Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Open Issues

Learn about open issues in this release for CN2 23.3.

General Routing

  • CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.

    Workaround: Do not configure fabric source NAT on an isolated namespace.

General Features

  • CN2-3256: cSRX workloads with sub-interfaces are not compatible with CN2.

  • CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.

    Workaround: Disable the juniperheader option to mirror both egress and ingress packets.

  • CN2-5916: When 4 interfaces are configured in a bond interface on an X710 NIC, an mbuf leaf with traffic drop occurs.

    Workaround: Limit two interfaces in a bond configuration for an X710 NIC.

  • CN2-10346: When restarting a vRouter pod on kernel-mode nodes where vhost0 is installed onto bond interfaces, the bond IP address is assigned to a bond secondary interface instead of a bond primary interface.

    Run the following script for the workaround:

  • CN2-13314: The gateway service instance (GSI) does not work with a 4-byte ASN.

    Workaround: Use a 2-byte ASN when connecting workloads through the GSI service.

  • CN2-17407: In compute nodes running the Intel N6000 SmartNIC with CN2 23.3, it is necessary to add 12 Byes to the actual MTU expected from the interface.

Red Hat OpenShift

  • CN2-7787: The KubeVirt deployment in Openshift 4.10 fails intermittently.

    See Red Hat OCPBUGS-2535 for a workaround.

  • CN2-13011: Red Hat OCP backup and restore fails.

    See Red Hat https://access.redhat.com/solutions/6964756 for a workaround.

  • CN2-16593: Monitor API used to fetch Prometheus metadata fails on OCP.

    Some observability and monitoring widgets in the CN2 UI do not work in an OCP deployment.

    The following are some of the widgets that might not render data in the UI:

    • Dashboard > Observability: CN2 Workloads, Kubernetes Overview, Top Nodes by Workload Utilization, CN2 Overview-Workload.

    • Monitoring > Orchestration > Ingress: CPU Utilization, Memory utilization.

    • On Monitoring > Orchestration > DNS: Core DNS Details, Queries handled by Cluster.

    • On Monitoring > CN2 > Controllers > Analytics: CPU utilization of database engines, Memory utilization of database engines.

    • On Monitoring > CN2 > Metrics: Only a few metrics are populating.

    Workaround: Use the Analytics API to obtain the date for the affected widgets.

CN2 Apstra Integration

  • CN2-13607: In a CN2 Apstra deployment, Apstra takes several minutes to create a virtual network under a scaled scenario.

  • CN2-13428: VNI does not update in Apstra in an Intra-VN topology.

    In CN2 Apstra integrated environments, updating the VNI associated to a VN is not supported through Apstra.

    Workaround: If you need to update any VNI parameters, delete the VN and recreate it with new VNI parameters.

CN2 and Kubernetes

  • CN2-4508: Contrail virtual network subnet created through NAD can not have user defined gateway.

    Workaround: None.

  • CN2-4822: You can not configure BGPaaS objects on nodes that host the Contrail controller and worker nodes on same physical host.

    Workaround: None. Production deployments run the Kubernetes worker nodes and controller in different physical hosts.

  • CN2-8728: When you deploy CN2 on AWS EC2 instances, running Kubernetes service traffic and Contrail datapath traffic on different interfaces is not supported.

    Workaround: Do not deploy Kubernetes and data traffic on the same interface in AWS.

  • CN2-10351: KubeVirt v0.58.0 does not support imagePullSecret, required for pulling images from the secure registry: enterprise-hub.juniper.net/contrail-container-prod/.

    Following these steps for the workaround:

    1. Install Docker.
    2. Create a local insecure registry.
    3. Restart Docker.
    4. Download the required containers. The containers are located at Release Userspace CNI - dpdk vhostuser interface support Juniper/kubevirt. These containers are stored as Assets.
    5. Load the containers.
    6. Tag and push the containers to the new insecure registry.
    7. Download operator.yaml and cr.yaml.
    8. Modify the kubevirt-operator.yaml to use your insecure registry.
  • CN2-14895: Pods are being deployed more than the VMI capacity of the nodes.

    When a custom pod scheduler is configured with maximum VMI capacity as thresholds, if the pods are scheduled back-to-back in quick succession, it is possible that more pods are deployed than the configured threshold. This is due to the delay in data sync between the node and analytics.

    Workaround: Additional pod scheduling on the busy nodes will stop within a few seconds once the VMI data is synced between the nodes and analytics.

  • CN2-15530: Packet loss is observed in CN2 flow stickiness when scaling up from one to many pods (non-ECMP to ECMP).

    During scale up flow stickiness is applicable only within the ECMP group. Scale up from one to many pods does not maintain flow stickiness.

    Workaround: Start with a minimum of 2 workloads and scale up.

  • CN2-15461: BFD session is not coming up when healthcheck is associated with 2 BGPaaS objects.

    Workaround: In environments where BFD is used with BGPaaS, if firewall policy is configured, ensure that the policy rules allow port 4784 (BFD packets).

Security

  • CN2-4642: In CN2, the network policy uses the reserved tags application and namespace. These tags conflict with Contrail's reserved resources.

    Workaround: Do not use the application and namespace labels to identify the pod and namespace resources.

  • CN2-10012: If the network policy has a deny-all rule, removing it by updating the policy does not work.

    Workaround: Delete the policy and re-add it again.

CN2 Pipelines

  • CN2-15876: Tests are triggered when files in a different folder from the one specified in the YAML file directory are committed. The cn2networkconfig folder is specified in the values.yaml as the directory for commits and files are merged tests expected to be triggered. Argo CD only supports syncing from the path specified in the Helm chart as a part of CN2 pipeline startup.

    Workaround: Only commit to the cn2networkconfig directory.

  • CN2-16034: Auto-created CN2 objects puts Argo out-of-sync after the commit. Creating a NAD starts the virtualRouter and subnets which are flagged as out-of-sync by Argo.

    Workaround: Add the resource.exclusions: in charts/argo-cd/templates/argocd_sa.yaml

    Workaround added to Helm chart: