Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[CSO] SD-WAN policy fails with "error_tag": "Command Execution Error"

0

0

Article ID: KB36350 KB Last Updated: 11 Dec 2020Version: 1.0
Summary:

This article explains why an SD-WAN policy deployment for matching “NETFLIX-VIDEO" application traffic may fail with "error_tag": "Command Execution Error" and gives the steps to resolve the error and succeed with the SD-WAN deployment in Contrail Service Orchestration (CSO).

 

Symptoms:

Job failure for a deployment task in the CSO UI:

 

Cause:

To analyze the job log for the above mentioned failure, navigate to CSO UI > Monitor > Jobs > Job Log.

 
 <Log Snip>
 
Nov 10, 2020, 10:15:57 AM SDWAN policy configuration deployment on device <device1> with device id 25b684d8-5652-43f7-aebb-799297483d26 failed.
Exception occurred while executing workflow to configure SD-WAN policy on the device. Error Config deploy failed:
{"error_data": {"status_code": "500", "error_tag": "Command Execution Error", "error_message": "requestid: api_server_db_40a675b7-475a-420a-bc2d-c3225e37b75c,api_server_db_40a675b7-475a-420a-bc2d-c3225e37b75c,xw7G,Vdwp,a82S,b3N8.9afd2ee2-230f-11eb-b093-c22b13788f7d deviceid: 25b684d8-5652-43f7-aebb-799297483d26 \\n\\n\\nprotocol\\noperation-failed\\nerror\\n\\nappsecured\\n\\n\\n[edit groups nfx-gwr-cos-policy-config class-of-service application-traffic-control rule-sets pr_cos_LAN rule r_cos_d_LAN_p_NP-Control-1_s_ZIBO-HL-256K match]\\n\\n\\n\\napplication junos:NETFLIX-VIDEO\\n\\n\\n\\nno match for application name\\n\\n\\n\\nprotocol\\noperation-failed\\nerror\\n\\nappsecured\\n\\n\\n[edit groups nfx-gwr-cos-policy-config class-of-service application-traffic-control rule-sets pr_cos_LAN rule r_cos_d_LAN_p_NP-Control-1_s_ZIBO-HL-256K]\\n\\n\\n\\nmatch\\n\\n\\n\\nasd_read_rule_match get application match failure\\n\\n\\n\\nprotocol\\noperation-failed\\nerror\\n\\nappsecured\\n\\n\\n[edit groups nfx-gwr-cos-policy-config class-of-service application-traffic-control rule-sets pr_cos_LAN rule r_cos_d_LAN_p_NP-Control-1_s_ZIBO-HL-256K]\\n\\n\\n\\nmatch\\n\\n\\n\\nasd_read_rule rule match failure\\n\\n\\n\\nprotocol\\noperation-failed\\nerror\\n\\nappsecured\\n\\n\\n[edit groups nfx-gwr-cos-policy-config class-of-service application-traffic-control rule-sets
 

From the above job logs, you can see that the job failed because there was “no match for application name” for application junos:NETFLIX-VIDEO.

 

Solution:

To resolve the error, perform the following steps:

  1. Get the OAM IP address of the tenant device where the policy is intended to deploy.​​

  2. Go to the Tenant page in CSO UI and search for the device name that was obtained from the logs in the site list. The OAM IP address can be obtained from here.

  1. Log in to the device by using the OAM IP address and check the device to see whether NETFLIX-VIDEO is listed with the current signature package.

user@GWR.device1# set class-of-service application-traffic-control rule-sets test rule test match application junos:NET NETFLIX?
Possible completions:
<name_value> Specify application name to match
junos:NETFLIX-STREAM
{primary:node0}[edit]
## It doesnt have "NETFLIX-VIDEO" application listed. ​​​
  1. Check the application signature version. Note that the application version shows as 3271.

show services application-identification version
node0:
--------------------------------------------------------------------------
Application package version: 3271
node1:
--------------------------------------------------------------------------
Application package version: 3271
  1. ​Check the application signature version in the CSO UI, which is showing as 3324.

The device (CPE) is shown to have an older version of the signature package.

  1. Update the latest signature pack to the device from CSO.

When the latest signature is installed, SD-WAN deployment will be successful. 

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search