Known Behavior
This section lists known behavior, system maximums, and limitations in hardware and software in Juniper Networks CSO Release 5.1.1.
Install and Upgrade
After upgrading from CSO Release 4.1.1 to CSO Release 5.1.1, you must modify the IP address of the virtual route reflector (VRR) configuration.
To modify the IP address of the VRR, connect to VRR-1 VM and change the public IP address of VRR-1 to 192.168.10.29/32. Similarly, connect to VRR-2 VM and change the IP address of VRR-1 to 192.168.10.30/32.
While upgrading from CSO Release 5.0.x to CSO Release 5.1.1, the upgrade of a site with NFX250 device may fail due to connectivity issues.
Note To use the CPE behind NAT and multi-service shared bearer (MSSB) features, you must upgrade sites configured in the earlier releases of CSO as follows:
When upgrading from CSO Release 5.0.x to CSO Release 5.1.1, any site with OAM or OAM-DATA hub must also be upgraded to CSO Release 5.1.1. Upgrade of enterprise hubs, data hubs, and spoke sites to CSO Release 5.1.1 is optional.
When upgrading from CSO Release 5.1.0 to CSO Release 5.1.1, upgrade of sites (both hub and spoke) to CSO Release 5.1.1 is optional.
When upgrading from CSO Release 4.1.1 to CSO Release 5.1.1, any site with OAM or OAM-DATA hub must also be upgraded to CSO Release 5.1.1. Upgrade of enterprise hubs, data hubs, and spoke sites to CSO Release 5.1.1 is optional.
While upgrading from CSO Release 4.1.1 to CSO Release 5.1.1, to avoid issues because of user or group permissions, you must run the following commands on all the infrastructure nodes to back up Elasticsearch data:
service elasticsearch stop usermod -u 2001 elasticsearch groupmod -g 2001 elasticsearch chown -R elasticsearch:elasticsearch /var/log/elasticsearch chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/ chown -R elasticsearch:elasticsearch /var/lib/elasticsearch chown -R elasticsearch:elasticsearch /mnt/data/elasticsearch chown -R elasticsearch:elasticsearch /home/elasticsearch chown -R root:elasticsearch /etc/elasticsearch service elasticsearch restart
After you upgrade to CSO Release 5.1.1, you must change the etcd values of the hostname and IP address of the south-bound load balancer (SBLB) host to the match the values in CSO Release 4.1.1 to maintain the same connections between the nodes as in CSO Release 4.1.1.
To update the etcd values, execute the following commands in the startup server:
kubectl exec -it etcd-etcd-0 bash -n infraetcdctl set /csp/infra/fmpmlb/host <virtual IP address of SBLB in CSO Release 4.1.1>etcdctl set /telemetryconverter/virtualhostname '''{"regional": "SBLB hostname in CSO Release 4.1.1", "central": ""}'''
While you upgrade from CSO Release 4.1.1 to CSO Release 5.1.1, MariaDB might fail to restore at the first attempt. MariaDB is restored successfully in the next attempt.
Device Management
CSO does not support cluster-level Return Material Authorization (RMA) for SRX dual CPE devices. Only cluster node-level RMA is supported.
The SRX4100 and SRX4200 devices support all existing SD-WAN features, except the following:
Phone-home client (PHC)—The devices must be manually activated by copying the stage-1 configuration from the CSO portal, pasting it to the console of the SRX4100 and SRX4200 devices, and then committing the stage-1 configuration.
LTE and xDSL interfaces.
In a dual SRX Series cluster, the devices must be manually activated by copying the stage-1 configuration from the CSO portal, pasting it to the console of the SRX Series device, and then committing the configuration.
LTE is not supported for dual CPE devices.
You cannot remotely access a cloud spoke device and edit the configuration.
You can intall and use only an external LTE Vodafone K5160 dongle to the NFX250 device.
Dynamic VPN (DVPN)
Creation and deletion of DVPN tunnels based on the DVPN create and delete thresholds are governed by the
MAX_DVPN_TUNNELSand MIN_TUNNELS_TO_START_DVPN_DEACTIVATE parameters, respectively. However,MAX_DVPN_TUNNELSandMIN_TUNNELS_TO_START_DVPN_DEACTIVATEare not honored when DVPNs are created or deleted from the CSO UI. This might cause the total active DVPN tunnels count on the Site > WAN tab to show a greater value than theMAX_DVPN_TUNNELSvalue configured for that site.DVPN create and delete thresholds are based on the APPTRACK_SESSION_CLOSE messages. When APPTRACK_SESSION_CLOSE messages reach the specified threshold, an alarm is generated for creating or deleting a DVPN tunnel. However, the alarms are not cleared until the APPTRACK_SESSION_CLOSE message count goes below the threshold (for create alarms) or above the threshold (for delete alarms) to trigger a fresh cycle. This causes the create and delete alarms to remain active and prevent further alarms and to, thus, slow down the creation or deletion of tunnels.
Passive probes created by an SD-WAN policy time out because of inactivity in 60 seconds. This causes CSO to close the corresponding sessions and trigger
APPTRACK_SESSION_CLOSEmessages. TheAPPTRACK_SESSION_CLOSEmessages are tracked and added to the number of sessions closed. The sessions closed count is used to calculate the DVPN delete threshold.DVPN is not supported for cloud spoke sites.
Policy Deployment
An SD-WAN policy deployment is successful even if there is no matching WAN link meeting the SLA. This is expected behavior and it ensures that when a WAN link matching the SLA becomes available, traffic is routed through that link.
The policy intents defined for a firewall or an SD-WAN policy must not have conflicts with other policy intents in that policy because such conflicts lead to inconsistent behavior. For example:
You cannot define an SD-WAN policy with one policy intent for application X and SLA profile S-1 and another policy intent for application X and SLA profile S-2.
You cannot define two firewall policy intents with the same source and destination endpoints but one with action Allow and another with action Deny.
You must not start the Custom Application Signature name or Custom Application Signature Group name with the keyword Junos. This keyword is reserved for only predefined applications.
SD-WAN
If WAN link endpoints are not of similar type but overlay tunnels are created based on matching mesh tags, the static policy for site-to-site or central Internet breakout traffic gives preference to the remote link type.
Advanced SLA configurations, such as CoS rate limiting, are not supported during local breakout if no specific application is selected; that is, if Application is set to ANY. Choose specific applications if you want to enable advanced SLA configurations, such as CoS rate limiting.
If two or more SD-WAN policy rules are configured for the same application with different levels of granularity, such as all, sites, and departments, then CSO applies the CoS rate limiter in the same order in which you have created the intents.
On the WAN tab of the Site-Name page, the link metrics graph displays aggregated data. Therefore, in cases where the aggregation interval overlaps between source and destination link data, the link metrics graph displays incorrect data.
On the SD-WAN Events page, when you hover the mouse over the Reason field of link switch events, sometimes Above Target is displayed instead of the absolute SLA metric value for very large values (for example, for an SLA metric value that is 100 times the target value).
When an SD-WAN policy is deployed and a high rate of traffic flows through the CPE device, this might lead to network congestion and introduce delays or cause traffic loss. However, even though an SLA violation is reported, the traffic does not switch to a different link.
In device redundancy mode, when you reboot a node, the device fails to generate a few system logs. Because a few system logs are not generated, the link switch event in CSO displays the same interface as the source interface and the destination interface.
Sometimes duplicate link switch events are displayed on the Link Switch Events page.
You cannot use an NFX150 dual CPE device for deploying SD-WAN services.
SD-LAN
Overlapping LAN segments are not supported within a tenant network.
PHC is supported for EX2300, EX3400, and EX4300 Series switches (except EX4300-MP) with only Junos OS Release 18.4R2 and later. CSO Release is qualified for Junos OS Release 18.3R1, and the PHC capability is currently not supported for EX switches that are onboarded with Junos OS release 18.3R1.
If the PHC capability is not supported for EX switches, you must manually copy the stage-1 configuration from the CSO portal and paste it to the device console to commit the stage-1 configuration when you create a LAN site or activate an EX series switch.
Do not zeroize EX2300 and EX3400 devices as doing so might result in unexpected behavior.
When a Virtual Chassis member goes down, the chassis view shows the last known status of the Virtual Chassis member ports until the member is up again.
Security Management
UTM Web filtering is not supported in an active-active SRX Series cluster device.
Performance of SSL proxy may not be as expected on SRX300 and SRX320 devices.
Site and Tenant Workflow
When tenants are created, ensure that the tenant name is unique across the CSO instance; that is, the same tenant name should not be there in any of the OpCo networks on the CSO instance.
In the Add Site workflow, use IP addresses instead of hostnames for the NTP server configuration. If you are using hostnames instead of IP addresses, ensure that the hostname is DNS-resolvable; if the hostname is not DNS-resolvable, ZTP for the device fails.
CSO uses RSA-key-based authentication when establishing an SSH connection to a managed CPE device. The authentication process requires that the device has a configured root password, and you can use Administration Portal to specify the root password in the device template.
To specify a root password for the device:
- Log in to Administration Portal.
- Select Resources > Device Templates.
- Select the device template and click Edit.
- Specify the plain text root password in the ENC_ROOT_PASSWORD field.
- Click Save.
When you try to deploy a LAN segment on an SRX Series spoke device, the CSO GUI allows you to select more than one port for a LAN segment. However, for SRX Series devices, only one port for a LAN segment can be deployed; multiple ports in a LAN segment can be deployed only on NFX Series devices.
On a site with an NFX Series device, if you deploy a LAN segment without the VLAN ID specified, CSO uses an internal VLAN ID meant for internal operations and this VLAN ID is displayed in the LAN section of the Site Detail View page. There is no impact on the functionality.
Do not create departments that have names starting with default, default-reverse, mpls, internet, or default-hub because CSO uses the following departments for internal use:
Default-vpn_name
Default-reverse-vpn_name
mpls-vpn_name
internet-vpn_name
Default-hub-vpn_name
Topology
DHCP configuration on WAN links on a SD-WAN hub is not supported.
User Interface
When you use Mozilla Firefox to access the CSO GUIs, a few pages do not work as expected. We recommend that you use Google Chrome version 60 or later to access the CSO GUIs.
When you copy and paste a stage–1 configuration from Chrome version 71.0.3578.98, insert a new line, as shown in the following example, in the private key text:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,1F6A1336016A8239 ADD A NEW LINE HERE 2C638z/Lgr/g4Kw7r9lys9XWnUGbGnPpT1cc5jGq1Qbb8Nu286QsVGfrUy7Qh9sU FJkIQI9bOMNadLL7wklsnwBCVAoAYjX+haizSaZzDphT6XBzph35BN9M0Zmb+Kpn fH5i5FZx8FJixbnonCmaVrWFgWcwUi+ijUKp/h9NfE5c2W5m2VBdmRjBfjWo9jcH HV5gkkoG0Gdx7Kv60HKOMDl2YkjL4zfAzBS8J8BMmk5x6sY+GqNQOdgs7m4oXYCH 1loOYS6n9l0WDZcxXYWWeINlu6zOSIlZYVIdwaE0OMDvoA82tzTHFmMy2kA48FHJIf you do not insert the new line, the private key fails.
General
While deploying CSO, only one Redis server will be running on a pod. The Redis server automatically restarts if you restart or terminate the pod.
If you choose to purge the audit log with the Archive and Store in Local Location option selected, you need to contact Juniper Networks for accessing the locally archived audit logs. We recommend that you use the Archive and Store in Remote Location option for easy access to archived logs. When you run an audit log purge with the Archive and Store in a Remote Location option selected, ensure that the remote server where you want to archive the purged audit logs is reachable from CSO.
A LAN segment deploy job is handled in two parts in the following sequence:
LAN segment-related policies are deployed.
Firewall policies are deployed.
However, the deploy job status is updated as soon as the first part is completed. Because of this, a deploy job for a LAN segment is shown as a success even though the associated firewall policy deployment is still in progress.
On an NFX Series device:
To activate a virtualized network function (VNF), perform the following steps:
- Add the VNF to the device.
- Initiate the activation workflow and ensure that the job is 100% completed.
To retry the activation of a VNF that failed, perform the following steps:
- Deactivate the VNF.
- Remove the VNF.
- Add the VNF to the device.
- Initiate the activation workflow and ensure that the job is 100% completed.
Class-of-service (CoS) configuration on Layer 2 interfaces (ge-0/0/port number) is not supported on NFX150 CPE devices.
Enterprise hub is not supported for cloud spoke sites.