Known Behavior

This section lists known behavior, system maximums, and limitations in hardware and software in Juniper Networks CSO Release 6.3.0.

Device Management

  • The SRX4100, SRX4200, and SRX4600 devices support all existing SD-WAN features, except the following:

    • Phone-home client (PHC)—The devices must be manually activated by copying the stage-1 configuration from the CSO portal, pasting it to the console of the SRX4100, SRX4200, and SRX4600 devices, and then committing the stage-1 configuration.

    • LTE and xDSL interfaces.

  • LTE and xDSL interfaces are not supported on dual CPE devices.

  • You cannot remotely access a cloud spoke device and edit the configuration.

  • You can install and use only an external LTE Vodafone K5160 dongle on the NFX250 device.

  • NFX150 is not supported in cluster mode.

  • UTM Web filtering is not supported in an active-active SRX Series cluster device.

  • ADSL and VDSL are not supported on an NFX250 device running Junos OS Release 18.4R.

  • Prestaging is required for ZTP over PPPoE-enabled WAN link.

  • For SRX series devices, you must manually install the device certificates after the ZTP is complete. To manually install the certificate, select the SRX series device on the Resources > Devices page and click More > Install Certificates.

Dynamic VPN (DVPN)

  • Creation and deletion of DVPN tunnels based on the DVPN create and delete thresholds are governed by the MAX_DVPN_TUNNELS and MIN_TUNNELS_TO_START_DVPN_DEACTIVATE parameters, respectively. However, MAX_DVPN_TUNNELS and MIN_TUNNELS_TO_START_DVPN_DEACTIVATE are not honored when site-to-site tunnels are created or deleted from the CSO UI. This might cause the total active DVPN tunnels count on the Site > WAN tab to show a greater value than the MAX_DVPN_TUNNELS value configured for that site.

  • DVPN create and delete thresholds are based on the APPTRACK_SESSION_CLOSE messages. When APPTRACK_SESSION_CLOSE messages reach the specified threshold, an alarm is generated for creating or deleting a DVPN tunnel. However, the alarms are not cleared until the APPTRACK_SESSION_CLOSE message count goes below the threshold (for create alarms) or above the threshold (for delete alarms) to trigger a fresh cycle. This causes the create and delete alarms to remain active, which prevents further alarms and thus slows down the creation or deletion of tunnels.

  • Passive probes created by an SD-WAN policy time out after 60 seconds of inactivity. This causes CSO to close the corresponding sessions and trigger APPTRACK_SESSION_CLOSE messages. The APPTRACK_SESSION_CLOSE messages are tracked and added to the number of sessions closed. The sessions closed count is used to calculate the DVPN delete threshold.

Policy Deployment

  • An SD-WAN policy deployment is successful even if there is no matching WAN link meeting the SLA. This is expected behavior and it ensures that when a WAN link matching the SLA becomes available, traffic is routed through that link.

  • The policy intents defined for a firewall or an SD-WAN policy must not have conflicts with other policy intents in that policy because such conflicts lead to inconsistent behavior. For example:

    • You cannot define an SD-WAN policy with one policy intent for application X and SLA profile S-1 and another policy intent for application X and SLA profile S-2.

    • You cannot define two firewall policy intents with the same source and destination endpoints but one with action Allow and another with action Deny.

  • The SD-WAN policy intents do not support selecting 'none' in the Apps field as an application endpoint.
  • For every SD-WAN policy intent with a specific address or service, you must define a firewall intent with the same name as the SD-WAN policy intent.
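
    The intent rules above can be checked before deployment. The following is an added example, not Juniper or CSO code; the dictionary field names (name, app, sla, address, service, src, dst, action) and the sample intents are assumptions made for illustration and do not reflect the CSO data model or API.

```python
from collections import defaultdict

def lint_intents(sdwan, firewall):
    """Return a sorted list of findings for the rules in this section.
    sdwan:    dicts with name, app, sla, and optional address/service
    firewall: dicts with name, src, dst, action
    (Hypothetical field names; this is not the CSO data model or API.)
    """
    findings = []

    # Rule: one application must not map to two SLA profiles.
    sla_by_app = defaultdict(set)
    for i in sdwan:
        # Rule: 'none' is not a supported application endpoint.
        if str(i["app"]).lower() == "none":
            findings.append(f"sdwan:{i['name']}: 'none' is not a valid Apps value")
            continue
        sla_by_app[i["app"]].add(i["sla"])
    for app, slas in sla_by_app.items():
        if len(slas) > 1:
            findings.append(f"sdwan: app {app} has conflicting SLA profiles {sorted(slas)}")

    # Rule: same source and destination must not carry both Allow and Deny.
    actions = defaultdict(set)
    for i in firewall:
        actions[(i["src"], i["dst"])].add(i["action"].lower())
    for (src, dst), acts in actions.items():
        if {"allow", "deny"} <= acts:
            findings.append(f"firewall: {src} -> {dst} has both Allow and Deny")

    # Rule: an SD-WAN intent with a specific address or service needs a
    # firewall intent of the same name.
    fw_names = {i["name"] for i in firewall}
    for i in sdwan:
        if (i.get("address") or i.get("service")) and i["name"] not in fw_names:
            findings.append(f"sdwan:{i['name']}: no firewall intent with the same name")
    return sorted(findings)

# Constructed sample intents.
SDWAN = [
    {"name": "voice-a", "app": "X", "sla": "S-1"},
    {"name": "voice-b", "app": "X", "sla": "S-2"},
    {"name": "erp", "app": "Y", "sla": "S-1", "service": "tcp/8443"},
]
FIREWALL = [
    {"name": "lan-dc-allow", "src": "lan-1", "dst": "dc", "action": "Allow"},
    {"name": "lan-dc-deny", "src": "lan-1", "dst": "dc", "action": "Deny"},
]
print("\n".join(lint_intents(SDWAN, FIREWALL)))
```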


  • You cannot change the MTU values for the logical interfaces. For example, if you create two LAN segments on the same physical port with two different VLANs, the MTU values on both the VLANs are the same as that of the physical port. You cannot configure different MTU values for the VLANs.

  • CSO explicitly disables the long-lived graceful restart capability for BGP peering sessions with provider edge (PE) and data center or LAN routers. Disabling long-lived graceful restart ensures that the CPE device does not differentiate the route advertisements to the peering router irrespective of the peering router’s long-lived graceful restart capability.

  • If WAN link endpoints are not of similar type but overlay tunnels are created based on matching mesh tags, the static policy for site-to-site or central Internet breakout traffic gives preference to the remote link type.

  • Advanced SLA configurations, such as CoS rate limiting, are not supported during local breakout if no specific application is selected; that is, if Application is set to ANY. Choose specific applications if you want to enable advanced SLA configurations, such as CoS rate limiting.

  • If two or more SD-WAN policy rules are configured for the same application with different levels of granularity, such as all, sites, and departments, then CSO applies the CoS rate limiter in the same order in which you have created the intents.

  • On the SD-WAN Events page, when you hover the mouse over the Reason field of link switch events, sometimes Above Target is displayed instead of the absolute SLA metric value for very large values (for example, for an SLA metric value that is 100 times the target value).

  • Active-Active mode is not supported with cloud breakout for GRE tunnels.

  • You cannot add a LAN segment to a Dual SRX site in CSO upgraded to Release 6.0.0 if the site has not been upgraded.

    So, to add a LAN segment to a site, you must first do the following:

    After the above steps, add the LAN segment to the site from Device page on the LAN tab. While adding the LAN segment details, remember to create RETH interface and enable LACP. See Add a Branch Site with SD-WAN Capability.

Site and Tenant Workflow

  • An NFX250 site is automatically upgraded to the current CSO version after performing RMA of an old site (prior to site upgrade). Prior to site upgrade on an NFX dual-CPE site, RMA is supported only at the cluster level, not at the node level.
  • In the Add Site workflow, use IP addresses instead of hostnames for the NTP server configuration. If you are using hostnames instead of IP addresses, ensure that the hostname is DNS-resolvable; if the hostname is not DNS-resolvable, ZTP for the device fails.

  • CSO uses RSA-key-based authentication when establishing an SSH connection to a managed CPE device. The authentication process requires that the device has a configured root password, and you can use Administration Portal to specify the root password in the device template.

    To specify a root password for the device:

    1. Log in to Administration Portal.

    2. Select Resources > Device Templates.

    3. Select the device template and click Edit.

    4. Specify the plain text root password in the ENC_ROOT_PASSWORD field.

    5. Click Save.

  • When you try to deploy a LAN segment on an SRX Series spoke device, the CSO GUI allows you to select more than one port for a LAN segment. However, for SRX Series devices, only one port for a LAN segment can be deployed; multiple ports in a LAN segment can be deployed only on NFX Series devices.
  • In case of multiple LAN segments under the same department (VPN) configured with OSPF protocol, the Overlay Route(s) to LAN knob should be configured in the same way for all of them (either ON or OFF).
  • On a site with an NFX Series device, if you deploy a LAN segment without the VLAN ID specified, CSO uses an internal VLAN ID meant for internal operations and this VLAN ID is displayed in the LAN section of the Site Detail View page. There is no impact on the functionality.
  • Do not create departments that have names starting with default, default-reverse, mpls, internet, or default-hub because CSO uses the following departments for internal use:

    • Default-vpn_name
    • Default-reverse-vpn_name
    • mpls-vpn_name
    • internet-vpn_name
    • Default-hub-vpn_name
  • Site edit fails if you try to edit the MTU WAN value for a site that is running CSO 6.1.0 or an earlier release.

User Interface

  • When you use Mozilla Firefox to access the CSO GUIs, a few pages do not work as expected. We recommend that you use Google Chrome version 60 or later to access the CSO GUIs.
  • When you copy and paste a stage-1 configuration from Chrome version 71.0.3578.98, insert a new line, as shown in the following example, in the private key text:

    If you do not insert the new line, the private key fails.


  • Application-identification database version may show 999 (default sigpack) after upgrading from Junos OS 20.4 or earlier to Junos OS 21.1 or later. This is due to application identification signature incompatibility between Junos OS 21.1 or later and Junos OS 20.4 and earlier.


    • Junos OS earlier to Junos OS 21.1

    • Junos OS 21.1 or later

    Update the application identification database by using the commands request services application-identification download and request services application-identification install.

    1. Download the Application package using the command request services application-identification download.


    2. Check the status of the download using the command request services application-identification download status.


    3. Install the Application package using the command request services application-identification install.


    4. Check the status of the installation using the command request services application-identification install status.


    See KB71763 for more information.

  • The site deletion process is split into two phases to minimize the overall time required to delete a site:
    • Site deletion (phase 1)—The device is zeroized, all activation information is removed from CSO, and the site is deleted from the GUI. After deletion, you can onboard the site using the same name or a different name.
    • Site cleanup (phase 2)—The cleanup process is triggered after the site is deleted. This process removes all the configuration associated with the site from the provider or enterprise hub, a spoke site to which this site is connected, and virtual Route Reflectors (vRRs).

      For optimization purposes, configurations on spoke sites might not be deleted during the cleanup phase. In such cases, the configurations are deleted during the next commit operation on the spoke devices.

  • On an NFX Series device:

    To activate a virtualized network function (VNF), perform the following steps:

    1. Add the VNF to the device.
    2. Initiate the activation workflow and ensure that the job is 100% completed.

    To retry the activation of a VNF that failed, perform the following steps:

    1. Deactivate the VNF.
    2. Remove the VNF.
    3. Add the VNF to the device.
    4. Initiate the activation workflow and ensure that the job is 100% completed.
  • Enterprise hub is not supported for cloud spoke sites.
  • CSO internally uses IP addresses starting from through You must avoid using these IP addresses in LAN subnets.
  • NFX250 uses some IP addresses in the subnet for VNF management. You must avoid using these IP addresses in a LAN. For more information about the usage of this subnet, see the NFX250 documentation.
  • Starting from CSO Release 6.2.0, you can use VLAN IDs in the following ranges to configure LAN segments:

    • SRX Series devices (single and dual CPE) and vSRX: 1 – 4094 (in releases prior to CSO Release 6.2.0, the range is 1 – 4049)

    • NFX250 (single and dual CPE) and NFX150 devices: 1 - 4049

  • If a tenant has an overlapping IP address configured across departments, then to access the resources in the enterprise hub’s data center, you must apply a source NAT rule with source as the trust zone and destination as the data center department zone on the enterprise hub device.
  • If an overlapping IP address is configured on the same site across departments, hosts in the overlapping subnet are unable to deterministically access data center routes behind nonprimary enterprise hubs.
  • The end-to-end traffic cannot be established if two LAN hosts within a tenant have traffic such that all the 5 tuples are exactly the same and the destination IP address is in the data center that is hosted behind nonprimary enterprise hubs.
  • If you initiate the Sync Alarm operation from the Alarms page, the timestamp of the synchronized alarms changes to the time the Sync Alarm operation is initiated.

  • Starting with Junos OS Release 21.1R1, if you want to view Application Traffic logs, you must apply the following commands:

    • set security application-tracking log-session-create
    • set security application-tracking log-session-close