...
NAT doors are not closed. Verification: show platform hardware qfp active feature nat datapath door
Packet drops observed on HW level due to NAT features:
~~~~~~~~~~~~~~~~
ASR-Router#show platform hardware qfp active statistics drop | include Nat
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
...
NatIn2out                                  108432                11351246
NatOut2in                                    5660                  569489
...
~~~~~~~~~~~~~
A packet trace can be run...
e.g. IOS XE Packet Tracer
debug platform condition interface port-channel 2 ipv4 access-list TAC ingress
debug platform condition start
debug platform packet-trace packet 8192 fia-trace
debug platform packet-trace enable
~~~~~~~~~~~~~
Dropped packets can be identified...
...
ASR-Router#show platform packet-trace summary | include DROP
~~~~~~~~~~~~~
A specific dropped packet can be further investigated (e.g. packet #7797) to find out why it was dropped.
...
e.g.
ASR-Router#show platform packet-trace packet 7797 | begin NAT
Feature: NAT
Direction : IN to OUT
Action : Drop
Sub-code : 002 - ALG_PROCESS_TOKEN_FAIL
~~~~~~~~~~~~~
One can look at the state of the NAT door to see if it's been exceeded...
e.g.
ASR-Router#show platform hardware qfp active feature nat datapath door
DOOR global stats:
door_count 250000 door_limit_fail_count 392316
~~~~~~~~~~~~~
The door count *should* fluctuate. The number of "fail_counts" will increment upward every time the limit is exceeded. The workaround can be applied as the door count approaches the limit. In our case,.... 250000.
clear ip nat translation *
NAT translated packets are dropped by NAT feature ALG_PROCESS_TOKEN_FAIL:
...
ASR-Router#show platform hardware qfp active feature nat datapath stats
non_extended 3016 entry_timeouts 3696 statics 5 static net 2 hits 29703 misses 2990 non_natted 287729831897
Proxy stats:
ipc_retry_fail 2312 cfg_rcvd 51 cfg_rsp 53
Subcode #2 ALG_PROCESS_TOKEN_FAIL 395077 <<<<<<<<<<
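
The door check described above can be scripted. The following is an added example, not part of the original note and not Cisco tooling: it compares two captures of the "show platform hardware qfp active feature nat datapath door" output and reports when door_count nears the limit or door_limit_fail_count has moved. The 250000 limit is the value from this page's case; the 90% warning ratio, the function names and the earlier capture are assumptions.

```python
import re

# Constructed captures of "show platform hardware qfp active feature nat datapath door".
# CURR uses the counters quoted on this page; PREV is made up for the comparison.
PREV = "DOOR global stats:\ndoor_count 231500 door_limit_fail_count 392300\n"
CURR = "DOOR global stats:\ndoor_count 250000 door_limit_fail_count 392316\n"

COUNTER_RE = re.compile(r"\b(door_count|door_limit_fail_count)\s+(\d+)")


def parse_door_stats(text):
    """Extract the two door counters from the CLI output."""
    stats = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {"door_count", "door_limit_fail_count"} - stats.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return stats


def assess_doors(prev_text, curr_text, door_limit=250000, warn_ratio=0.9):
    """Compare two captures; door_limit defaults to the value from this page's case."""
    prev, curr = parse_door_stats(prev_text), parse_door_stats(curr_text)
    fail_delta = curr["door_limit_fail_count"] - prev["door_limit_fail_count"]
    if fail_delta < 0:
        # Assumption: a lower value means the counter was reset between captures.
        fail_delta = curr["door_limit_fail_count"]
    if curr["door_count"] >= door_limit or fail_delta > 0:
        status = "critical"   # limit reached, or exceeded since the last capture
    elif curr["door_count"] >= warn_ratio * door_limit:
        status = "warn"       # approaching the limit: time to plan the workaround
    else:
        status = "ok"
    return {"status": status, "door_count": curr["door_count"],
            "headroom": door_limit - curr["door_count"], "fail_delta": fail_delta}


if __name__ == "__main__":
    print(assess_doors(PREV, CURR))
```

A "warn" result is the point at which the note suggests applying the workaround; "critical" means packets are likely already being dropped with ALG_PROCESS_TOKEN_FAIL.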