Application Acceleration
pkc
Contributor
Posts: 111
Registered: 09-24-2008

off path : primary ip mismatch

Hi all,

I try to set up two WX devices, both in off-path mode.

Each device is in a DMZ with private LAN addressing.

The firewalls do the NAT and allow the required TCP and UDP ports, but the registration server (i.e. the WX located at the headquarters) complains that the IP that tries to register is not the source IP the packets come from;

so I have in the log a lot of messages that show:

primary IP mismatch.

Could anyone remind me how to indicate to the reg server to accept the requests?

Thanks.


DannyJ
Recognized Expert
Posts: 319
Registered: 11-02-2007

Re: off path : primary ip mismatch

The issue here is that you are NAT'ing the src/dst IP addresses of the appliances, but when the spoke WXs register with the reg-server, part of that registration process is that the data portion of the setup packet carries the 'real' IP address of the appliance, and obviously NAT'ing does not NAT content in the packet payload, if that makes sense.

This is your issue.

Danny Jump
Technical Marketing Manager - Access and Acceleration Business Unit

pkc
Contributor
Posts: 111
Registered: 09-24-2008

Re: off path : primary ip mismatch

Thanks DannyJ for explaining the issue.

In other words, if you wish to use private IPs, the only option is to use the private IPs and do some NAT on the firewalls.

That sounds quite weird.

Is it planned to develop a feature that would permit using a private IP and indicating that the packets between the WX devices will use public addresses?

That also means you cannot use WX if both devices use the same private LAN addresses? (i.e. overlapping).


DannyJ
Recognized Expert
Posts: 319
Registered: 11-02-2007

Re: off path : primary ip mismatch

Does this help you picture the limitations?

Danny Jump
Technical Marketing Manager - Access and Acceleration Business Unit

pkc
Contributor
Posts: 111
Registered: 09-24-2008

Re: off path : primary ip mismatch

Hi,

this was too hard to configure, so I set up a VPN instead.

And now I have some VPN issues, but that doesn't concern the WX anymore.

Do you know if the feature of having a public and a private IP (i.e. identifying the devices with something else than the IP) is planned?

How about using SSL at least to communicate for the registration?


DannyJ
Recognized Expert
Posts: 319
Registered: 11-02-2007

Re: off path : primary ip mismatch

Later this year we will be moving towards a transparent flow solution where we will remove the tunnel architecture, and in the WAN the flows will retain their original src and dst IP and port information; however this will be 2H of 2009 for.

P.S. This solution will not have a reg-server.

Danny Jump
Technical Marketing Manager - Access and Acceleration Business Unit

pkc
Contributor
Posts: 111
Registered: 09-24-2008

Re: off path : primary ip mismatch

Do you mean the long-mentioned WXOS 6 will be released?

Could it be possible to take part in a beta test?


DannyJ
Recognized Expert
Posts: 319
Registered: 11-02-2007

Re: off path : primary ip mismatch

Yes, V6.

Re beta, we are currently in beta and just started beta2.

Who is your JNPR Partner? JNPR local SE? What country are you in?

Danny Jump
Technical Marketing Manager - Access and Acceleration Business Unit

AMS-TAC
Juniper Employee
Posts: 29
Registered: 03-18-2009

Re: off path : primary ip mismatch

There has to be two-way connectivity end-to-end between the WXes, and any NAT that happens must be translated back so that the remote device 'sees' the original IP of the originating WX. If this is not achievable, your best option is to use VPN, as you already found out yourself.

Sunny_ICT
Visitor
Posts: 2
Registered: 06-09-2009

Re: off path : primary ip mismatch

Hi Guys,

Has this been resolved, and in what firmware?

I have two sites with the same network infrastructure and IP addresses.

I have set up a VPN between the two sites with overlapping subnets.

e.g.

PC 1 at Site A on 192.168.1.120
PC 1 at Site B on 192.168.1.120

The PC1 on Site A can ping the PC1 at Site B on 2.2.2.120

The PC1 on Site B can ping the PC1 at Site A on 3.3.3.120

This all works great.

The issue is with the WXC.

I can't get the WXC to pair up (they can both ping etc. and there is no restriction on the FW).

The WXC Registration server complains about 'primary IP mismatch'.

(log from WXC registration server)

2009-06-09 14:16:55 23AF3A5C E09 REG: Primay IP mismatch: paramsIp=192.168.2.253 remoteIp=44.44.44.253 priIp=32.58.175.35

After doing some digging, I've managed to find out that the WXC spoke registers with the WXC registration server by sending its IP address in the payload of the packet. Because the packet headers are being NAT'd, the source IP address in the payload (which the registration server uses) and the source IP of the packet do not match, and hence the 'Primary IP mismatch'.

Has this been fixed? Otherwise, is there an ETA on when a fix will be available?

Many thanks

Sunny
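The two explanations above (DannyJ's and Sunny's) describe the same mechanism: the spoke writes its own address into the registration payload, the firewall rewrites only the IP header, and the reg-server rejects the request when the two disagree. The following is an added example, not Juniper code and not part of this thread: it models that check, shows why header-only source NAT trips it, shows the "translate it back" remedy AMS-TAC describes, and parses the REG log line format quoted above so a mismatch can be classified from logs. The function and field names (`check_registration`, `nat_rewrite`, `reverse_nat`, `parse_mismatch`, `diagnose`) and the hub-side NAT table are assumptions for illustration; the sample log line is constructed from the format in Sunny's post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format quoted in the thread. The "Primay" spelling
# is part of the logged text, so the pattern accepts both spellings.
SAMPLE_LOG = (
    "2009-06-09 14:16:55 23AF3A5C E09 REG: Primay IP mismatch: "
    "paramsIp=192.168.2.253 remoteIp=44.44.44.253 priIp=32.58.175.35"
)

LOG_RE = re.compile(
    r"REG: Primar?y IP mismatch: "
    r"paramsIp=(?P<params>\S+) remoteIp=(?P<remote>\S+) priIp=(?P<pri>\S+)"
)


@dataclass(frozen=True)
class RegistrationRequest:
    """What the reg-server sees for one registration attempt."""
    params_ip: str  # 'real' address the spoke places in the setup packet payload
    remote_ip: str  # source address in the IP header as it arrives at the hub


def check_registration(req: RegistrationRequest) -> str:
    """Assumed model of the reg-server consistency check described in the thread:
    the payload address must equal the header source address."""
    if req.params_ip == req.remote_ip:
        return "accepted"
    return "Primary IP mismatch"


def nat_rewrite(req: RegistrationRequest, public_ip: str) -> RegistrationRequest:
    """Source NAT at the spoke-side firewall: header rewritten, payload untouched."""
    return RegistrationRequest(params_ip=req.params_ip, remote_ip=public_ip)


# Assumed hub-side static mapping (public -> original spoke address). This is the
# "NAT must be translated back" remedy from the AMS-TAC reply, modelled as a table.
HUB_REVERSE_NAT = {"44.44.44.253": "192.168.2.253"}


def reverse_nat(req: RegistrationRequest, table: dict) -> RegistrationRequest:
    """Undo the translation before the reg-server inspects the request."""
    return RegistrationRequest(
        params_ip=req.params_ip,
        remote_ip=table.get(req.remote_ip, req.remote_ip),
    )


def parse_mismatch(line: str) -> Optional[dict]:
    """Extract paramsIp / remoteIp / priIp from a REG mismatch log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {k: m.group(k) for k in ("params", "remote", "pri")}


def diagnose(fields: dict) -> str:
    """Classify a logged mismatch. A private payload address behind a public
    header address is the signature of header-only NAT in the path."""
    params = ipaddress.ip_address(fields["params"])
    remote = ipaddress.ip_address(fields["remote"])
    if params == remote:
        return "consistent"
    if params.is_private and not remote.is_private:
        return "nat-in-path"
    return "other-mismatch"


if __name__ == "__main__":
    spoke = RegistrationRequest("192.168.2.253", "192.168.2.253")
    print("direct:", check_registration(spoke))
    natted = nat_rewrite(spoke, "44.44.44.253")
    print("through NAT:", check_registration(natted))
    print("after reverse NAT:", check_registration(reverse_nat(natted, HUB_REVERSE_NAT)))
    fields = parse_mismatch(SAMPLE_LOG)
    print("log fields:", fields, "->", diagnose(fields))
```

Running it shows the direct registration accepted, the NAT'd one rejected with the same message the thread reports, and the reverse-mapped one accepted again; the parsed sample line classifies as `nat-in-path`, which is the condition to look for when triaging these log entries.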