final edits complete.

Chr1st0ph3rTurn3r · Chr1st0ph3rTurn3r · commit 515b3bce00fc · 2025-11-21T11:52:27.000-05:00
diff --git a/docs/config-proxy-server.md b/docs/config-proxy-server.md
@@ -8,11 +8,11 @@ With only MPLS or private connectivity available, it is possible to leverage a c
 The following support is provided for proxy server configuration:
 
 - Proxy IP per WAN interface
- - Configuration override of proxy IP per WAN link
+	- Configuration override of proxy IP per WAN link
 - Proxy IP for public URLs accessed by SSR. For example:
- - Websense
- - Sophos Server
- - Juniper Software download
+	- Websense
+	- Sophos Server
+	- Juniper Software download
 - Proxy IP for an SSR to Mist connection (Secure ZTP Onboarding) 
 
 This document provides information to configure the SSR to identify and use the non-transparent proxy. That information can also be used to perform the [Mist secure ZTP onboarding process](sec-ztp-web-proxy.md).
diff --git a/docs/config_multicast.md b/docs/config_multicast.md
@@ -314,6 +314,12 @@ exit
 
 While this configuration example uses one RP for the multicast range, you can use different RPs for different multicast addresses or ranges. The same can be done for the service; smaller services for more specific ranges of multicast with different senders and receivers as needed.
 
+### PIM Graceful Restart Timer
+
+The routing default-instance pim restart-time command has been added to allow users to define the number of seconds that the PIM protocol will perform graceful-restart after a node failure. The restart time range is 0-1800, with a default of 120 seconds.
+
+During the graceful restart period, the PIM join states are created, but no updates of multicast routes are sent to the forwarding plane. Once the graceful restart period is over, all new multicast routes are programmed, and old multicast routes are removed.
+
 ## Multicast Source Discovery Protocol (MSDP) 
 
 MSDP is used to allow RPs to share the active Multicast Sources. Messages are sent as Source-Active (SA) messages between MSDP peers. In normal MSDP operation, an MSDP peer is received from one peer and forwarded to the other MSDP peers. To ensure there are no loops, RPF checks have been put in place.
diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md
@@ -68,10 +68,14 @@ An issue has been identified when onboarding SSR routers installed with older ve
 
 ### Resolved Issues
 
-- **The following CVEs have been identified and resolved in this release:** CVE-2024-3651, CVE-2024-56171, CVE-2025-24928, CVE-2024-11187, CVE-2024-1737, CVE-2024-1975, CVE-2024-3596, CVE-2024-37370, CVE-2024-37371, CVE-2025-24528, CVE-2023-46846, CVE-2024-45802, CVE-2024-12085, CVE-2023-26604, CVE-2024-7347, CVE-2025-23419, CVE-2024-43842, CVE-2024-40906, CVE-2024-44970, CVE-2025-21756, CVE-2022-49011, CVE-2024-53141, CVE-2025-21587, CVE-2025-30691, CVE-2025-30698, CVE-2024-0727, CVE-2023-5678, CVE-2024-5535, CVE-2024-9143, CVE-2024-13176, CVE-2016-9840, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-32462, CVE-2025-5702, CVE-2025-5702, CVE-2025-4802, CVE-2025-6020, CVE-2025-47268, CVE-2025-25724, CVE-2025-3576, CVE-2025-47273, CVE-2024-23337, CVE-2025-48060, CVE-2023-52572, CVE-2023-52621, CVE-2023-52757, CVE-2024-26686, CVE-2024-26739, CVE-2024-26952, CVE-2024-27402, CVE-2024-35790, CVE-2024-35866, CVE-2024-35867, CVE-2024-35943, CVE-2024-36350, CVE-2024-36357, CVE-2024-36908, CVE-2024-38540, CVE-2024-38541, CVE-2024-42160, CVE-2024-42322, CVE-2024-44938, CVE-2024-46742, CVE-2024-46751, CVE-2024-46774, CVE-2024-46784, CVE-2024-46816, CVE-2024-49960, CVE-2024-49989, CVE-2024-50047, CVE-2024-50125, CVE-2024-50258, CVE-2024-50272, CVE-2024-50280, CVE-2024-53128, CVE-2024-53185, CVE-2024-53203, CVE-2024-54458, CVE-2024-56551, CVE-2024-56599, CVE-2024-56655, CVE-2024-56658, CVE-2024-56751, CVE-2025-21681, CVE-2025-21839, CVE-2025-21853, CVE-2025-22027, CVE-2025-22062, CVE-2025-23140, CVE-2025-23142, CVE-2025-23144, CVE-2025-23145, CVE-2025-23146, CVE-2025-23147, CVE-2025-23148, CVE-2025-23150, CVE-2025-23151, CVE-2025-23156, CVE-2025-23157, CVE-2025-23158, CVE-2025-23159, CVE-2025-23161, CVE-2025-23163, CVE-2025-37738, CVE-2025-37739, CVE-2025-37740, CVE-2025-37741, CVE-2025-37742, CVE-2025-37749, CVE-2025-37752, CVE-2025-37756, CVE-2025-37757, CVE-2025-37758, CVE-2025-37765, CVE-2025-37766, CVE-2025-37767, CVE-2025-37768, CVE-2025-37770, CVE-2025-37771, CVE-2025-37773, CVE-2025-37780, CVE-2025-37781, CVE-2025-37787, CVE-2025-37788, CVE-2025-37789, CVE-2025-37790, CVE-2025-37792, CVE-2025-37794, CVE-2025-37796, CVE-2025-37797, CVE-2025-37803, CVE-2025-37805, CVE-2025-37808, CVE-2025-37810, CVE-2025-37812, CVE-2025-37817, CVE-2025-37819, CVE-2025-37823, CVE-2025-37824, CVE-2025-37829, CVE-2025-37830, CVE-2025-37836, CVE-2025-37838, CVE-2025-37839, CVE-2025-37840, CVE-2025-37841, CVE-2025-37844, CVE-2025-37850, CVE-2025-37857, CVE-2025-37858, CVE-2025-37859, CVE-2025-37862, CVE-2025-37867, CVE-2025-37875, CVE-2025-37881, CVE-2025-37883, CVE-2025-37885, CVE-2025-37890, CVE-2025-37892, CVE-2025-37905, CVE-2025-37909, CVE-2025-37911, CVE-2025-37913, CVE-2025-37914, CVE-2025-37915, CVE-2025-37923, CVE-2025-37927, CVE-2025-37929, CVE-2025-37930, CVE-2025-37940, CVE-2025-37949, CVE-2025-37967, CVE-2025-37969, CVE-2025-37970, CVE-2025-37982, CVE-2025-37983, CVE-2025-37985, CVE-2025-37989, CVE-2025-37990, CVE-2025-37991, CVE-2025-37992, CVE-2025-37994, CVE-2025-37995, CVE-2025-37997, CVE-2025-37998, CVE-2025-38005, CVE-2025-38009, CVE-2025-38023, CVE-2025-38024, CVE-2025-38031, CVE-2025-38089, CVE-2025-7425, CVE-2025-32414, CVE-2025-32415, CVE-2025-27151, CVE-2025-32023, CVE-2025-48367, CVE-2025-49133, CVE-2025-6965, CVE-2025-5222, CVE-2025-4373, CVE-2024-52533, CVE-2024-6174, CVE-2025-5994, CVE-2024-52615, CVE-2025-40909, CVE-2022-29458, CVE-2024-47081, CVE-2025-6965, CVE-2025-8058, CVE-2025-30749, CVE-2025-30754, CVE-2025-30761, CVE-2025-50106, CVE-2025-5914, CVE-2025-54389, CVE-2025-7425, CVE-2025-8194, CVE-2025-48964, CVE-2025-53905, CVE-2025-53906, CVE-2025-58060, CVE-2025-58364, CVE-2025-32988, CVE-2025-32989, CVE-2025-32990, CVE-2025-6395, CVE-2023-49083, CVE-2024-47252, CVE-2025-23048, CVE-2025-49812, CVE-2020-11023, CVE-2025-5318, CVE-2025-6021, CVE-2025-32414 ,CVE-2025-49794, CVE-2025-49796, CVE-2025-49844.  
+- **The following CVEs have been identified and resolved in this release:** CVE-2024-3651, CVE-2024-56171, CVE-2025-24928, CVE-2024-11187, CVE-2024-1737, CVE-2024-1975, CVE-2024-3596, CVE-2024-37370, CVE-2024-37371, CVE-2025-24528, CVE-2023-46846, CVE-2024-45802, CVE-2024-12085, CVE-2023-26604, CVE-2024-7347, CVE-2025-23419, CVE-2024-43842, CVE-2024-40906, CVE-2024-44970, CVE-2025-21756, CVE-2022-49011, CVE-2024-53141, CVE-2025-21587, CVE-2025-30691, CVE-2025-30698, CVE-2024-0727, CVE-2023-5678, CVE-2024-5535, CVE-2024-9143, CVE-2024-13176, CVE-2016-9840, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-32462, CVE-2025-5702, CVE-2025-5702, CVE-2025-4802, CVE-2025-6020, CVE-2025-47268, CVE-2025-25724, CVE-2025-3576, CVE-2025-47273, CVE-2024-23337, CVE-2025-48060, CVE-2023-52572, CVE-2023-52621, CVE-2023-52757, CVE-2024-26686, CVE-2024-26739, CVE-2024-26952, CVE-2024-27402, CVE-2024-35790, CVE-2024-35866, CVE-2024-35867, CVE-2024-35943, CVE-2024-36350, CVE-2024-36357, CVE-2024-36908, CVE-2024-38540, CVE-2024-38541, CVE-2024-42160, CVE-2024-42322, CVE-2024-44938, CVE-2024-46742, CVE-2024-46751, CVE-2024-46774, CVE-2024-46784, CVE-2024-46816, CVE-2024-49960, CVE-2024-49989, CVE-2024-50047, CVE-2024-50125, CVE-2024-50258, CVE-2024-50272, CVE-2024-50280, CVE-2024-53128, CVE-2024-53185, CVE-2024-53203, CVE-2024-54458, CVE-2024-56551, CVE-2024-56599, CVE-2024-56655, CVE-2024-56658, CVE-2024-56751, CVE-2025-21681, CVE-2025-21839, CVE-2025-21853, CVE-2025-22027, CVE-2025-22062, CVE-2025-23140, CVE-2025-23142, CVE-2025-23144, CVE-2025-23145, CVE-2025-23146, CVE-2025-23147, CVE-2025-23148, CVE-2025-23150, CVE-2025-23151, CVE-2025-23156, CVE-2025-23157, CVE-2025-23158, CVE-2025-23159, CVE-2025-23161, CVE-2025-23163, CVE-2025-37738, CVE-2025-37739, CVE-2025-37740, CVE-2025-37741, CVE-2025-37742, CVE-2025-37749, CVE-2025-37752, CVE-2025-37756, CVE-2025-37757, CVE-2025-37758, CVE-2025-37765, CVE-2025-37766, CVE-2025-37767, CVE-2025-37768, CVE-2025-37770, CVE-2025-37771, CVE-2025-37773, CVE-2025-37780, CVE-2025-37781, CVE-2025-37787, CVE-2025-37788, CVE-2025-37789, CVE-2025-37790, CVE-2025-37792, CVE-2025-37794, CVE-2025-37796, CVE-2025-37797, CVE-2025-37803, CVE-2025-37805, CVE-2025-37808, CVE-2025-37810, CVE-2025-37812, CVE-2025-37817, CVE-2025-37819, CVE-2025-37823, CVE-2025-37824, CVE-2025-37829, CVE-2025-37830, CVE-2025-37836, CVE-2025-37838, CVE-2025-37839, CVE-2025-37840, CVE-2025-37841, CVE-2025-37844, CVE-2025-37850, CVE-2025-37857, CVE-2025-37858, CVE-2025-37859, CVE-2025-37862, CVE-2025-37867, CVE-2025-37875, CVE-2025-37881, CVE-2025-37883, CVE-2025-37885, CVE-2025-37890, CVE-2025-37892, CVE-2025-37905, CVE-2025-37909, CVE-2025-37911, CVE-2025-37913, CVE-2025-37914, CVE-2025-37915, CVE-2025-37923, CVE-2025-37927, CVE-2025-37929, CVE-2025-37930, CVE-2025-37940, CVE-2025-37949, CVE-2025-37967, CVE-2025-37969, CVE-2025-37970, CVE-2025-37982, CVE-2025-37983, CVE-2025-37985, CVE-2025-37989, CVE-2025-37990, CVE-2025-37991, CVE-2025-37992, CVE-2025-37994, CVE-2025-37995, CVE-2025-37997, CVE-2025-37998, CVE-2025-38005, CVE-2025-38009, CVE-2025-38023, CVE-2025-38024, CVE-2025-38031, CVE-2025-38089, CVE-2025-7425, CVE-2025-32414, CVE-2025-32415, CVE-2025-27151, CVE-2025-32023, CVE-2025-48367, CVE-2025-49133, CVE-2025-6965, CVE-2025-5222, CVE-2025-4373, CVE-2024-52533, CVE-2024-6174, CVE-2025-5994, CVE-2024-52615, CVE-2025-40909, CVE-2022-29458, CVE-2024-47081, CVE-2025-6965, CVE-2025-8058, CVE-2025-30749, CVE-2025-30754, CVE-2025-30761, CVE-2025-50106, CVE-2025-5914, CVE-2025-54389, CVE-2025-7425, CVE-2025-8194, CVE-2025-48964, CVE-2025-53905, CVE-2025-53906, CVE-2025-58060, CVE-2025-58364, CVE-2025-32988, CVE-2025-32989, CVE-2025-32990, CVE-2025-6395, CVE-2023-49083, CVE-2024-47252, CVE-2025-23048, CVE-2025-49812, CVE-2020-11023, CVE-2025-5318, CVE-2025-6021, CVE-2025-32414 ,CVE-2025-49794, CVE-2025-49796, CVE-2025-49844, CVE-2023-4752, CVE-2023-6693, CVE-2024-12797, CVE-2024-25742, CVE-2024-25743, CVE-2024-25744, CVE-2024-28956, CVE-2024-3567, CVE-2024-52616, CVE-2024-55549, CVE-2024-56583, CVE-2024-8176, CVE-2024-8508, CVE-2025-21605, CVE-2025-2784, CVE-2025-31498, CVE-2025-32049, CVE-2025-32050, CVE-2025-32052, CVE-2025-32053, CVE-2025-32906, CVE-2025-32907, CVE-2025-32911, CVE-2025-32913, CVE-2025-32914, CVE-2025-4598, CVE-2025-46420, CVE-2025-46421, CVE-2025-4948.  
 ------
 - **I95-39653 Negative duration in session table after applying filter:** Resolved an issue where applying a filter to the session table resulted in sessions displaying a negative duration.
 ------
+- **I95-57019 KNI host interfaces erroneously generate LLDP:** Resolved an issue where host KNI interfaces are incrementally generating out-errors in `show device-interface`. 
+------
+- **I95-58007 Add ability to set PIM graceful restart-time:** The routing default-instance pim restart-time command has been added to allow users to define the number of seconds that the PIM protocol will perform graceful-restart after a node failure. For more information, see [PIM Graceful Restart Timer](config_multicast.md#pim-graceful-restart-timer).
+------
 - **I95-60767 `service-route next-hop validation` rejects configuration:** Resolved an issue where the rule validator did not consider the `service application-type` as DNS proxy into consideration during the configuration rule validation. This issue has been resolved.
 ------
 - **I95-60799 Tenant prefix use within a VRF:** The SSR allows the configuration of tenant-prefixes without giving an error, and correctly handles interfaces with tenant-prefixes within the protocol code.
@@ -106,6 +110,12 @@ An issue has been identified when onboarding SSR routers installed with older ve
 ------
 - **I95-62449 HA conductor fails to initialize secondary node:** Resolved an issue with password validation that was preventing the secondary node from accessing the primary node to download files needed for initialization. The user is now prompted to enter the new password for the primary node when setting up the secondary node. 
 ------
+- **I95-62695 Management interface placed in incorrect zone during conductor onboarding:** Resolved an issue where an earlier change did not put the management infterface in the t128 zone. 
+------
 - **I95-62703 Highway process crashed when BGP over SVR is activated:** Resolved an issue where the unicast code path was incorrectly calling the multicast variant of getBestMultiHomedPathIndex() and causing a highway crash.
 ------
 - **I95-62742 Cannot see sync errors for nodes that are stuck synchronizing:** Resolved an issue where errors in `show assets` disappeared when the synchronizing state retries. 
+------
+- **I95-63206 `Get Dhcp Address` failed after retrying for 15 minutes:** Resolved an issue where the PCI address was being fetched from the wrong location. The PCI address is now retrieved from the resource file rather than the configuration. 
+------
+- **I95-63334 HA node failover causing mismatched node IDs:** Resolved an issue where where Enhanced Security Key Management security exchange state may get stuck on HA node failover.
diff --git a/docs/sec-cert-based-encrypt.md b/docs/sec-cert-based-encrypt.md
@@ -36,11 +36,7 @@ If the above three checks pass, then the certificate is accepted and imported.
 
 The Certificate Revocation List (CRL) Manager handles the discovery, fetching, and periodic updates to CRLs. From this process a list of all known revoked certificates from all CRL sources is created, and the master list is published to disk.
 
-The following are some details of certificate security.
-
-- Periodic revocation checks of the base certificate are performed based on the configuration defaults or user configured timelines. 
-
-- When a certificate is configured to link to a certificate on disk that does not exist, an alarm is generated. A valid certificate must be obtained from a Certificate Authority before secure communication can take place.  
+Periodic revocation checks of the base certificate are performed based on the configuration defaults or user configured timelines. 
 
 ## Certificate Revocation List
 
diff --git a/docs/sec-disable-ports.md b/docs/sec-disable-ports.md
@@ -11,7 +11,7 @@ serial-console-enabled true
 recovery-mode-enabled true 
 reset-button-enabled true
 ```
-Use the following configuration commands to disable out of band management ports on the SSR 400/440 (Models 1 and 2) - the USB and Serial ports, and block the local admin access.
+Use the following configuration commands to disable out of band management ports on the SSR400 and SSR440 - the USB and Serial ports, and block the local admin access.
 
 #### Setting via PCLI:
 
@@ -48,7 +48,7 @@ When disabled (set to **false**), the pushbutton interrupt is disabled, and no a
 
 ### Disable Serial Console Port
 
-When disabled (set to **false**), the serial console is excluded from the kernel cmdline, and no driver will be bound by the operating system or applications. Kernel error logs are only accessible via the system journal.
+When disabled (set to **false**), the serial console is excluded from the kernel command line, and no driver will be bound by the operating system or applications. Kernel error logs are only accessible via the system journal.
 
 See [Uninterruptable Boot Process](#uninterruptable-boot-process) below for important information.
 
@@ -60,7 +60,7 @@ See [Uninterruptable Boot Process](#uninterruptable-boot-process) below for impo
 
 ### Uninterruptable Boot Process
 
-This feature is configured on the SSR4x0 by setting **both** the Serial Console Port and Firmware Recovery as **disabled**. When configured, it means that a failed upgrade will not allow the user to select the image on the other volume (since the Console port is disabled, no user input is possible).  
+This feature is configured on the SSR400 and SSR440 by setting **both** the Serial Console Port and Firmware Recovery as **disabled**. When configured, it means that a failed upgrade will not allow the user to select the image on the other volume (since the Console port is disabled, no user input is possible).  
 
 If **both** the Serial Console Port and Firmware Recovery are disabled, and an incorrect or empty IP address is configured for one of the Ethernet ports (or system boot repeatedly fails for any other reason), use the Fail-Safe Restore process for recovery.
 
diff --git a/docs/sec-ztp-web-proxy.md b/docs/sec-ztp-web-proxy.md
@@ -3,7 +3,7 @@ title: Secure ZTP Onboarding Using a Mist Proxy
 sidebar_label: Secure ZTP Onboarding Using a Mist Proxy
 ---
 
-With only MPLS or private connectivity available, it is possible to leverage a connection to MIST using an explicit proxy and a private web proxy in the network. This type of web proxy is often used to bridge the gap between private and public networks.
+With only MPLS or private connectivity available, it is possible to leverage a connection to Mist using an explicit proxy and a private web proxy in the network. This type of web proxy is often used to bridge the gap between private and public networks.
 
 There are two steps to the process of onboarding using a Mist proxy; Provisioning a conductor, and configuring the SSR to identify and use the non-transparent proxy. 
 
@@ -20,12 +20,12 @@ This document provides information perform the secure ZTP onboarding process.
 The sZTP process is the following:
 
 1. SSR devices are [configured with an SSR Mist connection using a web proxy](config-proxy-server.md).
-2. Upon installation, the SSR will "phone home" to the MIST Global1 EP terminator (`ep-terminator.mistsys.net`). 
+2. Upon installation, the SSR will "phone home" to the Mist Global1 EP terminator `ep-terminator.mistsys.net`. 
 3. Based on the target claimed environment, the device is redirected to the appropriate organization.
-4. The client creates a TLS connection to MIST cloud and validates using OCRA authentication. 
-MIST Cloud validates the client by leveraging onboard TPM with a request/response challenge.
+4. The client creates a TLS connection to Mist cloud and validates using OCRA authentication. 
+Mist Cloud validates the client by leveraging onboard TPM with a request/response challenge.
 
-5. The MIST org/site is configured with the following information to be validated and installed on the device:
+5. The Mist org/site is configured with the following information to be validated and installed on the device:
 	- Conductor IP address 
 	- Pre-shared secret obtained from the conductor 
 	- Root CA for the cert installed on the conductor (optional)
