The labnet* hosts don't use Ferm, as Nova configures it's own set of iptables rules and the same applies to the labtestnet* hosts.
While testing the new Stretch-based Cumin master cumin2001 with debdeploy I noticed that it failed to connect to labtestnet2003. Puppet runs were successful, but the new IP address of cumin2001 wasn't added to the $CUMIN_MASTERS macro in /etc/ferm/conf.d/00_defs.
The reason is that in commit 9f0d55323c5 the role of that host was switched from role(test) (which has profile::base::firewall) to role(wmcs:openstack::labtest::net_standby) (which doesn't have profile::base::firewall due to Nova). However, the old ferm installation (and the stale config files which were formerly added via Puppet) is still around and blocks Cumin.
While it would be possible to manually remove ferm this seems a bit brittle, so a reimage of labtestnet2003 is probably the cleanest solution given that it's a test host.