
SRX340 Won't accept new static nat until reboot

  • 1.  SRX340 Won't accept new static nat until reboot

    Posted 06-07-2021 11:51

    Weird problem with SRX340...

    Static NAT works fine normally (once it "takes"), but a newly committed static NAT config has no effect until the machine is rebooted. Then it shows and works fine.

    Firmware: 18.2R3-S2.9

    Here's an example with three static NATs. First rule (below) was set up some time ago, working fine now; second was set up recently, but didn't show up or work until machine was rebooted (it's also working fine now). Third rule below I just set up & committed now; and as you can see from the second clip below, it doesn't even show up. Why??

    [edit]
    root@DCCA# show security nat static
    rule-set static {
        from zone untrust;
        rule 1-server-B {
            description Server-B;
            match {
                destination-address 1.1.1.1/32;
            }
            then {
                static-nat {
                    prefix {
                        10.1.1.1/32;
                    }
                }
            }
        }
        rule 2-server-C {
            match {
                destination-address 1.1.1.2/32;
            }
            then {
                static-nat {
                    prefix {
                        10.2.2.2/32;
                    }
                }
            }
        }
        rule 3-server-O {
            match {
                destination-address 1.1.1.3/32;
            }
            then {
                static-nat {                
                    prefix {
                        10.3.3.3/32;
                    }
                }
            }
        }
    }
    [edit]
    root@DCCA# run show security nat static rule all
    Total static-nat rules: 2
    Total referenced IPv4/IPv6 ip-prefixes: 4/0
    Static NAT rule: 1-SERVER-B     Rule-set: static
      Description                : Server B
      Rule-Id                    : 1
      Rule position              : 1
      From zone                  : untrust
      Destination addresses      : 1.1.1.1
      Host addresses             : 10.1.1.1
      Netmask                    : 32
      Host routing-instance      : N/A
      Translation hits           : 10110151
        Successful sessions      : 9905411
        Failed sessions          : 204740
      Number of sessions         : 81
    Static NAT rule: 2-SERVER-C      Rule-set: static
      Rule-Id                    : 2
      Rule position              : 2
      From zone                  : untrust
      Destination addresses      : 1.1.1.2
      Host addresses             : 10.2.2.2
      Netmask                    : 32
      Host routing-instance      : N/A
      Translation hits           : 1286651
        Successful sessions      : 1286402
        Failed sessions          : 249
      Number of sessions         : 24


    I've seen it with this machine several times now. If the machine is rebooted, everything works as configured. But if I change the public IP, or the rule name, it no longer takes effect. Config stays, and it commits fine...but there is no functional NAT.

    If more detail is needed, just say so!
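
The symptom in this post is a divergence between what was committed and what the data plane actually programmed. The script below is an added example (not the poster's, and not Juniper's code) that makes that divergence visible automatically: it parses the two CLI clips from the post and reports any committed static NAT rule that is missing from `show security nat static rule all` or programmed with different addresses. It assumes the configuration was pulled with `show security nat static | display set` (the same rules as above, rewritten into that form as constructed sample input), and that the operational output has been trimmed to the fields the check reads.

```python
"""Compare committed Junos static NAT rules against what the data plane reports.

Added example, not from the thread. Input is constructed from the two clips in
the post above: the configuration is assumed to have been pulled with
'show security nat static | display set', the runtime state with
'show security nat static rule all'.
"""
import re

# Constructed sample: the three rules from the post, in 'display set' form.
CONFIG_SET = """\
set security nat static rule-set static from zone untrust
set security nat static rule-set static rule 1-server-B description Server-B
set security nat static rule-set static rule 1-server-B match destination-address 1.1.1.1/32
set security nat static rule-set static rule 1-server-B then static-nat prefix 10.1.1.1/32
set security nat static rule-set static rule 2-server-C match destination-address 1.1.1.2/32
set security nat static rule-set static rule 2-server-C then static-nat prefix 10.2.2.2/32
set security nat static rule-set static rule 3-server-O match destination-address 1.1.1.3/32
set security nat static rule-set static rule 3-server-O then static-nat prefix 10.3.3.3/32
"""

# Constructed sample: the operational output from the post, trimmed to the
# fields this check reads (rule 3 is absent, exactly as the poster saw).
OPER_OUTPUT = """\
Total static-nat rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 4/0
Static NAT rule: 1-SERVER-B     Rule-set: static
  Description                : Server B
  Destination addresses      : 1.1.1.1
  Host addresses             : 10.1.1.1
  Netmask                    : 32
  Translation hits           : 10110151
Static NAT rule: 2-SERVER-C      Rule-set: static
  Destination addresses      : 1.1.1.2
  Host addresses             : 10.2.2.2
  Netmask                    : 32
  Translation hits           : 1286651
"""

SET_RE = re.compile(
    r"^set security nat static rule-set (\S+) rule (\S+) "
    r"(match destination-address|then static-nat prefix) (\S+)$"
)
RULE_HDR_RE = re.compile(r"^Static NAT rule: (\S+)\s+Rule-set: (\S+)")
FIELD_RE = re.compile(r"^\s+(Destination addresses|Host addresses|Netmask)\s*:\s*(\S+)")
TOTAL_RE = re.compile(r"^Total static-nat rules: (\d+)")


def configured_static_rules(config_set_text):
    """Map rule name -> {rule_set, destination, prefix} from 'display set' lines."""
    rules = {}
    for line in config_set_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # 'from zone' and 'description' lines are not needed here
        rule_set, name, kind, value = m.groups()
        entry = rules.setdefault(name, {"rule_set": rule_set, "destination": None, "prefix": None})
        entry["destination" if kind.startswith("match") else "prefix"] = value
    return rules


def active_static_rules(oper_text):
    """Map rule name -> fields from 'show security nat static rule all' output.

    Names are lower-cased: the post's output prints them in upper case while
    the configuration has mixed case, so the comparison must be case-insensitive.
    """
    active, total, name = {}, None, None
    for line in oper_text.splitlines():
        if (m := TOTAL_RE.match(line)):
            total = int(m.group(1))
        elif (m := RULE_HDR_RE.match(line)):
            name = m.group(1).lower()
            active[name] = {"rule_set": m.group(2)}
        elif name and (m := FIELD_RE.match(line)):
            active[name][m.group(1)] = m.group(2)
    return active, total


def audit_static_nat(config_set_text, oper_text):
    """Report committed rules the data plane does not list, or programs with other addresses."""
    configured = configured_static_rules(config_set_text)
    active, total = active_static_rules(oper_text)
    report = {"missing": [], "mismatched": [], "configured": len(configured), "active": len(active)}
    if total is not None and total != len(active):
        report["note"] = f"header says {total} rules but {len(active)} were listed"
    for name, cfg in configured.items():
        act = active.get(name.lower())
        if act is None:
            report["missing"].append(name)
            continue
        want_dst = cfg["destination"].split("/")[0]
        want_host, want_len = cfg["prefix"].split("/")
        got = (act.get("Destination addresses"), act.get("Host addresses"), act.get("Netmask"))
        if got != (want_dst, want_host, want_len):
            report["mismatched"].append(name)
    return report


if __name__ == "__main__":
    result = audit_static_nat(CONFIG_SET, OPER_OUTPUT)
    for name in result["missing"]:
        print(f"ALERT: rule {name} is committed but not active; check route/memory pressure before rebooting")
    print(result)
```

Run against the post's two clips it flags `3-server-O` as committed but not active and reports 3 configured versus 2 active rules. Running the same check after every commit (or from a monitoring job) turns the "it silently didn't take" failure mode into an alert, and the "mismatched" list also catches the renamed-rule and changed-public-IP cases the poster describes, where a stale entry is still active under the old values.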



  • 2.  RE: SRX340 Won't accept new static nat until reboot

    Posted 06-07-2021 16:40

    I guess this is solved. After I posted today, the Boss got around to cleaning up some BGP (mis)configuration, which had managed to pull in routes to just about every subnet in the WWW. It seems that this overload of information may have filled the tables/memory-space for routing, to the point that changes could no longer be engaged.

    Anyway...with that cleared, static NAT can now be configured without rebooting.

    I don't understand it well enough to explain in a technically coherent way, so if anyone happening across this thread can clarify how this happens, I'd be grateful.



  • 3.  RE: SRX340 Won't accept new static nat until reboot
    Best Answer

    Posted 06-07-2021 19:18
    Based on your description it seems likely that memory resource limits were the issue.  Even with enhanced route scale enabled the SRX340 would not be able to handle full tables these days.  And there are limits to other features when that is turned on as well.  You can see a previous post on the subject here.

    https://community.juniper.net/communities/community-home/digestviewer/viewthread?MID=69415

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------