In PCF 1.10 and PCF 1.11, when using the CF CLI with the network policy plugin to administer policies, the allow-access [0] command fails with the following error:
$ cf allow-access <SOURCE-APP> <DESTINATION-APP> --protocol <PROTOCOL> --port <PORT>
Allowing traffic from <SOURCE-APP> to <DESTINATION-APP> as admin...
FAILED
adding policies: 500 Internal Server Error: policies-create: database create failed
Problems creating policies are usually caused by issues on the policy server virtual machines (VMs). When the policy server's database is a MySQL version older than 5.7, policy creation fails with this error. Looking further into the policy-server logs, you will see an entry like the following:
{"timestamp":"1509378875.429716587","source":"container-networking.policy-server","message": "container-networking.policy-server.policies-create: database create failed","log_level":2,"data": {"error":"creating destination: Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE\n\t\tNOT EXISTS (\n\t\t\tSELECT *\n\t\t\tFROM destinations\n\t\t\tWHERE group_id = ? AND ' at line 3"}}
NOTE: In PCF 1.10 the policy server is co-located on the Cloud Controller VM(s), so `bosh ssh` onto a Cloud Controller VM and view the logs in /var/vcap/sys/log/policy-server/*. In PCF 1.11 the policy server has its own VM, so `bosh ssh` onto the policy-server VM and view the logs in the same path, /var/vcap/sys/log/policy-server/*.
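The log entry above is a MySQL parse error at the WHERE that follows the inserted values, which is the shape of an "insert if absent" query written as INSERT ... SELECT ... WHERE NOT EXISTS without a FROM clause. The following is an added example, not code from this article or from the policy server itself: the table columns and query are reconstructed from the fragment in the log and are assumptions, and the statements are meant to be run by hand against a scratch schema on the database version in question to confirm which MySQL you are dealing with and to see the syntax difference for yourself.

```sql
-- Added example (not from the KB article or the cf-networking code base).
-- Table and query shape are assumptions reconstructed from the logged fragment
-- "... WHERE NOT EXISTS (SELECT * FROM destinations WHERE group_id = ? AND ...".

-- 1. Confirm which MySQL the policy server is actually talking to.
SELECT VERSION();

-- 2. Minimal stand-in for the policy server's destinations table (assumed columns).
CREATE TABLE IF NOT EXISTS destinations (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  group_id INT NOT NULL,
  port     INT NOT NULL,
  protocol VARCHAR(16) NOT NULL
);

-- 3. Insert-if-absent written as a SELECT with a WHERE clause but no FROM clause.
--    MySQL 5.7 and later accept this; MySQL 5.6 and earlier reject it with
--    "Error 1064 ... near 'WHERE NOT EXISTS ...'", which matches the log entry.
INSERT INTO destinations (group_id, port, protocol)
SELECT 1, 8080, 'tcp'
WHERE NOT EXISTS (
  SELECT * FROM destinations
  WHERE group_id = 1 AND port = 8080 AND protocol = 'tcp'
);

-- 4. The same statement with an explicit FROM DUAL, which both 5.6 and 5.7 parse.
INSERT INTO destinations (group_id, port, protocol)
SELECT 1, 8080, 'tcp' FROM DUAL
WHERE NOT EXISTS (
  SELECT * FROM destinations
  WHERE group_id = 1 AND port = 8080 AND protocol = 'tcp'
);

-- 5. Running step 4 twice must still leave exactly one matching row.
SELECT COUNT(*) FROM destinations
WHERE group_id = 1 AND port = 8080 AND protocol = 'tcp';
```

Step 3 is the check: if it fails with Error 1064 on your database while step 4 succeeds, the policy server is running against a pre-5.7 MySQL and you are hitting this issue. Do not hand-patch the policy server's queries or its database; the supported fix is the Elastic Runtime upgrade described below.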
To resolve this issue, upgrade Pivotal Cloud Foundry Elastic Runtime to version 1.10.33 [1] for PCF 1.10, or to version 1.11.17 for PCF 1.11.