This article describes how to configure DIP in an NSRP Active/Active cluster. Active/Active mode with source NAT requires DIP groups that are applied within the policy, so that the VSD-specific NAT translation can be used whichever VSI interface the traffic arrives on.
- NSRP active-active scenario with vsd-group ID 1 and 2.
- DIP is configured on both of the outgoing VSI interfaces.
- You can reference only a single DIP in a policy, so if traffic arrives on a different VSI interface, it fails to pass.
Topology:
[Zone Trust] [Zone Untrust]
[2.1.1.4]-------------------<eth0/3>[FW]<eth0/1>-----------------------------[1.1.1.4]
eth0/1:1 - DIP 4 - 1.1.1.10
eth0/1:2 - DIP 5 - 1.1.1.20
Configuration:
FW(M)-> set interface "ethernet0/3" zone "Trust"
FW(M)-> set interface "ethernet0/1" zone "Untrust"
FW(M)-> set interface ethernet0/3:1 ip 2.1.1.1/24
FW(M)-> set interface ethernet0/3:2 ip 2.1.1.2/24
FW(M)-> set interface ethernet0/1:1 ip 1.1.1.1/24
FW(M)-> set interface ethernet0/1:2 ip 1.1.1.2/24
FW(M)-> set interface e0/1:1 dip 4 1.1.1.10
FW(M)-> set interface e0/1:2 dip 5 1.1.1.20
FW(M)-> set policy from trust to untrust any any any nat src dip-id 4 permit log
With the above scenario and configuration, if passthrough traffic arrives on the eth0/3:2 VSI interface, it fails with the dip alloc failed error.
Result:
FW(M)-> get db str
****** 393954.0: <Trust/ethernet0/3:2> packet received [84]******
ipid = 41531(a23b), @1d52f114
packet passed sanity check.
Ethernet0/3:2:2.1.1.4/0->1.1.1.4/14641,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/3:2>, out <N/A>
chose interface ethernet0/3:2 as incoming nat if.
Flow_first_routing: in <ethernet0/3:2>, out <N/A>
search route to (ethernet0/3:2, 2.1.1.4->1.1.1.4) in vr trust-vr
for vsd-1/flag-0/ifp-null
[ Dest] 104.route 1.1.1.4->1.1.1.4, to ethernet0/1:2
routed (x_dst_ip 1.1.1.4) from ethernet0/3:2 (ethernet0/3:2 in 2)
to ethernet0/1:2
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys
Root, ip 1.1.1.4, port 45381, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 1
dip alloc failed. Dip_id = 0
packet dropped, dip alloc failed
To address this issue, assign both DIPs to a DIP group and apply the DIP group to the policy. You can assign DIPs to a DIP group only via the CLI.
Configuration:
FW(M)-> set interface "ethernet0/3" zone "Trust"
FW(M)-> set interface "ethernet0/1" zone "Untrust"
FW(M)-> set interface ethernet0/3:1 ip 2.1.1.1/24
FW(M)-> set interface ethernet0/3:2 ip 2.1.1.2/24
FW(M)-> set interface ethernet0/1:1 ip 1.1.1.1/24
FW(M)-> set interface ethernet0/1:2 ip 1.1.1.2/24
FW(M)-> set interface e0/1:1 dip 4 1.1.1.10
FW(M)-> set interface e0/1:2 dip 5 1.1.1.20
FW(M)-> set dip group 6 member 4
FW(M)-> set dip group 6 member 5
FW(M)-> set policy from trust to untrust any any any nat src dip-id 6 permit log
Result:
FW(M)-> get db str
****** 394293.0: <Trust/ethernet0/3:2> packet received [84]******
ipid = 42134(a496), @1d5ee114
packet passed sanity check.
Ethernet0/3:2:2.1.1.4/0->1.1.1.4/14897,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/3:2>, out <N/A>
chose interface ethernet0/3:2 as incoming nat if.
Flow_first_routing: in <ethernet0/3:2>, out <N/A>
search route to (ethernet0/3:2, 2.1.1.4->1.1.1.4) in vr trust-vr
for vsd-1/flag-0/ifp-null
[ Dest] 104.route 1.1.1.4->1.1.1.4, to ethernet0/1:2
routed (x_dst_ip 1.1.1.4) from ethernet0/3:2 (ethernet0/3:2
in 1) to ethernet0/1:2
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys
Root, ip 1.1.1.4, port 42285, proto 1)
No SW RPC rule match, search HW rule
Permitted by policy 1
dip id = 5, 2.1.1.4/0->1.1.1.20/1024
choose interface ethernet0/1:2 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 2 for out ifp
ethernet0/1:2 vsd 2 is active
no loop on ifp ethernet0/1.
No loop on ifp ethernet0/1:2.
Session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
Flow_first_final_check: in <ethernet0/3:2>, out <ethernet0/1:2>
install vector flow_nsrp_fwd_vector
install vector flow_ttl_vector
install vector flow_l2prepare_xlate_vector
install vector flow_frag_list_vector
install vector flow_fragging_vector
install vector flow_send_shape_vector
install vector NULL
create new vector list 21-50065c4.
Session (id:55979) created for first pak 21
flow_first_install_session====→
route to 1.1.1.4
arp entry found for 1.1.1.4
ifp2 ethernet0/1:2, out_ifp ethernet0/1:2, flag 00800800, tunnel
ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/1:2, 1.1.1.4->2.1.1.4) in vr trust-vr
for vsd-1/flag-3000/ifp-ethernet0/3:2
[ Dest] 106.route 2.1.1.4->2.1.1.4, to ethernet0/3:2
route to 2.1.1.4
arp entry found for 2.1.1.4
ifp2 ethernet0/3:2, out_ifp ethernet0/3:2, flag 00800801, tunnel
ffffffff, rc 1
nsrp msg sent.
Flow got session.
Flow session id 55979
vsd 2 is active
post addr xlation: 1.1.1.20->1.1.1.4.
flow_send_vector_, vid = 0, is_layer2_if=0
From the above output, it appears as though DIP ID 5, which was assigned to ethernet0/1:2, is being used for the translation. Looking at the actual policy, you can see that the DIP ID referenced in the policy is DIP ID 6, which is the DIP group; the firewall selects the group member that belongs to the VSI the traffic is routed out of.
FW(M)-> get policy id 1
name:"none" (id 1), zone Trust -> Untrust,action Permit, status
"enabled"
src "Any", dst "Any", serv "ANY"
Policies on this vpn tunnel: 0
nat src dip-id 6, Web filtering disabled
vpn unknown vpn, policy flag 00010020, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log close, log count 2, alert no, counter no(0) byte
rate(sec/min) 0/0
total octets 392, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set
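The following Python script is an added example and is not part of the article or of ScreenOS; it shows how a practitioner could audit exported ScreenOS configuration for the mistake described above before it reaches an Active/Active cluster, and how to classify a "get db str" trace as a failed or successful DIP allocation. The configuration and trace snippets embedded in it are constructed copies of the listings above; the function names (parse_config, find_uncovered_vsds, dip_outcome) and the interface-name normalisation are assumptions of this example, not ScreenOS features.

```python
"""Added example (not Juniper's code): for every ScreenOS policy that does
'nat src dip-id N', check that N (directly or via a DIP group) provides a DIP
on every VSI of the egress interface, so no VSD hits 'dip alloc failed'."""
import re
from collections import defaultdict

# Constructed sample configs, mirroring the two CLI listings in the article.
CONFIG_SINGLE_DIP = """
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/1" zone "Untrust"
set interface ethernet0/3:1 ip 2.1.1.1/24
set interface ethernet0/3:2 ip 2.1.1.2/24
set interface ethernet0/1:1 ip 1.1.1.1/24
set interface ethernet0/1:2 ip 1.1.1.2/24
set interface e0/1:1 dip 4 1.1.1.10
set interface e0/1:2 dip 5 1.1.1.20
set policy from trust to untrust any any any nat src dip-id 4 permit log
"""

CONFIG_DIP_GROUP = CONFIG_SINGLE_DIP.replace("dip-id 4", "dip-id 6") + """
set dip group 6 member 4
set dip group 6 member 5
"""

# Constructed excerpts of the two 'get db str' traces shown in the article.
TRACE_FAILED = "Permitted by policy 1\ndip alloc failed. Dip_id = 0\npacket dropped, dip alloc failed\n"
TRACE_OK = "Permitted by policy 1\ndip id = 5, 2.1.1.4/0->1.1.1.20/1024\nchoose interface ethernet0/1:2 as outgoing phy if\n"


def _iface(name):
    # Normalise the CLI's short spellings ("e0/1:1") to the long form ("ethernet0/1:1").
    return re.sub(r'^(?:e|eth)(?=\d)', 'ethernet', name.strip('"'))


def parse_config(text):
    """Collect VSIs per physical interface, DIP definitions, DIP groups and
    the DIP ids referenced by 'nat src dip-id' in policies."""
    vsis = defaultdict(set)      # physical interface -> {vsd suffix}
    dips = {}                    # dip id -> (vsi name, first pool address)
    groups = defaultdict(set)    # group id -> {member dip ids}
    policy_dips = []             # dip ids referenced by policies
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'set interface (\S+) ip \S+', line)
        if m and ':' in m.group(1):
            phys, vsd = _iface(m.group(1)).split(':')
            vsis[phys].add(vsd)
            continue
        m = re.match(r'set interface (\S+) dip (\d+) (\S+)', line)
        if m:
            dips[int(m.group(2))] = (_iface(m.group(1)), m.group(3))
            continue
        m = re.match(r'set dip group (\d+) member (\d+)', line)
        if m:
            groups[int(m.group(1))].add(int(m.group(2)))
            continue
        m = re.search(r'\bnat src dip-id (\d+)\b', line)
        if m and line.startswith('set policy'):
            policy_dips.append(int(m.group(1)))
    return vsis, dips, groups, policy_dips


def find_uncovered_vsds(text):
    """Return (dip-id, physical interface, missing VSD suffixes) for every
    policy DIP reference that has no DIP on some VSI of its egress interface.
    An empty list means traffic on any VSI can allocate a DIP address."""
    vsis, dips, groups, policy_dips = parse_config(text)
    findings = []
    for ref in policy_dips:
        members = groups.get(ref, {ref})   # a group expands to its members
        covered = defaultdict(set)
        for dip_id in members:
            if dip_id in dips:
                phys, vsd = dips[dip_id][0].split(':')
                covered[phys].add(vsd)
        if not covered:
            findings.append((ref, None, []))   # dangling dip-id reference
        for phys, have in covered.items():
            missing = sorted(vsis[phys] - have)
            if missing:
                findings.append((ref, phys, missing))
    return findings


def dip_outcome(trace):
    """Classify a 'get db str' flow trace: ('failed', None, None) when the
    firewall logged 'dip alloc failed', or ('allocated', dip id, translated
    source) from the 'dip id = N, a->b' line."""
    for line in trace.splitlines():
        if 'dip alloc failed' in line:
            return ('failed', None, None)
        m = re.match(r'\s*dip id = (\d+), (\S+)->(\S+)', line)
        if m:
            return ('allocated', int(m.group(1)), m.group(3))
    return ('unknown', None, None)


if __name__ == "__main__":
    print("single DIP :", find_uncovered_vsds(CONFIG_SINGLE_DIP))
    print("DIP group  :", find_uncovered_vsds(CONFIG_DIP_GROUP))
    print("trace 1    :", dip_outcome(TRACE_FAILED))
    print("trace 2    :", dip_outcome(TRACE_OK))
```

Run against the first listing the audit reports that dip-id 4 leaves VSD 2 of ethernet0/1 without a DIP, which is exactly the packet path that produced "dip alloc failed" above; against the second listing it reports nothing, because group 6 contributes DIP 4 on ethernet0/1:1 and DIP 5 on ethernet0/1:2.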
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.