Junos OS Release Notes for NFX Series

What’s New

• What’s New in Release 19.1R3

• What’s New in Release 19.1R2

• What’s New in Release 19.1R1

What’s New in Release 19.1R3

There are no new features or enhancements to existing features for NFX Series in Junos OS Release 19.1R3.

What’s New in Release 19.1R2

There are no new features or enhancements to existing features for NFX Series in Junos OS Release 19.1R2.

What’s New in Release 19.1R1

Hardware

• xDSL SFP modules (NFX250 NextGen)—Starting in Junos OS Release 19.1R1, NFX250 NextGen devices support xDSL SFPs. The xDSL SFPs are supported on the SFP and SFP+ ports on the devices. Note that the xDSL SFPs are not supported on the extension modules. The xDSL SFP supports ADSL2/2+ and VDSL2.

  [See ADSL2 and ADSL2+ Interfaces on NFX250 (NextGen) Devices.]

  [See ADSL2 and ADSL2+ Interfaces on NFX250 Devices.]

  [See VDSL2 Interfaces on NFX250 Devices.]

Application Security

• Application Quality of Experience (AppQoE) on NFX150 dual CPE deployments—Starting in Junos OS Release 19.1R1, you can configure Application Quality of Experience (AppQoE) on NFX150 dual CPE deployments. AppQoE effectively prioritizes, segregates, and routes business-critical applications traffic without compromising performance or availability.

  [See Application Quality of Experience on NFX Devices.]

• AppQoE scaling support (NFX250)—Starting in Junos OS Release 19.1R1, Application Quality of Experience (AppQoE) enforces the configuration limit for overlay paths, metric profiles, probe parameters, and SLA rules per profile when you configure application-specific SLA rules and associate the SLA rules to an APBR profile. If you configure more parameters than the allowed limit, an error message is displayed after you commit the configuration.

  [See Application Quality of Experience on NFX Devices.]

Architecture

• Reoptimized architecture support (NFX250 NextGen)—Starting in Junos OS Release 19.1R1, NFX250 devices support a reoptimized architecture, which enables you to use the Junos Control Plane (JCP) as the single point of management to manage all the components.

  Note

  For documentation purposes, the NFX250 devices that use this architecture are referred to as NFX250 NextGen.

  Key components in the software include the JCP, Juniper Device Manager (JDM), Layer 2 dataplane, Layer 3 dataplane, and virtualized network functions (VNFs). The JDM functions in the background. Users cannot access the JDM directly.

  [See How to Configure NFX250 (NextGen).]

Firewall User Authentication

• Firewall user authentication (NFX150)—Starting in Junos OS Release 19.1R1, pass-through firewall user authentication is supported on NFX150 devices. Pass-through authentication restricts users who attempt to access a resource in another zone using FTP, Telnet, HTTP, or HTTPS. If the traffic matches a security policy that specifies pass-through authentication, the user is required to provide login information. The device validates the username and password against the information stored in the local database or on an external authentication server. The device supports the external authentication servers RADIUS, LDAP, and SecurID.

  [See Integrated User Firewall.]

High Availability

• High availability (NFX150)—Starting in Junos OS Release 19.1R1, NFX150 devices support the high availability feature. You can configure a cluster of two NFX150 devices to act as primary and secondary devices for protection against device failures. The high availability feature supports Layer 2 and Layer 3 features in dual CPE deployments.

  By default, the heth-0-0 interface functions as the control interface. One of the remaining front panel interfaces can be configured as the fabric interface. On the LAN, the active/backup mechanism is used. If the primary device fails, the secondary device takes over the operation. On the WAN, both active/active and active/backup mechanisms are supported.

  [See Chassis Cluster on NFX150.]

Performance modes

• Performance modes (NFX150 and NFX250 NextGen)—Starting in Junos OS Release 19.1R1, NFX150 and NFX250 NextGen devices provide the following three performance modes:

  • Throughput mode—Provides maximum resources (CPU and memory) for Junos software and remaining resources, if any, for third-party VNFs. The default mode is throughput mode.

  • Hybrid mode—Provides a balanced distribution of resources between the Junos software and third-party VNFs.

  • Compute mode—Provides minimal resources for Junos software and maximum resources for third-party VNFs.

  [See NFX150 Feature Overview.]

  [See NFX250 NextGen Overview.]

Wireless WAN

• LTE support in dual CPE deployments (NFX150)—Starting in Junos OS Release 19.1R1, you can provide a backup WAN connection by configuring LTE modules on a pair of NFX150 devices operating in cluster mode.

  [See Configuring the LTE Module on NFX Devices.]

What's Changed

• What's Changed in Release 19.1R3

• What's Changed in Release 19.1R2

• What's Changed in Release 19.1R1

What's Changed in Release 19.1R3

There are no changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands in Junos OS Release 19.1R3 for NFX Series devices.

What's Changed in Release 19.1R2

Factory-Default Configuration

• Plug-and-play configuration (NFX150 and NFX250 NextGen devices)—Starting in Junos OS Release 19.1R2, the factory-default configuration is modified to include the secure router plug-and-play configuration. PR1401704

What's Changed in Release 19.1R1

There are no changes in behavior of Junos OS features and changes in the syntax of Junos OS statements and commands in Junos OS Release 19.1R1 for NFX Series devices.

Known Limitations

• Security

• Platform and Infrastructure

• Virtual Network Functions (VNFs)

Security

• Starting in Junos OS Release 19.1R1, the TCP and ICMP RPM probes take the best-effort queue of the outgoing interface instead of the network control queue on NFX150 and NFX250 NextGen devices. As a workaround, configure a DSCP value, such as nc1, to make the RPM probes take the network control queue.PR1329643

Platform and Infrastructure

• The Routing Engine boots from the secondary disk when you:

  • Press the reset button, on the RCB front panel, while Routing Engine is booting up but before Junos OS is up.

  • Upgrade software, by booting from the network using the request vmhost reboot network command, and the system fails to boot from the network.

  • Upgrade BIOS and the upgrade fails.

  • Reboot and the system hangs before Junos OS is up.

  PR1344342

• Starting in Junos OS Release 18.4, NFX150 devices support two versions of disk layout. In the older version of the disk layout, you could upgrade or downgrade from Junos OS Release 18.4. With the new disk layout, a downgrade to releases later than Junos OS Release 18.4 is not possible. As a workaround, avoid operations that reformat the disk layout. PR1379983

Virtual Network Functions (VNFs)

• After you create or delete a VNF on NFX150 and NFX250 NextGen devices, the request virtual-network-functions console vnf-name command gives an error that the VNF domain is not found. VNFs are reachable through SSH in this state. PR1433204

Open Issues

• Interfaces

• High Availability

• Platform and Infrastructure

• Virtualized Network Functions (VNFs)

Interfaces

• On NFX Series devices, if the IRB interface configuration and DHCP service configuration on JDM are removed and rolled back while retaining the VLAN mapping to the IRB interface, the DHCP service fails to assign IP addresses to the corresponding VNF interfaces and the service chaining fails. As a workaround, remove the VLAN mapping to the IRB interface along with IRB and DHCP service configuration on JDM. PR1234055

• When you issue a show interface command on NFX150 devices to check the interface details, the system does not check whether the interface name provided is valid or invalid. The system does not generate an error message if the interface name is invalid. PR1306191

• On NFX150 devices, when you reboot the fpc0 interface, a few error messages are seen in the VTY console. PR1326487

• Starting in Junos OS Release 18.3R1, the reboot time has increased for fpc0 and fpc1 interfaces on NFX150 devices. PR1355527

• On NFX Series devices, while configuring vmhost vlans using vlan-id-list, the system allows duplicate VLAN IDs in the VLAN ID list. PR1438907

• When a DHCP server assigns a conflicting IP address to the NFX device interfaces, the NFX device does not send a DHCP DECLINE message in response. PR1398935

• On NFX150 devices, only the CFM cells that are configured for MEP levels are exchanged across xDSL MEPs. Other MEP-level CFM packets are dropped, whereas for Ethernet all MD levels along with above level are exchanged. PR1409576

• On NFX150 devices, when the interface configuration has the encapsulation flexible-ethernet-services enabled on a 10-Gigabit Ethernet interface, traffic gets dropped. PR1425927

High Availability

• On an NFX150 high availability (HA) chassis cluster, when one of the nodes is down or rebooting, any configuration commit on the peer active node triggers a reboot of the active node. This leads to loss of network connectivity until any one of the nodes in the HA topology becomes active. PR1427550

Platform and Infrastructure

• Jumbo frames are not supported through OVS on NFX250 NextGen devices. PR1420630

• Starting in Junos OS Release 19.1R1, Linux bridge mode is not supported on NFX250 devices. PR1410598

• Starting in Junos OS Release 18.1R1, the file transfer rate from external media over the network to an NFX150 device is around 40–50 Mbps. PR1290263

• During FTP on NFX150 devices, the following error message appears: ftpd[14105]: bl_init: connect failed for `/var/run/blacklistd.sock' (No such file or directory). PR1315605

• On NFX Series devices, the IPSec-NM does not start when the device comes up after a reboot. This issue appears after the system reboots during an upgrade process. It is caused by an inconsistency state of the Docker engine storage during the upgrade process. As a workaround, reboot the device. PR1439577

• When the NFX250 devices are operating on Linux bridge mode, the memory might be insufficient to launch a CLI session from JDM. This results in generating multiple JDM core files while spinning up a vSRX VNF. As a workaround:

  1. Check whether the /var/third-party/jdm-config/last_1048576kB_nr_hugepages_value or /var/third-party/jdm-config/last_2048kB_nr_hugepages_value file is present on the hypervisor. If it is, then delete it.
  2. Reboot the device.
  3. Upgrade to the release where this issue is fixed, if not already upgraded.

  PR1440427

• NFX Series devices running Junos OS Release 19.2R1 do not take the statically assigned MAC address from the CLI configuration. PR1458554

• On NFX250 devices, vector packet processing (VPP) is not loaded in dual CPE, and at times in single CPE. PR1461238

• On NFX Series devices, after a power outage, JDMD might become unresponsive due to the /etc/hosts file getting corrupted. PR1477151

Virtualized Network Functions (VNFs)

• When you issue the show virtual-network-functions vnf-name command, the system creates a defunct process due to the presence of popen() calls and pclose() calls that do not match. This issue is fixed in Junos OS Release 15.1X53-D497 onward by ensuring that pclose() calls match the popen() calls. PR1415210

• While instantiating a vSRX VNF, multiple JDM core files are generated. As a workaround, verify that the /var/third-party/jdm-config/last_1048576kB_nr_hugepages_value and /var/third-party/jdm-config/last_2048kB_nr_hugepages_value files exist on the hypervisor. If the files exist, then delete the files and reboot the device. PR1440427

• On NFX250 devices, JDM does not allow to spin up the VM if the VNF name contains the word JDM. JDM can be used as a substring for VNF names and it is not case sensitive. However, the VNF name must not be equal to JDM. For example, jdm123, abcJDM, and abcJDM123 are valid VNF names, whereas jdm, JDM, Jdm, or JDm are not valid VNF names. As a workaround, do not use JDM (case insensitive) as part of the VNF name. PR1463963

Resolved Issues

• Resolved Issues: 19.1R3

• Resolved Issues: 19.1R2

• Resolved Issues: 19.1R1

Resolved Issues: 19.1R3

Class-of-Service (CoS)

• On NFX150 devices, when you configure a CoS rewrite rule for the st0 interface, the CoS value is not applied on the corresponding forwarding class. Hence, CoS does not work as expected and network traffic is impacted. PR1439401

High Availability

• On an NFX150 high availability chassis cluster, the host logs updated in the system log messages might not show the correct timestamp. As a workaround, convert the UTC timestamp to the local time zone. PR1394778

Platform and Infrastructure

• On NFX250 devices, when you issue the request support information command, the configuration and counter data are missing for JDM. PR1413674

• If you are using init-descriptor filename vsrx.xml to upgrade the NFX Series devices, the upgrade process reverts the file to default and the JDM subsystem becomes unavailable. PR1456900

• Starting in Junos OS Release 19.2R1, NFX Series devices do not take the statically assigned MAC address from the CLI configuration. This issue was caused by an issue with the intel drivers. PR1458554

• On NFX250 devices, Virtual Port Peer (VPP) is not running on dual CPE and occasionally on single CPE. PR1461238

• On NFX Series devices, if there are any conditional groups, the l2cpd process might crash and generate a core file when interfaces are flapping and the LLDP neighbors are available. This issue might cause the dot1x process to fail and all the ports have a short interruption at the time of the process crash. As a workaround, delete the conditional group in the device. PR1431355

• On an NFX250 device with a secondary disk, the device reboots to the secondary disk during a password recovery process. PR1467569

• When you upgrade NFX250 devices from Junos OS Release 15.1X53-D496 to Junos OS Release 18.4R2, the upgrade fails. PR1468586

• When you upgrade NFX250 devices from Junos OS Release 15.1X53-D470 to Junos OS Release 18.4R2, the IPSec-NM does not start when the device comes up after reboot. It is caused by inconsistency state of docker engine storage during upgrade. PR1439577

• After a power outage, JDMD is not responsive because the /etc/hosts file is corrupted. PR1477151

Interfaces

• On NFX150 devices, the WAN ports (heth-0-4 and heth-0-5) do not function properly if you remove a cable connected to these ports or flap the link. As a workaround, use one of the following options:

  • Flap the link again.

  • Enable or disable the interface from the CLI.

  PR1449278

• When traffic goes through vSRX 3.0 instances, core files are generated and traffic is dropped. This issue might cause all interfaces to go down and the Packet Forwarding Engine might not come up. PR1465132

Virtualized network Functions (VNFs)

• NFX250 devices do not allow jdm (case-insensitive) as a VNF name. You can use jdm as part of the name. For example, jdm123, abcJDM, abcJDM123 are valid VNF names, but jdm, JDM, Jdm, JDm are not valid VNF names. PR1463963

Resolved Issues: 19.1R2

Class-of-Service (CoS)

• In the NFX Series device configuration, traffic is being sent to the incorrect queue when configuring CoS with forwarding-classes class versus queue. The forwarding-classes class is not supported and is hidden. As a workaround, use forwarding-classes queue when you configure CoS. PR1436408

Interfaces

• On NFX250 devices using xDSL SFP transceivers on the fiber ports, the status of the transceiver is displayed under the Adsl Status field in the output of the show interfaces int-name command. If you hot-swap an xDSL SFP with another xDSL SFP on the same port, then the Adsl Status field is not displayed in the output of the show interfaces command. PR1408597

• When you transition NFX150 devices from PPPoE configuration to non-PPPoE configuration in a non-promiscuous mode, the interface hangs without any traffic flow. PR1409475

• On NFX150 devices, FPC0 might not be online after an upgrade and a device reboot is required. PR1430803

• When you run the show chassis fpc or show chassis fpc details command, the Temperature field in the command output message is displayed as Testing. PR1433221

• The limit on maximum OVS interfaces is restored to the originally defined limit of 25 for backward compatibility. As a workaround, reduce the number of OVS interfaces in the configuration to 20 or fewer. PR1439950

Layer 2 Ethernet Services

• In DHCP relay scenario, if the device (DHCP relay) receives a request packet with option 50 where the requested IP address matches the IP address of an existing subscriber session, such request packet would be dropped. In such a case the subscriber might need more time to get an IP address assigned. The subscriber might remain in this state until its lease expires if it had previously bound with the address in the option 50. PR1435039

Platform and Infrastructure

• On an NFX250 device, the console is not accessible and JDM stops working. These issues occur because the libvirtd process stops responding. PR1341772

• On an NFX250 device, if the idle-time out parameter for a user login class on JDM is configured in minutes, the system considers the configured idle timeout value in seconds. The user is logged out based on the idle timeout value in seconds. PR1435310

• On NFX150 devices, the show security dynamic-address command does not work for port 3. PR1448594

• Version compare in phc might fail causing the phc to download the same image. PR1453535

• When applying firewall filters on lo0.0 on an NFX250 NextGen device, FPC0 disappears. PR1448246

• When the REST API receives several continuous HTTP requests, the REST service might become unresponsive. PR1449987

SNMP

• On NFX150 devices, SNMP does not work for the following commands:

  • show snmp mib walk jnxIpSecTunMonOutEncryptedBytes

  • show snmp mib walk jnxIpSecTunMonOutEncryptedPkts

  • show snmp mib walk jnxIpSecTunMonInDecryptedBytes

  • show snmp mib walk jnxIpSecTunMonInDecryptedPkts

  • show snmp mib walk jnxIpSecTunMonLocalGwAddr

  • show snmp mib walk jnxIpSecTunMonLocalGwAddrType

  PR1386894

• On NFX250 devices, the request-load-configuration command output from the device does not match with YANG modules for Junos OS Release 18.4. PR1416106

Virtual Network Functions (VNFs)

• When you downgrade from Junos OS Release 19.2 to Junos OS Release 18.4, the show virtual-network-functions vnf-name command does not display the VNF information. PR1437547

Resolved Issues: 19.1R1

NFX250

• Junos Device Manager (JDM) depends on the libvirtd deamon to manage the guest VMs through CLI. On NFX250 devices running Junos OS Release 19.1R1, the libvirtd deamon is inactive and the vjunos VM start up fails. This results in inband connectivity failure, guest VMs fails to start, and the console hangs. PR1314945

NFX150

• On NFX150 devices running Junos OS Release 19.1R1, software upgrade does not delete all images from the previous installation. This occupies 1 GB of storage per upgrade and leads to depletion of storage after several upgrades. PR1408061

Documentation Updates

Migration, Upgrade, and Downgrade Instructions

• Upgrade and Downgrade Support Policy for Junos OS Releases

• Basic Procedure for Upgrading to Release 19.1

Upgrade and Downgrade Support Policy for Junos OS Releases

Support for upgrades and downgrades that span more than three Junos OS releases at a time is not provided, except for releases that are designated as Extended End-of-Life (EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases.

To upgrade or downgrade from a non-EEOL release to a release more than three releases before or after, first upgrade to the next EEOL release and then upgrade or downgrade from that EEOL release to your target release.

For more information on EEOL releases and to review a list of EEOL releases, see https://www.juniper.net/support/eol/junos.html.

Basic Procedure for Upgrading to Release 19.1

When upgrading or downgrading Junos OS, use the jinstall package. For information about the contents of the jinstall package and details of the installation process, see the Installation and Upgrade Guide. Use other packages, such as the jbundle package, only when so instructed by a Juniper Networks support representative.

1. Using a Web browser, navigate to the All Junos Platforms software download URL on the Juniper Networks webpage:

   https://www.juniper.net/support/downloads/

2. Select the name of the Junos OS platform for the software that you want to download.
3. Select the Software tab.
4. Select the release number (the number of the software version that you want to download) from the Version drop-down list to the right of the Download Software page.
5. In the Install Package section of the Software tab, select the software package for the release.
6. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
7. Review and accept the End User License Agreement.
8. Download the software to a local host.
9. Copy the software to the device or to your internal software distribution site.
10. Install the new package on the device.