DNAT from VM to physical is not performing reverse translation for return traffic (returning from physical to VM), causing communication failure.
search cancel

DNAT from VM to physical is not performing reverse translation for return traffic (returning from physical to VM), causing communication failure.

book

Article ID: 345846

calendar_today

Updated On:

Products

VMware NSX Networking

Issue/Introduction

To recognize this symptom and provide a permanent workaround to address it.

Symptoms:
The DNAT works on the way to the physical IP and the physical IP returns. However, the return traffic is NOT translated(un-natted). This means the return traffic reaching the VM is from the externally natted IP and the VM is dropping the Syn-Ack as not meant for it. Communication is unable to take place.

Environment

VMware NSX-T Data Center

Cause

In this scenario, "Double Inspection" is needed on the edge, which is not enabled by default. When the traffic returns on the uplink, only the traffic IN is being matched which does not find the DNAT state.

Resolution

On NSX-T Edge where the double inspection is to take place:

nsx-edge> get firewall <T1 Uplink UUID> param one_state_opt value
nsx-edge> set firewall <T1 Uplink UUID> param one_state_opt value 0

Note: Above configuration change does not persist after placing edge node into NSX Maintenance Mode or rebooting.

Workaround:
To make the above value of "0" persist across reboots and NSX Maintenance Mode, use the following API call process:

// Before running API
yalee-svc> get firewall fxxxxxx9-4xx0-4xx8-8xxd-7xxxxxxxxxx9 param one_state_opt
one_state_opt : 1

// After running API
yalee-svc> get firewall fxxxxxx9-4xx0-4xx8-8xxd-7xxxxxxxxxx9 param one_state_opt
one_state_opt : 0

Following are the details:
----------------------------


1. Configure GeneralSecuritySettingsProfile
1.1 Create profile.json that looks like:

{
    "enable_double_flow" : true,
    "resource_type" : "GeneralSecuritySettingsProfile",
    "display_name" : "nat-security-profile"
}

1.2 Run following API to create the profile object:

curl -k -H 'Content-Type:application/json' -u 'admin:Admin!23Admin' -X POST https://<NSX-T-Manager-IP>/api/v1/firewall/profiles -d "`cat profile.json`"

// To Review:
curl -k -H 'Content-Type:application/json' -u 'admin:Admin!23Admin' https://<NSX-T-Manager-IP>/api/v1/firewall/profiles?resource_type=GeneralSecuritySettingsProfile

2. Configure ServiceConfig:
2.1 Create service_config_highline.json that looks like:

Note: The profile target_id can be found by running the view command in Step 1.2. The Logical Router target_id should be the LR UUID of the logical router of the UPLINK port where you want to run the firewall param NSX CLI. I'm setting to 2 logical routers here but you can set on one or more.

{
    "display_name" : "testServiceConfig",
    "profiles": [
        {
            "profile_type":"GeneralSecuritySettingsProfile",
            "target_id":"6xxxxxxa-exx0-4xxa-9xxf-7xxxxxxxxxx3"
        }
    ],
    "precedence": 10,
    "applied_to": [
        {
            "target_type": "LogicalRouter",
            "target_id": "2xxxxxx7-bxx7-4xxe-8xx7-9xxxxxxxxxx6"
        },
        {
            "target_type": "LogicalRouter",
            "target_id": "7xxxxxx9-2xx6-4xxd-bxx2-7xxxxxxxxxx3"
        }
    ]
}

2.2 Configure service-configs object

curl -k -H 'Content-Type:application/json' -u 'admin:Admin!23Admin' -X POST https://<NSX-T-Manager-IP>/api/v1/service-configs -d "`cat service_config_highline.json`"

// to review
curl -k -H 'Content-Type:application/json' -u 'admin:Admin!23Admin' https://<NSX-T-Manager-IP>/api/v1/service-configs

Additional Information

2.1 Create service_config_highline.json that looks like:

Note: The profile target_id can be found by running the view command in Step 1.2.
root@nsx-t-lm-a:/tmp# curl -k -H 'Content-Type:application/json' -u 'admin:VMware123!VMware123!' https://192.168.0.201/api/v1/firewall/profiles?resource_type=GeneralSecuritySettingsProfile
{
  "results" : [ {
    "enable_double_flow" : true,
    "resource_type" : "GeneralSecuritySettingsProfile",
    "id" : "4xxxxxx8-2xxa-4xxb-axx4-axxxxxxxxxxe", <<<<<<<<<<< profile target_id
    "display_name" : "nat-security-profile",
    "_create_user" : "admin",
    "_create_time" : 1626133182389,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1626133699695,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 1
  } ],
  "result_count" : 1,
  "sort_by" : "display_name",
  "sort_ascending" : true
}


Impact/Risks:
Unable to perform DNAT from Virtual to Physical in this scenario.