Is there an existing issue for this?

• I have searched the existing issues

What happened?

Hey, I use cilium in generic-veth chaining mode with kube-ovn. Kube-proxy replacement is enabled in strict mode.

Everything works as expected. However external traffic to service with externalTrafficPolicy: Cluster forwarded to pods on external nodes always reseted:

11:52:30.232445 IP 192.168.100.13.57196 > 10.244.0.129.80: Flags [S], seq 1862326452, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1540021380 ecr 0,sackOK,eol], length 0
11:52:30.232539 IP 10.244.0.129.80 > 192.168.100.13.57196: Flags [S.], seq 499673168, ack 1862326453, win 32352, options [mss 1360,sackOK,TS val 2139715536 ecr 1540021380,nop,wscale 7], length 0
11:52:30.232877 IP 192.168.100.13.57196 > 10.244.0.129.80: Flags [R], seq 1862326453, win 0, length 0

In case if I disable hostLegacyRouting option, I see that external services traffic can reach pods on both local and remote nodes, however in this case any pods on the same nodes can’t reach each-other, packets are just dropped for some reason.

Cilium Version

Client: 1.15.5 8c7e442 2024-05-10T16:33:07+02:00 go version go1.21.10 linux/amd64
Daemon: 1.15.5 8c7e442 2024-05-10T16:33:07+02:00 go version go1.21.10 linux/amd64

Kernel Version

Linux srv1 6.6.29-talos #1 SMP Tue Apr 30 14:51:50 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

v1.30.0

Regression

No response

Sysdump

cilium-sysdump-20240524-220902.zip

1.pcap.gz

Relevant log output

No response

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct