diff --git a/octavia/api/v2/controllers/load_balancer.py b/octavia/api/v2/controllers/load_balancer.py
index f185ff4147..cdc876a6a9 100644
--- a/octavia/api/v2/controllers/load_balancer.py
+++ b/octavia/api/v2/controllers/load_balancer.py
@@ -558,6 +558,13 @@ class LoadBalancersController(base.BaseController):
                     subnet_id=add_vip.subnet_id)
 
             if listeners or pools:
+                # expire_all is required here, it ensures that the loadbalancer
+                # will be re-fetched with its associated vip in _graph_create.
+                # without expire_all the vip attributes that have been updated
+                # just before this call may not be set correctly in the
+                # loadbalancer object.
+                lock_session.expire_all()
+
                 db_pools, db_lists = self._graph_create(
                     lock_session, db_lb, listeners, pools)
 
diff --git a/releasenotes/notes/fix-fully-populated-with-allowed-cidrs-ad04ccf02bf9cbbc.yaml b/releasenotes/notes/fix-fully-populated-with-allowed-cidrs-ad04ccf02bf9cbbc.yaml
new file mode 100644
index 0000000000..47aa3d5759
--- /dev/null
+++ b/releasenotes/notes/fix-fully-populated-with-allowed-cidrs-ad04ccf02bf9cbbc.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixed a bug when creating a load balancer and a listener with
+    ``allowed_cidrs`` with the fully-populated load balancer API, the call was
+    rejected because Octavia could not validate that the IP addresses of the
+    ``allowed_cidrs`` have the same family as the VIP address.