VMs Unreachable after vJailbreak Migration

Problem

After migrating VMs to PCD environment using vJailbreak, it was noticed multiple VMs running in a specific compute host were not reachable from compute host itself and also from external network, when checked using network connectivity tests. Identified the affected VMs were part of a common vLAN.

Environment

Private Cloud Director Virtualization - v2025.4 and Higher
Self-Hosted Private Cloud Director Virtualization - v2025.4 and Higher
Component: Nova
Network: vLAN

Cause

One of the VMs within the host will be blocking the connectivity due to the stale MAC address.

Diagnostics

Follow the below steps to run the diagnostics.

Identify target VMs on the host from the affected network. Usually all the VMs running on the same host from a specific network are affected

Command
    
 
openstack server list --all --host <host-uuid> | grep -i <network-name>
Copy

Find recently migrated / Created VMs: ( vm uuid captured from the point number 1)

Command
    
 
openstack server event list <VM-UUID>
Copy

Power off suspect VMs one by one (with confirmation) and check network reachability for other VMs.
Once identified the problematic VM which when powered off rest of the VMs in running state and using the affected Network are reachable, change the IP and MAC address of the OpenStack port attached to the problematic VM.
In the OVN flows for the affected VM, the evident traces of a stale route can be tracked as shown in the below example

Example OVN flow:

In the OVN flow 0x58 to decimal is 88.

Affected Host
    
 
65. reg15=0x58,metadata=0x14, priority 100, cookie 0xf8315af4    output:274
Copy

The corresponding rule to 88 was:

Affected Host
    
 
_uuid               : [UUID]dp_key              : 20mac                 : "[MAC_ADDRESS]"port_key            : 88
Copy

This was a stale route.

Workaround

Delete the existing port and let a port be created automatically so that a MAC address of the VM is changed.

OR
Delete the stale FDB from the ovn-sb pod using command:

Host
    
 
$ ovn-sbctl destroy fdb [FDB_UUID]
Copy

Post this change the network connectivity of the impacted VMs in the host will be resolved.

Resolution

Instead of disabling port security entirely, we recommend keeping the basic MAC-address validation enabled and applying a security group that allows all traffic. This approach ensures that:

The VM ports continue to enforce correct MAC-address learning.
The gateway MAC address is not mistakenly learned on VM interfaces.
All inbound and outbound traffic continues to flow without restriction.

This provides the required functionality while maintaining the minimal level of protection needed to prevent incorrect MAC entries from causing connectivity issues.

Validation

The VMs will respond to ping tests and accessible via SSH and virsh console.

Last updated on

Was this page helpful?