. Hence, it is expected that physical interface level flow detection does not occur with flow-level-detection and flow-level-control for [edit system ddos-protection protocols exceptions mtu-exceeded]. PR1196738

  • GUMEM errors for the same address might continually be logged if a parity error occurs in a locked location in GUMEM. Since GUMEM utilizes ECC memory, any error is self-correcting and has no impact on the operation of the router. In a rare case, such a parity error might appear repeatedly at a specific location. As a workaround, the error can be cleared by rebooting the FPC. PR1200503

  • When a large number of IPsec tunnels (for example, 1000) are up, Junos OS sends bidirectional traffic to create 1 Million sessions and a few sessions are dropped. PR1204566

  • Changing members from the AMS bundle impacts traffic and SAs. The correct behavior is to reboot members after new members are added to the existing AMS bundle. PR1205932

  • In certain cases, the subscriber created on the MS-MPC is not cleared even though all the sessions associated with that subscriber are cleared. Any new sessions for that subscriber create a session based on the rules configured and the subscriber will be reused. No new sessions will be automatically allowed, because of the existing subscriber. PR1210820

  • In certain interface scaling scenarios, during configuration commit or rollback, the following message might appear for a few seconds: fpcx list_get_head list has bad magic (0xdeadbeef). This message can be safely ignored due to the FPGA monitor mechanism on DPC cards for logical interface mapping (ifl_map). When physical interface is deleted and then monitored, this mechanism checks through the stored logical interfaces. While trying to find the family of one such recently deleted logical interface that is not cleaned from ifl_map, messages were seen populating in the messages log file. PR1210877

  • MPC might crash during a unified ISSU starting Junos OS Release 15.1R1 and later when QSFP/CXP/CFP2 optics are present. PR1216924

  • The PIC is rebooted without generating a core file, despite having dump-on-flow-control configured. PR1217167

  • The /etc/passwd file is created in the process of the first commit when a pristine jinstall image is used to boot for the first time. If event-options is configured, the system will try to read the configuration from the available event scripts, which requires privileges obtained from the /etc/passwd file. That causes a circular dependency because the commit will not pass if the configuration includes event-options the first time a pristine image boots up, which is the case of an upgrade performed with vi sh create. PR1220671

  • Multicast processing is processor intensive on vMX because flow cache is not supported. Ucode workers are hyperthreaded, so they are sharing a physical core. PR1221036

  • There is no unified ISSU from Junos OS Release 15.1 and earlier to Junos OS Release 16.2R1. PR1222540

  • Change of behavior of reflexive keyword. If the "reflexive" keyword is configured in a CoS rule, then the COS-service-plugin will store COS-VALUES [DSCP, Forwarding class] received in the forward flow and apply the same COS-VALUES [DSCP, Forwarding class] to packets going in reverse flow. PR1227021

  • When virtual switch type is changed from IRB type to regular bridge, interfaces under the OpenFlow protocol are removed. The openflow process (daemon) fails to program any flows. PR1234141

  • Due to a hardware failure of the QX chip, an FPC does not reply to some SNMP configuration polls. The issue can be checked by running show qxchip <> driver. On the affected card, the output is QXCHIP <> does not exist. PR1236837

  • In a BGP or MPLS scenario, if the next-hop type of the label route is indirect, then the following changes to the MPLS family on the next-hop interface might cause the route to be in DEAD state, and the route remains dead even when family MPLS is activated again:

    • Deactivating and activating the interface family MPLS

    • Deleting and adding back the interface family MPLS

    • Changing maximum labels for the interface PR1242589

  • In a Junos Telemetry interface scenario using Junos OS Release 16.1R3 and later with non-upgraded FreeBSD, if openconfig is used, an na-grpcd memory leak or memory increase might occur continuously (that is, continuous subscribing/unsubscribing or aggressive timers for interfaces for about 2 seconds or other conditions), eventually causing an na-grpcd crash due to memory exhaustion. The impact of this issue is that the collector does not get the streaming data during the na-grpcd crash. PR1254794

  • Errors such as the following might be seen: mspmand[190]: msvcs_session_send: Plugin id 3 is not present in the svc chain for session. The issue is usually cosmetic. PR1258970

  • On an MX Series Virtual Chassis system in a scaled subscriber management scenario, if a unified ISSU is performed while the BGP protocol sessions are active and such BGP sessions are clients of BFD, then these BGP sessions might go down and come back up again, causing traffic loss. PR1265407

  • On MX Series routers, the device might become inaccessible and services might go down after executing GRES switchover. PR1266636

  • Customers have reported that the Routing Engine (RE) is stuck in backup state after an RE reboot, while the master RE (by election priority) is halted. The initial scenario is as follows:

    - RE0 - current state MASTER, election priority BACKUP

    - RE1 - current state BACKUP, election priority MASTER

    RE1 is in Present state:

        user@router> show chassis routing-engine
        Routing Engine status:
          Slot 0:
            Current state Master
            Election priority Backup
        ...
        Routing Engine status:
          Slot 1:
            Current state Present

    When "request system reboot" is performed on RE0, it comes up in BACKUP state and does not acquire mastership, even after a 5 minute interval. Only the "request chassis routing-engine master acquire" command on RE0 resolves this issue:

        user@router> request system reboot
        Reboot the system ? [yes,no] (no)
        Shutdown NOW!
        [pid 6514]
        user@router>
        *** FINAL System shutdown message from user@router ***
        System going down IMMEDIATELY
        Connection closed by foreign host.
        telnet 172.30.156.247
        Trying 172.30.156.247...
        Connected to lab.
        Escape character is '^]'.
        login: username
        Password:
        Last login: Tue Jul 25 12:41:41 from 172.26.124.150
        --- JUNOS 16.1R4-S4.3 Kernel 64-bit JNPR-10.3-20170607.351421_build
        user@router> show chassis hardware
        Aborted! This command can only be used on the master routing engine.
        user@router> request chassis routing-engine master acquire
        warning: Traffic will be interrupted while the PFE is re-initialized
        Attempt to become the master routing engine ? [yes,no] (no) yes
        Resolving mastership...
        The other routing engine not responding. Forcing mastership.
        Complete. The local routing engine becomes the master.
        user@router> show chassis routing-engine
        Routing Engine status:
          Slot 0:
            Current state Master
            Election priority Backup
        ..
        Routing Engine status:
          Slot 1:
            Current state Present

    PR1295729

  • lo0.0 interface should be used in default VRF for subscriber services. PR1303254

  • When a certain Modular Port Concentrator (MPC) model such as the MPC4E has a very specific hardware failure and fails to boot up because of a Flexible PIC Concentrator (FPC) internal I2C error, other FPCs might go offline. PR1319560

  • On the MX240/MX480/MX960 series, intermittent and transient errors with PCF8584 are observed. PR1312336

  • IPsec operations are optimized for smaller packet size (up to ~1900 bytes) on MS-MPC/MS-MIC platforms thus yielding higher throughput and lower latency for more common network deployments. Customers might see slightly higher latency if there are jumbo packets in the network. PR1307867

  • Enhanced Subscriber Management: For subscribers terminated in a routing instance, targeting will be supported starting in Junos OS Release 17.3R2 and later. With current code subscribers, traffic might come up but traffic towards a subscriber might be dropped at the MX Series as it is not supported in the current release. PR1308000

  • When a unified ISSU is performed with the interface-set configuration from Junos OS Releases 15.1F3, and 15.1R2 and later, the following issues are seen: 1. MPC line cards and interfaces on those cards go down. 2. When the card is restarted, it is stuck in ready state. 3. Traffic losses are observed on all the interfaces that went down. To avoid this issue, the static interface sets have to be disabled over unified ISSU. The disabled interface sets can be reenabled/reactivated after the upgrade. PR1312522

  • Point-to-point encryption traps are seen with continuous flaps of real servers, every minute interval, lasting for an hour or so, along with SNMP walk for Traffic Load Balancer (TLB). There is no impact on the traffic. PR1323174

  • After successive flaps on core interfaces in an active/active multihoming EVPN VXLAN, some race conditions might trigger constant high CPU usage on the backup Routing Engine, where rpd shows very high CPU usage, the rpd subsystem does not respond, and the NSR task is in a non-complete state. During multiple EVPN/VXLAN core interface flaps, rpd does not process the next-hop entries learned by L2 learning in Junos OS and goes into an infinite loop, causing 98% CPU usage on the backup Routing Engine. The issue is fixed in the Junos OS rpd code by adding a preventive check when an LB next hop is learned by L2 learning. PR1334235

  • If unit 0 under the MS interface is defined, unit 0's IFL will handle exporting sampling records regardless of what you have defined as the source-address under the sampling configuration.

    If both a non-zero unit is used (unit 20, for example) and MS unit 0 is also defined, then:

    • 1. MS unit 0 interface has to be defined with family inet because sampling records will be exported through this IFL even if the source-address sits under unit 20.

    • 2. MS unit 0 interface should be part of the default routing table. There is no additional configuration required for this; by default the interface will be in the default routing table. Also, the route towards the collector should be available in the default routing table.

    If a non-zero unit is used and MS unit 0 is not defined, then:

    • 1. The export makes use of .local (instead of MS unit 0, as MS unit 0 is not defined) to send out the packet.

    • 2. Route to the collector should be available in default routing table. PR1334682

  • With Certificate Hierarchy, where intermediate CA profiles are not present on the device, in some corner cases, the PKId can become busy and stop responding. PR1336733

  • On all MX Broadband Network Gateway (BNG) platforms with Junos OS Release 15.1 or higher which support Dynamic Host Configuration Protocol version 6 (DHCPv6) local server, if it is connected to a DHCPv6 client through a static interface, and the client uses a non-EUI64 link-local address, the IPv6 Neighbor Discovery Protocol (NDP) process will fail to resolve the MAC address for the client. All the IPv6 ping and the other related IPv6 traffic destined to the client will be dropped. PR1347173

  • When a unified ISSU is performed from Junos OS Release 15.1 to a 16.1R6.7 or later image with the KDDI configuration, ae interfaces flap. This flap is seen towards the end of the unified ISSU operation when the new backup Routing Engine comes up and synchronizes with the new master Routing Engine. PR1348863

  • When an ephemeral DB instance is configured, if changes that are unrelated to IGMP/MLD are committed (such as "set interfaces ge-0/0/1.0 description") and the number of ephemeral commits reaches the ephemeral DB maximum size, an ephemeral DB purge might happen, which purges all the commits and rolls over. On this purge, mgd gives all the applications a FULL COMMIT view, and on this FULL COMMIT view IGMP/MLD deletes all configurations and adds them back again. This might cause PIM to prune the groups on those interfaces and send join messages again. As a result, multicast traffic flapping and drops might be seen. PR1352499

  • An issue is seen when performing ISSU from a 16.1R6 build to a 16.1R7 build. PR1360246

Infrastructure

  • The issue is seen only on T1600/T640/T320 when the Routing Engine type is RE-A-2000, which has only 1GB of RAM. In addition, the image size was increased for Junos OS Release 15.1F6.2 and later. Both these factors cause the used space on the partition /dev/ad0s1a to be exceeded. Hence, the reserved space for root is occupied, which is why a negative value is seen in the available column. In conclusion, RE 2000 is not supported for these platforms with Junos OS Release 15.1F6.2 and later releases or Junos OS Release 16.1R1 and later. Additionally, due to low memory, upgrade or downgrade from Junos OS Release 15.1F6 or 16.1R2 to any other build works only if the force option is used during the upgrade or downgrade. PR1191244

  • Starting in Junos OS Release 14.2R3, the show class-of-service fabric statistics CLI command might fail with Error = Operation timed out message in some cases (especially if there are many FPCs in the chassis). This occurs because data structures that are used to query fabric statistics become significantly larger in later releases. Thus when multiple FPCs start transmitting data to the Routing Engine at the same time some packets might get dropped in the internal Ethernet switch on the Control Board. If re-transmission does not happen within the timeout, the Operation timed out error is seen. PR1228293

  • The configuration statement set system ports console log-out-on-disconnect logs the user out from the console and closes the console connection. If the configuration statement set system syslog console any warning is used with the earlier configuration and there is no active telnet connection to the console, the process tries to open the console and hangs as it waits for a "serial connect" that is received only by doing a telnet to the console. As a workaround, remove the latter configuration by using set system syslog console any warning, which solves the issue. PR1230657

  • Syslog messages are observed when one of the following CLI commands is executed: system syslog file messages kernel any or system syslog file messages any any. These syslog messages do not indicate any functionality, breakage, or impact. If you need to enable “any any”, then you would need to skip these logs with an appropriate match condition. PR1239651

  • On Juniper Routing Engines with a HAGIWARA CF card installed, after upgrading to Junos OS Release 15.1 and later releases, the Routing Engine reports the following failure message (every 30 minutes):

        root@router> show log messages | match ada1
        Jan 15 21:18:28 router smartd[4357]: Device: /dev/ada1, failed to read SMART Attribute Data
        Jan 15 21:48:28 router smartd[4357]: Device: /dev/ada1, failed to read SMART Attribute Data
        Jan 15 22:18:28 router smartd[4357]: Device: /dev/ada1, failed to read SMART Attribute Data
        <...>

    The issue is related to the smartd daemon reading the SSD attributes with the HAGIWARA SYS-COM MFD10 Compact Flash.

        Routing Engine 0 REV 05 740-031116 xxxxxxxxxxx RE-S-1800x4
        <...>
        ada1 3671 MB HAGIWARA SYS-COM MFD10 xxxxxxxxxxxx Compact Flash

    PR1333855

  • Rarely, M/Mx: might observe a crash after Multicast Traffic Failover Upstream AR deactivate MPLS. PR1351611

Interfaces and Chassis

  • After changing the MTU on the physical interface, an IPv6 link local address is missing on the static VLAN demux interface. PR1063404

  • When changing the configuration to reuse the VIP address on an interface, you must stop the configuration, do a commit, and then add the interface address configuration in the next commit. PR1191371

  • The first IP address from the framed prefix (returned in Framed-IPv6-Prefix) is assigned to the subscriber interface. PR1214647

  • If an iflset configuration is present, the following issue might be seen with the MPC5E line card interfaces:

    • After ISSU from FreeBSD 6.1-based to Junos OS Release 15.1F and later, interfaces of the MPC5E line card stay down. When the card is restarted, it goes to ready state.

    • After ISSU from FreeBSD 6.1-based to Junos OS Release 16.1 and later, MPC5E line card interfaces stay down but MPC1/MPC2 line cards go to ready state. PR1242627

  • If there is an iflset configuration present, the following issue might be seen: After a unified ISSU from FreeBSD 6.1-based Junos OS to Junos OS Release 15.1F throttle, interfaces of the MPC5E line card stay down. When the card is restarted, it goes to ready state. After unified ISSU from FreeBSD 6.1-based Junos OS to Junos OS Release 16.1, the MPC5E line card interfaces stay down but the MPC1/MPC2 line cards go to ready state. This issue is seen if the unified ISSU is done from Junos OS Release 14.2 to Junos OS Release 15.1 or later with the interface set. Before performing unified ISSU upgrade to Junos OS Release 15.1 or later, static interface sets have to be disabled. The disabled interface sets can be reenabled after the upgrade. PR1252360

  • In a VPLS multihoming scenario, the CFM packets are forwarded over the standby PE device link, resulting in duplicate packets or a loop between the active and standby link. PR1253542

  • Upgrades involving Junos OS Release 14.2R5 (and earlier for 14.2 maintenance releases) and Junos OS Release 16.1 and earlier for mainline releases with a CFM configuration can cause a cfmd crash after the upgrade. This is due to the old version of /var/db/cfm.db. PR1281073

  • In a subscriber management scenario with dynamic demultiplexing interfaces (DEMUX) configured, in the case where subscribers belonging to one aggregated Ethernet (AE) interface are migrated to a newly configured AE interface, subscribers might fail to access the device after deleting the old AE configuration. PR1322678

  • With the hardware-assisted-timestamping knob configured, for DM over aggregated Ethernet, invalid timestamps are observed, or for iterators, DMRs are received with invalid timestamps. The DM packets (either DMM or DMR) are not timestamped on the RX path for both on-demand and iterator DM packets. PR1365772

Junos Fusion Provider Edge

  • On a Junos Fusion topology, if you issue the request support information operational mode command, the logs do not include satellite device information. PR1220575

  • Adding a physical port having CoS configuration to an aggregated Ethernet (AE) bundle should not be done in a single commit operation. The same holds true the other way around. Not following this guideline might result in incorrect CoS behavior on the physical interface and the aggregated Ethernet (AE) link. PR1334018

Layer 2 Features

  • When input-vlan-map with a push operation is enabled for dual-tagged interfaces in "enhanced-IP" mode, there is a probability that the broadcast, unknown unicast, and multicast (BUM) traffic might be dropped or discarded silently on some of the child interfaces of the egress ae interfaces or on some of the equal-cost multipath (ECMP) core links. PR1078617

  • On routers equipped with the following line cards: T4000-FPC5-3D MX-MPC3E-3D MPC5E-40G10G MPC5EQ-40G10G MPC6E MX2K-MPC6E, if the router is working as a VPLS PE, due to MAC aging every 5 minutes, the VPLS unicast traffic is flooded as unknown unicast every 5 minutes. PR1148971

Layer 2 Ethernet Services

  • When an MX Series router functions as a DHCP local server, the configuration used to deactivate the local server is invalid and could cause the server to be halted but the subscriber entries to remain active and stranded. This, in turn causes unexpected consequences, such as the inability to deactivate all dynamic profiles prior to the upgrade to enable the dynamic-profile versioning feature, and the inability to ping the subscribers after upgrade. PR935931

  • If the customer configures the passive-client-processing override because of a network configuration requirement and the network configuration subsequently changes so that passive client processing is no longer required (or if the override is configured by mistake), then de-configuring the override does not clear it from the interfaces the configuration was originally associated with. As a result, binding of a client from a renew packet (where the client binding did not previously exist) may fail. PR1197728

  • When MSTP is configured under a routing instance, both the primary and standby VPLS pseudowires get stuck in ST state due to a bug in the software. That has been fixed and now the PW status is set correctly. PR1206106

  • After changing the underlying physical interface (IFD) for a static VLAN demux interface, the NAS Port ID formed is based on the previous physical interface. PR1255377

MPLS

  • When using mpls traffic-engineering bgp-igp-both-ribs with LDP and RSVP both enabled, CSPF for interdomain RSVP LSPs cannot find the exit area border router (ABR) when there are two or more such ABRs. This causes interdomain RSVP LSPs to break. RSVP LSPs within the same area are not affected. As a workaround, you can either run only RSVP on OSPF ABR or IS-IS L1/L2 routers and switch RSVP off on other OSPF area 0/IS-IS L2 routers, or avoid LDP completely and use only RSVP. PR1048560

  • In a BGP prefix-independent convergence (PIC) edge scenario, when the ingress route (the primary route) fails, because the LDP might fail to send the session down-event to the Packet Forwarding Engine correctly, the Packet Forwarding Engine might still use the primary path to forward traffic until (in some cases, 3-5 seconds for 30,000 prefixes) the global convergence is completed by the interior gateway protocol (IGP). This issue might also be seen when the delay-delete CLI command is configured. In this scenario, the session-down event might get sent to the Packet Forwarding Engine correctly. However, due to local reversion, the primary path might also be chosen as the forwarding path when it is deleted. PR1097642

  • The issue occurs when graceful Routing Engine switchover (GRES) is done between the master and backup Routing Engines of different memory capabilities. For example, one Routing Engine has only enough memory to run a routing protocol process (rpd) in 32-bit mode while the other is capable of 64-bit mode. The situation could be caused by using Junos OS Release 13.3 or later with the configuration statement auto-64-bit configured, or by using Junos OS Release 15.1 or later even without the configuration statement. Under these conditions, the rpd might crash on the new master Routing Engine. As a workaround, this issue can be avoided by using the CLI command set system processes routing force-32-bit. PR1141728

  • In some Inter-op scenarios, sometimes a new label is advertised without withdrawing the old label by the peer. Under such a scenario, Junos OS rejects the new label advertised (as per RFC 3036 behavior). The following logs are generated in such an event: LDP: LabelMap FEC L2CKT NoCtrlWord ETHERNET VC 40347 label 53 - received unsolicited additional label for FEC, releasing new label. PR1168184

  • When configuring CCC remote-interface switch or LSP switch, self-ping should be disabled on the LSPs, referred to in the CCC configuration, by configuring the following: [edit protocols mpls label-switched-path lsp1] + no-self-ping. If this configuration is not set, LSPs will not complete the make-before-break (MBB) process. PR1181407

  • In a CE-CE setup, traffic loss might be observed over a secondary LSP on primary failover. PR1240892

  • A new configuration, protocols mpls traffic-engineering bgp-igp-both-ribs in the routing instance is required to make channelized optical carrier (COC) work. PR1252043

  • Because of the current way of calculating bandwidth, a minimal discrepancy between MPLS statistics and adjusted bandwidth is reported. The algorithm should be enhanced so that both values match 100 percent. PR1259500

  • The throughput measurement might be inaccurate when doing performance measurement on an MPLS label-switched path. PR1274822

  • MTU mismatch under the family MPLS interface is noticed. This is a display issue; functionality works correctly. PR1282597

  • Packets destined to the master Routing Engine might be dropped in the kernel due to excessive network traffic on the internal Ethernet interface. This excessive traffic results from routing protocol daemon (RPD) requesting Multiprotocol Label Switching (MPLS) traffic statistics from all the online FPCs, when the jnxLdp* SNMP MIBs are queried. PR1359956

Network Management and Monitoring

  • SNMP traps that are generated when an ethernet-switching interface goes down or comes up are prefixed with the keyword "default-switch@<community string>". PR1227034

  • On an MX Series Virtual Chassis platform, one Routing Engine (RE) does not reply to an SNMP request after power-on or RG0 failover at a devices cluster. PR1240178

  • Because of a software issue, "COUNTER_DECREASING: pfes_stats_delta: counter PFES_TRAFFIC_INPUT decreasing" syslog messages randomly show up on a PTX Series platform. This is purely a cosmetic issue. PR1240837

Platform and Infrastructure

  • FPC reports the following errors and the FPC is not able to connect any subscribers: "Pkt Xfer:** WEDGE DETECTED IN PFE 0 TOE host packet transfer: %PFE-0: reason code 0x1" Also, the MQ FI may be wedged and the following log can be seen: Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) FI Reorder cell timeout Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) FI Enqueuing error, type 1 seq 404 stream 0 Apr 11 12:09:11.945 2013 NSK-BBAR3 fpc7 MQCHIP(0) MALLOC Pre-Q Reference Count underflow - decrement below zero. PR873217

  • On T Series routers, when reloading the chassis that has SONET Clock Generators (SCGs) equipped, due to the timing issue, the "No CG online" RED alarm might be displayed on the LCD panel and not cleared, even though the SCGs are coming up later and this alarm should be cleared. PR991533

  • When TCP authentication is enabled on a TCP session, the TCP session might not use the selective acknowledgement (SACK) TCP extensions. PR1024798

  • When using the show | compare method to commit, part of configuration might be treated as noise and return syntax error. PR1042512

  • On MX Series routers with MPCs/MICs, when the flow-control feature is disabled (enabled by default) by using the CLI command no-flow-control (for example, under the [gigether-options] hierarchy), after bringing up or rebooting the MPC, status of the hardware might not be updated correctly and the flow control on that MAC might remain enabled. PR1045052

  • In configurations with IRB interfaces, during times of interface deletion (for example, FPC reboot), the Packet Forwarding Engine might log errors stating nh_ucast_change:291Referenced l2ifl not found. This condition should be transient, with the system reconverging on the expected state. PR1054798

  • On MX Series routers, parity memory errors might occur in pre-classifier engines within an MPC. Packets are silently discarded because such errors are not reported and hence harder to diagnose. Cable modem errors such as syslog messages and alarms should be raised when parity memory errors occur. PR1059137

  • Starting Junos OS Release 15.1F5 and later, the hidden configuration statement filter-list-template is enabled by default for all firewall filters on MX Series based platforms to use a common program on MX Series boards for all interfaces that use the same filter list. This can save MX Series board microkernel memory and DMEM memory. The hidden configuration statement no-filter-list-template can be configured to disable this behavior. PR1157079

  • On MPC5E and MPC6E line cards, automatic next-hop tracing on PPE traps might have permanent impact on packet forwarding and is now disabled. PR1166479

  • Multicast traffic might get dropped when the STP port role is changed. As a workaround, toggle the IGMP snooping membership. PR1193325

  • The Junos OS key attribute, which is emitted in the XML format of the configuration, will not be emitted in the JSON format of the configuration. PR1195928

  • Due to a code defect related to the ephemeral database, rpd might crash if the ephemeral database is enabled. PR1214298

  • The logs like trinity_dfw_ifl_impl_filter_delete:187 There is no IFL impl filter feature list to delete dfw 4198021 might be seen if there is no filter attached to IFL to be deleted. As far as this DFW log message is concerned, it should not affect services. PR1225634

  • FPC memory leak might be seen on T4000 with FPC Type 5 if line card polls for checking temperature of the line card. PR1233003

  • The following message is seen sporadically during a commit after upgrading to Junos 16.1R4. Oct 18 10:34:10 jtac-mx480-r2043 jlaunchd: commit-batch is thrashing, not restarted. PR1284271

  • This issue occurs when 120 bridge domains (among a total of 1000 bridge domains) have XE/GE links towards the downstream switch and LAG bundles as uplinks towards upstream routers. The XE/GE link is part of the physical loop in the topology. Spanning tree protocols such as VSTP/RSTP/MSTP are used for loop avoidance. Some MAC addresses are not learned on DUT when LAG bundles that are part of such bridge domains are flapped and other events such as spanning tree root bridge change occur. PR1275544

  • In a scaled label-switched interface (LSI) VPLS environment (such as an H-VPLS environment), if massive VPLS LSI addition or removal events happen at the VPLS PE, the source MACs might be leaked (or not learned) between different VPLS instances at the received VPLS PEs. PR1306293

  • RPD was not sending all the address family information with next-hop types UNICAST/UNILIST during network churn, which led to a race condition with PFEs having a different view of UNILIST load-balance selectors. This was causing different PFEs to select different outgoing interfaces and eventually drop traffic if the outgoing interface is not local on the egress PFE for a multicast traffic flow. PR1335302

  • For Junos OS Release 15.1F6-S10: If GRES is performed back-to-back around 10 times, a Packet Forwarding Engine crash is possible. PR1352718

  • Packets destined to the master Routing Engine (RE) might be dropped in the kernel due to excessive network traffic on the internal Ethernet interface. This excessive traffic results from LACP reprogramming all the LACP member links periodically at 30-second intervals. PR1355299

  • PPE traps can be observed on FPCs during the unified ISSU upgrade. PR1357443

Routing Protocols

  • On MX Series routers, when an instance type is changed from VPLS to EVPN, and in the same commit an interface is added to the EVPN instance, the newly added EVPN interface might not be able to come up. PR1016797

  • With Shared Risk Link Group (SRLG) enabled under corner conditions, after executing the command clear isis database, the rpd might crash because the IS-IS database tree gets corrupted. PR1152940

  • JTASK_SCHED_SLIP for rpd might be seen on performing restart routing or ospf protocol disable with scaled BGP routes in an MX104 router. PR1203979

  • PIM NSR design: With GRES and NSR enabled, the master Routing Engine (RE) replicates kernel states and protocol states on the backup RE.

    • Both kernel state (ifstates) and protocol state replication are independent processes.

    • ksyncd takes care of ifstates replication.

    • RPD infra takes care of the replication (mirror) connection between the two Routing Engines.

    • NSR-supported protocols have their own mechanism to replicate their database using the mirror connection.

    • As per the PIM/MVPN NSR design, on the backup RE, it walks through the replication database (RDB) once a PIM/MVPN state is processed on the backup RE, and the associated RDB is deleted.

    If kernel replication is restarted, it can lead to interface deletions and additions only on the backup RE. PIM states on the backup RE go out of sync. That is a caveat.

    • A kernel replication restart leads to interface delete/add on the backup RE only.

    • PIM/MVPN does not have the RDB on the backup RE, so on interface delete, it deletes the relevant PIM state, and once an interface is added by the kernel, PIM has no state to consume.

    • No change occurs on the master RE to reinitiate the protocol replication.

    This PIM/MVPN out-of-sync issue can be seen with the following events:

    • Manually "restart kernel-replication" - PIM out of sync

    • ksyncd cored & restarted - PIM out of sync

    • ksyncd restarted as workaround of kernel replication issues - PIM out of sync

    PR1224155

  • In Junos OS Release 16.1R5 and later, the routing protocol process (rpd) generates core files in the ASBR when BGP is deactivated in the AS boundary router (ASBR) before all stale labels have been cleaned up. PR1233893

  • Certain BGP traceoption flags (for example, "open", "update", and "keepalive") might result in (trace) logging of debugging messages that do not fall within the specified traceoption category, which results in some unwanted BGP debug messages being logged to the BGP traceoption file. PR1252294

  • BGP-LU does not react to family MPLS up/down and invalidate BGP-LU routes received with label-operations. In this situation, BGP-LU label might go into "dead" state in the forwarding table after the MPLS address family on the next-hop interface is removed and re-added. PR1262180

  • When route-distinguisher-id is configured and a VRF with a route distinguisher is automatically assigned with the auto-rd feature configured, the MX Series BNG allows commit followed by an rpd process crash. PR1278582

  • RPD-PFE goes out of sync during MoFRR convergence. PR1284463

  • In a Resource Public Key Infrastructure (RPKI) scenario, the validation replication database might have many more entries than the validation database after restarting the RPKI cache server and the validation session is reestablished. PR1325037

  • PR 1216696 added additional checking on the 'type' field of each extended community. Currently, com_dump_iana_ext_com() checks for 0x00 leading value for SRC-AS external community, which corresponds to the Transitive Two-Octet AS-Specific Extended Community Sub-Types. However, a value of 0x02 is valid for Transitive Four-Octet AS-Specific Extended Community Sub-Types, so the check must also allow 0x02 as a leading value. PR1353210

Services Applications

  • In an L2TP scenario, when the L2TP network server (LNS) is flooded by high-rate L2TP messages from LAC, the CPU on the Routing Engine might become too busy to bring up new sessions. PR990081

  • Session counters for cleartext traffic are not updated after decryption. Decrypted packet count can, however, be obtained by running the following command: show security group-vpn member ipsec statistics. PR1068094

  • When polling to jnxNatSrcNumPortInuse through SNMP MIB get, information might not be displayed correctly. PR1100696

  • In Junos OS Release 13.3 and later, when configuring a /31 subnet address under a NAT pool, the adaptive services process (SPD) will continuously crash. PR1103237

  • We do not recommend configuring the ms- interface when the aggregated multiservices (AMS) bundle in one-to-one mode has the same member interface. PR1209660

  • Once you disable the stateful high availability feature for an interface and then reenable it for the same interface, it comes up as the backup, and a delay might be seen before the session synchronizes. PR1214015

  • Account session ID, interface identifier, and subscriber user name trigger attributes are optimized for a scaled subscriber management environment. If you include any of the other, non-optimized, trigger attributes in a scaled subscriber management environment, a significant delay might be observed between the time when the DTCP ADD message is sent and the time when forwarding starts for the mirrored traffic. For example, if there are 10,000 subscriber sessions on the router, forwarding of the mirrored traffic might be delayed for 20 minutes. This delay occurs when you specify any non-optimized attribute, with or without any optimized attribute. The delay occurs regardless of the order of attributes in the DTCP packet. PR1269770

  • The NAT auto-injected routes might fail to install when back-to-back commits with changes are made and service sets or NAT rules are performed. This issue occurs with a unique configuration where thousands of routes are added by the service PIC process (spd), which manages installation of NAT return routes and destination routes. PR1223729

  • One of the internal HA queues gets corrupted, which results in the mspmand process generating a core file on the backup SDG. This issue occurs because sometimes different threads of mspmand might have different timestamps. PR1291664

  • In a corner case, a race condition might be simulated by multiple daemon restarts (authd, jl2tpd, and jpppd), which might abort cleanup of a few subscribers, leaving them behind as stale. Once the stale sessions are found, they can be cleaned up by another jpppd restart. PR1363194

Software Installation and Upgrade

  • Due to an increase in software requirement and hardware limitation of older hardware, the USB installation image might not work correctly in platforms with RE-A-2000 or their variants. The result of using a USB install image with a Routing Engine is for the Routing Engine to be in a boot loop. PR1196232

Subscriber Access Management

  • In a subscriber management environment, after performing the graceful Routing Engine switchover (GRES), if the Routing Engine switchover happens before the Acct-Start response is received, and the timeout on the service session happens before the timeout on the subscriber session, the authentication process (authd) might crash. PR1074011

  • In a Point-to-Point Protocol over Ethernet (PPPoE) subscriber scenario with many subscribers (for example, 3000), during operation of login and logout, some subscribers might be stuck in an error state of Terminated. This issue will impact the traffic for these error subscribers. PR1262219

VPNs

  • In the Layer 2 circuit environment, when the l2ckt configuration includes the backup-neighbor statement, the flow label operation is blocked at the configuration level. PR1056777

  • In a next-generation MVPN scenario, when forwarding-cache timeout never non-discard-entry-only is configured for an MVPN instance, even though the cache lifetime is shown as forever in the output of the CLI command show multicast route instance X extensive, the route disappears after 7-8 minutes. PR1212061

  • Starting in Junos OS Release 15.1F5, in a next-generation MVPN environment, when multicast production data stops, the VRF S,G entry and MVPN/BGP routes might persist, whereas they should be deleted. PR1236733

  • In a multicast virtual private network with BGP (next-generation MVPN) scenario with only a shortest-path tree (SPT) mode configuration, under certain conditions the PIM register-stop packet might be sent before the Source Tree Join (Type-7) packet, which might cause some multicast packets to drop. PR1238916

Resolved Issues

This section lists the issues fixed in the Junos OS main release and the maintenance releases for MX Series and T Series.

For the most complete and latest information about known Junos OS defects, use the Juniper Networks online Junos Problem Report Search application.

Resolved Issues: 16.1R7

Authentication and Access Control

  • In Power over Ethernet (PoE) using a Link Layer Discovery Protocol (LLDP) scenario, the LLDP power-via-MDI TLV and LLDP Media Endpoint Discovery (LLDP-MED) TLV will transmit the incorrect Power Class type. PR1296547

  • If dynamic assignment of VoIP VLAN is used, the switch might not send the correct VoIP VLAN information in LLDP MED packets after any configuration change and commit. PR1311635

Class of Service (CoS)

  • After router restart, the class-of-service (CoS) wildcard configuration might be applied incorrectly. PR1325708

  • If excess-bandwidth-share is configured under class-of-service interfaces, the mgd will fail to validate the configuration during the Routing Engine reboot and the validation failure will cause the Routing Engine to get into amnesiac mode. PR1348698

Flow-Based and Packet-Based Processing

EVPN

  • In VXLAN-EVPN, the VLAN tag of an egress ARP reply is removed if the egress interface is LT; lt interface peer-unit family ccc through irb is broken post upgrade to PR1118540 fixed releases. PR1252522

  • Ethernet A-D per Ethernet segment route (Type-1 PER ES) is not generated with a new route target after changing the route target. PR1279529

  • The policies that map Ethernet VPN (EVPN) traffic to specific label-switched paths (LSPs) based on community matching do not work properly. PR1281415

  • EVPN-VXLAN control-plane stress testing was performed by restarting RPDs, one node at a time in the test bed. At some point, rpd generated core files on a QFX1000 at the evpn_mirror_mac_db_getnext() routine. PR1320408

  • In some scenarios, the same MAC message is added twice (without deleting in between) from the L2-learning module to the routing protocol process (rpd). The backup rpd might generate a core file. PR1336881

Forwarding and Sampling

  • The mib2d core file is seen in a rare condition. It is difficult to reproduce and mainly linked to a sequence of parallel events between learning during configuration check and SNMP MIB walking for the same filter under change. PR1286448

  • When subscriber services that are enabled for interim volume accounting go down, it could rarely generate a core file in the Packet Forwarding Engine process with backtrace pfed_timer_manager_c::remove_serv_id. PR1296969

  • With firewall filters configured on the physical and loopback interfaces, the SNMP queries on the firewall filters might time out if the FPC to which the firewall filters are attached periodically restarts. The query timeout could cause a mib2d memory leak. PR1302553

  • In a subscriber-management environment, the dfwd process might crash during execution of the show firewall templates-in-use command if a CLI session disconnects before the complete output of this command is received. PR1305284

  • If two archive sites are configured under the [accounting-options file <filename>] configuration hierarchy, and the first archive site listed uses the SFTP protocol and is not currently reachable, then the backup of accounting files must occur to the second site listed. Due to a defect in the backup logic, addressed with this PR, this does not occur. PR1311749

  • With a certain number of accounting files, the system might fail to perform an accounting-file backup due to reaching the PFED process fork limit and retry the backup operation later. When this retry happens, some accounting files that do not contain any records (for example, have no associated accounting profile or event script to log the data in) might get uploaded to the archive site. This is not correct, as only files with accounting data must be uploaded. PR1313895

  • The commit might fail if the nexthop-learning command is enabled for jflow v9. PR1316349

  • In a subscriber management environment, if the shared bandwidth policer (shared-bandwidth-policer command) is configured, then the Flexible PIC Concentrator (FPC) CPU might reach 100% constantly. PR1320349

  • In setups with a scale configuration and/or intense SNMP polling, there could be timeouts for all the stats queries by snmpd/mib2d to the PFE or kernel. This happens with all statistics but it recovers after some settling time. Due to an issue tracked by this PR, the stats for some firewall counters do not try to recover and the counters are not created in the SNMP MIB. PR1335828

  • On MX Series platforms with virtual private LAN service (VPLS) configured, if multiple logical interfaces on the same physical interface are configured under a VPLS instance and the enable-mac-move-action option is configured for VPLS, after MAC moving on the logical interfaces, the error logical interface will be blocked. It might cause traffic to be dropped wrongly. PR1335880

  • Commit failed when attempting to delete any demux0 unit numbers that are greater than or equal to 1,000,000,000.

    user@router# delete interfaces demux0 unit 1000000000
    {master}[edit]
    lab@mx480-J10_01# commit
    re0:
    error: Failed to read config
    commit-check failed
    commit-check failed
    error: configuration check-out failed

    PR1348587

General Routing

  • A memory leak is seen in the LSP attributes object for the "RSVP 16" memory block. When there is an error during the creation of the RSVP path state (the PSB data structure), the data structure itself is freed but some associated memory is not freed. This causes a memory leak. It is very unlikely that this error condition ever happens on an NSR master Routing Engine (or when no NSR is configured). But on the NSR backup Routing Engine, there are more likely to be conditions that cause the path state creation to fail, thus exposing the memory leak in the error handling code. Thus this memory leak was seen on the NSR backup RE. PR1115686

  • Junos OS supports the setting of interface-mode trunk even though vlan-tagging or flexible-vlan-tagging is not in effect on the local interface. This results in an MTU that is 4 bytes smaller than the one when vlan-tagging is set. The difference in supported MTU can lead to an unexpected fragmentation issue, which results in silent discard in a Layer 2 network. Be sure to deploy consistent trunk configurations on all Junos OS routers that are part of the domain. PR1154024

  • On MX240, MX480, and MX960 platforms, due to a resources contention during multiple commit processes, the kernels might display I2C bus errors. PR1174001

  • In a corner scenario and with a rare race condition (for example, unified ISSU, GRES, and so on), if the rpd sends two delete requests to the kernel for the same next hop, it might cause the kernel to delete the second next hop multiple times, and it might cause the kernel to crash. PR1186334

  • The SNMP trap is implemented when a single input feed fails for an MX960 equipped with high-capacity PEMs. PR1189641

  • When PIC PB-4OC3-4OC12-SON-SF (4x OC-12-3 SFP) is replaced with PB-4OC3-1OC12-SON2-SFP (4x OC-3 1x OC-12 SFP) and a CLI commit is done, the replacement PIC type bounces. PR1190569

  • On MPC5E, the following error might be seen during a PIC offline/power off: CMIC:CMIC(0/1): Unable to deregister sub error (131072) for error(0x1b0001) for module MIC. These messages are false errors and can be safely ignored. There is no real impact on the behavior of the line card/PIC underneath. PR1221337

  • A pfed core file is observed after deleting apply-groups from the configuration. PR1223847

  • The following log is not an error and also does not indicate any functionality break or impact: error log cc_mic_irq_status: CC_MIC(5/2) irq_status(0x1d) does not match irq_mask(0x20), enable(0x20), latch(0x1d) seen continuously for "MIC-3D-4OC3OC12-1OC48". This PR fix converts this error into a debug message. PR1231084

  • FPCs on an MX960 platform might be stuck in offline state with FPC Incompatible with SCB due to a delayed PEM startup. PR1235132

  • After a chassis control restart, chassisd[9132]: LIBJSNMP_NS_LOG_NOTICE: NOTICE: netsnmp_ipc_client_connection: unix connection error: socket(-1) main_session(0x9812f80), error messages might be observed. These messages have no functionality impact. PR1243364

  • After detaching the last traffic bearing an IFD stream, the clean-up is not proper and it might result in issues. PR1243547

  • Sensors are not reused when the subscriptions have non-common paths. When subscribed from multiple servers for the same subscription, sensor reusage is not happening. PR1245902

  • In rare cases, if the unicast reverse path forwarding (URPF) is used, the rpd might crash and a core file might be generated during the next-hop change. PR1258472

  • vMX FPC generates core file panic (format_string=format_string@entry=0x9e509c4 "Thread %s attempted to %s with irq priority at %d\n"). PR1263117

  • In a scaled number of VRF instances scenario with vrf-table-label configured, the rpd might crash after deleting some VRF instances. PR1264464

  • PCC controlled LSP metric is not getting updated on the controller, and as a result PCE-delegated LSPs do not come up. PR1265864

  • On MPC2E-NG, MPC3E-NG, MPC5E, MPC6E, MPC7E, MPC8E and MPC9E cards, a firewall performance feature "fast-lookup-filter" can be activated. Due to transient parity error, the packet will be dropped within the PPE with the sync xtxn error message. This issue will affect traffic, which might eventually affect the service. PR1266879

  • Even if the traffic load balancing (TLB) feature is not configured, RSI output contains detailed composite next-hop (CNH) information. In case of large-scale CNHs (thousands), the output bloats the size of the file and might increase command runtime and contribute to the overall CPU utilization. PR1268460

  • In an OpenFlow scenario, an OpenFlow filter is automatically created for each OpenFlow logical interface. In a rare race condition, when an OpenFlow filter is deleted and queried at the same time (for example, delete an OpenFlow logical interface on one terminal while executing show openflow filters on another terminal), the openflowd process might get stuck in a loop, which might lead to 100% CPU usage. The OpenFlow filter query commands are as follows: show openflow filters, show openflow filters interface, and show openflow filters switch. PR1268527

  • The show chassis led command on MX Series routers should not be displayed in possible completions of the show chassis command, as this command is not valid for this platform. The issue is purely cosmetic. PR1268848

  • In an L2BSA scaling scenario, after bringing up about 12,000 subscribers, one or more FPCs will reboot. PR1273353

  • On all Junos OS platforms and in a L3VPN environment, the IPv6 ping does not work after a route leaking policy deployment is done between two L3VPN routing instances, whereas IPv4 ping works fine. Using a route leaking policy between VRF, IPv6 prefix learned through vrf2 is installed in the vrf1 routing table. When trying to ping the same IPv6 prefix from a vrf1 instance, ICMP echo requests go out of a PE1-CE2 interface, and CE2 sends echo replies, the PE1-CE2 interface also receives echo replies when capturing packet through the monitor traffic interface. However, IPv6 ping from vrf1 instance is not successful. PR1274339

  • Starting in Junos OS Release 16.1 and earlier, the kernel routing table (KRT) asynchronous queue might be stuck after a large scale of routes churning (for example, more than 4000), which might cause the routing information base (RIB or routing table) and forwarding information base (FIB or forwarding table) to be out of sync. PR1277079

  • On MX Series platforms, in a subscriber scenario, if you apply class-of-service (CoS) to subscriber, when issuing some changes to an Aggregated Ethernet (AE) bundle, CoS might not work as expected. PR1279788

  • In a rare corner case, the kernel crash might happen and a core file will be generated. PR1282573

  • For MPC7E/MPC8E/MPC9E on an MX Series platform, there is an enhancement to increase the threshold of corrected single-bit errors from 32 to 1024 and change the alarm severity from Major to Minor for those error messages. There is no operational impact from corrected single-bit errors. A log message is added to display how many single-bit errors had been corrected between the reported events, as follows: EA[0:0]: HMCIF Rx: Link0: Corrected single bit errordetected in HMC 0 - Total count 25 <<<<< EA[0:0]: HMCIF Rx: Link0: Corrected single bit errordetected in HMC 0 - Total count 26. PR1285315

  • LC/PFH/PFE interface is not coming up on RE1 in an MX104 platform if the router booted with a single Routing Engine on slot1. PR1285606

  • Sample topology setup:

    LDP over RSVP is configured as transport tunnel from R15 to R33 in stitched fashion.

    • RSVP session initiated by R15 is terminated by R22.

    • RSVP session initiated by R22 is terminated by R33.

    • Tunneled LDP is also stitched the same as RSVP is.

    CE1 in L3VPN site generates assured forwarding (AF) and best effort (BE) traffic toward CE2 site.

    Using CoS-based forwarding, a specific next hop LSP is assigned to each type of traffic.

    For convenience, call LSPs AF LSP and BE LSP, respectively.

    • AF LSP: primary path: R22 -> R21 -Link A-> R32 -> R33; secondary path: R22 -> R33

    • BE LSP: primary path: R22 -> R21 -Link B-> R32 -> R33; secondary path: R22 -> R33

    Issue: When Link B between R21 and R32 is brought down and then up, the path for BE LSP is switched to secondary and then back to primary again. With this operation AF traffic should not be affected; however, when the primary path comes up, AF traffic gets load-balanced across Link A and C, where primary and secondary paths for AF LSP get through respectively. PR1285979

  • A process (daemon) running on a Routing Engine communicates with the process on a line card to help maintain synchronization of the line-card wall clock to the Routing Engine. When receiving a synchronization request sent by the line card, a timestamp is added by the kernel. This timestamp is sent back to the line card. In some cases, the Routing Engine process might truncate this timestamp. As a result, the message sent back to the line card contains an inaccurate timestamp. This causes the line card time to slip away slowly. PR1286286

  • The message Shared bandwidth policer is not supported for interface ge-x/x/x is seen during a failed commit in Junos OS Release 16.1R3. PR1286330

  • With IKEv1 aggressive mode, dead peer detection and NAT-T might not work, because there is no vendor-ID shared. PR1290689

  • On MPC5, MPC6, MPC7, MPC8, or MPC9, when using the commands show chassis fpc and show chassis fpc detail, the temperature column displays a different value because the commands support different temperature sensor infrastructures. PR1290771

  • The routing protocol process (rpd) might generate a core file while restarting the process through the CLI command. PR1291110

  • This occurs only in a corner case where the Routing Engine mastership role is interpreted differently by rpd and the JSR_JSM thread in the kernel. PR1291247

  • The kernel might not install the route when the static route or static LSP next-hop address is the same as the address on the outgoing interface. PR1291917

  • During PPPoE subscriber login, errors like [ vbf_flow_src_lookup_enabled] and [ failed to find iff structure,ifl ] were seen on FPC. PR1294710

  • With Resource Reservation Protocol (RSVP)/Label Distribution Protocol (LDP) label-switched paths (LSPs) configured, the krt queue might be stuck when RSVP/LDP LSPs flap or optimize. This is a timing issue due to a race condition. PR1295756

  • On MX Series platforms with MPC7E-10G card, some random number of ports on MPC7E-10G might not come up after the remote system/line card connected to MPC7E-10G restarts or interface flaps. PR1298115

  • When the fire alarm threshold is reached, the chassis might trigger a shutdown with an incorrect high-temperature timer log message that does not indicate a fire condition. In case of a fire condition, the chassis shutdown wait time is 5 seconds. However, in case of high temperature, it is 240 seconds. PR1298414

  • This PR addresses the I2C bus errors for NON-HC AC PEM through software enhancements to I2C polling. PR1299284

  • On MX Series platforms with MS-MPC/MS-MIC installed, ICMP/ICMPv6 error messages generated by the intermediate node might be discarded while traversing through an AMS bundle with the multiservices interfaces configured as members. PR1301188

  • If nonstop active routing (NSR) is enabled, BGP will use Rsync (a TCP-based protocol for synchronizing files) to synchronize data between the rpd on master Routing Engine and the backup Routing Engine. When some routing-instance specific configurations are committed and BGP Rsync error occurs (such as a transport error that causes the BGP Rsync connection to go down) at the same time, a timing issue might occur that leads to rpd crash. PR1301986

  • The default interrupt threshold might cause an unwanted MIC reset when interfaces on an Enhanced MIC flap continuously. The fix of this PR introduces a new hidden CLI configuration: set chassis fpc <> pic <> interrupt-threshold <> (pic-slot takes only 0 or 2 as valid PIC slots). It lets the user configure the interrupt threshold to avoid false positives (unwanted MIC resets). PR1302246

  • The chassisd might crash when aborting unified ISSU during FRU upgrade phase on MX Series routers. PR1303086

  • On routers with XM-chip based line cards (for example, MX Series platform with MPC3E/4E/5E/6E/2E-NG/3E-NG), log messages might report fan speed changes between full and normal speed continuously, due to the XM-chip reaching a temperature threshold. PR1303459

  • Kernel messages: GENCFG: op for <Type> failed; err <id> <error string>. For example: %KERN-1-GENCFG: op 15 (Firewall) failed; err 1 (Unknown). It might be incorrectly classified as Alert message (Severity 1). Those are debug messages, and can be safely ignored. This PR reclassifies those messages as Debug (Severity 7). PR1303637

  • This issue occurs when using MPLS LSPs and RSVP-TE self-ping. When rpd sends out a self-ping packet and an RSVP packet at the same time, these packets might overwrite the kernel's packet buffers causing memory corruption and the kernel to panic. PR1303798

  • In some rare cases, if the filter aci command is present in the configuration, the output of the show pppoe lockout CLI command might be truncated, as shown in the following example:

    user@router> show pppoe lockout
    xe-0/0/0.1100 Index 368
    Short Cycle Protection: circuit-id,
    Lockout Time (sec): Min: 1, Max: 300
    Total clients in lockout: 0
    Total clients in lockout grace period: 13
    Lockout Time (sec): Min: 1, Max: 300
    Total clients in lockout: 0
    Total clients in lockout grace period: 89
    Lockout Time (sec): Min: 1, Max: 300
    Total clients in lockout: 0
    Total clients in lockout grace period: 35
    Lockout Time (sec): Min: 1, Max: 300
    Total clients in lockout: 0
    Total clients in lockout grace period: 1
    Lockout Time (sec): Min: 1, Max: 300
    Total clients in lockout: 1
    Total clients in lockout grace period: 25
    Client Address Current Elapsed Next
    IXIA#1#05#40:0.35 300 228 300 00:07:72:00:A1:42
    Lockout Time (sec): Min: 1, Max: 300
    Total clients in lockout: 0
    Total clients in lockout grace period: 0
    Lockout Time (sec): Min: 1, Max: 300
    Total clients in lockout: 0
    Total clients in lockout grace period: 1
    Lockout Time (sec): Min: 1, Max: 300
    Total clients in lockout: 0
    Total clients in lockout grace period: 5

    PR1304016

  • On MX2010/MX2020 platform, restarting the line cards with SFB2 (Enhanced Switch Fabric Board) used might cause link errors and training failure. Ultimately, the fabric planes might go into "check" state. PR1304095

  • On MX2000 line with MPC9E and MX2000 Enhanced Switch Fabric Board (SFB2) installed, certain high traffic volume (exceeding the supported reorder threshold) might cause transient traffic drops with cell underflow messages at the fabric input block. The fabric parameters are tuned to avoid such traffic underflow conditions and traffic drops. If traffic drop conditions continue at a sustained rate, it might lead to permanent impact on traffic forwarding. PR1304801

  • This type of core file indicates simultaneous operation on an ephemeral instance; for example, when a process wants to open ephemeral configuration in merge view, and some other activity (like purging, deletion/re-creation) is being carried out on this ephemeral instance. The occurrence of this core file is rare. PR1305424

  • Platforms running 32-bit Junos OS might experience an rpd process crash when traceoptions are enabled. PR1305440

  • The start shell pfe network fpc command is not working on MX960. PR1306236

  • If syslog errors pfeman_inline_ka_steering_gencfg_handler: nh not found for nh=<pfh nhid> are seen on the FPC after it reboots, it is likely that steering rules used for BFD packet redirection are not installed correctly. This might be caused by an unexpected replay order of IPC messages from the kernel when the FPC reboots. It might be advisable to reconfigure the impacted BFD sessions that use the respective for the redirect rules. PR1308884

  • On MX Series platforms with Pseudowire Headend Termination (PWHT) subscribers brought up on one FPC, if restarting another FPC, all the MICs on the FPC that has the PWHT subscribers might go offline. PR1308995

  • After performing a smooth fabric upgrade from SFB to SFB2 on an MX2010/MX2020 chassis, if a plane/SFB restarts, any MPC6E card installed in the chassis will be unable to perform fabric link training, which means the MPC6 cards cannot recognize the upgraded fabric. PR1309309

  • MX960 BNG might send two authentication requests per subscriber when changing the MTU of the LACP Ethernet link bundled A10NSP interfaces. The first attempt to bring up the subscriber fails sometimes but the second attempt is always successful. PR1309599

  • In the subscriber management scenario a profile-add-request for a dynamic VLAN might fail. This might cause subsequent subscriber logins for the same VLAN to fail. This is due to issues with internal data structure cleanup following the failed profile-adds. PR1309770

  • Subscriber management unified ISSU bug fix. PR1309983

  • Starting with Junos OS Release 15.1, with subscriber management configured (next-generation subscriber-management release), the bbe-smgd process might report memory leak after deleting/adding the address pool. It might impact the new subscriber login. PR1310038

  • In the subscriber management scenario with CGNAT configured, if the device is accessed by millions of sessions that do not match any CGNAT rule and are then put in the dropflow, the MS-MIC/MS-MPC memory utilization might stay at a high level (RED zone) because the dropflow is overloaded. This might also disrupt traffic flows while the device is in this situation. PR1310064

  • The krt_junos_sanity_check_ctrl_resp: rtsock request finally succeeded after error 16 syslog message is seen in Junos OS Release 17.1R1.8. PR1310678

  • In the dynamic profile, when variable $junos-ipv6-address is used under family inet6 address, a /128 local interface will be created, but it is not removed when the subscriber session terminates. When the subscriber session is up, the assigned ndra prefix is added along with the local 2a02:ed0:6000:b78::1/128 intf:

    2a02:ed0:6000:b78::/64 user 0 ucst 61920 974 si-0/1/0.2147483650
    2a02:ed0:6000:b78::1/128 intf 0 2a02:ed0:6000:b78::1 locl 52255
    Logical interface si-0/0/0.2147483649 (Index 432) (SNMP ifIndex 755)
    ......
    Addresses, Flags: Is-Primary
    Local: 2a02:ed0:6000:1::1
    Addresses
    Local: 2a02:ed0:6000:a::1
    Addresses
    Local: 2a02:ed0:6000:13::1
    Addresses
    Local: 2a02:ed0:6000:19::1

    PR1310752

  • In some cases after a BSYS reboot, rpd might be unresponsive on a GNF. PR1310765

  • Syslog messages with prefix %DAEMON-3-RPD_KRT_Q_RETRIES might report an incorrect error number. PR1310812

  • The FPC memory might be exhausted on QFX10002/10008/10016 platforms. After reaching 100 percent utilization, the FPC will stop processing the control traffic and the SHEAF leak messages will be seen in the syslog. PR1311949

  • A race condition causing rpd to generate a core file is observed in scale setup scenarios with continuous BFD session flaps (causing OSPF/RSVP session flaps). This is related to a software memory corruption caused by the RSVP PSB holding a stale pointer, which causes this memory overwrite. PR1312169

  • On MX240/MX480/MX960, PEM alarms and I2C failures with PCF8584 are observed. PR1312336

  • In general, an alarm for manual PIC reboot is raised after the user makes a port speed configuration change. However, if MPC6E is replaced with MPC8E/9E which has MIC MRATE installed, the MIC will restart automatically after the port speed change. This issue is due to an internal variable (PIC dynamic mode variable) that has a special value set for MPC6E. It is not reset to the default value after the MPC8E/9E is online, and results in the MIC restart. PR1312504

  • On MX Series platforms, the counter at the PPPoE session on the logical interface (IFL) will get incremented when a malformed PPPoE packet is received. PR1312998

  • In a few cases, it is observed that when routers were all up, the virtual services were down. This was seen mainly in configuration load override conditions. PR1313009

  • MPC5/6/7/8/9 inserted on MX2020 supports specific FPC sensors which are used to fetch temperature information. During SNMP periodic temperature check, the false over-temperature SNMP trap might be sent because of a software bug, causing it to compare temperature with the default threshold instead of the corresponding threshold. PR1313391

  • This PR adds the all-routers multicast address route (ff02::2) to the inet6 table of non-default routing instances. This is needed to receive router-solicitation packets on dynamically configured interfaces. The failure occurred because a received router-solicitation (RS) packet with destination FF02::2 was looked up in the FIB table attached to the interface, and if the interface (inet6 family) was attached to X.inet6.0, no route was found and the packet was never passed up to rpd. PR1313722

  • The show version detail command gives severity error log traffic-dird[20126]: main: swversion pkg: 'traffic-dird' name: 'traffic-dird' ret: 0. PR1313866

  • Frequent deletion of sessions might result in memory arena churn. Fix is added to optimize memory arena free, thereby avoiding flow-control exertion by service PIC. PR1314070

  • The show version detail CLI operational command hangs for more than 120 seconds in the master Routing Engine and more than 60 seconds in the backup Routing Engine when an extensible subscriber services related configuration is present in the router. PR1314242

  • While performing multiple switchovers with 1000s of subscribers, the smgd process might generate core files repeatedly if it is not possible to set up distributed multicast for a few subscribers. In this temporary fix, distributed multicast for problem subscribers in backup will not be set up. This will handle the problem gracefully. However, multicast traffic might stop for subscribers with incomplete data after a switchover if there is any other service activation. This can be recovered by a logout/login. PR1314651

  • This issue is observed while trying to encapsulate a MoFRR (MCNH) next hop that does not have a next-hop index. As per assumptions, the next hop (incoming/outgoing) must have a valid next-hop index before the route can be programmed to the kernel. But in this flow, the MoFRR next hop contains a NULL index, which causes assertions. PR1314711

  • IR-mode command commit failure is observed. PR1314755

  • RPC will throw an error after committing system services subscriber-management enable through NETCONF as follows: <error-severity>error</error-severity>. PR1314968

  • On all MX Series platforms, if the Point-to-Point Protocol over Ethernet (PPPoE) subscribers run on Layer 2 Tunneling Protocol (L2TP) Access Concentrator (LAC) over dual-tagged VLAN and auto-sensed VLANs, all the packets that are being sent to the L2TP Network Server (LNS) might be dropped, because the LAC Ethernet pads the PPPoE packets with larger size. PR1315009

  • The routing information base (RIB, that is, routing table) and forwarding information base (FIB, that is, forwarding table) might get out of sync on a very large scale network due to KRT queue being stuck. The KRT queue is used by the routing protocol daemon (rpd) to send forwarding information messages to Packet Forwarding Engines. Without this change, the queue might get into a state where no more messages can be sent to the Packet Forwarding Engines. This issue is applicable to Junos OS Release 16.1R1 and later releases. PR1315212

  • An FPC crash is observed when a route has unilist next hops that contain primary/backup paths. Also, interfaces related to unilist members go down when set protocol rsvp load-balance bandwidth is configured. PR1315228

  • The show version detail command gives the severity error log mobiled: main Neither BNG LIC nor JMOBILE package is present,exit mobiled. PR1315430

  • The show version detail command might generate severity error log main: name: SRD ret: 0. This is a cosmetic issue. PR1315436

  • On MX Series platforms with MPC cards, frequent fan speed changes might be seen. PR1316192

  • The show auto-configuration out-of-band CLI command executed on an MX Series router with different options shows the same output for all of them, as illustrated in the following output:

    user@router> show auto-configuration out-of-band
    Circuit Id Remote Id Subscriber IFL Session ID VLAN
    circuit-12001 ge-2/2/0 0 1
    circuit-12002 ge-2/2/0 0 2
    circuit-12003 ge-2/2/0 0 3
    circuit-12004 ge-2/2/0 0 4
    circuit-12005 ge-2/2/0 0 5

    user@router> show auto-configuration out-of-band pending
    Circuit Id Remote Id Subscriber IFL Session ID VLAN
    circuit-12001 ge-2/2/0 0 1
    circuit-12002 ge-2/2/0 0 2
    circuit-12003 ge-2/2/0 0 3
    circuit-12004 ge-2/2/0 0 4
    circuit-12005 ge-2/2/0 0 5

    user@router> show auto-configuration out-of-band brief
    Circuit Id Remote Id Subscriber IFL Session ID VLAN
    circuit-12001 ge-2/2/0 0 1
    circuit-12002 ge-2/2/0 0 2
    circuit-12003 ge-2/2/0 0 3
    circuit-12004 ge-2/2/0 0 4
    circuit-12005 ge-2/2/0 0 5

    user@router> show auto-configuration out-of-band all
    Circuit Id Remote Id Subscriber IFL Session ID VLAN
    circuit-12001 ge-2/2/0 0 1
    circuit-12002 ge-2/2/0 0 2
    circuit-12003 ge-2/2/0 0 3
    circuit-12004 ge-2/2/0 0 4
    circuit-12005 ge-2/2/0 0 5

    PR1316661

  • On MX Series platforms, demux interface over IPv6 sends neighbor solicitation with a source link-address of all zeros: 00:00:00:00:00:00 MAC. PR1316767

  • If the output from show configuration <> | display json contains alphanumeric values (for example, 10m, 512k) or wildcards (like <*>), and the alphanumeric value or wildcard represents a number, they might not be enclosed in double quotation marks. PR1317223

  • Mutable objects might not be thread-safe when they are updated by threads. PR1317961

  • Making changes in services traffic load-balance instance for one instance can lead to the refresh of existing instances. PR1318184

  • If unified ISSU is done from Junos OS Release 15.1 to Junos OS Release 16.1, after the upgrade to 16.1, applying new services (residential or business, for example, CoA shaping rate) will fail on subscriber sessions inherited from Junos OS Release 15.1. If the issue occurs, authd logs will show the error code SDB Update Blocked. For example, Nov 3 15:21:36.392846 createServiceSession SDB entry fails SDB update blocked. PR1318319

  • The show subscriber summary command displays an incorrect terminated subscriber count. PR1320717

  • The routing protocol process (rpd) might crash during heavy next-hop churn. PR1318476

  • In a subscriber management scenario with Point-to-Point Protocol over Ethernet (PPPoE) configured, bbe-smgd might crash if performing graceful routing engine switchover (GRES) during PPPoE subscribers login. This is a timing issue and only part of the subscribers might get synchronized to the standby Routing Engine in this case. PR1318528

  • In the subscriber management environment and a rare scenario, bbe-smgd process might crash multiple times and fail to recover. PR1318887

  • In rare conditions, MS-MPC/MS-MIC might crash due to too many rekey packets after a new Internet Protocol Security (IPsec) VPN tunnel is added. All tunnels on that PIC would be brought down and traffic might be lost. PR1318932

  • At the completion of MX Series Virtual Chassis unified ISSU, the Virtual Chassis backup member chassis connection to the Virtual Chassis master SNMP daemon is impaired and does not reconnect properly. Performing a local Routing Engine mastership switch on the Virtual Chassis Backup chassis corrects the SNMP connection and restores access to the Virtual Chassis backup chassis MIB objects. PR1320370

  • FPC degraded fabric condition detected was reported and FPC might be rebooted if fpc-offline-on-blackholing was configured. The trigger is that the FPC has only one Packet Forwarding Engine on this slot, but an FPC that had two Packet Forwarding Engines was installed in this slot before. PR1320774

  • For DSL subscribers such as Point-to-Point Protocol over Ethernet, when a customer premises equipment (CPE) device is administratively powered off, the Broadband Remote Access Server (BRAS) terminates the subscriber as expected upon the expiry of the configured PPP Link Control Protocol (LCP) keepalive value. However, in a scaled scenario, a few subscriber sessions remain active even though the keepalive has expired, because the same CPE (client) cannot reconnect unless the former sessions are cleared/deleted from the server or the client waits for an extended amount of time to make sure the server internally clears those sessions. PR1320880

  • In a subscriber management environment, MX Series routers might respond to DHCPv6 solicit and router solicitation requests before completing the PPP IPv6CP negotiations with the CPE. PR1321064

  • MX Series Virtual Chassis CoS is not applied to Packet Forwarding Engine when VCP link is added. PR1321184

  • While running SNMP walk with continuous server flaps for over an hour, it is observed that for a few instances the VS summary shows as down but RS shows as up. PR1321318

  • On MX Series platforms in a scaled Point-to-Point Protocol over Ethernet (PPPoE) dual-stack subscriber scenario, the bbe-smgd process generates core files after a massive number of clients log out and log in. PR1321468

  • With drop policy configured under radius-flow-tap, when sending a RADIUS CoA-request for lawful intercept (LI) activation for Layer 2 Tunneling Protocol (L2TP) enabled subscribers, a CoA-NAK with Error-Cause = Invalid-Request is sent back to the RADIUS server by BNG-LAC. PR1321492

  • The SNMP MIB walk takes a longer time as compared to earlier releases because of the TLB scale scenario. PR1321613

  • When two next hops are installed and they have the same next-hop index in the kernel, an rpd crash on the master Routing Engine might happen. PR1322535

  • After multiple iterations of MS-MIC offline/online, the MIC interface logical interfaces (IFLs) remain down due to a failure in Routing Engine-to-PIC control communication over the Packet Forwarding Engine. PR1322854

  • The show subscribers client-type vlan subscriber-state active logical-system default routing-instance <routing-instance name> command does not work. This is only a display issue and not a functional issue. The show subscriber or show subscriber detail command can be used instead to achieve the same result. PR1322907

  • In a subscriber management scenario where the static subscriber interface is used, an item for the underlying interface might be still on the device after the underlying interface comes down. The stale item on the device further results in login failures for all the subsequent subscribers corresponding to the involved interface, after the underlying interface comes up. PR1324446

  • Starting in Junos OS Release 15.1 (enhanced subscriber management), SNMP interface filters will not work for subscriber interfaces when "interface-mib" is part of the subscriber dynamic profile. Without "interface-mib" in the subscriber dynamic profile, there is no change in behavior. PR1324573

  • When a VLAN re-write operation occurs on the outgoing packets and the outer VLAN ID is >2047, the wrong VLAN ID might be placed. This issue happens when Ethernet OAM is configured on a port on DPCE cards. PR1325070

  • When the XM chip temperature increases above 67 degrees Celsius, its Packet Forwarding Engine forwarding capacity of 130 Gbps might be reduced by 3 percent, which might affect production traffic in certain corner-case scenarios. PR1325271

  • On MX Series platforms, when disabling an aggregated Ethernet (AE) interface and deactivating the micro BFD session on the AE interface, and then enabling the AE interface again, IS-IS fails to establish (even though the AE and all its child interfaces are up). PR1325311

  • On MX Series platforms, when performing unified ISSU from a Junos OS release before 15.1 to Release 16.1, some FO (Fabric Out) request timeout log errors might lead to an increased number of fabric drops and the traffic passing through the fabric might also be dropped. PR1326275

  • In a subscriber scenario with MX Series routers running Junos OS Release 15.1 or later, with subscriber-management enabled, if restarting smg-service or performing GRES, the VLAN demux interface does not respond to the ARP request. PR1326450

  • On MX Series routers, the BNG CoS service object is not deleted properly for TCP and scheduler. PR1326853

  • Some of the show commands are issued twice while executing request support information. PR1327165

  • Deterministic-nat and AMS with load-balancing-options is not supported because the algorithm of deterministic-nat cannot work in a load-balancing scenario. On the other hand, deterministic-nat and AMS with redundancy-options is supported. An error message is added to indicate the same. PR1329049

  • When an AMS bundle has a single maximum allocation bandwidth constraints model (MAM) added to it, the subinterfaces do not recover after the subinterface has been disabled. PR1329498

  • If the scale of the SNMP query is very large/frequent and the Packet Forwarding Engine is unable to process such large requests within a required time, the following general error is logged during the SNMP MIB walk. This syslog is printed by mib2d when PFED runs out of transfer credits (maximum number of requests) to the Packet Forwarding Engine. The performance of SNMP walk for the interfaces related to the MIB objects in Junos OS Release 16.1 and later is improved. Messages:

    mib2d[4943]: %DAEMON-4-SNMP_EVLIB_FAILURE: PFED ran out of transfer credits with PFE.Failed to get stats. ifl index: 794
    mib2d[4943]: %DAEMON-4-SNMP_EVLIB_FAILURE: PFED ran out of transfer credits with PFE.Failed to get stats. ifl index: 798

    PR1329931

  • The show services nat mappings address-pooling-paired command times out and fails. This occurs because the MS service MIC takes more than 60 seconds to process. PR1330207

  • On MX2010/MX2020 platforms, the Too many supplies missing in Lower/Upper zone alarm flap (set/clear) continues every 20 seconds if a zone does not have the minimum number of required PSMs. The alarm is stably turned ON under chassis alarms. PR1330720

  • In certain rare scaled system scenarios, after disabling GRES+NSR (nonstop routing), rpd crashes and generates core files on the new backup Routing Engine due to the race condition of the SIGTERM on rpd. In the fix, the termination flow was corrected for rpd when GRES+NSR are disabled. Because the core files are seen on the backup Routing Engine, there is no traffic impact. PR1330750

  • FPC wedge with fragmented packets on link services intelligent queuing interface (LSQ) interface - PT1: Head and tail are out of synchronization. PR1330998

  • FPC crash occurs at jnh_counter_delink_counter_group. PR1331395

  • The bbe-smgd process might crash when the clear ancp access-loop circuit-id <circuit id of interface set> CLI command is executed in a subscriber scenario. PR1332096

  • The updated routes are being sent by rpd to SRRD with the same timestamp, and these routes are being sent by SRRD to its clients. Inline J-Flow uses the timestamp field to identify whether a route is an actual update. Because the timestamp in the route is not being changed, the route updates were being ignored. The fix is to ignore the timestamp and compare all fields of interest. Even if only one of the fields is changed, it is considered to be an update and honored. PR1332666

  • On MX Series platforms with a Point-to-Point Protocol over Ethernet (PPPoE) subscriber environment, in order to increase overall system performance of subscriber accessing, after optimizing the session database (SDB) using short-term storage (STS) cache, the subinfo process might crash and might cause the SDB of the MX Series subscriber to experience a down event. As a result, the PPPoE subscribers might get disconnected from the MX Series. PR1333265

  • After successive flaps on core interfaces in active-active multihoming EVPN-VXLAN, some race conditions can trigger constant high CPU usage on the backup Routing Engine. The rpd process shows very high CPU usage, the subsystem does not respond, and the NSR task is in a non-complete state. During multiple EVPN-VXLAN core interface flaps, rpd does not process the next-hop entries learned by L2 learning in Junos OS and goes into an infinite loop, causing 98 percent CPU usage on the backup Routing Engine. The issue is fixed in the Junos OS rpd code by adding a preventive check when an LB next hop is learned by L2 learning. PR1334235

  • When performing unified ISSU to the builds with indus changes (18.2+), the fix of this PR should be present in both “from” and “to” builds. Otherwise, the FPC will restart. PR1334612

  • The UID limit is reached in a large-scale subscriber scenario when dynamic profiles use UID variables, or CoS is configured in Junos OS Release 15.1 or later releases. PR1334886

  • When using show subscribers and the FPC number has two digits, the interface and IPv6 address get connected together for DHCPv6 PD. PR1334904

  • When NonStop Active Routing (NSR) is enabled and the Routing Information Protocol (RIP) route updates are incoming over 32 packets/second (512 bytes/packet), the NSR replication socket might drop some packets due to the small default Packet Replication Layer (PRL) queue size. The fix dynamically increases the PRL queue size when the queue gets filled up due to the high incoming packet rate. PR1335646

  • On MS-MPC/MS-MIC in ALG scenario, MAC_STUCK might be seen and traffic may be lost. PR1335956

  • Subscriber management experiences SDB DOWN event; dfcd[4707]: %DAEMON-3 Attempting to close SDB while DOWN. PR1336388

  • On MX2000 line with MPC7/8/9E and MX2000 Switch Fabric Board (SFB) installed, the FI cell underflow errors can happen when link utilization approaches 100G and the re-order window size on the egress Packet Forwarding Engine FI block exceeds threshold 512. PR1336446

  • The service creation fails in bbe_cos_iflset_conf_add may cause bbesmgd core file. PR1336852

  • In a subscriber management environment, with an MX Series router working as (L2TP tunnel switch), the error log message sdb_db_interface_remove might be seen when a subscriber logs out. This log message is innocuous and can be ignored or filtered out from the logs. PR1337000

  • The PR will reduce LNS scale over ASI interface on MPC3E NG HQoS and MPC5 from 64,000 to 32,000 subscribers on that Packet Forwarding Engine.PR1341659

  • In some scenarios, when a discard interface configured with IGMPv3 join an existing multicast flow, because of a change in the outgoing interface list (OIL) KRT queue gets stuck during multicast next-hop (MCNH) reprogramming. PR1342032

  • On MX Series platform with 100M SFP used on MIC-3D-20GE-SFP-E/MIC-3D-20GE-SFP-EH, SFP might not work if it is not from Fiberxon or Avago. PR1344208

  • In a subscriber management environment MX Series router responds to DHCPv6 Solicit and router solicitation requests before completing the PPP IPv6CP negotiations with the CPE. PR1344472

  • The ancpd process might generate a core file when clearing ANCP subscribers in a scaled scenario when enhanced-ip is configured. PR1344805

  • On MX Series platforms, when converged service support for Routing Engine-based captive portal is used, cpcd core files might be observed. PR1345096

  • In some circumstances some Point-to-Point Protocol over Ethernet (PPPoE) sessions might not be totally cleaned up. This might cause login failure for new PPPoE users. PR1346226

  • If the CLI command show pppoe statistics is issued to check the "AC system error" counter (sent statistics), the counter might not increase when there is an access concentrator (AC) system error. The issue is due to a mismatch between PPPoE actual statistics and PPPoE management show statistics. PR1346231

  • On MX Virtual Chassis (MX VC) setup, with at least two vcp interfaces on separate FPCs configured, if one vcp link is deleted on Master Routing Engine in the Virtual Chassis master router (VC-Mm), VCCP-ADJDONW detection might be delayed on Master Routing Engine in the Virtual Chassis backup router (VC-Bm). PR1346328

  • The twice-napt-44 sessions are not synchronizing to the backup SDG with stateful synchronization configured. PR1347086

  • When community_action is specified with community_name in NETCONF for an insert after operation, the parse error in identifier attributes error occurs and the insertion fails. PR1348082

  • The MPC might crash due to ISR 2 MIC error interrupt hogging. The core files can be seen by executing the CLI command show system core-dumps. PR1348107

  • On MX2000 line routers, the chassisd (chassis process) might crash and Routing Engine switchover occurs after replacing MPC6E/7E with an MPC9E line card in the same slot. The new inserted MPC9E is not able to come online. PR1348834

  • On MX240/MX480/MX960/SRX5400/SRX5600/SRX5800 platforms with DC PEMs (Power Entry Modules), the major PEM alarm "Major PEM x Input Failure" may be observed in rare conditions and the PEM might be powered off by the chassis. PR1349179

  • If there is a label swap plus egress mirroring on the MPLS family, with the mirror interface hosted on a remote Packet Forwarding Engine, then internal variables get updated incorrectly. Because of this, when the swapped-in label is to be written, it might trigger ending an incorrect extension header, which in turn might carry an incorrect policy_map and drop the traffic. PR1350380

  • pfed process consumes high CPU on PPC-based routers running subscriber management. This occurs on MX5, MX80, and MX104. PR1351203

  • The high CPU usage of BBE subscriber management daemon (bbe-smgd) might be seen when Layer 2 Bit Stream Access (L2BSA) subscribers get stuck. PR1351696

  • When BGP and nonstop-routing (NSR) are configured, after graceful Routing Engine switchover (GRES) from RE1 to RE0 and then rebooting the backup immediately, all BGP neighbors might reset. On the backup Routing Engine, the BGP Idle state lasts 1 minute or 7 minutes, which means the BGP neighbors on the backup Routing Engine take around 1 minute or 7 minutes to establish once the backup Routing Engine boots up. PR1351705

  • In a subscriber environment, the bbe-smgd daemon might restart while executing the command clear igmp statistics. PR1352546

  • The rpd process could end up getting stuck due to repeated failures to initialize the route record module. PR1353548

  • The error message indicates that the filter index as identified in the message failed to bind to the BBE subscriber's IFL. dfw_bbe_filter_bind:1125 BBE Filter bind type 0x84 index 167806617 returned 1. PR1354435

  • There is a memory leak in agentd. PR1354922

  • On MX Series platforms, if Simple Network Management Protocol (SNMP) traps are enabled, i2c messages from the power entry module (PEM)/power supply module (PSM) might be seen. PR1356259

High Availability (HA) and Resiliency

  • In a node slicing setup, downing the Control Board ports on both servers can result in one or more GNFs displaying not ready under the show system switchover command. Performing an NSR in this state might result in protocol flaps and traffic disruption. As a workaround, run the restart kernel-replication command on the backup. This restarts ksyncd and makes the system GRES ready. PR1306395

  • On MX platforms with MS-DPC, if sampling or flow-monitoring is configured, the ksyncd on the new backup Routing Engine (RE) might crash continuously after performing a Graceful Routing Engine Switchover (GRES). This might cause GRES to be not ready, and the ksyncd remains unrecoverable until the backup Routing Engine reboots. PR1329276

  • When GRES is configured with large-scale configurations (for example, 20K subscribers), if the ksyncd repeatedly runs into a replication error, the kernel synchronization process (ksyncd) will trigger a "gather-crashinfo" script, which is run by ksyncd internally, to generate debug information into files on both Routing Engines (master and backup). If the generated files are large (gigabytes), it might lead to insufficient available space on the hard disk. And the debug information as well as all the core files will be saved in one single .tgz file on the backup Routing Engine. PR1332791

Infrastructure

  • The syscalltrace.sh script gets installed as part of Junos OS Release 16.1R1 and later releases, and it is triggered whenever there is a replication error on the backup Routing Engine. It logs the system function call to the output file, which provides additional debug information. However, it might create large files due to a bug in this script. We recommend uninstalling this script after Junos OS is upgraded in the production network. Uninstalling this script has no functional impact on the router. PR1306986

  • The underlying allocator does not clean up when a thread exits. PR1328273

Interfaces and Chassis

  • Online insertion and removal (OIR) is not currently supported on a PIC (PD-4XGE-XFP). When a PIC (PD-4XGE-XFP) is pulled out from an FPC that is not offline, the FPC will crash, generating a core file. PR874266

  • T3 interface configured with compatibility-mode digital-link might fail to come up due to incorrect subrate. PR1238395

  • VRRP mastership does not change after priority is changed for certain VRRP groups. PR1242243

  • Rate-limit dropped packets are not displayed by the [show interfaces <ifl> detail] and [show interfaces <ifl> extensive] commands. The drop can be seen with the show interfaces queue command. This is a cosmetic issue and traffic is passing correctly. PR1249164

  • The snmp-set command fails when the FPC/PIC/port has a value greater than 9. PR1259155

  • The jpppd process might report error messages about RLIMIT_STACK and RLIMIT_SBSIZE after the show version detail command is issued. PR1262629

  • In Junos OS Release 16.1 and later releases, the monitor interface on AE logical interfaces (IFLs) shows an incorrect bps value compared to show interface output. The issue is not visible when comparing the monitor interface value for AE physical interfaces (IFDs). PR1283831

  • In a Layer 2 Tunneling Protocol (L2TP) scenario with enhanced subscriber-management mode and the MX Series router is working in the L2TP Network Server (LNS) role, some L2TP subscribers with fixed-IP returned by RADIUS might not be cleared if the access-internal routes of such subscribers fail to install. PR1298160

  • IRB interface is showing incorrect bandwidth value. PR1302202

  • On MX104 platform with the set system process ethernet link-fault-management disable command configured, AFEB might not come up after restarting router/AFEB. PR1306707

  • In a Point-to-Point Protocol over Ethernet (PPPoE) subscriber management scenario, if subscriber authentication fails, the subscriber logical interface will be in the disabled state. This causes the jpppd process to drop the next Link Control Protocol (LCP) termination request packet from the subscriber, instead of answering it with an LCP Ack and closing the PPPoE session with a PPPoE Active Discovery Termination (PADT) packet. This issue impacts session setup for this subscriber. PR1311113

  • The ifinfo process might crash and generate a core file when the CLI command show interfaces <name> is executed with a name longer than 128 characters. PR1313827

  • Due to a deficient dependency check of interface and interface-set, an invalid configuration in which a disabled/deactivated interface is included in an interface-set can be committed without any commit error. This might cause dcd to get into an inconsistent state and result in continuous crashes of dcd, chassisd, and mib2d after system reboot. With the fix for this PR, the commit of such an invalid configuration fails with a commit error. PR1316976

  • There is no route to the IP address from the directly connected route on the static VLAN demux interface when the configuration of the static VLAN demux interface is changed from the unnumbered approach to a configuration with an explicit IP address (/30, for example). PR1318282

  • When an MX Series router is running BNG/subscriber management functionality, for a dual-stacked subscriber the IPv6 Framed Interface Id field (from the show subscribers extensive output) does not match the negotiated one. PR1321392

  • In a Point-to-Point Protocol over Ethernet subscriber environment, continuous fault log messages might be seen on the backup Routing Engine. The issue does not have an impact on service. PR1328251

  • When multiple Virtual Router Redundancy Protocol (VRRP) groups are separately configured on different units of an AE bundle, and unit 1 has both inner and outer VLAN configured, all the other VRRP groups might malfunction for the period of time configured by "failover-delay", under the VRRP stanza, after AE bundle unit 1 is deleted. PR1329294

  • If an interface is configured as a member of interface-set, it might not work properly after an unrelated FPC (not the one on which the interface resides) restarts. The affected FPC is the restarted one. PR1329896

  • In some situations, like multiple commit in a short time with scaled configuration, dcd memory leak might occur. This could cause commit to fail. PR1331185

  • The transportd process might crash when there is an SNMP query on jnxoptIfOChSinkCurrentExtTable with an unsupported interface index. PR1335438

  • When multiple VRRP sessions with the same group ID are configured on the same port (aggregated Ethernet interface or a physical interface), even though their mastership state is the same as the master, the MAC filter might get deleted when a logical interface (IFL) gets disabled or deleted even if there are other VRRP sessions in the mastership state of the same physical interface (IFD). PR1338277

  • Core is only seen on backup Routing Engine. No functional impact. PR1350563

  • If the multichassis aggregated Ethernet (MC-AE) is configured with enhanced-convergence and the number of logical interfaces (IFLs) under AE physical interface (IFD) are high, the FPC might be stuck at 100% during initial configuration load or FPC restart and this might result in other event processing being delayed. This issue only affects MX with Trio-based FPC. PR1353397

Layer 2 Ethernet Services

  • On MX Series routers, when the BNG is configured as the DHCPv6 local server for IPv6 prefix delegation alone and a DHCPv6 client bound to an IA_PD prefix sends a request for an IA_NA prefix, the MX Series router responds with a REPLY message with STATUS_NO_ADDR_AVAIL, which is correct, but it deletes the existing binding for the PD prefix, which is not the expected behavior. PR1286359

  • When a configuration change adds an existing interface to a new routing instance or logical system and the same configuration change is used to enable BBE DHCP subscriber functionality on that routing instance, then the client creation might fail. PR1294274

  • Due to a software defect introduced via PR1174001, MX Series platforms might display a false positive Control Board alarm. PR1298612

  • A jdhcpd core file is generated after making DHCP configuration changes. PR1324800

  • SNMPGET does not work for OID 1.3.6.1.4.1.2636.3.53.1.1.4.1.1.1/dot3adInterfaceName; SNMPGETNEXT does work with one less value. Output in the problem state:

    snmpget -c public -v 2c -M ./mibs -Os <RIP> dot3adInterfaceName.822
    dot3adInterfaceName.822 = No Such Instance currently exists at this OID.

    PR1329725

  • On all MX Series routers, memory leak might occur in l2cpd with 36 bytes blocks per event if the l2-learning process is disabled. The l2cpd tries to connect l2ald periodically and if it fails to connect l2ald after many such attempts, finally, a memory leak for l2cpd occurs. PR1336720

MPLS

  • When RSVP is configured, RSVP neighbors are present, and the system is under very high CPU load conditions, the rpd process might crash in rare cases. PR1138190

  • The routing protocol process (rpd) might stop running unexpectedly if a static MPLS LSP is moved from one routing instance to another routing instance in one single configuration change with one single commit. The rpd will need a manual restart with "restart routing". PR1238698

  • When the scale of ingress RSVP LSPs is high, or after the ingress RSVP LSPs have undergone repeated reconfiguration, a forwarding table export policy that uses “install-nexthop lsp/lsp-regex” keywords, or a “next-hop-map” that uses “lsp-next-hop” keyword, might not always correctly identify the next hop corresponding to a given RSVP LSP. This might result in incorrect selection of LSPs for CoS and/or forwarding table export. PR1261739

  • The problem is specific to the case where interface hello has been disabled on the direct hello session Juniper Networks routers running Junos OS Release 16.1 or later. If enhanced FRR is disabled on the routers, then the problem will not be observed. PR1275563

  • In an L2 circuit scenario, while processing an advertisement of an LDP signaled L2 circuit, it gets stale binded because of the corrupted LDP structure. As a result, the rpd crashes. The reason for this corruption is not found, and this issue is not reproduced. PR1275766

  • When performing traceroute to a remote host for an MPLS label-switched path signaled by the LDP, the rpd process might crash. PR1299026

  • If next-generation MVPN and RSVP-TE are configured at the same time, the traffic in the P2MP tunnel might be lost if next-generation MVPN has more than one routing instance on router. PR1299580

  • In rare conditions, where traffic engineering is configured and there are more than four addresses configured for the loopback interface, the rpd process might crash when there are multiple Interior Gateway Protocol (IGP) flaps. PR1303239

  • The RSVP node-hello packet might not work after the next hop for the remote destination is changed. PR1306930

  • In some cases, it is seen that the label states are getting deleted twice, which results in routing protocol process (rpd) crash. This is applicable only when ultimate-hop popping (UHP) based label-switched paths (LSPs) are configured. PR1309397

  • When LDP egress-policy is configured for the BGP route and a label is received for a BGP route in inet.0 table from LDP, if BGP receives a new label for the same BGP route matching the LDP egress-policy, rpd might crash because of updating the new label. PR1312117

  • The show mpls container-lsp output will not show any egress LSP until the enhanced FRR is enabled for these egress LSPs. PR1314960

  • For Junos OS Release 16.1 running on MX Series routers, when using enhanced FRR, node-ID based hellos are enabled by default. When you disable enhanced FRR and node-hello under protocol RSVP, you might still observe node neighbor(s) in the result of show rsvp neighbor. This is a cosmetic issue and will not cause any service impact. PR1317241

  • If there are some LSPs for which a router has made link protection available and when primary link failure is caused by FPC restart, a core file might be generated. PR1317536

  • In an LDP over RSVP setup, when the RSVP label-switched paths (LSPs) have protection and a route can be reached through both LDP direct neighbor (IP next hop) and LDP remote neighbor over RSVP LSPs (RSVP next hop), the LDP route next hop is transitioned between the IP next hop and the RSVP LSP next hop. Then RSVP LSP make-before-break (MBB) can happen, and the LDP route might use a stale RSVP LSP next hop because of a timing issue. This might cause the rpd process to crash. PR1318480

  • When the dynamic tunnel is configured and RSVP signaling is disabled, any configuration that affects dynamic tunnels might cause the rpd process to crash. PR1319386

  • With the deployment of l2circuit on MX Virtual Chassis (MX VC), where an aggregated Ethernet interface (AE) works as the core-facing interface and its member interfaces are spread across Virtual Chassis members, if the IPv4/IPv6 multicast traffic comes in via the l2circuit and goes out through an AE member interface across Virtual Chassis members, the traffic might get dropped on the egress Packet Forwarding Engine. The egress Packet Forwarding Engine on the other Virtual Chassis member recalculates the hash value after the new Layer 2 header and MPLS label are pushed, which results in a different hash value from the one calculated by the ingress Packet Forwarding Engine, thus causing packets to be dropped. PR1320742

  • When make-before-break (MBB) events such as reoptimization, auto-bandwidth, and interoperability with earlier releases happen in an RSVP scenario, the rpd might crash. PR1321952

  • For non-auto-bandwidth LSPs, in a scenario where some of routes resolving over the RSVP LSPs are withdrawn, the SNMP OID counters for mplsLspInfoAggrOctets might show a constant value for RSVP LSPs for a longer time (for more than a few cycles of statistics sampling interval) and do not match the statistics of show mpls lsp statistics during that time. PR1327350

  • Packet loss might be observed when auto-bandwidth is enabled for circuit cross-connect (CCC) connections and label-switched-path (LSP) no-self-ping with no-install-to-address is configured. PR1328129

  • When there is an error during creation of the RSVP path state (the PSB data structure), the data structure itself is freed but some associated memory is not freed. This causes a memory leak. It is very unlikely that this error condition ever happens on an NSR master Routing Engine (or when no NSR is configured). But on the NSR backup Routing Engine, conditions that cause the path state creation to fail are more likely, thus exposing the memory leak in the error-handling code. For this reason, the memory leak was seen on the NSR backup Routing Engine. The fix in this PR addresses mitigation of the memory leak due to the RSVP_HOP object. PR1328974

  • Whenever there is a decrease in the statistics value across an LSP, the mplsLspInfoAggrOctets value takes two statistics intervals to get updated. mplsLspInfoAggrOctets will hold the same value for two statistics intervals (including the statistics interval at which there was a decrease in statistics) and will get incremented from the next statistics interval onward. PR1342486

  • On all platforms running Junos OS that support point-to-point serial interfaces, if the Label Distribution Protocol (LDP) neighbor is set up with another vendor's device (for example, Cisco ASR) via a directly connected serial link, and an implicit-null label advertisement is received for the serial link prefix from the peer device, a nonreserved LDP label will be accordingly generated for the serial link prefix and installed into the label mapping table. However, by default Junos OS should not generate labels for non-host interface routes. The unexpected behavior will cause potential packet loss in MPLS forwarding. PR1346541

  • The rpd crash might happen when RSVP setup-protection is configured, and the primary interface for the LSP flaps multiple times. Even with setup-protection, this crash is not easily reproducible. PR1349036

  • When LDP failed to allocate self-id for the P2MP FEC because the self-id had not been released by another protocol, rpd might crash in the LDP P2MP area in a very rare scenario. PR1349224

Multicast

  • Multicast traffic is not forwarded on the newly added P2MP branch/receiver because Multicast indirect next hop and alternate forwarding next hop (snooping route) go out of sync after the receiver leaves the group. PR1317542

Network Management and Monitoring

  • A vulnerability in Junos OS SNMP MIB-II subagent daemon (mib2d) might allow a remote network-based attacker to cause the mib2d process to crash, resulting in a denial-of-service (DoS) condition for the SNMP subsystem. PR1241134

  • The mib2d process logs an RLIMIT curr 1048576000 max 1048576000 message every time a commit is performed. This might lead the operator to believe that the memory limit of 1 GB has been reached. PR1286025

  • When an SNMP MIB view is attached to a community, the default views of "_all_" and "_none_" get added to the view linklist on each snmpd configuration update (SIGHUP) signal. This list can grow long, and it causes the queries to loop through all the entries during view-based access control model (VACM) checks. This causes a CPU hike during SNMP queries. PR1300016

  • Syslog duplicate entries of hostname and timestamp are breaking the standard logging format. PR1304160

  • During SNMP polling on interface MIBs, if the FPC restarts or interfaces flap, a mib2d crash might be seen. PR1318302

  • On platforms running Junos OS with SNMP enabled, snmpd might stop or become very slow once in a very long period of time (for example, once in 6 months). If snmpd restarts, then it responds faster again. PR1328455

  • With interface-mib configuration in dynamic-profile, when multiple OIDs are queried in an SNMP get walk, the router might reply with No Such Instance currently exists at this OID for some of the OIDs. PR1329749

Platform and Infrastructure

  • When certain hardware transient failures occur on an MQ-chip based MPC, traffic might be dropped on the MPC, and syslog errors Link sanity checks and Cell underflow are reported. There is no major alarm or self-healing mechanism for this condition. PR1265548

  • Synchronization of the ephemeral default database will not work between the master and backup. Synchronization of the instance ephemeral database is not impacted by this issue. PR1279653

  • On MX Series routers with MPCs, if the IRB index gets an invalid value and the IRB interface is deleted or any configuration change is made for this IRB interface, an MPC crash might be seen. PR1281107

  • On all routers running Junos OS, the dexp process might crash and cause a commit time to increase after committing set system commit delta-export if there is no “any” configuration under groups. PR1284788

  • There is a day-1 bug in the generate-event time-interval usage. There are two timer events triggered on the commit of such a configuration. One is fired immediately on commit action and another after the actual timer expiry. This is now corrected and the timer event is fired only on the actual expiry. PR1286803

  • Prior to this fix, the 'mem free' percentages reported by show system resource-monitor fpc slot <> were not accurate. Earlier generations of FPCs used EDMEM only for NH/FW; later generations of FPCs can expand into DMEM. This PR takes into account these differences and ensures the NH/FW mem free % values are correct. PR1287592

  • When you see T3 with regard to hardware timestamps, and when you see T4 < T1 and T3-T2 because of NTP synchronization, those samples for any measurements (including round-trip time, ingress and egress jitter and delays) are not considered. However, they are reported under error statistics. In these cases, probes are received from the real-time performance monitoring server with correct timestamps and hence they are marked as successful probes. However, they are not used for any measurements. PR1300049

  • In AE interface scenario, the interface-mac-limit function might not take effect. PR1303293

  • When an auditd child process is terminated, the terminated child process still has a PID and an entry in the process table. When multiple defunct processes remain, the system reaches a processes ceiling and the following messages are logged:

    Message from user@router at Jan 5 10:01:11.497 ... router jlaunchd: System reaching processes ceiling low watermark: Contact to system administrator to clean up unnecessary processes or increase maxproc ceiling.

    Message from user@router at Jan 5 10:12:15.016 ... router jlaunchd: System reaching processes ceiling high watermark: Contact to system administrator to clean up unnecessary processes or increase maxproc ceiling. Further process fork request may be denied.

    Message from user@router at Jan 5 10:13:15.332 ... router jlaunchd: System reaching processes ceiling critical watermark: Contact to system administrator to clean up unnecessary processes or increase maxproc ceiling. Further non-suid process fork request will be denied.

    Message from user@router at Jan 5 10:14:56.013 ... router jlaunchd: System processes overflow: Recovered system by killing malefactor processes. Contact system administrator to verify the system state.

    user@router> restart audit-process

    PR1305964

  • On MX Series platforms, RSMON (resource monitor) thread might be stuck in a loop consuming 100 percentage of FPC CPU due to a race condition. PR1305994

  • Service cookie opaque data is reset incorrectly, leading to corruption of data sent to the service PIC. This issue might occur after the fix of PR 1302493. PR1310904

  • The MPC might crash due to CPU hogging after the chip fails to initialize. PR1312286

  • Every load override increases the refcount by 1, and after the refcount reaches its maximum value (65,535), an mgd crash is observed and the session is killed. However, new sessions are not impacted. PR1313158

  • This PR addresses the ICMP error messages in the Packet Forwarding Engine and is forwarded to the correct PIC in the AMS bundle. PR1313668

  • For an interface on an LU-chip based MPC, when transmit-rate is configured with option rate-limit, the LU chip applies a hard policer (Rate-limiter) to the queue. Configuring a very small 'temporal' buffer could then result in a burst-size of one MTU being set for the LU Rate-limiter of that queue. This one-MTU burst-size is not enough to handle packets packed by LU and leads to packet drops. PR1317385

  • In the MoFRR scenario, if core-facing links flap, multicast traffic being forwarded from both links might be seen. This will lead to double multicast traffic. PR1318129

  • The default severity of the correctable ECC errors on MX Series routers with MPC2E NG Q, MPC3E NG Q, or MPC5E has been changed from Fatal to Major. This helps in avoiding instances of line card restart caused by Fatal errors, thereby preventing any potential operational impacts for users. PR1320585

  • On MX Series routers with MPC3/4, when fabric header protection feature is enabled, the DRD parcel timeout errors might be seen. PR1320874

  • Starting with Junos OS Release 14.2R1, no-propagate-ttl might not take effect if chained-composite-next-hop ingress l3vpn extended-space is configured. The time-to-live (TTL) value is still copied from the IP header to MPLS labels in the stack even though no-propagate-ttl is configured. PR1323160

  • On a multichassis system (TX Series, TXP Series, and T1600 TXP-LCC-3D SIB) with four LCCs, if more than 8 100G FPCs are configured with non-default forwarding-mode, the SFC’s chassisd will bounce the PIC on LCC0-FPC0 at every chassisd Series configuration change commit. PR1324745

  • The MAC might not be learned on MX Series Trio-based cards due to the negative value of the bridge MAC table limit counter. PR1327723

  • When the label-switching router (LSR) works on MX Series routers with MPCs/MICs platforms or vMX and the LSR carries MPLS pseudowire (such as l2circuit [LDP based]/l2vpn [BGP based]/VPLS) traffic, the packet might get dropped if the MPLS pseudowire payload does not have a control word and its destination MAC starts with '4' or '6'. PR1327724

  • On MX Series platforms with MPC7E/8E/9E card, when the Logical Tunnel (LT) interface with both encapsulation ethernet-ccc and hierarchical-scheduler configuration is hosted on MPC card, traffic loss might be observed on LT interface. PR1328371

  • On MX10003, MX150, MX204, MX240/480/960 with RE-S-X6-64G, MX2010/MX2020 with REMX2K-X8-64G, PTX1000, PTX10008, PTX10016, QFX10000, QFX5200, SRX1500, SRX4100, SRX4200 platforms: Execution is denied when running automation script stored in Junos automation folder(/var/db/scripts) or directory 'jet' is missing under /var/db/scripts causing error: Invalid directory: No such file or directory error during commit. PR1328570

  • The libpcap format did not have support for ps and lt interfaces for Junos OS Release 16.2 and earlier branches. For Junos OS Release 17.1 and later releases, libpcap did not have support for lt interfaces. PR1329665

  • If the response is not received from the RPM server, pingResultsMinRtt, pingResultsMaxRtt, pingResultsAverageRtt, and pingProbeHistoryResponse are marked as "1" instead of "0". This defective value was set while converting microseconds to milliseconds. Through this fix, when 0 < RTT <= 1 millisecond, it is displayed as "1" in SNMP queries, and if there is no response, it is marked as "0" according to RFC 2925. PR1333320

  • In the scenario where the device has ECMP paths and P2MP enabled, rpd might not send all the address family information with next hop types UNICAST/UNILIST during network churn, which leads Packet Forwarding Engines to be in a race condition and have the different view of UNILIST load-balance selectors for P2MP traffic flows. This causes different Packet Forwarding Engines to select the different outgoing interface and the traffic loss might be observed if the outgoing interface is not the local on the egress Packet Forwarding Engine for the corresponding traffic flow. PR1335302

  • With a commit script configured, the commit might fail after continuous commits. PR1335349

  • If an MPC7/8/9 is used on the router, the MPC might crash after setting max-queues (CLI command set chassis fpc x max-queues y) to a very large number (for example, 256K/512K/1M). The issue can be avoided by setting the max-queues to a small number (for example, equal to or smaller than 128K). PR1338845

  • The Packet Forwarding Engine route might get corrupted after an interface flap on the member links of an AE with connectivity fault management configured, leading to packets being silently dropped or discarded. PR1338854

  • When using 17.3R2-S2, while downgrading PTX from a later release, the router goes into amnesiac state. This issue is not seen upgrading from Junos OS Release 17.3R2. Steps to recover from amnesiac state:

    1. Log in to the console.

    2. 'rm -rf /var/db/scripts/translation/openconfig-*; mgd -I'. PR1338850

  • The Packet Forwarding Engine route might get corrupted after a few attempts of deactivation/activation of the CFM feature list, either through an interface flap or a restart of the FPC hosting the member links of an AE with connectivity fault management configured, leading to packets being silently dropped or discarded. PR1342881

  • IPv4 GPRS traffic over an AE interface might be affected if enhanced hash key gtp-tunnel-endpoint-identifier is configured. PR1347435

  • Packet Forwarding Engine (PFE) does not remove the vlan tag of the host generated outgoing packet if the outgoing interface is an untagged encapsulated LT (Logical Tunnel) interface. PR1348840

  • On the MS-MPC or MS-MIC, if IPv4 packets with DF flag set and IPv6 packets exceed the MTU of the interface ms, these packets will be discarded without expected feedback ICMP control messages. PR1349503

  • On MX platforms with Virtual Extensible LAN (VXLAN) configuration, the Flexible PIC Concentrator (FPC) would crash due to the memory leak caused by the Virtual Tunnel End Point (VTEP) traffic. PR1356279

  • The RMOPD daemon on the Routing Engine is subscribed to interface and next-hop update events from the kernel, even when RPM/TWAMP, which uses this daemon, is not configured. In case of network churn and many interface flaps, RMOPD becomes the slowest consumer of IFSTATES, thereby affecting the KRT queue and other processes. As a fix, the subscription of RMOPD to IFSTATES from the kernel is changed so that RMOPD gets notifications only when RPM/TWAMP is configured. PR1357707

Routing Policy and Firewall Filters

  • On all Junos routers with vrf-target auto configured under routing-instance, the rpd might crash after an unrelated configuration change. PR1301721

  • If Border Gateway Protocol (BGP) import policy is configured with a policy expression, the configuration might not be evaluated after the policy expression is changed later. PR1317132

  • If any of the policies (ssm-map-policy, group-policy, or oif-map) is changed under an IGMP interface, committing the configuration might fail. This is because of a deficient method for computing the total number of policy characters under an IGMP interface, which causes the calculation result to exceed the limit. PR1327075

  • If there is an access-internal route in a routing instance and this route needs to be leaked to another routing instance, the leak might fail when "from instance" is configured in the policy. The leak can be successful when the term "from instance" is removed from the policy. PR1339689

Routing Protocols

  • IS-IS "last transition timer" will be reset after the Routing Engine boots up or unified ISSU with NSR is enabled. PR290900

  • The rpd might crash when running rpd for a long time (such as two years without restart). PR1092009

  • In rare cases, multicast forwarding in Any-Source Multicast (ASM) mode might be interrupted during unified ISSU. The traffic forwarding might be affected. PR1146621

  • When LDP is deactivated, in a rare case, the result of remote loop-free alternate (RLFA) might be computed to go through the deactivated LDP node. The situation recovers by itself in the next SPF calculation. PR1202392

  • The display of BGP extended communities in commands such as show route, and indirectly as presented to the policy engine, may have been incorrect in some circumstances. For example, an extended community with the second octet with a value of "4", regardless of the contents of the first octet, would have been displayed incorrectly as a link-bandwidth extended community. This PR addresses a number of such display issues. See RFC 4360 for information on the BGP Extended Communities feature. See http://www.iana.org/assignments/bgp-extended-communities/bgp-extended-communities.xhtml for registered BGP extended communities. PR1216696

  • When the policy with damping is applied on BGP, the rpd might crash after activating or deactivating BGP, which can result in protocol flap or traffic drop. PR1272202

  • In a BGP configuration scenario, the following log entry might be seen in the message logs under normal operation and should be ignored: rpd[11156]: %DAEMON-3: bgp_rt_send_msg_attr: too big attributes: avail 123. PR1276758

  • Killing or restarting the BFD daemon on the PE router causes an issue with next-generation MVPN and l2vpn route exchange that results in traffic drop. PR1278153

  • When the BGP Prefix-Independent Convergence (BGP PIC) feature is configured, a backup path might be installed in the forwarding table as an active path and routing loops might be seen. PR1282520

  • For BGP peers configured in a BGP group, due to a certain condition caused by BGP session flapping, the BGP sender might fail to advertise route updates to its peers in the group after the BGP sessions are reestablished. PR1282531

  • Starting in Junos OS Release 16.1 (where BGP I/O has been multithreaded), some of the BGP-related traceoptions flag settings do not go into effect immediately after the configuration commit. The changes are reflected after the BGP session flaps. PR1285890

  • The rpd might crash after loading merge and rolling back a configuration with BGP traceoption. PR1288558

  • Multicast flow interruption might be observed on a transit router in a Protocol-Independent Multicast scenario such as the following: (*,G) join is received on one interface, and (*,G) join and (S,G,RPT) prune are received on another interface, which then receives a (*,G) prune. Multicast flows on the first interface get reset and are interrupted for a short period of time (for example, 1 second). PR1293900

  • If logical-system is configured on a router that runs Link Management Protocol, lmpd crashes repeatedly a few times and the daemon process then stops restarting. As a result, link management completely stops functioning and the CLI responds to any show link-management command with the message the link-management subsystem is not running:

    user@router> show link-management
    error: the link-management subsystem is not running

    You will also see the message link-management is thrashing, not restarted in the syslog. PR1294166

  • The routing protocol process (rpd) might restart unexpectedly when configuring rib-groups and routing-instances with static routes in a certain order. PR1298262

  • MSDP sessions might flap because data replication gets stuck between the backup and master Routing Engines with a huge SA burst between peers. PR1298609

  • The rpd might crash due to a malformed Border Gateway Protocol (BGP) UPDATE packet (CVE-2018-0020). Refer to https://kb.juniper.net/JSA10848 for more information. PR1299199

  • With BGP Prefix-Independent Convergence (PIC) enabled, the routing protocol process (rpd) might crash, generating a core file while deleting a multipath route. PR1302395

  • The BGP session might be stuck in 'Established' state without 'SYNC' flag being set when advertising large-scale routes through the BGP session. PR1302426

  • The mcsnoopd process is generating a core file in this scenario. When mcsnoopd tries to terminate gracefully, it tries to clean up all the resources it has used. The task infrastructure waits for 10 minutes for the cleanup to happen. If the KRT task cleanup does not happen properly within 10 minutes, mcsnoopd generates a core file. PR1305239

  • BGP traceoption logs are still written after BGP traceoptions are deactivated. This BGP trace logging issue might affect Routing Engine CPU utilization. PR1307690

  • If a static route is configured with the qualified-next-hop and resolve options, and its egress interface is over a numbered interface, the next hop of the route might not be resolved successfully. PR1308800

  • With NSR and BGP configured, if the connection between the master Routing Engine and the backup Routing Engine keeps flapping, it might result in the main rpd thread sending multiple read request messages. If that happens, the BGP I/O read request queue might become full, which might lead to BGP session flapping. PR1311224

  • In an IS-IS and IPv6 scenario, rpd might crash when the neighbor router restarts and causes route churn. PR1312325

  • BGP route age was getting reset when the secondary path went down with BGP PIC enabled. PR1312538

  • IS-IS SPF gets triggered by LSP updates containing changes in reservable bandwidth in traffic engineering extensions. PR1313147

  • Routing protocol daemon (rpd) might crash and generate core files in a distributed IGMP environment. PR1314679

  • Some BGP configurations that include 'out-delay' might trigger rpd to use all available CPU. This task is low priority and therefore should not significantly degrade the performance in spite of the high CPU usage, especially in multi-CPU Routing Engines. It is not possible to distinguish between actual high CPU usage and busy work. PR1315066

  • On a chassis with BMP configured, if the rpd termination timeout occurs while the BMP main task has failed to terminate and delete itself (seen when rpd is gracefully terminated), the rpd might crash. PR1315798

  • When Junos OS interworks with other vendors' devices, the primary path of an MPLS LSP might switch to another address even though it was strictly configured for the primary path. PR1316861

  • In some circumstances, a route from a BGP peer in a VRF might have an incorrect multipath attribute. PR1317623

  • When two route-reflector (RR) routers use PIC (protect core) to protect each other's BGP-LU (labeled-unicast) LSP, endless label oscillation might be seen. PR1318093

  • An unintentional message might arise when restarting or switching over the Routing Engine. This message is harmless and can be ignored. PR1318458

  • On a busy system, when the IS-IS interface metric configuration is changed for ECMP links, IS-IS might choose a suboptimal path instead of the best path. The issue clears itself if a full LSP (Link State PDU) regeneration (for example, an LSP refresh is triggered because of an aged LSP or to clear the IS-IS database) happens. PR1319338

  • When BGP graceful-restart (GR) is enabled and the direct interface flaps, traffic might get blackholed until the routes are flushed. PR1319631

  • An rpd crash might happen when deactivating a static route if the next-hop interface is a point-to-point (P2P) type; for example, ip- or gr-. PR1323601

  • In a Layer 3 Virtual Private Network (L3VPN) scenario with maximum-prefixes and vrf-import/vrf-export configured, when the limit for maximum-prefixes is reached, increasing maximum-prefixes might not take effect. The reason is that if vrf-import/export policies are present, Junos OS does not reapply the import policy in this situation. Making some configuration changes to import policy could solve this issue and install the prefixes to the L3VPN routing table. PR1323765

  • When route target filtering (RTF) is configured for VPN routes and multiple BGP sessions flap, there is a slight chance that some of the peers might not be able to receive the VPN routes after the flapped sessions come up. PR1325481

  • Multiple next hops might not be installed for an internal BGP (IBGP) route received from a multipath-enabled peer when an active IBGP route from a non-multipath-enabled peer is changed to a new active route from a multipath-enabled peer due to an interior gateway protocol (IGP) route update. PR1327904

  • OpenSSL Security Advisory [07 Dec 2017]. Refer to https://kb.juniper.net/JSA10851 for more information. PR1328891

  • With BGP/LDP/IS-IS configurations, deleted IS-IS routes might still be present in the RIB. The PR does not affect or have any impact on route selection or other functionality of rpd. However, the deleted IS-IS routes do not get removed with specific configurations. PR1329013

  • If nonstop active routing (NSR) is configured, after a Border Gateway Protocol (BGP) peer is deleted, the peer is not removed from the BGP import evaluation list on the backup Routing Engine (RE). When the import evaluation background job is scheduled, it would access this freed BGP peer and the rpd would crash on the backup Routing Engine. This is a day-1 timing issue. PR1329932

  • When a backup selection policy is configured for LFA and remote LFA, and the protection path/neighbor is rejected by the backup selection policy, this might result in a missing route in inet.3. PR1333198

  • Due to PR1282672, a flag needed to update BGP about a change was reset, leading to no further updates when the underlying LSP next hop changes. A dead next-hop type for an interface that has flapped (or the FPC reset) might be observed. This only impacts the cloned route (S=0). PR1333570

  • From Junos OS Release 15.1 onwards, IGMP joins are not processed with the passive allow-receive command configured on the IGMP interface. In releases earlier than Junos OS Release 15.1, IGMP joins were processed and accepted with a passive allow-receive configuration. However, even in releases earlier than Junos OS Release 15.1, no timer was started to send the query, so after the configured time (the default configured time is 260 seconds), the multicast groups joined through IGMP join were deleted. PR1334913

  • In a BGP environment, BGP sessions get stuck in active state after the remote Cisco router is restarted or updated. PR1335319

  • Starting in Junos OS Release 16.1R1, there might be a mismatch in the length of the BGP update message between the BGP main thread and the I/O thread when receiving BGP updates. If this issue happens, an rpd crash might be seen. PR1341336

  • Two new fields have been introduced to the show route ... extensive command: Effective AIGP and Effective metric. Those fields are in addition to the two related existing fields, "AIGP" and "Resolving AIGP". After the addition of the new fields, the meanings of the fields are as follows:

    AIGP: The received accumulated IGP (AIGP) attribute learned from the BGP route, if present.

    Effective AIGP: The sum of the received AIGP plus the IGP metric for the route's next hop.

    Resolving AIGP: The AIGP of a BGP route used to resolve a given route.

    Effective metric: The metric of a route plus the resolving AIGP, if applicable. PR1342139

  • On all platforms, with BGP and BFD configured on the local and peer devices, when receiving BFD-down on a local device, a traffic black hole might occur. PR1342328

  • In a multicast environment with the join-load-balance knob enabled, if a reverse-path forwarding (RPF) change happens on equal-cost multipath (ECMP) upstream interfaces and no multicast traffic comes from the new RPF path (active path) for 6 seconds, rebalancing happens for all the (S,G) because of the join-load-balance knob and a new standby path is chosen. The multicast traffic is not forwarded for the duration of the prune delay timer (210s). PR1345156

  • In a PIM (Protocol-Independent Multicast) scenario, if a static route for RPF (reverse-path forwarding) uses a qualified-next-hop as the outbound interface, the rpd (routing protocol process) might crash, resulting in routing protocol disruption. PR1348550

  • PR1216696 added additional checking on the 'type' field of each extended community. Currently, com_dump_iana_ext_com() checks for a 0x00 leading value for the SRC-AS extended community, which corresponds to the Transitive Two-Octet AS-Specific Extended Community Sub-Types. However, a value of 0x02 is valid for Transitive Four-Octet AS-Specific Extended Community Sub-Types, so the check must also allow 0x02 as a leading value. PR1353210
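
The decoding rule behind PR1216696 and PR1353210 in the list above, as an added Python example (not Junos code and not taken from these release notes): a community is classified on its first and second octets together, and the source-AS sub-type is accepted under both the two-octet and four-octet AS-specific types. The function names, output labels, and sample communities are constructed for illustration; the type and sub-type values come from the IANA registry linked in the PR1216696 entry.

```python
import math
import struct

# First octet (type), per RFC 4360 / RFC 5668 and the IANA registry.
TWO_OCTET_AS = 0x00      # Transitive Two-Octet AS-Specific
FOUR_OCTET_AS = 0x02     # Transitive Four-Octet AS-Specific
NT_TWO_OCTET_AS = 0x40   # Non-Transitive Two-Octet AS-Specific

# Second octet (sub-type). Only the values needed here, not a full table.
SUB_ROUTE_TARGET = 0x02
SUB_LINK_BANDWIDTH = 0x04
SUB_SOURCE_AS = 0x09

# Value layout depends on the TYPE: 2-octet AS + 4-octet local field,
# or 4-octet AS + 2-octet local field.
AS_SPECIFIC_LAYOUT = {TWO_OCTET_AS: "!HI", FOUR_OCTET_AS: "!IH"}
# Labels are illustrative (an assumption), keyed by sub-type.
AS_SPECIFIC_LABELS = {SUB_ROUTE_TARGET: "target", SUB_SOURCE_AS: "src-as"}


def decode(raw: bytes) -> str:
    """Classify an 8-octet extended community on (type, sub-type) together."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    etype, subtype, value = raw[0], raw[1], raw[2:]

    # Link bandwidth exists only under the non-transitive two-octet AS type.
    if etype == NT_TWO_OCTET_AS and subtype == SUB_LINK_BANDWIDTH:
        asn, bw = struct.unpack("!Hf", value)  # IEEE float, bytes per second
        if not math.isfinite(bw) or bw < 0:
            return f"bandwidth:{asn}:invalid"
        return f"bandwidth:{asn}:{int(bw)}"

    # Source AS / route target: valid under leading octet 0x00 AND 0x02.
    layout = AS_SPECIFIC_LAYOUT.get(etype)
    label = AS_SPECIFIC_LABELS.get(subtype)
    if layout and label:
        asn, local = struct.unpack(layout, value)
        return f"{label}:{asn}:{local}"

    # Anything not recognised is shown raw rather than guessed at.
    return f"unknown:{raw.hex()}"


def decode_by_subtype_only(raw: bytes) -> str:
    """The flawed behaviour described in PR1216696: first octet ignored."""
    if len(raw) == 8 and raw[1] == SUB_LINK_BANDWIDTH:
        asn, bw = struct.unpack("!Hf", raw[2:])
        return f"bandwidth:{asn}:{bw:g}"
    return decode(raw)


# Constructed sample communities (not captured from any device).
LINK_BW = struct.pack("!BBHf", NT_TWO_OCTET_AS, SUB_LINK_BANDWIDTH, 65000, 1250000.0)
SRC_AS_2 = struct.pack("!BBHI", TWO_OCTET_AS, SUB_SOURCE_AS, 65000, 0)
SRC_AS_4 = struct.pack("!BBIH", FOUR_OCTET_AS, SUB_SOURCE_AS, 4200000000, 0)
OTHER_4 = struct.pack("!BBIH", FOUR_OCTET_AS, 0x04, 4200000000, 7)

if __name__ == "__main__":
    for sample in (LINK_BW, SRC_AS_2, SRC_AS_4, OTHER_4):
        print(sample.hex(), "strict:", decode(sample),
              "| subtype-only:", decode_by_subtype_only(sample))
```
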

Services Applications

  • When a NAT pool is shared between PCP and standard NAT, the PCP mappings cannot be manually cleared. The PCP uses the lower port range of an address pool and then NAT uses the higher port range of the same address pool. PR1284261

  • In a Layer 2 Tunneling Protocol (L2TP) subscriber management scenario, the jl2tpd process might crash on the new master Routing Engine after GRES operation due to a rare timing issue. PR1295248

  • When an MX Series router works as an L2TP tunnel switch (LTS), LTS clients experience packet drop for large data packets. This occurs because the LTS fragments these large packets and forwards the corrupted packets to the adjacent router. The adjacent router drops these packets due to L3 incompleteness or checksum error. PR1312691

  • Remove nonzero check for dsl-type in ICRQ transmission. Dsl-type 0 is valid and should be transmitted in ICRQ. PR1313093

  • When using the command show services l2tp tunnel extensive, the Data Tx and Data Rx values might decrease when subscriber sessions go down after running for an extended time. PR1318133

  • When MS-DPC is used for services, MIB from OID jnxSvcsMibRoot and below are not valid. Hence, any SNMP request for these OIDs will fail to return data. This issue will be seen if the setup has only MS-DPC service cards. PR1318339

  • The L2TP tunnel switch (LTS) router might change the maximum receive unit (MRU) value from 1500 to 1492 while relaying to the L2TP network server (LNS). PR1319252

  • Stale L2TP routes might be seen when the L2TP peer uses any UDP port other than the default 1701. PR1322197

  • In an L2TP scenario in which an MX Series router functions as an LTS (L2TP Tunnel Switch), LTS clients might not receive the first few data packets from the LNS (L2TP Network Server) due to delayed programming of the subscriber route in the forwarding plane of the LTS. PR1325528

  • In an L2TP subscriber scenario, the jl2tpd might crash if the RADIUS server returns 32 tunnel-server-endpoints during the L2TP subscriber authentication. It will not affect the existing subscribers, but the subscribers that are being authenticated will be affected by it. PR1328792

  • Not all CSURQ messages are replied to if the number of sessions addressed in a CSURQ is more than about 107. PR1330150

  • Aborting (using Ctrl+C) two commands, using the same Management Socket Pointer, one after the other might result in a core file. PR1337406

  • In a CGNAT/stateful firewall scenario, the command show services stateful-firewall flows count might output an incorrect "Flow count" after a services-related configuration change is committed. This is a statistics issue. PR1338704

  • In MX Series routers with the enhanced subscriber management feature enabled, the bbe-smgd process might crash if the maximum number (65535) of Layer 2 Tunneling Protocol (L2TP) sessions are attempted over a single L2TP tunnel. This is caused by an overflow of a 16-bit internal variable. PR1346715

  • In IPv4 Encapsulating Security Payload (ESP) packets, the UDP checksum is set to 0 because the UDP checksum is not a mandatory field. When the MS-DPC does a NAT64 translation of such a packet, the UDP checksum inserted in the IPv6 packet is not correct. Because of this, the Internet Key Exchange Protocol Version 2 (IKEv2) VPN service with NAT-T running through NAT64 on MX Series routers with MS-DPC is not able to pass traffic after successful tunnel setup. PR1350375

  • The show services stateful-firewall flows counter shows negative numbers when the MS-DPC/MS-PIC (PB-MS-100-1/PB-MS-400-2/PB-MS-500-3) runs out of memory, after which a new flow is created. It is a cosmetic issue because the real flow number on the Packet Forwarding Engine level is still correct. PR1351295

  • If L2TP tunneled subscribers on LAC receive multiple L2TP endpoints from RADIUS, and one of the L2TP endpoints becomes unreachable from the LAC perspective after such subscribers are logged in, jl2tpd process might crash when those subscribers are logged out. PR1352716

Software Installation and Upgrade

  • New versions of Junos OS do not have the tool for accessing the auxiliary port - /usr/libexec/interposer. PR1329843

Subscriber Access Management

  • In a subscriber scenario with Extensible Subscriber Services Manager (ESSM) used, the test subscriber might get stuck in the "Init" state when executing the CLI command test aaa xxx to test the RADIUS authentication, authorization, and accounting (AAA) service. This is because there is some data format mismatch between the router and the RADIUS server (for example, incorrect format of nas_port_id). The issue can be recovered by restarting essmd. PR1311263

  • With a scaled number of subscribers logged in, if you clear subscribers with a Junos script or manually, memory leak might be seen. PR1312517

  • Service interim is missing for random users in a JSRC scenario. PR1315207

  • The unified ISSU is allowed to proceed when the account is suspended. PR1320038

  • When address-assignment pool linking is configured, IP address assignment might allocate IP addresses from later pools before the earlier pool is depleted. This is caused by the mechanism change for the IP assignment from the introduced release. PR1323829

  • The scenario of multiple RADIUS servers with different dynamic request ports is not supported. However, due to missing configuration constraint checks, customers might end up with a configuration in which different dynamic request ports seem to be configured for different RADIUS servers. Currently Junos OS reads the dynamic-request-port configuration set for the first RADIUS server and ignores the rest. In the event no dynamic-request-port command is configured, it defaults to port 3799. PR1330802

  • In a subscriber management scenario, when the JSRC (Juniper Networks Session and Resource Control) sync state is stuck in "FULL-SYNC in progress", subscribers might get stuck in the terminated state and not be cleared. PR1337729

VPNs

  • Starting from Junos OS 15.1F5, in a next-generation MVPN environment, when multicast production data stops, the VRF (S,G) entry and MVPN/BGP routes might persist, whereas they should be deleted. PR1236733

  • The L2circuit or the CE-facing interface might flap repeatedly and cause packets to be dropped if asynchronous-notification is configured on the PE. PR1282875

  • In a scenario where L2circuits are stitched via lt peer interfaces, the L2circuits might be stuck in "LD" (local site signaled down) status during chassis booting up, or after performing Routing Engine switchover without nonstop routing (NSR) and graceful Routing Engine switchover (GRES) configured, or after transport label-switched paths (LSPs) for the L2circuits went down simultaneously. PR1305873

  • While doing a Routing Engine switchover in NSR, the deletion of LDP label-related entries on the standby Routing Engine might not be handled correctly, which in certain timing scenarios triggers an rpd crash on the standby Routing Engine. PR1310934

  • Moving an MC-LAG interface from an LDP-based pseudowire to a BGP-based pseudowire in a single commit might cause rpd to crash. PR1325867

  • When a C-multicast route (Type 7 or Type 6) for inter-as non-segmented option C topology is sent with the Originator's IP address, the Junos OS source PE device does not accept this and hence the PIM join fails. PR1327439

  • In rare cases, the rpd on the backup Routing Engine might crash when ingress replication provider tunnels for next-generation MVPN are used. PR1328246

  • With NSR enabled and a Layer 2 circuit configured, an rpd crash might be observed on the backup Routing Engine when you change the Layer 2 circuit virtual-circuit-id and then commit the changes. PR1345949

Resolved Issues: 16.1R6

Forwarding and Sampling

  • When the FPCs are busy in high-churn scenarios, because the srrd thread in the Packet Forwarding Engine has low priority, CPU resources are insufficient to process the messages sent by the srrd process. Due to this, the queues for these busy FPCs pile up in srrd, eventually leading to a crash. PR1284918

  • The sampled process might crash if traceoptions are enabled. PR1289530

  • When the following example configuration is applied and the archive sites are not reachable, archiving of the accounting files might fail and the accounting data might eventually be missing:

    accounting-options {
        file reStats {
            files 96;
            transfer-interval 5;
            compress;
            backup-on-failure {
                master-only;
            }
            push-backup-to-master;
            archive-sites {
                "<remote-site>";
            }
        }
    }

    PR1300764

General Routing

  • On MX Series routers in a subscriber scenario, some PPPoE subscribers might get stuck in terminating state and might not get the IP address. PR1228774

  • In an L2BSA scaling scenario, after bringing up about 12,000 subscribers, one or more FPCs will reboot. PR1273353

  • After GRES, smid was thrashing and was not restarted after fatal SDB error. PR1288871

  • When you edit a dynamic profile (either a clean configuration by removing all the dynamic profiles or another small change on any of the dynamic profiles) on Junos OS Release 17.3, the following error messages are displayed:

    {master}[edit]
    regress@r56mx960wf# load override /var/tmp/baseline-config.conf
    load complete
    {master}[edit]
    regress@r56mx960wf# commit synchronize
    re0:
    configuration check succeeds
    re1:
    commit complete
    error: foreign reconfiguration failed

    PR1295446

  • After graceful switchover, the subscriber database might get stuck when it is not ready. The following CLI output will be seen:

    user@router> show subscribers
    Database status: The database is not yet ready.Please try after some time .

    PR1299940

  • On MX Series routers, if dynamic VLAN is used in a subscriber scenario, ksyncd might crash if subscribers log in and log out continuously. This is a timing issue due to the transient replication error for VLAN between master Routing Engine and backup Routing Engine. PR1161487

  • A stale VBF flow entry might be left after subscribers are migrated from one port to another, leading to the IP address being subsequently unusable on platforms running a Junos OS enhanced subscriber management release. A new hidden command can be used to free up the VBF flow and its associated objects. It should not be used unless guided by JTAC and the engineering team. PR1204369

  • In some rare scenarios, the remote VPLS PE router coming up might cause TCP keepalive timeouts on the local sockets between the master Routing Engine and the FPCs (for example, ppmd <-> PPManager connection).

    kernel: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration Local(0x80000001:6011) Foreign(0x80000015:36678)

    kernel: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration Local(0x80000001:6011) Foreign(0x80000012:25385)

    kernel: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration Local(0x80000001:6011) Foreign(0x80000013:5934).


    This problem is only observed if there are many FPCs installed in the chassis (for example, MX960 with 10 FPCs or more) and GRES is enabled. The problem is caused by a delay in packet processing on em0 interface (including the TCP keepalives from FPCs). PR1209308

  • On platforms with 64-bit X86 Routing Engine, if IPv6 is configured, then either IPv6 router advertisement or Multicast Listener Discovery (MLD) update might cause rpd to crash and generate a core file. PR1224376

  • On MX Series platforms with MPC2E-3D-NG, MPC2E-3D-NG-Q, MPC3E-3D-NG, and MPC3E-3D-NG-Q line cards, if the FPC-MIC link fails, the bridge might keep sending register messages in an infinite loop, which would cause continuous PCI exceptions; the MPC might crash and traffic forwarding might be affected. This is a rare issue and it is hard to reproduce. PR1231167

  • The "multicast-replication" setting cannot be reflected in the redundancy environment after rebooting both Routing Engines. PR1240524

  • On MX Series routers with high multiple spanning tree protocol (MSTP) scale, MSTP bridge protocol data unit (BPDU) packets might not be sent out. This might result in MSTP not converging. PR1247566

  • The CLI command show pfe statistics traffic displays 2^64 counter for packets output.

    show pfe statistics traffic fpc 5

    Packet Forwarding Engine traffic statistics:

    Input packets: 779912402 575 pps

    Output packets: 18446744073709551615 0 pps <<<<<<<

    Packet Forwarding Engine local traffic statistics:

    Local packets input : 1401882

    Local packets output : 924839

    Software input control plane drops : 0

    Software input high drops : 0

    Software input medium drops : 0

    Software input low drops : 0

    Software output drops : 0

    Hardware input drops : 0

    PR1253299

  • The CLI command show route provides an incorrect format of output displaying the next-hop information in the following format rather than displaying it on the next line: validation-state: unverified, > to 2001:7f8:4::272a:2 via xe-0/0/3.0 PR1254675

  • MIB walk for jnxFabricMIB displays DropBytes as nonzero despite DropPackets being 0. PR1257569

  • In rare cases, if the unicast reverse path forwarding (uRPF) is used, the rpd might crash and a core file might be generated during the next-hop change. PR1258472

  • Under some conditions, routing protocol process (rpd) might crash: evpn_mirror_mac_process_update_instance (evpn_mirror_mac=0x6dd5000, evpn_mirror_mac_key=0x7fffffffd0b0, action_code=<value optimized out>, rt_inst_name=<value optimized out>, bd_name=<value optimized out>. PR1258835

  • On MX Series platforms, specific MPC cards drop traffic when the late_cell counter is reported at 65,000 each polling interval or at very high values after the MPCs have a transient hardware error. PR1262868

  • The peer side of the TCP session of BGP violates the window given by Junos OS and sends more data because of an NSR day-one issue. That is, the backup TCP gets stuck and finally the hold time expires after GRES instead of dropping the packets. PR1264436

  • Because of transient hardware error conditions, only syslog events XMCHIP(x) FI: Cell underflow at the state stage - Stream 0, Count 65535 are reported, which is a sign of a fabric stream wedge. Additional traffic flow register pointers are validated and if stalled a new CMERROR alarm is raised: XMCHIP(x) FI: Cell underflow errors with reorder engine pointers stalled - Stream 0, late_cell_value 65535, max_rdr_ptr 0x6a9, reorder_ptr 0x2ae. PR1264656

  • A low-memory condition puts the service PIC into the Red Zone on the MS-MIC or MS-MPC card when the SIP ALG is used. This can cause SIP ALG to generate a core file. PR1268891

  • Link stays down after a flap on next-generation MPC cards with QSFP+-40G-CU1M. PR1275446

  • When SFP+ diagnostic information is being read out periodically, due to a misbehaving SFP+ or noise on the I2C bus, the SFP thread might start hogging, and the watchdog check restarts the MPC to recover. Enhancements to this handling prevent SFP+ thread hogging and MPC restarts. PR1277467

  • Multicast traffic when using iflsets in universal call admission control policy mode does not work as expected in certain use cases and bbe-smgd might generate a core file. PR1278543

  • After an MS-MPC-PIC goes offline/online or gets bounced (because of an AMS configuration change), the PIC can sometimes take approximately 400 seconds to come up. PR1280336

  • The high voltage alarm might not be cleared when voltage level comes back to normal for MIC on MPC7/8/9. PR1280558

  • Service-accounting-deferred for L2BSA subscriber ingress firewall filter does not include non-IP traffic statistics. PR1281201

  • Dynamic logical interfaces (mt, vt, and gr) are used by multiple applications (PIM and GRE). This PR fixes the change operation handling for dynamic logical interfaces. PR1282854

  • Unified ISSU is not supported from Junos OS Release 15.1 or later, because the source release includes one or more BBE features such as logical interface (IFL) options, CoS fragmentation map, MLPPP, advisory options, advanced services, and multicast distribution. PR1286507

  • DDoS culprit flows are not reported by the CLI or during login to an MX Series router with a single Packet Forwarding Engine. PR1286521

  • After the first GRES, a BBE_SMD_MSG_GET_PSEUDO_IFL_FAIL error is displayed on the new backup. This error can cause some routes on the backup Routing Engine to be created with a null NH. PR1286849

  • After renaming an L2 routing instance, A10NSP interfaces attached to the old routing interface do not get moved to the new routing instance. PR1287070

  • LTS functionality is not working on Junos OS Release 16.1R4-S2 if rewrite-rule configuration is applied to the dynamic profile. PR1287788

  • SNMP query for IF-MIB::ifOutQLen reports Wrong Type should be Gauge32 or Unsigned32 for a dynamic VLAN DEMUX0 interface. PR1287852

  • The services-oids-ev-policy.slax and services-oids.slax files built into the Junos OS image are not the latest versions. PR1287894

  • During a unified ISSU, a micro BFD flap might be seen. PR1288433

  • The smg-service process might generate core files in the backup Routing Engine with a distributed IGMP configuration. When a subscriber logs in with multiple service activation, the multicast service activates successfully but the login is aborted for other reasons. The backup Routing Engine, which is in the midst of replicating the multicast state, has to abort the login and there is a problem in this cleanup code. PR1288465

  • In MX Series routers with Virtual Chassis mode, if the configuration statement heartbeat is enabled, kernel "rtdata" memory might leak and rtdata memory usage might reach high rate (for example, more than 2 GB). This might affect the performance of the device. PR1289363

  • In a Broadband Edge (BBE) subscriber environment, the flexible PIC concentrator (FPC) heap usage might get high (for example, more than 70%) with very limited subscribers. This will affect the performance of FPC. PR1289365

  • On MX Series platforms, in L2BSA (Layer 2 wholesale services) subscriber management environment, after performing GRES, the interfaces might go down because they are not found within the corresponding window by chassisd. The probability of this issue is low as it is specific to Junos OS 15.1 prior releases (excluding 15.1) and does not occur with scaled configurations. PR1289493

  • When an IGMP protocol is enabled, there can be a leak of 56 bytes in BBE-SMGD process for every subscriber logout that has joined any multicast group during the session. PR1290918

  • L2TP ICCN fast retransmission occurs after tunnels go down. PR1291557

  • The bbe-smgd process might crash and subscribers might get stuck when a large group of different types of subscribers log in or log out. PR1291969

  • An error in vbf_filter_add_orphan_check might be seen when the subscribers using filters log out or log in. PR1292582

  • An error message might be seen while bringing up the subscriber in a subscriber management environment. PR1293057

  • With route-suppression access-internal configuration statement enabled, all transient downlink packets are punted to the Routing Engine with VBF resolve exception code. Note that traffic will hit firewall lo0 filter if it exists. After being punted to Routing Engine, packets are forwarded to subscribers toward the downlink. PR1293505

  • Junos OS releases with a fix committed in Junos OS Releases 15.1R5-S4, 16.1R4-S3, 16.1R5, and 17.3R1 with XM-based line cards (MPC3E/4E/5E/6E/2E-NG/3E-NG) might report DDR3 TEMP ALARM chassisd error log message. PR1293543

  • CPCD process generates a core file using Routing Engine-based http-redirect. PR1293553

  • The show extensible-subscriber-services sessions command is reporting the timestamp increased by 1 hour after a unified ISSU that might even be in the future (see the following output). Expected behavior: Timestamps should be the same after a unified ISSU.

    Before the unified ISSU starts:

    show extensible-subscriber-services sessions | match Time
    Timestamp: Wed Jul 12 10:04:57 2017
    Timestamp: Wed Jul 12 10:04:57 2017
    Timestamp: Wed Jul 12 10:04:57 2017
    Timestamp: Wed Jul 12 10:04:57 2017
    Timestamp: Wed Jul 12 10:04:57 2017

    After ISSU completed:

    show extensible-subscriber-services sessions | match Time
    Timestamp: Wed Jul 12 11:04:57 2017
    Timestamp: Wed Jul 12 11:04:57 2017
    Timestamp: Wed Jul 12 11:04:57 2017
    Timestamp: Wed Jul 12 11:04:57 2017
    Timestamp: Wed Jul 12 11:04:57 2017

    PR1293800

  • The smg-service daemon might create a core file on service activation or deactivation for subscribers enabled for distributed IGMP along with smg-service daemon restart on the master Routing Engine or after a Routing Engine switchover. PR1295938

  • The kernel might crash during recursive lookup in firewall filter. PR1296884

  • A memory leak is seen when set protocols mld XXX stanza is changed and committed. PR1297454

  • Multiple bbe-smgd core files are seen during a subscriber binding configuration with DT CST with as little as 200-300 subscribers and continual core files while scaling. Maximum scale cannot be achieved with multicast-enabled subscribers (related to IPTV profile). PR1297612

  • During InFlight Daemon Kill test, routing protocol process (rpd) creates a core file with PPPoE and L2BSA flapping.

    user@host> show subscribers summary, subscribers by the state
    Init: 3
    Configured: 2
    Active: 51002
    Terminating: 5
    Terminated: 1
    Total: 51013

    Subscribers by Client Type
    DHCP: 12031
    VLAN: 17333
    VLAN-OOB: 2376
    PPPoE: 17273
    ESSM: 2000
    Total: 51013

    PR1298587

  • In a subscriber scenario, the bbe-smgd process might crash when traceoptions are enabled due to an invalid username that contains a format specifier (for example, the character "%") that cannot be successfully handled by the traceoption process. PR1298667

  • With distributed IGMP login or logout, following a Routing Engine switchover, the new master Routing Engine might generate a core file. If the distributed IGMP logs out, the old master Routing Engine triggers the logout process event in the new master Routing Engine after the switchover. PR1298742

  • MX Series BNG does not respond to PADI after GRES on some ports/VLANs. PR1298890

  • Flat accounting files are not generated according to the configured timers. PR1299597

  • After IS-IS-TE routes and BGP routes attribute change, traffic loss might be seen because BGP routes point to some stale labels. PR1300425

  • In Junos Telemetry Interface, the error message error: the SDN-Telemetry subsystem is not responding to management requests occurs when you execute the CLI command show agent sensors. If traceoptions are enabled for services analytics, agentd core files might get generated. PR1300829

  • The MTU configuration under family inet could affect the MTU size of MPLS packet. PR1302256

  • Incorrect MTU might be seen on PPP interfaces when PPP MTU is not defined in dynamic profile. PR1303175

  • The list of available routing instances is not available when the command show subscribers routing-instance is issued. PR1303199

  • If OOB-VLAN connection is in pending state, PPPoE or DHCP cannot initiate VLAN auto-sensing. Thus, PPPoE or DHCP subscribers are not able to connect to the same VLAN. PR1303338

  • MX Series router with MIB polling returns a value which has "sdg". Polling result should include 'svc' generic value. PR1303848

  • Effective rate of E3 in framed mode is limited to 30 Mbps on certain channelized MICs. PR1304344

  • RPF check strict mode is causing traffic drop in next-generation subscriber management release. Issue is triggered because of source lookup failing. PR1304696

  • Commit fails with error ffp_intf_ifd_hier_tagging_config_verify: Modified IFD "si-1/1/0" is in use by BBE subscriber, active L2TP LNS client. Commit failure is specific to having implicit-hierarchy defined on the si-interface. PR1304951

  • On inline J-Flow vMX platforms, the optical interface (OIF) field of VPLS data records sometimes reports SNMP index values of the LSI interface instead of the egress physical interface. PR1305411

  • MX Series routers send immediate-interim for the services pushed by SRC/RADIUS. PR1305425

  • With set system internet-options no-tcp-reset drop-all-tcp and NSR configured, you might see the following message repeatedly on the backup Routing Engine: "kernel: %KERN-5: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration". There is no service impact from the condition that causes the message. PR1305729

  • L2BSA subscriber’s connection attempts failed with VLAN profile-request-error after carrying out the following configuration changes:

    1. Rename the relevant l2 routing instance.

    2. Rollback the configuration change and try to connect L2BSA subscribers. PR1305962

  • L2BSA subscribers came up, but no new ANCP session got established during the RADIUS disaster backup procedure. PR1306872

  • Smihelperd generates a core file when SNMP is polling for JUNIPER-SUBSCRIBER-MIB::jnxSubscriberGeneral.7.0. PR1306966

  • License is lost during Routing Engine switchover in scale-subscriber scenario. PR1308620

  • Error message %PFE-3: fpc0 vbf_var_iflset_add:633: vbf container 11 not found in the msg for ifl .demux.6514 is often seen after MPC restart. PR1309013

  • If the router has already established L2BSA sessions and graceful switchover occurs, the event timestamp field in the RADIUS Accounting-Stop packets for those subscribers will have incorrect values whenever they wish to terminate their sessions. PR1309212

Infrastructure

  • The show system users CLI command output displays more users than are actually using the router. PR1247546

  • The kernel might fail to finish all input or output before shutdown during updating, and the upgrade might not succeed, with the following reason: Could not find installation package. PR1298749

Interfaces and Chassis

  • VRRP mastership does not change even after the priority changes for certain VRRP groups. PR1242243

  • When configuring enhanced-sla-iterator for connectivity fault management (CFM) sessions, under performance monitoring, a race condition might occur, where the sla-iterator attempts to collect statistics on a maintenance endpoint (MEP) that is down. This triggers the iterator adjacency to be removed from the Packet Forwarding Engine, leading to the inability to provide any statistics on the sla-iterator-profiles configured. PR1244525

  • On MX Series routers with MPC7E/8E/9E line cards, the Packet Forwarding Engine crashes while fetching interface-statistics with extended-statistics enabled (CVE-2017-10611). Refer to https://kb.juniper.net/JSA10814 for more information. PR1247026

  • At a high logical interface scale, ifinfo process generates a core file on executing the command <show-interfaces> as part of request support information (RSI) procedure. PR1254189

  • With the affected release, if MPC is restarted followed by GRES, Jpppd process does not read the new service physical interface in a sequence. The new LNS subscriber login with this interface fails in jpppd process. PR1290562

  • The family inet shows as Not-configured after adding or deleting the loopback address. PR1294267

  • In a VRRP scenario, when a tracked interface or route goes down, the current priority changes at once, but the current master still keeps the mastership and sends an advertisement packet after the remaining advertise-interval has elapsed. Therefore, if the advertise-interval is configured with a high value, the mastership switchover is delayed for a long time and might lead to an adverse impact. PR1294417

Layer 2 Ethernet Services

  • On MX Series routers where the BNG is configured as a DHCPv6 local server for IPv6 prefix delegation alone, when a DHCPv6 client bound to an IA_PD prefix sends a request for an IA_NA prefix, the router responds with a REPLY message with STATUS_NO_ADDR_AVAIL, which is correct, but it also deletes the existing binding for the PD prefix, which is not an expected behavior. PR1286359

  • Under certain difficult to reproduce configuration change scenarios, a timing window is exposed that might result in a process to generate a core file. PR1288475

  • There is an enhancement to support IRB configured in VPLS over a GRE tunnel. Before the PR fix, ARP requests going out on the IRB interface were getting dropped in the IRB ttp output path with the message no l2 ifl because the packet was trying to get out on the GR interface, which does not have ifd_devoutput. PR1295519

  • MX Series router deployed as BNG for dual-stack DHCP/PPPoE subscriber management might eventually stop logging in new subscribers in case DHCP configuration is incorrect (for example, IPv6 address pool is defined too small), because of incorrect calculation of in-flight connections. PR1298976

Junos Fusion Provider Edge

  • The "show interfaces diagnostics optics satellite" command output is broken in Junos 16 and 17 releases. This PR fixes the output. PR1327876

Layer 2 Features

  • When an aggregated bundle exists in a Virtual Private LAN Services (VPLS) routing instance and then its member link is added to the same or different instance by mistake, this commit succeeds. This might cause 100 percent rpd utilization until the incorrect configuration gets corrected manually. Because rpd does not parse the interface configuration, it is not possible to fail the commit. Without the fix, rpd is trying to update the virtual circuit status of the interface in the kernel. This is not supported by the kernel because the interface is not VPLS enabled, and the kernel returns an error. The rpd keeps trying and causes high (nearly 100%) CPU utilization. PR1280979

  • On MX Series routers, when Virtual Private LAN Services (VPLS) is configured for a routing instance with local switching, and then if an integrated routing and bridging (IRB) interface is configured in the same instance, packets received on the IRB interface going out through the Virtual Tunnel (VT) interface or the Label-Switched Interface (LSI) get double tagged. PR1295991

  • After an LDP signaling flap, an LDP-VPLS pseudowire might remain stuck in NP state instead of coming up due to control word negotiation. This problem could happen if the local device is configured to prefer control word while the remote device does not support control word. When the pseudowire is attempting to re-establish, control word negotiation normally selects the required mode to ensure compatibility between the local and remote devices. In unusual circumstances, the negotiation can deadlock resulting in the pseudowire remaining in NP state until the operator takes corrective action. PR1354784

MPLS

  • The routing protocol process (rpd) might crash in the backup Routing Engine when LSP tunnels are present with an NSR configuration. PR1186292

  • The following log messages might be seen when you have an output firewall filter attached to the loopback interface: kernel: in_dfw_match: invalid IP version 1. This is caused by incorrect parsing of MPLS l2ckt ping packets. The logs are completely harmless, and they do not mean that any packets have been discarded. PR1288829

  • The routing protocol process generates a core file that is involved in an LDP egress route stitched to a BGP route through the LDP egress-policy configuration. PR1290789

  • In RSVP environment, the stale LSP might get created after Routing Engine switchover with nonstop routing (NSR) enabled. PR1292526

  • In scaling MPLS Label Switched Paths (LSP) scenario with Junos OS Release 16.1 and later releases, if the LSP path-change occurs frequently, it might result in the rpd crash that generates a core file. PR1295817

Network Management and Monitoring

  • jnxDomCurrentLaneTxLaser* SNMP MIBs are now supported for P3-15-U-QSFP28 PIC. PR1265412

  • The mib2d process logs an RLIMIT curr 1048576000 max 1048576000 message every time a commit is performed. This might confuse the operator to believe that the memory limit of 1 GB has been reached. PR1286025

  • If a logical interface (IFL) of loopback interface (lo0) is deleted, it will not be deleted in the ifStack tree. As a result, mib2d process crashes when polling the object identifier (OID) of ifStackStatus.0. PR1286351

  • On MX Series routers, the show arp no-resolve interface command displays unrelated static ARP entries. This is fixed so that the command displays the proper static ARP entries of the given interface. PR1299619

Platform and Infrastructure

  • All traffic will be silently discarded or dropped on the interface where forwarding-class-accounting enhanced feature is configured when forwarding-options hyper-mode is enabled in the system. This is because the combination of these two features is not supported. PR1198021

  • With commit script configured, the management process (mgd) might crash when you configure anything in the private configuration mode. The problem is specific to private configuration mode [edit private]. It is not seen in regular configuration mode [edit] and if there is no commit script configured. PR1244015

  • Due to the transient hardware events, fabric stream might report CPQ1: Queue underrun indication - Queue <q> continuously. For such events, all fabric traffic is queued for the Packet Forwarding Engine reporting the error, resulting in a high amount of fabric drops. PR1265385

  • In Junos OS, when a new line card or a service card comes online, the real-time performance monitoring (rpm) process might receive the following error message: GENCFG: op 9 (RPM Blob) failed; err 1 (Unknown). PR1266336

  • The real-time performance monitoring (RPM) loss percentage values for "overall tests" through SNMP might be incorrect. This is because the RPM probe loss percentage is stored as a 32-bit integer internally but the calculation can exceed a 32-bit boundary, which might lead to a rounding error. PR1272566

  • In a dual Routing Engines scenario, if one Routing Engine is running a release earlier than Junos OS Release 15.1 and the other Routing Engine is running Junos OS Release 15.1 or later, the command request routing-engine login other-routing-engine might require a password. The issue leads to the inability of transferring files between Routing Engines or performing a synchronized commit. PR1283430

  • If the admin-disabled interfaces are connected to noisy links or remote peer devices, there is a possibility of high CPU load on XM-chip based FPCs (for example, MPC3E/4E/5E/6E/2E-NG/3E-NG on MX Series) when the interfaces on that FPC are disabled by the administrator. As a result, there are continuous MAC fault log messages and/or high FPC interrupt CPU utilization (resulting from many MAC fault interrupts). PR1285673

  • This issue occurs on an MX Series router installed with both MS-DPC and data MPC cards, the network service is configured in enhanced-IP mode, and the ae interface is configured on the MPC card. If the member interfaces of the ae interface are under a different Packet Forwarding Engine, the outbound traffic from the ae interface might experience incorrect load-balancing. If the traffic is received from MS-DPC and exits from the ae interface on MPC, the egress traffic is transmitted to only one member interface of the ae interface instead of all. PR1287086

  • There is a Packet Forwarding Engine heap memory leak found in three routers with the PPPoE subscribers. PR1287870

  • A user permission issue generates the following log messages that are getting triggered when any non-superuser/non root user tries to log in to the router: // rend_dlinit: not a proper library: /usr/lib/render/libdcd-render.so: Cannot open "/usr/lib/render/libdcd-render.so" //. PR1289974

  • When RPM http-get feature is running, rmopd gets stuck at sbwait state if the HTTP agent does not respond properly. PR1292151

  • The broadband remote access server (BRAS) and carrier-grade NAT features running on the same MX Series router might trigger transient flow-control asserted by XLP MAC. PR1293232

  • On MX Series routers running the subscriber management feature, the scale-subscriber license might not be cleaned up after bulk subscribers logout. When it exceeds the license limitation and once the Routing Engine becomes the master, no new subscriber can be logged in. PR1294104

  • In a subscriber environment, the management process (mgd) might crash if an invalid subscriber logs in and GRES occurs at that moment. It does not affect the SSH/Telnet connection. PR1298205

  • When the total number of available CoS queues on MPC Type 1 or Type 2 with an enhanced queuing chip (QX chip) is limited with the chassis fpc max-queues configuration, some interfaces might start dropping all traffic as Tail-/RED-drops. PR1301717

  • On DPC (I-chip)-based platforms, with CoS configured, if the fixed classifier is configured explicitly (or through a wildcard) over both aggregated Ethernet interfaces and member links, and a DPC leg (or a bundle of DPC legs) is present in the aggregated Ethernet interface, the classifier might not be applied. PR1301723

  • MX Series MPC wedges (might silently drop and discard fabric and finally reboot the line card) when creating more than 4000 logical tunnel interfaces per Packet Forwarding Engine. PR1302075

  • The TWAMP Request-TW-Session message's Type-P Descriptor format is not RFC-compliant. This might cause interoperability issues with an RFC-compliant TWAMP server. PR1305752

Routing Protocols

  • A combination of next-hop-self, add-path, and per-prefix-label on a BGP label-unicast RR can cause the incorrect MPLS.0 routing or forwarding swap state to be installed. PR1238119

  • IPv6 bidirectional forwarding detection (BFD) sessions configured under IS-IS might not come up after IPv6 interfaces configured for BFD are up (either by FPC reboot, or MTU change or router restart). IPv6 BFD sessions might get stuck and might be seen as down from one side and not seen at all from the other side. This issue is not seen if duplicate-address detection is disabled under IPv6. Also, applying "commit full" might bring up IPv6 BFD sessions, but this will not help if interface goes down and then comes up again. PR1266211

  • When a route reflector is configured for optimal route reflection, it computes an IGP SPF tree on behalf of a specified primary node. However, the route reflector does not run this computation when the primary node is configured with IS-IS overload, resulting in no benefit of configuring the route reflector with optimal route reflection. PR1274802

  • After a Routing Engine switchover (GRES+GR), the default MDT failed to come up. This is also seen with a core-facing interface flap. PR1279459

  • In a BGP label-unicast protection scenario with the statement per-prefix-label configured, rpd might crash because of a certain chain of events. If a BGP route with the indirect next hop is received first and later another BGP route with the direct next hop (which has the same prefix as the route received earlier) is received, then the prefix is advertised at least on the group. PR1282672

  • In a PIM sparse mode scenario, the second multicast packet sent by a multicast source might be discarded on the RP router. The first packet and third packet onward can be honored by the RP router. This is a timing issue. PR1282848

  • BGP-RR sends full route updates to its RR clients when any interface with family-MPLS bounces because of a fiber cut or manual event, causing a high CPU spike. This is because of the process generating outbound soft-route-refresh to the network peers. The fix reevaluates the export-policy without forcing the soft-outbound-refresh. PR1291079

  • If the statement egress-te is configured for BGP and the BGP flaps, the rpd might crash. If the statement switchover-on-routing-crash and NSR are not enabled on the device, while rpd recovers, there is an unexpected routing protocol disruption. PR1295062

  • If LACP, link fault management (LFM), CFM, or STP is configured, the unified ISSU might take more time to complete and the MPC card might go offline. PR1298259

  • After performing GRES or NSR switchover and subsequent anchor FPC offline or restart, the inline-BFD on IRB interface stops working because of incorrect anchor FPC programming. The BFD session might remain down. PR1298369

  • When local-as x and alias are configured under a BGP group that has multiple BGP peers, the BGP might send an AS path to the peer that includes an incorrect AS number. This causes the BGP session to flap. PR1300333

  • With BGP prefix independent convergence (PIC) enabled, the routing protocol process (rpd) might crash, generating a core file while deleting a multipath route. PR1302395

  • When BGP family inet labeled-unicast protection is configured, a BGP bypass route might be installed in inet.2. At the same time, if inet.2 is used as the RPF table, the bypass route might be used to perform an RPF check, which will lead to RPF check failure. PR1310036

Services Applications

  • Incorrect message formatting is reported on MX Series routers used as LNS. PR1272471

  • Business services are activated and a Routing Engine switchover is performed. In this case, if you try to deactivate the business services (ESSM subscribers) by logging out the parent PPP session, the business services get stuck in a terminating state. Business services that have LI applied are stuck, and the services that do not have LI are logged out successfully. PR1280074

  • If the actual data rate upstream or the actual data rate downstream information about access line is provided through a vendor-specific tag during PPPoE discovery stage and the corresponding subscriber needs to be tunneled using the L2TP protocol, then the values in AVPs 129/130 of the incoming call request (ICRQ) message will not reflect that information. PR1286583

  • JL2TP process restart should be avoided. GRES followed by jl2tpd process restart results in the loss of subscribers. PR1293783

  • If some subscribers log in without "Tunnel-Client-Endpoint" from RADIUS, each subscriber session gets its own Layer 2 Tunneling Protocol (L2TP). PR1293927

  • A telemetry script running on the router starts an ephemeral jl2tpd process. This results in running jl2tpd with commit check. As ERA was getting initialized, this triggered creation of ERA log files. This was executed even for a commit check condition. The fix for this PR moves the file creation to the L2TP main process. PR1302270

Software Installation and Upgrade

  • When a router is running Junos OS software based on FreeBSD 10 and built before August 8th, 2017 with a Junos Selective Update (JSU) package, and if the router is rebooted, the JSU package will not be loaded properly. This means that such JSU package is no longer effective. As a result, the router is exposed to the issues that are fixed in the JSU. PR1298935

Subscriber Access Management

  • The DHCP subscriber might not get an IP address with the error of duplicate IP addr when the address pool utilization is tight. PR1274870

  • After the virtual chassis switchover, RADIUS-assigned addresses that do not belong to any configured pool are added to the pool incorrectly. PR1286609

  • An authd process generates a core file while terminating a large number of subscribers. PR1289215

  • When Online Charging System (OCS) charging service devices are used on MX Series routers, a few IPs might get stuck. PR1302509

  • Service interim for DHCP subscriber is not working in JSRC. PR1303553

  • The output of show network-access aaa accounting should contain access-profiles that are attached to LS:RI using set access-profile <profile-name>. As a result of fixing this issue, the output of show network-access aaa accounting might display additional entries of the access-profiles that were used for connected subscribers. This happens after GRES or authd restart. PR1304594

  • MX Series BNG reported incorrect Acct-Delay-Time in RADIUS accounting-on message after rebooting the MX Series BNG. The example is captured on the RADIUS side:

    rad_recv: Accounting-Request packet from host 172.30.145.76 port 51589, id=1, length=64
    Acct-Status-Type = Accounting-On
    Acct-Session-Id = "\000\000\000"
    Event-Timestamp = "Sep 18 2017 14:37:16 CEST"
    Acct-Delay-Time = 1505738235 <<<<<
    Acct-Authentic = RADIUS
    NAS-Identifier = "VALENS"
    NAS-Port-Type = Ethernet

    PR1308966

  • The unified ISSU is allowed to proceed when the account is suspended. PR1320038

Resolved Issues: 16.1R5

Class of Service (CoS)

  • If the hidden command show class-of-service queue-consumption is executed many times (for example, 100 times), in a rare condition, the cosd process might crash with a core file generated. The core files could be seen by executing the CLI command show system core-dumps. PR1066009

  • The show interfaces queue <if-name> command has three display options:

    • show interfaces queue <if-name> Displays queued/transmitted/dropped packets/bytes for all IFD children.

    • show interfaces queue <if-name> aggregate Displays queued/transmitted/dropped packets/bytes for all IFD children except for IFD RTP traffic.

    • show interfaces queue <if-name> remaining Displays queued/transmitted/dropped packets/bytes for IFD RTP traffic only.

    Note that unlike queued/transmitted/dropped counters, queues depth values cannot be aggregated. The following should be true for queues depth values:

    • show interfaces queue <if-name> Displays queues depth values for RTP queues.

    • show interfaces queue <if-name> aggregate Displays queues depth values for RTP queues.

    • show interfaces queue <if-name> remaining Displays queues depth values for RTP queues.

    The above logic is the same for physical interfaces, interface sets, and logical interface units. PR1226558

  • On MX Series and T Series routers with ingress and egress queueing enabled, input traffic-control-profile is configured, but no output traffic-control-profile on logical interfaces. After you activate/deactivate the CoS configuration, the cosd process might crash. PR1236866

  • A rounding-off issue was leading to a difference in commit behavior of values such as 79M and 79.1M. PR1252505

  • On T Series routers, the LSI statistics are not shown in aggregated Ethernet interface bundles and also the input statistics counter for aggregated Ethernet does not include MPLS traffic. PR1258003

  • A forwarding class might be missed in the output of show class-of-service scheduler-hierarchy interface <ifd>. This is purely a cosmetic issue: the hardware is still programmed correctly. PR1281523

Forwarding and Sampling

  • After a GRES switchover, the aggregated Ethernet interface might move to the "down" state, even though member interfaces are up. PR1233188

  • J-Flow version 9 cannot get TCP flag information from IPv6 fragment packets. However, it can get other information like src and dst ports information. It can get sampling information partially from the TCP header in IPv6 fragment packets. PR1239817

  • After executing the show firewall command, the dfwinfo: tvptest:dfwlib_owner_create tvp driven policer_byte_count support 0 message is seen in messages logs. PR1248134

  • J-Flow version 9 is sending the flows with the source-address inverted in the show firewall log. PR1249553

  • On MX Series routers, after GRES or a configuration change that leads to the Packet Forwarding Engine process (pfed) generating a core file and restarting, the routers might send 5 AcctInterim updates for every single session. PR1249770

  • In a subscriber management environment, size of statistics database (and corresponding size of /mfs partition) can be constantly increasing due to absence of statistics entry clean up for certain types of subscribers in few scenarios. This issue is likely to occur if VLAN-OOB subscribers are present, or if dynamic authenticated VLANs are removed due to expiration of session-timeout. PR1251756

  • In an MX Series subscriber management environment, the Layer 2 address learning daemon (l2ald) might crash during EVPL subscriber login and logout stress test. PR1258853

  • The accounting interim interval might be reset after performing graceful switchover and will not take into account the last interim accounting timing before the switchover. PR1261472

  • The final service stats are queried via the on-demand service statistics handling module of the pfed process. When the responses are returned from the Packet Forwarding Engine to the Routing Engine through pfed, they are mapped to the request via the request ID as well as location offset. When there is more than one filter configured for a BBE filter service session (out of IPV4, IPV6 IN, OUT filters), more than one request will be sent to the same location (Packet Forwarding Engine) with the same request ID. PR1262876

  • Whenever a Packet Forwarding Engine learned MAC address expires, the debug message no validate ifl index is displayed as an error message. PR1267684

  • There are different types of statistics requests sent from the Packet Forwarding Engine process (pfed) on the Routing Engine (RE) to the Packet Forwarding Engine. These requests are throttled by in-flight counters to avoid overloading a busy Packet Forwarding Engine. On a few error conditions these in-flight counters are not reverted back properly. This leads to failure of a few SNMP queries with the following syslog message even when the Packet Forwarding Engine is not busy: <Timestamp> <router-name> mib2d[15023]: SNMP_EVLIB_FAILURE: PFED ran out of transfer credits with PFE. Failed to get stats. ifl index: 0. PR1270686

  • With Routing Engine based sampling configured, it might be observed that the chassis stops exporting flow records after every 5-7 days. The sampling process has to be restarted to work again. PR1270723

  • Routing instances information of the physical interface is not showing in the flat accounting file when the interface is attached to the aggregate Ethernet interface. This behavior is seen when using flat file accounting for L2BSA subscribers. PR1275225

  • In some circumstances, traffic is still forwarded out of non-physical interfaces such as gr-/ae interfaces even after the non-physical interfaces are disabled. Once the MAC address ages out, the traffic stops. PR1277697

General Routing

  • A Temp Sensor Fail alarm might be seen while an AS-MCC PIC is coming up. This is because an incorrect value is being read from temperature sensors. PR1036412

  • In an IPsec load-balancing environment using MS-MPC cards, the ICMP request and ICMP reply can go through two different IPsec tunnels due to asymmetric routing; that is, ICMP request goes through one PIC, and ICMP reply goes through another PIC. Because of this, the ICMP reply will get dropped and never reach the other side of the IPsec tunnel. PR1059940

  • With L2TP subscribers, all FPCs except the card that hosts subscribers will report a log message "jnh_if_get_input_feature_list(9723): Could not find ifl state" after every subscriber's login attempt. PR1140527

  • On MX Series routers, if dynamic VLAN is used in a subscriber scenario, ksyncd might crash if subscribers log in and log out continuously. This is a timing issue due to the transient replication error for VLAN between master Routing Engine and backup Routing Engine. PR1161487

  • NAT64 service-set: Port block efficiency and unique pool users statistics display incorrect values when the NAT pool is modified dynamically with CGNAT traffic for the particular term in the NAT rule. PR1177244

  • If the MIC-3D-4XGE-XFP is used with MPC2E-3D-NG or MPC3E-3D-NG, the interfaces on the MIC-3D-4XGE-XFP connected to a DWDM device might flap continuously. PR1180890

  • Memory leak in JDHCP during dhcp session RELEASE/BIND. PR1181723

  • On MX Series routers, MS-MIC crash might occur. The exact trigger of the issue is unknown; generally, this issue might happen very rarely without any external triggers. The crash might occur with any services configuration, with core files pointing to a program terminated with signal 4, illegal instruction. PR1183828

  • On MX Series platform, using a filter attached to egress MS interface to redirect packets to routing-instance will fail. PR1184283

  • FRU model numbers might be missing or incorrect as follows:

    740-013110 PDM-MX960
    740-057995 FFANTRAY-MX960-HC-S
    750-033205 MX-MPC3E-3D (incorrect)
    750-038493 MX-MPC2E-3D-Q
    750-044130 MX2K-MPC6E
    750-045372 MX-MPC3E-3D
    750-046005 MPC5EQ-100G10G
    750-046532 MIC6-10G
    750-049457 MIC6-100G-CFP2
    750-054563 MPC5E-40G10G
    750-054902 MPC3E-3D-NG
    750-054903 MPC2E-3D-NG-Q
    750-055976 SCBE2-MX-S
    all CFP, CFP2, QSFPP, QSFP28 optics
    all MX2000 FRUs
    all MPC7E, MPC8E, MPC9E, SFB2 FRUs

    Note that show chassis hardware models displays correct information, but optics are missing from that output. PR1186245

  • When both an AMS-redundant interface and an AMS-load-balancing interface are configured in the system, a "Not a deterministic nat pool" syslog message is generated whenever the deterministic-nat CLI command show services nat deterministic-nat nat-port-block is executed. PR1186723

  • On a Junos OS based platform, CHASSISD_I2CS_READBACK_ERROR error might occur on a single occurrence of I2C read failure. A single occurrence is a transient error and might be seen randomly without any particular trigger. This type of message should be reported only when there are three consecutive I2C read failures. PR1187421

  • The following system error is logged: JAM: Plugin installed for %s PIC. PR1189100

  • This issue occurs on MX Series routers with the Junos Telemetry Interface, and with the set routing-options lsp-telemetry statement configured. When SDN-telemetry (the agentd process) is disabled or continuously restarted, certain messages are repeatedly logged into syslog, the CPU utilization of the rpd and eventd processes might get near 100%, and eventually that of agentd also gets near 100%. When this issue happens, the agentd process is not able to accept new subscriptions and drops all existing subscriptions. It can be triggered by consecutively restarting SDN-telemetry (the agentd process), or after a device reboot. PR1192366

  • On MX Series platforms with MPC5E installed, in a high-temperature situation, the temperature thresholds for triggering the high temperature alarm and controlling fan speed are based on the FPC level. Any sensor values in the FPC that exceed the temperature threshold of the FPC trigger the actions associated with temperature thresholds. PR1199447

  • The routing protocol process (rpd) might crash after committing configuration. This is a timing issue in a route-installation-blocked scenario while the route installation job gets triggered. There is no exact trigger; any configuration that triggers route installation after committing might cause this issue. PR1200174

  • SMID daemon has stopped responding to the management requests after a jl2tpd (L2TP daemon) crash on an MX960 BNG. PR1205546

  • The rpd might crash in the backup Routing Engine after Routing Engine switchover in MX Series router subscriber environment. PR1206804

  • tcp_timer_keep: Drops socket connection when remote VPLS PE comes up. PR1209308

  • On MX Series platforms with MPC3/MPC4/MPC5/MPC6/MPC2-NG/MPC3-NG line cards, the chassisd process crashes continuously on both Routing Engines because some failure cases caused by underlying software and hardware are not handled gracefully. Both Routing Engines might lose mastership and get stuck in backup mode. PR1213808

  • Syslog message "fpc_pic_process_pic_power_off_config:[xxxx] :No FPC in slot [y]" is incorrectly displayed on an empty FPC slot on which PIC power off is not configured. PR1216126

  • On MX Series platforms and in the case of multi-homed (MH) PE devices with EVPN, the rpd might crash during MAC moving between multi-homed PE devices, causing traffic loss. PR1216144

  • On MX Series platforms, replacing an MQ FPC (MPC Type 1, 2, MPC 3D 16x10GE) with an XM one (MPC Type 3, 4, 5, 6, 2E-NG, 3E-NG) might cause all other MQ-based cards to report "FI Cell underflow at the state stage". It will cause packets to be dropped. PR1219444

  • When multicast composite nexthop (MCNH) is used, packet loss might occur when multicast traffic enters the Packet Forwarding Engine and exits the Packet Forwarding Engine in a different FPC. PR1219962

  • MX Series routers equipped with next generation Routing Engines might raise memory mismatch alarm; this issue is cosmetic. PR1220061

  • In a subscriber management environment, the log message vbf_ifl_bind_change_var_walker:377: ifl .demux.22698 (1073764522): IFL TCP (38) Bind change notify ran for 1480 us can often be seen. This log message is generated when the time needed to complete execution of the routine exceeds 1ms. This message is harmless and can be ignored. However, sometimes time calculation yields incorrect results, and this issue has also been corrected. PR1229967

  • On all platforms, for IPv6 static routes derived from weighted LSPs, unequal load balance does not work. PR1230186

  • MPC2E-NG/MPC3E-NG generates a core file with specific MIC due to tight loop of PCIe critical exceptions. PR1231167

  • The optional service session terminates during session setup when the optional service has configuration errors. PR1232287

  • The Packet Forwarding Engine statistics input packets pps counter might be inaccurate on MPC7E, MPC8E, and MPC9E. PR1232547

  • Input framing errors increment on interfaces connected to MPC2E-NG/MPC3E-NG/MPC2E-NG-Q/MPC3E-NG-Q with 4x10G XFP MIC when interface is configured in "wan-phy" mode. PR1232618

  • When the software detects an uncorrectable XR2 error, which is in a fixed location relative to queues in XQ, it removes the queues from service by moving the traffic to a new L4 and a new set of queues, using other XR2 locations. Currently the queues/L4 that are removed are never returned to service until reset. PR1232952

  • High MPC5 CPU utilization occurs on a scaled setup with 64 - 128 k subscribers due to the XQ background service, which collects statistics internally. PR1233452

  • For some SNMP traps, the description does not match the event, for example: jnxTimingFaultLOESMCClear .1.3.6.1.4.1.2636.3.75.1.6 jnxTimingFaults 6 JUNIPER-TIMING-NOTFNS-MIB "A trap which signifies Loss of ESMC." PR1234083

  • On MX Series routers, when per-packet load sharing is enabled under aggregated Ethernet interface, egress traffic over the aggregated Ethernet interface might be dropped unexpectedly. PR1235866

  • On all platforms that support EVPN-VXLAN, the outer source MAC in the ARP reply packet header does not correspond to the inner virtual MAC if virtual MAC is configured. PR1236225

  • This issue is applicable to an MX2020 system with SFB2s. When there is an MPC6E installed in either slot 10 and an SFB2 in slot 4, 5, 6 or 7 is offlined/onlined, the SFB2 in the next slot unexpectedly gets an 'SFB check alarm'. For example, an offline/online of SFB#4 triggers an SFB#5 check alarm. PR1237134

  • In MX Series Virtual Chassis subscriber management environment, LI enabled DHCP subscribers might experience packet drops because of MAC validation errors in the FPC. This issue was seen only when connecting the subscribers for the first time after rebooting the system. PR1237519

  • DNS server IP addresses are not present in the output of show subscribers extensive for DHCP subscribers in case DNS configuration is provided from the access-profile or pool. When such data is provided from RADIUS, the output is correct. The issue is cosmetic: DNS addresses are provided to subscribers. PR1237525

  • On MX Series routers with rpd in "ASYNC" mode, if the distributed IGMP is configured, rpd core file might be seen, causing rpd to crash. PR1238333

  • After the number of licenses for scale-subscriber feature is exceeded, customer encountered the following endless logs on the backup Routing Engine every 10 seconds.

    Dec 12 13:22:41 RE hostname license-check[4900]: RE protocol backup state = 0
    Dec 12 13:22:42 RE hostname license-check[4900]: Empty license directory copied from the master
    Dec 12 13:22:51 RE hostname license-check[4900]: RE protocol backup state = 0
    Dec 12 13:22:52 RE hostname license-check[4900]: Empty license directory copied from the master

    Backup Routing Engine: has all licenses in state permanent. Master Routing Engine: shows the license with the expiry date. The log messages disappear after the master switchover. When changing master back, the above messages will start again. These messages do not appear on master Routing Engine, which has the expire date set, regardless of the mastership state. PR1238615

  • On MX Series routers with Junos Telemetry Interface deployed, streaming telemetry stops being sent for message queue telemetry transport (mqttd) when memory reaches maximum of 4G. PR1238803

  • MPC9E might generate a FPC core file on Junos OS Release 16.1R2.11, when configured with "mixed-rate AE bundles" and "adaptive load balancing". Both the load-balancing techniques are orthogonal to each other. PR1238964

  • MX Series routers send accounting interim without update-interval configuration statement. PR1239273

  • In a BGP-PIC scenario, a change in the IGP topology, for example a link failure in the IGP path, causes traffic outage for certain prefixes. The reason for this is that the unilist next-hops for these prefixes are in a broken state. PR1239357

  • Subscriber Management: MIB ifJnxTable is not supported for subscriber interfaces. PR1240632

  • Session database (SDB) synchronization might fail if the master routing engine or the master chassis in MX Series-Virtual Chassis configuration (VC-M) is power cycled. PR1241162

  • During scaled subscriber setup it could happen that the lowest dynamic-profile CoS service rate is applied to other sessions. PR1241201

  • The PTP clock class changes are delayed. When PTP fails and the system goes into holdover, it sends clock class 6 for the next 10-15 minutes. The same behavior occurs when the system goes from holdover into the "locked" state: it sends clock class 248 for the next 10-15 minutes. PR1241211

  • In some specific cases, untagged bridged traffic might not be mirrored on the second port of the mirrored group. If untagged bridged traffic is to be mirrored/sent on two different interfaces of the mirrored group, in some specific cases traffic might be mirrored/sent only on one of the mirrored interfaces/ports. PR1241403

  • Mobiled daemon is not supported in MX Series Virtual Chassis environment yet. As a result, BNG Advanced services functionality will not work in MX Series Virtual Chassis mode. PR1241857

  • For ANCP subscribers in Idle state the previously reported speed in ANCP Port UP message is not applied. PR1242992

  • ANCP neighbors were being re-initialized (and could go down) after an ephemeral commit regardless of whether ANCP neighbor configuration was changed or not. PR1243164

  • In a Junos Traffic Vision environment, the FPC might crash when adding a physical interface (IFD) sensor during FPC startup. This occurs because during FPC startup, the physical interface does not exist. At this point accessing the physical interface might cause the FPC to crash. PR1243411

  • Currently MS-MIC supports a maximum of 2M routes scale. This includes all IPv4, IPv6 and MPLS routes in the system. When scale limit is exceeded, the FDB (forwarding database) memory will be exhausted, and the MS-MIC will start to drop the routes and also print logs. PR1243581

  • In particular on MX480 and MX240 with MPC2-NG, due to the side cooling, the XM CHIP temperature might reach 67C while the fans are still operating at normal speed. The XMCHIP has a total throughput performance of about 130Gbps, and because the DDR memory refresh interval is increased, the packet forwarding throughput will be reduced by about 3-4% out of the 130Gbps. If you reach this limit, fabric drop queuing counters will get reported. A syslog entry indicates that the refresh interval is being increased. Junos OS Software is enhanced to set the fan to full speed before the XM CHIP temperature reaches 67C. PR1244375

  • On MX Series Virtual Chassis, some VBF flows are missing after FPC restart. PR1244832

  • PSMs go to the present state whenever there is a feed failure. The logic is changed to update the PSM state based on the number of feeds connected. PR1245459

  • Sensors are not reused when the subscriptions have non-common paths. When subscribed from multiple servers for the same subscription, sensor re-usage is not happening. PR1245902

  • In subscriber management environments with multicast (IGMP) configuration, BBE-SMGD might occur. PR1246318

  • When there is a gRPC subscription for telemetry data with a 2-second frequency, the jsd process might crash. PR1247254

  • When IGP or link flapping occurs, or when clear mpls lsp is run, traffic for BGP prefixes that point to an LSP in inet.0/inet6.0 might get silently dropped or discarded because of a stale RSVP label entry. This PR is also fixed in the 16.1R4-S1 service release, but due to some internal limitation it is not populated in the Resolved-In field. PR1247900

  • An SPMB reboot causes a fabric traffic black hole to occur for more than 1 min in TXP-3D. PR1248063

  • Issue occurs when the VLAN UIFL is removed while there is a pending dynamic-profile Add request. The presence of the issue can be monitored based on the following check: show shmlog statistics logname all | match PppoeSessionTerminateNoUifl. So if PppoeSessionTerminateNoUifl is present in the output the issue was triggered. PR1248282

  • The bbe-smgd process might crash in case of duplicate UID variable names (for example: all CoS configuration elements should be converted implicitly to internal variables so they can be automatically “UIDized”) used for different purposes in the dynamic-profile configuration. The bbe-smgd process crash cannot impact the traffic flows for existing subscribers, but impacts the creation of new subscribers. PR1248725

  • The error messages "Telemetry_start_polling_fd: evSelectFD failed, errno: 9" are continuously seen in logs. These are cosmetic logs and harmless. PR1248813

  • Only one IA-NA DHCPv6 session (without PD request) could be bound in case two or more subscribers are provided with the same PD from RADIUS. For example, in case of several CPE devices from a household, all sessions will be provided with the same ACI/ARI. If the username is formed based on ACI/ARI (so the username is the same for all sessions), RADIUS can provide the same PD for all sessions, and this will allow only one session to be established even though the CPE devices did not request PD. PR1249837

  • "JAM:PL: Registered attributes for %x \n" will be logged as INFO level. PR1250091

  • MPC5E/MPC2E-NG/MPC3E-NG/MPC7/MPC8/MPC9 might crash in some cases due to a software defect. If queues associated with L4 node get freed but L4 node is not freed at that time, later when trying to free the L4 node, because the queues have already been deleted, then a NULL queue node will be received and the MPC crashes. PR1250335

  • FPC ukern process might crash on Linux based linecards (that is, MPC7/8/9 on MX Series routers) due to a bug related to ukern scheduler. PR1250691

  • The smihelperd process can crash during subscriber logout process. PR1250760

  • When an IPv6 node receives an ICMPv6 PTB (Packet Too Big) message with MTU < 1280, the node will emit atomic fragments. This behavior might result in a denial-of-service attack. Refer to JSA10780 for more information. PR1250832

  • Accounting statistics are not correctly preserved across unified ISSU upgrades. PR1250919

  • On all Junos OS platforms which have routing protocol process, if some interfaces go down, which results in some peers going down or BGP-RR (route-reflector) re-advertising routes, the rpd (routing-protocol daemon) process might crash. PR1250978

  • The output for show ancp subscriber detail | match "Aggregate Circuit Identifier Binary" command stops at a certain point and gets stuck for minutes. PR1250996

  • During Routing Engine switchover or MPC/MS-MIC online requests, character corruption is observed in the log. PR1251400

  • There is an rpd problem sending route update messages to the kernel. The KRT queue used to send the messages can get into a state where no more messages can be sent to the kernel. This causes the RIB and FIB to get out of sync. This is a timing problem between multiple rpd threads. It infrequently occurs at very large scale. PR1251556

  • In certain scenarios output of show ancp subscriber detail command might omit many TLVs including mandatory Actual Net Data Upstream and actual net data downstream TLVs. PR1252747

  • When a MIC is re-inserted into the same slot, it is possible that the software might fail to read the software identification of the MIC. This results in misidentification of the MIC and an inability to initialize it properly, and MIC0 info might disappear. It has no traffic impact. PR1252998

  • If "indirect-next-hop-change-acknowledgements" is enabled, the rpd will request an acknowledgment from the kernel when creating the new forwarding next hop for indirect next hop. In a rare scenario with multipath configured, the rpd might restart while waiting for an acknowledgment from the kernel and the deletion of the old forwarding next hop is queued. PR1254735

  • On MX Series routers with MPC2E-NG/MPC3E-NG, the interfaces of these line cards might not come up when connecting to 3rd party transport switch. PR1254795

  • In the output for show subscribers extensive command, the first IP address from the Framed Prefix (returned in Framed-IPv6-Prefix) looks to be assigned to the subscriber interface although it is not. PR1255029

  • IRBs that are part of an L3 Multicast group allocate ASIC memory when added to the group. A small amount of this memory is not freed when changes are made to the L3 multicast group. This could cause a crash due to an out-of-memory condition if there are continuous changes to multicast groups with IRBs over a long period of time. PR1255290

  • In VMX platform and BBE subscribers with policy configured, if a lot of subscribers login/logout when there are large number of flows (>500K), riot (vPFE) process generates a core file. PR1255866

  • The transmit delay interval is the maximum time the key server will wait before installing a new TX SAK (default value is 6 seconds). When MKA transmit interval is set to 6 seconds, during key roll over both transmit interval and delay interval timers expire at the same time and a new TX SAK gets installed on the key server before the RX SAK is installed on the peer node causing traffic drop. PR1257041

  • VPLS mac table is not being populated properly when checked with CLI show vpls mac-table, though all subscribers have traffic. Thus it is considered a cosmetic issue. PR1257605

  • Adding an application-set with inactive applications that are not defined under [applications] hierarchy will lead to constant generation of core files each time the service PIC boots back up. PR1258060

  • Unable to run show subscribers extensive and some other CLI commands after GRES because subscriber management database is unavailable. The other symptoms of the bug can be messages like sdb.db: close: Bad file descriptor after commit full. PR1258238

  • The routing protocol process (rpd) generates a core file during a next-hop change when uRPF is used. PR1258472

  • Upon restart, na-grpcd overwrites the previous log file. PR1258484

  • In a subscriber service environment, the device control process (dcd) might restart unexpectedly during commit process after changes to ATM interface configuration. PR1258744

  • Subscriber management daemon (bbe-smgd) might crash and generate a core file during Routing Engine mastership switchover. This issue might be seen when having VLAN-OOB subscribers and running GRES and NSR. PR1258817

  • When using an AMS interface and running the show interfaces extensive command, the logical interfaces will show only 0 for the packet counters. PR1258946

  • Some skew might be noticed in Junos Telemetry Interface export interval due to scheduler model of ukernel on FPC. PR1259224

  • When TRI-RATE SFP-T is installed on MIC-3D-20GE-SFP-E, FPC will generate "HEAP: Free at interrupt level /Free interrupt violation!" syslog message when the interface is going down. PR1259757

  • Due to a software bug, the QSFPP-40GBASE-LR4 (CLI name is QSFP+-40G-LR4) might remain down after fiber link flap. This issue is specific to this optics module. PR1259930

  • Class of service (CoS) does not correctly classify egress L3 multicast traffic from an ingress VLAN bridge interface after a configuration change. PR1260413

  • On MIC-3D-20GE-SFP-E or MIC-3D-20GE-SFP, when SFP diagnostic information is being read out periodically, due to misbehaving SFP or noise on the I2C BUS, SFP thread might be hogging the CPU and a watchdog check will restart the MPC to recover. Enhancements will prevent the SFP thread hogging and MPC restart. PR1260517

  • On MX Series routers with MPC3/4/5/6 linecards, during unified ISSU process, the MPC linecard might go offline, and traffic forwarding might be affected. PR1260714

  • Only the first multicast IP packet was saved when waiting for a route to be resolved. This fix will save up to 20 additional IPv4 multicast packets and send all saved packets after the route is resolved. PR1260729

  • Dynamic profile version update followed by GRES immediately, without even a single subscriber attached in between, prevents new subscribers from attaching. In this case, jpppd daemon is not accessing the updated profile database. PR1260836

  • In MX Series routers BNG subscriber management environment, there could be a slight deviation in the service accounting statistics when the subscriber session terminated abruptly. PR1260898

  • On MX Series routers, in a rare case the backup Routing Engine is slow to process replication. Replication on the master Routing Engine continues too long under a purge condition and results in logic problems and smgd crash on the backup Routing Engine. PR1261268

  • During multicast activation of dynamic subscribers via a service profile, the bbe-smgd daemon in the backup Routing Engine could sometimes crash. PR1261285

  • On MX Series routers with QSFP optics, Rx Loss cleared and set messages will repeat when the laser is down, even when actual flapping does not occur, and overwhelm the messages file. PR1261793

  • show auto-configuration command was available in Junos OS 14.1X50 releases and was hidden in Junos OS Release 15.1 and later releases by mistake. Now it is corrected and this command is visible in these releases as well. PR1262139

  • In a subscriber management scenario, it is observed that an authenticated dynamic VLAN interface with an idle-timeout is removed if there are no subscribers on top and if "remove-when-no-subscribers" is configured at the auto-configure stanza. The dynamic VLAN interface should only be removed after its idle timeout expires if it stayed idle during this period. PR1262157

  • When subscriber management is enabled, a unified ISSU from Junos OS Release 16.1R4 to 16.2 or 17.1 requires that any service cards be offlined before the unified ISSU is started. PR1262877

  • In BNG subscriber with authentication based on RADIUS[26-1] attribute or domain-map scenario, if one subscriber is authenticated and then relocated to corresponding routing-instance based on RADIUS[26-1] attribute or domain-map, the ICMP network unreachable message might not be sent back to the subscriber client. PR1263094

  • Dynamic VLAN interface is logged out upon reaching idle-timeout even though there is a client session (PPPoE or DHCP) above it. The proper behavior is to keep the dynamic VLAN interface in case a client session (PPPoE or DHCP) is present above the dynamic VLAN interface. PR1263131

  • Currently when the CoS adjustment-control-profile (ACP) is configured with RADIUS-CoA using the adjust-less algorithm, cosd strictly follows the configured algorithm when (1) only service-profiles and/or CoA is used to apply rates to the subscriber flow and (2) no line rate adjustment protocols such as ANCP or protocol tags (for example, PPPoE-tags) are being used to apply updates. This results in undesirable complexity in applying service profiles in the order activated based on an ACP approach that is intended to control the comparison of a configured rate and a line rate, where the former represents a policy and the latter the capabilities of the access loop. When only service profiles are in use, such that more than one service profile might be applied to the subscriber via RADIUS CoA and each service profile affects the shaping rate of the subscriber, the correct behavior is for CoS to ignore the algorithm when no line rate protocol is in use. Instead it should use a replacement semantic (logically the algorithm "adjust-always") to apply a service profile initiated via CoA in the order received. Thus a profile chain can be easily managed that includes the client profile and one or more service profiles, thereby allowing predictable and intuitive revert semantics during service-deactivation or re-activation scenarios. Once a line rate protocol such as ANCP is enabled and updates are received, only then should cosd follow the algorithm because it will then be performing comparisons with the configured rate and a line rate (where the intended goal is minimum (policy rate, line rate)). As a follow-on, the ACP configuration syntax will be revisited because it is unnecessarily complex for the intended use case. PR1263337

  • Duplicate sensor resources created when the difference is trailing "/". PR1263446

  • After router reboot or JSD (JET service process) process crash, sometimes the listening socket for JSD (JET service process) is not operational. PR1263748

  • After running 'show arp' with subscribers connected bbe-smgd can become unresponsive/slow to other CLI commands. PR1264038

  • On MX Series routers with MPC7E/MPC8E/MPC9E installed, due to a race condition in reading optic state, after restarting MPC/MIC, extra link transitions might be seen during the period that the port is coming up. This is a timing issue and the affected port is random. The link might transform/flap multiple times before the link stabilizes. PR1264039

  • BGP holdtime might be expired after GRES/NSR switchover. PR1264436

  • Authd reports pdb_get_all_profiles_from_db: Populate full profile tree failed, err:261 and subscribers are unable to connect when a high number of dynamic profiles is configured. PR1264629

  • On MX Series routers with MS-MPC, with the Ethernet frames with more than 2000 bytes of payload, the mspmand process that manages the multiservices PIC might crash. The traffic forwarding might be affected. PR1264712

  • In some situations, the MX Series LAC does not encapsulate packets received from the CPE in the L2TP tunnel if this subscriber has a static pp0 unit configured on the LAC side. This issue causes a permanent traffic black hole for this subscriber and leads to PPP session flaps or an inability to establish a PPP session between CPE and LNS in case of using LCP renegotiation on the LNS side. PR1265414

  • LLDP neighbor ID is captured incorrectly in streaming telemetry output. PR1265705

  • If the dynamic VLAN profile does not have IFF configuration (for example, family PPPoE or family inet), but has firewall filter configuration, firewall filter indexes will not be released after the dynamic VLAN is removed. This eventually leads to depletion of available firewall filter indexes. PR1265973

  • Per IETF RFCs, IGMPv3 and MLDv2 reports not sent to the IANA reserved multicast addresses 224.0.0.22 (IGMP V3 ROUTERS) and ff02::16 (MLD V2 ROUTERS) respectively should be discarded. But BNG processes these reports. PR1266309

  • When VSTP is enabled on a double-tagged aggregated Ethernet logical interface and there is another single-tagged aggregated Ethernet logical interface configured with the same outer VLAN tag, then the incoming traffic on that VLAN is incorrectly hitting the AE_RESERVED_IFL_UNIT (AEx.32767) and the traffic is getting dropped. PR1267238

  • It is possible to see a bbe-smgd core under certain boundary conditions on the standby Routing Engine with certain specific configurations. Because the core is on the standby, no disruption in service is expected and the system recovers from this condition. PR1267646

  • The CLI configuration command set chassis effective-shaping-rate is enabled for the MX104. PR1267829

  • When ANCP port up message is received after a GRES for established ppp session, it will trigger RADIUS AccessRequest. PR1267960

  • Command show arp interface xe-x/x/x no-resolve | display xml returns XNM errors in the output. PR1269170

  • On MIC-3D-20GE-SFP-E and MIC-3D-20GE-SFP-EH, an interrupt threshold was introduced. If MIC error interrupts are more than the threshold (> 2500 per 5 min), the MIC or FPC will be restarted. Due to that change, MIC error interrupts will hog the CPU when restart is initiated. PR1270420

  • In multicast environment with Multicast-Only Fast Reroute (MoFRR), if an aggregated Ethernet interface flaps, due to a software defect of handling for aggregated Ethernet logical interface and physical interface, the old NHID is not cleaned and it is still retained in the Packet Forwarding Engine. During this time if any flap event happens with old backup, the multicast blackhole might be seen. PR1270939

  • On MX Series routers equipped with a next-generation Routing Engine (RE-S-X6-64G, REMX2K-X8-64G), error messages might be displayed after a commit command is executed. PR1271134

  • The Routing Engine might stop all services after GRES or ISSU. This issue is caused by corrupted Berkeley DB file after GRES or ISSU. PR1271306

  • Changing the mode of an interface causes the interface to go down and up. For the interface to go down, all the associated queues (in/out) need to be emptied. Under a certain condition, this times out: the queue is not emptied and the interface pointer is not freed properly, resulting in an FPC crash. PR1273462

  • The mspmand process generates log messages about the memory zone level that should not be generated. This occurs every 49.7 days and recovers by itself. This is a display issue and does not affect traffic. PR1273901

  • On MX Series routers with MPC7E/MPC8E/MPC9E installed, if the ports on the MPC mix 10-Gigabit Ethernet (GE) and 40GE/100GE, then after a 40GE/100GE port is configured under an aggregated Ethernet bundle, some received packets might be incorrectly dropped by DA rejects. This is due to a misconfiguration of the aggregated Ethernet MAC address in the Packet Forwarding Engine. This issue might happen after configuring a 40GE/100GE port as a LAG member. PR1274073

  • In a subscriber management scenario, due to unavailability of subscriber management database (SDB), many CLI commands related to subscribers like show subscribers detail, show subscribers extensive, might not work. PR1274464

  • In an EVPN/MPLS or EVPN/VXLAN environment, if a subinterface is configured as vlan-aware (instance-type virtual-switch), the FPC/MPC might crash in rare conditions. PR1274976

  • The FPC generates a core file when a route record with unknown AS index is received. Usually the assumption is to receive the routes with known AS index. The fix is to handle this scenario gracefully. An AS path with this unknown AS index is added and later the route is added. The AS path will hold the default values and these values will be updated once the AS update is received from SRRD. PR1275021

  • Previous default behavior: when bfd-admin-down under the "routing-options static" stanza was not configured, it was passive; that is, the static routes would not be deleted on bfd-admin-down. Now the default behavior is active; that is, static routes will be deleted on bfd-admin-down. PR1275973

  • In an environment where a large amount of reordering causes a stream to go into secure mode, the reorder engine is observed getting stuck, which causes a stream wedge. PR1276301

  • With a JET (Juniper Extension Toolkit) application installed on Junos OS, even though the JET client advertises a TCP window size of more than 32000, the TCP window size is negotiated to 32000. PR1276443

  • On MX Series platform with MS-MPC/MS-MIC installed, Spd memory leak might be observed after adding/removing service-set statement in the configuration. Spd will eventually crash due to memory exhaustion. PR1276809

  • In a subscriber management environment, if an authenticated subscriber dynamic VLAN receives an idle timeout from the RADIUS server, due to a rare timing issue, the dynamic VLAN interface might be removed immediately after it was successfully created. PR1280990

  • In a subscriber management environment, the legacy rtsock logical interface can get stuck in terminated state in a scenario where the line card and the subscriber management daemon (bbe-smgd) are restarted back-to-back or in the same time frame. After the line card and bbe-smgd daemon are back online, any further subscriber logins over that underlying legacy rtsock logical interface get rejected with the underlying logical interface stuck in terminated state. The problem is observed only in case of double failure (that is, both line card and bbe-smgd daemon restart around the same time). PR1281930

  • When checking the diagnostic level of the optics using streaming telemetry, interfaces that are in a down state will not provide data. This PR adds the ability to get telemetry data from the down interfaces. PR1281943

  • A routine within an internal Junos OS sockets library is vulnerable to a buffer overflow. Malicious exploitation of this issue might lead to a denial of service (kernel panic) or be leveraged as a privilege escalation through local code execution. The routines are only accessible via programs running on the device itself, and veriexec restricts arbitrary programs from running on Junos OS. There are no known exploit vectors utilizing signed binaries shipped with Junos OS itself. PR1282562

  • Unrelated configuration changes to a routing instance result in invalid or incomplete inline J-Flow data packets. PR1282580

  • VBF flows are not programmed correctly on aggregated Ethernet interfaces, resulting in 50% traffic loss. PR1282999

  • OAM fails to come up when GRE tunnel source and family inet address are the same. PR1283646

  • When the service set has both a NAT rule and a stateful firewall rule configured, and a source IP address does not match any NAT rule but does match the stateful firewall rule, a PPTP session from this source IP address might not be established successfully. PR1285207

  • The J-Flow data template sequence number is zero for MPLS flows. PR1285975

  • The routing protocol process (rpd) might generate a core file while logging subscribers in or out and performing GRES switchover. The relevant lines in the stack trace: #4 0x08a3c302 in krt_decode_gmp () #5 0x08a3f60f in krt_decode_gencfg () #6 0x08a19e1f in krt_sync_recv () #7 0x08a19e79 in krt_async_recv (). PR1286653

  • The smg-service daemon can generate a core file during the backup with distributed IGMP configuration. The likely trigger is that during a subscriber login with multiple service activations, the multicast service is activated successfully but the login is aborted for other reasons. The backup Routing Engine, which is in the midst of replicating the multicast state, has to abort the login, and there is a problem in this cleanup code. PR1288465

  • A kernel "rtdata" memory leak occurs on MX Series Virtual Chassis when heartbeat is enabled. PR1289363

  • In subscriber environment, the flexible PIC concentrator (FPC) heap usage might get high (for example, more than 70%) with very limited subscribers. This will affect the performance of FPC. PR1289365

  • When the IGMP protocol is enabled, the bbe-smgd daemon can leak 56 bytes for every logout of a subscriber that joined any multicast group during the session. PR1290918

  • On BNG setups with different types of subscribers running stress tests might result in BBE-SMGD. PR1291969

  • Some DHCPv4 clients do not come up during login or logout tests. The issue is related to an orphan filter scenario and is associated with the following entries in /var/log/messages:

    [Jul 22 00:00:31.520 LOG: Err] vbf_filter_add_orphan_check:574: Filter index 168017189 already exists (used by flow_id -1), marking as orphaned

    [Jul 22 00:00:31.520 LOG: Err] vbf_dfw_bbe_check_orphan_findex:734: Binding failed because filter 168017189 (flow_id -1) is orphaned.

    [Jul 22 00:00:31.520 LOG: Err] vbf_update_iff_var_list:874: Parent 1:0: var FILTER change failed with error 16

    [Jul 22 00:00:31.520 LOG: Err] vbf_update_var_list:1246: Parent 1:0 => failed to update variables for iff 2 and dir=1

    [Jul 22 00:00:31.521 LOG: Err] vbf_flow_msg_handle_change:4618: Flow 398958 => Failed to create variable list for tmpl ifl

    [Jul 22 00:00:31.521 LOG: Err] vbf_flow_msg_handler:5419: Flow 398958 => Failed to change flow with error=16

    [Jul 22 00:10:40.287 LOG: Err] vbf_flow_msg_handler:5356: Flow 486838 => Not Found
    PR1292582

  • CPCDD core file is generated using Routing Engine based http-redirect. PR1293553

  • The smg-service daemon can sometimes generate a core file on service activation or deactivation of subscriber enabled for distributed IGMP along with smg-service daemon restart on master or after a Routing Engine switchover. PR1295938

  • Kernel generates a core file in rts_gencfg_ifstate_getparent. PR1296884

High Availability (HA) and Resiliency

  • In a rare scenario, GRES might not reach the ready state and might fail to start, because the Routing Engine does not receive the state ack message from the Packet Forwarding Engine after performing GRES. This is a timing issue. It might also stop the Routing Engine from releasing resources and then cause resource exhaustion. PR1236882

  • Vmcore files were generated due to a GRES issue caused by VCP port flapping events. The VCP port flapping led to a communication drop between VCMM and VCBM, which caused a ksyncd initialization error while ksyncd was trying to clean up stale states. The current retry count for the cleanup was not enough to wait for the cleanup event to end, so ksyncd triggered live vmcore coredumps even though the cleanup finished in time. In the end, no ksyncd core would be triggered. PR1274438

Infrastructure

  • On Junos OS 15.1 and later releases, when you restart the MIB process by using the restart mib-process CLI command, the MIB2D_FILE_OPEN_FAILURE error message might appear in the logs. PR1202044

  • If the SSD contains a valid permanent (non-resettable) positive offline-uncorrectable-sectors value, smartd logs the nonzero value every 30 minutes by default, which is too frequent considering that the value has not changed. PR1233992

  • On all Junos OS platforms and on the router with PIM enabled that has a local receiver, stale next hops are present because they did not get deleted by daemons due to a timing issue. PR1250880

  • The issue occurs because logging to the console is enabled (set system syslog console and set system ports console log-out-on-disconnect) but there is no active console connection. This causes the console log buffer to become full, and processes (such as eventd) that have to log messages in the system hang. This could lead to undesired behavior such as rpd, lacpd, and l2ald not starting correctly. PR1253544

  • Legacy Junos Kernel might generate a core file on userland_sysctl / sysctl_root / sysctl_kern_proc_env / panic_on_watchdog_timeout. PR1254742

  • On FreeBSD 6.x based Junos OS, the devices might crash and reboot if there is a defect in the Junos SDK based multi-threaded application that has been used. PR1259616

  • When streaming telemetry is configured, zero suppression does not work for internal interfaces. PR1260036

  • For TX/TXP system, the kernel synchronization process (ksyncd) might restart on all LCCs after executing command "clear interfaces statistics all" when there is large SNMP polling. PR1274095

Interfaces and Chassis

  • Previously, the same IP address could be configured on different logical interfaces from different physical interfaces but in the same routing-instance. Only one logical interface was assigned with the identical address after commit. There was no warning during the commit, only syslog messages indicating incorrect configuration. This issue is fixed and it is now not allowed to configure the same IP address (the length of the mask does not matter) on different logical interfaces. PR1221993

  • On MX Series routers acting as a broadband network gateway (BNG), in a Point-to-Point Protocol (PPP) scenario the router can send an LCP Terminate-Ack packet after a PPP over Ethernet (PPPoE) Active Discovery Terminate (PADT) packet. This behavior does not follow RFC 2516, which explicitly demands that when a PADT is sent, no further PPP traffic is allowed to be sent using that session, including normal PPP termination packets. PR1234027

  • Under a particular condition in configuring interfaces which have vlan-id/vlan-tags configured, the commit operation might fail with an error message. PR1234050

  • If the MTU on BNG and CPE sides has different values, in a rare situation the MX Series router might calculate the MTU value for the corresponding pp0 IFL incorrectly. PR1240257

  • When static PPP over Ethernet (PPPoE) subscriber is trying to negotiate a PPP session exactly at the time when Graceful Routing Engine Switchover (GRES) happens, the negotiation might fail and the following logs can be observed in the output of "show log message" command: Jan 12 10:17:24.360130 allocateSession: IFL not available: pp0.1 1600!=1600 PR1245465

  • In scaled subscriber management login/logout tests, jpppd might crash if the shmlog entries are cleared using the command clear shmlog entries logname all. PR1245848

  • In some rare situations Ethernet Connectivity Fault Management Daemon (cfmd) might crash when committing a configuration where CFM filter refers to a firewall policy. When hitting this issue, all CFM enabled interfaces are down. PR1246822

  • If more than one logical interface (IFL) is configured under the same physical interface (IFD), and VRRP is configured on one logical interface without VLAN and the lower unit number logical interface has a VLAN configuration present, then vrrpd incorrectly carries the VLAN information from the lower unit number logical interface to this logical interface's configuration. As a result, VRRP might get stuck (state: unknown, VR State: bringup). This might happen if VRRP is configured on the physical interface with flexible-vlan-tagging or the lt interface without flexible-vlan-tagging. PR1247050

  • The CLI help text of the send-chassis-tlv configuration statement did not describe the actual behavior. Even though the CLI help mentioned that this configuration statement includes only the Chassis ID TLV in CCM/LBM/LTM messages, it actually adds the management address and management address domain TLVs as well. PR1248583

  • When using static demux VLAN interfaces, the link-local address is not synchronized between the kernel and the subscriber management daemon. When using router advertisement on a static VLAN demux interface and not in an IP dynamic profile, a router solicitation from customer equipment might not be answered by the MX Series router. This depends on which address the CPE is using. In this PR, the option to configure the MX Series router to use an EUI-64 address for the demux VLAN ensures that the addresses are synchronized between the daemons. PR1250313

  • On Junos OS platforms, the cfmd process runs by default up to Junos OS Release 16.1R2. When a bridge domain is configured with a trunk port, committing a configuration change related to a physical or logical interface (IFD/IFL) causes a cfmd memory leak (512 bytes) due to a software defect. The memory leak could cause cfmd to crash when it exceeds the RLIMIT (128M). PR1255584

  • Route table entries are not cleared after bringing down static subscribers and access route not cleared after subscriber logout. PR1260240

  • In a dual-stack PPPoE subscribers environment, when the PPP session has been in "OPEN" state, if the router receives a Conf-Request message from the client, it then sends a Term-Request message as a reply unexpectedly. PR1260829

  • When an aggregated interface is configured, some log messages appear after commit, and the MRU of the aggregated Ethernet interface might reset to the default value (for example: 1522). The messages are harmless. PR1261423

  • In a subscriber scenario, when traceoptions is enabled with flag GRES under PPPoE, if the subscriber username contains a format specifier (for example, the character "%") that cannot be successfully handled by the traceoption process, pppd might crash. PR1264000

  • These types of messages might be observed with configuration changes in an MX Series Virtual Chassis environment: Mar 2 00:14:30 CHASSISD_IPC_WRITE_ERR_NULL_ARGS: FRU has no connection arguments fru_send_msg Global FPC 14 Mar 2 00:14:30 SCC fru_set_boolean: send: set_boolean_cmd Global FPC 14 setting hold-pic-online-for-fabric-ready on. These messages are benign. PR1264647

  • In a PPPoE scenario, subscribers might get disconnected due to a keepalive failure when CPE is adding an additional data field in PPP Echo Request. PR1273083

  • The message dot1agCfmMepHighestPrDefect might be reported in the SNMP trap with the value of -1 instead of 0 on recovery after RDI. PR1273278

  • By default, in Junos OS, the minimum length of the CHAP challenge is 16 bytes, and the maximum length is 32 bytes. In Juniper lab tests, without using the configuration statement "challenge-length minimum XX maximum XX", it was found that MX Series does not initialize the default CHAP challenge length, which, as per our documentation, should be a minimum of 16 and a maximum of 32. PR1280263

  • When an Ethernet OAM LFM session is configured, the line card hosting the LFM session might reboot after ISSU is executed 10 times in succession. PR1283280

Layer 2 Ethernet Services

  • When LACP is configured in fast periodic along with the 'fast-hello-issu' command, LACP might time out if there is any interface commit operation on the peer router during unified ISSU, which causes OSPF adjacency flapping. PR1240679

  • This issue can be seen when DHCP-Relay option-82 is configured. When an interface is deleted, this might cause DHCP-Relay option-82 format changes. PR1253205

  • When ISSU is done from a version of Junos OS that does not have this PR fix, to a version that has this PR fix, then the DPC cards will have to undergo a cold boot rather than a warm boot. This is because the changes are done to the hardware table attributes for DPC, and for this to be effective the card must undergo a cold boot. The observable behavior will be that the loss for traffic using DPC cards will be in the order of minutes rather than seconds, during ISSU. PR1256555

  • In large-scale unified ISSU testing, an MPC/FPC might go offline during the FRU upgrade phase of unified ISSU. PR1256940

  • The duplicate-clients-in-subnet option82 feature has changed in the following way: When duplicate-clients-in-subnet option82 is configured, the client is identified using the circuit-id and/or remote-id of option82. Any other suboptions (for example, suboption 9 vendor specific) will not be used as a client identifier. Also, if duplicate-clients-in-subnet option82 is configured, existing clients will be identified using the circuit-id and/or remote-id of option 82 if available rather than torn down. PR1257701

  • If Broadband Subscriber Services is enabled, the asymmetric lease override will not work as expected for RENEW or REBIND operations originating from the subscriber devices. The result might be premature loss of address binding by this device and possible loss of service. PR1258415

  • During the DHCPv6 renegotiation lockout time BNG does not accept any DHCP solicits with rapid commit options for further processing. This might slow down the subscriber initialization in relatively high packet drop access network segments. PR1263156

  • The IPv4/IPv6 packets originating from Routing Engine might be corrupted when the bridge domain has 'vlan-id' set to none, but the outgoing L2 interface for the packet is tagged and CoS is enabled. It only affects packets that originate from Routing Engine but does not affect transit traffic. And it affects both IPv4 and IPv6 packets. PR1263590

  • Delegated-IPv6-Prefix is not included in RADIUS accounting. PR1269062

  • Under certain difficult to reproduce configuration change scenarios, a timing window is exposed that might result in a process core file. PR1288475

Layer 2 Features

  • When VPLS unicast traffic needs to be passed to a remote PE node via the LSI interface then go through the LAG interface to the L2TP network, packets could be dropped due to improper token handling. PR1240960

  • In VPLS topologies the kernel might report the error pointchange for TLV type 00000052 not supported on IFL <name> in /var/log/messages, where <name> is a VT or LSI interface used by VPLS. Sometimes the issue can be reproduced by simply loading the configuration if the scale is high enough, but other triggers might apply as well. The problem might cause high RPD CPU utilization, which can slow routing convergence. PR1279192

MPLS

  • When there are statically configured ingress and transit LSPs, due to a timing issue, there could be a scenario wherein the selfID used by the transit LSP might be allocated to the ingress LSP. Ingress static LSP does not reuse the same selfID during routing protocol process restart, whereas the transit static LSP tries to reuse the same selfID. This leads to rpd crash due to the collision when the transit LSP tries to reuse the same selfID. PR1084736

  • In some interoperability scenarios, a peer sometimes advertises a new label without withdrawing the old label. In such a scenario, Junos OS rejects the newly advertised label (as per RFC3036 behavior). The following logs will be generated in such an event: Line 408105: Mar 14 14:00:21.716559 LDP: LabelMap FEC L2CKT NoCtrlWord ETHERNET VC 40347 label 53 - received unsolicited additional label for FEC, releasing new label. PR1168184

  • In a scaled environment, when there are many unicast NHs related to the same transport LSP (for example, the same RSVP or LDP label), MPLS traffic statistics collection might take too much CPU time in kernel mode. This can in turn lead to various system impacting events, like scheduler slips of various processes and losing connection toward the backup Routing Engine and FPCs. PR1214961

  • On MX Series routers with MPCs or MICs, if BGP-LU is configured with the entropy label, the entropy label value being generated might not provide a good load sharing result. PR1235258

  • The rsvp-lsp-enh-lp-upstream-status is taking more time to synchronize on the backup Routing Engine on egress side. PR1242324

  • On MX Series routers, the LDP might fail to install LDP route in inet.3 table if IS-IS is configured with source-packet-routing and ldp-tunneling is enabled, which might cause the LDP to fail to install routes when L-IS-IS routes are present. PR1248336

  • On MX Series routers, the rpd might crash when the RSVP bypass undergoes re-optimization and the re-optimized instance encounters failure before it becomes the main instance. PR1250253

  • With nonstop active routing (NSR) and LDP protocol running, a routing protocol process (RPD) on the backup Routing Engine might consume excessive CPU time if it cannot connect to the RPD on the master Routing Engine. PR1250941

  • Collecting LDP statistics does not work correctly and a kernel memory leak is observed after configuring ldp traffic-statistics. PR1258308

  • When multiple RSVP LSPs are in ECMP and configured with metric values, if one of the LSPs removed the metric, other LSPs in ECMP might not honor the configured metric. PR1261961

  • During MBB (make-before-break), the next hop changes in the Packet Forwarding Engine, but the RSVP route does not request a next-hop ACK before changing the route to point to the new next hop. When the scale is high, traffic loss can be seen for up to 1 second. PR1264089

  • Label 0 is assigned as IPv6 explicit null label when "explicit-null" is configured for LDP. However, label 2 should be used instead of label 0. PR1264753

  • Rpd crash might be seen if egress-policy is configured in LDP and same route prefixes are in both inet.0 and inet.3. PR1266358

  • With LDP session-protection configured, the LDP session for the remote LDP peer for rLFA (remote loop free alternate) might still remain up, even after rLFA is disabled or after the remote targeted LDP session is no longer needed by rLFA. PR1266802

  • When a container LSP has less than 10 member LSPs, only the first 10 LSP will be shown in the show mpls container-lsp name <lsp-name> statistics output. PR1267774

  • When MPLS builds the next hop for an mpls.0 route for the scenario with IDP over RSVP LSP over bypass tunnel and the IDP label is implicit-NULL, the label stack constructed for the next hop might be incorrect, with an invalid bottom label value of 1048575. PR1270877

  • During LDP shutdown, route added and deleted by LDP in the inet.0 table might be in the process of being deleted but still in the inet.0 table. The "show route extensive" CLI command might cause RPD to crash when trying to display the task name for such LDP route. PR1272993

  • The RPD core file involved an LDP egress route, which was stitched to a BGP route via the ldp egress-policy configuration. There is an assumption that an LDP egress route should always be associated with a label in order to install the LDP route. Shortly after Routing Engine switchover during a route flash, LDP found an egress route without a label and the RPD core happened. The issue was due to erroneous logic in LDP during Routing Engine switchover, which caused LDP to delete the label from the egress route. This triggered the RPD core during the subsequent route flash. PR1290789

Network Management and Monitoring

  • MX Series BNG might send empty SNMPv3 responses for bulk-get requests to poll dot3adAggPortListPorts related OIDs when using nondefault maxMsgSize settings. PR1207683

  • On all platforms, if changing the syslog configuration, the eventd process might stop sending syslog message to a configured syslog server. PR1246712

  • SNMPv2 traps used to have the routing-instance information (context) in the community in the form context@community. In SNMPv3, the same routing-instance information will be added to the contextName field of the SNMPv3 trap. For traps originating from a default routing instance, this field will be empty as it was earlier. PR1265288

  • The command Esc-Q does not work to toggle the console syslog. The issue is seen on FreeBSD10 builds since Junos OS 15.1 releases. This fix is needed for the command to work. PR1269274

  • On Junos OS devices with SNMP enabled, a network based attacker with unfiltered access to the Routing Engine can cause the Junos OS snmpd daemon to crash and restart by sending a crafted SNMP packet. Repeated crashes of the snmpd daemon can result in a partial denial of service condition. Additionally, it might be possible to craft a malicious SNMP packet in a way that can result in remote code execution. Refer to JSA10793 for more information. PR1282772

Platform and Infrastructure

  • NPC generated a core file with reference to [ 0x41490f64 in trinity_policer_free (result_ptr=0x5d671f64, nh_ptr=0x5d671f78) at ../../../src/pfe/common/pfe-arch/MX Series/applications/dfw/dfw_action.c:1049 ]. This type of NPC core files can be observed with a dynamic configuration change to the policer. The processing time in attempting to update all associated policers was exceeded. PR1071040

  • When the large scale firewall filter (for example, with 10000 terms on input/output) is configured on either FPC5 or MPC3/4/5/6, traffic drop might occur due to allocation limit. PR1093275

  • With MAC accounting feature (configuration "ethernet-switch-profile mac-learn-enable") configured on an interface of MX Series routers with MPCs/MICs based FPC, the limit of MAC database might be reached and the FPC crashes. PR1173530

  • When multicast, vpls-flood or bridge-flood traffic, on an affected FPC type, with packet sizes ranging from 112 - 113 bytes or 108 - 109 bytes crosses zone boundaries within the router, traffic forwarding toward the fabric might stall. The following syslog entry will be reported "FO: Cell packing interface error". PR1180397

  • When the system log severity level 7 (debug level) is set, the following debug message is printed on a per-packet basis: "/kernel: setsocketopts: setting SO_RTBL_INDEX to 1". PR1187508

  • In a very rare scenario, during a TAC accounting configuration change, the auditd daemon crashes due to a race condition between auditd and its sigalarm handler. PR1191527

  • Blank firewall logs for IPv6 packets with next-header hop-by-hop are fixed. PR1201864

  • The auditd process might crash when it reads an event message from the socket and gets an EAGAIN error. PR1222493

  • Incorrect firewall filter to interface mapping might be observed after performing an upgrade to the affected release (Junos OS release 15.1R4-S7, 15.1R5-S2, 15.1F2-S15, 15.1F7, 16.1R4, 16.2R1-S3, 16.2R2 and later), and then during a GRES disabled Routing Engine switchover. PR1224995

  • A race condition occurs between database creation and database access. There is no functional impact of the core. PR1225086

  • dexp core file is generated during EVPL stress test with 8K ESSM service configuration. PR1228136

  • Next hop used for Routing Engine generated TCP traffic might differ from the one used for Routing Engine-generated non-TCP traffic if the prefix not subjected to 'then load-balanced per-packet' action and is pointing to an indirect next-hop resolved via unilist next-hop (ECMP). Before the fix for PR1193697, this leads to non-TCP traffic generated from Routing Engine taking one unicast next-hop while TCP traffic generated from Routing Engine is load-balanced across different next-hops. After the fix for PR1193697 this behavior might lead to non-TCP host outbound traffic taking one unicast next-hop, while TCP host outbound traffic takes another. PR1229409

  • Firewall filter index mapping gets incorrect after Routing Engine switchover, due to the contents of "/var/etc/filters/filter-define.conf" getting incorrectly changed after Routing Engine switchover. PR1230954

  • The apply-path change bit does not seem to get applied when prefix-list is modified and the DFWD daemon, which waits for the policy-options, does not get notified and the apply-path function is broken. PR1232299

  • The scale-subscriber license count might increase to an invalid license state with L2TP/LTS clients. This is due to the l2tpd daemon not going through a proper state transition on L2TP/LTS clients logout hence the license count was not getting updated. PR1233298

  • On MX Series routers with MPCs/MICs-based linecard, the increase in CPU utilization on the FPCs and MPCs might periodically go as high as 100% as a result of the microcode re-balancing mechanism, which is implemented as a process running within each Packet Forwarding Engine and runs at a lower priority than other processes within the Packet Forwarding Engine. There is no impact on convergence. PR1233390

  • NTP.org and FreeBSD have published security advisories for vulnerabilities resolved in ntpd (NTP daemon). Server-side vulnerabilities are only exploitable on systems where NTP server is enabled within the [edit system ntp] hierarchy level. A summary of the vulnerabilities that might impact Junos OS is in JSA10776. Refer to JSA10776 for more information. PR1234119

  • On MX2000 with SFB2, replacing an MPC6E with any ADC-based line card might result in a failure in internal link training. As a result, the ADC-based line card will not boot up normally. PR1235861

  • Due to a regression issue, the presence of errors or traps during ISSU might result in LU/XL based FPC crash. PR1239304

  • During an unified ISSU process, an MPC1E/2E/3E/4E or MPC-3D-16XGE-SFPP might restart unexpectedly. This issue shows up as an error in ppe_cfg_morph_ucode_instr() routine, which can be seen in syslog messages. PR1241729

  • For hardware platforms based on EA or XQ chips (such as MPC2E-3D-NG-Q), the minimum buffer value programmable in the Packet Forwarding Engine is modified from 4096 bytes to 1568 bytes. PR1246197

  • An MPC/FPC might report LUCHIP EDMEM error during ISSU. This might cause inconsistency or incorrect forwarding information (FIB) inside the Packet Forwarding Engine. While the MPC is in the problem state, the Packet Forwarding Engine might experience packets loss. The issue should be self-corrected after the ISSU process is complete and the Packet Forwarding Engine learns new FIB entries. PR1249395

  • On MX Series routers, frequent configuration edit from ephemeral database or issuing command user@router> show ephemeral-configuration | display merge might cause one of the daemons (dcd, rpd, dfwd, pfed, cosd, sampled) to generate a core file. PR1249979

  • The configuration database is locked when a user who was in "configure exclusive" mode is logged out unexpectedly. PR1250305

  • When RADIUS accounting is configured, the Junos OS device retries up to the maximum number of times when sending RADIUS accounting requests to a non-reachable RADIUS accounting server. If the socket is closed while the last try is being sent, because the network is down between the Junos OS device and the RADIUS accounting server, auditd might crash. Auditd restarts automatically after it crashes, so accounting continues to work. However, if at the time of the crash there are messages in the auditd queue that need to be sent from the Junos OS device to the accounting server, those messages might be lost. After auditd restarts, the next event that has to be sent to the RADIUS server is sent normally. PR1250525

  • In a subscriber scenario, the bbe-smgd daemon might crash if running a PPPoE login or logout with distributed IGMP enabled but without any multicast forwarding or IGMP joins. As a result, subscriber logins fail momentarily until the bbe-smgd daemon restarts and recovers. PR1253036

  • When an incorrectly wired rtclone times out and is deleted, or when the route instance is deleted, the kernel might crash with the panic string "rn_clone_unwire no ifclone parent". PR1253362

  • In a logical-systems environment, if a failure causes a Routing Engine switchover (that is, the switchover is not performed manually), the kernel routing table (KRT) queue might get stuck on the new master Routing Engine with the error "ENOENT -- Item not found". PR1254980

  • On MX Series routers with MPC5E or MPC6E cards, if VPLS or bridging features are configured, it is possible that unicast L2 packets with known MAC addresses are flooded instead of being forwarded to the known ports. It might cause some unicast traffic over VPLS or BRIDGE to be dropped. PR1255073

  • Packets are not encapsulated with a GRE header after disabling and reenabling the gr- interface, and GRE tunnel traffic might get dropped. PR1255706

  • During ISSU, memory from the previous image related to hash tables is not properly recycled, which leads to blocks of physical memory being left unused. The crash is triggered by an attempt to create a memory pool using one of these blocks. PR1258795

  • mgd might crash after executing the command show ephemeral-configuration | display inheritance. This option is unsupported. PR1258823

  • If an IX chipset-based MIC (MIC-3D-20GE, for example) is used on an MPC that has two more MIC slots, the show pfe statistics traffic detail command could display in/out pps statistics unexpectedly. PR1259427

  • After an interface switch, when the MAC moves from one interface to another, the next hop is incorrectly following the MAC route, which has been corrected via code changes. PR1259551

  • Sometimes show ephemeral-configuration might show the configuration though there were no active subscriptions. PR1260124

  • When a DHCP/BOOTP reply packet is received from an unnumbered interface, the FUD process might fail. PR1260623

  • After a unified ISSU upgrade, the WRED drop profile might not be programmed correctly, resulting in an incorrect WRED drop. PR1260951

  • On an MQ chip-based MPC, some DDRIF checksum errors are observed, which might send traffic to a black hole. This PR also includes a chassis management alarm when there is a DDRIF checksum error on the MPC. PR1260983

  • On an MX Series Virtual Chassis setup acting as an MVPN bud node and having a downstream local receiver and a PE node, traffic for a few multicast groups is reported as not being forwarded to the local receiver. PR1261172

  • The error message rnh_iff_delete_nh: no pat-node, which might be seen when a subscriber logs out, is innocuous, and its severity will be reduced to debug in the releases with the fix. PR1263983

  • Configuration changes under logical-system made by an LSYS user do not take effect on a single commit with fast-synchronize enabled. PR1265139

  • MX Series routers with FPCs might crash generating a core file when interface-specific firewall filters are configured with policers. PR1267908

  • On all platforms, fast flapping of interfaces/fast changing of configurations might cause an RPD crash and BGP sessions will flap very quickly. PR1269116

  • In a rare scenario, the Packet Forwarding Engine might drop the TCP RST (reset) packet from the Routing Engine side during GRES or while an interface is flapping, and it might cause traffic drop. PR1269202

  • In scaled configurations with the Distributed IGMP configured (above 1000 subscribers per FPC joining 1000 multicast groups), the FPC might crash. The traffic forwarding might be affected. PR1270928

Routing Protocols

  • In an MC-LAG scenario with igmp-snooping configured, when one link of the MC-LAG is disabled, the IGMP report packet cannot be transferred correctly. The IGMP report failure might impact multiple traffic flows. PR1183532

  • In large-scale BGP route environments with multipath configured, if BGP sessions go down simultaneously, the rpd might crash because it cannot finish multipath cleanup within a 10 minute limit. PR1209695

  • When changing the RD for an existing VRF with established highly active MSDP sessions or deletion/deactivation of MSDP session in the configuration, the rpd process might crash, which leads to traffic disruption. PR1216078

  • In the rare scenario with a maximum number of routes in the BGP RIB_OUT table (for example, there are more than 700K BGP routes in the route table), flapping the BGP protocol might cause the rpd process to crash. PR1222554

  • Junos OS 15.1 and later releases might be impacted by the receipt of a crafted BGP UPDATE which can lead to an rpd (routing process daemon) crash and restart. Repeated crashes of the rpd daemon can result in an extended denial of service condition. Refer to JSA10778 for more information. PR1229868

  • When a BGP peer goes down on the peer device, there might be a case of freeing the BGP session resources twice on the Junos OS devices and it can result in an rpd crash. This issue occurs when graceful restart is enabled on the peering device. PR1230556

  • The routing protocol process (rpd) on the backup Routing Engine might restart unexpectedly upon the addition of a new L2VPN routing-instance. PR1233514

  • Juniper Networks implemented BGP4-MIB (including bgpPeerTable and bgpPeerState) per RFC 4273. When there is an IPv6 BGP neighbor, Junos OS is unable to return a correct value for the BGP peer. This is because bgpPeerTable/bgpPeerEntry is indexed by bgpPeerRemoteAddr, whose syntax is IpAddress, a 32-bit integer, but the IPv6 address is 128 bits. This causes Junos OS to return 0.0.0.0, which is considered an invalid peer. PR1233790

  • With BGP ORR (optimal-route-reflection) configured, if IS-IS LSP has more than one fragment and the LSP is purged (for example, a topology change after a link flap), then an rpd crash might be seen. PR1235504

  • A combination of next-hop-self, add-path, and per-prefix-label on a BGP-LU (label-unicast) RR can cause the wrong MPLS.0 routing/forwarding swap state to be installed. PR1238119

  • When a Juniper Networks device is running protocol BGP, and policy configuration is modified, an assertion condition might be hit where the routing protocol process generates a core file. PR1239990

  • An rpd core might be seen in an MVPN scenario. There is no service or traffic impact. PR1240565

  • In a PIM scenario with BSR configured, after deleting a static RP configuration from another router, then checking an RP table on a BSR router, there might be a stale bootstrap RP entry (which is the static RP deleted from another router) in the RP table. PR1241835

  • Session uptime in show bfd session detail output omits seconds if uptime is longer than 24 hours, which is different from similar output for Label Distribution Protocol (LDP), Open Shortest Path First (OSPF) or Border Gateway Protocol (BGP). Seconds are always included into corresponding outputs for these protocols. PR1245105

  • In a BGP configuration, if the static rt-constrain feature is configured but family route-target is not present in any BGP configuration, rpd might generate a core file. This is due to cleanup code attempting to free state that was not created because family route-target was not configured. PR1247625

  • On all platforms, OSPF next hop might keep flapping between rLFA (remote LFA) and LFA when multi-area (PQ node sits in different area) rLFA along with policy is configured. PR1248746

  • Junos OS supports the mechanism to preserve BGP routing details for a longer period from a failed BGP peer than the duration for which such routing information is maintained using the BGP graceful restart functionality. But due to a software defect, the LLGR (Long-Lived Graceful Restart) feature is not working between a Juniper Networks PE device to another vendor's RR. PR1248823

  • The OpenSSL project has published a security advisory for vulnerabilities resolved in the OpenSSL library on January 26, 2017. Refer to JSA10775 for more information. PR1249517

  • The statement learn-pim-router does not work properly. As a result, when the statement is configured under the igmp-snooping protocol, PIM hello packets are not forwarded over the pseudowire and multicast traffic is dropped. PR1251439

  • When the advertise-from-main-vpn-tables configuration statement is used under BGP and route reflector functionality is added, a refresh message is not sent, resulting in some routes being missed. PR1254066

  • There are 30-second outages on multicast flows. When this is checked, irregular timer behavior is observed. PR1257668

  • Routing protocol process (rpd) might restart unexpectedly with a reference to the ioth_session_delete_internal() routine. PR1261970

  • On MX Series routers, if IS-IS segment routing is enabled but RSVP is not enabled on a certain interface, TLV 22 of IS-IS might be corrupted (the size of the value part of the TLV exceeds 255), and rpd might crash while parsing the LSP (labeled switchover path). PR1262612

  • If vrf-table-label is configured in carrier of carriers VRF routing-instance and a direct interface route is advertised from the VRF toward a CE device as BGP-LU (BGP Labeled Unicast) route, the MPLS label entry for the direct route is permanently stuck in the kernel routing table (KRT) queue. PR1263291

  • On MX Series, when an import policy of an IPv6 prefix with an IPv4 next hop is configured for a BGP neighbor, the rpd might crash continuously. The rpd crashing stops only after deletion of the policy. PR1265224

  • After configuring "family inet unicast extended-nexthop", in the BGP open message sent to the peer, "Nexthop AFI=2" should be in the message instead of "Nexthop AFI=3". PR1272807

  • When a route reflector is configured for optimal route reflection, it computes an IGP SPF tree on behalf of a specified primary node. However, the route reflector does not run this computation when the primary node is configured for IS-IS overload, resulting in no benefit of configuring the route reflector with optimal route reflection. PR1274802

  • In an IS-IS SR (segment routing) scenario, during interoperability with a Cisco device that includes a new subTLV for supporting SID (segment identifier) within LSPs, an issue in handling the subTLV might cause LSPs received from the Cisco device to be parsed unsuccessfully and then dropped on the Juniper Networks side. PR1280522

  • In a BGP-LU protection scenario with the statement per-prefix-label configured, rpd might crash after the following chain of events: a BGP route with an indirect next hop is received first, another BGP route with a direct next hop (which has the same prefix as the route received earlier) is received later, and then the prefix is advertised at least on the group. PR1282672

  • Routing protocol process might generate a core file while running ’deactivate routing-instances iptv protocols pim static’ if a static multicast group contains no source. PR1284760

  • RPD might crash if dynamic RP goes down in the topology with ECMP to RP and PIM join-load-balance automatic configuration statement is configured. PR1288316

Services Applications

  • The kmd process might hog CPU when continuously polling for IKE-related data through SNMP. This issue is specific to IKE related SNMP polling and not seen when continuously polling IPsec related data through SNMP. PR1209406

  • On Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) router where Access Node Control Protocol (ANCP) is used for bandwidth adjustment, L2TP Connect Speed Update Notification (CSUN) message to L2TP network server (LNS) might be sent after a short delay after ANCP Port Up with updated access line parameters was received. This delay is caused by current interaction scheme between ANCP and L2TP daemons and can last up to 5 seconds. In a production network scenario this delay shouldn't be visible as the L2TP daemon checks for state updates each time there is an L2TP packet that has to be sent or received. PR1234674

  • PPPoE - L2TP subscribers might get stuck in the Terminating state in a longevity login/logout test. PR1235996

  • On Layer 2 Tunneling Protocol (L2TP) network server (LNS) router L2TP tunnels might be stuck in "Terminating" state after execution of particular sequence of CLI commands. Deactivation of tunnel-group on LNS leads to clean up of all logged in L2TP subscribers and L2TP tunnels. If "clear services l2tp tunnel" command is issued when the clean up hasn't been completed, it's possible that the tunnel will not be cleaned up properly and get stuck in "Terminating" state. PR1249768

  • With MS-MIC/MS-MPC used for NAT service, when changing the source-address under a NAT rule term for a BASIC-NAT translation type, all future traffic hitting the NAT term will be dropped. PR1257801

  • When two or more service-sets share the same local-gateway for an IPsec next-hop service-set, the kmd might crash on the new master Routing Engine after GRES. PR1258811

  • The L2TP congestion window is set to 128 instead of 1 when a tunnel is created. PR1265001

  • An apply-group configuration might cause a KMD process crash during the "commit check" process, which causes IPsec tunnel establishment failures. After this fix, apply-group can be used. PR1265404

  • In a subscriber management scenario, all ingress control packets (for example, packets from subscriber to the MX Series BNG) are mirrored twice. These packets might include DHCPv4 and DHCPv6 traffic, ICMP traffic or any other packets that will be processed by MX Series. PR1275592

  • After business services are activated and a Routing Engine switchover is performed, an attempt to deactivate the business services (also known as ESSM subscribers) by logging out the parent PPP session leaves the business services stuck in the terminating state. Business services that have LI applied are stuck, and the services that do not have LI are logged out successfully. PR1280074

  • A jl2tpd daemon restart should be avoided. GRES followed by a jl2tpd daemon restart will result in the loss of subscribers. PR1293783

  • If some subscribers log in without "Tunnel-Client-Endpoint" from RADIUS, each subscriber session gets its own Layer 2 Tunneling Protocol (L2TP) tunnel. PR1293927

Subscriber Access Management

  • If the test aaa ppp command is used to check whether the subscriber has been provisioned correctly on the RADIUS server, it provides an incorrect result for an IPv6-only subscriber (for example, a subscriber that is provisioned with IPv6-only attributes). Even if the subscriber is able to successfully authenticate on the RADIUS server, the result indicates "Authentication Deny (reason: Access Denied)". PR1235914

  • Call rate performance might be impacted under heavy load if there are large numbers of small linked address pools due to a bug in the allocation traversal algorithm. PR1264052

  • The show network-access aaa statistics radius detail command can display an incorrect number of messages to the RADIUS server if the configured RADIUS servers are continuously flapping. PR1267307

  • In an MX Series BNG environment, the show network-access requests pending count keeps increasing even though there are no pending authentication requests. PR1267702

  • During L2BSA subscriber stress test, some subscribers might report invalid Event-Timestamp to RADIUS. PR1270162

  • In a scaled subscriber management scenario, bbe-smgd might spontaneously crash after it is restarted from the CLI. PR1277099

  • MX Series routers could not filter some RADIUS attributes with Accounting-Off and Accounting-On messages. PR1279533

User Interface and Configuration

  • Routing protocol process memory increases and does not return to its previous level after an IS-IS interface flap. If this memory leak reaches a high level that impacts route calculation, it might cause unexpected network issues. PR1243702

  • Some configuration objects are not properly handled by "delta-export" (dexp). This leads to an omission of the section of the configuration. PR1245187

  • A core file is generated by commitd when the deletion of a certain configuration is committed. The configuration is properly changed after the commit even though the core file remains. PR1267433

VPNs

  • The L2circuit does not switch from primary to backup and vice versa based on the APS status change, because when APS switchover happens, the PW switchover does not switch to the new APS active neighbor. PR1239381

  • With NSR enabled and a Layer 2 circuit configured, an rpd crash might be observed on the backup Routing Engine when you change the Layer 2 circuit neighbor and then commit the changes. The issue does not exist if NSR is not enabled. PR1241801

  • A routing protocol process memory leak is seen when NG-MVPN type 6 and type 7 routes are added, deleted, or changed. The leak is a 36-byte block size on releases prior to Junos OS Release 15.1, and a 44-byte block size on Junos OS Release 15.1 or later releases. PR1259579

  • A routing protocol process might crash with a segmentation fault after applying an L2VPN configuration followed by the ping mpls l2vpn command. PR1272612

  • If Rosen7 (PIM-MVPN) is enabled for IPv4 but NGEN-MVPN is not explicitly set to 'disable' for IPv6, then when a PIM mcast route is created in IPv4, the ALT KAT timer is also created. However, when the IPv4 mcast route is removed, PIM checks whether NGEN-MVPN is enabled for IPv4 only, which is false, so the ALT KAT timer is not deleted. This leads to a memory leak. PR1276041

Resolved Issues: 16.1R4

Class of Service (CoS)

  • When "chained-composite-next-hop" is enabled for Layer 3 VPN routes, MPLS CoS rewrite rules attached to the core-facing interface for "protocol mpls-inet-both-non-vpn" are applied not only to non-VPN traffic (which is the correct behavior) but also to Layer 3 VPN traffic. That is, both MPLS and IP headers in Layer 3 VPN traffic receive CoS rewrite. PR1062648

  • In phase 1 of Junos Fusion Provider Edge, extended ports do not support SNMP-based CoS statistics. Polling an EP port for CoS statistics can trigger a cosd core. PR1205512

  • The following error log message might be seen with hierarchical CoS and strict-high scheduling configured: Dec 27 11:08:02.293 mand-re0 fpc1 cos_check_temporal_buffer_status: IFD ge-1/2/1 IFL 358: Delay buffer computation incorrect. If hierarchical scheduler is configured for a physical interface and if guaranteed rate is not set for a logical interface under this physical interface, then the temporal buffer configured. The display of the error message is valid when guaranteed rate is '0', but it is not valid when 'guaranteed rate' is disabled. PR1238719

Forwarding and Sampling

  • If a two-color policer is configured on MX Series with MPCs/MICs-based cards, more traffic than the configured limit might be passed when the packet size is less than 128 bytes. PR1207810

  • Packet Forwarding Engine process generates a core file on both Routing Engines after a huge configuration statement change is committed. PR1220653

  • The bandwidth-percent policer does not work on a ps interface, which results in a commit error. PR1225977

  • A firewall filter of family "any" with shared-bandwidth-policer on an MC-AE interface does not reconfigure the bandwidth or carve-up policer when the standby becomes active after an A/S switchover, and it drops all packets. PR1232607

  • On an MX device with the ipv4-flow-table-size or ipv6-flow-table-size configuration statement, if a sampling instance is not defined under the chassis hierarchy (the sampling instance is not associated with an FPC), then after the device is rebooted, the "ipv4-flow-table-size" or "ipv6-flow-table-size" does not propagate to the FPC. PR1234905

  • When the configuration statements set accounting-options file <filename> push-backup-to-master and set accounting-options file <filename> backup-on-failure master-only are applied to the accounting options file configuration, it is expected that upon the Routing Engine switchover, the local backup statistics files from the /var/log/pfedBackup/ directory will be moved from the old master Routing Engine to the new master Routing Engine. But in this case, this does not happen. PR1236618

  • J-Flow version 9 cannot get TCP flag information from IPv6 fragment packets. However, it can get other information, such as src and dst port information. It can get sampling information only partially from the TCP header in IPv6 fragment packets. PR1239817

  • On MX Series platforms, after GRES (done for SSD upgrade) or a configuration change that leads to a pfed core/restart, the MX Series platforms might send 5 AcctInterim updates for every single session. PR1249770

General Routing

  • This is a timing issue. After deleting and reconfiguring a VRF instance or changing route-distinguisher in VRF instance while rpf-check is enabled, rpd process might crash. The routing protocols are impacted and traffic disruption will be seen due to loss of routing information. PR911547

  • A wrong byte count was seen in the IPFIX exported statistics packets for MPLS flows. PR1067084

  • If an aggregated Ethernet interface without LACP enabled has at least two member links and one member link is on MIC-3D-4XGE-XFP, which is in MPC3E-NG or MPC2E-NG, there might be 400-900 ms of traffic loss when the link comes up from down status. This is because there is a window between the physical link getting activated and the XM stream getting created. This window of time might reach 700 ms; all the traffic entering during this period is silently discarded or dropped. PR1167231

  • If the MIC-3D-4XGE-XFP is used with MPC2E-3D-NG or MPC3E-3D-NG, the interfaces on the MIC-3D-4XGE-XFP connected to a DWDM device might flap continuously. PR1180890

  • AMS redundant interfaces are not listed under possible-completions of operational commands. PR1185710

  • Nexthop attribute in a framed route is not applicable anymore. Since subscriber IP address is used as the nexthop in all cases, there is no need to have an additional attribute for nexthop for framed routes. PR1186046

  • FRU model numbers might be missing or incorrect for the following: 740-013110 PDM-MX960; 740-057995 FFANTRAY-MX960-HC-S; 750-033205 MX-MPC3E-3D (incorrect); 750-038493 MX-MPC2E-3D-Q; 750-044130 MX2K-MPC6E; 750-045372 MX-MPC3E-3D; 750-046005 MPC5EQ-100G10G; 750-046532 MIC6-10G; 750-049457 MIC6-100G-CFP2; 750-054563 MPC5E-40G10G; 750-054902 MPC3E-3D-NG; 750-054903 MPC2E-3D-NG-Q; 750-055976 SCBE2-MX-S; all CFP, CFP2, QSFPP, QSFP28 optics; all MX2000 FRUs; all MPC7E, MPC8E, MPC9E, SFB2 FRUs. Note that show chassis hardware models displays correct information, but optics are missing from that output. PR1186245

  • When VC-Heartbeat is configured, the MX Series platforms virtual chassis split detection feature should cause the backup chassis to enter line card isolation mode, powering off all FPCs to force external gear to re-route traffic. A race condition in the mechanism can cause the backup chassis to also become protocol master, and leave its line cards in an operational state, which is undesirable. PR1187567

  • As described in RFC7130, when LACP is used and considers the member link to be ready to forward traffic, the member link MUST NOT be used by the load balancer until all the micro-BFD sessions of the particular member link are in Up state. PR1192161

  • Configuring an RLT interface and rebooting the router shows the RLT interface down. The show l2circuit connection shows an MTU mismatch as the immediate cause. For example, the problem might be seen with the following configuration:

    show configuration interfaces rlt0
    redundancy-group {
        member-interface lt-4/0/0;
        member-interface lt-4/2/0;
    }
    unit 0 {
        encapsulation vlan-ccc;
        vlan-id 600;
        peer-unit 1;
        family ccc;
    }
    unit 1 {
        encapsulation vlan;
        vlan-id 600;
        peer-unit 0;
        family inet {
            address 70.70.70.1/24;
        }
    }

    PR1192932

  • Due to a bug in the schema in Junos OS Release 14.1Rx and 15.1Rx, administrators are not able to push MPLS configurations that include loose strict tags to devices. PR1193599

  • MAC routes received from the control plane are not installed in the EVPN mac-table. PR1193754

  • With GRES and nonstop-bridging configured in Juniper Networks devices with dual Routing Engines, the backup Routing Engine might run into high CPU usage due to abnormally high CPU utilization by the firewall daemon. The abnormally high CPU usage might impact the backup Routing Engine functions. PR1193891

  • If a fragmented ICMP request from subscribers is sent to a device, the device only responds with an ICMP request for the first packet, which causes the ping to fail. And if a ping is initiated from a device to subscribers with a size greater than the negotiated MRU, the device cannot fragment the packet, so the ping still fails. PR1195031

  • With MPC8/9 MRATE MIC and plug-in optics module (QSFP28-100GBASE-LR4), bit errors might be seen. PR1200010

  • When performing unified in-service software upgrade (ISSU) on MX Series routers, the MPC might crash during the field-replaceable unit (FRU) upgrade process. PR1200690

  • When multiple unnumbered interfaces are configured under OSPF, the routing table is not updated if some of the unnumbered interfaces go down while other unnumbered interfaces are still active. PR1202795

  • A dynamic tunnel times out every 15 minutes by default and then retries to create another tunnel. This happens if the route obtained from IGP is non-forwarding. With this fix, stable and persistent dynamic tunnels are allowed even for non-forwarding routes. PR1202926

  • Problem: With a local source and ASM MoFRR enabled, the default MDT traffic loops back to the originating router on the MoFRR backup interface, thereby causing continuous IIF_mismatches. MoFRR behavior after the fix: With the current MoFRR code, since the source is local, the SPT bit is set by default. Therefore an (S,G,rpt) PRUNE is sent out of the MoFRR active interface, but an (S,G,rpt) PRUNE is not sent out of the MoFRR backup interface (missing code). With this fix, an (S,G,rpt) PRUNE is also sent over the MoFRR backup path (if there is already an (S,G,rpt) PRUNE going out of the MoFRR active path) in order to avoid IIF_mismatches. PR1206121

  • The l2ald might thrash when the targeted-broadcast is configured on EVPN IRB. PR1206979

  • When an egress Packet Forwarding Engine (NG-MPC3E) is oversubscribed, it applies flow control to the ingress Packet Forwarding Engine (MPC7E). The fabric delay buffer memory utilization on the ingress Packet Forwarding Engine (MPC7E) went up due to the flow control from the egress Packet Forwarding Engine. The default WRED drop profile for the low priority fabric queues was not aggressively dropping the low priority traffic. PR1207417

  • VC link "last flapped" timestamp is reset to "Never" on the new backup Routing Engine after MX Series VC global GRES switchover. PR1208294

  • In a rare condition, multiple interrupts are not handled properly on MX Series routers with MPC7E/MPC8E/MPC9E. The interrupt code is optimized to avoid the unnecessary call to prevent the issue. PR1208536

  • When using the show chassis hardware detail command in Junos OS Release 15.1 or above to display chassis components, the CompactFlash card and hard disk serial numbers might be truncated to 15 characters. PR1209181

  • The logic to calculate the IPsec phase2 soft lifetime has been changed in Junos OS Release 14.2R6, resulting in an interoperability issue in certain scenarios. A hidden configuration statement is provided as part of this PR which will revert the soft lifetime logic to the one used in Junos OS 11.4 Release. PR1209883

  • BGP PIC installs multiple MPLS LSP next hops as active instead of standby in Packet Forwarding Engine. This can cause a routing loop. PR1209907

  • On MX Series platforms, if any inline feature is configured (for example, inline BFD, CFM, or PPP), the FPC might crash and core files are generated. PR1210060

  • The Periodic Packet Manager (ppman) based sessions (such as CFM session) might be flapping when executing offline/online MIC-3D-20GE-SFP (model number) MIC inserted into MPC2E-NG/MPC3E-NG. This occurs because the TNPC-CM thread is hogging the CPU for ~450 ms when executing MIC-3D-20GE-SFP MIC offline/online. PR1211702

  • When an ARP entry is learned through the aggregated Ethernet interface, and a route is pointing to that ARP next-hop, the ARP entry might not expire even though the ARP IP is no longer reachable. This issue is due to the route next-hop on the aggregated Ethernet interface getting stuck in unicast state even if the remote end is not reachable, and the RPD never gets to determine that ARP is invalid. The route next-hop on aggregated Ethernet interface should be shown in 'hold' state when the remote end is not reachable. PR1211757

  • The MS-MPC/MS-MIC service cards might generate a core file when using certain ALGs or the EIM (endpoint-independent mapping) / EIF (endpoint-independent filtering) feature due to a bad mapping in memory. PR1213161

  • FPC Major alarm and "MQSS overflow" error messages might be reported on MPC9E running at line rate with small packet sizes. This issue causes no traffic loss. PR1213391

  • MS-MPC/MS-MIC might crash when large fragmented (larger than 2048 bytes) traffic hits the pinhole opened by an ALG. PR1214134

  • The aggregated Ethernet logical interface targeted distribution feature now provides 4 levels of prioritization. Refer to the document attached to the PR for more details. PR1214725

  • On MX Series Virtual Chassis, all VCP interfaces experience tail drops as a result of a configuration conflict. It is a good idea to reference the documentation and customize the CoS associated with VCP interfaces. In this scenario, a user configured a corresponding xe-n/n/n interface with just a description to denote that the port is dedicated to VCP. The problem is that the resource calculation is impacted and reports smaller queue-depth maximum values when both the network interface xe-n/n/n and vcp-n/n/n are defined. The issue is more likely to occur with dynamic modification (add/delete) of VCP interfaces with a corresponding network interface xe-n/n/n configured.

    > show interfaces queue vcp-5/3/0 | match max
    Maximum : 32768
    Maximum : 32768
    Maximum : 32768
    Maximum : 32768

    PR1215108

  • If a zero-length interface name appears in the SDB database, a forced rpd crash is seen on detection of the zero-length memory allocation in the SDB database. PR1215438

  • On Junos OS Release 15.1R3 and later MX Series platform releases, if DHCPv4 or DHCPv6 subscriber is configured and the subscriber joins more than 29 multicast groups, the line card might crash. PR1215729

  • An incorrect source MAC is used for PPPoE after the underlying aggregated Ethernet interface is changed. PR1215870

  • When the AMS interface is configured in warm-standby mode and a failover occurs, a percentage of the traffic might fail to undergo NAT. After the failover, the internal mappings driving traffic back to the service PIC might fail. PR1216030

  • When VPLS instances are configured for the first time or when a system with VPLS instances is rebooted, rpd consumes high CPU (100%) for a period of time (10-20 minutes). The installation of other routes might be deferred, traffic will be lost, and many other rpd services might also slow down or be unavailable. PR1216332

  • Due to a software issue, replacing an MQ FPC (MPC Type 1, 2, MPC 3D 16x10GE) with an XM one (MPC Type 3, 4, 5, 6, 2E-NG, 3E-NG) might cause all other MQ-based cards to report "FI Cell underflow at the state stage". This causes packets to be dropped. PR1219444

  • If RS/RA messages are received through an ICL-enabled (MC-AE) logical interface, packet loss is seen and lasts for a while. PR1219569

  • On MX Series and T Series, when enabling the feature VRRP delegate-processing ae-irb, VRRP and BFD might flap. PR1219882

  • The master CB/Routing Engine offline or OIR could lead to a link going down between SFB2 and CB during link reset. As a result, some SFBs could be in check status, followed by fabric healing. With the fix, the software retries five times to help the link come up gracefully. When this issue occurs, the following chassis alarm is seen: "Minor Check plane <idx> Fabric Chip", where <idx> is the SFB slot number. PR1219890

  • When fpc-pfe-liveness-check is configured, Packet Forwarding Engine liveness detection might incorrectly report a Packet Forwarding Engine failure event under a severe interface congestion situation. PR1220740

  • On MX Series Virtual Chassis partial or complete traffic loss for streams via aggregated Ethernet interfaces might be observed in certain scenarios. For example, if vcp ports were de-configured and re-configured again, then two consecutive global GRES switchovers were performed and the MPC hosting aggregated Ethernet child links was reloaded, traffic loss would be observed after the MPC boots up due to incorrect programming of aggregated Ethernet interface on its Packet Forwarding Engine. PR1220934

  • When MX Series routers have macsec under security and include-sci option is configured, although the interface where macsec is configured receives traffic with imix packet sizes, framing errors might be reported in the interface statistics. PR1221099

  • On MX Series routers with "pppoe dynamic-profile and service-name-table xx" configured, if you configure the prefix or any interface configuration and then commit, the output of show pppoe service-name-tables xx displays Service Name Table not found: xx. PR1221278

  • PPPoE/DHCP subscribers fail to bind due to ProcessPADIFailedUiflNotActive/SML_CLIENT_DELETE_SDB_ADD_FAILED errors. It is seen during inflight tests. PR1221690

  • Starting with Junos OS Release 15.1, the behavior of storage devices enumeration in kernel level has been changed. Device enumeration in legacy Junos OS (before 15.1), will show CF and Disk as ad0 and ad1, respectively. Device enumeration after Junos OS Release 15.1 will show CF and Disk as ad1 and ad0 instead in the result of show chassis hardware. This might be inconsistent for other output, such as show system boot-messages and show log messages. PR1222330

  • During a CoA request there are no changes on the schedulers. Requests are received successfully, but no changes are made on the CoS side. PR1222553

  • On a setup with the IRB configuration statement and non-enhanced-ip mode, when actions are performed that result in the underlying aggregated Ethernet interface of the IRB going down, the backup Routing Engine might experience a 'panic' and hence reboot. The panic is due to not being able to allocate the next-hop index that the master Routing Engine has requested. Because the panic and reboot happen on the backup Routing Engine, routing, forwarding, and other functionality are not affected. Some examples of triggers are continuous child link flaps of the aggregated Ethernet interface, back-to-back commits of different IRB configuration statements, or activating/deactivating the bridge family on the underlying interface. PR1222582

  • Due to a defect related to auto-negotiation in a Packet Forwarding Engine driver, making any configuration change to interface in MIC "3D 20x 1GE(LAN)-E,SFP" might lead to interface flapping. PR1222658

  • In an enhanced subscriber management environment with set system services subscriber-management enable and with remove-when-no-subscribers configuration statement configured in auto-configure stanza, when the last subscriber logs out (which triggers the dynamic VLAN logical interface removal) and then a new subscriber logs in before the logical interface is set to inactive, the dynamic profile deletion might fail. It will also result in the subsequent subscriber’s login failure. This is a timing issue. PR1222829

  • The problem of the tunnel stream getting misconfigured for LT interfaces is due to internal programming and has been corrected to evaluate multiple LT interfaces for the FPC and PIC slot combination. PR1223087

  • On rare occasions, offlining a MIC-3D-16CHE1-T1-CE MIC can cause an FPC core file. PR1223277

  • After the backup Routing Engine is replaced, the new backup Routing Engine cannot synchronize with the master Routing Engine if 'dynamic-profile-options versioning' is configured. This is because the code checks whether any dynamic profile is configured before enabling dynamic-profile-options versioning. If so, it throws a commit error. But there is no need to check when the Routing Engine is in backup state. PR1234453

  • In MX Series Virtual Chassis with subscriber management environment, the bbe-smgd process might leak memory in the backup Routing Engine when running continuous subscriber login logout loop tests. It seems that memory utilization increases with each login logout loop until it reaches 809 MB, but it does not increase beyond that. PR1223625

  • No optic lane dialog is exported for XFP optic in both CLI and snmp. PR1223742

  • In a PPPoE subscriber scenario, after the demux underlying interface AEx is changed to AEy, the source MAC used for the PPPoE handshake is still the old AEx interface's MAC. This causes PPPoE clients to fail because the PADR packets from the client are dropped due to the MAC address mismatch. PR1224190

  • When you receive alignment errors on a 10GE port you might see MAC control frames counter with a huge value. PR1224632

  • The normal discard count in 'show pfe statistics traffic' increases continuously without any user traffic, because internal control traffic that is expected to be dropped silently is unexpectedly counted as 'normal discard'. This issue has no impact on user traffic. PR1227162

  • On an MX2020 router, when all the SFBs are yanked out, there is no available fabric in the system, but FPCs remain in online state. There is no problem in offlining these SFB/SFB2s. PR1227342

  • On MX Series platforms, executing show chassis ucode-rebalance without a special FPC slot number might cause chassisd to crash. PR1227445

  • Flowstat reply has incorrect DL type. For example, for the following flow rule, the flowstat reply shows DL type as 0xcc88 instead of 0x88cc:

    user@host> show openflow flows detail
    Flow name: flow-65536
    Table ID: 1
    Flow ID: 65536
    Priority: 32768
    Idle timeout(in sec):0
    Hard timeout(in sec): 0
    Cookie: 1
    Match:
      Input port: wildcard
      Ethernet src addr: wildcard
      Ethernet dst addr: wildcard
      Input vlan id: 50
      Input VLAN priority: wildcard
      Ether type: 0x88cc
      IP ToS: wildcard
      IP protocol: wildcard
      IPv4 src addr: NA
      IPv4 dst addr: NA
      IPv6 src addr: NA
      IPv6 dst addr: NA
      ICMPv4 type: wildcard
      ICMPv4 code: wildcard
      Source port: wildcard
      Destination port: wildcard
    Action: Output port CONTROLLER,
    user@host>

    PR1228383

  • When Routing Engine switchover or OIR is performed, MPC7/8/9 could go into wedge status, and traffic forwarding would then be impacted. PR1228767

  • The Routing Engine CPU uses chassis temperature to decide fan speed instead of Routing Engine CPU temperature. With the fix for this PR, the real Routing Engine CPU temperature is used to decide the temperature threshold. PR1230109

  • The random load balancing feature does not function; all traffic goes to one of the load-shared egress links instead of being shared across all the links. PR1230272

  • ICMP identifier is not translated back to the expected value during traceroute for TTL exceeded packets on NAT using Multiservices MPC. This occurs for ICMP ID >255 and causes all hops (except first and last) to appear as "*". PR1231868

  • Some Packet Forwarding Engine statistics counters do not work in MPC7/8/9:

    1. Fabric Input/Output pps counters do not work in "show pfe statistics traffic".

    2. Output and Fabric Input/Output counters do not work in "show pfe statistics traffic detail".

    Example:

    user@router-re0> show pfe statistics traffic fpc 1 | match pps
    Packet Forwarding Engine traffic statistics:
        Input packets:  112980131493  1672233 pps
        Output packets: 112980107498  1790272 pps
        Fabric Input :             0        0 pps <<<<<<
        Fabric Output :            0        0 pps <<<<<<

    user@router-re0> show pfe statistics traffic detail fpc 1 | match "pps|fpc|pfe"
    Packet Forwarding Engine Details:
    fpc: 1 pfe: 0
    Packet Forwarding Engine traffic statistics:
        Input packets:  56677058489   832899 pps
        Output packets:           0        0 pps <<<<<<
        Fabric Input :            0        0 pps <<<<<<
        Fabric Output :           0        0 pps <<<<<<

    PR1232540

  • On XQ-based line cards, in rare conditions, if the FPC is taken offline and brought online or a link flaps, some error messages might be seen. PR1232686

  • Module voltage is off 10 times when checking CFP diagnostics optics on 2X100GE CFP2 OTN MIC. PR1233307

  • When port mirroring is set on an MX Series router, LSP-ping might fail and IP packets with options will not get mirrored due to an unexpected echo reply from the DUT:

    <----------------------------- echo request
    -----------------------------> echo reply
    [R1]------------[DUT]--------------[R2]
    A |
    -----------> echo reply (unexpected behavior)
    |
    mirror

    PR1234006

  • RPC call syntax of some of the ANCP related show commands like show ancp subscriber neighbor, show ancp subscriber ip-address and show ancp subscriber identifier has changed. PR1234711

  • MX Series MPC7 and above might receive noise on the FPC console port and interpret it as valid signals. This might cause login failures on the console port, generation of core files, or even reloads. This PR covers MX Series MPCs/MICs. PR1234712

  • When you start a session with a dynamic-profile service using the service volume, volumes are checked every 10 minutes instead of every 5 minutes as implemented in Junos OS Release 14.1X50. PR1234887

  • VLNS(VBNG) - Commit generated a warning: requires 'l2tp-inline-lns' license but valid license is installed. PR1235697

  • The CLI commands show route forwarding-table all and show system commit are being taken by RSI twice. PR1236180

  • When PIC-based MPLS J-Flow is configured and MPLS packets are being sampled at egress (to be sent to the service PIC), the sampled packets do not reach the service PIC because of this issue. As a result, MPLS J-Flow is not created. PR1236892

  • The show ancp neighbor ip-address <> detail command shows the auto-configure interface state as disabled, even though the neighbor maps to the auto-configure interface. PR1237107

  • When the interface configured under "router-advertisement" physically comes up for the first time, the rpd might repeatedly send the router-advertisement, which might result in as high as 100% Routing Engine CPU usage. PR1237894

  • BNG generates rpd core krt_q_flush_status_async. PR1238333

  • After the number of licenses for the scale-subscriber feature is exceeded, the customer encountered the following endless logs on the backup Routing Engine every 10 seconds:

    Dec 12 13:22:41 RE hostname license-check[4900]: RE protocol backup state = 0
    Dec 12 13:22:42 RE hostname license-check[4900]: Empty license directory copied from the master
    Dec 12 13:22:51 RE hostname license-check[4900]: RE protocol backup state = 0
    Dec 12 13:22:52 RE hostname license-check[4900]: Empty license directory copied from the master

    backup Routing Engine: has all licenses in state permanent
    master Routing Engine: shows the license with the expiry date.

    The log messages disappear after the master switchover. When changing master back, the above messages will start again. These messages do not appear on master Routing Engine, which has the expire day set, regardless of the mastership state. PR1238615

  • MX Series platforms are sending accounting interim without update-interval configuration statement. PR1239273

  • In a BGP-PIC scenario, a change in the IGP topology (for example, a link failure in the IGP path) causes a traffic outage for certain prefixes. The reason for this is that the unilist next hops for these prefixes are in a broken state. PR1239357

  • During scaled subscriber setup, the lowest dynamic-profile cos service rate might be applied to other sessions. PR1241201

  • The PTP clock class changes are delayed. When PTP fails and the system goes into holdover, it sends clock class 6 for the next 10-15 minutes. The same behavior occurs when the system goes from holdover into state "locked". It sends clock class 248 for the next 10-15 minutes. PR1241211

  • In some specific cases, untagged bridged traffic might not be mirrored on the second port of the mirrored group. If untagged bridged traffic is to be mirrored/sent on two different interfaces of the mirrored group, traffic might be mirrored/sent only on one of the mirrored interfaces/ports. PR1241403

  • Changes in CLI and XML RPC for show ancp subscriber identifier ... and show ancp subscriber ip-address ... caused the removal of the "detail" and "brief" option for these commands. PR1242360

  • Auto route insertion (ARI) IPv6 routes installed for IPSec dynamic endpoints might disappear from the routing-table after performing a graceful routing-engine switchover (GRES) with Nonstop Active Routing (NSR) enabled. The issue is triggered for IPv6 ARI routes with masks of /98 or longer. PR1242503

  • 1. Do we have figures for the supported IPv6 and IPv4 route scale for MS-MIC with Netflow configuration, so we can tell the customer? 2M cumulative is the route scale supported with Netflow. This includes all IPv4, IPv6, and MPLS routes in the system.

    2. What will be the impact on MS-MIC if the route scale limit is exceeded? From the MIC perspective, the additional routes cannot be accommodated, and the JFlow feature or Netflow feature (configured on the MIC) will report wrong information to the collector.

    3. Why do we see the issue with MS-MIC after increasing route scale without any relevant configuration? Currently, for supporting the JFlow feature (whenever configured), MS-MIC listens on routes and stores them locally irrespective of JFlow being configured. The supported scale is just 2M and the current scale tested is 5M. There is no space for accommodating more routes (according to the current design with the current flow scale number we published for the JFlow service). PR1243581

  • In certain scenarios output of show ancp subscriber detail command might omit many TLVs including mandatory Actual Net Data Upstream and Actual Net Data Downstream TLVs. PR1252747

High Availability (HA) and Resiliency

  • On all platforms, if running unified ISSU, connection might be broken between master Routing Engine and backup Routing Engine. PR1234196

Infrastructure

  • During the upgrade harmless "invalid SMART checksum logs" might be seen. This PR will suppress unnecessary "invalid SMART checksum logs". PR1222105

  • Polling SNMP QoS queue stats along with physical interface stats might result in flat values for QoS queue statistics. The flat values could give a false impression that spikes are happening in the queues. PR1226781

Interfaces and Chassis

  • In the hsl2 toolkit, there is a process which periodically checks the ASICs that communicate through it. Due to a bug in the toolkit code, the process used invalidates the ASIC and a crash occurs. PR1180010

  • In very rare conditions, FPC might crash when CLI command request chassis mic offline fpc-slot <fpc-slot> mic-slot <mic-slot> or request chassis pic offline fpc-slot <fpc-slot> pic-slot <pic-slot> is executed. This is due to a software defect in which SFP diagnostics polling function tries to access already destroyed SFP data structure by MIC/PIC offline. PR1204485

  • If version-3 configuration statement is not configured, the command of show vrrp detail|extensive|interface displays VRRP-Version as 2 for inet6 address family. The VRRP IPv6 never supported any VRRP version 2. It was always version 3. This issue is cosmetic and has no impact on VRRP IPv6 functionality. The VRRP packets generated for inet6 address family are of VRRP version 3. PR1206212

  • When VRRP is configured on IRB interface with scaling configuration (300,000 lines), in a corner case, handles might not be released appropriately after their use is over. As a result, memory leak on vrrpd might be seen after configuration commit. PR1208038

  • Access-internal route not installed for Dual Stack subscriber terminated in VRF at LNS with on-demand-ip-address. PR1214337

  • In a PPP subscriber scenario, if the jpppd process receives a reply message attribute from the RADIUS or tacplus server with a character of %, it might cause the jpppd process to crash and cause the PPP user to go offline. PR1216169

  • The dcd cannot start after router reboot due to a nonexisting logical interface referenced in demux-options underlying-interface. PR1216811

  • Unified ISSU will not work from Junos OS Release 15.1R to later images (for example, 15.1F and 16.1R2), when the router is equipped with QSFP/CXP/CFP2 optics on MPC3E/MPC4E/MPC5E/MPC6E/MPC 3D 16x10GE cards. This issue occurs because a dark window issue is fixed for SFPP/QSFP/CXP/CFP2 optics in the Junos OS Release 16.1 and 15.1F images, which makes the Junos OS 15.1R image incompatible with later images. Doing unified ISSU on the incompatible image from Junos OS 15.1R to later versions might result in a line card crash. PR1216924

  • On Junos OS Release 14.2 and later releases, if asymmetric-hold-time, delegate-processing, and preempt hold-time are configured, when a neighbor's interface comes up again, the "asymmetric-hold-time" feature cannot be used as expected. PR1219757

  • PPPoE tunneled subscriber (L2TP) might get stuck in terminating state if RADIUS sends Framed-IP-Address and Framed-IP-Netmask via access-accept in LAC. PR1228802

  • A configuration change in which the underlying physical interface of a static VLAN demultiplexing (demux) interface is changed to one with a lower bandwidth (for example, from xe to ge) can fail. PR1232598

  • There is no trap for dot1agCfmMepHighestPrDefect with value 0 reported when CFM session recovers from any other failed state. PR1232947

  • On an MX Series platform acting as broadband network gateway (BNG), in Point-to-Point Protocol (PPP) scenario, when using the Internet Protocol Control Protocol (IPCP) or Internet Protocol version 6 Control Protocol (IPv6CP) for negotiation, if the router receives a Configure-Request packet from client, MX Series BNG sends the Configure-Request packet, but does not send Configure-Ack packet, in case it does not receive the Configure-Ack that is responding to the Configure-Request packet it sent. The behavior does not follow RFC 1661, which demands that both actions Send-Configure-Request (that is, ConfReq from MX Series to client) and Send-Configure-Ack (that is ConfAck from MX Series to client) must be conducted on the router without any significant delay. PR1234004

  • Under a particular condition in configuring interfaces that have units, commit operation fails with error message. PR1234050

  • On an MX Series platform acting as broadband network gateway (BNG), in Point-to-Point Protocol (PPP) scenario, when using the Internet Protocol Control Protocol (IPCP) and Internet Protocol version 6 Control Protocol (IPv6CP) for negotiation and IPv6CP is negotiated first, if the router receives an IPCP Configure-Request packet from client, MX Series BNG sends the Configure-Request packet, but does not send Configure-Ack packet in case it does not receive the Configure-Ack that is responding to the Configure-Request packet it sent. The behavior does not follow RFC 1661, which demands that both actions Send-Configure-Request (that is, ConfReq from MX Series to client) and Send-Configure-Ack (that is, ConfAck from MX Series to client) must be conducted on the router without any significant delay. PR1235261

Layer 2 Features

  • On MX Series platforms, if a chassis-level configuration is used to offline an FPC after detecting major errors, the FPC will be offlined. But if a configuration commit is performed after offlining the FPC, the FPC will be brought back online. PR1218304

  • In a DHCP relay environment, when delay-authentication and proxy mode are configured at the same time, jdhcpd might generate a core file because of a NULL session ID. PR1219958

  • During unified ISSU process, if the first unified ISSU is aborted for some reason, an internal timer will not be cleaned up, and the new lacpd will be forked up. In this case, the second unified ISSU in the backup Routing Engine is aborted in daemon prepare phase. It will not proceed further. PR1225523

  • MX Series platform is not including Delegated-IPv6-Prefix in accounting interim. PR1231665

  • This issue can be seen if the CPE initiates DHCPv6-Solicit with the IA_NA, IA_PD, and Rapid-Commit options: MX Series platforms send the DHCPv6 Advertise with the Rapid Commit flag even though the Rapid-commit configuration statement is not enabled on MX Series platforms. PR1235578

MPLS

  • User is allowed to configure both "load-balance-label-capability" and "no-load-balance-label-capability" together. This is incorrect and confusing. PR1126439

  • When using RSVP-TE protocol to establish LSPs, make before break (MBB) might not quit and start again when there is a failure on PSB2 (RSVP Path State Block for new LSP) in some cases where PathErr is not seen. (For example, for a PSB2 that is already up and there is PathErr processing for it in place already, in this case, no PathErr is seen owing to local-reversion and a quick flap.) As a result, no rerouting happens even if the TE metric cost is raised. This issue has more chances of occurring only when there is non-default optimize switchover delay. PR1205996

  • Due to an imperfect fix for a compatibility issue between the 64-bit routing protocol process (rpd) and 32-bit client applications (such as "mpls ping", "monitor label-switched-path", "monitor static-lsp", etc.) on Junos OS Release 15.1F5-S3/15.1F6/14.2R7/15.1R4/16.1R1, the function of monitoring signaled or static LSPs is broken on either 64-bit or 32-bit rpd. However, the other 32-bit client applications (such as "mpls ping") are not impacted. PR1213722

  • In a scaled environment, when there are many Unicast NHs that are related to the same transport LSP (for example, the same RSVP or LDP label), MPLS traffic statistics collection might take too much CPU time in kernel mode. This can in turn lead to various system impacting events, like scheduler slips of various processes and losing connection with the backup Routing Engine and FPCs. PR1214961

  • If the link/node failure that triggered a bypass persists for a long time, and there are LSPs that do not get globally repaired, multiple stale LSP entries are shown as down and listed multiple times in the MPLS LSP. PR1222179

  • This issue occurs in a multi-instance RSVP scenario with MPLS supported in the VRF routing instance but with the Connections protocol not inside the VRF routing instance. When you add any interface under MPLS inside the VRF routing instance, it should affect the Connections protocol inside the main instance. When the CE-facing interface was added under MPLS in the VRF instance, the Patricia with CCC information was deleted (because the CCC information was not inside the VRF instance). To resolve this issue, a check was added before acting on the Connections protocol to determine whether the instance passed is the master instance. If it is not the master instance, the functionality related to CCC is not triggered. PR1222570

  • In VPLS environment, if you delete the routing-instance, in a rare condition, the rpd process might crash. The routing protocols are impacted and traffic disruption will be seen due to loss of routing information. This is a timing issue and hard to reproduce. PR1223514

  • In impacted Junos OS releases, LDP will import metrics for all IS-IS routes that have tags without the configuration statement track-igp-metric. Junos OS Releases 14.1R3, 14.2R1, and later are impacted with this issue. PR1225592

Multicast

  • The routing protocol process (RPD) creates an indirect next hop when a multicast route (S,G) needs to be installed when listeners show their interest to S,G traffic. Kernel would then create a composite NH. In this case this appears to be P2MP MCNH that gets created. When any member interface is not a Packet Forwarding Engine specific interface (for example, Vt, LSI, IRB or any other pseudointerfaces), the kernel throws a message indicating that FMBB cannot be supported. These messages are harmless and do not have any impact. PR1230465

Network Management and Monitoring

  • Duplicated entries and error while loading MIBs on ManageEngine MIB Browser are fixed for the below MIB files.

    - jnx-chas-defines.mib
    - jnx-gen-set.mib
    - jnx-ifotn.mib
    - jnx-optics.mib

    PR1216567

  • On Junos OS Releases prior to 15.1R6 and 16.1R4, Digital Optical Monitoring (DOM) MIB jnxDomCurrentTable for 1G SFP interface does not return any value. PR1218134

  • In MX Series platforms subscriber management environment, sometimes BNG responds to the snmp get requests with Error: status=5 / vb_index=0 for some of the interface related MIBs. PR1218206

  • JUNIPER-SMI-MIB in MIB-Packet juniper-mibs-16.1X60-D30.4-signed.tgz have some syntactical Errors. PR1239539

Platform and Infrastructure

  • SNMP queries to retrieve jnxRpmResSumPercentLost will return the RPM/TWAMP probe loss percentage as an integer value, whereas the precise value (including decimal points) can be retrieved through the CLI by using the following commands: show services rpm probe-results and show services rpm twamp client probe-results. PR1104897

  • If you configure micro-bfd on an aggregate interface when using native-vlan, and native-vlan is configured on one of the logical interfaces, ARP resolution fails for that logical interface. PR1172229

  • The issue happens after GRES. If the commit on the new master Routing Engine during the configuration statement synchronizes with the old master, the commit might fail. PR1179324

  • IPv6 now defaults to a probe type of ICMP. Prior to this, a probe type had to be explicitly specified. This change brings functional parity between IPv4 and IPv6 probe types with regard to a default probe. PR1183196

  • On MX2K, the 'commit full' operation, or committing configuration under the 'system' stanza (such as root-authentication and fxp0 interfaces), can cause a transient Fan check Major alarm and Fan full speed. The Fan Tray spins at full speed for a while, then goes back to normal and the alarm clears. The Fan check alarm and corresponding SNMP trap are temporary, and they can be safely ignored.

    user@router> show chassis alarms
    2 alarms currently active
    Alarm time               Class  Description
    2016-05-17 19:49:57 JST  Major  Fan Tray X Failure
    2016-05-17 19:49:57 JST  Major  Fan Tray Y Failure

    usr@router> show chassis environment
    Class Item                 Status  Measurement
    Fans  Fan Tray X Fan 1     Check
          Fan Tray X Fan 2     Check
          Fan Tray X Fan 3     Check
          Fan Tray X Fan 4     Check
          Fan Tray X Fan 5     Check
          Fan Tray X Fan 6     Check
          Fan Tray Y Fan 1     Check
          Fan Tray Y Fan 2     Check
          Fan Tray Y Fan 3     Check
          Fan Tray Y Fan 4     Check
          Fan Tray Y Fan 5     Check
          Fan Tray Y Fan 6     Check

    When MPC9E is installed in MX2K, the fans usually stay at around 6K rpm, and fan speed control is frequently done by the Junos OS software. In this situation, when all daemons are re-evaluated (by commit full or a configuration statement change under the system stanza), the software bug causes the fan status to be checked within a very short period, and the Junos OS software then recognizes the fan as faulty because the fan speed has not yet reached the target speed when the fan status is checked within that short period. After the fan alarm is detected, the fans are expected to start working at full speed to cool the system components. The fan status check logic is fixed by this PR. The fan status is checked after the fan speed is stabilized, hence this transient fan alarm is no longer seen. PR1185304

  • The issue occurs if there is at least one Python event script configured with a policy defined in the configuration statement database. There are also some policies without a script action that receive the same warning. #commit full Jun 10 13:24:44 re0: [edit event-options] 'policy DOM-SIGNAL-CHECK' warning: Policy 'DOM-SIGNAL-CHECK'. The warning is defined in both the Junos OS configuration database and the event script. PR1190964

  • In a very rare scenario, during TAC accounting configuration change, auditd daemon crashes due to a race condition between auditd and its sigalarm handler. PR1191527

  • Customer can now set the max-datasize configuration statement for JET scripts to up to 3 GB. PR1193948

  • The junos:key attribute that is emitted in the XML format of configuration will not be emitted in the JSON format of configuration. PR1195928

  • On Junos OS platforms with configuration statement "delta-export" enabled, the delta-export database might not get correctly reinitialized upon one of the following conditions:

    1. delta-export is enabled for first time (delta-export is enabled in just this commit)

    2. load override (delta-export is enabled in the configuration statement)

    3. commit full (delta-export is enabled in the configuration statement)

    Due to this there is a mismatch between databases in further commits. As a result, the configuration on backup Routing Engine will be corrupted. PR1199895

  • After system start up or after PSM reset you might see "PSM INP1 circuit Failure" error message. PR1203005

  • If inline J-Flow is configured in scaled scenarios, the inline J-Flow sampler route database takes a very long time to converge. PR1206061

  • On MX Series platforms that have both DPC/E and MX Series MPCs/MICs installed, when DPC/E detects a remote destination error toward an MX Series MPC/MIC Packet Forwarding Engine, unexpected fabric drops happen. PR1214461

  • In large scale configurations or environment with high rates of churn, the FPC ASIC memory will become "fragmented" over time. It is possible in an extreme case that memory of a particular size will become exhausted and due to the fragmentation, the available memory will not fulfill the pending allocation. PR1216300

  • On MX2K, MIC output is seen when there is no MIC in MPC under "show chassis hardware detail". Steps to reproduce the issue:

    1. offline MPC

    2. physically remove MPC

    3. physically remove MIC from the MPC

    4. reinsert MPC

    5. online MPC

    user@router> show chassis hardware detail |find fpc

    FPC 0 REV 68 750-044130 ABDxxx79 MPC6E 3D

    CPU REV 12 711-045719 ABDxxx35 RMPC PMB

    MIC 0 REV 14 750-049457 ABCxxx22 2X100GE CFP2 OTN >>>>>>>> No MIC inside

    MIC 1 REV 26 750-046532 ABCxxx53 24X10GE SFPP >>>>>>>>>>No MIC inside

    XLM 0 REV 13 711-046638 ABDxxx59 MPC6E XL

    XLM 1 REV 13 711-046638 ABDxxx87 MPC6E XL

    PR1216413

  • This rmopd core file was caused by the NULL pointer in SW function. PR1217140

  • For Junos OS devices supporting FreeBSD10 and with Junos OS Release 16.1R2, 16.1x60-D30 or 16.1x60-D35, when the ephemeral database is in use and the "persist-groups-inheritance" configuration statement is configured, daemons (for example, but not limited to, bbe-smgd, l2ald, ccmd, and dcd) might crash after deletion of configuration from either the ephemeral database or the normal static configuration database. PR1217362

  • MX Series with MPCs/MICs based linecards might crash after firewall filter configuration change is committed. PR1220185

  • Under certain conditions sync-other-re editing configuration warning might be displayed after reboot: user@router> configure exclusive warning: uncommitted changes will be discarded on exit Entering configuration mode Users currently editing the configuration: sync-other-re (pid 9220) on since 2016-10-03 00:16:36 PDT, idle 2d 05:47 sync-other-re (pid 9282