More roles testing issues. I am using the show datapath session table command and the show acl hits command, but do not see any denied traffic, but the traffic is not getting out. There are no restrictions beyond the controller, so it appears to be the roadblock.
It appears the traffic is hitting the implicit deny in the policy, but I can't prove that. Is there something I am missing?