A container is not reachable after migration and becomes available only after some time, when the ARP cache expires on the routers.
The container IPs belong to a VLAN, configured in the network and on both source and destination hardware nodes.
The destination server has an Intel i350 network card.
The Intel i350 network card comes with a feature that blocks potentially malicious traffic. This feature is enabled by default, and the NIC silently drops the packets that Virtuozzo generates to make the ARP announcement about the arrived container IPs. Specifically, packets generated by the arpsend utility are blocked.
This is recognized as a Red Hat mainstream bug (access for RH subscribers only).
Until the issue is completely fixed in the mainstream kernel, the following workaround can be suggested:
# echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
# arping -c 2 -s <container_ip> -U -I <interface> <destination>
# echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind
These commands should be run on the destination server right after the migration.
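The workaround above can be wrapped so that ip_nonlocal_bind is returned to its previous value even if arping fails or the script is interrupted, instead of being left at 1 or forced to 0. This is an added example, not a Virtuozzo tool; the function names, the argument order and the DRY_RUN variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from Virtuozzo): announce migrated container IPs.
# Assumed usage: sh announce.sh <interface> <destination> <container_ip>...
NONLOCAL=/proc/sys/net/ipv4/ip_nonlocal_bind

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Send the gratuitous ARP from the workaround for each container IP.
# With DRY_RUN set (hypothetical switch), only print the arping commands.
announce() {
    iface=$1; dest=$2; shift 2
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid container IP: $ip" >&2; return 2; }
    done
    if [ -n "${DRY_RUN:-}" ]; then
        for ip in "$@"; do echo "arping -c 2 -s $ip -U -I $iface $dest"; done
        return 0
    fi
    saved=$(cat "$NONLOCAL") || return 1
    # Put the original value back on any exit path, including signals.
    trap 'echo "$saved" > "$NONLOCAL"' EXIT
    trap 'exit 1' INT TERM
    echo 1 > "$NONLOCAL" || return 1
    rc=0
    for ip in "$@"; do
        arping -c 2 -s "$ip" -U -I "$iface" "$dest" || rc=1
    done
    echo "$saved" > "$NONLOCAL"
    trap - EXIT INT TERM
    return "$rc"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 3 ]; then announce "$@"; fi
```

Run it as root on the destination server right after the migration; setting DRY_RUN=1 first shows the commands without touching the sysctl.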