NATed packets are dropped by ALG_PROCESS_TOKEN_FAIL due to NAT door limit being exceeded
Packet drops observed on HW level due to NAT features:
~~~~~~~~~~~~~~~~
ASR-Router#show platform hardware qfp active statistics drop | include Nat
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
...
NatIn2out                                  108432                11351246
NatOut2in                                    5660                  569489
...
~~~~~~~~~~~~~
A packet trace can be run...
e.g.
IOS XE Packet Tracer
debug platform condition interface port-channel 2 ipv4 access-list TAC ingress
debug platform condition start
debug platform packet-trace packet 8192 fia-trace
debug platform packet-trace enable
~~~~~~~~~~~~~
Dropped packets can be identified...
...
ASR-Router#show platform packet-trace summary | include DROP
~~~~~~~~~~~~~
A specific dropped packet can be further investigated (e.g. packet #7797) to find out why it was dropped.
...
e.g.
ASR-Router#show platform packet-trace packet 7797 | begin NAT
  Feature: NAT
    Direction : IN to OUT
    Action    : Drop
    Sub-code  : 002 - ALG_PROCESS_TOKEN_FAIL
~~~~~~~~~~~~~
One can look at the state of the NAT door to see if it's been exceeded...
e.g.
ASR-Router#show platform hardware qfp active feature nat datapath door
DOOR global stats:
door_count 250000 door_limit_fail_count 392316
~~~~~~~~~~~~~
The door count *should* fluctuate. The "door_limit_fail_count" value increments every time the limit is exceeded. The workaround can be applied as the door count approaches the limit. In our case, 250000.
clear ip nat translation *
NAT translated packets are dropped by NAT feature ALG_PROCESS_TOKEN_FAIL:
...
ASR-Router#show platform hardware qfp active feature nat datapath stats
non_extended 3016 entry_timeouts 3696 statics 5 static net 2 hits 29703 misses 2990
non_natted 287729831897
Proxy stats:
ipc_retry_fail 2312 cfg_rcvd 51 cfg_rsp 53
Subcode #2 ALG_PROCESS_TOKEN_FAIL 395077 <<<<<<<<<<
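The door check described above can be polled rather than run by hand. The following is an added example, not Cisco's or the page's own tooling: it compares two captures of the "datapath door" output and reports whether the limit was hit between polls or the count is approaching it. The 90% warning ratio, the function names and the sample captures are assumptions, and the output layout is assumed to match the excerpt shown on this page.

```python
import re

# Assumption: 250000 is the door limit for the platform on this page ("in our case");
# pass a different limit for other platforms or releases.
DOOR_LIMIT = 250000
DOOR_RE = re.compile(r"door_count\s+(\d+)\s+door_limit_fail_count\s+(\d+)")


def parse_door_stats(cli_output):
    """Return (door_count, door_limit_fail_count) from 'datapath door' output."""
    m = DOOR_RE.search(cli_output)
    if m is None:
        raise ValueError("door statistics not found in output")
    return int(m.group(1)), int(m.group(2))


def assess(prev_output, curr_output, limit=DOOR_LIMIT, warn_ratio=0.9):
    """Classify the door state from two consecutive polls.

    'exceeded': door_limit_fail_count grew, so packets were dropped in the interval.
    'warning' : door_count is at or above warn_ratio of the limit (hypothetical threshold).
    'ok'      : neither condition holds.
    """
    _, prev_fail = parse_door_stats(prev_output)
    count, fail = parse_door_stats(curr_output)
    new_fails = fail - prev_fail
    if new_fails < 0:
        # Counter went backwards: statistics were cleared or the router reloaded.
        new_fails = fail
    detail = {"door_count": count, "utilization": count / limit, "new_fails": new_fails}
    if new_fails > 0:
        return "exceeded", detail
    if count >= warn_ratio * limit:
        return "warning", detail
    return "ok", detail


# Constructed sample captures; only POLL_FULL uses the figures shown on this page.
POLL_LOW = "DOOR global stats:\ndoor_count 120000 door_limit_fail_count 391681\n"
POLL_NEAR = "DOOR global stats:\ndoor_count 231040 door_limit_fail_count 391681\n"
POLL_FULL = "DOOR global stats:\ndoor_count 250000 door_limit_fail_count 392316\n"

if __name__ == "__main__":
    for prev, curr in ((POLL_LOW, POLL_NEAR), (POLL_NEAR, POLL_FULL)):
        print(assess(prev, curr))
```

A "warning" result is the point at which the workaround on this page would be scheduled; an "exceeded" result means ALG_PROCESS_TOKEN_FAIL drops have already occurred in the interval.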