Cisco ASR 1002 NAT quit working

I am running a Cisco ASR 1002 with ASR1000-ESP5 RP and version ASR1000 Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.4(3)S6a, RELEASE SOFTWARE (fc2) as an outward facing internet attached router.  I am using the zone-based firewall and the NAT function with DHCP and other housekeeping offloaded to a 3750 switch.  I am running a point to point VPN to it for remote access/troubleshooting to this router and the network behind it.  Today it was reported that the "internet was not working" at this location.  All I could tell is that the VPN was down.  I worked with a user on site and verified that the router could ping 8.8.8.8 and URLs such as www.google.com, but anything attached to the 3750 switch could not get to the outside world.  We also discovered that the sh ip nat translations command only showed the static translations and no dynamic translations.  Before we reloaded I had the user check the log and we found out at 02:37 CST this morning a message came in as such:

%FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: FO: fman_fp_image:  DYN-MAP: map_id 1 download to CPP failed.

Immediately after that the router lost logging to the remote logging server which is via the VPN, the Gi0/0/0, the outward facing interface, showed administratively down, and then of course the same interface went into down, down state.  Then the Gi0/0/0 interface came right back up and the Gi0/0/0 interface was assigned a new DHCP address (evidently the ISP has no lease time built into their DHCP server).  At that point it was apparent that the internet was indeed down at this location because NAT had stopped working.  I found a link,

  https://quickview.cloudapps.cisco.com/quickview/bug/CSCso94398

that advised this was a bug in IOS 12.2 12.2XN which advised "It means that the QFP Datapath rejected the pool removal. Any subsequent removal of the pool would not succeed."

After the reload the router is working fine again...natting and routing to outside world functional.

It almost appears as if some outside entity had accessed the router and tried to pull some nasty business on this router.  I have an access-list on line vty 0-4 and line vty 5-15 that allows access from only specific IP addresses which are the private IP addresses allowed in over the VPN and local addresses in the network at this location so I don't see how some other entity could have logged into this router from the outside, but I guess anything can happen.

I would just like to know if anyone else has seen this behavior and if it is a bug could I assume that it will happen again?  I have two IOSes on this router, I am using the newest one so I am also wondering if it would help to try running on the older IOS if this happens again.

Thanks for any and all help.
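A small correlation check for the log sequence described above, written as an added example (not code from the thread or from Cisco): it scans router syslog for the quoted FMFP-3-OBJ_DWNLD_TO_CPP_FAILED message and collects the interface flap and DHCP re-assignment that follow it, so the remote logging server can raise an alert on the NAT datapath failure instead of waiting for users to report the internet down. The interface and DHCP sample lines, the log timestamp format and the 300-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log in IOS syslog form. The FMFP line is the one quoted in the
# post; the interface and DHCP lines are assumed surrounding events, not from the thread.
SAMPLE_LOG = """\
Mar  5 02:30:01 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
Mar  5 02:37:02 CST: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: FO: fman_fp_image:  DYN-MAP: map_id 1 download to CPP failed.
Mar  5 02:37:05 CST: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
Mar  5 02:37:07 CST: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
Mar  5 02:37:15 CST: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
Mar  5 02:37:20 CST: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0/0 assigned DHCP address 203.0.113.77, mask 255.255.255.0, hostname asr1002
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+: %(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<body>.*)$')
MAP_RE = re.compile(r'DYN-MAP: map_id (\d+) download to CPP failed')
IFACE_RE = re.compile(r'Interface (\S+), changed state to (.+)$')
DHCP_RE = re.compile(r'Interface (\S+) assigned DHCP address (\S+),')
WINDOW_SECONDS = 300  # correlate events this close after the failure (assumption)

def parse(log_text):
    """Yield (timestamp, mnemonic, body) for each well-formed IOS syslog line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # IOS timestamps carry no year; deltas within one day still work
            yield datetime.strptime(m['ts'], '%b %d %H:%M:%S'), m['mnemonic'], m['body']

def find_nat_datapath_failures(log_text):
    """One finding per failed DYN-MAP download, with the interface/DHCP events that follow it."""
    events = list(parse(log_text))
    findings = []
    for ts, mnemonic, body in events:
        mm = MAP_RE.search(body) if mnemonic == 'FMFP-3-OBJ_DWNLD_TO_CPP_FAILED' else None
        if not mm:
            continue
        finding = {'time': ts.strftime('%H:%M:%S'), 'map_id': int(mm.group(1)),
                   'interface_events': [], 'new_dhcp_address': None}
        for ts2, mn2, body2 in events:
            if not 0 <= (ts2 - ts).total_seconds() <= WINDOW_SECONDS:
                continue
            if mn2.startswith('LINK-') and (im := IFACE_RE.search(body2)):
                finding['interface_events'].append((im.group(1), im.group(2)))
            elif mn2 == 'DHCP-6-ADDRESS_ASSIGN' and (dm := DHCP_RE.search(body2)):
                finding['new_dhcp_address'] = dm.group(2)
        findings.append(finding)
    return findings

if __name__ == '__main__':
    print(find_nat_datapath_failures(SAMPLE_LOG))
```

A finding whose interface list shows the WAN port going administratively down and a fresh DHCP address is the same pattern reported in the post, and is worth alerting on because dynamic NAT is already gone at that point even though the router itself can still ping out.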
