Layer 2 Announcement Interface requires IP

[yarokifor]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.18.1 and lower than v1.19.0

What happened?

When using a L2 Announcement Policy on an interface where the host doesn't have assigned IP the Cilium daemon set will error with failed to open ARP socket: no IPv4 address available for interface.

ARP does not need a IP address in order to broadcast which MAC address has an IP as it's layer 2. When responding to a ARP request Cilium should respond on Layer 2 using MAC address. If absolutely required Cilium should use the load balancing IP as expected.

How can we reproduce the issue?

1. Install cilium with configuration following the L2 Announcement docs
2. Create Cilium Load Balancer IP Pool resource
3. Create Cilium L2 Announcement Policy resource that uses host interface with no IP
4. Observer logs in Cilium's daemon set on relevant host

Cilium Version

cilium-cli: v0.18.6 compiled with go1.24.5 on linux/amd64
cilium image (default): v1.18.0
cilium image (stable): v1.18.1
cilium image (running): 1.18.1

Kernel Version

Linux storm 6.8.0-71-generic #71-Ubuntu SMP PREEMPT_DYNAMIC Tue Jul 22 16:52:38 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

Client Version: v1.32.5
Kustomize Version: v5.5.0
Server Version: v1.32.5

Regression

No response

Sysdump

cilium-sysdump-20250912-170046.zip

Relevant log output

time=2025-09-11T13:52:14.468318084Z level=error msg="error during partial reconciliation" module=agent.datapath.l2-responder error="garp 10.0.17.50@25: failed to open ARP socket: no IPv4 address available for interface"
time=2025-09-11T13:57:14.306088508Z level=error msg="Error(s) while full reconciling l2 responder map" module=agent.datapath.l2-responder error="garp 10.0.17.50@25: failed to open ARP socket: no IPv4 address available for interface"

Anything else?

I've followed the troubleshooting documentation for L2 announcement. If asked I'll post the result here, but it all checks out. When I added an IP to the interface everything worked fine afterwards.

I found the location in the v1.18.1 source where error log is created. Looks like it might of gotten fixed in v1.19.0-pre.0 and the main branch. Updated source is here. I figure at least the docs should be updated to mentioning this.

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[yarokifor]

I just tested this in 1.19.0-pre.0. It still holds true that interface needs an IP, but 1.19.0-pre.0 will response to the ARP request, but won't respond on layer 3 unless an IP is on the interface.

No IP address

root@k8-host:~# ip addr show dev bond0-vlan17
25: bond0-vlan17@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3e:82:96:03:99:e5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3c82:96ff:fe03:99e5/64 scope link
       valid_lft forever preferred_lft forever

root@k8-host:~# tshark -i bond0-vlan17
Running as user "root" and group "root". This could be dangerous.
Capturing on 'bond0-vlan17'
    1 0.000000000    10.0.17.1 → 10.0.17.50   TCP 74 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=414980929 TSecr=0 WS=128
    2 1.029454760    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=414981959 TSecr=0 WS=128
    3 2.053450088    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=414982983 TSecr=0 WS=128
    4 3.077474291    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=414984007 TSecr=0 WS=128
    5 4.101485585    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=414985031 TSecr=0 WS=128
    6 5.125538059    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=414986055 TSecr=0 WS=128
    7 5.125654610 f2:00:e1:5b:22:c5 → 3e:82:96:03:99:e5 ARP 60 Who has 10.0.17.50? Tell 10.0.17.1
    8 5.125669500 3e:82:96:03:99:e5 → f2:00:e1:5b:22:c5 ARP 60 10.0.17.50 is at 3e:82:96:03:99:e5
    9 7.173404628    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=414988103 TSecr=0 WS=128
   10 11.205450954    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=414992135 TSecr=0 WS=128
   11 19.461894154    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=415000391 TSecr=0 WS=128
   12 35.845825072    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=415016775 TSecr=0 WS=128
   13 40.965850473 f2:00:e1:5b:22:c5 → 3e:82:96:03:99:e5 ARP 60 Who has 10.0.17.50? Tell 10.0.17.1
   14 40.965868619 3e:82:96:03:99:e5 → f2:00:e1:5b:22:c5 ARP 60 10.0.17.50 is at 3e:82:96:03:99:e5
   15 68.101855060    10.0.17.1 → 10.0.17.50   TCP 74 [TCP Retransmission] 45694 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=415049031 TSecr=0 WS=128
^C15 packets captured

On the router

admin@router: ~$ curl 10.0.17.50:8080
curl: (28) Failed to connect to 10.0.17.50 port 8080 after 134150 ms: Couldn't connect to server

With IP address

root@k8-host:~# ip addr add dev bond0-vlan17 10.0.17.2/24
root@k8-host:~# ip addr show dev bond0-vlan17
25: bond0-vlan17@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3e:82:96:03:99:e5 brd ff:ff:ff:ff:ff:ff
    inet 10.0.17.2/24 scope global bond0-vlan17
       valid_lft forever preferred_lft forever
    inet6 fe80::3c82:96ff:fe03:99e5/64 scope link
       valid_lft forever preferred_lft forever
root@storm:~# tshark -i bond0-vlan17
Running as user "root" and group "root". This could be dangerous.
Capturing on 'bond0-vlan17'
    1 0.000000000    10.0.17.1 → 10.0.17.50   TCP 74 45122 → 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=415141458 TSecr=0 WS=128
    2 0.000160024 3e:82:96:03:99:e5 → Broadcast    ARP 42 Who has 10.0.17.1? Tell 10.0.17.2
    3 0.000662312 f2:00:e1:5b:22:c5 → 3e:82:96:03:99:e5 ARP 60 10.0.17.1 is at f2:00:e1:5b:22:c5
    4 0.000687486   10.0.17.50 → 10.0.17.1    TCP 74 8080 → 45122 [SYN, ACK] Seq=0 Ack=1 Win=64308 Len=0 MSS=1410 SACK_PERM TSval=3322610716 TSecr=415141458 WS=128
    5 0.001297698    10.0.17.1 → 10.0.17.50   TCP 66 45122 → 8080 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=415141460 TSecr=3322610716
    6 0.001297954    10.0.17.1 → 10.0.17.50   HTTP 145 GET / HTTP/1.1
    7 0.001441482   10.0.17.50 → 10.0.17.1    TCP 66 8080 → 45122 [ACK] Seq=1 Ack=80 Win=64256 Len=0 TSval=3322610717 TSecr=415141460
    8 0.002089648   10.0.17.50 → 10.0.17.1    HTTP 246 HTTP/1.1 200 OK  (text/plain)
    9 0.002291049    10.0.17.1 → 10.0.17.50   TCP 66 45122 → 8080 [ACK] Seq=80 Ack=181 Win=64128 Len=0 TSval=415141461 TSecr=3322610717
   10 0.002523471    10.0.17.1 → 10.0.17.50   TCP 66 45122 → 8080 [FIN, ACK] Seq=80 Ack=181 Win=64128 Len=0 TSval=415141461 TSecr=3322610717
   11 0.002764910   10.0.17.50 → 10.0.17.1    TCP 66 8080 → 45122 [FIN, ACK] Seq=181 Ack=81 Win=64256 Len=0 TSval=3322610718 TSecr=415141461
   12 0.002985762    10.0.17.1 → 10.0.17.50   TCP 66 45122 → 8080 [ACK] Seq=81 Ack=182 Win=64128 Len=0 TSval=415141462 TSecr=3322610718
^C12 packets captured

On the router

admin@router:~$ curl 10.0.17.50:8080
NOW: 2025-09-12 23:58:54.696359687 +0000 UTC m=+10133.595386111

[mchaker]

I also am experiencing this on 1.18.1.

I was expecting that Cilium would manage the addresses on the interface via L2 Advertisement, and that a static host IP assignment would not be required on the VLAN interface.