We have created a NAT Overload that points to a Tunnel as the NAT IP address. Periodically the NAT Overload stops working, and when I look at the security policies to see why, the policy for NAT Overload is gone. The tunnel is not going down, nor is the unit rebooting (this is saved as the startup config). Any insight on why/how a security policy would just be systemically removed, or any other reason it could just disappear, would be greatly appreciated.
Any help on this would be appreciated, as we continue to lose internet connection as a result of the NAT Overload policies just disappearing with no rhyme or reason. As soon as the policy is added back it works like a champ for a while and then disappears once again.
There is no reason a few commands would be removed from the configuration randomly. Are you adding the commands via the command line interface (CLI), or via the web interface? Have you added the commands via the CLI and then saved and rebooted the unit? What firmware version are you using on this unit?
I had updated the firmware to version R11.4.1.E to ensure there were no known issues. I have saved via the CLI ("copy r s" and "wr me") and saved in the Web GUI.
The commands are being added via the Web GUI.
The commands that have been added are:
ip policy-class Residents
  nat source list web-acl-42 interface tunnel 1 overload
  allow list self self
  allow list web-acl-11
ip access-list extended web-acl-42
  remark Nat Overload Residents
  permit ip any any
Specifically, the nat overload line in the ip policy-class Residents is the one that seems to disappear. I just wanted to verify whether the fact that the interface is a tunnel would have any effect on whether it is removed or not.
The fact that the NAT'ed address is to a tunnel interface will not remove the command. It may cause the unit to no longer function as it is NATing to an interface that is down, but it will not remove the command (unless there is a track assigned to it, which instructs the command to be removed when the interface goes down). Some reasons commands will be dynamically removed from a unit are via n-Command MSP, TCL Script, Track, or if the unit reboots and the configuration command was not saved.
The unit rebooted or lost power, as it only shows up for 45 minutes and the policy is gone once again, even though the config had been saved via the CLI and via the GUI. There are no tracks set up on this unit.
I tried to re-enter the policy via the CLI and it won't let me add the NAT interface as a tunnel, but it does work successfully via the GUI. Not sure if this is the cause or just another issue entirely.
First, the main issue may be that the unit is losing power/rebooting. I recommend correcting that first. Then I suggest you add the IP address instead of the "interface tunnel" command in the CLI. Next, if you make other configuration changes (such as adding a description to an interface) and save them, does that command remain when the unit is rebooted?
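As an added example (not code from the thread or from the vendor), the check I would run after each unexplained outage: parse the policy-class blocks out of the saved startup config and the current running config and report any "nat source" entry that was saved but is no longer active. The two configs below are constructed samples in the AOS-style layout shown above; in practice they would be the text of "show run" and "show startup-config".

```python
import re
from typing import Dict, List, Optional

# Constructed sample: running config after the nat line has "disappeared".
RUNNING_CONFIG = """\
ip policy-class Residents
  allow list self self
  allow list web-acl-11
ip access-list extended web-acl-42
  remark Nat Overload Residents
  permit ip any any
"""

# Constructed sample: the startup config as it was saved.
STARTUP_CONFIG = """\
ip policy-class Residents
  nat source list web-acl-42 interface tunnel 1 overload
  allow list self self
  allow list web-acl-11
ip access-list extended web-acl-42
  remark Nat Overload Residents
  permit ip any any
"""


def parse_policy_classes(config: str) -> Dict[str, List[str]]:
    """Group the indented entries under each 'ip policy-class <name>' header."""
    classes: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = re.match(r"^ip policy-class (\S+)", line)
        if header:
            current = header.group(1)
            classes.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            classes[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return classes


def missing_nat_entries(running: str, startup: str) -> Dict[str, List[str]]:
    """Per policy-class, the 'nat source ...' entries saved in startup-config
    but absent from running-config, i.e. the drift described in the thread."""
    run, start = parse_policy_classes(running), parse_policy_classes(startup)
    drift: Dict[str, List[str]] = {}
    for name, entries in start.items():
        present = set(run.get(name, []))
        lost = [e for e in entries if e.startswith("nat source") and e not in present]
        if lost:
            drift[name] = lost
    return drift
```

An empty result means the saved and active policy-classes agree; a non-empty one pinpoints which class lost its NAT entry, which narrows the search to the removal paths named earlier (reboot without a saved config, a track, a TCL script or n-Command MSP).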