Cisco Bug: CSCvs06831 - CGN - NatIn2out drop after certain amount of translations per host

Last Modified

Jun 16, 2020

Products (1)

  • Cisco ASR 1000 Series Aggregation Services Routers

Known Affected Releases

16.6.6

Description (partial)

Symptom:
CGN drops In2out packets after a certain number of translations per host, even though more ports are available in the port set.

As per packet-trace,

	 Feature: NAT
	    Direction : IN to OUT
	    Action    : Drop 						 <------------------
	    Sub-code  : 043 - BPA_NO_PSET			 <------------------
	  Feature: NAT
	    Direction : IN to OUT
	    Action    : Drop
	    Sub-code  : 018 - ALLOC_ADDR_PORT_FAIL	 <------------------
	  Feature: OUTPUT_DROP
	    Entry       : Output - 0x700166f0
	    Input       : TenGigabitEthernet0/1/0
	    Output      : TenGigabitEthernet0/0/1
	    Lapsed time : 224 ns
	  Feature: IPV4_NAT_OUTPUT_FIA
	    Entry       : Output - 0x70011c9c
	    Input       : TenGigabitEthernet0/1/0
	    Output      : TenGigabitEthernet0/0/1
	    Lapsed time : 67434 ns
	Packet Copy In
	  0007b421 00c800a2 892697c0 08004508 003c409e 40003e06 84316440 042c345b
	  db1db71f 00502fdc 1ae20000 0000a002 3908384e 00000204 05b40402 080a00f1
	  5baa0000 00000103 0303
	  ARPA
	    Destination MAC     : 0007.b421.00c8
	    Source MAC          : 00a2.8926.97c0
	    Type                : 0x0800 (IPV4)
	  IPv4
	    Version             : 4
	    Header Length       : 5
	    ToS                 : 0x08
	    Total Length        : 60
	    Identifier          : 0x409e
	    IP Flags            : 0x2 (Don't fragment)
	    Frag Offset         : 0
	    TTL                 : 62
	    Protocol            : 6 (TCP)
	    Header Checksum     : 0x8431
	    Source Address      : x.x.x.44 					 <------------------
	    Destination Address : y.y.y.29					 <------------------
	  TCP
	    Source Port         : 46879							 <------------------
	    Destination Port    : 80
	    Sequence Number     : 0x2fdc1ae2
	    ACK Number          : 0x00000000
	    TCP flags           : 0xa002
	    Window              : 0x3908
	    Checksum            : 0x384e
	    Urgent Pointer      : 0x0000
	  Decode halted - end of packet copy reached


Even though there is more room left (Port set size: 2048 ports in each port set allocation), packets are dropped for sessions coming in from host x.x.x.44.

		#sh ip nat translations inside x.x.x.44
		Total number of translations: 47	  <----------current translations, which is far below the limit for the port set.


		#show ip nat bpa

		Paired Address Pooling (PAP)
		 Limit:            30 local addresses per global address
		Bulk Port Allocation (BPA)
		 Port set size:    2048 ports in each port set allocation    <------------------2048
		 Port step size:   1
		 Single set:       False

		#

Conditions:
The local user has already created a translation paired with a global IP address (PAP) for a given protocol (TCP or UDP). Taking TCP as the example: if that global IP address has run out of UDP port sets, the local user cannot create any UDP translation, even though it already has a TCP translation with that global IP address.
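
The condition above can be reproduced in a small model. This is an added sketch, not Cisco code and not part of the original bug text; it shows why a host with only a handful of translations still hits `BPA_NO_PSET`. Assumptions: the class and function names, the constructed addresses, a usable port range starting at 1024 (giving 31 port sets per protocol per global address), and that the PAP limit of 30 local addresses is not modeled.

```python
# Simplified model of PAP with per-protocol BPA port sets (added sketch, not Cisco code).
class Cgn:
    def __init__(self, global_ips, set_size=2048, sets_per_proto=31):
        # set_size is the "Port set size" from the page; sets_per_proto is an
        # assumption: (65535 - 1024 + 1) // 2048 usable sets per protocol.
        self.set_size, self.sets_per_proto = set_size, sets_per_proto
        self.free = {ip: {"tcp": list(range(sets_per_proto)),
                          "udp": list(range(sets_per_proto))} for ip in global_ips}
        self.pairing = {}   # PAP: local IP -> the one global IP it may use
        self.current = {}   # (local IP, proto) -> [port-set index, ports used]

    def translate(self, local_ip, proto):
        """Return (global IP, port), or the drop sub-code name seen in the trace."""
        key = (local_ip, proto)
        if key not in self.current or self.current[key][1] >= self.set_size:
            gip = self.pairing.get(local_ip)
            if gip is None:
                # Unpaired host: any global address with a free set will do.
                gip = next((g for g, f in self.free.items() if f[proto]), None)
            if gip is None or not self.free[gip][proto]:
                # A paired host cannot move to another global address, so free
                # sets elsewhere (or in the other protocol) do not help.
                return "BPA_NO_PSET"
            self.pairing[local_ip] = gip
            self.current[key] = [self.free[gip][proto].pop(0), 0]
        idx, used = self.current[key]
        self.current[key][1] += 1
        return (self.pairing[local_ip], 1024 + idx * self.set_size + used)


def reproduce():
    cgn = Cgn(["198.51.100.1", "198.51.100.2"])      # constructed global pool
    paired_host, heavy_host = "10.0.0.44", "10.0.0.9"  # constructed local hosts
    tcp_first = cgn.translate(paired_host, "tcp")    # pairs the host with .1
    for _ in range(cgn.sets_per_proto * cgn.set_size):
        cgn.translate(heavy_host, "udp")             # drains every UDP set on .1
    return {
        "tcp_first": tcp_first,
        "paired_udp": cgn.translate(paired_host, "udp"),  # dropped
        "paired_tcp": cgn.translate(paired_host, "tcp"),  # still works
        "new_host_udp": cgn.translate("10.0.0.50", "udp"),  # lands on .2
    }


if __name__ == "__main__":
    for name, result in reproduce().items():
        print(f"{name:13} -> {result}")
```

When triaging a drop like this, compare free port sets per protocol on the paired global address, not the host's translation count.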