Also affects us. We found this problem happens with every keep-alive connection, like tunnels (not only GRE).
After some investigating we found this: in file neutron/agent/linux/openvswitch_firewall/firewall.py, in function OVSFirewallDriver.update_port_filter(), there is a time window between "delete port rules" and "add port rules". If any packet arrives on an already established connection between the delete/add events, then it is marked as invalid (conntrack_mark=1) and future packets are dropped by table 82 in OVS.
Any rules update on a port causes such connections to stop working.