Symptoms:
- You are using NSX-T 3.1.2.
- You are using SNAT/DNAT on an NSX-T Gateway.
- Traffic disruption may occur for flows that use gateways configured for SNAT/DNAT after either of the following:
  - A dataplane service restart action on the NSX-T edge node where the gateway resides.
  - The NSX-T edge node has entered and then exited maintenance mode (enable/disable), thus causing a dataplane service restart.
- Application traffic is impacted or disrupted as NAT rules stop working.
- When we check the firewall settings of the gateway DR downlink interface (the gateway is configured for SNAT/DNAT), using the following command:
get logical-router interface <logical-router-interface-UUID> | json
- In the output below we can see '"enable-firewall": false'. A setting of false indicates that you are encountering this issue:
{
"access_vlan": "untagged",
"admin": "up",
"arp_proxy_table": [],
"connect-to-service-plane-ew": false,
"connect-to-service-plane-ns": false,
"dad-mode": "LOOSE",
"dad-profile": "(1 sec, 3 rtr)",
"enable-firewall": false,
"enable-firewall-ike": false,
"enable-firewall-pbr": false,
"enable-firewall-rule": false,
(...)
}
- If you are not encountering this issue, the setting will be 'true'.
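
The same check can be run over a saved CLI session that queries several downlink interfaces at once. This is an added example, not VMware code: the `edge01>` prompt, the UUIDs and the sample output are constructed, and it assumes the capture contains each echoed command followed by its JSON output.

```python
import json
import re

# Command text as shown in the article; the captured group is the interface UUID.
CMD = re.compile(r"get logical-router interface (\S+) \| json")
FLAG = "enable-firewall"

# Constructed capture: prompt, UUIDs and output are sample values, not real data.
SAMPLE = """\
edge01> get logical-router interface 11111111-aaaa-4bbb-8ccc-000000000001 | json
{
  "admin": "up",
  "enable-firewall": false
}
edge01> get logical-router interface 11111111-aaaa-4bbb-8ccc-000000000002 | json
{
  "admin": "up",
  "enable-firewall": true
}
edge01> get logical-router interface 11111111-aaaa-4bbb-8ccc-000000000003 | json
{
  (...)
}
"""

def check_capture(text):
    """Map each queried interface UUID to 'affected', 'ok' or 'unknown'."""
    decoder = json.JSONDecoder()
    matches = list(CMD.finditer(text))
    results = {}
    for i, m in enumerate(matches):
        # Only search the output between this command and the next one.
        limit = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        start = text.find("{", m.end(), limit)
        status = "unknown"  # no JSON, truncated JSON, or flag missing
        if start != -1:
            try:
                obj, _ = decoder.raw_decode(text, start)
            except json.JSONDecodeError:
                obj = None
            if isinstance(obj, dict):
                value = obj.get(FLAG)
                status = ("affected" if value is False
                          else "ok" if value is True else "unknown")
        results[m.group(1)] = status
    return results

if __name__ == "__main__":
    for uuid, status in check_capture(SAMPLE).items():
        print(f"{uuid}  {status}")
```

An interface reported as 'unknown' had truncated or elided output and should be queried again rather than assumed healthy.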