08-30-2024 02:54 AM
Hello everyone,
I have 2 C8300 routers configured as interchassis redundancy pair. There is also NAT with overload configured.
Problem:
Cyclically (with a period of 10 to 25 min) a storm of NAT translations appears. It is about 800-900 translations, while in the normal situation it is about 40-50. During the storm, communication to the net behind NAT is lost. After some minutes everything gets back to normal until the next time.
There is no problem on interfaces, no router switchover.
Problem disappears when NAT interface on one router is shut.
Does anyone have any idea what's going on here?
Best regards
08-30-2024 03:06 AM
Share config for both
MHM
08-30-2024 04:17 AM
First router:
#######################
## rw1:
!
redundancy
mode none
application redundancy
group 1
name rg1
preempt
timers delay 10 reload 20
control Port-channel3 protocol 1
data Port-channel3
asymmetric-routing interface Port-channel3
asymmetric-routing always-divert enable
protocol 1
name rg1
timers hellotime 1 holdtime 3
authentication text 7 110B180100131F0916
!
!
no cdp run
!
!
!
!
interface Port-channel1
no ip address
no negotiation auto
!
!
interface Port-channel1.800
encapsulation dot1Q 800
ip address 10.81.0.250 255.255.255.248
redundancy rii 800
redundancy group 1 ip 10.81.0.249 exclusive decrement 100
!
!
interface Port-channel2
description trunk swr
no ip address
no negotiation auto
!
interface Port-channel2.16
encapsulation dot1Q 16
ip address 192.168.100.13 255.255.255.192
ip nat outside
#####
shutdown <--- because of problems
#####
redundancy rii 16
redundancy group 1 ip 192.168.100.12 exclusive decrement 100
!
interface Port-channel2.206
encapsulation dot1Q 206
ip address 10.9.16.42 255.255.255.248
redundancy rii 206
redundancy group 1 ip 10.9.16.41 exclusive decrement 100
!
interface Port-channel2.830
encapsulation dot1Q 830
ip address 10.81.0.234 255.255.255.248
ip nat inside
redundancy rii 830
redundancy group 1 ip 10.81.0.233 exclusive decrement 100
!
interface Port-channel3
ip address 10.9.20.253 255.255.255.252
no negotiation auto
!
interface Tunnel12
bandwidth 50000
ip address 10.0.128.41 255.255.255.252
ip nat inside
ip access-group 16 in
ip tcp adjust-mss 1430
delay 2000
keepalive 2 3
tunnel source 10.81.0.249
tunnel destination 10.82.0.249
hold-queue 150 in
!
interface Tunnel71
bandwidth 50000
ip address 10.0.128.230 255.255.255.252
ip nat inside
ip access-group 16 in
ip tcp adjust-mss 1430
delay 2000
keepalive 2 3
tunnel source 10.81.0.249
tunnel destination 10.87.0.249
!
interface GigabitEthernet0/0/0
description trunk sw
no ip address
negotiation auto
channel-group 1 mode active
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
channel-group 1 mode active
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
channel-group 2 mode active
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
channel-group 2 mode active
!
interface GigabitEthernet0/0/4
no ip address
negotiation auto
channel-group 3 mode active
!
interface GigabitEthernet0/0/5
no ip address
negotiation auto
channel-group 3 mode active
!
!
router eigrp 100
network 10.0.0.0
redistribute static
!
ip forward-protocol nd
ip nat pool pom 192.168.100.12 192.168.100.14 netmask 255.255.255.252
ip nat inside source list 16 pool pom redundancy 1 mapping-id 16 overload
ip route 10.81.0.0 255.255.240.0 10.81.0.238
ip route 10.82.0.248 255.255.255.248 10.81.0.254
ip route 10.87.0.128 255.255.255.192 10.81.0.254
ip route 10.87.0.248 255.255.255.248 10.81.0.254
ip route 192.168.100.64 255.255.255.192 192.168.100.1
ip route 192.168.101.64 255.255.255.192 192.168.100.1
!
ip access-list standard 16
10 permit 10.0.0.0 0.255.255.255
20 permit 172.24.19.0 0.0.0.255
!
!
!
end
#############################
Second router:
##############################
### rw2:
!
redundancy
mode none
application redundancy
group 1
name rg1
preempt
timers delay 10 reload 20
control Port-channel3 protocol 1
data Port-channel3
asymmetric-routing interface Port-channel3
asymmetric-routing always-divert enable
protocol 1
name rg1
timers hellotime 1 holdtime 3
authentication text badwater
!
!
no cdp run
!
!
!
!
!
!
interface Port-channel1
no ip address
no negotiation auto
!
!
interface Port-channel1.800
encapsulation dot1Q 800
ip address 10.81.0.251 255.255.255.248
redundancy rii 800
redundancy group 1 ip 10.81.0.249 exclusive decrement 100
!
interface Port-channel2
description trunk swr
no ip address
no negotiation auto
!
interface Port-channel2.16
encapsulation dot1Q 16
ip address 192.168.100.14 255.255.255.192
ip nat outside
redundancy rii 16
redundancy group 1 ip 192.168.100.12 exclusive decrement 100
!
interface Port-channel2.206
encapsulation dot1Q 206
ip address 10.9.16.43 255.255.255.248
redundancy rii 206
redundancy group 1 ip 10.9.16.41 exclusive decrement 100
!
interface Port-channel2.830
encapsulation dot1Q 830
ip address 10.81.0.235 255.255.255.248
ip nat inside
redundancy rii 830
redundancy group 1 ip 10.81.0.233 exclusive decrement 100
!
interface Port-channel3
ip address 10.9.20.254 255.255.255.252
no negotiation auto
!
interface Tunnel12
bandwidth 50000
ip address 10.0.128.41 255.255.255.252
ip nat inside
ip access-group 16 in
ip tcp adjust-mss 1430
delay 2000
keepalive 2 3
tunnel source 10.81.0.249
tunnel destination 10.82.0.249
hold-queue 150 in
!
interface Tunnel71
bandwidth 50000
ip address 10.0.128.230 255.255.255.252
ip nat inside
ip access-group 16 in
ip tcp adjust-mss 1430
delay 2000
keepalive 2 3
tunnel source 10.81.0.249
tunnel destination 10.87.0.249
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
channel-group 1 mode active
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
channel-group 1 mode active
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
channel-group 2 mode active
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
channel-group 2 mode active
!
interface GigabitEthernet0/0/4
no ip address
negotiation auto
channel-group 3 mode active
!
interface GigabitEthernet0/0/5
no ip address
negotiation auto
channel-group 3 mode active
!
!
router eigrp 100
network 10.0.0.0
redistribute static
!
ip forward-protocol nd
ip nat pool pom 192.168.100.12 192.168.100.14 netmask 255.255.255.252
ip nat inside source list 16 pool pom redundancy 1 mapping-id 16 overload
ip route 10.81.0.0 255.255.240.0 10.81.0.238
ip route 10.82.0.248 255.255.255.248 10.81.0.254
ip route 10.87.0.128 255.255.255.192 10.81.0.254
ip route 10.87.0.248 255.255.255.248 10.81.0.254
ip route 192.168.100.64 255.255.255.192 192.168.100.1
ip route 192.168.101.64 255.255.255.192 192.168.100.1
!
ip access-list standard 16
10 permit 10.0.0.0 0.255.255.255
20 permit 172.24.19.0 0.0.0.255
!
!
end
#############################
08-30-2024 04:45 AM
Can you make two PO, one for control and the other for data?
MHM
08-30-2024 03:52 AM
Hello
These translations, from what source(s) are they originating?
Can you share that translation log?
08-30-2024 04:38 AM
In normal situation:
rw2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 192.168.100.12:40754 10.7.4.17:40754 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:50802 10.7.4.17:50802 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:50550 10.7.0.17:50550 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:58394 10.7.4.17:58394 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:4367 10.81.0.23:4367 192.168.100.30:502 192.168.100.30:502
tcp 192.168.100.12:40104 10.7.0.18:40104 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:49234 10.7.4.17:49234 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:4864 10.81.0.28:4864 192.168.100.30:502 192.168.100.30:502
tcp 192.168.100.12:57582 10.7.0.18:57582 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:51142 10.7.6.17:51142 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:2143 10.81.0.11:2143 192.168.100.30:502 192.168.100.30:502
tcp 192.168.100.12:7882 10.81.0.23:7882 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:3517 10.81.0.11:3517 192.168.100.30:502 192.168.100.30:502
tcp 192.168.100.12:40116 10.7.0.18:40116 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:4375 10.81.0.23:4375 192.168.100.32:502 192.168.100.32:502
tcp 192.168.100.12:41142 10.7.0.18:41142 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:4099 10.81.0.26:4099 192.168.100.31:502 192.168.100.31:502
tcp 192.168.100.12:33672 10.7.4.17:33672 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:4481 10.81.0.28:4481 192.168.100.30:502 192.168.100.30:502
tcp 192.168.100.12:43866 10.7.6.18:43866 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:59596 10.7.0.17:59596 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:4096 10.81.0.11:4096 192.168.100.31:502 192.168.100.31:502
tcp 192.168.100.12:51240 10.7.6.17:51240 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:33370 10.7.0.17:33370 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:56066 10.7.6.17:56066 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:3840 10.81.0.26:3840 192.168.100.31:502 192.168.100.31:502
tcp 192.168.100.12:4373 10.81.0.23:4373 192.168.100.31:502 192.168.100.31:502
tcp 192.168.100.12:57628 10.7.6.18:57628 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:3585 10.81.0.26:3585 192.168.100.31:502 192.168.100.31:502
tcp 192.168.100.12:4095 10.81.0.11:4095 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:50870 10.7.4.17:50870 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:39560 10.7.0.17:39560 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:52340 10.7.6.18:52340 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:2144 10.81.0.11:2144 192.168.100.32:502 192.168.100.32:502
tcp 192.168.100.12:37962 10.7.0.18:37962 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:33368 10.7.0.17:33368 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:51242 10.7.6.17:51242 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:40198 10.7.0.18:40198 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:59698 10.7.6.17:59698 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:51264 10.7.6.18:51264 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:59736 10.7.6.17:59736 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:59598 10.7.0.17:59598 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:4610 10.81.0.26:4610 192.168.100.31:502 192.168.100.31:502
tcp 192.168.100.12:51366 10.7.6.18:51366 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:57678 10.7.6.18:57678 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:2145 10.81.0.11:2145 192.168.101.112:502 192.168.101.112:502
Total number of translations: 46
In case of the problem there are the same sources, but multiplied (more than 800 translations).
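To answer "which sources are these translations coming from?" from a saved capture rather than by eye, the following script parses the `show ip nat translations` table format shown above and counts entries per inside-local host and per (inside-local host, outside-global) pair, then flags a storm when the table grows past a multiple of the normal count. This is an added example, not code from the thread or from Cisco; the sample table inside it is constructed in the style of the posted output, the baseline of 46 is the "normal situation" figure from the post, and the 4x storm factor and the `multiply_flows` helper (which replays every flow with fresh source ports to imitate the "same sources, but multiplied" pattern) are assumptions of this example.

```python
"""Parse `show ip nat translations` output and flag a translation storm.

Added example (not from the thread). Counts translations per inside-local
host and per (inside-local host, outside-global) pair so the sources of a
storm can be read off a captured table.
"""
import re
from collections import Counter, namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global"
)

# Constructed sample modelled on the output posted above; not a real capture.
SAMPLE_OUTPUT = """\
Pro Inside global Inside local Outside local Outside global
tcp 192.168.100.12:40754 10.7.4.17:40754 192.168.101.112:502 192.168.101.112:502
tcp 192.168.100.12:50802 10.7.4.17:50802 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:4367 10.81.0.23:4367 192.168.100.30:502 192.168.100.30:502
tcp 192.168.100.12:40104 10.7.0.18:40104 192.168.101.111:502 192.168.101.111:502
tcp 192.168.100.12:58394 10.7.4.17:58394 192.168.101.112:502 192.168.101.112:502
Total number of translations: 5
"""

# One table row: protocol followed by the four address:port columns.
_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def host_of(endpoint):
    """Strip the :port suffix: '10.7.4.17:40754' -> '10.7.4.17'; '---' stays."""
    host, sep, _port = endpoint.rpartition(":")
    return host if sep else endpoint


def parse_translations(text):
    """Return one Translation per table row, skipping header and footer lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("Pro ", "Total ")):
            continue
        m = _ROW_RE.match(line)
        if m:
            rows.append(Translation(*m.groups()))
    return rows


def count_by_inside_local(rows):
    """Translations per inside-local host (the real source behind the NAT)."""
    return Counter(host_of(r.inside_local) for r in rows)


def count_by_pair(rows):
    """Translations per (inside-local host, outside-global endpoint) pair."""
    return Counter((host_of(r.inside_local), r.outside_global) for r in rows)


def top_sources(rows, n=3):
    """The n inside-local hosts holding the most translations."""
    return count_by_inside_local(rows).most_common(n)


def is_storm(rows, baseline, factor=4):
    """True when the table holds more than `factor` times the normal count.
    The factor is an assumption of this example, tune it to the site."""
    return len(rows) > baseline * factor


def multiply_flows(rows, copies):
    """Constructed storm: re-issue every flow `copies` times with new source
    ports, imitating the 'same sources, but multiplied' pattern from the post."""
    out, port = [], 20000
    for _ in range(copies):
        for r in rows:
            port += 1
            out.append(r._replace(
                inside_global=f"{host_of(r.inside_global)}:{port}",
                inside_local=f"{host_of(r.inside_local)}:{port}",
            ))
    return out


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    print(f"{len(rows)} translations, storm={is_storm(rows, baseline=46)}")
    for host, n in top_sources(rows):
        print(f"  {host:<16} {n}")
    storm = multiply_flows(rows, 200)
    print(f"{len(storm)} translations, storm={is_storm(storm, baseline=46)}")
    for (host, dst), n in count_by_pair(storm).most_common(3):
        print(f"  {host:<16} -> {dst:<22} {n}")
```

Feed it the full table captured during an episode (`show ip nat translations` redirected to a file) and compare `top_sources` and `count_by_pair` between a normal and a storm capture: if the same hosts appear with hundreds of entries to the same port-502 destinations, the growth is in per-flow entries rather than in new clients, which is the information the reply above asks for.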
08-30-2024 05:37 AM
Hello
So all NAT traffic is presently using 192.168.100.12 due to the overload:
ip nat inside source list 16 pool pom redundancy 1 mapping-id 16 overload
however -- pool pom
ip nat pool pom 192.168.100.12 192.168.100.14 netmask 255.255.255.252
interface Port-channel2.16
encapsulation dot1Q 16
ip address 192.168.100.13 255.255.255.192
ip nat outside
#####
shutdown <--- because of problems
#####
redundancy rii 16
redundancy group 1 ip 192.168.100.12 exclusive decrement 100
You have addressing in the NAT pool sharing the redundancy group IP of the outside NAT domain.
If applicable, try the following:
no ip nat pool pom 192.168.100.12 192.168.100.14 netmask 255.255.255.252
no ip nat inside source list 16 pool pom redundancy 1 mapping-id 16 overload
ip nat pool pom 192.168.100.14 192.168.100.15 netmask 255.255.255.192
ip nat inside source list 16 pool pom redundancy 1 mapping-id 16
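The overlap pointed out in the reply above (a NAT pool whose range covers the redundancy group virtual IP of an `ip nat outside` interface) is easy to miss when reading a long running-config, so here is a small lint that finds it mechanically. This is an added example, not a Cisco tool or code from the thread; it understands only the `interface`, `ip nat inside|outside`, `redundancy group N ip X` and `ip nat pool` commands that appear in the posted configs, accepts both indented running-config and the flattened paste above, and the sample config inside it is a constructed excerpt in the style of rw1, not a copy of the device.

```python
"""Lint a Cisco IOS-XE NAT config for a pool that overlaps the redundancy
group virtual IP of an `ip nat outside` interface.

Added example (not a Cisco tool). Parses only the handful of commands that
appear in the thread's configs.
"""
import ipaddress
import re

# Constructed excerpt in the style of the rw1 config posted above.
SAMPLE_CONFIG = """\
interface Port-channel2.16
 encapsulation dot1Q 16
 ip address 192.168.100.13 255.255.255.192
 ip nat outside
 redundancy rii 16
 redundancy group 1 ip 192.168.100.12 exclusive decrement 100
!
interface Port-channel2.830
 encapsulation dot1Q 830
 ip address 10.81.0.234 255.255.255.248
 ip nat inside
 redundancy rii 830
 redundancy group 1 ip 10.81.0.233 exclusive decrement 100
!
ip nat pool pom 192.168.100.12 192.168.100.14 netmask 255.255.255.252
ip nat inside source list 16 pool pom redundancy 1 mapping-id 16 overload
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
IF_RE = re.compile(r"^interface (\S+)")
VIP_RE = re.compile(r"^redundancy group (\d+) ip (\S+)")


def parse_config(cfg):
    """Return (pools, interfaces).

    pools: {name: (first, last, netmask)} as IPv4Address objects.
    interfaces: {name: {"nat": "inside" | "outside" | None,
                        "vips": [(group, IPv4Address), ...]}}
    A line of '!' closes the current interface block, which is how both an
    indented running-config and the flattened forum paste delimit blocks.
    """
    pools, interfaces, current = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "!":
            current = None
            continue
        m = IF_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"nat": None, "vips": []}
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last, mask = m.groups()
            pools[name] = tuple(ipaddress.IPv4Address(a) for a in (first, last, mask))
            continue
        if current is None:
            continue  # other global commands are not of interest here
        if line in ("ip nat inside", "ip nat outside"):
            interfaces[current]["nat"] = line.split()[-1]
        m = VIP_RE.match(line)
        if m:
            interfaces[current]["vips"].append(
                (int(m.group(1)), ipaddress.IPv4Address(m.group(2)))
            )
    return pools, interfaces


def pool_contains(pool, ip):
    """True when ip lies inside the pool's first..last range (inclusive)."""
    first, last, _mask = pool
    return first <= ip <= last


def find_pool_vip_overlaps(cfg):
    """List (pool, vip, interface, group) for every redundancy-group virtual
    IP on an `ip nat outside` interface that a NAT pool range also covers."""
    pools, interfaces = parse_config(cfg)
    findings = []
    for ifname, info in interfaces.items():
        if info["nat"] != "outside":
            continue
        for group, vip in info["vips"]:
            for name, pool in pools.items():
                if pool_contains(pool, vip):
                    findings.append((name, str(vip), ifname, group))
    return findings


if __name__ == "__main__":
    for pool, vip, ifname, group in find_pool_vip_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} covers redundancy group {group} IP {vip} on {ifname}")
```

Run it over the `show running-config` of each chassis; an empty result means no pool range includes an outside-interface redundancy group IP, which is the condition the reply's corrected pool is meant to restore.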