Participant

Multi-ISP + NAT not working after migration from R77.30 to R80.10

Hello community, 

After replacing the current 4200 gateways running 77.30 with new 5200 ones running R88.10, the Multi-ISP setup no longer works. The gateways, running a ClusterXL cluster, are connected to two different ISPs and perform NAT depending on the target ISP. We copied all the GAIA configurations and the cpisp_update script from the old gateways to the new ones. No IP or route changes; a pure gateway replacement without config changes.

To support this NAT, we added the following dynamic objects:

dynamic_objects -n DYN_ISP_Vodafone
dynamic_objects -n DYN_ISP_Colt
dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a
dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a

We confirmed the objects exist running the command dyn_objects -l

These dynamic objects are used in two different NAT rules for hiding the traffic as follows:

NAT Rule Vodafone:
Original Source: “Internal Networks”
Original Destination: “DYN_ISP_Vodafone”
Translated Source: “Vodafone-Public-IP”
Translated Destination: “Original”

NAT Rule Colt:
Original Source: “Internal Networks”
Original Destination: “DYN_ISP_Colt”
Translated Source: “Vodafone-Colt-IP”
Translated Destination: “Original”

To dynamically adjust the NAT according to the active ISP, we modified the cpisp_update script by adding the following commands at the end of the file:

# Verify which link is up with this command: tail -f /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state
echo "RESTARTING SCRIPT" >> /tmp/cpisp_state
echo "LINK1" >> /tmp/cpisp_state
echo $LINK1_STATE >> /tmp/cpisp_state
echo "LINK2" >> /tmp/cpisp_state
echo $LINK2_STATE >> /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo " " >> /tmp/cpisp_state

# Check if the Link is up or down
if ($LINK2_STATE == "down") then
    fw tab -t dynobj_cache -x -y
    dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a
    dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -d
    dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a
endif

if ($LINK1_STATE == "down") then
    fw tab -t dynobj_cache -x -y
    dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a
    dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -d
    dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a
endif

# if both Links are up, return to Load Sharing
if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then
    fw tab -t dynobj_cache -x -y
    dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a
    dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a
endif

We can confirm it is a NAT issue because if we replace the above NAT rules with others using “any” instead of the dynamic object as the “Original Destination”, it works, but not for the secondary ISP.

Current setup: 2 x 4200 gateways running R77.30 -> Multi-ISP Working

New setup: 2 x 5200 gateways running R80.10 Jumbo hotfix take169 -> Multi-ISP not working.

Regards.

6 Replies
Admin

What does the dynamic_objects -l command say on both sets of gateways?

Participant

They showed 0.0.0.0 0.0.0.0. It looks like the script is not correctly updating the objects. I triggered the script manually by disabling one of the ISPs. That script is working on the current gateways. Any changes in R80.10?

On Sat, 23 Feb 2019, 12:31 Dameon Welch-Abernathy, <

Admin

Not aware of any changes here.

It might be worth a TAC case.

How To Open a Case with TAC and/or Account Services

Participant

We managed to get the dynamic_objects working and now outgoing traffic is working; however, incoming traffic for static NATs using the secondary ISP no longer works. This was working prior to the upgrade. Any ideas?

dynamic_objects -l looks like this:

object name : DYN_ISP_Vodafone
range 0 : 0.0.0.0                255.255.255.255

object name : DYN_ISP_Colt
range 0 : 0.0.0.0                255.255.255.255

Regards.

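The comparison this thread keeps coming back to, what `dynamic_objects -l` reports versus the link states the script saw, written as an added example that is not part of any post in the thread and not Check Point code. Assumptions: LINK1 is Vodafone and LINK2 is Colt (inferred from which object the posted script empties when each link is down), the function names are hypothetical, and the sample listings are constructed in the output format posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: LINK1 = Vodafone, LINK2 = Colt,
# inferred from which object the posted script empties when each link is down.

# Turn `dynamic_objects -l` text (stdin) into "name first last" lines, one per range.
dynobj_ranges() {
    awk '$1 == "object" && $2 == "name" { name = $4 }
         $1 == "range" && name != ""    { print name, $4, $5 }'
}

# Print "active" if any range of object $1 in listing $2 is the full
# 0.0.0.0 - 255.255.255.255 range the script sets for a usable ISP, else "inactive".
dynobj_state() {
    printf '%s\n' "$2" | dynobj_ranges | awk -v o="$1" '
        $1 == o && $2 == "0.0.0.0" && $3 == "255.255.255.255" { full = 1 }
        END { print (full ? "active" : "inactive") }'
}

# check_dynobj LINK1_STATE LINK2_STATE LISTING
# Returns 0 when both objects match what the script should have set, 1 otherwise.
check_dynobj() {
    rc=0
    for pair in "DYN_ISP_Vodafone:$1" "DYN_ISP_Colt:$2"; do
        obj=${pair%%:*}; link=${pair##*:}
        [ "$link" = "up" ] && want=active || want=inactive
        got=$(dynobj_state "$obj" "$3")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $obj: link=$link expected=$want actual=$got"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples in the format shown in the thread.
SAMPLE_STALE='object name : DYN_ISP_Vodafone
range 0 : 0.0.0.0                0.0.0.0

object name : DYN_ISP_Colt
range 0 : 0.0.0.0                0.0.0.0'

SAMPLE_BOTH_UP='object name : DYN_ISP_Vodafone
range 0 : 0.0.0.0                255.255.255.255

object name : DYN_ISP_Colt
range 0 : 0.0.0.0                255.255.255.255'

check_dynobj up up "$SAMPLE_BOTH_UP" && echo "both-up listing matches link state"
check_dynobj up down "$SAMPLE_STALE" || echo "stale listing detected"
```

On a gateway the third argument would be the live listing, for example `check_dynobj up down "$(dynamic_objects -l)"`, with the link states taken from `/tmp/cpisp_state`.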
Admin

Did you open a TAC case as I previously suggested?

Participant

Yes, I have an open case, but in parallel wanted to get more options while the support team finds what's going on.
