Bug 2003023 - [OVN migration] No connectivity with ports with port-security disabled
Summary: [OVN migration] No connectivity with ports with port-security disabled
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: z1
Target Release: 16.2 (Train on RHEL 8.4)
Assignee: Kamil Sambor
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On:
Blocks: 2004149
Reported: 2021-09-10 10:08 UTC by Eduardo Olivares
Modified: 2022-08-08 16:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-07 11:11:35 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-9502 0 None None None 2022-08-08 16:31:39 UTC

Description Eduardo Olivares 2021-09-10 10:08:06 UTC
Description of problem:
A VM with a port with port-security disabled is not reachable after migration from ML2/OVS to OVN. It cannot even be pinged from its ovnmetadata namespace.

The VM had its IP properly configured via DHCP before the migration, but after the migration it could not contact the DHCP service. DHCP packets were dropped on table 17 from the br-int flows:
 cookie=0x968032e0, duration=33983.654s, table=17, n_packets=23, n_bytes=7866, idle_age=1207, priority=2001,ip,reg0=0x200/0x200,reg14=0x9,metadata=0x5 actions=drop

I have enabled port-security on this port and added ICMP and SSH security rules and now it works fine (DHCP client succeeded, ping to external network, etc.).



I have created a new VM on the same network with port-sec disabled after the migration to OVN is completed and it works fine.

The rest of the VMs with port-sec disabled created before the migration have the same connectivity problems.


Link to the job: https://rhos-ci-staging-jenkins.lab.eng.tlv2.redhat.com/job/DFG-network-networking-ovn-16.2_director-rhel-virthost-3cont_2comp-ipv4-vxlan-ml2ovs-to-ovn-migration/3/

This has actually been reproduced by several tobiko tests during the check resources stage:
http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/staging/DFG-network-networking-ovn-16.2_director-rhel-virthost-3cont_2comp-ipv4-vxlan-ml2ovs-to-ovn-migration/3/infrared/.workspaces/workspace_2021-09-09_16-16-00/tobiko_check-resources/tobiko_check-resources_check_resources_scenario.html



Version-Release number of selected component (if applicable):
RHOS-16.2-RHEL-8-20210903.n.1

How reproducible:
100%

Steps to Reproduce:
1. create VM with port-sec disabled
2. perform ovs to ovn migration
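
Added example (not part of the original report, and not code from the OVN or networking-ovn projects): a small parser for `ovs-ofctl dump-flows br-int` text that lists drop flows whose packet counter is non-zero, which is how the table 17 drop above was spotted. The first sample line is the flow quoted in the report; the other two lines and all function names are constructed for illustration.

```python
import re

# Line 1 is the flow quoted in the report; lines 2 and 3 are constructed samples.
SAMPLE_DUMP = """\
 cookie=0x968032e0, duration=33983.654s, table=17, n_packets=23, n_bytes=7866, idle_age=1207, priority=2001,ip,reg0=0x200/0x200,reg14=0x9,metadata=0x5 actions=drop
 cookie=0x1, duration=10.000s, table=17, n_packets=0, n_bytes=0, idle_age=10, priority=2001,ip,reg0=0x200/0x200,reg14=0xa,metadata=0x5 actions=drop
 cookie=0x2, duration=10.000s, table=17, n_packets=40, n_bytes=4000, idle_age=1, priority=0,metadata=0x5 actions=resubmit(,18)
"""

STATS = ("cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age")

def parse_flow(line):
    """Split one dump-flows line into counters, match fields and the action string."""
    head, sep, actions = line.strip().partition(" actions=")
    if not sep:                      # reply header or blank line, not a flow
        return None
    flow = {"actions": actions, "match": {}}
    for token in re.split(r",\s*", head):
        key, eq, value = token.partition("=")
        if key in STATS or key == "priority":
            flow[key] = value
        else:                        # bare tokens such as "ip" are protocol matches
            flow["match"][key] = value if eq else True
    return flow

def _hex(value):
    """Convert '0x9' or '0x200/0x200' (value/mask) to the integer value."""
    return int(value.split("/")[0], 16) if isinstance(value, str) else None

def hit_drop_flows(dump, table=None):
    """Return drop flows that have matched at least one packet, busiest first."""
    hits = []
    for line in dump.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["actions"] != "drop" or int(flow.get("n_packets", 0)) == 0:
            continue
        if table is not None and int(flow.get("table", -1)) != table:
            continue
        hits.append({
            "table": int(flow["table"]), "priority": int(flow["priority"]),
            "n_packets": int(flow["n_packets"]),
            # In OVN's br-int pipeline, metadata carries the logical datapath key
            # and reg14 the logical input port key.
            "datapath": _hex(flow["match"].get("metadata")),
            "inport": _hex(flow["match"].get("reg14")),
        })
    return sorted(hits, key=lambda h: h["n_packets"], reverse=True)

if __name__ == "__main__":
    for hit in hit_drop_flows(SAMPLE_DUMP):
        print(hit)
```

Comparing the output of two runs taken a few seconds apart shows which drop counters are still increasing while the affected VM retries DHCP.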

