This article describes the issue of Source NAT failure after the Source NAT rules are re-ordered.
As customers may not be able to upgrade immediately, a practical workaround is required. However, it is highly recommended that customers upgrade the software to one of the following versions, which contain the fix, or to the Juniper recommended version:
- 10.4R13
- 11.4R6
- 12.1R5
As per lab testing, splitting the re-order process into two commits does not trigger the issue. However, with this workaround certain Source NAT rules are not active for a short period of time.
It is highly recommended to plan a maintenance window before executing this workaround. For example, assume the Source NAT rules are installed in the following order:
rule1 > rule2 > rule3 > rule4
The customer wants to insert rule4 before rule2:
rule1 > rule4 > rule2 > rule3
To achieve this change, perform the following procedure:
- Delete rule2, rule3, and rule4.
- Commit.
- Add rule4, rule2, and rule3, in that order.
- Commit.
As mentioned earlier, rule2, rule3, and rule4 are not active for a short period of time, between step 2 and step 4.
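The procedure above expressed as a Junos CLI session, added here as an illustration; it is not taken from the original article. The rule-set name rs-trust-to-untrust, the match addresses, the pool name pool-a and the hostname srx are assumed values; substitute the ones from your own configuration. A step that records the existing rule definitions before deleting them is included so the rules can be re-entered exactly.

```junos
## Added example (assumed rule-set, addresses and pool names).
## Current order: rule1 > rule2 > rule3 > rule4
## Target order:  rule1 > rule4 > rule2 > rule3

## Before step 1: capture the exact definitions of the rules you are about
## to delete, so they can be re-entered unchanged in step 3.
[edit]
user@srx# show security nat source rule-set rs-trust-to-untrust | display set

## Step 1: delete rule2, rule3 and rule4 (rule1 is left in place).
user@srx# delete security nat source rule-set rs-trust-to-untrust rule rule2
user@srx# delete security nat source rule-set rs-trust-to-untrust rule rule3
user@srx# delete security nat source rule-set rs-trust-to-untrust rule rule4

## Step 2: commit. From here until step 4 completes, traffic that matched
## rule2, rule3 or rule4 is no longer translated by those rules.
user@srx# commit

## Step 3: re-add the rules in the desired order: rule4, then rule2, then rule3.
## Rules within a rule-set are evaluated in configuration order, so the order
## of these set statements is what produces rule1 > rule4 > rule2 > rule3.
user@srx# set security nat source rule-set rs-trust-to-untrust rule rule4 match source-address 10.1.4.0/24
user@srx# set security nat source rule-set rs-trust-to-untrust rule rule4 then source-nat pool pool-a
user@srx# set security nat source rule-set rs-trust-to-untrust rule rule2 match source-address 10.1.2.0/24
user@srx# set security nat source rule-set rs-trust-to-untrust rule rule2 then source-nat pool pool-a
user@srx# set security nat source rule-set rs-trust-to-untrust rule rule3 match source-address 10.1.3.0/24
user@srx# set security nat source rule-set rs-trust-to-untrust rule rule3 then source-nat pool pool-a

## Step 4: commit.
user@srx# commit

## Verify the resulting order in the configuration and that all four rules
## are present and active in the running NAT table.
user@srx# show security nat source rule-set rs-trust-to-untrust
user@srx# run show security nat source rule all
```

The `show ... | display set` output from the first step gives the exact `set` statements to paste back in step 3; only their order changes. The window between the two commits is the period during which rule2, rule3 and rule4 are inactive, which is why the article recommends a maintenance window.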