DNAT/SNAT with port translation traffic is impacted after upgrade to NSX-T 3.0
Article ID: 322596
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
An upgrade has been performed from NSX-T 2.5.x to NSX-T 3.0
SNAT/DNAT rules were created using Policy UI or API on NSX-T 2.5.x
Datapath traffic flows configured for DNAT/SNAT are impacted
SNAT/DNAT rules use port translation
Example DNAT configuration

The rule below is meant to accept SSH on the alternate port 2222 of 10.10.10.12 and hand it to port 22 on 1.1.1.10. Before the upgrade the edge datapath shows exactly that:

Working DNAT configuration on 2.5.x
Edge01> get firewall e7d73315-dad1-4228-bdca-c36d13387308 ruleset rules
DNAT rule count: 1
Rule ID : 1028
Rule : in protocol tcp prenat from any to ip 10.10.10.12 port 2222 dnat ip 1.1.1.10 port 22 with log

After the upgrade the same rule ID now matches destination port 22 and translates it to 2222, so connections to 10.10.10.12:2222 no longer hit the rule:

Problem DNAT configuration post upgrade to 3.0
Edge01> get firewall e7d73315-dad1-4228-bdca-c36d13387308 ruleset rules
DNAT rule count: 1
Rule ID : 1028
Rule : in protocol tcp prenat from any to ip 10.10.10.12 port 22 dnat ip 1.1.1.10 port 2222 with log
Environment
VMware NSX-T Data Center 3.x
Cause
During the upgrade from NSX-T 2.5.x to 3.0 a conversion of Policy NAT rules takes place which interchanges two DNAT parameters: the service port (the destination port the rule matches before translation) and the translated port. DNAT rules that do not translate the port are not affected.
Resolution
This is a known issue affecting NSX-T Data Center 3.0. There is currently no resolution.
Workaround:
From the UI or API, edit every DNAT rule that uses port translation:
Swap the port numbers in the "Service" and "Translated Port" fields.
Note: for system-defined services such as HTTP, SSH, etc., the port cannot be changed, either from the API or from the UI.
For DNAT rules using these services, create a new custom service with the required port.
Replace the system service in the DNAT rule with the custom service.
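The following is an added example, not VMware's code and not part of this article, that plans the workaround above for a batch of rules instead of editing them one by one. It takes NAT rules and services in the shape the NSX-T Policy API returns them (the field names service, translated_ports, service_entries, destination_ports, l4_protocol and _system_owned are assumed from that API) and emits, for each affected DNAT rule, the PATCH body that swaps the ports, plus any custom service that has to be created first. It makes no network calls; the rules and services below are constructed to mirror the article's example (service port 2222, translated port 22) and a few neighbouring cases.

```python
"""Plan the service-port / translated-port swap for DNAT rules after a
NSX-T 2.5.x -> 3.0 upgrade.  Added example, not VMware code.

Objects follow the NSX-T Policy API shape (assumed): a NAT rule carries
'action', 'service' (path) and 'translated_ports'; a Service carries
'service_entries' of type L4PortSetServiceEntry with 'l4_protocol' and
'destination_ports'.  Existing services are never edited in place, since a
custom service may be shared with other NAT or firewall rules.
"""
import copy
import re

# Constructed sample data: two services, one system-owned (SSH) and one custom.
SERVICES = {
    "/infra/services/SSH": {
        "id": "SSH", "_system_owned": True,
        "service_entries": [{"resource_type": "L4PortSetServiceEntry",
                             "l4_protocol": "TCP", "destination_ports": ["22"]}]},
    "/infra/services/tcp-2222": {
        "id": "tcp-2222", "_system_owned": False,
        "service_entries": [{"resource_type": "L4PortSetServiceEntry",
                             "l4_protocol": "TCP", "destination_ports": ["2222"]}]},
    "/infra/services/tcp-8080": {
        "id": "tcp-8080", "_system_owned": False,
        "service_entries": [{"resource_type": "L4PortSetServiceEntry",
                             "l4_protocol": "TCP", "destination_ports": ["8080"]}]},
}

# Constructed rules as they look AFTER the upgrade (ports already swapped).
RULES_POST_UPGRADE = [
    {"id": "ssh-alt", "action": "DNAT", "destination_network": "10.10.10.12",
     "translated_network": "1.1.1.10", "service": "/infra/services/SSH",
     "translated_ports": "2222", "logging": True},           # article's example
    {"id": "web1", "action": "DNAT", "destination_network": "10.10.10.20",
     "translated_network": "1.1.1.20", "service": "/infra/services/tcp-8080",
     "translated_ports": "80"},                               # needs a new tcp/80 service
    {"id": "web2", "action": "DNAT", "destination_network": "10.10.10.21",
     "translated_network": "1.1.1.21", "service": "/infra/services/tcp-8080",
     "translated_ports": "80"},                               # reuses that new service
    {"id": "range", "action": "DNAT", "destination_network": "10.10.10.30",
     "translated_network": "1.1.1.30", "service": "/infra/services/SSH",
     "translated_ports": "8000-8010"},                        # ambiguous: flag for manual review
    {"id": "no-port-xlat", "action": "DNAT", "destination_network": "10.10.10.13",
     "translated_network": "1.1.1.11"},                       # no port translation: unaffected
    {"id": "snat-out", "action": "SNAT", "source_network": "1.1.1.0/24",
     "translated_network": "10.10.10.50"},                    # not DNAT: untouched
]


def _single_port(service):
    """Return (protocol, port) if the service is one L4 entry with exactly one
    destination port; otherwise None, because the swap is ambiguous."""
    entries = service.get("service_entries", [])
    if len(entries) != 1 or entries[0].get("resource_type") != "L4PortSetServiceEntry":
        return None
    ports = entries[0].get("destination_ports", [])
    if len(ports) != 1 or not ports[0].isdigit():
        return None
    return entries[0]["l4_protocol"], ports[0]


def _service_for_port(services, proto, port):
    """Find a custom (non-system) service that is exactly proto/port, or
    describe a new one.  Returns (path, new_service_or_None)."""
    for path, svc in services.items():
        if not svc.get("_system_owned") and _single_port(svc) == (proto, port):
            return path, None
    sid = f"dnat-fix-{proto.lower()}-{port}"   # hypothetical naming convention
    new_svc = {"id": sid, "resource_type": "Service",
               "service_entries": [{"resource_type": "L4PortSetServiceEntry",
                                    "id": f"{sid}-entry", "l4_protocol": proto,
                                    "destination_ports": [port]}]}
    return f"/infra/services/{sid}", new_svc


def plan_port_swap(rules, services):
    """For every DNAT rule with port translation, compute the rule PATCH that
    swaps service port and translated port, creating custom services as needed."""
    services = copy.deepcopy(services)   # newly planned services are added here so later rules reuse them
    plan = []
    for rule in rules:
        if rule.get("action") != "DNAT" or not rule.get("translated_ports"):
            continue                      # only DNAT rules with port translation are affected
        svc = services.get(rule.get("service", ""))
        port_info = _single_port(svc) if svc else None
        if port_info is None or not re.fullmatch(r"\d+", rule["translated_ports"]):
            plan.append({"rule_id": rule["id"], "manual": True,
                         "reason": "service or translated_ports is not a single L4 port"})
            continue
        proto, service_port = port_info
        new_path, new_svc = _service_for_port(services, proto, rule["translated_ports"])
        if new_svc:
            services[new_path] = new_svc
        plan.append({"rule_id": rule["id"], "manual": False, "new_service": new_svc,
                     "patch": {"service": new_path, "translated_ports": service_port}})
    return plan


if __name__ == "__main__":
    for step in plan_port_swap(RULES_POST_UPGRADE, SERVICES):
        print(step)
```

Each plan entry maps onto two Policy API calls (paths assumed, with the Tier-1 ID and rule ID filled in by the operator): first PATCH /policy/api/v1/infra/services/<id> with new_service when it is not None, then PATCH /policy/api/v1/infra/tier-1s/<t1-id>/nat/USER/nat-rules/<rule-id> with the patch body. Rules flagged manual (a port range, a multi-port service, or a service that is not a single L4 entry) are deliberately left for a human, since the swap is not well defined for them. After applying, re-run get firewall <id> ruleset rules on the edge and confirm the prenat port and the dnat port are back in the order shown in the working 2.5.x output.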