My routing mesh is not exposing ports on all nodes

It worked before. Then I retired one manager node (Docker version 24) and replaced it with a new node with Docker version 27. It's a one manager, one worker setup.

Now, I can’t access my swarm services from my manager node.

If I look at all the iptables rules, the ports are NOT mapped at all. On the worker node it looks fine, all ports go to 172.18.0.2, but not on the manager node: there is no such rule at all. The iptables rules are very short.

Now here is the funny part:
If I move one of the services to the manager node, then it can't be accessed from the worker node anymore.

It’s like the network mode was set to “VIP”, but it acts like “host”.

Any idea?

I assume you mean the published port uses mode: ingress.

The only vip setting I know is related to the endpoint_mode of the service, which introduces a virtual IP and makes the service name resolve to it. The dnsrr setting would make the service name resolve to a multi-value response containing each IP of the tasks that belong to a service. This is not related to the ingress routing mesh.

By any chance, did you upgrade the OS of your manager node as well?
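
The two settings distinguished in the reply above, side by side in a stack file. This is an added example, not part of the original thread; the service names, image and port numbers are assumptions chosen for illustration.

```yaml
version: "3.8"

services:
  # Published through the ingress routing mesh: the port is expected to be
  # reachable on every swarm node, whether or not a task runs there.
  mesh-web:
    image: nginx:alpine          # assumed image
    ports:
      - target: 80
        published: 8080          # assumed port
        protocol: tcp
        mode: ingress            # publish mode: routing mesh
    deploy:
      replicas: 2
      endpoint_mode: vip         # service name resolves to one virtual IP

  # Published in host mode: the port is bound only on nodes that actually
  # run a task, which matches the "only reachable where it runs" symptom.
  # dnsrr is allowed here because swarm rejects dnsrr combined with
  # ingress-mode published ports.
  host-web:
    image: nginx:alpine          # assumed image
    ports:
      - target: 80
        published: 8081          # assumed port
        protocol: tcp
        mode: host               # publish mode: no routing mesh
    deploy:
      mode: global               # one task per node, so each node binds 8081
      endpoint_mode: dnsrr       # service name resolves to the task IPs
```

`docker service inspect` on a running service shows the publish mode under `Endpoint.Ports[].PublishMode` and the endpoint mode under `Spec.EndpointSpec.Mode`, which confirms which of the two settings is actually in effect.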