DNAT/SNAT with port translation traffic is impacted after upgrade to NSX-T 3.0
Article ID: 322596

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • An upgrade has been performed from NSX-T 2.5.x to NSX-T 3.0
  • SNAT/DNAT rules were created using the Policy UI or API on NSX-T 2.5.x
  • Datapath traffic flows configured for DNAT/SNAT are impacted
  • SNAT/DNAT rules use port translation
  • Example DNAT configuration (note that the service port 2222 and the translated port 22 are interchanged after the upgrade):

    Working DNAT configuration on 2.5.x
      Edge01> get firewall e7d73315-dad1-4228-bdca-c36d13387308 ruleset rules
      DNAT rule count: 1
      Rule ID   : 1028
      Rule      : in protocol tcp prenat from any to ip 10.10.10.12 port 2222 dnat ip 1.1.1.10 port 22 with log

    Problem DNAT configuration post upgrade to 3.0
      Edge01> get firewall e7d73315-dad1-4228-bdca-c36d13387308 ruleset rules
      DNAT rule count: 1
      Rule ID   : 1028
      Rule      : in protocol tcp prenat from any to ip 10.10.10.12 port 22 dnat ip 1.1.1.10 port 2222 with log


Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

During the upgrade from NSX-T 2.5.x to 3.0, a conversion takes place which interchanges the DNAT parameters "service port" and "translated port".

Resolution

This is a known issue affecting NSX-T Data Center 3.0. There is currently no resolution.

Workaround:
  • From the UI or API, edit all DNAT rules
  • Swap the port numbers in the "Service" and "Translated Port" fields
  • Note: for system services such as HTTP, SSH, etc., the port cannot be changed through either the API or the UI
    • For DNAT rules using these services, a new customized service must be created
    • Replace the system service in the DNAT rule with the customized service
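As an added check that is not part of the VMware article, the script below parses edge CLI output in the format quoted in the Symptoms section for a pre-upgrade and a post-upgrade ruleset and lists the DNAT rules whose service and translated ports were interchanged, so the rules needing the manual swap can be identified before editing them. It assumes the "get firewall ... ruleset rules" line format shown above is the one in use; the sample output embedded below is constructed from the article's example.

```python
import re
from typing import NamedTuple

# Rule line as printed by "get firewall <uuid> ruleset rules" on the edge
# (format taken from the article's Symptoms section; assumed unchanged).
RULE_RE = re.compile(
    r"Rule ID\s*:\s*(?P<id>\d+)\s+Rule\s*:\s*in protocol (?P<proto>\w+) prenat "
    r"from \S+ to ip (?P<dst>\S+) port (?P<svc>\d+) dnat ip (?P<xip>\S+) port (?P<xport>\d+)"
)

class DnatRule(NamedTuple):
    rule_id: int
    proto: str
    dst_ip: str
    service_port: int      # pre-NAT destination port the client connects to
    translated_ip: str
    translated_port: int   # destination port after translation

def parse_rules(cli_output: str) -> dict:
    """Parse every DNAT rule in the CLI output, keyed by rule ID."""
    return {int(m["id"]): DnatRule(int(m["id"]), m["proto"], m["dst"], int(m["svc"]),
                                   m["xip"], int(m["xport"]))
            for m in RULE_RE.finditer(cli_output)}

def find_swapped_rules(before: str, after: str) -> dict:
    """Return post-upgrade rules whose service and translated ports are the
    pre-upgrade values interchanged. Rules with no port translation cannot
    be affected by the conversion and are skipped."""
    pre, post = parse_rules(before), parse_rules(after)
    swapped = {}
    for rid, old in pre.items():
        new = post.get(rid)
        if new is None or old.service_port == old.translated_port:
            continue
        if (new.service_port, new.translated_port) == (old.translated_port, old.service_port):
            swapped[rid] = new
    return swapped

# Constructed sample: the two CLI outputs quoted in the Symptoms section.
BEFORE = ("DNAT rule count: 1\nRule ID   : 1028\nRule      : in protocol tcp prenat "
          "from any to ip 10.10.10.12 port 2222 dnat ip 1.1.1.10 port 22 with log\n")
AFTER = ("DNAT rule count: 1\nRule ID   : 1028\nRule      : in protocol tcp prenat "
         "from any to ip 10.10.10.12 port 22 dnat ip 1.1.1.10 port 2222 with log\n")

if __name__ == "__main__":
    for rid, r in find_swapped_rules(BEFORE, AFTER).items():
        # The fix from the Workaround: put the ports back the way they were.
        print(f"rule {rid}: set Service port to {r.translated_port} and "
              f"Translated Port to {r.service_port}")
```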