Tenant Router Unreachable Due to Missing OVN Localnet Port on Provider Network

Problem

Tenant router gateway becomes unreachable from the external network even though the router and provider network configuration appear correct.

Environment

  • Private Cloud Director Virtualization - v2025.10 and Higher

  • Self-Hosted Private Cloud Director Virtualization - v2025.10 and Higher

  • Component - Networking

Cause

The issue occurs due to a race condition between Neutron worker processes during network and port creation.

When the network and associated ports are created concurrently, different Neutron workers may process these requests before the logical switch state is fully synchronized in OVN. As a result, the required localnet port is not created in the OVN logical switch. Without this port, the logical network cannot connect to the physical provider network bridge, preventing ARP responses from the router gateway and causing external connectivity failure.

This is a known bug in Neutron. An upstream fix has been released in the latest version. See Neutron commit 71ff8ee for more information.

Diagnostics

  1. Verify that the router status is ACTIVE and get the [NETWORK_ID]:

$ openstack router show <ROUTER_ID>

  2. Verify provider network configuration:

  • Physical network mapping should match the expected provider network

  • VLAN ID should match the configured external VLAN

  3. Verify the OVS bridge mappings on the gateway host:

Run the following command on the compute host where the router gateway port is scheduled.

The provider network (phprod in this example) must be mapped to the correct physical bridge (br-phy1).

  4. Verify that ARP requests reach the compute host:

Run the following commands on the compute host where the router gateway port is scheduled. This helps confirm whether ARP requests from the external network are reaching the host.

or on the provider bridge:

In this example:

  • 100.77.1.40 → External firewall

  • 100.77.1.50 → Router gateway IP

  • VLAN 266 → Provider network VLAN

The ARP request will typically appear as:

If ARP requests are visible but no ARP reply is observed, traffic is reaching the compute host over the physical network, but OVN is not responding to the ARP request.

  5. Verify OVN logical switch configuration:

Locate the logical switch corresponding to the network.

The expected configuration should include a localnet port:

If the localnet port is missing, the provider network cannot connect to the physical network, which prevents traffic from reaching the router gateway.


Note: See the Additional Information section for how to run OVN commands in your environment.

  6. Compare with a working provider network:

Run the following command to inspect a working external network.

If routers connected to this network work correctly while the failing network does not, the issue is isolated to the affected VLAN network.

Resolution

This issue is caused by a known Neutron race condition that has been addressed in the upstream project. An internal engineering tracker has been created for this issue: PCD-5897.

Workaround

As an immediate workaround, recreate the affected provider network so that the OVN logical switch and localnet port are created correctly.

  1. Delete the affected Network.

Run the following command from the controller node:

  2. Recreate the provider network:

  3. Recreate the router gateway:

Attach the router to the recreated network:

  4. Verify OVN localnet port creation:

Run:

Confirm the logical switch now contains:

Once the localnet port is present, traffic will be correctly patched between br-int and br-phy, restoring router connectivity.
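
The localnet check from Diagnostics step 5 and Workaround step 4 can be scripted across several provider networks at once. The following is an added example, not part of the original article: the function name missing_localnet and the sample data are constructed, and it assumes the usual `ovn-nbctl show` layout in which Neutron names each logical switch neutron-<network ID>.

```shell
#!/bin/sh
# Added example (not from the original article).
# missing_localnet NETWORK_ID...
#   Reads `ovn-nbctl show` output on stdin and prints, per network ID:
#   "<id> ok", "<id> MISSING-LOCALNET" or "<id> NO-SWITCH".
#   Returns non-zero if any listed network is not ok.
# Pass only provider network IDs: tenant overlay networks have no localnet port.
missing_localnet() {
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " "); bad = 0 }
        # Top-level block header: switch <uuid> (neutron-<network id>)
        /^switch / {
            cur = $3
            gsub(/[()]/, "", cur)
            sub(/^neutron-/, "", cur)
            seen[cur] = 1
            next
        }
        # Router blocks are not logical switches; stop attributing ports.
        /^router / { cur = ""; next }
        cur != "" && $1 == "type:" && $2 == "localnet" { has[cur] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                id = want[i]
                if (!(id in seen))     { print id, "NO-SWITCH"; bad = 1 }
                else if (!(id in has)) { print id, "MISSING-LOCALNET"; bad = 1 }
                else                     print id, "ok"
            }
            exit bad
        }'
}

# Constructed sample of `ovn-nbctl show` output (IDs shortened for readability).
sample_nb_show() {
cat <<'EOF'
switch 0a0a0a0a-0000-4000-8000-000000000001 (neutron-net-good)
    port provnet-net-good
        type: localnet
        tag: 266
        addresses: ["unknown"]
    port gw-port-1
        type: router
        router-port: lrp-gw-port-1
switch 0a0a0a0a-0000-4000-8000-000000000002 (neutron-net-broken)
    port gw-port-2
        type: router
        router-port: lrp-gw-port-2
router 0a0a0a0a-0000-4000-8000-000000000003 (neutron-router-1)
    port lrp-gw-port-1
EOF
}

sample_nb_show | missing_localnet net-good net-broken || true
```

On a live system, pipe the real `ovn-nbctl show` output into the function and pass the IDs of the provider networks to check.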

Additional Information

  1. Create an environment file ovs-alias.rc as below:

  2. Export the rc file and start using the ovn commands:


NOTE: ovn commands can also be executed from inside the OVN Northbound pod on the Management Cluster. Only Self-Hosted Private Cloud Director Virtualization users can run the steps below.

  1. Access the OVN Northbound pod in the Management Cluster using the command below.

  2. Run the below command to validate:
