This KB explains why static NAT can stop working after a reboot or an upgrade.
The goal is to identify the problem and provide a quick workaround.
When static NAT is configured with a routing-instance (VR) context and the name of the routing instance matches the name of any zone, the static NAT rule-set is not pushed to the PFE (Packet Forwarding Engine) after the reboot, and manual intervention is required.
Configuration:
==============
static {
    rule-set lps-to-backbone {
        from routing-instance LPS;
        rule test {
            match {
                destination-address x.x.x.x/x;
            }
            then {
                static-nat prefix y.y.y.y/y routing-instance Backbone;    <<<< Notice the name is "Backbone"
            }
        }
    }
}
zones {
    security-zone Backbone {    <<<<<<< Notice the name is the same as in the routing-instance static-nat stanza.
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            rethx.x;
        }
    }
}
Symptoms:
=========
root# run show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: test Rule-set: lps-to-backbone <<<< Rule-set is working to begin with.
Rule-Id : 1
Rule position : 1
From routing instance : LPS
Destination addresses : 204.86.81.217
Host addresses : 10.101.81.127
Netmask : 32
Host routing-instance : Backbone
Translation hits : 0
*******************************************
rebooted system
*******************************************
[edit]
root# run show security nat static rule all
Total static-nat rules: 0 <<<<<<<< After the reboot, the rule-set was not pushed to the PFE.
Total referenced IPv4/IPv6 ip-prefixes: 0/0
**********************************************
Workaround/Solution:
====================
- This is a known issue and has been fixed in 11.2R7.
- If the problem occurs after a reboot, deactivate and then reactivate the rule-set manually. This corrects it.
# deactivate security nat static
# commit
# activate security nat static
# commit
Verification:
=============
root# run show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: test Rule-set: lps-to-backbone
Rule-Id : 1
Rule position : 1
From routing instance : LPS
Destination addresses : 204.86.81.217
Host addresses : 10.101.81.127
Netmask : 32
Host routing-instance : Backbone
Translation hits : 0
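
To find configurations exposed to this condition before a reboot or upgrade, the check below scans a saved curly-brace configuration for static NAT rule-sets that reference a routing-instance whose name is also a zone name. It is an added example, not Juniper code; the function name and the sample configuration are constructed for illustration, and it flags both the "from routing-instance" and the "static-nat ... routing-instance" references.

```python
import re

# Constructed sample modelled on the excerpt above (addresses are placeholders).
SAMPLE = """
static {
    rule-set lps-to-backbone {
        from routing-instance LPS;
        rule test {
            match {
                destination-address 192.0.2.10/32;
            }
            then {
                static-nat prefix 10.0.0.10/32 routing-instance Backbone;
            }
        }
    }
}
zones {
    security-zone Backbone {
        interfaces {
            reth0.0;
        }
    }
}
"""

def static_nat_zone_collisions(config_text):
    """Map each static NAT rule-set to the routing-instance names it
    references that are also security-zone names (hypothetical helper)."""
    stack, zones, refs = [], set(), {}
    for raw in config_text.splitlines():
        line = raw.split("<<<<")[0].strip()      # ignore KB-style annotations
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # descend one hierarchy level
            if stack[-1].startswith("security-zone "):
                zones.add(stack[-1].split()[1])
        elif line == "}" and stack:
            stack.pop()                          # leave the current level
        elif "static" in stack:
            rule_set = next((s.split()[1] for s in stack if s.startswith("rule-set ")), None)
            hit = re.search(r"routing-instance\s+([^\s;]+)", line)
            if rule_set and hit:
                refs.setdefault(rule_set, set()).add(hit.group(1))
    # Zones may be defined after the NAT stanza, so compare only at the end.
    return {rs: sorted(names & zones) for rs, names in refs.items() if names & zones}

if __name__ == "__main__":
    print(static_nat_zone_collisions(SAMPLE))
```

Any rule-set the function returns is a candidate for the workaround above after the next reboot on releases earlier than the fix.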