Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues


This section lists known issues in Juniper Networks CSO Release 5.1.1.


  • On an enterprise hub, when there are no non-data center departments, the SD-WAN policy deploy job may return the following message and fail:

    No update of SD-WAN policy configuration on device due to missing required information.

    Workaround: There is no functional impact; the deploy job completes successfully when a non-data center department with a LAN segment is deployed on an enterprise hub.

    Bug Tracking Number: CXU-31365

  • If the Internet breakout WAN link of the provider hub is not used for provisioning the overlay tunnel by at least one spoke site in a tenant, then traffic from sites to the Internet is dropped.

    Workaround: Ensure that you configure a firewall policy to allow traffic from security zone trust-tenant-name to zone untrust-wan-link, where tenant-name is the name of the tenant and wan-link is the name of the Internet breakout WAN link.

  • Bug Tracking Number: CXU-21291

  • While provisioning a dual CPE SRX Series cluster as an enterprise hub with the multi-access shared bearer (MASB) configuration, the stage-1 configuration fails to commit because untagged logical interfaces are not supported on the device interface when MASB is configured.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42201


  • The phone-home process might not be triggered if you zeroize an EX Series switch and commit the configuration manually on the switch.

    Workaround: To trigger the phone-home process, run the delete chassis auto-image-upgrade command and commit the delete operation.

    Bug Tracking Number: CXU-39129

  • The deployment of a port profile fails if the values you have configured for the firewall filter are not supported on the device running Junos OS.


    • Edit the firewall filter.

    • Update the values according to the supported configuration specified for a firewall filter, in this link.

    • Redeploy the port profile.

    Bug Tracking Number: CXU-39629

  • CSO is unable to configure access ports on the EX4600 and EX4650 devices after you zeroize the device because a default VLAN is configured on all the ports after zeroizing.

    Workaround: Load the factory-default configuration if you zeorize the EX4600 and EX4650 devices or delete the default VLAN configuration from all the ports of the members by using commands such as # wildcard range delete interfaces xe-0/0/[0-23].

    Bug Tracking Number: CXU-42865

  • When adding a switch to an already provisioned site, the site state is set to Provisioned in CSO. Therefore, a link to copy the stage-1 configuration for manually activating the EX Series device does not appear. You must set the state of a site to Provisioned only when all the devices in the site are provisioned.

    Workaround: Delete the device from CSO and add the device again after rectifying the reason for provision failure.

    Bug Tracking Number: CXU-40647

  • The chassis view for an EX2300 Virtual Chassis appears blank when the device resources are used up and the request for getting a response from the device times out.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42866

  • In an on-premises installation, when deploying a port profile configuration fails on an EX4650 switch, CSO displays the management status of the site with EX4650 switch as provisioned even though the ZTP job fails on the switch.

    Workaround: Ensure that no port profile is deployed on an EX4650 switch during ZTP.

    Bug Tracking Number: CXU-42181

  • ZTP of an EX Series switch fails if you add the switch behind an enterprise hub.

    Workaround: For onboarding an EX Series switch behind an enterprise hub, manually configure the stage-1 configuration on the switch.

    Bug Tracking Number: CXU-38994

CSO High Availability

  • In an HA setup, deployment of NAT and firewall policies fail if secmgt-sm pods fail to initialize after a snapshot process and remain in 0/1 Running state.

    Workaround: Run the following curl command from the microservices VM and make sure scemgt-sm pods comes to 1/1 Running state:

    curl -XPOST "https://<central-vip>/api/juniper/sd/csp-web/database-initialize" -H 'Content-Type: application/json' -H 'Accept: application/json' -H "X-Auth-Token: token

    Bug Tracking Number: CXU-31446

  • In an HA installation, during infrastructure deployment, sometimes services inside the Contrail Analytics Node remain in the initializing state. Because of this, the Contrail Analytics Node cannot be configured and the infrastructure deployment fails.

    Workaround: There is no known workaround. You must delete all the virtual machines spawned and start the deployment again from scratch.

    Bug Tracking Number: CXU-42965

  • In an HA setup, in case of power failure scenarios, certain workflows, such as onboard tenant or configure site, may fail randomly with ReadTimeout Error.

    Workaround: Contact JTAC for the recovery procedure.

    Bug Tracking Number: CXU-43001

  • When an SD-WAN controller is down or not reachable from CSO, you cannot delete a site or tenant from CSO.

    Workaround: Recover the SD-WAN controller and retry deleting the site or tenant.

    Bug Tracking Number: CXU-43724

  • After you restart all the three infrastructure nodes, MariaDB is not restored properly.

    Workaround: Execute the on the startup server and select the MariaDB option to restore MariaDB completely.

    Bug Tracking Number: CXU-42125

  • In an high availability installation of CSO, when a server is restarted, the node on which RabbitMQ is running does not join the cluster.

    Workaround: Execute the script on the startup server and select the RabbitMQ option to recover the RabbitMQ cluster and restart microservices.

    Bug Tracking Number: CXU-43726

  • After restarting the etcd pod, the pod does not return to the running state. Instead the pod is in the crashloopbackoff state.

    Workaround: Contact JTAC for getting the etcd pod to the running state.

    Bug Tracking Number: CXU-38345

Security Management

  • If a provider hub is used by two tenants, one with public key infrastructure (PKI) authentication enabled and other with preshared key (PSK) authentication enabled, the commit configuration operation fails. This is because only one IKE gateway can point to one policy and if you define a policy with a certificate then the preshared key does not work.

    Workaround: Ensure that the tenants sharing a provider hub use the same type of authentication (either PKI or PSK) as the provider hub device.

    Bug Tracking Number: CXU-23107

  • If UTM Web-filtering categories are installed manually (by using the request system security UTM web-filtering category install command from the CLI) on an NFX150 device, the intent-based firewall policy deployment from CSO fails.

    Workaround: Uninstall the UTM Web-filtering category that you installed manually by executing the request security utm web-filtering category uninstall command on the NFX150 device and then deploy the firewall policy.

    Bug Tracking Number: CXU-23927

  • If SSL proxy is configured on a dual CPE device and if the traffic path is changed from one node to another node, the following issue occurs:

    • For cacheable applications, if there is no cache entry the first session might fail to establish.

    • For non-cacheable applications, the traffic flow is impacted.

    Workaround: None.

    Bug Tracking Number: CXU-25526

Site and Tenant Workflow

  • On a site with an NFX250 device and EX Series switch, the EX Series switch is not detected if there are no LAN segments.

    Workaround: Onboard the site with at least one LAN segment.

    Bug Tracking Number: CXU-38960

  • When you perform ZTP on more than one enterprise hub at the same time, ZTP for one or the other enterprise hub may fail.

    Workaround: Perform ZTP on enterprise hubs one after the other; that is, after the ZTP of the first enterprise hub completes successfully. You can also retry executing the failed ZTP job.

    Bug Tracking Number: CXU-42985

  • When onboarding a next-generation firewall and switch, the CSO GUI may temporarily show that provisioning the firewall has failed when a license is not present, although the ZTP task completes and the site is provisioned.

    Workaround: Refresh the page to view the final status of onboarding the next-generation firewall.

    Bug Tracking Number: CXU-43024


  • In next-generation firewall sites with LAN, the recall of EX2300 and EX3400 devices with the zeroize option does not work. This issue occurs because EX2300 and EX3400 do not support the zeroize option.

    Workaround: Manually clean up the EX2300 and EX3400 devices.

    Bug Tracking Number: CXU-35208

  • You cannot filter the device ports for SRX Series devices while adding an on-premises spoke site or while adding a switch.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32826

  • UTM Web filtering fails at times even though the Enhanced Web Filtering (EWF) server is up and online.

    Workaround: From the device, configure the EWF Server with the IP address as shown in the following example:

    root@SRX-1# set security utm feature-profile web-filtering juniper-enhanced server host

    Bug Tracking Number: CXU-32731

  • If you create or delete a DVPN tunnel, you cannot reach the LAN interface on the SRX Series device.

    Workaround: Reboot the spoke or execute the following commands and then roll back the changes.

    • set groups dept-configuration interfaces ge-0/0/4 vlan-tagging

    • set groups dept-configuration interfaces ge-0/0/5 vlan-tagging

    Bug Tracking Number: CXU-35379

  • If you click a specific application on the Resources > Sites Management > WAN tab > Top applications widget, the Link Performance widget does not display any data.

    Workaround: You can view the data from the Monitoring >Application Visibility page or Monitoring >Traffic Logs page.

    Bug Tracking Number: CXU-39167

  • While adding a spoke site if you add and associate one or more departments with one or more LAN segments, sometimes the department's VRF tables might not be created at the enterprise hub. This causes the enterprise hub's 0/0 (default) route to be missing in the spoke site department's VRF tables.

    Workaround: Delete and redeploy the LAN segments.

    Bug Tracking Number: CXU-37770

  • When DVPN tunnels (GRE_IPSEC tunnels) are established between a pair of SRX3XX devices that have Internet WAN links behind NAT, the GRE OAM status of the tunnels is displayed as DOWN and hence the tunnels are marked as DOWN and not usable for traffic.

    Workaround : Disable the GRE OAM keepalive configuration to make the tunnel usable for traffic.

    Bug Tracking Number: CXU-41281

  • The health check in the CAN node fails while you run the script on the startup server during the HA deployment. This is because the Kafka process is inactive in one of the CAN nodes.


    1. Log in to the CAN node.
    2. Run the docker restart analyticsdb analytics controller command and wait for around 10 minutes.
    3. Rerun the script on the startup server.
    4. If the CAN node components are still unhealthy, repeat 2 and 3.

    If all the components are healthy, then proceed with the installation.

    Bug Tracking Number: CXU-41232

  • Alarms are not getting generated if the date and time is not in sync with the NTP server.

    Workaround: CSO and devices must be NTP-enabled. Make sure CSO and device time are in sync.

    Bug Tracking Number: CXU-40815

  • The firewall policy deployment fails if the system has more than 10,000 addresses.

    Workaround: In the elasticsearch.yml file, update the index.max_result_window parameter to 20000.

    Bug Tracking Number: CXU-41678

  • The bootstrap job for a device remains in the In Progress state for a considerable time. This is because CSO fails to receive the bootstrap completion notification from the device.

    Workaround: If the bootstrap job is in the In Progress state for more than 10 minutes, add the following configuration to the device:

    set system phone-home server

    Bug Tracking Number: CXU-35450

  • After Network Address Translation (NAT), only one DVPN tunnel is created between two spoke sites if the WAN interfaces (with link type as Internet) of one of the spoke site have the same public IP address.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41210

  • On an SRX Series device, the deployment fails if you use the same IP address in both the Global FW policy and the Zone policy.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41259

  • In case of an AppQoE event (packet drop or latency), the application may not switch to the best available path among the available links.

    Workaround: Reboot the device.

    Bug Tracking Number: CXU-41922

  • While you are using a remote console for a tenant device, if you press the Up arrow or the Down arrow, then instead of the command history irrelevant text (that includes the device name and the tenant name) appears on the console.

    Workaround. To clear the irrelevant text, press the down arrow key a few times and then press Enter.

    Bug Tracking Number: CXU-41666

  • While you are editing a tenant, if you modify Tenant-owned Public IP Pool under Advanced Settings (optional), then the changes that you made to the Tenant-owned Public IP pool field are not reflected after the completion of the edit tenant operation job.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41139

  • The TAR file installation of a distributed deployment fails. This issue occurs if the version of the bare-metal server that you are using is later than the recommended version.

    Workaround: You must install the python-dev script before running the deploy-sh script.

    After you extract the CSO TAR file on the bare-metal server:

    1. Navigate to the /etc/apt directory and execute the following commands:

      • cp sources.list sources.list.cso

      • cp orig-sources.list sources.list

    2. Install the python2.7-dev script by running the following commands:

      • apt-get update && apt-get install python2.7-dev

      • cp sources.list.cso sources.list

    3. Navigate to the /root/Contrail_Service_Orchestration_5.1.0 folder and then run the script.

    Bug Tracking Number: CXU-41845

  • The Users page continues to display the name of the user that you deleted. This is because the Users page is not automatically refreshed.

    Workaround: Manually refresh the page.

    Bug Tracking Number: CXU-41793

  • After ZTP of an NFX Series device, the status of some tunnels are displayed as down. This issue occurs if you are using the subnet IP address192.168.2.0 on WAN links, which causes an internal IP address conflict.

    Workaround: Avoid using the subnet on WAN links.

    Bug Tracking Number: CXU-41511

  • If you have installed CSO Release 5.1 on a single node and if there is a power failure, the UI is not accessible even if the power resumes.


    1. On the infraservices virtual machine (VM),
      1. Stop the kubernetes and dockers on both infra service and microservice by running the service kubelet stop and service docker stop commands.

      2. Navigate to the /var/lib/docker/containerd/daemon/io.containerd.metadata.v1.bolt folder and take a backup of the meta.db file.

        root@k8-infra1-vm:~# cd /var/lib/docker/containerd/daemon/io.containerd.metadata.v1.bolt/
        root@k8-infra1:/var/lib/docker/containerd/daemon/io.containerd.metadata.v1.bolt# mv meta.db meta.db.bak
      3. Navigate to the /var/lib/docker folder and take a backup of the network file.

        root@k8-infra1-vm:/var/lib/docker/containerd/daemon/io.containerd.metadata.v1.bolt# cd /var/lib/docker
        root@k8-infra1:/var/lib/docker# mv network network_bkp
    2. On the microservice VM,
      1. Stop the kubernetes and dockers on both infra service and microservice by running the service kubelet stop and service docker stop commands.

      2. Navigate to the /var/lib/docker/containerd/daemon/io.containerd.metadata.v1.bolt folder and take a backup of the meta.db file.

        root@k8-microservices_1:~# cd /var/lib/docker/containerd/daemon/io.containerd.metadata.v1.bolt/
        root@k8-microservices_1:/var/lib/docker/containerd/daemon/io.containerd.metadata.v1.bolt# mv meta.db meta.db.bak
      3. Navigate to the /var/lib/docker folder and take a backup of the network file.

        root@k8-microservices_1:/var/lib/docker/containerd/daemon/io.containerd.metadata.v1.bolt# cd /var/lib/docker
        root@k8-microservices_1:/var/lib/docker# mv network network_bkp
    3. Restart the kubernetes and dockers on both infra service and microservice by running the service docker start and service kubelet start commands.
    4. Navigate to the Contrail_Service_Orchestration_ folder and run the script on the bare-metal server to enable traffic flow from outside the network.
      root@ccra-68:~/Contrail_Service_Orchestration_/ci_cd# ./
    5. On the Startup server, run the kubectl delete pods –all -n central && kubectl delete pods –all -n regional command to restart CS0 microservices.

    Bug Tracking Number: CXU-41460

  • In the CSO GUI, in the LAN tab of a next-generation firewall site with a LAN switch, when you click the arrow icon next to a LAN segment, the ports displayed in the Switch Ports field disappear.

    Workaround: Hover over the +number of ports link in the Switch Ports column to view the list of ports on the LAN.

    Bug Tracking Number: CXU-42608

  • Installation of licenses on an SRX4200 dual CPE cluster by using CSO is failing.

    Workaround: Install the licenses manually. To install the licenses manually:

    1. Copy the license files for both the devices to the primary node of the cluster.
    2. Install the license on the primary device.
    3. Copy the license file of the backup node to the backup node.
    4. Log in to the backup node and install the license.

    Bug Tracking Number: CXU-40522

  • When you back up an SD-WAN report generated in CSO Release 4.1.1 and restore it in CSO Release 5.1.1, an error appears when you try to download the report, and the report is not downloaded.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42395

  • When you configure a CPE behind NAT, DVPN tunnels stay between an Internet link that is behind NAT and an Internet link that is not behind NAT due to a wrong external interface in the IPsec configuration.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-43217