Hi,
In my HA Cluster SRX650, after 3 years, S-NAT doesn't work anymore since 1st May.
My version since 2015-08-18 :
node0:
--------------------------------------------------------------------------
Hostname: SRX01
Model: srx650
JUNOS Software Release [12.1X46-D35.1]
node1:
--------------------------------------------------------------------------
Hostname: SRX01
Model: srx650
JUNOS Software Release [12.1X46-D35.1]
{primary:node0}node0: -------------------------------------------------------------------------- Current time: 2016-05-12 11:44:54 CEST System booted: 2015-08-18 09:49:34 CEST (38w2d 01:55 ago) Protocols started: 2015-08-18 10:07:52 CEST (38w2d 01:37 ago) Last configured: 2016-05-12 11:27:06 CEST (00:17:48 ago) by rancid 11:44AM up 268 days, 1:55, 1 user, load averages: 0.10, 0.20, 0.22 node1: -------------------------------------------------------------------------- Current time: 2016-05-12 11:44:39 CEST System booted: 2015-08-18 09:43:49 CEST (38w2d 02:00 ago) Last configured: 2016-05-12 11:26:45 CEST (00:17:54 ago) by root 11:44AM up 268 days, 2:01, 0 users, load averages: 0.09, 0.08, 0.11
My configuration :
set security nat source pool IP_GLOBAL_OUTBOUND address 46.xxx.xxx.54/32 set security nat source pool IP_GLOBAL_OUTBOUND address 46.xxx.xxx.44/32 set security nat source pool IP_GLOBAL_OUTBOUND address 46.xxx.xxx.34/32 set security nat source rule-set SNAT_GLOBAL_MDC rule SNAT_GLOBAL_OUTBOUND then source-nat pool IP_GLOBAL_OUTBOUND set security nat source rule-set SNAT_GLOBAL_MDC from zone trust set security nat source rule-set SNAT_GLOBAL_MDC to zone untrust set security nat source rule-set SNAT_GLOBAL_MDC rule SNAT_GLOBAL_OUTBOUND match source-address 172.20.0.0/16 set security nat source rule-set SNAT_GLOBAL_MDC rule SNAT_GLOBAL_OUTBOUND match destination-address 0.0.0.0/0 set security nat source rule-set SNAT_GLOBAL_MDC rule SNAT_GLOBAL_OUTBOUND then source-nat pool IP_GLOBAL_OUTBOUND set security nat source address-persistent
For 3 years, S-NAT configured just one IP_GLOBAL_OUTBOUND : 46.xxx.xxx.34/32 without address-persistent.
But since May 1st , every nightaround 19:30, node0 no longer in translation :
May 12 11:27:01 11:27:01.083348:CID-1:RT:<172.20.170.15/154->8.8.8.8/14665;1> matched filter MatchTraffic: May 12 11:27:01 11:27:01.083423:CID-1:RT:packet [84] ipid = 33018, @0x43dea91c May 12 11:27:01 11:27:01.083423:CID-1:RT:---- flow_process_pkt: (thd 6): flow_ctxt type 15, common flag 0x0, mbuf 0x43dea700, rtbl_idx = 0 May 12 11:27:01 11:27:01.083423:CID-1:RT: flow process pak fast ifl 110 in_ifp reth0.0 May 12 11:27:01 11:27:01.083423:CID-1:RT: reth0.0:172.20.170.15->8.8.8.8, icmp, (8/0) May 12 11:27:01 11:27:01.083423:CID-1:RT: find flow: table 0x5006cf70, hash 41887(0xffff), sa 172.20.170.15, da 8.8.8.8, sp 154, dp 14665, proto 1, tok 6 May 12 11:27:01 11:27:01.083423:CID-1:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0 May 12 11:27:01 11:27:01.083423:CID-1:RT:search gate for trust:172.20.170.15/154->8.8.8.8/14665,1 May 12 11:27:01 11:27:01.083423:CID-1:RT:gate_search_specific_bucket: no gate found May 12 11:27:01 11:27:01.083423:CID-1:RT:search widecast gate for trust:172.20.170.15/154->8.8.8.8/14665,1 May 12 11:27:01 11:27:01.083423:CID-1:RT:gate_search_widecast_bucket: no gate found May 12 11:27:01 11:27:01.083423:CID-1:RT: flow_first_create_session May 12 11:27:01 11:27:01.083607:CID-1:RT:First path alloc and instl pending session, natp=0x5d37a880, id=344342 May 12 11:27:01 11:27:01.083607:CID-1:RT: flow_first_in_dst_nat: in <reth0.0>, out <N/A> dst_adr 8.8.8.8, sp 154, dp 14665 May 12 11:27:01 11:27:01.083632:CID-1:RT: chose interface reth0.0 as incoming nat if. May 12 11:27:01 11:27:01.083632:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 8.8.8.8(14665) May 12 11:27:01 11:27:01.083632:CID-1:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.20.170.15, x_dst_ip 8.8.8.8, in ifp reth0.0, out ifp N/A sp 154, dp 14665, ip_proto 1, tos 0 May 12 11:27:01 11:27:01.083632:CID-1:RT:Doing DESTINATION addr route-lookup May 12 11:27:01 11:27:01.083632:CID-1:RT:flow_ipv4_rt_lkup success 8.8.8.8, iifl 0x6e, oifl 0x44 May 12 11:27:01 11:27:01.083718:CID-1:RT: routed (x_dst_ip 8.8.8.8) from trust (reth0.0 in 1) to reth2.0, Next-hop: 46.218.251.147 May 12 11:27:01 11:27:01.083730:CID-1:RT:flow_first_policy_search: policy search from zone trust-> zone untrust (0x0,0x9a3949,0x3949) May 12 11:27:01 11:27:01.083730:CID-1:RT:Policy lkup: vsys 0 zone(6:trust) -> zone(7:untrust) scope:0 May 12 11:27:01 11:27:01.083730:CID-1:RT: 172.20.170.15/2048 -> 8.8.8.8/35215 proto 1 May 12 11:27:01 11:27:01.083730:CID-1:RT: app 0, timeout 60s, curr ageout 60s May 12 11:27:01 11:27:01.083730:CID-1:RT: permitted by policy TRUST-TO-UNTRUST(4) May 12 11:27:01 11:27:01.083730:CID-1:RT: packet passed, Permitted by policy. May 12 11:27:01 11:27:01.083822:CID-1:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False May 12 11:27:01 11:27:01.083822:CID-1:RT:flow_first_src_xlate: incoming src port is : 154. May 12 11:27:01 11:27:01.083844:CID-1:RT:flow_first_src_xlate: src nat returns status: 1, rule/pool id: 1/32772, pst_nat: False. May 12 11:27:01 11:27:01.083844:CID-1:RT: dip alloc failed. dip_id = 0/0 May 12 11:27:01 11:27:01.083844:CID-1:RT: packet dropped, dip alloc failed May 12 11:27:01 11:27:01.083844:CID-1:RT:flow_initiate_first_path: first pak no session May 12 11:27:01 11:27:01.083844:CID-1:RT: flow find session returns error. May 12 11:27:01 11:27:01.083844:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
If I flop on node1, no problem while at arround 19:30. Neither the node0nornode1 not make S-NAT with IP.
But, we don't have specific traffic or load, arround 19:30.
If I modify S-NAT and commit, everything works again while 19:30, etc.
It's the same thing witha different IP.
I bypassed by configuring 3 IPsfor 3 days,but the problembegins againonone of the 3IPs.
I searched a lotduringthe last 10 days, but Ihave not found anythingconclusiveon the subject.
Can you help me ?