Known Issues


This section lists known issues in Juniper Networks CSO Release 6.0.0.


  • On an SRX3xx chassis cluster, data tunnels on the secondary node are reported as down. Traffic continues to flow through tunnels connected to the primary node.

    Workaround: There is no known workaround.

    Bug Tracking Number: PR 1574912

  • When an SD-WAN controller is down or not reachable from CSO, you cannot delete a site or tenant from CSO.

    Workaround: Recover the SD-WAN controller and retry deleting the site or tenant.

    Bug Tracking Number: CXU-43724

  • If a provider hub is used by two tenants, one with public key infrastructure (PKI) authentication enabled and the other with preshared key (PSK) authentication enabled, the commit configuration operation fails. This is because only one IKE gateway can point to one policy, and if you define a policy with a certificate, then the preshared key does not work.

    Workaround: Ensure that the tenants sharing a provider hub use the same type of authentication (either PKI or PSK) as the provider hub device.

    Bug Tracking Number: CXU-23107

  • When configuring a DVPN tunnel between two devices, if one device is not functional while the other is functional, the DVPN tunnel should not be configured on the device that is functional.

    Workaround: If a DVPN tunnel is configured on the functional device, delete the tunnel manually.

    Bug Tracking Number: CXU-46188

  • VNFs do not come up on NFX150 devices running Junos OS Release 19.3R2-S3 because the required number of CPUs is not available.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-49268

  • If you are an Opco administrator and edit the OAM and CONTROL traffic profiles after your tenants have deployed SD-WAN policy intents, then the changes are not immediately applied on your tenant devices.

    Workaround: The changes are applied to the device only when your tenants redeploy the SD-WAN policy.

    Bug Tracking Number: CXU-52482

  • You must specify the same value for the Loss Priority field on the SLA Profile page and the Traffic Type Profile page; otherwise, the Loss Priority parameter might not be applied during traffic congestion.

    Workaround: Ensure that you specify the same value for the Loss Priority field on the SLA Profile and Traffic Type Profile pages.

    Bug Tracking Number: CXU-52516

High Availability

  • On an SRX4200 chassis cluster, a LAN segment with an aggregated interface with LLDP enabled fails.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-54985

Security Management

  • On NFX150 and NFX250 devices, firewall policies are not applied automatically after RMA.

    Workaround: After the RMA is done, you must apply the policy configurations again after adding the necessary licenses, certificates, and signatures.

    Bug Tracking Number: CXU-51335

  • If UTM Web-filtering categories are installed manually (by using the request system security UTM web-filtering category install command from the CLI) on an NFX150 device, the intent-based firewall policy deployment from CSO fails.

    Workaround: Uninstall the UTM Web-filtering category that you installed manually by executing the request security utm web-filtering category uninstall command on the NFX150 device and then deploy the firewall policy.

    Bug Tracking Number: CXU-23927

Site and Tenant Workflow

  • When the non-preferred link type for an application transitions from SLA violated to SLA met while the non-preferred link type is in use, the application flow does not transition to the preferred link type even if it is available. This persists until the non-preferred link type again transitions to SLA violated.

    Workaround: Bounce the non-preferred link type.

    Bug Tracking Number: CXU-55353

  • Site edit might fail if conflicting user-defined templates are deployed on the device.

    Workaround: Undeploy the user-defined templates before edit operations and redeploy them after the edit.

    Bug Tracking Number: CXU-55399

  • When you enable Local Internet Breakout (LBO) on the WAN by using site edit workflow, the underlay traffic might drop.

    Workaround: Deploy a new firewall policy after the WAN edit operation.

    Bug Tracking Number: CXU-53095


  • In some cases, the bootstrap job is not triggered if SRX ZTP is executed over an LTE WAN link with the factory-default configuration. On SRX345 devices running CSO, ZTP fails with the factory-default configuration if the Internet connectivity is through the LTE interface.

    Workaround: Run the delete chassis auto-image-upgrade command from the factory-default configuration and commit.

    Bug Tracking Number: PR 1569595

  • On NFX150 Series devices, class of service (CoS) does not work for PPP interfaces.

    Workaround: There is no known workaround.

    Bug Tracking Number: PR 1581489

  • Even after you change the site name by using the site edit option, some of the job logs might still refer to the old site name. However, this does not affect the service.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-54355

  • Do not select an OPCO name in the SRX-HUB-BREAKOUT template and deploy it. The template deployment fails in such cases.

    Workaround: Remove the OPCO name selected in the SRX-HUB-BREAKOUT template and redeploy the template.

    Bug Tracking Number: CXU-54312

  • On an SRX Series device, the deployment fails if you use the same IP address in both the Global FW policy and the Zone policy.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-41259

  • A tenant-owned public IP pool can be edited only until the first SD-WAN site is onboarded in that tenant. After you onboard an SD-WAN site, the tenant-owned public IP pool cannot be edited.

    Bug Tracking Number: CXU-41139

  • When you upgrade the image for an SRX4200 dual CPE device, the job status is displayed as Success even though the reboot is still in progress for the secondary node.

    Workaround: Check the status of the cluster and the FPC status on the primary node before proceeding with any other activity on the CPE device.

    Bug Tracking Number: CXU-52974

  • The Ubuntu service chaining instance fails on NFX150 devices.

    Workaround: There is no known workaround.

    Bug Tracking Number: CXU-52512