RE: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-31 Thread Aaron Gould
Thanks for your replies...

In the last week or so I've been testing further... 

Using the following items to slow/alleviate the otherwise randomness of IPs
and ports being generated via my cgnat boundary nodes...

APP - Address pooling paired
EIM - Endpoint independent mapping
EIF - Endpoint independent filtering (session-limit and outbound refresh are
recommended)
AMS Load balancing hash-key src-ip on my inside domain interface

These combinations of options seem to cause a few nicer things to occur to
help gaming and peer-to-peer and banking websites to work as they should.

Let me know if you have seen similar issues and successes or failures with
your cgnat deployment.

-Aaron
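
As an added illustration (not part of the original post and not Junos code), here is a toy model of the three behaviours listed above, using the RFC 4787 meanings of paired pooling, endpoint-independent mapping and endpoint-independent filtering. The class, the allocator and every address are constructed for the example; it shows why a peer that learns the subscriber's public address from a rendezvous server can only reach it when the mapping stays stable.

```python
POOL = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]  # constructed pool

class Cgnat:
    """Toy NAT: the flags mirror APP, EIM and EIF; allocation is simplified."""
    def __init__(self, app, eim, eif):
        self.app, self.eim, self.eif = app, eim, eif
        self.ips, self.ports = {}, {}   # allocation key -> public IP / public port
        self.sessions = {}              # public (ip, port) -> (inside, {remotes contacted})

    def outbound(self, inside, remote):
        # EIM: the mapping depends only on the inside ip:port, not on the destination.
        map_key = inside if self.eim else (inside, remote)
        # APP: every flow from one subscriber address shares a single public IP.
        ip_key = inside[0] if self.app else map_key
        ip = self.ips.setdefault(ip_key, POOL[len(self.ips) % len(POOL)])
        port = self.ports.setdefault(map_key, 1024 + len(self.ports))
        self.sessions.setdefault((ip, port), (inside, set()))[1].add(remote)
        return (ip, port)

    def inbound(self, remote, public):
        inside, remotes = self.sessions.get(public, (None, set()))
        # EIF: any remote may use an existing mapping; otherwise only contacted remotes.
        return inside if inside and (self.eif or remote in remotes) else None

def hole_punch(nat):
    console = ("100.64.0.10", 9308)      # constructed inside host (RFC 6598 space)
    rendezvous = ("203.0.113.5", 3478)   # constructed STUN-like server
    peer = ("192.0.2.77", 40000)         # constructed remote player
    stranger = ("192.0.2.99", 5000)      # constructed host the console never contacted
    seen_by_server = nat.outbound(console, rendezvous)  # address the peer is told about
    seen_by_peer = nat.outbound(console, peer)          # console's punch packet
    second_flow = nat.outbound((console[0], 9309), rendezvous)
    return {
        "stable_mapping": seen_by_server == seen_by_peer,
        "peer_reaches_console": nat.inbound(peer, seen_by_server) == console,
        "unsolicited_allowed": nat.inbound(stranger, seen_by_server) == console,
        "paired_ip": second_flow[0] == seen_by_server[0],
    }

if __name__ == "__main__":
    for flags in [(True, True, True), (True, True, False), (False, False, False)]:
        print(dict(zip(("app", "eim", "eif"), flags)), hole_punch(Cgnat(*flags)))
```

The `unsolicited_allowed` result is the exposure that comes with EIF: any remote can send to an open mapping, which is why the post notes session-limit alongside it.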




Re: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-23 Thread Ross Tajvar
That would be Sony...

On Sun, Jul 22, 2018, 10:24 AM Ca By wrote:

> On Sun, Jul 22, 2018 at 6:23 AM Radu-Adrian Feurdean <
> na...@radu-adrian.feurdean.net> wrote:
>
> > On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote:
> > > I don't know if it's fixed on the endpoints, or in the cgnat config or
> > what.
> >
> > Not specific to Juniper, but it's NOT fixed.
> > You'll either start spending time on work-arounds or you start selling a
> > new service with dedicated public IPv4 - more expensive than the CGNATed
> > one. Or you can afford to still delay deploying CGN.
>
>
> Or, do us all a favor, and leave PS4 broken and refer your customers to
> Nintendo for them to support IPv6. If you don't, then we all remain hostage
> to Nintendo and their dedicated IPv4 bs
>
>
> >
>


Re: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-22 Thread Ca By
On Sun, Jul 22, 2018 at 6:23 AM Radu-Adrian Feurdean <
na...@radu-adrian.feurdean.net> wrote:

> On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote:
> > I don't know if it's fixed on the endpoints, or in the cgnat config or
> what.
>
> Not specific to Juniper, but it's NOT fixed.
> You'll either start spending time on work-arounds or you start selling a
> new service with dedicated public IPv4 - more expensive than the CGNATed
> one. Or you can afford to still delay deploying CGN.


Or, do us all a favor, and leave PS4 broken and refer your customers to
Nintendo for them to support IPv6. If you don't, then we all remain hostage
to Nintendo and their dedicated IPv4 bs


>


Re: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-22 Thread Radu-Adrian Feurdean
On Thu, Jul 19, 2018, at 16:34, Aaron Gould wrote:
> I don't know if it's fixed on the endpoints, or in the cgnat config or what.

Not specific to Juniper, but it's NOT fixed. 
You'll either start spending time on work-arounds or you start selling a new 
service with dedicated public IPv4 - more expensive than the CGNATed one. Or 
you can afford to still delay deploying CGN.


Re: issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-19 Thread Matt Erculiani
One of the biggest deal-breakers about the Multiservices DPC and MPC is
that it does not support NAT Traversal (UDP hole punching), which is
probably the reason you're having trouble with the PS4 online gaming. It
also messes with VoIP too.

As for the IPsec issue, I'm not sure if that would be related to NAT-T, but
you'd probably need logs. Might just be easier to give anyone using an
IPsec tunnel a public IP.

-M

On Thu, Jul 19, 2018, 09:35 Aaron Gould wrote:

> (please forgive cross-posting between jnsp and nanog. looking for anyone who
> could help shed light)
>
> I moved customers behind MS-MPC-128G (MX960) CGNat boundary a few nights
> ago. for the most part it went well. with these couple issues. please let me
> know what you know about this and how to fix. I don't know if it's fixed on
> the endpoints, or in the cgnat config or what.
>
> 1 - IPSEC VPN
>
> -Customer said the vpn connect light on cisco vpn router blinks (not
> connected to vpn)
>
> -I found out the vpn addresses that this cisco vpn router is trying
> to connect to.
>
> -I did a fix in cgnat rule stanza where all UDP 500 and 4500 traffic
> to that distant vpn endpoint(s) will always be natted to one and only one ip
> address (I did this thinking that the changing ip of the public pool
> assigned ip addresses for udp 500 and 4500 was possibly breaking it)
>
> 2 - PS4 gaming
>
> -Customer said playing a few games (call of duty, etc) with Internet
> players now doesn't work.
>
> -They said the PS4 nat type is nat type 3 (strict) whereas before
> the moved them to cgnat, it was NAT type 2 moderate and worked.
>
> -Aaron


issues through CGNat (juniper ms-mpc-128g in mx960)

2018-07-19 Thread Aaron Gould
(please forgive cross-posting between jnsp and nanog. looking for anyone who
could help shed light)

 

I moved customers behind MS-MPC-128G (MX960) CGNat boundary a few nights
ago. for the most part it went well. with these couple issues. please let me
know what you know about this and how to fix. I don't know if it's fixed on
the endpoints, or in the cgnat config or what.

 

1 - IPSEC VPN

-Customer said the vpn connect light on cisco vpn router blinks (not
connected to vpn)

-I found out the vpn addresses that this cisco vpn router is trying
to connect to.

-I did a fix in cgnat rule stanza where all UDP 500 and 4500 traffic
to that distant vpn endpoint(s) will always be natted to one and only one ip
address (I did this thinking that the changing ip of the public pool
assigned ip addresses for udp 500 and 4500 was possibly breaking it)

 

2 - PS4 gaming

-Customer said playing a few games (call of duty, etc) with Internet
players now doesn't work.

-They said the PS4 nat type is nat type 3 (strict) whereas before
the moved them to cgnat, it was NAT type 2 moderate and worked.

 

 

-Aaron