Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues

 

This section lists known issues in Juniper Networks CSO Release 5.1.1.

Installation and Upgrade

SD-WAN

  • On an enterprise hub, when there are no non-data center departments, SD-WAN policy deploy job may return the following message and fail:

    No update of SD-WAN policy configuration on device due to missing required information.

    Workaround: There is no functional impact; the deploy job completes successfully when a non-data center department with a LAN segment is deployed on an enterprise hub.

    Bug Tracking Number: CXU-31365

  • If the Internet breakout WAN link of the provider hub is not used for provisioning the overlay tunnel by at least one spoke site in a tenant, then traffic from sites to the Internet is dropped.

    Workaround: Ensure that you configure a firewall policy to allow traffic from security zone trust-tenant-name to zone untrust-wan-link, where tenant-name is the name of the tenant and wan-link is the name of the Internet breakout WAN link.

  • Bug Tracking Number: CXU-21291

  • While provisioning a Dual CPE SRX cluster as an enterprise hub with the multi-access shared bearer (MASB) configuration, the Stage1 configuration is failing to commit because untagged logical interfaces are not supported on the device interface when MASB is configured.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42201

SD-LAN

  • The phone-home process might not be triggered if you zeroize an EX Series switch and commit configuration manually on the switch.

    Workaround: To trigger the phone-home process, run the delete chassis auto-image-upgrade command and commit the delete operation.

    Bug Tracking Number: CXU-39129

  • CSO is unable to configure access ports on the EX4600 and EX4650 device after zeroizing the device because a default VLAN is configured on all the ports after zeroizing.

    Workaround: Load the factory default configuration if you zeorize the EX4600 and EX4650 devices or delete the default VLAN configuration from all the ports of the members by using commands such as # wildcard range delete interfaces xe-0/0/[0-23].

    Bug Tracking Number: CXU-42865

  • When adding a switch to an already provisioned site, the site state is set as Provisioned, because of which a link to manually activate the EX device does not appear. The state of a site should be set to Provisioned only when all the devices in the site are provisioned.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-40647

  • Chassis view for an EX2300 Virtual Chassis appears blank when the Virtual chassis is pre-provisioned.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42866

  • While preprovisioning an EX Virtual Chassis, if a member is down or the member is not connected to the Virtual Chassis, the Virtual Chassis Port (VCP) status of the member is not updated in CSO after the member is brought up after provisioning.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42124

  • The Chassis View of an EX Virtual Chassis displays the port admin status as up, and VCP link status as down for a member which is powered down.

    Workaround: There is no known workaround. You can identify that a device is down by viewing the last polled data.

    Bug Tracking Number: CXU-43552

CSO High Availability

  • In an HA setup, deployment of NAT and firewall policies fail if secmgt-sm pods fail to initialize after a snapshot process and remain in 0/1 Running state.

    Workaround: Run the following curl command from the microservices VM and make sure scemgt-sm pods comes to 1/1 Running state:

    curl -XPOST "https://<central-vip>/api/juniper/sd/csp-web/database-initialize" -H 'Content-Type: application/json' -H 'Accept: application/json' -H "X-Auth-Token: token

    Bug Tracking Number: CXU-31446

  • On an HA installation, during infrastructure deployment, sometimes services inside the Contrail Analytics Node remains in the initializing state. Because of this, the Contrail Analytics Node cannot be configured and the infrastructure deployment fails.

    Workaround: There is no known workaround. You must, delete all the Virtual Machines spawned and start the deployment again from scratch.

    Bug Tracking Number: CXU-42965

  • On an HA setup, in case of power failure scenarios, certain workflows, such as onboard tenant/configure site may fail randomly with ReadTimeout Error.

    Workaround: Contact Juniper support team for recovery procedure.

    Bug Tracking Number: CXU-43001

Security Management

  • If a provider hub is used by two tenants, one with public key infrastructure (PKI) authentication enabled and other with preshared key (PSK) authentication enabled, the commit configuration operation fails. This is because only one IKE gateway can point to one policy and if you define a policy with a certificate then the preshared key does not work.

    Workaround: Ensure that the tenants sharing a provider hub use the same type of authentication (either PKI or PSK) as the provider hub device.

    Bug Tracking Number: CXU-23107

  • If UTM Web-filtering categories are installed manually (by using the request system security UTM web-filtering category install command from the CLI) on an NFX150 device, the intent-based firewall policy deployment from CSO fails.

    Workaround: Uninstall the UTM Web-filtering category that you installed manually by executing the request security utm web-filtering category uninstall command on the NFX150 device and then deploy the firewall policy.

    Bug Tracking Number: CXU-23927

  • If SSL proxy is configured on a dual CPE device and if the traffic path is changed from one node to another node, the following issue occurs:

    • For cacheable applications, if there is no cache entry the first session might fail to establish.

    • For non-cacheable applications, the traffic flow is impacted.

    Workaround: None.

    Bug Tracking Number: CXU-25526

Site and Tenant Workflow

  • On a site with an NFX250 device and EX Series switch, the EX Series switch is not detected if there are no LAN segments.

    Workaround: Onboard the site with at least one LAN segment.

    Bug Tracking Number: CXU-38960

  • On an on-premise installation, when deploying a port profile configuration fails on an EX4650 switch, CSO displays the management status of the site with EX4650 switch as provisioned even though the zero-touch provisioning (ZTP) job fails on the switch.

    Workaround: Ensure that no port profile is deployed on an EX4650 switch during ZTP.

    Bug Tracking Number: CXU-42181

  • Zero-touch provisioning of an EX Series switch fails if you add the switch behind an enterprise hub.

    Workaround: For onboarding an EX Series switch behind an enterprise hub, manually configure the Stage-1 configuration on the switch.

    Bug Tracking Number: CXU-38994

  • When you perform ZTP on more than one enterprise hub at the same time, ZTP for one or the other enterprise hub may fail.

    Workaround: Perform ZTP on enterprise hubs one after other; that is, after the ZTP of the first enterprise hub completes successfully. You can also retry executing the failed ZTP job.

    Bug Tracking Number: CXU-42985

  • When onboarding a next-generation firewall and switch, the CSO GUI may temporarily show that provisioning the firewall as failed when a license is not present, though the ZTP task completes and the site is provisioned.

    Workaround: Refresh the page to view the final status of onboarding the next-generation firewall.

    Bug Tracking Number: CXU-43024

  • While configuring an SD-WAN site with an EX switch, the VLAN value is not saved when you enable CPE ports for configuring the VLAN.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-43365

General

  • In next-generation firewall sites with LAN, the recall of EX2300 and EX3400 devices with the zeroize option does not work. This issue occurs because EX2300 and EX3400 do not support the zeroize option.

    Workaround: Manually clean up the EX2300 and EX3400 devices.

    Bug Tracking Number: CXU-35208

  • You cannot filter the device ports for SRX Series devices while adding an on-premise spoke site or while adding a switch.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32826

  • UTM Web filtering fails at times even though the Enhanced Web Filtering (EWF) server is up and online.

    Workaround: From the device, configure the EWF Server with the IP address 116.50.57.140 as shown in the following example:

    root@SRX-1# set security utm feature-profile web-filtering juniper-enhanced server host 116.50.57.140

    Bug Tracking Number: CXU-32731

  • If you create or delete a DVPN tunnel, you cannot reach the LAN interface on the SRX Series device.

    Workaround: Reboot the spoke or execute the following commands and then roll back the changes.

    • set groups dept-configuration interfaces ge-0/0/4 vlan-tagging

    • set groups dept-configuration interfaces ge-0/0/5 vlan-tagging

    Bug Tracking Number: CXU-35379

  • If you click a specific application on the Resources > Sites Management > WAN tab > Top applications widget, the Link Performance widget does not display any data.

    Workaround: You can view the data from the Monitoring >Application Visibility page or Monitoring >Traffic Logs page.

    Bug Tracking Number: CXU-39167

  • While adding a spoke site if you add and associate one or more departments with one or more LAN segments, sometimes the department's VRF tables might not be created at the enterprise hub. This causes the enterprise hub's 0/0 (default) route to be missing in the spoke site department's VRF tables.

    Workaround: Delete and redeploy the LAN segments.

    Bug Tracking Number: CXU-37770

  • When DVPN tunnels (GRE_IPSEC tunnels) are established between a pair of SRX3XX devices that have Internet WAN links behind NAT, the GRE OAM status of the tunnels is displayed as DOWN and hence the tunnels are marked as DOWN and not usable for traffic.

    Workaround : Disable the GRE OAM keepalive configuration to make the tunnel usable for traffic.

    Bug Tracking Number: CXU-41281

  • The health check in the CAN node fails while you run the deploy.sh script on the startup server during the HA deployment. This is because the Kafka process is inactive in one of the CAN nodes.

    Workaround:

    1. Log in to the CAN node.
    2. Run the docker restart analyticsdb analytics controller command and wait for around 10 minutes.
    3. Rerun the components_health_check.sh script on the startup server.
    4. If the CAN node components are still unhealthy, repeat 2 and 3.

    If all the components are healthy, then proceed with the installation.

    Bug Tracking Number: CXU-41232

  • Alarms are not getting generated if the date and time is not in sync with the NTP server.

    Workaround: CSO and devices must be NTP-enabled. Make sure CSO and device time are in sync.

    Bug Tracking Number: CXU-40815

  • The firewall policy deployment fails if the system has more than 10,000 addresses.

    Workaround: In the elasticsearch.yml file, update the index.max_result_window parameter to 20000.

    Bug Tracking Number: CXU-41678

  • The bootstrap job for a device remains in the In Progress state for a considerable time. This is because CSO fails to receive the bootstrap completion notification from the device.

    Workaround: If the bootstrap job is in the In Progress state for more than 10 minutes, add the following configuration to the device:

    set system phone-home server https://redirect.juniper.net

    Bug Tracking Number: CXU-35450

  • After Network Address Translation (NAT), only one DVPN tunnel is created between two spoke sites if the WAN interfaces (with link type as Internet) of one of the spoke site have the same public IP address.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41210

  • On an SRX Series device, the deployment fails if you use the same IP address in both the Global FW policy and the Zone policy.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41259

  • In case of an AppQoE event (packet drop or latency), the application may not switch to the best available path among the available links.

    Workaround: Reboot the device.

    Bug Tracking Number: CXU-41922

  • While you are using a remote console for a tenant device, if you press the Up arrow or the Down arrow, then instead of the command history irrelevant text (that includes the device name and the tenant name) appears on the console.

    Workaround. To clear the irrelevant text, press the down arrow key a few times and then press Enter.

    Bug Tracking Number: CXU-41666

  • While you are editing a tenant, if you modify Tenant-owned Public IP Pool under Advanced Settings (optional), then the changes that you made to the Tenant-owned Public IP pool field are not reflected after the completion of the edit tenant operation job.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41139

  • The TAR file installation of a distributed deployment fails. This issue occurs if the version of the bare-metal server that you are using is later than the recommended version.

    Workaround: You must install the python-dev script before running the deploy-sh script.

    After you extract the CSO TAR file on the bare-metal server:

    1. Navigate to the /etc/apt directory and execute the following commands:

      • cp sources.list sources.list.cso

      • cp orig-sources.list sources.list

    2. Install the python2.7-dev script by running the following commands:

      • apt-get update && apt-get install python2.7-dev

      • cp sources.list.cso sources.list

    3. Navigate to the /root/Contrail_Service_Orchestration_5.1.0 folder and then run the deploy.sh script.

    Bug Tracking Number: CXU-41845

  • The Users page continues to display the name of the user that you deleted. This is because the Users page is not automatically refreshed.

    Workaround: Manually refresh the page.

    Bug Tracking Number: CXU-41793

  • After ZTP of an NFX Series device, the status of some tunnels are displayed as down. This issue occurs if you are using the subnet IP address192.168.2.0 on WAN links, which causes an internal IP address conflict.

    Workaround: Avoid using the 192.168.2.0 subnet on WAN links.

    Bug Tracking Number: CXU-41511

  • On the CSO GUI, in the LAN tab of a next-generation firewall site with a LAN switch, when you click the arrow icon next to a LAN segment, the ports displayed in the Switch Ports field disappear.

    Workaround: Hover over the “+<number of ports>” link in the Switch Ports column to view the list of ports on the LAN.

    Bug Tracking Number: CXU-42608

  • Installation of license on an SRX4200 Dual CPE cluster by using CSO is failing.

    Workaround: Install the licenses manually. To install the licenses manually:

    1. Copy the license files for both the devices to the primary node of the cluster.
    2. Install the license on the primary device.
    3. Copy the license file of the backup node to the backup node.
    4. Log in to the backup node and install the license.

    Bug Tracking Number: CXU-40522

  • When you backup SD-WAN reports generated in CSO Release 4.1.1 and restore it on CSO Release 5.1.1, an error appears when you try to download the report and the report is not downloaded.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42395

  • When you configure a CPE behind a NAT, DVPN tunnels stay between an Internet link that is behind NAT and an Internet link which is not behind NAT due to wrong external-interface in the IPSEC Configuration.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-43217