Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues


This section lists known issues in Juniper Networks CSO Release 5.0.1.


  • When you add or remove any intent on the SD-WAN Policy page, a +0 is added after every element even though you selected only one element.

    Workaround: This issue does not have any functional impact. The +0s disappear when you refresh the page.

    Bug Tracking Number: CXU-32068

  • When frequent link switches happen, the application throughput data displayed on Monitor> Application SLA Performance page and Resources > Site management > Site details > WAN page might vary.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-33050

  • The firewall policy deployment fails if you deploy the Default_FW_policy firewall policy on an SD-WAN site.

    Workaround: The Default_FW_policy firewall policy is for only next-generation firewall sites. Create a new policy, add rules that are specific to SD-WAN sites, and then deploy the policy on the SD-WAN site.

    Bug Tracking Number: CXU-37567

Site and Tenant Workflow

  • During ZTP, the bootstrap job times out if the device takes a long time to connect to CSO.

    Workaround: Delete the site and add it again, and then try ZTP.

    Bug Tracking Number: CXU-34298

  • An SRX Series device remains in the DEVICE_DETECTED state for 3 to 4 minutes during ZTP.

    Workaround: There is no functional impact. The ZTP continues after the delay of around four minutes.

    Bug Tracking Number: CXU-31813


  • If tenant administrators select an enterprise hub site while adding a static tunnel for a full-mesh topology network by using the + icon on the WAN page, CSO returns the error Error NoneType object is not iterable. This problem occurs because static tunnels are already present between the enterprise hub and spoke sites.

    Workaround: There is no functionality impact and no known workaround.

    Bug Tracking Number: CXU-37758

  • Application Visibility functionality for NFX250 and NFX150 hybrid WAN managed Internet CPE might not work as expected because application tracking is not enabled by default.

    Workaround: Enable application tracking through device configuration from the CSO UI. Go to Devices, select an NFX250 or NF150 site, and then select Configuration > Zones > Edit Untrust Zone. Select the Application-Tracking check box and deploy the configuration.

    Bug Tracking Number: CXU-37713

  • For provider hub devices that are provisioned by an OpCo administrator, the OpCo administrator is unable to access the Remote Console option on the Resources > Cloud Hub Devices page.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-37706

  • The More options on the Site Management page shows Reboot for a provider hub device. However, tenant administrators do not have the permissions to reboot a provider hub device, and the reboot job initiated by a tenant administrator fails.

    Workaround: There is no functionality impact and no known workaround.

    Bug Tracking Number: CXU-37698

  • Over an SD-WAN CPE, traffic flow from the LAN side is not monitored for application quality of experience (AppQoE) passive probes if the destination (UDP or TCP) port for the traffic is set to 36000.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-37413

  • When a WAN link that is configured with DHCP is used as a DVPN tunnel endpoint, a change in the DHCP IP address of the WAN link causes the DVPN tunnel to be down.

    Workaround: Delete the DVPN tunnel from the Resources > Resource Name > WAN tab and create a new tunnel.

    Bug Tracking Number: CXU-36761

  • The bootstrap job for sites that use SRX Series devices remains in the in-progress state. This problem occurs if only MPLS links are enabled with use for OAM.

    Workaround: Copy and paste the stage-1 configuration to the device CLI instead of performing ZTP.

    Bug Tracking Number: CXU-36661

  • If you deploy multiple firewall policies that have multiple devices, The View Configuration page shows only devices from one of the policies even though the policies have been successfully deployed to all devices.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-36594

  • The display name field of the monitor object deleted alarm shows the UUID of deleted sites instead of the name of the site.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-36367

  • The bootstrap job for a device remains in the In Progress state for a considerable time. This is because, CSO fails to receive the bootstrap completion notification from the device.

    Workaround: If the bootstrap job is in the In Progress state for more than 10 minutes, add the following configuration to the device:

    set system phone-home server

    Bug Tracking Number: CXU-35450

  • When you delete a site and recover the recovery.conf file on SRX3XX devices, the Phone-Home Client (PHC) does not automatically restart.

    Workaround: After you commit the recovery.conf file, you must manually restart the PHC by running the restart phone-home-client command, and then perform ZTP.

    Bug Tracking Number: CXU-35385

  • In next-generation firewall sites with LAN, the recall of EX2300 and EX3400 devices with the zeroize option does not work. This issue occurs because EX2300 and EX3400 do not support the zeroize option.

    Workaround: Manually clean up the EX2300 and EX3400 devices.

    Bug Tracking Number: CXU-35208

  • For Hybrid sites that use NFX150 or NFX250 CPE, you cannot use default configuration templates to configure physical interfaces, zones, or routing instances.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-35021

  • At times, recall with the recovery configuration fails to revert EX2300 and EX3400 devices to the recovery configuration because some devices do not have the /var/db/scripts/events directory.

    Workaround: Keep a copy of the recovery configuration and use the load override recovery filename command to revert the devices to the required configuration.

    Bug Tracking Number: CXU-34430

  • If you create an audit log purge with a recurring schedule and select the Run Now option, the recurrence fails to get scheduled.

    Workaround: When you schedule an audit log purge with a recurring schedule, use the Schedule at a later time option instead of the Run Now option.

    Bug Tracking Number: CXU-32608

  • You cannot filter the device ports for SRX Series devices while adding an on-premise spoke site or while adding a switch.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32826

  • UTM Web filtering fails at times even though the Enhanced Web Filtering (EWF) server is up and online.

    Workaround: From the device, configure the EWF Server with the IP address as shown in the following example:

    root@SRX-1# set security utm feature-profile web-filtering juniper-enhanced server host

    Bug Tracking Number: CXU-32731

  • After you do an RMA of a spoke, the LAN segment fails to connect to the enterprise hub.

    Workaround: Reboot the spoke device.

    Bug Tracking Number: CXU-35379

  • OpCo administrators (created in CSO Release 5.0.0) are able to delete a data hub even if one of their tenants have sites associated with the data hub or if the tenant imports the data. Because there is no warning, before deleting a data hub the OpCo administrators must ensure that there are no sites associated with the data hub.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-37800

  • If you configure a PPPoE-enabled xDSL link for exclusive breakout, it might not work as expected.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-36706