What’s Changed

SHA-1 password format deprecated (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX and vSRX)—We've removed the sha1 option at the [edit system login password format] hierarchy level because SHA-1 is no longer supported for plain-text password encryption.

Change in in unnumbered-address support for GRE tunnel?Starting in Junos OS Release 24.4R1, there is a behavioural change in unnumbered-address support for GRE tunnel with IPV6 family and display donor interface for both IPV4 and IPV6 families of GRE tunnel. You can view interface donor details under show interfaces hierarchy level. See show interfaces. https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/command/show-interfaces-gigabit-ethernet.html

OpenConfig container names for Point-to-Multipoint per interface ingress and egress sensors are modified for consistency from "signalling" to "signaling".

Enhancement to snmp mib command behavior (PTX10008)—Starting in Junos OS Evolved, when you execute show snmp mib walk decimal command, the output parameter jnxRedundancySwitchoverReason is not working as expected, which always show the value 0 instead of expected values. Now, jnxRedundancySwitchoverReason output parameter is corrected to expected behavior with the following expected values.

[See show snmp mib.]

No support for PKI operational mode commands on the Junos Limited version (MX Series routers, PTX Series routers, and SRX Series devices)—We do not support request, show, and clear PKI-related operational commands on the limited encryption Junos image ("Junos Limited"). If you try to execute PKI operational commands on a limited encryption Junos image, then an appropriate error message is displayed. The pkid process does not run on Junos Limited version image. Hence, the limited version does not support any PKI-related operation.

The <request-system-zeroize/> RPC response indicates when the device successfully initiates the requested operation (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When the <request-system-zeroize/> RPC successfully initiates the zeroize operation, the device emits the <system-zeroize-status>zeroizing re0</system-zeroize-status> response tag to indicate that the process has started. If the device fails to initiate the zeroize operation, the device does not emit the <system-zeroize-status> response tag.

Support for Embedded RP on PTX10008—From this release, we support the Embedded RP feature on PTX10008 devices.

[See Configuring Embedded RP.]

"Switchover Status Ready" incorrectly describes the status of the backup Routing Engine (RE) after node reboot (PTX10004, PTX10008, PTX10016)—During preparation for switchover between master RE and backup RE running Junos OS Evolved releases prior to 22.2R1, "Switchover Status Ready" from the show system switchovercommand on the backup RE node, after system reboot, incorrectly describes the status of the backup RE. The incorrect status description results from a discrepancy between the master RE and the backup RE both using local uptime to determine if sufficient time had elapsed before declaring "Switchover Status Ready".

Use the request chassis routing-engine master switch command on the master RE and the backup RE to obtain the correct status when preparing for switchover.

[See show system switchover and request chassis routing-engine master.]

Refreshing scripts from an HTTPS server requires a certificate (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)–When you refresh a local commit, event, op, SNMP, or Juniper Extension Toolkit (JET) script from an HTTPS server, you must specify the certificate (Root CA or self-signed) that the device uses to validate the server's certificate, thus ensuring that the server is operational mode command, include the cert-file option and authentic. In earlier releases, when you refresh scripts from an HTTPS server, the device does not perform certificate validation. When you refresh a script using the request system scripts refresh-from specify the certificate path. Before you refresh a script using the set refresh or set refresh-from configuration mode command, first configure the cert-file statement under the hierarchy level where you configure the script. The certificate must be in Privacy-Enhanced Mail (PEM) format.

See request system scripts refresh-from.

See cert-file.

When defining a constrained path LSP using more than one strict hop belonging to the egress node, the first strict hop must be set to match the IP address assigned to the egress node on the interface that receives the RSVP Path message. If the incoming RSVP Path message arrives on an interface with a different IP address the LSP is rejected.

Limits increased for the max-datasize statement (ACX Series, PTX Series, and QFX Series)—The max-datasize statement's minimum configurable value is increased from 23,068,672 bytes (22 MB) to 268,435,456 bytes (256 MB), and the maximum configurable value is increased from 1,073,741,824 (1 GB) to 2,147,483,648 (2 GB) for all script types. Furthermore, if you do not configure the max-datasize statement for a given script type, the default maximum memory allocated to the data segment portion of a script is increased to 1024 MB. Higher limits ensure that the device allocates a sufficient amount of memory to run the affected scripts.

[See max-datasize.]

Changes when deactivating or deleting instances of the ephemeral configuration database (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—The following changes apply when you deactivate or delete ephemeral database instances in the static configuration database:

• When you deactivate the entire [edit system configuration-database ephemeral] hierarchy level, the device deletes the files and corresponding configuration data for all user-defined ephemeral instances. In earlier releases, the files and configuration data are preserved; however, the configuration data is not merged with the static configuration database.

• When you delete an ephemeral instance in the static configuration database, the instance's configuration files are also deleted. In earlier releases, the configuration files are preserved.

• You can delete the files and corresponding configuration data for the default ephemeral database instance by configuring the delete-ephemeral-default statement in conjunction with the ignore-ephemeral-default statement at the [edit system configuration-database ephemeral] hierarchy level.

[See Enable and Configure Instances of the Ephemeral Configuration Database.]

Support for automatically synchronizing an ephemeral instance configuration upon committing the instance (EX Series, MX Series, MX Series Virtual Chassis, PTX Series, QFX Series, and vMX)—You can configure an ephemeral database instance to synchronize its configuration to the other Routing Engine every time you commit the ephemeral instance on a dual Routing Engine device or an MX Series Virtual Chassis. To automatically synchronize the instance when you commit it, include the synchronize statement at the [edit system commit] hierarchy level in the ephemeral instance's configuration.

[See Commit and Synchronize Ephemeral Configuration Data Using the NETCONF or Junos XML Protocol.]

Changes to the NETCONF [edit-config] RPC response (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—When the [edit-config] operation returns an error, the NETCONF server does not emit a load-error-count element in the RPC response. In earlier releases, the [edit-config] RPC response includes the load-error-count element when the operation fails.

DES deprecation for SNMPv3-The Data Encryption Standard (DES) privacy protocol for SNMPv3 is deprecated due to weak security and vulnerability to cryptographic attacks. For enhanced security, configure the triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (CFB128-AES-128 Privacy Protocol) as the encryption algorithm for SNMPv3 users.

[See privacy-3des and privacy-aes128.]

The RPD_OSPF_LDP_SYNC message not logged—On all Junos OS and Junos OS Evolved devices, when an LDP session goes down there is a loss of synchronization between LDP and OSPF. After the loss of synchronization, when an interface has been in the holddown state for more than three minutes, the system log message with a warning level is sent. This message appears in both the messages file and the trace file. However, the system log message does not get logged if you explicitly configure the hold-time for ldp-synchronization at the [edit protocols ospf area area id interface interface name] hierarchy level less than three minutes. The message is printed after three minutes.

To achieve consistency among resource paths, the resource path /mpls/signalling-protocols/segment-routing/aggregate-sid-counters/aggregate-sid-counterip-addr='address'/state/countersname='name'/out-pkts/ is changed to /mpls/signaling-protocols/segment-routing/aggregate-sid-counters/aggregate-sid-counterip-addr='address'/state/countersname='name'/. The leaf "out-pkts" is removed from the end of the path, and "signalling" is changed to "signaling" (with one "l").

When the krt-nexthop-ack statement is configured, the RPD will wait for the next hop to get acknowledged by PFE before using it for a route. Currently, only BGP-labeled routes and RSVP routes support this statement. All other routes will ignore this statement.

SSH TCP forwarding disabled by default—We've disabled the SSH TCP forwarding feature by default to enhance security. To enable the SSH TCP forwarding feature, you can configure the allow-tcp-forwarding statement at the edit system services ssh hierarchy level.

In addition, we've deprecated the tcp-forwarding and no-tcp-forwarding statements at the edit system services sshhierarchy level.

[See services (System Services).]

Load JSON configuration data with unordered list entries (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—The Junos schema requires that list keys precede any other siblings within a list entry and appear in the order specified by the schema. Junos devices provide two options to load JSON configuration data that contains unordered list entries:

• Use the request system convert-json-configuration operational mode command to produce JSON configuration data with ordered list entries before loading the data on the device.

• Configure the reorder-list-keys statement at the [edit system configuration input format json] hierarchy level. After you configure the statement, you can load JSON configuration data with unordered list entries, and the device reorders the list keys as required by the Junos schema during the load operation.

• When you configure the reorder-list-keys statement, the load operation can take significantly longer to parse the configuration, depending on the size of the configuration and number of lists. Therefore, for large configurations or configurations with many lists, we recommend using the request system convert-json-configuration command instead of the reorder-list-keys statement.

  [See json and request system convert-json-configuration]

Junos XML protocol Perl modules deprecated (ACX Series, EX Series, MX Series, PTX Series, QFX Series, SRX Series, vMX, and vSRX)—We no longer provide the Junos XML protocol Perl client for download. To use Perl to manage Junos devices, use the NETCONF Perl library instead.

[See Understanding the NETCONF Perl Client and Sample Scripts..]

A new field rollback pending is added to the output of show system commit that identifies whether commit confirmed is issued. It is removed once commit or commit check is issued or commit confirmed is rolled back after rollback timeout.

When you configure max-cli-sessions at the [edit system] hierarchy level, it restricts the maximum number of CLI sessions that can coexist at any time. Once the max-cli-sessions number is reached, new CLI access is denied. The users who are configured to get the CLI upon login, are also denied new login. The max-cli-sessionsis configured so you can control the memory usage for the CLI. You may set the max-cli-sessions per your requirement. However, ifmax-cli-sessionsis not configured, there is no control on the number of CLIs getting invoked.

Persistent CLI timestamps-To have a persistent CLI timestamp for the user currently logged in, enable the set cli timestamp operational command. This ensures the timestamp shows persistently for each new line of each SSH session for the user or class until the configuration is removed. To enable timestamp for a particular class with permissions and format for different users, configure the following statements: set system login class class name permissions permissions, set system login class class name CLI timestamp, set system login user username class class name authentication plain-text-password

Changes to show mvpn c-multicast and show mvpn instance outputs— The FwdNh output field displays the multicast tunnel (mt) interface in the case of Protocol Independent Multicast (PIM) tunnels.

[See show mvpn c-multicast.]