[SRX] Traffic to node 1 is blocked when HA data plane is in active-active mode

[KB31275]


Summary:

This article explains why traffic handled by node 1 is blocked when the HA data plane runs in active-active mode and the source NAT pool, configured with port no-translation, contains only one IP address.

Symptoms:

Source Network Address Translation (NAT) in a high availability (HA) chassis cluster was configured as follows:

{primary:node0}[edit security nat]
root# show | display set
set security nat source pool 1 address 1.1.1.1/32
set security nat source pool 1 port no-translation
set security nat source rule-set 1 from zone untrust
set security nat source rule-set 1 to zone trust
set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule 1 then source-nat pool 1

On commit, the following warning was seen on both nodes (the commit itself still succeeds):
 
{primary:node0}[edit]
root# commit
[edit security nat source pool 1]
'port'
warning: Ha data plane will be running in active-active mode, source NAT pool (no port translation) contains too few addresses(at least 2 addresses needed), traffic goes to node 1 will be BLOCKED!
node0:
configuration check succeeds
node1:
[edit security nat source pool 1]
'port'
warning: Ha data plane will be running in active-active mode, source NAT pool (no port translation) contains too few addresses(at least 2 addresses needed), traffic goes to node 1 will be BLOCKED!
commit complete
node0:
commit complete

Even though the commit succeeded, after the data redundancy group (for example RG1) failed over from node0 to node1, the traffic was blocked.
Cause:

By default, when an SRX chassis cluster runs with an active-active data plane and source NAT with port translation is used, the pool's port range is divided between the two nodes so that both can translate with the same IP address: 1-32k on node1 and 32k-65k on node0.

In this case the pool was configured with port no-translation, so there is no port range to divide; the only thing that can be divided between the nodes is the set of pool addresses. With a single address in the pool, one node gets it and the other has nothing to translate with, which is why commit emits the warning and traffic handled by node 1 is blocked once the data RG fails over to it. A minimum of two IP addresses is therefore required to distribute a no-port-translation pool across two nodes.
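The pool-division rule described above, written out as a small pre-commit check. This is an added example, not Juniper's code or the commit-check logic itself: it parses `show | display set` style source NAT pool lines and reports any pool that an active-active cluster could not divide between the nodes. The function names, the assumption that a /30 contributes four pool addresses, the handling of the `address A to B` range form, and the per-node port ranges copied from the Cause section are assumptions made for illustration.

```python
"""Pre-commit check for SRX chassis-cluster source NAT pools (added example).

Models the rule behind the commit warning quoted in the article: with an
active-active data plane a source NAT pool is divided between the two
nodes. With port translation the port range is divided (the article's
1-32k / 32k-65k split), so one address is enough; with
'port no-translation' only the addresses can be divided, so the pool
needs at least two. Function names, the count of addresses in a prefix
(a /30 counted as 4) and the 'address A to B' range handling are
assumptions made for illustration, not Junos internals.
"""
import ipaddress
import re
from dataclasses import dataclass

# Per-node port ranges as given in the Cause section (assumed 1-32767 / 32768-65535).
NODE_PORT_RANGES = {"node1": (1, 32767), "node0": (32768, 65535)}

_ADDR_RE = re.compile(
    r"^set security nat source pool (\S+) address (\S+)(?: to (\S+))?$")
_NOPAT_RE = re.compile(
    r"^set security nat source pool (\S+) port no-translation$")


@dataclass
class SourcePool:
    name: str
    address_count: int = 0         # translated addresses in the pool
    port_translation: bool = True  # False once 'port no-translation' is set


def count_addresses(start, end=None):
    """Addresses in 'a.b.c.d/len', or in the range 'start to end' (assumed inclusive)."""
    first = ipaddress.ip_network(start, strict=False)
    if end is None:
        return first.num_addresses
    last = ipaddress.ip_network(end, strict=False)
    return int(last.broadcast_address) - int(first.network_address) + 1


def parse_pools(config_lines):
    """Collect source NAT pools from 'show | display set' style lines."""
    pools = {}
    for raw in config_lines:
        line = raw.strip()
        m = _ADDR_RE.match(line)
        if m:
            name, start, end = m.groups()
            pool = pools.setdefault(name, SourcePool(name))
            pool.address_count += count_addresses(start, end)
            continue
        m = _NOPAT_RE.match(line)
        if m:
            pool = pools.setdefault(m.group(1), SourcePool(m.group(1)))
            pool.port_translation = False
    return pools


def check_pool(pool, active_active):
    """Return (ok, detail) describing how the pool is shared by the two nodes."""
    if not active_active:
        return True, "active/passive data plane: the whole pool follows the active node"
    if pool.port_translation:
        split = ", ".join(f"{node} ports {lo}-{hi}"
                          for node, (lo, hi) in NODE_PORT_RANGES.items())
        return True, f"port range divided ({split}); one address is enough"
    if pool.address_count >= 2:
        return True, f"{pool.address_count} addresses divided between node0 and node1"
    return False, ("no port translation and only one address (at least 2 needed); "
                   "traffic handled by node1 will be BLOCKED")


def lint_config(config_lines, active_active=True):
    """Return [(pool name, detail)] for every pool that would block traffic."""
    findings = []
    for name, pool in sorted(parse_pools(config_lines).items()):
        ok, detail = check_pool(pool, active_active)
        if not ok:
            findings.append((name, detail))
    return findings


# Constructed sample configs mirroring the article's broken and fixed pools.
BROKEN_CONFIG = [
    "set security nat source pool 1 address 1.1.1.1/32",
    "set security nat source pool 1 port no-translation",
]
FIXED_BY_ADDRESSES = [
    "set security nat source pool 1 address 1.1.1.0/30",
    "set security nat source pool 1 port no-translation",
]
FIXED_BY_PAT = [
    "set security nat source pool 1 address 1.1.1.1/32",
]

if __name__ == "__main__":
    for label, cfg in [("broken", BROKEN_CONFIG),
                       ("more addresses", FIXED_BY_ADDRESSES),
                       ("port translation", FIXED_BY_PAT)]:
        print(label, lint_config(cfg) or "ok")
```

Feed it the output of `show configuration security nat | display set` from the candidate configuration before committing, and treat any finding as a pool that will fail the moment a data RG becomes active on the node without an address.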

Solution:
  • Add at least one more IP address to the pool (here a /30 prefix), so the addresses can be divided between the nodes:

    set security nat source pool 1 address 1.1.1.0/30 <-- here
    set security nat source pool 1 port no-translation
    set security nat source rule-set 1 from zone trust
    set security nat source rule-set 1 to zone untrust
    set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
    set security nat source rule-set 1 rule 1 then source-nat pool 1

  • Or remove port no-translation, so that ports are translated and the port range can be divided between the nodes:

    set security nat source pool 1 address 1.1.1.1/32
    delete security nat source pool 1 port no-translation <--here
    set security nat source rule-set 1 from zone trust
    set security nat source rule-set 1 to zone untrust
    set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0
    set security nat source rule-set 1 rule 1 then source-nat pool 1

  • Or change to static NAT. Note that static NAT is a one-to-one, bidirectional mapping of a single address, so this only fits when one inside host needs the address; it is not a replacement for many-to-one source NAT:

    set security nat static rule-set 1 from zone untrust
    set security nat static rule-set 1 rule 1 match destination-address 1.1.1.1/32
    set security nat static rule-set 1 rule 1 then static-nat prefix 10.1.1.1/32
Modification History:

2018-11-07: Fixed reference to node1 and node0 in the Cause section.
