Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Known Issues

 

This section lists known issues in Juniper Networks CSO Release 5.3.0.

SD-WAN

  • If a provider hub is used by two tenants, one with public key infrastructure (PKI) authentication enabled and other with preshared key (PSK) authentication enabled, the commit configuration operation fails. This is because only one IKE gateway can point to one policy and if you define a policy with a certificate, then the preshared key does not work.

    Workaround: Ensure that the tenants sharing a provider hub use the same type of authentication (either PKI or PSK) as the provider hub device.

    Bug Tracking Number: CXU-23107

  • Sometimes, jobs to update NAT information are not getting triggered. Therefore, NAT port assigned to a DVPN IPsec configuration is incorrect.

    Workaround: Delete and create the DVPN tunnels manually by using the CSO GUI.

    Bug Tracking Number: CXU-46183

  • While creating an IPsec tunnel between an Internet link that is behind NAT in a spoke to an MPLS link in an ENT hub, wrong NAT interface is configured on the IPsec tunnel. Therefore, the tunnel fails to be created.

    Workaround: You must trigger a NAT update job immediately to assign the correct NAT IP to static tunnel.

    Bug Tracking Number: CXU-46185

  • When configuring a DVPN tunnel between two devices, if one device is not functional while the other is functional, the DVPN tunnel should not be configured on the device that is functional.

    Workaround: There is no known workaround. If a DVPN tunnel is configured on the functional device, delete the tunnel manually.

    Bug Tracking Number: CXU-46188

  • VNFs are not coming up in NFX150 running on Junos OS Release 19.3R2-S3 due to non availability of the required number of CPUs.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-49268

  • Upgrade of Junos OS Release 15.1X49-D172 to Junos OS Release 19.3R2-S3 fails on SRX 4100, SRX4200, and SRX300 dual CPE clusters, when functioning as enterprise hubs, due to incorrect IPsec configuration and CLI validations.

    Workaround: To upgrade the Junos OS image from Release 15.1X49-D172 to Release 19.3R2-S3:

    1. Log in to Customer Portal.
    2. Navigate to Resources > Templates > Configuration Template.
    3. Select the srx-rouser template and click Deploy to Devices.

    4. Select the device that you want to upgrade and click Next.
    5. Select Is Admin for the device and click Next.

      The Configure Device Parameters tab is displayed.

    6. Select the device that you want to upgrade and click the Set Parameters button above the Device table.

      The Device Configuration for the Device page appears.

    7. Click the Is Admin toggle button to enable the Is Admin option.

      The rouser gets administrator privileges.

    8. Click Save to save the configuration.
    9. Click Next.

      The Deploy tab is displayed.

    10. Select Run now for Choose Deployment Time.
    11. Click Finish.
    12. Access the terminal of the primary device.

      To access the device terminal:

      1. Navigate to Resources > Devices.
      2. Select the device and click More > Remote Console.
    13. On the device console, access the shell and enter the following command:
    14. Copy the output displayed to a text file.
    15. Again, enter the following command:
    16. Append the text file with the output of the command executed in Step 15.
    17. Switch to edit mode on the device by typing Edit at the command prompt.
    18. Copy the commands from the text file and paste them into the device CLI.
    19. Copy the Junos OS Release 19.3R2-S3 image to the device either by using CSO or manually.

      To copy the image to the device by using CSO:

      1. Switch to Administration Portal.
      2. Navigate to Resources > Images.
      3. Click the Add icon (+) to upload the image.
      4. Wait until the upload is successful.
      5. Switch to Customer Portal.
      6. Navigate to Resources > Images and select the uploaded image.
      7. Click Stage.
      8. On the Stage Image page, select the device, ensure Run Now is selected for Choose Deployment time, and click OK.

        The device image is copied only to the primary device.

    20. Copy the image to the backup device.

      To copy the image to the backup device, access the remote terminal of the backup device by referring to Step12 and enter the following command:

    21. After the image is copied to both the primary and the backup devices, access the Remote Console option of the primary device from CSO.
    22. Log in to the backup device from the primary device:
    23. On the backup device, issue the upgrade command request system software add /var/tmp/image-name no-validate.
    24. After the image on the backup device is upgraded successfully, open another remote console on the primary device and upgrade the image on the primary device.
    25. Reboot the backup device.
    26. Immediately open another remote console and reboot the primary device.
    27. After both the devices are up, redeploy the srx-rouser template on the primary device by disabling the Admin option.

    Bug Tracking Number: CXU-50068

  • When you edit an enterprise hub site by adding a WAN link, static tunnels are not established with connected spoke sites automatically.

    Workaround: Reconfigure the static tunnels with connected spoke sites manually.

    Bug Tracking Number: CXU-44427

SD-LAN

  • CSO is unable to configure access ports on the EX4600 and EX4650 devices after you zeroize the device because a default VLAN is configured on all the ports after zeroizing.

    Workaround: Load the factory-default configuration if you zeorize the EX4600 and EX4650 devices or delete the default VLAN configuration from all the ports of the members by using commands such as # wildcard range delete interfaces xe-0/0/[0-23].

    Bug Tracking Number: CXU-42865

  • When adding a switch to an already provisioned site, the site state is set to Provisioned in CSO. Therefore, a link to copy the stage-1 configuration for manually activating the EX Series device does not appear. You must set the state of a site to Provisioned only when all the devices in the site are provisioned.

    Workaround: Delete the device from CSO and add the device again after rectifying the reason for provision failure.

    Bug Tracking Number: CXU-40647

  • ZTP of an EX Series switch fails if you add the switch behind an enterprise hub.

    Workaround: For onboarding an EX Series switch behind an enterprise hub, manually configure the stage-1 configuration on the switch.

    Bug Tracking Number: CXU-38994

  • While configuring an SD-WAN site with an EX switch, the VLAN value that you enter for a LAN segment is not saved if you enable CPE ports in the LAN segment.

    Workaround: Reenter the VLAN value after you add the CPE ports to the LAN segment.

    Bug Tracking Number: CXU-45943

  • The chassis view of an EX Series Virtual Chassis may not reflect the correct status of the Virtual Chassis Ports (VCP).

    Workaround: There is no known workaround.

  • When you select all VLANs for deletion and if any of the selected VLAN is connected to a CPE port, the VLANs are not deleted. An error message appears and a job to delete the VLANs is created in CSO. The jobs appears successful and the status of the VLANs appear as Delete Pending.

    Workaround: When VLANS are selected for deletion and if any of the VLANS are connected to a CPE port, remove the VLAN configuration from the CPE port and then delete the VLAN.

  • When you reboot an EX Series switch that is configured behind a CPE, the EX Series switch is unable to connect back to CSO as it does not get the DHCP information from the CPE.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-47062

Next-Generation Firewall

  • Upgrade of a next-generation firewall from CSO Release 5.2.0 to CSO Release 5.3.0 fails when SSL policies are deployed in the firewall.

    Workaround: Deploy SSL policies after the upgrading the firewall from CSO Release 5.2.0 to CSO Release 5.3.0.

    Bug Tracking Number: CXU-50316

Security Management

  • If UTM Web-filtering categories are installed manually (by using the request system security UTM web-filtering category install command from the CLI) on an NFX150 device, the intent-based firewall policy deployment from CSO fails.

    Workaround: Uninstall the UTM Web-filtering category that you installed manually by executing the request security utm web-filtering category uninstall command on the NFX150 device and then deploy the firewall policy.

    Bug Tracking Number: CXU-23927

General

  • If you click a specific application on the Resources > Sites Management > WAN tab > Top applications widget, the Link Performance widget does not display any data.

    Workaround: You can view the data from the Monitoring >Application Visibility page or Monitoring >Traffic Logs page.

    Bug Tracking Number: CXU-39167

  • After Network Address Translation (NAT), only one DVPN tunnel is created between two spoke sites if the WAN interfaces (with link type as Internet) of one of the spoke site have the same public IP address.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41210

  • On an SRX Series device, the deployment fails if you use the same IP address in both the Global FW policy and the Zone policy.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41259

  • Tenant owned Public IP Pool can be edited until the first SD-WAN site is onboarded in that tenant. After you onboard an SD-WAN site, Tenant owned Public IP Pool cannot be edited.

    Bug Tracking Number: CXU-41139

  • The Users page continues to display the name of the user that you deleted. This is because the Users page is not automatically refreshed.

    Workaround: Manually refresh the page.

    Bug Tracking Number: CXU-41793

  • After ZTP of an NFX Series device, the status of some tunnels are displayed as down. This issue occurs if you are using the subnet IP address192.168.2.0 on WAN links, which causes an internal IP address conflict.

    Workaround: Avoid using the 192.168.2.0 subnet on WAN links.

    Bug Tracking Number: CXU-41511

  • In the CSO GUI, in the LAN tab of a next-generation firewall site with a LAN switch, when you click the arrow icon next to a LAN segment, the ports displayed in the Switch Ports field disappear.

    Workaround: Hover over the +number of ports link in the Switch Ports column to view the list of ports on the LAN.

    Bug Tracking Number: CXU-42608

  • Installation of licenses on SRX1500 and SRX4200 dual CPE clusters by using CSO is failing.

    Workaround: Install the licenses manually. To install the licenses manually:

    1. Copy the license files for both the devices to the primary node of the cluster.
    2. Install the license on the primary device.
    3. Copy the license file of the backup node to the backup node.
    4. Log in to the backup node and install the license.

    Bug Tracking Number: CXU-40522

  • Image upgrade on an SRX4X00 Series cluster fails as the ISSU upgrade command throws an error due to real-time performance monitoring (RPM) configuration.

    Workaround: To upgrade an SRX4X00 Series cluster:

    1. Log in to CSO Customer Portal and apply the srx-rouser configuration template on the primary device in the cluster.
    2. Deploy the configuration template on the primary device by enabling the Admin option for the device.
    3. Copy the image to be upgraded on to both the primary and the backup devices by using CSO or manually.
    4. After the image is copied on both the primary and the backup devices, access the Remote Console option for the device from CSO.
    5. Log in to the backup device from the primary device:
    6. On the backup device, issue the upgrade command request system software add /var/tmp/<image-name> no-validate.
    7. After the image on the backup device is upgraded successfully, open another remote console on the primary device and upgrade the image on the primary device.
    8. Reboot the backup device.
    9. Immediately open another remote console and reboot the primary device.
    10. After both the devices are up, redeploy the srx-rouser template on the primary device by disabling the Admin option.

    The image is now upgraded on both the devices of the cluster.

    Bug Tracking Number: CXU-39491

  • Link metric widgets do not show data as expected when an analytics node is down.

    Workaround: Bring up the analytics node to view link metric widgets correctly.

    Bug Tracking Number: CXU-30813

  • When you install the license on the backup node of an SRX dual CPE cluster, the installation fails.

    Workaround: To install license on the backup node of an SRX dual CPE cluster by using CSO:

    1. Install license on the primary node by using CSO
    2. Reboot the primary node to switch the backup node to function as the primary node.
    3. After the backup node becomes the primary node, install license for the backup node (currently working as the primary node) by using CSO.

    Bug Tracking Number: CXU-43085

  • While you deploy the VRRP configuration templates on a SRX Series or EX Series devices, the template does not render as expected on the Devices page of the CSO GUI.

    Workaround: Edit and save the VRRP configuration template without making any changes for the VRRP template to render correctly on the CSO GUI for SRX Series and EX Series devices.

  • CSO does not support cluster-level Return Material Authorization (RMA) for SRX Series dual CPE devices. Only cluster node-level RMA is supported.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32157

  • ZTP with phone-home client does not work if PPPoE is enabled on the OAM link with xDSL or Ethernet interfaces.

    Workaround: Copy the Stage-1 configuration to the device to connect the device to CSO and provision the device.

    Bug Tracking Number: CXU-50427

  • Deleting an SRX345 dual CPE is failing. However, the site related to the SRX345 device is deleted from the CSO GUI.

    Workaround: There is no known workaround.