SRX Services Gateway

Re: Multiple static NAT to same prefix

‎05-02-2018 09:11 AM

I think this may be related to "port no-translation", missing from my config. As I'm using SIP, the media ports need to be correct, and default behaviour for source NAT seems to be PAT. I will give it a try.


Re: Multiple static NAT to same prefix

‎05-02-2018 02:13 PM

Yes, it seems likely that PAT is responsible for the port change you are seeing.

 

As for the sessions you see on node1, this is normal. You will note they are labeled "backup" while sessions on node 0 are "active". These are the syncing of the session table being done at all times so your node1 is ready to take over all the active sessions should node 0 fail.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Multiple static NAT to same prefix

‎05-02-2018 02:36 PM

Hum I get the below error on commit check:

 

Ha data plane will be running in active-active mode, source NAT pool (no port translation) contains too few addresses(at least 2 addresses needed), traffic goes to node 1 will be BLOCKED!


Re: Multiple static NAT to same prefix

‎05-02-2018 02:49 PM

So you may be configured in active/active mode then.  What is the output from

 

show chassis cluster information

 

A/A deploys are less typical and generally only recommended in certain circumstances.  Is this an existing setup or a new deploy?

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Multiple static NAT to same prefix

‎05-03-2018 12:52 AM
node0:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: primary, Weight: 255

        Time            From           To             Reason
        Nov  1 14:57:05 hold           secondary      Hold timer expired
        Nov  1 16:17:20 secondary      primary        Remote is in secondary hold

    Redundancy Group 1 , Current State: primary, Weight: 255

        Time            From           To             Reason
        Nov  1 14:57:05 hold           secondary      Hold timer expired
        Nov  1 15:27:01 secondary      primary        Remote yield (200/0)

Chassis cluster LED information:
    Current LED color: Green
    Last LED change reason: No failures

node1:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: secondary, Weight: 255

        Time            From           To             Reason
        May 30 21:54:14 hold           secondary      Hold timer expired
        Nov  1 14:51:38 secondary      primary        Only node present
        Nov  1 16:17:20 primary        secondary-hold Manual failover
        Nov  1 16:22:20 secondary-hold secondary      Ready to become secondary

    Redundancy Group 1 , Current State: secondary, Weight: -255

        Time            From           To             Reason
        Oct 27 10:21:12 primary        secondary-hold Monitor failed: IF
        Oct 27 10:21:13 secondary-hold secondary      Ready to become secondary
        Nov  1 14:51:38 secondary      ineligible     Fabric link down
        Nov  1 14:51:42 ineligible     primary        Only node present
        Nov  1 15:27:01 primary        secondary-hold Monitor failed: IF
        Nov  1 15:27:02 secondary-hold secondary      Ready to become secondary

Chassis cluster LED information:
    Current LED color: Amber
    Last LED change reason: Monitored objects are down

Failure Information:

    Interface Monitoring Failure Information:
        Redundancy Group 1, Monitoring status: Failed
          Interface                 Status
          reth3                     Monitor Failed
            ge-7/0/11               Down
          reth2                     Monitor Failed
            ge-7/0/9                Down

{primary:node0}

Re: Multiple static NAT to same prefix

‎05-03-2018 03:08 AM

This is an active/passive cluster configuration. It appears this is a limitation on clustering that you cannot use no port translation for a single IP address.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB31275

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
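The pool setting discussed in the posts above, written out as Junos set commands. This is an added example, not configuration posted by anyone in the thread; the pool, rule-set and zone names and all addresses are placeholders (documentation and private ranges).

```junos
# Added example. SIP-POOL, SIP-OUT, sip-hosts, the trust/untrust zones and
# every address below are placeholders, not values from the thread.

# Form 1: single-address pool with PAT disabled. In a chassis cluster this is
# the shape that produces the commit-check message quoted earlier in the
# thread ("at least 2 addresses needed").
set security nat source pool SIP-POOL address 203.0.113.10/32
set security nat source pool SIP-POOL port no-translation

# Form 2: the same pool given a range of two addresses, which is what the
# commit-check message asks for. Use this instead of Form 1.
delete security nat source pool SIP-POOL address 203.0.113.10/32
set security nat source pool SIP-POOL address 203.0.113.10/32 to 203.0.113.11/32
set security nat source pool SIP-POOL port no-translation

# Source NAT rule that sends the SIP hosts through the pool, so their
# source ports are preserved instead of being rewritten by PAT.
set security nat source rule-set SIP-OUT from zone trust
set security nat source rule-set SIP-OUT to zone untrust
set security nat source rule-set SIP-OUT rule sip-hosts match source-address 10.0.10.0/24
set security nat source rule-set SIP-OUT rule sip-hosts match destination-address 0.0.0.0/0
set security nat source rule-set SIP-OUT rule sip-hosts then source-nat pool SIP-POOL
```

Run `commit check` after either form to see whether the cluster warning is raised before committing.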

Re: Multiple static NAT to same prefix

‎05-03-2018 03:24 AM

I have seen this KB. In this instance this LAN is only connected to node0, so if it was to fail over anyway it would work. So am I OK to use this config with this in mind?


Re: Multiple static NAT to same prefix

‎05-04-2018 02:40 AM

I would interpret that the same way then.   So if it does commit with just a warning it should work.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Multiple static NAT to same prefix

‎05-04-2018 02:42 PM

Your nodes are showing a normal table here. Note that the sessions on node 1 are marked

State: backup

These are simply copies of the sessions sent over to node 1 for use only in the event of a failure on node 0.

 

I don't think the SRX is changing ports by one. That is not how the port translation process works; it moves items to random high ports.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home