Dynamic Kernel Module Support fails to build DPDK kernel modules for OpenContrail v3.2.3 on kernels newer than v4.8. The workaround is to use DPDK libraries v17.02 instead of v2.1.


If the OpenContrail cluster has ports with the allowed address pair (AAP) prefix length less than /24 for IPv4 and /120 for IPv6, such AAPs may not work after the upgrade of OpenContrail v3.2 to v4.0. The workaround is to modify all AAPs on all virtual interfaces through the OpenContrail web UI. For example, change to


Fixed in 2019.2.3 In the OpenContrail 4.x deployments, after restoring the ZooKeeper database, contrail-control may be inactive on all ntw nodes due to an issue with permissions for certificates.


  1. Log in to the Salt Master node.

  2. Change permissions:

    salt -C 'I@opencontrail:control' 'chown -R contrail:contrail /etc/contrail'
  3. Verify that the files are owned by the OpenContrail user:

    salt -C 'I@opencontrail:control' 'ls -la /etc/contrail'


Fixed in 2019.2.3 In the OpenContrail 4.x deployments, some web UI tabs fail to open. For example, opening of Setting -> Config Editor raises [SyntaxError: Failed to parse JSON body: Unexpected end of input] in logs. Opening of Monitor -> Infrastructure -> Virtual Router restarts the web UI with The worker has disconnected error in logs.


  1. Log in to any ntw or nal node.
  2. In /etc/haproxy/haproxy.cfg, remove the option nolinger parameter from the contrail-api and contrail-analytics sections of the file.
  3. Repeat the step 2 on the remaining ntw and nal nodes.


The OpenContrail web UI may display the Instance data is available in config but not available in analytics false error message for some properly operating SNAT instances in Monitoring > Virtual Routers > Instances. Do not remove such instances.


Tempest tests may cause contrail-api fail to start. The workaround depends on the workloads put on the cloud after performing the tempest test, contact Mirantis support to resolve the issue.


Fixed in 2019.2.8 Updating the name of a shared network in the Horizon web UI fails with the Failed to update network <network_name> error message. As a workaround, update the network through CLI or the OpenContrail web UI.


Fixed in 2019.2.4

The Kafka service may fail to start on the MCP deployments with OpenContrail 4.1.

The Kafka service has the timeout option for connection to the ZooKeeper cluster. Sometimes, the specified timeout value is less than the time needed for ZooKeeper to perform election and start the service requests. The Kafka service stops working if connection to the ZooKeeper cluster is not established during the specified amount of time (timeout).


  1. Log in to the Salt Master node.

  2. Start the failed Kafka service on the affected node(s):

    salt -C "<affected_node_name>" "doctrail analyticsdb service confluent-kafka start"


Opening or refreshing the OpenContrail 4.1 web UI in the Google Chrome browser causes the SSH handshake failure.


Select from the following options:

  • Use a different browser, for example, Firefox or Safari
  • Access the OpenContrail web UI through the prx nodes


The OpenContrail 4.1 vRouter may crash when applying the contrail-vrouter-agent configuration. No workaround is required, the vRouter automatically restarts after the crash and correctly applies the new configuration.


After upgrading an MCP cluster, some VMs on the OpenStack compute nodes can be unreachable through a floating IP due to an incorrect checksum. In such case, the InterfaceConfiguration: Virtual-network UUID mismatch for interface error entry appears in the vrouter-agent log for the interface of the affected VM.

The workaround is to manually disable tx-checksumming for the bond interface. For details, see Juniper documentation: Troubleshooting: SSH/TCP traffic fails in Contrail due to checksum errors.


  1. Log in to the OpenStack compute node that runs the affected VM.

  2. Disable tx-checksumming for the bond interface:

    ethtool -K bond0 tx off