01-15-2015 04:29 AM - edited 03-11-2019 10:20 PM
I did an upgrade on HA from 9.1.2 to 9.1.5, but after the upgrade the lookup behavior has changed.
On 9.1.2 it's NAT:
______
packet-tracer input INSIDE tcp 10.10.0.10 5555 1.1.1.1 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp
Additional Information:
NAT divert to egress interface OUTSIDEPUB
Untranslate 1.1.1.1/443 to 1.1.1.1/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 any object-group INLINE_TCP
object-group service INLINE_TCP tcp
port-object eq https
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp
Additional Information:
Static translate 10.10.0.10/5555 to 10.10.0.10/5555
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp
Additional Information:
Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94829, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDEPUB
output-status: up
output-line-status: up
Action: allow
_________
After 9.1.5 it's a route lookup:
________
packet-tracer input INSIDE tcp 10.10.0.10 5555 1.1.$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 any object-group INLINE_TCP
object-group service INLINE_TCP tcp
port-object eq https
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp route-lookup
Additional Information:
Static translate 10.10.0.10/5555 to 10.10.0.10/5555
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp route-lookup
Additional Information:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
What went wrong? Are there some changes in the new version? I cannot upgrade to a higher version as I'm not on X platform hardware.
01-15-2015 11:50 PM
Can you post the complete NAT-config for both scenarios? Different rules match in 9.1(2) and 9.1(5).
With v9.1(2):
nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp
You are using NAT-divert to find the egress interface. The NAT rule matches traffic and picks the post-nat-interface OUTSIDEPUB.
With v9.1(5):
nat (INSIDE,OUTSIDE) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp route-lookup
This rule is configured with "route-lookup", which means that the destination address 1.1.1.1 is used to find the egress interface (OUTSIDE) in the routing table, and a corresponding NAT rule is then used.
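An added example, not code from the thread: a small Python parser for the packet-tracer output quoted in the question, which pulls out of each run the first phase type, the interface pair and route-lookup flag of the NAT rule it matched, and the final egress interface and action, then diffs the two runs. The sample traces are constructed, abbreviated copies of the two outputs above, so the diff reproduces the NAT-divert versus route-lookup difference the reply describes.

```python
# Constructed, abbreviated copies of the two packet-tracer runs quoted in the thread
OLD_TRACE = """Phase: 1
Type: UN-NAT
Config:
nat (INSIDE,OUTSIDEPUB) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp
Result:
output-interface: OUTSIDEPUB
Action: allow"""
NEW_TRACE = """Phase: 1
Type: ROUTE-LOOKUP
Phase: 3
Type: NAT
Config:
nat (INSIDE,OUTSIDE) after-auto source static NET_10.0.0_8 NET_10.0.0_8 service Shttps443 Shttps443 no-proxy-arp route-lookup
Result:
output-interface: OUTSIDE
Action: drop"""

def parse_trace(text):
    """Split packet-tracer output into phases (type + body lines) and the final Result block."""
    phases, result, in_result = [], {}, False
    for line in text.splitlines():
        if line.startswith("Phase:"):
            phases.append({"type": "", "lines": []})
        elif line.strip() == "Result:":  # the bare 'Result:' opens the final summary block
            in_result = True
        elif in_result:
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
        elif phases and line.startswith("Type:"):
            phases[-1]["type"] = line[5:].strip()
        elif phases:
            phases[-1]["lines"].append(line)
    return phases, result

def egress_decision(text):
    """Summarise how the ASA chose the egress interface in one trace."""
    phases, result = parse_trace(text)
    nat_rules = [l for p in phases for l in p["lines"] if l.startswith("nat (")]
    return {
        "first_phase": phases[0]["type"] if phases else "",
        "route_lookup": any(" route-lookup" in r for r in nat_rules),
        "nat_interfaces": sorted({r[r.index("(") + 1:r.index(")")] for r in nat_rules}),
        "output_interface": result.get("output-interface", ""),
        "action": result.get("Action", ""),
    }

def diff_decisions(old_text, new_text):
    """Return only the fields that differ between two traces of the same packet."""
    old, new = egress_decision(old_text), egress_decision(new_text)
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}
```

Feeding it the two full traces from the question gives the same picture: the egress interface now comes from a routing lookup and a rule on OUTSIDE instead of the NAT divert to OUTSIDEPUB.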
01-16-2015 09:06 PM
It's the same NAT config on both boxes; I did an upgrade on the secondary and then failed over to the secondary (no configuration changes are seen when compared).
But due to this NAT behavior change I had to fail over back to the primary, which still runs 9.1(2).
Basically I'm looking for whether there are any changes in 9.1(5) for NAT / route lookup.
01-17-2015 12:35 AM
01-20-2015 06:55 AM
Does that mean it was a bug until 9.1(2), and 9.1(5) fixed this behavior?
I need to change the NAT rules completely after upgrade to fix the issue.