NAT66 seems to be broken in rolling build

Hello,

I updated my install from 1.5-rolling-202312040024 to 1.5-rolling-202405270020 and noticed that NAT66 is no longer working. Things work as expected after rolling back to 1.5-rolling-202312040024 with the same config.

Relevant config:

set nat66 destination rule 15 destination address 'xxxx:xxxx:0:9c:15::/80'
set nat66 destination rule 15 inbound-interface name 'eth0'
set nat66 destination rule 15 translation address 'xxxx:xxxx:e857:6601:15::/80'
set nat66 destination rule 16 destination address 'xxxx:xxxx:0:9c:16::/80'
set nat66 destination rule 16 inbound-interface name 'eth0'
set nat66 destination rule 16 translation address 'xxxx:xxxx:e857:6601:16::/80'
set nat66 destination rule 80 destination address 'xxxx:xxxx:0:9c:80::/80'
set nat66 destination rule 80 inbound-interface name 'eth0'
set nat66 destination rule 80 translation address 'xxxx:xxxx:e857:6601:80::/80'
set nat66 destination rule 198 destination address 'xxxx:xxxx:0:9c:e198::/80'
set nat66 destination rule 198 inbound-interface name 'eth0'
set nat66 destination rule 198 translation address 'xxxx:xxxx:e857:6601:e198::/80'
set nat66 source rule 1 outbound-interface name 'eth0'
set nat66 source rule 1 source prefix 'xxxx:xxxx:e857:6601:15::/80'
set nat66 source rule 1 translation address 'xxxx:xxxx:0:9c:15::/80'
set nat66 source rule 16 outbound-interface name 'eth0'
set nat66 source rule 16 source prefix 'xxxx:xxxx:e857:6601:16::/80'
set nat66 source rule 16 translation address 'xxxx:xxxx:0:9c:16::/80'
set nat66 source rule 80 outbound-interface name 'eth0'
set nat66 source rule 80 source prefix 'xxxx:xxxx:e857:6601:80::/80'
set nat66 source rule 80 translation address 'xxxx:xxxx:0:9c:80::/80'
set nat66 source rule 198 outbound-interface name 'eth0'
set nat66 source rule 198 source prefix 'xxxx:xxxx:e857:6601:e198::/80'
set nat66 source rule 198 translation address 'xxxx:xxxx:0:9c:e198::/80'

I noticed that with 1.5-rolling-202405270020 the translation timeouts were relatively short:

$ show nat66 source translations
Pre-NAT                           Post-NAT                     Proto    Timeout    Mark    Zone
--------------------------------  ---------------------------  -------  ---------  ------  ------
xxxx:xxxx:e857:6601:e198::4:62474  xxxx:xxxx:0:9c:e198::4:62474  tcp      88         0
xxxx:xxxx:e857:6601:e198::4:62477  xxxx:xxxx:0:9c:e198::4:62477  tcp      107        0

With 1.5-rolling-202312040024, the timeouts are relatively long:

$ show nat66 source translations
Pre-NAT                           Post-NAT                     Proto    Timeout    Mark    Zone
--------------------------------  ---------------------------  -------  ---------  ------  ------
xxxx:xxxx:e857:6601:e198::4:62428  xxxx:xxxx:0:9c:e198::4:62428  tcp      431978     0
xxxx:xxxx:e857:6601:e198::4:62435  xxxx:xxxx:0:9c:e198::4:62435  tcp      431915     0

The other thing I noticed was that show ipv6 neighbors with 1.5-rolling-202312040024 showed the pre-NAT address with a state of FAILED, which would seem to be expected.

Any idea what could be going on here? Would any other show command offer additional clues?

Thanks in advance!

Dave
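
An added example, not part of the original post: a small parser for the translations table shown above that labels each TCP entry by its remaining timeout and checks that the low 48 host bits survive the /80-to-/80 translation. It assumes the table is backed by Linux conntrack with kernel-default TCP timers (432000 s for ESTABLISHED, at most 300 s for any other state); the sample rows are constructed with the 2001:db8::/32 documentation prefix, and all function names are hypothetical.

```python
import ipaddress
import re

# Assumed Linux conntrack defaults (seconds); a router may override them.
# ESTABLISHED entries restart from 432000; every other TCP state is <= 300.
NON_ESTABLISHED_MAX = 300
HOST_MASK = (1 << 48) - 1   # host bits left by the /80 prefixes in the post

# Constructed sample in the column layout of the post (not real output).
SAMPLE = """\
Pre-NAT                           Post-NAT                     Proto    Timeout    Mark    Zone
--------------------------------  ---------------------------  -------  ---------  ------  ------
2001:db8:e857:6601:e198::4:62474  2001:db8:0:9c:e198::4:62474  tcp      88         0
2001:db8:e857:6601:e198::4:62428  2001:db8:0:9c:e198::4:62428  tcp      431978     0
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\b")

def split_port(endpoint):
    """Split the table's 'address:port' form on the last colon."""
    addr, _, port = endpoint.rpartition(":")
    return ipaddress.IPv6Address(addr), int(port)

def classify(timeout):
    """Heuristic: only ESTABLISHED uses a timer above NON_ESTABLISHED_MAX."""
    if timeout > NON_ESTABLISHED_MAX:
        return "established"
    return "not-established"   # handshake, teardown or retransmit timer

def parse(table):
    """Return one dict per TCP row; header and separator lines are skipped."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) != "tcp":
            continue
        (pre, sport), (post, dport) = split_port(m.group(1)), split_port(m.group(2))
        rows.append({
            "pre": str(pre), "post": str(post), "port": sport,
            "timeout": int(m.group(4)),
            "state": classify(int(m.group(4))),
            # Prefix translation should leave host bits and port untouched.
            "host_preserved": (int(pre) & HOST_MASK) == (int(post) & HOST_MASK)
                              and sport == dport,
        })
    return rows

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(r["pre"], r["port"], r["timeout"], r["state"], r["host_preserved"])
```

An established flow that has been idle for almost five days would also show a small remaining timeout, so the label is a hint to compare against `show conntrack` style state output rather than a verdict.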

Please also attach a topology diagram

Sure!
Vyos eth0 eth1