Junos

Flows on CGNAT on MX960(MS-DPC) always on Watch mode?

‎07-04-2014 02:33 AM

Hello,

I have one issue with CGNAT 444 configuration like this:

- The flows are counted on the router, but they are always in Watch mode. Please check and help me.

Email attached configuration file

 

 

show services stateful-firewall flows extensive
Interface: sp-5/0/0, Service set: NAT444
Flow State Dir Frm count
ICMP 172.30.11.11 -> 8.8.8.8 Watch I 543
NAT source 172.30.11.11 -> 210.245.15.151
Byte count: 45612
Flow role: Master, Timeout: 29
ICMP 8.8.8.8 -> 210.245.15.151 Watch O 0
NAT dest 210.245.15.151 -> 172.30.11.11
Byte count: 0
Flow role: Responder, Timeout: 0
ICMP 8.8.8.8 -> 210.245.15.151 Watch O 0
NAT dest 210.245.15.151 -> 172.30.11.11
Byte count: 0
Flow role: Responder, Timeout: 0
ICMP 172.30.11.11 -> 8.8.8.8 Watch I 38
NAT source 172.30.11.11 -> 210.245.15.151
Byte count: 3192
Flow role: Master, Timeout: 29

 


Re: Flows on CGNAT on MX960(MS-DPC) always on Watch mode?

‎07-04-2014 03:32 AM

Hello,

There is nothing to check and nothing to help You with. These printouts are normal.

Trust me :)

The reason You are seeing ICMP flows in "Watch" state is that MS-DPC ICMP ALG is ON and it inspects the ICMP header & payload for anomalies and "Destination Unreach" content.

HTH

Thanks

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements
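
Added example, not part of the thread and not Juniper code: a small Python parser for the `show services stateful-firewall flows extensive` text pasted in the question, which counts flows per protocol and state so that the ICMP flows in Watch state that the reply describes as normal can be separated from everything else. The function names and the constructed TCP line used to exercise it are assumptions; addresses are matched as any non-space token, so an `addr:port` form also parses.

```python
import re
from collections import Counter

# Constructed sample: header plus the first two flows from the output in the question.
SAMPLE = """\
Interface: sp-5/0/0, Service set: NAT444
Flow State Dir Frm count
ICMP 172.30.11.11 -> 8.8.8.8 Watch I 543
NAT source 172.30.11.11 -> 210.245.15.151
Byte count: 45612
Flow role: Master, Timeout: 29
ICMP 8.8.8.8 -> 210.245.15.151 Watch O 0
NAT dest 210.245.15.151 -> 172.30.11.11
Byte count: 0
Flow role: Responder, Timeout: 0
"""

# Line shapes as they appear in the post (hypothetical helper patterns).
FLOW = re.compile(r"^(?P<proto>[A-Z][A-Z0-9]*)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
                  r"\s+(?P<state>\w+)\s+(?P<dir>[IO])\s+(?P<frames>\d+)$")
NAT = re.compile(r"^NAT\s+(?P<kind>source|dest)\s+(?P<orig>\S+)\s+->\s+(?P<xlat>\S+)$")
BYTES = re.compile(r"^Byte count:\s*(\d+)$")
ROLE = re.compile(r"^Flow role:\s*(\w+),\s*Timeout:\s*(\d+)$")

def parse_flows(text):
    """Turn the flattened CLI text into one dict per flow."""
    flows, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FLOW.match(line):
            cur = {**m.groupdict(), "nat": None, "bytes": None, "role": None, "timeout": None}
            cur["frames"] = int(cur["frames"])
            flows.append(cur)
        elif cur is None:
            continue  # header lines before the first flow
        elif m := NAT.match(line):
            cur["nat"] = m.groupdict()
        elif m := BYTES.match(line):
            cur["bytes"] = int(m.group(1))
        elif m := ROLE.match(line):
            cur["role"], cur["timeout"] = m.group(1), int(m.group(2))
    return flows

def summarize(flows):
    """Count flows per (protocol, state); list flows that are not ICMP-in-Watch."""
    counts = Counter((f["proto"], f["state"]) for f in flows)
    other = [f for f in flows if (f["proto"], f["state"]) != ("ICMP", "Watch")]
    return counts, other

if __name__ == "__main__":
    counts, other = summarize(parse_flows(SAMPLE))
    print(dict(counts), "flows other than ICMP/Watch:", len(other))
```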


Re: Flows on CGNAT on MX960(MS-DPC) always on Watch mode?

‎07-08-2014 12:37 AM

Dear Aa