Troubleshooting Image, License, and Policy Deployment Issues
Unable to find device image version
Problem
Description
How do I find my device image version without console access to the device?
Solution
Use the J-Web interface to find the device image version.
To access the J-Web interface of the device:
Connect your laptop or workstation to any port (except ge-0/0/0) that is available on the device.
Enable DHCP on the laptop or workstation and acquire the IP address and gateway information from the device.
Use the gateway address (also known as the device address) in the Web browser to connect to the J-Web interface.
Log in with the default username root. As the root user, you don’t need a password to log in.
The Welcome page appears displaying the device image version.
Upgrade device image using J-Web
Problem
Description
Device image version is 15.1X49-D110; how do I upgrade the device image before site onboarding?
Solution
Use the J-Web interface to upgrade the device image.
To upgrade the device image using J-Web:
Download the recommended image or the software version from the Juniper Networks website to your local machine.
Log in to the J-Web interface.
Select Maintain > Software > Upload Package.
Navigate to the device image file location and select the file.
Click Upload and Install Package to upgrade the device image.
Unable to connect to the device
Problem
Description
I am not able to log in to the device through the J-Web interface or through the device console. How do I proceed?
Solution
Press and hold the Reset Config button on the device for 15 seconds. Wait for two minutes for the device to restore the factory-default settings. Log in to the device as the root user (no password is required for the root user). If you are still not able to access the device, then reboot the device.
Device image version is different from the recommended version
Problem
Description
The device image version at the site is 15.1X49D110, but the recommended image version is 15.1X49D170.x. Should I upgrade the device image manually before site onboarding?
Solution
You don't’ need to upgrade the device image manually before site onboarding. You can do either of the following:
Upgrade the device image during site activation in CSO—While you are in the site configuration or onboarding workflow, select the device image from the drop-down list.
Note:Device image upgrade during site activation delays the site activation process.
Upgrade the device image post site activation in CSO—Navigate to Resources > Images, select the image, and click Deploy.
Policy deployment failed
No data for next-generation firewall site
Problem
Description
Application Visibility Monitoring page shows no data for the next-generation firewall site; how do I proceed?
Solution
Do the following:
Verify that your network firewall allows the UDP port 514.
Verify the application visibility monitoring page after multiple application sessions (in the time range of 3–5 minutes) traffic.
Use an appropriate time interval for the query. For example, if you are querying for the traffic sent in the last 10 minutes, then try using a 15-minute query (minimum time interval).
No data for SD-WAN site
Problem
Description
Application visibility and WAN performance data on the Site Management page shows no data for the SD-WAN site; how do I proceed?
Solution
Do the following:
Verify the application visibility and WAN performance data after multiple application sessions (in the time range of 3-5 minutes) traffic.
Use an appropriate time interval for the query. For example, if you are querying for the traffic sent in the last 10 minutes, then try using a 15-minute query (minimum time interval).
Traffic from Spoke Sites Are Dropped or Are Not Reaching Internet or Destination
Problem
Description
Traffic from spoke sites are dropped or are not reaching the Internet or their specified destinations.
Solution
Verify the alerts for overlay or underlay connections, and check whether BGP is active.
Log in to Administration portal, and select Monitor > Alerts and Alarm > Alerts.
Check whether the firewall policies are successfully deployed to the CPE device and that the traffic or applications are matching the policies to permit the traffic to Internet or to other sites.
In Administration Portal, select Sites > Site-Name > Policies.
Or log in to the CPE device and verify that the next-generation firewall policies are deployed.
Check the routes in the default VRF route table in the CPE device.
Trace the route and verify the reachability from the hub to the destination. If the hub cannot reach the Internet, then verify whether the firewall and NAT policies are set up properly in the hub.
For further troubleshooting, collect the logs and output results and contact Juniper Networks Technical Support team.
SLA Violation-Original Link Recovered After SLA Violation
Problem
Description
The original link is recovered after a service-level agreement (SLA) violation but the application traffic does not switch back to the original link.
Solution
Applications change links only on an SLA violation, because applications are not tied to a specific link and are based on SLA type, such as path preference or link performance metrics.
All WAN links are Up But Not All Links Are Utilized
Problem
Description
All WAN links are up but not all links are being utilized.
Solution
It is possible that all SD-WAN policies can select the same WAN link if they match the SLAs. If the CPE receives a lot of matching and non-matching application traffic for SD-WAN policies, but not all WAN links are being used, then ensure the following:
Check that the CPE device receives multiple flows per application.
Check that all the WAN overlays are up (IPsec, GRE) in the CPE device and the hub device.
Check the SLA performance data or real-time performance monitoring (RPM) probe results in the CPE device for all links.
Log in to the Administration Portal, and select Monitor > Applications > SLA Performance.