Red Hat OpenStack Services on OpenShift: OSPRH-14185

Security Groups behavior difference between ML2-OVS and ML2-OVN

    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Normal
    • Component: neutron-operator
    • Severity: Important

The customer has an SG implementation based on ML2-OVS and is in the process of moving to ML2-OVN. The deployed VNF uses two VMs in ECMP mode, where incoming traffic can be directed to either VM by the gateway node. The SG is defined only on one of the VMs, which initiates the TCP connection for the service.

However, the response to the TCP SYN is received at the other VM of the VNF, which does not have the conntrack state for the connection. In ML2-OVS this worked, because the SG implementation did not drop the packet when there was no existing conntrack state; it passed the TCP response on to the other VM, which does have the conntrack state for the TCP connection, so the TCP connection was established successfully. In ML2-OVN, when the TCP response is received at the alternate VM, there is no state for the connection, the TCP response is dropped by the SG, and the connection establishment fails.

Release: RHOSP 17.1 RHEL 9.2

Please refer to the following diagram.

This is a blocker for the customer and will need a fix or workaround for RHEL 9.2.x, or a hotfix.

cc: rhn-support-vanhoof
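The scenario in the description, modelled as an added Python example (it is not code from the report, OpenStack, OVS or OVN): two VM ports, each with its own conntrack table, an SG egress rule only on the initiating VM, a constructed ECMP hash that sends the SYN-ACK back to the other VM, and a switch between strict stateful filtering (the ML2-OVN behaviour the report describes) and the ML2-OVS behaviour the report describes, where a reply with no matching state is still let through. The shared VIP, the addresses, the ports, the hash function and the assumption that both VMs carry an SG (the second one without the egress rule) are all constructed for the example.

```python
"""Toy model of the two security-group behaviours the report contrasts.
Constructed example; not OpenStack, OVS or OVN code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" leaving the VNF, "SYN-ACK" coming back from the remote service


@dataclass
class PortFilter:
    """SG filter on one VM port with its own per-port conntrack table (constructed)."""
    name: str
    egress_allowed_dports: frozenset
    drop_unknown_replies: bool  # True: strict stateful filtering (ML2-OVN per the report)
    conntrack: set = field(default_factory=set)

    def egress(self, pkt: Packet) -> bool:
        """VM -> network. A permitted SYN creates conntrack state on this port only."""
        if pkt.dport not in self.egress_allowed_dports:
            return False
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def ingress(self, pkt: Packet) -> bool:
        """network -> VM. Accepted when it is the reply to a flow this port tracked."""
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conntrack:
            return True
        # No state on this port: strict mode drops the reply; the ML2-OVS behaviour
        # described in the report lets it through anyway.
        return not self.drop_unknown_replies


def ecmp_pick(pkt: Packet, n_paths: int) -> int:
    """Gateway ECMP choice for return traffic (constructed, deterministic hash)."""
    return (pkt.sport + pkt.dport) % n_paths


def run_scenario(strict: bool, sport: int = 40000) -> dict:
    """VM1 opens a TCP connection from the shared VIP; the gateway hashes the
    SYN-ACK onto one of the two VM paths. Returns what happened at each step."""
    vms = [
        PortFilter("vm1", frozenset({443}), strict),  # SG with the egress rule
        PortFilter("vm2", frozenset(), strict),       # SG without it (assumed)
    ]
    vip, remote = "10.0.0.100", "203.0.113.10"  # constructed addresses
    syn = Packet(vip, sport, remote, 443, "SYN")
    syn_ack = Packet(remote, 443, vip, sport, "SYN-ACK")

    result = {"syn_allowed": vms[0].egress(syn)}
    target = vms[ecmp_pick(syn_ack, len(vms))]
    result["reply_delivered_to"] = target.name
    result["reply_accepted"] = result["syn_allowed"] and target.ingress(syn_ack)
    # The report treats the SYN-ACK reaching either VM of the VNF as a successful
    # handshake (the VNF hands it on internally); the SG only decides whether it gets in.
    result["connection_established"] = result["reply_accepted"]
    return result


if __name__ == "__main__":
    for strict in (False, True):
        label = "strict (ML2-OVN as reported)" if strict else "permissive (ML2-OVS as reported)"
        print(label, run_scenario(strict))
        # With a different source port the hash lands on vm1 and both modes succeed.
        print(label, "alt path", run_scenario(strict, sport=40001))
```

With the default source port the SYN-ACK is hashed onto vm2: the permissive filter accepts it with no state, the strict one drops it and the handshake fails. With a source port that hashes onto vm1, the reply matches the state created by the SYN and both modes succeed, which is why the failure only shows up for some connections of an ECMP-fronted VNF.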

    • mtomaska@redhat.com Miro Tomaska
    • rh-ee-gurpsing Gurpreet Singh
    • rhos-dfg-networking-squad-neutron