Symptom
You may see incorrect (erroneous) SIP address translation in VRF_A even though no NAT is configured in this VRF.
Please, see "Conditions" to understand the issue details.
From the side of endpoint you may confirm this issue like this:
BANANE#ping vrf PROD 10.20.1.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.1.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
BANANE#
Jul 13 13:52:49.635: ICMP: echo reply rcvd, src 10.111.1.44, dst 10.16.1.4, topology BASE, dscp 0 topoid 2
Jul 13 13:52:49.636: ICMP: echo reply rcvd, src 10.111.1.44, dst 10.16.1.4, topology BASE, dscp 0 topoid 2
Jul 13 13:52:49.637: ICMP: echo reply rcvd, src 10.111.1.44, dst 10.16.1.4, topology BASE, dscp 0 topoid 2
Jul 13 13:52:49.638: ICMP: echo reply rcvd, src 10.111.1.44, dst 10.16.1.4, topology BASE, dscp 0 topoid 2
Jul 13 13:52:49.639: ICMP: echo reply rcvd, src 10.111.1.44, dst 10.16.1.4, topology BASE, dscp 0 topoid 2
however no NAT is configured in VRF PROD on N9K TOR.
Look at ip.src in "echo reply rcvd" versus ip.dst in "ping vrf ..."
Conditions
The next two conditions should be satisfied to hit this issue:
- you should have the overlapping address space in VRF_A and VRF_B
- you have static NAT translation in VRF_B, however no NAT in VRF_A
If you have the case, when apart from NAT in VRF_B you also utilize NAT in VRF_A, please, see CSCvd45870 for details - this is not your issue.
Workaround
No good workaround so far:
- if applicable, please, do NOT use static NAT translation in VRF_B for IP space, which is utilized in VRF_A as well.
Further Problem Description
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_01100.html#concept_AEC117FA9C0943CCB86297F827474D8F
