Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues

 

This section lists known issues in Juniper Networks CSO Release 5.2.0.

SD-WAN

  • On an enterprise hub, when there are no non-data center departments, the SD-WAN policy deploy job may return the following message and fail:

    No update of SD-WAN policy configuration on device due to missing required information.

    Workaround: There is no functional impact; the deploy job completes successfully when a non-data center department with a LAN segment is deployed on an enterprise hub.

    Bug Tracking Number: CXU-31365

  • While provisioning a dual CPE SRX Series cluster as an enterprise hub with the multi-access shared bearer (MASB) configuration, the stage-1 configuration fails to commit because untagged logical interfaces are not supported on the device interface when MASB is configured.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42201

  • Traffic is not load balancing in the Active-Active mode with cloud breakout for IPSec tunnels.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-43136

  • The infotip for the ADSL_ENCAP parameter in the SRX as SDWAN CPE device profile incorrectly indicates to encapsulation used to connect to the ADSL service provider through PPPoE. The ADSL_ENCAP parameter does not apply to PPPoE, but to PPPoA.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-46189

Hybrid WAN

  • Fortinet service chaining is failing on NFX250

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42188

SD-LAN

  • The phone-home process might not be triggered if you zeroize an EX Series switch and commit the configuration manually on the switch.

    Workaround: To trigger the phone-home process, run the delete chassis auto-image-upgrade command and commit the delete operation.

    Bug Tracking Number: CXU-39129

  • The deployment of a port profile fails if the values you have configured for the firewall filter are not supported on the device running Junos OS.

    Workaround:

    • Edit the firewall filter.

    • Update the values according to the supported configuration specified for a firewall filter, in this link.

    • Redeploy the port profile.

    Bug Tracking Number: CXU-39629

  • CSO is unable to configure access ports on the EX4600 and EX4650 devices after you zeroize the device because a default VLAN is configured on all the ports after zeroizing.

    Workaround: Load the factory-default configuration if you zeorize the EX4600 and EX4650 devices or delete the default VLAN configuration from all the ports of the members by using commands such as # wildcard range delete interfaces xe-0/0/[0-23].

    Bug Tracking Number: CXU-42865

  • When adding a switch to an already provisioned site, the site state is set to Provisioned in CSO. Therefore, a link to copy the stage-1 configuration for manually activating the EX Series device does not appear. You must set the state of a site to Provisioned only when all the devices in the site are provisioned.

    Workaround: Delete the device from CSO and add the device again after rectifying the reason for provision failure.

    Bug Tracking Number: CXU-40647

  • The chassis view for an EX2300 Virtual Chassis appears blank when the device resources are used up and the request for getting a response from the device times out.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-42866

  • ZTP of an EX Series switch fails if you add the switch behind an enterprise hub.

    Workaround: For onboarding an EX Series switch behind an enterprise hub, manually configure the stage-1 configuration on the switch.

    Bug Tracking Number: CXU-38994

  • You cannot edit a standalone SD-LAN site though the Edit Site button is enabled.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-45918

  • While configuring an SD-WAN site with an EX switch, the VLAN value that you enter for a LAN segment is not saved if you enable CPE ports in the LAN segment.

    Workaround: Reenter the VLAN value after you add the CPE ports to the LAN segment.

    Bug Tracking Number: CXU-45943

Security Management

  • If a provider hub is used by two tenants, one with public key infrastructure (PKI) authentication enabled and other with preshared key (PSK) authentication enabled, the commit configuration operation fails. This is because only one IKE gateway can point to one policy and if you define a policy with a certificate then the preshared key does not work.

    Workaround: Ensure that the tenants sharing a provider hub use the same type of authentication (either PKI or PSK) as the provider hub device.

    Bug Tracking Number: CXU-23107

  • If UTM Web-filtering categories are installed manually (by using the request system security UTM web-filtering category install command from the CLI) on an NFX150 device, the intent-based firewall policy deployment from CSO fails.

    Workaround: Uninstall the UTM Web-filtering category that you installed manually by executing the request security utm web-filtering category uninstall command on the NFX150 device and then deploy the firewall policy.

    Bug Tracking Number: CXU-23927

  • If SSL proxy is configured on a dual CPE device and if the traffic path is changed from one node to another node, the following issue occurs:

    • For cacheable applications, if there is no cache entry the first session might fail to establish.

    • For non-cacheable applications, the traffic flow is impacted.

    Workaround: None.

    Bug Tracking Number: CXU-25526

  • When CSO is upgraded to release 5.2.0, there are 15 LAN ports in the SRX1500 dual CPE device template, when the actual number of LAN ports should be four.

    Workaround: Clone the SRX1500 dual CPE device template and remove the extra 11 LAN ports from the template. Use the cloned device template to onboard an SRX1500 dual CPE device to CSO.

    Bug Tracking Number: CXU-45889

Site and Tenant Workflow

  • On a site with an NFX250 device and EX Series switch, the EX Series switch is not detected if there are no LAN segments.

    Workaround: Onboard the site with at least one LAN segment.

    Bug Tracking Number: CXU-38960

  • Provisioning an SRX340 device as next-generation firewall by using CSO is failing when Junos OS 19.3R2 is installed on the device.

    Workaround: Disable AUTO_INSTALL_DEFAULT_TRUSTED_CERTS_TO_DEVICE option in Device Template during ZTP.

    Bug Tracking Number: CXU-43362

General

  • In next-generation firewall sites with LAN, the recall of EX2300 and EX3400 devices with the zeroize option does not work. This issue occurs because EX2300 and EX3400 do not support the zeroize option.

    Workaround: Manually clean up the EX2300 and EX3400 devices.

    Bug Tracking Number: CXU-35208

  • You cannot filter the device ports for SRX Series devices while adding an on-premises spoke site or while adding a switch.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32826

  • UTM Web filtering fails at times even though the Enhanced Web Filtering (EWF) server is up and online.

    Workaround: From the device, configure the EWF Server with the IP address 116.50.57.140 as shown in the following example:

    root@SRX-1# set security utm feature-profile web-filtering juniper-enhanced server host 116.50.57.140

    Bug Tracking Number: CXU-32731

  • If you click a specific application on the Resources > Sites Management > WAN tab > Top applications widget, the Link Performance widget does not display any data.

    Workaround: You can view the data from the Monitoring >Application Visibility page or Monitoring >Traffic Logs page.

    Bug Tracking Number: CXU-39167

  • While adding a spoke site if you add and associate one or more departments with one or more LAN segments, sometimes the department's VRF tables might not be created at the enterprise hub. This causes the enterprise hub's 0/0 (default) route to be missing in the spoke site department's VRF tables.

    Workaround: Delete and redeploy the LAN segments.

    Bug Tracking Number: CXU-37770

  • When DVPN tunnels (GRE_IPSEC tunnels) are established between a pair of SRX3XX devices that have Internet WAN links behind NAT, the GRE OAM status of the tunnels is displayed as DOWN and hence the tunnels are marked as DOWN and not usable for traffic.

    Workaround : Disable the GRE OAM keepalive configuration to make the tunnel usable for traffic.

    Bug Tracking Number: CXU-41281

  • The health check in the CAN node fails while you run the deploy.sh script on the startup server during the HA deployment. This is because the Kafka process is inactive in one of the CAN nodes.

    Workaround:

    1. Log in to the CAN node.
    2. Run the docker restart analyticsdb analytics controller command and wait for around 10 minutes.
    3. Rerun the components_health_check.sh script on the startup server.
    4. If the CAN node components are still unhealthy, repeat 2 and 3.

    If all the components are healthy, then proceed with the installation.

    Bug Tracking Number: CXU-41232

  • Alarms are not getting generated if the date and time is not in sync with the NTP server.

    Workaround: CSO and devices must be NTP-enabled. Make sure CSO and device time are in sync.

    Bug Tracking Number: CXU-40815

  • The firewall policy deployment fails if the system has more than 10,000 addresses.

    Workaround: In the elasticsearch.yml file, update the index.max_result_window parameter to 20000.

    Bug Tracking Number: CXU-41678

  • After Network Address Translation (NAT), only one DVPN tunnel is created between two spoke sites if the WAN interfaces (with link type as Internet) of one of the spoke site have the same public IP address.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41210

  • On an SRX Series device, the deployment fails if you use the same IP address in both the Global FW policy and the Zone policy.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41259

  • In case of an AppQoE event (packet drop or latency), the application may not switch to the best available path among the available links.

    Workaround: Reboot the device.

    Bug Tracking Number: CXU-41922

  • While you are using a remote console for a tenant device, if you press the Up arrow or the Down arrow, then instead of the command history irrelevant text (that includes the device name and the tenant name) appears on the console.

    Workaround. To clear the irrelevant text, press the down arrow key a few times and then press Enter.

    Bug Tracking Number: CXU-41666

  • While you are editing a tenant, if you modify Tenant-owned Public IP Pool under Advanced Settings (optional), then the changes that you made to the Tenant-owned Public IP pool field are not reflected after the completion of the edit tenant operation job.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41139

  • The TAR file installation of a distributed deployment fails. This issue occurs if the version of the bare-metal server that you are using is later than the recommended version.

    Workaround: You must install the python-dev script before running the deploy-sh script.

    After you extract the CSO TAR file on the bare-metal server:

    1. Navigate to the /etc/apt directory and execute the following commands:

      • cp sources.list sources.list.cso

      • cp orig-sources.list sources.list

    2. Install the python2.7-dev script by running the following commands:

      • apt-get update && apt-get install python2.7-dev

      • cp sources.list.cso sources.list

    3. Navigate to the /root/Contrail_Service_Orchestration_5.1.0 folder and then run the deploy.sh script.

    Bug Tracking Number: CXU-41845

  • The Users page continues to display the name of the user that you deleted. This is because the Users page is not automatically refreshed.

    Workaround: Manually refresh the page.

    Bug Tracking Number: CXU-41793

  • After ZTP of an NFX Series device, the status of some tunnels are displayed as down. This issue occurs if you are using the subnet IP address192.168.2.0 on WAN links, which causes an internal IP address conflict.

    Workaround: Avoid using the 192.168.2.0 subnet on WAN links.

    Bug Tracking Number: CXU-41511

  • In the CSO GUI, in the LAN tab of a next-generation firewall site with a LAN switch, when you click the arrow icon next to a LAN segment, the ports displayed in the Switch Ports field disappear.

    Workaround: Hover over the +number of ports link in the Switch Ports column to view the list of ports on the LAN.

    Bug Tracking Number: CXU-42608

  • Installation of licenses on an SRX4200 dual CPE cluster by using CSO is failing.

    Workaround: Install the licenses manually. To install the licenses manually:

    1. Copy the license files for both the devices to the primary node of the cluster.
    2. Install the license on the primary device.
    3. Copy the license file of the backup node to the backup node.
    4. Log in to the backup node and install the license.

    Bug Tracking Number: CXU-40522

  • Image upgrade on an SRX4X00 Series cluster fails as the ISSU upgrade command throws an error due to real-time performance monitoring (RPM) configuration.

    Workaround: To upgrade an SRX4X00 Series cluster:

    1. Log in to CSO Customer Portal and apply the srx-rouser configuration template on the primary device in the cluster.
    2. Deploy the configuration template on the primary device by enabling the Admin option for the device.
    3. Copy the image to be upgraded on to both the primary and the backup devices by using CSO or manually.
    4. After the image is copied on both the primary and the backup devices, access the Remote Console option for the device from CSO.
    5. Log in to the backup device from the primary device:
    6. On the backup device, issue the upgrade command request system software add /var/tmp/<image-name> no-validate.
    7. After the image on the backup device is upgraded successfully, open another remote console on the primary device and upgrade the image on the primary device.
    8. Reboot the backup device.
    9. Immediately open another remote console and reboot the primary device.
    10. After both the devices are up, redeploy the srx-rouser template on the primary device by disabling the Admin option.

    The image is now upgraded on both the devices of the cluster.

    Bug Tracking Number: CXU-39491

  • Link metric widgets do not show data as expected when an analytics node is down.

    Workaround: Bring up the analytics node to view link metric widgets correctly.

    Bug Tracking Number: CXU-30813

  • When you install the license on the backup node of an SRX dual CPE cluster, the installation fails.

    Workaround: To install license on the backup node of an SRX dual CPE cluster by using CSO:

    1. Install license on the primary node by using CSO
    2. Reboot the primary node to switch the backup node to function as the primary node.
    3. After the backup node becomes the primary node, install license for the backup node (currently working as the primary node) by using CSO.

    Bug Tracking Number: CXU-43085

  • If you delete a tenant that has e-mail notification enabled, and then add the same tenant back to CSO, the send e-mail notification option for alarms is enabled by default and the tenant receives e-mail notifications for alarms.

    Workaround: Disable the send e-mail notification option before you delete the tenant to stop receiving e-mail notification for alarms. Also, disable the send e-mail notification option after you add the same tenant back to CSO.

    Bug Tracking Number: CXU-45973

  • ZTP fails on SRX345 and vSRX due to issues with loading default certificates.

    Workaround: Retry ZTP after you disable default certificates in the device profile.

    Bug Tracking Number: CXU-45904

  • On devices running Junos OS 19.3R2-S2, the SLA reason field (Actual Delay, Expected Delay, Jitter, Loss) for a Link Switch event is missing in the WAN tab of the Site Management page.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-43653

  • The Install Signature page does not reflect the correct OS version for a spoke site after the image on the device is upgraded.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-36373

  • On the Site Management page for an OpCo, the operational status of a provider hub is displayed as N/A when the status is actually up.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-45924

  • When you clone a site template containing a next-generation firewall and a switch, you may not be able to clone some of the fields in the cloned template.

    Workaround: Create a new template with a next-generation firewall and a switch instead of cloning.

    Bug Tracking Number: CXU-45919

  • Some of the IP addresses in the 10.0.0.0/8 subnet are reserved and used for GRE and OAM secure (st0) interfaces and for NFX250 internal communication. So, if you use IP addresses within the 10.0.0.0/8 subnet for your LAN segment and if the IP addresses overlap with the reserved IP addresses, there can be a communication problem.

    Workaround: Avoid using IP addresses in the 10.0.0.0/8 subnet for your LAN segments.

    Bug Tracking Number: CXU-46223