NSX-T SNAT does not work when firewall rule is applied to VTI interface
Article ID: 320298

Products

VMware NSX

Issue/Introduction

  • Traffic ingresses the T0 router's IPSec VTI interface.
  • An SNAT rule is applied to that traffic before it is routed to the destination.
  • SNAT does not work if the VTI interface has a firewall enabled.
  • This KB provides a workaround if such a design is required.
  • This workaround causes an increase in CPU usage on the Edge.

Environment

VMware NSX-T Data Centre 

VMware NSX

Resolution

This is expected behavior. 

Workaround:

1. Take an NSX backup

2. Configure GeneralSecuritySettingsProfile:
    a. Create profile.json that looks like:

{
    "enable_double_flow" : true,
    "resource_type" : "GeneralSecuritySettingsProfile",
    "display_name" : "nat-security-profile"
}

    b. Run the following API to create the profile:

POST NSX_Manager_IP_address/api/v1/firewall/profiles -d "`cat profile.json`"

    c. Confirm the configuration:

GET NSX_Manager_IP_address/api/v1/firewall/profiles?resource_type=GeneralSecuritySettingsProfile

3. Configure ServiceConfig:
    a. Create service_config_highline.json that looks like:
 
{
    "display_name" : "testServiceConfig",
    "profiles": [
        {
            "profile_type":"GeneralSecuritySettingsProfile",
            "target_id":"XXXX-XXXX-XXXX-XXXX-XXXX"
        }
    ],
    "precedence": 10,
    "applied_to": [
        {
            "target_type": "LogicalRouter",
            "target_id": "YYYY-YYYY-YYYY-YYYY-YYYY"
        },
        {
            "target_type": "LogicalRouter",
            "target_id": "ZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZ"
        }
    ]
}

Note: The profile target_id is the "id" returned by the GET command in Step 2.c. The Logical Router target_id is the LR UUID of the logical router that owns the UPLINK port where the firewall is applied. In this example, two logical routers are set. The target_id of each Logical Router should be obtained by executing GET NSX_Manager_IP_address/api/v1/logical-routers and taking the "id" of the correct Logical Router.

    b. Configure the service-configs object:

POST NSX_Manager_IP_address/api/v1/service-configs -d "`cat service_config_highline.json`"

    c. Then check:

GET NSX_Manager_IP_address/api/v1/service-configs

4. To revert the configuration done above:
    a. GET NSX_Manager_IP_address/api/v1/service-configs
    b. Note the "id" of the service config whose profile has "profile_type" : "GeneralSecuritySettingsProfile"
    c. DELETE NSX_Manager_IP_address/api/v1/service-configs/<id noted in step b above>
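The following is an added helper, not part of this KB or of the NSX product, that builds the two request bodies from steps 2 and 3 and picks the ids the Note describes out of the GET responses instead of pasting UUIDs by hand. The sample responses and every id in them are constructed placeholders; only the `results` list shape of the NSX-T list APIs is assumed.

```python
import json

# Constructed sample responses, shaped like GET /api/v1/firewall/profiles
# and GET /api/v1/logical-routers ({"results": [...]}); all ids are placeholders.
PROFILES_RESPONSE = {"results": [
    {"id": "prof-1111", "resource_type": "GeneralSecuritySettingsProfile",
     "display_name": "nat-security-profile", "enable_double_flow": True},
    {"id": "prof-2222", "resource_type": "GeneralSecuritySettingsProfile",
     "display_name": "other-profile", "enable_double_flow": False},
]}
ROUTERS_RESPONSE = {"results": [
    {"id": "lr-aaaa", "display_name": "T0-edge-vpn", "router_type": "TIER0"},
    {"id": "lr-bbbb", "display_name": "T1-app", "router_type": "TIER1"},
]}

def profile_payload(display_name="nat-security-profile"):
    """Body for POST /api/v1/firewall/profiles (step 2.a)."""
    return {"enable_double_flow": True,
            "resource_type": "GeneralSecuritySettingsProfile",
            "display_name": display_name}

def find_profile_id(response, display_name):
    """Step 2.c: resolve the profile target_id; refuse ambiguous or missing names."""
    matches = [p["id"] for p in response["results"]
               if p.get("resource_type") == "GeneralSecuritySettingsProfile"
               and p.get("display_name") == display_name]
    if len(matches) != 1:
        raise LookupError(f"expected one profile named {display_name!r}, found {len(matches)}")
    return matches[0]

def find_router_ids(response, names):
    """Note to step 3.a: take the 'id' of each named logical router; fail if any is missing."""
    by_name = {r["display_name"]: r["id"] for r in response["results"]}
    missing = [n for n in names if n not in by_name]
    if missing:
        raise LookupError(f"logical routers not found: {missing}")
    return [by_name[n] for n in names]

def service_config_payload(profile_id, router_ids, precedence=10, display_name="testServiceConfig"):
    """Body for POST /api/v1/service-configs (step 3.b), one applied_to entry per router."""
    return {"display_name": display_name,
            "profiles": [{"profile_type": "GeneralSecuritySettingsProfile", "target_id": profile_id}],
            "precedence": precedence,
            "applied_to": [{"target_type": "LogicalRouter", "target_id": rid} for rid in router_ids]}

def revert_ids(service_configs_response):
    """Step 4.b: ids of service-configs carrying the profile, i.e. the DELETE targets."""
    return [sc["id"] for sc in service_configs_response["results"]
            if any(p.get("profile_type") == "GeneralSecuritySettingsProfile" for p in sc.get("profiles", []))]

if __name__ == "__main__":
    pid = find_profile_id(PROFILES_RESPONSE, "nat-security-profile")
    print(json.dumps(service_config_payload(pid, find_router_ids(ROUTERS_RESPONSE, ["T0-edge-vpn"])), indent=2))
```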