6 Replies Latest reply on Oct 10, 2014 10:25 AM by levi

    Having issues with a security policy disappearing

    anorton New Member

      We have created a NAT Overload that is pointed to a Tunnel as the NAT IP address.  Periodically the NAT Overload stops working, and when I look in the security policy to see why, the policy for NAT Overload is gone.  The tunnel is not going down, nor is the unit rebooting (this is saved as the startup config).  Any insight on why/how a security policy would just be systemically removed, or any other reason it could just disappear, would be greatly appreciated.

        • Re: Having issues with a security policy disappearing
          anorton New Member

          levi, any help on this?  We continue to lose internet connection as a result of the NAT Overload policies just disappearing with no rhyme or reason.  As soon as the policy is added back it works like a champ for a while and then disappears once again.

            • Re: Having issues with a security policy disappearing
              levi Employee

              anorton:


              There is no reason a few commands would be removed from the configuration randomly.  Are you adding the commands via the command line interface (CLI), or via the web interface?  Have you added the commands via the CLI and then saved and rebooted the unit?  What firmware version are you using on this unit?


              Levi

                • Re: Having issues with a security policy disappearing
                  anorton New Member

                  I had updated the Firmware Version to R11.4.1.E to ensure there were no known issues.  I have saved via the CLI ("copy r s" and "wr me") and saved in the Web GUI.


                  The commands are being added via the Web GUI.


                  The commands that have been added are:

                  ip policy-class Residents
                    nat source list web-acl-42 interface tunnel 1 overload
                    allow list self self
                    allow list web-acl-11

                  ip access-list extended web-acl-42
                    remark Nat Overload Residents
                    permit ip any any


                  Specifically, the nat overload line in the ip policy-class Residents is the one that seems to disappear.  Just wanted to verify whether the fact that the interface is a tunnel would have any effect on whether it gets removed or not.

                    • Re: Having issues with a security policy disappearing
                      levi Employee

                      anorton:


                      The fact that the NAT'ed address is to a tunnel interface will not remove the command.  It may cause the unit to no longer function, as it is NATting to an interface that is down, but it will not remove the command (unless there is a track assigned to it, which instructs the command to be removed when the interface goes down).  Some reasons commands will be dynamically removed from a unit are via n-Command MSP, a TCL script, a track, or if the unit reboots and the configuration command was not saved.


                      Levi

                        • Re: Having issues with a security policy disappearing
                          anorton New Member

                          The unit has rebooted or lost power, as it only shows up for 45 minutes, and the policy is gone once again, even though the config had been saved via the CLI and via the GUI.  There are no tracks set up on this unit.


                          I tried to re-enter the policy via the CLI and it won't let me add the NAT interface as a tunnel, but it does work successfully via the GUI.  Not sure if this is the cause or just another issue entirely.

                            • Re: Having issues with a security policy disappearing
                              levi Employee

                              anorton:


                              First, the main issue may be that the unit is losing power/rebooting.  I recommend correcting that first.  Then I suggest you add the IP address instead of the "interface tunnel" command in the CLI.  Next, if you make other configuration changes (such as adding a description to an interface) and save that, when the unit is rebooted, does that command remain?


                              Levi
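A way to catch this kind of drift before users report lost connectivity is to compare a saved copy of the config against a later running-config capture and flag any policy-class entry that has vanished. The script below is an added example, not code from this thread or from ADTRAN: it parses `ip policy-class` blocks in the AOS-style text shown in the thread (block ends at the next non-indented line, such as `!` or the next top-level command) and reports entries present in the saved capture but absent from the running one. Both config captures are constructed for the example; how you obtain them (a `show running-config` session over SSH, a stored startup config file) is assumed and not shown.

```python
"""Detect a NAT entry that has dropped out of an AOS-style ip policy-class.

Added example, not from the thread or from ADTRAN. It parses the
`ip policy-class` blocks in two plain-text config captures (saved and
running) and lists entries present in the saved copy but missing from the
running copy. The captures below are constructed; the '!' block separator
and the method of obtaining captures are assumptions.
"""
import re

# Constructed sample: the saved (startup) config as posted in the thread.
SAVED_CONFIG = """\
ip policy-class Residents
  nat source list web-acl-42 interface tunnel 1 overload
  allow list self self
  allow list web-acl-11
!
ip access-list extended web-acl-42
  remark Nat Overload Residents
  permit ip any any
"""

# Constructed sample: a later running-config capture with the nat line gone.
RUNNING_CONFIG = """\
ip policy-class Residents
  allow list self self
  allow list web-acl-11
!
ip access-list extended web-acl-42
  remark Nat Overload Residents
  permit ip any any
"""

BLOCK_START = re.compile(r"^ip policy-class (\S+)\s*$")


def parse_policy_classes(config_text):
    """Return {policy_class_name: [entry, ...]} for every ip policy-class block.

    A block runs until the next non-indented line ('!' or another top-level
    command). Entries are stripped and internal whitespace is collapsed so
    cosmetic spacing differences (e.g. 'any  any') do not count as changes.
    """
    classes = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        m = BLOCK_START.match(raw)
        if m:
            current = m.group(1)
            classes.setdefault(current, [])
            continue
        if raw[0] not in " \t":
            current = None  # non-indented line: we have left the block
            continue
        if current is not None:
            classes[current].append(" ".join(raw.split()))
    return classes


def find_missing_entries(saved_text, running_text, prefix=None):
    """List (class, entry) pairs found in saved_text but not in running_text.

    `prefix` optionally restricts the check to entries beginning with that
    keyword, e.g. 'nat' to watch only the NAT overload line.
    """
    saved = parse_policy_classes(saved_text)
    running = parse_policy_classes(running_text)
    missing = []
    for name, entries in saved.items():
        live = set(running.get(name, []))
        for entry in entries:
            if prefix and not entry.startswith(prefix):
                continue
            if entry not in live:
                missing.append((name, entry))
    return missing


if __name__ == "__main__":
    for cls, entry in find_missing_entries(SAVED_CONFIG, RUNNING_CONFIG, prefix="nat"):
        print(f"policy-class {cls}: missing '{entry}'")
```

Run on a schedule against fresh captures, a non-empty result from `find_missing_entries` is the signal to check uptime (to confirm a reboot, as Levi suggests) and to confirm the saved startup config actually contains the line, rather than waiting for the NAT overload to stop passing traffic.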