
[MX] BGP neighbor does not come up when NAT service is enabled at this interface


Article ID: KB37326 | KB Last Updated: 02 Aug 2021 | Version: 1.0
Summary:

This article explains why the External Border Gateway Protocol (EBGP) neighbor goes down after the Network Address Translation (NAT) function is enabled on an interface in MX Series routers.

Symptoms:

Topology

MX480(DUT)—ge-4/3/0.3500(192.168.100.1)  <---------> 192.168.100.2_helper device

There is EBGP neighborship between the provider edge (PE) and the customer edge (CE) devices.

The following output can be seen after enabling the NAT function.

labroot@mx480> show bgp summary 
Jul 15 16:20:33
Threading mode: BGP I/O
Groups: 1 Peers: 1 Down peers: 1
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.110.2          1000          0          0       0       0        2:29 Connect    <<< This BGP neighbor remains down.

Interface Configuration
set interfaces ge-4/3/0 hierarchical-scheduler
set interfaces ge-4/3/0 flexible-vlan-tagging
set interfaces ge-4/3/0 encapsulation flexible-ethernet-services
set interfaces ge-4/3/0 unit 3500 vlan-id 3500
set interfaces ge-4/3/0 unit 3500 family inet service input service-set MS-OFFICE-SERVICE-SET      <<< Apply the NAT service.
set interfaces ge-4/3/0 unit 3500 family inet service output service-set MS-OFFICE-SERVICE-SET     <<< Apply the NAT service.
set interfaces ge-4/3/0 unit 3500 family inet address 192.168.110.1/30

Routing Instance Configuration
set routing-instances l3vpn-3500 instance-type vrf
set routing-instances l3vpn-3500 interface ge-4/3/0.3500
set routing-instances l3vpn-3500 interface ms-4/0/0.10
set routing-instances l3vpn-3500 route-distinguisher 65000:100
set routing-instances l3vpn-3500 vrf-target target:100:100
set routing-instances l3vpn-3500 routing-options static route 192.168.110.8/30 next-hop 192.168.110.2
set routing-instances l3vpn-3500 protocols bgp group ebgp type external
set routing-instances l3vpn-3500 protocols bgp group ebgp passive    <<< The PE does not send the active open first; it waits for the CE to initiate the session.
set routing-instances l3vpn-3500 protocols bgp group ebgp neighbor 192.168.110.2 peer-as 1000

NAT Configuration
set services service-set MS-OFFICE-SERVICE-SET stateful-firewall-rules MS-OFFICE-NAT
set services service-set MS-OFFICE-SERVICE-SET nat-rules SNAT
set services service-set MS-OFFICE-SERVICE-SET interface-service service-interface ms-4/0/0.10
set services stateful-firewall rule MS-OFFICE-NAT match-direction input-output
set services stateful-firewall rule MS-OFFICE-NAT term allow-rule then accept
set services nat pool NAT-POOL address 101.234.10.1/32
set services nat pool NAT-POOL port range low 40000
set services nat pool NAT-POOL port range high 60000
set services nat rule SNAT match-direction output                  <<<   Output direction 
set services nat rule SNAT term translate from source-address 0.0.0.0/0
set services nat rule SNAT term translate then translated source-pool NAT-POOL
set services nat rule SNAT term translate then translated translation-type napt-44
set services nat rule SNAT term translate then syslog

Cause:

The default time to live (TTL) of a single-hop EBGP session is 1. When the source NAT rule matches the "output" direction, the BGP packet leaving the PE is diverted through the service PIC, which decrements the TTL by 1 like any other hop. The TTL therefore becomes 0 and the packet is dropped before it reaches the peer. Because the peer never receives the BGP open message, the EBGP neighbor stays down.

Solution:

In order to prevent this problem, either of the following two workarounds can be used:

  • Change the EBGP TTL to a value greater than 1 on both the provider edge device and the customer edge device, so that the extra decrement by the service PIC does not bring it to 0.

set [routing-instances <instance-name>] protocols bgp group <group-name> multihop ttl <X>    <<< X > 1. Configure this at both PE and CE.

OR

  • Add a service filter at the interface so that BGP packets to configured neighbors bypass the service set while other traffic is still translated.

Add a service filter.

set policy-options prefix-list NAT-BGP-EXCLUDE-LIST apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>"
set firewall family inet service-filter NAT-FILTER term 10 from prefix-list NAT-BGP-EXCLUDE-LIST
set firewall family inet service-filter NAT-FILTER term 10 from protocol tcp
set firewall family inet service-filter NAT-FILTER term 10 from port bgp
set firewall family inet service-filter NAT-FILTER term 10 then skip
set firewall family inet service-filter NAT-FILTER term 20 then service

Apply the service filter.

set groups NAT interfaces ge-4/3/0 unit 3500 family inet service input service-set MS-OFFICE-SERVICE-SET service-filter NAT-FILTER
set groups NAT interfaces ge-4/3/0 unit 3500 family inet service output service-set MS-OFFICE-SERVICE-SET service-filter NAT-FILTER
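As an added illustration (a model written for this article, not Junos code), the following Python script reproduces the forwarding behaviour described above: the service PIC counts as one extra hop for the TTL, and the two workarounds are shown side by side. The neighbor set and filter logic are simplified stand-ins for the apply-path prefix list and the NAT-FILTER terms.

```python
"""Model of the article's forwarding path (illustration only, not Junos code):
a BGP packet leaving the PE toward the CE is diverted to the NAT service PIC,
which decrements the TTL like an extra hop, so the single-hop TTL of 1 hits 0."""
from dataclasses import dataclass, replace
from typing import Optional

BGP_PORT = 179
# Stand-in for the apply-path prefix-list NAT-BGP-EXCLUDE-LIST: the configured
# BGP neighbors of the routing instance (address taken from the article).
BGP_NEIGHBORS = {"192.168.110.2"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ttl: int


def bgp_packet_from_pe(multihop_ttl: Optional[int] = None) -> Packet:
    """PE-originated BGP/TCP packet; single-hop EBGP uses TTL 1 unless multihop is set."""
    return Packet("192.168.110.1", "192.168.110.2", "tcp", BGP_PORT, multihop_ttl or 1)


def nat_filter(pkt: Packet) -> str:
    """Model of service-filter NAT-FILTER: term 10 skips BGP to a configured
    neighbor, term 20 sends everything else to the service set."""
    if pkt.dst in BGP_NEIGHBORS and pkt.proto == "tcp" and pkt.dport == BGP_PORT:
        return "skip"
    return "service"


def send_from_pe(pkt: Packet, nat_enabled: bool, service_filter: bool = False) -> dict:
    """Return what arrives at the CE: {'result': 'delivered'|'dropped', 'ttl': n}."""
    if nat_enabled and (not service_filter or nat_filter(pkt) == "service"):
        # Diverted through ms-4/0/0.10: the service PIC counts as one hop.
        pkt = replace(pkt, ttl=pkt.ttl - 1)
        if pkt.ttl <= 0:
            return {"result": "dropped", "ttl": 0}
    return {"result": "delivered", "ttl": pkt.ttl}


if __name__ == "__main__":
    print("no NAT        :", send_from_pe(bgp_packet_from_pe(), nat_enabled=False))
    print("NAT, ttl 1    :", send_from_pe(bgp_packet_from_pe(), nat_enabled=True))
    print("NAT, multihop :", send_from_pe(bgp_packet_from_pe(2), nat_enabled=True))
    print("NAT, filter   :", send_from_pe(bgp_packet_from_pe(), True, service_filter=True))
```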