Known Issues

• If you create a firewall policy and deploy it to the device, and subsequently create one or more firewall policy intents without re-deploying the policy, the firewall policy is automatically deployed to the device when there's a change in the topology, such as the addition of a new site, department, or LAN segment.

  Workaround: Create firewall policy intents when you intend to deploy them to the device and re-deploy the policy. [CXU-15794]

• In a HA setup, the time configured for the CAN VMs might not be synchronized with the time configured for the other VMs in the setup. This can cause issues in the throughput graphs.

  Procedure

  Workaround:

  1. Log in to can-vm1 as root.
  2. Modify the /etc/ntp.conf file to point to the desired NTP server.
  3. Restart the NTP process.

  After the NTP process restarts successfully, can-vm2 and can-vm3 automatically re-synchronize their times with can-vm1.

  [CXU-15681]

• On NFX Series devices, Touch Provisioning (ZTP) fails when you commit the stage-1 configuration when no VLAN is configured. [CXU-13446]
• If you create VNF instances in the Contrail cloud by using Heat Version 2.0 APIs, a timeout error occurs after 120 instances are created.

  Workaround: If you want to create more than 120 instances (up to a maximum of 500 instances), use the Heat Version 1.0 APIs instead.

• SD-WAN policies are incorrectly deployed automatically when signatures are not installed. [CXU-14799]
• Rebooting the central infrastructure node might result in redis clusters not restarting properly.

  Procedure

  Workaround:

  1. Log in to the infrastructure node as root.
  2. At the shell prompt, run the kubectl get pods | grep secmgt-sm command to get the names of the security management pods that did not come up.
  3. Restart each pod by executing the kubectl delete pods secmgt-podname command.

  [CXU-16307]

• If any nodes are in the “not ready” state while deploying micro services, some docker pods might not come up in the “running” state.

  Workaround: Log in to the VM that is having the problem and restart the docker service by executing the sudo service docker restart command. [CXU-16541]

• The automatic NAT deployment job for the first site in the mesh topology fails and is not listed in the pending deployments window.

  Workaround: Open the Configuration > Deployments > History window, select the failed job and click Re-Deploy. [CXU-16652]