diff --git a/pkg/kernel/networkservice/inject/common.go b/pkg/kernel/networkservice/inject/common.go
index c8df718c..9dcd8165 100644
--- a/pkg/kernel/networkservice/inject/common.go
+++ b/pkg/kernel/networkservice/inject/common.go
@@ -94,7 +94,13 @@ func move(ctx context.Context, conn *networkservice.Connection, isClient, isMove
 if !contNetNS.IsOpen() && isMoveBack {
 contNetNS = vfConfig.ContNetNS
 }
- defer func() { _ = contNetNS.Close() }()
+
+ // keep NSE container's net ns open until connection close is done,.
+ // this would properly move back VF into host net namespace even when
+ // container is accidentally deleted before close.
+ if !isClient || isMoveBack {
+ defer func() { _ = contNetNS.Close() }()
+ }
 
 ifName := mech.GetInterfaceName()
 if !isMoveBack {
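Review bot: On the client forward path (`isClient && !isMoveBack`) `move` no longer closes the namespace handle, so an error return later in the function would leak an open net ns file descriptor in the forwarder unless the handle has already been stored in `vfConfig.ContNetNS`. That store is not visible in this hunk, and the body of `move` continues past it. Consider closing on failure as well, e.g. `defer func() { if err != nil || !isClient || isMoveBack { _ = contNetNS.Close() } }()`, which assumes `err` is a named result or otherwise visible to the deferred function. The comment would also be easier to check against the condition if it named the side that `isClient` refers to, for example `// client side (towards the NSE): keep the container net ns handle open until Close, so the VF can be moved back to the host net ns even if the container is deleted first.`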