New and Changed Features in Contrail Service Orchestration Release 5.3.0

This section describes the new features or enhancements to existing features in Contrail Service Orchestration (CSO) Release 5.3.0.

You can view and read the features that are available in the CSO Releases 5.1.0, 5.1.1, 5.1.2, and 5.2.0 through the following links:


  • Support for adding configuration templates while creating site templates—From CSO Release 5.3.0 onward, you can add one or more configuration templates while creating a site template. You can select the configuration templates in the Additional Configuration section of the Add Site Template page, and set the parameters for the configuration templates that you have selected.

  • Enhancement to the edit support for site properties— From CSO Release 5.3.0 onward:

    • A tenant administrator user can edit the general parameters and WAN parameters of an existing on-premise spoke site (with SD-WAN or NGFW capabilities) or an enterprise hub site from the Site Management page (Resources > Site Management).

    • An OpCo administrator user can edit the parameters of a provider hub site with DATA_ONLY capability from the Provider Hub Devices page (Resources > Provider Hub Devices).

      Note You cannot edit on-premise spoke sites with SD-LAN capability and cloud spoke sites.

  • PPPoE support on Ethernet interfaces—From Release 5.3.0 onward, CSO supports Point-to-Point Protocol over Ethernet (PPPoE) for Ethernet access type on SRX and NFX devices.


Enhancements to the on-premise spoke site and site template workflow—From CSO Release 5.3.0 onward, you can do the following while adding an on-premise spoke site and site template to CSO:

  • Add multiple EX Series switches (physical and Virtual Chassis) while adding a site by using a site template or manually adding an on-premise spoke site with only LAN capability.

    In releases earlier than CSO 5.3.0, you can add multiple EX Series switches, one at a time, only to an existing site with LAN capability.

  • Assign the following while adding a site template for sites with LAN capability or WAN and LAN capabilities:

    • Assign access profile and configuration templates to the EX Series switch.

    • Assign port profiles to the switch ports.


  • Support for SRX550M, SRX1500, SRX4100, SRX4200 Services Gateways devices as a next-generation firewall device—From CSO Release 5.3.0 onward, the following SRX Series Services Gateways devices are supported as a next-generation firewall device: SRX550 High Memory Services Gateway (SRX550M), SRX1500, SRX4100, SRX4200.

  • Support for Firefox for accessing CSO GUIs—From CSO Release 5.3.0 onward, you can use Firefox (Version 78 or later) to access the CSO GUIs.

  • Enhancements to CSO GUIs—From CSO Release 5.3.0 onward, the following GUI enhancements are made:

    • Performance of the existing workflows in GUI is improved.

    • New icons are introduced on the top-right corner of the GUI to view the policies that are due for deployment, alarms and alerts on all the devices managed by CSO, and CSO jobs that are in progress and scheduled.

    • A new menu—Favorites—is introduced for quickly accessing the pages that you frequently visit. A star icon is provided on the right corner of each page to add the page to the favorites menu.

    • Personalize themes and navigation modes in the portal.

    • Three new widgets—Device Count by Platform, Device Count by OS, and Device Count by Status—are added to the dashboard.

  • Support for TLS and TCP for syslog messages—From CSO Release 5.3.0 onward, in a next-generation firewall deployment, the syslog messages are sent from the device to CSO by using Transport Layer Security (TLS) and Transmission Control Protocol (TCP).

  • Enhancements to configuration templates—From CSO Release 5.3.0 onward, you can perform the following actions on configuration templates from Administration and Customer Portals:

    • Undeploy a configuration template from a device.

    • Dissociate a configuration template from a device.

    • Rename a configuration template (by using the Edit operation).

    • Export a configuration template as a ZIP file.

  • RMA support for provider hub devices, enterprise hub devices, and next-generation firewall devices—From CSO Release 5.3.0 onward, you can initiate Return Material Authorization (RMA) workflow for a defective SRX Series provider hub device, enterprise hub device, and next-generation firewall device. RMA is supported for the following SRX Series models:

    • SRX Series provider hub devices: SRX1500, SRX4100, SRX4200, and vSRX

    • SRX Series enterprise hub devices: SRX1500, SRX4100, SRX4200, and vSRX

    • SRX Series next-generation firewall devices: SRX300, SRX320, SRX340, SRX345, SRX550M, SRX1500, SRX4100, SRX4200, and vSRX

Deprecated Feature

  • Hybrid WAN—From CSO Release 5.3.0 onward, CSO will not support Hybrid WAN deployments.

Resolved Issues

The following issues are resolved in Juniper Networks CSO Release 5.3.0:

  • CSO does not support cluster-level Return Material Authorization (RMA) for SRX dual CPE devices. Only cluster node-level RMA is supported.

    Bug Tracking Number: CXU-32157

  • You cannot filter the device ports for SRX Series devices while adding an on-premises spoke site or while adding a switch.

    Bug Tracking Number: CXU-32826

  • The Install Signature page does not reflect the correct OS version for a spoke site after the image on the device is upgraded.

    Bug Tracking Number: CXU-36373

  • The deployment of a port profile fails if the values you have configured for the firewall filter are not supported on the device running Junos OS.

    Bug Tracking Number: CXU-39629

  • When DVPN tunnels (GRE_IPSEC tunnels) are established between a pair of SRX3XX devices that have Internet WAN links behind NAT, the GRE OAM status of the tunnels is displayed as DOWN and hence the tunnels are marked as DOWN and not usable for traffic.

    Bug Tracking Number: CXU-41281

  • While you are using a remote console for a tenant device, if you press the Up arrow or the Down arrow, then instead of the command history irrelevant text (that includes the device name and the tenant name) appears on the console.

    Bug Tracking Number: CXU-41666

  • The chassis view for an EX2300 Virtual Chassis appears blank when the device resources are used up and the request for getting a response from the device times out.

    Bug Tracking Number: CXU-42866

  • Traffic is not load balancing in the Active-Active mode with cloud breakout for IPSec tunnels.

    Bug Tracking Number: CXU-43136

  • Provisioning an SRX340 device as next-generation firewall by using CSO is failing when Junos OS 19.3R2 is installed on the device.

    Bug Tracking Number: CXU-43362

  • On devices running Junos OS 19.3R2-S2, the SLA reason field (Actual Delay, Expected Delay, Jitter, Loss) for a Link Switch event is missing in the WAN tab of the Site Management page.

    Bug Tracking Number: CXU-43653

  • RFC-1918 subnets cannot be used in LAN subnets and LAN segments.

    Bug Tracking Number: CXU-44158

  • The chassis view of an EX Series Virtual Chassis may not reflect the correct status of the Virtual Chassis ports (VCPs).

    Bug Tracking Number: CXU-44880

  • When you select all VLANs for deletion and if one or more of the selected VLANs is connected to a CPE port, the VLANs are not deleted. An error message appears and a job to delete the VLANs is created in CSO. The jobs appear to be successful and the status of the VLANs appear as Delete Pending.

    Bug Tracking Number: CXU-44966

  • When CSO is upgraded to release 5.2.0, there are 15 LAN ports in the SRX1500 dual CPE device template, when the actual number of LAN ports should be four.

    Bug Tracking Number: CXU-45889

  • ZTP fails on SRX345 and vSRX due to issues with loading default certificates.

    Bug Tracking Number: CXU-45904

  • You cannot edit a standalone SD-LAN site though the Edit Site button is enabled.

    Bug Tracking Number: CXU-45918

  • When you clone a site template containing a next-generation firewall and a switch, you may not be able to edit some of the fields in the cloned template.

    Bug Tracking Number: CXU-45919

  • On the Site Management page for an OpCo, the operational status of a provider hub is displayed as N/A when the status is actually up.

    Bug Tracking Number: CXU-45924

  • While you deploy the VRRP configuration template on an SRX Series or EX Series device, the template does not render as expected on the Devices page of the CSO GUI.

    Bug Tracking Number: CXU-46049

  • The infotip for the ADSL_ENCAP parameter in the SRX as SDWAN CPE device profile incorrectly indicates to encapsulation used to connect to the ADSL service provider through PPPoE. The ADSL_ENCAP parameter does not apply to PPPoE, but to PPPoA.

    Bug Tracking Number: CXU-46189

  • CSO may not detect an EX Series switch connected behind an SRX Series device running Junos OS Release 19.3R2-S1 or Release 19.3R2-S2. This is because the port connecting the EX Series switch and the CPE is blocked by RSTP running on the SRX Series device and hence no IP address is assigned by DHCP to the port.

    Bug Tracking Number: CXU-46760