Missing tracert hops in VRF Other than Global

  • A NAT client on a non-Global VRF sees different traceroute output than a client on the Global VRF.
  • A static NAT entry will resolve the issue.
  • When NAPT is used to access the internet, hops are missing from tracert output.
  • It works if the NAT is done by a firewall.
  • The difference between the two is that the firewall replaces the inner packet in the ICMP error message with the original values.
  • S-Series
  • NAT 
  • Tracert
It appears that NAT is not handling an ICMP Time-to-live exceeded message. We should be NATing back the address in the inner packet.

If an ICMP error packet matches a NAT list rule, the inner packet may not be properly NATed back to the original source.
Upgrade to Firmware 8.62.01
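
The inner-packet translation described above, as an added Python example (not the S-Series firmware's code): `nat_back` reverses NAT on an inbound ICMP error for both the outer destination and the source address of the quoted packet, and `fix_inner=False` reproduces the behaviour where the quoted packet is left untranslated. All function names and the documentation-range addresses are constructed for illustration; only addresses are rewritten, so any NAPT port or ICMP identifier translation is assumed to leave the value unchanged.

```python
import struct
from ipaddress import IPv4Address as IP

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def fix(buf: bytearray, off: int) -> bytes:
    """Recompute the checksum field at `off` over the whole buffer."""
    buf[off:off + 2] = b"\x00\x00"
    buf[off:off + 2] = struct.pack("!H", csum(bytes(buf)))
    return bytes(buf)

def ip_header(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, protocol 1 (ICMP), valid checksum."""
    return fix(bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
               0, 0, ttl, 1, 0, IP(src).packed, IP(dst).packed)), 10)

def time_exceeded(hop: str, public: str, target: str) -> bytes:
    """Constructed sample: ICMP type 11 from `hop` quoting the translated probe."""
    probe = fix(bytearray(struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)), 2)
    quoted = ip_header(public, target, len(probe), ttl=1) + probe
    icmp = fix(bytearray(struct.pack("!BBHI", 11, 0, 0, 0) + quoted), 2)
    return ip_header(hop, public, len(icmp)) + icmp

def nat_back(pkt: bytes, public: str, inside: str, fix_inner: bool = True) -> bytes:
    """Reverse-translate an inbound ICMP error (address only, no port/ID rewrite)."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    outer[16:20] = IP(inside).packed              # outer destination -> inside client
    q = 8                                         # quoted IP header follows the ICMP header
    if fix_inner and icmp[0] in (3, 11, 12) and icmp[q + 12:q + 16] == IP(public).packed:
        q_len = (icmp[q] & 0x0F) * 4
        inner = bytearray(icmp[q:q + q_len])
        inner[12:16] = IP(inside).packed          # quoted source -> inside client
        icmp[q:q + q_len] = fix(inner, 10)        # quoted IP header checksum
        fix(icmp, 2)                              # ICMP checksum covers the quote
    return fix(outer, 10) + bytes(icmp)

def quoted_source(pkt: bytes) -> str:
    """Source address inside the quoted packet, as the client receives it."""
    return str(IP(pkt[(pkt[0] & 0x0F) * 4 + 20:][:4]))
if __name__ == "__main__":                        # constructed documentation addresses
    p = time_exceeded("203.0.113.1", "198.51.100.10", "192.0.2.50")
    print(quoted_source(nat_back(p, "198.51.100.10", "10.1.1.20")))
```

With `fix_inner=False` the quoted source remains the public NAT address, so the quoted header no longer matches the probe the inside client actually sent.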
