OVN Network Peering Stuck in PENDING State & ACL Configuration Issues

jas02 · December 10, 2025, 8:31pm

Hello,

I’m running into issues with inter-network connectivity between OVN networks in my MicroCloud setup and would appreciate guidance on the recommended approach.

Environment:

MicroCloud 2.1.1 LTS - 3-node cluster
LXD 5.21
Ubuntu 24.04 LTS
OVN overlay networking

Setup: I have two OVN networks that need to communicate:

Network A: 10.10.10.0/24 (NAT IP: 192.168.100.100)
Network B: 10.20.20.0/24 (NAT IP: 192.168.100.101)
Both connected to the same physical UPLINK network

Problem 1: Network Peering Stuck in PENDING

I attempted to create network peering between the networks:

lxc network peer create networkA peer-to-B target-network=networkB
lxc network peer create networkB peer-to-A target-network=networkA

The peers are created but remain in PENDING state indefinitely. Containers cannot ping across networks. Running ovn-nbctl show reveals that each OVN network has its own logical router (lxd-netX-lr), and there are no routes between them.

Problem 2: Security ACL Configuration Error

When trying to configure ACLs on the OVN network level, I get this error:

lxc network set networkB security.acls=my-acl
Error: Uplink address key "volatile.network.ipv6.address" cannot be empty 
when network address key "ipv6.address" is populated

Both networks have ipv6.address: none configured, and the UPLINK has no IPv6 configuration either.

Questions:

What is the recommended LXD/MicroCloud version for stable OVN multi-network setups? Should I upgrade from MicroCloud 2.1.1 LTS / LXD 5.21?
What is the proper way to enable inter-network communication between OVN networks in LXD? Should I:
- Use network peering (and if so, how to activate PENDING peers)?
- Manually configure OVN logical router interconnects?
- Use a different approach entirely?
Is the ACL error a known issue in LXD 5.21, and is there a workaround for applying ACLs to OVN networks?

For now, I can work around this by manually creating a transit network in OVN and adding static routes between the logical routers, but I assume LXD should handle this more elegantly.

Current OVN Topology:

Router lxd-netA-lr: 10.10.10.1/24 (external: 192.168.100.100/24)
Router lxd-netB-lr: 10.20.20.1/24 (external: 192.168.100.101/24)
No interconnection between routers

Any guidance would be greatly appreciated!

jpelizaeus · December 11, 2025, 9:44am

Hi,

What is the proper way to enable inter-network communication

The commands for creating the peering look odd to me.
Can you please try using the following:

lxc network peer create networkA peer-to-B networkB
lxc network peer create networkB peer-to-A networkA

See https://documentation.ubuntu.com/lxd/stable-5.21/reference/manpages/lxc/network/peer/create/

What is the recommended LXD/MicroCloud version

That looks fine. You can also check https://documentation.ubuntu.com/microcloud/latest/microcloud/reference/releases-snaps/#supported-and-compatible-releases.

Is the ACL error a known issue

I can reproduce this also using LXD latest/edge. It’s fine to have only IPv4 configured on the uplink.
You can make it work by unsetting the ipv6.address config key from the network using lxc network unset <network> ipv6.address. But I am not sure if this is meant like this by design.
If you don’t have an IPv6 uplink, it might not make sense to have an ipv6.address on the network as you anyway don’t have IPv6 uplink connectivity.
But you might still want to have cross OVN network IPv6 connectivity (via peering).

@tomp is this a bug?

tomp · December 11, 2025, 10:00am

I think this got fixed by Network: We don't need an OVN volatile uplink when the address is none by escabo · Pull Request #16459 · canonical/lxd · GitHub

If you’re following the 5.21 series, you can test this via 5.21/edge channel in non-production environments as it should have been backported now.

tomp · December 11, 2025, 10:02am

Sorry you’re reply didnt appear when I viewed this issue originally.

If its on latest/edge too then please log a bug here GitHub · Where software is built

tomp · December 11, 2025, 10:05am

One UX experience we could make here is that if the user has access to see networks in the target network we could reject the request if the network doesn’t exist.

Currently we allow the pending peer to be created because each end of the peer relationship can be setup by different people without both needing access to each other’s projects.

So we don’t allow validation of the target network name as it may not exist yet or the user may not be allowed to know if it exists or not.

jas02 · December 11, 2025, 12:29pm

Hi,

I’ve used correct peering syntax:

lxc network peer create networkA peer-to-B networkB
lxc network peer create networkB peer-to-A networkA

Status: CREATED (not PENDING)

Routing Tables Are Correct:

# ovn-nbctl lr-route-list lxd-netA-lr
10.20.20.0/24  10.20.20.1  dst-ip lxd-netA-lr-lrp-peer-netB

# ovn-nbctl lr-route-list lxd-netB-lr
10.10.10.0/24  10.10.10.1  dst-ip lxd-netB-lr-lrp-peer-netA

Problem: Packets Don’t Reach Destination

tcpdump analysis shows:

Source container (10.20.20.2): Outgoing SYN packets visible, receives RST responses
Destination container (10.10.10.3): NO packets arriving at all

This indicates OVN is generating RST responses without forwarding packets to the destination.

Troubleshooting Attempts:

ACL Rules: Added explicit allow rules with priority 1000:

bash

ovn-nbctl acl-add lxd-netB-ls-int from-lport 1000 "ip4.dst == 10.10.10.0/24" allow-related
ovn-nbctl acl-add lxd-netA-ls-int to-lport 1000 "ip4.src == 10.20.20.0/24" allow-related

Result: No change

Stateless Mode: Disabled connection tracking:

bash

ovn-nbctl set logical_switch lxd-netA-ls-int other_config:stateless=true
ovn-nbctl set logical_switch lxd-netB-ls-int other_config:stateless=true

Result: No change

Discovered Issue: Peer router ports created with /32 masks:

lxd-netA-lr-lrp-peer-netB: 10.10.10.1/32 (instead of /24)
lxd-netB-lr-lrp-peer-netA: 10.20.20.1/32 (instead of /24)

Attempted to fix by recreating ports with /24 masks - no change.

Transit Network Approach: Deleted peering, created manual transit network (10.255.0.0/30) with static routes between routers.
Result: Still no connectivity

Current OVN Topology:

Router lxd-netA-lr:
  - Internal: 10.10.10.1/24
  - External: 192.168.100.100/24
  - Route: 10.20.20.0/24 via transit

Router lxd-netB-lr:
  - Internal: 10.20.20.1/24
  - External: 192.168.100.101/24
  - Route: 10.10.10.0/24 via transit

Questions:

Why would OVN generate RST packets instead of forwarding to destination when routing is correct?
Is there a default drop policy or hidden ACL that could block inter-network traffic?
Are there known issues with OVN network peering or inter-router communication in LXD 5.21?
What is the recommended/tested approach for connecting multiple OVN networks in MicroCloud?

Is this LTS release of LXD/MicroCloud really so buggy? What release should I try instead?

tomp · December 11, 2025, 1:39pm

I just tried this on 5.21.4-9eb1368 using lxdbr0 as uplink:

lxc network show lxdbr0
name: lxdbr0
description: ""
type: bridge
managed: true
status: Created
config:
  ipv4.address: 10.143.95.1/24
  ipv4.dhcp.ranges: 10.143.95.10-10.143.95.20
  ipv4.nat: "true"
  ipv4.ovn.ranges: 10.143.95.21-10.143.95.30
  ipv6.address: fd42:4d22:5a5b:5310::1/64
  ipv6.nat: "true"

lxc network create ovn1 --type=ovn network=lxdbr0
lxc network create ovn2 --type=ovn network=lxdbr0
lxc launch ubuntu:24.04 c1 --network ovn1
lxc launch ubuntu:24.04 c2 --network ovn2
lxc ls
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| NAME |  STATE  |        IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| c1   | RUNNING | 10.99.198.2 (eth0)  | fd42:b0ce:3008:25d7:216:3eff:fe15:b52a (eth0) | CONTAINER | 0         |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| c2   | RUNNING | 10.208.250.2 (eth0) | fd42:a299:1fee:940a:216:3eff:fe3d:78ad (eth0) | CONTAINER | 0         |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+

Setup the peering between the networks:

lxc network peer create ovn1 ovn1-ovn2 ovn2
Network peer ovn1-ovn2 pending (please complete mutual peering on peer network)
lxc network peer create ovn2 ovn2-ovn1 ovn1
Network peer ovn2-ovn1 created

Test reachability between the two networks:

lxc exec c1 -- ping 10.208.250.2 -c2
PING 10.208.250.2 (10.208.250.2) 56(84) bytes of data.
64 bytes from 10.208.250.2: icmp_seq=1 ttl=62 time=0.066 ms
64 bytes from 10.208.250.2: icmp_seq=2 ttl=62 time=0.175 ms

--- 10.208.250.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1035ms
rtt min/avg/max/mdev = 0.066/0.120/0.175/0.054 ms

lxc exec c2 -- ping 10.99.198.2 -c2
PING 10.99.198.2 (10.99.198.2) 56(84) bytes of data.
64 bytes from 10.99.198.2: icmp_seq=1 ttl=62 time=0.848 ms
64 bytes from 10.99.198.2: icmp_seq=2 ttl=62 time=0.077 ms

--- 10.99.198.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.077/0.462/0.848/0.385 ms

The ovn routing table looks like this (with /24 and /64 peering routes):

ovn-nbctl lr-route-list lxd-net2-lr
IPv4 Routes
Route Table <main>:
          10.208.250.0/24              10.208.250.1 dst-ip lxd-net2-lr-lrp-peer-net3
                0.0.0.0/0               10.143.95.1 dst-ip lxd-net2-lr-lrp-ext

IPv6 Routes
Route Table <main>:
 fd42:a299:1fee:940a::/64    fd42:a299:1fee:940a::1 dst-ip lxd-net2-lr-lrp-peer-net3
                     ::/0    fd42:4d22:5a5b:5310::1 dst-ip lxd-net2-lr-lrp-ext


ovn-nbctl lr-route-list lxd-net3-lr
IPv4 Routes
Route Table <main>:
           10.99.198.0/24               10.99.198.1 dst-ip lxd-net3-lr-lrp-peer-net2
                0.0.0.0/0               10.143.95.1 dst-ip lxd-net3-lr-lrp-ext

IPv6 Routes
Route Table <main>:
 fd42:b0ce:3008:25d7::/64    fd42:b0ce:3008:25d7::1 dst-ip lxd-net3-lr-lrp-peer-net2
                     ::/0    fd42:4d22:5a5b:5310::1 dst-ip lxd-net3-lr-lrp-ext

tomp · December 11, 2025, 1:53pm

Suggest you disable/remove any ACLs you currently have, as well as undoing any custom modifications you’ve made to the ovn northbound DB (as that should not be necessary and puts ovn into an unknown state that might cause issues).

Then setup peering and make sure thats working before adding the ACLs.

The ACLs in LXD will cause all traffic to be dropped by default, including from peer connections, so once you’ve accounted for peering working without ACLs you’ll need to account for that traffic in your ACL rules when you add them.

You can also refer to peer networks using Network subject selectors:

https://documentation.ubuntu.com/lxd/stable-5.21/howto/network_acls/#subject-name-selectors-acl-groups

jas02 · December 11, 2025, 2:37pm

I probably have problem with UPLINK network. I have physical connection from network 192.168.100.0/24 on enp10s0 interface.

Howto properly configure this network interface before microcloud installation in netplan, so it can be used for uplink purpose?

jas02 · December 11, 2025, 8:59pm

I figured it out. Problem was indeed in uplink network setting. Now it works.

jpelizaeus · December 12, 2025, 8:00am

I have logged the ACL issue here Failing to assing ACL if OVN uplink has no IPv6 gateway · Issue #17247 · canonical/lxd · GitHub.

system · December 13, 2025, 8:00am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.