03-02-2009 06:50 AM
I am trying to set up two WX devices, both in off-path mode.
Each device is in a DMZ with private LAN addressing.
The firewalls do the NAT and allow the required TCP and UDP ports, but the registration server (i.e. the WX
located at the headquarters) complains that the IP that tries to register is not the source IP the packets come from,
so I have a lot of messages in the log that show:
primary IP mismatch.
Could anyone remind me how to tell the reg server to accept the requests?
03-02-2009 09:24 AM
The issue here is that you are NAT'ing the src/dst IP addresses of the appliances, but when the spoke WXs register with the reg-server, part of that registration process is that the data portion of the setup packet carries the 'real' IP address of the appliance, and obviously NAT'ing does not NAT content in the packet payload, if that makes sense.
This is your issue.
03-03-2009 12:01 AM
Thanks DannyJ for explaining the issue.
In other words, if you wish to use private IPs, the only option is to
use the private IPs and do some NAT on the firewalls.
That sounds quite weird.
Is it planned to develop a feature that would permit using a private IP and indicating that the packets between the WX
devices will use public addresses?
That also means you cannot use WX if both devices use the same private LAN addresses?
03-04-2009 01:08 AM
This was too hard to configure, so I set up a VPN instead.
Now I have some VPN issues, but that doesn't concern the WX anymore.
Do you know if the feature of having a public and a private IP (i.e. identifying the devices with something else than the IP) is planned?
How about using SSL at least to communicate for the registration?
03-04-2009 10:15 AM
Later this year we will be moving towards a transparent flow solution where we will remove the tunnel architecture, and the WAN flow will retain its original src and dst IP and port information; however, this will be 2H of 2009 for.
P.S. This solution will not have a reg-server.
03-05-2009 10:31 AM
Re beta, we are currently in beta and just started beta2.
Who is your JNPR Partner? JNPR local SE? What country are you in?
03-18-2009 07:49 AM
06-09-2009 09:00 AM
Has this been resolved and in what firmware?
I have two sites with the same network infrastructure and IP addresses.
I have setup a VPN between the two sites with overlapping subnets.
PC 1 at Site A on 192.168.1.120
PC 1 at Site B on 192.168.1.120
The PC1 on Site A can ping the PC1 at Site B on 220.127.116.11
The PC1 on Site B can ping the PC1 at Site A on 18.104.22.168
This all works great.
The issue is with the WXC.
I can't get the WXC to pair up (they can both ping etc. and there is no restriction on the FW).
The WXC registration server complains about 'primary IP mismatch'.
(log from WXC registration server)
2009-06-09 14:16:55 23AF3A5C E09 REG: Primay IP mismatch: paramsIp=192.168.2.253 remoteIp=22.214.171.124 priIp=126.96.36.199
After doing some digging, I've managed to find out that the WXC spoke registers with the WXC registration server by sending its IP address in the payload of the packet. Because the packet headers are being NAT'd, the source IP address in the payload (which the registration server uses) and the source IP of the packet do not match, hence the 'Primary IP mismatch'.
Has this been fixed? Otherwise, is there an ETA on when a fix will be available?
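A small triage script, added here as an example and not part of any post in this thread, that parses reg-server lines of the format quoted above and reports whether the header/payload disagreement fits the NAT explanation given. The log format is inferred from that single line, and the meaning of the priIp field is not stated in the thread, so it is carried through without interpretation.

```python
import re
import ipaddress

# Format of the line quoted in the thread (the "Primay" misspelling is as logged):
#   <date> <time> <id> <code> REG: Primay IP mismatch: paramsIp=A remoteIp=B priIp=C
REG_MISMATCH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ REG: Primar?y IP mismatch: "
    r"paramsIp=(?P<params>\S+) remoteIp=(?P<remote>\S+) priIp=(?P<pri>\S+)$"
)

def parse_reg_mismatch(line):
    """Return the fields of one REG mismatch line as a dict, or None if it is not one."""
    m = REG_MISMATCH.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "params_ip": ipaddress.ip_address(m["params"]),  # IP the spoke wrote into the payload
        "remote_ip": ipaddress.ip_address(m["remote"]),  # source IP of the packet as received
        "pri_ip": ipaddress.ip_address(m["pri"]),        # third field as logged (meaning not stated)
    }

def diagnose(rec):
    """Explain the mismatch per the thread: NAT rewrites the IP header, not the payload."""
    params, remote = rec["params_ip"], rec["remote_ip"]
    if params == remote:
        return "no header/payload disagreement"
    if params.is_private and not remote.is_private:
        return "private payload IP, public packet source: NAT between spoke and reg-server"
    if params.is_private and remote.is_private:
        return "two different private addresses: NAT or a second routed hop in the path"
    return "payload IP differs from packet source for another reason"

# Constructed sample: the line quoted above plus one made-up line.
SAMPLE_LOG = """\
2009-06-09 14:16:55 23AF3A5C E09 REG: Primay IP mismatch: paramsIp=192.168.2.253 remoteIp=22.214.171.124 priIp=126.96.36.199
2009-06-09 14:17:02 23AF3A5D E09 REG: Primay IP mismatch: paramsIp=10.0.0.5 remoteIp=10.0.1.5 priIp=10.0.0.5
"""

def scan(log_text):
    """Parse every mismatch line in log_text and attach a diagnosis."""
    results = []
    for line in log_text.splitlines():
        rec = parse_reg_mismatch(line)
        if rec:
            rec["diagnosis"] = diagnose(rec)
            results.append(rec)
    return results
```

Running scan(SAMPLE_LOG) over the quoted line flags a private payload address arriving from a public source, which is exactly the NAT-in-path case the thread describes.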