OpenShift Bugs / OCPBUGS-58355

After an egress IP is moved to a different node, pods won't receive any TCP traffic until they send some traffic


    • Quality / Stability / Reliability
    • Important

      Description of problem:

      If some client pod is connecting to an external server through an egress IP and the egress IP is moved to a different node, then the pod won't receive any more traffic from the server until it sends at least some TCP traffic, i.e. server(external)→client(pod) communication won't work until any client(pod)→server(external) traffic is seen.

      Version-Release number of selected component (if applicable):

      4.17.33

      How reproducible:

      Always

      Steps to Reproduce:

      1. Have an egress IP and 2 egress-assignable nodes
      2. Optional (only required if you previously moved the egress IP): On the node that is not currently holding the egress IP, run conntrack --flush or reboot it.
      3. Start a dummy nc/socat TCP server on an external location
      4. Connect a dummy nc/socat TCP client from a pod with egress IP to the dummy server
      5. Send some traffic (it will work)
      6. Force the egress IP to move to a different node by removing the egress-assignable label
      7. Do not send any traffic from client to server
      8. Send some traffic from server to client

      Actual results:

      No traffic from the server reaches the client unless the client sends some traffic to the server. Once the client has sent some traffic, the server may re-transmit the traffic not previously seen by the client and those re-transmissions may reach the client.

      Expected results:

      No traffic lost.

      Additional info:

      Issue found at a customer.

      There is the obvious workaround of having the client always send something to the server, but it cannot be assumed or required. It is legit to have a TCP connection where there is only server-to-client traffic; that is legit, and such traffic should not be lost if possible.

      I'll be posting a detailed analysis in the comments.

              bbennett@redhat.com Ben Bennett
              rhn-support-palonsor Pablo Alonso Rodriguez
              Anurag Saxena Anurag Saxena
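
As an added example (not part of the original report and not OpenShift code), here is a Python stand-in for the nc/socat pair in steps 3 to 8: a server that pushes numbered lines with an idle window in between, and a client that never writes application data and counts receive stalls. The function names, the loopback address and the timing values are assumptions; in the reproduction the server would run at the external location and the client in the pod, with the egress IP moved during the idle window.

```python
import socket
import threading
import time

def push_server(listener, first, second, pause):
    """Accept one client, push `first` numbered lines, stay idle for `pause`
    seconds (the window for moving the egress IP), then push `second` more.
    The server never reads from the connection."""
    conn, _ = listener.accept()
    with conn:
        for seq in range(first + second):
            if seq == first:
                time.sleep(pause)  # connection is fully idle here
            conn.sendall(f"{seq}\n".encode())

def silent_client(host, port, expected, stall_after, max_stalls):
    """Receive-only client: connects, never writes application data, and
    counts every `stall_after`-second window in which nothing arrived.
    Choose stall_after larger than the server's pause to avoid false stalls."""
    seen, stalls, buf = [], 0, b""
    with socket.create_connection((host, port)) as sock:
        sock.settimeout(stall_after)
        while len(seen) < expected and stalls < max_stalls:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                stalls += 1  # server-to-client data is not arriving
                continue
            if not chunk:  # server closed the connection
                break
            buf += chunk
            *lines, buf = buf.split(b"\n")
            seen.extend(int(line) for line in lines)
    return seen, stalls

def loopback_demo(first=3, second=2, pause=0.2):
    """Constructed local run: both ends on 127.0.0.1, so nothing is lost."""
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    server = threading.Thread(target=push_server,
                              args=(listener, first, second, pause))
    server.start()
    result = silent_client("127.0.0.1", port, first + second, 1.0, 3)
    server.join()
    listener.close()
    return result

if __name__ == "__main__":
    print(loopback_demo())
```

A run that returns fewer sequence numbers than expected together with a non-zero stall count means the lines sent after the idle window never reached the client.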