ReleaseNotes: Junos®OSRelease 13.3R10
for the EX Series, M Series, MX Series,
PTX Series, and T Series
24 January 2017
Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Junos OS Release Notes for EX Series Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
High Availability and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authentication and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Infrastructure and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Layer 3 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Resolved Issues: Release 13.3R10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Resolved Issues: Release 13.3R9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Resolved Issues: Release 13.3R8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1Copyright © 2017, Juniper Networks, Inc.
Resolved Issues: Release 13.3R7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Resolved Issues: Release 13.3R6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Resolved Issues: Release 13.3R5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Resolved Issues: Release 13.3R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Resolved Issues: Release 13.3R3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Resolved Issues: Release 13.3R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . . 24
Upgrade and Downgrade Support Policy for Junos OS Releases . . . . . . 24
Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D
Universal Edge Routers, and T Series Core Routers . . . . . . . . . . . . . . . . . . . . . 26
New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Authentication, Authorization, and Accounting (AAA) (RADIUS) . . . . . . 35
Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Layer 2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
OpenFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Subscriber Management and Services (MX Series) . . . . . . . . . . . . . . . . 54
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Authentication Authorization and Accounting . . . . . . . . . . . . . . . . . . . . . 62
High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Junos OS XML API and Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Routing Policy and Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Copyright © 2017, Juniper Networks, Inc.2
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Subscriber Management and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Subscriber Management and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Forwarding and Sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Layer 2 Ethernet Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Layer 2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Multiprotocol Label Switching (MPLS) . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Platform and Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Services Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Resolved Issues: Release 13.3R10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Resolved Issues: Release 13.3R9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Resolved Issues: Release 13.3R8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Resolved Issues: Release 13.3R7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Resolved Issues: Release 13.3R6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Resolved Issues: Release 13.3R5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Resolved Issues: Release 13.3R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Resolved Issues: Release 13.3R3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Resolved Issues: Release 13.3R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Adaptive Services Interfaces Feature Guide for Routing Devices . . . . . . 218
Aggregated Ethernet Interfaces Feature Guide for Routing Devices . . . 218
Broadband Subscriber VLANs and Interfaces Feature Guide . . . . . . . . . 221
Chassis-Level Feature Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Class of Service Library for Routing Devices . . . . . . . . . . . . . . . . . . . . . . 222
Dynamic Firewall Feature Guide for Subscriber Services . . . . . . . . . . . . 222
Ethernet Interfaces Feature Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Ethernet Networking Feature Guide for MX Series Routers . . . . . . . . . . 224
Firewall Filters Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . 226
3Copyright © 2017, Juniper Networks, Inc.
High Availability Feature Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Interchassis Redundancy Using Virtual Chassis Feature Guide for MX
Series Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Interfaces Feature Guide for Subscriber Management . . . . . . . . . . . . . . 227
Junos Address-Aware Carrier-Grade NAT and IPv6 Feature Guide . . . . 227
Junos OS High Availability Feature Guide for Routing Devices . . . . . . . 228
Layer 2 Configuration Guide, Bridging, Address Learning, and
Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Layer 2 VPNs Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . 229
Monitoring, Sampling, andCollectionServices InterfacesFeatureGuide
for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
MPLS Applications Feature Guide for Routing Devices . . . . . . . . . . . . . 229
Network Management Administration Guide for Routing Devices . . . . 230
Overview for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Release Notes: Junos OSRelease 13.3R1 for the EX Series, M Series, MX
Series, PTX Series, and T Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Services Interfaces Configuration Guide . . . . . . . . . . . . . . . . . . . . . . . . . 231
Services Interfaces Overview for Routing Devices . . . . . . . . . . . . . . . . . 236
Standards Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Subscriber Management Access Network Guide . . . . . . . . . . . . . . . . . . 237
Subscriber Management Feature Guide . . . . . . . . . . . . . . . . . . . . . . . . . 238
Subscriber Management Provisioning Guide . . . . . . . . . . . . . . . . . . . . . 239
System Log Messages Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
System Services Administration Guide for Routing Devices . . . . . . . . . . 241
Tunnel and Encryption Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . 241
User Access and Authentication Guide for Routing Devices . . . . . . . . . . 241
VPLS Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . 241
VPNs Library for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
VPWS Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . 242
Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . 242
Basic Procedure for Upgrading to Release 13.3 . . . . . . . . . . . . . . . . . . . . 243
Upgrade and Downgrade Support Policy for Junos OS Releases . . . . . 245
Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 245
Upgrading Juniper Network Routers Running Draft-Rosen Multicast
VPN to Junos OS Release 10.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Upgrading the Software for a Routing Matrix . . . . . . . . . . . . . . . . . . . . . 247
Upgrading Using Unified ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled
for Both PIM and NSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Downgrading from Release 13.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Changes Planned for Future Releases . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Junos OS Release Notes for PTX Series Packet Transport Routers . . . . . . . . . . . 252
New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Class of Service (CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Copyright © 2017, Juniper Networks, Inc.4
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Software Installation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Changes in Behavior and Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
High Availability (HA) and Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Network Management and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . 260
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
User Interface and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Known Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
General Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Interfaces and Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
MPLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Resolved Issues: Release 13.3R10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Resolved Issues: Release 13.3R9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Resolved Issues: Release 13.3R8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Resolved Issues: Release 13.3R7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Resolved Issues: Release 13.3R6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Resolved Issues: Release 13.3R5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Resolved Issues: Release 13.3R4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Resolved Issues: Release 13.3R3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Resolved Issues: Release 13.3R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Network Management Administration Guide for Routing Devices . . . . 278
VPWS Feature Guide for Routing Devices . . . . . . . . . . . . . . . . . . . . . . . 278
Migration, Upgrade, and Downgrade Instructions . . . . . . . . . . . . . . . . . . . . . 279
Upgrading Using Unified ISSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Upgrading a Router with Redundant Routing Engines . . . . . . . . . . . . . . 279
Basic Procedure for Upgrading to Release 13.3 . . . . . . . . . . . . . . . . . . . . 279
Product Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Hardware Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Third-Party Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Finding More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
5Copyright © 2017, Juniper Networks, Inc.
Introduction
Junos OS runs on the following Juniper Networks®hardware: ACX Series, EX Series, J
Series,MSeries,MXSeries, PTXSeries,QFabric systems,QFXSeries, SRXSeries, TSeries
and Junos Fusion.
These release notes accompany Junos OS Release 13.3R10 for the EX Series, M Series,
MXSeries,PTXSeries, andTSeries.Theydescribenewandchanged features, limitations,
and known and resolved problems in the hardware and software.
Junos OS Release Notes for EX Series Switches
These releasenotesaccompany JunosOSRelease 13.3R10 for theEXSeries.Theydescribe
newandchanged features, limitations, andknownand resolvedproblems in thehardware
and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
• New and Changed Features on page 6
• Changes in Behavior and Syntax on page 8
• Known Behavior on page 11
• Known Issues on page 14
• Resolved Issues on page 14
• Documentation Updates on page 23
• Migration, Upgrade, and Downgrade Instructions on page 24
• Product Compatibility on page 24
New and Changed Features
This section describes the new features and enhancements to existing features in Junos
OS Release 13.3R10 for the EX Series.
• Hardware
• Infrastructure
• Multicast
• NetworkManagement andMonitoring
• OpenFlow
Copyright © 2017, Juniper Networks, Inc.6
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Hardware
• Extended cablemanager for EX9214 switches—An extended cable manager is nowavailable for EX9214 switches. The extended cable manager enables you to route
cables away from the front of the line cards and Switch Fabric modules and provides
easier access to the switch than the standard cable manager. To obtain the extended
cablemanager, order theMX960EnhancedCableManager,ECM-MX960. (Installation
of the extended cable manager must be done by a technician authorized by Juniper
Networks and that the service cost is in addition to the component cost.)
[SeeMX960 Cable Manager Description.]
Infrastructure
• Support for IPv6 for TACACS+ authentication (EX9200)—Starting with Junos OSRelease 13.3, Junos OS supports IPv6 along with the existing IPv4 support for user
authentication using TACACS+ servers.
Multicast
• MLD snooping on EX9200 switches—Starting with Junos OS Release 13.3, EX9200switchessupportMulticastListenerDiscovery(MLD)snooping.MLDsnoopingconstrains
the flooding of IPv6multicast traffic on VLANs on a switch. When MLD snooping is
enabled on aVLAN, the switch examinesMLDmessages between hosts andmulticast
routers and learns which hosts are interested in receiving traffic for a multicast group.
Based on what it learns, the switch then forwards multicast traffic only to those
interfaces in the VLAN that are connected to interested receivers instead of flooding
the traffic to all interfaces. You configure MLD snooping at either the [edit protocols]
hierarchy level or the [edit routing-instances routing-instance-nameprotocols]hierarchy
level.
[SeeUnderstanding MLD Snooping.]
NetworkManagement andMonitoring
• sFlowtechnologyonEX9200switches—Startingwith JunosOSRelease 13.3,EX9200switches support sFlow technology, a monitoring technology for high-speed switched
or routed networks. The sFlowmonitoring technology randomly samples network
packets and sends the samples to amonitoring station. You can configure sFlow
technology on an EX9200 switch to continuously monitor traffic at wire speed on all
interfaces simultaneously. The sFlow technology is configured at the [edit protocols
sflow] hierarchy level.
[SeeUnderstandingHowtoUsesFlowTechnology forNetworkMonitoringonanEXSeries
Switch.]
7Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
OpenFlow
• Support for OpenFlow v1.0—Starting with Junos OS Release 13.3, EX9200 switchessupport OpenFlow v1.0. You use the OpenFlow remote controller to control traffic in
an existing network by adding, deleting, andmodifying flows on switches. You can
configure oneOpenFlow virtual switch and one activeOpenFlow controller at the [edit
protocols openflow] hierarchy level on each device running Junos OS that supports
OpenFlow.
[See Understanding Support for OpenFlow on Devices Running Junos OS.]
RelatedDocumentation
Changes in Behavior and Syntax on page 8•
• Known Behavior on page 11
• Known Issues on page 14
• Resolved Issues on page 14
• Documentation Updates on page 23
• Migration, Upgrade, and Downgrade Instructions on page 24
• Product Compatibility on page 24
Changes in Behavior and Syntax
This section lists the changes in behavior of JunosOS features and changes in the syntax
of JunosOSstatementsandcommands fromJunosOSRelease 13.3R10 for theEXSeries.
• Dynamic Host Configuration Protocol
• High Availability and Resiliency on page 9
• Interfaces and Chassis on page 9
• Network Management and Monitoring on page 10
• User Interface and Configuration on page 10
Copyright © 2017, Juniper Networks, Inc.8
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Dynamic Host Configuration Protocol
• DHCPclientscansendpacketswithoutOption255(EX9200)—OnEX9200switches,starting with Junos OS Release 13.3R5, you can override the DHCP relay agent default
configurationandenableclients to sendDHCPpacketswithoutOption255.Thedefault
behavior in Junos OS is to drop packets that do not include Option 255. To override
that default behavior, configure the allow-no-end-options CLI statement under the
[edit forwarding-options dhcp-relay overrides] hierarchy level.
You can also override the DHCP local server configuration and enable clients to send
DHCPpacketswithoutOption 255 (end-of-options). The default behavior in JunosOS
is to drop packets that do not include Option 255. To override that default behavior,
configure the allow-no-end-options statement under the [system services
dhcp-local-server overrides] hierarchy level.
High Availability and Resiliency
• New redundancy failover CLI statement (EX Series)—Starting in Junos OS Release13.3R6, the chassis redundancy failover not-on-disk-underperform statement prevents
gstatd from causing failovers in the case of slow disks on the Routing Engine.
[See not-on-disk-underperform and Preventing Graceful Restart in the Case of Slow
Disks.]
Interfaces and Chassis
• Direct ARP entries to the correct next-hop interface in anMC-LAG scenario—OnEX9200 switches, the arp-l2-validate statement provides a workaround for issues
related to MAC and ARP entries going out of sync in an MC-LAG scenario. Use the
commandtocorrectmismatchesbetweenMACandARPentries related to thenext-hop
interface.
• Additional options for the request support information command—On EX9200switches, the following CLI commands have been added to the output of the request
support information CLI command:
• show ethernet-switching interface detail
• show ethernet-switching table
• show spanning-tree bridge detail
• show spanning-tree interface
• show vlans extensive
• show vrrp summary
9Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
NetworkManagement andMonitoring
• New system logmessage indicating the difference in the Packet Forwarding Enginecounter value (EX9200)—Effective in Junos OS Release 13.3R4, if the counter valueof a Packet Forwarding Engine is reported lesser than its previous value, then the
residual counter value isadded to thenewly reportedvalueonly for that specific counter.
In that case, the CLI shows theMIB2D_COUNTER_DECREASING system logmessage
for that specific counter.
User Interface and Configuration
• Change in the show version command output on EX9200 switches—Starting withJunosOSRelease 13.3, the showversion command output includes the Junos field that
displays the Junos OS version running on the switch. This new field is in addition to the
existing field in the showversion command that displays a list of installed subpackages
running on the switch that display the JunosOSversion number of those subpackages.
The new field provides a consistentmeans of identifying the JunosOS version, instead
of extracting that information from the list of installed subpackages.
In Junos OS Release 13.2 and earlier, the show version command does not have the
Junos field in the output that displays the Junos OS version running on the device as
shown in the following samples. The only way to determine the Junos OS version
running on the device is to review the list of installed subpackages.
Junos OS Release 13.3 and Later ReleasesWith the JunosField
Junos OS Release 13.2 and Earlier ReleasesWithout theJunos Field
user@switch> show versionHostname: lab Model: ex9208 Junos: 13.3R1.4JUNOS Base OS boot [13.3R1.4] JUNOS Base OS Software Suite [13.3R1.4] JUNOS Kernel Software Suite [13.3R1.4]JUNOS Crypto Software Suite [13.3R1.4]...
user@switch> show versionHostname: lab Model: ex9208 JUNOS Base OS boot [12.3R2.5]JUNOS Base OS Software Suite [12.3R2.5]JUNOS Kernel Software Suite [12.3R2.5]JUNOS Crypto Software Suite [12.3R2.5]...
[See show version.]
• User-defined identifiersusingthereservedprefix junos-nowcorrectlycauseacommiterror in theCLI—JunosOS reserves theprefix junos- for the identifiers of configurationsdefinedwithin the junos-defaults configuration group. User-defined identifiers cannot
start with the string junos-. Starting with Junos OS Release 13.3, if you configure
user-defined identifiers using the reserved prefix through a NETCONF or Junos XML
protocol session, the commit correctly fails. In releases earlier than Junos OS Release
13.3, if you configured user-defined identifiers through theCLI using the reservedprefix,
the commit incorrectly succeeds. Junos OS Release 13.3R1 and later releases now
exhibit the correct behavior. Configurations that currently contain the reserved prefix
for user-defined identifiers other than junos-defaults configuration group identifiers
now correctly results in a commit error in the CLI.
Copyright © 2017, Juniper Networks, Inc.10
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Configuring regularexpressions(EX9200)—Inall supported JunosOSreleases, regularexpressions can no longer be configured if they require more than 64MB of memory
or more than 256 recursions for parsing.
This change in the behavior of Junos OS is in line with the FreeBSD limit. The change
wasmade in response to a known consumption vulnerability that enables an attacker
to cause a denial-of-service attack (resource exhaustion) by using regular expressions
containing adjacent repetition operators or adjacent bounded repetitions. Junos OS
uses regular expressions in several placeswithin theCLI. Exploitationof this vulnerability
can cause the Routing Engine to crash, leading to a partial denial of service. Repeated
exploitation can result in an extendedpartial outageof services providedby the routing
protocol process (rpd).
RelatedDocumentation
New and Changed Features on page 6•
• Known Behavior on page 11
• Known Issues on page 14
• Resolved Issues on page 14
• Documentation Updates on page 23
• Migration, Upgrade, and Downgrade Instructions on page 24
• Product Compatibility on page 24
Known Behavior
This section lists known behaviors, systemmaximums, and limitations in hardware and
software in Junos OS Release 13.3R10 for the EX Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
• Authentication and Access Control
• High Availability (HA) and Resiliency
• Infrastructure and Chassis
• Interfaces and Chassis
• Layer 3 Features
• Multicast
• NetworkManagement andMonitoring
• OpenFlow
11Copyright © 2017, Juniper Networks, Inc.
Known Behavior
Authentication and Access Control
• DHCP relay might not work as expected even if an EX9200 switch is configured for
DHCP relay, if an IRB interface walks through a Layer 2 trunk interface and the
corresponding DHCP relay is configured in a routing instance, or if you deactivate or
activate (or deleteor add)ahierarchy that containsaDHCP relay-relatedconfiguration.
As a workaround, restart DHCP services after youmake any configuration changes
that are related to DHCP. PR935155
High Availability (HA) and Resiliency
• On EX9200 switches, during a unified ISSU, BGP and Layer 3 multicast traffic might
be dropped for approximately 30 seconds. PR1116299
Infrastructure and Chassis
• On EX9200 switches, in a Layer 2 environment, transit packets of size 1514 MTU or
moremight be dropped silentlywhen the packets exit a trunk interface forwhichVLAN
tagging or flexible VLAN tagging is not enabled. PR960638
• On EX9200 switches that are running any of the following images, if more than 1000
DHCP clients send DHCP requests and if the licensing grace period (30 days) expires,
new clients are not added:
• Junos OS Release 13.2R5 or earlier images
• Release 13.3R4 or earlier images
• Release 14.1R3 or earlier images
• Release 14.2R1 or earlier images
As a workaround, install an image from the following list and include the [--format]
option when you run the loader> install command, like this:
loader> install --format file:///junos-package-name
• Release 13.2R6 or later images
• Release 13.3R5 or later images
• Release 14.1R4 or later images
• Release 14.2R2 or later images
See KB20643 for details about using the loader install [--format] command.
Note that if you install the later imagebut do not include the [--format]option, an error
message such as the following appears: LICENSE_GRACE_PERIOD_EXPIRED: License
grace period for feature scale-subscriber(44) has expired. Ignore the error message; it
has no functional impact. PR1071594
Interfaces and Chassis
• On EX9200 switches, an LLDP neighbor might not be formed for Layer 3-tagged
interfaces even though peer switches are able to form the neighbor. PR848721
Copyright © 2017, Juniper Networks, Inc.12
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• OnEX9200switches, if a 100-gigabit interface is configuredaspart of a linkaggregation
group (LAG), committing any configuration changemight cause the interface to flap.
PR1065512
Layer 3 Features
• On EX9200 switches, BFD on IRB interfaces flaps if BFD is configured for subsecond
timers. PR844951
• On EX9200 switches, analyzer configurations with analyzer input and output stanzas
containingmembersof the sameVLANor theVLAN itself arenot supported.With such
configurations, packets canmirror ina loop, resulting inLUchiperrors.Asaworkaround,
use themirror-once option if the input is for ingress mirroring. If it is for ingress and
egress mirroring, configure the output interface as an access interface. PR1068405
Multicast
• If you configure a large number of PIM source-specific multicast (SSM) groups on an
EX9200switch, the switchmight experienceperiodic IPv6 traffic loss. Asaworkaround,
configure the pim-join-prune-timeout value on the last-hop router as 250 seconds.
PR853586
NetworkManagement andMonitoring
• On EX9200 switches, the interface index value is incorrectly displayed as 0 on the
sFlow collector. PR1083226
OpenFlow
• OnEX9200switches, aBGPsessionmight flapwhenanOpenFlow interface is receiving
line-rate traffic and the traffic is notmatching any rule, and therefore thedefault action
of packet-in is applied. PR892310
• OnEX9200switches, configurationofa firewall filteronanOpenFlow-enabled interface
is not supported.
• OnEX9200 switches,minormemory leaksmight occur if you add anddelete the same
multi-VLAN flow on the order of 100,000 such add and delete operations. PR905620
RelatedDocumentation
New and Changed Features on page 6•
• Changes in Behavior and Syntax on page 8
• Known Issues on page 14
• Resolved Issues on page 14
• Documentation Updates on page 23
• Migration, Upgrade, and Downgrade Instructions on page 24
• Product Compatibility on page 24
13Copyright © 2017, Juniper Networks, Inc.
Known Behavior
Known Issues
This section lists the known issues in hardware and software in JunosOSRelease 13.3R10
for the EX Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
• Platform and Infrastructure
Platform and Infrastructure
• Themgd daemonmight crash after a load replace command in a configuration that
is not properly formatted.
For example:
root# load replace xxx.conferror: session failure: unexpected terminationerror: remote side unexpectedly closed connection
The incorrect configuration format is as follows:
/* annotating */delete: statement;
The correct configuration format should be as follows:
delete: statement;/* annotating */
PR1064036
RelatedDocumentation
New and Changed Features on page 6•
• Changes in Behavior and Syntax on page 8
• Known Behavior on page 11
• Resolved Issues on page 14
• Documentation Updates on page 23
• Migration, Upgrade, and Downgrade Instructions on page 24
• Product Compatibility on page 24
Resolved Issues
This section lists the issues fixed in the Junos OS Release 13.3 main release and the
maintenance releases.
For the most complete and latest information about known Junos OS defects, use the
Juniper online Junos Problem Report Search application.
• Resolved Issues: Release 13.3R10 on page 15
• Resolved Issues: Release 13.3R9 on page 15
Copyright © 2017, Juniper Networks, Inc.14
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Resolved Issues: Release 13.3R8 on page 16
• Resolved Issues: Release 13.3R7 on page 16
• Resolved Issues: Release 13.3R6 on page 18
• Resolved Issues: Release 13.3R5 on page 18
• Resolved Issues: Release 13.3R4 on page 19
• Resolved Issues: Release 13.3R3 on page 20
• Resolved Issues: Release 13.3R2 on page 21
Resolved Issues: Release 13.3R10
• Infrastructure
• NetworkManagement andMonitoring
Infrastructure
• On EX9200 switches, the routing process (rpd) might continuously crash while
processing an (S,G) entry if that entry has beenmistakenly deleted. PR942561
• On EX9200 switches, attempts by line cards tomake unnecessary connections to the
Routing Engine might generate continuous debugging-level log messages, which
consume system resources. PR1113309
Network Management andMonitoring
• OnEX9200switches, even if youconfigureanegress sampling rate for sFlowmonitoring
technology, the switch uses the ingress sampling rate instead. PR686002
Resolved Issues: Release 13.3R9
• Authentication and Access Control
• Platform and Infrastructure
Authentication and Access Control
• On an EX Series switch acting as a DHCPv6 server, the server does not send a Reply
packet after receiving a Confirm packet from the client; the behavior is not compliant
with the RFC 3315 standard. PR1025019
Platform and Infrastructure
• On EX9200 switches, after the show version detail command is executed, the syslog
message UI_OPEN_TIMEOUT: Timeout connecting to peermight appear. This message
is cosmetic only; you can ignore this message. PR895320
• On an EX9200-2C-8XS line card, when the flow-detection feature is enabled under
the [edit system ddos-protection] hierarchy, if suspicious control flows are received,
two issues might occur on the switch:
• The suspicious control flowmight not be detected on the line card.
• After suspicious control flows are detected, theymight never time out, even if traffic
flows no longer violate control parameters.
15Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
PR1102997
Resolved Issues: Release 13.3R8
• Dynamic Host Configuration Protocol
• Infrastructure and Chassis
• NetworkManagement andMonitoring
Dynamic Host Configuration Protocol
• On EX9200 switches with DHCPv6 snooping configured, the enterprise ID field of the
DHCPv6 relay message is converted to hexadecimal format and encoded as a text
string when used as the value for the remote ID (DHCPv6 Option 37). This results in
an incorrect value for the enterprise ID. PR1052956
Infrastructure and Chassis
• On EX9200 switches, if you configure DHCP relaywith the DHCP server and the DHCP
client in separate routing instances, unicast DHCP reply packets (for example, a DHCP
ACK in response to a DHCP RENEW)might be dropped. PR1079980
Network Management andMonitoring
• On EX9200 switches, if you configure an invalid SNMP source address, SNMP traps
might not be sent even after you change the SNMP source address to a valid interface
address. PR1099802
Resolved Issues: Release 13.3R7
• Authentication and Access Control
• Dynamic Host Configuration Protocol
• Interfaces and Platform
• Software Installation and Upgrade
Copyright © 2017, Juniper Networks, Inc.16
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Authentication and Access Control
• OnEX9200 switches, when clients are authenticatedwith dynamic VLANassignment
onan802.1X-enabled interface, disabling802.1Xauthenticationon the interfacemight
cause the Layer 2 address learning daemon (l2ald) to generate a core file. PR1064491
Dynamic Host Configuration Protocol
• On EX9200 switches, when DHCP relay is configured using the forward-only and
forward-only-replies statements at the [edit forwarding-options dhcp-relay] hierarchy
level, if the DHCP local server is also configured with the forward-snooped-clients
statement at the [edit system services dhcp-local-server] hierarchy level, the
configuration for forward-snooped-clients takes precedence over the configuration for
forward-only and forward-only-replies. As a result, DHCPmessage exchange between
VRFsmight not work as expected. PR1077016
Interfaces and Platform
• OnEX9200switches, the showethernet-switching tablevlan-namevlan-name | display
xmlCLI commanddoesnothave thevlan-nameattribute in the<l2ng-l2ald-rtb-macdb>
xml tag. PR955910
• OnEX9200switches,when theswitch receivesLACPcontrolpackets froman interface
other than an aggregated Ethernet (AE) interface, it forwards the packets, causing
LACP peer devices that receive the packets to reset the LACP connections. This might
cause continuous flaps on all aggregated or multichassis aggregated Ethernet
interfaces. PR1034917
• OnEX9200 switches, a process that failsmultiple times in a short period of timemight
not generate a core file. PR1058192
• On EX9200 switches, the Dynamic Host Configuration Protocol (DHCP) relay feature,
which enables the client interface and the server interface to be in separate virtual
routing and forwarding (VRF) instances, does not work when the client interface has
been configured as an integrated routing and bridging (IRB) interface. PR1064889
• On EX9200 switches, the CLI command set interfaces interface-name speed
auto-10m-100m is not supported. PR1077020
• On EX9200 switches, if you configure a virtual private LAN service (VPLS), no
label-switched interface (LSI) belongs to a VLAN even though the VPLS connection
is in theUP state, and traffic does not flood to an LSI. As aworkaround, configure VPLS
on the routing instance rather than on the virtual-switch instance. PR1083561
• On EX9200 switches, when you add a VLAN on an existing virtual-switch instance for
virtual private LAN service (VPLS), the label-switched interface (LSI) might not be
associated with the new VLAN. PR1088541
17Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Software Installation and Upgrade
• Because of a software defect in Junos OS Release 13.3R7.3, we strongly discourage
the use of Release 13.3R7.3 on switches that contain EX9200-40T and EX9200-40F
line cards. PR1108826
Resolved Issues: Release 13.3R6
• Layer 2 Features
• Routing Protocols
• Spanning-Tree Protocols
Layer 2 Features
• OnEX9200switches, ifMVRP is configuredon the aggregatedEthernet (AE) interface,
MVRPmight become unstable when the CLI command no-attribute-length-in-pdu is
configured. PR1053664
Routing Protocols
• On EX9200 switches on which virtual private LAN service (VPLS) is enabled, if the
interfaces on the CE belong to multiple FPCs, when the links between the PE device
and the CE device flap, or when the administrator clears the VPLSMAC table, traffic
might keep flooding in the VPLS routing-instance for more than 2 seconds during the
MAC learning phase. PR1031791
Spanning-Tree Protocols
• On EX9200 switches running the VLAN Spanning Tree Protocol (VSTP), incoming
BPDUsmightnotbe included in theoutputof the showspanning-treestatistics interface
command. PR847405
Resolved Issues: Release 13.3R5
• Dynamic Host Configuration Protocol (DHCP)
• Infrastructure
• Interfaces and Chassis
Dynamic Host Configuration Protocol (DHCP)
• OnEX9200switches,DynamicHostConfigurationProtocol (DHCP) relay functionality
might stop working and DHCP does not form new bindings when the number of
subscribers exceeds 1000 due to license restrictions. PR1033921
Infrastructure
• On EX9200 switches, when apply-groups is used in the configuration, the expansion
of interfaces <*> apply-groups is done against all interfaces during the configuration
validation process, even if apply-groups is configured only under a specific interface
stanza. This does not affect the configuration—if the configuration validation passes,
the apply-groups are expanded correctly only against the interfaces for which
apply-groups is configured. PR967233
Copyright © 2017, Juniper Networks, Inc.18
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• On EX9200 switches, if the disable-logging option is the only option configured at the
[edit system ddos-protection global] hierarchy level, and this option is deleted, the
kernel might generate a core file. PR1014219
• On EX9200 switches, if the switch receives an ARP packet when the Forwarding
Information Base (FIB) has exceeded the limit of 262,144 routes, the kernel might
generate a core file. PR1028714
Interfaces and Chassis
• On EX9200 switches, in an MC-LAG scenario, a MAC address might incorrectly point
to an interchassis control link (ICL) after a MACmove from a single-home LAG to the
MC-LAG. PR1034347
Resolved Issues: Release 13.3R4
• Dynamic Host Configuration Protocol (DHCP)
• Multicast
• Platform and Infrastructure
• Routing Protocols
Dynamic Host Configuration Protocol (DHCP)
• On an EX9200 switch acting as a DHCP relay agent, DHCP_ACKmessages sent from
a DHCP server might not be forwarded to the client if the server identifier in the DHCP
packet is different from that in the DHCP relay agent’s binding table. PR994735
Multicast
• On EX9200 switches that are configured in a multicast scenario with PIM enabled, an
(S,G) discard route might stop programming if the switch receives resolve requests
from an incorrect reverse-path-forwarding (RPF) interface. After this issue occurs, the
(S,G) state might not be updated when the switch receives multicast traffic from the
correct RPF interfaces, andmulticast traffic might be dropped. PR1011098
Platform and Infrastructure
• On EX9200 switches, the interface alias feature might not work as expected and
interfaces might go up and down after commit. PR981249
• Onan EX9200 switch, if the underlying Layer 2 interface of an IRB interface is changed
from accessmode to trunkmode and bi-directional traffic is sent from an interface on
the same switch that has been changed from IRB over Layer 2 to Layer 3 mode, the
Layer 3 traffic toward the IRB interface might be dropped and PPE thread timeout
errors might be displayed. PR995845
19Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Routing Protocols
• On an EX9200 switch with an IGMP configuration in which two receivers are joined to
the same (S,G) and IGMP immediate-leave is configured, when one of the receivers
sends a leavemessage for the (S,G), the other receiver might not receive traffic for 1-2
minutes. PR979936
Resolved Issues: Release 13.3R3
• Authentication and Access Control
• Bridging and Learning
• Dynamic Host Configuration Protocol
• Interfaces and Chassis
• OpenFlow
• Platform and Infrastructure
• Routing Protocols
• Software Installation and Upgrade
• Spanning-Tree Protocols
Authentication and Access Control
• On an EX Series switch that has both 802.1X authentication (dot1x) and a dynamic
firewall filter enabled,when the server-timeout value is set toa short time (for example,
3 seconds) and a large number of clients try to authenticate simultaneously, a delay
success authentication successmessagemight be received on the switch because of
a RADIUS server timeout. This might cause the firewall filter to corrupt the interfaces
on which the authentication attempts were made, because of which client
authentications might fail. As a workaround, configure a server-timeout value that is
greater than 30 seconds. PR967922
Bridging and Learning
• OnEX9200 switches onwhich a native VLAN is configured on a link aggregation group
(LAG), if the native VLAN is changed, for example, if the native VLAN ID is changed or
if the native VLAN is disabled, a packet forwarding engine thread timeout might occur
and LU chip error messages might be displayed. Traffic might be affected. PR993080
Dynamic Host Configuration Protocol
• OnEX9200switches thatare configuredasaDHCP relayor server over an IRB interface,
the relay and server binding tables might incorrectly display the name of the IRB
interfaceas thenameof thephysical interface. Youcanuse the showdhcp relaybinding
detail and show dhcp server binding detail commands to display the correct name of
the physical interface. PR972346
• On an EX9200 switch where a binding already exists for a client, if the client sends a
DHCPdiscovermessage, the switchmight not relay DHCPoffers fromany server other
than the server used to establish the existing binding. PR974963
Copyright © 2017, Juniper Networks, Inc.20
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Interfaces and Chassis
• On EX9200 switches, the configuration statementmcae-mac-flush is not available in
the CLI; it is missing from the [edit vlans] hierarchy level. PR984393
• OnEX9200switches thathavemultichassis linkaggregationgroup(MC-LAG) interfaces
configured by using themac-rewrite statement, the Layer 2 address learning process
(l2ald) might crash, creating a core file. PR997978
OpenFlow
• OpenFlow v1.0 running on an EX9200 switch does not respond reliably to interface up
or down events within a specified time interval. Per a fix implemented in Junos OS
Release 13.3R3.6, OpenFlow v1.0 running on an EX9200 switch responds reliably to
interface up or down events if the echo interval timeout is set to 11 seconds or more.
PR989308
Platform and Infrastructure
• On an EX9200 switch working as a DHCP server, when you delete an IRB interface or
change the VLAN ID of a VLAN corresponding to an IRB interface, the DHCP process
(jdhcpd) might create a core file after a commit because a stale interface entry in the
jdhcpd database has been accessed. PR979565
Routing Protocols
• On EX9200 switches with IGMP snooping enabled on an IRB interface, some transit
TCP packets might be treated as IGMP packets, causing packets to be dropped.
PR979671
Software Installation and Upgrade
• Whenyouareupgrading JunosOSonanEX9200switch, the followingwarningmessage
might be displayed: Could not open requirements file for jroute-ex:
/etc/db/pkg/jroute-ex/+REQUIRE. You can ignore this message. PR924106
Spanning-Tree Protocols
• On EX9200 switches, the MSTI identifier range for MSTP is limited to 1 through 64
while it should be 1 through 4094. PR846878
Resolved Issues: Release 13.3R2
• Bridging and Learning
• Dynamic Host Configuration Protocol
• Infrastructure
• Interfaces and Chassis
• Virtual Chassis
21Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Bridging and Learning
• On EX9200 switches, trunk configuration [edit interface interface-name unit 0 family
ethernet-switching interface-mode trunk]might not work as expected, causing traffic
loss. PR963175
Dynamic Host Configuration Protocol
• On an EX9200 switch that is configured for DHCP relay, with the switch acting as the
DHCPrelayagent, theswitchmightnotbeable to relaybroadcastDHCP informpackets,
which are used by the client to getmore information from theDHCP server.PR946038
• On EX9200 switches with Dynamic Host Configuration Protocol (DHCP) relay
configured, permanent Address Resolution Protocol (ARP) entries for relay clients are
installed. When the client is reachable by means of a different preferred path (due to
STP topology changes or MC-LAG changes and so on), the forwarding state is not
refreshed. This might cause packets to be dropped until the relay binding is cleared.
PR961479
• OnanEX9200switch thatworksasaDHCP relayagent, if the switch receivesbroadcast
DHCPACKpackets sentbyanotherDHCPrelay switch, thosepacketsmightbedropped
until the DHCPmax-hop limit is reached. PR961520
Infrastructure
• OnEX9200 switcheswith an EX9200-32XS line card or an EX9200-2C-8XS line card,
10-gigabit ports on the line card might stay offline if a link flaps or an SFP+ is inserted
after the links have been up for more than 3months. PR905589
• On an EX Series Virtual Chassis that is configured for DHCP services and configured
with a DHCP server, when a client sends DHCP INFORM packets and then the same
client sends the DHCP RELEASE packet, an IP address conflict might result because
the same IP address has been assigned to two clients. As a workaround:
• 1. Clear the binding table:
user@switch> clear system services dhcp binding
• 2. Restart the DHCP service:
user@switch> restart dhcp
PR953586
• On an EX9200 switch, when the SNMPmib2d daemon polls system statistics from
the kernel, the kernel might cause amemory leak (mbuf leak), which in turn might
cause packets such as ARP packets to be dropped at the kernel. PR953664
• On an EX9200 switch with scaled ARP entries (for example, 48K entries), in a normal
state, an ARP entry's current timemust be less than the expiry time. However, some
events might cause the current time to be greater than the expiry time, which then
leads to the ARP entry being flushed, resulting in connectivity issues. A possible trigger
event might be an Inter-Chassis Link flap in a multichassis link aggregation group
scenario. PR963588
Copyright © 2017, Juniper Networks, Inc.22
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Interfaces and Chassis
• OnEX9200 switches, an inter-IRB routemight notwork if Q-in-Q tunneling is enabled,
because theTPID (0x9100) is not setonegressdual-taggedpackets, andotherdevices
that receive these untagged packets might drop them. PR942124
• On an EX Series switch, if you remove an SFP+ and then add it back or reboot the
switch, and the corresponding disabled 10-gigabit interface is amember of a LAG, the
link on that port might be activated. PR947683
Virtual Chassis
• OnEX9200Virtual Chassis, the showvirtual-chassis vc-portcommand showsa resync
flag as part of the Status column of the command. The resync flag indicates the
forwarding readinessof thePacket ForwardingEngine (onwhichVCPsare configured),
after it is up after a reboot. PR946920
RelatedDocumentation
New and Changed Features on page 6•
• Changes in Behavior and Syntax on page 8
• Known Behavior on page 11
• Known Issues on page 14
• Documentation Updates on page 23
• Migration, Upgrade, and Downgrade Instructions on page 24
• Product Compatibility on page 24
Documentation Updates
There are no errata or changes in Junos OS Release 13.3R10 for the EX Series switches
documentation.
RelatedDocumentation
New and Changed Features on page 6•
• Changes in Behavior and Syntax on page 8
• Known Behavior on page 11
• Known Issues on page 14
• Resolved Issues on page 14
• Migration, Upgrade, and Downgrade Instructions on page 24
• Product Compatibility on page 24
23Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
Migration, Upgrade, and Downgrade Instructions
This section contains upgrade and downgrade policies for Junos OS for the EX Series.
Upgrading or downgrading Junos OS can take several hours, depending on the size and
configuration of the network.
• Upgrade and Downgrade Support Policy for Junos OS Releases on page 24
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that spanmore than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release, even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to twoEEOL releases before or after. For example,
JunosOSReleases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from JunosOS
Release 10.0 toRelease 10.4 or even from JunosOSRelease 10.0 toRelease 11.4. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3
(a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS
Release 11.4 to Junos OS Release 10.3.
To upgrade or downgrade fromanon-EEOL release to a releasemore than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information about EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
For information on software installation and upgrade, see the Installation and Upgrade
Guide.
RelatedDocumentation
New and Changed Features on page 6•
• Changes in Behavior and Syntax on page 8
• Known Behavior on page 11
• Known Issues on page 14
• Resolved Issues on page 14
• Documentation Updates on page 23
• Product Compatibility on page 24
Product Compatibility
• Hardware Compatibility on page 25
Copyright © 2017, Juniper Networks, Inc.24
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Hardware Compatibility
To obtain information about the components that are supported on the devices, and
special compatibility guidelineswith the release, see theHardwareGuide for theproduct.
Todetermine the features supportedonEXSeries switches in this release, use the Juniper
Networks Feature Explorer, a Web-based application that helps you to explore and
compare Junos OS feature information to find the right software release and hardware
platform for your network. Find Feature Explorer at
http://pathfinder.juniper.net/feature-explorer/.
RelatedDocumentation
New and Changed Features on page 6•
• Changes in Behavior and Syntax on page 8
• Known Behavior on page 11
• Known Issues on page 14
• Resolved Issues on page 14
• Documentation Updates on page 23
• Migration, Upgrade, and Downgrade Instructions on page 24
25Copyright © 2017, Juniper Networks, Inc.
Product Compatibility
JunosOSReleaseNotesforMSeriesMultiserviceEdgeRouters,MXSeries3DUniversalEdge Routers, and T Series Core Routers
These release notes accompany Junos OS Release 13.3R10 for the M Series, MX Series,
and T Series. They describe new and changed features, limitations, and known and
resolved problems in the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
• New and Changed Features on page 26
• Changes in Behavior and Syntax on page 61
• Known Behavior on page 78
• Known Issues on page 82
• Resolved Issues on page 101
• Documentation Updates on page 217
• Migration, Upgrade, and Downgrade Instructions on page 242
• Product Compatibility on page 251
New and Changed Features
This section describes the new features and enhancements to existing features in Junos
OS Release 13.3R10 for the M Series, MX Series, and T Series.
• Hardware on page 27
• Authentication, Authorization, and Accounting (AAA) (RADIUS) on page 35
• Class of Service (CoS) on page 35
• General Routing on page 37
• High Availability (HA) and Resiliency on page 38
• Interfaces and Chassis on page 39
• IPv6 on page 47
• Layer 2 Features on page 47
• MPLS on page 47
• Multicast on page 48
• Network Management and Monitoring on page 48
• OpenFlow on page 49
• Platform and Infrastructure on page 49
• Port Security on page 50
• Routing Policy and Firewall Filters on page 50
• Routing Protocols on page 51
• Services Applications on page 52
• Software Installation and Upgrade on page 53
Copyright © 2017, Juniper Networks, Inc.26
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Subscriber Management and Services (MX Series) on page 54
• VPNs on page 60
Hardware
• MIC support (MX104)—Junos OS Release 13.3 and later releases extend support tothe following MICs on the MX104 3D Universal Edge Routers:
• ATMMICwith SFP (Model No: MIC-3D-8OC3-2OC12-ATM)
• DS3/E3MIC (Model No: MIC-3D-8DS3-E3)
• Channelized SONET/SDHOC3/STM1 (Multi-rate) MICs with SFP (Model No:
MIC-3D-4CHOC3-2CHOC12)
• Channelized SONET/SDHOC3/STM1 (Multi-rate) MICs with SFP (Model No:
MIC-3D-8CHOC3-4CHOC12)
• Multiservices MIC (Model No: MS-MIC-16G)
• SONET/SDHOC3/STM1 (Multi-rate) MICs with SFP (Model No:
MIC-3D-4OC3OC12-10C48)
• SONET/SDHOC3/STM1 (Multi-rate) MICs with SFP (Model No:
MIC-3D-8OC3OC12-4OC48)
• SONET/SDHOC192/STM64MICs with XFP (Model No: MIC-3D-10C192-XFP)
[SeeMICs Supported by MX Series Routers in theMX Series Interface Module Reference.]
• Support for MICs onMPC3E (MX240, MX480, andMX960)—Starting in Junos OSRelease 13.3, the following MICs are supported on the MPC3E (MX-MPC3E-3D):
• SONET/SDHOC3/STM1 (Multi-Rate) MICs with SFP (MIC-3D-8OC3OC12-4OC48)
• SONET/SDHOC3/STM1 (Multi-Rate) MICs with SFP (MIC-3D-4OC3OC12-1OC48)
• SONET/SDHOC192/STM64MIC with XFP (MIC-3D-1OC192-XFP)
• DS3/E3 MIC (MIC-3D-8DS3-E3)
The following encapsulations are supported on the aforementioned MICs on MPC3E:
• Cisco High-Level Data Link Control (cHDLC)
• Flexible Frame Relay
• Frame Relay
• Frame Relay for circuit cross-connect (CCC)
• Frame Relay for translational cross-connect (TCC)
• MPLS fast reroute
• MPLS CCC
• MPLS TCC
• Point-to-Point Protocol (PPP) (default)
• PPP for CCC
27Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• PPP for TCC
• PPP over Frame Relay
[SeeMPC3E onMX Series Routers Overview.]
• CFP-GEN2-CGE-ER4 (MX Series, T1600, and T4000)—The CFP-GEN2-CGE-ER4transceiver (part number: 740-049763) provides a duplex LC connector and supports
the 100GBASE-ER4 optical interface specification andmonitoring. Starting in Junos
OSRelease 13.3, theGEN2optics have been redesignedwith newer versions of internal
components for reducedpower consumption.The following interfacemodules support
the CFP-GEN2-CGE-ER4 transceiver. For more information about interface modules,
see the Interface Module Reference for your router.
MX Series routers:
• 100-Gigabit Ethernet MIC with CFP (model number:
MIC3-3D-1X100GE-CFP)—Supported in Junos OS Release 12.1R1 and later
• 2x100GE + 8x10GEMPC4E (model number: MPC4E-3D-2CGE-8XGE)—Supported
in Junos OS Release 12.3R2 and later
T1600 and T4000 routers:
• 100-Gigabit Ethernet PIC with CFP (model numbers: PD-1CE-CFP-FPC4 and
PD-1CGE-CFP)—Supported in Junos OS Releases 12.3R5, 13.2R3, 13.3R1, and later
[See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications.]
• SFP-GE80KCW1470-ET, SFP-GE80KCW1490-ET, SFP-GE80KCW1510-ET,SFP-GE80KCW1530-ET, SFP-GE80KCW1550-ET, SFP-GE80KCW1570-ET,SFP-GE80KCW1590-ET, and SFP-GE80KCW1610-ET (MX Series)—Beginning withJunos OS Release 13.3, these transceivers provide a duplex LC connector and support
operationandmonitoringwith linksup toadistanceof80km.Each transceiver is tuned
to a different transmit wavelength for use in CWDM applications. These transceivers
are supported on the following interfacemodule. Formore information about interface
modules, see the Interface Module Reference for your router.
• Gigabit Ethernet MIC with SFP (model number: MIC-3D-20GE-SFP) in all versions
of MX-MPC1, MX-MPC2, and MX-MPC3—Supported in Junos OS Release 12.3R5,
13.2R3, 13.3R1, and later.
[See Gigabit Ethernet SFP CWDMOptical Interface Specification]
• CFP-GEN2-100GBASE-LR4 (T1600 and T4000)—The CFP-GEN2-100GBASE-LR4transceiver (part number: 740-047682) provides a duplex LC connector and supports
the 100GBASE-LR4 optical interface specification andmonitoring. Starting in Junos
OSRelease 13.3, the “GEN2”opticshavebeen redesignedwithnewer versionsof internal
components for reducedpower consumption.The following interfacemodules support
the CFP-GEN2-100GBASE-LR4 transceiver. For more information about interface
modules, see the Interface Module Reference for your router.
Copyright © 2017, Juniper Networks, Inc.28
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• 100-Gigabit Ethernet PIC with CFP (model numbers: PD-1CE-CFP-FPC4 and
PD-1CGE-CFP)—Supported in Junos OS Releases 12.3R5, 13.2R3, 13.3R1, and later
[See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications.]
• Software feature support on theMPC5E— Starting in Junos OS Release 13.3, MPC5E
supports the following key features:
• Basic Layer 2 features and virtual private LAN services (VPLS) functionality
• Class of service (CoS)
• Flexible Queuing option—By using an add-on license, MPC5E supports a limited
number of queues (32,000 queues per slot including ingress and egress)
• Hierarchical QoS
• Intelligent oversubscription services
• Interoperability with existing MPCs and DPCs
• MPLS
• MX Virtual Chassis
The following features are not supported on MPC5E:
• Active flowmonitoring and services
• Subscriber management features
[SeeProtocols andApplications Supported by theMX240,MX480,MX960,MX2010, and
MX2020MPC5E.]
• SoftwarefeaturesupportontheMPC5EQ—Starting in JunosOSRelease 13.3,MPC5EQ
supports 1 million queues per slot on all MX Series routers. All the other software
features supported on MPC5E are also supported on MPC5EQ.
[SeeProtocols andApplications Supported by theMX240,MX480,MX960,MX2010, and
MX2020MPC5E.]
• Support for new 520-gigabit full duplex Modular Port Concentrator (MPC6E) withtwoModular InterfaceCard (MIC) slots onMX2010andMX20203DUniversal EdgeRouters—In Junos OS Release 13.3R3 and later, MX2020 andMX2010 routers supportanewMPC,MPC6E(model number:MX2K-MPC6E).MPC6E is a 100-Gigabit Ethernet
MPC that provides increased density and performance to MX Series routers in
broadband access networks for services such as Layer 3 peering, VPLS and Layer 3
aggregation, and video distribution.
MPC6Eprovides packet-forwarding services that deliver up to 520Gbps of full-duplex
traffic. It has two separate slots forMICs and supports four Packet Forwarding Engines
with a throughput of 130Gbps per Packet Forwarding Engine. It also supports twoMIC
slots asWAN ports that provide physical interface flexibility.
MPC6E supports:
• Forwarding capability of up to 130 Gbps per Packet Forwarding Engine
• 100-Gigabit Ethernet interfaces
29Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• Up to 560 Gbps of full-duplex traffic for the twoMIC slots
• WAN-PHYmode on 10-Gigabit Ethernet interfaces on a per port basis
• Two separate slots for MICs (MIC6-10G and MIC6-100G-CXP)
• Two Packet Forwarding Engines for each MIC slot
• Intelligent oversubscription services
[SeeProtocols andApplications Supported by theMX240,MX480,MX960,MX2010, and
MX2020MPC5E.]
• FeaturesupportonMPC6E—MPC6Esupports the followingsoftware features in JunosOS Release 13.3R2:
• Basic Layer 2 features and virtual private LAN service (VPLS) functionality, except
for Operation, Administration, and Maintenance (OAM)
• Layer 3 routing protocols
• MPLS
• Multicast forwarding
• Firewall filters and policers
• Class of service (CoS)
• Tunnel service
• Interoperability with existing DPCs and MPCs
• Internet Group Management Protocol (IGMP) snooping with bridging, integrated
routing and bridging (IRB), or VPLS
• Intelligent hierarchical policers
• Layer 2 trunk port
• MPLS-fast reroute (FRR) VPLS instance prioritization
• Precision Time Protocol (PTP) (IEEE 1588)
• Synchronous Ethernet
The following features are not supported on MPC6E:
• Fine-grained queuing and input queuing
• Unified in-service software upgrade (ISSU)
• Active flowmonitoring and services
• Virtual Chassis support
[SeeProtocols andApplications Supported by theMX240,MX480,MX960,MX2010, and
MX2020MPC5E.]
• Support for fixed-configurationMPC onMX240, MX480, MX960, MX2010, andMX2020 routers—MX240, MX480, MX960, MX2010 and MX2020 routers support anewMPC, MPC5E (model number: MPC5E-40G10G). On the MX2010 and MX2020
Copyright © 2017, Juniper Networks, Inc.30
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
routers, MPC5E is housed in an adapter card. MPC5E is a fixed-configurationMPCwith
four built-in PICs and does not contain separate slots for Modular Interface Cards
(MICs). MPC5E supports two Packet Forwarding Engines, PFEO and PFE1. PFE0 hosts
PIC0 and PIC2while PFE1 hosts PIC1 and PIC3. A maximum of two PICs can be kept
powered on (PIC0 or PIC2 and PIC1 or PIC3). The other PICs are required to be kept
powered off.
MPC5E supports:
• Flexible queuing option by using an add-on license
• Forwarding capability of up to 130 Gbps per Packet Forwarding Engine
• Intelligent oversubscription services
• Quad small form-factor pluggable plus transceivers (QSFP+) and small form-factor
pluggable plus transceivers (SFP+) for connectivity
• Up to 240 Gbps of full-duplex traffic
• WAN-PHYmode on 10-Gigabit Ethernet Interfaces on a per-port basis
Formore informationabout thesupportedandunsupported JunosOSsoftware features
for this MPC, see Protocols and Applications Supported by the MX240, MX480, MX960,
MX2010, andMX2020MPC5E.
• Support for new fixed-configuration queuingMPC onMX240, MX480, MX960,MX2010, andMX2020 routers—MX240, MX480, MX960, MX2010, and MX2020routers support a new queuing MPC, MPC5EQ (model number: MPC5EQ-40G10G).
On theMX2010 andMX2020 routers, MPC5EQ is housed in an adapter card. MPC5EQ,
like MPC5E, is a fixed-configuration MPCwith four built-in PICs and does not contain
separate slots for Modular Interface Cards (MICs). MPC5EQ, like MPC5E supports two
Packet ForwardingEngines,PFEOandPFE1.PFE0hostsPIC0andPIC2whilePFE1hosts
PIC1 andPIC3. Amaximumof twoPICs can be kept powered on (PIC0 orPIC2 andPIC1
or PIC3). The other PICs are required to be kept powered off.
MPC5EQ supports 1 million queues per slot on all MX Series routers. All the other
software features supported on MPC5E are also supported on MPC5EQ.
Formore informationabout thesupportedandunsupported JunosOSsoftware features
for this MPC, see Protocols and Applications Supported by the MX240, MX480, MX960,
MX2010, andMX2020MPC5EProtocols and Applications Supported by the MX240,
MX480, MX960, MX2010, and MX2020 MPC5E.
• Support forOTNMIConMPC6E(MX2010andMX2020routers)—Startingwith JunosOS Release 13.3R3, the 24-port 10-Gigabit Ethernet OTNMIC with SFPP
(MIC6-10G-OTN) is supported on MPC6E on the MX2010 and MX2020 routers. The
OTNMIC supports both LAN PHY andWAN PHY framingmodes on a per-port basis.
The MIC supports the following features:
• Transparent transport of 24 10-Gigabit Ethernet signals with optical channel data
unit 2 (ODU2) and ODU2e framing on a per port basis
• ITU-standard optical transport network (OTN) performancemonitoring and alarm
management
31Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• Pre-forwarderror correction (pre-FEC)-basedbit error rate (BER). Fast reroute (FRR)
uses the pre-FEC BER as an indication of the condition of an OTN link
To configure the OTN options for this MIC, use the set otn-options statement at the
[edit interfaces interfaceType-fpc/pic/port] hierarchy level.
• OTNsupport for 10-GigabitEthernetand 100-GigabitEthernet interfacesonMPC5EandMPC6E (MX240, MX480, MX960, MX2010, andMX2020 routers)—Junos OSRelease 13.3 extends optical transport network (OTN) support for 10-Gigabit Ethernet
and 100-Gigabit Ethernet interfaces on MPC5E and MPC6E. MPC5E-40G10G and
MPC5EQ-40G10GsupportOTNon10-GigabitEthernet interfaces,andMPC5E-100G10G
andMPC5EQ-100G10GsupportOTNon 10-GigabitEthernet interfacesand 100-Gigabit
Ethernet interfaces. The OTNMICs MIC6-10G-OTN and MIC6-100G-CFP2 on MPC6E
support OTN on 10-Gigabit Ethernet interfaces and 100-Gigabit Ethernet interfaces,
respectively.
OTN support includes:
• Transparent transport of 10-Gigabit Ethernet signals with optical channel transport
unit 2 (OTU2) framing
• Transparent transport of 100-Gigabit Ethernet signals with OTU4 framing
• ITU-T standard OTN performancemonitoring and alarmmanagement
Compared with SONET/SDH, OTN provides stronger forward error correction,
transparent transport of client signals, and switching scalability. To configure the OTN
options for the interfaces, use the set otn-options configuration statement at the [edit
interfaces interfaceType-fpc/pic/port] hierarchy level.
• Support for 100 Gigabit-Ethernet OTNMIC onMPC6E (MX2010 andMX2020routers)—Startingwith JunosOSRelease 13.3R3, the 2-port 100-Gigabit EthernetMICwith CFP2 (MIC6-100G-CFP2) is supported on MPC6E. The MIC supports optical
transport network (OTN) features on the 100-Gigabit Ethernet interfaces and also
supports line-rate throughput of 100 Gbps per port.
The following OTN features are supported:
• Transparent transport of 2-port 100-Gigabit Ethernet signals with optical channel
data unit 4 (ODU4) framing for each port
• ITU-standard OTN performancemonitoring and alarmmanagement
• Generic forward error correction (GFEC)
To configure OTN options for this MIC, use the set otn-options statement at the [edit
interfaces interfaceType-fpc/pic/port] hierarchy level.
• Support for MPC5E on SCBE2 (MX Series routers)—Starting with Junos OS Release13.3R3, MPC5E is supported on SCBE2 on MX240, MX480, and MX960 routers.
• Support for enhanced 20-port Gigabit Ethernet MIC (MX5, MX10, MX40, MX80,MX240,MX480,andMX960)—Starting in JunosOSRelease 13.3, anenhanced20-portGigabit EthernetMIC(modelnumberMIC-3D-20GE-SFP-E) is supportedonMXSeries
routers. This enhancedMIC supports up to 20 SFP optical transceiver modules, which
include the following:
Copyright © 2017, Juniper Networks, Inc.32
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Fiber-optic small form-factor pluggable (SFP) transceivers:
• 1000BASE-LH (model number: SFP-1GE-LH)
• 1000BASE-LX (model number: SFP-1GE-LX)
• 1000BASE-SX (model number: SFP-1GE-SX)
• Copper SFP transceiver:
• 1000BASE-T (model number: SFP-1GE-T)
• Bidirectional SFP transceivers:
• 1000BASE-BX (model number pairs: SFP-GE10KT13R14 with SFP-GE10KT14R13,
SFP-GE10KT13R15 with SFP-GE10KT15R13, SFP-GE40KT13R15 with
SFP-GE40KT15R13)
These optical transceiver modules can be hot-swapped. You can view the enhanced
20-portGigabitEthernetMIC informationbyusing theshowchassishardwarecommand.
• Multiservices MIC support (MX104)—Starting with Junos OS Release 13.3R2, theMultiservices MIC (MS-MIC-16G) is supported on MX104 3D Universal Edge Routers.
TheMultiservicesMIChasanenhancedmemoryof 16GBandprovides improvedscaling
and high performance. Only oneMultiservicesMIC is supported on theMX104 chassis.
The Multiservices MIC supports the following software features:
• Active flowmonitoring and export of flowmonitoring version 9 records, based on
RFC 3954
• IP Security (IPsec) encryption
• Network Address Translation (NAT) for IP addresses
• Port Address Translation (PAT) for port numbers
• Stateful firewallwithpacket inspection—detectsSYNattacks, ICMPandUDPfloods,
and ping-of-death attacks
• Traffic sampling
[SeeMultiservices MIC.]
• SFPP-10G-ZR-OTN-XT (MX Series, T1600, and T4000)—Starting with Junos OSRelease 13.3R3, theSFPP-10G-ZR-OTN-XTdual-rateextendedtemperature transceiver
provides a duplex LC connector and supports the 10GBASE-Z optical interface
specification andmonitoring. The transceiver is not specified as part of the 10-Gigabit
Ethernet standard and is instead built according to ITU-T and Juniper Networks
specifications. In addition, the transceiver supports LAN-PHY andWAN-PHYmodes
and OTN rates and provides a NEBS-compliant 10-Gigabit Ethernet ZR transceiver for
the MX Series interface modules listed here. The following interface modules support
the SFPP-10G-ZR-OTN-XT transceiver:
33Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
MX Series:
• 10-Gigabit Ethernet MIC with SFP+ (model number:
MIC3-3D-10XGE-SFPP)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3, and
later
• 16-port 10-Gigabit Ethernet (model number: MPC-3D-16XGE-SFPP)—Supported in
Junos OS Release 12.3R5, 13.2R3, 13.3, and later
• 32-port 10-Gigabit Ethernet MPC4E (model number:
MPC4E-3D-32XGE-SFPP)—Supported in JunosOSRelease 12.3R5, 13.2R3, 13.3, and
later
• 2-port 100-Gigabit Ethernet + 8-port 10-Gigabit Ethernet MPC4E (model number:
MPC4E-3D-2CGE-8XGE)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3, and
later
T1600 and T4000 routers:
• 10-GigabitEthernetLAN/WANPICwithOversubscriptionandSFP+(modelnumbers:
PD-5-10XGE-SFPP and PF-24XGE-SFPP)—Supported in Junos OS Release 12.3R5,
13.2R3, 13.3, and later
• 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (model number:
PF-12XGE-SFPP)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3, and later
Formore informationabout interfacemodules, see the “CablesandConnectors” section
in the Interface Module Reference for your router.
[See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications.]
• Support for hypermode to increase packet processing rate on enhancedMPCs(MX240, MX480, MX960, MX2010, andMX2020 routers)—Starting in Junos OSRelease 13.3R4,MPC3E,MPC4E,MPC5E, andMPC6E support the hyper-mode feature.
Enabling thehypermode feature increases the rateatwhichadatapacket is processed,
which results in the optimization of the lifetime of a data packet. Optimization of the
data packet lifetime enables better performance and throughput.
NOTE: You can enable hyper mode only if the network-servicemode onthe router is configured as either enhanced-ip or enhanced-ethernet. Also,
youcannotenable thehypermode feature foraspecificPacketForwardingEngine on anMPC—that is, when you enable the feature, it is applicablefor all Packet Forwarding Engines on the router.
When you enable the hyper mode feature, the following features are not supported:
• Creation of Virtual Chassis.
• Interoperability with legacy DPCs, including MS-DPCs. The MPC in hyper mode
accepts and transmits data packets only from other existing MPCs.
• Interoperability with non-Ethernet MICs and non-Ethernet Interfaces such as
channelized interfaces, multilink interfaces, and SONET interfaces.
Copyright © 2017, Juniper Networks, Inc.34
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Padding of Ethernet Frames with VLAN.
• Sending Internet Control Message Protocol (ICMP) redirect messages.
• Termination or tunneling of all subscriber-based services.
• To configure the hyper mode feature, use the hyper-mode statement at the [edit
forwarding-options] hierarchy level. To view the changedconfiguration, use the show
forwarding-options hyper-mode command.
Authentication, Authorization, and Accounting (AAA) (RADIUS)
• RADIUS functionality over IPv6 for systemAAA—Startingwith Release 13.3R4, JunosOS supports RADIUS functionality over IPv6 for system AAA (authentication,
authorization, and accounting) in addition to the existing RADIUS functionality over
IPv4 for system AAA. With this feature, Junos OS users can log in to the router
authenticated through RADIUS over an IPv6 network. Thus, Junos OS users can now
configure both IPv4 and IPv6 RADIUS servers for AAA. To accept the IPv6 source
address, include the source-address statement at the [edit system radius-server IPv6]
hierarchy level. (If an IPv6 RADIUS server is configured without any source-address,
default ::0 is considered as the source address.)
Class of Service (CoS)
• CCCandTCCsupportonFRF.15,FRF.16,andMLPPP interfaces(MXSeries)—Startingwith Release 13.3, Junos OS supports Circuit Cross Connect (CCC) and Translational
Cross Connect (TCC) over Multilink Frame Relay (MLFR) UNI NNI (FRF.16) interface
and TCC over Multilink Frame Relay (MLFR) end-to-end (FRF.15) and Multilink
Point-to-Point Protocol (MLPPP) interfaces. You can implement the cross-connect
over anMPLSnetworkor a local-switchednetwork.Whenyouconfigure cross-connect
over these interfaces, thepeer interfacecanbeofanyof the interface types that support
cross-connect.
To configure CCC over FRF.16/MFR interfaces, include the following statements under
the [edit interfaces interface-name unit number] hierarchy level:
family ccc {translate-discard-eligible;translate-fecn-and-becn;translate-plp-control-word-de;no-asynchronous-notification;
}
To configure TCC over FRF.15/MLFR, FRF.16/MFR, or MLPPP interfaces, include the
followingconfigurationunder the [edit interfaces interface-nameunitnumber]hierarchy
level:
family tcc {protocols [inet isompls];no-asynchronous-notification;
}
To complete CCC or TCC configurations over the multilink Frame Relay interfaces, you
must also specify the interface name under one of the following hierarchies:
35Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• [edit protocols l2circuit neighbor ip-address] if the switching is done over a Layer 2
circuit.
• [edit protocols connections remote-interface-switch remote-if-sw] if the switching
is done over a remote interface switch.
• [edit protocols connections interface-switch local-if-switch] if the switching is done
using a local switch.
• Support for IPv6 traffic over IPsec tunnels onMS-MICs andMS-MPCs (MXSeries)—Starting with Release 13.3, Junos OS extends IPsec support on MS-MICs andMS-MPCs to IPv6 traffic. IPsec support on MS-MICs and MS-MPCs is limited to the
ESP protocol, and now enables you to configure IPv4 and IPv6 tunnels that can carry
IPv6 as well as IPv4 traffic. To enable IPv6 traffic over an IPsec tunnel, configure an
IPv6 address for the local-gateway statement under the [edit services service-set
service-set-name ipsec-vpn-options] hierarchy level.
• CoS show command enhancements (MX Series)—Starting in Release 13.3, Junos OSextendssupport forCoS showcommandswith theadditionof the showclass-of-service
scheduler-hierarchy interfaceand showclass-of-servicescheduler-hierarchy interface-set
commands. These commands display subscriber class-of-service interface and
interface-set information.
[See show class-of-service scheduler-hierarchy interface and show class-of-service
scheduler-hierarchy interface-set.]
• Traffic schedulingandshaping support forGRE tunnel interfaceoutputqueues (MXSeries)—Beginning with Junos OS Release 13.3, you canmanage output queuing oftraffic entering GRE tunnel interfaces hosted on MIC or MPC line cards in MX Series
routers. Support for the output-traffic-control-profile configuration statement, which
applies an output traffic scheduling and shaping profile to the interface, is extended
to GRE tunnel physical and logical interfaces. Support for the
output-traffic-control-profile-remaining configuration statement, which applies an
output traffic scheduling and shaping profile for remaining traffic to the interface, is
extended to GRE tunnel physical interfaces.
NOTE: Interface sets (sets of interfaces used to configure hierarchical CoSschedulers on supported Ethernet interfaces) are not supported on GREtunnel interfaces.
[See Configuring Traffic Control Profiles for Shared Scheduling and Shaping.]
• New forwarding-class-accounting statement onMX Series routers—Starting in JunosOS Release 13.3R3, new forwarding class accounting statistics can be enabled at the
[edit interfaces interface-name] and the [edit interfaces interface-name unit
interface-unit-number] hierarchy levels. These statistics replace theneed touse firewall
filters for gathering accounting statistics. Statistics can be gathered and displayed for
IPv4, IPv6, MPLS, Layer 2 and Other families in ingress, egress, or both directions.
• Support for CoS hierarchical schedulers onMPC5E (MX240, MX480, MX960,MX2010,andMX2020routers)—Starting in JunosOSRelease 13.3R3, class-of-service
Copyright © 2017, Juniper Networks, Inc.36
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
(CoS) hierarchical schedulers can be configured on MPC5E interfaces. This feature is
supported on egress only.
You can use hierarchical schedulers to define traffic control profiles, which set the
following CoS parameters on a CoS interface:
• Delay buffer rate
• Excess bandwidth
• Guaranteed rate
• Overhead accounting
• Scheduler map
• Shaping rate
General Routing
• Nonstop active routing support for logical systems (MX Series)—Starting in JunosOSRelease 13.3, this featureenablesnonstopactive routing support for logical systems
using the nonstop-routing option under the [edit logical-systems logical-system-name
routing-options] hierarchy. As a result of extending nonstop active routing support for
logical systems, the logical-systems argument has been appended in some show
operational commands to allow display of status, process, and event details.
• Nonstopactive routing formultipoint labeldistributionprotocol (MSeries,MXSeries,and T Series)—Starting in Junos OS Release 13.3, this feature enables nonstop activerouting for the multipoint label distribution protocol, using the nonstop-routing option
at the [edit routing-options] hierarchy level. Themultipoint label distribution protocol
state, event, and process details can be viewed using the p2mp-nsr-synchronization
flag under trace-options.
[See p2mp-ldp-next-hop.]
The showldpdatabasecommanddisplays theentries in theLabelDistributionProtocol
(LDP) database for master and standby Routing Engines.
[See show ldp database.]
Theshowldpp2mptunnelcommanddisplays theLDPpoint-to-multipoint tunnel table
information.
[See show ldp p2mp tunnel.]
37Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
High Availability (HA) and Resiliency
• MXSeries Virtual Chassis support for multichassis link aggregation (MX Seriesrouters with MPCs)—Starting in Junos OS Release 13.3, an MX Series Virtual Chassissupports configuration of multichassis link aggregation (MC-LAG). MC-LAG enables
a device to form a logical link aggregation group interface with two or more other
devices. The MC-LAG devices use the Inter-Chassis Communication Protocol (ICCP)
to exchange control information between twoMC-LAG network devices.
When you configure MC-LAGwith an MX Series Virtual Chassis, the link aggregation
group spans links to two Virtual Chassis configurations. Each Virtual Chassis consists
of two MX Series member routers that form a logical systemmanaged as a single
network element. ICCP exchanges control information between the global master
router (VC-M) of the first Virtual Chassis and the VC-M of the second Virtual Chassis.
NOTE: Internet GroupManagement Protocol (IGMP) snooping is notsupported onMC-LAG interfaces in an MX Series Virtual Chassis.
[See Configuring Multichassis Link Aggregation.]
• TCPauto-merge support in nonstop active routing for short duration hold timers forprotocols (BGP, LDP) (kernel) (M Series, MX Series, and T Series)—Beginning withJunosOSRelease 13.3, TCPauto-merge support in nonstopactive routing for protocols
(BGP, LDP) (kernel) is enabledon theMSeries,MXSeries, andTSeries.Nonstopactive
routing automerge is one of the kernel components of the socket replication. On
switchover, this componentmerges the socket pairs automatically from the secondary
to the primary Routing Engine. Currently, nonstop active routing switchover from
secondary to primary happenswhen rpd issues amerge call for each secondary socket
pair to merge them to a single socket, which can result in a delay. To avoid this delay,
this feature introducesanautomergemodule in thekernel thatdecouples thesecondary
socket merge from rpd and automatically merges secondary sockets on switchover
so that the rpd high priority thread takes advantage of this and generates faster
keep-alive to sustain TCP connections on switchover.
• Nonstop active routing support for BGP addpath (M Series, MX Series, and TSeries)—Beginning in Junos OS Release 13.3, nonstop active routing support for BGPaddpath is available on the M Series, MX Series, and T Series. Nonstop active routing
support is enabled for the BGP addpath feature. After the nonstop active routing
switchover, addpath-enabled BGP sessions do not bounce. The secondary Routing
Engine maintains the addpath advertisement state before the nonstop active routing
switchover.
• Interchassis high availability provides stateful redundancy (MS-MPC andMS-MICinterface cards onMXSeries routers)—Starting with Release 13.3, Junos OS supportsstateful high availability (HA) to replicate flow states on an activeMS-MPCorMS-MIC
service card to a standby MS-MPC or MS-MIC service card on a different chassis. This
enables the preservation of the state of the existing flows in case of a planned or
unplanned switchover.
Copyright © 2017, Juniper Networks, Inc.38
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Services to be synchronized statefully include:
• Stateful firewall
• NAT (NAPT44 and APP only)
Both IPv4 and IPv6 sessions are synchronized.
Synchronizationoccurs for long-lived flowsasdefinedbyaconfigurable synchronization
threshold.
[See Inter-Chassis High Availability for MS-MIC andMS-MPC.]
• Support for unified in-service software upgrade onMX Series routers with MPC3andMPC4E (MX240, MX480, andMX960)—Starting in Release 13.3, Junos OSsupports unified in-service software upgrade (ISSU) on MX Series routers with MPC3
and MPC4E. Unified ISSU is a process to upgrade the system software with minimal
disruption of transit traffic and no disruption of the control plane. In this process, the
new system software version must be later than the version of the previous system
software. When unified ISSU completes, the new system software state is identical
to that of the system software when the system upgrade is performed through a cold
boot.
• MXSeriesVirtual Chassis support for inline flowmonitoring (MXSeries routerswithMPCs)—Starting in Junos OS Release 13.3R3, you can configure inline flowmonitoring
for anMXSeries Virtual Chassis. Inline flowmonitoring enables you to activelymonitor
the flow of traffic by means of a router participating in the network.
Inline flowmonitoring for an MX Series Virtual Chassis provides the following support:
• Active sampling and exporting of both IPv4 and IPv6 traffic flows
• Sampling traffic flows in both the ingress and egress directions
• Configuration of flow collection on either IPv4 or IPv6 devices
• Use of the IPFIX flow collection template for traffic sampling (both IPv4 and IPv6
export records)
• MXSeries Virtual Chassis support for L2TP LNS (MX Series)—Starting in Junos OSRelease 13.3R8,MXSeriesVirtualChassisconfigurationssupportL2TPLNSfunctionality.
[See L2TP for Subscriber Access Overview.]
Interfaces and Chassis
• Transmit ESMC SSMquality level from synchronous Ethernetmode (MXSeries)—Starting in Junos OS Release 13.3, when an MX Series router is configured insynchronous Ethernet mode, the ESMC SSM quality level can be transmitted. The setchassis synchronizationmax-transmit-quality-level command sets a thresholdquality level for the entire system.
• Ethernet frame padding with VLAN (DPCs andMPCs running onMX Seriesrouters)—Starting in JunosOSRelease 13.3, DPCs andMPCs onMXSeries routers padthe Ethernet frame with 68 bytes if the packet is VLAN tagged and the frame length
is less than68bytesandgreater thanor equal to64bytesat theegressof the interface.
39Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• PTP redundancy support for line cards (MX Series andMSeries)—Beginning withJunos OS Release 13.3, line cards on MX Series and M Series routers support slave
redundancy. If multiple slave streams are configured across line cards and the active
slave line card crashes or all of the streams on that line card lose their timing packets,
another slave line card takes over if it has been primed to do so.
• Increased Layer 3 forwarding capabilities forMPCs andMultiservicesDPCs throughFIB localization(MXSeries)—Starting in JunosOSRelease 13.3, forwarding informationbase (FIB) localization characterizes the Packet Forwarding Engines in a router into
two types: FIB-Remote and FIB-Local. FIB-Local Packet Forwarding Engines install all
of the routes from the default route tables into Packet Forwarding Engine forwarding
hardware. FIB-Remote Packet Forwarding Engines create a default (0.0) route that
referencesanexthoporaunilist ofnexthops to indicate theFIB-Local that canperform
full IP table looks-ups for received packets. FIB-Remote Packet Forwarding Engines
forward received packets to the set of FIB-Local Packet Forwarding Engines.
The capacity of MPCs is much higher than that of Multiservices DPCs, so an MPC is
designatedas the localPacketForwardingEngine, andaMultiservicesDPC isdesignated
as the remote Packet Forwarding Engine. The remote Packet Forwarding Engine
forwards all network-bound traffic to the local Packet Forwarding Engine. If multiple
MPCs are designated as local Packet Forwarding Engines, then the Multiservices DPC
load balances the traffic using the unilist of next hops as the default route.
• Support for centralized clocking (MX2020)—Before Junos OS Release 13.3, theMX2020 supported SyncE (Synchronous Ethernet) in distributedmode, where the
clock module on a line card would lock to the SyncE source and distribute frequency
references to the entire chassis. Starting in Junos OS Release 13.3, the MX2020 uses
the centralized Stratum 3 clock module on the control board to lock onto SyncE and
distribute the frequency to the entire chassis. Supported features include:
• Clock monitoring, filtering, and holdover
• Hitless transition from a distributed to centralized clocking mode
• Distribution of the selected chassis clock source to downstream network elements
through supported line interfaces
You can view the centralized clock module information with the show chassis
synchronization clock-module command.
NOTE: PrecisionTimeProtocol/IEEE1588continuetooperate indistributedmode.
• Enhancements to commit check processing (M Series andMX Series)—Starting inJunos OS Release 13.3, the processing performance when you issue the commit check
command has been optimized for the following static and dynamic interface types:
• Logical demultiplexing (demux) interfaces (demux0)
• PPPoE logical interfaces (pp0)
• Inline services interfaces (si)
Copyright © 2017, Juniper Networks, Inc.40
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
The improved performance for commit check enables the overall commit operation to
complete fasterwhennewdemux0, pp0, or si interfacesareadded to theconfiguration.
• Support for ATM virtual connectionmultiplexing and LLC encapsulation (MXSeries)—Starting in Junos OS Release 13.3, ATM virtual connection (VC) multiplexing
and logical link control (LLC) encapsulation are supported on the Channelized
OC3/STM1 (Multi-Rate) Circuit Emulation MIC with SFP. ATM virtual connection
multiplexing and LLC are the twomethods for identifying the protocol carried in ATM
AdaptationLayer5 (AAL5) frames.Themethodsaredefined inRFC2684,Multiprotocol
Encapsulation over ATM Adaptation Layer 5.
In theATMvirtual connectionmultiplexingmethod, eachATMvirtual connectioncarries
protocol dataunits (PDUs)of exactly oneprotocol type.Whenmultipleprotocols need
to be transported, there is a separate virtual connection for each protocol.
TheLLCencapsulationmethodenablesmultiplexingofmultipleprotocolsoverasingle
ATM virtual connection. The protocol type of each PDU is identified by a prefixed IEEE
802.2 LLC header.
[See ATMSupport on Circuit Emulation PICs Overview.]
• Support for MPLS-signaled LSPs to use GRE tunnels (MXSeries)—Starting in JunosOS Release 13.3, MPLS label-switched paths (LSPs) can use generic routing
encapsulation(GRE) tunnels to traverse routingareas, autonomoussystems,and ISPs.
Bridging MPLS LSPs over an intervening IP domain is possible without disrupting the
outlying MPLS domain. This feature is supported on the Channelized OC3/STM1
(Multi-Rate) Circuit Emulation MIC with SFP and is defined in the RFC 4023,
Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE).
[See Configuring MPLS-Signaled LSPs to Use GRE Tunnels.]
• Support for SCBE2 (MX240, MX480, andMX960)—Starting in Junos OS Release13.3, the Enhanced SCB—SCBE2 supports the following features:
• Increased fabric bandwidth per slot
• Improved external clock redundancy
• Dynamic multicast replication only
• GRES
The following scenarios are to be noted when you are using an MX Series router with
an SCBE2:
• Youmust configure the set chassis network-services (enhanced-ip |
enhanced-ethernet) configuration command and reboot the router to bring up the
FPCs on the router. However, after the router reboots, the MS DPC, the MX FPC, and
the ADPC are powered off.
• All the FPCs and DPCs in the router are powered off when you reboot the router
without configuring either the enhanced-ip option or the enhanced-ethernet option
at the [edit chassis network-services] hierarchy level.
• Youmust reboot the router when you configure or delete the enhanced-ip option or
the enhanced-ethernet option at the [edit chassis network-services] hierarchy level.
41Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
[See Centralized Clocking Overview and Network Services Mode Overview.]
• Support for GPS external clock interface on the SCBE (MX240, MX480, andMX960)—Starting with Junos OS Release 13.3, you can configure the EnhancedSCB—SCBE—external clock interface to a GPS timing source, which enables you to
select a GPS external source as the chassis clock source. You can also configure the
external clock interface tooutput either the selectedchassis clock sourceor a recovered
line clock source with GPS timing signals of 1 MHz, 5 MHz, or 10 MHz with 1 pulse per
second (PPS).
[See Centralized Clocking Overview and Understanding Clock Synchronization onMX
Series Routers.]
• Support for mixed-ratemode (T4000 and TXMatrix Plus with 3D SIBs)—Startingwith Junos OS Release 13.3, dual-rate mode or mixed-rate mode for PF-24XGE-SFPP
allows you to configure a mix of port speeds of 1 Gigabit and 10 Gigabit. However, on
PF-12XGE-SFPP, note that youcanconfigureport speedsof either 1Gigabit or 10Gigabit
when the PIC is in line rate mode.
You can enable mixed-rate-mode and set port speeds with themixed-rate-mode
statement and the speed 1G |10G statement, respectively, at the [edit chassis fpc x pic
y] hierarchy level. You can disable themixed-ratemode by using the delete chassis fpc
x pic ymixed-rate-mode statement.
[See Configuring Mixed-Rate Mode Operation.]
• ExtendedMPC support for per-unit schedulers (MX Series)—Starting in Junos OSRelease 13.3, you can configure per-unit schedulers on the non-queuing 16x10GEMPC,
MPC3E, andMPC4E,meaning you can include the per-unit-scheduler statement at the
[edit interfaces interface name] hierarchy level. When per-unit schedulers are enabled,
you can define dedicated schedulers for the logical interfaces.
Enablingper-unit schedulerson the 16x10GEMPC,MPC3E, andMPC4Eaddsadditional
output to the show interfaces interface name [detail | extensive] command. This
additional output lists themaximumresourcesavailableand thenumberof configured
resources for schedulers.
[See Scheduler Maps and Shaping Rate to DLCIs and VLANs.]
• Provider edge link protection for BGP labeled unicast paths (M Series, MX Series,and T Series)—Starting in Junos OS Release 13.3, a precomputed protection path canbe configured in a Layer 3 VPN such that if a BGP labeled-unicast path between an
edge router in oneASand an edge router in another AS goes down, the protection path
(also known as the backup path) between alternate edge routers in the two ASs can
be used. This is useful in carrier-of-carriers deployments, where a carrier can have
multiple labeled-unicast paths to another carrier. In this case, the protection path
avoids disruption of service if one of the labeled-unicast paths goes down.
[See Understanding Provider Edge Link Protection for BGP Labeled Unicast Paths.]
• Redundant logical tunnels (MXSeries)—Beginningwith JunosOSRelease 13.3, whenyouconnect twodevices through logical tunnels, you cancreateandconfiguremultiple
physical logical tunnels and add them to a virtual redundant logical tunnel to provide
redundancy.
Copyright © 2017, Juniper Networks, Inc.42
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• License support to activate ports (MX104)—Starting with Junos OS Release 13.3,license support has been extended for activating the ports on MX104 3D Universal
Edge Routers. MX104 routers have four built-in ports. By default, in the absence of any
valid licenses, all four built-in ports are deactivated. The upgrade license model with
the feature IDs is described in Table 1 on page 43.
Table 1: Port LicenseModel for theMX104
FunctionalityFeature NameFeature ID
Ability to activate the first two built-in ports (xe-2/0/0 andxe-2/0/1)
MX104 2X10G Port Activate (0 and 1)F1
Ability to activate the next two built-in ports (xe-2/0/2 andxe-2/0/3)
MX104 2X10G Port Activate (2 and 3)F2
Both features are also provided in a single license key for ease of use. MX104 routers
do not support the graceful license expiry policy.
• Enhanced load-balancing for MIC andMPC interfaces (MX Series)—Starting withJunos OS Release 13.3, the following load-balancing solutions are supported on
aggregate Ethernet bundles to correct genuine traffic imbalance among themember
links:
• Adaptive—Uses real-time feedback and controlmechanism tomonitor andmanage
traffic imbalances.
• Per-packet randomspray—Randomly sprays thepackets to theaggregate next hops
to ensure that the next hops are equally loaded, resulting in packet reordering.
TheaggregatedEthernet load-balancing solutionsaremutually exclusive. Toconfigure,
use the adaptive or per-packet statement at the [edit interfaces aex
aggregated-ether-options load-balance] hierarchy level.
[See Example: Configuring Aggregated Ethernet Load Balancing.]
• Support for configuring interface alias names—Starting in JunosOSRelease 13.3, youcan configure a textual description of a logical unit on a physical interface to be the
alias of an interface name. Interface aliasing is supported only at the unit level. If you
configure an alias name, the alias name is displayed instead of the interface name in
the output of all show, show interfaces, and other operational mode commands.
Configuring an alias for a logical unit of an interface has no effect on how the interface
on the router or switch operates. To specify an interface alias, you can use the alias
statement at the [edit interfaces interface-name unit logical-unit-number] and [edit
logical-systems logical-system-name interfaces interface-nameunit logical-unit-number]
hierarchy levels.
[See Interface Alias NameOverview.]
• The request support informationcommand(MXSeries)—Starting in JunosOSRelease13.3, when you enter the request support information command with or without the
brief statement, the output includes the showsystemcommit commandoutput,which
displays the commit history and pending commits.
43Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• Pseudowire logical interfacedeviceMACaddressconfiguration(MXSeries)—Startingin Junos OS Release 13.3, you can configure a MAC address for a pseudowire logical
interface device that is used for subscriber interfaces over point-to-point MPLS
pseudowires. This feature enables you to specify the MAC address of your choice in
situations in which network constraints require the use of an explicit MAC address.
[See Configuring a Pseudowire Subscriber Logical Interface Device.]
• Support for synchronizing the CB of anMX2020 router with external BITS timingsources (MX2020)—Starting in Junos OS Release 13.3, this feature providesbuilding-integrated timing supply (BITS) input and output support to the two external
clock interfaces (ECI) on the Control Board. You can configure the ECIs for both input
and output BITS. In the absence of any configuration, the ECI is inactive.
You can configure the BITS ECI by using the synchronization statement at the [edit
chassis] hierarchy level. You can view the BITS ECI information by using the show
chassis synchronization extensive command.
[See Understanding Clock Synchronization onMX Series Routers.]
• Distribution of Ethernet connectivity fault management sessions (MXSeries)—Starting with Junos OS Release 13.3, connectivity fault management (CFM)sessions operate in distributedmode and can be processed on the Flexible PIC
Concentrator (FPC) on aggregated Ethernet interfaces. As a result, graceful Routing
Engine switchover (GRES) is supported on aggregated Ethernet interfaces. In releases
before Junos OS Release 13.3, CFM sessions operate in centralizedmode and are
processed on the Routing Engine. However, CFM sessions are not supported on
aggregated Ethernet interfaces if the interfaces that form the aggregated Ethernet
bundle are in mixedmode.
CFM sessions are distributed by default. To disable the distribution of CFM sessions
andtooperate incentralizedmode, include theppmno-delegate-processingstatement
at the [edit routing-options ppm] hierarchy level. However, all CFM sessions should
operate in either only distributed or only centralizedmode. Amixed operation of
distributed and centralizedmodes for CFM sessions is not supported.
[See IEEE 802.1ag OAMConnectivity Fault Management Overview.]
• Redundant logical tunnels (MXSeries)—Beginningwith JunosOSRelease 13.3, whenyouconnect twodevices through logical tunnels, you cancreateandconfiguremultiple
physical logical tunnels and add them to a virtual redundant logical tunnel to provide
redundancy.
[See Example: Configuring Redundant Logical Tunnels.]
• Source class accounting (T4000)—Starting with Junos OS Release 13.3R2, sourceclass usage (SCU) accounting is performed at ingress on a T4000 Type 5 FPC.
• SFPP-10G-CT50-ZR (MX Series)—Beginning in Junos OS Release 13.3R3, theSPFF-10G-CT50-ZR tunable transceiver provides a duplex LC connector and supports
the 10GBASE-Z optical interface specification andmonitoring. The transceiver is not
specified as part of the 10-Gigabit Ethernet standard and is instead built according to
Juniper Networks specifications. OnlyWAN-PHY and LAN-PHYmodes are supported.
To configure the wavelength on the transceiver, use thewavelength statement at the
Copyright © 2017, Juniper Networks, Inc.44
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
[edit interfaces interface-name optics-options] hierarchy level. The following interface
module supports the SPFF-10G-CT50-ZR transceiver:
MX Series:
• 16-port 10-GigabitEthernetMPC(modelnumber:MPC-3D-16XGE-SFPP)—Supported
in Junos OS Release 12.3R6, 13.2R3, 13.3R2, 14.1, and later.
Formore informationabout interfacemodules, see the “CablesandConnectors” section
in the Interface Module Reference for your router.
[See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications andwavelength.]
• PTP path tracemechanism onMX Series—Starting with Junos OS Release 13.3R4,you can use a path trace mechanism to detect PTP loops in a PTP ring topology over
an IPv4 network. A path trace is the route that aPTPannouncemessage takes through
the network trail of boundary clocks and is tracked through the path trace TLV in the
announcemessage. The path trace sequence contains the clock ID of each boundary
clock that an announcemessage traverses. To view the path trace, use the show ptp
path-trace detail operational mode command.
• Software feature support (MX104)—Starting in Junos OS Release 13.3, support isextended for the following software features on theMX1043DUniversal EdgeRouters:
• IP features—IPv6ProviderEdge(6PE),AccessNodeControlProtocol (ANCP),DHCP
snooping, DHCPOption-82, Multicast Listener Discovery (MLD), and Domain Name
System (DNS).
• MPLS features—MPLS Transport Profile (MPLS-TP), ATM Single Cell Relay over
MPLS (CRoMPLS) VCMode, Generalized MPLS (GMPLS), and VPNv6.
• Multicast features—Distance VectorMulticast Routing Protocol (DVMRP), Multicast
Listener Discovery (MLD), Multicast Listener Discovery (MLD) Snooping, draft
rosen-multicast VPNs, Multicast version 6, and DHCPv6.
• Layer 2 features—802.1ag threshold negotiation, 802.1X, and Media Access Control
Security (MACsec).
• Resiliency features—Lawful intercept, Inline J-Flow, dynamic ARP inspection (DAI),
reception of dying-gasp protocol data units (PDU), DHCP snooping for port security,
and nonstop active routing (NSR).
[See Protocols and Applications Supported by MX104 Routers.]
• Support for fabric black-hole detection and recovery in TXMatrix Plusrouters—Starting in Junos OS Release 13.3R7, TX Matrix Plus routers can detect andrecover from fabric faults that are not caused by hardware failure butmight be a result
of a fabric black-hole condition.
To recover from a fabric black-hole condition, the routing matrix uses the following
options:
• SIB reboot
• FPC reboot
45Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• Destination reprogramming
• Related faults recovery
You can disable the automatic recovery feature by using the auto-recovery-disable
statement at the [edit chassis fabric degraded] hierarchy level. You can configure the
FPCs to go offline when a traffic black-hole condition is detected in the routingmatrix
by using the fpc-offline-on-blackholing statement at the [edit chassis fabric degraded]
hierarchy level.
You can configure the FPCs to restart when a traffic black-hole condition is detected
in the routing matrix by using the fpc-restart statement at the [edit chassis fabric
degraded] hierarchy level.
[See auto-recovery-disable and fpc-offline-on-blackholing.]
• CFP-100GBASE-ZR (MX Series)—In Junos OS Release 13.3R6, 14.1R4, 14.2R3, and15.1R1 and later, the CFP-100GBASE-ZR transceiver provides advanced dual
polarization-quadraturephaseshift keying(DP-QPSK)coherentdigital signalprocessing
(DSP) and forward error correction (FEC)-enabled robust tolerance to optical
impairments and supports 80 km reach over single-mode fiber. The transceiver is not
specifiedaspart of IEEE802.3but is built according to JuniperNetworks specifications.
The following interface modules support the CFP-100GBASE-ZR transceiver:
• 2x100GE + 8x10GEMPC4E (MPC4E-3D-2CGE-8XGE)
• 100-Gigabit Ethernet MIC with CFP (MIC3-3D-1X100GE-CFP)
For more information about the interface modules, see the “Cables and Connectors”
section in theMXSeries Interface Module Reference.
[See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications and Supported
Network Interface Standards by Transceiver for ACX, M, MX, and T Series Routers.]
• Maximum generation rate for ICMP and ICMPv6messages is configurable (MXSeries)—Starting in Junos OS Release 13.3R5, you can configure the maximum rate at
which ICMP and ICMPv6messages that are not ttl-expired are generated by using the
icmp rate limit and icmp6 rate limit configuration statements at the [edit chassis]
hierarchy level.
• VLAN demux support added toMS-DPC (MX Series)—Starting in Junos OS Release13.3R7, the MS-DPC supports VLAN demux interfaces.
Copyright © 2017, Juniper Networks, Inc.46
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
IPv6
• New forwarding-class-accountingstatement(MXSeries)—Starting in JunosOSRelease13.3R3, new forwardingclassaccounting statistics canbeenabledat the [edit interfaces
interface-name] and [edit interfaces interface-nameunit interface-unit-number] hierarchy
levels. These statistics replace the need to use firewall filters for gathering accounting
statistics. Statistics can be gathered in ingress, egress, or both directions. Statistics
are displayed for IPv4, IPv6, MPLS, Layer 2, and Other families.
NOTE: If you implement this feature inRelease 13.3R3,contact JTACbeforeupgrading to Release 14.1R1 or later.
Layer 2 Features
• Computation of the Layer 2 overhead attribute in interface statistics (TSeries)—Starting in Junos OS Release 13.3, on T Series routers, you can configure anattribute at the PIC level to include the Layer 2 overhead (header and trailer bytes) in
the physical interface and logical interface statistics for both ingress and egress
directions. Both the transit and total statistical information includes the Layer 2
overhead in theoutputof theshowinterfaces interface-namecommandforeachphysical
or logical interface on that PIC.
The ifInOctets and ifOutOctets MIB objects display statistics that include Layer 2
overhead bytes.
MPLS
• Multisegment pseudowire for FEC 129 (M Series, MX Series, and T Series)—JunosOS Release 13.3 and later releases provide support for establishing a dynamic
multisegmentpseudowire (MS-PW)withFEC129 inanMPLSpacket-switchednetwork
(PSN). The stitching provider edge (S-PE) devices in anMS-PWare automatically and
dynamically discovered by BGP, and the pseudowire is signaled by LDP using FEC 129.
This arrangement requires minimum provisioning on the S-PEs, thereby reducing the
configuration burden that is associatedwith statically configured Layer 2 circuits while
still using LDP as the underlying signaling protocol.
TheMS-PW feature also provides operation, administration, andmanagement (OAM)
capabilities, such as ping, traceroute, and Bidirectional Forwarding Detection (BFD),
from the terminating PE (T-PE) devices of an MS-PW.
[See Example: Configuring a Multisegment Pseudowire.]
• Control word for BGP VPLS (M320 andMX Series)—For hash calculation, transitrouters must determine the payload. While parsing an MPLS encapsulated packet for
hashing, a transit router can incorrectly calculate an Ethernet payload as an IPv4 or
IPv6 payload if the first nibble of the DAMAC is 0x4 or 0x6, respectively. This false
positive can cause out-of-order packet delivery over a pseudowire. Starting in Junos
OS Release 13.3R3, this issue can be avoided by configuring a BGP VPLS PE router to
47Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
request that other BGP VPLS PE routers insert a control word between the label stack
and the MPLS payload.
Multicast
• IGMP and PIM snooping support (MPC3E andMPC4E onMX240, MX480, andMX960)—Starting with Junos OS Release 13.3, IGMP snooping and PIM snooping are
supported on the MX240, MX480, and MX960 and with Modular Port Concentrators
(MPC) MPC3E and MPC4E.
NetworkManagement andMonitoring
• System logmessages to indicate checksum errors on the DDR3 interface—Startingin Junos OS Release 13.3R9, two new system logmessages,
XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MINOR and
XMCHIP_CMERROR_DDRIF_INT_REG_CHKSUM_ERR_MAJOR, are added to indicate
memory-related problems on the interfaces to the double data rate type 3 (DDR3)
memory. These error messages indicate that an FPC has detected a checksum error,
which is causing packet drops.
The following error threshold values classify the error as amajor error or a minor error:
• Minor error— 6-254 errors per second
• Major error—255 andmore errors per second
• Configuring SNMP tomatch jnxNatObjects values for MS-DPC andMS-MIC (MXSeries)—Starting in Junos OS Release 13.3R7, you can configure thesnmp-value-match-msmic statement at the [edit services service-set service-set-name
nat-options] hierarchy level.
In networks where both MS-DPC and MS-MIC are deployed, you can configure this
statement to ensure that the values for MS-MIC-specific objects in the jnxNatObjects
MIB table match the values for MS-DPC objects. By default, this feature is disabled.
You can use the deactivate services service-set service-set-name nat-options
snmp-value-match-msmic configuration mode command to disable this feature.
• BFD session enhancements (MX Series routers with MPCs or MICs)—Starting inJunosOSRelease 13.3, the followingBFDsessionenhancementshavebeen introduced:
• enhanced-ip option—For BFD over aggregated Ethernet (ae) interfaces, configuringtheenhanced-ipoptionat the [editchassisnetwork-services]hierarchy level increases
the number of BFD sessions. When you activate or deactivate this option, the router
must be rebooted.
• Inlinemode—This enables the router to transmit and receive BFD packets from the
FPChardware. Currently, for BFDover aggregated Ethernet (ae) interfaces, the inline
mode is supported only on MX Series routers with MPCs/MICs that have configured
theenhanced-ipoption. ForBFDoverGigabit Ethernet interfacesandVLAN interfaces,
the inlinemode is supportedbydefault onall theMXSeries routerswithMPCs/MICs.
• Unified ISSU timer negotiation—During unified ISSU, the timer for BFD sessions isincreased from the configured value to 60 seconds.
Copyright © 2017, Juniper Networks, Inc.48
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Support for BFD over child links of AE or LAG bundle (cross-functional PacketForwarding Engine/kernel/rpd) (M Series, MX Series, and T Series)—Beginning inJunos OS Release 13.3, BFD over child links of an AE or LAG bundle is supported. This
feature provides a Layer 3 BFD liveness detection mechanism for child links of the
Ethernet LAG interface. You can enable BFD to run on individual member links of the
LAG tomonitor the Layer 3 or Layer 2 forwarding capabilities of individual member
links. Thesemicro BFD sessions are independent of each other despite having a single
client that manages the LAG interface. To enable failure detection for aggregated
Ethernet interfaces, include thebfd-liveness-detection statementat the [edit interfaces
aex aggregated-ether-options bfd-liveness-detection] hierarchy level.
[See Understanding Independent Micro BFD Sessions for LAG.]
• Support for the interface-setSNMP index(MXSeries)—StartingwithRelease 13.3R5,Junos OS supports the interface-set SNMP index that provides information about
interface-set queue statistics. The following interface-set SNMP index MIBs are
introduced in the Juniper Networks enterprise-specific Class-of-Service MIB:
• jnxCosIfTable in jnxCosMIB
• jnxCosIfsetQstatTable in jnxCosMIB
[See jnxCosIfTable and jnxCosIfsetQstatTable.]
OpenFlow
• Support for OpenFlow v1.0 (MX80, MX240, MX480, andMX960)—Starting withJunos OS Release 13.3, the MX80, MX240, MX480, and MX960 routers support
OpenFlow v1.0. OpenFlow enables you to control traffic in an existing network using
a remote controller by adding, deleting, andmodifying flows on a switch. You can
configure oneOpenFlow virtual switch and one activeOpenFlow controller at the [edit
protocols openflow] hierarchy level on each device running Junos OS that supports
OpenFlow. On MX Series routers that support OpenFlow, you can also direct traffic
fromOpenFlow networks over MPLS networks by using logical tunnel interfaces and
MPLS LSP tunnel cross-connects.
[SeeOpenFlow Feature Guide.]
Platform and Infrastructure
• VirtualRouteReflector(VRR)—Starting in JunosOSRelease 13.3R3, youcan implementroute reflector capabilityusingageneralpurposevirtualmachineona64-bit Intel-based
blade server or appliance. Benefits of the VRR are:
• Improved scalability (depending on the server core hardware use)
• Scalability of the BGP network with lower cost using VRR at multiple locations in
the network
49Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• Fast andmore flexible deployment using Intel servers rather than router hardware
• Space savings through elimination of router hardware
Port Security
• Static ARPwithmulticast MAC address for an IRB interface—Starting in Junos OSRelease 13.3, you can configure a static ARP entry with a multicast MAC address for
an IRB interface that acts as the gateway to the network load balancing (NLB) servers.
Earlier, the NLB servers dropped packets with a unicast IP address and amulticast
MAC address. Junos OS Release 13.3 supports the configuration of a static ARP with
amulticast MAC address.
To configure a static ARP entry with a multicast MAC address for an IRB interface,
configure the ARP entry at the [edit interfaces irb unit logical-unit-number family inet
address address] hierarchy level.
irb {unit logical-unit-number{family inet {address address{arp addressmulticast-macmac-add;
}}
}}
Routing Policy and Firewall Filters
• Using a firewall filter to prevent or allow datagram fragmentation (MXSeries)—Starting in Junos OS Release 13.3, you can define a firewall filter term to
prevent or allow datagram fragmentation by setting or clearing the Don’t Fragment
flag in the IPv4 header of packets that are matched by the filter. Specify the desired
action at the [edit firewall family inet filter filter-name term term-name then action]
hierarchy level.
• To prevent fragmentation of the IP datagram, include the dont-fragment set action
in a term to set the dont-fragment bit to one.
• To allow fragmentation of the IP datagram, include the dont-fragment clear action
in a term to clear the dont-fragment bit to zero.
[See Configuring a Firewall Filter to Prevent or Allow IPv4 Packet Fragmentation and
Firewall Filter Nonterminating Actions.]
• Newfirewall filtergre-keyfieldmatchcondition—Starting in JunosOSRelease 13.3R3,there is a new gre-key match condition at the [edit firewall family inet filter filter-name
term term-name from] hierarchy level. The gre-key match condition allows a user to
match against the gre key field which is an optional field in gre encapsulated packets.
The key can bematched as a single key value and or a range of key values.
• Support for consistent load balancing for ECMP groups (MX Series routers withMPCs)—Starting in Junos OS Release 13.3R3, onMX Series 3D Universal Edge Routerswithmodular port concentrators (MPCs) only, you can prevent the reordering of flows
Copyright © 2017, Juniper Networks, Inc.50
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
to active paths in an ECMP group when one or more paths fail. Only flows that are
inactive are redirected. This feature applies only to Layer 3 adjacencies learned through
external BGP connections. It overrides the default behavior of disrupting all existing,
includingactive, TCPconnectionswhenanactivepath fails. Include the consistent-hash
statement at the [edit policy-options policy-statement policy-statement-name then
load-balance] hierarchy level. Youmust also configure a global per-packet
load-balancing policy.
[See Actions in Routing Policy Terms. ]
• New fast-lookup-filterstatementonMX240,MX480,MX960,MX2010,andMX2020routerswithMPC5E,MPC5EQ, andMPC6EMPCs and compatibleMICs—Starting inJunos OS Release 13.3R3, the fast-lookup-filter option is available at the [edit firewall
family (inet | inet6) filter filter-name] hierarchy level. This allows for hardware assist
from compatible MPCs in the firewall filter lookup. There are 4096 hardware filters
available for thispurpose, eachofwhichcansupport up to255 terms.Within the firewall
filters and their terms, ranges, prefix lists, and the except keyword are all supported.Only the inet and inet6 protocol families are supported.
• Newaction settings for firewall filter termwhen next-interface is down—In previousversions of JunosOS, if the then clause of a firewall filter termwas set to next-interface
and that next interface went down, traffic was lost because the default action is to
drop the packet.
Starting in Junos OS Release 13.3R3, the actions accept and next term are available at
the [edit firewall family inet filter filter-name term term-name then next-interface
interface-name] hierarchy level. There is no new configuration option available if the
firewall filter term action is set to next-ip, meaning that if the next-ip is down, traffic is
still dropped.
The action configured at this level only becomes active if the next-interface is down
and the ARP on the interface is cleared. If not configured, the default action is to drop
the packet.
Routing Protocols
• Support forBMPversion3—Starting in JunosOSRelease 13.3, BGPmonitoringprotocol(BMP)version3 is supported.BMPallowsa remotedevice (theBMPstation) tomonitor
BGP as it is running on a router or group of routers. BMP version 3 includes substantial
additional functionality versusversion 1. TheBMPversion3configuration is incompatible
with the old version. If you are running BMP version 1 on your Juniper Networks devices,
be sure to update your BMP configurationwhen you upgrade to JunosOSRelease 13.3.
[See Configuring BGPMonitoring Protocol Version 3.]
• Support for consistent load balancing for ECMP groups (MX Series routers withMPCs)—Effective in JunosOSRelease 13.3R3, onMXSeries 3DUniversal EdgeRouterswithmodular port concentrators (MPCs) only, you can prevent the reordering of flows
to active paths in an ECMP group when one or more paths fail. Only flows that are
inactive are redirected. This feature applies only to Layer 3 adjacencies learned through
external BGP connections. It overrides the default behavior of disrupting all existing,
includingactive, TCPconnectionswhenanactivepath fails. Include the consistent-hash
statement at the [edit policy-options policy-statement policy-statement-name then
51Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
load-balance] hierarchy level. Youmust also configure a global per-packet
load-balancing policy.
[See Actions in Routing Policy Terms. ]
• Recursive DNS server ICMPv6 router advertisement option support (M Series, MXSeries, and T Series)—Beginning with Junos OS Release 13.3R4, you can configure amaximum of three recursive DNS server addresses and their respective lifetimes via
static configuration at interface level for IPv6 hosts. Previously, rpd supported only
link-local address information, prefix information, and the link MTU. The router
advertisement-based DNS configuration is useful in networks where an IPv6 host’s
address is auto-configured through an IPv6 stateless address and where there is no
DHCPv6 infrastructure available.
Toconfigure the recursiveDNSserveraddress, include thedns-server-addressstatement
at the [edit protocols router-advertisement interface interface-name] hierarchy level.
[See Example: Configuring Recursive DNS Address.]
Services Applications
• EnablingLayer2ProtocolTunneling(L2PT)support forVLANSpanningTreeProtocol(VSTP) and per-VSTP (MX Series routers with MPC/MICs)—Starting in Junos OSRelease 13.3, this feature enables L2PT support for VSTP/PVSTP.
[See layer2-control.]
You can also enable rewriting of the MAC address for an interface using the
enable-all-ifl option.
[Seemac-rewrite.]
• Chainedcompositenexthops(MXSeriesandTSeries)—Starting in JunosOSRelease13.3, the support of chained composite next hops for directly connected provider edge
(PE) routers varies fromoneplatform toanother.OnMXSeries routers containingboth
DPC and MPC FPCs, chained composite next hops are disabled by default. To enable
chained composite next hops on the MX240, MX480, and MX960, the chassis must
be configured to use the enhanced-ip option in network services mode. On T4000
routers containingMPCandFPCs, chainedcompositenexthopsaredisabledbydefault.
To enable chained composite next hops on a T4000 router, the chassis must be
configured to use the enhanced-mode option in network services mode.
• Data plane inline support added for 6rd and 6to4 tunnels connecting IPv6 clientsto IPv4 networks onMX Series routers with MPC line cards—Starting with Release13.3R3, Junos OS supports inline 6rd and 6to4 on Modular Port Concentrator (MPC)
line cards with Trio chipsets, saving customers the cost of using MS-DPCs for the
required tunneling, encapsulation, and decapsulation processes. Anycast is supported
for 6to4 (next-hop service interfaces only). Hairpinning is also supported for traffic
between 6rd domains.
There are no CLI changes for 6rd and 6to4 configurations. To implement the inline
functionality, configure service interfaces on theMPC card as inline services interfaces
(si-) rather than as MultiServices (ms-) interfaces.
Copyright © 2017, Juniper Networks, Inc.52
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Two new operational commands have been added: show services inline softwire
statistics and clear services inline softwire statistics.
• IPsec invalid SPI notification (MXSeries and T Series)—Starting in Junos OS release13.3R4, you can enable automatic recovery when peers in a security association (SA)
become unsynchronized. When peers become unsynchronized, this can cause the
transmission of packets with invalid security parameter index (SPI) values and the
dropping of those packets by the receiving peer. You can enable automatic recovery
by using the new respond-bad-spi max-responses configuration statement, which
appears under the hierarchy level [edit services ipsec-vpn ike policy]. This statement
results in a resynchronization of the SAs.
The max-responses value has a default of 5 and a range of 1 through 30.
• Support forRPMprobeswith IPv6sourcesanddestinations (MXSeries routerswithMPCs)—Starting with Junos OS Release 13.3R5, the RPM client router (the router or
switch that originates the RPM probes) can send probe packets to the RPM probe
server (the device that receives the RPM probes) that contains an IPv6 address. To
specify thedestination IPv6address used for theprobes, include the target (url ipv6-url
| address ipv6-address) statement at the [edit services rpmprobeowner test test-name]
hierarchy level. You canalsodefine theRPMclient or the source that sentsRPMprobes
to containan IPv6address. To specify the IPv6protocol-related settingsand the source
IPv6addressof theclient fromwhich theRPMprobesaresent, include the inet6-options
source-address ipv6-address statement at the [edit services rpm probe owner test
test-name] hierarchy level.
Software Installation and Upgrade
• Support for autoinstallation of satellite devices in a JNU group—In a Junos NodeUnifier (JNU) topology that contains anMX Series router as a controller that manages
satellite devices, such as EX Series Ethernet Switches, QFX Series devices, and ACX
Series Universal Access Routers, the autoinstallation functionality is supported for the
satellite devices. Starting in Junos OS Release 13.3, JNU has an autoinstallation
mechanism that enables a satellite device to configure itself out-of-the-box with no
manual intervention, using the configuration available either on the network or locally
through a removable media, or using a combination of both. This autoinstallation
method is also called the zero-touch facility.
A JNU factory default file, jnu-factory.conf, is present in the /etc/config/ directory and
contains the configuration to perform autoinstallation on satellite devices. The
zero-touch configuration can be disabled by including the delete-after-commit
statement at the [edit system autoinstallation] hierarchy level and committing the
configuration.
[See Autoinstallation of Satellite Devices in a Junos Node Unifier Group and Configuring
Autoinstallation on JNU Satellite Devices.]
• Validate system software against running configuration on remote host—Beginningwith Junos OS Release 13.3R8, you can use the on (host host <username username> |
routing-engine routing-engine) option with the request system software validate
package-name command to verify candidate system software against the running
configuration on the specified remote host or Routing Engine.
53Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
• Validate system software add against running configuration on remote host orrouting engine—Beginning with Junos OS Release 13.3R8, you can use thevalidate-on-host hostname and validate-on-routing-engine routing-engine optionswith
the requestsystemsoftwareaddpackage-namecommandtoverifyacandidatesoftware
bundle against the running configuration on the specified remote host or Routing
Engine.
Subscriber Management and Services (MX Series)
• Pseudowire subscriber logical interfacesMPCsupport—Starting in JunosOSRelease13.3, pseudowire subscriber logical interfaces are supported on MPCs with Ethernet
MICs only.
• Service packet counting (MX Series)—Starting in Junos OS Release 13.3, you canconfigure the counters that subscriber management uses when capturing volume
statistics for subscribers on a per-service session basis.
• Inline countersare capturedwhen theeventoccurs, anddonot includeanyadditional
packet processing events that occur after the event.
• Deferred counters are not incremented until the packet is queued for transmission,
and therefore include theentirepacketprocessing.Deferredcountersprovideamore
accurate packet count than inline counters, and are more useful for subscriber
accounting and billing.
NOTE: Fast update filters do not support deferred counters.
[See Configuring Service Packet Counting.]
• RADIUS logical line identifier (MX Series)—Starting in Junos OS Release 13.3, serviceproviders can use a virtual port feature, known as the logical line ID (LLID), tomaintain
a reliable and up-to-date customer database for those subscribers whomove from
one physical line to another. The LLID, which is based on the subscriber's user name
and circuit ID, is mapped to the subscriber's physical line. When the subscriber moves
to a different physical line, the service provider database is updated to map the LLID
to the new physical line. Subscriber management supports the LLID feature for PPP
subscribers over PPPoE, PPPoA, and LAC.
[See RADIUS Logical Line Identifier (LLID) Overview.]
• Configurable timers for DHCPv6 address-assignment pools (MX Series)—Startingin Junos OS Release 13.3, subscriber management on MX Series routers supports
configurable timers for address-assignment pools that are used by a DHCPv6 local
server. In addition to the previously supportedmaximum-lease-time timer, you can
configure the valid-lifetime and preferred-lifetime timers to manage address leases
provided by address-assignment pools. You can also configure the renew (T1) and
rebind(T2) times thatsubscribermanagementuses toextendthe lifetimesofaddresses
obtained from an address-assignment pool.
[See DHCPv6 Lease Timers.]
Copyright © 2017, Juniper Networks, Inc.54
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• DHCP statements and options (MX Series)—Starting in Junos OS Release 13.3, youcan use the following statements and options for DHCP subscriber management
support:
• delay-authentication—New statement that conserves managed resources on the
router by delaying subscriber authentication until the DHCP request processing
phase.
• duplicate-clients-in-subnet—New statement that configures how the router
distinguishes between duplicate clients in the same subnet. This replaces the
duplicate-clients-on-interface statement, which is now obsolete.
• incoming-interface—Newoption thatprovides secondary identificationmatchcriteria
for the DHCP auto logout feature when there are duplicate clients.
• option hex-string—New option that enables the use of the hex-string option type for
user-defined DHCP attribute options that are added to client packets.
• server-response-time—New statement that configures the timeframe during which
the router monitors DHCP server responsiveness. The router generates a system log
message when the DHCP server does not respond to relayed packets during the
specified time.
[See client-discover-match, delay-authentication, server-response-time, option, and
duplicate-clients-in-subnet.]
• Support for agent circuit identifier filtering in PPPoE subscriber session lockout(M120, M320, andMX Series)—Starting in Junos OS Release 13.3, extend PPPoEsubscriber session lockout has been extended to support identification and filtering of
PPPoEsubscriber sessionsbyeither theagent circuit identifier (ACI) valueor theunique
MAC source address on static or dynamic VLAN and static or dynamic VLAN demux
underlying interfaces. In earlier Junos OS releases, PPPoE subscriber session lockout
identified and filtered subscriber sessions only by their unique MAC source address.
ACI-based or MAC-based PPPoE subscriber session lockout prevents a failed or
short-lived PPPoE subscriber session from reconnecting to the router for a default or
configurable time period. ACI-based PPPoE subscriber session lockout is useful for
configurations such as PPPoE interworking in which MAC source addresses are not
unique on the PPPoE underlying interface.
ToconfigureACI-basedPPPoEsubscriber session lockout, use theshort-cycle-protection
statement with the filter aci option. To clear an ACI-based lockout condition, issue the
clear pppoe lockout command with the aci option.
[See PPPoE Subscriber Session Lockout Overview.]
• Subscriber management and services feature parity (MX80)—Starting in Junos OSRelease 13.3, the MX80 supports all subscriber management and services features
that are supported by the MX240, MX480, and MX960 routers. Previously, the MX80
router matched feature support for these routers as of Junos OS Release 11.4.
• Subscriber management and services feature and scaling parity (MX2010 andMX2020)—Starting in Junos OS Release 13.3, the MX2010 and the MX2020 supportall subscriber management and services features that are supported by the MX240,
55Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
MX480, and MX960 routers. In addition, the scaling and performance values for the
MX2010 and the MX2020match those of MX960 routers.
[See Protocols and Applications Supported by MX240, MX480, MX960, MX2010, and
MX2020MPCs,ProtocolsandApplicationsSupportedbyMX240,MX480,MX960,MX2010,
andMX2020 EnhancedMPCs (MPCEs), Protocols and Applications Supported by the
MX240, MX480, MX960, MX2010, andMX2020MPC3E, and Protocols and Applications
Supported by the MX240, MX480, MX960, MX2010, andMX2020MPC4Es.]
• Per-subscriber support for multiple instances of the same service with differentparameters (MX Series routers with MPCs or MICs)—Starting In Junos OS Release13.3, a subscriber can havemultiple instances of the same service, provided that each
service instance has a different set of parameters. In earlier Junos OS releases, each
subscriber was limited to only a single instance of each service.
You can configure a specific service instance for a particular subscriber by specifying
a service name and unique service parameters for that instance. Each service instance
is uniquely identified by the combination of its service name and service parameters.
Use the request network-access aaa subscriber delete command to deactivate all
instances of a subscriber service by specifying only the service name, or to deactivate
a specific instance of a service by specifying both the service nameand its parameters.
In earlier Junos OS releases, you deactivated a service by specifying only its service
name, but not its service parameters.
[See Subscriber Services with Multiple Instances Overview.]
• RADIUS accountingmessages for dual-stack subscribers (MX Series)—Starting inJunos OS Release 13.3, when an IPv6 address is assigned using DHCPv6, the RADIUS
interimaccountingmessage includes theassigned IPv6address. If thedelegatedprefix
is provided to the client using DHCPv6-PD, the RADIUS interim accounting message
includes the delegated prefix (IA_PD, such as /56). The
address-change-immediate-updatestatement isnoweffective foranyaddressallocation
changeafteranAcct-Startmessage is issued(for IPv6NCPandDHCPv6).An immediate
Interim-Acctmessage is sentuponanysubsequentDHCPv6negotiationandallocation
whennewallocatedaddressesareadded.After IPv6NCPnegotiation,DHCPv6address
allocation and negotiation occurs.
[See RADIUS Accounting Messages for Dual-Stack Subscribers.]
• Support for IPv6 for TACACS+ authentication (MSeries, MX Series, and T Series)—StartingwithRelease 13.3, JunosOSsupports IPv6alongwith theexisting IPv4 support
for user authentication using TACACS+ servers.
• Configurable L2TP receive window size (MX Series)—Starting in Junos OS Release13.3, the new rx-window-size statement at the [edit services l2tp tunnel] hierarchy level
enables you to specify the size of the receive window in the range 4 through 128 on an
L2TP LAC or LNS. The default value is 4. The ReceiveWindow Size AVP (Attribute
Type 10) is not sent in the SCCRQmessage when the default value is configured on a
LAC or in the SCCRPmessage when configured on an LNS.
[See Setting the L2TP ReceiveWindow Size.]
Copyright © 2017, Juniper Networks, Inc.56
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Clearing ANCP statistics (MX Series)—Starting in Junos OS Release 13.3, you canclear all ANCPstatisticswith the clearancpstatistics command.Youcanclear statistics
for a particular neighbor identified by the neighbor’s IP address with the clear ancp
statistics ip-address ip-address command. You can clear statistics for a particular
neighbor identified by the neighbor’s IP address with the clear ancp statistics
system-namemac-address command.
[See Clearing and Verifying ANCP Statistics.]
• ANCP agent support for nonzero partition IDs (MX Series)—Starting in Junos OSRelease 13.3, the ANCP agent on the router can form adjacencies with multiple logical
partitions on a neighbor when you enable the agent to learn partition IDs during
adjacency negotiation with the neighbor. If the agent receives a SYNmessage from
the neighbor within a configurable period, the agent learns the partition IDs and can
form adjacencies with the partitions. The agent can form an adjacency only with the
neighbor if the SYN is not receivedwithin the period, the partition ID is zero, or learning
is not enabled.
[See Configuring the ANCP Agent to Learn ANCP Partition IDs.]
• Dynamic protocol version detection for ANCP (MX Series)—Starting in Junos OSRelease 13.3, when an ANCP neighbor opens adjacency negotiations, it indicates the
highest version of ANCP that it supports. ANCP neighborsmust be able to identify the
supported versions because ANCP Version 1, defined in RFC 6320, Protocol for Access
Node Control Mechanism in Broadband Networks, is not interoperable with the earlier
version based on GSMPv3.
During negotiation, the receiving neighbor returns the value sent by the other neighbor
if it supports that version, or drops the message if it does not. You can still configure
the router to operate in pre-ietf mode for interoperability with neighbors that support
only GMSPv2.
[See ANCP Topology Discovery and Traffic Reporting Overview.]
• Support forANCPgeneric responsemessagesandresultcodes(MXSeries)—Startingin Junos OS Release 13.3, the ANCP agent supports receipt of generic response
messages. Upon receipt, the router generates a system log, increments the generic
messagecounters,and increments the resultcodecounters.Generic responsemessages
(GRMs) are typically sent instead of specific responsemessageswhen no information
needs to be sent other than a result of success or failure. When themessage reports
a failure, it must include one of eight result codes to indicate the cause. A GRM can
also be sent independent of a request when the failure causes the adjacency to be
shut down.
[See ANCP Topology Discovery and Traffic Reporting Overview.]
• Support for sending and receiving the ANCP Status-Info TLV (MX Series)—Startingin Junos OS Release 13.3, the Status-Info TLV supplements the generic response
message result codes and provides information about a warning or error condition.
Although usually included in generic responsemessages, the TLV can also be included
inotherANCPmessage types.TheStatus-InfoTLVmustbe included ingeneric response
messages when the result code indicates a port is down, a port does not exist, a
mandatory TLV is missing, or a TLV is invalid.
57Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
[See ANCP Topology Discovery and Traffic Reporting Overview.]
• DNS address assignment in DHCPv6 IA_NA and IA_PD environments (MXSeries)—Starting in Junos OS Release 12.3R3 and Release 13.3 (but not in Releases13.1 and 13.2), the DHCPv6 local server returns the DNS server address (DHCPv6
attribute 23) as a global DHCPv6 option, rather than as an IA_NA or IA_PD suboption.
DHCPv6 returns theDNSserveraddress that is specified in the IA_PDor IA_NApools—if
both address pools are requested, DHCPv6 returns the address specified in the IA_PD
pool only, and ignores any DNS address in the IA_NA pool.
In releases earlier than 12.3R3, and in Releases 13.1 and 13.2, DHCPv6 returns the DNS
server address as a suboption inside the respective DHCPv6 IA_NA or IA_PD header.
You can use themulti-address-embedded-option-response statement at the [edit
systemservicesdhcp-local-serverdhcpv6overrides]hierarchy level to revert to theprior
behavior. However, returning the DNS server address as a suboption can create
interoperability issues for some CPE equipment that cannot recognize the suboption
information.
[See DHCPv6 Options in a DHCPv6Multiple Address Environment.]
• Support for filtering trace results by subscribers for AAA, L2TP, and PPP (MXSeries)—Starting in Junos OS Release 13.3, you can filter trace results for someprocesses by subscriber. The reduced set of results simplifies troubleshooting in a
scaled environment. Specify the useruser@domain option at the appropriate hierarchy
level:
• AAA (authd)—[edit system processes general-authentication-service traceoptions
filter]
• L2TP (jl2tpd)—[edit services l2tp traceoptions filter]
• PPP (jpppd)—[edit protocols ppp-service traceoptions filter]
You can filter on the user, the domain, or both. You can use a wildcard (*) at the
beginningor endof each term, as in the following examples: [email protected], tom*,
*tom, *ample.com, tom@ex*, tom*@*example.com.
You cannot filter results using a wildcard in the middle of the user or domain, as in the
following examples: tom*[email protected], tom125@ex*.com.
Traces that have insufficient information to determine the subscriber username are
automatically excluded from the results.
• Overriding the preferred source address as the source address of NeighborSolicitation/Neighbor Advertisement (NS/NA) on unnumbered interfaces (MXSeries)—By default, if a preferred source address is configured on an unnumberedinterface, thatpreferredaddress is usedas the sourceaddressofNS/NA. If nopreferred
sourceaddress is configured, the routerusesasuitableaddressbasedon thedestination
address scope. Starting in Junos OS Release 13.3, you can configure the router to
override the default configuration of using the preferred source address for NS/NA.
The router ignores thepreferred sourceaddressandusesanappropriateaddressbased
on the destination address scope.
• DHCPv6 local server and relay agent usernameandoption 37 (MXSeries)—Startingin Junos OS Releases 12.3R7, 13.2R4, and 13.3R2, the router supports the generation of
Copyright © 2017, Juniper Networks, Inc.58
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
an ASCII version of the authentication username. When you configure DHCPv6 local
server or relay agent to concatenate the authentication username with the Agent
Remote-IDoption37, the router usesonly the remote-idportionofoption37and ignores
the enterprise number.
The router no longer supports the enterprise-id and remote-id options for the
relay-agent–remote-id statement.
• Subscribermanagement and services feature and scaling parity (MX104)—Startingin Junos OS Release 13.3R3, the MX104 router supports all subscriber management
and services features that are supported by the MX80 router. In addition, the scaling
and performance values for the MX104 router match those of the MX80 router.
• DHCPrelayagent forclients indifferentVRFthanDHCPserver (MXSeries)—Startingin JunosOSRelease 13.3R3, subscribermanagementprovides enhanced securitywhen
exchanging DHCPmessages between a DHCP server and DHCP clients that reside in
different virtual routing instances (VRFs). The DHCP cross-VRFmessage exchange
uses the DHCP relay agent to ensure that there is no direct routing between the client
VRF and the DHCP server VRF.
To exchange DHCPmessages between the two VRFs, you configure both the server
side and the client side of the DHCP relay to permit traffic based on the Agent Circuit
ID (DHCP option 82 suboption 1) in DHCPv4 packets and the Relay Agent Interface-ID
(DHCPv6 option 18) in DHCPv6 packets.
• Subscriber management and services feature and scaling parity (MX2010 andMX2020)—Starting in Junos OS Release 13.3, the MX2010 and the MX2020 supportall subscriber management and services features that are supported by the MX240,
MX480, and MX960 routers. In addition, the scaling and performance values for the
MX2010 and the MX2020match those of MX960 routers.
• Support for up to 256L2TP tunnel groups (MXSeries)—Starting in JunosOSRelease13.3R7, you can configure and commit up to 256 tunnel groups. In earlier releases, the
CLI prevents you from committing the configuration when you create more than 32
groups.
• Support for PPPoE-Description VSA (MX Series)—Starting in Junos OS Release13.3R8, you can use Juniper Networks VSA 26-24 (PPPoE Description) when using
RADIUS to authenticate subscribers based on the client MAC address.
Juniper Networks VSA 26-24 is supported for Access-Request, Accounting-Start,
Accounting-Stop, and Interim-accounting messages.
59Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
VPNs
• Enhancedmulticast VPNs traceoptions statement (M Series, MX Series, and TSeries)—Starting in JunosOSRelease 13.3, themulticastVPNs traceoptions statementhasbeen enhanced. You cannowconfigure this statement at the [edit protocolsmpvn]
hierarchy level. Inaddition, the following traceoption flagshavebeenadded:cmcast-join,
inter-as-ad, intra-as-ad, leaf-ad,mdt-safi-ad, source-active, spmsi-ad, tunnel, and umh.
[See Tracing MBGPMVPN Traffic and Operations.]
• Enhanced egress protection in Layer 3 VPNs (M Series, MX Series, and TSeries)—Starting in Junos OS Release 13.3, enhanced point-of-local-repair (PLR)functionality is available, in which the PLR reroutes service traffic during an egress
failure. As part of this enhancement, the PLR router no longer needs to be directly
connected to the protector router. Previously, if the PLR was not directly connected
to the protector router, the loop-free alternate route did not find the backup path to
the protector. A new configuration statement, advertise-mode, enables you to set the
method for the interior gateway protocol (IGP) to advertise egress protection
availability.
[See Configuring Layer 3 VPN Egress Protection with RSVP and LDP.]
• Control word for BGP VPLS (M320 andMX Series)—For hash calculation, transitrouters must determine the payload. While parsing an MPLS encapsulated packet for
hashing, a transit router can incorrectly calculate an Ethernet payload as an IPv4 or
IPv6 payload if the first nibble of the DAMAC is 0x4 or 0x6, respectively. This false
positive can cause out-of-order packet delivery over a pseudowire. Starting in Junos
OS Release 13.3R3, this issue can be avoided by configuring a BGP VPLS PE router to
request that other BGP VPLS PE routers insert a control word between the label stack
and the MPLS payload.
• Loop prevention in VPLS network due toMACmoves (MX Series)—Starting withJunos OS Release 13.3R3, the base learning interface approach and the statistical
approach can be used to prevent a loop in a VPLS network by disabling the suspect
customer facing interface that is connected to the loop. Some virtual MACs can
genuinely move between different interfaces and you can configure such MACs to
ignore themoves.Thecooloff timeandstatistical approachwait timeareused internally
to find out the looped interface. You can configure the interface recovery time to
auto-enable the interface that gets disabled due to a loop in the network. To configure
these parameters of VPLSMACmoves, include the vpls-mac-move statement at the
[edit protocols l2-learning] hierarchy level. The show vplsmac-move-action instance
instance-name command displays the learning interfaces that are disabled, in a VPLS
instance due to a MACmove. The clear vplsmac-move-action interface ifl-name
command enables an interface disabled due to a MACmove.
RelatedDocumentation
Changes in Behavior and Syntax on page 61•
• Known Behavior on page 78
• Known Issues on page 82
• Resolved Issues on page 101
Copyright © 2017, Juniper Networks, Inc.60
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Documentation Updates on page 217
• Migration, Upgrade, and Downgrade Instructions on page 242
• Product Compatibility on page 251
Changes in Behavior and Syntax
This section lists the changes in behavior of JunosOS features and changes in the syntax
of JunosOS statements and commands from JunosOSRelease 13.3R10 for theMSeries,
MX Series, and T Series.
• Authentication Authorization and Accounting on page 62
• High Availability (HA) and Resiliency on page 62
• Interfaces and Chassis on page 62
• IPv6 on page 64
• Junos OS XML API and Scripting on page 64
• Management on page 65
• MPLS on page 65
• Multicast on page 66
• Network Management and Monitoring on page 66
• Routing Policy and Firewall Filters on page 67
• Routing Protocols on page 67
• Security on page 68
• Services Applications on page 68
• Software Installation and Upgrade on page 72
• Subscriber Management and Services on page 72
• User Interface and Configuration on page 77
61Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
Authentication Authorization and Accounting
• Statement introduced to enforce strict authorization—Starting in Junos OS Release13.3, customers can use the set system tacplus-options strict-authorization statement
to enforce strict authorization to the users. When a user is logging in, Junos OS issues
twoTACACS+ requests—first the authentication request followedby the authorization
request. By default, when the authorization request is rejected by the TACACS+ server,
Junos OS ignores this and allows full access to the user. When the set system
tacplus-options strict-authorization statement is set, Junos OS denies access to the
user even on failure of the authorization request.
High Availability (HA) and Resiliency
• Newredundancy failoverCLI statement(MSeries,MXSeries,TSeries, andTXMatrixPlus)—Starting in Junos OS Release 13.3R6, the chassis redundancy failovernot-on-disk-underperform statement prevents gstatd from causing failovers in the
case of slow disks on the Routing Engine.
[See not-on-disk-underperform and Preventing Graceful Restart in the Case of Slow
Disks.]
Interfaces and Chassis
• Validation of deactivated inline services MLPPP bundle interfaces—Starting withJunos OS Release 13.3, if you attempt to delete or deactivate a static inline service (si)
MLPPPbundle interface that is still referencedby amember link interface,which could
be PPPoE (pp0) or silogical interfaces, and commit the configuration, the commit
operation fails. Youmust reactivate such MLPPP bundle interface before committing
the settings. Alternatively, youmust ensure that member links do not refer a static
MLPPPbundlebefore youdeleteordeactivate thebundle. Thismethodofdeactivation
and reactivation of an MLPPP bundle is not applicable for interfaces other than si-
interfaces, suchas link services IQ (lsq-) and virtual LSQ redundancy (rlsq-) interfaces.
[See Understanding MLPPP Bundles and Link Fragmentation and Interleaving (LFI) on
Serial Links.]
• Changes to DDoS protection policers for PIM and PIMv6 (MX Series with MPCs,T4000with FPC5)—Starting in Junos OS Release 13.3R2, the default values forbandwidth and burst limits have been reduced for PIM and PIMv6 aggregate policers
to prevent starvation of OSPF and other protocols in the presence of high-rate PIM
activity.
Old ValueNew ValuePolicer Limit
20,0008000Bandwidth (pps)
20,00016,000Burst (pps)
Copyright © 2017, Juniper Networks, Inc.62
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
To see thedefault andmodified values for DDoSprotection packet-typepolicers, issue
one of the following commands:
• show ddos-protection protocols parameters brief—Displays all packet-type policers.
• show ddos-protection protocols protocol-group parameters brief—Displays only
packet-type policers with the specified protocol group.
An asterisk (*) indicates that a value has beenmodified from the default.
• Changes to distributed denial of service statement and command syntax—Startingin Junos OS Release 13.3R2, the protocol group and packet type syntax has changed
for the protocols statement at the [edit system ddos-protection] hierarchy level and
for the various show ddos-protection protocols commands.
The filter-v4and filter-v6packet typeshavebeenmoved fromtheunclassifiedprotocol
group to the new filter-action protocol group.
• filter-actionprotocol group—The followingpacket typesareavailable for unclassified
firewall filter action packets, which are sent to the host because of reject terms in
firewall filters:
• aggregate—Aggregate of all unclassified filter action packets.
• filter-v4—Unclassified IPv4 filter action packets.
• filter-v6—Unclassified IPv6 filter action packets.
• other—All other unclassified filter action packets that are not IPv4 or IPv6.
The resolve-v4 and resolve-v6 packet types have been removed from the unclassified
protocol group. They are replaced by the newmcast-v4,mcast-v6, ucast-v4, and
ucast-v6 packet types in the new resolve protocol group.
• resolve protocol group—The following packet types are available for unclassified
resolvepackets,whichare sent to thehostbecauseof a traffic request resolveaction:
• aggregate—Aggregate of all unclassified resolve packets.
• mcast-v4—Unclassified IPv4multicast resolve packets.
• mcast-v6—Unclassified IPv6multicast resolve packets.
• other—All other unclassified resolve packets.
• ucast-v4—Unclassified IPv4 unicast resolve packets.
• ucast-v6—Unclassified IPv6 unicast resolve packets.
• Deleting PTP clock client (MX104)—Starting with Junos OS Release 13.2, on MX104routers, when you toggle from a secure slave to an automatic slave or vice versa in the
configuration of a Precision Timing Protocol (PTP) boundary clock, youmust first
delete the existing PTP clock client or slave clock settings and then commit the
configuration. You can delete the existing PTP clock client or slave clock settings by
using the delete clock-client ip-address local-ip-address local-ip-address statement at
the [edit protocols ptpmaster interface interface-name unicast-mode] hierarchy level.
You can then addnewclock client configuration by using the set clock-client ip-address
63Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
local-ip-address local-ip-address statement at the [edit protocols ptpmaster interface
interface-name unicast-mode] hierarchy level and committing the configuration.
However, if you attempt to delete the existing PTP clock client and add the new clock
client before committing the configuration, the PTP slave clock remains in the free-run
state and does not operate in the auto-select state (to select the best clock source).
This behavior is expected when PTP client or slave settings are modified.
• Preventing the filtering of packets by ARP policers (MX Series routers)—Beginningin Junos OS Release 13.3R3, you can configure the router to disable the processing of
the specified ARP policers on the received ARP packets. Disabling ARP policers can
cause denial-of-service (DoS) attacks on the system. Due to this possibility, we
recommend that you exercise caution while disabling ARP policers. To prevent the
processing of ARPpolicers on the arriving ARPpackets, include the disable-arp-policer
statement at the [edit interfaces interface-name unit logical-unit-number family inet
policer] or the [edit logical-systems logical-system-name interfaces interface-name unit
logical-unit-number family inetpolicer]hierarchy level. Youcanconfigure this statement
only for interfaces with inet address families and on MX Series routers with MPCs.
When you disable ARP policers per interface, the packets are continued to be policed
by the distributed DoS (DDoS) ARP policer. Themaximum rate of is 10000 pps per
FPC.
[See Applying Policers.]
IPv6
• Support for interim logging with NAT64—Starting with Junos OS Release 11.4R11,interim-logging is supported with NAT64 onmicrokernel (MS-DPC) platforms. The
configuration statement pba-interim-logging-interval under the [interfaces
services-options] hierarchy level enables the feature for NAT64.
• IPv6 support for SNMP traps (MSeries, MXSeries, and T Series)—In Release 13.3R4and later, Junos OS supports IPv6 source addresses for the SNMP traps.
Junos OS XML API and Scripting
• XML output change for show subscribers summary port command (MXSeries)—Starting in Junos OS Release 13.3R10, the display format has changed for theshow subscribers summary port command tomake parsing the output easier. The
output is now displayed as in the following example:
user@host> show subscribers summary port | display xml<rpc-reply xmlns:junos="http://xml.juniper.net/junos/16.1R2/junos"> <subscribers-summary-information xmlns="http://xml.juniper.net/junos/16.1R2/junos-subscribers"> <counters junos:style="port-summary"> <port-name>ge-1/2/0</port-name> <port-count>1</port-count> </counters> <counters junos:style="port-summary"> <port-name>ge-1/2/1</port-name> <port-count>1</port-count> </counters></rpc-reply>
Copyright © 2017, Juniper Networks, Inc.64
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
In earlier releases, that output is displayed as in the following example:
user@host> show subscribers summary port | display xml<rpc-reply xmlns:junos="http://xml.juniper.net/junos/16.1R2/junos"> <subscribers-summary-information xmlns="http://xml.juniper.net/junos/16.1R2/junos-subscribers"> <counters junos:style="port-summary"> <port-name>ge-1/2/0</port-name> <port-count>1</port-count> <port-name>ge-1/2/1</port-name> <port-count>1</port-count> </counters></rpc-reply>
Management
• Restrictions forcryptoalgorithmsforFIPS inOpenSSH—Starting in JunosOSRelease13.3, the following options are not allowed on systems operating in FIPSmode:
[edit system services ssh]set macs <algorithm>
Not allowed: hmac-md5, hmac-md5-96, [email protected],
[email protected], hmac-ripemd160,
[email protected], [email protected],
[email protected], [email protected], and
[edit system services ssh]set key-exchange <algorithm>
Not allowed: group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1.
[edit system services]set hostkey-algorithm <algorithm | no-algorithm>
Not allowed: ssh-dss and ssh-rsa.
In releases earlier than Junos OS Release 13.3, the options were available but should
have been disallowed.
MPLS
• Enhanced support for GRE interfaces for GMPLS (MX Series)—Starting in Junos OSRelease 12.3R7, 13.1R5, 13.2R5, 13.3R3and later, onGRE interfaces forGeneralizedMPLS
control channels, you can enable the inner IP header’s ToS bits to be copied to the
outer IP packet header. Include the copy-tos-to-outer-ip-header statement at the [edit
interfaces gre unit logical-unit-number] hierarchy level. Previously, the
copy-tos-to-outer-ip-header statement was supported for GRE tunnel interfaces only.
[See copy-tos-to-outer-ip-header.]
• Enhanced transit LSP statistics collection—Starting in Junos OS Release 13.3R4,RSVP no longer periodically polls for transit LSP statistics. This change does not affect
the showmpls lsp statistics command or automatic bandwidth operations for ingress
LSPs. To enable the polling and display of transit LSP statistics, include the
transit-statistics-polling statement at the [edit protocolsmpls statistics] hierarchy
65Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
level. You cannot enable transit LSP statistics collection if MPLS statistics collection
is disabledwith theno-transit-statistics statementat the [editprotocolsmplsstatistics]
hierarchy level.
• Changes toMPLS protection options—In Junos OS releases earlier than Release 13.3,you can configure both fast reroute and node and link protection on the same LSP.
Beginning in Junos OS Release 13.3, you can still configure both fast reroute and node
and link protection on the same LSP; however, when you attempt to commit a
configuration where both features are enabled, a syslog warning message states: The
ability to configure both fast-reroute and link/node-link protection on the same LSP is
deprecated andwill be removed in a future release.
Multicast
• PIM snooping support using relaymode (M Series andMX Series)—Starting withJunos OS Release 13.3, PIM snooping on PE routers is supported using relay mode
insteadofproxymode.This enablesCE routerswithPIMsnooping to sendHellopackets
without setting the tracking bit (T-bit) to the PE routers. In relay mode, you need not
configurevalues for the join-prune-timeoutstatementandsave theFiniteStateMachine.
To check the status of relay mode on the CLI, use the show pim snooping neighbors
command or the show pim snooping interfaces command.
• Traffic arriving via IRBwhen configured in enhanced ip-mode—Beginningwith JunosOS Release 13.3, when configured in enhanced-ip mode, traffic arriving over IRB
(multic-ast source connected over Layer 3) is not forwarded to remote PEs in VPLS
when igmp-snooping is configured along with the use-p2mp-lsp statement.
NetworkManagement andMonitoring
• Support of new system log by SNMP for notifying target addition (M Series, MXSeries, and T Series)—Beginning with Junos OS Release 13.3, when a new trap target
configuration is added to the agent, SNMP raises a new system log
SNMPD_TRAP_TARGET_ADD_NOTICE. The user can configure an event policy for this
system log event to raise a notification of the new trap target addition. This trap is sent
to all the configured trap targets including the new target.
• Error in IfMtuMIB value for IPv6 logical interface (MX Series)—Starting in Junos OSRelease 13.3, the output of the snmpwalk command for the IfMtuMIB object displays
the original value or the default value, 1500, as configured for the IPv6 logical interface.
In previous releases, the output displayed an incorrect value for the IfMtuMIB object.
[See Retrieving Virtual Private Network Information Using SNMP.]
• New system logmessage indicating the difference in the Packet Forwarding Enginecounter value (M Series, MX Series, and T Series)—Effective in Junos OS Release13.3R4, if the counter value of a Packet Forwarding Engine is reported lesser than its
previous value, then the residual counter value is added to the newly reported value
only for that specific counter. In that case, the CLI shows the
MIB2D_COUNTER_DECREASING system logmessage for that specific counter.
Copyright © 2017, Juniper Networks, Inc.66
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
[SeeMIB2D_COUNTER_DECREASING.]
• Enhancement for SONET interval counter (M Series, MX Series, and TSeries)—Starting with Junos OS Release 13.3R7, only the Current Day Interval Totaloutput field in the show interfaces interval command for SONET interfaces is reset
after 24 hours. In addition, the Previous Day Interval Total output field displays the last
updated time in hh:mm.
[See show interfaces interval.]
Routing Policy and Firewall Filters
• Newfirewall filtermatchconditionsupportedonMPClinecards(MXSeries)—StartinginRelease 13.3R2, JunosOSsupports the gre-key firewall filtermatch condition onMPC
line cards on MX Series 3D Universal Edge Routers. To configure the gre-key firewall
filter match condition, include the gre-key statement at the [edit firewall family inet
filter filter term term from] hierarchy level.
Routing Protocols
• Hidden clear commands—Starting in Junos OS Release 13.3, the purge option of theclear ospf database and clear ospf3 database commands is hidden and unsupported.
• BGP attribute flag bits—In Junos OS Release 13.2 and earlier, unused attribute flagbits were propagated unchanged. Starting in JunosOSRelease 13.3, BGP attribute flag
bits are reset to zerobydefault andnotpropagated. This behavior is being standardized,
as specified in Internet draft draft-hares-idr-update-attrib-low-bits-fix-01, Update
Attribute Flag Low Bits Clarification.
• Change inconfiguringkeepnoneandkeepallstatements—Starting in JunosOSRelease13.3, configuring keep none or keep all no longer causes all BGP sessions to restart. For
peers that do not support route refresh, when you configure keep none or keep all, the
associated BGP sessions are restarted (flapped). For peers that do support route
refresh, the local speaker sends a route refresh and performs an import evaluation. For
these peers, the sessions do not restart when you configure keep none or keep all. To
determine if a peer supports refresh, check for Peer supports Refresh capability in the
output of the showbgpneighbor command. In previous releases, configuring keepnone
or keep all caused all BGP sessions to restart.
• Modification to the default BGP extended community value—Starting in Junos OS13.3, Junos OSmodifies the default BGP extended community value used for MVPN
IPv4 VRF route import (RT-import) to the IANA-standardized value. The
mvpn-iana-rt-import statement is the default. Themvpn-iana-rt-import statement has
been deprecated; we recommend that you remove it from configurations.
• BGP hides a route receivedwith a label block size greater than 256 (M Series, MXSeries, andTSeries)—WhenaBGPpeer (running JunosOS) sends a routewith a label
block size greater than 256, the local speaker hides the route anddoes not re-advertise
this route. The output of the show route detail/extensive hidden/all command displays
the hidden route and states the reasonas label block sizeexceedsmaxsupportedvalue.
67Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
In earlier Junos OS releases, when a peer sent a route with a label block size greater
than 256, the routing protocol process (rpd) terminated abnormally.
• Configure and establish targeted sessions with third-party controllers using LDPtargeted neighbor (MSeries andMXSeries)—Startingwith JunosOSRelease 13.3R6,you can configure LDP targeted neighbor to third-party controllers for applications
such as route recorder that wants to learn label-FEC bindings of an LSR. LDP targeted
neighbor helps to establish a targeted session with controllers for a variety of
applications.
Security
• Packet typesaddedforDDoSprotectionL2TPpolicers(MXSerieswithMPCs,T4000withFPC5)—The followingeightpacket typeshavebeenadded to theDDoSprotectionL2TP protocol group to provide flexibility in controlling L2TP packets:
scccncdn
sccrqhello
stopccniccn
unclassifiedicrq
Previously, no individual packet types were available for this protocol group and all
L2TPpacketswerepoliced the samebasedon theaggregatepolicer value. Thedefault
values for the bandwidth and burst policers for all packet types is 20,000 pps. The
default recover-time is 300 seconds for each of the L2TP packet types.
Services Applications
• Restriction forRPMprobetestdata-size—In JunosOSRelease 13.2andearlier releases,the data-size statement at the [edit services rpmprobeowner test test-name] hierarchy
level did not enforce any additional restrictions when the hardware-timestampwas
included. Starting in Junos OS Release 13.3, the data-size value must be at least 100
bytes smaller than the default MTU of the interface of the RPM client interface when
the hardware-timestamp statement is used.
[edit services rpm probe owner test test-name]hardware-time-stamp;data-size size;
• New ranges for TWAMP server connections—In Junos OS Release 13.2 and earlierreleases, themaximum-connections statement at the [edit services rpmtwampserver]
hierarchy level had a range of 1 through 2048. Starting in Junos OS Release 13.3, the
maximum-connections statement has a range of 1 through 1000. In Junos OS Release
13.2 and earlier releases, themaximum-connections-per-client statement at the [edit
services rpm twamp server] hierarchy level had a range of 1 through 1024. Starting in
Junos OS Release 13.3, the maximum-connections-per-client statement has a range
of 1 through 500.
Copyright © 2017, Juniper Networks, Inc.68
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• New range for data-size statement—In Junos OS Release 13.2 and earlier releases,the data-size statement at the [edit services rpmprobeowner test test-name] hierarchy
level had a range of 0 through65507. Starting in JunosOSRelease 13.3R1, thedata-size
statement has a range of 0 through 65400.
• Restriction for NAT ruleswith translation type stateful-nat-64—In JunosOSRelease13.2 and earlier releases, the following restriction was not enforced by the CLI: if the
translation-type statement in the then statement of a NAT rule was set to
stateful-nat-64, the range specified by the destination-address-range or thedestination-prefix-list in the from statement needed to be within the range specified
by thedestination-prefix statement in the then statement. Starting in JunosOSRelease
13.3, this restriction is enforced.
[edit services nat]rule rule-name {term term-name {from {destination-address-range lowminimum-value highmaximum-value <except>;destination-prefix-list list-name <except>;
}then {destination-prefix destination-prefix;
}}
}
• Change in runningRPMtraceoptions—Starting in JunosOSRelease 13.2, runningRPMtraceoptions is performed from the [edit services rpm] hierarchy. In releases earlier
than Junos OS Release 13.2, running RPM traceoptions was performed at the [edit
snmp] hierarchy level.
The RPM traceoptions are configured as follows:
[edit services rpm]traceoptions {file filename <files number> <match regular-expression > <sizemaximum-file-size><world-readable | no-world-readable>;
flag flag;}
This issue was being tracked by PR857470.
• Restrictions for maximumblock size for NAT port block allocation—Beginning withJunos OS Release 13.3, the maximum blocksize for NAT port block allocation (PBA) is
32,000.
• Support for display of NAT type for EIF flows (MX Series routers with MS-MICs andMS-MPCs)—Starting with Junos OS Release 13.3R4, the output of the show services
sessionsextensive command, theTranslationType fielddisplays the valueasNAPT-44
for Endpoint Independent Filtering (EIF) flows. Also, the label, EIF, is displayed beside
the translation type parameter to enable easy identification of EIF flows.
• Support for passive-mode tunneling (MX Series routers with MS-MICs andMS-MPCs)—Starting with Junos OS Release 13.3R4, passive mode tunneling issupported on MS-MICs and MS-MPCs. You can include the passive-mode-tunneling
69Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
statementat the [editservicesservice-setservice-set-name ipsec-vpn-options]hierarchy
level to enable the service set to tunnel malformed packets.
NOTE: The header-integrity-check option that is supported onMS-MICs
andMS-MPCs to verify the packet header for anomalies in IP, TCP, UDP,and ICMPinformationandflagsuchanomaliesanderrorshasafunctionalitythat is opposite to the functionality caused by passivemode tunneling. Ifyou configure both the header-integrity-check statement and the
passive-modetunnelingstatementonMS-MICsandMS-MPCs,andattempt
to commit such a configuration, an error is displayed during commit.
The passivemode tunneling functionality (by including thepassive-mode-tunneling statement at the [edit services service-set
service-set-name ipsec-vpn-options] hierarchy level) is a superset of the
capability to disable IPsec tunnel endpoint in the traceroute output (byincluding no-ipsec-tunnel-in-traceroute statement at the [edit services
ipsec-vpn] hierarchy level). Passivemode tunneling also bypasses the
active IP checks and tunnel MTU check in addition to not treating an IPsectunnel as a next-hop as configured by the no-ipsec-tunnel-in-traceroute
statement.
• Interoperation of ingress sampling and PIC-based flowmonitoring (MXSeries)—Starting in Junos OS Release 13.3R6, If PIC-based flowmonitoring is enabled
onanms- logical interface, a commit checkerror occurswhenyouattempt toconfigure
ingress traffic sampling on that particular ms- logical interface. This error occurs
becauseacombinationof ingress samplingandPIC-based flowmonitoringoperations
onanms- logical interfacecausesundesired flowmonitoringbehavior andmight result
in repeatedsamplingofasinglepacket.Youmustnotconfigure ingress traffic sampling
onms- logical interfaces on which PIC-based flowmonitoring is enabled.
• Generation ofmspmand core file for flow control (MX Series with MS-MICs andMS-MPCs)—Starting with Junos OS Release 13.3R6, instead of an eJunos kernel corefile, themultiservicesPICmanagementdaemoncore file is generatedwhenaprolonged
flow control occurs and when you configure the setting to generate a core file during
prolonged flow control (by using the dump-on-flow-control option). The watchdog
functionality continues to generate a kernel core file in such scenarios.
• Change in support for service options configuration on service PICs at theMS andAMS interface levels (MX Series)—Starting in Junos OS Release 13.3R6, when amultiservices PIC (ms- interface) is a member interface of an AMS bundle, you can
configure the service options to be applied on the interface only at the ms- interface
level or the AMS bundle level by including the services-options statement at the [edit
interfaces interface-name] hierarchy level at a point in time. You cannot define service
options for a service PIC at both the AMS bundle level and at the ms- interface level
simultaneously.When youdefine the service options at theMS level or theAMSbundle
level, the service options are applied to all the service sets, on thems- interface or AMS
interface defined atms-fpc/pic/port.logical-unit or amsN respectively.
Copyright © 2017, Juniper Networks, Inc.70
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Changes in the format of session open and close system logmessages (MX SerieswithMS-MICsandMS-MPCs)—Startingwith JunosOSRelease 13.3R7,with the JunosOS Extension-Provider packages installed and configured on the device for MS-MPCs
and MS-MICs, the formats of the MSVCS_LOG_SESSION_OPEN and
MSVCS_LOG_SESSION_CLOSE system logmessages aremodified to toggle the order
of the destination IPv4 address and destination port address displayed in the log
messages tobe consistent anduniformwith the formats of the session openand close
logs of MS-DPCs.
The following is the modified format of the MSVCS_LOG_SESSION_OPEN and
MSVCS_LOG_SESSION_CLOSE system logmessages:
month date hh:mm:ss syslog-server-ip-address yyyy-mm-dd hh:mm:ss
{NAT-type}<MSVCS_LOG_SESSION_CLOSE or MSVCS_LOG_SESSION_OPEN>:App:
application, source-interface-name fpc/pic/port\address in hexadecimal format
source-address:source-port source-nat-information ->
destination-address:destination-port destination-nat-information (protocol-name)
The following is an example of the session closure message generated for MS-MPCs
and MS-MICs.
Nov 26 13:00:07 10.137.159.1 2014-11-26 07:22:44:
{Dynamic-NAT-64-SS-NHS-1}MSVCS_LOG_SESSION_CLOSE:application:none,ae4.454
2402:8100:1:160:1:2:d384:463c:36822 [49.14.64.37:12261] -> [141.101.120.14]
64:ff9b::8d65:780e:80 (TCP)
• Support for bouncing service sets for dynamic NAT (MX Series with MS-MPCs andMS-MICs)—Starting in Junos OS Release 13.3R5, for service sets associated with
aggregatedmultiservices (AMS) interfaces, you can configure the
enable-change-on-ams-redistribution statement at the [edit services service-set
service-set-name service-set-options] hierarchy level to enable the service set to be
bounced (reset) for dynamic NAT scenarios (dynamic NAT, NAT64, andNAT44)when
amember interface of an AMS bundle rejoins or a member interface failure occurs.
When amember interface fails, the application resources (NAT pool in the case of
dynamic NAT scenarios) and traffic load need to be rebalanced. For application
resources to be rebalanced, which is the NAT pool for dynamic NAT environments, the
NAT pool is split and allocated by the service PIC daemon (spd).
• Support for RPM probes for IPv4 and IPv6 sources and targets (TXMatrixPlus)—Starting with Junos OS Release 13.3R7, you can configure the TXP-T1600,TXP-T1600-3D, TXP-T4000-3D, or TXP-Mixed-LCC-3D router as the real-time
performancemonitoring (RPM) client router (the router or switch that originates the
RPMprobes)cansendprobepackets to theRPMprobeserver (thedevice that receives
the RPMprobes) that contains an IPv4 or IPv6 address. RPM enables you to configure
active probes to track andmonitor traffic. The support for configuring RPMprobes and
RPMclients on TXMatrix Plus routers is in addition to the support for RPM that existed
on M Series, MX Series, T1600, and T4000 routers in previous releases.
71Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
Software Installation and Upgrade
• Upgrading Junos OS in one step (MX Series)—Starting in Junos OS Release 13.3, youcan specifymultiple configuration files in one stepwhen youupgrade JunosOSon your
device.Whenyouenter the requestsystemsoftwareaddor the requestsystemsoftware
validate command, you can use the upgrade-with-config option. You can also use the
upgrade-with-config-format option when the configuration file is in the text format.
Subscriber Management and Services
• Subscriber loginwhen lawful intercept fails—Starting in JunosOSRelease 13.3, whenlawful intercept activation fails during a subscriber login, the subscriber login is not
denied.AnSNMPmessage is still generated that indicates the lawful interceptactivation
failed. In JunosOS releases earlier thanRelease 13.2R2, the subscriber loginwasdenied
if lawful intercept activation failed.
• Change to test aaa ppp user and test aaa dhcp user commands—Starting in Junos OSRelease 13.3, the test aaapppuser and test aaadhcp user commands no longer display
serviceactivation statusbecause serviceactivation is not required in these commands.
Inearlier releases, thecommandsdisplayedserviceactivationstatus to indicatewhether
service activation failed or succeeded. Service-related RADIUS attribute values are
still displayed.
• Configuring domainmaps to use the default routing instance (MXSeries)—Startingin Junos OS Release 13.3, on MX Series routers you can explicitly configure a domain
map to use the default (master) routing instance for the AAA or subscriber contexts.
This enhancement enables you to configure a domain map to use the default routing
instance in cases where a nondefault routing instance is currently referenced, or in
other scenarios in which you need to explicitly reference the default routing instance.
• Configuration support to prevent the LACPMC-LAG system ID from reverting to thedefault LACP system ID on ICCP failure—Beginning in Junos OS Release 13.3, you canconfigure the prefer-status-control-active statement with the status-control standby
configuration at the [edit interfaces aeX aggregated-ether-optionsmc-ae] hierarchy
level toprevent theLACPMC-LAGsystem ID from reverting to thedefault LACPsystem
ID on ICCP failure. Use this configuration only if you can ensure that ICCP does not go
down unless the router is down. Youmust also configure the hold-time down value (at
the [edit interfaces interface-name] hierarchy level) for the interchassis link with the
status-control standby configuration to be higher than the ICCP BFD timeout. This
configuration prevents traffic loss by ensuring that when the router with the
status-controlactiveconfigurationgoesdown, the routerwith the status-controlstandby
configuration does not go into standbymode.
• Support for rejecting IPv6CP negotiation in the absence of an authorized address(MX Series)—Starting in Junos OS Release 13.3, you can control the behavior of therouter in a situationwhere IPv6CP negotiation is initiated for subscriber sessionswhen
no authorized addresses are available. By default, IPv6CP negotiation is enabled to
proceed for an IPv6-only session when AAA has not provided an appropriate IPv6
address or prefix. In the absence of the address, the negotiation cannot successfully
complete. To prevent endless client negotiation of IPv6CP, include the
Copyright © 2017, Juniper Networks, Inc.72
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
reject-unauthorized-ipv6cp statement at the [edit protocols ppp-service] hierarchy
level, which enables the jpppd process to reject the negotiation attempt.
• Support for ignoring DSL ForumVSAs from directly connected devices (MXSeries)—WhenCPEdevicesaredirectly connected toaBNG, youmightwant the router
to ignore any DSL Forum VSAs that it receives in PPPoE control packets because the
VSAs can be spoofed bymalicious subscribers. Spoofing is particularly serious when
the targeted VSAs are used to authenticate the subscriber, such as Agent-Circuit-Id
[26-1] and Agent-Remote-ID [26-2].
To ignore the DSL Forum VSAs, starting in Junos OS Release 13.3, include the
direct-connect statement for PPPoE interfaces or PPPoE underlying interfaces at the
following hierarchy levels:
• [editdynamic-profilesprofile-name interfacesdemux0unit logical-unit-number family
pppoe]
• [editdynamic-profilesprofile-name interfaces interface-nameunit logical-unit-number
family pppoe]
• [editdynamic-profilesprofile-name interfaces interface-nameunit logical-unit-number
pppoe-underlying-options]
• [edit interfaces interface-name unit logical-unit-number family pppoe]
• [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]
• [edit logical-systems logical-system-name interfaces interface-name unit
logical-unit-number family pppoe]
• [edit logical-systems logical-system-name interfaces interface-name unit
logical-unit-number pppoe-underlying-options]
You can determine whether direct-connect is configured for particular interfaces by
issuing the show interfaces or show pppoe underlying-interfaces command.
• ANCP agent behavior for invalid generic responsemessages (MX Series)—Startingin Junos OS Release 13.3, when the ANCP agent receives an incorrect or unexpected
generic responsemessage from an ANCP neighbor, it immediately drops the packet,
generates a system log notice message, and takes no further action.
• Changes toANCPshowcommandoutput (MXSeries)—Starting in JunosOSRelease13.3, the show ancp neighbor command displays information for all configured ANCP
neighbors regardless of operational state. In earlier releases, it displayed information
only for neighbors in the Established state. The Time field, which displays the elapsed
time since the neighbor entered its current state, has replaced the Up TIme field. An
asterisk (*) prefixed to the neighbor entry indicates that the adjacency information
might be stale.
In Junos OS Release 13.3 and later, the show ancp subscriber command displays
information for all subscribers regardless of operational state. In earlier releases, it
displayed information only for active subscribers in the Established state. An asterisk
(*) prefixed to the subscriber entry indicates that the information might be stale. Two
asterisks (**) indicate that the neighbor associated with the subscriber has lost its
adjacency.
73Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
• Enhancedaccountingstatistics (MSeries,MXSeries,andTSeries)—Starting in JunosOSRelease 13.3, the shownetwork-accessaaastatisticsaccounting command includes
the optional detail keyword, which provides additional information about the RADIUS
accounting statistics. You can use the enhanced details for troubleshooting
investigations.
[See Verifying andManaging Subscriber AAA Information.]
• Support for processing Cisco VSAs in RADIUSmessages for serviceprovisioning—Starting with Junos OS Release 13.3R3, Cisco VSAs are supported forprovisioning andmanagement of services in RADIUSmessages, in addition to the
supported Juniper VSAs for administration of subscriber sessions. In a deployment in
which a customer premises equipment (CPE) is connected over an access network to
a broadband remote access gateway, the Steel-Belted Radius Carrier (SBRC)
application might be used as the authentication and accounting server using RADIUS
as theprotocol and theCiscoBroadHopapplicationmightbeusedas thePolicyControl
and Charging Rules Function (PCRF) server for provisioning services using RADIUS
change of authorization (CoA)messages. Both the SBRC and the Cisco BroadHop
serversare considered tobeconnectedwith thebroadbandgateway in sucha topology.
By default, service accounting is disabled. If you configure service accounting using
both RADIUS attributes and the CLI interface, the RADIUS setting takes precedence
over the CLI setting. To enable service accounting using the CLI, include the accounting
statement at the [edit access profile profile-name service] hierarchy level. To enable
interim service accounting updates and configure the amount of time that the router
waits before sending a new service accounting update, include the update-interval
minutes statement at the [edit accessprofileprofile-name serviceaccounting]hierarchy
level.
Youcanconfigure the router tocollect timestatistics, or bothvolumeand timestatistics,
for the service accounting sessions beingmanaged byAAA. To configure the collection
of statistical details that are time-based only, include the statistics time statement at
the [edit access profile profile-name service accounting] hierarchy level. To configure
the collection of statistical details that are both volume-time-based only, include the
statistics volume-time statement at the [edit access profile profile-name service
accounting] hierarchy level.
• Specifying the UDP port for RADIUS dynamic-request servers—Beginning in JunosOS Release 13.3, you can define the UDP port number to configure the port on which
the router that functions as theRADIUSdynamic-request servermust receive requests
from RADIUS servers. By default, the router listens on UDP port 3799 for dynamic
requests from remote RADIUS servers. You can configure the UDP port number to be
used for dynamic requests for a specific access profile or for all of the access profiles
on the router. To define the UDP port number, include the dynamic-request-port
port-number statement at the [edit access profile profile-name radius-server
server-address] or the [edit access radius-server server-address] hierarchy level.
• DCHP Relay subscriber and proxy-mode support (MX Series)—Starting with JunosOS Release 13.3, when DHCP Relay Agent for subscriber management is configured in
proxy-mode, DHCP Request packets for which no client/subscriber state exists on the
Relay Agent (stray requests) behave according to RFC 2131 Section 4.3.2: “If the DHCP
server hasno recordof this client, then itMUST remain silent, andMAYoutputawarning
Copyright © 2017, Juniper Networks, Inc.74
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
to the network administrator. This behavior is necessary for peaceful coexistence of
non-communicatingDHCP servers on the samewire.” Suchbehavior also occurswhen
multiple, non-communicating, proxy-modeRelayAgentsareprocessingDHCPRequest
packets from the same client or subscriber. In some network configurations, Relay
Agent can send a NAK to the client or subscriber when Relay Agent is not configured
to act on bind-on-request. The NAK prevents Relay Agent from forwarding the DHCP
Request to the server or, in the case of a client move, when the packet is not directed
to the proxy-mode Relay Agent that receives it. DHCP Relay Agent for subscriber
management no longer generates a NAK in place of the server in response to stray
requests but relies on the server to respond appropriately to the client or subscriber.
For those cases when packets are configured not to be forwarded to the server
(no-bind-on-request is configured), orwhen thepacket isdeterminednot tobedirected
to the receiving Relay Agent, those packets are silently discarded in accordance with
RFC 2131 Section 4.3.2.
• Addition of pw-width option to the nas-port-extended-format statement—Starting inJunosOSRelease 13.3R4, you can configure the number of bits for the pseudowire field
in the extended-format NAS-Port attribute for Ethernet subscribers. Specify the value
with thepw-widthoption in thenas-port-extended-format statementat the [editaccess
profile profile-name radius options] hierarchy level. The configured fields appear in the
following order in the binary representation of the extended format:
aggregated-ethernet slot adapter port pseudo-wire stacked-vlan vlan
The width value also appears in the Cisco NAS-Port-Info AVP (100).
• LAC configuration no longer required for L2TP tunnel switching with RADIUSattributes (MX Series)—Starting in Junos OS Release 13.3R6, when you use JuniperNetworks VSA 26-91 to provide tunnel profile information for L2TP tunnel switching,
you no longer have to configure a tunnel profile on the LAC. In earlier releases, tunnel
switching failed when you did not also configure the LAC, even when the RADIUS
attributes were present.
• Local DNS configurations available when authentication order is set to none (MXSeries)—Starting in Junos OS Release 13.3R8, subscribers now get the DNS server
addresses when both of the following are true:
• The authentication order is set to none at the [edit access profile profile-name
authentication-order] hierarchy level.
• A DNS server address is configured locally in the access profile with the
domain-name-server, domain-name-server-inet, or domain-name-server-inet6
statement at the [edit access profile profile-name] hierarchy level.
In earlier releases, subscribers get an IPaddress in this situation, but not theDNSserver
addresses.
• Change in support for L2TP statistics-related commands (MX Series)—Starting inJunos OS Release 13.3R8, statistics-related show services l2tp commands cannot be
issued in parallel with clear services l2tp commands from separate terminals. In earlier
releases, you can issue these show and clear commands in parallel. Nowwhen any of
these clear commands is running, youmust press Ctrl+c to make the clear command
75Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
run in the background before issuing any of these show commands. The relevant
commands are listed in the following table:
show services l2tp destination extensiveclear services l2tp destination
show services l2tp destination statisticsclear services l2tp session
show services l2tp session extensiveclear services l2tp tunnel
show services l2tp session statistics
show services l2tp summary statistics
show services l2tp tunnel extensive
show services l2tp tunnel statistics
NOTE: Youcannot runmultipleclearservices l2tpcommands fromseparate
terminals. This behavior is unchanged.
• New option to limit themaximum number of logical interfaces (MX Series routerswith MS-DPCs)—Starting in Junos OS Release 13.3R9, you can include thelimited-ifl-scaling optionwith the network-services enhanced-ip statement at the [edit
chassis] hierarchy level to impose a limitation on themaximum number of logical
interfaces on MX Series routers with MS-DPCs to be 64,000 for enhanced IP network
services mode. Using the limited-ifl-scaling option prevents the problem of a collision
of logical interface indices that can occur in a scenario in which you enable enhanced
IP servicesmode and anMS-DPC is also present in the same chassis. A cold reboot of
the router must be performed after you set the limited-ifl-scaling option with the
network-servicesenhanced-ip statement.Whenyouenter the limited-ifl-scalingoption,
none of the MPCs are moved to the offline state. All the optimization and scaling
capabilities supported with enhanced IPmode apply to the limited-ifl-scaling option.
Copyright © 2017, Juniper Networks, Inc.76
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
User Interface and Configuration
• User-defined identifiersusingthereservedprefix junos-nowcorrectlycauseacommiterror in the CLI (M Series, MX Series, and T Series)—Junos OS reserves the prefixjunos- for the identifiersofconfigurationsdefinedwithin the junos-defaultsconfiguration
group. User-defined identifiers cannot start with the string junos-. If you configured
user-defined identifiers using the reserved prefix through a NETCONF or Junos XML
protocol session, the commit correctly fails. In releases earlier than Junos OS Release
13.3, if you configured user-defined identifiers through theCLI using the reservedprefix,
the commit incorrectly succeeded. Junos OS Release 13.3 and later releases exhibit
the correct behavior. Configurations that currently contain the reserved prefix for
user-defined identifiers other than junos-defaults configuration group identifiers will
now correctly result in a commit error in the CLI.
• Change in show version command output (M Series, MX Series, and TSeries)—Beginning in JunosOSRelease 13.3, theshowversioncommandoutput includesthe new Junos field that displays the Junos OS version running on the device. This new
field is in addition to the list of installed sub-packages running on the device that also
display the Junos OS version number of those sub-packages. This field provides a
consistent means of identifying the Junos OS version, rather than extracting that
information from the list of installed subpackages.
In Junos OS Release 13.2 and earlier, the show version command does not have the
single Junos field in theoutput thatdisplays the JunosOSversion runningon thedevice.
The only way to determine the Junos OS version running on the device is to review the
list of installed subpackages.
Junos OS Release 13.3 and Later ReleasesWith the JunosField
Junos OS Release 13.2 and Earlier ReleasesWithout theJunos Field
user@host> show versionHostname: lab Model: mx960 Junos: 13.3R1.4JUNOS Base OS boot [13.3R1.4] JUNOS Base OS Software Suite [13.3R1.4] JUNOS Kernel Software Suite [13.3R1.4]JUNOS Crypto Software Suite [13.3R1.4]...
user@host> show versionHostname: lab Model: mx960 JUNOS Base OS boot [12.2R2.4]JUNOS Base OS Software Suite [12.2R2.4]JUNOS Kernel Software Suite [12.2R2.4]JUNOS Crypto Software Suite [12.2R2.4]...
[See show version.]
• Configuring regularexpressions(MSeries,MXSeries, andTSeries)—Inall supportedJunosOS releases, regular expressions can no longer be configured if they requiremore
than 64MB of memory or more than 256 recursions for parsing.
This change in the behavior of Junos OS is in line with the FreeBSD limit. The change
wasmade in response to a known consumption vulnerability that allows an attacker
to cause a denial of service (resource exhaustion) attack by using regular expressions
containing adjacent repetition operators or adjacent bounded repetitions. Junos OS
uses regular expressions in several placeswithin theCLI. Exploitationof this vulnerability
can cause the Routing Engine to crash, leading to a partial denial of service. Repeated
77Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
exploitation can result in an extendedpartial outageof services providedby the routing
protocol process (rpd).
• Newwarningmessage for the configurational changes to extend-size (MSeries, MXSeries, and T Series)—Starting with Junos OS Release 13.3R8, any operation on thesystemconfiguration-databaseextend-sizeconfiguration statement suchas,deactivate,
delete, or set, generates the following warning message:
Change in 'system configuration-database extend-size' will be effective at next reboot
only.
RelatedDocumentation
New and Changed Features on page 26•
• Known Behavior on page 78
• Known Issues on page 82
• Resolved Issues on page 101
• Documentation Updates on page 217
• Migration, Upgrade, and Downgrade Instructions on page 242
• Product Compatibility on page 251
Known Behavior
This sectioncontains theknownbehavior, systemmaximums, and limitations inhardware
and software in Junos OS Release 13.3R10 for the M Series, MX Series, and T Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
• Class of Service (CoS) on page 78
• General Routing on page 79
• Hardware on page 79
• High Availability (HA) and Resiliency on page 80
• MPLS on page 80
• Multicast on page 80
• IPv6 on page 80
• Services Applications on page 80
• Software Installation and Upgrade on page 80
• Subscriber Management and Services on page 81
Class of Service (CoS)
• If you definemore than one forwarding class for a given queue number, do not use the
nameofadefault forwardingclass for oneof thenewclasses, becausedoing socauses
the forwarding classwith thedefault name tobedeleted. For example, donot configure
the following, because doing so deletes the best-effort class:
user@host# set class-of-service forwarding-classes class be queue-num0
Copyright © 2017, Juniper Networks, Inc.78
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
user@host# set class-of-service forwarding-classes class best-effort queue-num0user@host# commit
• To use per-priority shaping on a physical interface on the MX104 router, you must
enable hierarchical scheduling on the interface with the set hierarchical-schedulerstatement at the [edit interface interface-name] hierarchy level.
General Routing
• In MX2020 routers and T Series routers, memory usage of the device increases when
the auto-64-bit statement is issued.
Hardware
• Support for MIC-3D-8OC3-2OC12-ATMRevision 22 andlater—MIC-3D-8OC3-2OC12-ATM Revision 22 is supported only by the following
Junos OS releases:
• Junos OS Release 12.3—12.3R9 and later
• Junos OS Release 13.3—13.3R6 and later
• Junos OS Release 14.1—14.1R4 and later
• Junos OS Release 14.2—14.2R3 and later
• Junos OS Release 15.1 and later
79Copyright © 2017, Juniper Networks, Inc.
Known Behavior
Youmust upgrade to a supported Junos OS release to useMIC-3D-8OC3-2OC12-ATM
Revision 22 and later.
High Availability (HA) and Resiliency
• The MPC5E, MPC5EQ, and MP6E cards do not support unified ISSU on an MX Series
Virtual Chassis.
MPLS
• Removal of SRLG from the SRLG table only on the next reoptimization of the LSP(M, MX, and T Series)—If a SRLG is associated with a link used by an ingress LSP inthe router then on deleting the SRLG configuration from that router, the SRLG gets
removed from the SRLG table only on the next reoptimization of the LSP. Until then
the output displaysUnknown-XXX instead of the SRLGnameand a non-zero srlg-cost
of that SRLG for run showmpls srlg command.
Multicast
• IGMP snooping does notmap router interface when source IP address is0.0.0.0—When a snooping switch sends an IGMP query on an interface with a source
IP address of 0.0.0.0, that interface is notmarked as a router interface. The show igmp
snooping interface command displays Router Interface: no for that interface. This is
expected behavior. To correct IGMPmapping, provide the querying interface with an
IP address other than 0.0.0.0.
IPv6
• Inconsistent IfMtuMIB value (M Series, MX Series, and T Series)—The value of theIfMtuMIB is inconsistent for the logical interfaces with IPv6 address.
Services Applications
• With static NAT configured as basic NAT44 or destination NAT44 onMXSeries routers
with MS-MICs and MS-MPCs, the input and output bytes and traffic rate values
displayed under the Input bytes andOutput bytes fields respectively in the output of
the show interfaces command differ by approximately 25 percent forms- interfaces
with lower packet sizes.
Software Installation and Upgrade
Copyright © 2017, Juniper Networks, Inc.80
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Downgrading to Junos OS Release 12.3 when the configuration includes thetargeted-distribution statement—In Junos OS Release 12.3, the targetted-distributionstatement at the [edit interfaces demux0 unit logical-unit-number] hierarchy level is
misspelled.Starting in JunosOSRelease 13.3, the spelling for this statement is corrected
to targeted-distribution. If you use the misspelled targetted-distribution statement in
Junos OS Release 13.3 or higher, the CLI corrects the spelling to targeted-distribution
in your configuration, so existing scripts still work. The correct spelling is not backward
compatible; Junos OS Release 12.3 supports only the targetted-distribution spelling. If
you downgrade from Release 13.3 or higher to Release 12.3, all correctly spelled
targeted-distribution statementsare removed fromtheconfigurationandconfiguration
scripts with the correct spelling fail.
Subscriber Management and Services
• The clear pppoe sessions command does not have an all option and consequently
clears all current PPPoE subscriber sessions when you enter the command. The CLI
does not prompt you to confirm that you want to clear all sessions. When you want to
gracefully terminateasubscriber session, always include the interfacenameassociated
with the session. For some network configurations, if your subscribers have unique
usernames, youcanalternatively issue theclearnetwork-accessaaasubscriberusername
command.
• On the MX Series, subscriber management uses firewall filters to capture and report
the volume-based service accounting counters that are used for subscriber billing. You
must always consider the relationship between firewall filters and service accounting
counters, especially when clearing firewall statistics. When you use the clear firewall
command (to clear the statistics displayed by the show firewall command), the
commandalso clears the service accounting counters that are reported to theRADIUS
accounting server. For this reason, youmust be cautious in specifying which firewall
statistics you want to clear. When you reset firewall statistics to zero, you also zero
the counters reported to RADIUS.
• On the MX Series, subscriber management provides a route suppression feature that
enables you to override the DHCP default behavior that adds access-internal and
destination routes for DHCPv4 sessions, and to access-internal and access routes for
DHCPv6 sessions. However, you cannot suppress access-internal routes when the
subscriber is configuredwithboth IA_NAand IA_PDaddressesover IPdemux interfaces,
because the IA_PD route relies on the IA_NA route for next-hop connectivity.
• The show ppp interface interface-name extensive and show interfaces pp0 commands
display different values for the LCP state of a tunneled subscriber on the LAC. The
show ppp interface interface-name extensive command displays STOPPEDwhereas
the show interfaces pp0 command displays OPENED (which reflects the LCP state
before tunneling).Asaworkaround, use the showppp interface interface-nameextensive
command to determine the correct LCP state for the subscriber.
• Subscriber management is not supported when the routing protocol daemon (rpd) is
running in 64-bit mode. For subscriber management support, rpd must run in 32-bit
mode.
81Copyright © 2017, Juniper Networks, Inc.
Known Behavior
RelatedDocumentation
New and Changed Features on page 26•
• Changes in Behavior and Syntax on page 61
• Known Issues on page 82
• Resolved Issues on page 101
• Documentation Updates on page 217
• Migration, Upgrade, and Downgrade Instructions on page 242
• Product Compatibility on page 251
Known Issues
This section lists the known issues in hardware and software in JunosOSRelease 13.3R10
for the M Series, MX Series, and T Series.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
• Class of Service (CoS) on page 82
• Forwarding and Sampling on page 83
• General Routing on page 84
• High Availability (HA) and Resiliency on page 90
• Interfaces and Chassis on page 90
• J-Web on page 92
• Layer 2 Ethernet Services on page 92
• Layer 2 Features on page 92
• Multiprotocol Label Switching (MPLS) on page 93
• Network Management and Monitoring on page 94
• Platform and Infrastructure on page 95
• Routing Protocols on page 97
• Services Applications on page 99
• User Interface and Configuration on page 100
• VPNs on page 100
Class of Service (CoS)
• The errormessage only per-unit and 2-level hierarchical scheduler are supported on this
interface is a cosmetic regression issue without any functional impact. PR1050512
• When the chained-composite-next-hop is enabled for Layer 3 VPN routes, MPLS CoS
rewrite rules attached to the core-facing interface for "protocol
mpls-inet-both-non-vpn" are applied not only to non-VPN traffic (which is the correct
behavior) but also to Layer 3 VPN traffic -- that is, both MPLS and IP headers in Layer
3 VPN traffic receive CoS rewrite. PR1062648
Copyright © 2017, Juniper Networks, Inc.82
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Forwarding and Sampling
• OnMX Series routers with the network services enhanced IP configuration, when the
firewall daemon comes up as part of the system reboot, it cannot read the chassis
network-service configuration statement from the kernel. After several retries, the
firewall daemonmust choose the default chassis network service IP mode. When the
interface description change is committed, the firewall daemon attempts to read
chassis network-serviceagain. If it is successful, the firewall daemonmust restart itself
because the chassis network service configuration is in enhanced IPmode. When the
daemon restarts, openFlow connections are dropped.PR1035956
• When VRRP is configured on MX Series routers with MPC/MIC-based MX Series
interfaces, staticMACentries are installedon thePacket ForwardingEngine in theMAC
database as part of MAC filter installation. The MIB walk on some object identifiers
(OIDs) will trigger a walk over the MACMIB entry (walk over the static MAC entries
with no OIDs), resulting in an error message. During the walk, it is expected that no
entries are read from static MAC database entries; however, the EODB is not set to
indicate theMACdatabasewalk has ended. This error log does not have any functional
impact on the MIB walk:
mib2d[xxx]: MIB2D_RTSLIB_READ_FAILURE: check_rtsock_rc: failed in readingmac_db:
0 (Invalid argument)mib2d[xxx]: SNMP_GET_ERROR1: macStatsEntry getnext failed
for interface: index1 ge-*/*/* (Invalid argument)
The following oidmight trigger the issue: 1/ Rpf related oid 2/ AtmCos related oid 3/Mac
related oid , such as jnxMacStatsEntry 4/ PMon related oid 5/ jnxSonetAlarmTable 6/
Scu related oid 7/ jnxCmRescueChg 8/ jnxCmCfgChgEventLog 9/
jnxIpv4AdEntReasmMaxSize.PR1042610
• Moving an interface from onemesh group to another might cause the Layer 2 Address
Learning Daemon (L2ALD) to generate a core file. PR1077432
• In Junos OS Release 12.3R9 and later, if shared-bandwidth-policer is configured on an
ARPpolicer for annon-bundle interface,DHCPwill fail toworkafter thedevice reboots,
even if DHCP is not configured on that same interface. As a workaround, delete
shared-bandwidth-policer or apply this policer to a bundle interface. PR1116450
• After committing a configuration change, youmight see a warning like the following
in the messages log: dfwc: invalid filter program pointer, dph_abst=0xffefd82c
dph_comp=0x0 . There should be no impact to traffic or protocols. This is an
informationalmessage indicating that the dfwc process is compiling the firewall filters
for use on the FPCs. It can be safely ignored. PR1116538
• If abandwidth-percentbasedpolicer isappliedonanaggregatedEthernet (AE)bundle
without the shared-bandwidth-policerconfigurationstatement, trafficwill hit thepolicer
even if the traffic is notexceeding theconfiguredbandwidth.Asaworkaround, configure
the shared-bandwidth-policer configuration statement under the policer. PR1125071
• If you disable the default ARP policer and reboot, when you execute the commit full
command, the default ARPpolicer is attached to the logical interface again.PR1198107
83Copyright © 2017, Juniper Networks, Inc.
Known Issues
General Routing
• During interface flap, the FPC consolemight print the followingmessage:No localhost
ifl for rtt 65535. This is caused by a race condition in the software and is cosmetic.
PR676432
• OFTest can actively try to establish an openflow TCP connection on port 6633. When
OFTest is actively sending SYNmessages to request a TCP connection, the openflow
daemonsendsaTCP/IP reset (RST) flagand refuses theconnection request.PR838297
• Currently, most platforms do not support action set src-mac except QFX3500. Thus
if the controller pushes flowswith set src-mac to unsupported platforms, the CLI show
commanddisplays the flowwith action set src-mac but the router cannot program the
corresponding action to filter at the Packet Forwarding Engine. The router responds
to the controller with the following error message.OFPET_FLOW_MOD_FAILED and
reason code OFPMFC_UNSUPPORTED. code OFPMFC_UNSUPPORTED. PR838699
• The set ToS action is not supported. Flows containing this action are rejected and the
OpenFlow error messageOFPET_FLOW_MOD_FAILED and reason code
OFPFMFC_UNSUPPORTED sent to the controller PR838764
• set vlanpriority action is not supported. Flowscontaining suchanactionwill be rejected
and an error message sent back to the controller with error code
OFPET_FLOW_MOD_FAILED and reason code OFPFMFC_UNSUPPORTED PR838804
• OpenFlow is not supported in logical systems. If you configure the [edit protocols
openflow] hierarchy under the [edit logical-systems] hierarchy, a commit error is not
generated. PR839858
• When both Routing Engines in a dual-Routing Engine system reboot too quickly with
GRES enabled, 'ipsec-key-management' process would require a manual restart.
PR854794
• FTP/TFTP ALG connections/sec is limited to 10,000 connections/sec. PR875490
• Because the forwarding of a packet that arrives with MPLS labels is performed based
on theMPLS label and not basedon the IP address contained in the packet, the packet
is sampled at the output interface with the MPLS label that was popped not being
available at the time of sampling. In such a case, depending on the interface (IIF), the
VRF index is identified and the route for the sampled packet is determined in the VRF
table. Because a specific route is not available in the VRF that is different from theVRF
on which the packet is received, the Output Interface Index, Source Mask, and
Destination Mask fields are incorrectly populated. This behavior occurs when an IPv4
template is applied as a firewall filter on an egress interfacewith sample as the action.
PR876327
• This isaproduct limitation.NecessarydocumentationcanbedoneasnecessaryRelease
Notes or Enhancement Requests and assigned accordingly. PR882695
• The traffic-drd daemonmight hang once after logging into service PIC and restart the
net-monitor daemon. PR889982
• OnMXSeries routers, fabric chipsmight get incorrectly programmedafter unified ISSU
to Junos OS Release12.2 or later. To avoid this issue, make sure the system is in a clean
Copyright © 2017, Juniper Networks, Inc.84
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
state before performing unified ISSU. For more information on steps to achieve clean
state, see this KB article. http://kb.juniper.net/KB28133 PR900028
• Minor memory leaks might occur if you add and delete the samemulti-VLAN flow on
the order of 100,000 such add and delete operations. PR905620
• Sessions are getting timed out immediately while trying to create 7M/15M sessions on
MICs and /MPCs with bidirectional traffic. PR931081
• When service-set configuration and interface service option configuration changes are
committed together in an MX80 router, sometimes both changes are not applied. As
a workaround, commit after one configuration. PR932418
• SR10 transceivers do not support power statistics, because no power monitor is
available on these transceivers. It is an expected behavior to see zero power values on
SR10 CFP. PR932599
• On the 2x10GEMIC and 4x10GEMIC, a +/-6.2ppm frequency offset occurs with the
SyncE operation. As a workaround, match the framing of the PIC and the interface
(this does not occur by default). PR932659
• A 50-Kbps performance drop (since the previous release) occurs on MICs and MPC
with IMIX traffic for next-hop style IPsec tunnels with session traffic. PR935393
• In some scenarios, the floodlight controller cannot connect to the switch running
openflowed because of the contents in the OFPT_SET_CONFIG packet.PR940707
• Asserting flow control when using the show services sessions command with large of
sessions present in MS-MICs results in traffic drop. PR947674
• AVirtualPrivateLanService(VPLS)scenario,when theDensePortConcentrator(DPC)
linecardsuse the label switched interface(lsi) interface, theMediaAccessControl(MAC)
address is incorrectly learned. PR947691
• When the BCM0 interface goes down, the Routing Engine should switch over on the
M320Multiservice Edge Router.. PR949517
• IPsec tunnels are deleted with Network Address Translation-Traversal (NAT-T) and
dead peer detection (DPD) on IPsec rekey. PR951616
• Traceroute through an interface-services style AMS service-set fails under some
configurations. PR966171
• BFDsession flap is expected in scaledenvironmentwhen restarting chassisdor Flexible
PIC Concentrators (FPCs). ". PR969023
• When themirror destination interface is a next-hop-subgroup and the enhanced-IP
chassis configuration statement is enabled, any mirroring applied on L3 interfaces
(inet/inet6) might not work in certain scenarios. PR972138
• Output for the show chassis power detail command displays power consumption as
zero for Windsurf FPCs in Junos OS Release 13.3R2 images. PR981621
• IPsec endpoint fails to decrypt packets on some of the tunnels with NAT between
IPsec endpoints. PR989054
85Copyright © 2017, Juniper Networks, Inc.
Known Issues
• When you use the restart packet-triggered-subscribers command, sessions between
the MX Series SAE and SRC (external policy manager) might become out-of sync. As
a result, new subscribers cannot be created. PR990788
• An inconsistency between JUNIPER-VPN-MIB and MPLS-L3VPN-STD-MIB regarding
the number of interfaces for a routing instance has been identified. For example, note
the following configuration:
user@router-re0>showconfiguration routing-instances ri1 instance-typevrf; interface
ge-2/0/8.10; interface lo0.10; route-distinguisher 65000:1; vrf-target target:65000:1;
vrf-table-label; According to the MPLS-L3VPN-STD-MIB,
maplsL3VpnVrfAssociatedInterfaces: OID: 1.3.6.1.2.1.10.166.11.1.2.2.1.8
Description: Total number of Interfaces connected to this VRF (Independent of
IfOperStatus type). {master} user@router-re0> show snmpmlb walk
1.3.6.1.2.1.10.166.11.1.2.2.1.8 mplsL3VpnVrfAssociatedInterfaces.3.114.105.49 = 2
According to JUNIPER-VPN-MIB, there interfaces in this VRF:
JUNIPER-VPN-MIB :: jnxVpnIfStatusOID: 1.3.6.1.4.1.2636.3.26.1.3.1.10Description:Status
of a monitored VPN Interface.
user@router-re0> show snmpmib walk 1.3.6.1.4.1.2636.3.26.1.3.1.10
jnxVpnIfStatus.2.3.114.105.49.733 = 5 jnxVpnIfStatus.2.3.114.105.49.754 = 5
jnxVpnIfStatus.2.3.114.105.49.774 = 5.
The interfaces in the example are: {master} user@router-re0> show snmpmib walk
1.3.6.1.2.1.2.2.1.2 ifDescr.733 = ge-2/0/8.10 ifDescr.754 = lo0.10 ifDescr.774 = lsi.0.
As a workaround, remove the dynamic interface (in this case, Isi.0) from the interface
list of JUNIPER-VPN-MIB.PR1011763
• There is an existing optimization in the Routing Engine kernel in which the add IPCs of
interface objects (IFD/IFL/IFF/IFA) are not sent to the FPCs (that is, these IPCs get
suppressed) when the corresponding IFD no longer has the IFDF_PRESENT flag set.
Since chassisd has already removed this flag from the IFD, all daemons will start
cleaning up the whole hierarchy, and soon the device control process (dcd) will delete
IFAs/IFFs/IFLs under it, before deleting the IFD itself. The kernel keeps track of which
object's add IPC was suppressed for which FPC peer (it is a per-object bit vector) and
suppresses the delete IPC as well if the add was suppressed. However, this logic does
not exist for RT and NH objects. Therefore, occasionally the FPCmight receive a NH
IPC for which the parent IFL got suppressed in the kernel. In this case, error messages
will be generated; however, the messages can be ignored because DCDwill delete
everything once scheduled. PR1015941
• With Enhanced IP network service mode configured, traffic might fail to be sent out
over the inline LSQ bundle interface. PR1018887
• InBGPMVPNRPT-SPTmode,onanegressprovider edge(PE)devicewithan interface
with static IGMPv2 configuredanddirectly connected IGMPv2hosts, the IGMP reports
can be treated as multicast data packets by the Packet Forwarding Engine, triggering
data events (IIF-MISMATCH) that can create undesirable (S,G) states. These states
are usually harmless but on large scale, can result in resource utilization. Note that in
BGPMVPNRPT-SPTmode, directly connected receivers and senders are not officially
supported for other reasons (because of lack of SPT-Switch capability). PR1021501
Copyright © 2017, Juniper Networks, Inc.86
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• On the MPC5E card, drops on ingress are unaccounted for when you run the show
interfaces extensive command. After you run the no-flow-control command, the drops
become visible. PR1037632
• When the ps interface is configured using a logical tunnel (lt) interface as anchor,
withoutexplicit tunnel-bandwidthconfiguration (under the [chassis fpc<fpc-number>
pic <pic-number> tunnel-services] hierarchy), the ps interface is created only in the
kernel, but not in the Packet Forwarding Engine. In order to have the ps interface in the
Packet Forwarding Engine, an explicit tunnel-bandwidth configuration is required.
PR1042737
• OnMX Series routers with MS-MICs and MS-MPCs, with 3:1 redundancy enabled for
AMS interfaces where onemember interface can back upmultiple other member
interfaces, it is observed that stale flows are preserved and not cleared for a long time.
Thisproblemoccurswith stateful firewall andcarrier-gradeNATconfigured.PR1055388
• On a P2MP branch node router, if the network-services is not in enhanced-ip mode,
packet drop will seen when another sub-LSP within the same P2MP is flapping.
PR1057927
• In the LDP tunneling over single-hop RSVP-based LSP environment, after enabling
chained-composite-next-hop, the router might fail to create the chained composite
next hops if the label value of VPN is equal to the label value of LDP. PR1058146
• Alogmessage requestinganupgradeofVSC8248firmwareofMPC3/MPC4 isdisplayed
during Junos OS upgrade. PR1058184
• The MS-MPC does not support clock synchronization, because it has no
clocking-capable interfaces. On receipt of clock synchronization messages, the router
logs the following message: Jan 20 17:33:14.032 2015 ROUTER_RE0 :%PFE-3: fpc1
gencfg nomsg handlers for gencfg msg command 34 Jan 20 17:35:18.388 2015
ROUTER_RE0/kernel:%KERN-1-GENCFG:op34(CLKSYNCblob) failed; err 7 (Doesnot
Exist). PR1062132
• When you use thempls-ipv4-template sampling template for non-IP traffic
encapsulated in MPLS, log messages such as this one can be seen frequently
(depending upon the rate of traffic, there could be a range of fewmessages to
2000-3000messages per minute): Feb 18 09:28:47 Router-re0 :%DAEMON-3: (FPC
Slot 2, PIC Slot 0)ms20mspmand[171]: jflow_process_session_close: Could not get
session extension: 0x939d53448 sc_pid: 5. Depending upon the frequency of the
messages per second, eventd (daemon) utilization can shoot up processing these
system logs at the Routing Engine. Eventually, high CPU utilization is observed at the
Routing Engine, which can by checked by using show chassis routing-engine or the
freebsd "Top" command under the shell. CPU states:% user,% nice,% system,%
interrupt,% idle <<<<< user cpu% (top command) "show chassis routing-engine"
Routing Engine status: <> CPU utilization: User percent <<<<<<<<<<<<< Background
percent Kernel percent Interrupt percent Idle percent .PR1065788
• Class 4 (32W) optics are not supported on the MPC4E (2CGE+8XGE). Upon insertion
and removal of a Class 4 optic, the TX laser will remain powered off, even when a
supported optic is inserted. PR1068269
87Copyright © 2017, Juniper Networks, Inc.
Known Issues
• ICMP echo_reply traffic with applications like IPsecwill not work with theMS-MIC and
MS-MPC cards in an asymmetric traffic environment, because these cards employ a
stateful firewall by default. The packetwill be dropped at the stateful firewall because
it detects an ICMP reply that does not have amatching session. PR1072180
• The license-checkprocessmight consumemoreCPUutilizationon theRoutingEngine.
This canoccurwhencertain featuresattempt to registerwith the license-checkdaemon
and the daemon cannot process the requests. PR1077976
• On chassis-based line cards, the FI: Protect: Parity error for CP freepool SRAM SRAM
parity error might be seen. It is harmless and can be ignored. PR1079726
• M7i with ASMmodule and IPsec service is unsupported on Junos OS Release 13.3X.
This product has reached End of Life (EOL). PR1082450
• TCPmessages do not have their MSS adjusted by the Multiservices MIC and MPC if
they do not belong to an established session. PR1084653
• On PTX Series platforms, some non-fatal interrupts (for example, CM cache or AQD
interrupts) are logged as fatal interrupts. The following log messages will be shown
on CM parity interrupt: fpc0 TQCHIP 0: CM parity Fatal interrupt,Interrupt status:0x10
fpc0 CMSNG: Fatal ASIC error, chip TQ fpc0 TQCHIP 0: CM cache parity Fatal interrupt
has occurred 181 time(s) in 180010msecs TQCHIP0: CMcache parity Fatal interrupt has
occurred 181 time(s) in 180005msecs PR1089955
• Incorrect diagnostic optics information might be seen for the GE-LX10 SFP and SFP+
for SumitomoElectric. The issue is seen only for the following SFP type: "Xcvr vendor
part number: SCP6F44-J3-ANEÂ  it can be seen with show chassis pic fpc-slot X
pic-slot Y. user@device> show chassis pic fpc-slot 0 pic-slot 0 .. PIC port information:
Fiber Xcvr vendorWave- Xcvr Port Cable type type Xcvr vendor part number length
Firmware 0 GIGE 1000LX10 SMOPNEXT INC TRF5736AALB227 1310 nm0.0 1 GIGE
1000LX10 SM FINISAR CORP. FTLF1318P2BTL-J1 1310 nm0.0 2 GIGE 1000LX10 SM
SumitomoElectric SCP6F44-J3-ANE 1310 nm0.0 <<<<Error SFP>. PR1091063
• Themspmand processmight crash because of prolonged flow control with TCP ALGs
when the following conditions happen together:
1. The system is overloaded with TCP ALG Traffic. 2. There are lots of retransmissions
and reordered packets. PR1092655
• When the control path is busy/stuck for the service PIC, the AMSmember interface
hoistedby itmight bedown, butwhen thebusy/stuck condition is cleared, themember
interface might not recover, and AMS bundle will still show the PIC as inactive.
PR1093460
• WhenBGPmultipath is enabled ina virtual routingand forwarding (VRF), ifauto-export
and rib-group are configured to leak BGP routes from this VRF table to another (for
example, the default routing table), traffic coming from the default routing instance
might not be properly load-balanced because of the multipath route leaked into the
default routing table is not the active route. This is a random issue. As a workaround,
only use auto-export to exchange the routes among the routing tables. PR1099496
• OnMX104 Series platform, you use snmpbulkget or snmpbulkwalk (for example, used
by the SNMP server) on a chassisd - related component (for example,
Copyright © 2017, Juniper Networks, Inc.88
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
jnxOperatingEntry), chassis process (chassisd) high CPU usage and slow response
might be seen because of hardware limitation, whichmight also lead to query timeout
on the SNMP client. In addition, the issue might not be seen when using SNMP query
for interface statistics. As a workaround, do either of the following: (Option 1)
Option 1 Use snmpget or snmpwalk instead of snmpbulkget or snmpbulkwalk, and
include "-t 30" options when doing the SNMP query (for example, "snmpget -v2c -c
XX -t 30").
Option 2 Use "-t 30" option with snmpbulkget or snmpbulkwalk (for example,
"snmpbulkget -v2c -c XX -t 30"). PR1103870
• On TX/TXP Series platform, during an LCC hit overtemp situation, it might go offline
abruptly without notifying SFC and other LCCs, which might cause traffic loss or
performance degradation. PR1116942
• TCP-Tickle Packets sent to Public Side targets will have the wrong sequence number
and also will have the untranslated private IP set as the source IP address. PR1117404
• On FPC-SFF-PTX-P1-A(PTX3000) /FPC-SFF-PTX-T(PTX3000)
/FPC-PTX-P1-A(PTX5000), and FPC2 -PTX-P1A(PTX5000), packet loss might be
observed in an equal-cost multipath (ECMP) or aggregated Ethernet (AE) scenario.
The issue occurs in a race condition: the unilist is created before ARP learned the MAC
addresses, then the selector table is corrupted. PR1120370
• In a multihoming EVPN scenario in which the customer-facing interface is an AE
interface, after moving an interface from the EVPN instance into a VPLS instance,
traffic loss might be seen on the customer edge (CE) device facing FPC. PR1126155
• In certain rare conditions, the FPC virtual output queue (VoQ) wedges, resulting in
dropped packets on the ingress Packet Forwarding Engine for the PTX router. Because
the wedge is unable to be reproduced, detection of the wedge condition is introduced
that alarmwould be raised once the wedge condition is detected within 10 seconds.
PR1127958
• A fewNAT ruleupdatesarenot effectiveoncurrent active sessions.Only "clear services
sessions" could help to apply the new rule. PR1142961
• In case of an active BGPmultipath route with more than two indirect next hops and
another BGP route that can participate in protocol-independentmultipathwith router
next hop, rpdmight crash if the interface onwhich the firstmember of the indirect next
hop resolves goes down. PR1156811
• On T Series and TX Series platforms, when themaster Switch Processor Mezzanine
Board (SPMB) goes for a reboot(goes offline/online), all Switch Interface Boards
(SIBs) will get hard-restarted. As a result, the traffic will fall into a black hole for more
than 1 min. PR1160658
• On T Series platforms with 10x10GE Type 4 PIC installed, if an interface in such a PIC
is configuredwithWANPHYmode, theCoSconfigurationon theportwill be incorrectly
programmed and it might result in unexpected packet drop. PR1179556
• GUMEMerrors for the sameaddressmight continually be logged if a parity error occurs
in a locked location in GUMEM. Thesemessages should not impact performance. The
parity error in the locked location can be cleared by rebooting the FPC. PR1200503
89Copyright © 2017, Juniper Networks, Inc.
Known Issues
High Availability (HA) and Resiliency
• After configuring a resolver import policy, some routes are stuck with unresolved next
hops in the resolver. Even though there exists an IGP route to resolve the protocol next
hop, the next hops remain unresolved. PR819068
• During a router hardware upgrade procedure, in a dual Routing Engine system, the
newly installed Routing Enginemight overwrite the other Routing Engine configuration
with the factory-default configuration. As a result, both Routing Engines may boot up
in "Amnesiac" mode. PR909692
• If NSR Routing Engine switchover occurs right after you commit the configuration
change that deletes routing instances, some of those instances might not be deleted
from the forwarding table. PR914878
Interfaces and Chassis
• A DCD configuration write failure message is returned from the kernel when trying to
set an IFF object for pfh interfaces as the kernel rejects this as "Operation not
supported". PR742403
• To troubleshoot a particular subscriber, you can use 'monitor traffic interface <ifd>
write-file xy.pcap'. Using this command on aggregated or demux interfaces can lead
to corrupted ingress packets in the PCAP file. Customer traffic is not affected though.
PR771447
• Whensubscribermanagement control traffic is collectedusingmonitor traffic interface
demux0write-file xy.pcap, the logical unit number is incorrect whenmultiple demux
logical interfaces are present. This problem is fixed and the correct interface logical
unit number is reported in the juniper header of the captured PCAP file. However,
customer traffic is not affected. PR771453
• The kernel might crash on themaster Routing Engine if there are overlapping IP
addresses configured on the same interface. As a workaround, if possible, delete first
all the overlapping IP addresses, starting with the smaller subnet. Then reconfigure
only the IPaddress that is necessary on that interface. In this caseboth the IPaddresses
(10.99.250.156/2; 10.99.250.157/29) have to be deleted first and then the interface
can be configured with the correct IP address (10.99.250.157/29). PR785030
• The online insertion and removal (OIR) is not supported on PIC(PD-4XGE-XFP)
currently. If the PIC(PD-4XGE-XFP) is pulled from the FPC without first being offline,
the FPC crashes and generates a core file. PR874266
• PPP interfaceMTUchangesoccurafter youmakeconfigurationchanges to thesystem.
PR897940
• A nonexistent leg in an aggregated Ethernet bundle prevents DHCP subscribers from
coming up. PR918745
• In Junos OS Release 13.3, commit time improvements have been implemented for the
dcdmodule; however, the first commit after the reboot of the Routing Engine takes
longer time to complete, as compared to the subsequent similar commits. PR942351
Copyright © 2017, Juniper Networks, Inc.90
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• The following logs are seen with certain configuration changes: Dec 24 06:22:16
dcd[4177]: ae1: per-unit-scheduler is valid only on FR and VLAN encapsulation. Dec 24
06:22:17 dcd[1660]: ae1: per-unit-scheduler is valid only onFRandVLANencapsulation..
In this case, the check for allowing per-unit-scheduler on the AE interface was done
before the encapsulation attribute of AE interface was read, and therefore dcd
generated this log errormessage for any of themodifications on theAE interface. Issue
is cosmetic in nature. PR951434
• The PCS statistics counter onNEOMIC can increment even though no XFP is installed.
PR954896
• Demux Subscriber IFLs might show the interface as Hardware-Down even though the
underlying aggregated Ethernet bundle and its member links show up. PR971272
• In the large scaled VPLS environment (in this case, more than 2000 VPLS sessions),
when larger scale route updates occur during In-Service Software Upgrade (ISSU),
one of the FPCs in the router might get stuck in Ready state. In normal upgrades, this
issue will not be observed. PR986264
• On dual Routing Engine platforms, when adding the logical interfaces (IFLs) and
committing, becauseof thedevicecontrolprocess (dcd)on thebackupRoutingEngine
might fail to process the configuration and keep it in the memory. In some cases, it
might beobserved that thememoryof thedcd keeps increasingon thebackupRouting
Engine. PR1014098
• Powering off by pushing theOffline button on themaster Routing Engine causes lots
of packets to be lost even though GRES/NSR is configured. FPC gets rebooted after
the Routing Engine switchover, which also causes traffic loss. PR1034164
• For multichassis link aggregation groups (MC-LAGs) running in active-active mode
with back-to-back square topology, when the Inter-chassis Control Protocol (ICCP)
is broken between any MC-LAG devices, the non-preferred device reverts to its own
local system ID. However, its Link Aggregation Control Protocol (LACP) partner on the
remote side does not remove the flap link from the AE bundle and it remains UP. This
might cause a network-wide loop resulting in traffic outage until manual intervention..
PR1061460
• Deactivating/activating logical interfacesmight causeBGPsession flappingwhenBGP
is using VRRPVIP as source address. This is caused by a timing issue between dcd and
the VRRP overlay file. When dcd reads the overlay file, it is not the updated one or the
one to be updated. This results in error and dcd stops parsing the VRRP overlay file.
PR1089576
• DCD generates a core file at /src/junos/sbin/dcd/infra/lag-link-dist/lag_link_dist_db.c
PR1105235
• In an L2TP subscriber management condition with LTS/LNS configured or when a
heapmemory violation occurs, the jpppd crashes and generates a core file. PR1140981
• Two issues may occurs in PPPoE/PPP subscriber management environment.
• PPPdaemon issue:whenPPPdaemonrestarts/crashes, theremightbe inconsistency
between interface state and SDB (the SDB entry for the IFL is incorrectly removed),
which results in stranded IFL.
91Copyright © 2017, Juniper Networks, Inc.
Known Issues
• PPPoE daemon issue: when PPP daemon issue occurs, the PPPoE Active Discovery
Initiation (PADI) may get dropped due to stale "duplicate-protection" state in the
stranded IFL, which result in PPPoE subscriber login failure if the PPPoE subscribers
are actively logging in. PR1179931
J-Web
• When you open a J-Web interface session using HTTPS, enter a username and a
password, and thenclick theLoginbutton, the J-Web interface takes20seconds longer
to launch and load the Dashboard page than it does if you use HTTP. PR549934
• When the J-Web interface is launchedusingHTTPS, the time shown in theViewEvents
page (Monitor >Events And Alarms > View Events) differs from the actual time in the
switch. As a workaround, set the correct time in the box after the J-Web interface is
launched. PR558556
Layer 2 Ethernet Services
• Bridge domainmac-table does not update when arp is recieved formac on a different
interface. PR1088083
• There is a bug in code of handling the redistribution of periodic packet
management(PPM). Transmit and Adjacency entries for LACP, when the Interface
entry is inpendingdistribution state. This issuemight causeppmdtocrashafter graceful
Routing Engine switchover. PR1116741
• IPv4 and IPv6 long Virtual Router Redundancy Protocol (VRRP) convergence delay
andunexpectedpacket lossmighthappenwhenMACmove for the IRB interfaceoccurs
(for example, when flap occurs on Layer 2 interface, which is the underlying interface
of IRB onmaster VRRP). PR1116757
• For Routing Engine generated packets with VLAN tag, if the outgoing interface is an
LT interface, the VLAN tagwill not be removed even the LT interface is configuredwith
untagged encapsulation. PR1118540
• If a client sends a DHCP Request packet, and Option 55 includes PAD option (0), a
DHCP ACKwill not be sent back to the client. PR1201413
Layer 2 Features
• In a high-scale VPLS configuration,modification of a tunnel interface through a restart
or reconfiguration might cause the Packet Forwarding Engine to access an invalid
interface, resulting inminor packet loss and logging of packet processing engine traps.
Existing traffic flows on the Packet Forwarding Engine are not affected. The router
recovers quickly and normal operation resumeswith the new configuration. PR976972
• The rpdmight crash while trying to get the VPLS instance from the VPLS interface. In
a rare scenario, when the interface has *DELETED as well as a VCIFUK* flag, that
means the interface is still in the kernel update queue. As a result, it is still not
completely wiped out, but the instance pointer is already reset to NULL. However, due
to an assertion that insists that the instance pointer must NOT be NULL value, the rpd
crashes. PR1048737
Copyright © 2017, Juniper Networks, Inc.92
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• When "input-vlan-map" with "push" operation is enabled for dual-tagged interfaces
in "enhanced-ip" mode, the broadcast, unknown unicast, andmulticast (BUM) traffic
might be silently dropped or discarded on some of the child interfaces of the egress
Aggregated Ethernet (AE) interfaces or on some of the equal-cost multi path (ECMP)
core links. PR1078617
• When configuring the ecmp-alb configuration statement to enable adaptive load
balancing for equal-cost multipath (ECMP) next hops, the VPLS broadcast, unknown
unicast, andmulticast (BUM) trafficmightbedroppedon theegressPacketForwarding
Engine when ingress/egress interfaces are distributed to more than one Packet
Forwarding Engine. As a workaround, you can disable ecmp-alb to avoid this issue.
PR1142869
Multiprotocol Label Switching (MPLS)
• Given a point-to-multipoint branch label-switched path (LSP), the value of
jnxMplsTeP2mpTunnelTotalUpTime is reported incorrectly after a new instance of
the branch LSP is re-signaled at the ingress. PR543855
• When a firewall filter is set on Bidirectional Forwarding Detection (BFD) remote side
egress direction to block the incoming packet in local router point of view, and then
after the firewall filter is deleted, the BFD session might get stuck in "Init" state and
the remote state is "Down". PR860951
• Currently configuration of both fast-reroute and link-protection/node-link-protection
on a single LSP are allowed. However, when you configure both types of protection on
the LSPs, it might cause scaling issues in your network. As a workaround, you should
restrict the configuration toeither fast-rerouteor link/node-linkprotectiononaper-LSP
basis. PR860960
• When an LDP-enabled router receives a LDP label mappingmessage that includes an
unknown type, length, andvalue (TLV)withunknownand forwardbit set, theunknown
TLVwill be re-advertisedalongwith the LDPmessage to the upstream label-switching
router (LSR). . However, due to amerge issue, Junos OS appends these unknown TLVs
multiple times during construction of the label mapping message and will have a
unknown TLV(0x0000) with length 0 among the appended unknown TLVs, causing
LDP session flap on the peer. PR1037917
• Whenusingmplstraffic-engineeringbgp-igp-both-ribswithLDPandRSVPbothenabled,
Constrained Shortest Path First (CSPF) for interdomain RSVP LSPs cannot find the
exit area border router (ABR) when there are two or more such ABRs. This causes
interdomain RSVP LSPs to break. RSVP LSPs within the same area are not affected.
As a workaround, you can either run RSVP only on OSPF ABR or ISIS L1/L2 routers and
switch RSVP off on other OSPF area 0/ISIS L2 routers, or you can only use RSVP and
not use LDP at all. PR1048560
• When an LSP is link-protected and has no-local-reversion configured, if the primary
link (link1) is down and LSP on bypass (link2), then another link (link3) is brought up,
before the LSP switch to link3. If link1 is enabled and link3 is disabled, the LSP will get
stuck in bypass LSP forever. This is a timing issue. PR1091774
• The traffic might be dropped for a hashing issue to the choice egress aggregated
Ethernet(AE) member port when there is a unilist of integrated routing and bridging
93Copyright © 2017, Juniper Networks, Inc.
Known Issues
(IRB) interfaces that have underlying interfaces aggregates and label-switched
interfaces (LSIs).PR1112205
• During theLSPswitchover, theHighestWatermarkBWmightget set toanunexpectedly
high value. The issue happens because of an incorrect reference point taken while
calculating the Max avg BW in the last interval, and this results in an incorrect Highest
Watermark BW in the autobandwidth stats. PR1118573
• After the Packet Forwarding Engine restarts, benign error messages are generated.
These can be ignored.PR1136033
• Static MPLS LSP using the VT interface as a outgoing interface would not come up.
PR1151737
• If RSVP link-protection optimize-timer is enabled, rpdmemory might leak in "TED
cross-connect" when a bypass LSP is being optimized. PR1198775
• With two Routing Engines and ldp export policy or l2-smart-policy configured, rpd on
the backup Routing Engine might crash when ldp is trying to delete a filtered label
binding. PR1211194
NetworkManagement andMonitoring
• When sessions are coming at a high rate, a fewof the syslogs are not logged.PR868812
• In one scenario, the Packet Forwarding Engine is not able to keep up with full stats
requests from the Packet Forwarding Engine process (pfed). . Because of this delay,
pfed runs out of transfer credits to send stats request to thePacket Forwarding Engine.
It starts returning full stats requests with error response to mib2d with ifl-info flag set
to LSSTATSandapayload filledwith value zero. In this case,mib2d treats the returned
0 filled stats value as correct stats and returns the 0 values. This causes a spike in
delta value calculated by the side script. PR1010534
• On rare occasions, the event processing process (eventd) crashes and generates a
core file when it receives a new signal while it is processing another signal. The eventd
process uses the event library for signal handling. The crash is caused by a race
condition/ synchronization issue in the event library while handling signals. The event
library is not signal safe and thus is vulnerable to such issues. The eventd process
handles different kinds of signals (through signal handlers): SIGHUP (on commit),
SIGTERM (on killing eventd), SIGCHLD (on termination of event script execution), and
SIGUSR1 & SIGUSR2 (on log rotation). If one signal handler is preempted by another
signal-handler, WaitList structures are adversely affected, resulting in generation of a
core file. PR1122877
• In a certain MIB view configurations specific MIB OID instances are excluded from the
MIBview. In this scenario,whenanSNMPbulk-get request ismade that coversadjacent
MIB objects (at the end of the MIB view), the responsemight bemalformed and get
dropped at snmpd. PR1126432
Copyright © 2017, Juniper Networks, Inc.94
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Platform and Infrastructure
• The show route forwarding-table command only displays <= 16 ecmp pathswhen CBF
is used. PR832999
• In a scaled environment with Bidirectional Forwarding Detection (BFD), addition or
deletion of member links to the existing aggregated Ethernet bundle causes the BFD
session to flap. PR838584
• When scripts are synchronized from one Routing Engine to the other, the destination
for the scripts in the other Routing Engine should be based on the configuration on the
otherRoutingEngine.An issueprevents this fromhappeninganddestination for scripts
depends on the current Routing Engine fromwhich the scripts were synchronized
instead of the configuration on the other Routing Engine. PR841087
• Inline J-Flow PPS rate is not at the line rate for 100G line cards. The following
performance numbers are for Junos OS Release 13.2 and later (numbers are the same
as for Release 12.3): Packet Size 64B 256B 400B 1500B Hyperion(mpps) 59.0 45.3
29.78.2Snorkel (mpps)29.7 29.322.86.3Line rate(mpps) 148.845.329.78.2PR875601
• In scaled scenario with a large number of probes (around 500), some intermittent
spikes around 500 to 1500 usec (the normal range should be 100-300 usec) in Round
Trip Time (RTT) are seen. The overall average RTTmeasurement is not deviated by
much as, though, because these are not seen regularly.PR892973
• Duringcommit, the followingerrormessagemightbeobserved in syslog:auditd[2303]:
%DAEMON-3-AUDITD_RADIUS_AV_ERROR:Unabletocreatecommandrecord:Attribute
too long. This error can occur in the older releases when the Radius AVmessage size
of 248 is exceeded. PR897295
• Router directly connected to multicast source fails to send all the source traffic sent
at line rate toward the down stream interface whenmore than 60MLDmembers are
connected, and MLD sessions flap. PR944001
• In some corner scenarios, when Bidirectional Forwarding Detection (BFD) and host
fast reroute (HFRR) are configured on the same interface, after a link flap for the
protected interface, the BFD session cannot come up because of the HFRR selecting
the backup path to transit traffic, and the HFRR primary path can not be selected due
to BFD session is down. PR951656
• A defect in Layer 3 VPNMake Before Break code results in freeing memory
corresponding to old next hops that is being used by the egress Packet Forwarding
Engine. This results in memory corruption. PR971821
• In the dual Routing Engines scenario with NSR configuration, the configuration
statement groups re0 interfaces fxp0 unit 0 is configured. If you disable interface fxp0,
the backup Routing Engine is unable to proceed with commit processing because of
SIGHUP isnot received, and the rpdprocesson thebackupRoutingEnginemight crash.
PR974430
• XML traceroute does not display as-numbers. PR988727
• GRES does not clear system login to the original master-only fxp0 addresses causing
stale login sessions. PR991029
95Copyright © 2017, Juniper Networks, Inc.
Known Issues
• The IFD rate is calculated as the sum of the rates of all logical interfaces on top of that
physical interface. Logical interface rates are expressed in integral number of packets
per second; that is, the exact traffic rate is truncated to the nearest integral value. The
lower the traffic rate, the higher the percentage of error between the actual and
displayed rate.While this error is insignificantwhenpresenting the rate for an individual
logical interface, it ismultipliedwhen rates of individual logical interfaces are summed
up to calculate the physical interface rate. This might lead to reporting lower physical
interface traffic rate than the actual rate of the traffic being received or sent on the
interface under a low bandwidth utilization condition. PR992976
• Rate-limit value does not match between Routing Engine and Packet Forwarding
Engine. PR1023809
• Occasionally, while performing Multiple GRES and SDG switchovers for long duration,
the backupRouting Enginewill not be in syncwith themaster Routing Engine and thus
is not ready to take the mastership during Routing Engine Failover. PR1037985
• IPv6packet loss occurs and traffic degradesasa result ofMXSeries havinga restrictive
rate limit on ICMPv6 packet too big. PR1042699
• Once theTrafficOffloadEngine thread is stalledbecauseofmemoryerrorat the lookup
chip, all statistics collection from the interfaces hosted by this Packet Forwarding
Engine are not updated anymore. PR1051076
• In configurationswith IRB interfaces, during times of interface deletion, such as an FPC
reboot, the Packet Forwarding Engine might log errors such as
nh_ucast_change:291Referenced l2ifl not found. This condition shouldbe transient,with
the system reconverging on the expected state. PR1054798
• OnMX Series routers with frame-relay (FR) CCC to connect FR passport devices, if
someof the FR circuits carry trafficwithout any valid FR encapsulations, theMXSeries
based Packet Forwarding Engine drops those frames. PR1059992
• If a RADIUS server is configured as accounting server, when it is not reachable, the
auditd processmight become overloaded, sending a huge number of audit logs to the
server and then crashing. PR1062016
• WithVLANmanipulationconfigured for EthernetServices, incorrect frame lengthmight
be used for egress policing on MX Series with MPCs/MICs based line cards. Currently,
the frame length calculation is inconsistent for different traffic topology. When traffic
crosses the fabric, the frame length prior to output VLANmanipulation is used. With
local traffic, the frame length prior to input VLANmanipulation is used. However, the
length after output VLANmanipulation should always be used. PR1064496
• When deleting some uncommitted configuration on the active Routing Engine, the rpd
process on the backup Routing Engine might restart due to Unable to proceedwith
commit processing due to SIGHUP not received. Restarting to recover. PR1075089
• Fragmenting a special host outbound IP packet with an invalid IP header length (IP
header length is greater than actual memory buffer packet header length) can trigger
NULLmbufaccessinganddereferencing,whichmight lead toakernel panic.PR1102044
• JunosOSconfigurationdatabasecorruptionoccurs, resulting in two<junos comment>
entries under the [interfaces] stanza. PR1102086
Copyright © 2017, Juniper Networks, Inc.96
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• The following fields have been added to v10 Sampling (IPFIX) template and data
packets: - SAMPLING RATE - SAMPLING INACTIVE TIMEOUT - SAMPLING ACTIVE
TIMEOUT - TOTAL PACKETS EXPORTED - TOTAL FLOWS EXPORTED. PR1103251
• Output between VTY commands show jnh 0 pool and show jnh 0 pool usage differs
for internal JNHmemory usage. PR1103660
• On ungraceful exit of telnet (quit/shell logout), perm and env files created by pam are
not deleted. PR1142436
• If one logging user is a remote TACACS/RADIUS user, this remote user will bemapped
to a local user on the device. For permissions authorization of flow-tap operations,
when permissions are set on the local device without being set on the remote server,
they cannot work correctly. The flow-tap operations are as follows:
flow-tap -- Can view flow-tap configuration flow-tap-control -- Canmodify flow-tap
configuration flow-tap-operation -- Can tap flows PR1159832
Routing Protocols
• The route distinguisher ID configured in routing-options should not overlap with the
explicitly configured route distinguisher under the routing instance. As a workaround,
ensure that overlap does not happen by other means as well (for example, the same
route distinguisher ID configured at multiple routers). PR529339
• RPD running on the backup Routing Engine might generate core files when a router is
configured for NSR with an inter-AS BGP-signaled L2VPN/VPLS and the router is
functioning as a provider edge (PE) router. The problem is only observed in a highly
scaled setupwith hundreds or thousands of configured L2VPN/VPLS instances. There
is no impact to the master Routing Engine. PR710075
• The routingprotocoldaemon(rpd)mightgenerateacore file inmulticast environment.
This issue is caused by an internal logic error. When a PIM (S,G) state is deleted, the
code should stop processing the (S,G) but it does not. PR785073
• BFD triggered local-repair(RLI9007) is not initiating immediately on receiving a BFD
DOWN packet when the peer has detected the BFD session as down through control
expiry. PR825283
• In rare cases, rpdmight generate a core file with signature "rt_notbest_sanity: Path
selection failure on ..." The core is 'soft'. There should be no impact to traffic or routing
protocols. PR946415
• The rpd process will crash and generate a core file because of an ASPATH check error
when RIB groups are added before VRF.PR959962
• A bug in the code path for show route resolution causes an extra decrement of the
refcount in the show handling. This was causing an early free of some shared object
and a crash. PR995170
• When BGP IPv6 peers are flapping in a scaling setup, rpdmight crash on the backup
Routing Engine because of the BGP standby outbuffer size limit. PR1006185
97Copyright © 2017, Juniper Networks, Inc.
Known Issues
• Scaled configurations toggling from 64-bit to 32-bit rpd at the same time that Rosen
MVPN routing instances are deleted can result in a kernel core file being generated on
the backup Routing Engine. PR1022847
• When configuring the router in RRmode (cluster-id or option BMP-eBGPpeering), the
advertise-external feature is not applicable in local VRFs because of a difference in
the routeselection/advertisementprocess (mainbgp.l3vpn.0vsVRF.inet.0).PR1023693
• The static/static access routes pointing to an unnumbered interface are getting added
in the routing table even if the interface is down. In this case, if graceful Routing Engine
switchover (GRES) is disabled, this type of route will never be added in the routing
table after Routing Engine switchover. PR1064331
• BFD sessions configured with authentication of algorithm keyed-sha1 and keyed-md5
might flap occasionally because of FPC internal clock skew. PR1113744
• JunosOSexhibits twodifferentnext-hopadvertisementbehaviors forMP_REACH_NLRI
on amulti-hop eBGP session, based on whether it is loopback peering or physical
interface peering. When the routers are peering on their loopback, only the global IP
of the interface (lo0) is advertised, whereas when the routers are peering through the
physical interface, both global and link-local address are advertised as the NHs.
PR1115097
• When the BGP speaker has multiple peers configured in a BGP group and it receives
the route from a peer and re-advertises route to another peer within the same group,
MIB object "jnxBgpM2PrefixOutPrefixes" to the peers in the same group reports the
totalnumberofadvertisedprefixes in thegroup.MIBvalue"jnxBgpM2PrefixOutPrefixes"
is defined as a per-peer basis but it looks as if it is a per-group basis. As a workaround,
youcanget thenumberofadvertisedprefixes fromtheCLI command showbgpneighbor
instead. PR1116382
• Whenmultiple addresses are configured on an interface, if the interface has
interface-type p2pconfigured under OSPF and the router does not receive any OSPF
packets from one of the IFAs, the OSPF state will not go down for the corresponding
adjacency. It should have no impact on route learning, but it might cause confusion for
troubleshooting, when peering with Cisco devices, which havemultiple addresses
configured as secondary addresses. PR1119685
• A few seconds of traffic loss is seen on some of the flows when the PE-CE interface
comesupand thePEdevice starts learning 70,000 IPv4prefixesand400 IPv6prefixes
from the CE device during Layer 3 VPN convergence. PR1130154
• In a multicast environment, when the rendezvous point (RP) is a first-hop router, and
it has Multicast Source Discovery Protocol (MSDP) peers, when the rpf interface on
the RP changes to the MSDP facing interface, because of the multicast traffic is still
on the old rpf interface, a multicast discard route is installed and traffic loss is seen.
PR1130238
• The log message "WARNING: no suitable primes in /etc/ssh/primes" is generated
when you log in to the router using SSH2. Thesemessages are generated each time
you log in to the router through SSH2 using SecureCRT. PR1146516
Copyright © 2017, Juniper Networks, Inc.98
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• The generate route does not inherit the next hop from the contributing route in Layer
3 VPNwhen the contributing route is learned throughMP-BGP. The next-hop remains
rejected for the generated route. PR1149970
• In a non-multicast virtual private network (MVPN) scenario, PIM bootstrapmessages
should not go out of interface if there is no PIM Nbr on the interface. In an MVPN
scenario, even if PIM Nbrs is down, the bootstrapmessage is still be able to send out.
However,withMVPNconfiguration,whenPIMNbrs isdown, thebootstrapexport policy
does work. This is not expected. PR1173607
• The VRF-related routes that are leaked to the global inet.0 table and advertised by
the access routers are not being advertised to global inet.0 table on the core file.
PR1200883
• In aBGPscenariowith inet-mdt family configuredunder protocols BGP, the route table
<NAME>.mdt.0 might get deleted if it has no routes. As a result, rpd might crash on
thebackupRoutingEngine, andBGPsessionsmight flapon themasterRoutingEngine.
PR1207988
• In the context of a large number of configured VPNs, routes changing in the midst of
a bgp path-selection configuration change can sometimes lead to an rpd core. This
core file has been seenwith the removal of the always-compare-med option.PR1213131
Services Applications
• In an ipsec-vpn scenario, if backup-remote-gateway under the [set services ipsec-vpn
rule term then] hierarchy is configured, when the Internet Key Exchange (IKE) security
association (SA) negotiation for the primary remote-gateway fails, the IKE tunnel
failover might not be initiated. As a result, the IKE tunnels are not establishedwith any
router. PR849758
• The kmd gets started on the backup Routing Engine and fails to connect to pic & add
manual SA to kernel, because kmd logs ERRORmessages to syslog/kmd logs. This
will not affect any IPsec functionality, and occurs only on T Series routers. PR854975
• TheSIPALGdoesnot recognize or translate the rare 'rtcp' attribute in theSDPpayload.
As a consequence nonsequential RTP and RTCP ports are not supported. The RTP
flow is unaffected,generation of an rpd core file. PR880738
• Performancedegradationof8percent is observedon themaximumpacketper second
supported of J-Flow records exported. PR949965
• Performancedegradationof8percent is observedon themaximumpacketper second
supported of J-Flow records exported. PR950101
• In the NAT environment, the jnxNatSrcPoolName object identifier (OID) is not
implemented in the jnxSrcNatStatsTable. PR1039112
99Copyright © 2017, Juniper Networks, Inc.
Known Issues
User Interface and Configuration
• Performance is considerably slower for users who have permissions controlled by
Juniper-Allow-Commands and/or Juniper-Deny-Commands expressions and have
complex regularexpressionsconfiguredunder thesesamecommands.Asaworkaround,
define the expressions in the allow-configuration and deny-configuration commands
in a restrictive manner. [PR/63248] PR63248
• On the J-Web interface, Configure > Routing> OSPF> Add> Interface Tab shows only
the following three interfaces by default: - pfh-0/0/0.16383 - lo0.0 - lo0.16385. As a
workaround, you can configure the desired interfaces to associated ospf area-range,
by performing the following operation using the CLI: - set protocols ospf area 10.1.2.5
area-range 12.25.0.0/16 - set protocols ospf area 10.1.2.5 interface fe-0/3/1 . PR814171
• OnHTTPS service, J-Web is not launching the chassis viewer page on Internet Explorer
7. PR819717
• Onthe J-Web interface, forConfigure>CLI tools>Pointandclick>System>Advanced
> Deletion of saved core, the No option is not available. clitools->point and
click->system->advanced->deletion of saved core. PR888714
• For routers with multiple Routing Engines and "commit synchronize" configured, the
CLI might get stuck after the commit command is issued simultaneously from both
Routing Engines. PR937960
• When you enter the "restart r" incomplete command in the CLI, the command "restart
routing" is executed. An error message like the following should be seen: “error: invalid
daemon: r". PR1075746
VPNs
• In a next-generation MVPN scenario with multiple source PE routers for the same
group, if an inactive source PE router has local receivers, the routing protocol process
(rpd) on the device might causemulticast traffic loss and continuous IFF-MISMATCH
error. PR1009215
• In a BGPMVPN scenario, an MSDP timeout on the PE router might occur, causing the
source to be removed even if it is local. This will cause type-5 flaps and traffic loss of
30 to 40 seconds. The issue shows up in a scaling MSDP configuration where the KA
timer periodically expireswith aCEdevice (not aPEdevice) actingas rendezvouspoint
(RP). The fix has been provided to add a check for local source (even if not local RP)
before withdrawing the type-5 route. PR1011124
• In next-generation MVPN spt-only mode with a PE router acting as the rendezvous
point (RP), if there are only local receivers, the unnecessary multicast traffic
continuously goes to this RP and is dropped though it is not in the shortest-path tree
(SPT) path from source to receiver. PR1087948
• In amultihomedsource topology innext-generationMVPN(applicable toboth inter-AS
and intra-AS scenario), there are two problems: The first problem is Multicast (S, G)
signaling does not followRPF.When the routing table (mvpninstancename.inet0) has
two routes, because of the policy configuration, the best route to the source is through
the MPLS core, but Multicast (S, G) PIM join and NG-MVPN Type 7 both point to an
Copyright © 2017, Juniper Networks, Inc.100
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
inactive route bymeans of local BGP peer. The second problem iswhen "clear pim join
instance NG" is entered, the multicast forwarding entries are wiped out. PR1099720
• Under certain conditions the l2circuit iw0 stitching is not programmed correctly. This
is due to a bug in the Junos OS code. PR1212429
RelatedDocumentation
New and Changed Features on page 26•
• Changes in Behavior and Syntax on page 61
• Known Behavior on page 78
• Resolved Issues on page 101
• Documentation Updates on page 217
• Migration, Upgrade, and Downgrade Instructions on page 242
• Product Compatibility on page 251
Resolved Issues
This section lists the issues fixed in the Junos OSmain release and themaintenance
releases.
For the most complete and latest information about known Junos OS defects, use the
Juniper Networks online Junos Problem Report Search application.
• Resolved Issues: Release 13.3R10 on page 102
• Resolved Issues: Release 13.3R9 on page 121
• Resolved Issues: Release 13.3R8 on page 132
• Resolved Issues: Release 13.3R7 on page 143
• Resolved Issues: Release 13.3R6 on page 160
• Resolved Issues: Release 13.3R5 on page 170
• Resolved Issues: Release 13.3R4 on page 183
• Resolved Issues: Release 13.3R3 on page 192
• Resolved Issues: Release 13.3R2 on page 207
101Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Resolved Issues: Release 13.3R10
Class of Service (CoS)
• In rare cases, CoS-related queue stats polling with multiple object identifier (OID)
packing or multiple SNMP client polling on the same interface simultaneously can
cause the CoS process (cosd) to generate a core file and restart. However, cosd restart
does not impact any CoS services. PR1199687
Forwarding and Sampling
• Whenthesampledprocess is running, it continuously reads the routingprotocolprocess
(rpd) update information andupdates the routes in its local storage . At the same time,
the sampled process exports the updated records to PIC after every periodic
rescheduling. If many routes are involved, affected, the sampled process might crash
because of memory corruption. PR1055686
• On FPC restart, if a timing condition occurs in which the filter for the sub-interface is
not received, FPCmight crash. This issue might be seen if the following conditions are
met: aggregated Ethernet sub-interface with firewall filters, FPC reboot (or new FPC
coming up), shared-bandwidth-policer or regular policers. PR1113915
• OnMXSeries routers, a change of policers or counters to an existing firewall filter using
physical-interface-filter or interface-specific configuration statements will not be
correctly detected by MIB2D. PR1157043
• In rare situation, if the forwarding-option is configured and the sampled process of the
device receives lotsofClassofServiceupdates (suchaschanging theCoSconfiguration
on interfaces five to seven times per hour), high CPU utilization of the sample process
(50 to 80 percent) might occur. PR1164665
• After upgrading by using unified ISSU, as mib2d initializes connections to FPC Packet
Forwarding Engines. It might start querying states from the Packet Forwarding Engine
when the connection is not ready yet. This failure causes the connection to reinitialize
again, formed a loop that can causememory and CPU cycle usage to grow. As a result,
mib2d crashes. PR1165136
• Even if packets do not match firewall filter conditions, wildcard mask firewall filter
might match any packets, for example: set firewall family inet filter TEST-filter term
TEST1 from destination-address 0.0.0.255/0.0.0.255 <<<<<< set firewall family inet
filter TEST-filter term TEST1 then count TEST1 set firewall family inet filter TEST-filter
termTEST1 thendiscard set firewall family inet filter TEST-filter termTEST2 then accept
. This is a discard filter for /24 prefix broadcast address. However itmight discard other
packets. PR1175782
• OnM7i/M10iwithCompact Forwarding EngineBoard (CFEB) installed, if you configure
"bandwidth-percent" for the firewall policer, use this policer in the firewall filter, and
then apply this firewall filter to an interface, the filter does not work. PR1202181
Copyright © 2017, Juniper Networks, Inc.102
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
General Routing
• After deleting and reconfiguring a VRF instance or changing route-distinguisher in the
VRF instance while rpf-check is enabled, the rpd process might crash. The routing
protocols are impacted and traffic disruption will be seen because of loss of routing
information. This is a timing issue.PR911547
• EVPN type 3 IM route format is different in Junos OS Release 13.3 compared to other
releases. PR922066
• The routing protocol process (rpd) on the CPU can be high because of router
advertisement (RA)-configured interfaces with family inet6 down state. PR942133
• The rpdprocessmight crashbecauseof a timing issue that occurs after Routing Engine
switchover in configurations with LDP P2MP and nonstop-routing (NSR) is enabled.
PR956258
• Trivia Network Protocol(TNP) is designed for internal communication between the
router components. InMXSeriesVirtual-Chassis(VC) scenario, sending tnpingpackets
fromthemasterRoutingEngineofVCBackupchassis(VC-Bm) fromthemasterRouting
Engine of VCMaster chassis(VC-Mm) fails because of a replication panic on next-hop
indexallocation.Asa result, VC-Mbcrashoccurswith kernel andvmcore files.PR977445
• JunosOS runs pkid for certificate validation.Whenapeer device presents a self-signed
certificate as its end-entity certificate with its issuer namematching one of the valid
CA certificates enrolled in Junos OS, the peer certificate validation is skipped and the
peer certificate is treated as valid. This might allow an attacker to generate a specially
crafted self-signed certificate and bypass certificate validation. Refer to JSA10755 for
more information. PR1096758
• WhenDHCP subscribers are terminated at specific routing instances and the interface
stack is IP demux over VLAN-subinterface over the aggregated Ethernet interface,
there might be amemory leak in the kernel AE iffamily when subscribers log in or out.
PR1097824
• If nonstop active routing (NSR) is enabled and a TCP session is terminatedwhile there
is still data in the socket pending transmission, theMBUF (kernelmemory buffer) used
to store this data might not get deallocated properly. In order to hit this issue the TCP
session must use NSR active socket replication. If the system runs low on MBUF
memory, the kernelwill automatically throttle downmemory allocation on low-priority
applications and ultimately, if there is no MBUF left, the system could become
unresponsive because of its inability to serve I/O requests. PR1098001
• With ECMP-FRRenabled, after rebooting the FPC that is hosting someECMP links, the
ECMP-FRRmight not work. PR1101051
• OnMX Series platforms, in a rare condition, if the Packet Forwarding Engine sends the
wrong Packet Forwarding Engine ID to chassisd as part of a capability message, the
kernelmight crashandsomeFPCsmightbestuck in thepresent state.Hence the traffic
forwarding will be affected. This is a corner case; it is not reproduced consistently.
PR1108532
• OnMX240/480/960 Series routers with MS-DPC, in scenarios where you are running
BGP over IPsec and the BGP session has a BFD session tied to it, the BGP session is up
103Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
but the BFD session remains in INIT state. The issue might be seen with any service
configured with multi-hop BFD enabled. Traffic forwarding will not be affected.
PR1109660
• In a rare condition, after Routing Engine switchover, the MPC PICmight offline, and
some error messages might be seen. Occasionally, chassisd on the Routing Engine
continuously generate core files, making the unit unusable because none of interfaces
come up. The root cause of this issue is that after Routing Engine switchover, chassisd
fails to get proper status of the FPCs and generates core files because of to insufficient
IDEEPROM read times. PR1110590
• OnMX Series platforms, MS-MPC crashmight occur. The exact trigger of the issue is
unknown; normally, this issue might happen over long hours (for example, within a
week) of traffic run (for example, running HTTP/HTTPS/DNS/RTSP/TFP/FTP traffic
profile). Core files might indicate that the program terminated with signal 4, Illegal
instruction. PR1124466
• With IPv6 access route configured in dynamic profile, when the router receives an IPv6
SOLICITmessage that requests only prefix delegation but no IPv6 address, the access
route will not be installed successfully. PR1126006
• When Junos OS devices use the Link Layer Discovery Protocol (LLDP), the command
showlldpneighbordisplays thecontentsofPortID type, length, andvalue (TLV) received
from the peer in the field Port Info, and it could be the neighbor's port identifier or port
description. A Junos OS CLI configuration statement can select which interface-name
or SNMP ifIndex to generate for the PortID TLV. Therefore they should not be any
problem as long as two Junos OS devices are connected for LLDP. However, youmight
have an interoperability issue if another vendor device that canmap the configured
port description in thePortID TLV is used. In this case, JunosOSdisplays the neighbor's
PortDescriptionTLV in thePort info field, and if thepeer sets theport descriptionwhose
TLV length is longer than 33 bytes (included), Junos OS is not able to accept the LLDP
packets and discards the packets as errors. The PortID TLV is given as : "the port id tlv
length = port description field length + port id subtype(1B)". PR1126680
• OnM320/T320/T640withFPC 1/2/3and their enhancedversion (-E2/-E), inmulticast
scenario and the aggregated Ethernet (AE) interface is within multicast NH (for
example, AE interface is the downstream interface for a multicast flow), egress
multicast statistics are displayed incorrectly after flapping of AEmember links.
PR1126956
• If two redundant logical tunnel (rlt) sub-interfaces are configured in the same subnet
and in the same routing-instance, a sub-interface will be down (this is expected), but
if the sub-interface is removed from the routing-instance later, after disabling and
enabling the rlt interface, a sub-interface might remain in the down state unless you
remove the configuration of the rlt interface and then do a rollback. PR1127200
• A routing protocol process (rpd) crashmight be seen during deletion of address family
on an interface while reverse path forwarding (RPF) check is configured. PR1127856
• When software encounters an error configuring the optics type into the VSC8248PHY
retimer component of an MX Series MIC/PIC (typically done on SFP+module plugin),
this could lead to 100 percentFPCCPU utilization indefinitely. The followingMPCs and
Copyright © 2017, Juniper Networks, Inc.104
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
MICs that are potentially affected: MPC3 + 10x10GE SFPPMIC MPC4 32XGEMPC4
2CGE+8XGE (10G interfaces only)MPC6+ 24x10GE (non-OTN) SFPPMICPR1130659
• Inascenariowith largernumberof subscriberswithdynamicprofiles thatuseexpression
evaluation for setting variables in a dynamic profile (an example follows), after doing
login/logout atmultiple times, theauthdprocessmight crashbecauseofmemory leak.
<sample> dynamic-profiles { xxx { variables { ratelimit_igmp equals
"$igmp-max-rate##'k'"; burst-size_igmp equals "round($igmp-max-rate *
$burst-factor)"; term-dyn_vod4u equals "ifNotZero($dynamic-prefix_vod-1,
'vod:dynamic-prefix-list:'##$fc_vod_up##'_'##$plp_vod_up)"; term-dyn_vod4dequals
"ifNotZero($dynamic-prefix_vod-1,
'vod:dynamic-prefix-list:'##$fc_vod_out##'_'##$plp_vod_out)"; term-acl_icc4uequals
"ifNotZero($local-acl_icc, 'icc:'##$local-acl_icc##':'##$fc_icc_up##'_'##$plp_icc_up)";
term-acl_icc4d equals "ifNotZero($local-acl_icc,
'icc:'##$local-acl_icc##':'##$fc_icc_out##'_'##$plp_icc_out)"; term-mc_v4d equals
"'mcast:'##$fc_mc_out##'_'##$plp_mc_out"; } } PR1103548
• Insufficient time to allow an MPC5/MPC6 card to lock on the clocking source during
FPC boot timemight cause the Major Alarm raised due to "PLL Error." PR1137577
• In the multicast network topology, whenmaking normal changes, such that paths are
added or deleted, the rpd leaks 8 bytes of memory per operation. The system logs
RLIMIT_DATAmessages similar to the following when thememory usage reaches 85
percent:: kernel:Process (2634,rpd) has exceeded85%ofRLIMIT_DATA: used3084524
KBMax 3145728 KB. PR1144197
• With a 100G CFP2 MIC installed in a MPC6E FPC, if the FPC fails to initialize the MIC,
it is very likely that the FPC will get into a boot loop. PR1148325
• When using type 5 FPCon the T4000platform, traffic going out of the interfacewhere
"source-class-usage output" is configured will be dropped if the Source Class Usage
(SCU) or Destination Class Usage (DCU) policy configuration is missing. This issue is
caused by incomplete configuration.PR1151503
• In sampling feature, certain scenarios force handling of the sampled packet at the
interrupt context, which might corrupt the BMEB packet context and lead to BMEB
FDB corruption. PR1156464
• OnMXSeriesplatformswithMPC2-NG/MPC3-NG/MPC3/MPC4/MPC5/MPC6installed,
in rare cases, TSTATE Parity error might occur. It can cause FPC to get stuck, but it will
not trigger the error-reporting infra (CMERROR). PR1156491
• On Junos OS Release 13.2R1 and later, Packet Forwarding Engine interfaces on MX
SerieswithMPCs/MICs based line cardsmight remain downafter performing "request
system reboot both-routing-engines" or "restart chassisd" several times. PR1157987
• On Junos OS devices with a GRE or IP-IP tunnel configured (that is, devices with a gr-
or ip- interface), a specifically crafted ICMP packet can cause a kernel panic resulting
in a denial of service condition. Knowledge of network specific information is required
to craft such an ICMP packet. Receipt of such a packet on any interface on the device
can cause a crash. PR1159454
• Software OS thread on the line card is doing a busy loop by reading the clock directly
from hardware. Sometimes it seems the thread is getting the wrong values from the
105Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
HW register and waiting forever in the busy loop. After the busy loop crosses a certain
time period, the line card crashes and reboots. This is a rare condition. PR1160452
• OnMX Series routers with enhanced queuing DPCs, there is a memory leak whenever
doingSNMPwalk toanyofCoS-relatedobject identifiers (OIDs)or issuing thecommand
show interfaces interface-set queue <interface-set-name>. PR1160642
• The Router Lifetime field is set to 0 in the first routing advertisement (RA) sent from
LNS back to the Point-to-Point Protocol over Ethernet (PPPoE) subscriber. PR1160821
• Reliability featureon theHighSpeedLink (HSL2)betweenXLandXMforMPC6Ecards
is not active. Once packets are dropped because of CRC error,XMCHIP DRD parcel
timeouts are triggered and packet forwarding is compromised. MPC reboot is needed
to recover from this condition. Only MPC6E card is exposed to this issue. PR1161194
• OnMX Series router with services PIC (MS-DPC/MS-MPC/MS-MIC), the ICMP time
exceedederror packet is not generatedonan IPsec router on thedecap side.PR1163472
• When theMS-MIC orMS-MPC installed in anMXSeries router is processing traffic, and
the IPsec policy configuration is changed bymeans of adding or updating a policy,
mspmand process crashmight occur. PR1166642
• Class of Service process (cosd), routing protocol process (rpd), and device control
process (dcd) might generate core files in subscriber management deployment using
dynamic profiles and radius authentication. PR1168327
• The sample process continues logging events in the traceoption file after traceoption
isdeactivated. This issuecanoccur if there is noconfigurationunder forwarding-options
sampling but another configuration for the sample process is present (for example,
port-mirroring). PR1168666
• An ungraceful removal of an FPC can trigger fabric healing to begin. PR1169404
• Adding keyword fast-filter-lookup to existing filters of an input or output filter list may
result in failure to pass traffic. PR1170286
• If the no-cell-share configuration statement under the chassis stanza is activated on
MPC3, MPC4, MPC5, or MPC6 cards, the Packet Forwarding Engine will only be able
to forward about 62Gbps versus ~130Gbps causing fabric queue drops. PR1170805
• When using Periodic Packet Management process (PPMD, responsible for periodic
transmissionof packets onbehalf of its various clients) relatedprotocols (for example,
LFM, CFM, LACP, and BFD), during fabric or SIB online process, the client session that
establishes adjacencies with PPMD to receive/send periodic packets on those
adjacencies, (for example, LFM, CFM, and LACP) of PPMDmight flap because of CPU
over-utilization. PR1174043
• In a Virtual Tunnel (VT) tunnel environment with forwarding-class, if you use an
aggregated Ethernet (AE) interface to terminate subscribers on the box and the AE
interface has members on two different FPCs, the mirrored traffic does not go to the
correct forwarding class as expected. The issue is also seen when the terminate
SubscribersandVThosted interfaceareon twodifferentFPCs(non-AEcase).PR1174257
Copyright © 2017, Juniper Networks, Inc.106
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• In amulticast scenario where there is PIM configured, if there are PIM assertmessages
sent or received or there is MVPN configured and NSR enabled, memory leak might
happen in rpd. PR1177125
• This is a display issue and does not affect functionality of the power, fixing has been
added to commands show chassis power and show chassis environment pem, when
one of the DC PEM circuit breakers are tripped. PR1177536
• On a dual Routing Engine system, if the master Routing Engine is running Junos OS
13.3R9/14.1R7/14.2R5/15.1R3/16.1R1 or later and the backup Routing Engine is running
Junos OS prior to 13.3R9/14.1R7/14.2R5/15.1R3/16.1R1, a major alarm is raised. This is
cosmetic and can be safely ignored. PR1177571
• OndualRoutingEngineplatforms, if interfacechangesoccuron theaggregateEthernet
(AE) interface that result in marking ARP routes as down on the AE (for example,
bringing down one of the member links), because of an interface state pending
operation issueonbackupRoutingEngine, in racecondition, thebackupRoutingEngine
might crash and reboot with an error message (panic:rnh_index_alloc: nhindex XXX
could not be allocated err=X). PR1179732
• In case of point-to-point interfaces and unnumbered interfaces, rpd crashmight be
seen in corner cases on configuration changes. PR1181332
• In an IPv6 environment, when you add a link local neigbor entry on the subscriber
interface thenaddanew lo0address, if youdelete thisneighborentryand thesubscriber
interface, thenext-hop info is not cleanedproperly. Asa result, rpdprocessmight crash.
The routing protocols are impacted and traffic disruption will be seen due to loss of
routing information. PR1185482
• In IPv6 environment with graceful Routing Engine switchover (GRES) enabled, when
a new prefix (global address) is added on the donor interface (in this case, loopback
interface), andGRES is performed, the ksyncdprocessmight crash because of a kernel
replication error. PR1186317
• OnMXSeries routers, a vulnerability in IPv6processing has beendiscovered thatmight
allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the
router rather than discarded. The crafted packet, destined to the router, will then be
processed by the Routing Engine. A malicious network-based packet flood, sourced
from beyond the local broadcast domain, can cause the Routing Engine CPU to spike,
or cause theDDoSprotectionARPprotocol grouppolicer toengage.When thishappens,
the DDoS policermay start dropping legitimate IPv6 neighbors as legitimate ND times
out. PR1188939
• OnMX Series with MPC3/MPC4/MPC5/MPC6, the VSC8248 firmware on the MPC
crashes occasionally. PR1192914
• OnMS-MPC and MS-MIC, the mspmand process generates a core file when an
encrypted packet is received out of the range of replay-window size. The issue might
occur in peak loadswhenencryptedpackets are receivedout of order becauseof drops
in the network. PR1200739
• Dynamic firewall filter programs incorrect match prefix on the Packet Forwarding
Engine. PR1204291
107Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• False positive message "Host 1 failed tomount /var off HDD, emergency /var created"
is observed after both Routing Engines are upgraded. PR1207864
• Inline J-Flow - Sequence number in flow data template is always set to zero onMPC5E
and above line card type. PR1211520
• On T4000 routers, FPC Type 5 - 3D cards might experience an over-temperature
condition. This issue can occur because (1) chassisd process declares the
over-temperature condition and by default the router will shut down in 240 seconds
or (2) over-temperature SNMP trap (jnxOverTemp) is not sent to external
NMS.PR1213591
• If a zero-length interface name comes in the SDB database, on detection of a
zero-length memory allocation in the SDB database, a forced rpd crash is seen.
PR1215438
High Availability (HA) and Resiliency
• When you configure "nonstop-routing" under one group and apply this group to the
[routing-options] hierarchy, sometimes nonstop active routing (NSR) does not work.
PR1168818
Infrastructure
• After configuration of em interface changed (such as configuring family inet or ip
address, but MTU is not changed) and system rebooting, the em interfacemay flap or
go down. It could cause Routing Engine and FEB connection failure. Under normal
circumstances, em interfaceshouldnot re-initializewhenMTU isnotchanged.PR983616
• The Remote NFS Server process (nfsd) is not terminated on the new backup Routing
Engine (RE) after Routing Engine switchover. As a result, it spawns a new one upon
Routing Engine switchover until running out of memory. PR1129631
• In scaling setup (in this case, there are 1000 VLANs, 1000 Bridge Domains, 120 IRB
interfaces, 120 VRRP instances, BGP and IGP), if the routing protocols are deactivated
and activated, there might be a chance that the pending route stats are not cleaned
up,whichwill cause the stats infra tohave stalepointers and lead tomemory corruption
in socket layers. The systemmight go to dbprompt because of this. All the traffic going
through the router will be dropped. PR1146720
• OnM/T/PTX platforms, the SNMP requests might return timeout if SNMP pollings on
IF-MIB and COS-MIB for the same ifl/ifd are requested at the same time. This is a
generic async stats infra issue in the kernel. On MX Series platform, the same issue
might not be seenbecauseSNMPpollings for ifl stats go throughpfed insteadof kernel
on MX Series platform. PR1149389
• With Junos OS Release 13.3 using Ericsson/Juniper EPG platforms, some session PIC
C-PICcardsmight experience some racecondition resulting in kernel vmcores, followed
by reboot (failover to spare C-PICs) caused by soft-update BSD enabled in some
partitions of the Routing-Engine. The Softdeps on freebsd is not used any longer in
freebsd6 where the fix includes disabling it on all Junos OS partitions. PR1174607
Copyright © 2017, Juniper Networks, Inc.108
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Interfaces and Chassis
• Whenconfiguring theVirtual Router RedundancyProtocol (VRRP)onan interface that
is included in a routing-instance by applying groups setting, if changes aremade to the
interface, VRRP process (vrrpd) memory leak might be observed on the device.
PR1049007
• Due tomovement of SNMP stats model from synchronous requests to asynchronous
requests in Junos OS Release 13.3R1, the IQ2/IQ2E PIC, which has limitedmemory and
CPU power, cannot handle scaling SNMP polling at high rate (for example, a burst of
4800SNMPrequests). This issuecomeswithhigh rateSNMPstatspolling for IQ2/IQ2E
interfacesorAggregatedEthernet (AE) interfacewith IQ2/IQ2Easmember links. These
memory failures can cause IQ2/IQ2EPIC reboot because keepalivemessageswill also
not get memory. PR1136702
• When you poll SNMPMIBs for IPv6 traffic, for example, jnxIpv6IfInOctets, the logical
interface (IFL)on IQ2or IQ2EPICmightoccasionally report double statistics.PR1138493
• Starting from Junos OS Release 12.3R4, on dual-Routing Engine equipped M Series
routers, because of the mismatch of online status of the missing FRU (for example,
FPC or FEB that is not inserted, but is reported as online on backup Control Board),
error messages about the missing FRUmight be seen intermittently on the device.
PR1148869
• In affected releases, the followingcosmetic alarmsare seenafter reseating theclocking
cables: 2015-11-13 05:22:56 UTCMajor CB 0 External-A LOS 2015-11-13 05:22:56 UTC
Major CB 0 External-B LOS PR1152035
• jpppd core at SessionDatabase::getAttribute() from
Ppp::LinkInterfaceMsOper::getLowerInterfaceType(). PR1165543
• On
MIC_40XGE_RJ45/MIC_TAZ_48XGE_RJ45/MIC_20XGE_SFP_EMIC/MIC_20XGE_SFP_EHMIC,
MPCmight crash when the PHY link, which has autonegotiation capable, is up.
PR1166982
• On T1600 and T4000 Series routers, when hold-time for 100G interface is set or even
without hold-time configured, in the event of 100G interface shutdown, BFD flapping
and transit traffic loss might occur. PR1168536
• If an interface configured with VRRP is removed from a routing-instance to global, or
fromglobal to a routing-instance, the logical interfaces of that interfacewill be deleted
and re-created. In ideal cases as the interface gets deleted, VRRP should move to
bringup state; when the interface is created again, VRRP goes to previous state. After
this, VRRP should get VIP addition notification from the kernel and update VRRP state
and group ID for VIP. However, in race conditions, VRRPmight get VIP addition
notification from the kernel even before the interface creation event happens. If so,
VRRPwill never be able to update proper VRRP state and group ID. So the VIP will
reply for theARPwithan incorrectMACendingwith "00",while thecorrectMACshould
end with the group ID configured. PR1169808
• In an MX Series-Bras environment, when you try to remove a demux0 interface, the
dcd process might crash and a core file will be generated. PR1175254
109Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• In the hsl2 toolkit, there is a process that periodically checks the ASICs that
communicate through it. Due to a bug in the toolkit code, the process used invalidates
the very ASIC that it used to process. As a result, a crash occurs. PR1180010
• Commit check might exit without providing correct error message and causing dcd
exit. The only known scenario to trigger this issue is to configure a IPv6 host address
with any other address on the same family. PR1180426
• When there is a configuration change about OAMCFM, cfmdmemory leak is observed
and sometimes also might trigger cfmd crash information. Following messages are
observed: /kernel: Process (44128,cfmd) has exceeded 85%of RLIMIT_DATA: used
378212 KBMax 393216 KB.PR1186694
• The jpppdmight crash and generate a core file because of a memory heap violation
associated with processing MLPPP request. PR1187558
• When VRRP is configured on IRB interface with scaling configuration (300,000 lines),
handles might not be released appropriately after use. As a result, memory leak on
vrrpdmight be seen after configuration commit. PR1208038
• In a PPP subscriber scenario, if the jpppd process receives a reply message attribute
from the RADIUS or tacplus server with a character of%, it might cause the jpppd
process to crash and cause the PPP user to be offline PR1216169
J-Web
• An information leak vulnerability in J-Webmight allow unauthenticated remote users
with network access to the J-Web service to gain administrative privileges or perform
certain administrative actions on the device. PR1114274
Layer 2 Features
• Input/Outputpps/bpsstatisticsmightnotbezeroafteramember linkof theaggregated
Ethernet (AE) interface with distributed ppmdwas down in M320/T
Series(GIMLET/STOLI based FPC). PR1132562
• In a VPLS scenario, when "$junos-underlying-interface-unit" is configured in the
[dynamic-profiles] hierarchy and then implemented in a routing-instance,
upgrade/commitwill fail with the following errormessage: Parseof thedynamicprofile
<dynamic-profile-name>) for the interface: $junos-interface-ifd-name and unit:
$junos-underlying-interface-unit failed. PR1147990
• From Junos OS Release 13.2R1 and later, the rpd process might crash when
adding/deleting virtual private LAN service (VPLS) neighbors in a single commit. For
example, a primary neighbor is changed to become the backup neighbor. PR1151497
• The "Node ID" information is not shown on MX Series platformwhen traceoption flag
"pdu" is configured to trace Ethernet ring protection switching (ERPS) PDU reception
and transmission. PR1157219
• During l2cpd restart, STP isnot receiving restart status.Hence l2cpd is taking thewrong
flowduringSTP initializationanewSTP index is allocated for instance "0", and instance
"0" is always set to "DISCARDING" status. This might lead to traffic loss. PR1176312
Copyright © 2017, Juniper Networks, Inc.110
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
MPLS
• If a RSVP LSP has both a primary and a standby path and link-protection enabled, a
/32 bypass route is unhidden when the primary link goes down. This /32 route is
supposed to bemade hidden again when the primary link comes back up. But in some
cases, this /32 bypass route remains unhidden forever, which causes some issues (for
example, the BFD session down because a better prefix received from bypass LSP).
PR1115895
• When a point of local repair (PLR) is a non-Juniper router, Juniper ingress nodemight
stayon thebypass tunnel and ignore theConstrainedShortestPathFirst (CSPF) result.
PR1138252
• When a link fails on an RSVP LSP that has link-protection or node-link-protection
configured, the point of local repair (PLR) will initiate a bypass LSP and the RSVP LSP
will be tunneled on this bypass LSP. However, if now the bypass LSP is brought down
because there is a link failure on it, the PLRmight only send out a session_preemted
PathErr message to the upstream node without sending a ResvTear message. Hence
the ingress node does not receive a ResvTear message and the RSVP LSP is not
immediately torn down. The RSVP LSP will remain UP for more than 2minutes until
the RSB (Resv sate block) on the ingress's downstream node gets timed out and it
sends a ResvTear message to the ingress. PR1140177
• During FRR, Juniper MP does not send the label sub-object in the record route object
(RRO) for the backup LSPs. This issue is related to interoperability between
multivendors. PR1145627
• In an LDPP2MPscenariowithNSR, after performingmultiple iterations of FPC reloads,
protocol bounce, interface bounce, and GRES, rpd restarts in at random. In a rare
condition, the rpdprocessmight crash, inwhichcase the routingprotocolsare impacted
and traffic disruption will be seen due to loss of routing information. PR1148404
• When an L2VPN composite next-hop configuration statement is enabled along with
L2VPN control-word, end-to-end communication fails. This issue occurs control-word
is not inserted by the ingress provider edge (PE) device, but the other egress device
expects the control-word. PR1164584
• In an LDP-signaled VPLS environment, another vendor sends an AddressWithdraw
Message with FEC TLV but without MAC list TLV. The LDP expected that the Address
WithdrawMessagewith FEC TLV should always haveMAC list TLV. As such, it rejected
themessage and closed the LDP session. The following message can be seen when
this issue occurs: user@router> show logmessages |match TLV
RPD_LDP_SESSIONDOWN: LDP session xxx.xxx.xxx.xxx is down, reason: received bad
TLV. PR1168849
• In anMVPNscenario, if theactiveprimarypathgoesdown, then thepoint of local repair
(PLR) needs to send Label Withdraw for the old path and new Label Mapping for the
new path to the new upstream neighbor. In this case, the LDP P2MP pathmight stay
in "Inactive" state for an indefinite time if an LSR receives a Label Release, immediately
followed by a Label Mapping for the same P2MP LSP from the downstream neighbor.
PR1170847
111Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Network Management andMonitoring
• In rare cases, when themib2d process attempts connection with the snmpd process
and there are pending requests waiting to be finished, the mib2d process might crash
and theCPUutilization is high around the same timeas the crash happens.PR1076643
• The SNMP notify-filter object identifier (OID) does not treat wildcards properly. The
PR fixes theoutputofCLI commandwhensnmpnotify-filter is configuredwithwildcard
characters. Example Configuration: <sample> set snmp v3 notify-filter nf1 oid .1.*.6
include set snmp v3 notify-filter nf1 oid 1.2.3.4.5 mask 1.0.0.1.1 set snmp v3 notify-filter
nf1 oid 1.2.3.4.5 include OLD OUTPUT: root@R2_re0> show snmp v3 Local engine ID:
80 00 0a 4c 01 80 dd 8f 78 Engine boots: 33 Engine time: 9 seconds Maxmsg size:
65507 bytes Engine ID: local User Auth/Priv Storage Status abhinav none/none
nonvolatile active Group name Security Security Storage Status model name type
myGroup usmabhinav nonvolatile active Access control: GroupContext Security Read
Write Notify prefix model/level view view viewmyGroup usm/none iso iso iso SNMP
Target: AddressAddressPortParametersStorageStatusnamename type trapReceive
172.29.237.94 162 trapReceive nonvolatile active Parameters Security Security Notify
Storage Status name namemodel/level filter type trapReceiversP abhinav usm/none
nf1 nonvolatile active SNMP Notify: Notify Tag Type Storage Status name type n1
trapReceivers trap nonvolatile active Filter Subtree Filter Storage Status name type
type nf1 1.2.3.4.5 include nonvolatile active <<<<< Issue nf1 1.42.6 include nonvolatile
active <<<< Issue NEWOUTPUT: root@R2_re0> show snmp v3 Local engine ID: 80
00 0a 4c 01 80 dd 8f 78 Engine boots: 32 Engine time: 2850 seconds Maxmsg size:
65507 bytes Engine ID: local User Auth/Priv Storage Status abhinav none/none
nonvolatile active Group name Security Security Storage Status model name type
myGroup usmabhinav nonvolatile active Access control: GroupContext Security Read
Write Notify prefix model/level view view viewmyGroup usm/none iso iso iso SNMP
Target: AddressAddressPortParametersStorageStatusnamename type trapReceive
172.29.237.94 162 trapReceive nonvolatile active Parameters Security Security Notify
Storage Status name namemodel/level filter type trapReceiversP abhinav usm/none
nf1 nonvolatile active SNMP Notify: Notify Tag Type Storage Status name type n1
trapReceivers trap nonvolatile active Filter Subtree Filter Storage Status name type
type nf1 1.*.*.4.5 include nonvolatile active <<< Fixed nf1 1.*.6 include nonvolatile active
<<< Fixed PR1185143
Platform and Infrastructure
• Error messages result from failed reads intended to locate failing memory locations
and repair. This thread only checks locations that have been initialized by the control
plane. It is not uncommon for this thread to encounter an error. This issue is also seen
due to a race condition that generates a syslog message with no impact. PR727569
• FPC generates a core file and reboots when show filter is executed in the Packet
ForwardingEngine inMSeries routers. The issue is not seenwith theForwardingEngine
Board (FEB). PR1032098
• OnMX Series with MPCs/MICs based line card with Junos OS Release 12.3R3 and
earlier, the system does not push the configured Tag Protocol ID (TPID) value (for
instance, 0x88a8) to the packets while sending out the packets. Instead it pushes
Copyright © 2017, Juniper Networks, Inc.112
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
default TPID 0x8100. Thismight lead to traffic drop on the peer device if it is expecting
a particular TPID (for instance, 0x88a8) but it receives a different one. PR1059225
• Multiple privilege escalation vulnerabilities occur in Junos OS CLI (CVE-2016-4922).
Refer to https://kb.juniper.net/JSA10763 for more information. PR1061973
• In a hierarchical class of service (HCoS) environment,when the subscriber logout from
the reserved logical interface (ifl) includes the ".32767" unit (for example,
xe-x/x/x.32767), the CoS installation of the interface might get deleted on the Packet
Forwarding Engine. PR1077098
• Dynamic VLAN does not work correctly when it is terminated on the ps interface and
the IP demux inteface is terminated in a routing instance table. Because that IP Demux
lookup is not performed by the Packet Forwarding Engine, no arp-reply is sent to
subscribers and traffic loss occurs. PR1101042
• When you configure one groupwith a configuration of routing-instances and apply this
group under the routing-instances, the rpd process crashes after executing the
deactivating/activating routing-instances command. PR1109924
• With "fast-synchronize" configured, when you add a new configuration-group that has
configuration relevant to the rpd process and apply it and commit, then any
configuration commits might cause the rpd process on the backup Routing Engine to
crash. PR1122057
• On the MX Series platform, when offlining the line card (possibly with any of the line
cards listed here), "Major alarm"might be seen due toHSL (link between line card and
Packet Forwarding Engine) faults. This fault is non-fatal and does not cause service
impact. The line cards that might encounter the issue are: MS-MPC/MS-MIC
MIC-3D-8DS3-E3 MIC-3D-8CHDS3-E3-B MIC-3D-4OC3OC12-1OC48
MIC-3D-8OC3OC12-4OC48MIC-3D-4CHOC3-2CHOC12 MIC-3D-8CHOC3-4CHOC12
MIC-3D-1OC192-XFPMIC-3D-1CHOC48. PR1128592
• In MX Series , whenever the LU encounters an exception event while performing a
packet lookup, a text-based file is generated to record all the relevant information.
The trap file contains the data frame (including L2 header) in question. TTRACE is a
utility that enables you to stop an LU thread and to then trace its execution. For each
instruction that is executed, the internal state of the LU thread is retrieved. This tool
enables you to observe the execution of the forwarding lookup in detail. Auto-trace
feature is enabled by default on FPCs with an MX Series Packet Forwarding Engine.
Packet Processing Engine traps cause auto-trace to capture detailed information of
packets for future debugging. In some cases, that can keep the LU thread busy too
long and eventually might lead to awedge of the LU/XM or XL/XMPacket Forwarding
Engine complex and a restart of the respective FPC. This can happen if the
forwarding-lookup involves multicast replication with a large number of copies or
multicast replication with additional features like fragmentation or output firewall
filters. PR1139406
• In the MX Series with MPCs/MICs base linecard environment with inline sampling
service, after FPC reboot, in a rare condition, the traffic forwarding might get affected
because the PFEMAN SRRD thread continuously consumes high CPU in this case.
PR1141814
113Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• When the CLI command show pfe statistics exceptions | match reject is executed,
CPROD thread in thePacket Forwarding Enginemight place excessive loadon theCPU
and result in FPC crash. PR1142823
• Receipt of a specifically crafted UDP packet destined to an interface IP address of a
Junos OS device with a 64-bit architecture might result in a kernel crash. This issue
only affects systems with a 64-bit architecture; 32-bit systems are unaffected by this
vulnerability. PR1142939
• When ARP is trying to receive a next-hopmessage whose size (for example, 73,900
bytes) is bigger than its entire socket receive buffer (65,536 bytes), the kernel might
crash, and the traffic forwarding might be affected. PR1145920
• On an MX Series platformwith MX Series based line card, inline 6rd with si interface
is deployed, if downlink traffic is over equal-cost multipath (ECMP) or aggregated
Ethernet (AE), some traffic might be dropped. PR1149280
• OnMX2000 Series, MPC4 going offline is seen when the Switch Fabric Board (SFB)
is offlined or removed. This could be caused by the buildup of CDR in application
detectionandcontrol (ADC),which leads to transientpacket lossor evengetting stuck.
PR1149677
• When theNTP server address is configured in the routing instance table and reachable
from inet.0 by static configuration (for example, by configuring
static/route/next-table/VRF.inet.0), and NTP source-address is configured, the ntpd
(the Network Time Protocol daemon running on NTP client) might pick the wrong
source-address instead of the configured source-address. As a result, the NTP server
cannot send the NTP packet back. PR1150005
• OnMX Series with MPCs/MICs platform, the FPC/MPCmight cause a black hole of
traffic for transient hardware error condition (LEM data error) in a private zone. The
following example shows error information on the private zone of FPC/MPC:
ppe_lmem_recover(2274) XL[0:0]_PPE 1 Excessive LMEMData errors require Zone 5
disable. Zone 5 is seen (which is nonzero). The Zones < 24 are by definition private
zones. PR1152026
• Duringaunified ISSUupgrade in theMXVCenvironment, linecardsmightcrash, causing
service impact. When the linecards come up, theremight be a next-hop programming
issue as a secondary impact and some logical interfaces might not pass
traffic.PR1152048
• OnMPCEType33D,MPC4E3D32XGE, orMPC4E3D2CGE+8XGE,when "inline-jflow"
with IPFIX is used, the IPFIX datagramswould contain overlapping sequence numbers
for the same Observation domain ID, where the Observation Domain field in exported
IPFIX datagrams are always using the value attributed for LU0. PR1152854
• The logs CHASSISD_READBACK_ERROR are reported on the backup Routing Engine
for the non-empty FPCs. PR1155823
• OnMX2000 series platform, when MPC goes down ungracefully, other MPCs in the
chassiswill experience "destination timeout". In this situation, automatic fabric-healing
will get triggered due to a "destination timeout" condition, which might cause
Fabric-Plane reset. All other MPCs to be restarted in some cases. PR1156069
Copyright © 2017, Juniper Networks, Inc.114
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• OnMX Series platform, when MPC experiences a FATAL error, it is reported to the
chassisd daemon. Based on the action that is defined for a FATAL error, the chassisd
will take subsequent action for the FATAL error. By default, the action for FATAL error
is to reset the MPC.When the MPC reports a FATAL error, chassisd will send an offline
message and will power off the MPC upon the ACK reception. However, if MPC is in
busy state for any reason, the ACK does not come in time and hence there would be
a delay in bringing down the MPC. PR1159742
• LU (or XL) and XM chip based linecard might go to wedge condition after receiving
corrupted packets, and this might cause linecard rebooting. PR1160079
• Because of a software bug on chassisd, backup Control Board (CB) temperature
information ismissingon theCLI command showchassisenvironmentcb if it is replaced
once. PR1163537
• The following logcanbeseenonMX2020after oneFPCwaspulledoutandcommitting
the configuration related interface: CHASSISD_UNSUPPORTED_FPC: FPCwith I2C ID
of 0x0 is not supported.PR1164512
• Modifying theconfigurationof ahierarchical policerwhen it is in usebymore than4000
subscribers on an FPC can cause the FPC to core and restart. PR1166123
• Because the sequence number in RPM ICMP-PING probes is introduced as 32-bit
variable instead of 16-bit, if it increases and reaches the maximum value of 65,535, it
doesnot roll over,whichmight causeall RPM ICMP-PINGprobes to fail andnot succeed
anymore. PR1168874
• Running a Packet Forwarding Engine command such as show sample-rr eg-table ipv4
entry ifl-index 1224 gateway 113.197.15.66 causes the MPC crash. PR1169370
• On all Junos OS platforms, when using the RADIUS server, after the RADIUS request
is successfully sent by the Junos OS device, if the network goes down suddenly, the
response sent by the RADIUS server is not received within the timeout period. In this
scenario, theRADIUS requestwill be sent againwithan invalid socketdescriptor,which
will lead toauditd (providesan intermediary for sendingaudit records toRADIUSand/or
TACACS+ servers) crash. PR1173018
• Because of an internal timer referring Time in Unix epoch (UNIX epoch January 1, 1970
00:00:00UTC) value gettingwrappedaround for every 49days, flowsmight get stuck
for more than the period of the active/inactive timeout period. The number of flows
that get stuck and how long they get stuck cannot be determined exactly; it depends
on the number of flows at the time. PR1173710
• The show arp commandmight not display complete results and reportserror: could
not find interface entry for given index. because some interfaces get deleted when the
show command running.PR1174150
• OnMX2020/2010, chassisd file rotation on commit check causes the trace file to get
stuck, and no other operational chassisd events are logged until chassisd restarts.
PR1177625
• If IGMP snooping is configured in a VPLS routing instance and the VPLS instance has
no active physical interfaces, multicast traffic arriving from the core might be send to
115Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
the Routing Engine. As a result, host queues might get congested and it might cause
protocol instability. PR1183382
• Rarely a VMCORE can occur caused by the process limit being breached by toomany
RSHD children processes being created. PR1193792
• After system startup or after PSM reset the PSM INP1 circuit Failure error message
might be seen. PR1203005
Routing Policy and Firewall Filters
• When amalformed prefix is used to test policy (command test policy <policy-name>
<prefix>), and themalformed prefix has a dot symbol in the mask filed (for example,
x.x.x.x/.24), the rpd process might crash. PR1144161
• Starting with Junos OS Release 13.2R1, an attempt to commit a configuration with a
dangling conditional policy referring a nonexistent/inactive routing-instance will be
permitted. If you have a conditional policy referring to an active routing-instance,
deleting/deactivating this routing-instance and then committing will cause the rpd
process crash. PR1144766
Routing Protocols
• In some corner case scenarios, the execution of the show route commandmight lead
to illegal memory access within the rpd process, causing the rpd process to crash. The
routing protocols are impacted and traffic disruption will be seen because of loss of
routing information. PR911056
• In the multicast environment with bidirectional PIM and graceful-restart, during
multicast traffic for the bidirectional rendezvous point (RP), if the rpd process is
restarted,PIMmight install thediscarded routeand traffic forwardingmightbeaffected.
PR1019560
• In a rare condition, the routing protocol daemon (rpd) might crash and create a core
file if there is internal BGP (IBGP) route churn while IBGPmultipath is configured and
there are multiple levels of IBGP next-hop recursion. PR1060133
• When route convergence occurred, the new gateway address is not updated correctly
in inline-JFlow route-record table (route-record table is used by sampling), and the
sampling traffic forwardingmightbeaffected,butnormal routingwouldbenotaffected.
PR1097408
• This issue is a regression defect introduced in JunosOSRelease 11.4R11, 12.1R10, 12.2R8,
12.3R6, 13.2R4, 13.3R2, 14.1R1. After upgrading to those releases containing the original
fix,when there is noexport policy configured for the forwarding table to select a specific
LSP, whenever routes are resolved over RSVP (for example, due to aggressive
auto-bandwidth), the resolverwill spendaconsiderableamountof timeon the resolver
tree, which contributes to the baseline increase in rpd/Routing Engine CPU. PR1110854
• IGMPv2 working in v2/v1 compatibility mode does not ignore v2 Leavemessages
received on a bridge-domain's L2 member interface. Moreover, an IGMP snooping
membership entry for the respective group at this L2 member interface will be timed
out immediately upon IGMPv2 Leave reception, evenwhen there are someother active
Copyright © 2017, Juniper Networks, Inc.116
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
IGMP hosts attached to this L2member interface. It might breakmulticast forwarding
for this L2 member interface. PR1112354
• When two (or more) route target communities of MP-BGP route match to two (or
more) route target communities in the VRF import policy of a RI, duplicate routing
entries might be installed in the RI. In the output of show route table <RI-name>.inet.0
detail, two identical routing entries appear, with one beingmarked as 'Inactive reason:
Not Best in its group - No difference'. When such duplicate routing information is to be
deleted the rpd process will crash. PR1113319
• During many types of configuration changes, especially including import policy, BGP
has the need to reevaluate the routes it has learned from peers impacted by the
configuration change. This reevaluation involves rerunning the import policy to see if
there are any changes to the learned routes after applying the new policy. This work
is done in the background as part of an "Import Evaluation" job. When BGP is
reconfigured a second time, and the "Import Evaluation job" has not completed, it is
necessary to rerun the job from the beginning if there is another change to the policy
or a similar impact. This state is noted as "Import Evaluation Pending". However, in
this case, there was a bug that caused BGP to always enter the pending state upon
reconfiguration, regardlessofwhether relevantchangesweremade to importoranother
similarly impactful configuration. The result is that once it is necessary to start
reevaluation of the routes for a peer, even trivial configuration changes that happen
too quickly will cause the "Import Evaluation job" to need to run again as a result of
the "Pending" flag being set. PR1120190
• On Junos OS-based products, changes in routing-instance, like changing
route-distinguisher or routing-option changes, might lead to rpd crash. PR1134511
• OndualRoutingEngineplatformwithBidirectionalForwardingDetection(BFD)protocol
enabled, after graceful Routing Engine switchover (GRES), the periodic packet
management process (ppmd)might crash on the backup Routing Engine because of
a software defect. PR1138582
• When Protocol Independent Multicast (PIM) is used, in a very rare condition, if the last
hop router migrates from rendezvous point (RP), repeated routing protocol process
(rpd) crashmight occur due to patricia tree walk issue. PR1140230
• In MVPN scenario, deleting the MVPN configuration from the routing instance (for
example, delete routing-instances <instance-name> protocolsmvpn) might cause the
routing daemon on themaster Routing Engine to crash. The core files can be seen by
executing the CLI command show system core-dumps. PR1141265
• In the BGP labeled unicast environment, the secondary route is configured with both
add-path and advertise-external. If the best route and secondary route are changed
in a routing table at the same time, add-path might fail to readvertise the changed
route. The old route with the old label is still the last route advertised to one router,
instead of updating the advertisementwith the new route and new label. So the traffic
forwarding might be affected. PR1147126
• This core is seen because of incorrect accounting of refcount associated with the
memoryblock thatcomposes thenhid(IRBnh).Whenthe refcountprematurely reaches
0, thememory block was releasedwhile it was still referenced from a route. Youmight
see this issue whenmcsnoopd becomes a slow consumer of rtsock events generated
117Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
by rpd (next-hop events in the current case) andmessages get delivered in a
out-of-order sequence, causing the refcount to be incorrectly decremented. In the
testbed where the issue was reported, tracing was enabled for mcsnoopd (for logging
all events), causing it to become a slow consumer. However, it might become slow
because of other reasons such as processing a very high rate of IGMP snooping
reports/leaves, which could potentially trigger this issue. PR1153932
• OpenSSH client software supports an undocumented feature called roaming. If the
connection to an SSH server breaks unexpectedly, and if the server supports roaming
as well, the client is able to reconnect to the server and resume the suspended SSH
session. This functionality contains two vulnerabilities that can be exploited by a
malicious SSH server (or a trusted but compromised server): an information leak
(memory disclosure), and a buffer overflow (heap-based). PR1154016
• BGPMonitoringProtocol (BMP) feature is introduced in JunosOSRelease 13.3R1.When
BMP is configured in passive mode and the BMP session is closed ungracefully (for
example, No TCP FIN sent), in rare cases, the TCP session might not be cleaned up
properly and the rpd process crashmight be observed during the reestablishment of
the previous session. PR1154017
• In a dual Routing Engines scenario with NSR and PIM configuration, when the backup
Routing Engine handles mirror updates about PIM received from themaster Routing
Engine, it deletes the PIM session information from its database. However, because of
a software defect, a leak of 2 memory blocks (8 or 16 byte leaks) will occur for every
PIM leave. If the memory is exhausted, the rpd process might crash on the backup
Routing Engine. There is no impact seen on themaster Routing Engine when the rpd
generates a core file on the backup Routing Engine. PR1155778
• In a BGP scenario with a large number of routing-instances and BGP peers configured,
because of a software defect (a long thread issue), BGP slow convergencemight be
seen. For example, BGPmight godown8-9secondsafterBFDbringsdown theexternal
BGP (EBGP) session. The rpd slip usually does not hurt anything functionally, but if
the slip gets big enough, it could eventually cause tasks to not be done in time. For
example, BGP keepalives with lower than 90 seconds hold-timemight be impacted.
PR1157655
• When rib-group copy is done for a route change, the rib-group copy of the secondary
route into the destination tables of the copymight not honor maximum-prefixes in
some scenarios, such as upon damping changes. The traffic forwarding might be
affected. PR1157842
• In a BGP scenariowith independent domain enabled in a VRF,when configuring a BGP
session in a VRF routing instance with a wrong local-as number, some routes might
be declared as hidden because of an AS path loop. If you later configure the correct
AS number as local-as and committing the configuration, those routes might still
remain in hidden state. The hidden routes can be released after performing the
commands commit full or clear bgp table <ANY_VRF>.net.0. PR1165301
• On dual-Routing Engine platforms, with NSR enabled for PIM, when change on
reverse-path forwarding (RPF) unicast route occurs, a routing protocol process (rpd)
crashmight occur on backup Routing Engine. PR1174845
Copyright © 2017, Juniper Networks, Inc.118
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• When you have a route received from different external BGP (EBGP) neighbors, for
this specific route, if all BGP selection criteria is matching, you will end up using router
ID. Because this is an EBGP route, BGP will use the active route as the preferred one.
Now if this specific route flappedwith sequence fromthenonpreferred to thepreferred
path, rpd will run the path selection. During RPD path selection, a core file might be
generated. This issue has no operational impact. PR1180307
• In a Layer 3 VPN scenario, VPN routes with different next hops are advertised with the
same label, leading to PE-CE link protection failure and longer-than-expected traffic
loss (as reported 2.6 sec). PR1182777
• BGP routes are rejected as cluster ID loop prevention check fails caused by a
misconfiguration. However, when themisconfiguration is removed, BGP routes are not
refreshed. PR1211065
Services Applications
• SNMP Layer 2 Tunneling Protocol (L2TP) object identifier (OID)
jnxL2tpTunnelGroupStatsTotalSessions does not provide correct information. TheMX
Series router provides total sessions only associated with a remote ID for L2TP and
does not correctly reflect the total sessions associated with the L2TP tunnel group
when there are multiple remote IDs for L2TP tunnels. PR989386
• Whenmaking a configuration change to a EXP type rewrite-rule applied to a SONET
interface inanMXSeriesFPCType2orMXSeriesFPCType3, ifMS-DPC isalso installed
on the device, a MS-PIC core file may be generated. PR1137941
• When NAT for SIP is enabled, in a rare situation where the child SIP flow entries are
still present in theparent conversationwhile theyhavealreadybeendeleted, the service
PICmight crash if the SIP parent flow tries to access them. PR1140496
• OnMXSeriesplatform,whenusingMS-MPC, the "idpd_err.date" errormessage is filling
var/log. PR1151945
• When traffic is flowing through the MS-DPC card Service PIC and there is an active
port block and some ports are assigned from that active port block, if you change the
max-blocks-per-address setting to a lower value (lower than the current value), the
service line card might crash. PR1169314
• MS-PIC generates a core file when MPLS or IPV6 routing updates are received in the
PIC PR1170869
• WhenMS-PIC is running on T640/T1600/T4000, the number of maximum service
sets is incorrectly limited to 4,000, instead of 12,000. Thismight impact scaled service
(such as IPsec, IDS, NAT, and Stateful firewall filter) environments. PR1195088
• When configuring Network Address Translation (NAT) service, the service route is still
available in the route table even after the service interface is disabled. Any types of
service interfaces (except ams- interface) that support NATmight be affected.
PR1203147
119Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Subscriber Access Management
• In a subscribermanagement environmentwith AAAauthentication, after a few rounds
of login/logout, some dynamic PPPoE subscribers might get stuck in configured
(AuthClntLogoutRespWait) state. PR1127823
• OnMX240/MX480/MX960/MX2010/MX2020, jdiameterd might generate a core file
if tx control elements are pushed out of order by the device itself. PR1153776
• Client IP address is not seen under the command test aaa ppp. PR1173389
• On EX2200/EX3300 Series switches configured with dhcp-local-server, if you bring
up a few (say 6 or more) or all interfaces that are under the [dhcp-local-server]
hierarchyat once, theauthdprocess continually generates core files, causing the switch
to get stuck and resulting in packet drop. PR1191446
• If RADIUS return Framed-route="0.0.0.0/0" to a subscriber terminated on a Junos OS
platform, this subscriber cannot log in because of an authentication error. PR1208637
• The session timeout for active PPPoE sessions has expired, but the subscribers are
still showing up. These sessions cannot be cleared using network-access or PPPoE
session commands. PR1230315
User Interface and Configuration
• The following warning is seen: Process: dfwd, path: <none>, statement: <none>,
pinned-page found for bucket 0xb416972c. Thiswarning is givenwhen the application
is done with the page pool and tries to find out if there were any pinned pages in
memory. PR1179264
• Commit fails with the error access has been revoked after automatic rollback because
of an unconfirmed commit. You can still make configuration changes however, the
subsequent commit failswitherror:accesshasbeenrevoked. After exitingconfiguration
mode, entering configuration mode using configure exclusive fails with error:
configuration databasemodified. PR1210942
VPNs
• Onadual Routing Engine platformwith BGP Layer 2 VPN (L2VPN) and nonstop active
routing (NSR) configured, the block label allocation and deletion for L2VPNmight be
out of order on the backup Routing Engine as following: <sample>Master rpd follows
thebelowsequeces (which is the correct order): AddPrefix P1 of Label L1 DeletePrefix1
of Label L1 Add Prefix P2 of Label L1 However, on backup rpd, it goes like this: Add
Prefix P1 of Label L1 Add Prefix P2 of Label L1 <====== Delete Prefix1 of Label
L1<sample>. In this situation, thebackup rpdcannotallocate the label L1 forP2because
L1 is already in use for P1, so it crashes. This occurs in scaling environment (10,000
L2VPN)where the routerhasmultipleBGPpeersanddifferentL2VPNrouting-instances
are deleted and added back. PR1104723
• In BGP VPLS environment, sometimes routes from BGPwith invalid next-hop related
information are received. In such scenarios, VPLS should treat them as bad routes and
not send them to rpd infra for route resolution. Because of a software defect, the bad
routes are passed to the route resolver, which might lead to rpd process crash. The
Copyright © 2017, Juniper Networks, Inc.120
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
routing protocols are impacted and traffic disruption will be seen because of loss of
routing information. PR1192963
Resolved Issues: Release 13.3R9
Class of Service (CoS)
• ThisPRdoesoptimization inAESNMPhandling. If all the links inanAEbundlegodown,
then any COS SNMP query for this AE IFD/IFL will return cached values. PR1140440
• OnMX104platform,whenapplying the "rate-limit" and the "buffer-size" on the logical
tunnel (lt-) interface on themissing MIC (not insterted on MPC), commit failure with
error message would occur. As a workaround, this issue could be avoided by applying
the "rate-limit and "buffer-size" on inserted MIC, then commit. PR1142182
Forwarding and Sampling
• When "shared-bandwidth-policer" is configuredwith aggregate Ethernet (AE), if there
are filters configured on the logical interface family (IFF) of the AE interface, the FPC
may crash upon rebooting (it also be seen when new FPC coming up) due to the fact
that the running thread is stuck at the association of the filter which is in the resolved
state (it happens when the filter has not yet come down to the Packet Forwarding
Engine whereas its association has already reached). It is a timing issue in the above
circumstance. However, it could be consistently reproduced whenmoving links from
one AE to another and then rebooting the FPC by scripts. As a workaround, if it is
possible, the administrator could disable all the filter configuration and then bring up
the line card. PR1113915
• OnMXSeriesplatformwithMX-FPC/DPC,M7/10iwithEnhance-FEB,M120,M320with
E3-FPC, when there are large sized IPv6 firewall filters(for example, use prefix lists
with 64k prefixes each) enabled, commit/commit check would fail and dfwd process
wouldcrashafter configurationcommit/commit check. There is nooperational impact.
PR1120633
• On all Junos OS platform, when both the filter and the policer are configured for an
interface, in rare cases, the policer templatemay not be received by Packet Forwarding
Engine (from the Routing Engine)when it is referenced by the filter term (normally the
policer template gets received before the filter term referencing it which is ensured by
mechanism in Routing Engine kernel). In this situation, the FPCwould crash due to this
timing issue. This issuemight be avoid by the recommended steps below: 1. Deactivate
the physical interface (IFD) and commit 2. Enable any filter and policer that attached
to the interface (e.g. IFL) and commit 3. Activate interface back PR1128518
General Routing
• In some corner case scenarios, the execution of "show route" commandmight lead to
illegal memory access within RPD thereby leading to the RPD crash. PR911056
• Destination ERR alarm is not getting cleared even after FPC offlined. PR937862
• Duringan in-service softwareupgrade (ISSU), if theunified ISSUaborts after upgrading
backupRoutingEngine to thenew release, it is possible that thebackupRoutingEngine
fails to decode themessage from themaster Routing Engine which is running the old
121Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
release, causing the ksyncd process crash on backupRouting Engine and vmcores (live
core) generated on both Routing Engines. Themaster Routing Engine will not be
upgraded and the backup Routing Engine will remain with the new release. There is
no rollback to old release. We have to manually bring backup Routing Engine to old
release. PR1035777
• Onall routingplatformsM/MX/TwithBGPconfigured tocarry flow-specification route,
in case of deleting a filter term and policer, then add the same term and policer back
(it usually happens in race condition when adding/deleting/adding the flow routes),
since confirmation from dfwd for the deleting policer might not be received before
attempting to add the same policer, the rpd would skip sending an add operation for
it to dfwd. As a result, when the filter term is sent to dfwd and tell it to attach to the
policer, dfwd had already deleted the policer, and since rpd skipped re-adding it, dfwd
will reject theattach filterwithpolicer not founderror and rpdwill crashcorrespondingly.
PR1052887
• In a rare condition, the routing protocol daemon (rpd) might crash and create a core
file if there is internal BGP (IBGP) route churn while IBGPmultipath is configured and
there are multiple levels of IBGP next-hop recursion. PR1060133
• When a labeled BGP route resolves over a route with MPLS label (e.g. LDP/RSVP
routes), after clearing the LDP/RSVP routes, in the shortwindowbefore the LDP/RSVP
routes restore, if the BGP routes resolves over a direct route (e.g. a one-hop LSP), the
rpd process might crash. PR1063796
• Upon BFD flapping on aggregate interfaces, the Lookup chip (XL) might send illegal
packets to the center chip (XMCHIP) and compromise packet forwarding and an FPC
restart is needed to recover from this condition. If Fabric path side is affected, the fabric
healing processwill initiate this process automatically to recover fromsuch conditions.
MPC6E/MPC5E/NG-MPCareexposed to thisproblem.Corruptedparcels fromLookup
chip LU/XL to Center Chip (XM) can also compromise packet forwarding and report
DRD parcel timeout errors. An additional parcel verification check is added to prevent
sending corrupted parcels to the center chip (XM). PR1067234
• CFP2-100GBASE-ER4 is supported on MIC6-100G-CFP2/MPC6E/MPC5E from
13.3R8/14.1R6/14.2R3-S4/14.2R4-S1/14.2R5/15.1R2/15.2R1 PR1069112
• After reconnectwindow, chassisdcoredduringplaneonlineoperationdue toacondition
where number of active-active planes must not exceeding the max allowed numbers
(4). In the core file, all FPCs are sending onlinemask, and 7 planes have the fabric state
asACTIVE - this clearly indicates incorrect fabric state.Once the router hit the condition,
chassisd continues to core since the condition does not correct itself. This fix put in a
work-around to prevent the (continuous) chassid core at reconnect expire so that if
the condition is detected, all planes are bounced by offline all planes first, and follow
with online of the planes. Given the FPCs are all online already, the bouncing of the
planes should take reasonable time. PR1070116
• There is a bug about expansion memory usage computation. It does not account for
freedmemory. So the displayed expansion memory usage is higher than the real
expansion memory usage. As displayed expansion memory usage reaches over the
configured threshold (in this case, the threshold is 95%), subscribers are denied to
Copyright © 2017, Juniper Networks, Inc.122
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
comeup. As aworkaround,we could disable the resourcemonitoring throttling feature
to avoid possibility incorrect expansion memory usage. PR1090733
• Occasionally , AFEB PCI reads from Cortona MIC with ATMOAM traffic might return
garbage values even though the actual content in the MIC has the correct value , this
corrupted values would lead to AFEB crash , and also PCI error logs such as : afeb0
PCI ERROR: 0:0:0:0 Timestamp 91614msec. afeb0 PCI ERROR: 0:0:0:0 (0x0006)
Status : 0x00004010 afeb0 PCI ERROR: 0:0:0:0 (0x001e) Secondary bus status :
0x00004000 afeb0 PCI ERROR: 0:0:0:0 (0x005e) Link status : 0x00000011 afeb0
PCI ERROR: 0:0:0:0 (0x0130) Root error status : 0x00000054 afeb0 PCI ERROR:
0:0:0:0 (0x0134)Error source ID : 0x02580258afeb0PCI ERROR:0:2:11:0Timestamp
91614msec. afeb0 PCI ERROR: 0:2:11:0 (0x0006) Status : 0x00004010 afeb0 PCI
ERROR: 0:2:11:0 (0x004a) Device status : 0x00000004 afeb0 PCI ERROR: 0:2:11:0
(0x0052)Linkstatus :0x00004001afeb0PCIERROR:0:2:11:0(0x0104)Uncorrectable
error status : 0x00000020 afeb0 PCI ERROR: 0:2:11:0 (0x0118) Advanced error cap
& ctl : 0x000001e5 afeb0 PCI ERROR: 0:2:11:0 (0x011c) Header log 0 : 0x00000000
afeb0 PCI ERROR: 0:2:11:0 (0x0120) Header log 1 : 0x00000000 afeb0 PCI ERROR:
0:2:11:0 (0x0124) Header log 2 : 0x00000000 afeb0 PCI ERROR: 0:2:11:0 (0x0128)
Header log 3 : 0x00000000. PR1097424
• If NSR (Nonstop Routing) is enabled and a TCP session is terminated while there is
still data in the socket pending transmission, the MBUF (Kernel Memory Buffer) used
to store this data might not get deallocated properly. In order to hit this issue the TCP
sessionmustuseNSRactivesocket replication. If thesystemruns lowonMBUFmemory
the kernel will automatically throttle downmemory allocation on low priority
applications and ultimately if there is no MBUF left, the system could become
unresponsive due to its inability to serve I/O requests. PR1098001
• When the clock sync process (clksyncd) is stopped and resumed during link flaps, the
clksyncdprocessmight get intoan inconsistent statewith various symptoms, the clock
source might be ineligible due to "Interface unit missing" or "Unsupported interface"
with no Ethernet Synchronization Message Channel (ESMC) transmit interfaces.
PR1098902
• Dynamic vlan ifl is not removed with 'remove when-no-subscriber' configuration
PR1106776
• OnMX240/480/960 Series router with MS-DPC, customer running BGP over IPSec.
ThisBGPsessionhasaBFDsession tied to it. TheBGPsession isupbut theBFDsession
remains in INIT state. The issuemightbeseenwithany service configuredwithmultihop
BFD enabled. Traffic forwarding will not be affected. PR1109660
• This issue is a regression defect introduced in JunosOSRelease 11.4R11, 12.1R10, 12.2R8,
12.3R6, 13.2R4, 13.3R2, 14.1R1. After upgrading to those releases containing the original
fix, when there is no export policy configured for forwarding table to select a specific
LSP, whenever routes are resolved over RSVP (for example, due to aggressive
auto-bandwidth), resolver will spend considerable amount of time on resolver tree,
which contributes to base line increase in rpd/Routing Engine CPU. PR1110854
• OnMX Series routers with Junos OS release 12.3X54-D20 or 12.3X54-D25, Inverse
multiplexing for ATM (IMA) interfaces on MIC-3D-4COC3-1COC12-CEmay not come
123Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
up due to "Insufficient Links FE" alarm. This is due to data corruption on the physical
layer. PR1114095
• When using the SIP-ALG with MS-MIC and MS-MPC cards in the 13.3R8 and earlier
builds, the MSPMAND process can generate a core file. PR1120100
• The commit latency will increase along with the increasing lines under [edit system
services static-subscribers group<groupname> interface]. Use ranges to create static
demux interfaces isa recommendedoption. e.g. [edit systemservices static-subscribers
group PROFILE-STATIC_INTERFACE] + interface demux0.10001001 upto
demux0.10003000. PR1121876
• OnMX Series platform, the MS-MPC crashmay occur. The exact trigger of the issue is
unknown, normally, this issuemayhappenover longhours (e.g.withinaweek)of traffic
run(forexample, runningHTTP/HTTPS/DNS/RTSP/TFP/FTPtrafficprofile).PR1124466
• Egress multicast statistics displays incorrectly after flapping of ae member links on
M320. PR1126956
• An incorrect destination MAC address is applied to the packet when a DHCPv6
Offer/Advertise packet is sent back to the subscriber from a non-default routing
instance across a pseudowire. PR1127364
• In current Juniper Networks implementation, the IPv6multicast Router Advertisement
timer is not uniformly distributed value between MinRtrAdvInterval and
MaxRtrAdvInterval as described in RFC 4861. PR1130329
• OnMX Series based line card, multiple modifications of firewall filter might cause
lookup chip error and traffic blackhole, following jnh_free error messages could help
to identify this issue: messages: fpc1 jnh_free(10212): ERROR [FW/3]:1 Paddr
0x006566a9, addr 0x2566a9, part_type 0call_stack 0x40497574 0x418ffa84
0x41900028 0x418ecf94 0x41861690. PR1131828
• When customers do changes under "protocol router-advertisement interfaceX" (such
as changing timers etc), they expect that commit would trigger a new
router-advertisement being sent out to notify hosts about configuration changes.
However it does not seem to be a case unfortunately. It makes the router information
to expire on hosts and causes obvious loss of connectivity for the hosts. PR1132345
• OnMX Series platformwith non-QMPC (for example, MPC2-3D) or Q-MPCwith
enhanced-queueing off, when traffic has to egress on any one of the dynamic PPPoE
(pp0), IP-DEMUX (demux0) and VLAN-DEMUX (demux0) IFLs, the queuemapping
might get wrong. The traffic forwarding might be affected. PR1135862
• Commit error after attempting to delete all guaranteed rates on all
traffic-control-profiles associated with demux0 [edit] user@host# commit re0: [edit
class-of-service interfaces] 'demux0' IFL excess rate not allowed on interface
(demux0), please specify guaranteed rate on at least one IFL error: configuration
check-out failed PR1150156
Copyright © 2017, Juniper Networks, Inc.124
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Interfaces and Chassis
• OnMX Series router, the physical or logical interfaces (ifd/ifl) might be created and
marked UP before a resetting FPCs' fabric planes are brought up and ready to forward
traffic. As a result, traffic might be black-holed during the time window. This window
of traffic black-hole is particular long if the chassis is heavily populatedwith line-cards,
for example, the router has large scale of configuration (routes or subscribers), and
coupled with a lot of FPC reset, such as upon a node power up/reset. PR918324
• Anyhostoutbound traffic goacrossaggregatesonet interface,will lead to ifstatmemory
leak, finally result in kernal crash. Here is a failure phenonmenon: > show system
virtual-memory | match "mem|ifstat " Dec 28 10:24:03 Type InUse MemUse HighUse
Requests Size(s) ifstat 16315831263445K - 16317521
16,32,512,2048,4096,524288,2097152,4194304>showsystemvirtual-memory |match
"mem|ifstat " Dec 28 10:24:06 Type InUse MemUse HighUse Requests Size(s) ifstat
16317436263470K - 16319126 16,32,512,2048,4096,524288,2097152,4194304> show
system virtual-memory | match "memu|ifstat " Dec 28 10:27:23 Type InUse MemUse
HighUse Requests Size(s) ifstat 16456495265643K - 16458247
16,32,512,2048,4096,524288,2097152,4194304Dec2722:09:10T1600-a-re0/kernel:
kmem type ifstat using 284066K, approaching limit 332800K Dec 27 22:10:11
T1600-a-re0 /kernel: kmem type ifstat using 284726K, approaching limit 332800K
Dec 27 22:11:11 T1600-a-re0 /kernel: kmem type ifstat using 285385K, approaching
limit 332800K Dec 27 22:12:11 T1600-a-re0 /kernel: kmem type ifstat using 286045K,
approaching limit 332800K. PR975781
• When IEEE 802.3ah OAM link-fault management action profile is configured to define
event and the resulting action, the link might flap after it is brought down by an event
but brought up by other events erroneously. PR1000607
• OnDPConly chassis, after softwareupgradeornotgracefulRoutingEngineswitchover,
Ethernet OAM related LAG bundles might not come up due to the Link Fault
Management (LFM) packets arrive on AE interface instead of physical link interface.
PR1054922
• When adding new VCP port MX-VC, some of the traffic drops are seen. PR1067111
• OnMX240 or MX480 platformwith at least two DCmodules (PN: 740-027736)
equipped, when shutting down one of the PEMs and then turn it on again, even the
PEM is functioning, the "PEM Fan Fail" alarmmight be observed on the device due to
software logic bug. There is no way to clear the ALARM_REASON_PS_FAN_FAIL for
I2C_ID_ENH_CALYPSO_DC_PEM once it has been raised. PR1106998
• Onall JunosOSplatforms, if the "HDD/var" slice (for example, "/dev/ad1s1f" depending
on the type of Routing Engine) is notmounted (for example, label missing, file system
corrupted beyond repair, HDD/SDD is removed from the boot list, etc), the systemmay
build emergency "/var/". However, no alarm or trap is generated due to the incorrect
operation of the ata-controller. Although the boot messages may present the logs, it
may not be sufficient enough to identify the issue before encountering other problems
(for example, JunosOS upgrade failure and the Routing Enginemay hang in a recovery
shell). In addition, asamethod tocheckwhereRoutingEngine is running from,amanual
check could be done as below, user@re0> show system storage | match " /var$"
125Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
/dev/ad2s1f 34G 18G 13G 57% /var <<<<indicate that>show system storage | match
" /var$" <<<<No output>PR1112580
• Junos OS now checks ifl information under the ae interface and prints only if it is part
of it. PR1114110
• In PPPoE subscriber management environment, when dynamic VLAN subscriber
interfaces is createdbasedonAgentCircuit Identifier (ACI) Information, the subscribers
might unable to login after reboot FPC with syslog "Dropping PADI due to no ACI
IFLSET". PR1117070
• The jpppd processmight crash and restart due to a stalememory reference. The jpppd
process restart results in a minimal impact of system and subscribers. All connected
subscribers remain connected and only subscribers are attempting to connect at time
of process restart would need to retry. PR1121326
• On Junos OS platform, an aggregate-ethernet bundle having more-than onemember
link can show incorrect speedwhichwouldn'tmatch to the total aggregate bandwidth
of all member links. The issue would be seen when LFM is enabled on the
aggregate-ethernet bundle. The issue would be triggered when one of the member
link flaps. Although after the flap, the current master Routing Engine would show
correct aggregate speed, the backup Routing Engine would report incorrect value. In
this state,whenRoutingEnginemastership is switched, thenewmasterRoutingEngine
(which was backup) will show incorrect value. One of the side-effect of this issue is
that RSVP also reflects incorrect Bandwidth availability for the affected
aggregate-ethernetbundle, thus cancauseunder-utilizationof the linkwith LSPhaving
bandwidth constraints. PR1121631
• Since a bugwhichwas introduced in JunosOSRelease 15.1R1, loopback sub-interfaces
always have a Flag down in the output of CLI command "show interfaces". PR1123618
• A hidden configuration attribute is provided to allow alternate vendor IDs to be
considered valid for inspection for ACI/ARI information in PPPoE vendor-specific tags.
Thehiddenconfigurationattribute isas follows: "setprotocolpppoealternate-vendor-id
<vendor id value>" PR1124132
• If two redundant logical tunnels (rlt) sub-interfaces are configured in a same subnet
and in a same routing-instance, a sub-interface will be down (this is expected), but if
the sub-interface is removed from the routing-instance later, after disable and enable
the rlt interface, a sub-interface might remain in down state unless removing
configuration of rlt interface and then rollback. PR1127200
• In Dynamic PPPoE subscriber management scenario, when the system is overloaded
with requests coming, the subscribersmight fail to login in a race condition.PR1130546
• The jpppdprocessmight crashand restart due toabuffer overwrite. The jpppdprocess
restart results inaminimal impactof systemandsubscribers. All connectedsubscribers
remain connected and only subscribers are attempting to connect at time of process
restart would need to retry. PR1132373
• OnMX Series platform, the "Max Power Consumption" of MPC Type 1 3D (model
number: MX-MPC1-3D) would exceed the default value due to software issue. For
example, the value might be shown as 368Watts instead of 239Watts when "max
ambient temperature" is 55 degree Celsius. PR1137925
Copyright © 2017, Juniper Networks, Inc.126
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Layer 2 Features
• OnMX Series platformwith non-stop-routing (NSR) enabled and some L2 protocols
configured, performingRouting Engine switchovermight cause layer 2 control protocol
daemon (l2cpd) to crash and FPC to be rebooted. PR1076113
• OnMX Series platformwith Dynamic Host Configuration Protocol (DHCP)maintain
subscriber feature enabled, after rebooting the FPC hosts the Demux underlying
interfaces, the next-hop for some DHCP subscribers might bemarked as dead in the
forwarding table. When this issue occurs, we can execute CLI command "clear dhcp
server binding <address>" to restore. PR1118421
• For PVSTP/VSTP protocols, when MX/EX92xx router inter-operate with Cisco device,
due to the incompatible BPDU format (there are additional 8 Bytes after the required
PVID TLV in the BPDU for Cisco device), the MX Series might drop these BPDUs.
PR1120688
• In the DHCPv4 or DHCPv6 relay environment with large scaled environment (in this
case, 50-60K subscribers), and the system is under stress (many simultaneous
operations). The subscribers might get stuck in RELEASE state with large negative
lease time. PR1125189
• In some rare scenarios, theMVRPPDUmight be unable to be transmitted,which could
causememory leak in layer 2 control plane daemon (l2cpd), and finally results in the
l2cpd process crash. PR1127146
• WhenAE is core facing ifl in ldp-mesh vpls instancewith local-switching in it, the traffic
is looped back. PR1138842
MPLS
• With egress protection configured for Layer 3VPN services to protect the services from
egress PE node failure in a scenario where the CE site is multihomed with more than
one PE router, when the egress-protection is un-configured, the egress-protection
route cleanup is not handled properly and still point to the indirect composite nexthop
in kernel, but the composite nexthop can be deleted in rpd even the egress protection
route is pointing to the composite nexthop. This is resulting in composite nexthop "File
exists" errorwhen theegressprotection is re-enabledand reuse thecompositenexthop
(new CNH addition fails as old CNH is still referenced in kernel). PR954154
• In next-generation MVPN extranet scenario, if there is a mix of VT interface and LSI
(vrf-table-lable isused) interfaceonnext-generationMVPNegressnode, after changing
some vrf policies, the routing protocol process (rpd)might crash and reset.PR1045523
• InMPLSscenarios, removing the "familympls" configuration fromanoutgoing interface
may cause inet and/or inet6 nexthops associated with that interface to unexpectedly
transit to dead state. Even adding back "family mpls" cannot restore it. PR1067915
• If "optimize-timer" is configured under P2MP branch LSP, this branch LSP will not be
re-established if link flap on egress node. If "optimize-timer" is configured at
protocols/mpls level, issue could be avoided. PR1113634
127Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Network Management andMonitoring
• LAGMIB tables dot3adAggPortTable, dot3adAggPortDebugTable polling or lag
configuration changes may result in mib2d process core or unexpected values for lag
MIB OIDs. The PR fix will resolve these MIB table issues. PR1060202
• The SNMPv3message header has a 4 byte msgID filed, which should be in
(0....2147483647),when thesnmpdprocesshasbeen running for a long time, themsgID
might cross the RFC defined range and causing Net-SNMP errors, "Received bad
msgID". PR1123832
Platform and Infrastructure
• On all high-endMXSeries devices, when a router is acting as anNTP broadcast server,
broadcast addresses must be in the default routing instance. NTPmessages are not
broadcasted when the address is configured in a VPN virtual routing and forwarding
(VRF) instance. PR887646
• After the "show version detail" command is executed, the syslog message
"UI_OPEN_TIMEOUT: Timeout connecting to peer" might appear. This message is
cosmetic only; you can ignore this message. PR895320:
• OnMX Series based line card, when GRE keepalive packets are received on a Packet
Forwarding Engine that is different from the tunnel interface hosted, the keepalive
messagewill apply the firewall filter configuredondefault instance loopback interface.
PR934654
• Bad udp checksum for incomingDHCPv6packets as shown inmonitor traffic interface
output. The UDP packet processing is normal, this is a monitor traffic issue as system
decodes checksum=0000. PR948058
• Under certain conditions the Packet Forwarding Engine flow export thread and flow
update threadmight be out of sync resulting in a situation where the update thread
might attempt to update a flow record that is being aged-out/deleted by the export
thread. As a consequence, PPE traps might be generated during flow processing; the
PPE trap signature is very dependent on the operation performed on that particular
record: fpc1 PPE Sync XTXN Err Trap: Count 3, PC 637f, 0x637f:
flow_export_read_src_address_ipv6LUCHIP(2)PPE_4Errors syncxtxnerrorUnder rare
conditions, this can ultimately lead to record corruption. Trying to reuse or update such
a recordwould trigger the following error: [LOG: Err] LUCHIP(2) HASH INTStatus FPM
Error: [LOG: Err] LUCHIP(2) HASH FPM ERROR: Alloc OMI Ram IF Error, TID=1,
FP_ID=0x2. - There is no impact to forwarding. - There may or may not be impact on
Jflow. - Its a generic problem for any inline-jflow application including IPv4 and IPv6.
With 13.2 release, new fields (min, max TTLs/QinQ values) are added to jflow record.
These fields need to be updated (if value changes) per packet in the flow. So the
probability of hitting the race condition between export thread (deleting the record)
and jflowdatapath code (updating the same record) and is higher in JunosOSRelease
13.2 and later. PR968807
• In rare condition, when execute cscript the cscript process might crash, so the current
cscript executionwill fail. The issue is due to third-party codewhichwe have imported
Copyright © 2017, Juniper Networks, Inc.128
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
in Junos OS for cscript execution. It occurs in rare condition, and it is hard to reproduce.
PR1011518
• TheMIB counter or "showpfe statistics traffic" shows junk PPS and invalid total traffic
output counter. PR1084515:
• OnMX Series platformwith MPC/MIC or T4000 FPC5, TCP session with
MS-Interface/AMS-Interface configuration is not established successfully with the
"no-destination-port" or "no-source-port" configuration statements configured under
forwarding-options hierarchy level. PR1088501:
• On an MPC3E or MPC4E , when the flow-detection feature is enabled under the [edit
system ddos-protection] hierarchy, if suspicious control flows are received, two issues
might occur on the device: The suspicious control flowmight not be detected on the
MPC or line card. After suspicious control flows are detected, they might never time
out, even if traffic flows no longer violate control parameters. PR1102997:
• OnBNGplatform,when disable a static demux interface, theNPConMPCmight crash
and generate a core file. PR1116463:
• Inline 6rd and 6to4 support for XL and XL-XM based platforms. PR1116924:
• When inline static NAT translation is used, if two rules defined in two service sets are
pointing to the same source-prefix or destination-prefix, changing the prefix of one of
the rule and then rolling back the changes is not changing back all the pools correctly.
PR1117197:
• After changinganouter vlan-tags, the ifl is gettingprogrammedwith incorrect stp state
(discarding), so the traffic is getting dropped. PR1121564:
• OnMX Series based platform, when fragmented packets go through the inline NAT
(including source NAT, destination NAT, and twice NAT), the TCP/UDP checksum
would not be correctly updated. In this situation, checksum error would occur on the
remoteend(insideandoutsidedevice).Non-fragmentedpacketswouldnotbeaffected
by the issue. If possible, this issue could be avoided by either of the following
workarounds, * Enable "ignore-TCP/UDP-Checksum errors" at the inside or outside
devicewhich processes TCP/UDPdataOR*Make sure therewill not be any fragments
subjected to inline NAT functionality by appropriate MTU adjustment or setting.
PR1128671
• Parity error at ucode location which has instruction init_xtxn_fields_drop_or_clip will
lead to a LUWedge. LU is lookup ASIC inside the MX Series router. The LU wedge will
cause the fabric self ping to fail which will lead to a FPC reset. This is a transient HW
fault, which will be repaired after the FPC reset. There is no RMA needed unless the
same location continues to fail multiple times. PR1129500
• NTP.org published a security advisory for thirteen vulnerabilities in NTP software on
Oct 21st, 2015. These vulnerabilities may allow remote unauthenticated attackers to
cause Denial(s) of Service(s), disruption of service(s) bymodification of time stamps
being issued by the NTP server frommalicious NTP crafted packets, including
maliciously crafted NTP authentication packets and disclosure of information. This
can impactDNS services, aswell as certificate chains, such as those used in SSL/https
communications and allow attackers to maliciously inject invalid certificates as valid
which clients would accept as valid. Refer to JSA10711 for more information. PR1132181
129Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• OnMXSeries based line card, if there are scaled number of routes (e.g. 10million), due
to amemory allocation issue, the forwarding table might be full and causing failure of
install new routes. The following syslog could indicate this problem:
"jnh_expand_partition failed, inst 0, jnh_app ktree, dwords 524288". PR1133920
• With scaled firewall filters attached to interfaces (e.g. 10k+ filters), running "show
configuration" command can cause high CPU of the mgd process. As a workaround,
we can use "show configuration |display set" command to view the configuration.
PR1134117
• PPE thread timeout trapmay cause XM chip wedge, it will not affect MQ based FPC.
PR1136973
Routing Protocols
• In BGP scenario with IPv4 and IPv6 neighbors mixed in the same group, if all of the
IPv4peers flaps but none of the IPv6peers flaps, a timing issuemight happen that one
of the IPv4 peers comes up before inet.0 RIB is cleaned up. As a result, the routing
protocol daemon (rpd) crash will be seen. PR986272
• Since Junos OS Release 13.3R2 and later if delegated BFD sessions are flapping
continuously, packet buffer memory maybe be leaked. The automatic memory leak
detection process will report this within the syslog once certain threshold is reached
"fpc7 SHEAF: possible leak, ID 8 (packet(clones)) (10242/128/1024)". Please note
BFD sessions operating in centralizedmode are not exposed. PR1003991
• When BGP is doing path selection with default behavior, soft-asserts requests are
introduced. If BGP routes flap a lot, it needs to do path selection frequently, because
of which a great deal soft-asserts might be produced which will cause unnecessary
high CPU and some service issues, such as SNMP can not respond and even rpd core.
PR1030272
• EDITEDMP 8/31When amulticast group in protocol independent multicast (PIM)
densemode has a large number ofmulticast sources, the RPD process can crash after
a routing engine switchover. PR1069805
• On large scale BGP RIB, advertised-prefixes counter might show the wrong value due
to a timing issue. PR1084125
• Due to software bug Junos OS cannot purge so called doppelganger LSP, if such LSP
is received over newly formed adjacency shortly after receiving CSNP from the same
neighbor. PR1100756
• When the IS-IS configuration has been removed, the IS-IS LSDB contents got flushed.
If at the same time of this deletions process, there is an SPF execution, which is trying
to access the data structures at same time when a fraction of secs after freeing its
content, routing protocol process (rpd) crash occurs. PR1103631
• When two (or more) route target communities of MP-BGP route match to two (or
more) route target communities in VRF import policy of a RI duplicate routing entries
might be installed in the RI. In the output of 'show route table <RI name>.inet.0 detail'
two identical routing entries appear with one being marked as 'Inactive reason: Not
Best in its group - No difference'. This condition was observed under high scale (many
Copyright © 2017, Juniper Networks, Inc.130
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
RI's and theBGP routewas imported inmanyRI's aswell).Whensuchduplicate routing
information is to be deleted, rpd process process will crash. PR1113319
• When the Multicast Source Discovery Protocol (MSDP) is used, if the RP itself is the
First-Hop Router (FHR) (i.e. source is local), the MSDP source active (SA) messages
are not getting advertised by the RP to MSDP peers after reverse-path forwarding
(RPF) change (e.g. the RPF interface is changed). PR1115494
• When an interface is associated with a Bidirectional Forwarding Detection (BFD)
session, if changing the unit number of the interface (for example, change the unit
number for a running BFD session from ge-1/0/0.2071 to ge-1/0/0.285), the device
may fail to change the name due themissing check for logical interface (IFL) index
change. PR1118002
• OndualRoutingEngineplatformwithNonstopactive routing (NSR)andauthentication
of the Bidirectional Forwarding Detection (BFD) session enabled, BFD process (bfdd)
memory leak may occur on themaster Routing Engine and the process may crash
periodicallyonce it hits thememory limit (RLIMIT_DATA).Theproblemdoesnotdepend
on the scale, but the leak will speed up with more BFD sessions (for instance 50
sessions). As aworkaround, if possible, disablingBFDauthenticationwill stop the leak.
PR1127367
• Inmulticast environment, when theRP is FHR (first hop router) and it hasMSDPpeers,
when the rpf interface on RP changed to MSDP facing interface, due to the multicast
traffic is still on the old rpf interface, a multicast discard route will be installed and
traffic loss will be seen. PR1130238
• Mt tunnel interface flap cause backup Routing Engine core. exact root cause is not
known. while processing updates on the backup re (received frommaster Routing
Engine), accessing free pointer cause the Core. PR1135701
Services Applications
• When polling to jnxNatSrcNumPortInuse via SNMPMIB get, it might not be displayed
correctly. PR1100696
• JunosOSRelease13.3 and above release, when configuring a /31 subnet address under
a nat pool, the adaptive services daemon (SPD) will continuously crash. PR1103237
• In CGNAT environment, when a service PIC is in heavy load continuously, there might
be a threads yielding loop in CPUs,whichwill cause theCPUutilization high, andmight
cause one the CPUs to be reset. PR1115277
• In CGNAT scenario, whenwe establish simultaneous TCP connects, we need to install
timers for eachTCPconnection/flow. Due to this bug,we endedup creating two timers
for the forward and reverse flow separately. Ideally there needs to be only one timer
for both the forward and reverse flow. Whenever the session used to get deleted due
to timer expiry, the PIC used to crash whenever the code tried to delete the same flow
again. PR1116800
131Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Subscriber Management and Services
• When using Neighbor Discovery Router Advertisement (NDRA) and DHCPv6 prefix
delegation over PPPoE in the subscriber access network, if a local pool is used to
allocate the NDRA prefix, when the CPE send DHCPv6 solicit message with both
InternetAssignedNumbersAuthority (IANA)and IdentityAssociationPrefixDelegation
(IAPD) options, the subscriber might get IPv6 prefix from the NDRA pool but not the
delegated pool. As a workaround, the CPE should send DHCPv6 solicit message with
only IAPD option. PR1063889
• OnMX Series platform, when using the DHCPv6 prefix delegation over PPPoE, if the
RADIUS allocates a DHCPv6 pool name during the authentication of subscribers and
"on-demand-ip-address" feature is enabled in a dynamic-profile, the prefixesmay not
be cleared by authentication process (authd) after disconnecting the subscribers.
PR1108038
• For scenarios thatarenot inaLayer 3wholesalenetworkenvironment,wecanconfigure
"duplication-vrf" to send duplicate accounting records to a different set of RADIUS
servers that reside in either the sameor adifferent routing context. AfterRoutingEngine
switchover, the duplicate accounting feature stops work for existing subscribers.
PR1121524
• Authd core dump in AaaService::cleanUpCliSessionInfo PR1127362
VPNs
• In scenario involving pseudowire redundancy where CE facing interface in the backup
neighbor (can be non-standby, standby, hot-standby type), if the virtual circuit (VC)
is not present for the CE facing interface, the CE facing interface may go up after
committing an unrelated VC interface configuration (e.g. changing description of
another VC interface) even though the local pseudowire status is in down state.
PR1101886
• In L2circuit environment, if one PE has pseudowire-status-tlv configured but remote
hasn't, and at the same time, this PE does not support control-word but remote does,
then it will not send changed local status code to remote PE, in a rare condition, after
enable status-tlv support at remote end, the l2circuit might stuck in "RD" state on
remote PE. PR1125438
Resolved Issues: Release 13.3R8
• Class of Service (CoS) on page 133
• Forwarding and Sampling on page 133
• General Routing on page 133
• Infrastructure on page 136
• Interfaces and Chassis on page 137
• Layer 2 Features on page 138
• MPLS on page 138
• Platform and Infrastructure on page 139
Copyright © 2017, Juniper Networks, Inc.132
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Routing Policy and Firewall Filters on page 142
• Routing Protocols on page 142
• Services Applications on page 142
• Software Installation and Upgrade on page 143
• Subscriber Access Management on page 143
• VPNs on page 143
Class of Service (CoS)
• For an ATM interface configured with hierarchical scheduling, when a
traffic-control-profile attached at ifd (physical interface) level and another output
traffic-control-profile at ifl (logical interface) level, flapping the interface might crash
the FPC. PR1000952
• After restarting chassisd or doing an in-service software upgrade from 13.2R8.2 to
13.3R7.3 results in the following messages seen in syslog:
cosd_remove_ae_ifl_from_snmp_db ae40.0 error 2 Messages appear to be harmless
with no functionality impact. PR1093090
• OnMX104 platform, when we configure rate-limit for the logical tunnel (lt-) interface,
the commit will fail. As a workaround, we can use firewall filter with policer to achieve
the same function. PR1097078
• When performing the Routing Engine switchover without GRES enabled, due to the
fact that the Class-of-Service process (cosd) may fail to delete the traffic control
profile state attached to logical interface (IFL) index, the traffic-control-profile may
not get programmed after the ifl index is reused by another interface. PR1099618
Forwarding and Sampling
• This defect is seen only when an existing child link from an AE is moved to a newly
created AE, simultaneously from both-ends. The new AE is listed as child link in the
existing AE in 'show interface ae<>.0 extensive' CLI. PR965872
• In rare cases, MX Series routers might crash while committing inline sampling related
configuration for INET6 Family only. PR1091435
General Routing
• For inline portmirroring, configure "input-parameters-instance" tomake a port-mirror
instance inherit inputparameters fromanother instance.At times,anynewconfiguration
which is addedunderportmirror hierarchy levelwill not takeeffect even thoughcommit
succeeds. PR944631
• In a Layer 3 wholesale configuration, DHCPv6 advertise messages might be sent out
with source MAC all zeroes if the subscriber is terminated on the demux interface in a
non-default routing instance. For subscribers on default instance there is no such issue
observed. PR972603
• OnMX Series-based platform, when the feature flow-control is disabled (enabled by
default) by using CLI command "no-flow-control" configuration statement (for
example, under "gigether-options" hierarchy), after bringing up or rebooting the MPC,
133Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
due to the fact that status of the hardware may not be updated correctly, the flow
control on that MACmay remain enabled. PR1045052
• In IP security (IPsec)VPNenvironment, after performing theRoutingEngine switchover,
the traffic may fail to be forwarded because the SAsmay not be downloaded to the
PIC, or due to some security associations (SAs) on the PICmay incorrectly hold
references for old Security Policy Database (SPD) handles while SPD has deleted its
entries in the Security Association Database (SAD). PR1047827
• MPCwith Channelized OC3/STM1 (Multi-Rate) Circuit Emulation MIC
(MIC-3D-4COC3-1COC12-CE) might crash. This problem is very difficult to replicate
and a preventive fix will be implemented to avoid the crash. PR1050007
• In the PPP environment, when a subscriber is logged out, its logical interface index is
freed, but in rare condition the session database (sdb) entry is not freed. When the
logical interface index is assigned to a new logical interface, it is still mapped to an old
sdb entry, so the jpppd process might crash because of mismatching. The issue is not
really fixed, developer just adds some debug information. PR1057610
• When"satop-options" is configuredonanE1withStructure-AgnosticTDMoverPacket
(SAToP) encapsulation, after Automatic ProtectionSwitching (APS) switchover, some
SAToP E1s on the previously protected interface (nowworking) start showing drops.
PR1066100
• OnMXSeries routerswithMPCbased line cards in a setup involvingPacket Forwarding
Engine fast reroute (FRR) applications, when BFD session flaps the next-hop program
in the Packet Forwarding Engine may get corrupted. It may lead to incorrect selection
of next-hop or traffic blackhole. PR1071028
• Scheduler: Protect: Parity error for tick table single messages might appear on MPC
cards utilizing XMCHIP like MPC2E-3D-NG,MPC3E, MPC4E, MPC5E or MPC6E.
PR1083959
• In a fib-localization scenario, IPv4 addresses configured on service PICs (SP) will not
appear on FIB-remote FPCs although all local (/32) addresses should, regardless of
FIB localization role, install on all Packet Forwarding Engines. There is no workaround
for this and it implies that traffic destined to this address will need to transit through
FIB-local FPC. PR1092627
• -OnXL-based cards suchasMPC5/MPC6, PPE thread timeout errors (resulting inPPE
trap files) can be triggered when the FPC allocates illegal memory space for the
forwarding state of router operations. - In certain cases, this can result in packet loss
depending on howmany packets use this forwarding state. PR110035
• When the null pointer of jbuf is accessed (jbuf, that is, a message buffer is allocated
onlywhen thepacket is ready toprocess. Thebuffer is freedafter thepacket completes
ALG handling is accessed), for example, when using the Microsoft Remote Procedure
Call (MS RPC) (as observed, issue may also happen on Sun Microsystems RPC)
Application-level gateway (ALG) with NAT (stateful firewall is used as a part of the
service chain), if the traffic matching configured universal unique identifier (UUID) is
arrived on the ALG, themspmand (whichmanages theMultiservice PIC) crash occurs.
PR1100821
Copyright © 2017, Juniper Networks, Inc.134
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• After JunosOS release 13.3R1, IPCMON infra is added to debug IPCs between PFEMAN
and the Routing Engine. When convergence occurs, string processing of IPCMOMwill
take added time. Then the slow convergence will be seen. It is a performance issue, it
is visible in scaled scenario (for example, more than 100K routes). As a workaround,
please execute command "set pfe ipclog filter clear" to disable IPC logging on all FPCs.
PR1100851
• FFP is a generic process that shall be called during commit process, and FFP calls the
PDB initializationaspartof itsprocess.On thePDB-unsupportedplatforms(MXSeries,
EX9200, M10i, M120, M320 is PDB-supported), when committing configuration, some
error messages will be seen. PR1103035
• If fpc offline configuration statement is configured after the presence of
Non-recoverable faults, then offline action will not be performed. PR1103185
• Non-queuing MPC5Emight crash continuously if rate-limit under transmit-rate for
scheduler is applied. As a workaround, do not configure rate-limit and use firewall
policer for forwarding-class instead. MPC5EQ is not exposed. PR1104495
• When using "write coredump" to invoke a live coredump on an FPC in T Series, the
contents of R/SR ASICmemory (Jtree SRAM) will get dumped. In the situation that
there is a parity error present in the SRAM, then the coredumpwill abort and the FPC
will crash. As a workaround, configuring "set chassis pfe-debug flag
disable-asic-sram-dump" before "write coredump" will help to avoid the issue.
PR1105721
• An IPv4 filter configured to use the filter block with term that has both "from
precedence" and another non 5-tuple (i.e. not port, protocol, address) will cause an
XL/EA based board to reboot. Example: set firewall family inet filter FILTER
fast-filter-lookup set firewall family inet filter FILTER term TERM from precedence
PRECEDENCE set firewall family inet filter FILTER term TERM from tcp-established.
PR1112047
• In the scenario that the power get removed from the MS-MPC, but Routing Engine is
still online (for example, onMX960 platformwith high capacity power supplies which
split into two separate power zones, when the power zone for the MS-MPC line card
loses power by switch off the PEM that supports the MS-MPC situated slot), if the
power goes back (for example, switch on the PEM), the MS-MPCmight be seen as
"Unresponsive" (checked via CLI command "show chassis fpc") and not coming up
back online due to failure of reading memory. PR1112716
• Under certain conditions, when the JunosOSRouting Engine tries to send an IP packet
over a IPIP tunnel, the lookupmight endup in an infinite loopbetween two IPIP tunnels.
This is caused by a routing loop causing the tunnel destination for Tunnel#A to be
learned through Tunnel#B and the other way round. PR1112724
• Under certain conditions, when the JunosOSRouting Engine tries to send an IP packet
over aGRE tunnel, the lookupmight endup inan infinite loopbetween twoGRE tunnels.
This is caused by a routing loop causing the tunnel destination for Tunnel#A to be
learned through Tunnel#B and the other way round. PR1113754
135Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Infrastructure
• When "show version detail" CLI command has been executed, it will call a separate
gstatd process with parameter "-vvX". Because the gstatd could not recognize these
parameters, it will run once without any parameter and then exit. In result of "show
version detail", following information could be seen: user@host> show version detail
Hostname:mx960Model:mx960Junos: 13.3R6-S3 JUNOSBaseOSboot [13.3R6-S3]
JUNOSBaseOSSoftwareSuite [13.3R6-S3] JUNOSKernelSoftwareSuite [13.3R6-S3]
JUNOS Crypto Software Suite [13.3R6-S3] <snipped> file: illegal option -- v usage:
gstatd [-N] gstatd: illegal option -- v usage: gstatd [-N] At the same time, log lines like
following might be recorded in syslog: Aug 25 17:43:35mx960 file: gstatd is starting.
Aug 25 17:43:35mx960 file: re-initialising gstatd Aug 25 17:43:35mx960mgd[14304]:
UI_CHILD_START: Starting child '/usr/sbin/gstatd' Aug 25 17:43:35mx960 gstatd:
gstatd is starting. Aug 25 17:43:35mx960 gstatd: re-initialising gstatd Aug 25 17:43:35
mx960 gstatd: Monitoring ad2 Aug 25 17:43:35mx960 gstatd: switchover enabled
Aug 25 17:43:35mx960 gstatd: read threshold = 1000.00 Aug 25 17:43:35mx960
gstatd: write threshold = 1000.00 Aug 25 17:43:35mx960 gstatd: sampling interval =
1 Aug 25 17:43:35mx960 gstatd: averaged over = 30 Aug 25 17:43:35mx960
mgd[14304]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/gstatd', PID 14363, status
0x4000 Aug 25 17:43:35mx960mgd[14304]: UI_CHILD_EXITED: Child exited: PID
14363, status 64, command '/usr/sbin/gstatd' PR1078702
• OndualRoutingEngineplatform, if GRES is configured (triggeredby "on-disk-failure"),
when a disk I/O failure occurs on themaster Routing Engine due to hardware issue (for
example, SSD failure), the graceful Routing Engine switchover might not be triggered
immediately after initial IO failure has been detected. As a result, Routing Enginemight
enter a state in which it responds to local pings and interfaces remain up, but no other
processes are responding. PR1102978
Copyright © 2017, Juniper Networks, Inc.136
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Interfaces and Chassis
• OnMX Series platform, when an aggregated Ethernet bundle participating as L2
interface within bridge-domain goes down, the following syslog messages could be
observed. Themessages would be associated with FPC0 even if there are no link(s)
from this FPC0 participating in the affected aggregate-ethernet bundle. mib2d[2782]:
SNMP_TRAP_LINK_DOWN: ifIndex 636, ifAdminStatus up(1), ifOperStatus down(2),
ifNamexe-3/3/2mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex637, ifAdminStatus
up(1), ifOperStatusdown(2), ifNamexe-3/3/3mib2d[2782]:SNMP_TRAP_LINK_DOWN:
ifIndex740, ifAdminStatusup(1), ifOperStatusdown(2), ifNameae102 fpc0LUCHIP(0)
Congestion Detected, Active Zones f:f:f:f:f:f:f:f:f:f:f:f:f:f:f:f fpc0 LUCHIP(0) Congestion
Detected, Active Zones 2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm set: FPC
color=RED, class=CHASSIS, reason=FPC 0Major Errors craftd[1601]: Major alarm set,
FPC 0Major Errors fpc0 LUCHIP(0) Congestion Detected, Active Zones
2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm cleared: FPC color=RED,
class=CHASSIS, reason=FPC 0Major Errors craftd[1601]: Major alarm cleared, FPC 0
Major Errors fpc0 LUCHIP(0): Secondary PPE 0 zone 1 timeout. fpc0 PPE Sync XTXN
Err Trap: Count 7095, PC 10, 0x0010: trap_nexthop_return fpc0 PPE Thread Timeout
Trap: Count 226, PC 34a, 0x034a: nh_ret_last fpc0 PPE PPE Stack Err Trap: Count 15,
PC 366, 0x0366: add_default_layer1_overhead fpc0 PPE PPE HW Fault Trap: Count
10, PC 3c9, 0x03c9: bm_label_save_label fpc0 LUCHIP(0) RMC 0 Uninitialized
EDMEM[0x3f38b5]Read(0x6db6db6d6db6db6d)fpc0LUCHIP(0)RMC1Uninitialized
EDMEM[0x394cdf] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0) RMC 2
Uninitialized EDMEM[0x3d9565] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0)
RMC3UninitializedEDMEM[0x3d81b6]Read(0x6db6db6d6db6db6d)Thesemessage
would be transient in nature. The discrepancy of nexthop handling that is addressed
in this PR can alsomanifest itself in form of other issues in the system. Basically when
the nexthops go out of sync we are bound to see either Packet Forwarding Engine
crashes/traps or Routing Engine crashes. The fix in this PR should take care of this
behavior and ensurewehandle the nexthops correctly tomaintain the synchronization
betweenmaster Routing Engine, backup Routing Engine and all Packet Forwarding
Engine peers. PR990023
• In some configurations agg_pfe_get_fwd_options log message is generated at the
excessive rate. This log message can be helpful during troubleshooting, but it is not
needed during normal operation. Though it is not service impacting, it may increase
load of the system and it was decided to cover this message under traceoptions in
order to optimize system performance. PR1047564
• dcd will crash if targeted-distribution applied to ge ifd via dynamic-profile. PR1054145
• During subscriber login/logout the following error log might occur on the device
configured with GRES/NSR. /kernel: if_process_obj_index: Zero length TLV! /kernel:
if_pfe: Zero length TLV (pp0.1073751222). PR1058958
• For Junos OS Release 13.3R1 and later, after multiple (for example, 26) iterations of
gracefulRoutingEngine switchover (GRES), theTNPaddressofmanagement interface
might be deleted incorrectly during switchover, this leads to all FPCs to be offline.
PR1060764
137Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• After removing a child link from AE bundle, in the output of "show interface <AE>
detail", the packets count on the remaining child link spikes, then if add back the
previous child link, the count recovers to normal. PR1091425
• During failure notification state machine, CFM does not correctly transit from DEFECT
CLEARINGstate toRESETonce theerror indicationhasbeencleared.Asaconsequence,
all the forthcoming errorswill be consideredpost errors andwill be reported right away
without incurring the fngAlarmTime. This is a cosmetic problem. PR1096346
• On PB-2OC12-ATM2-SMIR PIC, port 0 and port 1 are configured with clock source as
external, if Loss of signal (LOS) is inserted on port 0, the port 0 will be down, the
expected behavior is clock being used from port 1. But in this case, port 0 down will
results inport 1 flappingand reportingSONETphase lock loop(PLL)errors.PR1098540
• Due to the fact that the error injection rate configured by user on Routing Engine via
CLI command "bert-error-rate" may not be programmed in the hardware register, the
PE-4CHOC3-CE-SFP, PB-4CHOC3-CE-SFP, MIC-3D-4COC3-1COC12-CE, and
MIC-4COC3-1COC12-CE-Hmay fail to inject bit errors during a Bit Error Ratio Test
(BERT). PR1102630
• OnMPC-3D-16XGE-SFPP line card, when an optics (for example, 10G-LR-SFP) is
disabled and then enabled administratively, if the SFP is not temperature tolerant
(non-NEBS compliant), the TX laser may not be turned on due to the fact that the
chassisprocess (chassisd)maykeepsending the"disable-non-nebs-optics"command
to the optics if the current temperature of FPC reaches the threshold temperature.
PR1107242
• OnMX Series platform, continuous error messages might be seen on the MICs (for
10G/40G/100GMICs) fromMIC3 onwards (listed as below) when physical interface
(IFD) settings are pushed (e.g. booting the MPC). Based on the current observation,
the issue may not have any operational impact and the MICs that may encounter this
issueare listedasbelow, - 10GMICs:MIC3-3D-10XGE-SFPP,MIC6-10G,MIC6-10G-OTN,
- 40GMICs: MIC3-3D-2X40GE-QSFPP, - 100GMICs: MIC3-3D-1X100GE-CFP,
MIC3-3D-1X100GE-CXP, MIC6-100G-CXP, MIC6-100G-CFP2. PR1108769
Layer 2 Features
• With scaled subscribers connected, restarting one of MPCsmight cause subscribers
unable to log in for about 2 minutes. PR1099237
• Inascenario thatBGPbasedVPLSstitchingwithL2circuit,with "pseudowire-status-tlv"
configured under L2circuit's mesh-group, if L2circuit neighbor does not configure
"pseudowire-status-tlv", then status of "Negotiated PW status TLV" of VPLS
connection is "NO", this will cause BGP based VPLS connection can not up even the
L2circuit is up. PR1108208
MPLS
• InResourceReservationProtocol (RSVP)environment, if CoS-BasedForwarding (CBF)
for per LSP (that filter out traffic not related to that LSP) is configured, and either the
feature fast-reroute or link-protection is used on the device, when the primary link is
down (for example, turning off the laser of the link), due to some next hops of the
traffic may be deleted or reassigned to different class of traffic, and the RSVP local
Copyright © 2017, Juniper Networks, Inc.138
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
repairmay fail to processmore than 200LSPs at one time, the trafficmay get dropped
by the filter on the device before the new next hop is installed. In this situation, the
feature (fast rerouteor linkprotection)may take longer time (for example, 1.5 seconds)
to function and the traffic loss might be seen at the meantime. In addition, the issue
may not be seen if the CBF for per LSP is not configured on the device. PR1048109
• Junkcharactersarebeingdisplayed inoutputof showconnectionsextensivecommand.
PR1081678
Platform and Infrastructure
• All inline-services do not work for large FPC slot numbers on MX2020. It is due to
generic issue in receiving packets. The egress Packet Forwarding Engine instance was
chosen incorrectly. PR1012222
• VRRP advertisements might be dropped after enable delegate-processing on the
logical tunnel (lt) interface. It would result in VRRPmaster state observed on both
routers. PR1073090
• OnMXSeries-basedplatform,when learning theMACaddress fromthepseudo logical
interface (for example, label-switched interface), if the MAC address is aged out in
source FPC where the MAC got learnt, due to the delay (around 2 to 3milliseconds)
of MAC address deleting message processed in the source FPC and the egress FPC
(destination FPC of the traffic), the MAC addressmay be deleted first from the egress
Packet Forwarding Engine but get added again during these 2-3 milliseconds time
intervals (as these is continuous traffic coming on egress FPC destined to this MAC,
the MAC query is generated and send to Routing Engine and source FPC, since source
FPC has not yet processed the MAC deletedmessage, it sends the response, so stale
MACwill get added on the egress Packet Forwarding Engine), in this situation, no L2
flooding would occur for the "unknown" unicast (since the MAC address is present on
the egress Packet Forwarding Engine). PR1081881
• IfwithbothMPC/MSDPCandother typeofDPCsequipped, for local switchingatmesh
group level, split horizon on PW interfaces won't work and this would cause packets
to loop back to same PW interface. PR1084130
• In Junos OS Releases 13.3R3, 14.1R1, 14.2R1, there is a new feature, an extra TLV term
is added to accommodate the default action for the "next-interface" when the
correspondingnext-interface isdown.Whiledoingaunified ISSUfroman imagewithout
the feature to an image with this feature, all MPCsmight crash. PR1085357
• OnMX Series router, if ifl (logical interface) is configured with VID of 0 and parent ifd
(physical interface) with native-vlan-id of 0, when sending L2 traffic received on the
ifl to Routing Engine, the VID 0will not be imposed, causing the frames to get dropped
at Routing Engine. PR1090718
• OnMX2020/2010 router, anSPMBcore filewill be seen if therearebadXFchips (fabric
chip) on SFB, which might trigger Routing Engine/CB switchover. PR1096455
• OnMXSeries-basedplatform,when the typeof the IPv6 traffic is non-TCPor non-UDP
(for example, next header field is GRE or No Next Header for IPv6), if the traffic rate is
high (for instance, higher than 3.5Mpps), the packet re-orderingmayoccur.PR1098776
139Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• OnMX Series-based line cards, when the prefix-length is modified from higher value
to lower value for an existing prefix-action, heap gets corrupted. Due to this corruption,
the FPCmight crash anytime when further configurations are added/deleted. The
following operations might be considered as a workaround: Step 1. Delete the existing
prefix-action and commit Step 2. Then re-create the prefix-action with newer
prefix-length PR1098870
• In an MPLS L3VPN network with a dual-homed CE router connected to different PE
routers, a protectionpath shouldbeconfiguredbetween theCE router andanalternate
PE router to protect the best path. When BFD is enabled on the BGP session between
the CE and the primary PE router, with local traffic flowing from another CE connected
with the primary PE to this CE, after bringing down the interface on the best path, the
local repairwill be triggeredbyBFDsessiondown, but itmight fail due to a timing issue.
This will cause slow converge and unexpected traffic drop. PR1098961
• Under large-scale setup, VPLSMACmight not be aged-out from remote-Packet
Forwarding Engine when local-Packet Forwarding Engine is
MPC3/MPC4/MPC3E/MPC4E, then unknown-unicast frames flood will be seen on
local Packet Forwarding Engine. PR1099253
• When BFD or VRRP is running on amulti LU (lookup chip) Packet Forwarding Engine
(such as MPC3 or MPC4), some incoming BFD or VRRP packets might be incorrectly
evaluated by a firewall filter configured on a loopback interface of a different logical
systemor routing instance.Therefore, packetsmightbeunexpectedlydiscarded leading
to session/mastership flaps. PR1099608
• OnMX Series-based platform, before creating a new unilist nexthop, there is a check
to see if there is at least 512k DoubleWords (DW) free. So, even the attempting NH
requires only a small amount of memory (for example, < 100 DWs), if there is no such
enough free DWs (that is, 512k), the checkwill fail and the end result is that the control
plane will quit adding this NH prematurely - stopping at ~80% of capacity. With the
fix, it will check for 64k free DWswhich is lower reference watermark for available
resource, thereby ensuring that can allocate resource. PR1099753
• Large scaled inline BFD session (in this case, 6000 inline BFD sessions) are loaded
with theminimum-interval value 50ms. If FPC restarts, someBFD sessionsmight flap.
PR1102116
• OnMPC3E/MPC4E line card, when the feature "flow-detection" is enabled (under
"ddos-protection" hierarchy), if suspicious control flow is received, two issues may
occur on the device: Issue 1: sometimes, the suspicious control flowmay not get
detected on the line cards Issue 2: once the suspicious control flows are detected, they
may never time out even if the corresponding packets stop. PR1102997
• On T4000 platformwith FPC Type-5 equipped, after performing unified ISSU, due to
the fact that only 6 out of 16 temperature sensors may get initialized, the temperature
reading for the line card may be shown as "Absent". PR1104240
• Any configuration or logical interface (IFL) change will introduce 160 bytes memory
leak onMPC heapmemorywhenwe have any type of inline sampling configured (ipfix
or version 9). Only trigger of issue is the configuration of inline sampling, even without
traffic being sampled. The leak is more evident in a subscriber management scenario
Copyright © 2017, Juniper Networks, Inc.140
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
whenwehavemany IFLaddition/deletion.RebootingMPC inacontrolledmaintenance
window is the only way to restore memory. PR1105644
• OnMX Series-based platform, in MX Series Virtual Chassis (MXVC) environment, if
the subscriber logical interface (IFL) index65793 is created (for example,whencarrying
15K DHCPv4 subscribers to exceed IFL index creation 65793) and the IEEE 802.1p
rewrite rule is configured (for example, using CoS rewrite rules for host outbound
traffic), due tousageof incorrect IFL index, theVirtualChassisControlProtocolDaemon
(vccpd) packets (for example, Hello packets) transmission may get lost on all VC
interfaces, which may lead to VC decouple (split brain state, where the cluster breaks
into separate parts). As a workaround, either delete the rewrite rule (delete
class-of-service host-outbound-traffic ieee-802.1 rewrite-rules), or find the IFL in jnh
packet trace that is not completing the vccpd send to other chassis and at Routing
Engine clearing that subscriber interface may resolve the issue. PR1105929
• When "shared-bandwidth-policer" is configured with aggregate Ethernet (AE) has
more than onemember link on the same Packet Forwarding Engine and the policer is
configuredwith "physical-interface-policer" configuration statement, if reconfiguration
occurs (for example, adding/deleting new logical units, logical interface flap...), Packet
Forwarding Engine may problemwrong policer during this reconfiguration process,
which could ultimately lead to unexpected packet drop/loss within the referenced
wrong shared policer. PR1106654
• When a common scheduler is shared bymultiple scheduler maps which applies to
differentVLANsofanAggregatedEthernet (AE) interface, if theconfigurationstatement
"member-link-scheduler" is configured as "scale", for some VLANs, the scheduler
parametersare incorrectly scaledamongAEmember links.Asaworkaround,weshould
explicitly configure different schedulers under the scheduler maps. PR1107013
• Due to a software defect found in 13.3R7.3 and 14.1R5.4 inclusively, Juniper Networks
strongly discourage the use of Junos OS software version 13.3R7.3 on routers with
MQ-based MPC. This includes MX Series with MPC1, MPC2; all mid-range MX Series.
PR1108826
• DHCPEndoptions (option255) ismissingbyDHCP-relayagent (where20bytesDHCP
options82 inserted) for clientDHCPdiscovermessagewith 19bytespadding.PR1110939
• OnMX Series-based FPC, when MPLS-labled fragmented IPv6 packets arriving at PE
router (usually seen in 6PE and 6VPE scenario), the Packet Forwarding Engine might
mistakenly detect such IPv6 header and then drop these packets as "L3 incompletes"
in the output of "show interface extensive". PR1117064
• OnMXSerieswithMPCs/MICs based line card, the firewall filtermay have some issues
whenmatchingonAuthenticationHeader (AH)protocol. This canaffectVRRP(among
others) when authentication is used, and an Routing Engine firewall filter is matching
on protocol AH. As a workaround, we can change the filter to match on other criteria
(e.g. source or destination address). PR1118824
141Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Routing Policy and Firewall Filters
• On the platform that M7i/M10i with enhanced CFEB, M320 with E3-FPC, M120, and
MXwith DPC, when the flood filter is configured in VPLS instance on the Packet
ForwardingEngine, if thePacketForwardingEngine receivesa filter change(forexample,
FPC rebootoccurandcomesup), the linecardmay fail toprogramthe filter.PR1099257
Routing Protocols
• In BGP environment, when configuring RIB copy of routes from primary routing table
to secondary routing table (for example, by using theCLI command "import-rib [ inet.0
XX.inet.0]") and if the second route-table's instance is type "forwarding", due to the
BGP routes in secondary routing table may get deleted and not correctly re-created,
the routes may be gone on every commit (even commit of unrelated changes). As a
workaround, for re-creating theBGP routes in secondary route table, useCLI command
"commit full" to make configuration changes. PR1093317
• With this change, the default label hold timer was increased for 10 seconds to 60
seconds. PR1093638
• When a BGP session supports multiple address families, the inactive route of some of
the address families might not be flushed correctly, leading to wrong behaviors for
some of the features which need to advertise inactive routes(e.g. advertise-inactive,
advertise-external, optimal-route-reflection, etc). PR1097297
• When polling SNMPOID isisPacketCounterTable 1.3.6.1.2.1.138.1.5.3, the rpd process
might crash. PR1101080
Services Applications
• When an MX Series router configured as an LNS sends an Access-Request message
toRADIUS for anLNSsubscriber, theLNSnow includes theCalled-Station-ID-Attribute
when it receives AVP 21 in the ICRQmessage from the LAC. PR790035
• With scaling Layer 2 Tunneling Protocol (L2TP) sessions (for example, 128k sessions),
when executing L2TP "show" command in one terminal and "clear" command in
another terminal simultaneously, pressingCtrl-Cor closing the terminal onone terminal
might cause the jl2tpd process to crash. PR1063207
• Withmajority of L2TP subscribers login with invalid credentials (75% of new login
requests are invalid), low call setup rate (CSR) will be observed for the good login
attempt subscribers. PR1079081
• OnM Series platform, in Layer 2 Tunneling Protocol (L2TP) network server (LNS)
environment, not all attributes (Missing NAS-Identifier, NAS-Port-Type, Service-Type,
Framed-Protocol attributes) within Accounting-Request packet are sending to the
RADIUS server. PR1095315
• SIP one way audio calls when using X-Lite SIP Softphone, in case that SIP media is
switched to another media gateway though a SIP RE-Invite message PR1112307
Copyright © 2017, Juniper Networks, Inc.142
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Software Installation and Upgrade
• Add "on <host>" argument to "request system software validate" to allow validation
on a remote host/Routing Engine running Junos OS. PR1066150
Subscriber Access Management
• If authentication-order is configured as none under access profile and domain-name
servers (DNS) are configured locally under access profile, then the subscriberwill login
but will not get DNS addresses which were configured locally. PR1079691
• In scaled DHCP subscribers environment, the authd processmight crash and generate
a core file after clearing DHCP binding or logout subscribers. PR1094674
VPNs
• In Internet multicast over an MPLS network by using next-generation Layer 3 VPN
multicast (NG-MVPN) environment, when rib-groups are configured to use inet.2 as
RPF rib for Global Table Multicast (GTM, internet multicast) instance, the ingress PE
may fail to add P-tunnel as downstream even after receiving BGP type-7 routes. In
addition, this issue only affects GTM. PR1104676
Resolved Issues: Release 13.3R7
• Class of Service (CoS) on page 144
• Forwarding and Sampling on page 145
• General Routing on page 145
• Infrastructure on page 148
• Interfaces and Chassis on page 149
• Layer 2 Features on page 151
• MPLS on page 152
• Network Management and Monitoring on page 152
• Platform and Infrastructure on page 153
• Routing Protocols on page 156
• Services Applications on page 158
• Software Installation and Upgrade on page 159
• Subscriber Access Management on page 159
• VPNs on page 159
143Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Class of Service (CoS)
• When the egress rewrite rules are assigning to both the underlying interface and the
subscriber interface, the rewrite rule applied to the underlying interface may take
precedence and the priority values are applied as set at that level, which is wrong. The
rewrite rule applied to the subscriber interface should take effect over the underlying
interface. PR1058372
• Forwarding class accounting stops working after Routing Engine switchover. This
behavior has been corrected in Releases 13.3X2,13.3R6, 13.3R7, 14.1R5, 14.2R3, and 15.1.
Issue comes when MPC reboots for any reason with forwarding-class-accounting
configured on AE/AS interface. In forwarding-class-accounting feature, counters are
allocated based on number of forwarding classes configured in MPC. In error case on
MPC reboot, AE interface is getting createdbefore themessage for configuring number
of forwarding classes in MPC comes. As a result, while enabling
forwarding-class-accounting feature on AE interface, number of forwarding classes
value in MPC is 0, and counters are not allocated causing issue. Cause: Race condition
whenonMPC rebootAE interface getting createdbefore number of forwarding classes
areconfigured. Fix:Whennumberof forwardingclassesaresetafterMPCreboot, check
for any AE interface with forwarding-class-accounting configured and reprogram it.
PR1060637
• Add chassis schedulermap support on gr interface onMS-PIC, whichmeans therewill
be no commit error if scheduler-map-chassis is applied on gr interface. PR1066735
• 1. With "hierarchical-scheduler" configured at IFD level 2. Under class-of-service
hierarchy "output traffic control profile" configured at "interface-set" as well as IFD
level, for the same IFD/IFL. With the above two conditions met, when a Junos OS
upgrade is performed on a dual Routing Engine system, the configuration validation
check would fail on the Routing Engine that is upgraded later with the following error
message. Error message: "cannot configure a traffic control profile for this ifl when a
parent has a traffic control profile that references a scheduler map: ifl xe-11/0/0.5000
refers to traffic-control-profile TCP_PE-CE_30M. It is also amember of interface set
xe-11/0/0_OTag=80whichhas traffic-control-profileTCP_PE-CE_80Mwhich references
scheduler-mapSM_PE-CE"conditon-1: lab-re1>showconfiguration interfacesxe-11/0/0
{ hierarchical-scheduler; <<< Condition-2: lab-re1> show configuration interfaces
interface-set xe-11/0/0_OTag=80 { interface xe-11/0/0 { <...>; } } lab-re1> show
configuration class-of-service interfaces interface-set xe-11/0/0_OTag=80 {
output-traffic-control-profile TCP_PE-CE_80M; <<< } <..> xe-11/0/0 {
output-traffic-control-profile TCP_Maxbuff; unit 5000 { output-traffic-control-profile
TCP_PE-CE_30M <<< } } PR1069477
• Starting from Junos OS Release 12.3R1, on MX Series platform configured for IP
network-services (default) and with MS-DPC/Tunnel-Interface, virtual-tunnel (vt)
interfaces are created automatically to support ultimate-hop-popping upon enabling
"protocol rsvp". These interfaces are associated with default IP and MPLS classifiers
along with MPLS re-write rule. When "protocol rsvp" is disabled/enabled or
MS-DPC/FPC(with tunnel-service) restarts, the vt interfacesaredeletedand re-added
to the system. However during the deletion, these interfaces are not getting released
from cosd process and thus leads to memory leak in cosd. PR1071349
Copyright © 2017, Juniper Networks, Inc.144
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Forwarding and Sampling
• OnMX Series platform, when deleting firewall filter and the routing instance it is
attached to, in some race conditions, the filter might not be deleted and remains in
resolved state indefinitely. PR937258
• OID .1.3.6.1.2.1.2.2.1.2 stops respondingafter upgrading JunosOS from11.4X27 to 13.3R5.9.
PR1072841
• In some rare cases, SNMPmight get Output bytes of Local statistics instead of the
Traffic statisticswhen retrievingOutput bytes of Traffic statistics on a logical interface.
PR1083246
• In rare cases, SSHor telnet trafficmight hit incorrect filter related toSCU (SourceClass
Usage) due to the defect in kernel filter match. This issue comes when the filter has
match condition on source class ID. PR1089382
General Routing
• Changing the static route configuration from next-hop to qualified-next-hopmight
result in static route getting missed from the routing table. Restarting routing process
can bring back the routes but with the rpd core. PR827727
• In the large scaled dual stack PPPoE subscribers environment (in this case, 16k dual
stack PPPoE subscribers), when IPv6 router-advertisement is configured for common
edge IPv6 subscribers, if flapping dual stack PPPoE subscribers multiple times, in rare
condition the rpd process might crash. The routing protocols are impacted and traffic
disruption will be seen due to loss of routing information. PR934081
• On dual Routing Engine platforms, after performing unified graceful Routing Engine
switchover (GRES) with 8K subscribers, the ksyncd process may crash due to the
replication error on a next hop change operation. The issue is hit when there'smemory
pressure condition on the Routing Engine and in that case, it may lead to null pointer
de-reference and ksyncd crash. Or in some case, the kernel on the newmaster Routing
Enginemight crash after Routing Engine switchover if Routing Engine is undermemory
pressure due to missing null check when trying to add a next hop and the next hop is
not found at the time. PR942524
• In point-to-point (P2P)SONET/SDH interfaceenvironment, there is adestination route
with this interface as next-hop. When this interface is disabled, the destination route
is still kept in the forwarding table andmight cause ping fails with "Can't assign
requested address" error. PR984623
• 'gratuitous-arp-on-ifup' shouldsendagratuitousarponeachunitofaphysical interface,
but inRelease 12.3 and later versions, only the first unit is seeing theconfiguredbehavior.
PR986262
• When there are no services configured, datapath-traced daemon is not running. In the
PIC, the plugin continues to try for the connection and continuous connection failure
logs are seen. PR1003714
• Whenever the logical tunnel (lt-) interfacewith IPv6 family configured goes down and
comes up upon hardware initialization (MPC/FPC replacement/reboot or chassis
reboot), due to Duplicate Address Detection (DAD) functionality not being performed
145Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
for the logical interface (IFL) up/down event, the "lt-" interface may get stuck in
"tentative" state and thus IPv6 traffic cannot pass over it. PR1006203
• A raw IP packet with invalid Memory Buffer(mbuf) length may trigger a kernel crash.
The invalid mbuf length might be set by other daemons incorrectly. PR1006320
• DuringWAN Link flaps , ASIC streams in the Packet Forwarding Engines are
disabled/enabled on the fly when traffic is inflight. This is normal and will result in the
Cell drops, PKTR ICELL signature errors, and SLOUT errors. However under certain rare
conditions, Lout IP -Pkt Len Mismatch error is observed which sometimes triggers
automatic restart of the FPC. On TXP, TXP-3D in FPC Type 4-ES can experience
automatic restart during wan interface flaps. PR1013522
• Configuring a routing policy with the "no-route-localize" option to ensure that the
routes matching a specified filter are installed on the FIB-remote Packet Forwarding
Engines , after removing the routing policy and changing the next-hop for the routes,
the previously installed routes using "no-route-localize" policy will not get removed
fromPFE 1 but will fromPFE 0 on the same FPC. Then traffic received on PFE 1 will not
forward received packets to the FIB-local Packet Forwarding Engines to perform full
IP table lookup but using the staled routes instead. This situation does also apply if
the interface is getting disabled. If traffic destined to the local-address is still received
on PFE 1, those stale route lookup entries might have incorrect entries andmight lead
tooneof the followingpossible symptoms. fpc1 RCHIP(1): 8Multicast list discard route
entries fpc1 Packet Forwarding Engine: Detected error nexthop: fpc1 RCHIP(1): RKME
int_status 0x10000000 RKME and Detected error nexthop will per default will trigger
a FPC restart PR1027106
• OnMPC5E line card, if a firewall filter with large-scale terms (more than 1300 etc.) is
attached to an interface, traffic dropmight be seen. PR1027516
• On the Type 5 PIC, when the "hold-time down" of the interface is configured less than
2 seconds and the loss of signal (LOS) is set and cleared repeatedly in a short period
(for example, performing ring path switchover within 50ms), the "hold-time down"
may fail to keep the interface in "up"statewithin theconfigured timeperiod.PR1032272
• OnMX Series router with MPC3E/MPC4E/MPC5E/MPC6E or T4000with FPC type 5,
when these cards are processing packets in size between 133B-148B, in some very
corner cases, traffic blackhole might be seen. PR1042742
• When querying specific entries of the JUNIPER-SUBSCRIBER-MIB, memory leak may
occur on the smihelperdprocesswhichprovides thenecessary informationoverSNMP.
PR1048469
• In the PPP dual-stack subscribers environment, in rare condition, if bringing up 1000
dual-stack subscribers quickly, the PPP negotiation might fail. Then PPP retries
negotiation, all subscribers fully establish. PR1050415
• OnMXSeries routers, the interrupt-drivenbasis linkdowndetection (an interrupt-driven
link-down notification is generated to trigger locally attached systems to declare the
interface down within a fewmilliseconds of failure) may fail after performing unified
in-service software upgrade (ISSU). The interrupt might have been prevented after
performing unified ISSU due to disabling the interrupt registers before unified ISSU,
but never restored after. PR1059098
Copyright © 2017, Juniper Networks, Inc.146
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• In an IPsec load-balancing environment using MS-MPC cards, the ICMP request and
ICMP reply can go through two different IPsec tunnels due to asymmetric routing; that
is, ICMP request goes through one PIC, and ICMP reply goes through another PIC.
Because of this, the ICMP reply will get dropped and never reach the other side of the
IPsec tunnel. PR1059940
• Due to incomplete fix, in releases containing PR869773 fix, rate limit drops are seen
for Ingress queuing even though rate-limit is not configured or supported for ingress.
PR1061256
• If Bidirectional Forwarding Detection (BFD) protocol is enabled via site-to-site IPsec
tunnel, the BFD session may fail to come up. It is because, when the BFD protocol is
trying to exchange the packet via IPsec tunnel, the value of the TTL in inner IP header
for packet may be decremented, hence the BFD packet gets dropped on the peer side
and no BFD session would come up. PR1061342
• With inline L2TP IP reassembly feature configured, the MX Series routers with
MPCs/MICs might crash due to amemory allocation issue. PR1061929
• If a subscriber-facing AE interface has child links which spread over multiple Packet
Forwarding Engines on a single FPC, when subscribers attempt to login, "LUCHIP
Congestion Detected" error messages will be seen periodically and there might be
some potential forwarding issues for subscribers. PR1069292
• If there are application-sets matching conditions in the NAT rule, NAT port might leak
after deleting applications under application-set in live network. PR1069642
• In subscriber management environment, changing the system time to the past (for
example, overoneday)maycause thedaemons (for example, pppoed, andautoconfd)
that use the time to become unresponsive. PR1070939
• Higher baseline CPU utilization and periodic CPU spikes might be seen on MX-based
MPC as compared to MPC-3D-16XGE-SFPP cards due to following reasons: On
MX-based MPC, low priority threads that monitor various things in the background on
a periodic basis such as voltage, temperature, stats counters, hardware status, and so
on are exited. When the system is idle these threads are allowed to take more of the
load and that is why higher baseline CPU/CPU spikes are seen. This does not prevent
other higher priority threads from running when they have to, as these are non-critical
activitiesbeingdone in thebackgroundandhence is anon-impacting issue.PR1071408
• The dfwd processmight crashwhen kernelmessages for objects such as IFL or IFF are
sent to the dfwd process soon after its dynamic profile delete request. This is a race
condition. PR1074068
• During unified ISSU on MX-VC working as an LAC, few HELLO packets from LNSwill
go unanswered, which might cause L2TP tunnel to get torn down. PR1074991
• In scaledsubscribermanagementenvironment (for example, 3.2KPPPoEsubscribers),
after heavy login/logout, the session setup rate keeps decreasing and also PAP-NAK
messages are sent with "unknown terminate code". This continues till Broadband
NetworkGateway(BNG)doesnotacceptPPPsessionsandall newly incomingsessions
are stuck in PAP Authentication phase (No PAP ACK received). PR1075338
147Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• For Network Address Translation (NAT), Traffic Detection Function (TDF), or IPsec
service configured on MX Series platformwith MS-MPC/MS-MIC, the received
fragmented IPv4/IPv6 packets will be re-assembled and sent out. Under scaled
environment, the mspmand process might crash while MS-MPC/MS-MIC is under
process of assembling the fragmented packets. PR1075454
• When a router with AMS infrastructure has MAC flow control enabled, the continuous
fragmented packetsmight crash theNPUandmspmandprocess (whichmanages the
Multi-Services PIC). PR1076033
• If RTSP(RealTimeStreamingProtocol)ALGhasbeenconfigured,MS-MICmight crash
with core-file in scaled application layer traffic environment. PR1076573
• OnMXSeries, theCLI command set interfaces interface-namespeedauto-10m-100m
is not supported. PR1077020
• In subscriber management environment, the PPP daemon (jpppd) might crash
repeatedly due to amemory double-free issue. PR1079511
• The "inactivity-timeout" configuration statement under the [edit applications
applicationapplication-name]hierarchydoesnot takeeffect forTCP-basedprotocols.
PR1080464
• The rpd process might crash on both master and backup Routing Engines when a
routing instance is deleted from configuration if the routing instance is cleaned up
before the interface delete is received from device control daemon (dcd). This is a rare
timing issue. PR1083655
• OTN based SNMP Traps such as jnxFruNotifOperStatus and
jnxIfOtnNotificationOperStatus are raised by offline/online MIC although no OTN
interface is provisioned PR1084602
• In some rare conditions, depending on the order in which configuration steps were
performed or the order in which hardware modules were inserted or activated, if PTP
master and PTP slave are configured on different MPCs on MX Series router acting as
BC, itmight happen that clock is not properly propagated betweenMPCs. This PR fixes
this issue. PR1085994
• Log reports "LUCHIP(0) RMC 0 Uncorrectable ECC 0x6db6db6d6db6db6d" and
"PLCT INT_STAT0x00000001 InvalidDMEMAddress". TheFPCmay loseconnections
and need to be rebooted to clear the condition. PR1086557
• Wrong ESH checksum computation with non-zero Ethernet Padding in Juniper MX
Series router. PR1091396
Infrastructure
• On all Junos OS platforms, when the gstatd triggers false positives, this would result
in unnecessary Routing Engine switchover. Thus a configuration option is added to
prevent gstatd from initiating a Routing Engine unnecessary switchover or a Routing
Engine relinquishing themastership. FollowingErrormessagesareexpected tobeseen:
gstatd: [ad2] average write duration of 1021.34 crossed threshold of 1000.00 /kernel:
mastership: routing engine 1 relinquishing as master: voluntarily requested. PR1024515
Copyright © 2017, Juniper Networks, Inc.148
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• When the Ethernet Link Fault Management (LFM) action profile is configured, if there
are some errors (refer to the configuration, for example, frame errors or symbol errors)
happening in the past (even a long past), due to the improper handling of error stats
fetching fromkernel, the LFMprocess (lfmd)may generate false event PDUs and send
the false alarm to the peer device. PR1077778
Interfaces and Chassis
• Multicast traffic may not be forwarded to the "Downstream Neighbors" as reported
by the command "show pim join extensive". There can be occasions where this traffic
is blackholed and not forwarded as expected. Alternatively, there may be an occasion
where multicast traffic is internally replicated infinitely, causing one or more of the
"Downstream Neighbors" to receive multicast traffic at line rate. PR944773
• PR fix corrected jnxoptIfOTNPMFECIntervalTimeStamp, jnxPMIntTimeStamp, and
jnxoptIfOTNPMIntervalTimeStamp reporting incorrect values around sytem-local
midnight time as reported in PR 1065110. It also corrected the “SNMP PM Interval -
incomplete date and time format without UTC offset”. PR946014
• OnMX Series based line cards, in virtual private LAN service (VPLS) environment, the
next hop in the kernel allocated by connectivity-fault management process (cfmd)
may not be freed even after the CFM session has been removed (for example,
deactivating the routing-instance). In this situation, after re-activating the
routing-instance, the interfacewithin the routing instancewould fail tocomeupbecause
the nexthop is not freed by the cfmd application and hence the VPLS connection is
down. PR1000060
• On standalone T Series router or TX platform, during Routing Engine rebooting, a bad
(or busy) I2C device on Switch Interface Board (SIB) might cause Switch Processor
MezzanineBoard (SPMB) tocrash.Pleasenote theTXPplatformmightalsoexperience
same issue due the bad I2C, and it has been addressed in another PR, which has been
fixed in Junos OS Releases 13.1R5, 13.2R6, 13.3R1, 13.3R4, 14.1R3, 14.2R1, and 15.1R1.
PR1010505
• In Virtual Router Redundancy Protocol (VRRP) environment, after restarting the FPC,
due to the Router Advertisement (RA) deletion is being incorrectly sent to routing
protocol process (rpd) by VRRP process, the ICMPv6may not be activated on the
corresponding interfaces on the router that is acting as the master. In this case, no RA
message could be sent out. PR1051227
• There is amismatch inmac statistics, few framesgounaccounted. This is a day-1 issue.
With the software fetching ofmac statistics, the snap and clear bits were set together
on pm3393 chip driver software, so it used to so happen that even before the copy of
stats to shadow registers happened, clear was happening which used to go
unaccounted. Now rollover mechanism has been implemented and tested for 2
continuous days and everything is fine. PR1056232
• WhenadynamicPPPoEsubscriberwith targeted-distributionconfiguredonadynamic
vlan demux interface over aggregated Ethernet, the device control daemon (dcd)
processmight crash during a commit if the vlan demux hasmistakenly been removed.
The end users can'not go to the Internet after the crash. This is a rare issue and not
easy to be reproduced. PR1056675
149Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• It is observed that the syslogmessages related to kernel andPacket ForwardingEngine
may get generated at an excessive rate, especially in subscriber management
environment. Most of thesemessagesmay appear repeatedly, for example,more than
1.5 million messages may get recorded in 2 hours, and there are only 140 unique
messages. Besides, these messages are worthless during normal operation and due
to the excessive rate of log generation, high Routing Engine CPU consumption (for
example, RoutingEngineCPUutilization canbe stuckat 100%for a long time (minutes
or hours), it depends on the activity of subscribers (frequency of logins and logouts)
and on the AI scripts used by the customer) by event process (eventd) might be
observed on the device. PR1056680
• OnMX Series platform, when ACI VLAN interface sets are configured for PPPoE
subscribers, PPPoE process (pppoed) crashmay occur during PPPoE control packet
processing when the ACI VLAN interface set needs to be created. If this pppoed crash
is seen, then theACI VLAN interface setwill not be created andPPPoE subscriber login
will not make progress. There is no workaround for this issue and an upgrade to a
release that includes the fix for this PR is recommended. PR1057343
• In Multichassis link aggregation groups (MC-LAGs) environment, the MC-LAG peers
have theMACandport information and can forward the traffic appropriately. If a single
VLAN on ICL interface ismodified to a different VLAN, and then the administrator rolls
back the VLAN configuration to the original one, the remoteMACmight be stuck in the
"Pending" state and not be installed in the bridge MAC-table, which causes the traffic
forwarding to be affected. PR1059453
• In scaling PPP subscriber environment, when the device is under a high load condition
(for example, high CPU utilization with 90% and above), the long delay in session
timeout may occur. In this situation, the device may fail to terminate the subscriber
session (PPPor PPPoE) immediately after three LinkControl Protocol (LCP) keepalive
packets are missed. As a result, subscriber fails in reconnect due to old PPP session
and corresponding Access-Internal route are still active for some time. In addition to
this, it is observed that the server is still sending KA packets after the session timed
out. PR1060704
• OnMX Series routers, INET MTU (PPP payload MTU, that is IP header plus data
excluding any L2 overhead) is being set to lowest MRU of either MX (local device) or
peer. This behavior is not inline with ERX behavior, which is set tomin(local MTU, peer
MRU). This might cause the packet drops in the customer network in the downstream
path. PR1061155
• Error message is continuously logged every second after a particular copper-SFP
[P/N:740-013111] is plugged into a disabled port on MIC. ***** error message ****
mic_sfp_phy_program_phy: ge-*/*/* - Fail to init PHY link mic_periodic_raw: MIC(*/*)
- Error in PHY periodic function PQ3_IIC(WR): no target ack on byte 0 (wait spins 2)
PQ3_IIC(WR): I/O error (i2c_stat=0xa3, i2c_ctl[1]=0xb0, bus_addr=0x56)
mic_i2c_reg_set - write fails with bus 86 reg 29mic_sfp_phy_write:MIC(*/*) - Failed to
write SFP PHY link 0, loc 29mic_sfp_phy_mdio_sgmii_lnk_op: Failed to write: ifd = 140
ge-*/*/*, phy_addr: 0, phy_reg: 29 ala88e1111_reg_write: Failed (20) to write register:
phy_addr 0x0, reg 0x1d Fails in function ala88e1111_link_init PR1066951
Copyright © 2017, Juniper Networks, Inc.150
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• In PPPoE over AE subscribers management scenario, if "targeted-distribution" is
enabled for subscribers IFL, the dcd process might crash and reboot when try to
deactivate the AE interface. PR1067062
• OnMX Series Virtual Chassis (MX-VC) platform, due to a timing issue, the physical
interface (ifd) on the sameModular Interface Card (MIC) with Virtual Chassis port
(VCP)might not be created or take a very long time to be created after reboot the
hosted Modular Port Concentrator (MPC). PR1080032
• The VRRP preempt hold time is not being honored during NTP time sync and system
time is changed. PR1086230
• When an interface onSFPPmodule inMIC is set to disabled, after pulling out the SFPP
and then inserting it, the remote direct connected interfacemight get up unexpectedly.
PR1090285
Layer 2 Features
• The routingprotocolprocess (rpd)mightcrashunderaconditionwhentheconfiguration
statement "bum-hashing" is added and deleted frequently. PR936678
• If the ppmd does not send replies to lacpd's periodic request to gather port statistics,
the lacpd process may crash and restart due to the process memory consumption
being slowly increased and finally reaching RLIMIT_DATA value which is 128MB.
PR1045004
• The Layer 2 Control Protocol process (l2cpd) leaks memory when interface
configuration is applied to LLDP-enabled interfaces using 'apply-groups'. Size of the
leak is ~700 bytes per commit. PR1052846
• After change the way of getting site ID of VPLS from fixed site-id to automatic-site-id
on one site while other sites are still using the fixed site-id in the network, the rpd
process might crash due to the site ID get by "automatic-site-id" may conflict to site
ID which was configured as fixed site ID on other sites. PR1054985
• There are two issues reported. The first issue is bridge domain (BD) implicit filters for
Ethernet ringprotection switching (ERPS),which control the ring automatic protection
switching (RAPS)message forwarding, might get reprogrammedwith wrong logical
interface (ifl) index after rebooting the FPC, and thus cause the device to fail to receive
any ERPSpackets. The second issue is the ERPS statemaybe stuck in the Local Signal
Failure (SF) state when an FPC having an ERP interface is rebooted. PR1070791
• LACP partner system ID is shown wrong when the AEmember link is connected to a
differentdevice,whichmightmisguidewhile troubleshooting theLAG issues.PR1075436
• OnMXSeries routers,whenconfiguring thedynamicaccess routes forDHCPsubscribers
based on the Framed-Route RADIUS attribute, the access route may be created on
the device, however, the framed routes may not be installed for subscriber interface
(under the "Family Inet Source Prefixes"). PR1083871
• MTUchange is not advised on the Ethernet ring protection (ERP) ring interfaces unless
ring is in idle condition. Changing ring interface MTUwhile ring is not in idle state may
151Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
result in change in the forwarding state of the interface and which can lead to loop in
the ring. PR1083889
• During interface flaps a high amount of TCN (Topology Change Notification) might
get propagated causing other switches to get behind due to high amount of TCN
flooding. This problem is visible after the changed done from 11.4R8 onwards which
propagates TCN BPDU immediate and not in the pace of the 2 second BPDU Hello
interval to speed up topology change propagation. The root cause is the TCNWHILE
timer of 4 seconds is always reset upon receiving TCN notifications causing the high
churn TCN propagation. PR1089580
MPLS
• WithBGPprefix-independent convergence (PIC) edge feature enabled,more thanone
BGP next-hop association will be installed in the Packet Forwarding Engine for MPLS
VPNand Internet transit traffic. Deactiving/activating the IGPprotocol (IS-IS orOSPF)
might cause thebackupsession to staydownonPacket ForwardingEngine.PR1058190
• When fast-reroute, node-link-protection, or link-protection is configured, if a Shared
Risk Link Group (SRLG) is associated with a link used by an LSP ingressing at a router,
then on deleting the SRLG configuration from the router, the SRLG entry still stays in
the SRLG table even after the re-optimization of this LSP. PR1061988
• This is a regression issue on all Junos OS operating systems related to a timing factor.
When LDP session flaps, overwhich entropy label TLV or any unknownTLV is received,
the LDP speaker might not send label withdraw for some prefixes to some neighbors.
Asa result, theseneighborswill still use stale labels for theaffectedprefixes.PR1062727
• Bypass enabled with optimize-timer will flap during every re-optimization event.
PR1066794
• WhenCSPF computes the path for node-protected bypass, it considers only the SRLG
group configured on next-hop interface along the primary path. However it does not
consider the SRLG group on next-to-next-hop interface to adequately provide diverse
path between primary and node-protected bypass. PR1068197
• When a primary LSP gets re-routed due to better metric, Link/Node protection for this
LSP is expected to come up within 7 seconds provided the bypass-lsp protecting the
next-hop link/node is already available. However in some corner cases, the Link/Node
protection for re-routed primary LSP will not come up within 7 seconds even with
bypass-lsp availability. The PR fixes this issue and reduces the delay of associating
bypass-lsp with primary-lsp from 7 seconds to 2 seconds. PR1072781
• In scaled l2circuits environment, the rpd processmight crash due to a corruption in the
LDP binding database. PR1074145
• In race conditions, the rpd process on backup Routing Engine might crash when BGP
routes are exported into LDP by egress-policy and configuration changes during the
rpd process synchronizing the state to backup rpd process. PR1077804
Network Management andMonitoring
• In some raceconditionswith firewall filters change, it is possible that themib2dprocess
receives a newMX Series filter ADD event before it learns about a non-MX Series filter
Copyright © 2017, Juniper Networks, Inc.152
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
DELETE event for the same filter index. Themib2d process will crash due to this.
PR1057373
• SNMPqueries for LAGMIB tableswhile LAGchild interface is flappingmaycausemib2d
grow in size and eventually crash with a core file. Mib2d will restart and recover by
itself. PR1062177
Platform and Infrastructure
• On routers with 64-bit Junos OS, Error message generated bymountdmight be seen:
"can't delete exports for /packages/mnt/jbase: Bad address" PR991814
• This issue happens as a result of incorrect programming in Packet Forwarding Engine
whendoing configuration changes related to irb interfaceor bridge-domain.PR995202
• In EVPN scenario, MPCmay crash with core-dumpwhen any interface is deleted and
add that interface to an aggregated Ethernet bundle or changing the ESI mode from
all-active to single-active. PR1018957
• LSI logical interface input packet andbyte stats are also added to core logical interface
stats, but when the LSI logical interface goes down and the core logical interface stats
are polled, there is a dip in stats. The fix is to restore LSI logical interface stats to core
logical interface before deleting the LSI logical interface. PR1020175
• OnMX Series, recurring LMEM data errors might cause a chip wedge. PR1033660
• The Priority code point (PCP) andDrop eligible indicator (DEI) bit in 802.1Q header are
preserved while packet gets routed within the same Packet Forwarding Engine . The
expectedbehavior is resetting thePCPandDEIbitwhen thepacket is routed.PR1036756
• MSDPC-HTTP redirect stops working. PR1039849
• For aRoutingMatrix, if differentRoutingEnginemodelsareusedonswitch-cardchassis
(SCC)/switch-fabric chassis (SFC)and line-cardchassis (LCC) (for example,RE-1600
onSCC/SFCandRE-DUO-C1800onLCC),where theout-of-band(OoB)management
interfaces are named differently (for example, fxp0 on SCC/SFC Routing Engine and
em0 on LCC Routing Engine), then the OoBmanagement interface configuration for
LCC Routing Engine will not be propagated from SCC/SFC Routing Engine during
commit. PR1050743
• On theMXSeries-based line cards, if inlineNetworkAddressTranslation (NAT) service,
Generic Routing Encapsulation (GRE) tunneling and packets fragmentation are
performed on the same Packet Forwarding Engine (specifically, after NAT, the packet
go to tunnel and then to fragmentation), the fragmented packetsmay get dropped by
FTP client due to the incorrect TCP checksum of the fragmented packet. PR1051144
• Under very rare situations, Packet Forwarding Engines on the following linecards, as
well as the compact MX80/40/10/5 series, may stop forwarding transit traffic: -
16x10GEMPC - MPC1, MPC2 This occurs due to a software defect that slowly leaks
the resources necessary for packet forwarding. Interfaces handled by the Packet
Forwarding Engine under duress may exhibit incrementing 'Resource errors' in
consecutive output of 'show interfaces extensive' output. A Packet Forwarding Engine
reboot via the associated linecard or chassis reload is required to correct the condition.
PR1058197
153Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• With the configuration "extend-size", if user loads and commits scaled configuration
(in this case, 250K Unique Prefix list policy options), then deletes the configuration
statement "extend-size", the dfwd process might crash. PR1058579
• After committing the Network Time Protocol (NTP) configuration, if the number of
routing-instances per source-address exceeds 18, it may cause NTP daemon (ntpd)
crash. In this scenario, the NTP feature may not be functional. For example there are
19 routing-instance names per source address statement in the sample configuration
below. ntp { server X.X.X.X; source-address X.X.X.X routing-instance [ X1 X2 X3 X4 X5
X6 X7 X8 X9 X10 X11 X12 X13 X14 X15 X16 X17 X18 X19 ]; (19 routing-instance names) }
PR1058614
• WhenMX Series platform acts as Virtual Extensible Local Area Network (VXLAN)
gateway, if there are multiple Packet Forwarding Engines, VXLAN packets will be
distributed to available Packet Forwarding Engines in the chassis to perform VXLAN
encapsulation/decapsulation. This is not expected (Expect behavior: VXLAN packet
processingwill be doneon the samePacket ForwardingEngine onwhich it is received).
This might result in unexpected packet drop and also overlay ping/traceroute not
working. PR1063456
• OnMX Series routers with MPCs and T4000 routers with Type 5 FPCs, the feature
"enhanced-hash-key" is configured to select data used in the hash key for enhanced
IP forwardingengines. If "type-of-service" is configuredat the [edit forwarding-options
enhanced-hash-key family inet] hierarchy level, or "traffic-class" is configured at the
[edit forwarding-options enhanced-hash-key family inet6] hierarchy level, the last
significant 2 bits of the TOS/TC bytes under the IPv4/IPv6 header are extracted
incorrectly as load-sharing input parameters, which might cause unexpected load
balancing. PR1066751
• StartTime and EndTime of the flow in inline-jflow (version 9) has future time-stamp
PR1067307
• Firewall filters which have a prefix-action cannot be configured under [edit
logical-system <name> firewall family inet] because the Packet Forwarding Engine
will not be programmed for the filter. PR1067482
• AnFPCwith interfaces configured as part of anAggregatedEthernet bundlemay crash
and reboot when the shared-bandwidth-policer is configured as part of the firewall
policer. PR1069763
• OnMXSeries routers, when using FPCwith feature inline sampling activated, memory
partition error messages andmemory leak might be observed on the FPC. In some
cases, this issue only affects sample route-records but not regular Packet Forwarding
Engine routes or next-hops. However, in the extreme case, it is also possible to cause
the Packet Forwarding Engine to fail in installing routes into forwarding next-hops and
hence traffic drop. On MX Series routers, when using FPCs, Junos OS Release 13.3R5
14.1R4 14.2R1or higher is exposed.OnT4korTXP-3D routers,whenusingFPC-3DFPC's,
Junos OS Release 14.2R1 or higher is exposed. PR1071289
• VPLS filter applied under forwarding-options might drop VPLS frame unexpectedly
when it is coming from an lt- interface. PR1071340
Copyright © 2017, Juniper Networks, Inc.154
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• When inline-sampling is enabled, in race conditions, if packet gets corrupted and the
corrupted packet length shows 0, this may cause "PPE_x Errors thread timeout error"
and eventually cause MPC card to crash. PR1072136
• After IPv6 RPM(real-time performancemonitor) support, snmp server cannot receive
someof IPv6PING-MIB info. Forexample, snmpserver receives"pingCtlRowStatus(23)"
and "pingCtlAdminStatus(8)" error and cannot get "pingResultsTable" and
"pingProbeHistoryTable" info. << example >> ** The following logs are snmp server
logs. "snmpset -v 2c -c xxxxxx" commands are used. ----pingCtlRowStatus(23) error
info. Error in packet. Reason: inconsistentValue (The set value is illegal or unsupported
in some way) Failed object:
SNMPv2-SMI::mib-2.80.1.2.1.23.7.79.87.78.69.82.95.65.6.84.69.83.84.95.65
---pingCtlAdminStatus(8) error info. Error in packet. Reason: inconsistentValue (The
set value is illegal or unsupported in some way) Failed object:
SNMPv2-SMI::mib-2.80.1.2.1.8.7.79.87.78.69.82.95.65.6.84.69.83.84.95.65 ** The
following logs are snmp server logs. "snmpwalk -v 2c -c xxxxxx" commands are used.
pingResultsTable(3) SNMPv2-SMI::mib-2.80.1.3 = No Such Object available on this
agent at this OID pingProbeHistoryTable(4) SNMPv2-SMI::mib-2.80.1.4 = No Such
Object available on this agent at this OID PR1072320
• When Integrated routing and bridging (IRB) interface is configured with Virtual Router
Redundancy Protocol (VRRP) in Layer 2 VPLS/bridge-domain, in corner cases after
interface flapping,MACfilter ff:ff:ff:ff:ff:ff is cleared fromthePacketForwardingEngine
hardware MAC table, so the IRB interfacemay drop all packets with destinations MAC
address FFFF:FFFF:FFFF (e.g. ARP packet). PR1073536
• It tries to check allotted power for all the FPCs. In the
CHASSISD_I2CS_READBACK_ERROR logs, it shows the FPCs which are not present in
chassis. It just calls i2cs_readback() to read i2c device and fails there as these FPCs
slots are blank and prints those readback errors. Also the errors are harmless:
"CHASSISD_I2CS_READBACK_ERROR: Readback error from I2C slave for FPC" Code
to check 'if power has been allotted to this FPC', needs to be executed only if the FPC
is present. PR1075643
• MPC is showing the following log message and will generate a core file.
jnh_private_mem_pool_free(898):Noprivatemem_pool for0x00300000/00100000
PR1081855
• LMEM is an internal memory in LU/XL ASIC chip. It has private and shared regions for
Packet Processing Engines. LMEM data errors are very rare events caused by
environmental factors (this is not created by software). Due to a software defect, an
error in the shared LMEM region will result in corruption of critical data structures of
Packet Processing Engines that causes unpredictable communication of LU/XL ASIC
chip with MQ/XM ASIC chip. These events will corrupt the state in MQ/XM and lead
toaMQ/XMwedge.TheMQ/XMwedgewouldcause fabricblackholeand finally reboot
the line card. PR1082932
• OnMX Series routers with MPCs/MICs the "RPF-loose-mode-discard" feature is not
workingwhenconfiguredwithinaVirtualRouter routing instance. The feature isworking
only when configured in the main instance. PR1084715
155Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• Aggregate interfaces in combination with shared-bandwith-policer might lead to
Packet Forwarding Engine policer corruption in case the aggregate interface is being
reconfigured (add / delete units). This corruption could alter the policer rate
programmed in hardware and lead to unexpected policer behavior (we either consider
legitimate traffic as being out of profile or invalid traffic as being within profile).
PR1084912
• With MSDPC equipped on BNG, there might be amemory leak in ukernel, which
eventually causes MSDPC to crash and restart. PR1085023
• The prompt for SSH password changed in Junos OS Release 13.3, from "user@host's
password:" to "Password:". This change breaks the logic in "JUNOS/Access/ssh.pm"
which is located in /usr/local/share/perl/5.18.2/ on Ubuntu Linux, for example.
PR1088033
• IPv6 packets with non-UDP and non-TCP payload belonging to the same flowmight
get reorderedwhen being forwarded byMXSeries router withMPCPacket Forwarding
Engine PR1098776
Routing Protocols
• In a scaling setup a restart routing or NSR switchover can result in duplicate MSDP
entries. PR977841
• RIP is applying the RIB import-policy for the primary RIB table, and as per the policy
configured, evaluation fails and routesare removed fromprimaryRIB. But import-policy
is applied only for secondary tables. RIP should apply only the protocol import policy
and add routes to primary RIB. Routes are leaked to secondary routing table according
to import-policy. Fix: As suggested by rpd infrastructure team, removed the import
policy filter application to primary routing table by protocol RIP. Now import policy
application is handled by policy module within RPD. PR1024946
• After deactivating/deleting BFD configuration, Packet Forwarding Engine receives BFD
session down event and it marks corresponding next hops as down, and traffic drops
as a consequence. PR1053016
• Deletion of a routing-instancesmay lead to a routing daemon crash. Thismay happen
if routing-instance's Routing Information Base (RIB) is referenced in an active
policy-option configuration. As aworkaround,when deactivating the routing-instance,
all associated configurations using the route-table names in the routing-instance
should also be deactivated. PR1057431
• In PIMenvironment, BootstrapRouter (BSR) canbeusedonly betweenPIMv2enabled
devices. When deactivating all the interfaces which are running PIM bootstrap, the
systemchanges tooperate inPIMv1.At this time, all the information learnedabout/from
thecurrentBSRshouldbecleaned, butactually, BSRstate is not cleaned. If the interface
which was the previous "elected BSR" is activated, BSR state is
PIM_BSR_ELECTED(should be cleaned previously), and the system assumes the BSR
timer is still here. When the system tries to access the null BSR timer, the rpd process
might crash. PR1062133
• In Protocol Independent Multicast (PIM) sparse mode environment, in the situation
that the router is being used as the rendezvous point (RP) and also the last hop router,
Copyright © 2017, Juniper Networks, Inc.156
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
when the (*,G) entry is present on the RP and a discard multicast route (for example,
due to receivingmulticast traffic fromnon-RPF interface) is alreadyexisted, if the (S,G)
entry is learned after receiving source-active (SA) of the Multicast Source Discovery
Protocol (MSDP), the SPT cutover may fail to be triggered. There is no traffic impact
as receivers still can get the traffic due to (*,G) route. PR1073773
• In multi-topologies IS-IS scenario, there is huge difference between estimated free
bytes and actual free bytes when generating LSP with IPv6 Prefix. It might cause LSP
fragment exhaustion. PR1074891
• In an MPLS L3VPN Core network, enable BGP Prefix-Independent Convergence (PIC)
Edge feature on a PE router. If the same VPN route is received with different multiple
exit discriminator (MEDs) via two route reflectors (RRs), when BGP PIC evaluates
those two routes, it disregards the one with higher MED, and hence fails to build a
multipath protection/backup path entry. PR1079949
• When removing scale BGP configuration, if the BGP session is holding stale routes for
the benefit of a restarting peer, the routing protocol process (rpd) may crash. As a
workaround, the administrator may use CLI command "show route receive-protocol
bgp <peer address> extensive | match STALE" to find the existing stale routes. If there
arenone, then removing theBGPconfigurationmaynot cause the rpdcrash.PR1081460
• If a policy statement referred toa routing-table, but the corresponding routing instance
is not fully configured (ie. no instance-type), committing such a configuration might
cause the rpd process to crash. PR1083257
• With Multicast Source Discovery Protocol (MSDP) and nonstop active routing (NSR)
configured on the Protocol Independent Multicast (PIM) sparse-mode rendezvous
point (RP), the rpd process might permanently get stuck whenmulticast traffic is
received shortly after Routing Engine switchover. PR1083385
• When there are a number of secondary BGP routes in inet.0, an SNMPwalk of inet.0
by thebgp4MIBcancauseacore if thecorrespondingprimary routesarebeingdeleted.
PR1083988
• WhenBGProute is leaked toa routing-instanceand there isan importpolicy tooverwrite
the route preference, if damping is also configured in BGP, the BGP routes which were
copied to second table cannot be deleted after routes were deleted in master table.
This is a day-1 issue. PR1090760
• When removing BGP Prefix-Independent Convergence (PIC) from the configuration,
the expected behavior is that any protected path would become unprotected. But in
this case, themultipath entry that contains the protection path (which is supposed to
be removed) remains active, until BGP session flaps or the route itself flaps. As a
workaround, use "commit full" command to correct or to commit. PR1092049
• The rpd process might crash when resolve-vpn and rib inet.3 are configured under
separate levels (BGP global, group and peer). The fix is If anybody configures a family
at a lower level, reset the state created by either of configuration statements from
higher levels. This behavior conformswith our current behavior of family config -which
is that any configuration at a lower level is honored and the higher-level configuration
is reset. PR1094499
157Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Services Applications
• In IPsec environment, after performing the Routing Engine switchover (for example,
performinggracefulRoutingEngine switchover) or chassis reboot (that is,wholedevice
is powered downandpoweredUPagain), due to the keymanagement daemon (kmd)
maybe launchedbefore theRouting Enginemastership is finalized, itmay stop running
on the newmaster Routing Engine. PR863413
• On an L2TP access concentrator (LAC) device with more than 8K L2TP sessions up,
if execute command "clear services l2tp session all" and then stop the command by
using Ctrl-c, the Layer 2 Tunneling Protocol process (jl2tpd) might crash. PR1009679
• WithRealTimeStreamingProtocol (RTSP)ApplicationLayerGateway (ALG)enabled,
the PICmight crash if the transport header in status reply from themedia server is
bigger than 240 bytes. PR1027977
• OnM Series, MX Series, T Series routers with Multiservices 100, Multiservices 400, or
Multiservices 500 PICs with "dump-on-flow-control" configured, if prolonged flow
control failure, the coredump file might generate failure. PR1039340
• Inline IPv6 L2TP onMPC subscriber terminated at an LNS breaks adaptive services SP
unicast nexthops on MS-DPC. Even one subscriber causes the issue. PR1054589
• A Layer 2 Tunneling Protocol daemon (l2tpd) crash is seen sometimeswhen the L2TP
service interface unit number is configured higher than 8192. A restriction has been
added to force unit numbers below 8192. PR1062947
• OnMXSeries routerswhichareactingasLNS toprovide tunnel endpoints, it is observed
that theservice-interfacesarenotusable if aMICcorresponding to them isnotphysically
installed on the FPC. If only those service interfaces that belong to the removed PIC
are added to service-device-pool, this results in no LNS subscribers able to login. Note
that once the MIC is inserted into the FPC, the features could be used. PR1063024
• When configuring RADIUS authentication for Layer 2 Tunneling Protocol (L2TP), the
RADIUS server cannot be recognized because the source address is not being read
correctly. As a result, the L2TP session cannot be established. PR1064817
• L2TP daemon will core in LTS scenario while the subscriber logs out. This happens
when the subscriber has "Called Number AVP" attribute. The "Called Number AVP"
was not getting relayed correctly across LTS boundary, hence daemon cores.
PR1065002
• The trigger for the crash iswhen theMS-DPCsService PIC is in a lowmemory zone and
it receives two SYNmessages from the the same client IP within a very short time gap
inbetween the twoSYNs. So this race condition is tied to runningout ofmemory, failing
to allocating a timer for a conversation, and having rapid SYNs on a TCP connection
where the second TCP SYN is matched on flowwhich is being deleted due to a failed
timer allocation for that. This scenario is very difficult to hit and should not be seen in
production often. PR1069006
• Service PIC daemon (spd) might crash with core-dumps due to CGNAT pool's
snmp-trap-thresholds configuration. PR1070370
Copyright © 2017, Juniper Networks, Inc.158
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• InCG-NATor statefull firewall environment, due toanull pointer checkbug, theMS-DPC
might crash every few hours. Note that this is a regression issue. PR1079981
• The crash happens if in an http flow, the flow structure is allocated at a particular
memory region. There is no workaround but the chances of hitting this issue are very
low. PR1080749
• On Layer 2 Tunnel Protocol (L2TP) network server (LNS), during L2TP session
establishment, when receiving Incoming-Call-Connected (ICCN)messages with Last
Sent LCP CONFREQ Attribute Value Pair (AVP) but without Initial Received LCP
CONFREQ and Last Received LCP CONFREQ AVPs, the jl2tpd process might crash.
PR1082673
• In a L2TP tunnel-switching scenario, if a tunnel-switched tunnel is cleared with "clear
services l2tp tunnel peer-gateway" AND an incoming ICRQ is received simultaneously
from the LAC side destined for this tunnel-switched tunnel, this leads to jl2tpd crash.
This defect has now been rectified. PR1088355
• OnM Series platform, in Layer 2 Tunneling Protocol (L2TP) network server (LNS)
environment, not all attributes (Missing NAS-Identifier, NAS-Port-Type, Service-Type,
Framed-Protocol attributes) within Accounting-Request packet are sending to the
RADIUS server. PR1095315
• Some values of MIB object jnxSrcNatStatsEntry might be doubled when AMS (or rsp)
interface and NAT are configured together. PR1095713
Software Installation and Upgrade
• Due to a software defect found in 13.3R7.3, Juniper Networks strongly discourage the
useof JunosOSsoftware version 13.3R7.3on routerswithMQ-basedMPC.This includes
MX-Series with MPC1, MPC2, and all mid-range MX-Series. PR1108826
Subscriber Access Management
• In subscribermanagement environment, after performing the graceful Routing Engine
switchover (GRES), if the Routing Engine switchover happens before the Acct-Start
response is received, and the timeout on service session happens before timeout on
subscriber session, the authentication process (authd) may crash. PR1074011
• Subscriber is not coming up when CISCO AVPair VSA value is returned in Radius
ACCESS-ACCEPT packets in certain scenarios. PR1074992
VPNs
• In NG-MVPN scenario, while traffic is not being generated by source for at least 3 and
ahalfminutes anda routing or othermulticast issueprevents themulticast traffic from
reaching the receiver PE, after the multicast data starts flowing again for about 6
minutes, the Type-7 and Type-5 routes might be withdrawn which causes a discard
route to remain present on the RP facing PE and causes the traffic not to be forwarded
even if there is state and flowing traffic for that group. PR1058574
• In MVPN RPT-SPTmode, with a mix of local and remote receivers all using (*,g) joins
(spt-threshold infinity), the downstream interfacesmay not get updated properly and
there may be a stuck (s,g) forwarding route. This issue can occur with the following
159Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
sequence of events: 1. Local receivers are joined 2. Traffic starts, then stops, and the
route times out. 3. Remote receiver joins. Both a (*,g) and an (s,g) forwarding route
are created. 4. Another local receiver is joined, or an existing one is pruned. 5. In the
(*,g) route the downstream interface list reflects the update, but in the (s,g) route the
downstream interface list doesnot. 6.When traffic startsagain, the (s,g) route --which
has the wrong interface list -- is used. The traffic flows to the wrong set of receivers.
PR1061501
Resolved Issues: Release 13.3R6
• Forwarding and Sampling on page 160
• General Routing on page 161
• Interfaces and Chassis on page 164
• Layer 2 Features on page 165
• MPLS on page 165
• Multicast on page 166
• Network Management and Monitoring on page 166
• Platform and Infrastructure on page 166
• Routing Policy and Firewall Filters on page 168
• Routing Protocols on page 168
• Services Applications on page 169
• Subscriber Access Management on page 169
• VPNs on page 170
Forwarding and Sampling
• This issue affects a systemwith two Routing Engines with "graceful-switchover"
configured. When performs upgrade to Junos OS Release 13.3 from previous releases,
without deactivating "graceful-switchover", master and backup Routing Engines are
likely to become unresponsive due to running out of memory. The Routing Engines
need a power reset to restore service. PR1033926
• When a firewall filter, which is used to de-encapsulate the IPv4 packets encapsulated
in IPv6 GRE header, is attached to interface hosts on MX Series MPC/MIC, the IPv6
GREheaderwould bede-encapsulatedbut the inner IPv4packetwould endupgetting
dropped and not forwarded. This issue affects the packet with IPv4 over IPv6 GRE
header only, and those packets with IPv6 over IPv6 GRE header are not affected.
PR1054039
• shared-bandwidth-policer failure results in subscriber exceeding the configured limit.
PR1056098
Copyright © 2017, Juniper Networks, Inc.160
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
General Routing
• OnMX Series platformwith Enhanced DPCs equipped, after router rebooted, the IRB
broadcast channel is not enabled, all the broadcast packets that are received in the
IRB interface will get dropped. Also when ping is given the below L2Channel error
increases as ping packets are sent: user@router>show interfaces ge-*/*/* extensive
| match channel L3 incompletes: 0, L2 channel errors: 10, L2 mismatch timeouts: 0.
PR876456
• DPDmay not work with link-type IPSec tunnels when NAT is present between the
IPSec peers. Even when NAT is not present between the IPsec peers, the issue can
occur with lesser probability. PR895719
• On T/TX/TXP platforms, once detecting rchip sram parity errors, both parity-error
correction process and automatic jtree simulation are invokedwithin interrupt context
which triggers an assertion and resulting a FPC restart with coredump. FPC Type 5-3D
are not affected. Junos OS Releases 13.3R1 and later are exposed. PR944967
• When a router is booted with AE having per-unit-scheduler configuration and hosted
on an EQ DPC, AE as well as its children get default traffic control profile on its control
logical interface. However, if a non-AE GE interface is created on the DPCwith
per-unit-scheduler configuration, itwill get default schedulermapon its control logical
interface. PR946927
• In large scale L3VPN environment(in this case, there are 80K L3VPN routes) with
non-stopactive routing (NSR)enabled,when theL3VPN routesareaddedanddeleted
frequently, in rare condition, the Composite Next Hop (cnh) deletion from kernel after
backup rpdprocess learns cnhswithduplicated keybutwithdifferent nhids. Thismight
lead to rpd process crash on backup Routing Engine. This issue is not reproducible and
only happened once. PR959331
• OnMX Series, delete an interface A from routing-instance VRF1; then create
routing-instance VRF2 and interface A is added to VRF2 with qualified-next-hop
configured; finally, delete VRF1. Commit the entire above configuration once, in rare
condition, rpdmight crash. PR985085
• OnMX104 router with SONET/SDHOC3/STM1 (Multi-Rate) MIC. In rare condition, if
the MIC is plugged out fromMX104, the Packet Forwarding Engine might crash, the
traffic forwarding will be affected. These MICs as below belong to SONET/SDH
OC3/STM1(Multi-Rate)MIC:*MIC-3D-8OC3OC12-4OC48*MIC-3D-4OC3OC12-1OC48
* MIC-3D-8CHOC3-4CHOC12 * MIC-3D-4CHOC3-2CHOC12 * MIC-3D-8DS3-E3 *
MIC-3D-8CHDS3-E3-B * MIC-3D-1OC192-XFP. PR997821
• An unnecessary update from the routing protocol process (rpd) to the route record
databasemightbe triggeredbycertainconfigurationchange.Thisprocesscauses jump
in CPU utilization of all Packet Forwarding Engines. PR1002107
• OnMX Series Virtual Chassis with the no-split-detection configured, in some rare
circumstances, the transit traffic might get dropped if all of the virtual chassis ports
(VCP) go down and come up quickly (within few seconds). PR1008508
161Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• OnMXSeriesplatformswithADPCFPCs,M120, orM7i/M10iwithEnhancedCFEB, each
VPLS LSI interface flapping triggers a memory leak in jtree segment 0. There is no
memory leak in FPC heap 0memory. PR1009985
• When destinations are pointing to protocol next-hops as unilist type or IP forwarding
next-hops as unilist, which in scenarios like using Loop-FreeAlternateRoutes forOSPF
(LFA-OSPF)with linkprotectionorMPLSFRR is enabled. If flapping theactive interface
very fast, especially an interface comes back up before Kernel gets a chance to delete
all theunilist next-hops, thoseunilist next-hopswhichhavenotbeendeletedyetwould
be re-used. As a result, the corresponding destinations are pointing to discard
next-hop(s) or replaced next-hop(s) in Packet Forwarding Engine Jtree. The "discard"
next-hop(s) causes traffic blackhole while the "replaced" next-hop(s) diverts traffic
to other active next-hop(s) in the unlist. Those unilist next-hops which have been
already deleted are safe and get updated accordingly. This is a day one timing issue.
PR1016649
• Under corner cases, if there are multiple back-to-back Virtual Chassis port (VCP)
related CLI commands, Network Processing Card (NPC) core may be observed and
FPC hosting the VC ports might reboot. PR1017901.
• If you issue the show services nat mappings details command with a large number of
service sets configured (such as 1000 service sets) and one or two NATmappings
specified, the command takes a certain amount of time to display the output. During
this period, if you deactivate or activate the services, amultiservices PICmanagement
daemon core file is generated. PR1019996
• Enabling sampling on anms- interface is not supported configuration, if
'forwarding-opions sampling sample-once' is subsequently deactivated, the FPCmay
reboot. PR1021946
• OnMXSeries routerwith IPv6 subscribers, after performingGRESor reloading one line
cardwhichhasunderlying interfaces fordemux, somedemux interfacesmightbestuck
in Tentative state, and some other demux interfaces which has the same link local
addresses might be unable to send any IPv6 RAmessage. PR1026724
• OnMPC5E line card, if a firewall filter with large-scale terms (more than 1300 etc.) is
attached to an interface, traffic dropmight be seen. PR1027516
• With an unrecognized or unsupported Control Board (CB), mismatch link speedmight
be seen between fabric and FPCs, which results in FPCs CRC/destination errors and
fabric planes offline. Second issue is in a race condition, Fabric Manager (FM)might
process the stale destination disable event but the error is cleared indeed, it will result
in the unnecessary FPC offline and not allowing Fabric Hardening action to trigger and
recover. PR1031561
• If a logical interface isusedas thequalified-next-hop(which implies the logical interface
has unnumbered-address configured), and there are changes in the logical interface
filter configuration, then the static route might disappear from routing table. Tomake
it reappear, need to delete it from the configuration and add it back. PR1035598.
• For MLPPP interface on MX Series based line card, in some very rare conditions, the
received fragmented packets might be dropped. PR1041412
Copyright © 2017, Juniper Networks, Inc.162
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• OnMX Series platformwith one of the following protocols configuration, flapping the
protocols will trigger the Composite Next-hop change operation. In rare condition,
since it is not proper programmed, the FPCmight crash. This is a day-1 issue. - LDP -
MPLS - Point-to-multipoint LSP - RSVP - Static LSPs. PR1045794
• Oncedefault route0.0.0.0/0 isadded,deletedorchanged, thePFEMANthread running
on the MPC/FPC5 needsmore than 600mseconds to program such changes. This is
long enough to trigger LFM or BFD flap. Junos OS Release 13.3R2 or later is exposed to
this symptom. PR1045828
• On T Series FPC 1-3 and M320 except E3-FPC with fib-local configuration. If there are
multiple FIB local FPCs or the FIB local is a multiple Packet Forwarding Engine FPC,
the TCP packetsmight be out of order, packets re-ordering would occur. It reduces the
application level throughput for any protocols running over TCP. PR1049613
• In the PPP dual-stack subscribers environment, in rare condition, if bringing up 1000
dual-stack subscribers quickly, the PPP negotiation might fail. Then PPP retries
negotiation, all subscribers fully establish. PR1050415
• Incorrect flow count is reported in the field 'count' of V9 header in all the packets sent
to the collector. PR1050543
• This problem is because of a race condition, where other FPCs are not able to drain
"which is 1 second" Fabric Streams connecting to FPC which is getting offline. With
this situation - evenwhenFPCcomesonline, other FPCswhichhaveobservedmessage
"xmchip_dstat_stream_wait_to_drain" will not be able to send traffic to that particular
FPC over fabric. There is no workaround. To recover, we have to reboot FPCs which
observed error message "xmchip_dstat_stream_wait_to_drain". PR1052472
• This problem scenario with stuck DEMUX VLANs was observed after upgrade to 12.3
from previous release of 11.4X27. PR1054914
• As a precautionary measure, a periodic sanity check is added to Ichip based FPC. It
checks FPC error conditions and performs the appropriate actions in case of an error.
PR1056161
• IFCM error messagesmay occur in logs when it is not used. We lowered the severity of
the message to avoid confusion. PR1057712
• When enabling pseudowire subscribers the "show subscribers extensive" command
does not display CoS policies applied to the subscriber interface. This issue was fixed
in 13.3R6, 14.1R5 and 14.2R3. PR1060036
• bfd-protectedospf-sessionandbfd-protectedbgp-session fail tocomeupviasite-site
IPSec tunnel. As a workaround use no-ipsec-tunnel-in-traceroute CLI configuration
statement. PR1061342
163Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Interfaces and Chassis
• Refer to the following topology. If we set interface ge-1/0/8disable, interface xe-2/0/0
and xe-2/1/0 become down status because "asynchronous-notification" feature.
However after 3 or 4 seconds, ether OAM detects link-fault status changed to good.
And then, interface xe-2/0/0 and xe-2/1/0 change link status from down to up. The
conditions are the following. 1. Configure MPLS circuit with ether CCC. 2. Configure
"asynchronous-notification"onCE facing interface inbothPEs. 3. ConfigureetherOAM
tooneofPE, CEpair. 4. UseDPC 10giga-interfaceonDTU. *This behavior did not occur
with MPC and DPC 1 giga-interface. << topology >>
********************************************************************* local
link remote linkDPC 10ge | xe-2/0/0Vge-1/0/6ge-1/0/8 [CE ]----------[PE ]---------[
PE ]----------[ CE ] xe-2/1/0 ge-1/0/7 ge-1/0/9 (DTU) <--------> <-------> <-------->
ether CCCMPLS ether CCC asynchronous-notification asynchronous-notification
<--------> ether OAM *CE:MX240 PE:MX240
*********************************************************************
PR973840
• With vrf-table-label configured on the routing-instances, when an FPCwith Enhanced
IQ (IQE) PIC is sharing the same Forwarding Engine Board (FEB) with another FPC,
and the FEB has two core-facing interfaces configured with the family mpls on
aforementionedFPCs separately, the label-switched interface (LSI)might be removed
incorrectly on the working FPC when the other FPC with IQE PIC is set to offline.
PR1027034
• If DPCE 20x 1GE + 2x 10GE X card is present in the chassis, BFD sessions over AE
interfaces may not be distributed.PR1032604
• Some duplicate entries are reported in jnx-chas-defines.mib. This patch removes the
duplicate entries to fix the issue. PR1036026
• FRR switching time is much higher than 50ms (e.g. might be 400-900ms) when
protected links are located on MX Series Gigabit Ethernet enhanced and hardened
MICs (i.e. MICmodel name end with -E or -EH, currently, the supported MICs are
MIC-3D-20GE-SFP-E and MIC-3D-20GE-SFP-EH). PR1038999
• Using PPP authentication with a specifically crafted PAP Authenticate-Request may
cause the Juniper Networks PPP daemon (jpppd) to crash and restart. After PPPoE
Discovery and LCP phase is successfully negotiated, when the crafted PAP
Authenticate-Request is received, jpppd crashes and no response is sent by the
broadband edge router to the subscriber. The jpppd continues to crash every time the
subscriber re-sends the PAP Authenticate-Request. PR1040665
• In case of the IQ2 or IQ2E PIC are working in tunnel-only mode, rebooting the tunnel
PIC while the traffic is passing through the tunnel might cause the tunnel PIC to not
transfer traffic any more. PR1041811
• jpppd daemon ran out of memory as subscribers login failed due to missing CoS
parameters. Below logs will be seen in messages when the subscribers login fail. Nov
16 12:19:21 jtac-host jpppd: Semantic check failed for profile=PPPoE-1-QoS, error=301
Nov 16 12:19:21 jtac-host jpppd: dyn_prof_send_request: add pre_processing failure,
Copyright © 2017, Juniper Networks, Inc.164
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
error=301 Nov 16 12:19:21 jtac-host jpppd: Profile: PPPoE-1-QoS variable:
$junos-cos-shaping-rate value: failed semantic check PR1042247
• clear interfaces interface-set statistics all fails due to memory limitation. PR1045683
• OnMX Series routers (platforms) with Enhanced Switch Control Board (SCBE), when
the fan tray is inserted or pulled out, the chassisd process might crash. PR1048021
• When Inherit is part of lower logical interface Unit, VRRPD parses it before Active. In
this case, VRRPD attaches a dummy Active to the Inherit, with the assumption that
the Active will be available soon and then replication of information from Active to
Inherit will take place. However, the replication of the priority was not done correctly
due to which the Inherit group was stuck with priority of 0. PR1051135
• In subscriber management environment, PPP client process (jpppd) might crash as a
result of a memory allocation problem. PR1056893
• mru remains set at previous value after deletingmru under group-profile ppp-options.
PR1059720
Layer 2 Features
• After FPC restart, bridge domain (BD) implicit filters for Ethernet ring protection
switching (ERPS)might get reprogrammedwith wrong logical interface (ifl) index,
which cause ERPS to not work correctly. PR1021795
• If a customer is using SNMPandperforms an snmpwalk on the dhcp binding table, not
all of the entries may be displayed. This fix resolves that issue so that bindings for all
IP addresses are displayed. PR1033158
• On a router with DHCP local server configured, if there are scaled number of DHCP
subscribers connected, most of the subscribers might get stuck in "RELEASE" status
after performing graceful Routing Engine switchover (GRES). PR1038385
• In DHCPdynamic subscribermanagement scenario,whenmaintainDHCPsubscribers
during interface delete is configured, some interface indices might be reused by a new
interface if system is under stress (such as high connection speed, many clients and
individual log files configured to be larger than 100M). In this case, it might result in
subscriber being associated with an interface that no longer exists. PR1044002
• Onmultiple Routing Engines systemwith NSR enabled, if the FEC129 VPLS instance
has "no-tunnel-service" configured, the VPLSmight show status as "OL" (no outgoing
label) after performing Routing Engine switchover. PR1050744
MPLS
• Error "tag_icmp_route:failed to find a chain composite ahead of fwd nh" might be
observed when doing traceroute. PR999034
• When configuring point-to-multipoint (P2MP) Label Distribution Protocol (LDP)
label-switched paths (LSPs), the labels will never be freed even though they are no
longer needed. This could lead to the MPLS label exhaustion eventually. To clear the
state, the rpd process will restart with core files. PR1032061
165Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• On the P2MP LSP transit router with link protection enabled, if the LSP is the last
subLSP, tearing the last subLSP (for example, an RESV tear message is received from
downstream router) might crash the routing protocol process (rpd). PR1036452
• When node-protection is enabled for a specified LSP and optimize-timer for a
node-protecting bypass LSP is configured on router, the bypass route might
get-optimized in such a way that it traverses through the very node that the bypass is
trying toprotect during re-optimization. Asaconsequence, thenode-protectingbypass
LSP only provide link protection instead of node protection. PR1045055
• OnM/MX/T Series routers, dynamic-rsvp-lsp is configured under interface
link-protection hierarchy level. After interface flap, the bypass LSP does not come up.
PR1054155
Multicast
• In multicast environment, if GRES is performed immediately after a routing-instance
being deleted, the krt (kernel routing table) queuemight get stuck after adding back
the routing-instances which were deleted. PR1001122
Network Management andMonitoring
• Mib2d cores while trying to re-add a lag child into the internal DB. Since the entry is
already present in the internal DB. Before adding the child link, mib2d does a lookup
on the tree, to know if the entry is not already there. However, this lookup returns no
results, since the child link is part of snmp filter-interface configuration. PR1039508
• SNMPmib walk jnxMac does not return value with et- interfaces on
MPC3/MPC4/MPC5/MPC6. PR1051960
• There is no specific counter name in the MIB2D_COUNTER_DECREASING syslog
message. PR1061225
Platform and Infrastructure
• With inline jflow enabled, if the low 12 bits of the packet counter are zero (0x000)
while copying packets count from hash record into flow export packet, the
packetDeltaCount counter might be incorrect in inline jflow records. There is no traffic
impact but may impact billing. PR886222
• For inline BFD over aggregated Ethernet (AE) interfacewhichmember links are hosted
on different FPCs, BFD packets coming on ingress line card will be steered to anchor
Packet Forwarding Engine through fabric. If FPC reconnects to master Routing Engine
(such as Routing Engine switchover operation), the inline BFD session punts the BFD
packet to host, the BFD packet should go through loopback interface filter of VRF on
which it is received. But in this case, the BFD packet might hit the wrong loopback
interface filter fromwrong routing-instance since the VRF information is not carried
across fabric. PR993882
• BFD sessionwithin default routing-instance are not coming up once inline-services pic
is configured and fixed class-of-service forwarding-class is assigned. BFD session
operating in no-delegate-processing are not affected. PR999647
Copyright © 2017, Juniper Networks, Inc.166
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• OnMX Series platformwith scaled set-up, after deactivate/activate or renaming a
bridge domain (BD) which has irb interface associated, the IGMP snooping configured
under the BDmight not work any more. Note it happens only when the router is in
"network-services enhanced-ip" mode. PR1024613
• A Packet Forwarding Engine memory leak is seen whenmulticast receivers are
connected in a bridge domain where IGMP snooping is enabled and IGMPmessages
exchanged between themulticast receivers and the layer 3 IRB (Integrated Routing
and Bridging) interface. PR1027473
• AggregatedEthernet interfacedoesnot sendPPPoEclient echo replywhenae interface
bundle spans multiple FPC(s). PR1031218
• OnMXSeries3DMPC,when there isacongestedPacketForwardingEnginedestination,
the non-congested Packet Forwarding Engine destinations might experience an
unexpected packet drop. PR1033071
• sa-multicast load sharingmethod under [chassis <> fpc <> pic <> forwarding-mode]
is not working on 100GE interface on MX Series FPC. PR1035180
• ThemicroBFDsessionswon't comeup if incominguntaggedmicroBFDpacketscontain
a source MACwhere the last 12 bits are zero. PR1035295
• Presence of /8 prefix in two terms results in incorrect filter processing and unexpected
behavior. PR1042889
• When IRB interface is configured with VRRP in layer 2 VPLS/bridge-domain, in corner
cases IRB interface may not respond to ARP request targeting to IRB sub-interface IP
address. PR1043571
• In a scaled subscriber management environment, the output of CLI command "show
subscribers" and its sub flavors might print more pages and has to be terminated by
"Ctrl+c" or "q". But this was not closing the back end Session Database (SDB)
connection properly. Over a period of time, this will cause inconsistency and the
subscriber management infrastructure daemon (smid) fails to register and no new
subscribers could connect. PR1045820
• On T4000 and FPC Type 5-3D or TXP-3D platforms , BFD sessions operating in
100msec interval with default multiplier of 3 might randomly flap after the
enhancements implemented via PR967013. BFD sessions with lower intervals of
100msec or higher intervals are not exposed. The internal FPC thread, monitoring the
High Speed Fabric links had a run time of longer then 100msec. PR1047229
• By default, after 16x10GEMPC boards come up, about 75% of queues were allocated
to support rich queuing with MQ chip. Such allocation causes MQ driver software
module to poll stats. Polling stats causes this rise in CPU usage. PR1048947
167Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Routing Policy and Firewall Filters
• In the BGP environment, if operator "!" exists in the regex for as-path, the commit
operation fails. PR1040719
Routing Protocols
• In themulticast environment, in rare condition, after gracefulRoutingEngine switchover
(GRES) is executed, the rpdprocessmight crashdue to receivingNULL incoming logical
interface. PR999085
• When BGP add-path feature is enabled on BGP route-reflector (RR) router, and if the
RR router has mix of add-path receive-enabled client and add-path receive-disabled
(which is default) client, due to a timing issue, the rpdprocess onRRmight crashwhen
routes update/withdraw. PR1024813
• WhenaBGPpeer goes down, the route for this peer should bewithdrawn. If it happens
that a enqueued BGP route update for this peer has not been sent out, issuing the CLI
command"showrouteadvertising-protocolbgp<peer-addr>"might crash the routing
protocol process (rpd). This is a very rare corner case. PR1028390
• When BGP is doing path selection with default behavior, soft-asserts requests are
introduced. If BGP routes flap a lot, it needs to do path selection frequently, because
of which a great deal soft-asserts might be produced which will cause unnecessary
high CPU and some service issues, such as SNMP can not respond and even rpd core.
PR1030272
• When "clear bfd session" is issued immediately (before the Poll - Final sequence is
completed) post config check-in for interval change from higher to lower
minimum-interval value, BFD sessions don't revert to lower interval. PR1033231
• Issue in populating isisRouterTable values. Some entries are not filled correctly. This
does not block/affect the functionality of IS-IS or other components. PR1040234
• If labeled BGP routes are leaked from inet.3 table to inet.0, then activation of BGP
"add-path" feature might crash the routing protocol process (rpd). PR1044221
• BFD session might reset on commit if version is configured. The adaptive RX interval
gets set to 0 which results in the reset. A sample configuration of BFD version is as
follows: protocols { bgp { bfd-liveness-detection { version 1; minimum-interval 1000;
transmit-interval { minimum-interval 1000; } } } PR1045037
• When BGP and ICCP are the client of the samemulti-hop BFD session, BFD runs in
centralized (non-distributed)mode. But if nonstop-routing configuration is added and
enabled, runningmodeofBFD is changed todistributedmode.Thisbehavior is incorrect
but it would not affect to protocols which is client of the BFD session. However, if
Routing Engine switchover is performed after enabling NSR, the BFD session will get
unstable and all the client protocols also get unstable. PR1046755
• Junos OSMulticast Source Discovery Protocol (MSDP) implementation is closing an
established MSDP session and underlying TCP session on reception of source-active
TLV from the peer when this source-active TLV have an "Entry Count" field of zero.
"Entry Count" is a field within SAmessage which defines howmany source/group
tuples are present within SAmessage. PR1052381
Copyright © 2017, Juniper Networks, Inc.168
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• TheBGPsession sendingadd-pathprefixes cancausean rpdcrashwhen theadd-path
IDs that it allocates roll over from 65535 to 0. If the routes contributing add-path
prefixes are changing, the allocated path-id can eventually reach this value. This fix
changes the allocation scheme to always use the lowest available free path-id, so a
rollover will never occur. PR1053339
• After multicast traffic source incoming interface and source ip RPF (reverse path
forwarding) route switching toadifferent interface, themulticast route cacheupstream
interface might not be refreshed to be in sync with the pim join upstream interface.
This is incorrect and will cause packet blackhole for the affectedmulticast stream.
PR1057023
• RPD cored at isisSysLevelTable_next function when we do snmpwalk/snmpget with
invalid value in snmp data variable part. With this fix,added sanity checks for those
OIDs that do not have checks in earlier versions. PR1060485
Services Applications
• Added support to bring up Tunnel-switched sessions when tunnel-group is not
configured at LTS and tunnel attributes are returned from RADIUS. PR1030799
• When NAT hasmultiple terms that refer to the same NAT Pool, the command 'show
snmpmib walk jnxSvcsMibRoot ascii' always prints out jnxNatPoolTransHits for the
count of jnxNatRuleTransHits in the first term. PR1035635
• The cause of the KMD crash is not known. This is not due to SA (Security Association)
memory corruption. The code sees that SA is getting freed without clearing the table
entry. PR1036023
• When the tunnel between L2TP access concentrator (LAC) and L2TP network server
(LNS) is destroyed, the tunnel information will be maintained until destruct-timeout
expire (if the destruct-timeout is not configured, the default value is 300 seconds). If
the same tunnel is restarted within the destruct-timeout expire, the LNS will use the
previously negotiatednondefaultUDPport,whichmight lead to the tunnel negotiation
failure. PR1060310
Subscriber Access Management
• The authd process memory leaks slowly when subscribers login and logout, which
eventually leads the process to crash and generate a core file. PR1035642
• The MX960will send out error message when it processes idle-timeout. PR1041654
169Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
VPNs
• For VPLS over VPLS topology, when the VPLS payload has two labels
(Customer-VPLS-label and Customer-MPLS-label), the framemight be dropped by
the core facing interface hosted on IQ2 PIC with "L2 mismatch timeout" error. This
particular scenario is fixed. But there are some other worse scenarios which might hit
this issue again due to the system architecture limitation, which are not fixed but need
to avoid: * Addition of VLAN tags on Service provider's or CE's VPLS payload e.g.
configuring QinQ. * Addition of MPLS tags on Service provider or CE's VPLS payload.
* Enabling VPLS payload load balancing on Service provider's PE router. PR1038103
• In NGMVPN, after the route to C-RP flaps, traffic lossmight be seen for a short period
of time. PR1049294
• In NG-MVPN scenario, when a source is directly connected to a PE that is acting as an
RP stops sending the traffic, the PE never withdraws the Type 5 route. This causes the
Type7 routesand forwarding routes to remainon theegressand ingressPEs.PR1051799
• In L2VPN scenariowith local switching enabled, in corner cases, the rpd processmight
crashafter flapping thePE-CE link. For example, if the L2VPNconnection typechanges
from remote to local after link flaps, for a brief period of time, two route entries (for
old remote VC connection and for the new local VC connection) might exist for the
same egress route (with interface name as destination prefix). In that case, when
deleting remoteVCconnectionand routeentryassociatedwith that remoteconnection,
the rpdmight crash due to trying to reset an internal variable which is already reset
during route addition for the new local VC connection. PR1053887
Resolved Issues: Release 13.3R5
• Class of Service (CoS) on page 171
• Forwarding and Sampling on page 171
• General Routing on page 171
• High Availability (HA) and Resiliency on page 175
• Infrastructure on page 175
• Interfaces and Chassis on page 175
• Layer 2 Features on page 176
• MPLS on page 176
• Network Management and Monitoring on page 177
• Platform and Infrastructure on page 177
• Routing Policy and Firewall Filters on page 179
• Routing Protocols on page 180
• Services Applications on page 181
• User Interface and Configuration on page 182
• VPNs on page 182
Copyright © 2017, Juniper Networks, Inc.170
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Class of Service (CoS)
• SometimesMXSeriesmight respondwith "no such instance" of the secondOIDwhen
two CoS OIDs in the single SNMP packet. PR1015342
• This issue specific to rate-limit on trunk port in DPC due to a software issue that
installing rate-limit variables to egress Packet Forwarding Engine does not work
normally. PR1022966
• For ichip based platform, IQ2 pic expects FC index in the cookie from ichip for packet
queuing. For Transit traffic, fc index is coming in cookie where are for host outbound
traffic, queue number is coming in cookie to IQ2 pic. As IQ2 pic is not aware whether
traffic is transit or host outbound, it treats value received in cookie as FC value and
looks into fc_to_q table to fetch queue number. This is causing issue in queueing of
host outbound traffic in IQ2PIC in incorrect queue. This is adayone issueandwill come
if in FC to Queuemapping, fc id and queue number are not same. PR1033572
Forwarding and Sampling
• Onthe32-bit JunosOS,whenaverybigburst-size-limit value (2147492676andabove)
is configured in the ingress interface policer, the kernel may drop Routing Engine
destined traffic. PR1010008
• Deactivating Inline Jflow configuration does not makememory release normally.
PR1013320
• When an ARP policer is applied to an interface, it appears commented out in the
configurationwith the followingmessage: "invalidpathelement 'disable_arp_policer'".
PR1014598
• When an MX Series specific filter is configured on an interface located on a DPC, the
filter is not being installed and no warning message is logged on themessage log file.
PR1022836
• Adding "fast-lookup-filter" configuration statement to a firewall filter using one or
more terms with "next-term" action could cause dfwc crash during commit (commit
check phase). Hence because of this bug, this disallows use of "fast-lookup-filter"
feature on firewall filters with terms using "next-term". This PR fixes the above bug
exposed during firewall compiler optimization of filters using next-terms and
fast-lookup-filter. PR1029761
• This issue affects a systemwith two routing engines with "graceful-switchover"
configured. When performs upgrade to Junos OS version 13.3 from previous releases,
without deactivating "graceful-switchover", master and backup Routing Engines is
likely to becomeunresponsive due to running out ofmemory. The routing engines need
power reset to restore service. PR1033926
General Routing
• "show services accounting usage" does not populate cpu utilization for XLP based
cards . Please use "show services service-sets cpu-usage". PR864104
• Leak in /mfs/var/sdb/iflstatsDB.db. PR924761
171Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• In this scenario the CPCD (captive-portal-content-delivery) is configured for
HTTP-REDIRECT for Subscriber Management clients using MS-DPC. When services
sessions start to redirect the HTTP traffic, thememory-usage consistently increments
for MSPMAND on themulti-service PIC. Thememory limit thenmight cause packets
loss. PR954079
• MPLS traceroute causes "rttable-mismatch" syslog messages. PR960493
• OnMX Series DPC line cards with redundancy System Control Boards (SCBs), when
active SCB goes down ungracefully by unexpected event (such as turn off Power Entry
Modules (PEMs)), traffic loss is observed and cannot be recovered on standby SCB
as expected. PR961241
• In the dual Routing Engines scenariowith large scale nexthops (in this case,more than
1-millionnexthopsandaround8KVRFs). In rarecondition, kernelmight crashonbackup
and/or master Routing Engine due to exhaustion of nexthop index space. PR976117
• 1)Due toaprevious fix chassisdon theprotocolmasterRoutingEngineand theprotocol
backup Routing Engine connect to the main snmpd on the protocol master using the
followingmethods. a) Chassisd on the protocolmaster Routing Engine connects using
a local socket since snmpd is running locally. b) Chassisd on the protocol backup
Routing Engine connects using a TNP socket since snmpd is not local. 2) However this
fix changed the way the other daemons connect to snmpd. All important daemons
runon theprotocolmaster andshould connect to snmpdusinga local socket.However
the fix changed it so that all daemons that ran on the protocol master (other than
chassisd) tried to connect using the TNP socket. SNMPD does not accept these
connections.Asa fix, inanMX-VC,wemadesure thatchassisdconnects toall processes
which run on the protocol master using internal socket while the chassisd process on
the protocol backup and protocol lincecard connect connect using TNP socket.
PR986009
• In the dual Routing Engines scenario, in rare condition, while executing GRES and
deleting interfaces at the same time, it is possible that a nexthop delete message is
not sent to rpd process, causing rpd to keep a nexthop index (NHID) that kernel has
already deleted. Laterwhen kernel allocates thisNHID for next newnexthopand sends
it to rpd process, rpd process might crash due to duplicate NHID. PR987102
• MX 960/480/240 fantray red alarm temp changed from 75C to 80C. PR995225
• In the dual Routing Engines scenariowithNSRconfiguration, backuppeer proxy thread
is hogging CPU for more than 1 second if there are multiple updates (>5000) going
frommaster Routing Engine to backup Routing Engine. This is leading to FPC socket
disconnections. The traffic forwarding might be affected. PR996720
• Bydefault, the syslogutility exports800,000 logsper second toa remotesyslogserver.
You canmodify the number of syslogs to be sent by including the message-rate-limit
statement at the [edit interfaces interface-name services-options syslog] hierarchy
level to suit your deployment needs. The rate at which syslog messages can be sent
to the Routing Engine is 10,000 logs per second. PR1001201
• WithNSRenabled,whenactivatingaBGPsession ina routing instance,and the interface
route is imported into the main routing instance, the TCP receive windowmight
Copyright © 2017, Juniper Networks, Inc.172
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
decrement until it hits 0 after receiving incoming BGP traffic arrives from themain
routing instance. PR1003576
• MS-DPCmemory leak on system service setwhenHTTPRedirect attempts to process
none-HTTP traffic with HTTP ports (80/8080/443). PR1008332
• When deleting a routing-instance or making changes to the routing-instance, the
deletion of the routing-instance to kernelmight comebefore the deletion of the logical
interfaces in the routing-instance, resulting in rpd crash. This is a timing issue, hard to
reproduce. PR1009426
• OnMXSeries platformswith ADPC FPCs,M120 orM7i/M10i with EnhancedCFEB each
VPLS LSI interface flapping triggers a memory leak in jtree segment 0. There is no
memory leak in FPC heap 0memory. PR1009985
• Unknown unicast flood is seen with interface flap after router reboot and with static
MAC, no-mac-learning, interface-mac-limit configured for a virtual-switch. PR1014222
• The routing protocol daemon (rpd) might crash continuously with core-files upon
adding a sub-interfacewith "disable" configuration to aMC-LAG interface.PR1014300
• Sendingmulticast traffic to subscribers which have lawful interception enabledmight
crash the FPC. PR1014569
• For 64-bit Junos OS, the route protocols process (rpd) might crash and generate core
file during IBGP route churn when using IBGPmultipath andmultiple levels of IBGP
route/next-hop recursion. PR1014827
• If the serviceoption configuredonaggregatedMultiservices (AMS) interface is different
from its member interface, conflict would happen which might cause some serious
issue.After this fix, service-optionsconfiguration (which includes timeouts/sessios-limit
etc.) shouldonly be configuredonallmembers interfaceswhenconfigureAMSbundle.
PR1014898
• A new global configuration statement is added at the top level CLI "set
forwarding-options port-mirroring [no-preserve-ingress-tag]" By default the system
behavior would remain as it is today where ingressmirrored copy would contain VLAN
content exactly as what came in wire over ingress. However, if this configuration
statement is configured, if any VLANmodification happens to packet as part of its
datapath processing, that would get retained in the ingress mirrored copy ie we will
not restore VLAN to what came in ingress on wire. PR1015149
• This PR is implementing traceoptions debug enhancements to detect route-record
corruption events. The route-record traceoptions debug will be enabled as follows:
---------------------------- user@router> edit Entering configuration mode [edit]
user@router# set routing-options traceoptions flag route-record [edit] user@router#
commit ---------------------------- PR1015820
• hash-key command is no longer treated as a hidden command and considered invalid
input in 12.3 for small footprint routers (these platforms don't support the hash-key
feature), this could cause configuration failure during a software upgrade if hash-key
command is configured prior to the upgrade. This PR reverses the above change and
allowshash-keycommandtobe ignoredonunsupportedplatforms: showconfiguration
173Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
forwarding-options####Warning: configurationblock ignored: unsupportedplatform
(mx80) ## hash-key { family inet { layer-3; } } PR1016339
• In dynamic subscribersmanagement environmentwith "maintain-subscriber" feature
enabled, when scaling up the logged in subscribers, the demux interface might not be
associatedwith thesubscriberand"showauto-configurationextensive"CLI command
only print partial output. PR1017544
• MACaccounting support was added for 40G and 100G interfaces onMPC3 andMPC4
cards. PR1017595
• Traffic destined to theBroadcast orNetwork address of aNetworkAddressTranslation
(NAT) pool using the address prefix setting for the MS-MIC/MS-MPC card causes a
traffic loop that spikes the CPU. PR1019354
• On aMX Series-based FPCs, when there are next-hop changes, the "heap 0"memory
of the FPCmay experiencememory leakage which will eventually causes memory
exhaustion. PR1019794
• Noperformance or functional impact. Can be safely ignored. "Ignore the PTPmessage
(2) as this MPC does not support EEC" should bemoved from notice to debug level.
PR1020161
• When source address is configured under ms interface, and the service-set has syslog
host as local the FPC slot is printed as -ve. PR1020854
• Trace file size is already limited to 1 Mega bytes, but the actual issue is different. When
file reaches its maximum allowed size, an attempt is made to rotate trace file. But
trace files count is presently set to 0 (default), so rotate is not functional. As a result
all logs are appended to the same trace file even after crossing max limit. PR1021076
• MQCHIP(0) mqchip_get_q_forwarded_stats() invalid q_sys 0 q_nummessages are
continously shows in logs.It will cause two GE or XGE interfaces to not forward traffic.
PR1021951
• The host MPCmight continuously crash when trying to online a faulty MS-MIC after
discovering the hardware failure. PR1026310
• OnMPC5E line card, if a firewall filter with large-scale terms (more than 1300 etc.) is
attached to an interface, traffic dropmight be seen. PR1027516
• For M320 or T Series FPCs (M320 non-E3 FPC and T Series non-FPC5) with queuing
PIC, if theconfigured total buffer size temporal valuesexceeds thesupportedmaximum
scheduler buffer size for the PIC (e.g. For PD-5-10XGE-SFPP PIC, the maximum
temporal buffer size that can be configured for a scheduler is 40,000microseconds),
the default scheduler [95,0,0,5] is applied instead of the default chassis scheduler
[25,25,25,25], which might result in the packet drops on Q1 and Q2. PR1027547
• In a rare case, rdd core is reported under /usr/sbin/rdd as soon as applying the group
and commit is performed. PR1029810
• OnMX Series platformwith MS-MPC card, after performing switchover frommaster
RE0 to backup RE1, 2 internal ARP entries for Routing Engine address (128.0.0.1) on
MS-MPCPICs pointing to two eth interfaces connect to CB0 andCB1 separatelymight
be wrongly created. Then if pull out RE0/CB0, the MS-PIC would still select the eth
Copyright © 2017, Juniper Networks, Inc.174
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
interface connects to CB0, which results in loss of connectivity because that path is
not available anymore. PR1030119
• PCS statistics counter is now displayed for PTX 100GE interfces in below command:
cli > monitor interface <intf> PR1030819
• In rare cases, the AUTHD daemonmay crash and cause a corruption of subscriber
dynamicprofiles. In-useprofilesmaybe incorrectlymarkedasnot inuse.Anysubscribers
that reference that profile are forced to remain in Terminating state, until the router is
rebooted. Daemon restarts and GRES switches are ineffective in working around this
situation. PR1032548
High Availability (HA) and Resiliency
• This issueoccurs in rare condition. In thedual Routing Engines scenario, doing interface
flap after Routing Engine switchover. If this action is repeatedmany times, the stale
indirect nexthopentrymight be seen in kernel, this leads to traffic blackhole.PR987959
Infrastructure
• SNMP socket sequence error log. PR986613
Interfaces and Chassis
• If dynamic VLAN subscriber interface is over a physical interface (IFD), and there are
active subscribers over the interface, when deactivate the dynamic VLAN related
configuration under the IFD and add the IFD to an aggregated Ethernet (AE) interface
which has LACP enabled, the Routing Enginemight crash and get rebooted. PR931028
• In the dynamic-profile environment with preferred-source-address configuration. If
subscribers stuck in terminating state, it is impossible to commit changes. PR978156
• In the bridge domain configuration with IRB interface environment, the IRB interface
INET/ISOMTU is set to 1500. When the MTU on IRB interface is deleted, the MTU
would not be changed. PR990018
• In thePPPoEenvironment,when the subscriber logs in successfully but profile activate
fails, due to code processing error, the address entry is not deleted in the authd's DAP
pool. So when the subscriber tries to log in again, it connects fails. PR995543
• In L2 circuit, with async notification configured on a client facing interface goes down,
thenon the remotePE the correspondingCE interface showsup in show interface terse
output while in log snmp reports interface down. PR1001547
• As current Junos OSMultichassis link aggregation groups (MC-LAGs) design, the ARP
entry will not sync when learning ARP via ARP request but not Gratuitous ARP/ARP
reply, in some specific scenarios (e.g. a host changes its MAC address without sending
a Gratuitous ARP), traffic loss might occur. PR1009591
• IS-IS Adjacency may flap after unified ISSU. This behavior is being further analyzed
and fixed in further releases. PR1015895
• VRRP daemon (vrrpd) memory leak might be observed in "show system processes
extensive"whenVRRP is setwith routing-instance and then change any configuration.
PR1022400
175Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• OnM120, when two type 1 FPCs are sharing the same FEB and they are both carrying
core facing interface, with vrf-table-label/no-tunnel-service configuration, the LSI
interfacesmightbe removed incorrect onaworkingFPCwhen theother is set tooffline.
PR1027034
• "set forwarding-options enhanced-hash-key symmetric" configuration statementwill
not get applied on MX104 Packet Forwarding Engine. PR1028931
• If DPCE 20x 1GE + 2x 10GE X card is present in the chassis, BFD sessions over AE
interfaces may not be distributed PR1032604
• Some duplicate entries are reported in jnx-chas-defines.mib. This patch removes the
duplicate entries to fix the issue. PR1036026
Layer 2 Features
• After configuration change or convergence events, kernel may report ifl_index_alloc
failures for LSI interfacesandcausingKRTqueueENOMEM issue, eventually preventing
new logical interfaces being added to the system. This condition always recovers on
its own once convergence is completed. PR997015
• If "maintain-subscriber" configuration statement is enabled on the router, DHCPv6
server/relaymight be unable to process any packet if deactivate and then activate the
routing instance, whichmeans the subscribers can not get the IPv6 addresses. Please
note, even with the fix, the results of this scenario is also expected if with
"maintain-subscriber" configuration statement enabled, please consider using the
workaround to avoid this issue. PR1018131
• After FPC restart, bridge domain (BD) implicit filters for Ethernet ring protection
switching (ERPS)might get reprogrammedwith wrong logical interface index, which
causes ERPS to not work correctly. PR1021795
• In amixedVPLS instancewhere both LDPandBGP flavors are presentwith "best-site"
configuration statement configured under "site" block, any cli change in that instance
will result in rpd crash. PR1025885
MPLS
• When the size of a Routing Engine generated packet going over an MPLS LSP is larger
than MTU (i.e. MTUminus its header size) of an underlying interface, and the extra
bytes leading to IP-fragmentation is as small as <8 bytes, then that small-fragment
will be dropped by kernel and lead to packet drop with kernel message
"tag_attach_labels():m_pullup() failed". For example - If SNMPResponsewith specific
size fall into abovementioned condition then small fragmentwill be droppedby kernel
and eventually the SNMP response will fail. PR1011548
• InMPLS scenariowith TX/TXP router acting as the transit node, performingMPLSLSP
ping or traceroute from ingress nodemight cause kernel crash on the transit node due
to improper timer initialization between SCC and LCC chassis. PR1020021
• Ted link information of protocol from highest credibility level is used irrespective of the
level at which CSPF is computing. i.e., cspf-metric in "showmpls lsp extensive" would
have the sum of te-metric of IGP with highest credibility at each hop in ERO. This has
Copyright © 2017, Juniper Networks, Inc.176
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
been corrected and the cspf-metric will be sum of te-metric of current credibility at
each hop. PR1021593
• When RSVP label-switched-path (LSP) optimize is enabled, RSVP LSPmight stay
down after a graceful Routing Engine mastership switchover (GRES). To resolve the
problem, thecorresponding label-switched-pathconfigurationneeds tobedeactivated,
then, be activated again. PR1025413
Network Management andMonitoring
• Mib2d cores while trying to re-add a lag child into the patricia tree. Since the entry is
already present in the patricia tree. Before adding the child link mib2d does a lookup
on the tree, to know if the entry is not already there. However, this lookup returns no
results, since the child link is part of snmp filter-interface configuration. PR1039508
Platform and Infrastructure
• When apply-groups are used in the configuration, the expansion of interfaces <*>
apply-groups will be done against all interfaces during the configuration validation
process, even if the apply-group is configured only under a specific interface stanza.
PR967233
• TheGNUdebugger, gdb, canbeexploited inaway thatmayallowexecutionof arbitrary
unsigned binary applications. PR968335
• OnMX Series routers with MX Series linecards in a setup involving Packet Forwarding
Engine fast reroute (FRR) applications, if an interface is down for more than ARP
timeout interval or if ARPentries are clearedbyCLI commands, then after the interface
is up again packet forwarding issuesmay be seen for traffic being forwarded over that
interface. PR980052
• Have BFD session between one router supporting inline-BFD (MXSeries and JunosOS
13.3or later)and theotherwhichdoesnot support inline-BFD(anyversionandnon-MX
Series, or MX Series and Junos OS Release 13.3 prior releases). When the "failure
detection time" is less than 50ms, the BFD session might flap. PR982258
• OnMX2020/MX2010wemight see sporadic FO request time-out error reported under
heavy system traffic load. This would mean the request returning into a grant took
longer then +/-30usec. The packet will still get forwarded through the fabric hence no
operational impact. [May 6 18:56:59.174 LOG: Err] MQCHIP(2) FO Request time-out
error [May 6 19:33:47.555 LOG: Info] CMTFPC: Fabric request time out pfe 2 plane 6
pg 0, trying recovery. PR991274
• OnMX Series router with MX Series linecard or T4000 router with type5 FPC, there
are4kGRE tunnelswithdifferentMTUvalue.When thepacketsgo throughGRE tunnel,
if the packets size more than tunnel MTU, in rare condition, the GRE interface might
get stuck due to packets reassembling failure. PR993903
• Whenreceiving traffic comingonMPCandgoingoutonDPC, theMACentryonaPacket
Forwarding Enginemight not be up-to-date and the frames targeted to a knownMAC
address will be flooded across the bridge domain. PR1003525
• Micro BFD sessions are used to monitor the status of individual LAGmember links.
Whenmicro BFD configurations are added after the LAG bundle configuration in
177Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
separate commit, the micro BFD sessions for all the member links might remain in
"Down" state. PR1006809
• On TXMatrix Plus routers or TX Matrix Plus routers with 3D SIBs, all the incoming
interfaces on an FPC are deactivated when none of the fabric planes are functional.
By default, the interfaces remain activated. You can enable the deactivation of
interfaces by using the fpc-restart configuration statement at the edit chassis fabric
degraded hierarchy level. PR1008726
• If rate-limit has been configured in scheduler for MX-VC VCP ports, unified ISSUmight
fail. PR1009590
• MPLS traffic going through the ingress pre-classifier logic may not determine mpls
payload correctly classifyingmpls packet into control queue versus non-control queue
and expose possible packet re-order. PR1010604
• The fix was committed for this PR# but it also needs DDOS configuration additional
to this fix and it is as below: 1) check the "show ddos-protection protocols statistics
terse" 2) For each of the Control plane protocols on the system like ospf/vrrp/pvstp,
it is recommended to configure 2X of the rate as give below example along with
increasing DDOS rate for virtual-chassis control. Example, ######## set system
ddos-protection protocols virtual-chassis control-high bandwidth 20000 set system
ddos-protection protocols virtual-chassis control-high burst 20000 set system
ddos-protectionprotocolsospfaggregatebandwidth 1000set systemddos-protection
protocols ospf aggregate burst 1000 set system ddos-protection protocols vrrp
aggregate bandwidth 100 set system ddos-protection protocols vrrp aggregate burst
100. PR1017640
• For MX Series platformwith inline Network Address Translation (NAT) service, when
using "source-prefix" or "destination-prefix" in aNAT translation rule, a pool is implicitly
created, appending "_jinpool_" with the rule name and term namewith a form :
_jinpool_{rule_name}_{term_name}.Thenamemightbecroppeddueto themaximum
length limitation (64characters). If thathappens, bothpoolsmightget thesamename
and result in the indeterminate behavior (statistic issue, drop or incorrect translation).
PR1020033
• Problemscenario:Theerror logs"CHASSISD_FCHIP_CONFIG_MD_ERROR"will appear
during FPC normal boot up time and also during FPC restart time for each plane and
for each gimlet FPC. Problem statement: Ths Error logs
"CHASSISD_FCHIP_CONFIG_MD_ERROR"areobservedonly inM320chassiscontaining
FPCs based on Gimlet chipsets. Due to this error logs the rate limit for the fabric port
connecting the PFE 1 will be set to the default values. PR1020551
• OnMX Series based line card, if normal BFD sessions (e.g. BFD for OSPF) andmicro
BFD sessions are configured over LAG, it might be seen that only micro BFD sessions
come up and other normal BFD sessions keep in down state. PR1021584
• OnMXSeries based platform,with igmp-snooping enabled and amulticast routewith
integrated routingandbridging (IRB)asadownstream interface, amulticast composite
nexthop is created with a list of L3 and corresponding L2 nexthops. In a rare corner
case, the corresponding L2 nexthop to the L3 IRB nexthop is a DISCARD nexthop and
will cause the FPC to crash. PR1026124
Copyright © 2017, Juniper Networks, Inc.178
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• When receiving traffic coming on MPC and going out on DPC, an Ethernet frame with
known DMACwill be flooded to the whole bridge domain after flapping the link which
the given MAC is learnt for more than 32 times. PR1026879
• When a layer 2 frame entered the VPLS end point on the label switched interface (LSI)
interface with VLAN tagged, the frame is incorrectly interpreted and treated as no
VLAN frame. So the VLAN tagwill not be popped although the outbound interface has
a pop configuration. PR1027513
• On ICHIP line-card, when the packets are queued for several seconds due to interface
congestion and get aged, the ICHIPmight not able to detect those aged packets and
thus fail to drain the queue out, which results in the FPC showing CRC errors and going
into wedge condition. PR1028769
• MX Series-based line card might crash when trying to install the composite next-hop
used for the next-hop-group configuration related to port mirroring of traffic over IRB
to an LSI attached to VPLS instance for a remote host. PR1029070
• For BFD over aggregated Ethernet (AE) interfaces on MX Series routers with MS-MPC
thathaveconfigured theenhanced-ipoption, theBFDdistribution toPacketForwarding
Engine for AE interface might not happen. PR1031916
• This check ( log message) has been added as part an enhancement in the JNH error
report. For FC accounting on AE interface, ingress FC accounting is enabled on AE
interfacenexthopsandegressFCaccounting isenabledonAEchildmembernexthops.
While fetching stats for AE, both member child IFL and AE IFL stats are fetched and
added for result. If ingress FC accounting is enabled on AE IFL, while fetching statistics
for childmember links this error trace is coming because of this newly added JNH error
trace. The fix is to put a check to not call for child member FC statistics when egress
accounting is not enabled on AE bundle. PR1032952
• When the 'enhanced hash key service-load-balancing' feature is used by MPC line
cards load balancing of flows across multiple service PICS via the source-address
across does not work when iBGP is used to steer traffic to the inside service-interface
on the MX Series. For example the operator will see on the stateful firewall that the
same source-address has flows across multiple service interfaces. PR1034770
• Presence of /8 prefix in two terms results in incorrect filter processing and unexpected
behavior. PR1042889
Routing Policy and Firewall Filters
• Executing CLI command "show route resolution" and stopping the command output
before reaching the end of the database, the rpd process might crash when executing
the same command again. PR1023682
• In the BGP environment, if operator "!" exists in the regex for as-path, the commit
operation failure. PR1040719
179Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Routing Protocols
• Prefixes thataremarkedwith twoormore route target communities (matchingmultiple
configured targets configured in policies) will be using more CPU resources. The time
it takes toprocess this kindofprefixesdependson thenumberofVRFsand thenumber
of routes that are sharing this particularity. This can lead to prolonged CPU utilization
in rpd. PR895194
• Bringing up DFWD based BFD sessions at scale causes a churn in DFW as a result of
which the FPC CPU usage remains at 100% for a prolonged timespan. PR992990
• When all the below conditions aremet, if the configuration statement "path-selection
always-compare-med" is configured, the rpd process might crash. - routing-instance
(VR, VRF) with no BGP configuration - rib-group in default instance with
routing-instance.inet.0 as secondary-rib - rib-group applied to BGP in default instance
- BGP routes frommaster tables (inet.0) leaked to the routing-instance table
(routing-instance.inet.0). PR995586
• In themulticast environment, in rare condition, after gracefulRoutingEngine switchover
(GRES) is executed, the rpdprocessmight crashdue to receivingNULL incoming logical
interface. PR999085
• Abnormal ip6 route-calculation behavior can be seen when ospf3-te-shortcut is
configured. PR1006951
• When the same PIM RP address is learnt in multiple VRFs, with NSR configured, rpd
on the backup Routing Engine may crash duememory corruption by the PIMmodule.
PR1008578
• When inet.3/inet6.3 is not enabled, BGP group uses inet6.0 table to advertise the
routes for both inet6 unicast and inet6 labeled-unicast families. When BGP family is
changed, BGP sessions re-establish. When BGP starts to advertise routes to the peer,
BGP expects to see route label however if the old inet6 unicast routes are still present
(not completely cleaned), then rpd process crashes. The fix is to separate BGP group
for inet6 unicast with inet6 labeled-unicast with same rib. The old peers are cleaned
up in the old group and new peers are established in new group. Thus, new peer
establishment is not delayed by the cleanup of the old peer. PR1011034
• IS-IS router table MIB issues, when we do "show snmpmib walk
isisRouterHostName/isisRouterTable" we were not getting exact hostname as it is in
"show isis hostname"so theactual implementationwasnotasperRFC-4444,because
it was showing only the hostnames of the devices which are immediate neighbors of
Dut. Added level info to get sysis_entry per each level correctly and filled
data(isisRouterTable) correctly. PR1011208
• Under certain sequence of events RPD can assert after a RPD_RV_SESSIONDOWN
event. PR1013583
• Withmulticast discard route present, if a RP router has no pd- interface, it might not
generate (S,G) join to upstreamwhen receiving MSDP source active (SA) message.
PR1014145
• When receivingopenmessagewithany capability after the "add-path" capability from
BGP peer, the session will be bounced. PR1016736
Copyright © 2017, Juniper Networks, Inc.180
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• The snmp trap generated when an ipv6 BFD session goes up/down does not contain
the ipv6 bfd session address. PR1018122
• Junos OS implementation of RFC3107 uses unspecified label (0x000000) when
sending routewith label withdrawnmessage. Thismeans JunosOS sends 0x000000
instead of 0x800000 for label withdrawn, which is inconsistent with RFC3107.
PR1018434
• Multicast packets might get dropped with NSR configured and graceful switch over of
the Routing Engine is performed. PR1020459
• Establish two BFD sessions between two routers, one is single-hop BFD for directly
connected interface and the other is multi-hop MPLS OAM BFD. If configuring the
MPLS OAM on the same interface with single-hop BFD, when bringing downMPLS
OAM from the ingress, it might result in the OAM BFD session deleted on ingress but
it still receivingOAMBFDdownpacket fromegress. Since there is no sessionmatching
this BFD packet, it does a normal look up and brings down the single-hop BFD session
which is on the same interface. PR1021287
• If auto-export feature is enabled togetherwith rib-groups configuration option, the rpd
process might crash. PR1028522
• In distributed BFD (which is enabled by default), if the CLIENT session (for example
BGP) flaps due to any reason, themulti-hop BFD session that comes Up after the flap
would not be delegated to FPC. PR1032617
• When "clear bfd session" is issued immediately(before the Poll - Final sequence is
completed) post configuration check-in for interval change from higher to lower
minimum-interval value, BFD sessions do not revert to lower interval. PR1033231
• Issue in populating IS-IS router table values. Some entries are not filled correctly. This
does not block/affect the functionality of IS-IS or other components. PR1040234
Services Applications
• In the largescaledL2TPsubscribermanagementenvironment (in this case,60Ktunnels
upwith 1 sessioneach).When logoutand login 15Ksessions, in rarecondition, the jl2tpd
process (L2TP daemon) might crash. PR913576
• If adestination-prefix or source-prefix is used likebelowexample, theNetworkAddress
Translation (NAT) rule and term names will be used to generate an internal jpool with
a form : _jpool_{rule_name}_{term_name}. If the generated jpool name exceeds 64
characters in length, it will get truncated. If the truncated jpool name get overlapped
withothergenerated jpoolname itwill lead toan inconsistentpoolusage. user@router#
show services nat rule A_RULE_NAME_WHICH_IS_LONG_12345 { ... term
A_TERM_ALSO_WITH_LONG_NAME_1 { from{ source-address { 10.20.20.1/32; } } then
{ translated { source-prefix 10.10.10.1/32; <--- translation-type { source static; } } } }
termA_TERM_ALSO_WITH_LONG_NAME_2 { from { source-address { 10.20.20.22/32;
} } then { translated { source-prefix 10.10.10.2/32; <--- translation-type { source static;
} } } } } First jpool =
_jpool_A_RULE_NAME_WHICH_IS_LONG_1234_A_TERM_ALSO_WITH_LONG_NAME_1
> 64 characters. Second jpool =
_jpool_A_RULE_NAME_WHICH_IS_LONG_1234_A_TERM_ALSO_WITH_LONG_NAME_2
181Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
> 64 characters. The resulted jpool
"_jpool_A_RULE_NAME_WHICH_IS_LONG_1234_A_TERM_ALSO_WITH_" will be used
wrongly in both terms. PR973465
• In L2TP scenario, when the LNS is flooded by high rate L2TPmessages from LAC, the
CPU on Routing Engine might keep too busy to bring up new sessions. PR990081
• Softwire tunnel count management is inconsistent and incorrect, thus the output of
"show service softwire statistics" might be incorrect. PR1015365
• L2TP LNS dropped all tunnels/sessions after a commit PR1020420
• OnMX Series router that configured as L2TP tunnel switch (LTS), after receiving a
Call-Disconnect-Notify (CDN)message on LNS interface from remote LNS, the L2TP
daemon (l2tpd) might crash and generate a core file. PR1021881
• AnMS-DPC PIC coredumpmay be generated if ICMP is used with EIM. PR1028142
• Issue 1: "timeout-remaining" for some filters installed on the DFC pic. (Stream Times
out)Rootcause:Therewasan issuewitharithmeticoperation that lead towraparound
of remaining_time variable. Hence it was having a very huge value. Fix: Necessary
conditions are put in place to ensure there is no wrap around happening. Issue 2:
Problemwith forwarding traffic to the CD during randomDTCPADDs. (Streams Drop)
Root cause: Whenever a DTCP ADD is received by DFC PIC, a new filter is created and
placed in a list data structure called quick-list. 5-tuples of each data packet that is
hitting DFC PIC is matched against the filters in quick-list. Whenever amatch is found,
the 5-tuple(flow) is tagged/attached with the matched filter. Thematching would
continue for other flows aswell and it continues till the filter ismoved out of quick-list.
There was a bug in this logic that made filters to move out of quick-list is a sporadic
manner. Somemoved within fewmillisecond. So, for such filters there won't be any
flows towhich they are attached. Hence the issue. Fix:With this fix, the process of filter
movement out of quick-list is streamlined. A filter would move out of quick-list only
after ensuring that all active flows got a chance to getmatched against that particular
filter. PR1029004
User Interface and Configuration
• When PIM is enabled via apply-groups to one routing-instance whose instance-type
is not defined (no-forwarding type is set), incorrect constraint check of PIMwill cause
routingprotocoldaemon(rpd) tocrashuponanyconfigurationchange later.PR915603
• CST: chassis core generated while applying group configuration on chassis > FPC.
PR936150
VPNs
• In the 12.3 release after issuing a "request pimmulticast-tunnel rebalance" command
the software may place the default encapsulation and decapsulation devices for a
Rosen MVPN on different tunnel devices. PR1011074
• The problem is that MSDP is periodically polling PIM for S,G's to determine if the S,G
is still active. This check helps MSDP determine if the source is active and therefore
the SA still be sent. There is a possibility that PIM will return that the S,G is no longer
active which causesMSDP to remove theMSDP state and notify MVPN to remove the
Copyright © 2017, Juniper Networks, Inc.182
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Type 5. One of the checks PIMmakes is to determine if it is the local RP for the S,G.
During a re-configuration period where any commit is done, PIM re-evaluates whether
it is a local RP. It waits until all the configuration is read and all the interfaces have
come up before making this determination. The local rp state is cleared out early in
this RP re-evaluation process, however, which allows for a window of time where the
local RP statewas cleared out but it has not yet been re-evaluated. During thiswindow
PIMmay believe it is not the local rp and return FALSE to MSDP for the given source.
If MSDPmakes the call into PIM during this window after a configuration
change(commit), then it is possible that the Source Active(Type 5) state will be
removed. The fix will be to clear out the local rp state right before it is re-evaluated ie
after it reads configuration for all interfaces; to not allow any time gap where it could
be inconsistent. PR1015155
Resolved Issues: Release 13.3R4
• Authentication and Access Control on page 183
• Class of Service (CoS) on page 183
• Forwarding and Sampling on page 184
• General Routing on page 184
• Interfaces and Chassis on page 186
• J-Web on page 187
• Layer 2 Features on page 187
• MPLS on page 188
• Network Management and Monitoring on page 188
• Platform and Infrastructure on page 188
• Routing Protocols on page 190
• Services Applications on page 191
• Subscriber Access Management on page 192
• VPNs on page 192
Authentication and Access Control
• The syslogmessage "UI_OPEN_TIMEOUT: Timeout connecting to peer" might appear
if "show version detail" command is executed. This log is a cosmetic log and can be
ignored. This issue is fixed from Junos OS Release 13.3 onwards. PR895320
Class of Service (CoS)
• OnMXSeries routerswith bothMXSeries linecard (in this case, MPC andMPCE on the
box) and other type linecard (DPCE on the box). When the Default Frame Relay DE
Loss Priority Map is configured and commited, all FPCs are getting restarted with
core-files. PR990911
• SNMPget-request for OID jnxCosIngressQstatTxedBytes (ingress queue)might return
the value of jnxCosQstatTxedBytes (egress queue). But SNMPwalk works fine since
it uses get-next-request. PR1011641
183Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Forwarding and Sampling
• Whena firewall filter hasoneormore termswhichhaveMXSeries-onlymatchcondition
or actions, such filters will not be listed during SNMP query. This behavior is seen
typically after Routing Engine reboot/upgrade/master-ship switch. Restarting mib2d
process will cause to learn these MX Series-only filters: cli > restart mib-process After
mib2d restart, SNMPmib walk of firewall OIDs will: - list all the OIDs corresponding
this MX Series-only filter - count correctly as configured in the filter Now, despite the
SNMPmib walk for firewall OIDs lists all OIDs and appropriate values, messages logs
will report the following logs for every interface that has this MX Series-only filter
applied. > Jul 8 15:52:09 galway-re0mib2d[4616]:
%DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: get_counter_list: failed in reading
counter namesae33.1009-i: 288 (No such file or directory)> Jul 8 15:52:09galway-re0
mib2d[4616]: %DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: get_counter_list: failed
in reading counter names ae31.1004-i: 257 (No such file or directory) > Jul 8 15:52:09
galway-re0mib2d[4616]: %DAEMON-3-MIB2D_RTSLIB_READ_FAILURE:
get_counter_list: failed in reading counter names ae33.1010-i: 289 (No such file or
directory) > Jul 8 15:52:09 galway-re0mib2d[4616]:
%DAEMON-3-MIB2D_RTSLIB_READ_FAILURE: get_counter_list: failed in reading
counter names ae31.1004-i: 257 (No such file or directory) The above two issues are
addressed in this PR fix. PR988566
General Routing
• OnTXP/TXP-3Dplatform, a bad I2Cdevice onSFCSwitch InterfaceBoard (SIB)might
cause Switch Processor Mezzanine Board (SPMB) to crash and all SIBs to be unable
to online. PR846679
• Changing the redundancymodeof rlsq interface from"hot-standby" to"warm-standby"
on the fly might lead to kernel crash and the router will go in db> prompt. PR880451
• A few particular sequence of member failures in an AMSwith HA-enabled and with
NAPT-44 configured can cause sessions to reset after a GRES (or SPD restart).
PR910802
• In scale DHCP subscribers scenario (e.g. 54K dual-stack DHCPv4/DHCPv6), graceful
Routing Engine switchover (GRES) is configured. If Routing Engine switchover occurs,
after that execute the command "root@user> show dynamic-configuration" many
times, large scale DHCP or DHCPv6 subscribers might be terminated. PR968021
• In the dual Routing Engines scenario with 8K PPP dual stack subscribers. In rare
condition, after Routing Engine switchover, some subscribers are stuck in terminating
state forever. PR974300
• 1)Due toaprevious fix chassisdon theprotocolmasterRoutingEngineand theprotocol
backup Routing Engine connect to the main snmpd on the protocol master using the
followingmethods. a) Chassisd on the protocolmaster Routing Engine connects using
a local socket since snmpd is running locally. b) Chassisd on the protocol backup
Routing Engine connects using a TNP socket since snmpd is not local. 2) However this
fix changed the way the other daemons connect to snmpd. All important daemons
runon theprotocolmaster andshould connect to snmpdusinga local socket.However
the fix changed it so that all daemons that ran on the protocol master (other than
Copyright © 2017, Juniper Networks, Inc.184
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
chassisd) tried to connect using the TNP socket. SNMPD does not accept these
connections.Asa fix, inanMX-VC,wemadesure thatchassisdconnects toall processes
which run on the protocol master using internal socket while the chassisd process on
the protocol backup and protocol lincecard connect connect using TNP socket.
PR986009
• In 6PE scenario, when PE router is sending IPv6 TCP traffic to MPLS core, in rare
occasions, the kernel might crash and reboot with a vmcore file dumped. PR988418
• OpenFlow v1.0 running on an MX Series router does not respond reliably to interface
up or down events within a specified time interval. Per a fix implemented in Junos OS
Release 13.3R3.6, OpenFlow v1.0 running on an MX Series router responds reliably to
interface up or down events if the echo interval timeout is set to 11 seconds or more.
PR989308
• OnM7i/M10iwith enchancedCFEB,M320with E3-FPC,M120andMXSerieswithDPC.
If "no-local-switching" is present in the bridge domain, then the IGMP-snooping is not
functioning and client cannot see the multicast traffic. PR989755
• During large scale MVPN routes churn events, some core-facing IGP protocols (like
OSPF or LDP)might flap or experience a long convergence time. PR989787
• Commit error needs to be reported when using unsupported NAPT44 nat-options
max-sessions-per-subscriber configuration with MS-MIC/MS-MPC. PR993320
• On T4000 router with type5 FPC. After FPC rebooting, if chassisd process does not
get FPC ready/FPConlineACKmessage fromFPC in 360 seconds, the FPCmight reset
again. PR998075
• OnM/MX/TSeries routers (platforms)withNetwork Address Port Translation (NAPT)
configuration.When the router receives the packet whose value of protocol field in the
IPv4 header is 61, the router erroneously does NAPT44 translation. In the correct
situation, the packet should not be translated and forwarded. PR999265
• The PICmemory gauge counters show up as 0 after a GRES switchover in the "show
chassis pic fpc-slot X pic-slot Y" output. PR1000111
• OnMX240/MX480/MX960 routers running as precision time protocol (PTP)master
when interconnect with MX104 routers running as slave, the PTP clocking state might
get stuck in "INITIALIZING" for the first createdPTPport and not be aligned to clocking
state. Another issue is that when issue command "show ptp clock", wrong "slot"
number might be seen on MX104 slave. PR1001282
• "Syslog generated for session-open will have nat port information only if it is different
from the original source port". PR1001912
• If issue the command "show services nat mappings endpoint-independent" or "show
services nat mappings address-pooling-paired" or "show services sessions" and kill it
immediately when using EIM/APP feature with toomany EIM/APP entries present in
the system, lots of ipc message reply failure messages may be seen in the syslog.
PR1002683
• Multi-Services PIC could crash and restart on receiving a stray SIGQUIT signal due to
it not handling the signal. PR1004195
185Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• When several PICs are set up as an aggregated Multi-services (AMS) doing
load-balancing, if one PIC of the AMS bundle gets offline and then gets online, 30 to
40 secondsmomentary traffic loss might be seen. PR1005665
• Ingress queuing is not supported on MPC5 (With Q-MPC) when Optical Transport
Network (OTN) is enabled. Enabling ingress queuing with OTNwould lead to line card
crash. PR1008569
• Withmore thaneight service-setsconfigured,whenusingSNMPmibwalk for service-set
(object "jnxSpSvcSetTable") info, the mspmand process (which manages the
Multi-Services PIC) might crash. PR1009138
• When the SIB plane state changed to fault state, it should read the FPGA for the power
related information instead of reading from the cpld. PR1009402
• Whenever an FPC goes down suddenly due to hardware failure, the data traffic in
transit towards this FPC fromtheother FPCs couldbe stuck in the fabric queue thereby
triggering fabric drops due to lack of buffers to transmit the data to active destination
FPCs. PR1009777
• On ALG router without "flow-control-options" configured, MS-MICmight not service
packets any more once prolonged flow control is hit and cleared. PR1009968
Interfaces and Chassis
• When the GE port is configured withWAN PHYmode, a "Zero length TLV" message
might be reported from the port. This is a cosmetic issue. PR673937
• With nonstop active routing (NSR) enabled, the VRRP tracking routes state on backup
Routing Engine might not get synchronized when adding/deleting the tracking routes.
PR983608
• OnMX Series platform, when an aggregated Ethernet bundle participating as Layer2
interface within bridge-domain goes down, the following syslog messages could be
observed. Themessages would be associated with FPC0 even if there are no link(s)
from this FPC0 participating in the affected aggregate-ethernet bundle. mib2d[2782]:
SNMP_TRAP_LINK_DOWN: ifIndex 636, ifAdminStatus up(1), ifOperStatus down(2),
ifNamexe-3/3/2mib2d[2782]: SNMP_TRAP_LINK_DOWN: ifIndex637, ifAdminStatus
up(1), ifOperStatusdown(2), ifNamexe-3/3/3mib2d[2782]:SNMP_TRAP_LINK_DOWN:
ifIndex740, ifAdminStatusup(1), ifOperStatusdown(2), ifNameae102 fpc0LUCHIP(0)
Congestion Detected, Active Zones f:f:f:f:f:f:f:f:f:f:f:f:f:f:f:f fpc0 LUCHIP(0) Congestion
Detected, Active Zones 2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm set: FPC
color=RED, class=CHASSIS, reason=FPC 0Major Errors craftd[1601]: Major alarm set,
FPC 0Major Errors fpc0 LUCHIP(0) Congestion Detected, Active Zones
2:0:0:0:0:8:a:0:0:0:0:0:8:4:0:a alarmd[1600]: Alarm cleared: FPC color=RED,
class=CHASSIS, reason=FPC 0Major Errors craftd[1601]: Major alarm cleared, FPC 0
Major Errors fpc0 LUCHIP(0): Secondary PPE 0 zone 1 timeout. fpc0 PPE Sync XTXN
Err Trap: Count 7095, PC 10, 0x0010: trap_nexthop_return fpc0 PPE Thread Timeout
Trap: Count 226, PC 34a, 0x034a: nh_ret_last fpc0 PPE PPE Stack Err Trap: Count 15,
PC 366, 0x0366: add_default_layer1_overhead fpc0 PPE PPE HW Fault Trap: Count
10, PC 3c9, 0x03c9: bm_label_save_label fpc0 LUCHIP(0) RMC 0 Uninitialized
EDMEM[0x3f38b5]Read(0x6db6db6d6db6db6d)fpc0LUCHIP(0)RMC1Uninitialized
EDMEM[0x394cdf] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0) RMC 2
Copyright © 2017, Juniper Networks, Inc.186
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Uninitialized EDMEM[0x3d9565] Read (0x6db6db6d6db6db6d) fpc0 LUCHIP(0)
RMC3UninitializedEDMEM[0x3d81b6]Read(0x6db6db6d6db6db6d)Thesemessage
would be transient in nature. PR990023
• In the demux interfaces over aggregated Ethernet (AE) environment with
targeted-distribution configuration. The index of AE interface is confused when the
index ismore than 100. It copiesonly fourbytes from interfacename. (e.g. If binddemux
interface to ae110, it will be bound to ae11 at the same time). The traffic forwarding
might be affected. PR998906
• OnMX Series router with MX Series linecard or T4000 router with type5 FPC, when
the"Hardware-assisted-timestamping" isenabled, theMPCmodulesmightcrashwith
a core file generated. The core files could be seen by executing CLI command "show
system core-dumps". PR999392
• IGMP joins do not work for PPP subscribers that are usingMLPPP and LNS. PR1001214
• Fabric Blackholing logic recovery for certain cases will be done with different action
(Phase 1/2/3) based on the problem. PR1009502
• Here is the expected behavior for CFM CCM: 1. UP MEP CFM session a. If there is a
manually configured ieee-802.1 classifier attached to the interface, then forwarding
class of the CCM injected should match the respective classifier. b. If there interface
in which CFM is configured has no ieee-802.1 based 1p classified, then the forwarding
class of the CCMwill take as configured in "host-outbound-traffic". c. In case if there
is no "host-outbound-classifier"present thenpacketswill be treatedasnetworkcontrol
(Q3). 2. DownMEP CFM session a. forwarding class of the CCMwill always depends
on the FC classified based on "host-outbound-traffic". If it is not configured, then it
will always take Q3. PR1010929
J-Web
• An insufficient validation vulnerability in J-Web can allow an authenticated user to
execute arbitrary commands. This may allow a user with low privilege (such as read
only access) to get complete administrative access. This scope of this vulnerability is
limited to only those users with valid, authenticated login credentials. Please refer to
JSA10560 for more information. PR826518
Layer 2 Features
• In BGP signaled VPLS/VPWS scenario, rpd process memory leak might occur when
groups with wildcard configuration is applied to the routing instance. PR987727
• When "system no-redirect" is configured, l2 descriptor destination MAC address gets
overwritten and causes "DA rejects" on next-hop router. PR989323
• In race condition, when FPC gets rebooted or reset, link(s) from this FPC which are
part of aggregatedEthernetbundlewould remain inLACP"Detached" state indefinitely.
user@router> show lacp interfaces ae102 Aggregated interface: ae102 LACP state:
Role Exp Def Dist Col Syn Aggr Timeout Activity xe-2/0/0 Actor No Yes No No No Yes
Fast Active xe-2/0/0 Partner No Yes No No No Yes Fast Passive xe-2/0/1 Actor No No
Yes Yes Yes Yes Fast Active xe-2/0/1 Partner No No Yes Yes Yes Yes Fast Active LACP
protocol: Receive State Transmit State Mux State xe-2/0/0 Defaulted Fast periodic
Detached xe-2/0/1 Current Fast periodic Collecting distributing user@node> show
187Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
interfaces xe-2/0/0 terse Interface Admin Link Proto Local Remote xe-2/0/0 up up
xe-2/0/0.0 up up aenet --> ae102.0 xe-2/0/0.32767 up up aenet --> ae102.32767 This
issue would be seen when associated aggregated Ethernet bundle is configured for
vlan-tagging. To clear this condition, the affected interface should be deactivated and
activated using CLI commands. user@node# deactivate interfaces xe-2/0/0
user@node#commit user@node#activate interfaces xe-2/0/0user@node#commit
PR998246
• In the Ethernet ring protection switching (ERPS) environment, once graceful Routing
Engine switchover (GRES) happens on the ring protection links (RPLs) owner node,
there will be a ~30s Ring automatic protection switching (R-APS)message storm in
the ring, which in turn causes some VPLS instance flapping. PR1004066
• In BGP-VPLS scenarios with GRES activated, rpd process might crash in cycles after
manually restarting rpd. PR1011165
MPLS
• In the MPLS environment with no-cspf and strict ERO configuration. In race condition,
if a PATHmessage with routing loop error is received before standby Routing Engine
has resolved the correct PATHmessage with no loop, some of LSP are not replicated
on standby Routing Engine. If Routing Engine switchover occurs, the forwarding traffic
might be affected. PR986714
Network Management andMonitoring
• The Packet Forwarding Engine local protocol statistics are 32-bit counters. If there is
a rollover (typical candidates are arp/lacp), those counters start from zero. mib2d will
addall counters again if oneof thepfe statistics traffic counter is less then theprevious
collected counter, causing the multiplication affect. PR986712
• Alarmmanagement daemon runs onmaster and backup Routing Engines on dual
Routing Engine systems. There is a 80megabyte alarm.db file that is copied over from
masterRoutingEnginetobackupRoutingEnginewhenthealarm-managementdaemon
has come up on both the Routing Engines. The basic issue is that alarm-management
daemon is trying to copy the alarm.db file over and over again in an infinite loop on the
system, causing CPU utilization shooting up after every 20 seconds or so. PR988969
Platform and Infrastructure
• The error message 'unlink(): failed to delete .perm file: No such file or directory' was
logged when disconnecting from a Telnet session to the router. PR876508
• The cprod commands essentially allow "root" access to FPCs. Therefore, access to
those commands should be highly restricted. The issue here is any user with "shell"
permissionwill beallowed tousecprodcommand.Weshouldadd restrictions to cprod
to only "root" permission users. PR924574
• The continuous executing of CLI mib walk commandmight cause user being unable
to issue showcommandsandenter configuremodewith error "Littlememory remains.
Command not stored in history." PR949735
• OnMX Series platform, MPCmight crash and reboot when a non-template filter gets
deleted (but does not get completely cleaned up) and the same filter index gets
Copyright © 2017, Juniper Networks, Inc.188
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
reassigned toa template filter. This couldbeconsideredasa timing issuegiven it comes
with a very specific sequence of events only. PR949975
• When a port being used for port mirroring goes down due to an external factor, such
asa fiber cut or the remote side rebooting, theFPCCPUmay rise to 100%for4minutes
and then followedbya reboot of the FPCwith a reasonof "pfemanwatchdogexpired".
The issue will only be observed occasionally and requires that the FPC CPU is already
very busy and very large firewall filters (thousands of terms long) to be used. If any of
these three factors are not present, the issue will not occur. As such disabling the port
being used for portmirroring on the Juniper prior to bringing down that link is sufficient
to avoid this issue. PR968393
• OnMX Series based line card, VPLS traffic might get blocked for about 5 minutes
(timer of MAC address aged-out) after re-negotiating control-word. PR973222
• The problem is seen because CFMD is getting a configuration commit after theMX-VC
switch has happened. This commit is deleting the cfmd session and then creating a
new sessionwhich is causing the old information of action-profile to be deletedwhich
brings the interface back up. This problem is fixed by the code correction. PR974663
• OnMXSeries Virtual Chassis platforms, if you configure the interface alias feature, the
featuremightnotworkasexpectedand interfacesmightgoupanddownafter commit.
PR981249
• Have BFD session between one router supporting inline-BFD (MXSeries and JunosOS
Release 13.3 or later) and the other which does not support inline-BFD (any version
andnon-MXSeries, orMXSeriesand JunosOSprior to 13.3).When the "failuredetection
time" is less than 50ms, the BFD session might flap. PR982258
• OnMX2020/MX2010wemight see sporadic FO request time-out error reported under
heavy system traffic load. This would mean the request returning into a grant took
longer then +/-30usec. The packet will still get forwarded through the fabric hence no
operational impact. [May 6 18:56:59.174 LOG: Err] MQCHIP(2) FO Request time-out
error [May 6 19:33:47.555 LOG: Info] CMTFPC: Fabric request time out pfe 2 plane 6
pg 0, trying recovery PR991274
• Packets dropped with IPv6 reject route are currently subjected to loopback ipv6 filter
processing on MX Series-based line cards. As a result the packet dropped by a reject
route may be seen from the "show firewall log". PR994363
• On anMX Series router with MX Series linecard or T4000 router with type5.When the
firewall filter under the [forwarding-options] hierarchy within a bridge domain is
removed, it might result in lookup error and frame dropmight be observed. PR999083
• In the IRB interface environment with "destination-class-usage" configuration. If the
bridge domain ID is the same as Destination Class Usage (DCU) ID (bridge domain ID
and DCU ID are generated by system), the firewall filter might match wrong packets,
the packet forwarding would be affected. PR999649
• OnM7i, orM10i equippedwithEnhancedCompactForwardingEngineBoard (CFEB-E).
When a MPLS LSP flaps, the CFEB-E is unable to recover 8 bytes of JTREEmemory
per event. PR1000385
• MS PICmay reset after GRES in case of excessive resolve traffic. PR1001620
189Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• When sending traffic comingonMPCandgoing out onDPC, theMACentry on aPacket
Forwarding Engine will not be up-to-date and the frames targeted to a knownMAC
address will be flooded across the bridge domain. PR1003525
• The non-first IP fragments containing UDP payloadmay bemistakenly interpreted as
PTP packets if the following conditions are met: - the byte at the offset 9 in the IP
packet contains 0x11 (decimal 17) - UDP payload - the two bytes at the offset 22 in the
IP packet contain the value 0x01 0x3f (decimal 319; byte 22=0x01 and byte 23=0x3f)
- PTP protocol Themis-identification of the packet as PTP will trigger the corruption
of the fragment payload. PR1006718
• WhenMicro-BFD configurations is added after the ae bundle configuration, then
micro-bfdsession for all themember links remains in "Down"state.Below is thesnippet
as reference, when ae100 LACP state is "Disturbing", while micro-BFD session remain
in "Down" state while on the other end the session would be in "Init" state.
user@ndoeA> show lacp interfaces ae100 Aggregated interface: ae100 LACP state:
Role Exp Def Dist Col Syn Aggr Timeout Activity xe-0/3/0 Actor No No Yes Yes Yes
Yes Fast Active xe-0/3/0 Partner No No Yes Yes Yes Yes Fast Active xe-0/3/1 Actor
No No Yes Yes Yes Yes Fast Active xe-0/3/1 Partner No No Yes Yes Yes Yes Fast Active
LACPprotocol: ReceiveStateTransmitStateMuxState xe-0/3/0Current Fast periodic
Collecting distributing xe-0/3/1 Current Fast periodic Collecting distributing
user@ndoeA> show bfd session address 10.10.100.145 Detect Transmit Address State
Interface Time Interval Multiplier 10.10.100.145 Down xe-0/3/0 0.000 1.000 3
10.10.100.145 Down xe-0/3/1 0.000 1.000 3 PR1006809
• Memoryallocated in reference to theBFDsessionwasnotgetting freedup.This resulted
in memory leak and thememory exhaustion triggered crash. PR1007432
Routing Protocols
• When the IPv6 address on fxp0 is active during bootup, the joining of the all-router
group causes the kernel to create a ff02::2 route with a private next-hop, which is not
pushed to the Packet Forwarding Engine. When a non-fxp0 interface is active later,
theprivatenext-hopwill be sharedby thenon-fxp0 interfaceaswell, resulting inpacket
drops destined to ff02::2 on the non-management interface. - After this PR, the
advertising interface should be configured via the following CLI. [edit protocols] +
router-advertisement { + interface <interface_name>; + } PR824998
• Performing CLI command "clear multicast bandwidth-admission interface <int>" on
64-bit Junos OS results the rpd process crash. The command should be used without
the interface qualifier on the impacted releases. PR949680
• There are two receivers joined to same (S,G) and IGMP immediate-leave is configured.
When one of the receivers sends the leavemessage for (S,G), another receiver is not
receiving the traffic for 1-2 minutes. PR979936
• In the P2MP environment with OSPF adjacency are established. One router's time is
set to earlier date than another router. OSPF adjacency might not come up when one
router goes down and comes up. PR991540
• Bringing up DFWD based BFD sessions at scale causes a churn in DFW as a result of
which the FPC CPU usage remains at 100% for a prolonged timespan. PR992990
Copyright © 2017, Juniper Networks, Inc.190
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• BMP is not sending a correctly formatted prefix for inet/inet6 labeled unicast BGP
family routes. This occurs if the route resides in the inet[6].0 table, and not if the route
resides in the inet[6].3 table. PR996374
• There are two scenarios that the rpdmight crash. The first scenario is when all BGP
peers flap with bgp route target proxy configured. The second scenario is when BGP
session is configured in a way that one side is configured with family l2vpn
auto-discovery-only, while on the other side is configured with both family l2vpn
signaling and keep all configuration statements. PR1002190
• When IS-IS is configured for traffic engineer (TE), after remove family mpls from the
interface and remove the specific interface from [edit protocols rsvp] and [edit
protocols mpls] hierarchy level, corresponding link is not removed from the TED as
expected. PR1003159
• When there are more than 65535 "flow-spec" routes existing in the routing table, the
rpd processmight crash because it exceeds the currentmaximumsupportable scaling
numbers (Current scaling numbers are in the range of 10K~16K). PR1004575
• During unified in-service software upgrade (ISSU), when a Bidirectional Forwarding
Detection (BFD) session negotiation is happening, if the session is configured with 10
seconds or higher interval, BFD session would flap. PR1010161
• MisconfiguringBGP routevalidationsession to the router itselfmight lead to rpdprocess
crash. PR1010216
• In scaled BFD scenarios, BFD unified ISSU poll negotiation will fail causing the BFD
session to flap during unified ISSU. PR1012859
• Multicast packets might get dropped with NSR configured and graceful switchover of
the Routing Engine is performed. PR1020459
Services Applications
• OnMX240/480/960 routers with MS-DPCwith "deterministic-port-block-allocation
block-size" configuration. In rarecondition,when the "block-size" is set toa larger value
(in this case, block-size=16128), the Services PICmight crash. PR994107
• jflow-logging: seen "mspmand.core.ms41.0.gz*" with data traffic. PR994256
• The redundant services PIC (rsp-) interfaces or redundant Multiservices (rms-)
interfaces configured with "hot-standby" modemight flap upon committing any
configuration change (will happen for evenanunrelated interfacedescription change).
PR1000591
• The following messages are being logged at ERR not DEBUG severity: mspd[3618]:
mspd: Nomember config mspd[3618]: mspd: Building package info This PR sets the
correct severity. PR1003640
191Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Subscriber Access Management
• MIB entries for jnxUserAAAAccessPoolRoutingInstancemay not appear after deleting
and re-adding an assignement pool under a routing instance. PR998967
VPNs
• In theRosenMVPNenvironment, somedatawouldpass intermittently over thedefault
MDT even after hitting threshold to switch to data MDT. PR999019
• Serving site B is not receiving all the traffic from serving site A when traffic is reduced
from the exceeded cmcast limit. PR1001861
Resolved Issues: Release 13.3R3
• Class of Service (CoS) on page 192
• Forwarding and Sampling on page 193
• General Routing on page 193
• Infrastructure on page 197
• Interfaces and Chassis on page 197
• Layer 2 Features on page 199
• MPLS on page 200
• Network Management and Monitoring on page 201
• OpenFlow on page 201
• Platform and Infrastructure on page 201
• Routing Protocols on page 204
• Services Applications on page 205
• Software Installation and Upgrade on page 206
• Subscriber Access Management on page 207
• User Interface and Configuration on page 207
• VPNs on page 207
Class of Service (CoS)
• We cannot bind classifier on GRE interface" for MX Series routers withMPCs andMICs
for some customer demand now. To restore the old behavior, we can configure
'exp-default' configuration statement onGRE interfacewith the fixed JunosOS image.
<< example >> set class-of-service interfaces gr-0/0/0 unit 0 classifiers exp default.
PR941908
• If anyof the schedulers havean IDof zero, cosdprocessmight crash followingacommit.
PR953523
• Sometimes the cosd generate the coredumpwhen add/delete child interface on the
LAG bundle. PR961119
Copyright © 2017, Juniper Networks, Inc.192
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Applying a scheduler with transmit rate below 65,535 bps and rate-limit option fails
the commit if the associated interface is an non-existing interface or a virtual interface.
PR964647
• OnMX Series router with non-Q DPC (in this case, DPCE 40x 1GE R), when the
"interface-set" is configured on a non-Q DPC, then execute the command "show
interfaces interface-setqueue<interface-set-name>", theDPCmightcrash. PR979668
Forwarding and Sampling
• VPLSmac-table does not gets populated with mac of previous lt interface after
replacing the lt interface in the configuration, that might cause CE connected to the lt
interface to get isolated. PR955314
• When port-mirroring or sampling is configured, if a lot of route updates are happening
in the system, the routing protocol convergence timemight be long and packets loss
might be observed. PR963060
• In the large scaledDHCPsubscribers setup (e.g. 54,000dual-stackDHCPsubscribers),
dynamic firewall daemon (dfwd)memory leak during DHCP subscribers login/logout.
PR967328
• DPC crashed after deactivate/activate [routing-instances TPIX bridge-domains IX
bridge-options]. PR983640
General Routing
• The ingress family feature (uRPF) unicast Reverse Path Forwarding check execution
order was invalidated when (FBF) Filter Based Forwarding was enabled on MX Series
routers with MPCs or MICs. This solution repositions uRPF just prior to Filter Based
Forwaarding (FBF), so that both actions are compatible and applicable. This applies
to both IPv4 and IPv6. PR805599
• OnMX Series routers containing multiple Packet Forwarding Engines such as
MX240/MX480/MX960/MX2010/MX2020,witheitherMPC3EorMPC4Ecards(MPC3
Type 3 3D/MPC4E 3D 2CGE+8XGE/MPC4E 3D 32XGE), if multicast traffic or Layer 2
flood traffic enters the router via these MPC3E or MPC4E line cards, these line cards
mayexhibit a lockup, andoneormoreof their Packet ForwardingEngines corrupt traffic
towards the router fabric. PR931755
• In theMX-VCscenario, havechassis fabric redundancymodeset to increasedbandwidth
(root@user# set chassis fabric redundancy-mode increased-bandwidth). Then
configure the "offline-on-fabric-bandwidth-reduction" for any slot (root@user# set
chassis fpc<slot>offline-on-fabric-bandwidth-reduction). After that execute commit,
the commit check failed and chassisd crashed with core-dumps. PR932356
• Thisproblemoccurswhena largeamountof servicesandamsconfiguration is changed
in a single override operation. A workaround for this problem is to offline and online
the PIC during or after the configuration change. PR933674
• In Junos OS versions later than 11.2 where IFL localization is enabled, Routing Engine
mastership switchover could lead to IFL indexes inconsistency in Ichip FPCs when
graceful Routing Engine switchover (GRES) is configured. This inconsistency could
gradually lead to IFL index overlaps and traffic blackholing. PR940122
193Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• When nonstop active routing (NSR) is configured and thememory utilization of rpd
process on the backup Routing Engine is high (1.4G or above), the rpd crash on backup
RoutingEnginemaybounce theBGPsessionson themasterRoutingEngine. PR942981
• Under particular scenarios, commit action might lead the Context-Identifier to be
ignored when OSPF protocol refresh its database. Then the PE router will stop
advertising this Context-Identifier out. PR954033
• FPCmight lose the socket connection to the Routing Engine during the time kernel
live-core dump is active. IGP session might get dropped after the socket connection
got closed.TheFPCwill get restartedby thekernel once the live-coredumphas finished.
PR954045
• Softwarewillmonitor the FPDdial setting in SFC and LCCand raise a alarm if changed
during runtime. In SFC the config dial and in LCCM/S dial will bemonitored. PR955319
• "show interfaces et-x/y/z extensive" will display MRU now. MRU can be configured at
"set interfaces et-x/y/z gigether-options mru" If MRU is not configured then it is
defaulted toMTU+8.MRUdisplayed fromtheCLIdoesnot include theCRC. PR958162
• To support controlwordonBGP-VPLS forM-320 (i-chip) andMX(DPC+MPC), below
2 config configuration statements are newly introduced. routing-instances { green {
protocols { vpls { + control-word; <<<<<<<<< new configuration statement. +
no-control-word; <<<<<<<< new configuration statement. } } } } To omit IP payload
over ether-pw from hash-key for MX Series, A new configuration statement like below
will be provided. forwarding-options { enhanced-hash-key { family mpls { +
no-ether-pseudowire; } } } PR958685
• In subscribermanagement environment, upgrade JunosOS to specific version (include
12.3R6 13.2R4 13.3R2) via ISSUmight make subsequence subscribers fail to connect
with following error: "jdhcpd_profile_request: Add Profile dhcp request failed for client
in state LOCAL_SERVER_STATE_WAIT_AUTH_REQ: error = 301". PR959828
• OnMXVirtual Chassis (MX-VC), if multiple VCP ports are configured betweenMPC5E
cards, traffic might not be load balanced over the VCP ports, besides, packets might
get lost due to VC ingress and egress next-hop caches getting out of synchronization.
PR960803
• Default threshold for ES-FPC errors is 1 for major errors and 10 for minor errors, when
the threshold is reached, someactions (eg, alarm|offline-pic|log|get-state|offline|reset)
will be taken by FPC as configured. This feature is designed for permament/real errors.
The issue here is that even some transient errors (eg, link flaps) will also trigger the
default action. In some cases, it might cause panic for the FPC. PR961165
• Ethernet over ATM LLC hasmissing OUI information. PR961468
• Onall JunosOSplatforms, if aneventoccurs that causes thePacket ForwardingEngine
to restart, service might be interrupted because the stale interface index has not been
deleted. PR962558
• In the initial router configuration, if static routes are configured over GRE interface and
OAM is enable, then the static routesmay remain active while the GRE tunnel is down.
PR966353
Copyright © 2017, Juniper Networks, Inc.194
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• NHtracingprovidesa lightweightmechanismtocaptureNHchains traversedbypackets
of interest for further examination. PR967450
• Support for layer 3 VPN localization has been deprecated in the JunosOS releases and
platforms listedbelow.This affects the followingCLI command: "set routing-instances
[instance-name] routing-options localize" Junos OS releases: - 12.3R7 (CLI command
is hidden) - 13.1R5 (CLI command is hidden) - 13.2R5 (CLI command is hidden) - 13.3R3
(CLI command is removed) - 14.1 (CLI command is removed) - 14.2 (CLI command is
removed) Platforms: - M 320 Series router - MX Series routers (all) - T Series routers
(all). PR967584
• OnMX Series platform, when the Channelized T1/E1 Circuit Emulation MIC
(MIC-3D-16CHE1-T1-CE) with non-enhanced queuing MPC1 or MPC2 is inserted, no
traffic is being forwarded out of the T1/E1 ports. PR967861
• Although receiving the flow specification (flowspec) routes with packet-length,
icmp-code or icmp-typematching rules from a BGP peer properly, the local firewall
filter in the Packet Forwarding Engines might not include these matching rules.
PR968125
• Autoheal denied reasonmay not be shown if CRC errors occurs on the same cable
from F13 side more than once in an autoheal window and subsequently error is seen
is again from LCC side. PR973783
• In processing for fpc-resync and fab-liveness packets if error occurs while sending
packet we do not free the packet. This causes packets buffers to leak and eventually
the packet heap runs out of memory. PR973892
• You cannot configure an MTU value on family inet greater than 1496 if there is a trunk
port configured on the interface; if you configure an MTU greater than 1496, a commit
error occurs. If you configure an MTU value on a physical interface on which a trunk
interface is configured, the configuredMTUvalue is ignored and the value is set to 1518.
These issues do not occur if there is no trunk port on the interface. PR974809
• PPP over ATM transit traffic was not being fragmented correctly by ATMMIC. The
changes allow the fragmentation of the transit traffic to work properly. PR976508
• Changing service-set configuration continuously during scaled traffic conditions may
result in mspmand process crash and a core file generated. PR978032
• On T Series router with FIB Localization enabled, if reboot the Routing Engine while
scaled traffic running, the FIB-remote FPCmight crash. PR979098
• In the high scale P2MP LSP environment, heapmemory leak might occur when the
LSP flaps. Then some P2MP LSPsmight be not installed, so the traffic will lose.
PR979211
• scale-subscriber "License Used" filed shows wrong value after GRES. PR980399
• In rare condition, when PPPoE subscribers login with large amounts of configuration
data, the subscriber management infrastructure daemon (smid) and authentication
service process (authd) might crash, and no new subscribers could connect to the
router. PR980646
195Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• In the BFD environment with static route, the BFD session is established between two
routers.When disable the subinterface on one router, the BFD AdminDown packet will
be sent out from the router (this is not expected). But according to RFC 5882, another
router receives theAdminDownpacket, the static routewill never bedeleted on it. That
might cause traffic packets to be dropped. PR982588
• In scenarioofNG-MVPNwithP2MPLSPasprovider tunnel,KernelRoutingTable (KRT)
might get stuck after making changes for MVPN, then traffic loss will be seen, and
besides, rpd processmight crash while trying to generate a live core dump. PR982959
• With a firewall policer configured onmore than 256 IFFs (interface address family) of
a PIC, then offline and online the PICmight cause the FPC to crash. PR983999
• OpenSSL library in Junos OSwas patched to resolve CVE-2010-5298. PR984416
• OnM7i/M10iwith enchancedCFEB,M320with E3-FPC,M120andMXSerieswithDPC.
In a race condition, the Dense Port Concentrator (DPC)may crashwhen ifls get added
to an ifl-set while that same ifl-set get deactivated/deleted in class-of-service. For
example:#set interfaces interface-set interface_set_JTAC_ge-3/0/0 interfacege-3/0/0
unit 100 # deactivate class-of-service interfaces interface-set
interface_set_JTAC_ge-3/0/0 # commit or (quick commit of following changes) # set
interfaces interface-set interface_set_JTAC_ge-3/0/0 interface ge-3/0/0 # commit
# deactivate class-of-service interfaces interface-set interface_set_JTAC_ge-3/0/0
# commit. PR985974
• OpenFlow does not respond to port_down events when the echo interval timeout is
set for less than 11 seconds. PR989308
• The fabric performance ofMPC1, MPC2, or 16xXEMPC in 'increased-bandwidth'mode
on an MX960 populated with SCBE's will be less compared to redundant mode due
to XF1 ASIC scheduling bugs. PR993787
• Under normal circumstances, the Maximum Receive Unit (MRU) value is set to MTU
size + 8 bytes (e.g. MTU=9102, MRU=9102+8=9110). But in this case, whenMTU is set
to a large value (MTU=9192) on AE interface, theMRU still uses the default value 1522
bytes. Sowhen the interface receives packetswhich size aremore than 1522 bytes, the
packets are dropped. PR994826
• On10X10GESFPP,whenan interfaceconfigured forCCCandasynchronous-notification,
and it is told to turn off its laser. Its laser flaps on and off for some period of time.
PR996277
• On T4000 router with type5 FPC. After FPC rebooting, if chassisd process does not
get FPC ready/FPConlineACKmessage fromFPC in 360 seconds, the FPCmight reset
again. PR998075
• The PICmemory gauge counters show up as 0 after a GRES switchover in the "show
chassis pic fpc-slot X pic-slot Y" output. PR1000111
Copyright © 2017, Juniper Networks, Inc.196
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• ServicePIConMS-MPCcardcouldcore-dumpand restart on receivingastraySIGQUIT
signal due to it not handling the signal.With this fixwe ignoreSIGQUIT signal andavoid
Service PIC restart. PR1004195
• When using AMS load-balancing if a PIC in the AMS bundled if offline for any reason
and the operator on-lines the pic there is slight 30 to 40 secondmomentary traffic
loss. PR1005665
Infrastructure
• OnRE-S-1800familyofRoutingEngine, afteran intensivewriting toSSD, the immediate
rebooting might cause SSD to corrupt. PR937774
Interfaces and Chassis
• If the "tunnel-destination"addressofaGenericRoutingEncapsulation (GRE) interface
is placed in one instance and the GRE interface is placed in another routing-instance,
the lookup for the GRE tunnel destination is done on inet.0 instead of the appropriate
routing instance's inet.0 table. The similar issue could happen on IP-over-IP or
Automatic Multicast Tunneling (AMT) tunnels too. PR851165
• NPC crash seen while verifying Inline Jflow in both RE0 and RE1 and do switchover 10
times and verify new files are updated properly. This is software bug which have been
fixed in 12.3R5. PR905916
• The Packet Forwarding Engine alarms raised by PFEMAN thread using cmalarm api
calls will not be transmitted to Routing Engine. As impact, these alarmswill not reflect
on Routing Engine. There is no impact on functionality, otherwise. PR921254
• If offline and remove a Non-Ethernet Modular Interface Card (MIC) fromMX Series
and then perform a unified in-service-software-upgrade (ISSU), the unified ISSUmay
get aborted. This happens because although theMIC is removed physically but it does
not get removed from the hardware database (HWDB), which makes the chassis
mistakenly try to offline the already removedMICduring unified ISSUand in turn cause
the upgrade failure. PR923569
• Queue stats counters for AE interface will become invalid after deactivating ifl on the
AE interface. PR926617
• Strange FRU Insertion trap[RE PCMCIA card 0] is generated when Routing Engine
master-switching is done on box with RE-1800. PR943767
• Kernel crash might happen when a router running a Junos OS install with the fix to PR
937774 is rebooted. This problemwill not be observed during the upgrade to this Junos
OS install. It occurs late enough in the shutdown procedure that it shouldn't interfere
with normal operation. PR956691
• When an ifl containing some vrrp group configuration is deleted, snmpwalk on vrrp
MIBmay loop continuously. PR957975
• If there is an IRB interface configured for "family inet6" in a bridge-domain on an MX
Series router, the Packet Forwarding Engine may not correctly update the next-hop
for an IPv6 route when theMAC address associatedwith the next-hopmoves from an
AE interface to a non-AE interface. PR958019
197Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• In very uncommon situation, we will see LCCs chassisd state is inconsistent with SFC
chassisd state, this is verymisleading in troubleshooting stage. This PR fixed this issue.
PR963342
• Link speed of a LAG bundle may not properly reflect the total bandwidth, when
microBFD is enabled on the LAG interface. PR967046
• Temperature Top and Bottom are swapped in show chassis environments output for
Type3/Type4 FPCs of T Series. PR975758
• In the large scaled VPLS environment , during delete routing-instance of type VPLS,
thememory is not getting freed. The connectivity-fault management daemon (cfmd)
might crash with a core file generated.The core files could be seen by executing CLI
command "show system core-dumps". PR975858
• Vrrpdmemory leaksonlyonbackupRoutingEnginewithoutanyoperationoncondition
that graceful-switchover under chassis/redundancy is enabled and nonstop-routing
under routing-options is disabled with configuring ipv6 vrrp groups. PR978057
• In the multilink frame relay (mlfr) environment with "disable-tx" configuration. When
the differential delay exceeds the red limit, the transmission is disabled on the bundle
link. When it is restored, the link should be added back. But in this case, the link stays
disable state and it is not rejoined to the bundle. PR978855
• After the following process, we can findMCAEbecomes standby/standby status. Even
if we set "set interfaces aeX aggregated-ether-optionsmc-ae events iccp-peer-down
prefer-status-control-active" for both routers, we can find this issue. << topology
example >> iccp ge-1/0/1 ge-1/0/1 [ MX80(router A)]-----------------[MX240(router
B)] \ ae0 ae0 / --active-- \ / --standby-- \ MC-LAG / \ / \ / ae0(ge-0/0/0)\
/ae0(ge-0/0/1) [ EX4200(switch C) ] << process >> initial status router A : active
router B : standby 1. disable ae0 of router A. 2. disable iccp link of router A. 3. disable
ae0 of switch C 4. enable iccp link of router A. (Please wait until iccp status up.) 5.
enable ae0 of switch C 6. enable ae0 of router A. PR982713
• When upgrading to 13.3R2, customermay see the followingmessages: Chassis control
process: rtslib: ERROR kernel does not support all messages: expected 104 got 103,a
reboot or software upgrademay be required Chassis control process: Chassis control
process: rtslib: WARNING version mismatch for msgmacsec (103): expected 99 got
191,a reboot or software upgrademay be required Chassis control process: Chassis
control process: rtslib: ERROR kernel does not support allmessages: expected 104 got
103,a reboot or software upgrademay be required Chassis control process: Chassis
control process: rtslib: WARNING version mismatch for msgmacsec (103): expected
99got 191,a rebootor softwareupgrademaybe requiredThesemessagesaregenerated
during validating the new chassis management daemon against the old kernel, and
are harmless. PR983735
• 1GbE SFP(EX-SFP-1FE-LX) output optical power is restored after reseating bymanual
removal/insert of SFP although the IF is disabled. PR984192
• SNMPOID VRRP-MIB::vrrpAssoIpAddrRowStatus returns only one Ip address when
the interface ifl has configured with two virtual-addressees under two vrrp-groups.
PR987992
Copyright © 2017, Juniper Networks, Inc.198
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Followingmessages couldbe seenon the router for the FPCslotwhich are evenempty.
These messages are cosmetic and could be ignored. chassisd[1637]: %DAEMON-6:
FPC 0 does not support Pic power off config cmd ignoring the config change
chassisd[1637]: %DAEMON-6: FPC 2 does not support Pic power off config cmd
ignoring the config change. PR988987
• CFMDmay crash after configuration change of an interface in a logical systemwhich
is under OAM config for a l2vpn instance. PR991122
Layer 2 Features
• WhenDHCP local server andDHCPrelayarebothconfiguredonsame router, theDHCP
relaybindingmightget lost if agracefulRoutingEngine switchover (GRES) isperformed.
PR940111
• In L3Wholesale environment, the DHCP clients might fail to renew their address in
DHCP relay scenario. PR956675
• Configuring Ethernet Ring Protection Switching (ERPS), after changing interface's
MTUonRing Protection Link (RPL) owner, all the interfaces on RPL owner change into
forwarding state, hence cause a layer 2 loop. PR964727
• OnMXSeries platformwith Ethernet Ring Protection Switching (ERPS) configuration,
after disabled Ring Protection Link (RPL) interface and thenmove RPL fromwest
interface to east interface, as a result, the ERPS east and west interface might go into
discard state at same time. PR970121
• In DHCPv6 subscriber environment, changing the c-tags (inner vlan)without clear the
DHCPv6 clients first is not recommended, it might cause the subscriber to use the old
inner vlan even after DHCPv6 RENEW process. PR970451
• When Cisco running in an old version of PVST+, it does not carry VLAN ID in the end of
BPDU. So Juniper Networks equipment fails to responds to Topology Change
Notification ACK packet when it interoperates with Cisco equipment. After the fix,
Juniper equipmentwill read theVLAN ID information fromEthernet header. PR984563
• Layer 2 Control Protocol process (l2cpd) is used to enable features such as Layer 2
protocol tunneling or nonstop bridging. If a router receives a Link Layer Discovery
Protocol (LLDP) packets withmultiplemanagement address TLV,memory leakmight
occur which resulting in l2cpd process crash. PR986716
• jnxLacpTimeOut trapmayshownegative valuesand incorrect values for jnxLacpifIndex
and jnxLacpAggregateifIndex. PR994725
• In race condition, when FPC gets rebooted or reset, link(s) from this FPC which are
part of aggregate-ethernetbundlewould remain in LACP"Detached" state indefinitely.
user@node> show lacp interfaces ae102Aggregated interface: ae102 LACPstate: Role
Exp Def Dist Col Syn Aggr Timeout Activity xe-2/0/0 Actor No Yes No No No Yes Fast
Active xe-2/0/0 Partner No Yes No No No Yes Fast Passive xe-2/0/1 Actor No No Yes
Yes Yes Yes Fast Active xe-2/0/1 Partner No No Yes Yes Yes Yes Fast Active LACP
protocol: Receive State Transmit State Mux State xe-2/0/0 Defaulted Fast periodic
Detached xe-2/0/1 Current Fast periodic Collecting distributing user@node> show
interfaces xe-2/0/0 terse Interface Admin Link Proto Local Remote xe-2/0/0 up up
xe-2/0/0.0 up up aenet --> ae102.0 xe-2/0/0.32767 up up aenet --> ae102.32767 This
199Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
issue would be seen when associated aggregate-ethernet bundle is configured for
vlan-tagging. To clear this condition, the affected interface should be deactivated and
activated using CLI commands. ============ [edit] user@node# deactivate
interfaces xe-2/0/0[edit] user@node#commit [edit] user@node#activate interfaces
xe-2/0/0 [edit] user@node# commit ============ PR998246
MPLS
• When the install prefix (specified by the "install" configuration statement) and
destination prefix (specified by the "to" address of the LSP) are same for a static LSP,
the routing protocol process (rpd) might crash while deleting the LSP. PR958005
• During SNMPwalk on tableMPLS cross-connect table (mplsXCTable) in case of flood
nexthop, the rpdmight crash. PR964600
• In the large scaled MPLS setup with NSR enabled. When restart routing protocol
daemon (rpd) on standby Routing Engine, or reload standby Routing Engine, or reload
router, some filtered output label bindings might bemissed on the backup Routing
Engine,which leads toLabelDistributionProtocol (LDP)databasebetween themaster
and backup Routing Engines are inconsistent. PR970816
• In a scaled MPLS environment, whenever fast reroute (FRR) or Link Protection (LP)
or Node Protection (NP) is configured, the switchover from the primary LSP to the
secondary LSPmight cause traffic loss for few seconds. PR973070
• In the MPLS environment, when execute the command "show snmpmib walk
mplsXCTable" to walk the MPLS cross connect table, the routing protocol daemon
(rpd) CPU utilization might reach over 90%, and the rpd process does not respond to
any CLI show commands. PR978381
• snmpwalk/snmpgetnextor "showsnmpmibwalk" failwhenpollingMPLSLSPOCTETS,
MPLSLSPPACKETS, MPLSLSPINFOOCTETS or MPLSLSPINFOPACKETS. PR981061
• LSPmetricmodification leads to Constrained Shortest Path First(CSPF) computation
and resignaling. It should update RSVP routes directly. PR985099
• In the MPLS environment with "egress-protection" configuration, there is a direct LDP
session between primary PE and protector. One context-id is configured as primary
PE's loopback address or any LDP enabled interface address. When delete the whole
apply-group or delete the ldp policy from apply-group, the routing protocol daemon
(rpd) might crash. PR988775
• In the virtual private LAN service (VPLS) environment with multihoming (FEC 129) is
configured, when the router receives the label request for the Forwarding Equivalency
Class (FEC) 129, if there is no route for the specific FEC 129, the routingprotocol daemon
might crash. PR992983
Copyright © 2017, Juniper Networks, Inc.200
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Network Management andMonitoring
• Alarmmanagement daemon runs onmaster and backup Routing Engine on dual
Routing Engine systems. There is a 80megabyte alarm.db file that is copied over from
masterRoutingEnginetobackupRoutingEnginewhenthealarm-managementdaemon
has come up on both the Routing Engines. The basic issue is that alarm-management
daemon is trying to copy the alarm.db file over and over again in an infinite loop on the
system, causing CPU utilization to shoot up after every 20 seconds or so. PR988969
OpenFlow
• OpenFlow v1.0 running on an MX Series router does not respond reliably to interface
up or down events within a specified time interval. Per a fix implemented in Junos OS
Release 13.3R3.6, OpenFlow v1.0 running on an MX Series router responds reliably to
interface up or down events if the echo interval timeout is set to 11 seconds or more.
PR989308
Platform and Infrastructure
• Since theACPowerSystemonMX2020 isaN+Nfeed redundantandN+1power supply
modules (PSMs) redundant, there are two separate input stages per PSM , each
connected to one of the two different/redundant feeds. However, only one stage is
active at a time. This means, the other input stage (unused input stage) may be bad
and systemwill not know about it till it tries to switch to it in case of a feed failure.
PR832434
• When using OSPF/OSPFv3 with interface type point-to-point, it is possible that the
OSPFsession(usingmulticast traffic exclusively) tocomeupbeforenext-hop resolution
is done (ARP, or ND). In this case, transit traffic will be discarded, until resolution is
done. When you havemultiple links available, then the route will be balanced using a
"unilist" next-hop.When one of the links in the "unilist" doesn’t have layer2 resolution,
these next-hopswill actually drop traffic. The fix added by this PRwill make unilist not
contain forwarding and non-forwarding at the same time.When theNH resolutionwill
be done, then the link will be added to the unilist. PR832974
• The error message 'unlink(): failed to delete .perm file: No such file or directory' was
logged when disconnecting from a Telnet session to the router. PR876508
• When the instance have vlan-id all and adding interface unit with "vlan-tags outer X
innerY" to this instance, traffic fromALL instanceVLANs is leakingover that unit tagged
with outer tag X and each VLANs own inner tag A,B.C,..... Fix: When the instance have
vlan-id all, for dual tagged ifl the inner vlan check will be done. PR883760
• OnMX Series based line card, for interfaces tagged with VLAN ID same as the
native-vlan-id configured on the interface, FPC adds Native VLAN ID to the packets
received on the interface and destined to the host. This is irrespective of the packet
content. This results in the packets getting doubly tagged when receiving packets
which are already tagged with VLAN IDmatching the Native VLAN ID, and thus cause
ARP resolution failure on Native VLAN. For example, the ARP packets to IRB (on VLAN
101) are tagged with VLAN ID 101 (which is also the native VLAN ID) and are getting
additional tagged. Hence they are dropped by the IRB and this can cause the ARP
request packet not getting resolved on Native VLAN. PR917576
201Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• When the transit traffic is hitting the router and the destination is a local segment IP
which requires ARP resolution, it's mis-classified by the DDOS filter and an incorrect
policer is applied. This leads to host queue congestion. PR924807
• Startingwith JunosOSRelease 13.3and later, the rangeofCLI screen-with is40 through
1024 (in earlier Junos OS releases, the range is 0 through 1024). This PR restores the
option of setting screen-width to 0 resulting in unlimited screen width. PR936460
• The Routing Engine and FPCs are connectedwith an internal Ethernet switch. In some
rare case, the FPCsmight receive amalformed packet from the Routing Engine (e.g.
packet gets corrupted somewhere on its way from Routing Engine to FPC). Then the
toxic traffic might crash the FPC. PR938578
• MPC Type 2 3Dmay crash with CPU hog due to excessive link flaps causing the
interrupts to go high. PR938956
• On a router which does a MPLS label POP operation (penultimate hop router for
example) if the resulting packet (IPv4 or IPv6) is corrupted then it will be dropped.
PR943382
• If a PE router is both egress and trazit node for a p2mp lsp, the Packet Forwarding
Engine may report errors and install a discard state for the fib entry representing the
p2mp lsp label with bottom of stack bit set to 0 . This problem does not have any
impact since there is no application using the s=0 entry of a p2mp lsp. PR950575
• * MX2020 FanTray power specification. - zone#1:FT#3 - gets power from zone#1 only
- zone#1:FT#2 - gets power from zone#0 in case of no-power in zone#1 - zone#0:FT#1
- gets power from zone#0 only - zone#0:FT#0 - gets power from zone#1 in case of
no-power in zone#0 - Critical(Minimum) number for MX2020 operation is 3 If one of
zone has no PSM, then it means FAN single-fault in the chassis's point of view. For
example, if zone#1hasnoPSM, then theFT#3doesnotgetpoweras it is local-powered
FT. Hence, in this case, the FT#3-LED should showORANGE to notify the single-fault
to user,while FT#2 can showsGREEN if it gets enoughpower fromzone#0. In addition,
CRAFT-LED for FT#3 should be turned off. * Due to HW-limit(bicolor), it could not
showORANGE color. In current implementation, both CRAFT-LED, FT#3-LED show
GREEN. That's problem. * NOTE: JunosOS does not support FT double-fault scenario.
(MX2020 needsminimum 3 FTs.) If FT#2 gets in trouble in above case(i.e.,FT
double-fault), the user should see serious cooling-trouble on SFMs within 1 minute.
PR957395
• Unable to modify dynamic configuration database after first commit. PR959450
• When we set "traffic-manager mode ingress-and-egress" on "MIC-3D-40GE-TX (3D
40x 1GE(LAN)RJ45)",we cannot use ingress queue correctly onPIC2 andPIC3. *Note:
We cannot see this issue if we set the above configuration to PIC0 or PIC1. PR959915
• Certain combinations of Junos OS CLI commands and arguments have been found to
be exploitable in a way that can allow root access to the operating system. This may
allow any user with permissions to run these CLI commands the ability to achieve
elevated privileges and gain complete control of the device. Refer to JSA10634 for
more information. PR965762
• Certain combinations of Junos OS CLI commands and arguments have been found to
be exploitable in a way that can allow root access to the operating system. This may
Copyright © 2017, Juniper Networks, Inc.202
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
allow any user with permissions to run these CLI commands the ability to achieve
elevated privileges and gain complete control of the device. Refer to JSA10634 for
more information. PR966808
• Certain combinations of Junos OS CLI commands and arguments have been found to
be exploitable in a way that can allow root access to the operating system. This may
allow any user with permissions to run these CLI commands the ability to achieve
elevated privileges and gain complete control of the device. Refer to JSA10634 for
more information. PR969365
• A defect in L3VPNMake Before Break code was resulting in freeing memory
corresponding tooldnexthopswhich isbeingusedbyegressPacket ForwardingEngine.
This was resulting in memory corruption. PR971821
• WithNG-MVPN,multicast trafficmight get duplicatedand/or blackholed if aPE router,
with active local receivers, is also a transit node and the p2mp lsp is branched down
over an aggregate interface with members on different Packet Forwarding Engines.
PR973938
• SNMP alarms/traps could be generated for unpowered fan trays when only one zone
is powered. PR982970
• OnMX Series platform, when filter is applied on the interface with the action of "then
next-interface", thepackets that are forwardedby the firewall filterwouldbecorrupted.
PR986555
• Interface aliaswas not shown in the show commandswhen configured. Now interface
aliaswill be shown (IF CONFIGURED) in show commands containing interface names.
A |display no-interface-alias command adds the ability to show the actual interface
name if its needed. PR988245
• When services packet(interface-style) is diverted to different routing-instance using
a firewall filter, route lookup of the services packet wasmatching a reject route which
results in PPE thread timeout. PR988553
• TXPwith 13.1R4might not trigger autoheal after65535CRCerror eventon inter-chassis
optical hsl2 link. Customer will need to domanual fabric plane reset to recover the
faulty SIBs after the 65535 CRC error event. PR988886
• NPC core /../src/pfe/ukern/cpu-ppc/ppc603e_panic.c:68. PR989240
• On logical-systems, backup rpd of logical systems is not getting SIGHUPwhen the
"commit fast-synchronize" statement at the [edit system] hierarchy level is enabled.
It causes the issue "restarting backup rpd" of logical systems (as part of recovery
mechanism). PR990347
• Whentwomidplane linkerrorsarepresentbetweenF13andF2Sibs thenCLOSrerouting
logic does not work properly. This can introduce RODR packet drops and result in
destination errors in the plane. PR992677
• "delete" or "deactivate" of apply-group defining the entire TACACS or RADIUS
configuration configured under [edit system apply-group <>] does not take effect on
commit. This could lead to TACACS or RADIUS based authentication to still continue
working despite removal (delete/deactivate) of configuration. PR992837
203Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• OnMX Series router with MPCs or MICs or T4000 router with type5 FPC, if the CoS
scheduler is configured without transmit-rate while with buffer-size temporal, the
Packet Forwarding Engine might not allocate buffer for the associated queue. The
issue might lead to packets loss. PR999029
• The configuration to be applied to the feature auto backup Routing Engine upgrade
for NON-GRES case when back up Routing Engine has unsupported CB. policy
FRU-UNSUPPORTED { events CHASSISD_FRU_UNSUPPORTED; attributes-match {
CHASSISD_FRU_UNSUPPORTED.fru-namematches CB; } then { event-script
auto-image-upgrade.slax; } } event-script { file auto-image-upgrade.slax; }
Recommended setting: -------------------- Since above
CHASSISD_FRU_UNSUPPORTED event generated for every 20mins on box after boot
up, to stop from repetitive execution of this event policy, we can specify following
'within clause' in the event policy configuration. policy FRU-UNSUPPORTED { events
CHASSISD_FRU_UNSUPPORTED; within 1200 { not events
CHASSISD_FRU_UNSUPPORTED; } attributes-match {
CHASSISD_FRU_UNSUPPORTED.fru-namematches CB; } then { event-script
auto-image-upgrade.slax; } } event-script { file auto-image-upgrade.slax; }PR1000476
Routing Protocols
• InPIM-SMnetworkwith"bootstrap routing"RPselectionmechanismused, it isobserved
that some bootstrapmessages (BSMs) generation and forwarding behavior of Junos
OS does not conform to RFC standard, specifically in the section 3.2 (Bootstrap
message generation), 3.3 (Sending Candidate-RP-Advertisement Messages) and 3.4
(Creating the RP-Set at the BSR). PR871678
• In Protocol Independent Multicast (PIM) scenario, if interface get deleted before the
(S,G) route is installed in the Routing Information Base (RIB), then this interface index
mightbe re-usedbykernel foranother interfaceand thuscause routingprotocolprocess
(rpd) core. PR913706
• The rpd process might crash when executing the command "show route
advertising-protocol bgp <nbr>" without a table option, or with a table that is not
advertised by BGP. PR959535
• In the scenario of multicast receiver could receive traffic frommLDP or PIM, if at first
the multicast traffic is flowing over PIM, then the flapping of PIM protocol will cause
the traffic to flow over mLDP and later switch back to PIM, but the mLDP
forwarding-cachemight not get pruned, which resulting duplicated traffic. PR963031
• In certain rare circumstances, BGP NSR replication to the backup Routing Engine may
not make forward progress. This was due to an issue where an internal buffer was not
correctly cleared in rare circumstances when the backup Routing Engine was
experiencing high CPU. PR975012
• In scaledBGPenvironment, if anNSRenabled routerdoesnothaveany routing-instance
configured, after flapping BGP groupswithmultiple peers, some BGP neighborsmight
get stuck in 'not advertising' state. PR978183
• In the dual Routing Engine scenario, after an Routing Engine switchover, the periodic
packet management daemon (ppmd)might exit. PR979541
Copyright © 2017, Juniper Networks, Inc.204
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• OnMXSeries platformswith IGMP snooping enabled on an IRB interface, some transit
TCP packets may be wrongly considered as IGMP packets, causing packets to be
dropped. PR979671
• Due to some corner cases, certain commits could cause the input and/or output BGP
policies to be reexamined causing an increase in rpd CPU utilization PR979971
• PPMD filter is not programmed properly which is resulting Routing Engine to absorb
BFD packets instead of Packet Forwarding Engine. PR985035
• In Junos OS, by default the RIP protocol "send" option is set to Multicast RIPv2. When
this "send"option is changed from"multicast"(active) to "none"(passive)or vice-versa,
rpd core might be seen on the router. PR986444
• In V4 RG, member site receives traffic from both serving sites for few sources upon
withdraw/inject routes for 30 seconds. PR988561
• OSPF adjacency is not coming up with error "OSPF packet ignored: authentication
failure (sequence error)" in p2mpwhen remote peer goes down. PR991540
Services Applications
• Any SIP MESSAGE request will be dropped by the SIP ALG, this type of request is
unsupported from day one. This is rare type of request which will not prevent more
usual SIP operations such as voice calls, but it may affect some instant messaging
applications based on SIP. PR881813
• Clearing the stateful firewall subscriber analysis causes the active subscriber count to
displaya very hugenumber. The largenumber is seenbecausewhenasubscriber times
out the number of active subscribers is decremented. If it is set to zero using the clear
command, then a decrement would give an incorrect result. There is no impact to the
overall functionality and the fix is expected to be present in 14.1R2. PR939832
• Ping failure from LNS to MLPPP client. PR952708
• The dynamic flow control process (dfcd) might core dumpwhen Dynamic Tasking
Control Protocol (DTCP) trigger request is same for both the VLAN and DHCP
subscriber. PR962810
• Message type for if_msg_ifl_channel_delete should be lower severity and not an error.
PR965298
• In the context ofDS-Lite softwire scenario,where theAddress Family TransitionRouter
(AFTR) node performs NATwith Endpoint Independent Filtering (EIF) and Endpoint
Independent Mapping (EIM) enabled, the simultaneous arrival of two packets from
opposite sides of the NATwill trigger the creation of the same flow, which in a race
condition results in the Service-PIC restart. PR966255
• During the Junos OS enhancement of the Port Control Protocol a few issues were
identified regarding NAT flows creation, clearing of the mappings, releasing the
addresses in use, etc. PR967971
• In the L2TP scenario with dual Routing Engines. After subscriber management
infrastructuredaemon(smid)being restarted,because thedeletenotification tobackup
Routing Engine might be lost, the subscriber database (SDB) information does not
205Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
synchronizebetweenmasterRoutingEngineandstandbyRoutingEngine.AfterRouting
Engine switchover is executed, the Layer 2 Tunneling Protocol daemon (jl2tpd) might
crash, and new L2TP subscribers are unable to dial. PR968947
• When transferring large FTP file, the server might send packets with incorrect layer 4
checksum. If inline NAT service is enabled on the router, it might transit the packets to
client insteadofdropping it,whicheventually causes theclient FTP timeout. PR972402
• If a PPPoE/PPP user disconnects in the access networkwithout the LAC/LNS noticing
it to tear down the connection (also the PPP keepalive hasn't detected yet), and a
second PPP request comes from the same subscriber on the L2TP tunnel (same or
different LAC/tunnel), then a second route is added to the table having the next hop
"service to unknown". PR981488
• The cflow export would cease due to memory exhaustion when flow-monitoring is
enabled using Adaptive Services II PIC due to memory leak condition. While in this
condition, user would see increments in "Packet dropped (nomemory)" as below:
user@node> show services accounting errors Service Accounting interface: sp-3/0/0,
Local interface index: 320Servicename: (default sampling) Interface state:Accounting
Error information Packets dropped (nomemory): 315805425, Packets dropped (not
IP): 0. PR982160
• In H323 ALGwith CGNAT scenario, the MS-PICmight crash when the ALG is deleting
an H323 conversation due to the deleting port is outside of allocated NAT port-block
range. PR982780
• OnM/MX/T Series routers (platforms) with Services PIC with dynamic-nat44
translation-type configured, when the flows are cleared the IP addresses in use are
never freed. This issue is present in JunosOSRelease 11.4R7andallmore recent releases
without this fix. PR986974
• In large scale L2TP LNS environment. When the SNMPMIB JNX-L2TP-MIB is walked
continuously, thememory of the L2TPdaemon (jl2tpd) increases due tomemory leak.
PR987678
Software Installation and Upgrade
• Routing Engine could be brought to DBmode when rebooting after interrupted
downgrade. PR966462
• By upgrade-with-config, user can specify a configuration to be applied on upgrade,
but the configuration filewill not be loadedpost upgrading. As a result, routerwill bring
up with old configuration. PR983291
Copyright © 2017, Juniper Networks, Inc.206
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Subscriber Access Management
• In early Release 13.3 code, if NSR and 64-bit rpd are used, there is a chance that the
Routing Engine may lose the primary floating IP address assigned to both Routing
Engine after a couple of GRES Routing Engine switchovers. This issue had been
corrected in later Release 13.3 branch codes. PR973278
User Interface and Configuration
• When load large scale configuration, due to the ddl object not being freed properly
after it's accessed, load configuration failed with error: Out of object identifiers.
PR985324
VPNs
• Upon withdraw /inject bgp routes in the serving PEs for two different
route-groups,member/regular sites receive traffic from both serving sites for 60
seconds. PR973623
• Route groupmember site and regular site may receive data from two serving sites of
twogroups for the same(S,G). This only happenswhen inoneRGthereareno receivers.
PR974245
• In Rosen MVPN environment, if there a twomultihomed ingress PEs, when the route
to multicast source flaps, the receiver router might keep switching between sender
Data MDTs, which resulting in traffic loss. PR974914
• In the Rosen MVPN environment, setting the TOS IP control packet bit can avoid the
possibility of data-mdt TLVmessages being dropped in the core during congestion.
But in this case, the TOS field to indicate its IP control packet (0xc0) is not set. This
might lead to traffic loss. PR981523
• The S-PMSI tunnelmight fail to be originated from ingress PE after flapping the routes
to customer multicast source. PR983410
• In MVPN scenario, a multihomed ingress PEmight fail to advertise type-4 after losing
routes to local sources. PR984946
• In AT and T route-group scenario, source route is flapped on preferred serving site.
After that the member site fails to originate type-4 even though it has type-5 and
type-3 from non-preferred serving sites. PR994687
Resolved Issues: Release 13.3R2
• Forwarding and Sampling on page 208
• General Routing on page 208
• High Availability (HA) and Resiliency on page 210
• Infrastructure on page 211
• Interfaces and Chassis on page 211
• Layer 2 Features on page 212
• MPLS on page 212
207Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• Platform and Infrastructure on page 213
• Routing Policy and Firewall Filters on page 215
• Routing Protocols on page 215
• Services Applications on page 216
• Subscriber Access Management on page 216
• User Interface and Configuration on page 216
• VPNs on page 216
Forwarding and Sampling
• WhenMAC addresses move, Layer 2 address learning process (l2ald) will be called
and produces some other child processes. The child processes cannot be terminated.
Thenmaximum process limitation is reached and the Routing Engine is locked up.
PR943026
General Routing
• Whengr- interface is disabled, theDECAP-NHalsoneeds tobedeleted / set todiscard.
PR791277
• When transit packets with TTL expired is received, FPC is responsible for sending an
ICMPTTLExpiredmessageback to thesender.There isa500ppsperPacketForwarding
Engine rate limit so that FPC is not overwhelmed when large volume of transit traffic
with TTL expired is received. PR893598
• MXVC /kernel: rts_ifstate_client_open:Number of ifstate clients have reached
threshold,current = 63maximum = 63. PR894974
• OnMXSeriesplatformswithMPC4E-3D-32XGE-SFFP/MIC3-3D-10XGE-SFPPequipped,
10G ports of these cards might stay offline where a link flaps or an SFP+ is inserted
after above 3months of link up. PR905589
• This PR addresses a timing issue, which happens when "no-vrf-propagate-ttl" is
configured in the routing-instance configuration. When this configuration is present, it
might sometime create a situationwhere the route selection happens of a routewhich
is yet to be resolved in secondary routing instance table, which results in a RPD core.
PR917536
• MX80 routers now support CLI command "show system resource-monitor summary".
PR925794
• In the Point-to-Point Protocol over Ethernet (PPPoE) scenario, for access or
access-internal routes using an unnumbered interface, if MAC is not specified along
withqualified-nexthop, the routingprotocolprocess (rpd)will fabricateaMACaddress
for it. When the access route or point-to-point interface itself is brought down, the rpd
created qualified-nexthop is being freed, due tomismatch between qualified-nexthop
and the kernel created point-to-point nexthop, rpd crashes and a core file is generated.
PR935978
• Some "service-set" have already existed, when add/delete "stateful-firewall-rules"
about more than 400 lines to the existing "service-set", then execute commit, the
traffic stopped and never restore without offline/online MS-MIC. PR937489
Copyright © 2017, Juniper Networks, Inc.208
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• In subscriber management environment, profile database files at backup Routing
Engineget corruptedwhen thedynamicprofile versioningandcommit fast-synchronize
are enabled in configuration. After GRES when the backup Routing Engine become
master, all the existing DHCP subscribers stuck in RELEASE State and new DHCP
subscribers can't bind at this point. PR941780
• DS0/T1 channel throughput on "16x CHE1T1, RJ48" card with PPP/CISCO-HDLC is not
N*64kbps. PR944287
• PIC level "account-layer2-overhead" configuration statement with ethernet-bridge
does not add "Adjustment Bytes". As a workaround, configure it under interface level.
PR946131
• Egress multicast statistics display incorrectly after flapping of ae member links on
M320 or T Series FPC (M320 non-E3 FPC and T Series non-ES FPC). PR946760
• With scaled configuration of ATM VCs (~4000 VCs) on a single
MIC-3D-8OC3-2OC12-ATM ATMMIC, the MICmight crash. The crash is not seen with
lower scale (i.e. less than 3500 VCs per MIC). PR947434
• When configuring "no-readvertise" flag to existing static route, then this static route
will not exported to other VPN routing and forwarding (VRF) tables from onwards
which is expected. However, for the static route that has already exported to other
routing instance tablesbefore "no-readvertise" configuration, nodeletionevent occurs.
Also, the "rt-export" bit still set for the static route which is exported to other routing
tables after "no-readvertise" configuration. PR950994
• CLI command "show interfaces queue" does not account for interface queue drops
due to Head drops. This resulted in the "Queued" packets/bytes counter to be less
than what was actually received and dropped on that interface queue. This PR fixes
this issue. Head-drops, being a type of REDmechanism, are now accounted under the
"RED-dropped" section of the CLI command "show interfaces queue". PR951235
• In a scaled network and on amulti-chassis platformwith BGP ECMP configured, when
themaster Routing Engine of line-card chassis (LCC) crashes, LCC would go through
a reboot process to bring up the backup Routing Engine, during which the neighbor
session of BGP over aggregated Ethernet (AE) interface might get broken. This is
because the Unilist NHs of the AE are stuck at standby state and therefore no traffic
can be transmit through. PR953365
• On systems running Junos OS Release 13.3R1 and nonstop active routing (NSR) is
enabled, when "switchover-on-routing-crash" under [edit set system] hierarchy is set,
Routing Engine switchover should happen only when the routing protocol process
(rpd)crashes.ButunexpectedRoutingEngineswitchover canbeseenwhenperforming
the CLI command "request system core-dump routing running" to manually generate
a rpd live core. PR954067
• If an aggregated Ethernet (AE) interface has the "scaled" member-link scheduling
mode (which is the default mode), andmultiple forwarding-classes map to a same
queue, then the actual transmit-percent might be unable to reach the configured
scheduler. PR954789
• Default threshold for ES-FPC errors is 1 for major errors and 10 for minor errors, when
the threshold is reached, some actions (for example,
209Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
alarm|offline-pic|log|get-state|offline|reset) will be taken by FPC as configured. This
feature isdesigned forpermament/real errors.The issuehere is thatevensometransient
errors (eg, link flaps) will also trigger the default action. In some cases, it might cause
panic for the FPC. PR961165
• Sessions are getting reset when SFW rule and/or NAT term are added/deleted in a
service set having NAT also. PR961353
• On T Series or M320 routers with OSPF configuration statement, if have large-scale
routes (for example, 180K Composite Nexthop), when do costing-out and costing-in
operationsalongwith changinggigether-optionsof core router facing interfacemultiple
times continuously, the Flexible PICConcentrator (FPC)CPUutilizationmight increase
to 100%, and then FPCmight crash. PR961473
• On an MX Series router with dynamic vlan scenario, when improper sort order data is
sent to dynamic vlan on the Packet Forwarding Engine, theModular Port Concentrator
(MPC)might crash and generate core files. PR961645
• For MXVC platform, the pfe reconnect timer extends from the default 15s to 60s
temporarily. This will be reversed once Packet Forwarding Engine connection issues
resolved. PR963576
• Display issue only. "show route cumulative vpn-family" command is using "inet.6" for
vpnv6 routes instead of inet6.0. PR966828
• Destination alarms are cleared after fabric event even though destination errors are
present in the system. PR967013
• NHtracingprovidesa lightweightmechanismtocaptureNHchains traversedbypackets
of interest for further examination. PR967450
High Availability (HA) and Resiliency
• /var/log/messages is getting filled up with following GRES relatedmessages. These
are harmless and due to the log level(info). *** messages *** Dec 1 22:46:49.201 re0
/kernel: update_slave_peer_gres_status: vksid 0 is_slave_peer_gres_ready 1
is_local_slave_peer_gres_ready 0 Dec 1 22:46:49.201 re0 /kernel: vks[0] 1 vks[1] 0 Dec
1 22:46:49.201 re0 /kernel: PFE-MASTER - vks[0] 1 vks[1] 0 Dec 1 22:46:49.201 re0
/kernel: Slave is ready for GRES for vksid 0 Dec 1 22:46:49.201 re0 /kernel:
update_slave_peer_gres_status: vksid 0 is_slave_peer_gres_ready 1
is_local_slave_peer_gres_ready 0 Dec 1 22:46:49.201 re0 /kernel: vks[0] 1 vks[1] 0 Dec
1 22:46:49.201 re0 /kernel: PFE-MASTER - vks[0] 1 vks[1] 0 Dec 1 22:46:49.201 re0
/kernel: Slave is ready for GRES for vksid 0 Dec 1 22:46:49.401 re0 /kernel:
update_slave_peer_gres_status: vksid 0 is_slave_peer_gres_ready 1
is_local_slave_peer_gres_ready 0 Dec 1 22:46:49.401 re0 /kernel: vks[0] 1 vks[1] 0 Dec
1 22:46:49.401 re0 /kernel: PFE-MASTER - vks[0] 1 vks[1] 0 Dec 1 22:46:49.401 re0
/kernel: Slave is ready for GRES for vksid 0 Dec 1 22:46:53.000 re0 /kernel:
update_slave_peer_gres_status: vksid 0 is_slave_peer_gres_ready 1
is_local_slave_peer_gres_ready 0Dec 1 22:46:53.000 re0 /kernel: vks[0] 1 vks[1] 0 Dec
1 22:46:53.000 re0 /kernel: PFE-MASTER - vks[0] 1 vks[1] 0 Dec 1 22:46:53.000 re0
/kernel: Slave is ready for GRES for vksid 0 PR918075
Copyright © 2017, Juniper Networks, Inc.210
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Whenperformingaunified in-service softwareupgrade (ISSU)validateagainst a router
with ISSU unsupported hardware equipped, the unsupported hardware is being taken
offline, as if an actual ISSU is being performed. In addition, the unsupported hardware
is still offline after the ISSU validate is completed. The workaround is rebooting or
executing CLI commands to bring the offline hardware back online. PR949882
Infrastructure
• On RE-S-1800 family of Routing Engines, after an intensive writing to SSD, the
immediate rebooting might cause SSD to corrupt. PR937774
Interfaces and Chassis
• The Packet Forwarding Engine alarms raised by PFEMAN thread using cmalarm api
calls will not be transmitted to the Routing Engine. As impact, these alarms will not
reflect on the Routing Engine. There is no impact on functionality, otherwise.PR921254
• Traffic that uses MPLS next-hops enters bridge-domain via IRB interface and if
forwardingnext-hopmoves fromnon-aggregate interface toaggregate interface (MAC
move), the MPLS next-hops are not correctly programmed in the Packet Forwarding
Engine and are dropped. The child next-hop of the aggregate interfaces are missing.
Once IRBMPLSnext-hopmoves fromaggregate interface to non-aggregate interfaces
are not affected. IPv4 traffic will not trigger traffic drop uponmacmove. The second
symptom is a possible kernel core-dump on the new backup Routing-Engine after
mastership switch. This applies to an IRBmacmove for ipv4,ipv6 andmpls next-hops.
PR924015
• "Toomany I2C Failures" alarm happens when a FRU (in this case:
PWR-MX960-4100-AC-S) experienced six consecutive i2c read/write failures. While
thePEM is still providing power to the chassis, the chassisd daemon cannot read/write
information from the PEM until it is reseated. In recent investigation, engineering team
has come up some enhancements for this MX960 HC AC PEM: 1. PEM i2c bus hang
avoidance 2. Junos OS recovery from a hung i2c bus 3. noise reduction This Junos OS
eliminates theneed for thePEMFWupgrade,andat thesametime is 100%compatible
with those PEMs which have been upgraded. PR928861
• Traffic is not flowing over Demux input interface A technical description can be found
in the Knowledge Base: http://kb.juniper.net/KB28821. PR937035
• PCS statistics counter(Bit errors/Errored blocks) not working on Mammoth PIC(xge).
PR942719
• Digital Optical Monitoring MIB jnxDomCurrentRxLaserPower gives wrong value in
12.3R3-S6. PR946758
• When Connectivity Fault Management (CFM) is configured, if maintenance domain
intermediate point (MIP) session associated with default maintenance domain (MD)
is inactive, a deletion of the interface cannot delete the MIP session structure, hence
might causing memory leak. This crash could also be seen if delete more than one
Virtual private LAN service (VPLS) routing instance with no neighbor configuration.
PR947499
211Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• When transit traffic of Ethernet frames of size less than 64 bytes is received by 1x
10GE(LAN/WAN) IQ2E PIC, the router forwards the frames instead of dropping them.
PR954996
• Before the problemwas fixed, the CLI "show interfaces et-x/x/x extensive” did not give
full information. PR956497
• Kernel crash might happen when a router running a Junos OS install with the fix to PR
937774 is rebooted.Thisproblemwill notbeobservedduring theupgrade to this install.
It occurs late enough in the shutdownprocedure that it shouldn't interferewith normal
operation. PR956691
• Whenmicro Bidirectional Forwarding Detection (mBFD) is configured on aggregated
Ethernet (AE) interface, if a member link of the AE interface is removed, if a member
link is marked admin down or disabled at CLI, the BFD session would correspondingly
bedown.However, the correspondingmember link in thepeer endcontinues to forward
traffic. PR963314
• In a very uncommon situation, we see that LCCs chassisd state is inconsistent with
SFC chassisd state. This is very misleading in troubleshooting stage. PR963342
Layer 2 Features
• Service accounting interim updates not being sent. PR940179
• In the unified in-service software upgrade (ISSU) for Dynamic Host Configuration
Protocol (DHCP) scenario, when ISSU initiates, if there are some subscribers stuck in
login state and keep sending discover/request packets, this leads to ISSU ready check
failing and ISSU aborting as a result. PR949337
• IP address change of a DHCP relay interface does not get reflected in gateway IP
address (giaddr)whenmaintain-subscribers configurationstatement is enabled,which
needs to restart DHCP daemon tomake it work again. PR951909
• When link level adjacency across IRB interface goes down, targeted LDP sessionmight
also go down even if there is a alternate route. PR959396
MPLS
• When static LSPs are configured on a node, RPD could assert upon committing a
MPLS-related configuration change. Example: router> show system rollback compare
9 8 [edit protocols mpls] interface ae11.0 { ... } + interface as3.0 { + admin-group red;
+} [edit protocols IS-IS interface as3.0 level 2] ! inactive: metric 2610; The following
error is seen in /var/log/messages in-relation to a static lsp, immediately following the
above-mentioned configuration change: rpd[1583]: UI_CONFIGURATION_ERROR:
Process: rpd, path: [edit groups STATELESS_ARIADNE protocols mpls
static-label-switched-path static-lsp], statement: transit 1033465, static-lsp:
incoming-label 1033465hasalreadybeenconfiguredby thisorother staticapplications.
PR930058
• MXSeries routerswithFPCscouldcrashduringnext-hop resolution triggeredby indirect
next-hop change. PR944393
• In certain circumstance, the Junos OS rpd route flash job and LDP connection job are
always running, starvingotherwork suchas stale routedeletion. These jobsare running
Copyright © 2017, Juniper Networks, Inc.212
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
as LDP is continuously sending label map and label withdrawmessages for some of
the prefixes under ldp egress policy. This is due to LDP processing a BGP route from
inet.3 forwhich it has a ingress tunnel (the sameprefix is also learned via IGP) creating
a circular dependency as BGP routes can themselves be resolved over a LDP route.
PR945234
• In a highly scaled configuration, the reroute of transit RSVP LSPs can result in BGP flap
due to lack of keepalive messages being generated by the Routing Engine. PR946030
• TheRSVPbandwidth of the aggregatedEthernet (AE) bundle does not adjust properly
when amember link is added to AE interface, and at the same time an IP address is
removed from this AE bundle. PR948690
• On IS-IS interfaces configured with point-to-point and ldp-synchronization, after a
change of IP address on the interface from the remote router, and if the old Label
Distribution Protocol (LDP) adjacency times-out after the new LDP adjacency is up,
the IS-IS protocol will be notified about the old LDP adjacency down event and the
LDP sync state will remain in "hold-down" even if the new LDP adjacency is up.
PR955219
• When Packet Forwarding Engine fast reroute (FRR) applications are in use (such as
MPLS facility backup, fast-reroute, loop free alternates), a flap of the primary path
could be triggered due to an interface flap or by Bidirectional Forwarding Detection
(BFD) session flap. However, this interface/session flap might lead to a permanent
use of the backup path, which means the original primary path could not be active
again. PR955231
• We add timer for all aggregate LDP prefixes but are not deleting it when the timer
expires because of a bug. Since the timer is not expiring, we never update the route for
any change. This will be sitting in the routing table as a stale entry. PR956661
• The Label Distribution Protocol (LDP) feature is enabled and the background job "LDP
sync send filtered label job" is running, when shut down the LDP, due to LDP failing to
delete a job that didn't exist while shutting down, routing protocol process (rpd)might
crash. PR968825
Platform and Infrastructure
• In an MX-VC environment, in certain situations the inter-chassis traffic might not be
equally balanced across all available vcp links after adding extra links. PR915383
• Transit traffic is being improperly classified and competing with legitimate control
plane traffic. PR924807
• With MX Series routers with MPCs or MICs, changing the MTU on one interface might
cause Layer 2 traffic interruption on other interfaces in the same FPC. PR935090
• When chained-composite-nexthop ingress L3VPN is configured, and if two PEs are
directly connected, the unicast nexhhop on egress is IPv4 protocol encapsulated only
and no LSP label push, thus COS rewrite mask could not correctly set by IPv4 Unicast
nexthop, which leads to MPLS exp rewrite not working. PR941066
• TWAMP connection/session will come up only if the session padding length is greater
than or equal to 27 bytes on the TWAMP Client. The valid range of padding length
213Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
supportedby theTWAMPServer is 27bytes to 1400bytes. If IXIA is usedas theTWAMP
Client, packet length range from 41 bytes to 1024 bytes is supported. PR943320
• In a highly congested system (for example, high multicast traffic rate),
traffic/subscribers lossmightoccurwhileperformingunified in-servicesoftwareupgrade
(ISSU). PR945516
• OnMXSeries routerswithMPCs/MICs,when forwarding table filter (FTF) is configured
for a virtual private LAN service (VPLS) routing instance, the jtree memory corruption
might occur if the routing table attached by FTF is destroyed. The routing table that is
attached by FTF can get destroyed with different events such as an interface that is
part of the VPLS routing instance flaps or route-distinguisher is changed. PR945669
• Tested with 13.3 daily image "13.3-20140101.0". Issue not observed. Able to see both
the vlan fields updated properly. PR946964
• OnMX Series routers with MPCs, whenmulticast traffic flows over the integrated
routing and bridging (IRB) interfaces, MPCmight crash due to memory leak. PR947112
• In PPPoE subscriber management environment, if the BRAS router is an MX Series
router with MS-DPC equipped and traffic from the subscribers is NATed on MS-DPC
card, when PPPoE subscribers flap, heapmemory leak might occur on the MS-DPC.
PR948031
• MIC-3D-40GE-TX (3D 40x 1GE(LAN) RJ45) restarts with core files repeatedly after
configuring "VRRP interface" and "traffic-managermode ingress-and-egress" onPIC2
or PIC3. PR950806
• Current display of "cli> request chassis routing-engine hard-disk-test show-status"
command for Unigen SSD identified by "UGB94BPHxxxxxx-KCI" is incorrect and can
bemisleading when used for troubleshooting. For example, attribute 199 is displayed
as "UDMA CRC Error Count" and is actually "Total Count of Write Sector". PR951277
• Trafficunbalancecanbeseen inoutput interfaceof2ndnode in thecascaded topology.
Current Junos OS hash-seed implementation onMX Series routers with MPCs or MICs
can be used to protect the hash-cascade problem(unbalance at 2nd node output,
0:100 for example) but it does not work very well (60:40 or 70:30 can be seen). The
fixmadeanenhancement, so that it candelivernearly50:50LBperformance.PR953243
• OnMX Series or T4000 router, when a firewall filter is applied to allow only trusted IP
and router loopback address to request NTP service on the router in case of NTPDDoS
attack, the counter for the NTP protocol of the output of "show ddos-protection
protocols ntp" would be always null, though it is confirmed that there is an NTP DDoS
attack. The reason for this is that the only the multicast NTP packet is treated as an
NTP packet by the filter, whereas the unicast one is not. PR954862
• Whenoperating inenhanced-IPmode, forbridge-domains/vpls instanceswithsnooping
configuration, multicast data forwarding does not happen properly for multicast data
that is being routed over IRB interfaces associated with the bridge-domains/vpls
instances to egress on trunk ports associatedwith the bridge-domains/vpls instances.
PR955553
Copyright © 2017, Juniper Networks, Inc.214
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• rmopd will throw an error without jcrypto package which is absent in export build.
Domestic versiondoes not have this error becauseof thepresenceof jcrypto. The issue
exists in only Release 13.3 and not on branches before that. PR960757
• In current Junos OS, a PSM shows dc output value even though it is turned off by a
switch. This cosmetic bug causes miscalculation of actual usage in 'show chassis
power'. PR960865
• Upon the deletion of a routing-instance and subsequent commit, error logs are
generated from each Type 1 - 3(non E3) based FPC. These logs are cosmetic and can
be ignored. PR964326
Routing Policy and Firewall Filters
• Policy with Install-nexthop lspmight not work as expected when there is an LSP path
change triggering route resolution. PR931741
• Configurationofanextendedcommunity suchas: rt-import:*:* src-as:*:* fails because
the wildcard is not allowed during the configuration validation process. PR944400
Routing Protocols
• OnMX Series routers containing multiple Packet Forwarding Engines such as
MX240/MX480/MX960/MX2010/MX2020 routers, with DPC (Dense Port
Concentrator) or FPC (Flexible Port Concentrator) or with line cards designated with
"3D",RPDmight restartwhenattempting tosendaPIMassertmessageonan interface
(whose interface index exceeds 65536). It is likely that RPD restarts repeatedly, since
after RPDhas restarted andprotocols have converged, the samePIMassertwill trigger
further RPD restarts. PR879981
• On the first hop router if the traffic is received from a remote source and the
accept-remote-source configuration statement is configured, the RPF information for
the remote source is not created. PR932405
• Due to new features and the required infrastructure the rpdmemory footprint has
increased by as much as 5% between Releases 12.3 and 13.3. PR957550
• In scaled BGP routes environment, the BGP router has dual Routing Engines, graceful
Routing Engine switchover (GRES) and nonstop active routing (NSR) is configured,
after performing the operation of deactivate/activate BGP groups and commit the
configuration, the BGP router might be stuck in "not-advertising" state. PR961459
• With BGP import policy as next-hop peer-address, if the local router receives inet (or
inet-vpn) flownetwork-layer reachability information (NLRI), routing protocol process
(rpd)might crash. JunosOS is designed to create a fictitious next hop for inet flow and
inet-vpn flow families as they don't send/expect-to-receive next hops. So in this case
when the import-policy set a non-null next-hop for the received inet (or inet-vpn) flow
route, it could not handle it properly which might result in rpd crash. PR966130
• In a scaled setup, if BGP peers flap during an NSR, the sessions can end up out of sync
between themaster andbackupRoutingEngines. To recover youcanclear theaffected
neighbors. PR966206
• In a highly scaled setup after anNSR, someBGP sessionsmight be idle on bothmaster
andbackupRoutingEngines. To recover, clear theaffectedpeerusing theCLI.PR967788
215Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Services Applications
• SIP call forwarding might fail when NAT is used between parties even though the SIP
ALG is in use. PR839629
• Junos OS Release 11.4 introduced the IKEv2 support and a stricter check on IKE/IPsec
SAs proposal parameters. PR843893
• DNSmultiple queries A and AAAAmight cause the Service-PIC to restart. PR943425
• During a rare scenario, switchover on another sp interface can crash a servicePICwhen
running traffic in hairpinning scenario. PR945114
• Jl2tpd process experiences high CPU condition if the process is restarted or if GRES is
executed. The jl2tpd process does recover. The length of the high CPU condition is
directly proportional to the number of tunnels on average, it is 1 second per tunnel.
PR955378
Subscriber Access Management
• LNS-Service accounting updates not sent. PR944807
• Radiusattribute ignore logical-system-routing-instancenot ignoringVSA26-1.PR953802
• Configuration change of the IPv4 address range in address-assignment pool does not
always take effect. PR954793
User Interface and Configuration
• If a configuration file that contains groups related configuration is loaded by command
"load replace", a "commit confirmed" operationmight fail.When this issue occurs, the
new configuration is committed even if you do not confirm it within the specified time
limit. PR925512
VPNs
• The issue happens when the virtual routing forwarding (vrf) is configured
"no-vrf-propagate-ttl" and the vrf import policy changes the local preference of the
vrf route. With "no-vrf-propagate-ttl", BGP will resolve the primary l3vpn route and
the vrf secondary route separately. The root cause is overwriting the route parameters
of the second vrf route with the route parameters of the primary route. So changes to
the local preference of the vrf route might not work. PR935574
• NGMVPNreceiverPEdoesnotgenerateTYPE4 routeafter receivingTYPE3.PR953449
• With these high amount of streams, we have a higher number of data-mdt-tlvs to
process which is becoming a bottleneck. PR957280
• Before Release 13.3R2, if no loopback interface inside vrf was configured, then Rosen
V6might not be able to use default main loopback as source for PE_PE pim
communications., As a result, Rosen v6 neighbor will not be formed toward remote
PEs. PR966825
RelatedDocumentation
New and Changed Features on page 26•
Copyright © 2017, Juniper Networks, Inc.216
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Changes in Behavior and Syntax on page 61
• Known Behavior on page 78
• Known Issues on page 82
• Documentation Updates on page 217
• Migration, Upgrade, and Downgrade Instructions on page 242
• Product Compatibility on page 251
Documentation Updates
This section lists the errata and changes in Junos OSRelease 13.3R10 documentation for
the M Series, MX Series, and T Series.
• Adaptive Services Interfaces Feature Guide for Routing Devices on page 218
• Aggregated Ethernet Interfaces Feature Guide for Routing Devices on page 218
• Broadband Subscriber VLANs and Interfaces Feature Guide on page 221
• Chassis-Level Feature Guide on page 221
• Class of Service Library for Routing Devices on page 222
• Dynamic Firewall Feature Guide for Subscriber Services on page 222
• Ethernet Interfaces Feature Guide on page 223
• Ethernet Networking Feature Guide for MX Series Routers on page 224
• Firewall Filters Feature Guide for Routing Devices on page 226
• High Availability Feature Guide on page 226
• Interchassis Redundancy Using Virtual Chassis Feature Guide for MX Series
Routers on page 226
• Interfaces Feature Guide for Subscriber Management on page 227
• Junos Address-Aware Carrier-Grade NAT and IPv6 Feature Guide on page 227
• Junos OS High Availability Feature Guide for Routing Devices on page 228
• Layer 2 Configuration Guide, Bridging, Address Learning, and Forwarding on page 228
• Layer 2 VPNs Feature Guide for Routing Devices on page 229
• Monitoring, Sampling, and Collection Services Interfaces Feature Guide for Routing
Devices on page 229
• MPLS Applications Feature Guide for Routing Devices on page 229
• Network Management Administration Guide for Routing Devices on page 230
• Overview for Routing Devices on page 231
• Release Notes: Junos OS Release 13.3R1 for the EX Series, M Series, MX Series, PTX
Series, and T Series on page 231
• Services Interfaces Configuration Guide on page 231
• Services Interfaces Overview for Routing Devices on page 236
• Standards Reference on page 237
217Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
• Subscriber Management Access Network Guide on page 237
• Subscriber Management Feature Guide on page 238
• Subscriber Management Provisioning Guide on page 239
• System Log Messages Reference on page 241
• System Services Administration Guide for Routing Devices on page 241
• Tunnel and Encryption Services Interfaces on page 241
• User Access and Authentication Guide for Routing Devices on page 241
• VPLS Feature Guide for Routing Devices on page 241
• VPNs Library for Routing Devices on page 241
• VPWS Feature Guide for Routing Devices on page 242
Adaptive Services Interfaces Feature Guide for Routing Devices
• The “Configuring Secured Port Block Allocation,” “port,” and
“secured-port-block-allocation” topics should include the following note:
If youmake any configuration changes to a NAT pool that has secured port block
allocation configured, youmust delete the existing NAT address pool, wait at least 5
seconds, and then configure a new NAT address pool. We also strongly recommend
that youperformthisprocedure if youmakeanychanges to theNATpool configuration,
even if you do not have secured port block allocation configured.
• The descriptions in the “Options” section of the IPsec protocol statement at the [edit
services ipsec-vpn ipsec proposal proposal-name] and [edit services ipsec-vpn rule
rule-name term term-name thenmanual direction direction] hierarchy levels fail to state
that the ah and bundle options are not supported on MS-MPCs and MS-MICs on MX
Series routers.
Aggregated Ethernet Interfaces Feature Guide for Routing Devices
• The following enhancements and additions apply to the “Example: Configuring
Multichassis Link Aggregation in an Active- Active Bridging Domain on MX Series
Routers” topic:
• The Topology Diagram section fails to mention that interface ge-1/0/2 functions as
the ICCP link between the two PE devices, interface ge-1/1/1 is the ICL-PL link, and
interface ge-1/1/4 is the link that connects to the server or theMC- LAG client device.
• As a best practice, we recommend that you configure the ICCP and ICL interfaces
over aggregated Ethernet interfaces instead of other interfaces such as Gigabit
Ethernet interfaces, depending on your topology requirements and framework.
• Youmust disable RSTP on the ICL-PL interfaces for an MC-LAG in an active-active
bridging domain.
• The Step-by-Step Procedure section for Router PE2 that is illustrated in the example
is missing, although the quick configuration statements are presented.
Copyright © 2017, Juniper Networks, Inc.218
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
To configure Router PE2:
1. Specify the number of aggregated Ethernet interfaces to be created.
[edit chassis]user@PE2# set aggregated-devices ethernet device-count 5
2. Specify the members to be included within the aggregated Ethernet bundles.
[edit interfaces]user@PE2# set ge-1/0/5 gigether-options 802.3ad ae1user@PE2# set ge-1/1/0 gigether-options 802.3ad ae0
3. Configure the interfaces that connect to senders or receivers, the ICL interfaces,and the ICCP interfaces.
[edit interfaces]user@PE2# set ge-1/0/3 flexible-vlan-tagginguser@PE2# set ge-1/0/3 encapsulation flexible-ethernet-servicesuser@PE2# set ge-1/0/3 unit 0 encapsulation vlan-bridgeuser@PE2# set ge-1/0/3 unit 0 vlan-id-range 100-110user@PE2# set ge-1/0/4 flexible-vlan-tagginguser@PE2# set ge-1/0/4 encapsulation flexible-ethernet-servicesuser@PE2# set ge-1/0/4 unit 0 encapsulation vlan-bridgeuser@PE2# set ge-1/0/4 unit 0 vlan-id-range 100-110user@PE2# set ge-1/0/5 gigether-options 802.3ad ae0user@PE2# set ge-1/1/0 gigether-options 802.3ad ae1
4. Configure parameters on the aggregated Ethernet bundles.
[edit interfaces ae0]user@PE2# set flexible-vlan-tagginguser@PE2# set encapsulation flexible-ethernet-servicesuser@PE2# set unit 0 encapsulation vlan-bridgeuser@PE2# set unit 0 vlan-id-range 100-110user@PE2#setunit0multi-chassis-protection 100.100.100.1 interfacege-1/0/4.0
[edit interfaces ae1]user@PE2# set flexible-vlan-tagginguser@PE2# set encapsulation flexible-ethernet-servicesuser@PE2# set unit 0 encapsulation vlan-bridgeuser@PE2# set unit 0 vlan-id-range 100-110user@PE2#setunit0multi-chassis-protection 100.100.100.1 interfacege-1/0/4.0
5. Configure LACP on the aggregated Ethernet bundles.
[edit interfaces ae0 aggregated-ether-options]user@PE2# set lacp activeuser@PE2# set lacp system-priority 100user@PE2# set lacp system-id 00:00:00:00:00:05user@PE2# set lacp admin-key 1
[edit interfaces ae1 aggregated-ether-options]user@PE2# set lacp activeuser@PE2# set lacp system-priority 100user@PE2# set lacp system-id 00:00:00:00:00:05user@PE2# set lacp admin-key 1
219Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
6. Configure the MC-LAG interfaces.
[edit interfaces ae0 aggregated-ether-options]user@PE2# setmc-aemc-ae-id 5user@PE2# setmc-ae redundancy-group 10user@PE2# setmc-ae chassis-id 1user@PE2# setmc-aemode active-activeuser@PE2# setmc-ae status-control active
[edit interfaces ae1 aggregated-ether-options]user@PE2# setmc-aemc-ae-id 10user@PE2# setmc-ae redundancy-group 10user@PE2# setmc-ae chassis-id 1user@PE2# setmc-aemode active-activeuser@PE2# setmc-ae status-control active
Themultichassis aggregatedEthernet identificationnumber (mc-ae-id) specifies
which link aggregation group the aggregated Ethernet interface belongs to. The
ae0 interfaces on Router PE1 and Router PE2 are configuredwithmc-ae-id 5. The
ae1 interfaces on Router PE1 and Router PE2 are configured with mc-ae-id 10.
The redundancy-group 10statement is usedby ICCP toassociatemultiple chassis
that perform similar redundancy functions and to establish a communication
channel so thatapplicationsonpeeringchassis cansendmessages toeachother.
The ae0 and ae1 interfaces on Router PE1 and Router PE2 are configuredwith the
same redundancy group redundancy-group 10.
The chassis-id statement is used by LACP for calculating the port number of the
MC-LAG's physical member links. Router PE2 uses chassid-id 1 to identify both
its ae0 and ae1 interfaces. Router PE2 uses chassis-id 0 to identify both its ae0
and ae1 interfaces.
Themode statement indicates whether an MC-LAG is in active-standbymode
or active-active mode. Chassis that are in the same groupmust be in the same
mode.
7. Configure a domain that includes the set of logical ports.
[edit bridge-domains bd0]user@PE2# set domain-type bridgeuser@PE2# set vlan-id alluser@PE2# set service-id 20user@PE2# set interface ae0.0user@PE2# set interface ae1.0user@PE2# set interface ge-1/0/3.0user@PE2# set interface ge-1/1/1.0user@PE2# set interface ge-1/1/4.0
The ports within a bridge domain share the same flooding or broadcast
characteristics in order to perform Layer 2 bridging.
The bridge-level service-id statement is required to link related bridge domains
across peers (in this case Router PE1 and Router PE2), and should be configured
with the same value.
Copyright © 2017, Juniper Networks, Inc.220
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
8. Configure ICCP parameters.
[edit protocols iccp]user@PE2# set local-ip-addr 100.100.100.2user@PE2# set peer 100.100.100.1 redundancy-group-id-list 10user@PE2# set peer 100.100.100.1 liveness-detectionminimum-interval 1000
9. Configure the service ID at the global level.
[edit switch-options]user@PE2# set service-id 10
Youmust configure the same unique network-wide configuration for a service in
the set of PE routers providing the service. This service ID is required if the
multichassis aggregated Ethernet interfaces are part of a bridge domain.
Broadband Subscriber VLANs and Interfaces Feature Guide
• The showsubscribers topic in the JunosOSSubscriberManagement FeatureGuidedoes
not fully describe the vlan-id vlan-id option. This option displays information about
active subscribers using a VLANwhere the VLAN tagmatches the specified VLAN ID.
The topic fails to mention that these subscriber VLANs can be either single-tagged or
double-tagged. The command output includes information about subscribers using
double-tagged VLANs when the inner VLAN tagmatches the specified VLAN ID. The
command output does not distinguish between these two types of subscribers.
To display only subscribers where the specified value matches only double-tagged
VLANs, use the stacked-vlan-id stacked-vlan-id option to match the outer VLAN tag
instead of the vlan-id vlan-id option.
Chassis-Level Feature Guide
• The following additional information regarding the compatibility of modules for the
interoperationofRPMclientsandRPMservers applies to the “ConfiguringRPMProbes”
section in the “Configuring Real-Time Performance Monitoring” topic:
Keep the following points in mind when you configure RPM clients and RPM servers:
• You cannot configure an RPM client that is PIC-based and an RPM server that is
based on either the Packet Forwarding Engine or Routing Engine to receive the RPM
probes.
• You cannot configure an RPM client that is Packet Forwarding Engine-based and an
RPM server that receives the RPM probes to be on the PIC or Routing Engine.
• The RPM client and RPM server must be located on the same type of module. For
example, if the RPM client is PIC-based, the RPM server must also be PIC-based,
and if the RPM server is Packet Forwarding Engine-based, the RPM client must also
be Packet Forwarding Engine-based.
• The show chassis fabric unreachable-destinations command is incorrectly mentioned
as supported on MX240, MX480, and MX960 routers from Junos OS Release 11.4R2
and JunosOSRelease 12.1. TheSupportedPlatformssectionof this topicalso incorrectly
state MX240, MX480, and MX960 routers as supported routers for this command.
221Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
This command is not available on the MX240, MX480, and MX960 routers. Instead,
the correct command is the showchassis fabric destinations command, which you can
use to view the state of fabric destinations for all FPCs.
• The followingadditional information regarding theprocessingofTWAMPtraffic applies
to the "Configuring TWAMP Servers" section in the "Configuring TWAMP" topic:
The preceding configuration settings that are described define a TWAMP server on the
router that enables a TWAMPclient to connect to the server using anymedia interface
IP address such as a ge- interface. In such a scenario, the router functions as a TWAMP
server and timestamping is performed in the ukernel of the media-facing FPC.
To configure an inline TWAMP server, which causes timestamping to be performed as
part of the inline services (si-) interfaceprocessing, configure theamountof bandwidth
reserved on each Packet Forwarding Engine for tunnel traffic using inline services by
including the bandwidth (1g | 10g) statement at the [edit chassis fpc slot-number pic
number inline-services] hierarchy level and specify the service PIC logical interface that
provides the TWAMP service by including the twamp-server statement at the [edit
interfaces sp-fpc/pic/port unit logical-unit- number family inet] hierarchy level.
• The description of the check option available with the request chassis routing-engine
master command topic fails to state that this option is supported on MX104 routers
and PTX5000 routers, in addition to the list of devicemodelsmentioned in that topic.
Also, this option is incorrectly stated as supported on MX240 routers, whereas this
option is not supported on those routers.
• The network-services configuration statement topic inadvertently fails to state that
the enhanced network servicesmode settings, such as the enhanced-ethernet and the
enhanced-ip option, are supported on MS-MPCs on MX Series routers.
• The "Configuring Redundancy Fabric Mode for Active Control Boards on MX Series
Routers" topic incorrectly states that on MX Series routers that contain the enhanced
SCBwith Trio chips and the MPC3E, redundancy mode is enabled by default. The
correct default behavior is that on MX Series routers that contain the enhanced SCB,
regardlessof the typeofDPCorMPC installedon it, thedefaultmode is the redundancy
mode.
Class of Service Library for Routing Devices
• The Applying Scheduler Maps and Shaping Rate to DLCIs and VLANs and Scaling of
Per-VLAN Queuing on Non-Queuing MPCs topics in the CoS Output Queuing and
Scheduling Feature Guide for Routing Devices fails to mention that you can configure
can also configure logical interface scheduling on the 8x10GE ports of an 2x100GE +
8x10GEMPC4E, apart the 2x100GE ports.
Dynamic Firewall Feature Guide for Subscriber Services
• The enhanced-policer topic fails to include a reference to the “Enhanced Policer
Statistics Overview” topic. The overview topic explains how the enhanced policer
enables you to analyze traffic statistics for debugging purposes.
Copyright © 2017, Juniper Networks, Inc.222
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
The enhanced policer statistics are as follows:
• Offered packet statistics for traffic subjected to policing.
• OOSpacket statistics for packets that aremarkedout-of-specificationby thepolicer.
Changes to all packets that have out-of-specification actions, such as discard, color
marking, or forwarding-class, are included in this counter.
• Transmitted packet statistics for traffic that is not discarded by the policer. When
the policer action is discard, the statistics are the same as the in-spec statistics;
when thepoliceraction isnon-discard(loss-priorityor forwarding-class), thestatistics
are included in this counter.
To enable collection of enhanced statistics, include the enhanced-policer statement
at the [edit chassis] hierarchy level. To view these statistics, include the detail option
when you issue the show firewall, show firewall filter filter-name, or show policer
command.
Ethernet Interfaces Feature Guide
• In theOutput Fields sectionof the show interfaces(10-GigabitEthernet), show interfaces
(GigabitEthernet), and show interfaces(FastEthernet)command topicsof theEthernet
Interfaces Feature Guide, the descriptions of theBit errors and Erroredblocks fields that
are displayed under the PCS Statistics section of the output are ambiguous. The
following are the revised descriptions of these fields:
• Bit errors—The number of seconds during which at least one bit error rate (BER)
occurred while the PCS receiver is operating in normal mode.
• Errored blocks—The number of seconds when at least one errored block occurred
while the PCS receiver is operating in normal mode.
• The [edit protocols lacp] hierarchy level topic fails tomention that the ppmcentralized
statement is supported at this level for MX Series routers. This statement has been
supported from Junos OS Release 9.4. You can use the ppm statement to switch
between distributed and centralized periodic packet management (PPM). By default,
distributed PPM is active. To enable centralized PPM, include the ppm centralized
statement at the [edit protocols lacp] hierarchy level. You can disable distributed PPM
processing for all packets that use PPM and run all PPM processing on the Routing
Engine by configuring the no-delegate-processing configuration statement at the [edit
routing-options ppm] hierarchy level.
• The following additional information regarding the working of unnumbered interfaces
applies to the “Example: Configuring an Unnumbered Ethernet Interface” section in
the “Configuring an Unnumbered Interface” topic:
The sample configuration that is described works correctly on M Series and T Series
routers. For unnumbered interfaces on MX Series routers, youmust additionally
configure static routes on an unnumbered Ethernet interface by including the
qualified-next-hop statementat the [edit routing-optionsstatic routedestination-prefix]
hierarchy level to specify the unnumbered Ethernet interface as the next-hop interface
for a configured static route.
223Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
Ethernet Networking Feature Guide for MX Series Routers
• The following corrections apply to the “Example: Configuring One VPLS Instance for
Several VLANs” topic:
The following sentence is erroneously presented:
If VLANs 1 through 1000 for customer C1 span the same sites, then the vlan-id all and
vlan-id-list-range statements provide a way to switch all of these VLANs with a
minimum configuration effort and fewer switch resources.
The correct description is as follows:
If VLANs 1 through 1000 for customer C1 span the same sites, then the vlan-id all and
vlan-id-list statements provide a way to switch all of these VLANs with aminimum
configuration effort and fewer switch resources.
The following example replaces the existing example that illustrates the use of the
vlan-id all statement:
[edit]interfaces ge-1/0/0 {encapsulation flexible-ethernet-services;flexible-vlan-tagging;unit 1 {encapsulation vlan-vpls;family bridge {interface-mode trunk;vlan-id-list 1-1000; # Note the use of the VLAN id list statement.
}}unit 11 {encapsulation vlan-vpls;family bridge {interface-mode trunk;vlan-id-list 1500;
}}
}interfaces ge-2/0/0 {encapsulation flexible-ethernet-services;flexible-vlan-tagging;unit 1 {encapsulation vlan-vpls;family bridge {interface-mode trunk;vlan-id-list 1-1000; # Note the use of the VLAN id list statement.
}}
}interfaces ge-3/0/0 {encapsulation flexible-ethernet-services;flexible-vlan-tagging;family bridge {unit 1 {encapsulation vlan-vpls;
Copyright © 2017, Juniper Networks, Inc.224
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
interface-mode trunk;vlan-id-list 1-1000; # Note the use of the VLAN id list statement.
}}
}interfaces ge-6/0/0 {encapsulation flexible-ethernet-services;flexible-vlan-tagging;family bridge {unit 11 {encapsulation vlan-vpls;interface-mode trunk;vlan-id-list 1500;
}}
}routing-instances {customer-c1-virtual-switch {instance-type virtual-switch;interface ge-1/0/0.1;interface ge-2/0/0.1;interface ge-3/0/0.1;bridge-domains {c1-vlan-v1-to-v1000 {vlan-id all; # Note the use of the VLAN id all statement
}}
} # End of customer-c1-v1-to-v1000customer-c2-virtual-switch {instance-type virtual-switch;interface ge-1/0/0.11;interface ge-6/0/0.11;bridge-domains {c1-vlan-v1500 {vlan-id all; # Note the use of the VLAN id all statement
}}
} # End of customer-c1-v1500} # End of routing-instances
Note the use of the vlan-id all statement in the virtual-switch instance called
customer-c1-v1-to-v1000.
225Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
Firewall Filters Feature Guide for Routing Devices
• The following additional information regarding the decapsulation of GRE packets as
a terminatingaction for firewall filters applies to the "Firewall FilterTerminatingActions"
topic:
NOTE: Thedecapsulateaction that youconfigureat the [edit firewall family
inet filter filter-name term term-name]hierarchy leveldoesnotprocess traffic
with IPv4and IPv6options.Asa result, trafficwithsuchoptions isdiscardedby the decapsulation of GRE packets functionality.
High Availability Feature Guide
• The topic “Improving the Convergence Time for VRRP” failed to include the following
information:
• Disableduplicationaddressdetection for IPv6 interfaces—Duplicateaddressdetection
is a feature of the Neighbor Discovery Protocol for IPv6. Duplicate address detection
is enabled by default and determines whether an address is already in use by another
node. When duplicate address detection is enabled, convergence time is high after an
IPv6 interface that has been configured for VRRP tracking comes up. To disable
duplicate address detection, include the ipv6-duplicate-addr-translation transmits 0
statement at the [edit system internet-options] hierarchy level. To disable duplicate
address detection only for a specific interface, include the dad-disable statement at
the [edit interfaces interface-nameunit logical-unit-number family inet6]hierarchy level.
Interchassis Redundancy Using Virtual Chassis Feature Guide for MX SeriesRouters
• In the Junos OS 13.2 Release Notes for M Series Multiservice Edge Routers, MX Series 3D
Universal Edge Routers, and T Series Core Routers, the Support for MX Series Virtual
Chassis (MXSeries routerswithMPC3E interfaces) feature description failed tomention
that you can configure a two-member MX Series Virtual Chassis on both MPC3E
modules and MPC4Emodules. The correct description for this feature is as follows:
• Support forMXSeriesVirtualChassisonMXSeries routerswithMPC3EandMPC4Einterfaces—Extendssupport for configuringa two-memberMXSeriesVirtualChassisto MX240, MX480, andMX960 routers with any of the followingmodules installed:
• MPC3E (model number MX-MPC3E-3D)
• 32x10GEMPC4E (Model number: MPC4E-3D-32XGE-SFPP)
• 2x100GE + 8x10GEMPC4E (Model number: MPC4E-3D-2CGE-8XGE)
All MX Series Virtual Chassis features are supported on these modules.
In earlier Junos OS releases, MX Series routers did not support MX Series Virtual
Chassis configuration on MPC3E and MPC4Emodules.
Copyright © 2017, Juniper Networks, Inc.226
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
[See Junos OSHigh Availability Library for Routing Devices and Junos OS for MX Series
3D Universal Edge Routers.]
• The followingadditional informationapplies to theVirtualChassisComponentsOverview
topic in the Interchassis Redundancy Using Virtual Chassis Feature Guide for MX Series
Routers for Junos OS Release 11.2 and later releases.
When you configure chassis properties for MPCs installed in a member router in an
MX Series Virtual Chassis, keep the following points in mind:
• Statements included at the [edit chassis membermember-id fpc slot slot-number]
hierarchy level apply to the MPC (FPC) in the specified slot number only on the
specified member router in the Virtual Chassis.
For example, if you issue the set chassis member 0 fpc slot 1 power off statement,
only the MPC installed in slot 1 of member ID 0 in the Virtual Chassis is powered off.
• Statements included at the [edit chassis fpc slot slot-number] hierarchy level apply
to theMPCs(FPCs) in thespecifiedslotnumberoneachmember router in theVirtual
Chassis.
For example, if you issue the set chassis fpc slot 1 power off statement in a
two-member MX Series Virtual Chassis, both the MPC installed in slot 1 of member
ID 0 and the MPC installed in slot 1 of member ID 1 are powered off.
BEST PRACTICE: To ensure that the statement you use to configure MPCchassis properties in a Virtual Chassis applies to the intendedmemberrouter andMPC, we recommend that you always include themember
member-ID option before the fpc keyword, wheremember-id is 0 or 1 for a
two-member MX Series Virtual Chassis.
Interfaces Feature Guide for Subscriber Management
• The “IP Demux Interfaces over Static or Dynamic VLAN Demux Interfaces” topic
incorrectly states thatbothDPCsandMPCssupportVLANdemuxsubscriber interfaces.
In fact, only MPCs support these interfaces.
Junos Address-Aware Carrier-Grade NAT and IPv6 Feature Guide
• The followingnoteapplies to the topic “ConfiguringAddressPools forNetworkAddress
Port Translation (NAPT) Overview”:
NOTE: When 99 percent of the total available ports in a pool for napt-44are used, no new flows are allowed on that NAT pool.
• Several errors were found in the configuration statements included in the “Example:
Configuring Inline Network Address Translation” topic. The topic has been corrected
on theWeb and in the Junos Address Aware Carrier Grade NAT and IPv6 Feature Guide
PDF.
227Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
• The address-allocation statement topic fails to state the following additional
information regarding addresses allocation on MS-MICs and MS-MPCs:
Regardless of whether the round-robin method of allocation is addresses is enabled
byusing theaddress-allocationround-robinstatement, round-robinallocation isenabled
by default on MS-MICs and MS-MPCs.
• The topic “Configuring Secured Port Block Allocation” contains a note listing
configuration changes that require a reboot of the services PIC. The note has been
updated to include a change to the NAT pool name.
• The following information regarding the guidelines for configuration of IP addresses
for NAT processing applies to the "Configuring Source and Destination Addresses
Network Address Translation Overview " section of the "Network Address Translation
Rules Overiew" topic:
The addresses that are specified as valid in the inet.0 routing table and not supported
for NAT translation are orlongermatch filter types. You cannot specify any regions
within such address prefixes in a NAT pool.
• The following information regarding the working of APP with NAT rules applies to the
"Network Address Translation Rules Overiew" topic:
For MX Series routers with MS-MICs and MS-MPCs, although the address pooling
paired (APP) functionality is enabledwithinaNAT rule (by including theaddress-pooling
statement at the [edit services nat rule rule-name term term-name then translated]
hierarchy level), it is a characteristic of a NAT pool. Such a NAT pool for which APP is
enabled cannot be shared with NAT rules that do not have APP configured.
Junos OSHigh Availability Feature Guide for Routing Devices
• In Junos OS Release 13.3, the “Unified ISSU System Requirements” topic in the Junos
OS High Availability Feature Guide for Routing Devices incorrectly states in Table 2:
Unified ISSUProtocol Support that anMXSeries Virtual Chassis supports unified ISSU
in JunosOSRelease 12.2and later releases. In fact, anMXSeriesVirtualChassis supports
unified ISSU in Junos OS Release 14.1 and later releases.
[See Unified ISSU System Requirements.]
•
Layer 2 Configuration Guide, Bridging, Address Learning, and Forwarding
• The following information regarding the differences in the default limit on MAC
addresses that can be learned on an access port and a trunk port is inadvertently
omitted from the “Limiting MAC Addresses Learned from an Interface in a Bridge
Domain” topic:
• For an access port, the default limit on the maximum number of MAC addresses
that can be learned on an access port is 1024. Because an access port can be
configured in only one bridge domain in a network topology, the default limit is 1024
addresses,which is sameas the limit forMACaddresses learnedona logical interface
in a bridge domain (configured by including the interface-mac-limit limit statement
at the [edit bridge-domains bridge-domain-name bridge-options interface
Copyright © 2017, Juniper Networks, Inc.228
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
interface-name]or [editbridge-domainsbridge-domain-namebridge-options]hierarchy
level.
• For a trunk port, the default limit on the maximum number of MAC addresses that
can be learned on a trunk port is 8192. Because a trunk port can be associated with
multiple bride domains, the default limit is the same as the limit for MAC addresses
learned on a logical interface in a virtual switch instance (configured by including
the interface-mac-limit limit statement at the [edit routing-instances
routing-instance-name switch-options interface interface-name] hierarchy level for a
virtual switch instance).
• The following additional information applies to the "Configuring VLAN Identifiers for
Bridge Domains and VPLS Routing Instances" topic:
ThemaximumnumberofLayer2 interfaces that youcanassociatewithabridgedomain
or a VPLS instance on MX Series routers is 4000.
Layer 2 VPNs Feature Guide for Routing Devices
• The descriptions of the pw-label-ttl-1 and router-alert-label options in the
control-channel (Protocols OAM) configuration statement topic are incorrectly and
interchangeably stated. The correct descriptions of these options are as follows:
• pw-label-ttl-1—For BGP-based pseudowires that send OAM packets with the MPLS
pseudowire label and time-to-live (TTL) set to 1.
• router-alert-label—For BGP-based pseudowires that send OAM packets with router
alert label.
Monitoring,Sampling,andCollectionServices InterfacesFeatureGuideforRoutingDevices
• The “Configuring RPMTimestamping” topic failed tomention that RPM timestamping
is also supported on the MS-MPCs and MS-MICs on MX Series routers.
• The description for themax-packets-per-second,maximum-packet-length, and
run-length statementsat the [edit forwarding-optionssampling instance instance-name
input] hierarchy level failed to include the following note:
NOTE: This statement is not supported when you configure inline flowmonitoring (by including the inline-jflow statement at the [edit
forwarding-options sampling instance instance-name family (inet | inet6)
output] hierarchy level).
• The topics “Real-Time Performance Monitoring Services Overview” and “Configuring
RPM Probes” failed to state that RPM is not supported on logical systems.
MPLS Applications Feature Guide for Routing Devices
• The "Configuring Miscellaneous LDP Properties," "Configuring the Authentication Key
Update Mechanism for BGP and LDP Routing Protocols," "authentication-key-chain
229Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
(LDP)," and "authentication-key-chain (BGP and BMP)” topics should include the
following information: Youmust also configure the authentication algorithm using the
authentication-algorithmalgorithm statement. This statementmust be included at the
[edit protocols (bgp | ldp)] hierarchy level when you configure the
authentication-key-chainkey-chain statementat the [editprotocols(bgp| ldp)]hierarchy
level.
• The "Path Computation for LSPs on an Overloaded Router" topic should state that
when you set the overload bit on a router running IS-IS, only new LSPs are prevented
from transiting through the router. Any existingConstrainedPathShortest First (CPSF)
LSPs remain active and continue to transit through the router. The documentation
incorrectly states that any existing LSPs transiting through the router are also rerouted
when you configure the overload bit on an IS-IS router.
NetworkManagement Administration Guide for Routing Devices
• The syntax of the filter-interfaces statement in the “SNMP Configuration Statement”
section is incorrect. The correct syntax is as follows:
filter-interfaces {all-internal-interfaces;interfaces interface-names{interface 1;interface 2;
}}
[See filter-interfaces.]
Copyright © 2017, Juniper Networks, Inc.230
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Overview for Routing Devices
• The "Configuring Automatic Mirroring of the CompactFlash Card on the Hard Disk
Drive" and the "mirror-flash-on-disk" topics shouldnot include support forMX5,MX10,
andMX40 3DUniversal Edge Routers. On theMXSeries, this feature is supported only
on the MX104, MX240, MX480, MX960, MX2010, and MX2020 routers.
Release Notes: Junos OS Release 13.3R1 for the EX Series, M Series, MX Series,PTX Series, and T Series
• Virtual Chassis support onMX104 routers—In Junos OS Release 13.3, the “Softwarefeature support (MX104)” feature description in the Release Notes: Junos OS Release
13.3R1 for the EX Series, M Series, MX Series, PTX Series, and T Series incorrectly states
in the Layer 2 Features section that Virtual Chassis is supported on MX104 routers.
Virtual Chassis is not supported on MX104 routers.
Services Interfaces Configuration Guide
• In the Lines of Sample DTCP Parameter File table in the “Flow-Tap Filter Operation”
topic, the description for the Seq:10 command contained in the DTCP file incorrectly
states that the router looks for a newer sequence number before accepting and
implementing new parameters, and that any configuration attempt with an older
sequence number is rejected by the dynamic flow capture process.
The following guideline correctly describes the processing of the Seq:10 command in
the DTCP file:
The router does not validate the sequence number attribute during any configuration
changes that are performed for a DTCP parameter file sent to the router from the
mediationdevice.Regardlessofwhether thesequencenumberconflictswithaprevious
sequence number or is unique, it is disregarded and not considered.
The following additional fields are missing from the Lines of Sample DTCP Parameter
File table:
DescriptionCommand
This indicates the DTCP version to be used. DTCP/0.6 should be used for all versions of Junos OS upto and including Junos OS 8.5. DTCP/0.7 should be used for Junos OS 9.0 and later. However, JunosOS 9.5R2 and later also accept previous versions of DTCP.
If any unsupported parameters are received for a particular DTCP version, the request is rejected.
NOTE: The notification responses from Junos OS contains the same DTCP version that the controlsource has communicated to Junos OS. For notifications being sent even before the control sourcehas contacted Junos OS, the DTCP version 0.7 will be used.
DELETE DTCP/0.6
This line denotes the ID that DTCP assigns for the mirrored session when you create a DTCP ADDmessage. Use this ID in your DELETEmessages to disable the intercept for a specific subscriber. Toview the ID, use the DTCP LISTmessage. The CRITERIA-ID and the Cdest-ID are mutually exclusive inDELETEmessages.
CRITERIA-ID:criteria-id
[See Flow-Tap Filter Operation.]
231Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
• The following additional information applies to the sample configuration described in
the “Example: Flow-Tap Configuration” topic of the “FlowMonitoring” chapter.
NOTE: Thedescribedexampleappliesonly toMSeriesandTSeries routers,except M160 and TXMatrix routers. For MX Series routers, because theflow-tap application resides in the Packet Forwarding Engine rather thana service PIC or Dense Port Concentrator (DPC), the Packet ForwardingEnginemust send the packet to a tunnel logical (vt-) interface toencapsulate the interceptedpacket. In suchascenario, youneed toallocatea tunnel interface and assign it to the dynamic flow capture process forFlowTapLite to use.
• The following information is missing from the passive-mode-tunneling configuration
statement and the “Example: Configuring Junos VPN Site Secure on MSMIC and
MS-MPC” topic:
Passive module tunneling is not supported on MS-MICs and MS-MPCs.
• Theopen-timeout configuration statement topic and the “ConfiguringDefault Timeout
Settings for Services Interfaces” topic incorrectly state that the default value of the
timeout period for TCP session establishment is 30 seconds. The correct default value
is 5 seconds.
• The Supported Platforms section of the set chassis displaymessage command topic
erroneously states that this command is supportedonMXSeries routers.This command
is not available on MX Series routers.
• The following information regarding the restriction on prefix lengths that can be
configured inNATpools onMS-MPCs andMS-MICs applies to the "Configuring Source
and Destination Addresses Network Address Translation Overview " section of the
"Network Address Translation Rules Overiew" topic:
On MX Series routers with MS-MPCs and MS-MICs, if you configure a NAT address
pool with a prefix length that is equal to or greater than /16, the PIC does not contain
sufficientmemory to provision the configured pool. Also, memory utilization problems
mightoccur if youattempt toconfiguremanypoolswhosecombined total IPaddresses
exceed /16. In such circumstances, a system loggingmessage is generated stating that
the NAT pool name is failed to be created and that the service set is not activated. On
MS-MPCs andMS-MICs, youmust not configure NAT pools with prefix lengths greater
than /16.
• The following procedure applies to the “Provisioning Flow-Tap to a Linux Mediation
Device” topic:
The following example shows the syntax to invoke the Perl script from a Linux device
for deleting a previously configured Flow-Tap session:
1. Invoke the Perl script:
[root@host]# ./dfcclient.pl
Copyright © 2017, Juniper Networks, Inc.232
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
2. Use the following line to push the parameter file del_lea1_tcp.flowtap to the router.
In this example, 10.209.75.199 is the IP address of the router, and verint verint123 is
the username and password that has permission to implement flow-tap-operation.
Any firewall that is between themediation device and the routing device should
allow ssh and port 32001.
[root@host]# ./dfcclient.pl 10.209.75.199 verint verint123 del_lea1_tcp.flowtap
The following settings are contained in the del_lea1_tcp.flowtap DTCP parameter
file. DTCP DELETE can use either Criteria- ID to delete only that criteria or Cdest-ID
to delete everything with cdest-ID that you previously created.
DELETE DTCP/0.7Csource-ID: dtcpCdest-ID: LEA1Flags: STATIC
3. Use the show policer | match flow statement to verify that the flow-tap filter is
removed from the router:
The following sample shows how to disablemirroring for a specific subscriber by using
the CRITERIA-ID.
DELETE DTCP/0.7Csource-ID: dtcp1CRITERIA-ID: 2Flags: STATICSeq: 10Authentication-Info: 7e84ae871b12f2da023b038774115bb8d955f17e
DTCP/0.7 200 OKSEQ: 10CRITERIA-COUNT: 1TIMESTAMP: 2011-02-13 16:00:02.802AUTHENTICATION-INFO: 2834ff32ec07d84753a046cfb552e072cc27d50b
• The following additional information regarding the interoperation of sample actions
in firewall filters and traffic sampling applies to the “MinimumConfiguration for Traffic
Sampling” section in the “Configuring Traffic Sampling” topic:
The following prerequisites apply to M Series, MX Series, and T Series routers when
you configure traffic sampling on interfaces and in firewall filters:
• If you configure a sample action in a firewall filter for an inet or inet6 family on an
interfacewithout configuring the forwarding-options settings, operational problems
might occur if you also configure port mirroring or flow-tap functionalities. In such a
scenario, all the packets that match the firewall filter are incorrectly sent to the
service PIC.
• If you include the then sample statement at the [edit firewall family inet filter
filter-name term term-name] hierarchy level to specify a sample action in a firewall
filter for IPv4 packets, youmust also include the family inet statement at the [edit
forwarding-options sampling] hierarchy level or the instance instance-name family
inet statement at the [edit forwarding-options sampling] hierarchy level. Similarly,
if you include the then sample statement at the [edit firewall family inet6 filter
filter-name term term-name] hierarchy level to specify a sample action in a firewall
233Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
filter for IPv6 packets, youmust also include the family inet6 statement at the [edit
forwarding-options sampling] hierarchy level or the instance instance-name family
inet6 statementat the [edit forwarding-optionssampling]hierarchy level.Otherwise,
a commit error occurs when you attempt to commit the configuration.
• Also, if you configure traffic sampling on a logical interface by including the sampling
input or sampling output statements at the [edit interface interface-name unit
logical-unit-number] hierarchy level, you must also include the family inet | inet6
statement at the [edit forwarding-options sampling] hierarchy level, or the instance
instance-name family inet | inet6 statementat the [edit forwarding-optionssampling]
hierarchy level.
• The “Configuring Port Mirroring” topic erroneously states that the input statement can
be includedunder the [edit forwarding-optionsport-mirroringfamily(inet | inet6)output]
hierarchy level. Only the output statement is available at the [edit forwarding-options
port-mirroring family (inet | inet6)] hierarchy level. To configure the input packet
properties for port mirroring, youmust include the input statement at the [edit
forwarding-options port-mirroring] hierarchy level.
To configure port mirroring on a logical interface, configure the following statements
at the [edit forwarding-options port-mirroring] hierarchy level:
[edit forwarding-options port-mirroring]input {maximum-packet-length bytesrate rate;run-length number;
}family (inet|inet6) {output {interface interface-name {next-hop address;
}no-filter-check;}
}
Also, the note incorrectly states that the input statement can also be configured at the
[edit forwarding-options port-mirroring] hierarchy level and that it is only maintained
for backwardcompatibility. Thenotealsomentions that theconfigurationof theoutput
statement is deprecated at the [edit forwarding-optionsport-mirroring] hierarchy level.
The correct behavior regarding the port-mirroring configuration for the packets to be
mirrored and for the destination at which the packets are to be received is as follows:
NOTE: The input statement is deprecated at the [edit forwarding-options
port-mirroring family (inet | inet6)] hierarchy level and is maintained only
for backward compatibility. Youmust include the input statement at the
[edit forwarding-options port-mirroring] hierarchy level.
• In theOutput Fields section of the show services ipsec-vpn ipsec security-associations
command topic of the Junos VPN Site Secure Feature Guide, the descriptions of the
Copyright © 2017, Juniper Networks, Inc.234
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Local Identity and Remote Identity fields are not clear and complete. The following are
the revised descriptions of these fields:
• Local Identity—Protocol, address or prefix, and port number of the local entity of the
IPsec association. The format is id-type-name
(proto-name:port-number,[0..id-data-len] = iddata-presentation). The protocol is
alwaysdisplayedasanybecause it is not user-configurable in the IPsec rule. Similarly,
the port number field in the output is always displayed as 0 because it is not
user-configurable in the IPsec rule. The value of the id-data-len parameter can be
one of the following, depending on the address configured in the IPsec rule:
• For an IPv4 address, the length is 4 and the value displayed is 3.
• For a subnet mask of an IPv4 address, the length is 8 and the value displayed is 7.
• For a range of IPv4 addresses, the length is 8 and the value displayed is 7.
• For an IPv6 address prefix, the length is 16 and the value displayed is 15.
• Forasubnetmaskofan IPv6addressprefix, the length is32and thevaluedisplayed
is 31.
• For a range of IPv6 address prefixes, the length is 32 and the value displayed is 31.
The value of the id-data-presentation field denotes the IPv4 address or IPv6 prefix
details. If the fully qualified domain name (FQDN) is specified insteadof the address
for the local peer of the IPsec association, it is displayed instead of the address
details.
• Remote Identity—Protocol, address or prefix, and port number of the remote entity
of the IPsec association. The format is id-type-name
(proto-name:port-number,[0..id-data-len] = iddata-presentation). The protocol is
alwaysdisplayedasanybecause it is not user-configurable in the IPsec rule. Similarly,
the port number field in the output is always displayed as 0 because it is not
user-configurable in the IPsec rule. The value of the id-data-len parameter can be
one of the following, depending on the address configured in the IPsec rule:
• For an IPv4 address, the length is 4 and the value displayed is 3.
• For a subnet mask of an IPv4 address, the length is 8 and the value displayed is 7.
• For a range of IPv4 addresses, the length is 8 and the value displayed is 7.
• For an IPv6 address prefix, the length is 16 and the value displayed is 15.
• Forasubnetmaskofan IPv6addressprefix, the length is32and thevaluedisplayed
is 31.
• For a range of IPv6 address prefixes, the length is 32 and the value displayed is 31.
The value of the id-data-presentation field denotes the IPv4 address or IPv6 prefix
details. If the fully qualified domain name (FQDN) is specified insteadof the address
for the remote peer of the IPsec association, it is displayed instead of the address
details.
• The “Understanding Aggregated Mulitservices Interfaces” and the “Example:
Configuring an Aggregated Mulitservices Interface (AMS)” topics in the Services
235Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
Interface Configuration Guide incorrectly state that whenmember-failure-options is
not configured, the default behavior is to redistribute the traffic among the available
interfaces. The correct behavior is that when themember-failure-options statement
is not configured, the default behavior is to dropmember trafficwith a rejoin timeout
of 120 seconds.
• The functionality to log the cflowd records in a log file before they are exported to a
cflowd server (by including the local-dump statement at the [edit forwarding-options
sampling instance instance-name family (inet |inet6 |mpls)output flow-serverhostname]
hierarchy level) is not supportedwhenyouconfigure inline flowmonitoring (by including
the inline-jflow statement at the [edit forwarding-options sampling instance
instance-name family inet output] hierarchy level).
• The following information regarding the interoperationofFTPALGandaddress-pooling
paired features is missing from the "ALG Descriptions" topic of the "Application
Properties" chapter:
OnMS-MPCs andMS-MICs, for passive FTP to work properly without FTP application
layer gateway (ALG) enabled (by not specifying the application junos-ftp statement
at the [edit services stateful-firewall rule rule-name term term-name from] and the [edit
services nat rule rule-name term term-name from] hierarchy levels), youmust enable
the address pooling paired (APP) functionality enabled (by including the
address-pooling statement at the [edit servicesnat rule rule-name term term-name then
translated] hierarchy level). Such a configuration causes the data and control FTP
sessions to receive the same NAT address.
• The “ConfiguringTunnel InterfacesonMXSeriesRouters” topic in theServices Interfaces
Configuration Guide fails to state that Ingress queuing and tunnel services cannot be
configured on the sameMPC as it causes Packet Forwarding Engine forwarding to
stop. Each feature can, however, be configured and used separately.
Services Interfaces Overview for Routing Devices
• The following items describe updates for aggregated Mulitservices (AMS) interfaces
information:
• The description for the rejoin-timeout statement under the hierarchy [edit interfaces
interface-name load-balancing-optionsmember-failure-optionsdrop-member-traffic]
should be changed to the following:
Configure the timebywhen failedmembers (members in theDISCARD state) should
rejoin the aggregatedMultiservices (AMS) interfaceautomatically. Allmembers that
do not rejoin by the configured time aremoved to the INACTIVE state and the traffic
meant for each of the members is dropped.
If multiple members fail around the same time, then they are held in the DISCARD
state using a single timer. When the timer expires, all the failed members move to
INACTIVE state at the same time.
• The following information should be added to the “Aggregated Multiservices
Interface” section in the “Understanding Aggregated Multiservices Interfaces” topic:
Copyright © 2017, Juniper Networks, Inc.236
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Member interfacesare identifiedasmams in theconfiguration. Thechassisdprocess
in routers that support AMS configuration creates amams entry for every
multiservices interface on the router.
When you configure services-options at the ams= interface level, the options apply
to all member interfaces (mams) for the ams interface.
The options also apply to service sets configured onms- interfaces corresponding
to the ams interface’s member interfaces. All settings are per PIC. For example,
session-limit applies per member and not at an aggregate level.
NOTE: You cannot configure services-options at both the ams(aggregate)andmember-interface level. If services-options isconfiguredonms-x/y/z, it also applies to service sets onmams-x/y/z.
When you want services-options settings to apply uniformly to allmembers, configure services-options at the ams interface level. If youneed different settings for individualmembers (for example, because ofa syslog configuration), configure services-options at themember-interface level.
• The show interfaces load-balancing command topic should include the following
description for Last change in the table:
Time elapsed since the last change to the interface. Changes that affect the elapsed
time displayed include internal events that may not have changed the state of any
member.
• The Options section for the flow-export-rate statement under the hierarchy [edit
forwarding-options sampling instance instance-name family inet output inline-jlow] did
not include the default value. The default value is:
Default: 1 for eachPacketForwardingEngineon theFPCtowhich thesampling instanceis applied.
Standards Reference
• The “Supported FlowMonitoring and Discard Accounting Standards” topic fails to
mention the following additional information:
On MX Series routers, Junos OS partially supports the following RFCs:
• RFC 5101, Specification of the IP Flow Information Export (IPFIX) Protocol for the
Exchange of IP Traffic Flow Information
• RFC 5102, Information Model for IP Flow Information Export
Subscriber Management Access Network Guide
• The LACTunnel SelectionOverview,ConfiguringWeighted LoadBalancing for LACTunnel
Sessions andweighted-load-balancing (L2TP LAC) topics in the Junos OS Broadband
Subscriber Management and Services Library incorrectly describe howweighted load
237Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
balancing works on an L2TP LAC. The topics state that the tunnel with the highest
weight (highest session limit) within a preference level is selected until it has reached
itsmaximumsessions limit, and then the tunnelwith thenext higherweight is selected,
and so on.
In fact, when weighted load balancing is configured, tunnels are selected randomly
within a preference level, but the distribution of selected tunnels is related to their
weight. The LAC generates a random number within a range equal to the aggregate
total of all session limits for all tunnels in the preference level. Portions of the
range—pools of numbers—are associated with the tunnels according to their weight;
a higher weight results in a larger pool. The random number is more likely to be in a
larger pool, so a tunnel with a higher weight (larger pool) is more likely to be selected
than a tunnel with a lower weight (smaller pool).
For example, consider a level that has only two tunnels, A and B. Tunnel A has a
maximum sessions limit of 1000 and tunnel B has a limit of 2000 sessions, resulting
in an aggregate total of 3000 sessions. The LAC generates a random number in the
range from 0 through 2999. A pool of 1000 numbers, the portion of the range from 0
through 999, is associated with tunnel A. A pool of 2000 numbers, the portion of the
range from 1000 through 2999, is associated with tunnel B. If the generated number
is less than 1000, then tunnel A is selected, even though it has a lower weight than
tunnel B. If the generated number is 1000 or larger, then tunnel B is selected. Because
the pool of possible generated numbers for tunnel B (2000) is twice that for tunnel A
(1000), tunnel B is, on average, selected twice as often as tunnel A.
• The Pseudowire Subscriber Logical Interfaces Overview and Configuring a Pseudowire
Subscriber Logical Interface topics have been updated in Junos OS Release 13.3R9 to
state thatVLANdemux interfacesarenot supportedoverpseudowire subscriber logical
interfaces. Earlier versions of these topics omitted this information.
Subscriber Management Feature Guide
• In the Junos OS Subscriber Management Feature Guide, the fail-over-within-preference
statement at the [edit services l2tp] hierarchy level is incorrectly spelled. The correct
spelling for this statement is failover-within-preference.
• The Junos OS Release 13.3 Subscriber Management Feature Guide fails to include the
new user@domain option for filtering AAA, L2TP, and PPP traces by subscriber. See
the feature description in these Release Notes titled Support for filtering trace results
by subscribers for AAA, L2TP, and PPP for information about using this option.
• The “Example: HTTPServiceWithin aService Set” topic in theSubscriberManagement
Feature Guide erroneously describes how to configure captive portal content delivery
rules in service sets.
Copyright © 2017, Juniper Networks, Inc.238
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Use the followingprocedure to configure captiveportal content delivery rules in service
sets:
1. Define one or more rules with the rule rule-name statement at the [edit services
captive-portal-content-delivery]hierarchy level. In each rule youspecify oneormore
terms to match on an application, destination address, or destination prefix list;
where the match takes place; and actions to be taken when thematch occurs,
2. (Optional) Define one or more rule sets by listing the rules to be included in the set
with the rule-set rule-set-name statement at the [edit services
captive-portal-content-delivery] hierarchy level.
3. Configure a captive portal content delivery profile with the profile profile-name
statement at the [edit services captive-portal-content-delivery] hierarchy level.
4. In the profile, specify a list of rules with the cpcd-rules [rule-name] statement or a
list of rule setswith the cpcd-rule-sets [rule-set-name] statement. Both statements
areat the [editservicescaptive-portal-content-deliveryprofileprofile-name]hierarchy
level.
5. Associate theprofilewithaservicesetwith thecaptive-portal-content-delivery-profile
profile-name statement at the [edit services service-set service-set-name] hierarchy
level.
• The “LAC Tunnel Selection Overview” topic in the Junos OS Subscriber Management
FeatureGuide incorrectly describes thecurrentbehavior for failover betweenpreference
levels. The topic states that when the tunnels at every preference level have a
destination in the lockout state, the LAC cycles back to the highest preference level
andwaits for the lockout time for adestinationat that level to expire before attempting
to connect and starting the process over.
In fact, the current behavior in this situation is that from the tunnels present at the
lowest level of preference (highest preference number), the LAC selects the tunnel
that has the destinationwith the shortest remaining lockout time. The LAC ignores the
lockout and attempts to connect to the destination.
• The Subscriber Management Scaling Values (XLS) spreadsheet previously reported
that 64,000 PPPoE subscribers are supported per interface for Junos OS Release 12.3
and subsequent releases. In fact, the chassis supports 128,000 PPPoE subscribers
beginning in Junos OS Release 12.3.
You can access the latest version of the Subscriber Management Scaling Values (XLS)
spreadsheet fromtheDownloadsboxat JunosOSSubscriberManagementandServices
Library.
Subscriber Management Provisioning Guide
• The table in the topic, “AAA Access Messages and Supported RADIUS Attributes and
Juniper Networks VSAs for Junos OS” incorrectly indicates that VSA 26-1
(Virtual-Router) supports CoA Request messages. VSA 26-1 does not support CoA
Request messages.
239Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
• The following topics erroneously include information about the Ignore-DF-Bit VSA
(26-70): “RADIUSAttributesand JuniperNetworksVSAsSupportedby theAAAService
Framework,” “Juniper Networks VSAs Supported by the AAA Service Framework”, and
“AAAAccessMessages and Supported RADIUSAttributes and Juniper Networks VSAs
for Junos OS.” Junos OS does not support VSA 26-70.
Some versions of the RADIUS dictionary file also erroneously list 26-70 as supported
by the Junos OS.
Copyright © 2017, Juniper Networks, Inc.240
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
System LogMessages Reference
• The formats of theMSVCS_LOG_SESSION_OPENandMSVCS_LOG_SESSION_CLOSE
system logmessages in the "MSVCS System Log Messages" chapter are incorrectly
specified. The following is the correct and complete format of the
MSVCS_LOG_SESSION_OPEN and MSVCS_LOG_SESSION_CLOSE system log
messages:
App: application, source-interface-name fpc/pic/port\address in hexadecimal format
source-address:source-port source-nat-information ->
destination-address:destination-port destination-nat-information (protocol-name)
hh:mm:ss.milliseconds protocol-name (tos tos-bit-value, ttl ttl-value, id id-number,
offset offset-value, flags [ip-flag-type], proto protocol- name (protocol-id), length
number)
SystemServices Administration Guide for Routing Devices
• The “Configuring the SSH Protocol Version” topic incorrectly states that both version
1 and version 2 of the SSH protocol are enabled by default. The topic should state that
version 2 of the SSH protocol is enabled by default, and youmust explicitly configure
version 1 if you want to enable it.
Tunnel and Encryption Services Interfaces
• The topic “Configuring Tunnel Interfaces on MX Series Routers” incorrectly states that
bandwidth rates of 20 gigabits per seconds and 40 gigabits per second require use of
a 100-Gigabit Ethernet Modular Port Concentrator and 100-Gigabit CFP MIC. The
MPC4E, MPC5E, and MPC6E also support 20 and 40 gigabits per second.
User Access and Authentication Guide for Routing Devices
• The "Example: DHCP Complete Configuration" and "dchp" topics should not include
support for the MX Series Universal Edge 3D Routers. This feature is supported only
on the M Series and the T Series.
VPLS Feature Guide for Routing Devices
• The following information regarding the working of firewall filters and policers with
MAC addresses applies to the "Configuring Firewall Filters and Policers for VPLS "
topic:
The behavior of firewall filters processing with MAC addresses differs between DPCs
and MPCs. On MPCs, interface filters are always applied before MAC learning occurs.
The input forwarding table filter is applied after MAC learning is completed. However,
onDPCs,MAC learningoccurs independentlyof theapplicationof filters. If theCE-facing
interface of the PE where the firewall filter is applied is an MPC, then the MAC entry
times out and is never learned again. However, if the CE-facing interface of the PE
where the firewall filter is applied is an DP, then the MAC entry is not timed out and if
the MAC address entry is manually cleared, it is relearned.
241Copyright © 2017, Juniper Networks, Inc.
Documentation Updates
VPNs Library for Routing Devices
• The “Routing Instances Overview” topic should include the following instance types:
EthernetVPN(EVPN)and InternetMulticastoverMPLS.Use theEhternetVPN instance
type, which is supported on the MX Series only, to connect a group of dispersed
customer sites using a Layer 2 virtual bridge. Use the Internet Multicast over MPLS
instance type to provide support for ingress replication provider tunnels to carry IP
multicastdatabetween routers throughanMPLScloud, usingMBGPornext-generation
MVPN.
To configure an EVPN instance type, include the evpn statement at the [edit
routing-instances routing-instance-name instance-type] hierarchy level. To configure
an Internet Multicast over MPLS instance type, include thempls-internet-multicast
statementat the [edit routing-instances routing-instance-name instance-type]hierarchy
level.
VPWS Feature Guide for Routing Devices
• In JunosOSRelease 13.3, the Layer 2Circuits FeatureGuide for RoutingDeviceshasbeen
renamed VPWS Feature Guide for Routing Devices. VPWS content has been added to
this guide, and has been removed from the VPLS Feature Guide for Routing Devices.
RelatedDocumentation
New and Changed Features on page 26•
• Changes in Behavior and Syntax on page 61
• Known Behavior on page 78
• Known Issues on page 82
• Resolved Issues on page 101
• Migration, Upgrade, and Downgrade Instructions on page 242
• Product Compatibility on page 251
Migration, Upgrade, and Downgrade Instructions
This sectioncontains theprocedure toupgrade JunosOS,and theupgradeanddowngrade
policies for JunosOS for theMSeries,MXSeries, andTSeries. Upgrading or downgrading
JunosOScan take several hours, depending on the size and configuration of the network.
• Basic Procedure for Upgrading to Release 13.3 on page 243
• Upgrade and Downgrade Support Policy for Junos OS Releases on page 245
• Upgrading a Router with Redundant Routing Engines on page 245
• Upgrading Juniper Network Routers Running Draft-Rosen Multicast VPN to Junos OS
Release 10.1 on page 246
• Upgrading the Software for a Routing Matrix on page 247
• Upgrading Using Unified ISSU on page 248
• Upgrading from Junos OS Release 9.2 or Earlier on a Router Enabled for Both PIM and
NSR on page 249
Copyright © 2017, Juniper Networks, Inc.242
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Downgrading from Release 13.3 on page 250
• Changes Planned for Future Releases on page 250
Basic Procedure for Upgrading to Release 13.3
In order to upgrade to Junos OS 10.0 or later, youmust be running Junos OS 9.0S2, 9.1S1,
9.2R4, 9.3R3, 9.4R3, 9.5R1, or later minor versions, or youmust specify the no-validate
option on the request system software install command.
When upgrading or downgrading Junos OS, always use the jinstall package. Use other
packages (such as the jbundle package) only when so instructed by a Juniper Networks
support representative. For information about the contents of the jinstall package and
details of the installation process, see the Installation and Upgrade Guide.
NOTE: With JunosOSRelease 9.0 and later, the compact flash diskmemoryrequirement for Junos OS is 1 GB. For M7i andM10i routers with only 256MBmemory, see the Customer Support Center JTAC Technical BulletinPSN-2007-10-001 athttps://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2007-10-001
&actionBtn=Search
NOTE: Before upgrading, back up the file system and the currently activeJunos OS configuration so that you can recover to a known, stableenvironment in case the upgrade is unsuccessful. Issue the followingcommand:
user@host> request system snapshot
The installation process rebuilds the file system and completely reinstallsJunos OS. Configuration information from the previous software installationis retained, but the contents of log files might be erased. Stored files on therouting platform, such as configuration templates and shell scripts (the onlyexceptions are the juniper.conf and ssh files) might be removed. To preserve
the stored files, copy them to another system before upgrading ordowngrading the routing platform. For more information, see the Junos OS
Administration Library for Routing Devices.
243Copyright © 2017, Juniper Networks, Inc.
Migration, Upgrade, and Downgrade Instructions
Thedownloadand installationprocess for JunosOSRelease 13.3 isdifferent fromprevious
Junos OS releases.
Before upgrading to 64-bit Junos OS, read the instruction on the following pages:
• To check Routing Engine compatibility, see Supported Routing Engines by Router.
• To read the upgrade instructions, see Upgrading to 64-bit Junos OS.
1. Using aWeb browser, navigate to the All Junos Platforms software download URL on
the Juniper Networks webpage:
http://www.juniper.net/support/downloads/
2. Select the name of the Junos platform for the software that you want to download.
3. Select the release number (the number of the software version that you want to
download) from the Release drop-down list to the right of the Download Software
page.
4. Select the Software tab.
5. In the Install Package section of the Software tab, select the software package for the
release.
6. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.
7. Review and accept the End User License Agreement.
8. Download the software to a local host.
9. Copy the software to the routing platform or to your internal software distribution
site.
10. Install the new jinstall package on the routing platform.
NOTE: We recommend that you upgrade all software packages out ofband using the console because in-band connections are lost during theupgrade process.
Customers in the United States and Canada, use the following command:
user@host> request system software add validate rebootsource/jinstall-13.3R91-domestic-signed.tgz
All other customers, use the following command:
user@host> request system software add validate rebootsource/jinstall-13.3R91-export-signed.tgz
Replace sourcewith one of the following values:
• /pathname—For a software package that is installed from a local directory on the
router.
• For software packages that are downloaded and installed from a remote location:
• ftp://hostname/pathname
Copyright © 2017, Juniper Networks, Inc.244
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• http://hostname/pathname
• scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release.
Adding the reboot command reboots the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 13.3 jinstall package, you cannot
issue the requestsystemsoftwarerollbackcommandto return to thepreviously
installed software. Instead youmust issue the request system software add
validate command and specify the jinstall package that corresponds to the
previously installed software.
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that spanmore than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to twoEEOL releases before or after. For example,
Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos
OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4.
However, you cannot upgrade directly from a non-EEOL release that is more than three
releases ahead or behind. For example, you cannot directly upgrade from Junos OS
Release 10.3 (a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from
Junos OS Release 11.4 to Junos OS Release 10.3.
To upgrade or downgrade fromanon-EEOL release to a releasemore than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html
Upgrading a Router with Redundant Routing Engines
If the router has two Routing Engines, perform a Junos OS installation on each Routing
Engine separately to avoid disrupting network operation as follows:
245Copyright © 2017, Juniper Networks, Inc.
Migration, Upgrade, and Downgrade Instructions
1. Disable graceful Routing Engine switchover (GRES) on themaster Routing Engine
and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the
currently running software version on themaster Routing Engine.
3. After making sure that the new software version is running correctly on the backup
RoutingEngine, switchover to thebackupRoutingEngine toactivate thenewsoftware.
4. Install the new software on the original master Routing Engine that is now active as
the backup Routing Engine.
For the detailed procedure, see the Installation and Upgrade Guide.
Upgrading JuniperNetworkRoutersRunningDraft-RosenMulticastVPN to JunosOS Release 10.1
In releases earlier than Junos OS Release 10.1, the draft-rosenmulticast VPN feature
implements the unicast lo0.x address configured within that instance as the source
address used to establish PIM neighbors and create the multicast tunnel. In this mode,
the multicast VPN loopback address is used for reverse path forwarding (RPF) route
resolution to create the reverse path tree (RPT), or multicast tunnel. Themulticast VPN
loopback address is also used as the source address in outgoing PIM control messages.
In Junos OS Release 10.1 and later, you can use the router’s main instance loopback
(lo0.0) address (rather than themulticast VPN loopback address) to establish the PIM
state for the multicast VPN. We strongly recommend that you perform the following
procedure when upgrading to Junos OS Release 10.1 if your draft-rosenmulticast VPN
network includes both Juniper Network routers and other vendors’ routers functioning
as provider edge (PE) routers. Doing so preservesmulticast VPNconnectivity throughout
the upgrade process.
Because JunosOSRelease 10.1 supportsusing the router’smain instance loopback (lo0.0)
address, it is no longer necessary for the multicast VPN loopback address to match the
main instance loopback adddress lo0.0 to maintain interoperability.
NOTE: Youmight want tomaintain amulticast VPN instance lo0.x address
to use for protocol peering (such as IBGP sessions), or as a stable routeridentifier, or to support the PIM bootstrap server function within the VPNinstance.
Complete the following steps when upgrading routers in your draft-rosenmulticast VPN
network to Junos OS Release 10.1 if you want to configure the routers’s main instance
loopback address for draft-rosenmulticast VPN:
1. Upgrade all M7i and M10i routers to Junos OS Release 10.1 before you configure the
loopback address for draft-rosen Multicast VPN.
NOTE: Do not configure the new feature until all theM7i andM10i routersin the network have been upgraded to Junos OS Release 10.1.
Copyright © 2017, Juniper Networks, Inc.246
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
2. After you have upgraded all routers, configure each router’s main instance loopback
address as the source address formulticast interfaces. Include thedefault-vpn-source
interface-name loopback-interface-name] statement at the [edit protocols pim]
hierarchy level.
3. After you have configured the router’s main loopback address on each PE router,
delete the multicast VPN loopback address (lo0.x) from all routers.
We also recommend that you remove themulticast VPN loopback address from all
PE routers fromother vendors. In JunosOS releases earlier thanRelease 10.1, to ensure
interoperability with other vendors’ routers in a draft-rosenmulticast VPN network,
you had to perform additional configuration. Remove that configuration from both
the JuniperNetworks routers and the other vendors’ routers. This configuration should
beon JuniperNetworks routers andon theother vendors’ routerswhere youconfigured
the lo0.mvpnaddress ineachVRF instanceas thesameaddressas themain loopback
(lo0.0) address.
This configuration is not requiredwhen you upgrade to Junos OS Release 10.1 and use
themain loopback address as the source address for multicast interfaces.
NOTE: Tomaintain a loopback address for a specific instance, configurea loopback address value that does notmatch themain instance address(lo0.0).
For more information about configuring the draft-rosen Multicast VPN feature, see the
Multicast Protocols Feature Guide for Routing Devices.
Upgrading the Software for a RoutingMatrix
A routing matrix can be either a TXMatrix router as the switch-card chassis (SCC) or a
TXMatrix Plus router as the switch-fabric chassis (SFC). By default, when you upgrade
software for a TXMatrix router or a TXMatrix Plus router, the new image is loaded onto
the TXMatrix or TX Matrix Plus router (specified in the Junos OS CLI by using the scc or
sfc option) and distributed to all line-card chassis (LCCs) in the routingmatrix (specified
in the Junos OS CLI by using the lcc option). To avoid network disruption during the
upgrade, ensure the following conditions before beginning the upgrade process:
• Aminimumof freedisk spaceandDRAMoneachRoutingEngine.Thesoftwareupgrade
will fail on any Routing Engine without the required amount of free disk space and
DRAM.Todetermine theamountofdisk spacecurrentlyavailableonallRoutingEngines
of the routing matrix, use the CLI show system storage command. To determine the
amount of DRAM currently available on all the Routing Engines in the routing matrix,
use the CLI show chassis routing-engine command.
• Themaster Routing Engines of the TXMatrix or TX Matrix Plus router (SCC or SFC)
and all LCCs connected to the SCC or SFC are all re0 or are all re1.
• The backup Routing Engines of the TXMatrix or TX Matrix Plus router (SCC or SFC)
and all LCCs connected to the SCC or SFC are all re1 or are all re0.
247Copyright © 2017, Juniper Networks, Inc.
Migration, Upgrade, and Downgrade Instructions
• All master Routing Engines in all routers run the same version of software. This is
necessary for the routing matrix to operate.
• All master and backup Routing Engines run the same version of software before
beginning the upgrade procedure. Different versions of the Junos OS can have
incompatible message formats especially if you turn on GRES. Because the steps in
the process include changing mastership, running the same version of software is
recommended.
• For a routing matrix with a TXMatrix router, the same Routing Engine model is used
within a TXMatrix router (SCC) and within a T640 router (LCC) of a routing matrix.
For example, a routing matrix with an SCC using two RE-A-2000s and an LCC using
two RE-1600s is supported. However, an SCC or an LCC with two different Routing
Engine models is not supported. We suggest that all Routing Engines be the same
model throughout all routers in the routing matrix. To determine the Routing Engine
type, use the CLI show chassis hardware | match routing command.
• For a routing matrix with a TXMatrix Plus router, the SFC contains twomodel
RE-DUO-C2600-16G Routing Engines, and each LCC contains twomodel
RE-DUO-C1800-8G or RE-DUO-C1800-16G Routing Engines.
BEST PRACTICE: Make sure that all master Routing Engines are re0 and allbackup Routing Engines are re1 (or vice versa). For the purposes of thisdocument, themaster Routing Engine is re0 and the backup Routing Engineis re1.
To upgrade the software for a routing matrix, perform the following steps:
1. Disable graceful Routing Engine switchover (GRES) on themaster Routing Engine
(re0) and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine (re1) while keeping
the currently running software version on themaster Routing Engine (re0).
3. Load the new JunosOSon the backupRouting Engine. Aftermaking sure that the new
software version is running correctly on the backup Routing Engine (re1), switch
mastership back to the original master Routing Engine (re0) to activate the new
software.
4. Install the new software on the new backup Routing Engine (re0).
For thedetailedprocedure, see theRoutingMatrixwithaTXMatrixRouterDeploymentGuide
or the Routing Matrix with a TXMatrix Plus Router Deployment Guide.
Upgrading Using Unified ISSU
Unified in-service softwareupgrade (ISSU)enables you toupgradebetween twodifferent
Junos OS releases with no disruption on the control plane and with minimal disruption
of traffic. Unified in-service software upgrade is only supported by dual Routing Engine
platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active
routing (NSR)must be enabled. For additional information about using unified in-service
software upgrade, see the High Availability Feature Guide for Routing Devices.
Copyright © 2017, Juniper Networks, Inc.248
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Upgrading from JunosOSRelease 9.2 or Earlier on aRouter Enabled for BothPIMand NSR
Junos OS Release 9.3 introduced NSR support for PIM for IPv4 traffic. However, the
following PIM features are not currently supportedwith NSR. The commit operation fails
if the configuration includes both NSR and one or more of these features:
• Anycast RP
• Draft-Rosenmulticast VPNs (MVPNs)
• Local RP
• Next-generation MVPNs with PIM provider tunnels
• PIM join load balancing
Junos OS Release 9.3 introduced a new configuration statement that disables NSR for
PIM only, so that you can activate incompatible PIM features and continue to use NSR
for the other protocols on the router: the nonstop-routing disable statement at the [edit
protocolspim]hierarchy level. (Note that this statementdisablesNSR for all PIM features,
not only incompatible features.)
If neitherNSRnorPIM is enabledon the router tobeupgradedor if oneof theunsupported
PIM features is enabled but NSR is not enabled, no additional steps are necessary and
you can use the standard upgrade procedure described in other sections of these
instructions. If NSR is enabled and no NSR-incompatible PIM features are enabled, use
the standard reboot or ISSU procedures described in the other sections of these
instructions.
Because the nonstop-routing disable statement was not available in Junos OS Release
9.2 and earlier, if both NSR and an incompatible PIM feature are enabled on a router to
be upgraded from Junos OS Release 9.2 or earlier to a later release, youmust disable
PIM before the upgrade and reenable it after the router is running the upgraded Junos
OS and you have entered the nonstop-routing disable statement. If your router is running
Junos OS Release 9.3 or later, you can upgrade to a later release without disabling NSR
orPIM–simplyuse thestandard rebootor ISSUproceduresdescribed in theother sections
of these instructions.
To disable and reenable PIM:
1. On the router running Junos OS Release 9.2 or earlier, enter configuration mode and
disable PIM:
[edit]
user@host# deactivate protocols pimuser@host# commit
2. Upgrade to Junos OS Release 9.3 or later software using the instructions appropriate
for the router type. You caneither use the standardprocedurewith reboot or use ISSU.
3. After the router reboots and is running the upgraded Junos OS, enter configuration
mode, disablePIMNSRwith thenonstop-routingdisable statement, and then reenable
PIM:
249Copyright © 2017, Juniper Networks, Inc.
Migration, Upgrade, and Downgrade Instructions
[edit]
user@host# set protocols pim nonstop-routing disableuser@host# activate protocols pimuser@host# commit
Downgrading fromRelease 13.3
To downgrade from Release 13.3 to another supported release, follow the procedure for
upgrading, but replace the 13.3 jinstall package with one that corresponds to the
appropriate release.
NOTE: Youcannot downgrademore than three releases. For example, if yourrouting platform is running Junos OS Release 11.4, you can downgrade thesoftware to Release 10.4 directly, but not to Release 10.3 or earlier; as aworkaround, you can first downgrade to Release 10.4 and then downgradeto Release 10.3.
For more information, see the Installation and Upgrade Guide.
Changes Planned for Future Releases
The following are changes planned for future releases.
Routing Protocols
• Change in Junos OS support for the BGPMonitoring Protocol (BMP)—In Junos OSRelease 13.3and later, thecurrently supportedversionofBMP,BMPversion 1, asdefined
in Internet draft draft-ietf-grow-bmp-01, is planned to be replaced with BMP version
3, as defined in Internet draft draft-ietf-grow-bmp-07.txt. Junos OS can support only
one of these versions of BMP in a release. Therefore, Junos OS Release 13.2 and earlier
releases will continue to support BMP version 1, as defined in Internet draft
draft-ietf-grow-bmp-01. Junos OS Release 13.3 and later support only the updated
BMP version 3 defined in Internet draft draft-ietf-grow-bmp-07.txt. This also means
thatbeginning in JunosOSRelease 13.3,BMPversion3configurationsarenotbackwards
compatible with BMP version 1 configurations from earlier Junos OS releases.
• Removalofsupport forproviderbackbonebridging(MXSeries routers) fromRelease14.1—Starting with Junos OS Release 14.1, the provider backbone bridging (PBB)capability is disabled and not supported on MX Series routers. The pbb-options
statementand its substatementsat the [edit routing-instances routing-instance-name]
hierarchy level and the pbb-service-options statement and its substatements at the
[edit routing-instances routing-instance-name service-groups service-group-name]
hierarchy level are no longer available for configuring customer and provider routing
instances for PBB. When you upgrade MX Series routers running Junos OS Releases
12.3, 13.2, or 13.3 to JunosOSRelease 14.1 and if your deployment contains PBB settings
in configuration files, the configuration files after the upgrade need to bemodified to
remove the PBB-specific attributes because PBB is not supported in Release 14.1 and
later.
[See Provider Backbone Bridging Feature Guide for Routing Devices.]
Copyright © 2017, Juniper Networks, Inc.250
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
RelatedDocumentation
New and Changed Features on page 26•
• Changes in Behavior and Syntax on page 61
• Known Behavior on page 78
• Documentation Updates on page 217
• Product Compatibility on page 251
Product Compatibility
• Hardware Compatibility on page 251
Hardware Compatibility
To obtain information about the components that are supported on the devices, and
special compatibility guidelineswith the release, see theHardwareGuideand the Interface
Module Reference for the product.
To determine the features supported onM Series, MX Series, and T Series devices in this
release, use the Juniper Networks Feature Explorer, a Web-based application that helps
you to explore and compare Junos OS feature information to find the right software
release and hardware platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/
RelatedDocumentation
New and Changed Features on page 26•
• Changes in Behavior and Syntax on page 61
• Documentation Updates on page 217
• Migration, Upgrade, and Downgrade Instructions on page 242
251Copyright © 2017, Juniper Networks, Inc.
Product Compatibility
Junos OS Release Notes for PTX Series Packet Transport Routers
These release notes accompany Junos OS Release 13.3R10 for the PTX Series. They
describe new and changed features, limitations, and known and resolved problems in
the hardware and software.
You can also find these release notes on the Juniper Networks Junos OS Documentation
webpage, located at http://www.juniper.net/techpubs/software/junos/.
• New and Changed Features on page 252
• Changes in Behavior and Syntax on page 259
• Known Behavior on page 262
• Known Issues on page 263
• Resolved Issues on page 265
• Documentation Updates on page 278
• Migration, Upgrade, and Downgrade Instructions on page 279
• Product Compatibility on page 282
New and Changed Features
This section describes the new features and enhancements to existing features in Junos
OS Release 13.3R10 for the PTX Series.
• Hardware on page 252
• Class of Service (CoS) on page 254
• General Routing on page 254
• High Availability (HA) and Resiliency on page 254
• Interfaces and Chassis on page 254
• Network Management and Monitoring on page 258
• Routing Protocols on page 258
• Software Installation and Upgrade on page 258
Hardware
• PTX3000PacketTransportRouter—TheJuniperNetworksPTX3000PacketTransportRouter provides 10-Gigabit Ethernet, 40-Gigabit Ethernet, and 100-Gigabit Ethernet
interfaces for large networks and network applications, such as those supported by
ISPs. The router accommodates up to eight Flexible PIC Concentrators (FPCs), each
of which supports one PIC. The compact design of the PTX3000 router allows up to
four chassis to be installed back-to-back in a single four-post rack. The PTX3000
router can be configured with single-phase AC or DC power supply modules.
[See the PTX3000 Packet Transport Router Hardware Guide.]
• CFP-GEN2-CGE-ER4 and CFP-GEN2-100GBASE-LR4 (PTX5000)—TheCFP-GEN2-CGE-ER4 transceiver (part number: 740-049763) provides a duplex LC
connector and supports the 100GBASE-ER4 optical interface specification and
Copyright © 2017, Juniper Networks, Inc.252
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
monitoring. The CFP-GEN2-100GBASE-LR4 transceiver (part number: 740-047682)
provides a duplex LC connector and supports the 100GBASE-LR4 optical interface
specificationandmonitoring. Starting in JunosOSRelease 13.3, the “GEN2”optics have
been redesigned with newer versions of internal components for reduced power
consumption. The following interface module supports the CFP-GEN2-CGE-ER4 and
CFP-GEN2-100GBASE-LR4transceivers. Formore informationabout interfacemodules,
see the Interface Module Reference for your router.
• 100-Gigabit Ethernet PIC with CFP (model number:
P1-PTX-2-100GE-CFP)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3R1, and
later
[See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications.]
253Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
Class of Service (CoS)
• Support for strict-priority scheduling (PTX Series)—Beginning with Junos OS Release
13.3, interfaces on PTX Series routers support strict-priority scheduling. Configured
queues are processed in strict-priority order. Within the guaranteed region, multiple
CoS queues that compete in the same hardware-based priority level are selected
based on the packet round-robin algorithm, while within the excess region, selection
is based on theWRR algorithm. The queues receive equal share when they send the
same packet size. Otherwise, the queues receive shares proportional to the respective
packet sizes sent. To enable configuration of strict-priority scheduling for a physical
interface on a PTX Series router, include the strict-priority-scheduler statement in the
traffic control profile associated with the interface.
[See Understanding Scheduling on PTX Series Routers.]
General Routing
• Nonstop active routing support for logical systems (PTX Series)—Starting in Junos
OSRelease 13.3, this featureenablesnonstopactive routing support for logical systems
using the nonstop-routing option under the [edit logical-systems logical-system-name
routing-options] hierarchy. As a result of extending nonstop active routing support for
logical systems, the logical-systems argument has been appended in some show
operational commands to allow display of status, process, and event details.
High Availability (HA) and Resiliency
• Nonstop active routing support for BGP addpath (PTX Series)—Beginning in JunosOS Release 13.3, nonstop active routing support for BGP addpath is available on the
PTX Series. Nonstop active routing support is enabled for the BGP addpath feature.
After the nonstop active routing switchover, addpath-enabled BGP sessions do not
bounce. The secondary Routing Engine maintains the addpath advertisement state
before the nonstop active routing switchover.
Interfaces and Chassis
• FPCself-healing(PTXSeries)—Starting in JunosOSRelease 13.3onPTXSeries routersyoucanconfigurePacket ForwardingEngine-relatederror levels (fatal,major, orminor)
and the actions to perform (alarm, disable-pfe, or log) when a specified threshold is
reached. Previously, Packet Forwarding Engine-related errors disabled the FPC. Using
this command Packet Forwarding Engine errors can be isolated thereby reducing the
need for a field replacement. This command is available at the [edit chassis fpc
slot-number] and [edit chassis] hierarchy levels.
• 2-port 100-Gigabit DWDMOTNPIC (PTX3000)—Beginning with Junos OS Release13.3, the 2-port 100-Gigabit dense wavelength division multiplexing (DWDM) optical
transport network (OTN) PIC is supported by Type 5 FPCs on PTX3000 routers. The
100-Gigabit DWDMOTN PIC supports the following features:
• Transparent transport of two 100-Gigabit Ethernet signals with OTU4 framing
• ITU-standard OTN performancemonitoring and alarmmanagement
Copyright © 2017, Juniper Networks, Inc.254
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Dual polarization quadrature phase shift keying (DP-QPSK)modulation and
soft-decision forwarderror correction (SD-FEC) for longhaul andmetroapplications
You can use SNMP tomanage the PIC based on RFC 3591,Managed Objects for the
Optical Interface Type.
[See 100-Gigabit Ethernet OTNOptions Configuration Overview.]
• Pre-FECBERfast reroute(PTX3000)—Starting in JunosOSRelease 13.3, the 100-GbpsDWDMOTN PIC (P1-PTX-2-100G-WDM) supports pre-forward error correction
(pre-FEC) bit error rate (BER) monitoring as a condition for MPLS fast reroute (FRR).
Pre-FEC BER FRR uses pre-FEC BER as an indication of the condition of an optical
transport network (OTN) link. When the pre-FEC BER degrade threshold is reached,
thePIC stops forwarding packets to the remote interface and raises an interface alarm.
Ingress packets continue to be processed. When Pre-FEC BER FRR is used with MPLS
FRR or another link protection method, traffic is then rerouted to a different interface.
You can optionally enable backward FRR to inject local pre-FEC status into the
transmitted OTN frames, notifying the remote interface. The remote interface then
reroutes traffic to a different interface.When you use pre-FEC BER FRR and backward
FRR, notification of signal degradation and rerouting of traffic can occur in less time
than through a Layer 3 protocol.
[See 100-Gigabit Ethernet OTNOptions Configuration Overview.]
• Support for configuring interface alias names (PTX Series)—Beginning in Junos OSRelease 13.3, you can configure a textual description of a physical interface or the
logical unit of an interface to be the alias of an interface name. If you configure an
interface alias, this alias name is displayed in the output of the show interfaces
commands instead of the interface name. Also, in the output of all of the show and
operational mode commands that display the interface names, the alias name is
displayed instead of the interface name if you configure the alias name. It has no effect
on theoperationof the interfaceon the router or switch.Youcanuse thealias statement
at the [edit interfaces interface-name], [edit interfaces interface-name unit
logical-unit-number], and [edit logical-systems logical-system-name interfaces
interface-name unit logical-unit-number] hierarchy levels to specify an interface alias.
[See Interface Alias NameOverview]
• Support for active flowmonitoring version 9 (PTX5000 routers withCSE2000)—Starting with Junos OS Release 13.3, Carrier-Grade Service Engine(CSE2000) supports active flowmonitoring version 9 on PTX5000 routers.
TheCSE2000 is tethered toaPTX5000router toenableactive flowmonitoringversion
9.Active flowmonitoring version9 supports IPV4,MPLS, and IPV6 templates to collect
a set of sampled flows and send the records to a specified host.
• SFPP-10G-CT50-ZR (PTX Series)—Beginning in Junos OS Release 13.3R3, theSPFF-10G-CT50-ZR tunable transceiver provides a duplex LC connector and supports
the 10GBASE-Z optical interface specification andmonitoring. The transceiver is not
specified as part of the 10-Gigabit Ethernet standard and is instead built according to
Juniper Networks specifications. OnlyWAN-PHY and LAN-PHYmodes are supported.
To configure the wavelength on the transceiver, use thewavelength statement at the
255Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
[edit interfaces interface-name optics-options] hierarchy level. The following interface
module supports the SPFF-10G-CT50-ZR transceiver:
• 10-Gigabit Ethernet LAN/WANOTN PIC with SFP+ (model number:
P1-PTX-24-10G-W-SFPP)—Supported in JunosOSRelease 13.2R3, 13.3R2, and later
Formore informationabout interfacemodules, see the “CablesandConnectors” section
in the Interface Module Reference for your router.
[See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications andwavelength.]
• SFPP-10G-ZR-OTN-XT (PTX Series)—Starting with Junos OS Release 13.3R3, theSFPP-10G-ZR-OTN-XTdual-rate extended temperature transceiver provides aduplex
LC connector and supports the 10GBASE-Z optical interface specification and
monitoring. The transceiver is not specified as part of the 10-Gigabit Ethernet standard
and is instead built according to ITU-T and Juniper Networks specifications. The
following interface modules support the SFPP-10G-ZR-OTN-XT transceiver:
• 10-Gigabit Ethernet PIC with SFP+ (model number:
P1-PTX-24-10GE-SFPP)—Supported in Junos OS Release 12.3R5, 13.2R3, 13.3, and
later
• 10-Gigabit Ethernet LAN/WANOTN PIC with SFP+ (model number:
P1-PTX-24-10G-W-SFPP)—Supported in JunosOSRelease 12.3R5, 13.2R3, 13.3, and
later
Formore informationabout interfacemodules, see the “CablesandConnectors” section
in the Interface Module Reference for your router.
[See 10-Gigabit Ethernet 10GBASE Optical Interface Specifications.]
• OTN support for PTX Series—Starting in Junos OS Release 13.3, you can configureOTNmode on 10-Gigabit Ethernet interfaces on PTX Series Packet Transport Routers.
Only the 24-port 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (model number:
P1-PTX-24-10G-W-SFPP) supports OTNmode. The following OTN framingmodes
are supported:
• 10-Gigabit Ethernet LAN-PHY over OTU2e/OTU1e
• 10-Gigabit EthernetWAN-PHY over OTU2
The following forward error correction (FEC) types are supported:
• GFEC (G.709)
• EFEC (G.975.1 I.4)
• UFEC (G.975.1 I.7)
• None
You canmonitor various transport features like 24-hour bins and transport states by
using the transport-monitoring statement at the [edit interfaces] hierarchy level.
• Support for active flowmonitoring version 9 (PTX3000 routers withCSE2000)—Starting with Junos OS Release 13.3R4, Carrier-Grade Service Engine(CSE2000) supports active flowmonitoring version 9 on PTX3000 routers.
Copyright © 2017, Juniper Networks, Inc.256
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
TheCSE2000 is tethered toaPTX3000router toenableactive flowmonitoringversion
9. Active flowmonitoring version 9 supports IPv4,MPLS, and IPv6 templates to collect
a set of sampled flows and send the records to a specified host.
• Support fordual-ratespeed(PTXSeries)—Starting in JunosOSRelease 13.3R3, 14.1R3,14.2R2, and later for PTX3000, and Junos OS 14.2R2 and later for PTX5000, support
for dual rate for the 24-port 10-Gigabit Ethernet PIC (P1-PTX-24-10GE-SFPP) enables
you to switch all port speeds to either 1-Gigabit Ethernet or 10-Gigabit Ethernet. The
default is 10 Gbps. All ports are configured to the same speed; there is no
mixed-rate-mode capability. You can use either the SFP-1GE-SX or the SFP-1GE-LX
transceiver for 1 Gbps. Changing the port speed causes the PIC to reboot.
Toconfigureall portson theP1-PTX-24-10GE-SFPPtooperateat 1Gbps, use the speed
1G statement at the [edit chassis fpc fpc-number pic pic-number] hierarchy level. To
return all ports to the 10-Gbps speed, use the delete chassis fpc fpc-number pic
pic-number speed 1G command.
[See speed (24-port and 12-port 10 Gigabit Ethernet PIC) and 10-Gigabit Ethernet PIC
with SFP+ (PTX Series).]
• CFP-100GBASE-ZR (PTX Series)—In Junos OS Release 13.3R6, 14.1R4, 14.2R3, and15.1R1 and later, the CFP-100GBASE-ZR transceiver provides advanced dual
polarization-quadraturephaseshift keying(DP-QPSK)coherentdigital signalprocessing
(DSP) and forward error correction (FEC)-enabled robust tolerance to optical
impairments and supports 80 km reach over single-mode fiber. The transceiver is not
specifiedaspart of IEEE802.3but is built according to JuniperNetworks specifications.
The following interface module supports the CFP-100GBASE-ZR transceiver:
• 100-Gigabit Ethernet PIC with CFP (P1-PTX-2-100GE-CFP)
For more information about the interface modules, see the “Cables and Connectors”
section in the PTX Series Interface Module Reference.
[See 100-Gigabit Ethernet 100GBASE-R Optical Interface Specifications and Supported
Network Interface Standards by Transceiver for PTX Series Routers.]
257Copyright © 2017, Juniper Networks, Inc.
New and Changed Features
NetworkManagement andMonitoring
• Support for BFD over child links of AE or LAG bundle (cross-functional PacketForwarding Engine/kernel/rpd) (PTX Series)—Beginning in Junos OS Release 13.3,BFDover child links of anAEor LAGbundle is supportedon thePTXSeries. This feature
provides a Layer 3 BFD liveness detection mechanism for child links of the Ethernet
LAG interface. You can enable BFD to run on individual member links of the LAG to
monitor theLayer 3or Layer 2 forwardingcapabilitiesof individualmember links. These
micro BFD sessions are independent of each other despite having a single client that
manages the LAG interface. To enable failure detection for aggregated Ethernet
interfaces, include the bfd-liveness-detection statement at the [edit interfaces aex
aggregated-ether-options bfd-liveness-detection] hierarchy level.
[See Understanding Independent Micro BFD Sessions for LAG.]
Routing Protocols
• Bidirectional PIM support (PTX5000)—Beginning with Junos OS Release 13.3,bidirectional PIM is supported on the PTX5000. The following caveats are applicable
for the bidrectional PIM configuration on the PTX 5000:
• You can configure the PTX5000 both as a bidirectional PIM rendezvous point and
the source node.
• For the PTX5000, you can configure the auto-rp statement at the [edit protocols
pimrp]or the [edit routing-instances routing-instance-nameprotocolspimrp]hierarchy
level with themapping option, but not the announce option.
• The PTX5000 does not support nonstop active routing in Junos OS Release 13.3.
• ThePTX5000does not support unified in-service software upgrade (ISSU) in Junos
OS Release 13.3.
Software Installation and Upgrade
• Unified ISSU support for the 100-Gbps DWDMOTNPIC (PTX5000)—Starting inJunosOSRelease 13.3, the 100-GbpsDWDMOTNPIC(P1-PTX-2-100G-WDM)supports
unified in-service software upgrade (ISSU) onPTX5000 routers. Unified ISSUenables
you to upgrade between two different Junos OS releases with no disruption on the
control plane and with minimal disruption of traffic.
[See Unified ISSU System Requirements.]
RelatedDocumentation
Changes in Behavior and Syntax on page 259•
• Known Behavior on page 262
• Known Issues on page 263
• Resolved Issues on page 265
• Documentation Updates on page 278
• Migration, Upgrade, and Downgrade Instructions on page 279
Copyright © 2017, Juniper Networks, Inc.258
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Product Compatibility on page 282
Changes in Behavior and Syntax
This section lists the changes in behavior of JunosOS features and changes in the syntax
of Junos OS statements and commands from Junos OS Release 13.3R10 for the PTX
Series.
• High Availability (HA) and Resiliency on page 259
• Interfaces and Chassis on page 259
• IPv6 on page 260
• Network Management and Monitoring on page 260
• Routing Protocols on page 260
• User Interface and Configuration on page 261
High Availability (HA) and Resiliency
• New redundancy failover CLI statement (PTX Series)—Starting in Junos OS Release13.3R6, the chassis redundancy failover not-on-disk-underperform statement prevents
gstatd from causing failovers in the case of slow disks on the Routing Engine.
[See not-on-disk-underperform and Preventing Graceful Restart in the Case of Slow
Disks.]
Interfaces and Chassis
• Change to interpolatedWRED drop probability (PTX Series)—In Junos OS Releases13.2R4 and 13.3R2, the interpolated fill level of 0 percent has a drop probability of 0
percent for weighted random early detection (WRED). In earlier Junos OS releases,
interpolatedWRED can have a nonzero drop probability for a fill level of 0 percent,
which can cause packets to be dropped even when the queue is not congested or the
port is not oversubscribed.
• Exporting active flowmonitoring version 9 packets fromCSE2000 to PTX Seriesrouters—Starting with Junos OS Release 13.3R4, active flowmonitoring version 9
records created by CSE2000 are sent back to PTX Series Routers on the 10-Gigabit
Ethernet interface. The PTX Series routers then forward the version 9 flow records to
the version 9 flow server.
In releasesbefore JunosOSRelease 13.3R4, the version9 recordsare sent to theversion
9 flow server by means of a separate external collector port. This issue was being
tracked by PR985729
259Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
IPv6
• IPv6 support for SNMP traps (PTX Series)—In Releases 13.3R4 and later, Junos OSsupports IPv6 source addresses for the SNMP traps.
NetworkManagement andMonitoring
• New system logmessage indicating the difference in the Packet Forwarding Enginecounter value (PTXSeries)—Effective in JunosOSRelease 13.3R4, if the counter valueof a Packet Forwarding Engine is reported lesser than its previous value, then the
residual counter value isadded to thenewly reportedvalueonly for that specific counter.
In that case, the CLI shows theMIB2D_COUNTER_DECREASING system logmessage
for that specific counter.
[SeeMIB2D_COUNTER_DECREASING.]
• Enhancement for SONET interval counter (PTX Series)—Starting with Junos OSRelease 13.3R7, only the Current Day Interval Total output field in the show interfaces
interval command forSONET interfaces is reset after 24hours. In addition, thePrevious
Day Interval Total output field displays the last updated time in hh:mm.
[See show interfaces interval.]
Routing Protocols
• Modification to the default BGP extended community value—Junos OSmodifies thedefault BGP extended community value used for MVPN IPv4 VRF route import
(RT-import) to the IANA-standardized value. The behavior of themvpn-iana-rt-import
statement isnowthedefault. Themvpn-iana-rt-importstatementhasbeendeprecated;
we recommend that you remove it from configurations.
• Configure and establish targeted sessions with third-party controllers using LDPtargeted neighbor (PTX Series)—Starting with Junos OS Release 13.3R6, you can
configure LDP targeted neighbor to third-party controllers for applications such as
route recorder thatwants to learn label-FECbindingsof anLSR. LDP targetedneighbor
helps to establish a targeted session with controllers for a variety of applications.
Copyright © 2017, Juniper Networks, Inc.260
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
User Interface and Configuration
• User-defined identifiersusingthereservedprefix junos-nowcorrectlycauseacommiterror in the CLI (PTXSeries)—Junos OS reserves the prefix junos- for the identifiers ofconfigurations defined within the junos-defaults configuration group. User-defined
identifiers cannot start with the string junos-. If you configured user-defined identifiers
using the reserved prefix through a NETCONF or Junos XML protocol session, the
commit would correctly fail. Prior to Junos OS Release 13.3, if you configured
user-defined identifiers through the CLI using the reserved prefix, the commit would
incorrectly succeed. Junos OS Release 13.3 and later releases exhibit the correct
behavior. Configurations that currently contain the reserved prefix for user-defined
identifiers other than junos-defaults configurationgroup identifiers nowcorrectly result
in a commit error in the CLI.
• Change in show version command output (PTX Series)—Beginning in Junos OSRelease 13.3, the show version command output includes the new Junos field that
displays the Junos OS version running on the device. This new field is in addition to the
list of installed sub-packages running on the device that also display the Junos OS
version number of those sub-packages. This field provides a consistent means of
identifying the Junos OS version, rather than extracting that information from the list
of installed sub-packages.
In Junos OS Release 13.2 and earlier, the show version command does not have the
single Junos field in theoutput thatdisplays the JunosOSversion runningon thedevice.
The only way to determine the Junos OS version running on the device is to review the
list of installed sub-packages.
Junos OS Release 13.3 and Later ReleasesWith the JunosField
Junos OS Release 13.2 and Earlier ReleasesWithout theJunos Field
user@host> show versionHostname: lab Model: ptx5000 Junos: 13.3R1.4JUNOS Base OS boot [13.3R1.4] JUNOS Base OS Software Suite [13.3R1.4] JUNOS 64-bit Kernel Software Suite [13.3R1.4]JUNOS Crypto Software Suite [13.3R1.4]...
user@host> show versionHostname: lab Model: ptx5000 JUNOS Base OS boot [12.3R2.5]JUNOS Base OS Software Suite [12.3R2.5]JUNOS 64–bit Kernel Software Suite [12.3R2.5]JUNOS Crypto Software Suite [12.3R2.5]...
[See show version.]
• Configuring regular expressions (PTX Series)— In all supported Junos OS releases,
you can no longer configure regular expressions if they require more than 64MB of
memory or more than 256 recursions for parsing.
This change in the behavior of Junos OS is in line with the FreeBSD limit. The change
wasmade in response to a known consumption vulnerability that allows an attacker
to cause a denial-of-service (resource exhaustion) attack by using regular expressions
containing adjacent repetition operators or adjacent bounded repetitions. Junos OS
uses regular expressions in several placeswithin theCLI. Exploitationof this vulnerability
can cause the Routing Engine to crash, leading to a partial denial of service. Repeated
261Copyright © 2017, Juniper Networks, Inc.
Changes in Behavior and Syntax
exploitation can result in an extendedpartial outageof services providedby the routing
protocol process (rpd).
• Newwarningmessage for the configurational changes to extend-size (PTXSeries)—Starting with Junos OS Release 13.3R8, any operation on the systemconfiguration-databaseextend-sizeconfiguration statement suchas,deactivate,delete,
or set, generates the following warning message:
Change in 'system configuration-database extend-size' will be effective at next reboot
only.
RelatedDocumentation
New and Changed Features on page 252•
• Known Behavior on page 262
• Known Issues on page 263
• Resolved Issues on page 265
• Documentation Updates on page 278
• Migration, Upgrade, and Downgrade Instructions on page 279
• Product Compatibility on page 282
Known Behavior
This sectioncontains theknownbehavior, systemmaximums, and limitations inhardware
and software in Junos OS Release 13.3R10 for the PTX Series.
• IPv6 on page 262
• MPLS on page 262
IPv6
• Inconsistent IfMtuMIB value (PTXSeries)—The value of IfMtuMIB is inconsistent forthe logical interfaces with IPv6 address.
MPLS
• Removal of SRLG from the SRLG table only on the next reoptimization of the LSP(PTX Series)—If a SRLG is associated with a link used by an ingress LSP in the routerthen on deleting the SRLG configuration from that router, the SRLGgets removed from
theSRLGtableonlyon thenext reoptimizationof theLSP.Until then theoutputdisplays
Unknown-XXX instead of the SRLG name and a non-zero srlg-cost of that SRLG for
run showmpls srlg command.
RelatedDocumentation
New and Changed Features on page 252•
• Changes in Behavior and Syntax on page 259
• Known Issues on page 263
• Resolved Issues on page 265
Copyright © 2017, Juniper Networks, Inc.262
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Documentation Updates on page 278
• Migration, Upgrade, and Downgrade Instructions on page 279
• Product Compatibility on page 282
Known Issues
This section lists theknown issues inhardwareandsoftware in JunosOSRelease 13.3R10.
The identifier following the description is the tracking number in the Juniper Networks
Problem Report (PR) tracking system.
• General Routing on page 263
• Interfaces and Chassis on page 264
• MPLS on page 264
• Routing Protocols on page 265
• VPNs on page 265
General Routing
• CCG locks to cc-8k even when configured signal type is cc-8k-400, without
off-frequency PR895450
• CCG configuration change does not reprogram hardware automatically. PR896226
• Output ifIndex is being exported as 0.PR964745
• When request system halt is executed on a PTX Series router, the Routing Engine is
halted, but the PTX Series device does not display the Halt message on the
CRAFT-Interface confirming that the system has halted. PR971303
• On PTX Series routers with 1k ifls, when changing the speed from 10G to 1Gmultiple
times, the ping will not work because the serdes is not being in the correct state, and
the traffic forwarding is affected. As a workaround, restart the PIC.PR988663
• When the TL- chip encounters a KHTmemory parity error, the content of thememory
is not corrected.PR1001052
• In LDP tunneling over single hop RSVP-based LSP environment, after enabling
chained-composite-next-hop, the router might fail to create the chained composite
next hops if the label value of VPN is equal to the label value of LDP. PR1058146
• On PTX Series platforms, some non-fatal interrupts (for example, CM cache or AQD
interrupts) are logged as fatal interrupts. The following log messages are shown on
CMparity interrupt: fpc0TQCHIP0: CMparity Fatal interrupt,Interrupt status:0x10 fpc0
CMSNG: Fatal ASIC error, chip TQ fpc0 TQCHIP 0: CM cache parity Fatal interrupt has
occurred 181 time(s) in 180010msecs TQCHIP 0: CM cache parity Fatal interrupt has
occurred 181 time(s) in 180005msecsPR1089955
• OnPTXSeries platforms, if there are scaling configurations (for example, 5000 routes,
each with 64 ECMP paths configured) on a single interface and an L2 rewrite profile
is applied for the interface, the Flexible PIC Concentrator (FPC) might crash when
deactivating and then activating the CoS configuration of the interface. PR1096958
263Copyright © 2017, Juniper Networks, Inc.
Known Issues
• On the
FPC-SFF-PTX-P1-A(PTX3000)FPC-SFF-PTX-T(PTX3000)FPC-PTX-P1-A(PTX5000),
and FPC2 -PTX-P1A(PTX5000), packet loss might be observed in an equal-cost
multipath (ECMP) or aggregated Ethernet (AE) scenario. This issue occurs in a race
condition: the unilist is created before Address Resolution Protocol (ARP) learns the
MAC addresses and then the selector table is corrupted. PR1120370
• In certain rare conditions the FPC virtual output queue (VOQ) wedges, resulting in
dropped packets on the ingress PFE Packet Forwarding Engine for the PTX Series
router. Because the wedge is unable to be reproduced, detection of wedge condition
is introduced that alarmwould be raised once the wedge condition is detected within
10 seconds. PR1127958
Interfaces and Chassis
• On dual Routing Engine platforms, when adding the logical interfaces (IFLs) and
committing, the device control process (dcd) on the backup Routing Enginemight fail
to process the configuration and keep it in thememory. In some cases (not happening
all the time), it might be observed that thememory of the dcd keeps increasing on the
backup Routing Engine. PR1014098
• On PTX Series platforms "cfp_lh_update_1sec_pm_var received" messages are
periodically logged withWarning level. PR1089592
MPLS
• Currently configuration of both fast-reroute and link-protection/node-link-protection
on a single LSP is allowed. However, when you configure both types of protection on
the LSPs, it might cause scaling issues in your network. As a workaround, you should
restrict the configuration to either fast-reroute or link/node-link protection on per-LSP
basis. PR860960
• When an LSP is link-protected and has no-local-reversion configured, if the primary
link (link1) is down and LSP on bypass (link2), then another link (link3) is brought up,
before the LSP switch to link3. If link1 is enabled and link3 is disabled, the LSP will get
stuck in bypass LSP forever. This is a timing issue. PR1091774
• If LSP's bandwidth is modified to maximum possible value of the link bandwidth in
one commit, some of the LSPsmight be delayed to signal to the new bandwidth.
PR1125323
Copyright © 2017, Juniper Networks, Inc.264
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Routing Protocols
• In a multicast environment, when the rendezvous point (RP) is a first-hop router, and
it has Multicast Source Discovery Protocol (MSDP) peers, when the rpf interface on
the RP changed to an MSDP-facing interface, because the multicast traffic is still on
the old rpf interface, a multicast discard route will be installed and traffic loss will be
seen. PR1130238
VPNs
• For JunosOSRelease 13.3R4, traffic lossmight be seenon flapping theCE-PE interface
on thePTXSeries platform.However for JunosOSRelease 13.3R4.6 and later, no traffic
loss will be seen on flapping the access-facing interface. PR1026955
RelatedDocumentation
New and Changed Features on page 252•
• Changes in Behavior and Syntax on page 259
• Known Behavior on page 262
• Resolved Issues on page 265
• Documentation Updates on page 278
• Migration, Upgrade, and Downgrade Instructions on page 279
• Product Compatibility on page 282
Resolved Issues
This section lists the issues fixed in the Junos OSmain release and themaintenance
releases. The identifier following the description is the tracking number in the Juniper
Networks Problem Report (PR) tracking system.
• Resolved Issues: Release 13.3R10 on page 266
• Resolved Issues: Release 13.3R9 on page 267
• Resolved Issues: Release 13.3R8 on page 268
• Resolved Issues: Release 13.3R7 on page 269
• Resolved Issues: Release 13.3R6 on page 269
• Resolved Issues: Release 13.3R5 on page 271
• Resolved Issues: Release 13.3R4 on page 272
• Resolved Issues: Release 13.3R3 on page 273
• Resolved Issues: Release 13.3R2 on page 274
265Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Resolved Issues: Release 13.3R10
Class of Service (CoS)
• In case of member links of an aggregated Ethernet (AE) interface scattering over
multiple Packet Forwarding Engines, if the FPCwheremember links of theAE interface
reside gets reset or the interface is disabled, theremight be adip in the output of SNMP
walk on the AE-related queue MIB (such as jnxCosQstatTxedPkts). This behavior is
intermittent.PR1122343
General Routing
• The rpd process crashmight crash because of a timing issue that occurs after Routing
Engine switchover in configurations with LDP P2MP and nonstop-routing (NSR) is
enabled. PR956258
• OnPTXSeriesplatforms,when the firewall filter is configuredon the loopback interface
of the device, because of bad error handling orNULLpointer, all the FPCs on the device
might continuously crash and be unstable. Because the issue is not reproducible, the
trigger of the issue is not clear. PR996749
• In the multicast network topology, whenmaking normal changes, such that paths are
added or deleted, the rpd leaks 8-bytes of memory per operation. The system logs
RLIMIT_DATAmessages similar to the following when thememory usage reaches
85%: kernel: Process (2634,rpd) has exceeded 85%of RLIMIT_DATA: used 3084524
KBMax 3145728 KBPR1144197
Copyright © 2017, Juniper Networks, Inc.266
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Infrastructure
• Whendeleting child link fromanaggregatedEthernet (AE)bundle, theoutput statistics
for the AE physical interface can return 0 from Packet Forwarding Engine and get
summed incorrectly afterward. The AE logical interface, however, has the correct
statistics, including the residual value from the removed child logical interface. Input
stats are displayed properly and unaffected by this bug. PR1098264
Platform and Infrastructure
• When you configure one group with routing instances and apply this group under the
[routing-instances] hierarchy, the rpd process crashes after executing
"deactivating/activating routing-instances" commands. PR1109924
Routing Protocols
• In a rare condition, the routing protocol daemon (rpd) might crash and create a core
file if there is internal BGP (IBGP) route churn while IBGPmultipath is configured and
there are multiple levels of IBGP next-hop recursion. PR1060133
Resolved Issues: Release 13.3R9
Class of Service (CoS)
• ThisPRdoesoptimization inAESNMPhandling. If all the links inanAEbundlegodown,
then any COS SNMP query for this AE IFD/IFL will return cached values PR1140440
General Routing
• In a rare condition, the routing protocol daemon (rpd) might crash and create a core
file if there is internal BGP (IBGP) route churn while IBGPmultipath is configured and
there are multiple levels of IBGP next-hop recursion. PR1060133
• When a labeled BGP route resolves over a route with MPLS label (e.g. LDP/RSVP
routes), after clearing the LDP/RSVP routes, in the shortwindowbefore the LDP/RSVP
routes restore, if the BGP routes resolves over a direct route (e.g. a one-hop LSP), the
rpd process might crash. PR1063796
• Using the "write coredump" vty command on FPC causes crash after the core is
uploaded. Issue is not seen in 14.1, 14.2 and 15.1 due todesign change Inprevious version,
fixed in 13.3R9 and 13.2R9 PR1139370
267Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Platform and Infrastructure
• TheMIB counter or "showpfe statistics traffic" shows junk PPS and invalid total traffic
output counter. PR1084515
Routing Protocols
• Inmulticast environment, when theRP is FHR (first hop router) and it hasMSDPpeers,
when the rpf interface on RP changed to MSDP facing interface, due to the multicast
traffic is still on the old rpf interface, a multicast discard route will be installed and
traffic loss will be seen. PR1130238
Software Installation and Upgrade
• In certain conditions, when /var is notmounted fromapersistent filesystem, executing
a Junos upgrade will have unexpected results. This is caused by an inexact check of
whether it is running from an Emergency VAR. PR1112334
VPNs
• For Layer 2 circuit, PTX3000 uses different VCCV (Virtual Circuit Connectivity
Verification) BFD control packet format from that of MX and the other PTX Series
platforms. PTX3000 negotiates Router-alert control channel type, and uses PW
Associated Channel Header of Channel Type : 0x0021. However, MX and the other
PTXplatforms use theChannel Type is 0x0007without IP/UDPheaders. JUNOS takes
the Channel-type 0x0007 as default. MX and the other PTX Series platforms work as
expected. This is PTX3000 specific issue. PR1116356
Resolved Issues: Release 13.3R8
• General Routing on page 268
• Interfaces and Chassis on page 268
General Routing
• FFP is a generic process that shall be called during commit process, and FFP calls the
PDB initializationaspartof itsprocess.On thePDB-unsupportedplatforms(MXSeries,
EX9200, M10i, M120, M320 is PDB-supported), when committing configuration, some
error messages will be seen. PR1103035
Interfaces and Chassis
• During subscriber login/logout thebelowerror logmightoccuron thedeviceconfigured
with GRES/NSR. /kernel: if_process_obj_index: Zero length TLV! /kernel: if_pfe: Zero
length TLV (pp0.1073751222) PR1058958
• After removing a child link from AE bundle, in the output of "show interface <AE>
detail", the packets count on the remaining child link spikes, then if add back the
previous child link, the count recover to normal. PR1091425
Copyright © 2017, Juniper Networks, Inc.268
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Resolved Issues: Release 13.3R7
• Forwarding and Sampling on page 269
• General Routing on page 269
Forwarding and Sampling
• In PTXSeries Carrier-Grade Service Engine (CSE) jflow solution environment, because
the sampling process (sampled) may get into a continuous loop when handling
asynchronous event (for example, aggregated tethered services interface flapping, or
route update, or IFL/IFD update), the sampledmay never come out of that loopwhich
may result in high CPU usage (up to 90% sometimes). Because, sampled is not able
to consumeany states (such as route updates, interface updates) generatedby kernel,
this results in memory exhaustion and finally results in the router not making any
updates and forcing a router reboot. PR1092684
General Routing
• OnPTXSeries routers, the interrupt-drivenbasis linkdowndetection(an interrupt-driven
link-down notification is generated to trigger locally attached systems to declare the
interface down within a fewmilliseconds of failure) may fail after performing unified
iIn-service softwareupgrade (ISSU).The interruptmightgetpreventedafterperforming
unified ISSU due to disabling the interrupt registers before unified ISSU, but never
restored after. PR1059098
Resolved Issues: Release 13.3R6
• General Routing on page 269
• Interfaces and Chassis on page 270
• MPLS on page 270
• Platform and Infrastructure on page 271
• Routing Protocols on page 271
General Routing
• On PTX Series routers with MPLS environment (30k transit LSP), large number of
MPLS interfaces (in this case, 200 interfaces) are configured with 0 or 1 MPLS labels.
When these interfaces flap, the FPC kernel memory usagemight leak. PR995893
• The problem is seen in PTX Series routers where the composite nexthops are not
observed, for agivenVPNmpls routeandhence the show routeoutput commandgives
a truncated value which results in script failure. This may be due to default disabled
l3vpn-cnh in case of transit l3vpn router on PTX Series platform. If Resync blob is not
set, RPDwill create indirect nexthop for transit route on PE-PE connection network on
PTX. If Resyncblob is set, RPDwill create composite nexthop for transit routeonPE-PE
connection network on PTX Series. Using composite nexthop (cnh) can help scaled
network. However, either indirect (inh) or composite nexthopswork properly in control
and forwarding planes. PR1007311
• OnPTX5000, thepacketdrop isobservedalongwith theparity error read from l3bnd_ht
entry corresponding to certain addresses. With this SRAM parity error, ASIC will
269Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
unconditionally drop the packet even PTX does not use l3bnd_ht during lookup. The
parity check for l3bnd_ht lookup forPTX5000will bedisabled toavoid theSRAMparity
error and packet drop as a workaround. We also add new logmessage to report the
counter valuechange for slu.hw_err trapcount -TL[<num>]:SLUhwerror count<xxx>
(prev count <yyy>). PR1012513
• LACPonAE interfaces currently does not support unified ISSUonPTXSeries platform.
Awarningmessage ispresentedbeforeperformingunified ISSU if LACP is soconfigured;,
then the user can discontinue the unified ISSU process. PR1018233
• When there is link/node protection/ECMP for RSVP/LDP transit or egress LSPs with
huge scaling and continuous flapping of LSPs like auto-bandwidth case, traffic might
get black-holed upon LSP re-optimizations. The issue would get triggered if the same
unilist list-id (unilist list-id is a unique id for unilist nexthop) is allocated for twodifferent
unilist forwarding topologies. This situation ariseswhen the unilist list-idwraps around
aftermax value of 65535. After thewraparound, if there is long living list-id (which can
bedue to somenode/link protected LSP that has not been re-optimized for long time),
the Packet Forwarding Engine assigns the same list-id during allocation (upon other
LSP re-optimizations) and this will trigger the issue as the new unilist will be directed
to incorrect interface. PR1043747
• OnPTXSeries platformwith one of the following protocols configuration, flapping the
protocols will trigger the Composite Next-hop change operation. In rare condition,
since it is not proper programmed, the FPCmight crash. This is a day-1 issue. - LDP -
MPLS - Point-to-multipoint LSP - RSVP - Static LSPs. PR1045794
• Fix for this PRwas not available at the time of 13.2R7 release time frame. Fix is avaiable
in 13.2R8. 1)Non revertive mode is configured in PTX5000where external clock is
connected to it. 2)Primary clock is set to gps-0-10mhz 3)Secondary clock is set to
fpc-0 4)Hencemaster clock will be locked to primary clock 5)When primary clock is
deleted, the master clock locked to secondary clock 6)Since non-revertive mode is
configured,whenprimary clock is addedback it shouldnot fall back toprimary, it should
stay in secondary. But here it is falling back to Primary clock. PR1052549
• When the port on 24x 10GE(LWO) SFP+ (which never went link up since the PIC is
onlined) is configured as CLI loopback, the ports will receive framing error during until
the interface gets physically linked up. (i.e. with real fiber instead of CLI loop). There
would be no problem in normal use. This is only seen in self-loopback testing with CLI
loopback. PR1057364
Interfaces and Chassis
• When changing the speed from 10G to 1Gmultiple times, the ping will not work due to
the serdesnotbeing in the right state. A restart of thepic could fix this issue. PR988663
MPLS
• On P2MPMPLS LSP transit router with NSR enabled, when RSVP refresh reduction
feature is enabled and LSP link protection is configured on all interfaces, slight P2MP
traffic lossmight be seen after the graceful Routing Engine switchover (GRES) is done.
PR1023393
Copyright © 2017, Juniper Networks, Inc.270
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• In MPLS traffic engineering with link or node protection enabled, after adding Shared
Risk Link Group (SRLG) configuration, the bypass LSPmight ignore the constraint and
use a unexpected path. PR1034636
Platform and Infrastructure
• In some rare conditions, setting up configuration access privileges using the
"allow-configuration-regexps" or "deny-configuration-regexps” statements will crash
the management daemon (mgd), which serves a central role in the user-interface
component of Junos OS. PR1029384
Routing Protocols
• After addingSharedRiskLinkGroup(SRLG)configurationonan interface, the interface
would be deleted from the TED database. If the interface is traversed by LSP optimal
path, in some cases, the re-optimization that occurs selects a sub-optimal path.
PR1035359
• With any single hop BFD session and MPLS OAM BFD session configured over same
interface, when the interface is disabled and enabled back immediately (e.g. a delay
of 10 sec between the two commit check in), the single hop BFD session might get
stuck into Init-Init state due to Down packet is received from other end for MPLS BFD
session on the same interface might get demultiplexed to single hop BFD session
wrongly. PR1039149
Resolved Issues: Release 13.3R5
• General Routing on page 271
• Infrastructure on page 271
• Interfaces and Chassis on page 271
• Layer 2 Features on page 272
• MPLS on page 272
• Routing Protocols on page 272
General Routing
• When large number of IGMP join packets trying to reach router, some IGMP packets
may get dropped. PR1007057
• PCS statistics counter is now displayed for PTX 100GE interfaces in the following
command: cli > monitor interface <intf> PR1030819
Infrastructure
• SNMP socket sequence error log. PR986613
Interfaces and Chassis
• Interface statistic information is wrong for IPV6. This is expected behavior because
ipv6 transit stat is not supported yet. PR965360
271Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• On PTX Series platform, CFP-100G-LR4 and CFP2-100G-LR4 optics report incorrect
"Laser output power" values on all four lanes in cli > show interface diagnostics optics
<intf>. PR1021541
Layer 2 Features
• The PTX Series router is not supposed to generate pause frames even if it gets
congestion. The behavior is to drop aggressively if it ever runs out of queuing memory.
PR968803
MPLS
• When a PTX Series router is at the merge-point (MP) of a bypass LSP, if MPLS
explicit-null has been enabled on the router, and the loopback interface has not been
configured under protocol RSVP, the bypass LSPmight not work correctly. PR1012221
• On P2MPMPLS LSP transit router with NSR enabled, when RSVP refresh reduction
feature is enabled and LSP link protection is configured on all interfaces, slight P2MP
traffic lossmight be seen after the graceful Routing Engine switchover (GRES) is done.
PR1023393
Routing Protocols
• Establish two BFD sessions between two routers, one is single-hop BFD for directly
connected interface and the other is multi-hop MPLS OAM BFD. If configuring the
MPLS OAM on the same interface with single-hop BFD, when bringing downMPLS
OAM from the ingress, it might result in the OAM BFD session deleted on ingress but
it still receivingOAMBFDdownpacket fromegress. Since there is no sessionmatching
this BFD packet, it does a normal look up and brings down the single-hop BFD session
which is on the same interface. PR1021287
Resolved Issues: Release 13.3R4
• General Routing on page 272
• MPLS on page 273
• Network Management and Monitoring on page 273
• Routing Protocols on page 273
General Routing
• On PTX Series routers with AE interface, when the PTX is in ingress node for P2MP
LSP, the double traffic rate might be seen. PR987005
• When a large number of IGMP join packets try to reach the router, some IGMP packets
might get dropped. PR1007057
Copyright © 2017, Juniper Networks, Inc.272
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
MPLS
• On PTX Series platformworking as LSP ingress router, the MPLS auto-bandwidth
feature might cause FPC to wedge condition with all interfaces down. PR1005339
Network Management andMonitoring
• This PR fixes the issue where output ifIndex was being exported as 0. Unless there is
a critical business need, we do not plan to backport the fix to releases earlier than 14.1.
PR964745
Routing Protocols
• ForbidirectionalPIM, the showmulticaststatistics commanddoesnotdisplay the input
counters. This is because a bidirectional route associates with multiple incoming
interfaces (iif's). The statistics are collectedpermroute, and thepacket for bidirectional
groups might come in from any of the iif's. There is no way to impose the incoming
traffic of the route to one of the iif's. PIM-SM, on the other hand, has only one iif per
mroute, and hence the incoming counters are displayed for all PIM-SM routes.
PR865694
Resolved Issues: Release 13.3R3
• Authentication and Access Control on page 273
• General Routing on page 273
• Interfaces and Chassis on page 274
• IPv6 on page 274
• MPLS on page 274
• Routing Policy and Firewall Filters on page 274
• VLAN Infrastructure on page 274
Authentication and Access Control
• "delete" or "deactivate" of apply-group defining the entire TACACS or RADIUS
configuration configured under [edit system apply-group <>] does not take affect on
commit. This could lead to TACACS or RADIUS based authentication to still continue
working despite removal (delete/deactivate) of configuration. PR992837
General Routing
• Kernel crash might happen when a router running a Junos OS install with the fix to PR
937774 is rebooted. This problemwill not be observed during the upgrade to this Junos
OS install. It occurs late enough in the shutdown procedure that it shouldn't interfere
with normal operation. PR956691
• On PTX Series platform, performing Routing Engine switchover might cause flabel
(fabric token) tobeoutof syncbetween themasterRoutingEngineandbackupRouting
Engine, which results in FPC crash. PR981202
273Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
Interfaces and Chassis
• Sometimes cosd generates a corefile when add/delete a child interface on the LAG
bundle. PR961119
• SFP+-10G-ZR (part number = 740-052562) is not fully supported on
P1-PTX-24-10G-W-SFPP pic. Inserting the optic on P1-PTX-24-10G-W-SFPP pic can
cause FPC core on the pic. PR974783
IPv6
• On PTX Series platform, when receiving high rate ipv4/ipv6/mpls packets with TTL
equals 1, the ICMP TTL expired messages are sent back to the sender not according
with the ICMP rate limit settings. PR893129
• PTX Series drops packets containing same source and destination IP due to LAND
attack check. PR934364
MPLS
• In rare scenarios, the routing protocol process can fail to read themesh-group
information from the kernel, which might result in the VPLS connections for that
routing-instance to stay in MI (Mesh-Group ID not available) state. The workaround is
to deactivate/activate the routing-instance. PR892593
• MPLS traceroute does not work with logical router. PR965883
• When issue "traceroutempls rsvp lsp-name" from theMPLS LSP ingress node, if there
are PTX Series routers on the LSP path, PTX Series would not list correct downstream
router's IP in the TLV of the response packet. PR966986
Routing Policy and Firewall Filters
• On PTX Series platform, when a firewall filter hasmany terms, all the termsmight not
work correctly due to incorrect order of terms due to mis-programming. PR973545
VLAN Infrastructure
• Commits less than 3minutes apart with per-vlan-queuing configuration should be
avoided, as this might lead to interrupts or undesirable side-effects. PR897601
Resolved Issues: Release 13.3R2
• Chassis Cluster on page 275
• Dynamic Host Configuration Protocol (DHCP) on page 275
• General Routing on page 275
• Interfaces and Chassis on page 275
• Layer 2 Features on page 276
• MPLS on page 276
• Multicast on page 277
• Network Management and Monitoring on page 277
Copyright © 2017, Juniper Networks, Inc.274
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Software Installation and Upgrade on page 277
• Subscriber Management and Services on page 277
Chassis Cluster
• When only one end of an AE link sees LACP timeouts or there is intermittent LACP loss
on the AE link, it does not result in AE flap. PR908059
Dynamic Host Configuration Protocol (DHCP)
• DHCP relay feature doesn't work on PTX3000. PR864601
General Routing
• On PTX Series Packet Transport Routers, we support only 48k longest prefix match
(LPM) routes. If the limit of 48,000 longest prefix match (LPM) routes is exceeded,
the kernel routing table (KRT) queue can be stuck with the error "Longest Prefix
Match(LPM) route limit is exceeded." PR801271
• RPDon thebackupRoutingEnginemight crashwhen it receives amalformedmessage
from themaster. This can occur at high scale with nonstop active routing enabled
when a large flood of updates are being sent to the backup. There is no workaround
to avoid the problem, but it is rare and backup RPDwill restart and the systemwill
recover without intervention. PR830057
• While performing GRES, the following error message appears: Feb 24 21:23:57 striker1
license-check[1555]: LIBJNX_REPLICATE_RCP_ERROR: rcp -T
re0:/config/license_revoked.db /config/license_revoked.db.new : rcp:
/config/license_revoked.db: No such file or directory This error is seen when no license
is revoked on themaster Routing Engine. It is safe to ignore as it will not affect any
licensing functionality. PR859151
Interfaces and Chassis
• Interrupt storm happened when press craft button with "craft-lockout". PR870410
• On the PTX Series, while deactivating or activating a firewall filter that has tcp-flags
in the match condition on a loopback interface (e.g. lo0.0), memory corruption could
occur when the filter configuration is pushed to the Packet Forwarding Engine, or is
removed fromthePacketForwardingEngine, causingall theFPCs tocrashandgenerate
core files. The following is logged by the FPCs a few seconds prior to the failure:
fpc1dfw_match_branch_db_destroy:77filter index 1, dfw0x20bb2a90,match_branch_dbnot empty on filter delete
fpc2dfw_match_branch_db_destroy:77filter index 1,dfw0x205a6340,match_branch_dbnot empty on filter delete
fpc0dfw_match_branch_db_destroy:77filter index 1,dfw0x20471c38,match_branch_dbnot empty on filter delete
PR874512
• FPC crash can be triggered by a SBE event after accessing a protectedmemory region,
as indicated in the following log: "System Exception: Illegal data access to protected
memory!" The DDRmemory monitors SBEs and reports the errors as they are
encountered. After the syslog indicates a corrupted address, the scrubbing logic tries
275Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
to scrub that location by reading and flushing out 32-byte cache line containing that
location inanattempt toupdate thatmemory locationwithcorrectdata. If thatmemory
location is read-only, it causes illegal access toprotectedmemoryexceptionas reported
and resets the FPC. The above-mentioned scrubbing logic is not needed because even
if SBE is detected, the data is already corrected by the DDR and CPU has a good copy
of the data to continue its execution path. PR919681
• 100GE interfaces on the PTX Series do not display PCS BIP-8 error counters when
queried from the FPC command showmtip-cgpcs <> errors. PR920439
• USB install failed with 13.3B1-PS.1. PR931231
Layer 2 Features
• In some configurations, the MAC address of an AE bundle would fail to be copied to
its child interfaces. This causes thedestinationMACaddress filter check to fail on those
child interfaces, thus preventing ARP resolution and in turn causing the failure in
establishing new egress LSPs.
The workarounds are identified as the following:
• Issuing "commit full" on the router, or
• Adding AE configuration and child interface configuration as two separate commits:
a. Add AE interface configuration, without adding child interface configuration.
b. Commit.
c. Add the child interface configuration (et interface configurations) for the AE
interface.
d. Commit.
PR901744
MPLS
• In an RSVP P2MP crossover/pass-through scenario, more than one sub-LSP can use
the same PHOP and NHOP. If link protection is enabled in the above-mentioned
scenario,whena 'primary linkup' event is immediately followedbyaPathTearmessage,
disassociation of the routes/nexthops are sequential in nature. When the
routes/nexthops disassociation is in progress, if a sub-LSP receives a path tear/PSB
delete will lead to this core file. PR739375
• When a PTX Series router is a penultimate hop of one P2MP LSP branch and acts as
a transit LSR on another branch for the same P2MP LSP, the MPLS packets going out
from the penultimate hop branchmight be tagged with an incorrect Ethertype field.
PR867246
• RPD (routing-protocol process) generates a core file on receipt of an RESVmessage
with an unexpected next-hop address. To avoid the crash, drop the RESVmessage
Copyright © 2017, Juniper Networks, Inc.276
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
with a different next-hop IP address, and then the LSP will time out due to lack of
refresh by the RESVmessage and the session is reset. PR887734
• Changing thepreference onan LSPwas considered a catastrophic event, tearing down
the current path and then re-establishing a new one. This PRmakes the preference
changeminor and only needs a new path to be re-signalled in a make-before-break
manner. PR897182
Multicast
• Starting in JunosOSRelease 13.2, PTXSeries routers accept traffic from remote sources
to enable the remote source to be learned and advertised by MSDP so that receivers
in other MSDP areas can join the source. To configure this feature, use the
accept-remote-source configuration statement at the [edit protocols pim interface
interface-name] hierarchy level.
NOTE: On PTX Series routers requiring tunnel services, the PIMaccept-remote-source configuration statement is not supported.
PR891500
Network Management andMonitoring
• "PowerSupply failure", "PowerSupplyRemoved"or "Fan/BlowerRemoved"messages
and SNMP trap hourly occur. PR860223
• Changing the domain-namedoesn't reflect in DNSquery unless a Commit full is done.
Thisbug inmanagementdaemon(mgd)hasbeen resolvedbyensuringmgdpropagates
the new domain-name to file /var/etc/resolv.conf, so that this can be used for future
DNS queries. PR918552
Software Installation and Upgrade
• BothRoutingEnginesmight crashwhenperforminggracefulRoutingEngine switchover
(GRES)or unified in-service software upgrade (ISSU). The root causeof thepanic here
is the addresses used for internal communication are not taken from the new logical
interfaces in such scenarios. PR851086
• In this case, since the overall package (jinstall) is signed, the underlying component
packagesarenot required tobesignedexplicitly.However the infrastructurewaswritten
in such a way to display a warning message if the component package is not signed.
PR932974
Subscriber Management and Services
• Processing of a neighbor advertisement can get into an infinite loop in the kernel, given
a special set of events with regard to the Neighbor cache entry state and the incoming
neighbor advertisement. PR756656
RelatedDocumentation
New and Changed Features on page 252•
• Changes in Behavior and Syntax on page 259
277Copyright © 2017, Juniper Networks, Inc.
Resolved Issues
• Known Behavior on page 262
• Known Issues on page 263
• Resolved Issues on page 265
• Documentation Updates on page 278
• Migration, Upgrade, and Downgrade Instructions on page 279
• Product Compatibility on page 282
Documentation Updates
This section lists the errata and changes in Junos OSRelease 13.3R10 documentation for
the PTX Series.
• Network Management Administration Guide for Routing Devices on page 278
• VPWS Feature Guide for Routing Devices on page 278
NetworkManagement Administration Guide for Routing Devices
• The syntax of the filter-interfaces statement in the “SNMP Configuration Statement”
section is incorrect. The correct syntax is as follows:
filter-interfaces {all-internal-interfaces;interfaces interface-names{interface 1;interface 2;
}}
[See filter-interfaces.]
VPWS Feature Guide for Routing Devices
• In JunosOSRelease 13.3, the Layer 2Circuits FeatureGuide for RoutingDeviceshasbeen
renamed VPWS Feature Guide for Routing Devices. VPWS content has been added to
this guide, and has been removed from the VPLS Feature Guide for Routing Devices.
RelatedDocumentation
New and Changed Features on page 252•
• Changes in Behavior and Syntax on page 259
• Known Behavior on page 262
• Known Issues on page 263
• Resolved Issues on page 265
• Migration, Upgrade, and Downgrade Instructions on page 279
• Product Compatibility on page 282
Copyright © 2017, Juniper Networks, Inc.278
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Migration, Upgrade, and Downgrade Instructions
This sectioncontains theprocedure toupgrade JunosOS,and theupgradeanddowngrade
policies for Junos OS for the PTX Series. Upgrading or downgrading Junos OS can take
several hours, depending on the size and configuration of the network.
• Upgrading Using Unified ISSU on page 279
• Upgrading a Router with Redundant Routing Engines on page 279
• Basic Procedure for Upgrading to Release 13.3 on page 279
Upgrading Using Unified ISSU
Unified in-service softwareupgrade (ISSU)enables you toupgradebetween twodifferent
Junos OS releases with no disruption on the control plane and with minimal disruption
of traffic. Unified in-service software upgrade is only supported by dual Routing Engine
platforms. In addition, graceful Routing Engine switchover (GRES) and nonstop active
routing (NSR)must be enabled. For additional information about using unified in-service
software upgrade, see the High Availability Feature Guide for Routing Devices.
Upgrading a Router with Redundant Routing Engines
If the router has two Routing Engines, perform a Junos OS installation on each Routing
Engine separately to avoid disrupting network operation as follows:
1. Disable graceful Routing Engine switchover (GRES) on themaster Routing Engine
and save the configuration change to both Routing Engines.
2. Install the new Junos OS release on the backup Routing Engine while keeping the
currently running software version on themaster Routing Engine.
3. After making sure that the new software version is running correctly on the backup
RoutingEngine, switchover to thebackupRoutingEngine toactivate thenewsoftware.
4. Install the new software on the original master Routing Engine that is now active as
the backup Routing Engine.
For the detailed procedure, see the Installation and Upgrade Guide.
Basic Procedure for Upgrading to Release 13.3
When upgrading or downgrading Junos OS, use the jinstall package. For information
about the contents of the jinstall package and details of the installation process, see the
Installation and Upgrade Guide. Use other packages, such as the jbundle package, only
when so instructed by a Juniper Networks support representative.
NOTE: Backupthe file systemandthecurrentlyactive JunosOSconfigurationbefore upgrading Junos OS. This allows you to recover to a known, stableenvironment if the upgrade is unsuccessful. Issue the following command:
user@host> request system snapshot
279Copyright © 2017, Juniper Networks, Inc.
Migration, Upgrade, and Downgrade Instructions
NOTE: The installation process rebuilds the file system and completelyreinstalls Junos OS. Configuration information from the previous softwareinstallation is retained, but the contents of log files might be erased. Storedfiles on the router, suchas configuration templatesandshell scripts (theonlyexceptions are the juniper.conf and ssh files),might be removed. To preservethe stored files, copy them to another system before upgrading ordowngrading the routing platform. For more information, see the Junos OS
Administration Library for Routing Devices.
Copyright © 2017, Juniper Networks, Inc.280
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
NOTE: We recommend that you upgrade all software packages out of bandusing the console because in-band connections are lost during the upgradeprocess.
Thedownloadand installationprocess for JunosOSRelease 13.3 isdifferent fromprevious
Junos OS releases.
1. Using aWeb browser, navigate to the All Junos Platforms software download URLon the Juniper Networks webpage:
http://www.juniper.net/support/downloads/
2. Select thenameof the JunosOSplatformfor thesoftware that youwant todownload.
3. Select the release number (the number of the software version that you want to
download) from the Release drop-down list to the right of the Download Softwarepage.
4. Select the Software tab.
5. In the Install Package section of the Software tab, select the software package forthe release.
6. Log in to the Juniper Networks authentication system using the username (generally
your e-mail address) and password supplied by Juniper Networks representatives.
7. Review and accept the End User License Agreement.
8. Download the software to a local host.
9. Copy the software to the routing platform or to your internal software distribution
site.
10. Install the new jinstall package on the router.
NOTE: After you install a Junos OS Release 13.3 jinstall package, youcannot issue the request system software rollback command to return tothe previously installed software. Instead youmust issue the requestsystem software add validate command and specify the jinstall packagethat corresponds to the previously installed software.
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release. Adding the reboot command reboots the router after the upgrade
is validated and installed. When the reboot is complete, the router displays the login
prompt. The loading process can take 5 to 10minutes. Rebooting occurs only if the
upgrade is successful.
Customers in the United States and Canada, use the following command:
user@host> request system software add validate rebootsource/jinstall-13.3R91-domestic-signed.tgz
281Copyright © 2017, Juniper Networks, Inc.
Migration, Upgrade, and Downgrade Instructions
All other customers, use the following command:
user@host> request system software add validate rebootsource/jinstall-13.3R91-export-signed.tgz
Replace the sourcewith one of the following values:
• /pathname—For a software package that is installed from a local directory on the
router.
• For software packages that are downloaded and installed from a remote location:
• ftp://hostname/pathname
• http://hostname/pathname
• scp://hostname/pathname (available only for Canada and U.S. version)
The validate option validates the software package against the current configuration
as a prerequisite to adding the software package to ensure that the router reboots
successfully. This is the default behavior when the software package being added is
a different release.
Adding the reboot command reboots the router after the upgrade is validated and
installed. When the reboot is complete, the router displays the login prompt. The
loading process can take 5 to 10minutes.
Rebooting occurs only if the upgrade is successful.
NOTE: After you install a Junos OS Release 13.3 jinstall package, you cannot
issue the requestsystemsoftwarerollbackcommandto return to thepreviously
installed software. Instead youmust issue the request system software add
validate command and specify the jinstall package that corresponds to the
previously installed software.
RelatedDocumentation
New and Changed Features on page 252•
• Changes in Behavior and Syntax on page 259
• Known Behavior on page 262
• Known Issues on page 263
• Resolved Issues on page 265
• Documentation Updates on page 278
• Product Compatibility on page 282
Product Compatibility
• Hardware Compatibility on page 283
Copyright © 2017, Juniper Networks, Inc.282
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
Hardware Compatibility
To obtain information about the components that are supported on the devices, and
special compatibility guidelineswith the release, see theHardwareGuideand the Interface
Module Reference for the product.
Todetermine the features supportedonPTXSeriesdevices in this release, use the Juniper
Networks Feature Explorer, a Web-based application that helps you to explore and
compare Junos OS feature information to find the right software release and hardware
platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/
RelatedDocumentation
New and Changed Features on page 252•
• Changes in Behavior and Syntax on page 259
• Known Behavior on page 262
• Known Issues on page 263
• Resolved Issues on page 265
• Documentation Updates on page 278
• Migration, Upgrade, and Downgrade Instructions on page 279
283Copyright © 2017, Juniper Networks, Inc.
Product Compatibility
Third-Party Components
This product includes third-party components. To obtain a complete list of third-party
components, see Copyright and Trademark Information.
For a list of open source attributes for this Junos OS release, seeOpen Source: Source
Files and Attributions.
FindingMore Information
For the latest, most complete information about known and resolved issues with Junos
OS, see the Juniper Networks Problem Report Search application at:
http://prsearch.juniper.net .
Juniper Networks Feature Explorer is aWeb-based application that helps you to explore
and compare Junos OS feature information to find the correct software release and
hardware platform for your network. Find Feature Explorer at:
http://pathfinder.juniper.net/feature-explorer/.
Juniper Networks Content Explorer is aWeb-based application that helps you explore
Juniper Networks technical documentation by product, task, and software release, and
download documentation in PDF format. Find Content Explorer at:
http://www.juniper.net/techpubs/content-applications/content-explorer/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
[email protected], or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include
the following information with your comments:
• Document or topic name
• URL or page number
• Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the JuniperNetworksTechnicalAssistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need postsales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf .
Copyright © 2017, Juniper Networks, Inc.284
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides youwith the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
Toverify serviceentitlementbyproduct serial number, useourSerialNumberEntitlement
(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Casewith JTAC
You can open a case with JTAC on theWeb or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/support/requesting-support.html .
If you are reporting a hardware or software problem, issue the following command from
the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the gzip
utility, rename the file to include your company name, and copy it to
ftp.juniper.net/pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
[email protected]. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
285Copyright © 2017, Juniper Networks, Inc.
Requesting Technical Support
Revision History
24 January 2017—Revision 3, Junos OS Release 13.3R10– EX Series, M Series, MX Series,
PTX Series, and T Series.
17 January 2017—Revision 2, Junos OS Release 13.3R10– EX Series, M Series, MX Series,
PTX Series, and T Series.
10 January 2017—Revision 1, Junos OS Release 13.3R10– EX Series, M Series, MX Series,
PTX Series, and T Series.
4 August 2016—Revision 5, Junos OS Release 13.3R9– EX Series, M Series, MX Series,
PTX Series, and T Series.
5 May 2016—Revision 4, Junos OS Release 13.3R9– EX Series, M Series, MX Series, PTX
Series, and T Series.
17 March 2016—Revision 3, Junos OS Release 13.3R9– EX Series, M Series, MX Series,
PTX Series, and T Series.
10 March 2016—Revision 2, Junos OS Release 13.3R9– EX Series, M Series, MX Series,
PTX Series, and T Series.
3 March 2016—Revision 1, Junos OS Release 13.3R9– EX Series, M Series, MX Series, PTX
Series, and T Series.
19November 2015—Revision 3, JunosOSRelease 13.3R8–EXSeries,MSeries,MXSeries,
PTX Series, and T Series.
11 November 2015—Revision 2, Junos OSRelease 13.3R8– EX Series, M Series, MX Series,
PTX Series, and T Series.
5 November 2015—Revision 1, Junos OS Release 13.3R8– EX Series, M Series, MX Series,
PTX Series, and T Series.
10September2015—Revision6, JunosOSRelease 13.3R7–EXSeries,MSeries,MXSeries,
PTX Series, and T Series.
26 August 2015—Revision 5, Junos OS Release 13.3R7– EX Series, M Series, MX Series,
PTX Series, and T Series.
12 August 2015—Revision 4, Junos OS Release 13.3R7– EX Series, M Series, MX Series,
PTX Series, and T Series.
6 August 2015—Revision 3, Junos OS Release 13.3R7– EX Series, M Series, MX Series,
PTX Series, and T Series.
30 July 2015—Revision 2, Junos OS Release 13.3R7– EX Series, M Series, MX Series, PTX
Series, and T Series.
23 July 2015—Revision 1, Junos OS Release 13.3R7– EX Series, M Series, MX Series, PTX
Series, and T Series.
Copyright © 2017, Juniper Networks, Inc.286
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series
5 May 2015—Revision 4, Junos OS Release 13.3R6– EX Series, M Series, MX Series, PTX
Series, and T Series.
16 April 2015—Revision 3, Junos OS Release 13.3R6– EX Series, M Series, MX Series, PTX
Series, and T Series.
9 April 2015—Revision 2, Junos OS Release 13.3R6– EX Series, M Series, MX Series, PTX
Series, and T Series.
2 April 2015—Revision 1, Junos OS Release 13.3R6– EX Series, M Series, MX Series, PTX
Series, and T Series.
15 January 2015—Revision 3, Junos OS Release 13.3R5– EX Series, M Series, MX Series,
PTX Series, and T Series.
8 January 2015—Revision 2, Junos OS Release 13.3R5– EX Series, M Series, MX Series,
PTX Series, and T Series.
29December 2014—Revision 1, JunosOSRelease 13.3R5–EXSeries,MSeries,MXSeries,
PTX Series, and T Series.
7 October 2014—Revision 3, Junos OS Release 13.3R4– EX Series, M Series, MX Series,
PTX Series, and T Series.
30September2014—Revision2, JunosOSRelease 13.3R4–EXSeries,MSeries,MXSeries,
PTX Series, and T Series.
23September2014—Revision 1, JunosOSRelease 13.3R4–EXSeries,MSeries,MXSeries,
PTX Series, and T Series.
28 August 2014—Revision 7, Junos OS Release 13.3R3– EX Series, M Series, MX Series,
PTX Series, and T Series.
21 August 2014—Revision 6, Junos OS Release 13.3R3– EX Series, M Series, MX Series,
PTX Series, and T Series.
14 August 2014—Revision 5, Junos OS Release 13.3R3– EX Series, M Series, MX Series,
PTX Series, and T Series.
12 August 2014—Revision 4, Junos OS Release 13.3R3– EX Series, M Series, MX Series,
PTX Series, and T Series.
5 August 2014—Revision 3, Junos OS Release 13.3R3– EX Series, M Series, MX Series,
PTX Series, and T Series.
29 July 2014—Revision 2, Junos OS Release 13.3R3– EX Series, M Series, MX Series, PTX
Series, and T Series.
22 July 2014—Revision 1, Junos OS Release 13.3R3– EX Series, M Series, MX Series, PTX
Series, and T Series.
26 June 2014—Revision 6, Junos OS Release 13.3R2– EX Series, M Series, MX Series, PTX
Series, and T Series.
287Copyright © 2017, Juniper Networks, Inc.
Requesting Technical Support
29May 2014—Revision 5, Junos OS Release 13.3R2– EX Series, M Series, MX Series, PTX
Series, and T Series.
20 May 2014—Revision 4, Junos OS Release 13.3R2– EX Series, M Series, MX Series, PTX
Series, and T Series.
12 May 2014—Revision 3, Junos OS Release 13.3R2– EX Series, M Series, MX Series, PTX
Series, and T Series.
9 May 2014—Revision 2, Junos OS Release 13.3R2– EX Series, M Series, MX Series, PTX
Series, and T Series.
28 April 2014—Revision 1, Junos OS Release 13.3R2– EX Series, M Series, MX Series, PTX
Series, and T Series.
20 March 2014—Revision 5, Junos OS Release 13.3R1– EX Series, M Series, MX Series,
PTX Series, and T Series.
27 February 2014—Revision 4, Junos OS Release 13.3R1– EX Series, M Series, MX Series,
PTX Series, and T Series.
6 February 2014—Revision 3, Junos OS Release 13.3R1– EX Series, M Series, MX Series,
PTX Series, and T Series.
30 January 2014—Revision 2, Junos OS Release 13.3R1– EX Series, M Series, MX Series,
PTX Series, and T Series.
23 January 2014—Revision 1, Junos OS Release 13.3R1– EX Series, M Series, MX Series,
PTX Series, and T Series.
Copyright © 2017, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.
Copyright © 2017, Juniper Networks, Inc.288
Release Notes: Junos OS Release 13.3R10 for the EX Series, M Series, MX Series, PTX Series, and T Series