Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 

Known Behavior

This section lists known behavior, system maximums, and limitations in hardware and software in Juniper Networks Cloud CPE Solution Release 3.2.

Application Visiblity

  • Application Visibility data is displayed only when there is at least one SD-WAN policy configured on the SD-WAN CPE.


  • Deployments where CSO is behind NAT require spokes and hubs to be able to reach the VRR without NAT.
  • For SD-WAN deployments, CSO installation behind NAT is not supported.

Policy Deployment

  • The deployment of fiirewall policies with UTM profiles fails on sites (devices) on which UTM licenses are not present. Ensure that you install the required licenses before deploying firewall policies that are associated with UTM profiles.

    In addition, when you add new sites or departments, firewall policies that are automatically deployed to the sites might fail if licenses are not installed. In such cases, install the licenses on the applicable sites and re-deploy the failed policy.

  • SD-WAN policies are incorrectly deployed automatically when signatures are not installed.
  • Whenever a new site is added and auto-NAT is enabled, a NAT policy job is triggered for all existing sites as well as for the new site. There is no impact to functionality; however, you will see additional jobs listed in the system.

Security Management

  • With Cloud CPE Solution Release 3.2, SSL Proxy is not supported on SRX300 and SRX320 series devices.

Site and Tenant Workflow

  • In the Configure Site workflow, use IP addresses instead of hostnames for the NTP server configuration.
  • CSO uses hostname-based certificates for device activation. The regional microservices VM hostname must be resolvable from CPE.


  • Changing the DHCP IP address on the OAM interface is not supported.
  • Hybrid-WAN and SD-WAN deployments using the same MX as a hub is not supported.
  • When using MX as a SD-WAN hub, NAT configuration must be done on MX Series routers using Stage-2 configuration templates.


  • On hub devices, when all WAN links are configured for DHCP, the default route is not imported into the default virtual router of the tenant.
  • With Cloud CPE Solution Release 3.2, when you edit a tenant, changing the deployment plan from Hybrid WAN to SD-WAN or vice versa is not supported, although the field is displayed as editable.
  • For a centralized deployment, use the following procedure to check that the JSM Heat resource is available in Contrail OpenStack on the Contrail Controller node.

    Note: This procedure must be performed on all the Contrail Controller nodes in your CSO installation.

    1. Log in to the Contrail Controller node as root.
    2. To check whether the JSM Heat resource is available, execute the heat resource-type-list | grep JSM command.

      If the search returns the text OS::JSM::Get Flavor, the file is available in Contrail OpenStack.

    3. If the file is missing, do the following:
      1. Use Secure Copy Protocol (SCP) to copy the jsm_contrail_3.pyc file to the following directory:
        • For Heat V1 APIs, the /usr/lib/python2.7/dist-packages/contrail_heat/resources directory on the Contrail Controller node.
        • For Heat V2 APIs, the /usr/lib/python2.7/dist-packages/vnc_api/gen/heat/resources directory on the Contrail Controller node.

        Note: The jsm_contrail_3.pyc file is located in the /root/Contrail_Service_Orchestration_3.2/deployments/central/file_root/contrail_openstack/ directory on the VM or server on which you installed CSO.

      2. Rename the file to jsm.pyc in the Heat resource directory to which you copied the file.
      3. Restart the Heat services by executing the service heat-api restart && service heat-api-cfn restart && service heat-engine restart command.
      4. After the services restart successfully, verify that the JSM Heat resource is available as explained in Step 2. If it is not available, repeat Step 3.

Modified: 2017-12-20