Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues


This section lists known issues in Juniper Networks CSO Release 5.1.0.


  • Addition and deletion of mesh tags are not captured in the DVPN audit logs.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32252

  • When you add or remove any intent on the SD-WAN Policy page, a +0 is added after every element even though you selected only one element.

    Workaround: This issue does not have any functional impact. The +0s disappear when you refresh the page.

    Bug Tracking Number: CXU-32068

  • Traffic from a spoke site that has dynamic SLA policy enabled and is connected to an MX cloud hub takes asymmetric paths, that is different paths for upstream and downstream.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32506

  • On gateway site, when there are no non-datacenter departments, SD-WAN policy deploy job may return the following message and fail:

    No update of SD-WAN policy configuration on device due to missing required information.

    Workaround: There is no functional impact; the deploy job completes successfully when a non-datacenter department with a LAN segment is deployed on Gateway site.

    Bug Tracking Number: CXU-31365

  • SD-WAN deployment policy job may fail if policy intent involves datacenter department or department without any LAN segment. This does not impact SD-WAN policy deployment for other sites.

    Workaround: Use more specific SD-WAN intents, with department or department with site, to exclude datacenter departments and departments without LAN segments.

    Bug Tracking Number: CXU-31313

  • In a bandwidth-optimized, hub-and-spoke topology where network segmentation is enabled, a new LAN segment that has an existing department added to it might cause a deploy to fail.

    Workaround: Delete the LAN segment and retry the deploy. If there are policy dependencies, remove the dependencies before you delete the LAN segment.

    Bug Tracking Number: CXU-25968

  • OAM configurations remain on an MX device that you have deactivated as cloud hub from CSO.

    Workaround: Manually remove the configuration from the device.

    Bug Tracking Number: CXU-25412

  • If the Internet breakout WAN link of the cloud hub is not used for provisioning the overlay tunnel by at least one spoke site in a tenant, then traffic from sites to the Internet is dropped.

    Workaround: Ensure that you configure a firewall policy to allow traffic from security zone trust-tenant-name to zone untrust-wan-link, where tenant-name is the name of the tenant and wan-link is the name of the Internet breakout WAN link.

  • Bug Tracking Number: CXU-21291

  • If a WAN link on a CPE device goes down, the WAN tab of the Site-Name page (in Administration Portal) displays the corresponding link metrics as N/A.

    Workaround: None.

    Bug Tracking Number: CXU-23996

  • If you delete a cloud hub that is created in Release 3.3.1, CSO does not delete the stage-2 configuration.

    Workaround: You must manually delete the stage-2 configuration from the device.

    Bug Tracking Number: CXU-25764


  • At times, recall with the recovery configuration fails to revert EX2300 and EX3400 devices to the recovery configuration because some devices do not have the /var/db/scripts/events directory.

    Workaround: Keep a copy of the recovery configuration and use the load override recovery filename command to revert the devices to the required configuration.

    Bug Tracking Number: CXU-34430

  • For an EX Series switch, on the Configuration Template page the Maximum Power field is not validated. The range for Maximum Power is 0 through 30 watts. The deployment fails if you specify any other values.

    Workaround: Specify a value within the range (0 through 30 watts).

    Bug Tracking Number: CXU-38850

  • ZTP of an EX Series switch fails if you add an EX Series switch behind an enterprise hub.

    Workaround: For onboarding an EX Series switch behind an enterprise hub, manually configure the stage-1 configuration.

    Bug Tracking Number: CXU-38994

  • For an EX Series switch, if you enable or disable a port from the UI, the port status is reflected in Port Chassis View and Port Grid only after an approximate time of 5 minutes.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-37846

  • For an EX Series switch, you cannot filter or search for the device ports on the Resources > Devices Device-Name> Ports tab.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-38564

  • If you reboot an NFX250 device, the EX Series switch behind the NFX250 device might not renew the DHCP request, and the operational status of the switch might be displayed as down.

    Workaround: On the EX Series switch, manually run the request dhcp client renew all command.

    Bug Tracking Number: CXU-39127

  • The phone-home process might not be triggered if you zeroize an EX Series switch and disable the management interface on the switch.

    Workaround: To trigger the phone-home process, run the delete chassis auto-image-upgrade command and commit the delete operation.

    Bug Tracking Number: CXU-39129

  • If you are using an EX Series switch with Junos OS Release 18.3R1.9, the Current System Users widget always displays the login time as Jan 1, 1970.

    Workaround: Upgrade the EX Series switch to Junos OS Release 18.4R2.7.

    Bug Tracking Number: CXU-38647

  • The deployment of a port profile fails if the values you have configured for the firewall filter are not supported on the Junos OS platform.


    • Edit the firewall filter.

    • Modify the values according to the supported configuration specified for a firewall filter, in this link.

    • Redeploy the port profile.

    Bug Tracking Number: CXU-39629

  • The chassis view for an EX Series switch is not automatically refreshed to display the status of the newly-configured ports.

    Workaround: Manually refresh the Device-name page. Alternatively, navigate to some other page on the UI and then revisit the Device-name page to view the status of the newly-configured ports on the chassis view.

  • The Zero Touch Provisioning toggle button is displayed for EX4600 and EX4650 switches although these switches do not support ZTP.

    Workaround: Disable the Zero Touch Provisioning toggle button and manually configure the stage-1 configuration on the switches.

    Bug Tracking Number: CXU-41608

  • The chassis view for an EX Series Virtual Chassis incorrectly displays member 0 as the master member although the Virtual Chassis was successfully provisioned without member 0, through ZTP.

    Workaround: Add an EX Series device as member 0 before provisioning the Virtual Chassis.

    Bug Tracking Number: CXU-40322

  • If you upgrade a CSO 5.0.3 site with EX series switch to CSO 5.1, the port profile configuration or manual configuration of a port profile on an already configured port may not work as expected. 

    Workaround: Delete the recreate the site with EX series switch

    Bug Tracking Number: CXU-41763

CSO High Availability

  • In an HA setup, some of the VRRs are incorrectly reported as down even though those VRRs are up and running. This problem occurs because some of the alarms that are created when VRRs are down after a power failure fail to be cleared even after the VRRs come back online.

    Workaround: Though this issue does not have any functional impact, we recommend that you restart the VRR to clear the alarms.

    Bug Tracking Number: CXU-31448

  • In an HA setup, deployment of NAT and firewall policies fail if secmgt-sm pods fail to initialize after a snapshot process and remain in 0/1 Running state.

    Workaorund: Run the following curl command from the microservices VM and make sure scemgt-sm pods comes to 1/1 Running state:

    curl -XPOST "https://<central-vip>/api/juniper/sd/csp-web/database-initialize" -H 'Content-Type: application/json' -H 'Accept: application/json' -H "X-Auth-Token: token

    Bug Tracking Number: CXU-31446

  • In a multi-node CSO installation, the authentication of microservices might fail if you restart any servers (of the 3 available). This is because of the cassandra database-related issue.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41620

Security Management

  • If a cloud hub is used by two tenants, one with public key infrastructure (PKI) authentication enabled and other with preshared key (PSK) authentication enabled, the commit configuration operation fails. This is because only one IKE gateway can point to one policy and if you define a policy with a certificate then the preshared key does not work.

    Workaround: Ensure that the tenants sharing a cloud hub use the same type of authentication (either PKI or PSK) as the cloud hub device.

    Bug Tracking Number: CXU-23107

  • If UTM Web-filtering categories are installed manually (by using the request system security UTM web-filtering category install command from the CLI) on an NFX150 device, the intent-based firewall policy deployment from CSO fails.

    Workaround: Uninstall the UTM Web-filtering category that you installed manually by executing the request security utm web-filtering category uninstall command on the NFX150 device and then deploy the firewall policy.

    Bug Tracking Number: CXU-23927

  • If SSL proxy is configured on a dual CPE device and if the traffic path is changed from one node to another node, the following issue occurs:

    • For cacheable applications, if there is no cache entry the first session might fail to establish.

    • For non-cacheable applications, the traffic flow is impacted.

    Workaround: None.

    Bug Tracking Number: CXU-25526

Site and Tenant Workflow

  • On a site with an NFX250 device and EX Series switch, the EX Series switch is not be detected if there are no LAN segments.

    Workaround: Onboard the site with at least one LAN segment.

    Bug Tracking Number: CXU-38960


  • App Visibility functionality for NFX250 and NFX150 Hybrid WAN Managed Internet CPE may not work as expected because application tracking is not enabled by default.

    Workaround: Enable application-tracking through device configuration from the CSO UI. Go to Devices, select an NFX250 or NF150 site, and then select Configuration > Zones > Edit Untrust Zone, and select the Application-Tracking check box and deploy the configuration.

    Bug Tracking Number: CXU-37713

  • When a WAN link that is configured with DHCP is used as a DVPN tunnel endpoint, a change in the DHCP IP address of the WAN link causes the DVPN tunnel to be down.

    Workaround: Delete the DVPN tunnel from the Resources > Resource Name > WAN tab and create a new tunnel.

    Bug Tracking Number: CXU-36761

  • The display name field of the monitor object deleted alarm shows the UUID of deleted sites instead of the name of the site.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-36367

  • In next-generation firewall sites with LAN, the recall of EX2300 and EX3400 devices with the zeroize option does not work. This issue occurs because EX2300 and EX3400 do not support the zeroize option.

    Workaround: Manually clean up the EX2300 and EX3400 devices.

    Bug Tracking Number: CXU-35208

  • For Hybrid sites that use NFX150 or NFX250 CPE, you cannot use default configuration templates to configure physical interfaces, zones, or routing instances.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-35021

  • You cannot filter the device ports for SRX Series devices while adding an on-premise spoke site or while adding a switch.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32826

  • UTM Web filtering fails at times even though the Enhanced Web Filtering (EWF) server is up and online.

    Workaround: From the device, configure the EWF Server with the IP address as shown in the following example:

    root@SRX-1# set security utm feature-profile web-filtering juniper-enhanced server host

    Bug Tracking Number: CXU-32731

  • After you do an RMA of a spoke, the LAN segment fails to connect to the enterprise hub.

    Workaround: Reboot the spoke device.

    Bug Tracking Number: CXU-35379

  • On the Shared Objects page, if you edit a custom application or application group settings, the firewall policies or SD-WAN policies are marked as Pending Deployment even though there are no changes to the policies.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-38706

  • When you configure and deploy IPS on the firewall rule, IDP does not detect the attacks and processes the traffic on an NFX150 device with Junos OS Release 18.2X85-D12 when a dynamic application is configured.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-38388

  • If you create or delete a DVPN tunnel, you cannot reach the LAN interface on the SRX Series device.

    Workaround: Reboot the spoke or execute the following commands and then roll back the changes.

    • set groups dept-configuration interfaces ge-0/0/4 vlan-tagging

    • set groups dept-configuration interfaces ge-0/0/5 vlan-tagging

    Bug Tracking Number: CXU-35379

  • If you click a specific application on the Resources > Sites Management > WAN tab > Top applications widget, the Link Performance widget does not display any data.

    Workaround: You can view the data from the Monitoring >Application Visibility page or Monitoring >Traffic Logs page.

    Bug Tracking Number: CXU-39167

  • While adding a spoke site if you add and associate one or more departments with one or more LAN segments, sometimes the department's VRF tables might not be created at the enterprise hub. This causes the enterprise hub's 0/0 (default) route to be missing in the spoke site department's VRF tables.

    Workaround: Delete and redeploy the LAN segments.

    Bug Tracking Number: CXU-37770

  • The contrail health check fails for a non HA deployment, after you run the script on a startup servers.

    Workaround: Reboot the CAN node. Wait for 10 minutes and rerun the script to see if all components are healthy. Once all the components are healthy proceed with the installation.

    Bug Tracking Number: CXU-41463

  • On a newly-installed CSO setup, core files are generated in the CAN VMs.

    Workaround: No workaround. However, to see if the processes are running as expected, check the contrail-status in all the dockers.

    Bug Tracking Number: CXU-41338

  • When DVPN tunnels [GRE_IPSEC tunnels] is established between a pair of SRX3xx devices which have INTERNET WAN links behind NAT, the GRE OAM status of tunnels shows as DOWN and hence the tunnels are marked as DOWN and not usable for traffic.

    Workaround : Disable GRE OAM Keepalive configuration to make the tunnel usable for traffic.

    Bug Tracking Number: CXU-41281

  • The health check in the CAN node fails while you run the script on the startup server during the HA deployment. This is because the Kafka process is inactive in one of the CAN nodes.


    1. Log in to the CAN node.

    2. Run the docker restart analyticsdb analytics controller command.

    3. Wait for around 10 minutes

    4. Rerun the script on the startup server.

    5. If the CAN node components are still unhealthy, repeat step 3 and step 4.

    Once all the components are healthy proceed with the installation.

    Bug Tracking Number: CXU-41232

  • The alarm is not getting generated if date and time is not in sync with the NTP server.

    Workaround: CSO and devices must be NTP-enabled. Make sure CSO and device time are in sync.

    Bug Tracking Number: CXU-40815

  • UTM web filtering is not supported in the Active-Active SRX cluster. The UTM web filter will be UP only on one node of the cluster. The UP status depends on which node could setup connection to the cloud server from PFE directory.

    Workaround: None

    Bug Tracking Number: CXU-32738

  • The bootstrap process remains in the In Progress state because the phone-home server fails to receive the bootstrap completion notification from the phone-home client.

    Workaround: Reconfigure the name-server and phone-home server (, and restart the phone-home client.

    Bug Tracking Number: CXU-41449

  • Signature database installation might fail for an SRX series device with the following error message:

    Application signature version 3229 install failed for device 4100HAEH. Error copy on device/node failed : file copy /tmp/application_groups2.xml.gz node0:/var/db/idpd/nsm-download/application_groups2.xml.gz error: put-file failed error: could not send local copy of file {primary:node0} cspuser@4100HAEH.4100HAEH

    Workaround: Run the following commands as root user on the device shell:

    • chmod -R 777 /var/db/idpd/nsm-download

    • chmod -R 777 /var/db/appid/sec-download

    For dual CPE devices, you must run these commands on on node 0 and node 1.

    Bug Tracking Number: CXU-41678

  • The firewall policy deployment fails if the system has more than 10000 addresses.

    Workaround: In the elasticsearch.yml file, update the index.max_result_window parameter to 20000.

    Bug Tracking Number: CXU-41678