Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[CSO] Unable to deploy LAN segments

0

0

Article ID: KB35088 KB Last Updated: 11 Oct 2019Version: 1.0
Summary:

This KB article explains a specific issue in CSO 4.1.1 with respect to adding LAN segments.

Symptoms:

CSO tries to push stale LAN entry (which does not exists in CSO anymore):

Task: add-department
Sep 9, 2019, 1:54:12 PMStage 2 config start, task_id = add-department ...
Sep 9, 2019, 1:54:13 PMStart stage-2-config stage 1: resolve profile add-department success
Sep 9, 2019, 1:54:13 PMStart stage-2-config stage 2: create abstract configs success: {'JDM': [], 'JUNOS': [[u'default-domain', u'DOMAIN', u'Site', u'JUNOS/srx-add-department-config']], 'JCP': [], 'GWR': []}
Sep 9, 2019, 1:54:13 PMConfigs to be deployed include {'JUNOS': [[u'default-domain', u'DOMAIN', u'Site', u'JUNOS/srx-add-department-config']]}
Sep 9, 2019, 1:54:13 PMAbout to publish and deploy JUNOS configs [[u'default-domain', u'DOMAIN', u'Site', u'JUNOS/srx-add-department-config']]
Sep 9, 2019, 1:57:01 PMStart 2 config for JUNOS: [[u'default-domain', u'DOMAIN', u'Site', u'JUNOS/srx-add-department-config']] deployed failed, reason: {"status": "FAILURE", "hapi_remote_host": "csp.csp-dms-cms-inv-central-core-2909752705-46jr9", "description": "{\"error_data\": {\"status_code\": \"500\", \"error_tag\": \"Command Execution Error\", \"error_message\": \"requestid: UI_f7c13421-4703-533a-e644-58d35cb01153,qUNw,XjRo,lUpD,nnUP.ae1c9508-d34c-11e9-9aea-0242ac10151a deviceid: b715277c-4d6b-442e-a905-bfbecdec9aba commit comment \\\"CSO_Rcspuser@XXXXXXXXXXXX.Site.DOMAIN# ... \\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\bQ_ID:UI_f7c13421-47cspuser@XXXXXXXXXXXX.Site.DOMAIN# ... \\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b3-533a-e644-58d35cbcspuser@XXXXXXXXXXXX.Site.DOMAIN# ... \\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b1153,qUNw,XjRo,lUpDcspuser@XXXXXXXXXXXX.Site.DOMAIN# ... \\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\bnnUP\\\" \\n[edit security zones security-zone IOT]\\n 'interfaces ge-0/0/5.100'\\n Interface ge-0/0/5.100 must be configured under interfaces\\nerror: configuration check-out failed\\n\\n[edit]\\ncspuser@XXXXXXXXXXXX.Site.DOMAIN# \", \"error_diag\": \"This error is propagated from DCS. It occurs during device command execution. \"}}", "hapi_user_client_ip": "X.X.X.X", "hapi_request_id": "UI_f7c13421-4703-533a-e644-58d35cb01153,qUNw,XjRo,lUpD", "details": {"5741e2ec-c561-42cf-b588-29a1ad623876": {"status": "FAILURE", "abstract_config_uuid": "5741e2ec-c561-42cf-b588-29a1ad623876", "description": "{\"error_data\": {\"status_code\": \"500\", \"error_tag\": \"Command Execution Error\", \"error_message\": \"requestid: UI_f7c13421-4703-533a-e644-58d35cb01153,qUNw,XjRo,lUpD,nnUP.ae1c9508-d34c-11e9-9aea-0242ac10151a deviceid: b715277c-4d6b-442e-a905-bfbecdec9aba commit comment \\\"CSO_Rcspuser@XXXXXXXXXXXX.Site.DOMAIN# ... \\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\bQ_ID:UI_f7c13421-47cspuser@XXXXXXXXXXXX.Site.DOMAIN# ... \\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b3-533a-e644-58d35cbcspuser@XXXXXXXXXXXX.Site.DOMAIN# ... \\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b1153,qUNw,XjRo,lUpDcspuser@XXXXXXXXXXXX.Site.DOMAIN# ... \\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\b\\bnnUP\\\" \\n[edit security zones security-zone IOT]\\n 'interfaces ge-0/0/5.100'\\n Interface ge-0/0/5.100 must be configured under interfaces\\nerror: configuration check-out failed\\n\\n

Cause:

This issue arises due to a wrong combination of tagged and untagged lan-segments using same LAN port. This wrong combination leads the site to a bad state as no more lan-segments can be added after this state.

Solution:

Steps to trigger this issue:

CSO version 4.1.1

  1. Deploy site with one tagged LAN segments
  2. Click on the site and configure another untagged LAN segment
  3. Deployment of untagged LAN segment fails: Subsequent publish will fail with this LAN segment error
  4. If user attempts to delete untagged LAN and create tagged VLAN, it fails
  5. All the subsequent deployment job fails unless manually abstract config is cleared via any rest API
OR
  1. Deploy site with one untagged LAN segments
  2. Click on the site and configure another tagged LAN segment
  3. Deployment of tagged LAN segment fail: Subsequent publish will fail with this LAN segment error
  4. If user attempts to delete tagged LAN and create untagged VLAN, it fails
  5. All the subsequent deployment job fails unless manually abstract config is cleared via any rest API

If you are facing this issue, please contact your JTAC representative to resolve this issue. This workaround must be applied by JTAC to avoid any data inconsistencies.

The workaround is to delete ems-central/abstract-config object corresponding to srx-add-department-config. After this, it starts working until a wrong combination is tried again.

Fix: There is validation in place in CSO version 5.0.1/5.0.2 which prevents users to enter a wrong combination.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search