By default, when the source or destination service ports are not explicitly defined, all ports (1-65535) are allowed. This allows you to match only on specific service ports of either the source or the destination.
Documentation: Outbound NAT Configuration on Avi Load Balancer Service Engine
When configuring an outbound NAT policy rule, if the match criteria contain either the destination or the source port without both being explicitly defined, the configuration will fail with the error "Field check for ports failed: There must be at least 1 ports."
UI Error:
NAT Policy rule example: The destination port is defined but the source port is empty.
Affects Version(s):
22.1.1 - 22.1.1-2p6
22.1.2 - 22.1.2-2p7
22.1.3 - 22.1.3-2p14
22.1.4 - 22.1.4-2p7
22.1.5 - 22.1.5-2p8
22.1.6 - 22.1.6-2p9
22.1.7 - 22.1.7-2p11
30.2.1 - 30.2.1-2p6
30.2.2 - 30.2.2-2p6
30.2.3 - 30.2.3-2p4
30.2.4 - 30.2.4-2p2
30.2.5 - 30.2.5-2p1
30.2.6
This has been identified as a GUI product issue where the UI configuration template sends an "IS_IN" match criteria for the source or destination port when that port is not explicitly defined.
This GUI issue with the NAT policy rule has been addressed in 31.1.1 and 31.2.1 versions.
ID: AV-193240
Workaround(s):
Option #1: You can add a placeholder service port value and set the match criteria to "is not in".
Example:
Option #2:
You can configure the NAT policy via CLI.
NOTE: All subsequent updates to the Policy will have to be performed via CLI.
[admin:controller]: > configure natpolicy POLICY_NAME
[admin:controller]: natpolicy> tenant_ref admin
[admin:controller]: natpolicy> rules
New object being created
[admin:controller]: natpolicy:rules> name RULE_NAME
[admin:controller]: natpolicy:rules> index 0
[admin:controller]: natpolicy:rules> enable
[admin:controller]: natpolicy:rules> match
[admin:controller]: natpolicy:rules:match> source_ip prefixes 10.10.10.0/24 match_criteria is_in
[admin:controller]: natpolicy:rules:match:source_ip> save
[admin:controller]: natpolicy:rules:match> services
[admin:controller]: natpolicy:rules:match:services> destination_port match_criteria is_in ports 1700
[admin:controller]: natpolicy:rules:match:services:destination_port> save
[admin:controller]: natpolicy:rules:match:services> protocol
[admin:controller]: natpolicy:rules:match:services:protocol> protocol protocol_udp match_criteria is_in
[admin:controller]: natpolicy:rules:match:services:protocol> save
[admin:controller]: natpolicy:rules:match:services> save
[admin:controller]: natpolicy:rules:match> save
[admin:controller]: natpolicy:rules> action type nat_policy_action_type_dynamic_ip_port
[admin:controller]: natpolicy:rules:action> nat_info
New object being created
[admin:controller]: natpolicy:rules:action:nat_info> nat_ip 20.20.20.20
[admin:controller]: natpolicy:rules:action:nat_info> save
[admin:controller]: natpolicy:rules:action> save
[admin:controller]: natpolicy:rules> save
[admin:controller]: natpolicy> save
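The following added example (not part of the original article or the product's own code) shows the failure condition as a pre-flight check: it finds port matches that carry a match criteria but no ports, and removes them so that side falls back to the default of all ports, as the CLI workaround does by omitting the source port. The dictionary layout is an assumption modelled on the CLI field names above, and the function names are hypothetical.

```python
import copy

# Constructed sample. The nested layout is an ASSUMPTION modelled on the CLI
# field names in this article, not a confirmed API schema.
SAMPLE_POLICY = {
    "name": "POLICY_NAME",
    "rules": [{
        "name": "RULE_NAME",
        "index": 0,
        "enable": True,
        "match": {
            "source_ip": {"match_criteria": "IS_IN", "prefixes": ["10.10.10.0/24"]},
            "services": {
                # What the affected UI sends for the port that was left blank:
                "source_port": {"match_criteria": "IS_IN", "ports": []},
                "destination_port": {"match_criteria": "IS_IN", "ports": [1700]},
            },
        },
    }],
}

PORT_FIELDS = ("source_port", "destination_port")


def find_empty_port_matches(policy):
    """Return (rule_name, field) pairs whose port match lists no ports."""
    findings = []
    for rule in policy.get("rules", []):
        services = (rule.get("match") or {}).get("services") or {}
        for field in PORT_FIELDS:
            port_match = services.get(field)
            if port_match is not None and not port_match.get("ports"):
                findings.append((rule.get("name", "<unnamed>"), field))
    return findings


def drop_empty_port_matches(policy):
    """Return a copy with empty port matches removed (input is not modified)."""
    cleaned = copy.deepcopy(policy)
    for rule in cleaned.get("rules", []):
        services = (rule.get("match") or {}).get("services") or {}
        for field in PORT_FIELDS:
            if field in services and not services[field].get("ports"):
                del services[field]
    return cleaned


if __name__ == "__main__":
    for rule_name, field in find_empty_port_matches(SAMPLE_POLICY):
        print(f"{rule_name}: {field} has a match criteria but no ports")
```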