IPv6 L2 announcement not responding to NDP requests, SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST

[morpig]

Is there an existing issue for this?

• I have searched the existing issues

Version

v1.19.0-pre.4

What happened?

We are testing a full IPv6 only cluster including External IPs for gateway.

Our setup is a mix of on-prem & AWS nodes, routed over vxlan for cross-node comms.

However, when deploying a service with external IP allocated by Cilium's IPAM, it is not reachable from external networks.

In our case, we have Node A (on-prem) with IPv6 setup as follows
- Network iface to router: ens16
- Allocated from router: redacted::a0/64
- Node IP: redacted:a0:f000::1
- IPAM pool range: redacted:a0:f000:e000::/112

No issue in accessing Service External IP from other nodes:

# curl [redacted:f000:e000::] -v
*   Trying [redacted:f000:e000::]:80...
* Connected to redacted:f000:e000:: (redacted:f000:e000::) port 80
> GET / HTTP/1.1
> Host: [redacted:f000:e000::]
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< date: Wed, 14 Jan 2026 17:10:23 GMT
< content-length: 0

When accessing from external networks:

# curl [redacted:f000:e000::]
curl: (7) Failed to connect to redacted:f000:e000:: port 80 after 3070 ms: No route to host

we can confirm cilium agent at Node A leased the l2announcement with the correct iface:

# kubectl exec pods/cilium-4rlrt -n kube-system -- cilium-dbg shell -- db/show l2-announce
IP                             NetworkInterface
redacted:f000:e000::   ens16

device policy selector confirms ens16 as selected:

# kubectl exec pods/cilium-4rlrt -n kube-system -- cilium-dbg shell -- db/show devices
Name              Index   Selected   Type     MTU     HWAddr              Flags                               Addresses                                                           OperStatus
lo                1       false      device   65536                       up|loopback|running                 127.0.0.1, ::1                                                      unknown
ens16             2       true       device   1500    52:50:a3:9a:5f:ef   up|broadcast|multicast|running      public-ipv4, redacted:f000::1, fe80::5050:a3ff:fe9a:5fef   up
tailscale0        3       true       tuntap   1280                        up|pointtopoint|multicast|running   100.97.5.124, fd7a:115c:a1e0::1037:57c, fe80::e8d1:16ad:bf96:3761   unknown
cilium_net        4       false      veth     1500    e6:d9:29:59:b5:f1   up|broadcast|multicast|running      fe80::e4d9:29ff:fe59:b5f1                                           up
cilium_host       5       false      veth     1500    e2:a0:b0:91:05:7d   up|broadcast|multicast|running      fd00::1fb                                                           up
cilium_vxlan      6       false      vxlan    1500    46:2d:26:83:e2:59   up|broadcast|multicast|running      fe80::442d:26ff:fe83:e259                                           unknown
lxcb74eabdd685c   12      false      veth     1500    86:15:6f:6c:bc:28   up|broadcast|multicast|running      fe80::8415:6fff:fe6c:bc28                                           up
lxc0945d7c4e55a   14      false      veth     1500    ae:a4:d5:7d:79:3c   up|broadcast|multicast|running      fe80::aca4:d5ff:fe7d:793c                                           up
lxc86ace3de4332   16      false      veth     1500    02:07:d7:af:0b:88   up|broadcast|multicast|running      fe80::7:d7ff:feaf:b88                                               up
lxcce738733f2ea   18      false      veth     1500    de:02:f6:dd:72:a3   up|broadcast|multicast|running      fe80::dc02:f6ff:fedd:72a3                                           up
lxc13143c5d2f23   20      false      veth     1500    6a:a8:5b:0d:3d:79   up|broadcast|multicast|running      fe80::68a8:5bff:fe0d:3d79                                           up
lxc74003e980dce   28      false      veth     1500    6a:71:a9:8b:20:e4   up|broadcast|multicast|running      fe80::6871:a9ff:fe8b:20e4                                           up
lxc9ad71d2cb02e   32      false      veth     1500    ae:d0:f4:31:bb:1c   up|broadcast|multicast|running      fe80::acd0:f4ff:fe31:bb1c                                           up
lxc18de018533db   34      false      veth     1500    fe:15:2e:a6:8e:19   up|broadcast|multicast|running      fe80::fc15:2eff:fea6:8e19                                           up
lxc_health        56      false      veth     1500    b2:37:7c:c2:8a:d7   up|broadcast|multicast|running      fe80::b037:7cff:fec2:8ad7                                           up

pwru seeing NDP requests coming in:

0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  86    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) eth_type_trans
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) skb_defer_rx_timestamp
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  86    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) skb_ensure_writable
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  86    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) skb_ensure_writable
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ip6_rcv_core
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) nf_hook_slow
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) nf_ip6_checksum
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) __skb_checksum_complete
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ip6_route_input
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ip6_mc_input
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ip6_input
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) nf_hook_slow
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ip6_input_finish
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  72    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ip6_protocol_deliver_rcu
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) raw6_local_deliver
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ipv6_raw_deliver
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) icmpv6_rcv
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) __pskb_pull_tail
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  24    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ndisc_rcv
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  24    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) __pskb_pull_tail
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) ndisc_recv_ns
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) kfree_skb_reason(SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST)
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) skb_release_head_state
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) skb_release_data
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) skb_free_head
0xffff8d0ec469dd00 3   <empty>:0        4026531840 0            ens16:2      0x86dd 1500  32    [redacted:2a03:2880:0:f329]:0->[ff02::1:ff00:0]:0(icmp6) kfree_skbmem

tcpdump version:

17:18:47.639811 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) redacted:2a03:2880:0:f329 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has redacted:f000:e000::
          source link-address option (1), length 8 (1): c2:04:0b:f1:ed:c8
            0x0000:  c204 0bf1 edc8

we're lost here, please guide us for more debug info.

How can we reproduce the issue?

we're running cilium + envoy gateway

kubeProxyReplacement: true
routingMode: tunnel
enableIPv6Masquerade: true

underlayProtocol: "ipv6"
tunnelProtocol: "vxlan"

devices: eth+,ens+,tailscale0
MTU: 1500

ipv4:
  enabled: false

ipv6:
  enabled: true

gatewayAPI:
  enabled: true

cni:
  exclusive: false

envoy:
  enabled: false

socketLB:
  enabled: true
  hostNamespaceOnly: true
  lbMapMax: 131072

operator:
  replicas: 2
  rollOutPods: true

l2announcements:
  enabled: true

l2NeighDiscovery:
  enabled: true

Cilium Version

v1.19.0-pre.4

Kernel Version

ubuntu 24 + 6.14.0-1018-aws

Kubernetes Version

v1.34.3+k3s1
containerd://2.1.5-k3s1

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[yuito-it]

This issue may possibly related.

• [Release Testing] IPv6 NDP L2 Advertise intermittently missing and external traffic fails after lease changes #43530

[msune]

No issue in accessing Service External IP from other nodes:

By this you mean other worker nodes or other nodes in the same L2 segment in general. If that is working, then the L2 announcement feature is working correctly.

When accessing from external networks:

# curl [redacted:f000:e000::]
curl: (7) Failed to connect to redacted:f000:e000:: port 80 after 3070 ms: No route to host

This seems to indicate that this specific host doesn't have a route to reach redacted:f000:e000::. It doesn't look like it's L2 announcements related, at first glance.

What is the output of?

ip -6 route get redacted:f000:e000::

[morpig]

Hi @msune, sorry for not being clear.

By this you mean other worker nodes or other nodes in the same L2 segment in general.

Other worker node (let's call it Node B, AWS) that is completely seperate from Node A's v6 network (on-prem)

To reiterate, it is possible to access the service IP from Worker Node B AWS to Worker Node A on-prem:

# curl [redacted:f000:e000::] -v
*   Trying [redacted:f000:e000::]:80...
* Connected to redacted:f000:e000:: (redacted:f000:e000::) port 80
> GET / HTTP/1.1
> Host: [redacted:f000:e000::]
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 404 Not Found

# ip -6 route get redacted:f000:e000::
redacted:f000:e000:: from :: via fe80::cb7:7fff:fe98:5133 dev ens5 proto ra src AWS_IP:5dd8:cf2a:b5ee:5d14 metric 100 hoplimit 255 pref medium

^going to default route.. does cilium carry/takeover service IP traffic?

# ping redacted:f000::1 - ping to Node's A server IP
PING redacted:f000::1 (redacted:f000::1) 56 data bytes
64 bytes from redacted:f000::1: icmp_seq=1 ttl=57 time=29.3 ms
64 bytes from redacted:f000::1: icmp_seq=2 ttl=57 time=28.9 ms

We can confirm there is no issue between external client <> Node A's server IP (still within the /64 block with service IP)

# ping redacted:f000::1
PING redacted:f000::1(redacted:f000::1) 56 data bytes
64 bytes from redacted:f000::1: icmp_seq=1 ttl=58 time=12.3 ms
64 bytes from redacted:f000::1: icmp_seq=2 ttl=58 time=12.3 ms

# curl [redacted:f000:e000::]
curl: (7) Failed to connect to redacted:f000:e000:: port 80 after 13347 ms: No route to host

Additional info from node A:

NDP from router:
09:52:22.007714 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::4e73:4f08:d927:52c1 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has redacted:f000:e000::
          source link-address option (1), length 8 (1): 4c:73:4f:27:52:c1
            0x0000:  4c73 4f27 52c1

# ip maddr show
2:      ens16
        link  33:33:00:00:00:01
        link  01:00:5e:00:00:01
        link  33:33:ff:9a:5f:ef
        link  01:80:c2:00:00:00
        link  01:80:c2:00:00:03
        link  01:80:c2:00:00:0e
        link  33:33:ff:00:00:01
        link  33:33:00:00:00:02 users 2
        inet  224.0.0.1
        inet6 ff02::1:ff00:0 users 2
        inet6 ff05::2
        inet6 ff01::2
        inet6 ff02::2
        inet6 ff02::1:ff00:1
        inet6 ff02::1:ff9a:5fef
        inet6 ff02::1 users 2
        inet6 ff01::1

# ip neigh show
PUBLIC_v4_IP dev ens16 lladdr 4c:73:4f:27:52:c1 managed extern_learn REACHABLE
fe80::4426:3cff:fe89:8a11 dev ens16 lladdr 46:26:3c:89:8a:11 STALE
redacted:2a03:2880:0:f329 dev ens16 lladdr c2:04:0b:f1:ed:c8 STALE
fe80::54b3:72ff:fe9e:72e0 dev ens16 lladdr 56:b3:72:9e:72:e0 STALE
redacted::1 dev ens16 lladdr 4c:73:4f:27:52:c1 router managed extern_learn REACHABLE
redacted:f000::1 dev ens16 managed extern_learn INCOMPLETE
fe80::4e73:4f08:d927:52c1 dev ens16 lladdr 4c:73:4f:27:52:c1 router STALE
fe80::c004:bff:fef1:edc8 dev ens16 lladdr c2:04:0b:f1:ed:c8 STALE

[morpig]

Adding some cilium logs

# kubectl logs -f cilium-xff96 -n kube-system | grep -E "bpf|ens16|error"
time=2026-01-15T09:33:36.759183334Z level=info msg="option bpf-ct-global-tcp-max set by dynamic sizing to 131072"
time=2026-01-15T09:33:36.759197848Z level=info msg="option bpf-ct-global-any-max set by dynamic sizing to 65536"
time=2026-01-15T09:33:36.75920695Z level=info msg="option bpf-nat-global-max set by dynamic sizing to 131072"
time=2026-01-15T09:33:36.759215931Z level=info msg="option bpf-neigh-global-max set by dynamic sizing to 131072"
time=2026-01-15T09:33:36.761252733Z level=info msg="  --bpf-auth-map-max='524288'"
time=2026-01-15T09:33:36.761264189Z level=info msg="  --bpf-conntrack-accounting='false'"
time=2026-01-15T09:33:36.761282398Z level=info msg="  --bpf-ct-global-any-max='262144'"
time=2026-01-15T09:33:36.761294941Z level=info msg="  --bpf-ct-global-tcp-max='524288'"
time=2026-01-15T09:33:36.761310365Z level=info msg="  --bpf-ct-timeout-regular-any='1m0s'"
time=2026-01-15T09:33:36.761322457Z level=info msg="  --bpf-ct-timeout-regular-tcp='2h13m20s'"
time=2026-01-15T09:33:36.761337322Z level=info msg="  --bpf-ct-timeout-regular-tcp-fin='10s'"
time=2026-01-15T09:33:36.761348962Z level=info msg="  --bpf-ct-timeout-regular-tcp-syn='1m0s'"
time=2026-01-15T09:33:36.761363946Z level=info msg="  --bpf-ct-timeout-service-any='1m0s'"
time=2026-01-15T09:33:36.761375758Z level=info msg="  --bpf-ct-timeout-service-tcp='2h13m20s'"
time=2026-01-15T09:33:36.76145749Z level=info msg="  --bpf-ct-timeout-service-tcp-grace='1m0s'"
time=2026-01-15T09:33:36.761478469Z level=info msg="  --bpf-distributed-lru='false'"
time=2026-01-15T09:33:36.761491915Z level=info msg="  --bpf-events-default-burst-limit='0'"
time=2026-01-15T09:33:36.761503392Z level=info msg="  --bpf-events-default-rate-limit='0'"
time=2026-01-15T09:33:36.761514409Z level=info msg="  --bpf-events-drop-enabled='true'"
time=2026-01-15T09:33:36.761540012Z level=info msg="  --bpf-events-policy-verdict-enabled='true'"
time=2026-01-15T09:33:36.761551369Z level=info msg="  --bpf-events-trace-enabled='true'"
time=2026-01-15T09:33:36.761562892Z level=info msg="  --bpf-filter-priority='1'"
time=2026-01-15T09:33:36.761574394Z level=info msg="  --bpf-fragments-map-max='8192'"
time=2026-01-15T09:33:36.761584919Z level=info msg="  --bpf-lb-acceleration='disabled'"
time=2026-01-15T09:33:36.761596124Z level=info msg="  --bpf-lb-affinity-map-max='0'"
time=2026-01-15T09:33:36.761607229Z level=info msg="  --bpf-lb-algorithm='random'"
time=2026-01-15T09:33:36.761617539Z level=info msg="  --bpf-lb-algorithm-annotation='false'"
time=2026-01-15T09:33:36.761628469Z level=info msg="  --bpf-lb-dsr-dispatch='opt'"
time=2026-01-15T09:33:36.761638841Z level=info msg="  --bpf-lb-external-clusterip='false'"
time=2026-01-15T09:33:36.761649785Z level=info msg="  --bpf-lb-ipip-sock-mark='false'"
time=2026-01-15T09:33:36.761661026Z level=info msg="  --bpf-lb-maglev-hash-seed='JLfvgnHc2kaSUFaI'"
time=2026-01-15T09:33:36.761672143Z level=info msg="  --bpf-lb-maglev-map-max='0'"
time=2026-01-15T09:33:36.761683253Z level=info msg="  --bpf-lb-maglev-table-size='16381'"
time=2026-01-15T09:33:36.761693741Z level=info msg="  --bpf-lb-map-max='65536'"
time=2026-01-15T09:33:36.761704499Z level=info msg="  --bpf-lb-mode='snat'"
time=2026-01-15T09:33:36.76171479Z level=info msg="  --bpf-lb-mode-annotation='false'"
time=2026-01-15T09:33:36.761725475Z level=info msg="  --bpf-lb-nat46x64='false'"
time=2026-01-15T09:33:36.761736441Z level=info msg="  --bpf-lb-rev-nat-map-max='0'"
time=2026-01-15T09:33:36.761750152Z level=info msg="  --bpf-lb-rss-ipv4-src-cidr=''"
time=2026-01-15T09:33:36.761763028Z level=info msg="  --bpf-lb-rss-ipv6-src-cidr=''"
time=2026-01-15T09:33:36.761774314Z level=info msg="  --bpf-lb-service-backend-map-max='0'"
time=2026-01-15T09:33:36.761785384Z level=info msg="  --bpf-lb-service-map-max='0'"
time=2026-01-15T09:33:36.76179567Z level=info msg="  --bpf-lb-sock='true'"
time=2026-01-15T09:33:36.761806085Z level=info msg="  --bpf-lb-sock-hostns-only='true'"
time=2026-01-15T09:33:36.761817392Z level=info msg="  --bpf-lb-sock-terminate-pod-connections='true'"
time=2026-01-15T09:33:36.761828252Z level=info msg="  --bpf-lb-source-range-all-types='false'"
time=2026-01-15T09:33:36.761839564Z level=info msg="  --bpf-lb-source-range-map-max='0'"
time=2026-01-15T09:33:36.761850219Z level=info msg="  --bpf-map-dynamic-size-ratio='0.0025'"
time=2026-01-15T09:33:36.761864719Z level=info msg="  --bpf-map-event-buffers=''"
time=2026-01-15T09:33:36.761876643Z level=info msg="  --bpf-nat-global-max='524288'"
time=2026-01-15T09:33:36.761887991Z level=info msg="  --bpf-neigh-global-max='524288'"
time=2026-01-15T09:33:36.761899231Z level=info msg="  --bpf-node-map-max='16384'"
time=2026-01-15T09:33:36.761923627Z level=info msg="  --bpf-policy-map-full-reconciliation-interval='15m0s'"
time=2026-01-15T09:33:36.761936656Z level=info msg="  --bpf-policy-map-max='16384'"
time=2026-01-15T09:33:36.761949173Z level=info msg="  --bpf-policy-map-pressure-metrics-threshold='0.1'"
time=2026-01-15T09:33:36.7619603Z level=info msg="  --bpf-policy-stats-map-max='65536'"
time=2026-01-15T09:33:36.761970856Z level=info msg="  --bpf-root='/sys/fs/bpf'"
time=2026-01-15T09:33:36.761981818Z level=info msg="  --bpf-sock-rev-map-max='0'"
time=2026-01-15T09:33:36.763218157Z level=info msg="  --enable-bpf-clock-probe='false'"
time=2026-01-15T09:33:36.763235459Z level=info msg="  --enable-bpf-masquerade='true'"
time=2026-01-15T09:33:36.763246659Z level=info msg="  --enable-bpf-tproxy='false'"
time=2026-01-15T09:33:36.764681069Z level=info msg="  --endpoint-bpf-prog-watchdog-interval='30s'"
time=2026-01-15T09:33:36.767504285Z level=info msg="  --kvstore-max-consecutive-quorum-errors='2'"
time=2026-01-15T09:33:36.768470426Z level=info msg="  --preallocate-bpf-maps='false'"
time=2026-01-15T09:33:36.769022627Z level=info msg="  --vlan-bpf-bypass=''"
time=2026-01-15T09:33:36.777265542Z level=info msg="Detected mounted BPF filesystem" bpffsRoot=/sys/fs/bpf
time=2026-01-15T09:33:36.887545397Z level=info msg="option bpf-sock-rev-map-max set by dynamic sizing to 65536" module=agent.controlplane
time=2026-01-15T09:33:37.230303219Z level=info msg="Removed map pin, recreating and re-pinning map" bpfMapPath=cilium_ipcache_v2 bpfMapName=cilium_ipcache_v2
time=2026-01-15T09:33:37.233601452Z level=info msg="Devices changed" module=agent.datapath.devices-controller devices="[ens16 tailscale0]"
time=2026-01-15T09:33:37.235074918Z level=info msg="Node addresses updated" module=agent.datapath.node-address addresses="PUBLIC_V4_IP (primary, nodeport), redacted:f000::1 (primary, nodeport), fe80::5050:a3ff:fe9a:5fef" device=ens16
time=2026-01-15T09:33:37.303923157Z level=info msg="Direct routing device detected" module=agent.controlplane.daemon direct-routing-device=ens16
time=2026-01-15T09:33:37.405711889Z level=warn msg="Unable to restore endpoint, ignoring" module=agent.controlplane.endpoint-restore endpointID=3437 ciliumEndpointName=/ error="interface  could not be found"
time=2026-01-15T09:33:37.419404123Z level=info msg="Setting IPv6" module=agent.datapath.bigtcp device=ens16 gso_max_size=65536 gro_max_size=65536
time=2026-01-15T09:33:37.419599426Z level=info msg="Setting IPv4" module=agent.datapath.bigtcp device=ens16 gso_max_size=65536 gro_max_size=65536
time=2026-01-15T09:33:38.487456063Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock6_connect pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock6_connect
time=2026-01-15T09:33:38.487560559Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock6_sendmsg pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock6_sendmsg
time=2026-01-15T09:33:38.487636033Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock6_recvmsg pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock6_recvmsg
time=2026-01-15T09:33:38.487713589Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock6_getpeername pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock6_getpeername
time=2026-01-15T09:33:38.487904632Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock4_connect pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock4_connect
time=2026-01-15T09:33:38.487993082Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock4_sendmsg pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock4_sendmsg
time=2026-01-15T09:33:38.48806641Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock6_post_bind pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock6_post_bind
time=2026-01-15T09:33:38.488212497Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock_release pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock_release
time=2026-01-15T09:33:38.488288817Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock4_recvmsg pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock4_recvmsg
time=2026-01-15T09:33:38.488360365Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock4_getpeername pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock4_getpeername
time=2026-01-15T09:33:38.488447439Z level=info msg="Updated link for program" module=agent.datapath.loader name=cil_sock4_post_bind pin=/sys/fs/bpf/cilium/socketlb/links/cgroup/cil_sock4_post_bind
time=2026-01-15T09:33:45.371240758Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/cilium_vxlan/links/cil_from_overlay progName=cil_from_overlay
time=2026-01-15T09:33:45.371511597Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/cilium_vxlan/links/cil_to_overlay progName=cil_to_overlay
time=2026-01-15T09:33:51.596389488Z level=info msg="Compiled new BPF template" module=agent.datapath.loader file-path=/var/run/cilium/state/templates/8de0b4d822f6c1dde188cff3743a00398e30bf779aec3c423472875792eee12d/bpf_lxc.o BPFCompilationTime=6.212962157s
time=2026-01-15T09:33:51.837692325Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/endpoints/871/links/cil_from_container progName=cil_from_container
time=2026-01-15T09:33:51.859862342Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/endpoints/682/links/cil_from_container progName=cil_from_container
time=2026-01-15T09:33:51.861608725Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/endpoints/839/links/cil_from_container progName=cil_from_container
time=2026-01-15T09:33:51.879531139Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/endpoints/2251/links/cil_from_container progName=cil_from_container
time=2026-01-15T09:33:57.943219534Z level=info msg="Compiled new BPF template" module=agent.datapath.loader file-path=/var/run/cilium/state/templates/e4900981c88a76aadb42659c0adc9da94afa739ceac19e5328047062b95fe350/bpf_host.o BPFCompilationTime=6.103499124s
time=2026-01-15T09:33:58.279759944Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/cilium_host/links/cil_to_host progName=cil_to_host
time=2026-01-15T09:33:58.280001614Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/cilium_host/links/cil_from_host progName=cil_from_host
time=2026-01-15T09:33:58.5844589Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/cilium_net/links/cil_to_host progName=cil_to_host
time=2026-01-15T09:33:58.920299334Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/ens16/links/cil_from_netdev progName=cil_from_netdev
time=2026-01-15T09:33:58.920541137Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/ens16/links/cil_to_netdev progName=cil_to_netdev
time=2026-01-15T09:33:59.22183996Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/tailscale0/links/cil_from_netdev progName=cil_from_netdev
time=2026-01-15T09:33:59.222049311Z level=info msg="Updated link for program" module=agent.datapath.loader link=/sys/fs/bpf/cilium/devices/tailscale0/links/cil_to_netdev progName=cil_to_netdev
time=2026-01-15T09:33:59.224240536Z level=info msg="Removed stale bpf map" module=agent.datapath.maps-cleanup file-path=/sys/fs/bpf/tc/globals/cilium_lb4_maglev
time=2026-01-15T09:33:59.224295942Z level=info msg="Removed stale bpf map" module=agent.datapath.maps-cleanup file-path=/sys/fs/bpf/tc/globals/cilium_lb6_maglev

[msune]

Sorry, I am struggling to understand the setup and where are you curling from; is it an external network or is it part of the AWS VPC? Can you provide a network diagram with the different nodes involved?

Thanks

[morpig]

is it an external network or is it part of the AWS VPC?

Everything in this scenario is over the public internet, no VPCs/private networks in between.

I think I understand your concern, how can the AWS master node reach the service IP while external clients cant?

I'm investigating this too, and honestly I'm also at a lost now.

AWS Master Node <> External Service IP

This should go over the public internet with main server NIC.

# ip -6 route get redacted:f000:e000::0
redacted:f000:e000:: from :: via fe80::cb7:7fff:fe98:5133 dev ens5 proto ra src 2406:da19:e0e:c02:5dd8:cf2a:b5ee:5d14 metric 100 hoplimit 255 pref medium

# curl "[redacted:f000:e000::0]" -H "Connection: close" -v
*   Trying [redacted:f000:e000::]:80...
* Connected to redacted:f000:e000:: (redacted:f000:e000::) port 80
> GET / HTTP/1.1
> Host: [redacted:f000:e000::]
> User-Agent: curl/8.5.0
> Accept: */*
> Connection: close
>
< HTTP/1.1 404 Not Found
< date: Thu, 15 Jan 2026 11:30:25 GMT
< connection: close
< content-length: 0

However, I do not see the port 80 traffic on main AWS NIC. tcpdump & pwru are both empty on AWS NIC interface.

[msune]

Everything in this scenario is over the public internet, no VPCs/private networks in between.

Thank you for the diagram, that is really helpful

If you deploy another host in the same L2 segment (LAN) as Worker Node A, are you able to curl the service correctly? I would expect not, based on the report, but I want to confirm.

[morpig]

If you deploy another host in the same L2 segment (LAN) as Worker Node A, are you able to curl the service correctly? I would expect not, based on the report, but I want to confirm.

Yup confirm, it's not possible to reach service IP too.

# curl "[redacted:f000:e000::]" --interface redacted:e000::1
curl: (7) Failed to connect to redacted:f000:e000:: port 80 after 3058 ms: No route to host

[msune]

Why are you using:

curl "[redacted:f000:e000::]" --interface redacted:e000::1

I don't think it will matter, but you shouldn't have to specify --interface if External client 2 is in the same L2 segment or broadcast domain.

Can you try without and have a tcpdump session alive with icmp6 filter to see NDP NSs/NAs?

curl "[redacted:f000:e000::]"

What is ip -6 neigh show after that?

[morpig]

This is from External Client 2

# curl [redacted:f000:e000::] -v
*   Trying redacted:f000:e000:::80...
* connect to redacted:f000:e000:: port 80 failed: No route to host
* Failed to connect to redacted:f000:e000:: port 80 after 3070 ms: No route to host
* Closing connection 0
curl: (7) Failed to connect to redacted:f000:e000:: port 80 after 3070 ms: No route to host

23:37:18.347910 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) redacted:e000::1 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has redacted:f000:e000::
          source link-address option (1), length 8 (1): c2:04:0b:f1:ed:c8
            0x0000:  c204 0bf1 edc8
23:37:19.357558 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) redacted:e000::1 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has redacted:f000:e000::
          source link-address option (1), length 8 (1): c2:04:0b:f1:ed:c8
            0x0000:  c204 0bf1 edc8
23:37:20.381546 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) redacted:e000::1 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has redacted:f000:e000::
          source link-address option (1), length 8 (1): c2:04:0b:f1:ed:c8
            0x0000:  c204 0bf1 edc8

# ip -6 neigh show
redacted:f000:e000:: dev ens16  FAILED
redacted::1 dev ens16 lladdr 4c:73:4f:27:52:c1 router REACHABLE
fe80::4e73:4f08:d927:52c1 dev ens16 lladdr 4c:73:4f:27:52:c1 router STALE

From Node A on-prem worker

16:37:18.346163 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) redacted:e000::1 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has redacted:f000:e000::
          source link-address option (1), length 8 (1): c2:04:0b:f1:ed:c8
            0x0000:  c204 0bf1 edc8
16:37:19.355812 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) redacted:e000::1 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has redacted:f000:e000::
          source link-address option (1), length 8 (1): c2:04:0b:f1:ed:c8
            0x0000:  c204 0bf1 edc8
16:37:20.379793 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) redacted:e000::1 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has redacted:f000:e000::
          source link-address option (1), length 8 (1): c2:04:0b:f1:ed:c8
            0x0000:  c204 0bf1 edc8

[msune]

L2 announcements (not only for IPv6) choose one of the worker nodes to announce the IP of the serivce. From the diagram, you have Node A and node B in different L2 segments (LANs).

See this: https://docs.cilium.io/en/latest/network/l2-announcements/#leader-election

Could it be Node B is selected for redacted:f000:e000:: to be announced? You should be able to introspect and troubleshoot using this:

https://docs.cilium.io/en/latest/network/l2-announcements/#troubleshooting

You can control the leader selection using the node selector: https://docs.cilium.io/en/latest/network/l2-announcements/#node-selector

Please note that if NodeB is selected this will never work. Clients MUST be in the same L2 segment to use the L2 announce feature (both IPv4 an v6).