07-04-2023 04:03 PM - edited 07-04-2023 04:21 PM
Hi, everyone,
In my CML lab, I have a LAN with two hosts (172.16.0.2 and .3) that each have global addresses (159.38.12.9 and .10). I'm trying to ping 159.38.12.10 (host B) from 172.16.0.2 (host A). I'm expecting host A's Echo to be NAT'd and routed by the gateway router, which appears to be happening correctly. However, after translation, the packet is dropped, seemingly without reason.
Here are the debug logs:
*Jul 4 22:14:31.416: CEF-Debug: Packet from 172.16.0.2 (Gi0/0) to 159.38.12.10, Packet for us Control Plane: marking in pak host [cef receive]
*Jul 4 22:14:31.418: IPpacketQ deq s=172.16.0.2 (GigabitEthernet0/0), d=159.38.12.10, flags=0x280, tos=0x0, frag_offset=0
*Jul 4 22:14:31.418: ICMP type=8, code=0
*Jul 4 22:14:31.419: IP: s=172.16.0.2 (GigabitEthernet0/0), d=159.38.12.10, len 84, input feature, debug packet(1), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jul 4 22:14:31.419: IP: s=172.16.0.2 (GigabitEthernet0/0), d=159.38.12.10, len 84, input feature, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jul 4 22:14:31.419: IP: s=172.16.0.2 (GigabitEthernet0/0), d=159.38.12.10, len 84, input feature, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jul 4 22:14:31.420: IP: s=172.16.0.2 (GigabitEthernet0/0), d=159.38.12.10, len 84, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jul 4 22:14:31.420: IP: tableid=0, s=172.16.0.2 (GigabitEthernet0/0), d=159.38.12.10 (GigabitEthernet0/1), routed via RIB
*Jul 4 22:14:31.420: NAT: i: icmp (172.16.0.2, 24) -> (159.38.12.10, 24) [6072]
*Jul 4 22:14:31.421: NAT: s=172.16.0.2->159.38.12.9, d=159.38.12.10 [6072]
*Jul 4 22:14:31.421: NAT: s=159.38.12.9, d=159.38.12.10->172.16.0.3 [6072] s_vrf=> , d_vrf=>
*Jul 4 22:14:31.421: NAT-FRAG: tcpmss value :0
*Jul 4 22:14:31.421: NAT-NVI: IP route found: s=159.38.12.9, d=172.16.0.3
*Jul 4 22:14:31.421: IP: s=159.38.12.9 (GigabitEthernet0/0), d=172.16.0.3 (GigabitEthernet0/0), len 84, output feature, Post-routing NAT NVI Output(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jul 4 22:14:31.422: IP: Output changed by feature=24: GigabitEthernet0/1 -> GigabitEthernet0/0
*Jul 4 22:14:31.422: IP: s=159.38.12.9 (GigabitEthernet0/0), d=172.16.0.3 (GigabitEthernet0/0), len 84, output feature, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jul 4 22:14:31.423: IP: s=159.38.12.9 (GigabitEthernet0/0), d=172.16.0.3 (GigabitEthernet0/0), len 84, rcvd local pkt
*Jul 4 22:14:32.439: IOSv Gi0/0 PAK-ERROR: receive @0xE58ECF0 sz 98 encap 14
*Jul 4 22:14:32.439: IOSv Gi0/0 PAK-ERROR: process receive @0xE58ECF0 sz 98 encap 14
*Jul 4 22:14:32.439: CEF-Debug: Packet from 172.16.0.2 (Gi0/0) to 159.38.12.10
*Jul 4 22:14:32.439: CFT Engine: Could not find flow for the given fid, cft_flow_set_application_id_resolved, fid: 0
*Jul 4 22:14:32.439: CFT Engine: Could not find flow for the given fid, cft_flow_get_application_id_resolved, fid: 0
The "PAK-ERROR" stands out, but there weren't any abnormalities in the interface info, NVI translation table, or FIB/ADJ.
Aside: When using a host's inside local address to communicate with another host's inside global address, the router appears to intercept all traffic. For example, Echo Reply(s) are sent from the router to the source. UDP traffic is intercepted, and the source is sent a port unreachable message. For TCP traffic, the router sends a reset segment immediately after seeing a SYN segment.
Traffic originating from outside the LAN works without issue. This leads me to believe the issue has something to do with NAT, but the debug logs show that the gateway router translated and attempted to route the packet correctly. Is using inside global addresses from within the inside network prohibited?
Thank you,
Rafael
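To make the hairpin visible in the debug output above, here is a small added Python script (not part of the original post) that follows the packet through the quoted "routed via RIB", "NAT:", "Output changed" and "rcvd local pkt" lines and reports the post-translation addresses and interfaces. The sample lines are copied from the post; the inside subnet 172.16.0.0/24 is an assumption, since the post only shows hosts .2 and .3.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant debug lines quoted in the post.
DEBUG_LINES = """\
*Jul 4 22:14:31.420: IP: tableid=0, s=172.16.0.2 (GigabitEthernet0/0), d=159.38.12.10 (GigabitEthernet0/1), routed via RIB
*Jul 4 22:14:31.421: NAT: s=172.16.0.2->159.38.12.9, d=159.38.12.10 [6072]
*Jul 4 22:14:31.421: NAT: s=159.38.12.9, d=159.38.12.10->172.16.0.3 [6072] s_vrf=> , d_vrf=>
*Jul 4 22:14:31.422: IP: Output changed by feature=24: GigabitEthernet0/1 -> GigabitEthernet0/0
*Jul 4 22:14:31.423: IP: s=159.38.12.9 (GigabitEthernet0/0), d=172.16.0.3 (GigabitEthernet0/0), len 84, rcvd local pkt
"""

# Initial routing decision: source/ingress interface and destination/egress interface.
ROUTE_RE = re.compile(r"IP: tableid=\d+, s=(\S+) \((\S+)\), d=(\S+) \((\S+)\), routed via RIB")
# NAT rewrite lines; either side may carry an "old->new" rewrite.
NAT_RE = re.compile(r"NAT: s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))?")
# Post-routing NAT changing the output interface (feature 24 = NAT NVI Output here).
OUTPUT_RE = re.compile(r"IP: Output changed by feature=\d+: (\S+) -> (\S+)")


def trace_nat(debug_text, inside_net="172.16.0.0/24"):
    """Follow one packet through the debug lines and describe where it ends up.

    inside_net is an assumed value: the post only shows hosts .2 and .3 on it.
    """
    inside = ipaddress.ip_network(inside_net)
    state = {"ingress": None, "egress": None, "src": None, "dst": None,
             "hairpin": False, "dst_inside_after_nat": False, "local_rcv": False}
    for line in debug_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            state["src"], state["ingress"], state["dst"], state["egress"] = m.groups()
            continue
        m = NAT_RE.search(line)
        if m:
            s, s_new, d, d_new = m.groups()
            state["src"] = s_new or s      # keep the rewritten address if present
            state["dst"] = d_new or d
            continue
        m = OUTPUT_RE.search(line)
        if m:
            state["egress"] = m.group(2)   # NAT overrode the RIB's output interface
            continue
        if "rcvd local pkt" in line:
            state["local_rcv"] = True      # router handed the packet to itself
    # Hairpin: the packet would leave on the interface it arrived on.
    state["hairpin"] = state["ingress"] is not None and state["ingress"] == state["egress"]
    state["dst_inside_after_nat"] = (state["dst"] is not None
                                     and ipaddress.ip_address(state["dst"]) in inside)
    return state
```

Running trace_nat(DEBUG_LINES) shows the destination already rewritten to host B's inside local address while the output interface flips back to Gi0/0, which is the hairpin condition to look at when comparing against the working outside-originated traffic.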
07-22-2023 12:40 AM
Hello Rafael,
This is an interesting problem you've experienced. I wonder - have you solved it in the meantime? If not, since it was quite a while ago, would you mind trying to come back to it and sharing some more outputs if you manage to reproduce it?
Best regards,
Peter