Routing


CGNAT PBA with paired address-pooling on ams0 with two or more members

  • 1.  CGNAT PBA with paired address-pooling on ams0 with two or more members

    Posted 09-08-2020 10:26

    I have an MS-MPC and configured NAT on the ams0 interface (with 2 members):

     

    > show interfaces load-balancing ams0 detail
    Load-balancing interfaces detail
    Interface        : ams0
      State          : Up
      Last change    : 13:17:16
      Member count   : 2
      HA Model       : None
      Members        :
          Interface    Weight   State
          mams-4/0/0   10       Active
          mams-5/0/0   10       Active
    

     

    I configured PBA and "address-pooling paired" so that NAT for the client is always performed from the same IP in the NAT pool:

     

    pool NAT-POOL-1 {
        address-range low x.x.216.0 high x.x.219.255;
        port {
            automatic {
                random-allocation;
            }
            secured-port-block-allocation block-size 256 max-blocks-per-address 8 active-block-timeout 1800;
        }
        address-allocation round-robin;
        app-mapping-timeout 300;
        snmp-trap-thresholds {
            address-port low 60 high 80;
        }
    }

    rule NAT-RULE-1 {
        match-direction input;
        term T1 {
            from {
                source-prefix-list {
                    pl-ipv4-NAT-SRC-1;
                }
            }
            then {
                translated {
                    source-pool NAT-POOL-1;
                    translation-type {
                        napt-44;
                    }
                    address-pooling paired;
                }
            }
        }
    }
    

     

    As long as ams0 contained one member, everything was fine. But as soon as I added the second interface to ams0, I got:

     

    > show services nat mappings address-pooling-paired private 100.64.51.199
    Interface: mams-4/0/0, Service set: SS-NAT-1
    
    NAT pool: NAT-POOL-1
    
    Mapping          : 100.64.51.199   --> x.x.217.1
    Ports In Use     :    13
    Session Count    :    13
    Mapping State    : Active
    
    Interface: mams-5/0/0, Service set: SS-NAT-1
    
    NAT pool: NAT-POOL-1
    
    Mapping          : 100.64.51.199   --> x.x.218.232
    Ports In Use     :     1
    Session Count    :     1
    Mapping State    : Active
    

     

    Now the client can get to different servers from different IPs. This creates problems for some services.

     

    I need client sessions to always be created under one public IP (separate from the block of addresses allocated under NAT).

    What can be done to solve this problem?


    #CGNAT
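An added audit check (not from the original post or from Junos) that parses the "show services nat mappings address-pooling-paired" output quoted above and flags any private address whose paired mapping differs between AMS members, which is exactly the symptom described; the sample text below is a constructed copy of that output, and the x.x. prefix is kept as the poster wrote it.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's
# "show services nat mappings address-pooling-paired" output.
SAMPLE_OUTPUT = """\
Interface: mams-4/0/0, Service set: SS-NAT-1

NAT pool: NAT-POOL-1

Mapping          : 100.64.51.199   --> x.x.217.1
Ports In Use     :    13
Session Count    :    13
Mapping State    : Active

Interface: mams-5/0/0, Service set: SS-NAT-1

NAT pool: NAT-POOL-1

Mapping          : 100.64.51.199   --> x.x.218.232
Ports In Use     :     1
Session Count    :     1
Mapping State    : Active
"""

IFACE_RE = re.compile(r"^Interface:\s*(\S+),\s*Service set:\s*(\S+)")
# "Mapping State : Active" does not match because of the literal colon test.
MAP_RE = re.compile(r"^Mapping\s*:\s*(\S+)\s*-->\s*(\S+)")


def parse_paired_mappings(text):
    """Return (member_iface, service_set, private_ip, public_ip) tuples."""
    rows, iface, sset = [], None, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, sset = m.groups()   # mappings below belong to this member
            continue
        m = MAP_RE.match(line)
        if m and iface:
            rows.append((iface, sset, m.group(1), m.group(2)))
    return rows


def find_split_clients(rows):
    """Private IPs whose paired public address differs across members."""
    by_client = defaultdict(dict)
    for iface, _sset, priv, pub in rows:
        by_client[priv][iface] = pub
    return {priv: members for priv, members in by_client.items()
            if len(set(members.values())) > 1}
```

Run it over the live CLI output after any AMS member change; an empty result means every client keeps a single public address across members.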


  • 2.  RE: CGNAT PBA with paired address-pooling on ams0 with two or more members

    Posted 09-08-2020 10:54

    Hi, first of all, check if source-address load-balancing is enabled for the service card:

     

    >show configuration forwarding-options
    enhanced-hash-key {
        services-loadbalancing {
            family inet {
                layer-3-services {
                    source-address;
                }
            }
        }
    }
    


  • 3.  RE: CGNAT PBA with paired address-pooling on ams0 with two or more members

    Posted 09-08-2020 13:20

    Hello,

     

    "On-the-fly" addition of new NPUs into AMS is not supported.

    You need to deactivate/reactivate the service-set at least.

    And "services-loadbalancing" is not required for MS-MPC.

    HTH

    Thx

    Alex


  • 4.  RE: CGNAT PBA with paired address-pooling on ams0 with two or more members

    Posted 09-09-2020 12:47

    The documentation (https://www.juniper.net/documentation/en_US/junos/topics/concept/ams-understanding.html) says:

     

    NOTE: If you modify a NAT pool that is being used by a service set assigned to an AMS interface, you must deactivate and activate the service set before the NAT pool changes take effect.

    I just added a new member to ams0 and did not change the service-set or NAT pool.

    In addition, after adding a new mams interface, both PICs were reloaded:

     

    Sep  8 04:56:09.928 2020  core1-re0 spd[5433]: Deleting AMS NAT Ranges and NHs for SS-NAT-1 on ams0.
    …
    Sep  8 04:56:11.016 2020  core1-re0 chassisd[4759]: CHASSISD_SNMP_TRAP10: SNMP trap generated: FRU power off (jnxFruContentsIndex 8, jnxFruL1Index 6, jnxFruL2Index 1, jnxFruL3Index 0, jnxFruName PIC: MS-MPC-PIC @ 5/0/*, jnxFruType 11, jnxFruSlot 5, jnxFruOfflineReason 8, jnxFruLastPowerOff -638903524, jnxFruLastPowerOn -1303937025)
    …
    Sep  8 04:56:11.017 2020  core1-re0 chassisd[4759]: CHASSISD_SNMP_TRAP10: SNMP trap generated: FRU power off (jnxFruContentsIndex 8, jnxFruL1Index 5, jnxFruL2Index 1, jnxFruL3Index 0, jnxFruName PIC: MS-MPC-PIC @ 4/0/*, jnxFruType 11, jnxFruSlot 4, jnxFruOfflineReason 8, jnxFruLastPowerOff -638903524, jnxFruLastPowerOn -755917172)
    …
    Sep  8 04:56:11.536 2020  core1-re0 chassisd[4759]: CHASSISD_SNMP_TRAP10: SNMP trap generated: FRU power on (jnxFruContentsIndex 8, jnxFruL1Index 6, jnxFruL2Index 1, jnxFruL3Index 0, jnxFruName PIC: MS-MPC-PIC @ 5/0/*, jnxFruType 11, jnxFruSlot 5, jnxFruOfflineReason 2, jnxFruLastPowerOff -638903524, jnxFruLastPowerOn -638903472)
    …
    Sep  8 04:56:11.704 2020  core1-re0 chassisd[4759]: CHASSISD_SNMP_TRAP10: SNMP trap generated: FRU power on (jnxFruContentsIndex 8, jnxFruL1Index 5, jnxFruL2Index 1, jnxFruL3Index 0, jnxFruName PIC: MS-MPC-PIC @ 4/0/*, jnxFruType 11, jnxFruSlot 4, jnxFruOfflineReason 2, jnxFruLastPowerOff -638903524, jnxFruLastPowerOn -638903455)
    …
    Sep  8 05:19:25.388 2020  core1-re0 spd[5433]: Successfully added AMS NAT Ranges and NHs for SS-NAT-1 on ams0.
    

     

    Do I still need to deactivate / activate the service-set?

     



  • 5.  RE: CGNAT PBA with paired address-pooling on ams0 with two or more members
    Best Answer

    Posted 09-09-2020 13:28

    Hello,

     


    yury.yaroshevsky@gmail.com wrote:

        In addition, after adding a new mams interface, both PICs were reloaded:

    Ok cool.

    Do you have the "load-balancing-options hash-keys" knob enabled in your AMS config?

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/hash-keys-edit-interfaces-ams.html

    For nexthop-style CGNAT, you only need to enable it for the private source IP; typically it looks like:

     

    set interfaces ams0 load-balancing-options hash-keys ingress-key source-ip

     

    In the other direction, traffic will be attracted by routing towards CGNAT pool IPs split between MAMS interfaces.

    HTH

    Thx

    Alex


  • 6.  RE: CGNAT PBA with paired address-pooling on ams0 with two or more members

    Posted 09-10-2020 02:30

    I tried to do a test today.

    When testing, I saw my error 😞

     

        load-balancing-options {
            hash-keys {
                ingress-key [ source-ip protocol ];
            }
        }
    

     

    Once I removed the protocol hash key, everything returned to normal.

    Thank you.