How To Fix Hairpin Connectivity with IPVS enabled

This document (000020045) is provided subject to the disclaimer at the end of this document.



Many users enable IPVS for kube-proxy to help alleviate bottlenecks associated with iptables. An issue arises on Kubernetes 1.15 and below where the masquerade iptables rule doesn't get applied and therefore hairpin connectivity stops working.

You can determine if this isn't working by connecting to a pod, from itself via its service. The connection should time out. It's worth noting that if the node is never rebooted after enabling IPVS the masquerade rule will remain, but it will not be restored after reboot.


  • Kubernetes 1.15 and below
  • IPVS enabled for kube-proxy


The workaround is to apply the masquerade-all=true flag to kube-proxy to force it to apply the masquerade iptables rule.


Edit the cluster yaml and change services.kubeproxy.extra_args to reflect the following and hit save:

      proxy-mode: ipvs
      masquerade-all: true

Once this is done, hairpin connectivity should be restored.

Further reading


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020045
  • Creation Date: 06-May-2021
  • Modified Date:06-May-2021
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center