Errata and Changes in Documentation for Junos OS Release 10.3 for SRX Series Services Gateways and J Series Services Routers

Changes to the Junos Documentation Set

This section lists changes in the documentation.

Single Commit on J-Web

The following information pertains to SRX Series devices:

For all J-Web procedures, follow these instructions to commit a configuration:
- If Commit Preference is Validate and commit configuration changes, click OK.
- If Commit Preference is Validate configuration changes, click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.

J-Web Online Help

Previously, J-Web online Help instructions were available both in the Help and in the administration and configuration guides. These topics have been removed from the guides and are now only available in the online Help.

Interfaces and Routing Guide

The Junos OS Interfaces and Routing Guide has been divided into five smaller guides to make it easier for readers to find information:

Junos OS Class of Service Configuration Guide for Security Devices
Junos OS Interfaces Configuration Guide for Security Devices
Junos OS Layer 2 Bridging and Switching Configuration Guide for Security Devices
Junos OS MPLS Configuration Guide for Security Devices
Junos OS Routing Protocols and Policies Configuration Guide for Security Devices

The five books above include all of the information that the original Junos OS Interfaces and Routing Guide included. The Junos OS Interfaces and Routing Guide is itself, however, no longer available as of Junos 10.3.

Errata for the Junos OS Software Documentation

This section lists outstanding issues with the software documentation.

CLI Reference

On SRX210 and SRX240 devices with Integrated Convergence Services, the Transport Layer Security (TLS) option for the SIP transport is not supported in Junos OS Release 10.3. However, it is documented in the Integrated Convergence Services entries of the Junos OS CLI Reference.
The Junos OS CLI Reference contains Integrated Convergence Services statement entries for the music-on-hold feature, which is not supported for Junos OS Release 10.3.

The Junos OS CLI Reference incorrectly states the show security idp status and clear security idp status logs. The logs should be as follows:

Correct show security idp status log

user@host> show security idp status     
State of IDP: 2-default,        Up since: 2010-02-04 13:37:16 UTC (17:15:02 ago)  
Packets/second: 5               Peak: 11 @ 2010-02-05 06:51:58 UTC 
KBits/second  : 2               Peak: 5 @ 2010-02-05 06:52:06 UTC 
Latency (microseconds): [min: 0] [max: 0] [avg: 0]  
Packet Statistics: 
[ICMP: 0] [TCP: 82] [UDP: 0] [Other: 0]  
Flow Statistics:   ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]   
TCP: [Current: 2] [Max: 6 @ 2010-02-05 06:52:08 UTC]   
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]   
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]  
Session Statistics:  [ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]   
Policy Name : sample   
Running Detector Version : 10.3.160091104

Correct clear security idp status log

user@host> clear security idp status   
State of IDP: 2-default,        Up since: 2010-02-04 13:37:16 UTC (17:13:45 ago)  
Packets/second: 0               Peak: 0 @ 2010-02-05 06:49:51 UTC 
KBits/second: 0               Peak: 0 @ 2010-02-05 06:49:51 UTC 
Latency (microseconds): [min: 0] [max: 0] [avg: 0]  
Packet Statistics:  [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]  
Flow Statistics:   ICMP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]   
TCP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]   
UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]   
Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC]  
Session Statistics:  [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]   
Policy Name: sample   
Running Detector Version: 10.3.160091104

The Junos OS CLI Reference states that the maximum timeout range for IDP policy is 0 through 65,535 seconds, whereas the ip-action timeout range has been modified to 0 through 64,800 seconds.
The Junos OS CLI Reference is missing information about the new CLI option download-timeout, which has been introduced to set security idp security-package automatic download-timeout value to configure the download timeout in minutes. The default value for download-timeout is one minute. If download is completed before the download times out, the signature is automatically updated after the download. If the download takes longer than the configured period, the auto signature update is aborted.
user@host# set security idp security-package automatic download-timeout ?
```
Possible completions:  <download-timeout> 
Maximum time for download to complete (1 - 60 minutes) 
[edit] 
user@host# set security idp security-package automatic download-timeout  
Range: 1 – 60 minutes 
Default: 1 minute
```

Feature Support Reference for SRX Series and J Series Devices

The Feature Support Reference for SRX Series and J Series Devices erroneously states that SRX220 does not support the ADSL2, G.SHDSL, and VDSL interfaces. SRX220 supports the ADSL2, G.SHDSL and the VDSL interfaces.

Integrated Convergence Services Configuration and Administration Guide

The Junos OS Integrated Convergence Services Configuration and Administration Guide does not include show commands for Junos OS Release 10.3.

J-Web

J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about download status.
J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure>Security>Firewall Filters, then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring filters, select Assign to Interfaces to assign your configured filters to interfaces.
There is no documentation describing the J-Web pages for media gateways. To find these pages in J-Web, go to Monitor>Media Gateway.
J-Web Configuration Instructions— Because of ongoing J-Web interface enhancements, some of the J-Web configuration example instructions in the administration and configuration guides became obsolete and thus were removed. For examples that are missing J-Web instructions, use the provided CLI instructions.

Security Configuration Guide

ALG configuration examples in the Junos OS Security Configuration Guide incorrectly show policy-based NAT configurations. NAT configurations are now rule-based.
The Junos OS Security Configuration Guide does not state that custom attacks and custom attack groups in IDP policies can now be configured and installed even when a valid license and signature database are not installed on the device.
The “Verifying the Policy Compilation and Load Status” section of the Junos OS Security Configuration Guide has a missing empty/new line before the IDPD Trace file heading, in the second sample output.
The Junos OS Security Configuration Guide states that the following aggressive aging statements are supported on all SRX Series devices when in fact they are not supported on SRX3400, SRX3600, SRX5600, and SRX5800 devices:
- [edit security flow aging early-ageout]
- [edit security flow aging high-watermark]
- [edit security flow aging low-watermark
The Junos OS Security Configuration Guide states that the maximum acceptable timeout range for an IDP policy is 0 through 65,535 seconds, whereas the ipaction timeout range has been modified to 0 through 64,800 seconds.
The Junos OS Security Configuration Guide is missing information about the new CLI option download-timeout, which has been introduced to set security idp security-package automatic download-timeout < value > to configure the download timeout in minutes. The default value for download-timeout is one minute. If download is completed before the download times out, the signature is automatically updated after the download. If the download takes longer than the configured period, the auto signature update is aborted.
user@host# set security idp security-package automatic download-timeout ?
```
Possible completions:  < download-timeout > 
Maximum time for download to complete (1 - 60 minutes) 
[edit] 
user@host# set security idp security-package automatic download-timeout  
Range: 1 – 60 seconds 
Default: 1 second
```
The Junos OS Security Configuration Guide states the following limitations in the “Limtations of IDP” section:
On SRX Series and J Series devices, IP actions do not work when you select a timeout value greater than 65,535 in the IDP policy.
This issue has been fixed and is no longer a limitation.
The Junos OS Security Configuration Guide incorrectly states the following limitations in the “Limtations of IDP” section:
On SRX210, SRX240, and SRX650 devices, the maximum number of IDP sessions supported is 16,000.
The correct information is as follows:
The maximum number of IDP sessions supported is 1600 on SRX210 devices, 32,000 on SRX240 devices, and 12,8000 on SRX650 devices.
When specifying a forwarding target after authentication on a captive portal, use the ?target= option followed by either the %dest-url% variable or a specific URL. The %dest-url% variable forwards authenticated users to the protected resource they originally specified. A URL forwards authenticated users to a specific site.
Note that when entering a URL with the ?target= option, you must substitute escape characters for any special characters in the URL. Use the following escape characters for these common special characters:
- Replace : with %3A
- Replace / with %2F
- Replace - with %2D
- Replace . with %2E
In the section “Example: Configuring a Redirect URL for Captive Portal (CLI)” in the Junos OS Security Configuration Guide, the procedure description states that, after authentication, users will be forwarded to the specified URL. Step 2 of the configuration procedure, however, is incorrect. This command would forward users to my-website.com before authentication, not after.
To redirect users after authentication, the command must include:
- The IP address of the Infranet Controller to be used for authentication
- The ?target= option and URL to distinguish a forwarding address to be used after authentication
- Escape characters substituted for any special characters in the URL name
The following text in Step 2 is incorrect:
[edit services unified-access-control] user@host# set captive-portal my-captive-portal-policy redirect-url https://my-website.com
The correct text for Step 2 is as follows:
[edit services unified-access-control] user@host# set captive-portal my-captive-portal-policy redirect-url https://192.168.0.100/?target=my%2Dwebsite%2Ecom

Errata for the Junos OS Hardware Documentation

This section lists outstanding issues with the hardware documentation.

Quick Start Guides

The following SRX Series Quick Start Guides erroneously provide an IP address of 192.168.1/24 in the “Part 4: Ensure That the Management Device Acquires an IP Address” section:
- SRX100 Services Gateway Quick Start Guide
- SRX210 Services Gateway Quick Start Guide
- SRX240 Services Gateway Quick Start Guide
The correct IP address in this section is 192.168.1.0/24.
In the SRX210 Services Gateway Quick Start Guide and the SRX240 Services Gateway Quick Start Guide, in the “Configure the Class of Restriction” section, the document erroneously states that only intra-branch calls and emergency calls are allowed by default. By default, the devices allow intra-branch, local, emergency, and long distance calls. International and 900 calls are denied by default.
In the SRX210 Services Gateway Quick Start Guide and the SRX240 Services Gateway Quick Start Guide, the “Configure the Analog Station” section mentions that you can select the already defined analog template. By default extensions are also configured for the two on-board FXS ports.
In the SRX210 Services Gateway Quick Start Guide and the SRX240 Services Gateway Quick Start Guide, the “Configure a Trunk” section mentions that you can select the trunk type as FXO, FXS, or T1. In addition, the two on-board FXO ports are configured as part of a default group called the Branch_Trunk_Group, which enables you to make calls using the FXO trunk ports.

SRX100 Services Gateway Hardware Guide

The output for the show chassis hardware and show chassis hardware detail commands is incorrectly documented for the Routing Engine field. The following table provides details of the guide, section, incorrect output, and corrected output for these commands.

Section	Incorrect Value in the Hardware Guide	Correct Value Displayed in the Command Output
Monitoring the SRX100 Services Gateway Chassis Using the CLI	RE-SRX100-HM	RE-SRX100H
Locating the SRX100 Services Gateway Component Serial Number and Agency Labels	RE-SRX100-HIGHMEM	RE-SRX100H

The “Understanding Built-In Ethernet Ports” section in the SRX100 Services Gateway Hardware Guide erroneously states the following:
The services gateway acts as a DHCP client out of the built-in Ethernet ports. If the services gateway does not find a DHCP server within a few seconds, the device acts as a DHCP server and assigns an IP address as 192.168.1.1/24. With the device temporarily acting as a DHCP server, you can manually configure it with the J-Web interface.
The correct information for this section is as follows: The services gateway acts as a DHCP client on port fe-0/0/0, and ports fe-0/0/1 to fe-0/0/7 act as a DHCP server.
The “Upgrading the SRX100 Services Gateway Low Memory Version to a High Memory Version” section in the SRX100 Services Gateway Hardware Guide is missing the following information:
The SRX100 Services Gateway High Memory model is shipped with the license key.

SRX210 Services Gateway Hardware Guide

Section	Incorrect Value in the Hardware Guide	Correct Value Displayed in the Command Output
Monitoring the SRX210 Services Gateway Chassis Using the CLI	RE-SRX210-LOWMEM	RE-SRX210B
	RE-SRX210-VOICE	RE-SRX210H-P-M
Locating the SRX210 Services Gateway Component Serial Number and Agency Labels	RE-SRX210-LOWMEM	RE-SRX210B

The “Understanding Built-In Ethernet Ports” section in the SRX210 Services Gateway Hardware Guide erroneously states the following:
The services gateway acts as a DHCP client out of the built-in Ethernet ports. If the services gateway does not find a DHCP server within a few seconds, the device acts as a DHCP server and assigns an IP address as 192.168.1.1/24. With the device temporarily acting as a DHCP server, you can manually configure it with the J-Web interface.
The correct information for this section is as follows: The services gateway acts as a DHCP client on port ge-0/0/0 and ports ge-0/0/1 and fe-0/0/2 to fe-0/0/7 act as a DHCP server.
Installing Software Packages—The current SRX210 Services Gateway Hardware Guide does not include the following information:
On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead of the root partition). If Junos OS installation fails as a result of insufficient space:
1. Use the request system storage cleanup command to delete temporary files.
2. Delete any user-created files both in the root partition and under the /var hierarchy.
The following tables list the changes in the factory default settings on the SRX210 Services Gateway with Integrated Convergence Services.
Table 6: Factory Default Settings for the Voice Ports
Port Label
Interface
Extension
Station/Trunk Name
SRX210 Services Gateway with Integrated Convergence Services
FXS1
fxs-0/0/10
3001
3001
FXS2
fxs-0/0/11
3002
3002
FXO1
fxs-0/0/12
—
fxo1
FXO2
fxs-0/0/13
—
fxo2
Table 7: Factory Default Settings for the Dial Plan on the Services Gateways
Call Pattern
Call Type
Call Type Name
911
Emergency
emergency-call
1XXXXXXXXXX
Long distance
long-distance-call
XXXXXXX
Local
local-call
011.
International
international-call
1900.
900 number
900-number
Table 8: Factory Default Settings for the Class of Restriction on the Services Gateways
Call Pattern
Call Type
Allow
Intra-branch
Local
Long distance
Emergency
Deny
International
900 number
Table 9: Factory Default Settings for SIP and Analog Stations on the Services Gateways
By default, templates are available for both SIP and analog stations. For SIP stations, the extension range is 5001 through 5016.
Table 10: Factory Default Settings for Trunk Groups
By default, the Branch_Trunk_Group includes both the FXO ports. The trunks, fxo1 and fxo2, are part of the Branch_Trunk_Group.

Port Label	Interface	Extension	Station/Trunk Name
SRX210 Services Gateway with Integrated Convergence Services
FXS1	fxs-0/0/10	3001	3001
FXS2	fxs-0/0/11	3002	3002
FXO1	fxs-0/0/12	—	fxo1
FXO2	fxs-0/0/13	—	fxo2

Call Pattern	Call Type	Call Type Name
911	Emergency	emergency-call
1XXXXXXXXXX	Long distance	long-distance-call
XXXXXXX	Local	local-call
011.	International	international-call
1900.	900 number	900-number

Call Pattern	Call Type
Allow	Intra-branch
Local
Long distance
Emergency
Deny	International
900 number

SRX240 Services Gateway Hardware Guide

Section	Incorrect Value in the Hardware Guide	Correct Value Displayed in the Command Output
Monitoring the SRX240 Services Gateway Chassis Using the CLI	RE-SRX240-LM	RE-SRX240B
Locating the SRX240 Services Gateway Component Serial Number and Agency Labels	RE-SRX240-POE	RE-SRX240H-POE

The “Understanding Built-In Ethernet Ports” section in the SRX240 Services Gateway Hardware Guide erroneously states the following:
The services gateway acts as a DHCP client out of the built-in Ethernet ports. If the services gateway does not find a DHCP server within a few seconds, the device acts as a DHCP server and assigns an IP address as 192.168.1.1/24. With the device temporarily acting as a DHCP server, you can manually configure it with the J-Web interface.
The correct information for this section is as follows: The services gateway acts as a DHCP client on port ge-0/0/0, and ports ge-0/0/1 to ge-0/0/15 act as a DHCP server.
The “SRX240 Services Gateway (High Memory with DC Power Supply Model) Compliance Statements for Network Equipment Building System (NEBS)” section in the SRX240 Services Gateway Hardware Guide incorrectly states that the battery return connection is to be treated as a Common DC return (DC-C), as defined in GR-1089-CORE.
The guide should state that the battery return connection is to be treated as an Isolated DC return (DC-I), as defined in GR-1089-CORE.
The following tables list the changes in the factory default settings on the SRX240 Services Gateway with Integrated Convergence Services.
Table 11: Factory Default Settings for the Voice Ports
Port Label
Interface
Extension
Station/Trunk Name
SRX240 Services Gateway with Integrated Convergence Services
FXS1
fxs-0/0/17
3001
3001
FXS2
fxs-0/0/18
3002
3002
FXO1
fxs-0/0/19
—
fxo1
FXO2
fxs-0/0/20
—
fxo2
Table 12: Factory Default Settings for the Dial Plan on the Services Gateways
Call Pattern
Call Type
Call Type Name
911
Emergency
emergency-call
1XXXXXXXXXX
Long distance
long-distance-call
XXXXXXX
Local
local-call
011.
International
international-call
1900.
900 number
900-number
Table 13: Factory Default Settings for the Class of Restriction on the Services Gateways
Call Pattern
Call Type
Allow
Intra-branch
Local
Long distance
Emergency
Deny
International
900 number
Table 14: Factory Default Settings for SIP and Analog Stations on the Services Gateways
By default, templates are available for both SIP and analog stations. For SIP stations, the extension range is 5001 through 5016.
Table 15: Factory Default Settings for Trunk Groups
By default, the Branch_Trunk_Group includes both the FXO ports. The trunks, fxo1 and fxo2, are part of the Branch_Trunk_Group.

Port Label	Interface	Extension	Station/Trunk Name
SRX240 Services Gateway with Integrated Convergence Services
FXS1	fxs-0/0/17	3001	3001
FXS2	fxs-0/0/18	3002	3002
FXO1	fxs-0/0/19	—	fxo1
FXO2	fxs-0/0/20	—	fxo2

Call Pattern	Call Type	Call Type Name
911	Emergency	emergency-call
1XXXXXXXXXX	Long distance	long-distance-call
XXXXXXX	Local	local-call
011.	International	international-call
1900.	900 number	900-number

Call Pattern	Call Type
Allow	Intra-branch
Local
Long distance
Emergency
Deny	International
900 number

The SRX240 Services Gateway Hardware Guide is missing information about the following statements and data:

The “SRX240 Services Gateway Site Electrical Wiring Guidelines” section should include the following statement:
For devices with AC power supplies, an external surge protective device (SPD) must be used at the AC power source.

The “General Electrical Safety Guidelines and Warnings” section should include the following statements:

Warning: Use copper conductors only.

Waarschuwing Gebruik alleen koperen geleiders.

Varoitus Käytä vain kuparijohtimia.

Attention Utilisez uniquement des conducteurs en cuivre.

Warnung Verwenden Sie ausschließlich Kupferleiter.

Avvertenza Usate unicamente dei conduttori di rame.

Advarsel Bruk bare kobberledninger.

Aviso Utilize apenas fios condutores de cobre.

¡Atención! Emplee sólo conductores de cobre.

Varning! Använd endast ledare av koppar.

The “Grounding the SRX240 Services Gateway” section should list the following as tools and the parts required for grounding the SRX240 device:
- Grounding cable for your device—The grounding cable must be minimum 14 AWG (2 mm²), minimum 90°C wire, or as permitted by the local code.
- Grounding lug—Ring-type, vinyl-insulated TV14-6R lug or equivalent for your grounding cable.
- Washers and 10-32x.25-in. screws to secure the grounding lug to the protective earthing terminal.
- Phillips (+) screwdrivers, numbers 1 and 2.
The “Grounding the SRX240 Services Gateway” section should include the following information in the grounding instructions step:
Step 6 - Secure the grounding cable lug to the grounding point with the screw. Apply between 6 lb-in. (0.67 Nm) and 8 lb-in. (0.9 Nm) of torque to the screws.
The “SRX240 Services Gateway Installation Safety Guidelines and Warnings” section should specify that the SRX240 Services Gateway can be installed as customer premises equipment (CPE) only.
The “SRX240 Services Gateway (High Memory with DC Power Supply Model) Compliance Statements for Network Equipment Building System (NEBS)” section should specify the following statement:
The battery return connection is to be treated as an Isolated DC return (DC-I), as defined in GR-1089-CORE.
The “SRX240 Services Gateway Installation Instructions Warning’ section in Appendix SRX240 Services Gateway Installation Safety Guidelines and Warnings should specify the following statements:
- Before you make any crimp connections, coat all conductors (frame ground, battery, and battery return) with an appropriate antioxidant compound. Before you connect unplated connectors, braided strap, and bus bars, bring them to a bright finish and coat them with an antioxidant compound. You do not have to prepare tinned, solder-plated, or silver-plated connectors or other plated connection surfaces before connecting them, but make sure such surfaces remain clean and free of contaminants. To provide a permanent low-impedance path, tighten all raceway fittings.
- An electrical conducting path shall exist between the device chassis and the grounding conductor, or between the chassis and the metal surface of the enclosure or rack in which the device is mounted. Electrical continuity shall be provided by the use of thread-forming-type, unit-mounting screws that remove any paint or nonconductive coatings and establish metal-to-metal contact. Any paint or other nonconductive coatings shall be removed on the surfaces between the mounting hardware and the enclosure or rack. The surfaces shall be cleaned and an antioxidant applied before installation.

SRX5600 Services Gateway Hardware Guide

The show chassis environment cb 0 command mentioned in the SRX5600 Services Gateway Hardware Guide has been modified to show chassis environment cb node 0.

Revision 02 of the SRX5600 Services Gateway Hardware Guide, dated April 2009, contains incorrect information regarding base system power requirements in Table 31 on page 216. The correct information is shown in the Table 16:

Table 16: Base System AC Power Requirements

Component	Power Requirement (Watts)
Low-line nonredundant configuration @ 110 V includes three AC power supplies, midplane, craft interface, and the fan tray (running at normal speed)	180 W (approximate)
Low-line redundant configuration @ 110 V includes four AC power supplies, midplane, craft interface, and the fan tray (running at normal speed)	210 W (approximate)
High-line nonredundant configuration @ 220 V includes two AC power supplies, one Routing Engine, one SCB, midplane, craft interface, and the fan tray (running at normal speed)	150 W (approximate)
High-line redundant configuration @ 220 V includes four AC power supplies, midplane, craft interface, and the fan tray (running at normal speed)	210 W (approximate)

SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide

The SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide erroneously lists the maximum MTU (bytes) for the Serial Mini-PIM as 1504. The correct value for this section is 2000.
The “DOCSIS Mini-Physical Interface Module” chapter in the SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide erroneously states that the EuroDOCSIS 3.0 and the DOCSIS J (Japan) models of the DOCSIS Mini-PIM are supported. The guide should state that only the DOCSIS 3.0 U.S. model of the DOCSIS Mini-PIM is supported.