Cisco ASR 1001X - 1.8 Gbps only on 10 Gbps interface

benerofonte (Level 1)

I have an ASR 1001X configured with BGP + CGNAT + PPPoE server. But on this same equipment, for example, I have some /26s configured from my block (from my ASN) for use on some interfaces (each with its own /26), since it hosts some services (hosting, VoIP, reverse DNS, etc.).


But a curious thing happens: if I remove the "ip nat inside" option from the interface that has the public IP (here it is set as "inside" so that I can see from which private pool of the CGN the client accesses this interface and its services), when I do a bandwidth test I get 9.2 Gbps (reaching 9.6 Gbps) in the upload direction (on speedtest.net, for example), but in the download direction "only" 1.8 Gbps. If I go to the interface where this download comes from (in this case the IP of the BGP peering session) and remove the "ip nat outside", the download goes to 9.3 Gbps (when it was 1.8 Gbps before). But with that, clearly the clients that are behind the CGN lose communication with the destination where I removed the "ip nat outside".


I have already used the ios versions:

asr1001x-universalk9.17.08.01a.SPA.bin
asr1001x-universalk9.17.03.04a.SPA.bin

among others (extend service 3.16...)


Here is an example from the QFP log:


*May 11 00:13:46: %IOSXE_QFP-2-LOAD_EXCEED: Slot: 0, QFP:0, Load 84% exceeds the setting threshold 80%.
5 secs traffic rate on QFP: Total Input: 114096 pps (114.1 kpps), 1242494328 bps (1242.5 mbps), Total Output: 114112 pps (114.1 kpps), 1253171024 bps (1253.2 mbps).

*May 11 00:13:51: %IOSXE_QFP-2-LOAD_RECOVER: Slot: 0, QFP:0, Load 19% recovered.
5 secs traffic rate on QFP: Total Input: 494621 pps (494.6 kpps), 5584231528 bps (5584.2 mbps), Total Output: 494612 pps (494.6 kpps), 5631295752 bps (5631.3 mbps).


Some details:


- Everything is on top of a port-channel (which has neither errors nor different cables in the connection; there are two Cisco 10G-SR SFPs)

- MTU of 9216 on the port-channel (and wherever the equipment allows it, but without any packet retransmission on the interfaces)

- IPv6 is also configured (which is not affected by this issue; all v6 traffic flows normally at the maximum speed of the interface)


CGN config:


ip nat settings mode cgn
no ip nat settings support outside mapping
ip nat settings pap bpa step-size 8
ip nat translation timeout 120
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 2
ip nat translation max-entries 2000000
ip nat translation max-entries all-host 500
no ip nat service pptp
no ip nat service gatekeeper
ip nat pool cgnat X.X.42.129 X.X.42.254 prefix-length 25
ip nat inside source list 90 pool cgnat overload
access-list 90 permit 100.64.0.0 0.0.7.255


I put the result of "show platform hardware qfp active infrastructure punt statistics type per-cause" in the file attached to the post.

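As an added example (not code from the post or from Cisco), here is a small parser for the %IOSXE_QFP-2-LOAD_EXCEED / LOAD_RECOVER syslog pairs quoted above: it pulls the 5-second rate counters out of the continuation line, derives the mean packet size (which shows whether the QFP is saturating on packets per second rather than bits per second), and pairs each EXCEED with the next RECOVER on the same QFP to measure how long the forwarding processor stayed over threshold. The sample log is constructed from the two events in the post; the year is an assumption, since IOS-XE timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample input: the two QFP syslog events quoted in the post, in the
# form a syslog collector receives them (IOS-XE omits the year; 2023 is assumed).
SAMPLE_LOG = """\
*May 11 00:13:46: %IOSXE_QFP-2-LOAD_EXCEED: Slot: 0, QFP:0, Load 84% exceeds the setting threshold 80%.
5 secs traffic rate on QFP: Total Input: 114096 pps (114.1 kpps), 1242494328 bps (1242.5 mbps), Total Output: 114112 pps (114.1 kpps), 1253171024 bps (1253.2 mbps).
*May 11 00:13:51: %IOSXE_QFP-2-LOAD_RECOVER: Slot: 0, QFP:0, Load 19% recovered.
5 secs traffic rate on QFP: Total Input: 494621 pps (494.6 kpps), 5584231528 bps (5584.2 mbps), Total Output: 494612 pps (494.6 kpps), 5631295752 bps (5631.3 mbps).
"""

HEADER = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %IOSXE_QFP-2-(?P<event>LOAD_EXCEED|LOAD_RECOVER): "
    r"Slot: (?P<slot>\d+), QFP:(?P<qfp>\d+), Load (?P<load>\d+)%")
RATE = re.compile(
    r"Total Input: (?P<in_pps>\d+) pps .*?(?P<in_bps>\d+) bps .*?"
    r"Total Output: (?P<out_pps>\d+) pps .*?(?P<out_bps>\d+) bps")

def parse_qfp_events(text, year=2023):
    """One dict per LOAD_EXCEED/LOAD_RECOVER header, with the 5-second rate
    line that IOS-XE prints immediately after it folded into the same dict."""
    events, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue
        ev = {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
              "event": m["event"], "slot": int(m["slot"]), "qfp": int(m["qfp"]),
              "load": int(m["load"])}
        r = RATE.search(lines[i + 1]) if i + 1 < len(lines) else None
        if r:
            ev.update({k: int(v) for k, v in r.groupdict().items()})
            # Mean packet size separates a pps-bound QFP from a bps-bound one:
            # here 84% load is reached at only ~1.2 Gbps of ~1361-byte packets.
            ev["avg_pkt_bytes"] = ev["in_bps"] / ev["in_pps"] / 8
        events.append(ev)
    return events

def overload_episodes(events):
    """Pair each LOAD_EXCEED with the next LOAD_RECOVER on the same slot/QFP
    and report duration and the rates seen when the threshold was crossed."""
    open_, episodes = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["slot"], ev["qfp"])
        if ev["event"] == "LOAD_EXCEED":
            open_.setdefault(key, ev)  # keep the first EXCEED of a run
        elif key in open_:
            start = open_.pop(key)
            episodes.append({"qfp": key, "start": start["ts"], "end": ev["ts"],
                             "duration_s": (ev["ts"] - start["ts"]).total_seconds(),
                             "peak_load": start["load"], "in_pps": start.get("in_pps"),
                             "in_mbps": start.get("in_bps", 0) / 1e6,
                             "avg_pkt_bytes": start.get("avg_pkt_bytes")})
    return episodes
```

Feeding a day of syslog through this and plotting `in_pps` against `peak_load` for every episode is a quick way to see whether the overloads track packet rate (a NAT per-packet cost) or link bandwidth.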

6 Replies

marce1000 (VIP)


    - FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa11349

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

I didn't know about this bug; I tried to check it here, but it seems to be different. In my case, traffic is limited to 1.8 Gbps as soon as I activate "ip nat inside" or "ip nat outside" on an interface with a public IP from my block (from the ASN). It's as if the CGN is treating that interface as something that should be processed by it.

Very strange; I'm actually using "asr1001x-universalk9.17.08.01a.SPA.bin" because a similar bug is "resolved" in it.


But in my case the problem still persists.


BR,

Hello,

Stupid question maybe, but why do you (need to) use CGN in the first place? Why not 'traditional' NAT?

Hi, Georg

No problem, if you have a question, let's answer it:

In Brazil, it is the culture to use CGN (aka CGNAT) because of the number of ports each subscriber can use (and also to save resources by having more options for how many ports each one receives), in addition to being more interesting in terms of logging (under the law).

But with great power comes great responsibility: I have IPv6 on all customer services. And thanks to that, most people don't notice this problem I'm facing, precisely because most of the big services (Google, Facebook, Netflix...) are on IPv6.

Hello,

Thanks for the explanation. I take it that you are an ISP?


I'll see if I can find anything else...

Yes, I am an ISP, and this equipment serves residential customers (broadband) and datacenter services (website hosting, some basic infrastructure services such as authoritative DNS, recursive DNS, VoIP, FTP)...


The thing is that with normal NAT it is also possible to allocate a limit on how many ports each host can use, but when scaling, general NAT brings some problems with identifying the client. And CGN should always be used with IPv6. A network today that does not have IPv6 is practically a network without scale, and an old one.

As incredible as it may seem, I have always identified with IPv6; by the way, it is very easy to configure. The problem is that to configure the network you have to follow basic concepts and standards (RFCs); a network with MTU / physical-medium problems will hardly succeed at running dual stack, no matter how miraculous Path MTU is.


No network is complex, people: well that's another conversation.
