diff --git a/neutron/agent/common/config.py b/neutron/agent/common/config.py index 499e27899f1..7ab3afd4eac 100644 --- a/neutron/agent/common/config.py +++ b/neutron/agent/common/config.py @@ -64,6 +64,12 @@ IPTABLES_OPTS = [ "generated iptables rules that describe each rule's " "purpose. System must support the iptables comments " "module for addition of comments.")), + cfg.BoolOpt('debug_iptables_rules', default=False, + help=_("Duplicate every iptables difference calculation to " + "ensure the format being generated matches the format " + "of iptables-save. This option should not be turned " + "on for production systems because it imposes a " + "performance penalty.")), ] PROCESS_MONITOR_OPTS = [ diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py index 853160da9f1..1debe43d4c4 100644 --- a/neutron/agent/linux/iptables_manager.py +++ b/neutron/agent/linux/iptables_manager.py @@ -412,6 +412,9 @@ class IptablesManager(object): finally: try: self.defer_apply_off() + except n_exc.IpTablesApplyException: + # already in the format we want, just reraise + raise except Exception: msg = _('Failure applying iptables rules') LOG.exception(msg) @@ -436,7 +439,16 @@ class IptablesManager(object): lock_name += '-' + self.namespace with lockutils.lock(lock_name, utils.SYNCHRONIZED_PREFIX, True): - return self._apply_synchronized() + first = self._apply_synchronized() + if not cfg.CONF.AGENT.debug_iptables_rules: + return first + second = self._apply_synchronized() + if second: + msg = (_("IPTables Rules did not converge. Diff: %s") % + '\n'.join(second)) + LOG.error(msg) + raise n_exc.IpTablesApplyException(msg) + return first def get_rules_for_table(self, table): """Runs iptables-save on a table and returns the results.""" diff --git a/neutron/tests/contrib/gate_hook.sh b/neutron/tests/contrib/gate_hook.sh index 69c703f0e93..b2601d01494 100644 --- a/neutron/tests/contrib/gate_hook.sh +++ b/neutron/tests/contrib/gate_hook.sh 
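Review bot: The help text for `debug_iptables_rules` describes the option as duplicating a "difference calculation", but the companion change to `IptablesManager.apply` in this same patch re-runs the whole `_apply_synchronized()` and raises `IpTablesApplyException` when the second pass still produces a diff, so an operator reading only this help would not expect a hard failure. I would state the consequence explicitly, e.g. `help=_("Apply the iptables rules a second time and raise IpTablesApplyException if the second pass still changes anything, which means the generated rule text does not match iptables-save output. ...")` followed by the existing production warning. Saying that the penalty is a full second apply (iptables-restore), not just a diff computation, would also make the cost clearer. The `IPTABLES_OPTS` list is cut at both edges of the hunk.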
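Review bot: The comment on the new `except n_exc.IpTablesApplyException` branch, `# already in the format we want, just reraise`, explains the mechanism but not the origin: this is the exception `apply()` raises (and has already logged with `LOG.error`) when `debug_iptables_rules` finds a non-converging second pass, so letting it fall into the `except Exception` path below would only log it twice and re-wrap it. I would make that explicit: `# Raised by apply() when debug_iptables_rules detects non-converging rules; it is already logged and correctly typed, so don't re-wrap it below.` Because this sits in a `finally`, a convergence failure raised here also replaces any exception already propagating out of the deferred block, which is presumably the same behaviour the existing `except Exception` branch has, but is worth a word in the comment. The enclosing `defer_apply` method starts and ends outside the hunk.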
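Review bot: When the second pass does not converge, the message built at `msg = (_("IPTables Rules did not converge. Diff: %s") % '\n'.join(second))` carries the diff but not which namespace it belongs to, so the `LOG.error` is hard to attribute in an agent that manages many namespaces in one process (the hunk already folds `self.namespace` into `lock_name`). I would include it: `msg = (_("IPTables Rules did not converge in namespace %(ns)s. Diff: %(diff)s") % {'ns': self.namespace, 'diff': '\n'.join(second)})`. The names `first`/`second` read as ordinals rather than results; `_apply_synchronized()` appears to return a list of lines (it is joined with `'\n'`), so `first_diff`/`second_diff` would say what `if second:` is actually testing. A short comment on why a non-empty second pass is an error would help too, e.g. `# A correct generator converges in one pass; a second diff means our rule text differs from what iptables-save emits.` The enclosing `apply` method starts outside the hunk; its docstring should mention that with debug_iptables_rules the rules are applied twice and a mismatch raises.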
@@ -54,6 +54,7 @@ case $VENV in start_new_ovs fi + load_conf_hook iptables_verify # Make the workspace owned by the stack user sudo chown -R $STACK_USER:$STACK_USER $BASE ;; @@ -66,6 +67,9 @@ case $VENV in load_rc_hook qos load_rc_hook trunk load_conf_hook osprofiler + if [[ "$VENV" =~ "dsvm-scenario" ]]; then + load_conf_hook iptables_verify + fi if [[ "$VENV" =~ "pecan" ]]; then load_conf_hook pecan fi diff --git a/neutron/tests/contrib/hooks/iptables_verify b/neutron/tests/contrib/hooks/iptables_verify new file mode 100644 index 00000000000..72cbd1aeb57 --- /dev/null +++ b/neutron/tests/contrib/hooks/iptables_verify @@ -0,0 +1,4 @@ +[[post-config|/etc/neutron/neutron.conf]] + +[AGENT] +debug_iptables_rules=True
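Review bot: The `iptables_verify` hook is loaded unconditionally in the first case arm but only under `if [[ "$VENV" =~ "dsvm-scenario" ]]` in the second, and nothing in the hunks says why the two arms differ; the labels of both arms are outside the hunks, so I cannot tell which jobs this covers. A one-line comment above the conditional, e.g. `# Double-apply verification only in scenario jobs; other jobs in this arm don't exercise enough iptables churn to justify the cost`, or whatever the actual reason is, would save the next person from guessing. The `case $VENV in` statement containing both hunks starts and ends outside them.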