Resolved Issues

The following issues are resolved in Juniper Networks Cloud CPE Solution Release 3.2.

• Performance metrics for the NFX Series device are collected through the HTTP interface. [CXU-8710]
• On rare occasions, the Logspout microservice causes the docker daemon to hog the CPU on the microservices virtual machine. [CXU-11863]
• When a session is transferring more than 2 GB of data, the unit of throughput is incorrectly reported as terabits per second (Tbps) in the CSO GUI. [CXU-11556]
• On an NFX Series device, application tracking is enabled for department security zones only on pushing an SD-WAN APBR policy. When there is only a firewall policy deployed without SD-WAN, no application visibility is displayed for the NFX Series device. [CXU-12154]
• If the oam-and-data interface goes down, the IBGP session is lost and traffic stops flowing. This causes communication with CSO to be lost and Syslogs are not sent even though there are other WAN interfaces up and running. [CXU-12346]
• For a site, when DHCP is configured on the WAN interface and the LAN segment, the device activation fails. [CXU-13432]
• During the failover of a link between an NFX Series spoke device and a vSRX hub device, the BGP session goes down even though the virtual route reflector (VRR) is reachable. [CXU-13517]
• On the Site Management page, the overlay links information for the cloud hub are incorrect. [CXU-13579]
• If you configure a static SD-WAN policy and a link goes down, it may take approximately three minutes for the gr-0/0/0 interface to be removed from the MPLS/Internet routing table. [CXU-13528]
• If you create an SD-WAN and firewall policy with the source as a department and the department is not associated with a site or a LAN segment, the job created to apply the SD-WAN and firewall policies after ZTP fails. [CXU-13542]
• For sites with device-initiated connections, by default, all site traffic is source NATted at the hub. You cannot apply a different source NAT rule to the hub because the default rule overrides any user-configured source NAT rule. [CXU-13558]
• If you have a tenant with more than one site and deploy a firewall policy to a single site, the policy is deployed only to that site. However, jobs are created to push a dummy firewall policy to other sites, which causes a performance issue on setups with a large number of devices. [CXU-13562]
• If you configure DHCP on an NFX Series or an SRX Series spoke device, in some cases, the spoke might fail to establish a connection to CSO and may fail to send Syslog messages to the Contrail Analytics node. [CXU-13567]
• In some cases, one or more security management microservices take more than 20 minutes to come up and are stuck in the same state. [CXU-13726]
• Link switching does not occur even though the throughput threshold configured in the SLA profile is crossed because incorrect interface stats are reported for the gre interface. [CXU-14127]
• The reverse path taken by traffic on the hub is different from the forward path. [CXU-14330]
• During activation, the NFX250 device reboots and requests that you enter the activation code twice, because there is no default value for the HugesPages count in the Linux Kernel on the device. [CXU-5601, PR1254219]
• In the detailed view of a site on the Sites page (Sites > Site Management), the Overlay Links tab displays only GRE links and not GRE over IPsec links. [CXU-10170]
• In some cases, when multiple system log messages (syslogs) or queries are being processed, the Contrail Analytics Node (CAN) crashes (Docker restarts). [CXU-10838]
• In some cases, an operation might fail with the Authentication required error message because of an expired token. [CXU-10809]
• If a user who belongs to more than one tenant is deleted, the user is deleted from all tenants. [CXU-11201]
• On the Site-Name page (Sites > Site-Name), when you click the Device link (in the Connectivity & Devices box on the Overview tab), you are navigated to the Devices page (Resources > Devices) where all available devices are displayed instead of only the device that you selected. [CXU-11339]
• If you modify a site group that is not used in any policy, a GUI notification incorrectly indicates that policies need to be deployed. [CXU-11395]
• If an infrastructure node (virtual machine) goes down, the backup node takes over the tasks handled by the primary node. However, after the node that was down recovers, it does not join the cluster and is stuck in slave mode. [CXU-11711]
• If you create a LAN segment with the name LAN0, LAN1, or LAN2, the deployment of the LAN segment fails. [CXU-11743]
• When you remove a cloud hub from a tenant, the corresponding router is removed from the All Tenants scope. [CXU-11796]
• When the deployment of a LAN segment on a device fails, the device status is changed from PROVISIONED to PROVISION_FAILED. However, when you redeploy the LAN segment and the deployment is successful the device status is not changed to PROVISIONED. Therefore, when you attempt to deploy an SD-WAN or a firewall policy on the device, the deployment fails with the error message "[get_policy_info_list: method execution failed]Site/ Device information not found". [CXU-11874]
• When a tunnel goes down, the event generated displays different information for the NFX Series and SRX Series devices:
  • When the GRE over IPsec tunnel goes down:
    • The event generated for the vSRX device (running on the NFX Series device) has the description ['Tunnel-id ID is inactive'].
    • The event generated for the SRX Series device has the description GRE over IPSEC is Down.
  • When the GRE-only tunnel goes down:
    • The event generated for the vSRX device (running on the NFX Series device) has the description tunnel-oam-down.
    • The event generated for the SRX device has the description GRE tunnel down.

  [CXU-11895]

• If you try to delete one or more LAN segments, the confirmation dialog box does not display the list of LAN segments selected for deletion. However, when you click OK to confirm the deletion, the LAN segments are deleted successfully. [CXU-11896]
• If the role of an existing user is changed from MSP Operator to MSP Administrator and that user tries to switch the tenant by using the scope switcher in the banner, the tenant switching fails. [CXU-11898]
• In Cloud CPE Solution Release 3.1.1, editing a site is not supported. When you try to edit a site, the message "unable to retrieve the router info" is displayed. [CXU-11912]
• If you edit an existing LAN segment that was previously added during site creation, the Department field is changed to Default. [CXU-11914]
• If you apply an APBR policy on a vSRX device or an SRX Series device, in some cases, the APBR rule is not active on the device. [CXU-11920]
• ZTP activation of an SRX Series device by using the phone home client (PHC) fails. [CXU-11926]
• On the Monitor > Overview page the number of hub devices is reported as zero even though a cloud hub exists. [CXU-11931]
• If an SLA profile is defined with only the throughput metric specified, in some cases, the SLA profile is assigned to a link that is down. [CXU-11997]
• You see an import error message when you use the license tool, because the tssmclient package is missing from the license tool files. [CXU-12054]
• Some variables in the CSO and NSC installer packages do not have the correct values. [CXU-12113]
• When you try to install the Distributed_Cloud_CPE_Network_Service_Controller_3.1 package, the load services data module fails with an import error in the publish_data_to_design_tools function. [CXU-12137]
• When you deploy a firewall policy, the deployment fails with the message Fail to invoke mapper to create snapshot with reason null. [CXU-12151]
• If you deploy a NAT policy with one or more rules and then delete the policy without first deleting the rules, the configuration on the device is not cleared. [CXU-13879]
• On the NAT Rules page, if you try to search or use the column filters for departments named Internet or Corporate Network, the search does not work. [CXU-10406]
• FW rules are deleted from the device when a rule is modified after the last LAN segment is deleted. [CXU-15138]
• Performance metrics for the NFX Series device are collected through the HTTP interface. [CXU-8710]
• On rare occasions, the Logspout microservice causes the docker daemon to hog the CPU on the microservices virtual machine. [CXU-11863]
• When a session is transferring more than 2 GB of data, the throughput incorrectly reported as Terabits per second (Tbps) in the CSO GUI. [CXU-11556]
• On an NFX Series device, application tracking is enabled for department security zones only on pushing an SD-WAN APBR policy. When there is only a firewall policy deployed without SD-WAN, no Application Visibility is displayed for the NFX Series device. [CXU-12154]
• If the oam-and-data interface goes down, the IBGP session is lost and traffic stops flowing. This causes communication with CSO to be lost and Syslogs are not sent even though there are other WAN interfaces up and running. [CXU-12346]
• For a site, when DHCP is configured on the WAN interface and the LAN segment, the device activation fails. [CXU-13432]
• During the failover of a link between an NFX Series spoke device and a vSRX hub device, the BGP session goes down even though the virtual route reflector (VRR) is reachable. [CXU-13517]
• On the Site Management page, the overlay links information for the cloud hub are incorrect. [CXU-13579]
• If you configure a static SD-WAN policy and a link goes down, it may take approximately three minutes for the gr-0/0/0 interface to be removed from the MPLS/Internet routing table. [CXU-13528]
• If you create an SD-WAN and firewall policy with the source as a department and the department is not associated with a site or a LAN segment, the job created to apply the SD-WAN and firewall policies after ZTP fails. [CXU-13542]
• For sites with device-initiated connections, by default, all site traffic is source NATted at the hub.You cannot apply a different source NAT rule to the hub because the default rule overrides any user-configured source NAT rule. [CXU-13558]
• If you have a tenant with more than one site and deploy a firewall policy to a single site,the policy is deployed only to that site. However, jobs are created to push a dummy firewall policy to other sites, which causes a performance issue on setups with a large number of devices. [CXU-13562]
• If you configure DHCP on an NFX Series or an SRX Series spoke device, in some cases, the spoke might fail to establish a connection to CSO and may fail to send Syslog messages to the Contrail Analytics node. [CXU-13567]
• The secmgt-sm, secmgt-appvisibility, and secmgt-ecm microservices do not change to ready state because they are not initialized correctly during deployment. [CXU-13726]
• Link switching does not occur even though the throughput threshold configured in the SLA profile is crossed because incorrect interface stats are reported for the gre interface. [CXU-14127]
• The reverse path taken by traffic on the hub is different from the forward path. [CXU-14330]
• During activation, the NFX 250 device reboots and requests that you enter the activation code twice, because there is no default value for the HugesPages count in the Linux Kernel on the device. [CXU-5601, PR1254219]
• In the detailed view of a site on the Sites page (Sites>SiteManagement), the Overlay Links tab displays only GRE links and not GRE over IPsec links. [CXU-10170]
• In some cases, when multiple system log messages (syslogs) or queries are being processed, the Contrail Analytics Node (CAN) crashes (Docker restarts). [CXU-10838]
• In some cases, an operation might fail with the Authentication required error message because of an expired token. [CXU-10809]
• If a user who belongs to more than one tenant is deleted, the user is deleted from all tenants. [CXU-11201]
• On the Site-Name page (Sites>Site-Name), when you click the Device link (in the Connectivity&Devices box on the Overview tab),you are navigated to the Devices page (Resources>Devices) where all available devices are displayed instead of only the device that you selected. [CXU-11339]
• If you modify a site group that is not used in any policy, a GUI notification incorrectly indicates that policies need to be deployed. [CXU-11395]
• If an infrastructure node (virtual machine) goes down, the backup node takes over the tasks handled by the primary node. However, after the node that was down recovers, it does not join the cluster and is stuck in slave mode. [CXU-11711]
• If you create a LAN segment with the name LAN0, LAN1, or LAN2, the deployment of the LAN segment fails. [CXU-11743]
• When you remove a cloud hub from a tenant, the corresponding router is removed from the All Tenants scope. [CXU-11796]
• When the deployment of a LAN segment on a device fails, the device status is changed from PROVISIONED to PROVISION_FAILED. However, when you redeploy the LAN segment and the deployment is successful the device status is not changed to PROVISIONED.Therefore, when you attempt to deploy an SD-WAN or a firewall policy on the device, the deployment fails with the error message"[get_policy_info_list:method executionfailed]Site/Deviceinformationnotfound". [CXU-11874]
• When a tunnel goes down, the event generated displays different information for the NFX Series and SRX Series devices:
  • When the GRE over IPsec tunnel goes down:
    • The event generated for the vSRX device (running on the NFX Series device) has the description ['Tunnel-id ID is inactive'].
    • The event generated for the SRX Series device has the description GRE over IPSEC is Down.
  • When the GRE-only tunnel goes down:
    • The event generated for the vSRX device (running on the NFX Series device) has the description tunnel-oam-down.
    • The event generated for the SRX device has the description GRE tunnel down.

  [CXU-11895]

• If you try to delete one or more LAN segments, the confirmation dialog box does not display the list of LAN segments selected for deletion. However, when you click OK to confirm the deletion, the LAN segments are deleted successfully. [CXU-11896]
• If the role of an existing user is changed from MSP Operator to MSP Administrator and that user tries to switch the tenant by using the scope switcher in the banner, the tenant switching fails. [CXU-11898]
• In Cloud CPE Solution Release 3.1.2, editing a site is not supported. When you try to edit a site, the message "unable to retrieve the router info" is displayed. [CXU-11912]
• If you edit an existing LAN segment that was previously added during site creation, the Department field is changed to Default. [CXU-11914]
• If you apply an APBR policy on a vSRX device or an SRX Series device, in some cases, the APBR rule is not active on the device. [CXU-11920]
• ZTP activation of an SRX Series device by using the phone home client (PHC) fails. [CXU-11926]
• On the Monitor>Overview page: The number of hub devices is reported as zero even though a cloud hub exists. [CXU-11931]
• If an SLA profile is defined with only the throughput metric specified, in some cases, the SLA profile is assigned to a link that is down. [CXU-11997]
• You see an import error message when you use the license tool, because the tssmclient package is missing from the license tool files. [CXU-12054]
• Some variables in the CSO and NSC installer packages do not have the correct values. [CXU-12113]
• When you try to install the Distributed_Cloud_CPE_Network_Service_Controller_3.1 package, the load services data module fails with an import error in the publish_data_to_design_tools function. [CXU-12137]
• When you deploy a firewall policy, the deployment fails with the message Fail to invoke mapper to create snapshot with reason null. [CXU-12151]
• If you deploy a NAT policy with one or more rules and then delete the policy without first deleting the rules, the configuration on the device is not cleared. [CXU-13879]
• On the NAT Rules page, if you try to search or use the column filters for departments named Internet or Corporate Network, the search does not work. [CXU-10406]
• Firewall rules are deleted from a device when a rule is modified after the last LAN segment is deleted. [CXU-15138]