Re: NAT not working on IOx on IR809 IOS bundle 15.9.3M1

andrei-erghelegiu · ‎03-26-2020

Hello everybody,

I have an application that is meant to run in NAT mode in IOx with some port forwardings. After installing the IOS15.9.3M1 on my IR809, the new IOx1.10.0.6 doesn't do the port forwarding I requested for the port 1731:1731. The problem is that this IOS version cannot be downgraded and I cannot find a quick fix for it.

Please help!

Andrei

suressan · ‎03-26-2020

Did you add necessary IOS CLI config wrt ip nat rule for port forwarding ?

andrei-erghelegiu · ‎03-27-2020

Hi,

The IOS configuration is the same as before installing the 15.9.3M1. I was running 15.7.3.M and everything was working fine. Also, I can connect to the container using the PEM file provided in the LocalManager, but this is not a connection done through a port, but from a lxc console redirect from GuestOS.

In the "sh run.txt" you can see the running-config.

In the "sh ip nat trans.txt" you can see that the IOS is doing the port forwarding.

In the "container log.txt" you can see that the container has internet access, the application is running and the port is up inside the container.

Best regards,

Andrei

andrei-erghelegiu · ‎03-27-2020

Hi all,

After hours of searching for a fix, I have found a workaround. If you do "IR800#guest-os 1 restart" after the restart of the image, everything is working well.

NOTE: This is just a workaround to the problem. If you do a "reload", after the router reloads, the problem is still there.

I hope Cisco will get us a fix soon!

Best regards,

Andrei

Emmanuel Tychon · ‎03-31-2020

Hello Andrei --

I have spent a couple of hours this morning trying to reproduce your issue, but for me this is working every time. I am using a Docker-based IOx app with Nginx web server, and running the same IOS release.

Your NAT translations seems to be working like mine:

IR800#sh ip nat translations | i :80
tcp 192.168.2.150:80 192.168.1.15:80 192.168.2.6:41452 192.168.2.6:41452
tcp 192.168.2.150:80 192.168.1.15:80 192.168.2.6:41454 192.168.2.6:41454

Can you try to telnet to your container (192.168.2.2) port tcp/1731 and verify that the connection is accepted?

Emmanuel

andrei-erghelegiu · ‎03-31-2020

Hi Emmanuel,

Thank you for the response, I tried to telnet 192.168.2.2 1731 and I got Connection refused, but if I do the telnet inside the container console with telnet 127.0.0.1 1731 the communication works.

Do you think a reinstall of the IOS bundle can fix the issue?

Best regards,

Andrei

Emmanuel Tychon · ‎03-31-2020

Hi Andrei -

I believe that I might be on something, altough not exactly the same flow as yours but with the same symptoms.

a) I cannot ping not telnet into my container from IOS, neither from outside the gateway
b) I can ping and telnet from GuestOS itself - so the container definitely works
c) If I shut / no shut the IOx interface (GigE 2 on 809, Gig5 on 829) then all is working again

Let me investigate this a bit more and come back to you.

Emmanuel

Emmanuel Tychon · ‎03-31-2020

Hello Andrei -

It is supported to downgrade from 15.9(3)M1 down to 15.8(3)M4 as they booth have the new FPGA code. While we search the issue with 15.9(3)M1 you can downgrade safely to 15.8(3)M4.

Don't use any older release.

Thanks, Emmanuel