Multi-ISP + NAT not working after migration from R... - Page 2

Antonio_M · ‎2019-02-23

Hello community,

After replacing the current 4200 gateways running 77.30 by a new ones 5200 running R88.10, the multi-isp set up no longer works. The gateways, running a Cluster XL cluster are connected to two different ISPs and perform NAT depending on the target ISP. We copied all the GAIA configurations from the old gateways to the new ones and the cpisp_update script. No IP or route changes, pure gateway replacement without config changes.

To support this NAT, we added the following dynamic objects:

dynamic_objects -n DYN_ISP_Vodafone

dynamic_objects -n DYN_ISP_Colt

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a

We confirmed the objects exist running the command dyn_objects -l

These dynamic objects are used in two different NAT rules for hiding the traffic as follows:

NAT Rule Vodafone:

Original Source: “Internal Networks”

Original Destination: “DYN_ISP_Vodafone”

Traslated Source: “Vodafone-Public-IP”

Traslated Destination: “Original”

NAT Rule Colt:

Original Source: “Internal Networks”

Original Destination: “DYN_ISP_Colt”

Traslated Source: “Vodafone-Colt-IP”

Traslated Destination: “Original”

To dynamically adjust the NAT according to the active ISP, we modified the cpisp_update script by adding the following commands at the end of the file:

# Verify which link is up with this command: tail -f /tmp/cpisp_state

echo "--------------------------" >> /tmp/cpisp_state

echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state

echo "RESTARTING SCRIPT" >> /tmp/cpisp_state

echo "LINK1" >> /tmp/cpisp_state

echo $LINK1_STATE >> /tmp/cpisp_state

echo "LINK2" >> /tmp/cpisp_state

echo $LINK2_STATE >> /tmp/cpisp_state

echo "--------------------------" >> /tmp/cpisp_state

echo " " >> /tmp/cpisp_state

# Check if the Link is up or down

if ($LINK2_STATE == "down") then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -d

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a

endif

if ($LINK1_STATE == "down") then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -d

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a

endif

# if both Links are up, return to Load Sharing

if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then

fw tab -t dynobj_cache -x -y

dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a

dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a

endif

We can confirm it is a NAT issue because if we replace the above NAT rules by other using “any” instead of the dynamic object as the “Original Destination” it works, but not for the secondary ISP.

Current setup: 2 x 4200 gateways running R77.30 -> Multi-ISP Working

New setup: 2 x 5200 gateways running R80.10 Jumbo hotfix take169 -> Multi-ISP not working.

Regards.

Are you a member of CheckMates?

Multi-ISP + NAT not working after migration from R77.30 to R80.10