[SRX] APBR mid-stream re-route does not change session NAT properties

  [KB32303]


Summary:

Advanced Policy Based Routing (APBR) mid-stream route change may not work as intended for non-cacheable applications in some scenarios with Source NAT.

Symptoms:

The issue is triggered by a combination of:

  • APBR mid-stream re-route for non-cacheable applications
  • SRX with 15.1X49-D110 and higher (as APBR mid-stream re-route is added to D110)
  • Different Source NAT pools on initial and final interfaces

For example, a scenario that may not work as intended is an SRX performing source NAT towards the Internet via two ISPs, each with its own NAT pool IP range; or one ISP with a VPN towards HQ and some traffic going directly to the Internet using APBR (only for non-cacheable applications). In such a case, where the reroute would also have to change the NAT properties of the session, the reroute is done, but the session NAT properties are not changed after the mid-session reroute.

Below is an example of the scenario which may not work as intended:

Topology:

                                SRX<ge-0/0/2>----Internet
client----<ge-0/0/1> SRX
                                SRX<ge-0/0/3>----Internet

ISP 1 -> ge-0/0/2 with interface source NAT
ISP 2 -> ge-0/0/3 with interface source NAT
LAN   -> ge-0/0/1

ISP1 WAN Address: 10.0.2.77
ISP2 WAN Address: 10.0.3.77
LAN: 192.168.1.1/24

Default ISP1
APBR re-routes YouTube to ISP2
 
> show security flow session destination-port 443
Session ID: 84536, Policy name: LAN-2-Internet/5, Timeout: 1794, Valid
  In: 192.168.1.11/58552 --> 64.15.117.111/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24404, Bytes: 1741902,
  Out: 64.15.117.111/443 --> 10.0.2.77/23026;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 34261, Bytes: 47567861,
<-- APBR uses ge-0/0/3.0 as egress interface, but the NAT source address 10.0.2.77 is still ISP1's (ge-0/0/2) interface NAT address


And here is the test with YouTube:

root# run show security advance-policy-based-routing statistics    
Advance Profile Based Routing statistics:
  Sessions Processed                     78
  AppID cache hits                       64
  AppID requested                        42
  Rule matches                           19
  Route changed on cache hits            0
  Route changed midstream                19
   <-- APBR works and changes the route
  Zone mismatch                          0
  Drop on zone mismatch                  0


Logging of APBR:

# set security advance-policy-based-routing tunables enable-logging
# set system syslog file apptrack-log match "APPTRACK"

Oct 30 13:19:18   RT_FLOW: APPTRACK_SESSION_ROUTE_UPDATE: AppTrack route update: 192.168.1.11/58552->64.15.117.111/443 junos-https SSL YOUTUBE 10.0.2.77/23026->64.15.117.111/443 r1 N/A 6 LAN-2-Internet LAN ISP1 81758 N/A N/A No profile1 rule-youtube RI2 ge-0/0/3.0

Cause:

The NAT properties of a session cannot be changed once the session is created, so Source NAT is not re-evaluated on reroute: traffic is rerouted to the final egress interface while keeping the source IP from the Source NAT pool of the initial interface.

Such a reroute without changing the source NAT properties (source IP address) can cause problems. After the reroute, the session uses a source NAT address that belongs to another interface's NAT pool, causing asymmetric traffic: the forward flow leaves via the final interface, while the return flow still arrives at the initial interface that owns the NAT address.
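As an added check (not part of this article or of Junos), the following Python script parses APPTRACK_SESSION_ROUTE_UPDATE syslog lines like the one above and flags re-routes whose NAT source address belongs to a different interface than the new egress interface. The interface-to-NAT-address mapping and the sample log lines are constructed from this article's topology; field positions are taken from the sample entry.

```python
import re

# Interface -> source NAT address it owns (from the topology in this article).
NAT_OWNER = {
    "ge-0/0/2.0": {"10.0.2.77"},  # ISP1 interface source NAT
    "ge-0/0/3.0": {"10.0.3.77"},  # ISP2 interface source NAT
}

ROUTE_UPDATE = re.compile(r"APPTRACK_SESSION_ROUTE_UPDATE: AppTrack route update: (.+)$")

# Constructed sample log: entry 1 is the article's own line, entry 2 is a
# constructed negative case whose NAT address matches the new egress interface.
SAMPLE_LOG = [
    "Oct 30 13:19:18   RT_FLOW: APPTRACK_SESSION_ROUTE_UPDATE: AppTrack route update: "
    "192.168.1.11/58552->64.15.117.111/443 junos-https SSL YOUTUBE "
    "10.0.2.77/23026->64.15.117.111/443 r1 N/A 6 LAN-2-Internet LAN ISP1 81758 "
    "N/A N/A No profile1 rule-youtube RI2 ge-0/0/3.0",
    "Oct 30 13:25:02   RT_FLOW: APPTRACK_SESSION_ROUTE_UPDATE: AppTrack route update: "
    "192.168.1.12/51000->203.0.113.10/443 junos-https SSL YOUTUBE "
    "10.0.3.77/11000->203.0.113.10/443 r1 N/A 6 LAN-2-Internet LAN ISP2 81760 "
    "N/A N/A No profile1 rule-youtube RI2 ge-0/0/3.0",
    "Oct 30 13:25:03   RT_FLOW: APPTRACK_SESSION_CREATE: unrelated entry, ignored",
]

def parse_route_update(line):
    """Return (orig_src, nat_src, egress_ifl), or None if not a route-update line.
    Field 0 is the original src/port->dst/port tuple, field 4 the NAT'd tuple,
    and the last field the new egress interface (positions per the sample entry)."""
    m = ROUTE_UPDATE.search(line)
    if not m:
        return None
    fields = m.group(1).split()
    if len(fields) < 6:
        return None
    orig_src = fields[0].split("->")[0].rsplit("/", 1)[0]
    nat_src = fields[4].split("->")[0].rsplit("/", 1)[0]
    return orig_src, nat_src, fields[-1]

def stale_nat_reroutes(lines, nat_owner=NAT_OWNER):
    """Return (orig_src, nat_src, egress_ifl, owner_ifl) for re-routes whose NAT
    source address is owned by an interface other than the new egress interface."""
    owner_of = {a: ifl for ifl, addrs in nat_owner.items() for a in addrs}
    hits = []
    for line in lines:
        parsed = parse_route_update(line)
        if parsed is None:
            continue
        orig_src, nat_src, egress = parsed
        owner = owner_of.get(nat_src)
        if owner is not None and owner != egress:
            hits.append((orig_src, nat_src, egress, owner))
    return hits
```

Each hit identifies a session that will see the asymmetric return path described above; feed the device's apptrack-log file to stale_nat_reroutes() to list them.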

Solution:

To mitigate faults in such scenarios with APBR and Source NAT, the following configuration can be used to disable APBR mid-stream route change:

# set security advance-policy-based-routing tunables max-route-change 0

When max-route-change is set to zero, mid-stream re-route is not performed. Keep in mind that mid-stream re-route is enabled by default.
