This article describes an issue where ‘Dynamic IP consistency’ for Carrier Grade NAT (CGNAT) is not working as expected.
In this scenario, CGNAT resource allocation IP Pools are configured with a range of external IP addresses, and the expectation is that a given client should consistently receive port-block-allocations (PBAs) for the same external IP.
However, users may observe that they are getting PBAs from multiple public IPs within the IP Pool, which can cause problems.
FortiGate version 6.2.6, 7.0.5, 7.2.1 and later. NP7 Hyperscale Firewall.
Hyperscale firewall CGNAT configuration starts by creating one or more CGN resource allocation IP pools.
There are five different types or modes of CGNAT resource allocation IP pools, though only four support the 'Dynamic IP consistency' feature. Refer to this link for documentation regarding each mode and the supported features:
A definition of "Dynamic IP Consistency" is available here:
Bear in mind that 'Dynamic IP consistency' is dependent on the 'hash-config' setting under ‘config system npu’, which is used to configure how the internal switch fabric (ISF) load-balances sessions across NP7 processors.
The default setting for ‘hash-config’ depends on the number of NP7 processors present on the FortiGate (‘5-tuple’ for models with an even number of NP7 processors and ‘src-dst-ip’ for models with an odd number of NP7 processors). The following shows the CLI commands that display this information, along with sample output from a FortiGate-3500F:
FortiGate-3500F (global) # dia npu np7 info
SN : FG3K5Fxxxxxxxx
nr_chip : 3
np_0 : 0000:2a:00.0
np_1 : 0000:69:00.0
np_2 : 0000:aa:00.0
FortiGate-3500F (global) # config sys npu
FortiGate-3500F (npu) # get | grep hash
hash-config : src-dst-ip
hash-tbl-spread : enable
One issue that can occur when ‘hash-config’ is set to ‘5-tuple’ or ‘src-dst-ip’ is that sessions from a given client may be distributed across multiple NP7 processors.
While this is beneficial for performance, it can result in one client’s sessions being NAT’ed across multiple public IPs, because each NP7 processor allocates its own port block from the IP Pool.
To resolve this issue, set ‘hash-config’ to ‘src-ip’, which results in all sessions from a given source IP being processed by the same NP7 processor:
# config system npu
set hash-config src-ip
end
! BE AWARE THAT CHANGING ‘hash-config’ WILL CAUSE THE FORTIGATE TO RESTART!
The following example demonstrates a CGNAT configuration on a FortiGate-3500F and the impact of the ‘hash-config’ option:
Next, the IP Pool is applied to a firewall policy:
The output indicates that multiple PBAs were allocated across multiple external IPs:
The above example indicates that the first three sessions were allocated to the NP7_0 processor and SNAT IP address of 10.200.200.2.
The next three sessions were then offloaded to NP7_1 with SNAT IP 10.200.200.1, and finally, the last three sessions were offloaded to NP7_2 with SNAT IP 10.200.200.2.
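The following is an added toy model, not Fortinet code, of the mechanism described above: it shows why ‘5-tuple’ and ‘src-dst-ip’ can spread one client's sessions across NP7 processors (and so across external IPs of the pool), while ‘src-ip’ keeps them on one NP7. The NP7 selection hash (a byte sum) and the per-NP7 port-block allocation (round-robin starting at a different pool slot per NP7) are assumptions standing in for the real ISF and NP7 behaviour; the three NP7s and the pool IPs 10.200.200.1 and 10.200.200.2 follow the FortiGate-3500F example on this page.

```python
# Added example, not Fortinet code: toy model of how 'hash-config' decides
# whether one client's sessions stay on one NP7, and so on one external IP.
# NP selection hash and per-NP7 port-block allocation are assumptions.
from collections import defaultdict

NP_COUNT = 3                                 # nr_chip from 'dia npu np7 info'
IP_POOL = ["10.200.200.1", "10.200.200.2"]   # external IPs of the CGN IP pool

def hash_key(flow, hash_config):
    """Fields the ISF hashes on for each hash-config mode."""
    src, dst, sport, dport, proto = flow
    return {"src-ip": (src,),
            "src-dst-ip": (src, dst),
            "5-tuple": (src, dst, sport, dport, proto)}[hash_config]

def select_np(flow, hash_config, np_count=NP_COUNT):
    """NP7 index owning this session (toy hash: byte sum of the key, mod N)."""
    key = "|".join(map(str, hash_key(flow, hash_config)))
    return sum(key.encode()) % np_count

class Np7:
    """Each NP7 allocates port blocks independently (assumption): a client's
    first block on NP7 k comes from pool slot k, then round-robin."""
    def __init__(self, index):
        self.pba = {}            # client src IP -> external IP on this NP7
        self.next_slot = index
    def allocate(self, src):
        if src not in self.pba:
            self.pba[src] = IP_POOL[self.next_slot % len(IP_POOL)]
            self.next_slot += 1
        return self.pba[src]

def external_ips_per_client(flows, hash_config):
    """Map each client to the set of external IPs its sessions were SNAT'ed to."""
    nps = [Np7(i) for i in range(NP_COUNT)]
    used = defaultdict(set)
    for flow in flows:
        used[flow[0]].add(nps[select_np(flow, hash_config)].allocate(flow[0]))
    return dict(used)

def is_consistent(flows, hash_config):
    """True when every client kept a single external IP across its sessions."""
    return all(len(ips) == 1 for ips in external_ips_per_client(flows, hash_config).values())

# Constructed sample: one client opening nine sessions to three servers.
FLOWS = [("10.1.1.10", f"203.0.113.{d}", 40000 + i, 443, "tcp")
         for i, d in enumerate([1, 2, 3] * 3)]

if __name__ == "__main__":
    for mode in ("5-tuple", "src-dst-ip", "src-ip"):
        print(f"{mode:11} consistent={is_consistent(FLOWS, mode)}",
              external_ips_per_client(FLOWS, mode))
```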