BugZero | Cisco BugID CSCvs06831 - CGN - NatIn2out drop after certain amount of trans...

Cisco - Defect ID: CSCvs06831

CGN - NatIn2out drop after certain amount of translations per host

Cisco - Defect ID: CSCvs06831

CGN - NatIn2out drop after certain amount of translations per host

Last updated on April 22nd, 2024

BugZero Risk Score
7.5 High

Overall: 7.5

Severity: 8.2

Lifecycle: 5.2

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Views: 1

Description

Symptom

CGN is dropping In2out packets after certain amount of translations per host. Even though there are more ports available under the port set. As per packet-trace, Feature: NAT Direction : IN to OUT Action : Drop <------------------ Sub-code : 043 - BPA_NO_PSET <------------------ Feature: NAT Direction : IN to OUT Action : Drop Sub-code : 018 - ALLOC_ADDR_PORT_FAIL <------------------ Feature: OUTPUT_DROP Entry : Output - 0x700166f0 Input : TenGigabitEthernet0/1/0 Output : TenGigabitEthernet0/0/1 Lapsed time : 224 ns Feature: IPV4_NAT_OUTPUT_FIA Entry : Output - 0x70011c9c Input : TenGigabitEthernet0/1/0 Output : TenGigabitEthernet0/0/1 Lapsed time : 67434 ns Packet Copy In 0007b421 00c800a2 892697c0 08004508 003c409e 40003e06 84316440 042c345b db1db71f 00502fdc 1ae20000 0000a002 3908384e 00000204 05b40402 080a00f1 5baa0000 00000103 0303 ARPA Destination MAC : 0007.b421.00c8 Source MAC : 00a2.8926.97c0 Type : 0x0800 (IPV4) IPv4 Version : 4 Header Length : 5 ToS : 0x08 Total Length : 60 Identifier : 0x409e IP Flags : 0x2 (Don't fragment) Frag Offset : 0 TTL : 62 Protocol : 6 (TCP) Header Checksum : 0x8431 Source Address : x.x.x.44 <------------------ Destination Address : y.y.y.29 <------------------ TCP Source Port : 46879 <------------------ Destination Port : 80 Sequence Number : 0x2fdc1ae2 ACK Number : 0x00000000 TCP flags : 0xa002 Window : 0x3908 Checksum : 0x384e Urgent Pointer : 0x0000 Decode halted - end of packet copy reached Even though there is more room left (Port set size: 2048 ports in each port set allocation), packets are dropped for sessions coming in from hostt x.x.x.44. #sh ip nat translations inside x.x.x.44 Total number of translations: 47 <----------current traslation, which is far below the limt for the port set. #show ip nat bpa Paired Address Pooling (PAP) Limit: 30 local addresses per global address Bulk Port Allocation (BPA) Port set size: 2048 ports in each port set allocation <------------------2048 Port step size: 1 Single set: False #

Conditions

if the local user already creates translation paired with global ip address (PAP) with given protocol (TCP or UDP). Let's use TCP as an example. If this global ip address has run out of the UDP ports set, then it is impossible for this local user to create any UDP translation even it already has TCP translation with this global ip address.

Workaround

use the command "clear ip nat translation *"

Further Problem Description

Relevant Products

Click on a version to see all relevant bugs

Affected versions:16.6.6

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Affected versions:16.6.6

Fixed versions: No known fixed versions

Top Cisco Defects

No bugs this month

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCvs06831

CGN - NatIn2out drop after certain amount of translations per host

Cisco - Defect ID: CSCvs06831

CGN - NatIn2out drop after certain amount of translations per host

Last updated on April 22nd, 2024

BugZero Risk Score7.5 High

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
7.5 High