Cisco Bug: CSCun11364 - DOC bug: NAT/FTP fails if traffic is asymmetric through 2 different boxes

Last Modified

Oct 24, 2018

Products (13)

  • Cisco IOS
  • Cisco ASR 901-6CZ-F-D Router
  • Cisco ASR 901-4C-FT-D Router
  • Cisco ME 3600X-24TS-M Switch
  • Cisco ASR 901-6CZ-F-A Router
  • Cisco ASR 901-6CZ-FT-A Router
  • Cisco ASR 901-12C-FT-D Router
  • Cisco ME 3600X-24FS-M Switch
  • Cisco ASR 901-4C-F-D Router
  • Cisco ASR 901-6CZ-FT-D Router

Known Affected Releases

15.3(2)S1

Description (partial)

Symptom:
NAT/FTP (ALG) fails if traffic is asymmetric across 2 different boxes.

For example, there are 2 routers in the setup, both doing NAT for the FTP server with the same NAT configuration, and client-->server traffic comes in on Router1 while server-->client traffic goes out via Router2. The failure can arise in 2 situations:

1) If the packet length differs pre-NAT and post-NAT (the translated address written into the FTP payload is longer or shorter than the original), the ALG records a length delta for that connection and must apply a corresponding seq/ack correction to the packets that follow. FTP traffic with such a pre-NAT/post-NAT length delta does not work across different routers, because the delta applied to the next seq/ack is derived from the last packet; if that last packet went through the other router, this router has no record of the delta and the correction is not made.

2) Apart from the seq/ack delta, the ALG also maintains call context data. If this context is formed in one router and the expected message flows through the other router, payload translation may fail.
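
The following is an added example and is not code from the bug report or from Cisco IOS: a small Python model of the per-connection seq/ack fix-up that a NAT FTP ALG has to keep for failure mode 1 above, run once with symmetric routing and once with the server-->client reply leaving through a second router. The client, inside and outside addresses, the sequence numbers and the 227 reply are constructed for the example; the one-to-one NAT mapping and the ALG bookkeeping are deliberate simplifications, not IOS internals.

```python
import re
from dataclasses import dataclass

# Constructed addresses for the scenario (hypothetical, not from the bug report)
CLIENT_IP = "198.51.100.20"
SERVER_INSIDE = "10.1.1.10"      # FTP server's real (inside local) address
SERVER_OUTSIDE = "203.0.113.10"  # NAT (inside global) address configured on both routers

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as the ALG has to parse it (RFC 959)
PASV_RE = re.compile(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class Packet:
    src: str
    dst: str
    seq: int      # TCP sequence number
    ack: int      # TCP acknowledgement number
    payload: bytes


class NatFtpAlg:
    """Simplified model of one router's NAT + FTP ALG state for a single control connection."""

    def __init__(self, name):
        self.name = name
        # cumulative bytes the ALG added to the server->client byte stream (the seq/ack delta);
        # this state lives only on the router that rewrote the payload
        self.seq_delta = 0

    def server_to_client(self, pkt):
        """Outbound control segment: translate the source, rewrite a 227 reply, fix up seq."""
        # earlier growth of the stream shifts every later segment's sequence number
        seq = pkt.seq + self.seq_delta
        payload = pkt.payload
        m = PASV_RE.search(payload)
        if m and payload.startswith(b"227"):
            new_addr = SERVER_OUTSIDE.replace(".", ",").encode()
            payload = payload[:m.start(1)] + new_addr + payload[m.end(4):]
            # the rewrite changed the length: later seq/ack numbers must be corrected by this delta
            self.seq_delta += len(payload) - len(pkt.payload)
        return Packet(SERVER_OUTSIDE, pkt.dst, seq, pkt.ack, payload)

    def client_to_server(self, pkt):
        """Inbound control segment: translate the destination and convert the client's ACK
        (which counts post-NAT bytes) back into the server's sequence space."""
        return Packet(pkt.src, SERVER_INSIDE, pkt.seq, pkt.ack - self.seq_delta, pkt.payload)


def simulate(asymmetric):
    """Return how far the client's ACK, as delivered to the server, overshoots the server's SND.NXT.

    0 means the ACK is valid. A positive value means the server is acknowledged for bytes it
    never sent (SEG.ACK > SND.NXT), which TCP discards, so the control connection stalls.
    """
    r1, r2 = NatFtpAlg("Router1"), NatFtpAlg("Router2")
    server_snd_nxt = 1000
    reply = b"227 Entering Passive Mode (10,1,1,10,39,16).\r\n"  # constructed sample reply

    # server -> client leaves via Router2 when routing is asymmetric, else via Router1
    egress = r2 if asymmetric else r1
    translated = egress.server_to_client(
        Packet(SERVER_INSIDE, CLIENT_IP, server_snd_nxt, 500, reply))
    server_snd_nxt += len(reply)

    # the client acknowledges exactly the bytes it saw, i.e. the post-NAT length
    client_ack = translated.seq + len(translated.payload)
    # client -> server always enters via Router1, which may or may not hold the delta
    delivered = r1.client_to_server(Packet(CLIENT_IP, SERVER_OUTSIDE, 500, client_ack, b""))
    return delivered.ack - server_snd_nxt


if __name__ == "__main__":
    print("symmetric  ACK overshoot:", simulate(asymmetric=False))
    print("asymmetric ACK overshoot:", simulate(asymmetric=True))
```

With "10,1,1,10" rewritten to "203,0,113,10" the reply grows by 3 bytes. In the symmetric run Router1 both created and applies the delta, so the ACK delivered to the server matches its SND.NXT; in the asymmetric run Router2 created the delta but Router1 receives the ACK, forwards it unchanged, and the server sees an ACK 3 bytes beyond anything it sent.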

Conditions:
NAT/FTP traffic with asymmetric flows through 2 different boxes.