Deterministic NAT mode breaks VPP

  • When I try to change the NAT mode to deterministic, after restarting the data plane, VPP crashes. Journalctl -xe reveals that VPP is complaining about a loopback interface. VPP stays crashed until I go into the running_db with Vim and change the NAT mode back to endpoint-dependent then reboot the system. Editing the config gets me back to a usable system but even after I edit the running_db and reboot I wind up having to negate part of my config related to BFD and re-apply the same config. Any ideas?

  • Rebel Alliance Developer Netgate

    What was the exact error message(s) from the log?

    Nothing immediately comes to mind that would break in that way.

  • I was able to switch to deterministic NAT mode. Somehow I set an MTU of 1500 for a loopback interface so I negated that part of the config. Also, I was attempting to restart the dataplane from in-band interface. After I negated the MTU and restarted the dataplane from the managment interface I was able to change the NAT mode to deterministic successfully.

    I have a new problem now. gi1/0/0 and gi1/0/1 are my inside interfaces and gi1/0/3 is my outside interface. I'm running BFD consumed by OSPF on the inside interfaces. My local neighbor is an ROS device. When I change the NAT mode to deterministic, my BFD sessions go down and the adjacency breaks. I saw a note in the docs about outside NAT breaking services in deterministic NAT mode but these are inside interfaces,

  • Netgate

    Deterministic NAT is a "CG-NAT". The design goal is to scale out against a very large number of endpoints with reduced (need for) logging. See, for example, RFC 7422.

    As noted, (thought the docs could be more clear), there isn't much chance of making inbound services work on the outside interface for the interface address in deterministic NAT mode.

    It could possibly work for services on the inside interfaces if the in2out node becomes an output feature on the outside interface, but that work isn't currently contemplated. If it's important to your use case, please get in-touch so we can help determine how to best proceed.

Log in to reply