
ASR1001-X NAT problem

m.ebrahimi.isc
Level 1

Hi dears

I have one ASR1001-X on our edge network.

Based on our policy, I must NAT all customer networks when they come to my network.

Some networks do static NAT and others do dynamic.

All things are OK till I want to delete one NAT.

When I delete one NAT (static or dynamic), all sessions get packet loss.

I changed the ASR1001-X with a 4331 and there wasn't any problem on the 4331.

Do you have any idea or recommendations?

Thanks


This is the debug information.
When deleting a dynamic NAT entry:


*Jan 29 21:20:54.937: ipnat_addrpool_notify_api: id 1895, flags 11, range 0
*Jan 29 21:20:55.073: ipnat_remove_dynamic_cfg: id 1895, flag 0x9, range 0
*Jan 29 21:20:55.073: NAT: Cleanup all portlists for dynamic mapping id 1895

When adding this deleted one again:


*Jan 29 21:21:47.585: NAT: Pool Shop-C0021 id 0 create via config
*Jan 29 21:21:47.585: NAT: Pool Shop-C0021 assigned id 1896
*Jan 29 21:21:47.847: NAT: Dynamic mapping id 0 add via config
*Jan 29 21:21:47.848: NAT: Reserved 172.20.1.10 for PAT
*Jan 29 21:21:47.848: NAT: Mapping assigned id 1896
*Jan 29 21:21:47.848: ipnat_add_dynamic_cfg_common: id 1896, flag 5, range 1
*Jan 29 21:21:47.849: id 1896, flags 0, domain 0, lookup 0, aclnum 0,
aclname Shop-ACL-C0021, mapname , idb 0 , router_id 0,
pool_name Shop-C0021, proto 0

*Jan 29 21:21:50.138: NAT: attempting to setup alias for 172.20.1.10 (redundancy_name , idb NULL, flags 0x2), rg_id 0 tableid 0 use_tableid 0

I am concluding that the problem lies with the platform due to the following reasons:

1- When one of the dynamic NAT definitions or its associated pool is removed, apparently, the 'clear ip nat translation *' command is executed in the background once. This results in packet loss for all sessions.

2- Each time I execute the command 'clear ip nat translation inside A.B.C.D E.F.G.H outside I.J.K.L M.N.O.P', the corresponding entry in the 'ip nat translation' table does not get deleted, and the connection persists. Even if I manually remove the entry from the NAT table before deleting the definition associated with a NAT, it doesn't make a difference. All sessions still experience packet loss after removing all definitions.

3- The main issue that leads me to believe there is a problem with the platform is that when I use the 'debug ip nat Shop-ACL-C0021 mapping/detailed/pool/session' command, I do not receive any logs indicating that this NAT has been cleared and a new NAT has been established. In fact, I can only obtain debug output when I execute 'clear ip nat translation *'.

Use

debug ip nat

without specifying any NAT name.

With debug, we are not looking for what the router logs when the NAT is removed.

What we are looking for is whether other traffic is dropped when NATing or not.

It can be that there is overlapping in NAT, and traffic uses the NAT that is deleted or uses another NAT.

Thanks 

MHM

Cisco doesn't accept the "debug ip nat" command and says it is an incomplete command.
You must give an ACL name or number after debug ip nat.


ip access-list extended 100

permit ip <subnet of traffic affected by deleting the NAT> any

debug ip nat 100

Thanks 

MHM

Hello


@m.ebrahimi.isc wrote:
When I clear the specified NAT there is no effect on the router because there isn't any debug log on the router.

When I enter each of the commands below, all sessions get packet loss.

no ip nat pool Shop-C0100 forced
no ip nat inside source list Shop-ACL-C0100 pool Shop-C0100 overload forced



So when you remove the static entry, all is okay, correct?




@m.ebrahimi.isc wrote:

'clear ip nat translation inside A.B.C.D E.F.G.H outside I.J.K.L M.N.O.P', the corresponding entry in the 'ip nat translation' table does not get deleted, and the connection persists


It's possible it will NOT clear until it is forced to, due to the fact it's still being used.

So regarding the NAT ACL, is that the ONLY access-list 10 entry (ACE) in that ACL or are there others, and is it possible that ACL is being used anywhere else?

Also, is the NAT pool being utilized by another NAT statement?






Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul