Policy and Workloads
Container workload profile updates could generate a PCE error (E-84624)
Occasionally, updating the labels or enforcement mode of a container workload profile fails with a 500 Internal Server Error. This is caused by concurrent C-VEN and Kubelink background activity.
Workaround: Retry the PUT request; the update should then succeed.
Tunnel IP appears on VM's inbound port unnecessarily in Illumio policy (E-84081)
In a policy managing traffic between a Kubernetes pod (source) and an external managed Virtual Machine (Provider), the managed VM has both the Host IP and the Tunnel IP on the inbound port. Illumio needs only the pod's Host IP on the external VM; the host's tunnel IP address is unnecessary.
While this situation doesn't impact functionality, Illumio plans to correct this in a future release.
Enforcement Boundary filter returns Potentially Blocked flows mislabeled "no Rule" (E-83415)
Enforcement Boundaries filtered by IP Lists and displayed in the Draft View include Potentially Blocked flows that are labeled "no Rule" instead of "Blocked by Boundary." As it's not possible to enforce a boundary on flows with no rules, the "no Rule" status appears in error.
Workaround: If you see the "no Rule" status in these circumstances, assume that the flows are "Blocked by Boundary."
Virtual Server Mode does not map directly to the management state in the Web Console (E-78370)
Any virtual server discovered on an SLB is considered to be in the “Managed” state when it has a corresponding entry in the virtual server list page. A managed virtual server could be either Not Enforced or Enforced. The virtual_servers object in the API returns a “Managed: Not Enforced” virtual server as “unmanaged.”
No workaround is available.
Incorrect error message displayed when a ruleset is given a name that's in use (E-74498)
After a sequence such as creating and provisioning a ruleset (ruleset A), renaming it ruleset B, creating a new ruleset A, and then reverting the modifications to ruleset B, the UI displays an incorrect “500” error instead of an error message stating that the ruleset name is already in use.
Policy restore impacts the virtual services of a container cluster (E-73979)
The issues are as follows:
When policy is restored to a version before the creation of a container cluster’s virtual services, the container cluster’s virtual services are marked for deletion in the draft change.
When a container cluster is deleted, restoring its virtual services is possible through policy restore.
No workaround is available.
Inconsistencies in rule coverage for the Windows process-based rules (E-71700)
The draft view of Illumination and Explorer could show an incorrect draft policy decision for traffic covered by a rule using a service with a Windows process or service name. This generally happens when there is a port/protocol specified in the rule in addition to the process/service name, or when a non-TCP/UDP protocol is used in the rule. In these cases, the reported view provides the correct policy decision as reported by the VEN based on the active policy.
No workaround is available.
Rule search with virtual service and labels returns an incorrect rule (E-65081)
When a rule is written with a virtual service whose labels conflict with the ruleset scope, and a rule search is done for the virtual service, the rule search could return the rule even though the rule does not apply due to the scope conflict.
Workaround: Use rule search to ensure that the rule applies to the virtual services and the scope labels separately.
Unable to select multiple protocols in Rule Search (E-57782)
If you try to select multiple protocols in Rule Search, you cannot select a second protocol after selecting the first. For example, if you select TCP and then want to select UDP, the UI does not display the protocol option again.
Workaround: This issue occurs only in the PCE web console. Using the REST API, you can select multiple protocols and obtain the correct search results.