Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Known Behavior

This section lists known limitations with Cloud-Native Contrail Networking Release 22.1.

General Routing

  • CN2-3234: When a flow matches an ingress network policy, the egress network policy is also allowed. The network policy in Cloud-Native Contrail Networking behaves differently than standard Kubernetes behavior.
  • CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.

    Workaround: Do not configure fabric source NAT on an isolated namespace.

  • CN2-3256: All cSRX workloads with subinterfaces are not compatible with Cloud-Native Contrail Networking.

  • CN2-4634: Configuring a local ASN parameter in a BGPRouter object interferes with the operation of a peer ASN parameter.

    Workaround: Do not configure the local ASN field. Use the peer ASN field to configure a BGP peer.

General Features

  • CN2-5166: When upgrading a CNI, sometimes Contour's load balance envoy readiness check fails. This is due to a bug in Contour. See: Envoy Pod Issue with Contour.

    Workaround: Restart Contour.


  • CN2-4642: In Cloud-Native Contrail Networking, the network policy uses the reserved tags "application" and "namespace". These tags conflict with Contrail's reserved resources.

    Workaround: Do not use application and namespace labels to identify the pod and namespace resources.

  • CN2-5201: In scaled environments, we recommend that you refer to the node tuning parameters of the corresponding distribution. For example, for OpenShift, follow the instructions Using the Node Tuning Operator.

  • CN2-5902: If a service label is shared between a working pod and non-working (terminating) pods, creating a service fails.

    Workaround: Remove the service label association from the non-working pods.


  • CN2-5916: When four interfaces are configured in a bond interface on an X710 NIC,an mbuf leak with traffic drop is observed.

    Workaround: Limit two interfaces in a bond configuration for X710 NICs.