Open Issues

Learn about open issues in this release for CN2.

General Routing

  • CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.

    Workaround: Do not configure fabric source NAT on an isolated namespace.

  • CN2-17659: The forwarding class should have a namespace associated with it instead of using the default namespace.

General Features

  • CN2-3256: cSRX workloads with sub-interfaces are not compatible with CN2.

  • CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.

    Workaround: Disable the juniperheader option to mirror both egress and ingress packets.

  • CN2-5916: When 4 interfaces are configured in a bond interface on an X710 NIC, an mbuf leak with traffic drop occurs.

    Workaround: Limit the bond configuration to two interfaces on an X710 NIC.

Red Hat OpenShift

  • CN2-7787: The KubeVirt deployment in OpenShift 4.10 fails intermittently.

    See Red Hat OCPBUGS-2535 for a workaround.

  • CN2-13011: Red Hat OCP backup and restore fails.

    See Red Hat https://access.redhat.com/solutions/6964756 for a workaround.

  • CN2-17681: When creating a CN2 cluster using cluster-managed networking in OCP 4.14, the OpenShift machine-api cluster operator fails to come up. This occurs whether you create the cluster using the Assisted Installer or Advanced Cluster Management (ACM). With the Assisted Installer, the cluster comes up but may not be fully functional. With ACM, the cluster does not come up at all.

    Workaround: Create the CN2 cluster with user-managed networking instead of cluster-managed networking.

CN2 Apstra Integration

  • CN2-13607: In a CN2 Apstra deployment, Apstra takes several minutes to create a virtual network under a scaled scenario.

CN2 and Kubernetes

  • CN2-4508: A Contrail virtualnetwork subnet created through NAD cannot have a user-defined gateway.

    Workaround: None.

  • CN2-4822: You cannot configure BGPaaS objects on nodes that host the Contrail controller and worker nodes on the same physical host.

    Workaround: None. Production deployments run the Kubernetes worker nodes and controller on different physical hosts.

  • CN2-8728: When you deploy CN2 on AWS EC2 instances, running Kubernetes service traffic and Contrail datapath traffic on different interfaces is not supported.

    Workaround: Do not deploy Kubernetes and data traffic on the same interface in AWS.

  • CN2-14895: More pods are deployed than the VMI capacity of the nodes allows.

    When a custom pod scheduler is configured with the maximum VMI capacity as its threshold and pods are scheduled back-to-back in quick succession, more pods can be deployed than the configured threshold allows. This is due to the delay in data sync between the node and analytics.

    Workaround: Additional pod scheduling on the busy nodes will stop within a few seconds once the VMI data is synced between the nodes and analytics.

  • CN2-15530: Packet loss is observed in CN2 flow stickiness when scaling up from one to many pods (non-ECMP to ECMP).

    During scale-up, flow stickiness applies only within the ECMP group. Scaling up from one to many pods does not maintain flow stickiness.

    Workaround: Start with a minimum of 2 workloads and scale up.

  • CN2-15461: A BFD session does not come up when a health check is associated with 2 BGPaaS objects.

    Workaround: In environments where BFD is used with BGPaaS, if firewall policy is configured, ensure that the policy rules allow port 4784 (BFD packets).

Security

  • CN2-4642: In CN2, the network policy uses the reserved tags application and namespace. These tags conflict with Contrail's reserved resources.

    Workaround: Do not use the application and namespace labels to identify the pod and namespace resources.

  • CN2-10012: If the network policy has a deny-all rule, removing it by updating the policy does not work.

    Workaround: Delete the policy and re-add it.
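
A pre-deployment check for the CN2-4642 workaround, as an added example that is not Juniper's code: it scans NetworkPolicy objects for selectors that use the `application` or `namespace` label keys. It assumes the conflict applies to label keys in `podSelector` and `namespaceSelector`; the function names and the sample policies are constructed for illustration.

```python
# Added example: lint NetworkPolicy selectors for the label keys named in CN2-4642.
RESERVED_KEYS = {"application", "namespace"}  # reserved tags per CN2-4642

def selector_keys(selector):
    """Return every label key referenced by a Kubernetes LabelSelector."""
    if not selector:
        return set()
    keys = set(selector.get("matchLabels") or {})
    keys.update(e["key"] for e in selector.get("matchExpressions") or [])
    return keys

def policy_selectors(policy):
    """Yield (location, selector) for each selector in one NetworkPolicy."""
    spec = policy.get("spec") or {}
    yield "spec.podSelector", spec.get("podSelector")
    for direction, peers in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction) or []):
            for j, peer in enumerate(rule.get(peers) or []):
                for name in ("podSelector", "namespaceSelector"):
                    yield f"spec.{direction}[{i}].{peers}[{j}].{name}", peer.get(name)

def find_reserved_label_use(policy_list):
    """Return sorted (namespace, policy, location, key) for each reserved key."""
    findings = []
    for policy in policy_list.get("items") or []:
        meta = policy.get("metadata") or {}
        for location, selector in policy_selectors(policy):
            for key in selector_keys(selector) & RESERVED_KEYS:
                findings.append((meta.get("namespace", ""), meta.get("name", ""), location, key))
    return sorted(findings)

# Constructed sample, shaped like `kubectl get networkpolicy -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web-allow"},
     "spec": {"podSelector": {"matchLabels": {"application": "web"}},
              "ingress": [{"from": [
                  {"namespaceSelector": {"matchExpressions": [
                      {"key": "namespace", "operator": "In", "values": ["frontend"]}]},
                   "podSelector": {"matchLabels": {"app": "api"}}}]}]}},
    {"metadata": {"namespace": "shop", "name": "db-allow"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "egress": [{"to": [{"podSelector": {"matchLabels": {"tier": "cache"}}}]}]}},
]}

if __name__ == "__main__":
    for finding in find_reserved_label_use(SAMPLE):
        print(*finding)
```

Peers that carry only an `ipBlock` have no selectors and are skipped.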