
Cisco 3640 NAT does not work correctly. Does it match bug CSCDV25204, and how to solve it?

h.zongyou
Level 1

Router: cisco 3640

Module:NM-16ESW-PWR-1GIG

ver:c3640-is-mz.122-2.XT3.bin

Now we need to do NAT, but every so often the router's NAT stops working, and some time later it works OK again.

I found a bug, CSCDV25204, described as:

Release Notes

After several hours of operation, a router that has Network Address Translation (NAT) and Port Address Translation (PAT) enabled may fail to establish new PAT sessions. New PAT sessions cannot be established from a single add-pool with overload. This condition does not occur when a non-overload configuration is used. There is no workaround.

I want to know if this matches the bug, and if we don't upgrade the IOS to Cisco IOS 12.2(8)T IP PLUS, can we solve the case? The end user doesn't want to upgrade the DRAM to 96M now.

Following is the config:

------------------ show running-config ------------------

Building configuration...

Current configuration : 3766 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname jxlt-fz2

!

logging buffered 4096 debugging

enable secret 5 <removed>

!

ip subnet-zero

ip cef

!

!

!

fax interface-type fax-mail

mta receive maximum-recipients 0

!

!

!

!

interface Loopback0

ip address 172.17.17.3 255.255.255.255

!

interface FastEthernet0/0

switchport access vlan 10

no ip address

snmp trap link-status

!

interface FastEthernet0/1

switchport access vlan 20

no ip address

snmp trap link-status

!

interface FastEthernet0/2

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/3

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/4

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/5

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/6

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/7

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/8

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/9

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/10

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/11

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/12

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/13

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/14

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/15

switchport access vlan 30

no ip address

snmp trap link-status

!

interface GigabitEthernet0/0

no ip address

shutdown

no negotiation auto

snmp trap link-status

!

interface Vlan1

no ip address

shutdown

!

interface Vlan10

ip address 61.242.153.49 255.255.255.252

!

interface Vlan20

ip address 172.18.18.2 255.255.255.0

!

interface Vlan30

ip address 61.242.153.129 255.255.255.192

ip verify unicast reverse-path

!

interface Vlan40

no ip address

!

router ospf 10

log-adjacency-changes

redistribute connected subnets

network 61.242.153.49 0.0.0.0 area 0

network 172.18.18.2 0.0.0.0 area 0

distribute-list 10 in Vlan20

!

ip classless

ip route 0.0.0.0 0.0.0.0 61.242.153.50 200

no ip http server

!

logging 211.91.248.120

access-list 10 deny 172.17.0.0 0.0.255.255

access-list 10 deny 10.0.0.0 0.255.255.255

access-list 10 deny 192.168.0.0 0.0.255.255

access-list 10 deny 188.88.88.0 0.0.0.255

access-list 10 permit any

access-list 60 permit 211.91.248.0 0.0.0.255

access-list 60 permit 211.91.249.0 0.0.0.255

access-list 60 permit 210.82.103.0 0.0.0.15

access-list 60 permit 211.100.11.0 0.0.0.255

access-list 60 permit 210.52.3.0 0.0.0.255

access-list 60 permit 202.108.17.0 0.0.0.255

access-list 60 permit 61.242.153.0 0.0.0.255

access-list 60 deny any log

access-list 61 permit 211.91.248.0 0.0.0.255

access-list 61 deny any log

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 permit ip 188.88.88.0 0.0.0.255 any

access-list 111 permit icmp any host 61.242.153.129

access-list 111 deny ip any host 61.242.153.129

access-list 111 deny ip any host 61.242.153.49

access-list 111 deny ip any 172.17.0.0 0.0.255.255

access-list 111 permit ip any any

!

snmp-server community <removed> RO 61

snmp-server community <removed> RW 61

snmp-server host 211.91.248.124 <removed>

call rsvp-sync

!

!

mgcp profile default

!

dial-peer cor custom

!

!

!

!

line con 0

line aux 0

line vty 0 4

access-class 60 in

password 7 <removed>

login

!

!

end

Thanks for your help!

lgijssel
Level 9

Are you sure that you posted the correct version/device?

I did not find any lines for NAT in this config?!

This is the NAT config on which the error happened. Do we need to change some of it?

------------------ show running-config ------------------

Building configuration...

Current configuration : 4971 bytes

!

! Last configuration change at 13:59:15 PRC Wed Dec 11 2002

! NVRAM config last updated at 13:57:14 PRC Wed Dec 11 2002

!

version 12.2

service nagle

no service pad

service tcp-keepalives-in

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

!

hostname jxlt-px-wlw

!

enable secret 5

enable password 7

!

clock timezone PRC 8

ip subnet-zero

no ip source-route

ip cef

!

!

ip domain-name jxpx.cnuninet.net

ip name-server 211.91.248.129

ip name-server 211.94.33.193

!

no ip bootp server

!

!

!

!

!

!

fax interface-type fax-mail

mta receive maximum-recipients 0

!

!

!

!

interface FastEthernet0/0

description

switchport access vlan 10

no ip address

snmp trap link-status

!

interface FastEthernet0/1

description

switchport access vlan 20

no ip address

snmp trap link-status

!

interface FastEthernet0/2

description

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/3

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/4

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/5

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/6

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/7

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/8

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/9

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/10

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/11

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/12

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/13

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/14

switchport access vlan 30

no ip address

snmp trap link-status

!

interface FastEthernet0/15

switchport access vlan 65

no ip address

duplex full

speed 100

snmp trap link-status

!

interface GigabitEthernet0/0

no ip address

shutdown

no negotiation auto

snmp trap link-status

!

interface Vlan1

no ip address

shutdown

!

interface Vlan10

ip address 61.242.157.115 255.255.255.248

ip nat outside

!

interface Vlan20

ip address 61.242.157.122 255.255.255.252

ip nat outside

!

interface Vlan30

ip address 61.242.157.193 255.255.255.224

ip verify unicast reverse-path

!

interface Vlan65

ip address 192.168.9.2 255.255.255.0

ip nat inside

!

router ospf 10

log-adjacency-changes

redistribute connected subnets

network 61.242.157.115 0.0.0.0 area 0

network 61.242.157.122 0.0.0.0 area 0

distribute-list 10 out

!

ip nat translation timeout 60

ip nat pool IP_POOL 61.242.157.116 61.242.157.119 netmask 255.255.255.248

ip nat inside source list 2 pool IP_POOL overload

ip classless

ip route 0.0.0.0 0.0.0.0 61.242.157.113 120

ip route 192.168.1.0 255.255.255.0 192.168.9.1

ip route 192.168.2.0 255.255.255.0 192.168.9.1

ip route 192.168.3.0 255.255.255.0 192.168.9.1

ip route 192.168.4.0 255.255.255.0 192.168.9.1

ip route 192.168.5.0 255.255.255.0 192.168.9.1

ip route 192.168.6.0 255.255.255.0 192.168.9.1

ip route 192.168.7.0 255.255.255.0 192.168.9.1

ip route 192.168.8.0 255.255.255.0 192.168.9.1

no ip http server

!

logging 211.91.248.120

access-list 2 permit 192.168.0.0 0.0.15.255

access-list 10 deny 192.168.0.0 0.0.15.255

access-list 10 permit any

access-list 60 permit 211.91.248.0 0.0.0.255

access-list 60 permit 211.91.249.0 0.0.0.255

access-list 60 permit 210.82.103.0 0.0.0.15

access-list 60 permit 211.100.11.0 0.0.0.255

access-list 60 permit 210.52.3.0 0.0.0.255

access-list 60 permit 202.108.17.0 0.0.0.255

access-list 60 permit 61.242.157.0 0.0.0.255

access-list 60 deny any log

access-list 61 permit 211.91.248.0 0.0.0.255

access-list 61 deny any log

access-list 111 permit icmp any any

access-list 111 permit ip host 192.168.9.1 any

access-list 111 deny ip 192.168.0.0 0.0.15.255 any

access-list 111 permit ip any any

!

snmp-server community RO 61

snmp-server community RW 61

snmp-server host 211.91.248.124

call rsvp-sync

!

!

mgcp profile default

!

dial-peer cor custom

!

!

!

banner motd ^CC

#########################################################################

# #

# Warning: If you NOT authorized to access this system, disconnect NOW. #

# #

#########################################################################

^C

!

line con 0

exec-timeout 300 0

line aux 0

line vty 0 4

access-class 60 in

exec-timeout 0 0

password 7

login

!

!

end

There seems nothing wrong with your config and your problem description matches the bug that you found. I checked also that your release is affected. It certainly is. In the bugtool this bug is said to be fixed but as far as I can see you need an XT-release to support your @#$% new module.

A release that matches these criteria is not mentioned and at present there are no updates beyond 12.2(2)XT3.

Therefore I recommend that you open a case with the TAC.

May the force be with you!
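The "nothing wrong with your config" judgement above can be checked mechanically. The following is an added example, not part of the original thread: it verifies that the PAT pool sits on an `ip nat outside` subnet and that the NAT access list covers every inside network. The function name `audit_nat` and the trimmed config excerpt are assumptions made for illustration, and the check says nothing about whether the IOS bug itself is present.

```python
import ipaddress
import re

# Constructed excerpt: NAT-relevant lines from the second config posted above,
# re-indented as IOS prints them and with the repeated static routes trimmed.
CONFIG = """\
interface Vlan10
 ip address 61.242.157.115 255.255.255.248
 ip nat outside
interface Vlan20
 ip address 61.242.157.122 255.255.255.252
 ip nat outside
interface Vlan65
 ip address 192.168.9.2 255.255.255.0
 ip nat inside
ip nat pool IP_POOL 61.242.157.116 61.242.157.119 netmask 255.255.255.248
ip nat inside source list 2 pool IP_POOL overload
ip route 0.0.0.0 0.0.0.0 61.242.157.113 120
ip route 192.168.1.0 255.255.255.0 192.168.9.1
ip route 192.168.8.0 255.255.255.0 192.168.9.1
access-list 2 permit 192.168.0.0 0.0.15.255
"""

def _net(addr, mask):
    # ipaddress accepts netmasks and contiguous wildcard (host) masks alike.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_nat(config):
    """Check the PAT pool and NAT ACL against interfaces and static routes."""
    ifaces = re.findall(
        r"^interface \S+\n ip address (\S+) (\S+)\n ip nat (\w+)", config, re.M)
    outside = [_net(a, m) for a, m, side in ifaces if side == "outside"]
    inside_if = [_net(a, m) for a, m, side in ifaces if side == "inside"]
    # A static route whose next hop is on an inside subnet is an inside network.
    routed = [_net(d, m) for d, m, hop in
              re.findall(r"^ip route (\S+) (\S+) (\S+)", config, re.M)
              if any(ipaddress.ip_address(hop) in n for n in inside_if)]
    acl_id, pool = re.search(
        r"^ip nat inside source list (\d+) pool (\S+)", config, re.M).groups()
    first, last = re.search(
        rf"^ip nat pool {re.escape(pool)} (\S+) (\S+) netmask", config, re.M).groups()
    acl = [_net(a, w) for a, w in re.findall(
        rf"^access-list {acl_id} permit (\S+) (\S+)$", config, re.M)]
    return {
        "pool_on_outside_subnet": all(
            any(ipaddress.ip_address(p) in n for n in outside) for p in (first, last)),
        "not_translated": [str(n) for n in inside_if + routed
                           if not any(n.subnet_of(a) for a in acl)],
    }

if __name__ == "__main__":
    print(audit_nat(CONFIG))
```

An empty `not_translated` list and a true `pool_on_outside_subnet` mean the configuration is internally consistent, which is the case for the posted lines.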

vmiller
Level 7

On some 12.x releases you can try no ip cef. I had a similar problem and that worked around it.
