Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Known Issues

This section lists the known issues in Cloud-Native Contrail Networking (CN2) Release 22.4.

General Routing

  • CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.

    Workaround: Do not configure fabric source NAT on an isolated namespace.

  • CN2-10038: The maximum number of virtual interfaces (VIFs) you can attach to a DPDK vRouter is 64. This includes the VIF used by the compute service pods running on the compute node.

General Features

  • CN2-3256: cSRX workloads with sub-interfaces are not compatible with CN2.

  • CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.

    Workaround: Disable the juniperheader option to mirror both egress and ingress packets.

  • CN2-8729: If the nodeSelector field is not populated to run on a single node, the postflight check might show some error messages for UDP test. Also, ping and TCP tests will fail.

    Workaround: In the contrail-readiness-postflight.yaml file, populate the nodeSelector field to run on a single node.

  • CN2-5916: When four interfaces are configured in a bond interface on an X710 NIC, an mbuf leaf with traffic drop occurs.

    Workaround: Limit two interfaces in a bond configuration for an X710 NIC.

  • CN2-10346: When restarting a vRouter pod on kernel-mode nodes where vhost0 is installed onto bond interfaces, the bond IP address might gets assigned to a bond secondary interface instead of a bond primary interface.

    Run the following script for the workaround:

Redhat OpenShift

  • CN2-7787: The Kubevirt deployment in Openshift 4.10 fails intermittently. See the Red Hat OCPBUGS-2535 for information.

CN2 and Kubernetes

  • CN2-4822: You can not configure BGPaaS objects on nodes that host the Contrail controller and worker nodes on same physical host.

  • Workaround: None. Production deployments run the Kubernetes worker nodes and controller in different physical hosts.

  • CN2-8728: When you deploy CN2 on AWS EC2 instances, running Kubernetes service traffic and Contrail datapath traffic on different interfaces is not supported.

    Workaround: Do not deploy Kubernetes and data traffic on the same interface in AWS.

  • CN2-9276: The custom default pod network does not support environments where Multus is installed. This includes Red Hat's OpenShift Container Platform and any Kubernetes distribution where Multus was manually installed.

  • CN2-10010: If you create more pods in a subnet than the number of available IP addresses, the usable IPs are blocked from the subnet when other active pods are deleted.

    Workaround: Delete the pods that failed to release the blocked IPs.

  • CN2-10351: Kubevirt v0.58.0 does not support imagePullSecret, required for pulling images from the secure registry:

    Following these steps for the workaround:

    1. Install Docker.
    2. Create a local insecure registry.
    3. Restart Docker.
    4. Download the required containers. The containers are located at Release Userspace CNI - dpdk vhostuser interface support Juniper/kubevirt. These containers are stored as Assets.
    5. Load the containers.
    6. Tag and push the containers to the new insecure registry.
    7. Download operator.yaml and cr.yaml.
    8. Modify the kubevirt-operator.yaml to use your insecure registry.


  • CN2-4642: In CN2, the network policy uses the reserved tags application and namespace. These tags conflict with Contrail's reserved resources.

    Workaround: Do not use the application and namespace labels to identify the pod and namespace resources.

  • CN2-10012: If the network policy has a deny-all rule, removing it by updating the policy does not work.

    Workaround: Delete the policy and re-add it again.