-
Bug
-
Resolution: Cannot Reproduce
-
Undefined
-
None
-
None
-
None
-
False
-
-
False
-
rhel-9
-
None
-
-
The issue was originally reported by eolivare against Neutron and its stateless Security Groups: https://bugs.launchpad.net/neutron/+bug/2115053
After some investigation it seems that there are 2 different scenarios here:
- Neutron Security Group set to stateless and Neutron Floating IP set to stateful - this is exactly the case described in the u/s bug mentioned above, and the entry in the conntrack table looks like:
$ sudo conntrack -L --dst 10.100.0.41
tcp 6 113 SYN_SENT src=10.10.0.129 dst=10.100.0.41 sport=45892 dport=22 [UNREPLIED] src=10.100.0.41 dst=10.10.0.129 sport=22 dport=45892 mark=0 zone=11 use=1
conntrack v1.4.8 (conntrack-tools): 1 flow entries have been shown.
- Neutron Security Group set to stateless and Neutron Floating IP set to stateless (additional patch https://review.opendev.org/c/openstack/neutron/+/951511 in Neutron is needed for that, or it has to be set manually in the NAT entry's options). In this case the whole traffic is in the conntrack table:
$ sudo conntrack -L --dst 10.100.0.41
tcp 6 431994 ESTABLISHED src=10.10.0.129 dst=10.100.0.41 sport=45258 dport=22 src=10.100.0.41 dst=10.10.0.129 sport=22 dport=45258 [ASSURED] mark=0 zone=11 use=2
conntrack v1.4.8 (conntrack-tools): 1 flow entries have been shown.
That issue was observed initially in the upstream CI job which is using Ubuntu 24.04 and OVN 24.03, but I also confirmed that with OVN from the main branch:
$ sudo ovn-nbctl --version
ovn-nbctl 25.03.90
Open vSwitch Library 3.5.90
DB Schema 7.12.0
The same issue isn't observed in the CI jobs which are running on Ubuntu 22.04 with OVN 22.03.
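The observable that separates the two scenarios above is the conntrack flag on the flow: an [UNREPLIED] SYN_SENT entry where only one direction was ever seen, versus an [ASSURED] ESTABLISHED entry with both directions. The following Python is an added example, not code from the report or from the Neutron/OVN projects: it parses conntrack -L output into structured entries (original tuple, reply tuple, flags, mark/zone/use) and flags the half-open ones for a given destination. The sample output embedded in it is constructed from the two entries quoted above; the function and class names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the two entries quoted in the report (one per scenario),
# followed by the trailing summary line that conntrack-tools prints and that
# the parser must skip.
SAMPLE_OUTPUT = """\
tcp      6 113 SYN_SENT src=10.10.0.129 dst=10.100.0.41 sport=45892 dport=22 [UNREPLIED] src=10.100.0.41 dst=10.10.0.129 sport=22 dport=45892 mark=0 zone=11 use=1
tcp      6 431994 ESTABLISHED src=10.10.0.129 dst=10.100.0.41 sport=45258 dport=22 src=10.100.0.41 dst=10.10.0.129 sport=22 dport=45258 [ASSURED] mark=0 zone=11 use=2
conntrack v1.4.8 (conntrack-tools): 2 flow entries have been shown.
"""

# Keys that appear twice per line: first for the original direction, then for the reply.
TUPLE_KEYS = {"src", "dst", "sport", "dport"}


@dataclass
class ConntrackEntry:
    proto: str
    proto_num: int
    timeout: int
    state: Optional[str]          # TCP state, None for stateless protocols such as UDP
    orig: Dict[str, str] = field(default_factory=dict)
    reply: Dict[str, str] = field(default_factory=dict)
    flags: Set[str] = field(default_factory=set)
    attrs: Dict[str, str] = field(default_factory=dict)

    def is_unreplied(self) -> bool:
        # Only one direction seen: the reply never hit this conntrack zone.
        return "UNREPLIED" in self.flags

    def is_assured(self) -> bool:
        # Both directions seen, the entry will not be evicted early.
        return "ASSURED" in self.flags


def parse_conntrack_line(line: str) -> Optional[ConntrackEntry]:
    """Parse one line of `conntrack -L` output; return None for summary/blank lines."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[1].isdigit() or not tokens[2].isdigit():
        return None
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    # A bare word (no '=' and not bracketed) right after the timeout is the protocol state.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    entry = ConntrackEntry(proto, proto_num, timeout, state)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry.flags.add(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key in TUPLE_KEYS:
            # First occurrence belongs to the original tuple, second to the reply tuple.
            target = entry.orig if key not in entry.orig else entry.reply
            target[key] = value
        else:
            entry.attrs[key] = value
    return entry


def parse_conntrack_output(text: str) -> List[ConntrackEntry]:
    entries = (parse_conntrack_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def classify(entry: ConntrackEntry) -> str:
    """Map the flags to the two situations described in the report."""
    if entry.is_unreplied():
        return "half-open"       # scenario 1: only the original direction is tracked
    if entry.is_assured():
        return "bidirectional"   # scenario 2: the whole flow is tracked
    return "unknown"


def half_open_flows(entries: List[ConntrackEntry], dst: str) -> List[ConntrackEntry]:
    """Entries towards `dst` whose reply direction was never matched."""
    return [e for e in entries if e.orig.get("dst") == dst and e.is_unreplied()]


if __name__ == "__main__":
    for e in parse_conntrack_output(SAMPLE_OUTPUT):
        print(e.proto, e.state, e.orig["src"], "->", e.orig["dst"],
              "zone", e.attrs["zone"], classify(e))
```

Feeding it the real output of `sudo conntrack -L --dst <fip>` (saved to a file or read from a subprocess) lets you check which of the two scenarios a host is in without eyeballing the flags, and the zone attribute identifies which OVN conntrack zone the entry belongs to.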