NAT Problem with ISR4321

reuven.levitanus1 · ‎02-06-2017

Hello,

I purchased few months back ISR4321 with xDSL modem (NIM-VAB-A) for home use, to replace consumer grade "standard" home router.

The router is working OK, in terms of configuration, but it hangs every few days. NAT translations stops the translations and no WAN access.

The xDSL modem in such state continue to be connected and the Ethernet interfaces still has external ISP IP address.

The ISP vendor also confirms that they see the router connected on their end.

(As I connected with download speed of 100mbit, the modem is connected to the ISP using PTM method and not ATM)

Any idea what can cause to NAT translations stop working. only router's reload solves the problem.

(I didn't find any other way to resume NAT translations)

Thanks,

Reuven

Georg Pauwen · ‎02-06-2017

Hello Reuven,

this could be caused by a variety of issues. Can you post your configuration ? Are you using static and pool translations ?

Which OS version are you running ? Could be a bug as well...

reuven.levitanus1 · ‎02-06-2017

Hello Georg,

Thank you for your help!

Initially I was used OS version "isr4300-universalk9.16.02.01"

Then I assumed maybe some bug with this OS and switched to OS recommended by Cisco (marked with star): isr4300-universalk9.03.16.04b.S.155-3.S4b.

The problem didn't disappear unfortunately, but looks like appears with lower frequency.

my key router configuration is as below (excluding DHCP server setup...):

hostname Router
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging buffered
!
no aaa new-model
clock timezone Israel 2 0
!
!
!
!
!
!
!
!
ip nbar http-services
!
!
!

subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3667045416
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3667045416
revocation-check none
rsakeypair TP-self-signed-3667045416
!
!

diagnostic bootup level minimal
spanning-tree extend system-id
!

redundancy
mode none
!
!
!
!
controller VDSL 0/1/0
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description LAN$ETH-LAN$
ip address 10.0.0.200 255.255.255.0
ip nat inside
ip nbar protocol-discovery
ip tcp adjust-mss 1452
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!

interface Ethernet0/1/0
no ip address
ip nbar protocol-discovery
no negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 120
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Dialer120
mtu 1492
ip address negotiated
ip nat outside
encapsulation ppp
load-interval 60
dialer pool 120
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password 0 Password
ppp pap sent-username username password 0 Password
!
ip nat inside source list 1 interface Dialer120 overload
ip forward-protocol nd
no ip ftp passive
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 Dialer120
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
speed 115200
line aux 0
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
!
!
!
!
!
end

Thanks,

Reuven