diff --git a/octavia/network/drivers/neutron/allowed_address_pairs.py b/octavia/network/drivers/neutron/allowed_address_pairs.py
index 61334da91a..d450ea7635 100644
--- a/octavia/network/drivers/neutron/allowed_address_pairs.py
+++ b/octavia/network/drivers/neutron/allowed_address_pairs.py
@@ -194,12 +194,13 @@ class AllowedAddressPairsDriver(neutron_base.BaseNeutronDriver):
             # Don't remove egress rules and don't confuse other protocols with
             # None ports with the egress rules.  VRRP uses protocol 51 and 112
             if (rule.get('direction') == 'egress' or
-                    rule.get('protocol').upper() not in
+                    rule.get('protocol') is None or
+                    rule['protocol'].upper() not in
                     [constants.PROTOCOL_TCP, constants.PROTOCOL_UDP,
                      lib_consts.PROTOCOL_SCTP]):
                 continue
             old_ports.append((rule.get('port_range_max'),
-                              rule.get('protocol').lower(),
+                              rule['protocol'].lower(),
                               rule.get('remote_ip_prefix')))
 
         add_ports = set(updated_ports) - set(old_ports)
diff --git a/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py b/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
index 25362a57fc..defdcd7571 100644
--- a/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
+++ b/octavia/tests/unit/network/drivers/neutron/test_allowed_address_pairs.py
@@ -1071,7 +1071,8 @@ class TestAllowedAddressPairsDriver(base.TestCase):
         fake_rules = [
             {'id': 'rule-80', 'port_range_max': 80, 'protocol': 'tcp',
              'remote_ip_prefix': '10.0.101.0/24'},
-            {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'}
+            {'id': 'rule-22', 'port_range_max': 22, 'protocol': 'tcp'},
+            {'id': 'rule-None', 'port_range_max': 22},
         ]
         list_rules = self.driver.network_proxy.security_group_rules
         list_rules.return_value = fake_rules
diff --git a/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml b/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
new file mode 100644
index 0000000000..9e6cd7f013
--- /dev/null
+++ b/releasenotes/notes/fix-attributeerror-when-securitygroup-rule-has-protocol-none-9b7217c5477d01b6.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixed potential AttributeError during listener update when security group
+    rule had no protocol defined (ie. it was null).