weave: TCP/UDP failing when using plugin with WEAVE_NO_FASTDP

2 hosts source1@10.99.101.129 and target1@10.99.101.131 running on CentOS 7, latest version of weave on both hosts:

[root@target1 ~]# weave version
weave script 1.5.2
weave router 1.5.2
weave proxy  1.5.2
weave plugin 1.5.2

  • weave with fastdp: WORKS
  • weave with sleeve mode:
    • containers on the same host: WORKS
    • containers on different hosts: FAILS. icmp ping is fine, but tcp and udp packets do not respond.

It is not firewalld:

  1. I added 192.168.0.0/16 that weave is using to trusted zones
  2. I ran watch -n 2 -d iptables -nvL FORWARD and watch -n 2 -d iptables -nvL INPUT and see the packets accepted (whereas they were rejected before I added 192.168.0.0/16 to the trusted zone)

I have netserver running on port 7002 in container address 192.168.0.1 on target1, and am trying to reach it from container address 192.168.128.0 on source1. Oddly, here is what I see when I run tcpdump on either container while doing the simple telnet 192.168.0.1 7002:

16:21:48.499767 IP 192.168.128.0.36558 > 192.168.0.1.7002: Flags [S], seq 2020838195, win 27400, options [mss 1370,sackOK,TS val 1552792 ecr 0,nop,wscale 8], length 0
16:21:48.501464 IP 192.168.0.1.7002 > 192.168.128.0.36558: Flags [S.], seq 1921444052, ack 2020838196, win 43690, options [mss 65495,sackOK,TS val 1476106 ecr 1549786,nop,wscale 8]

SYN -> SYN-ACK -> (nothing)

If I strace the net server process, I see it waiting on the file descriptor. It never responds, which means that the kernel never establishes the TCP connection to hand back to it.

Even if I stop firewalld entirely, I still have the same issue.

What basic thing am I missing here? Why is it not sending the final ACK? And even tcpdump on source1 is seeing the SYN-ACK, but not responding? Shouldn’t the kernel be doing this?

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 106 (106 by maintainers)

Most upvoted comments

Update:

On both sides, I need to do ethtool -K ethwe0 rx off tx off for the connection to be set up and transmission to work.

I think we all deserve ale/beers and an award for this!
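The rx and tx flags switched off in the update above are ethtool's RX and TX checksum offload settings. As an added example (not code from the thread or from weave), this Python sketch validates a TCP checksum the way a receiver does, using the addresses, ports and sequence numbers of the SYN-ACK in the tcpdump above with options omitted. It assumes that with TX offload enabled the Linux stack leaves only the pseudo-header sum in the checksum field for the device to complete; a segment that never gets that completion fails validation.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), folded but not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that is covered by the TCP checksum."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def build_syn_ack(src, dst, sport, dport, seq, ack, offloaded: bool) -> bytes:
    """Constructed 20-byte SYN-ACK header (no options, no payload).

    offloaded=True models the assumed TX-offload state: the checksum field
    holds only the pseudo-header sum, waiting for hardware to finish it.
    """
    def header(csum: int) -> bytes:
        return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                           5 << 4, 0x12, 43690, csum, 0)
    ph = pseudo_header(src, dst, 20)
    if offloaded:
        return header(ones_sum(ph))
    return header(~ones_sum(ph + header(0)) & 0xFFFF)

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver check: pseudo-header plus segment must sum to 0xFFFF."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

# Values from the SYN-ACK line in the capture; segment bytes are constructed.
SRC, DST = "192.168.0.1", "192.168.128.0"
ARGS = (SRC, DST, 7002, 36558, 1921444052, 2020838196)

if __name__ == "__main__":
    for label, offloaded in (("software checksum", False),
                             ("offload left incomplete", True)):
        seg = build_syn_ack(*ARGS, offloaded=offloaded)
        csum = struct.unpack("!H", seg[16:18])[0]
        print(f"{label}: cksum=0x{csum:04x} valid={checksum_ok(SRC, DST, seg)}")
```

On a live host, `tcpdump -vv` prints the same verdict per packet as `cksum ... (correct)` or `(incorrect)`.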