Comment 3 for bug 1536080

Ramu Ramamurthy (ramu-ramamurthy) wrote :

The problem reproduces as below:

Initially a ping session was started with a VM from the dhcp namespace.
The relevant OVN acl shows as:
from-lport 1002 (inport == "da8bd41a-5809-4036-8a12-af6d4140685c" && ip4) allow-related
to-lport 1002 (outport == "da8bd41a-5809-4036-8a12-af6d4140685c" && ip4 && icmp4) allow-related

Conntrack on that connection shows:
[stack@ovncontroller-01 devstack]$ sudo conntrack -L | grep 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1

Now the ICMP security group rule is deleted
[stack@ovncontroller-01 devstack]$ neutron security-group-rule-delete e3a3888b-e0c8-4af9-88a0-17f1c617a4ff

Conntrack still shows the connection and ping is still ongoing to the VM
[stack@ovncontroller-01 devstack]$ sudo conntrack -L | grep 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1

Now we delete the conntrack state as below:
[stack@ovncontroller-01 devstack]$ sudo conntrack -D -p icmp -s 10.0.0.2 -d 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1
conntrack v1.4.2 (conntrack-tools): 2 flow entries have been deleted.

Then the ping to the VM stops.
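Added example, not from the reporter or from networking-ovn/Neutron: the steps above show that deleting the security-group rule leaves the conntrack entries in place, so the allow-related ACL keeps matching the existing flow until the entries are removed by hand. The script below reads `conntrack -L` output on stdin and prints the `conntrack -D` commands for every entry still matching a revoked rule, one per zone. It assumes the first src=/dst= pair on a conntrack line is the original direction (as in the entries quoted above) and that `-w` is conntrack(8)'s zone selector; the sample input is constructed from the report's entries plus an unrelated TCP flow.

```shell
#!/bin/sh
# Added example, not part of the bug report or of networking-ovn/Neutron.
# Reads `conntrack -L` output on stdin and prints the `conntrack -D` commands
# that would remove every entry still matching a revoked security-group rule,
# one per zone, so an allow-related ACL can no longer match the stale flow.
#
# Assumptions (not stated on the page): the first src=/dst= pair on a line is
# the original direction, and `-w` is conntrack(8)'s zone selector.

# Constructed sample of `conntrack -L` output, modelled on the report: the
# same ICMP flow tracked in zones 3 and 1, plus an unrelated TCP flow.
SAMPLE='icmp     1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp     1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.4 sport=45678 dport=22 src=10.0.0.4 dst=10.0.0.2 sport=22 dport=45678 [ASSURED] mark=0 zone=3 use=1'

# stale_deletes PROTO DST [SRC] < conntrack-output
# PROTO and DST are taken from the deleted rule (here: icmp to the VM);
# SRC optionally narrows the match to one peer. Only prints; deletes nothing.
stale_deletes() {
    proto=$1; dst=$2; src=${3:-}
    awk -v proto="$proto" -v dst="$dst" -v src="$src" '
        $1 != proto { next }
        {
            osrc = ""; odst = ""; zone = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                # first src=/dst= seen is the original direction
                if (kv[1] == "src" && osrc == "") osrc = kv[2]
                if (kv[1] == "dst" && odst == "") odst = kv[2]
                if (kv[1] == "zone") zone = kv[2]
            }
            if (odst != dst) next
            if (src != "" && osrc != src) next
            if (zone == "") zone = 0
            printf "conntrack -D -p %s -s %s -d %s -w %s\n", proto, osrc, odst, zone
        }'
}

# Stand-alone run against the constructed sample. On a real host, replace the
# printf with `sudo conntrack -L` and pipe the printed commands into `sudo sh`.
printf '%s\n' "$SAMPLE" | stale_deletes icmp 10.0.0.4
```

The `conntrack -D -p icmp -s 10.0.0.2 -d 10.0.0.4` in the report removed both zone copies at once; the script prints one command per zone instead so the zone being flushed is explicit in the output. The ICMP id is deliberately not part of the selector, since a revoked rule should drop every tracked flow between those endpoints, not just the one echo session.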