Known Issues

 

This section lists known issues in Juniper Networks CSO Release 6.0.0.

SD-WAN

  • Firmware and SD-WAN policies are not deployed on NFX250 device when you add policies manually or through auto policy jobs even though the policy intents are present after an RMA.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-55715

  • If a provider hub is used by two tenants, one with public key infrastructure (PKI) authentication enabled and the other with preshared key (PSK) authentication enabled, the commit configuration operation fails. This is because only one IKE gateway can point to one policy and if you define a policy with a certificate, then the preshared key does not work.

    Workaround: Ensure that the tenants sharing a provider hub use the same type of authentication (either PKI or PSK) as the provider hub device.

    Bug Tracking Number: CXU-23107

  • When configuring a DVPN tunnel between two devices, if one device is not functional while the other is functional, the DVPN tunnel should not be configured on the device that is functional.

    Workaround: There is no known workaround. If a DVPN tunnel is configured on the functional device, delete the tunnel manually.

    Bug Tracking Number: CXU-46188

  • VNFs do not come up on NFX150 devices running Junos OS Release 19.3R2-S3 because the required number of CPUs is not available.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-49268

  • Upgrade of Junos OS Release 15.1X49-D172 to Junos OS Release 19.3R2-S3 fails on SRX4100, SRX4200, and SRX300 dual CPE clusters, when functioning as enterprise hubs, due to incorrect IPsec configuration and CLI validations.

    Workaround: To upgrade the Junos OS image from Release 15.1X49-D172 to Release 19.3R2-S5:

    1. Log in to Customer Portal.
    2. Navigate to Resources > Templates > Configuration Template.
    3. Select the srx-rouser template and click Deploy to Devices.

    4. Select the device that you want to upgrade and click Next.
    5. Select Is Admin for the device and click Next.

      The Configure Device Parameters tab is displayed.

    6. Select the device that you want to upgrade and click the Set Parameters button above the Device table.

      The Device Configuration for the Device page appears.

    7. Click the Is Admin toggle button to enable the Is Admin option.

      The router gets administrator privileges.

    8. Click Save to save the configuration.
    9. Click Next.

      The Deploy tab is displayed.

    10. Select Run now for Choose Deployment Time.
    11. Click Finish.
    12. Access the terminal of the primary device.

      To access the device terminal:

      1. Navigate to Resources > Devices.
      2. Select the device and click More > Remote Console.
    13. On the device console, access the shell and enter the following command:
    14. Copy the output displayed to a text file.
    15. Again, enter the following command:
    16. Append the text file with the output of the command executed in Step 15.
    17. Switch to edit mode on the device by typing Edit at the command prompt.
    18. Copy the commands from the text file and paste them into the device CLI.
    19. Copy the Junos OS Release 19.3R2-S3 image to the device either by using CSO or manually.

      To copy the image to the device by using CSO:

      1. Switch to Administration Portal.
      2. Navigate to Resources > Images.
      3. Click the Add icon (+) to upload the image.
      4. Wait until the upload is successful.
      5. Switch to Customer Portal.
      6. Navigate to Resources > Images and select the uploaded image.
      7. Click Stage.
      8. On the Stage Image page, select the device, ensure Run Now is selected for Choose Deployment time, and click OK.

        The device image is copied only to the primary device.

    20. Copy the image to the backup device.

      To copy the image to the backup device, access the remote terminal of the backup device by referring to Step 12 and enter the following command:

    21. After the image is copied to both the primary and the backup devices, access the Remote Console option of the primary device from CSO.
    22. Log in to the backup device from the primary device:
    23. On the backup device, issue the upgrade command request system software add /var/tmp/image-name no-validate.
    24. After the image on the backup device is upgraded successfully, open another remote console on the primary device and upgrade the image on the primary device.
    25. Reboot the backup device.
    26. Immediately open another remote console and reboot the primary device.
    27. After both the devices are up, redeploy the srx-rouser template on the primary device by disabling the Admin option.

    Bug Tracking Number: CXU-50068

  • If you are an Opco administrator and edit the OAM and CONTROL traffic profiles after your tenants have deployed SD-WAN policy intents, then the changes are not immediately applied on your tenant devices.

    Workaround: The changes are applied to the device only when your tenants redeploy the SD-WAN policy.

    Bug Tracking Number: CXU-52482

  • You must specify the same value for the Loss Priority field on the SLA Profile page and the Traffic Type Profile page; otherwise, the Loss Priority parameter might not be applied during traffic congestion.

    Workaround: Ensure that you specify the same value for the Loss Priority field on the SLA Profile and Traffic Type Profile pages.

    Bug Tracking Number: CXU-52516

High Availability

  • The CSO 6.0.0 GUI might display wrong status updates of the primary and secondary nodes of the CSO 6.0.0 chassis cluster.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-54649

  • On an SRX4200 chassis cluster, LAN segment with aggregated interface with LLDP enabled fails.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-54985

Security Management

  • The firewall deploy job logs display old site names even after you edit the site names.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-54184

  • On NFX150 and NFX250 devices, firewall policies are not applied automatically after RMA.

    Workaround: After the RMA is done, you must apply the policy configurations again after adding the necessary licenses, certificates, and signatures.

    Bug Tracking Number: CXU-51335

  • If UTM Web-filtering categories are installed manually (by using the request system security UTM web-filtering category install command from the CLI) on an NFX150 device, the intent-based firewall policy deployment from CSO fails.

    Workaround: Uninstall the UTM Web-filtering category that you installed manually by executing the request security utm web-filtering category uninstall command on the NFX150 device and then deploy the firewall policy.

    Bug Tracking Number: CXU-23927

Site and Tenant Workflow

  • On NFX150 devices running CSO 6.0.0, traffic drop is observed for spoke traffic session that is established in the CPE device.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-55471

  • On CSO 6.0.0, the Site=VRR filter does not work on the Alarms page.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-55678

  • When the primary link is restored by using the auto-revert option, the traffic revert of the current session is continued in the old link.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-55353

  • After you upgrade from CSO Release 5.1.2 to CSO Release 6.0.0, when the Grant RMA operation is performed for a CSO 5.1.2 site, the site version is changed to CSO 6.0.0.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-55740

  • You cannot edit a site by using the Connect to EHUB feature.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-55399

  • Unable to re-onboard or manage the recalled provisioned site.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-54909

  • Site-to-Internet traffic does not flow when you enable the Local Internet Breakout (LBO) by using the site-edit option.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-53095

General

  • Unable to create NFX250 devices by using site template.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-55739

  • Actual device response does not match with the API documentation, GET /topology-service/device/<device uuid>.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-55807

  • CSO ZTP might fail if the Routing Engine (RE) control data uses backup node.

    Workaround: Reboot the secondary node, and check if BGP is established.

    Bug Tracking Number: CXU-54872

  • On Branch SRX devices running CSO Release 6.0.0, ZTP fails with factory-default configuration if the internet connectivity is through the LTE interface.

    Workaround: Run the delete chassis auto-image-upgrade command and proceed with ZTP.

    Bug Tracking Number: CXU-55905

  • On SRX340 and SRX320 devices running CSO Release 6.0.0, the ZTP over LTE using Phone-home-client works only after you run the delete chassis auto-image-upgrade command on the zeroized device.

    Workaround: During pre-staging of the device, enable the PHC ZTP mode and delete the delete chassis auto-image-upgrade command from the device.

    Bug Tracking Number: CXU-55282

  • Even after you change the site name by using the site-edit option, some of the microservices continue to use the old name internally. This might be reflected in some of the job logs. However, this does not affect the service.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-54355

  • If you click a specific application on the Resources > Sites Management > WAN tab > Top applications widget, the Link Performance widget does not display any data.

    Workaround: You can view the data from the Monitoring > Application Visibility page or Monitoring > Traffic Logs page.

    Bug Tracking Number: CXU-39167

  • After Network Address Translation (NAT), only one DVPN tunnel is created between two spoke sites if the WAN interfaces (with link type as Internet) of one of the spoke sites have the same public IP address.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41210

  • On an SRX Series device, the deployment fails if you use the same IP address in both the Global FW policy and the Zone policy.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41259

  • Tenant owned Public IP Pool can be edited until the first SD-WAN site is onboarded in that tenant. After you onboard an SD-WAN site, Tenant owned Public IP Pool cannot be edited.

    Bug Tracking Number: CXU-41139

  • After ZTP of an NFX Series device, the status of some tunnels is displayed as down. This issue occurs if you are using the subnet IP address 192.168.2.0 on WAN links, which causes an internal IP address conflict.

    Workaround: Avoid using the 192.168.2.0 subnet on WAN links.

    Bug Tracking Number: CXU-41511

  • Image upgrade on an SRX4X00 Series cluster fails as the ISSU upgrade command throws an error due to real-time performance monitoring (RPM) configuration. This issue is only applicable when you upgrade from Junos Release 15.149-D172.

    Workaround: To upgrade an SRX4X00 Series cluster:

    1. Log in to CSO Customer Portal and apply the srx-rouser configuration template on the primary device in the cluster.
    2. Deploy the configuration template on the primary device by enabling the Admin option for the device.
    3. Copy the image to be upgraded on to both the primary and the backup devices by using CSO or manually.
    4. After the image is copied on both the primary and the backup devices, access the Remote Console option for the device from CSO.
    5. Log in to the backup device from the primary device:
    6. On the backup device, issue the upgrade command request system software add /var/tmp/<image-name> no-validate.
    7. After the image on the backup device is upgraded successfully, open another remote console on the primary device and upgrade the image on the primary device.
    8. Reboot the backup device.
    9. Immediately open another remote console and reboot the primary device.
    10. After both the devices are up, redeploy the srx-rouser template on the primary device by disabling the Admin option.

    The image is now upgraded on both the devices of the cluster.

    Bug Tracking Number: CXU-39491

  • Link metric widgets do not show data as expected when an analytics node is down.

    Workaround: Bring up the analytics node to view link metric widgets correctly.

    Bug Tracking Number: CXU-30813

  • CSO does not support cluster-level Return Material Authorization (RMA) for SRX Series dual CPE devices. Only cluster node-level RMA is supported.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-32157

  • When you upgrade the image for SRX4200 dual CPE device, the job status is displayed as Success even though the reboot is in progress for the secondary node.

    Workaround: Check the status of the cluster and the FPC status on the primary node before proceeding with any other activity on the CPE device.

    Bug Tracking Number: CXU-52974

  • Ubuntu service chaining instance fails on NFX150.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-52512

  • The site upgrade fails if a site is associated with the SRX340 device.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-52898

  • If you have deployed an SD-WAN policy on a dual-CPE SRX series or NFX series device, the RMA operation fails at the node-level.

    Workaround: Contact Juniper Networks Technical Assistance Center (JTAC).

    Bug Tracking Number: CXU-53271