SRX

Expand all | Collapse all

Static/Reverse NAT between RI not working

Jump to Best Answer
  • 1.  Static/Reverse NAT between RI not working

    Posted 02-22-2019 06:37
      |   view attached

    We have two sides of an environment where we statically NAT ranges of private to public IPs and/or vice versa.  On one side of this, we leverage a vSRX (on 15.1X49-D110.4), in which this traffic only lives in the global routing instance. 

     

    On the backup link, we have IPSec terminating into a RI (MNO) on an SRX240 (on 12.3X48-D65.1), which then passes traffic into the global RI. 

     

    With either path, if I generate traffic from the public to the private, NAT functions as expected.  I see an approproate session and translation created within either SRX and away we go. 

     

    If I generate traffic from the private to public, I see the vSRX create a reverse NAT as expected, however, the SRX does not. 

     

    We route between these RIs on the SRX240 via lt interfaces, and the (truncated) NAT policy is as follows:

     

    set security nat static rule-set MNO_NAT from zone INSIDE

    set security nat static rule-set MNO_NAT rule 3_TEST2 match destination-address x.x.79.249/32
    set security nat static rule-set MNO_NAT rule 3_TEST2 then static-nat prefix 10.59.15.254/32
    set security nat static rule-set MNO_NAT rule 3_TEST2 then static-nat prefix routing-instance MNO

     

    The rule set on the vSRX is identical save the RI statement

     

    My assumption is that it's a configuration issue, however, we did seem to have this working properly when we leveraged rib-groups instead of lt interfaces.  The how and why we changed is another conversation for another day.  And I'm near the point to revert back to using rib-groups. 

     

    While trying to troubleshoot this, I'd created a source NAT rule as per this link to no avail; I'd seen the same behavior. 

     

    Taking some traces, I see the following for the failed translation:

    Spoiler
    10:59:28.978800:CID-0:RT: <10.59.15.254/1->x.x.50.173/24285;1> matched filter TO_LIBRE:
    10:59:28.978800:CID-0:RT: packet [84] ipid = 0, @0x43d532d0
    10:59:28.978800:CID-0:RT: ---- flow_process_pkt: (thd 2): flow_ctxt type 1, common flag 0x0, mbuf 0x43d53080, rtbl_idx = 4
    10:59:28.978800:CID-0:RT: flow process pak, mbuf 0x43d53080, ifl 71, ctxt_type 1 inq type 6
    10:59:28.978800:CID-0:RT: in_ifp <MNO:st0.0>
    10:59:28.978800:CID-0:RT: flow_process_pkt_exception: setting rtt in lpak to 0x64226648
    10:59:28.978800:CID-0:RT: host inq check inq_type 0x6
    10:59:28.978800:CID-0:RT: tifp st0.0
    10:59:28.978800:CID-0:RT: pkt out of tunnel.Proceed normally
    10:59:28.978800:CID-0:RT: st0.0:10.59.15.254->x.x.50.173, icmp, (8/0)
    10:59:28.978800:CID-0:RT: find flow: table 0x526d79e0, hash 63187(0xffff), sa 10.59.15.254, da x.x.50.173, sp 1, dp 24285, proto 1, tok 16393
    10:59:28.979003:CID-0:RT: no session found, start first path. in_tunnel - 0x56a76708, from_cp_flag - 0
    10:59:28.979045:CID-0:RT: Not a traffic-selector enabled tunnel. returing EOK
    10:59:28.979045:CID-0:RT: search gate for MNO:10.59.15.254/1->x.x.50.173/24285,1
    10:59:28.979045:CID-0:RT: gate_search_specific_bucket: no gate found
    10:59:28.979121:CID-0:RT: search gate for MNO:10.59.15.254/1->x.x.50.173/24285,1
    10:59:28.979121:CID-0:RT: gate_search_specific_bucket: no gate found
    10:59:28.979121:CID-0:RT: search widecast gate for MNO:10.59.15.254/1->x.x.50.173/24285,1
    10:59:28.979121:CID-0:RT: gate_search_widecast_bucket: no gate found
    10:59:28.979121:CID-0:RT: flow_first_create_session
    10:59:28.979121:CID-0:RT: First path alloc and instl pending session, natp=0x5b695c78, id=187634
    10:59:28.979121:CID-0:RT: flow_first_in_dst_nat: in <st0.0>, out <N/A> dst_adr x.x.50.173, sp 1, dp 24285
    10:59:28.979121:CID-0:RT: chose interface st0.0 as incoming nat if.
    10:59:28.979121:CID-0:RT: flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to x.x.50.173(24285)
    10:59:28.979121:CID-0:RT: flow_first_routing: vr_id 4, call flow_route_lookup(): src_ip 10.59.15.254, x_dst_ip x.x.50.173, in ifp st0.0, out ifp N/A sp 1, dp 24285, ip_proto 1, tos 68
    10:59:28.979121:CID-0:RT: Doing DESTINATION addr route-lookup
    10:59:28.979121:CID-0:RT: flow_ipv4_rt_lkup success x.x.50.173, iifl 0x47, oifl 0x4e
    10:59:28.979356:CID-0:RT: routed (x_dst_ip x.x.50.173) from MNO (st0.0 in 0) to lt-0/0/0.345, Next-hop: x.x.50.52
    10:59:28.979356:CID-0:RT: flow_first_policy_search: policy search from zone MNO-> zone MNO (0x0,0x15edd,0x5edd)
    10:59:28.979400:CID-0:RT: Policy lkup: vsys 0 zone(9:MNO) -> zone(9:MNO) scope:0
    10:59:28.979400:CID-0:RT: 10.59.15.254/2048 -> x.x.50.173/5478 proto 1
    10:59:28.979400:CID-0:RT: app 0, timeout 60s, curr ageout 60s
    10:59:28.979400:CID-0:RT: permitted by policy ALLOW_ALL_MNO(10)
    10:59:28.979400:CID-0:RT: packet passed, Permitted by policy.
    10:59:28.979400:CID-0:RT: flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
    10:59:28.979400:CID-0:RT: flow_first_src_xlate: incoming src port is : 1.
    10:59:28.979400:CID-0:RT: flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
    10:59:28.979400:CID-0:RT: dip id = 0/0, 10.59.15.254/1->10.59.15.254/1 protocol 0
    10:59:28.979400:CID-0:RT: choose interface lt-0/0/0.345(P2P) as outgoing phy if
    10:59:28.979400:CID-0:RT: is_loop_pak: No loop: on ifp: lt-0/0/0.345, addr: x.x.50.173, rtt_idx:4
    10:59:28.979614:CID-0:RT: -jsf : Alloc sess plugin info for session 704374824178
    10:59:28.979614:CID-0:RT: [JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0
    10:59:28.979702:CID-0:RT: +++++++++++jsf_test_plugin_data_evh: 3
    10:59:28.979702:CID-0:RT: [JSF]Plugins(0x0, count 0) enabled for session = 704374824178, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    10:59:28.979755:CID-0:RT: -jsf : no plugin interested for session 704374824178, free sess plugin info
    10:59:28.979755:CID-0:RT: flow_first_service_lookup(): natp(0x5b695c78): app_id, 0(0).
    10:59:28.979755:CID-0:RT: service lookup identified service 0.
    10:59:28.979755:CID-0:RT: flow_first_final_check: in <st0.0>, out <lt-0/0/0.345>
    10:59:28.979755:CID-0:RT: In flow_first_complete_session
    10:59:28.979755:CID-0:RT: flow_first_complete_session, pak_ptr: 0x52028c50, nsp: 0x5b695c78, in_tunnel: 0x56a76708
    10:59:28.979755:CID-0:RT: construct v4 vector for nsp2
    10:59:28.979755:CID-0:RT: existing vector list 0x204-0x4b521b50.
    10:59:28.979755:CID-0:RT: Session (id:187634) created for first pak 204
    10:59:28.979755:CID-0:RT: first pak processing successful
    10:59:28.979755:CID-0:RT: flow_first_install_session======> 0x5b695c78
    10:59:28.979755:CID-0:RT: nsp 0x5b695c78, nsp2 0x5b695d08
    10:59:28.979755:CID-0:RT: make_nsp_ready_no_resolve()
    10:59:28.979755:CID-0:RT: flow_ipv4_rt_lkup success 10.59.15.254, iifl 0x47, oifl 0x47
    10:59:28.979755:CID-0:RT: route lookup: dest-ip 10.59.15.254 orig ifp st0.0 output_ifp st0.0 orig-zone 9 out-zone 9 vsd 0
    10:59:28.979755:CID-0:RT: route to 10.59.15.254
    10:59:28.979755:CID-0:RT: no need update ha
    10:59:28.979755:CID-0:RT: Installing s2c NP session wing
    10:59:28.980062:CID-0:RT: first path session installation succeeded
    10:59:28.980062:CID-0:RT: flow got session.
    10:59:28.980062:CID-0:RT: flow session id 187634
    10:59:28.980062:CID-0:RT: vector bits 0x204 vector 0x4b521b50
    10:59:28.980106:CID-0:RT: skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    10:59:28.980106:CID-0:RT: encap vector
    10:59:28.980106:CID-0:RT: no more encapping needed
    10:59:28.980106:CID-0:RT: mbuf 0x43d53080, exit nh 0x120010
    10:59:28.980106:CID-0:RT: flow_process_pkt_exception: Freeing lpak 0x52028c50 associated with mbuf 0x43d53080
    10:59:28.980106:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    And the good side form the vSRX

     

    Spoiler
    13:49:59.572864:CID-0:THREAD_ID-01:RT: <10.255.49.73/1->x.x.49.170/31499;1,0x0> matched filter TO_LIBRE:
    13:49:59.572868:CID-0:THREAD_ID-01:RT: packet [84] ipid = 0, @0x19e25ed2
    13:49:59.572875:CID-0:THREAD_ID-01:RT: ---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x68e9d400, rtbl_idx = 0
    13:49:59.572876:CID-0:THREAD_ID-01:RT: flow process pak fast ifl 76 in_ifp ge-0/0/0.345
    13:49:59.572877:CID-0:THREAD_ID-01:RT: ge-0/0/0.345:10.255.49.73->x.x.49.170, icmp, (8/0)
    13:49:59.572879:CID-0:THREAD_ID-01:RT: find flow: table 0x28812f40, hash 29145(0xffff), sa 10.255.49.73, da x.x.49.170, sp 1, dp 31499, proto 1, tok 9, conn-tag 0x00000000
    13:49:59.572884:CID-0:THREAD_ID-01:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
    13:49:59.572885:CID-0:THREAD_ID-01:RT: search gate for MNO-MVNO:10.255.49.73/1->x.x.49.170/31499,1
    13:49:59.572887:CID-0:THREAD_ID-01:RT: gate_search_specific_bucket: no gate found
    13:49:59.572888:CID-0:THREAD_ID-01:RT: search gate for MNO-MVNO:10.255.49.73/1->x.x.49.170/31499,1
    13:49:59.572889:CID-0:THREAD_ID-01:RT: gate_search_specific_bucket: no gate found
    13:49:59.572889:CID-0:THREAD_ID-01:RT: search widecast gate for MNO-MVNO:10.255.49.73/1->x.x.49.170/31499,1
    13:49:59.572890:CID-0:THREAD_ID-01:RT: gate_search_widecast_bucket: no gate found
    13:49:59.572891:CID-0:THREAD_ID-01:RT: flow_first_create_session
    13:49:59.572894:CID-0:THREAD_ID-01:RT: Save init hash spu id 0 to nsp and nsp2!
    13:49:59.572895:CID-0:THREAD_ID-01:RT: First path alloc and instl pending session, natp=0x2f7262c0, id=133393
    13:49:59.572896:CID-0:THREAD_ID-01:RT: flow_first_in_dst_nat: in <ge-0/0/0.345>, out <N/A> dst_adr x.x.49.170, sp 1, dp 31499
    13:49:59.572898:CID-0:THREAD_ID-01:RT: chose interface ge-0/0/0.345 as incoming nat if.
    13:49:59.572900:CID-0:THREAD_ID-01:RT: flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to x.x.49.170(31499)
    13:49:59.572901:CID-0:THREAD_ID-01:RT: [JSF] Do ingress interest check. regd ingress plugins(1)
    13:49:59.572903:CID-0:THREAD_ID-01:RT: [JSF][0]plugins(0x0) enabled for session = 261993138449 implicit mask(0x0), service request(0x0)
    13:49:59.572904:CID-0:THREAD_ID-01:RT: -jsf : no plugin ingress interested for session 261993138449
    13:49:59.572905:CID-0:THREAD_ID-01:RT: flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.255.49.73, x_dst_ip x.x.49.170, in ifp ge-0/0/0.345, out ifp N/A sp 1, dp 31499, ip_proto 1, tos 38
    13:49:59.572907:CID-0:THREAD_ID-01:RT: Doing DESTINATION addr route-lookup
    13:49:59.572910:CID-0:THREAD_ID-01:RT: flow_ipv4_rt_lkup success x.x.49.170, iifl 0x4c, oifl 0x48
    13:49:59.572911:CID-0:THREAD_ID-01:RT: routed (x_dst_ip x.x.49.170) from MNO-MVNO (ge-0/0/0.345 in 0) to ge-0/0/0.0, Next-hop: 185.18.51.250
    13:49:59.572916:CID-0:THREAD_ID-01:RT: flow_first_policy_search: policy search from zone MNO-MVNO-> zone untrust (0x0,0x17b0b,0x7b0b)
    13:49:59.572919:CID-0:THREAD_ID-01:RT: Policy lkup: vsys 0 zone(9:MNO-MVNO) -> zone(7:untrust) scope:0
    13:49:59.572922:CID-0:THREAD_ID-01:RT: 10.255.49.73/2048 -> x.x.49.170/44421 proto 1
    13:49:59.572926:CID-0:THREAD_ID-01:RT: app 0, timeout 60s, curr ageout 60s
    13:49:59.572927:CID-0:THREAD_ID-01:RT: permitted by policy permit-all(6)
    13:49:59.572930:CID-0:THREAD_ID-01:RT: packet passed, Permitted by policy.
    13:49:59.572932:CID-0:THREAD_ID-01:RT: reverse mip xlate 10.255.49.73/1 -> x.x.161.73/1 (on ge-0/0/0.0)
    13:49:59.572933:CID-0:THREAD_ID-01:RT: flow_first_src_xlate: nat_src_xlated: True, nat_src_xlate_failed: False
    13:49:59.572936:CID-0:THREAD_ID-01:RT: flow_first_src_xlate: hip xlate: 10.255.49.73->x.x.161.73 at ge-0/0/0.0 (vs. ge-0/0/0.0)
    13:49:59.572937:CID-0:THREAD_ID-01:RT: dip id = 0/0, 10.255.49.73/1->x.x.161.73/1 protocol 0
    13:49:59.572939:CID-0:THREAD_ID-01:RT: choose interface ge-0/0/0.0(P2P) as outgoing phy if
    13:49:59.572942:CID-0:THREAD_ID-01:RT: is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: x.x.49.170, rtt_idx:0
    13:49:59.572945:CID-0:THREAD_ID-01:RT: [JSF]Normal interest check. regd plugins 35, enabled impl mask 0x0
    13:49:59.572947:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
    13:49:59.572951:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
    13:49:59.572953:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
    13:49:59.572954:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
    13:49:59.572955:CID-0:THREAD_ID-01:RT: +++++++++++jsf_test_plugin_data_evh: 3
    13:49:59.572958:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
    13:49:59.572958:CID-0:THREAD_ID-01:RT: get NULL sess plugin info 0x2f7262c0
    13:49:59.572961:CID-0:THREAD_ID-01:RT: [JSF]Plugins(0x0, count 0) enabled for session = 261993138449, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    13:49:59.572963:CID-0:THREAD_ID-01:RT: -jsf : no plugin interested for session 261993138449, free sess plugin info
    13:49:59.572964:CID-0:THREAD_ID-01:RT: flow_first_service_lookup(): natp(0x2f7262c0): app_id, 0(0).
    13:49:59.572965:CID-0:THREAD_ID-01:RT: service lookup identified service 0.
    13:49:59.572965:CID-0:THREAD_ID-01:RT: flow_first_final_check: in <ge-0/0/0.345>, out <ge-0/0/0.0>
    13:49:59.572967:CID-0:THREAD_ID-01:RT: flow_first_final_check: flow_set_xlate_vector.
    13:49:59.572968:CID-0:THREAD_ID-01:RT: In flow_first_complete_session
    13:49:59.572968:CID-0:THREAD_ID-01:RT: flow_first_complete_session: pak_ptr is xlated packet
    13:49:59.572969:CID-0:THREAD_ID-01:RT: flow_first_complete_session, pak_ptr: 0x5cdfcd50, nsp: 0x2f7262c0, in_tunnel: 0x0
    13:49:59.572970:CID-0:THREAD_ID-01:RT: construct v4 vector for nsp2 and nsp
    13:49:59.572971:CID-0:THREAD_ID-01:RT: existing vector list 0x1200-0x759e2190.
    13:49:59.572971:CID-0:THREAD_ID-01:RT: existing vector list 0x1200-0x759e2190.
    13:49:59.572972:CID-0:THREAD_ID-01:RT: Session (id:133393) created for first pak 1200
    13:49:59.572972:CID-0:THREAD_ID-01:RT: first pak processing successful
    13:49:59.572973:CID-0:THREAD_ID-01:RT: flow_first_install_session======> 0x2f7262c0
    13:49:59.572973:CID-0:THREAD_ID-01:RT: nsp 0x2f7262c0, nsp2 0x2f726380
    13:49:59.572974:CID-0:THREAD_ID-01:RT: make_nsp_ready_no_resolve()
    13:49:59.572978:CID-0:THREAD_ID-01:RT: flow_ipv4_rt_lkup success 10.255.49.73, iifl 0x4c, oifl 0x4c
    13:49:59.572980:CID-0:THREAD_ID-01:RT: route lookup: dest-ip 10.255.49.73 orig ifp ge-0/0/0.345 output_ifp ge-0/0/0.345 orig-zone 9 out-zone 9 vsd 0
    13:49:59.572981:CID-0:THREAD_ID-01:RT: route to 10.249.1.1
    13:49:59.572983:CID-0:THREAD_ID-01:RT: no need update ha
    13:49:59.572983:CID-0:THREAD_ID-01:RT: Installing c2s NP session wing
    13:49:59.572984:CID-0:THREAD_ID-01:RT: Installing s2c NP session wing
    13:49:59.572985:CID-0:THREAD_ID-01:RT: first path session installation succeeded
    13:49:59.572986:CID-0:THREAD_ID-01:RT: flow got session.
    13:49:59.572986:CID-0:THREAD_ID-01:RT: flow session id 133393
    13:49:59.572987:CID-0:THREAD_ID-01:RT: vector bits 0x1200 vector 0x759e2190
    13:49:59.572988:CID-0:THREAD_ID-01:RT: flow_xlate_pak
    13:49:59.572989:CID-0:THREAD_ID-01:RT: flow_handle_icmp_xlate
    13:49:59.572989:CID-0:THREAD_ID-01:RT: xlate_icmp_pak
    13:49:59.572994:CID-0:THREAD_ID-01:RT: post addr xlation: x.x.161.73->x.x.49.170.
    13:49:59.572995:CID-0:THREAD_ID-01:RT: post addr xlation: x.x.161.73->x.x.49.170.
    13:49:59.572996:CID-0:THREAD_ID-01:RT: skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
    13:49:59.572999:CID-0:THREAD_ID-01:RT: mbuf 0x68e9d400, exit nh 0xd0010
    13:49:59.572999:CID-0:THREAD_ID-01:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    So I'm at a loss as to why this is occuring.  I've attached a sanitized config that's relevant for this setup. 

     

    I'm certainly open to suggestions.  I do have a JTAC case open, but it's not going to be followed up on until Monday.

     

    Attachment(s)

    txt
    SRXConfigSanitized.txt   23K 1 version


  • 2.  RE: Static/Reverse NAT between RI not working
    Best Answer

    Posted 02-26-2019 01:37

    So for inquiring minds, I was looking at the behavior of the SRX logically.  Seems that's a bad thing to do. 

     

    My from zone rule statement was apparently pointing to the wrong zone.  I was lookint at it from the perpsective of traffic traversing the zone.  In my case, I was pinging from a server on the INSIDE towards the MNO zone/instance.  As that worked, I'd assumed it should work in the reverse, but I needed to have that statement point to the MNO zone, and it works. 

     

    Because of the order of operation, I wouldn't have thought that would have covered it as traffic from the INSIDE doesn't have any NAT rules associated from the INSIDE, but apparently that's not the reality of it.