Troubleshooting Image, License, and Policy Deployment Issues

 

Image Upload Failure

Problem

Description: Image upload operation failed.

Solution

  1. Check the job logs in the Administration Portal for the image upload failure and the reason for the failure.
    1. Log in to the Administration Portal and select Monitor > Jobs.

      The Jobs page is displayed.

    2. Select the log related to image upload failure and click the Detailed View icon that appears before the log.

      The Detailed View page appears, showing the details of the job and the number of tasks associated with the job.

    3. Click View Logs.

      The Job status page is displayed.

  2. Check the latency and the download or upload bandwidth between the UI client machine (remote machine) and the central microservices virtual machine. You can use any third-party tool to check these details.
  3. Try to upload the image through the CLI. You can execute the CLI configuration statement on any machine that can reach the central microservices virtual machine, or directly on the central microservices virtual machine for a quick upload. A sample CLI configuration statement is listed below:
  4. Manually upload the image to the NFX device and update the image location in the NFX CPE device template.
  5. Ensure that the image name is vsrx-vmdisk-15.1.qcow2 unless the vSRX image name has changed in the NFX device template.

Firewall Application Policy Deployment Failure

Problem

Description: The firewall application policy failed to deploy.

Solution

  1. Check the job logs in the Administration Portal for the signature installation failure and the reason for the failure.
    1. Log in to the Administration Portal and select Monitor > Jobs.

      The Jobs page is displayed.

    2. Select the log related to the failure and click the Detailed View icon that appears before it.

      The Detailed View page appears, showing the details of the job and the number of tasks associated with the job.

    3. Click View Logs.

      The Job status page is displayed.

  2. Check if the CPE device is up and the outbound SSH connection is active.

    Log in to the Administration Portal and select Monitor > Alerts and Alarm > Alerts,

    or check the outbound SSH connection in the regional microservices virtual machine.

    root@regionalmsvm:~# netstat -anp | grep 7804
  3. Check that the application signature is successfully installed on the device.

    In the Administration Portal, select Administration > Signature Database, and click Install on device to verify the installation status.

  4. Check that the rendered configurations do not show any user input errors and that they are pushed to the device. For a detailed log, check the Kibana dashboard <http://central-infra-iIP-Address:5601> or execute the following command in the central microservices virtual machine to check the rendered configuration and the deployment status.
    root@centralmsvm:~# kubectl get pods -n central | grep cms
  5. For further troubleshooting, collect the logs and output results and contact the Juniper Networks Technical Support team.

Traffic from Spoke Sites Is Dropped or Is Not Reaching Internet or Destination

Problem

Description: Traffic from spoke sites is dropped or is not reaching the Internet or its specified destinations.

Solution

  1. Verify the alerts for overlay or underlay connections, and check whether BGP is active.

    Log in to the Administration Portal, and select Monitor > Alerts and Alarm > Alerts.

  2. Check whether the firewall policies are successfully deployed to the CPE device and that the traffic or applications match the policies that permit the traffic to the Internet or to other sites.

    In the Administration Portal, select Sites > Site-Name > Policies.

    Or log in to the CPE device and verify that the next-generation firewall policies are deployed.

  3. Check the routes in the default VRF route table in the CPE device.
  4. Trace the route and verify the reachability from the hub to the destination. If the hub cannot reach the Internet, then verify whether the firewall and NAT policies are set up properly in the hub.
  5. For further troubleshooting, collect the logs and output results and contact the Juniper Networks Technical Support team.

Missing Data in Application Visibility Page

Problem

Description: Data is missing in the Application Visibility page.

Solution

  1. Check whether the TCP connection is established between the CPE and the regional sblb virtual machine on port 3514.
    root@regional-sblb:~# netstat -anp | grep 3514

    Or execute the following command in the CPE device:

    root@cpe # show security flow session | grep 3514
  2. If the TCP connection is not established on port 3514, then check the IP connectivity between the CPE device and the regional sblb virtual machine. Ensure that TCP port 3514 is not blocked in the path.
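
The netstat checks for port 7804 (outbound SSH, in the firewall policy section) and port 3514 (above) use a plain grep, which also matches the same digits inside other port numbers or in the PID column. The shell function below is an added example, not part of the original documentation; it assumes the Linux net-tools `netstat -anp` column layout and that the virtual machine is the side the CPE connects to, so the port appears under Local Address. The sample output and the `port_state` name are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `netstat -anp` output for one local TCP port.
# Live usage on the VM:  netstat -anp | port_state 7804

# port_state PORT   (reads netstat output on stdin)
# Prints "established N", "listening", or "absent".
port_state() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            # Field 4 is the local address; the port follows the last colon
            # (works for 192.0.2.10:7804 and for :::7804).
            n = split($4, a, ":")
            if (a[n] != port) next
            if ($6 == "ESTABLISHED") est++
            else if ($6 == "LISTEN") lis++
        }
        END {
            if (est)      printf "established %d\n", est
            else if (lis) print "listening"
            else          print "absent"
        }'
}

# Constructed sample output (documentation addresses, placeholder process names).
# The 37804 line would be matched by "grep 7804" twice over: port and PID.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7804            0.0.0.0:*               LISTEN      1423/svc-a
tcp        0      0 192.0.2.10:7804         198.51.100.21:51512     ESTABLISHED 1877/svc-a
tcp        0      0 192.0.2.10:7804         198.51.100.22:40233     ESTABLISHED 1901/svc-a
tcp        0      0 192.0.2.10:37804        203.0.113.5:443         ESTABLISHED 7804/svc-b
tcp        0      0 0.0.0.0:3514            0.0.0.0:*               LISTEN      2210/svc-c
tcp        0      0 192.0.2.10:3514         198.51.100.21:49152     TIME_WAIT   -'

for p in 7804 3514; do
    printf '%s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_NETSTAT" | port_state "$p")"
done
```

A result of "listening" with no established sessions means the service is up but no CPE has connected, which points to the IP connectivity and blocked-port checks in step 2.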

Problem

Description: Link switch does not happen during service-level agreement (SLA) violation in bandwidth-optimized SD-WAN deployments.

Solution

  1. Check that the applications match the SD-WAN policy.
  2. Check that CSO or Controller recognizes the SLA violation.

    Log in to the Administration Portal, and select Monitor > Applications > SLA performance.

  3. Verify whether the CPE time is synchronized with the NTP server.
  4. Click the SLA profile and ensure that the SLA performance data is correct. If it is not, then check that the violation is introduced in the appropriate link.
  5. Log in to the CPE device and check the RPM result. Verify the preferred route in the SLA VRF (TC* VRF) table using the following commands.
    root@cpe # show services rpm probe-results
    root@cpe # show route table TC1-CustomerA_DefaultVPN.inet.0

Problem

Description: The original link is recovered after a service-level agreement (SLA) violation but the application traffic does not switch back to the original link.

Solution

Applications change links only on an SLA violation, because applications are not tied to a specific link and are based on SLA type, such as path preference or link performance metrics.

Problem

Description: All WAN links are up but not all links are being utilized.

Solution

It is possible that all SD-WAN policies can select the same WAN link if they match the SLAs. If the CPE receives a lot of matching and non-matching application traffic for SD-WAN policies, but not all WAN links are being used, then ensure the following:

  1. Check that the CPE device receives multiple flows per application.
  2. Check that all the WAN overlays are up (IPsec, GRE) in the CPE device and the hub device.
  3. Check the SLA performance data or real-time performance monitoring (RPM) probe results in the CPE device for all links.

    Log in to the Administration Portal, and select Monitor > Applications > SLA Performance.