Technical Tip: Using 'SNAT-route-change' to update existing NAT session after routing change (e.g. after IPSEC tunnel is up)

mtse · ‎10-21-2020

Description

This article describes when the client on the left (private IP 192.168.10.10) needs to access the host on the right (IP 192.168.20.20) via IPSEC tunnel configured on the FortiGate.

Only traffic to the 192.168.20.20 will be routed to the IPSEC tunnel while all other Internet traffic goes via the local WAN1. SNAT is performed by FortiGate-A.

The option 'snat-route-change' can control what action the existing SNAT session needs to take after route change.

By default, it is disabled. So after a routing change, sessions with SNAT keep using the same outbound interface, as long as the old route is still active.

config system global
set snat-route-change disable

end

So when the FortiGate is first powered up, or the WAN port is restored after failure, it may happens that FGT-A mistakenly uses its WAN port IP (192.168.0.100) instead of the IPSEC tunnel IP(192.168.50.50) as the public IP for the SNAT because it is the only route to the destination before the IPSEC tunnel is successfully set up.

Even after the IPSEC tunnel has been successfully set up, connectivity to the host 192.168.20.20 is still lost because it keeps using the old SNAT session with wrong IP.

Before the IPSEC tunnel is up, FGT-A tries to reach the host 192.168.20.20 via the default route WAN1.

FGT-A(root) # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 192.168.0.1, wan1

FG81EPTK19-----7 (root) # diagnose sys session list

session info: proto=17 proto_state=00 duration=24 expire=155 timeout=0 flags=00000000 sockflag=00000000 sockport=5060 av_idx=6 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=sip vlan_cos=0/255
state=redir log local may_dirty npu nlb ha_replicate f00 inherit_sockport
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=36->5/5->36 gwy=192.168.0.1/0.0.0.0
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.0.100:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060- >192.168.0.100:65476(192.168.10.10:5060)    (Before IPSEC is up, WAN IP 192.168.0.100 is used)
hook=post dir=reply act=noop 192.168.20.20:5060->192.168.10.10:5060(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000168b tos=6e/6e app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: redir-to-av
total session 1

Scope

FortiGate.

Solution

When 'snat-route-change' is enabled, after a routing change, routing information is flushed from existing SNAT sessions; so, the existing SNAT sessions can use the new best route which in this case is the IPSEC interface. To enable 'snat-route-change', run the following commands in the CLI:

config system global
set snat-route-change enable

end

After the IPSEC tunnel is up, there is a more-specific route to 192.168.20.20 via IPSEC and FGT-A can automatically correct its existing SNAT session to use the new routing.

FG81EPTK19-----7 (root) # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 192.168.0.1, wan1
S       192.168.0.0/16 [15/0] via 200.10.10.100, p1-tunnel

FG81EPTK19-----7 (root) # diagnose sys session lis

session info: proto=17 proto_state=01 duration=4 expire=175 timeout=0 flags=00000000 sockflag=00000000 sockport=5060 av_idx=6 use=7
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=p1-kltac/ helper=20 vlan_cos=0/255
state=redir local may_dirty npu npd nlb ha_replicate inherit_sockport
statistic(bytes/packets/allow_err): org=1924/3/1 reply=1796/3/1 tuples=3
tx speed(Bps/kbps): 434/3 rx speed(Bps/kbps): 405/3
orgin->sink: org pre->post, reply pre->post dev=36->37/37->36 gwy=210.19.8.106/192.168.10.10
hook=post dir=org act=snat 192.168.10.10:5060->192.168.20.20:5060(192.168.50.50:65476)
hook=pre dir=reply act=dnat 192.168.20.20:5060->192.168.50.50:65476(192.168.10.10:5060) (Now the SNAT session can automatically update to use the IPSEC IP for SNAT)
hook=post dir=reply act=noop 192.168.20.20:5060->192.168.10.10:5060(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=0000191f tos=6e/6e app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x3100000
npu info: flag=0x82/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: redir-to-av offload-denied helper
total session 1

Related article:

Troubleshooting Tip: Routing Changes and SNAT (snat-route-change)

Technical Tip: Using 'SNAT-route-change' to update existing NAT session after routing change (e.g. after IPSEC tunnel is up)

You are leaving our website