Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[CSO] Understanding NAT IP Address Update for CPE behind NAT



Article ID: KB36875 KB Last Updated: 19 Nov 2021Version: 1.0

This article explains how CSO process NAT IP address for CPE behind NAT scenario.


When a underlay interface is behind NAT, it is possible that during the life time of the CPE the natd-ipaddr can change any time. CSO will detect this change and update the IPSEC tunnels configuration on the CPEs that are already created on that wan-link. 


CSO uses the secure OAM tunnels created over that wan-interface to detect the IP change as described below: 

  1. When the NATD IP changes, the OAM tunnel over that wan-interface flaps (as the tunnel goes down and comes up) 

  2. CSO monitoring system detects this and generates notification.

  3. Upon receiving the notification, CSO computes the nat-information from both the OAM hubs and updates the nat-ipaddr and nat-port information for this wan-interface in CSO DB. 

In Kibana (elastic search engine), you can search for highlighted text to understand if the link change alert triggered the nat update workflow to kick in.


When the NAT address mapping gets updated, CSO starts a nat-update job.  

Nat-update job does the following:

  1. Compute all the site-to-site tunnels that are activated on that wan-interface for which the nat-ipaddr got changed. 

  2. Reconfigure the IPSEC tunnel configuration on both the ends of all the existing site-to-site tunnels on that WAN interface. 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search