Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Known Limitations

This section describes the issues and limitations present in Cloud-Native Contrail Networking (CN2) Release 23.1.

General Routing

  • CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.

    Workaround: Do not configure fabric source NAT on an isolated namespace.

General Features

  • CN2-3256: cSRX workloads with sub-interfaces are not compatible with CN2.

  • CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.

    Workaround: Disable the juniperheader option to mirror both egress and ingress packets.

  • CN2-8729: If the nodeSelector field is not populated to run on a single node, the postflight check might show some error messages for UDP test. Also, ping and TCP tests will fail.

    Workaround: In the contrail-readiness-postflight.yaml file, populate the nodeSelector field to run on a single node.

  • CN2-5916: When four interfaces are configured in a bond interface on an X710 NIC, an mbuf leaf with traffic drop occurs.

    Workaround: Limit two interfaces in a bond configuration for an X710 NIC.

  • CN2-10346: When restarting a vRouter pod on kernel-mode nodes where vhost0 is installed onto bond interfaces, the bond IP address might gets assigned to a bond secondary interface instead of a bond primary interface.

    Run the following script for the workaround:

  • CN2-13314: The gateway service instance (GSI) does not work with a 4-byte ASN.

    Workaround: Use a 2-byte ASN when connecting workloads through the GSI service.

Red Hat OpenShift

CN2 Apstra Integration

  • CN2-13607: In a CN2 Apstra deployment, Apstra takes several minutes to create a virtual network.

CN2 and Kubernetes

  • CN2-4822: You can not configure BGPaaS objects on nodes that host the Contrail controller and worker nodes on same physical host.

    Workaround: None. Production deployments run the Kubernetes worker nodes and controller in different physical hosts

  • CN2-8728: When you deploy CN2 on AWS EC2 instances, running Kubernetes service traffic and Contrail datapath traffic on different interfaces is not supported.

    Workaround: Do not deploy Kubernetes and data traffic on the same interface in AWS.

  • CN2-10351: Kubevirt v0.58.0 does not support imagePullSecret, required for pulling images from the secure registry:

    Following these steps for the workaround:

    1. Install Docker.
    2. Create a local insecure registry.
    3. Restart Docker.
    4. Download the required containers. The containers are located at Release Userspace CNI - dpdk vhostuser interface support Juniper/kubevirt. These containers are stored as Assets.
    5. Load the containers.
    6. Tag and push the containers to the new insecure registry.
    7. Download operator.yaml and cr.yaml.
    8. Modify the kubevirt-operator.yaml to use your insecure registry.


  • CN2-4642: In CN2, the network policy uses the reserved tags application and namespace. These tags conflict with Contrail's reserved resources.

    Workaround: Do not use the application and namespace labels to identify the pod and namespace resources.

  • CN2-10012: If the network policy has a deny-all rule, removing it by updating the policy does not work.

    Workaround: Delete the policy and re-add it again.