AWS VM-series - untrust interface - eating packets


L2 Linker

Hi Guys,

 

I am working on inbound (from the internet) flow on the VM-series untrust interface directly.

 

Set up -

VM-series FW - 3 interface -- Mgmt , Untrust , Trust

 

Client -> Internet GW -> EIP -> Firewall untrust interface eth1/1 -> (SNAT: eth1/2; DNAT: server private IP) -> Server

 

In the monitor log, I can see the SNAT & DNAT taking place, traffic being allowed by Security rule.

 

But nothing is getting forwarded to the Server ... No packets are received on the server-side.

 

I have checked routes:

default - 0.0.0.0/0 -- exit thru untrust -> IGW

private subnet - 10.x.x.x/24 -- thru Trust interface

 

Is this not bound to work with directly attaching the EIP to the untrust interface? The same set-up works fine with an NLB (network load balancer) in front of the VM-series FW (untrust interface).

 

Just to note - I have already opened a TAC support case, with no luck -- too much back and forth of info sharing, with zero constructive suggestions 😞

 

++ @jmeurer -- Any suggestions?

 

9 REPLIES

L3 Networker

@abhishah03 please send me an email to tostern@paloaltonetworks.com, then I want to have a deeper look into it.

Afterwards we can share the solution to the problem here.

 

Regards,

Torsten

"With unity we can do great things"

I've just sent you an email with all the details. Please check & suggest.

 

The interesting part is that everything works fine with the traffic ingress point changed to an AWS NLB, rather than utilizing the EIP of the untrust NIC.

L2 Linker

Make sure your SNAT rule is set with the original packet set to the untrust private IP and not the EIP. AWS SNATs on the way in, and the firewall sees the packet after the EIP translation. Also, ensure both interfaces are added to the VR.
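As an added illustration of the point in this reply (example code, not from the thread or from Palo Alto Networks), a small Python packet walk with constructed addresses: AWS rewrites the EIP to the untrust ENI's private IP before the firewall ever sees the packet, so a NAT rule whose original-packet destination is the EIP never matches, while the same rule keyed on the untrust private IP does.

```python
from dataclasses import dataclass

# Constructed addresses for illustration only; none are from the thread.
EIP = "203.0.113.10"           # Elastic IP associated with the untrust ENI (eth1/1)
UNTRUST_PRIVATE = "10.0.1.10"  # private IP of the untrust ENI: what the firewall sees
TRUST_PRIVATE = "10.0.2.10"    # private IP of the trust ENI (eth1/2), used as SNAT source
SERVER = "10.0.2.50"           # server in the private subnet (DNAT target)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    name: str
    match_dst: str  # "original packet" destination the rule matches on
    snat_to: str    # translated source (firewall's trust-side address)
    dnat_to: str    # translated destination (the server)


def aws_igw_inbound(pkt: Packet) -> Packet:
    """Model the AWS side: EIP -> ENI private IP translation happens before delivery."""
    if pkt.dst == EIP:
        return Packet(pkt.src, UNTRUST_PRIVATE)
    return pkt


def firewall_nat(pkt: Packet, rules):
    """Return (matched_rule_name, translated_packet); (None, pkt) when no rule matches."""
    for rule in rules:
        if pkt.dst == rule.match_dst:
            return rule.name, Packet(rule.snat_to, rule.dnat_to)
    return None, pkt


def inbound_flow(client_ip: str, rules):
    """Walk one inbound packet: client -> IGW/EIP -> untrust ENI -> NAT policy."""
    pkt = aws_igw_inbound(Packet(client_ip, EIP))
    matched, pkt = firewall_nat(pkt, rules)
    return matched, pkt.src, pkt.dst


# Misconfigured rule: matches on the EIP, which the firewall never sees as destination.
WRONG_RULE = NatRule("inbound-eip", match_dst=EIP, snat_to=TRUST_PRIVATE, dnat_to=SERVER)
# Corrected rule: matches on the untrust ENI's private IP, as the reply advises.
RIGHT_RULE = NatRule("inbound-untrust", match_dst=UNTRUST_PRIVATE, snat_to=TRUST_PRIVATE, dnat_to=SERVER)
```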

 

Yup, that's already in place.

 

Using the private (untrust) IP in NAT; both interfaces are also added to the VR.

 

 

L2 Linker

@abhishah03 what was the solution to your problem? Please advise the steps so we can also benefit from it.
