We did a PCAP of a similar situation (A10 Networks load balancer VIPs) and having the VIP as an allowed address was only one part of the equation; your configuration may vary, but we found that the port also needed the allowed-address pairs of the client that it’s talking to, because it passes that traffic on; i.e. the VIP receives the traffic, and the back end doesn’t receive from the VIP, but from the client IP. In this way, the back end responds to the client (the A10 is the network gateway, which NATs out through the VIP for a complete return path).
Where these VIPs were for public networks (i.e. a website load balancer for a public API or similar) the allowed_address_pair had to be 0.0.0.0/0 if we were permitting any address on the internet to talk to the back end through the VIP. This was the alternative to completely disabling port security.
This might be similar to what you’re experiencing.
Kind Regards,
Joel McLean
Cyber Security and Product Development Manager
Australia’s First Tier IV Data Centre
https://www.micron21.com/
Tel: 1300 769 972 | 03 9751 7618 | 0407 888 429
Email: joel.mclean@micron21.com
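The reply above describes two behaviours of Neutron port security that are easy to get wrong: an allowed address pair for the VIP only lets the port send packets that actually carry the VIP as source (and receive packets addressed to it), so forwarded or NATed traffic carrying the client's address still needs the client address range (hence 0.0.0.0/0); and a pair given without a MAC is bound to the port's own MAC, so a VIP served from a different MAC (CARP answers from a virtual MAC of the form 00:00:5e:00:01:<VHID>, which I am assuming here rather than quoting from the thread) is dropped unless that MAC is in the pair too. The following is an added, editorial model of OVN's port-security filter, not code from either poster, Neutron or OVN; addresses, MACs and the simplified egress/ingress rules (broadcast, multicast and DHCP exceptions omitted) are constructed for illustration.

```python
"""Toy model of OVN port security (Neutron port_security_enabled anti-spoofing),
used to reason about VIPs and allowed_address_pairs. Constructed example, not
OVN or Neutron code; addresses and MACs are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class PortSecurity:
    """Simplified view of one logical switch port's port_security column.

    Neutron renders one "MAC IP" entry per fixed IP and per allowed address
    pair; a pair given without a MAC inherits the port's own MAC. OVN drops
    egress packets whose (eth.src, ip.src) match no entry, and ingress packets
    whose ip.dst matches no entry. ARP replies are checked the same way on
    (arp.sha, arp.spa), so a CARP ARP reply behaves like the ICMP case below.
    """
    port_mac: str
    fixed_ips: List[str]
    pairs: List[Tuple[str, Optional[str]]]  # (ip or cidr, mac or None)

    def entries(self):
        ents = [(self.port_mac.lower(), ipaddress.ip_network(ip))
                for ip in self.fixed_ips]
        for cidr, mac in self.pairs:
            ents.append(((mac or self.port_mac).lower(),
                         ipaddress.ip_network(cidr, strict=False)))
        return ents

    def allows_egress(self, p: Pkt) -> bool:
        src = ipaddress.ip_address(p.src_ip)
        return any(mac == p.src_mac.lower() and src in net
                   for mac, net in self.entries())

    def allows_ingress(self, p: Pkt) -> bool:
        dst = ipaddress.ip_address(p.dst_ip)
        return any(dst in net for _, net in self.entries())


# Constructed topology: a load balancer port owning the VIP, a backend behind
# it, and an Internet client. None of these addresses come from the thread.
LB_MAC, LB_IP, VIP = "fa:16:3e:aa:aa:01", "10.0.0.10", "10.0.0.100"
BACKEND_MAC, BACKEND_IP = "fa:16:3e:cc:cc:01", "10.0.0.20"
CLIENT_IP = "198.51.100.7"

REPLY_FROM_VIP = Pkt(LB_MAC, VIP, CLIENT_IP)            # NATed return traffic
FORWARD_TO_BACKEND = Pkt(LB_MAC, CLIENT_IP, BACKEND_IP)  # forwarded, client src kept
BACKEND_RESPONSE = Pkt(BACKEND_MAC, BACKEND_IP, CLIENT_IP)  # arrives via LB as gateway


def _lb_results(pairs) -> Dict[str, bool]:
    port = PortSecurity(LB_MAC, [LB_IP], pairs)
    return {
        "reply_from_vip": port.allows_egress(REPLY_FROM_VIP),
        "forward_to_backend": port.allows_egress(FORWARD_TO_BACKEND),
        "backend_response_in": port.allows_ingress(BACKEND_RESPONSE),
    }


def vip_only_results() -> Dict[str, bool]:
    """Only the VIP in allowed_address_pairs: forwarded traffic is dropped."""
    return _lb_results([(VIP, None)])


def any_address_results() -> Dict[str, bool]:
    """VIP plus 0.0.0.0/0: the alternative to disabling port security."""
    return _lb_results([(VIP, None), ("0.0.0.0/0", None)])


# CARP firewall member: the VIP is answered from the virtual MAC for VHID 1
# (assumed 00:00:5e:00:01:01), not from the Neutron port's own MAC.
FW_MAC, FW_IP = "fa:16:3e:bb:bb:01", "10.0.0.11"
CARP_MAC = "00:00:5e:00:01:01"


def carp_egress(with_mac: bool) -> bool:
    """Does an ICMP/ARP reply sourced from the CARP virtual MAC leave the port?"""
    pair_mac = CARP_MAC if with_mac else None
    fw = PortSecurity(FW_MAC, [FW_IP], [(VIP, pair_mac)])
    return fw.allows_egress(Pkt(CARP_MAC, VIP, "10.0.0.50"))


if __name__ == "__main__":
    print("VIP only          :", vip_only_results())
    print("VIP + 0.0.0.0/0   :", any_address_results())
    print("CARP pair, no MAC :", carp_egress(with_mac=False))
    print("CARP pair with MAC:", carp_egress(with_mac=True))
```

The two knobs the model exercises map to `openstack port set --allowed-address ip-address=0.0.0.0/0 <port>` for the forwarding case and `openstack port set --allowed-address ip-address=<vip>,mac-address=<virtual-mac> <port>` for the CARP case; whether the real deployment needs either depends on what a capture on the member port shows as source MAC and IP, which is why the reply above starts from a PCAP.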
From: Nguyễn Hữu Khôi <nguyenhuukhoinw@gmail.com>
Sent: Tuesday, 10 March 2026 12:03 PM
To: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: [openstack][neutron][ovn] Cannot ping VIP without disabling port security
Hello,
I am setting up HA OPNsense on OpenStack, and here are the steps I followed.
I successfully configured CARP between two firewall instances, but from a PC in the same subnet as the VIP, I cannot ping the VIP address. When I capture traffic on the master firewall, I can see the ARP request and reply, but on my PC I do not see any reply packets.
I have also configured allowed_address_pairs with the VIP address on the member ports, but the VIP only responds when I disable port security.
Additionally, I created a port with the VIP address and assigned a floating IP to it. However, it does not work unless I disable the port admin state. When I repeatedly refresh the browser (press F5 many times), the traffic is redirected between the two firewall members, which means the connection does not remain persistent on the CARP master.
Is there any additional configuration required in OpenStack (Neutron / OVN) to properly support CARP VIPs without disabling port security?
Thank you for your assistance.
Nguyen Huu Khoi