topic Re: Multi-ISP + NAT not working after migration from R77.30 to R80.10 in Firewall and Security Management

Multi-ISP + NAT not working after migration from R77.30 to R80.10

Antonio_M — Sat, 23 Feb 2019 09:31:22 GMT

Hello community,

After replacing the current 4200 gateways running 77.30 by a new ones 5200 running R88.10, the multi-isp set up no longer works. The gateways, running a Cluster XL cluster are connected to two different ISPs and perform NAT depending on the target ISP. We copied all the GAIA configurations from the old gateways to the new ones and the cpisp_update script. No IP or route changes, pure gateway replacement without config changes.

To support this NAT, we added the following dynamic objects:

dynamic_objects -n DYN_ISP_Vodafone

dynamic_objects -n DYN_ISP_Colt

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a

We confirmed the objects exist running the command dyn_objects -l

These dynamic objects are used in two different NAT rules for hiding the traffic as follows:

NAT Rule Vodafone:

Original Source: “Internal Networks”

Original Destination: “DYN_ISP_Vodafone”

Traslated Source: “Vodafone-Public-IP”

Traslated Destination: “Original”

NAT Rule Colt:

Original Source: “Internal Networks”

Original Destination: “DYN_ISP_Colt”

Traslated Source: “Vodafone-Colt-IP”

Traslated Destination: “Original”

To dynamically adjust the NAT according to the active ISP, we modified the cpisp_update script by adding the following commands at the end of the file:

# Verify which link is up with this command: tail -f /tmp/cpisp_state

echo "--------------------------" >> /tmp/cpisp_state

echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state

echo "RESTARTING SCRIPT" >> /tmp/cpisp_state

echo "LINK1" >> /tmp/cpisp_state

echo $LINK1_STATE >> /tmp/cpisp_state

echo "LINK2" >> /tmp/cpisp_state

echo $LINK2_STATE >> /tmp/cpisp_state

echo "--------------------------" >> /tmp/cpisp_state

echo " " >> /tmp/cpisp_state

# Check if the Link is up or down

if ($LINK2_STATE == "down") then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -d

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a

endif

if ($LINK1_STATE == "down") then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -d

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a

endif

# if both Links are up, return to Load Sharing

if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a

endif

We can confirm it is a NAT issue because if we replace the above NAT rules by other using “any” instead of the dynamic object as the “Original Destination” it works, but not for the secondary ISP.

Current setup: 2 x 4200 gateways running R77.30 -> Multi-ISP Working

New setup: 2 x 5200 gateways running R80.10 Jumbo hotfix take169 -> Multi-ISP not working.

Regards.

Re: Multi-ISP + NAT not working after migration from R77.30 to R80.10

PhoneBoy — Sat, 23 Feb 2019 11:31:05 GMT

What does the dynamic_objects -l command say on both sets of gateways?

Re: Multi-ISP + NAT not working after migration from R77.30 to R80.10

Antonio_M — Sat, 23 Feb 2019 11:35:45 GMT

They showed 0.0.0.0 0.0.0.0. It looks like the script is not correctly

updating the objects. I triggered the script manually by disabling one of

the ISP. That script is working in the current gateways. Any changes on

R80.10?

On Sat, 23 Feb 2019, 12:31 Dameon Welch-Abernathy, <

Re: Multi-ISP + NAT not working after migration from R77.30 to R80.10

PhoneBoy — Sat, 23 Feb 2019 11:42:04 GMT

Not aware of any changes here.

It might be worth a TAC case.

How To Open a Case with TAC and/or Account Services‌

Re: Multi-ISP + NAT not working after migration from R77.30 to R80.10

Antonio_M — Thu, 28 Feb 2019 07:45:48 GMT

We managed to get the dynamic_objects working and now outgoing traffic is working, however incoming traffic for static NATs using the secondary ISP no longer works. This was working prior to the upgrade. Any ideas?

dynamic_objects -l looks like this:

object name : DYN_ISP_Vodafone

range 0 : 0.0.0.0 255.255.255.255

object name : DYN_ISP_Colt

range 0 : 0.0.0.0 255.255.255.255

Regards.

Re: Multi-ISP + NAT not working after migration from R77.30 to R80.10

PhoneBoy — Thu, 28 Feb 2019 22:08:13 GMT

Did you open a TAC case as I previously suggested?

Re: Multi-ISP + NAT not working after migration from R77.30 to R80.10

Antonio_M — Fri, 01 Mar 2019 08:12:18 GMT

Yes, I have an opened case but in parallel wanted to get more options while

the support team finds what's going on.