Cisco 1900 router as a NAT device for vedges

VKN
Level 1

I have a requirement where multiple vEdge devices are connected behind a NAT device.

According to the Cisco documents, port offset should help in these scenarios.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html

But in my case I have a problem.

I have port offset configured on these vEdges so they all have different port numbers.

From the vBond I can see that all devices are registered with different port numbers based on the port-offset config.

Control connections are up.

But BFD doesn't come up.

I can see that the vEdges are sending BFD packets out and can see the NAT device receiving them, but the NAT device (a 1900 router) is not responding back.

The configuration for NAT is a normal NAT-overload config.

The setup is a simple one, as below.

[image: port offset .png]

Logs:


vedge01# show control local-properties wan-interface-list

NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

INTERFACE  PUBLIC IPv4  PUBLIC PORT  PRIVATE IPv4  PRIVATE IPv6  PRIVATE PORT  VS/VM  COLOR  STATE  MAX CNTRL  RESTRICT/CONTROL/STUN  LR/LB  LAST CONNECTION  SPI TIME REMAINING  NAT TYPE  VM CON PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/1 100.1.1.154 12432 172.31.70.78 :: 12432 0/0 public-internet up 2 no/yes/yes No/No 0:00:01:04 0:10:23:48 N 8


vedge02# show control local-properties wan-interface-list

NAT TYPE: E -- indicates End-point independent mapping
A -- indicates Address-port dependent mapping
N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

INTERFACE  PUBLIC IPv4  PUBLIC PORT  PRIVATE IPv4  PRIVATE IPv6  PRIVATE PORT  VS/VM  COLOR  STATE  MAX CNTRL  RESTRICT/CONTROL/STUN  LR/LB  LAST CONNECTION  SPI TIME REMAINING  NAT TYPE  VM CON PRF
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ge0/1 100.1.1.154 1024 172.31.70.86 :: 12413 0/0 public-internet up 2 no/yes/yes No/No 0:00:03:34 0:10:21:18 N 8


vedge01# show bfd sessions site-id 120
SYSTEM IP  SITE ID  STATE  SOURCE TLOC COLOR  REMOTE TLOC COLOR  SOURCE IP  DST PUBLIC IP  DST PUBLIC PORT  ENCAP  DETECT MULTIPLIER  TX INTERVAL(msec)  UPTIME  TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.1.120.1 120 down public-internet public-internet 172.31.70.78 100.1.1.154 1024 ipsec 7 1000 NA 0


vedge02# show bfd sessions site-id 110
SYSTEM IP  SITE ID  STATE  SOURCE TLOC COLOR  REMOTE TLOC COLOR  SOURCE IP  DST PUBLIC IP  DST PUBLIC PORT  ENCAP  DETECT MULTIPLIER  TX INTERVAL(msec)  UPTIME  TRANSITIONS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
10.1.110.1 110 down public-internet public-internet 172.31.70.86 100.1.1.154 12432 ipsec 7 1000 NA 0


VBOND# show orchestrator connections
INSTANCE  PEER TYPE  PEER PROTOCOL  PEER SYSTEM IP  SITE ID  DOMAIN ID  PEER PRIVATE IP  PEER PRIVATE PORT  PEER PUBLIC IP  PEER PUBLIC PORT  REMOTE COLOR  STATE  ORGANIZATION NAME  UPTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vedge dtls 10.1.101.1 101 1 172.31.70.42 12427 100.1.1.154 12427 public-internet up LAB-TEST 0:02:32:32
0 vedge dtls 10.1.102.2 102 1 172.31.70.54 12409 100.1.1.154 12409 public-internet up LAB-TEST 0:02:20:12

On the NAT router:

ip nat inside source list ACL_NAT_OVERLOAD_DEFAULT interface GigabitEthernet0/0.900 vrf INTERNET overload

I cannot see any hits in ip nat translations for BFD packets; not sure if that will/should happen.

I have tried ACL counters on the LAN interfaces: while incoming hits are observed, no packet is outgoing. I performed an IP debug to see what happens; the result is below.

Debug IP PACKET output:
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154, len 157, rcvd 4
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154, len 157, stop process pak for forus packet
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154, len 157, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154, len 157, input feature, Stateful Inspection(7), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154, len 157, input feature, Virtual Fragment Reassembly(37), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154, len 157, input feature, Access List(44), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154, len 157, input feature, Virtual Fragment Reassembly After IPSec Decryption(54), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154, len 157, input feature, MCI Check(99), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 16 06:25:41.003: IP: tableid=1, s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154 (GigabitEthernet0/0.900), routed via RIB
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154 (GigabitEthernet0/0.900), len 157, output feature, Post-routing NAT Outside(25), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154 (GigabitEthernet0/0.900), len 157, output feature, Common Flow Table(28), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 16 06:25:41.003: IP: s=172.31.70.86 (GigabitEthernet0/1.500), d=100.1.1.154 (GigabitEthernet0/0.900), len 157, output feature, Stateful Inspection(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

I request all your help on this; I can provide more info if needed.
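As an added example (not the poster's code or output), a small Python script that parses the vEdge rows quoted above and reports what they show: both BFD sessions target the NAT device's own public address 100.1.1.154, so the two peers sit behind the same NAT and their inside-to-inside traffic would have to be hairpinned by the NAT device; each destination port is the other vEdge's NAT public port, so the port-offset mappings agree; and NAT type is still unlearned. The rows are embedded verbatim from the post and parsed by column position, which assumes the column order of the quoted outputs.

```python
"""Cross-check vEdge 'show control local-properties wan-interface-list'
and 'show bfd sessions' output for two vEdges behind one NAT device."""

# Constructed from the data rows in the post above (header rows dropped);
# fields are taken positionally from the whitespace-separated row.
LOCAL_PROPS = {
    "vedge01": "ge0/1 100.1.1.154 12432 172.31.70.78 :: 12432 0/0 public-internet up 2 "
               "no/yes/yes No/No 0:00:01:04 0:10:23:48 N 8",
    "vedge02": "ge0/1 100.1.1.154 1024 172.31.70.86 :: 12413 0/0 public-internet up 2 "
               "no/yes/yes No/No 0:00:03:34 0:10:21:18 N 8",
}
BFD_SESSIONS = {
    "vedge01": "10.1.120.1 120 down public-internet public-internet 172.31.70.78 "
               "100.1.1.154 1024 ipsec 7 1000 NA 0",
    "vedge02": "10.1.110.1 110 down public-internet public-internet 172.31.70.86 "
               "100.1.1.154 12432 ipsec 7 1000 NA 0",
}

def parse_local_props(row):
    """One data row of 'show control local-properties wan-interface-list'."""
    f = row.split()
    return {"interface": f[0], "public_ip": f[1], "public_port": int(f[2]),
            "private_ip": f[3], "private_port": int(f[5]), "nat_type": f[14]}

def parse_bfd(row):
    """One data row of 'show bfd sessions'."""
    f = row.split()
    return {"system_ip": f[0], "site_id": int(f[1]), "state": f[2],
            "src_ip": f[5], "dst_public_ip": f[6], "dst_public_port": int(f[7])}

def diagnose(local_props, bfd_sessions):
    """Return (device, finding) pairs. hairpin: BFD destination is the
    device's own NAT public IP (NAT must hairpin inside-to-inside traffic);
    port-ok: destination port is another device's NAT public port, matching
    the port-offset mapping the peers learned; port-unknown: nobody owns
    that port; nat-type-unknown: NAT type 'N', not learned (needs 2 vBonds)."""
    lps = {dev: parse_local_props(row) for dev, row in local_props.items()}
    port_owner = {lp["public_port"]: dev for dev, lp in lps.items()}
    findings = []
    for dev, lp in lps.items():
        sess = parse_bfd(bfd_sessions[dev])
        if sess["dst_public_ip"] == lp["public_ip"]:
            findings.append((dev, "hairpin"))
        peer = port_owner.get(sess["dst_public_port"])
        findings.append((dev, "port-ok" if peer and peer != dev else "port-unknown"))
        if lp["nat_type"] == "N":
            findings.append((dev, "nat-type-unknown"))
    return findings
```

Running diagnose(LOCAL_PROPS, BFD_SESSIONS) on the quoted rows yields hairpin, port-ok and nat-type-unknown for both vEdges, which narrows the question to whether the 1900 router translates traffic that two inside hosts send to its own outside address.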
