02-21-2012 07:31 AM - edited 03-01-2019 03:18 PM
Manigandan B
Welcome to the Cisco Support Community Ask the Expert conversation. Learn from Cisco expert Manigandan B about the architecture, features, performance and benefits of Cisco ASR 1000 Series Routers. This event is a continuation of the Cisco live Facebook Forum, where you can ask additional questions to the expert.
Manigandan B. is a technical services engineer at Cisco working as a team leader for the Enterprise Services team. He works primarily with customers and their escalations in the Europe, Middle East and Africa (EMEA) region. His areas of expertise are architecture of routers, Cisco IOS, QoS, packet tracing, Cisco Express Forwarding, Cisco NetFlow, Network Address Translation, and other router platform issues. Mani has been associated with Cisco for more than 3 years, having joined Cisco after receiving a bachelor's degree in electronics and communication engineering. He also holds CCNA, CCNP, and ITIL certifications.
Remember to use the rating system to let Manigandan know if you have received an adequate response.
Manigandan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community discussion forum shortly after the event. This event lasts through March 6, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
03-01-2012 06:29 AM
Hello Michel,
It's worth opening a TAC case for this, as we need to deal more with QFP NAT.
Anyway, can you please add this:
show tech
show logging --> This will be covered under "show tech" if the IOS-XE version is 15.0(1)S or later.
sh ip nat translation
sh ip nat statistics
sh plat hard qfp active statistics drop | e _0_
sh platform hardware qfp active feature nat datapath stats
sh plat har qfp act inf ex st us
One of the reasons why 1:1 NAT can happen with PAT is when some non-IP traffic that needs to be PAT'd is flowing through the box. This could be some non-TCP/UDP/ICMP traffic.
It is always better to employ an ACL to:
1. permit only TCP/UDP/ICMP
2. deny DNS, NetBIOS, LDAP (if they don't use these ALGs).
Please note that GRE is one such type of traffic that can cause the whole IP address to be used - we can't PAT it.
ACL changes are definitely needed, not just as a workaround but as a best practice, to avoid these 1:1 issues in the future.
We can disable a few ALGs, but without knowing the network I cannot suggest that.
I think we may need a detailed TAC analysis, so please open a TAC case with the above suggested info. Thanks and have a nice day.
Cheers,
/Mani
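To see how many pool addresses are held by 1:1 bindings rather than shared by PAT, the translation table can be tallied offline. The Python script below is an added example, not part of the original posts or any Cisco tooling; it assumes the classic "show ip nat translations" column layout, in which a 1:1 binding is listed as a bare address without ports, and its sample table is constructed.

```python
from collections import defaultdict

# Constructed sample in the classic "show ip nat translations" column layout
# (documentation addresses; not output from the routers in this thread).
SAMPLE = """\
Pro  Inside global         Inside local          Outside local         Outside global
tcp  198.51.100.5:1024     10.1.1.10:51515       203.0.113.9:443       203.0.113.9:443
udp  198.51.100.5:1025     10.1.1.11:40000       203.0.113.53:53       203.0.113.53:53
icmp 198.51.100.5:7        10.1.1.12:7           203.0.113.9:7         203.0.113.9:7
---  198.51.100.1          10.1.1.20             ---                   ---
tcp  198.51.100.1:51000    10.1.1.20:51000       203.0.113.9:80        203.0.113.9:80
---  198.51.100.2          10.1.1.21             ---                   ---
"""


def parse_translations(text):
    """Return (one_to_one, pat_counts) from a translation table dump."""
    one_to_one = {}                # global IP -> inside host holding the whole address
    pat_counts = defaultdict(int)  # global IP -> number of port-level entries
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:       # header and blank lines do not have 5 columns
            continue
        inside_global, inside_local = fields[1], fields[2]
        if ":" in inside_global:   # address:port -> a PAT (extended) entry
            pat_counts[inside_global.rsplit(":", 1)[0]] += 1
        else:                      # bare address -> whole IP bound to one host
            one_to_one[inside_global] = inside_local
    return one_to_one, dict(pat_counts)


def pool_report(text, pool_size):
    """Summarise how much of a pool of pool_size addresses is lost to 1:1 NAT."""
    one_to_one, pat_counts = parse_translations(text)
    return {
        "one_to_one": sorted(one_to_one),
        "pat_only": sorted(ip for ip in pat_counts if ip not in one_to_one),
        "hosts_holding_an_ip": sorted(one_to_one.values()),
        "pool_fraction_lost": len(one_to_one) / pool_size,
    }


if __name__ == "__main__":
    for key, value in pool_report(SAMPLE, pool_size=5).items():
        print(f"{key}: {value}")
```

The inside hosts reported as holding a whole address are the ones whose traffic is worth checking for protocols other than TCP/UDP/ICMP, such as GRE, before adjusting the NAT ACL.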
02-28-2012 09:27 AM
Hi friends,
Need your urgent help. Need to convert legacy cct. (OPX, tie trunk, FX, hotline, ATM, Frame Relay) into the latest and cheap technology. Contact me directly @ mohsinjaved82@hotmail.com
02-29-2012 07:21 AM
Hello Mani,
Got a question regarding 2 ASR1001's that I have that occasionally receive false temperature warnings from the power supply. I think I see bug CSCtr38540 that might exactly describe this, but I can't view any details to know for sure. Apparently there is proprietary info on this bug. I think what I need to know is if there is a new IOS that would fix this? If so, what would that be? Is there any way I can view info on this bug minus the info Cisco doesn't want me to see?
Thanks much, Joe
02-29-2012 09:27 AM
Hello Joe,
Can you paste me the logs you see? I guess you see something like:
"%ENVIRONMENTAL-1-ALERT: Temp: Inlet, Location: P1, State: Shutdown, Reading: 127 Celsius"
You can verify if it's a false alarm by checking with the "show platform" command. You would see something like:
show platform
Chassis type: ASR1001
Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ASR1001             ok                    1w3d
 0/0      ASR1001             ok                    1w3d
R0        ASR1001             ok, active            1w3d
F0        ASR1001             ok, active            1w3d
P0        ASR1001-PWR-AC      ok                    1w3d
P1        ASR1001-PWR-AC      ok                    1w3d  >>>
P2        ASR1001-FANTRAY     ok                    1w3d
These 2 bugs: CSCtr43123 CSCtu16388 are the duplicates of CSCtr38540, so you saw the release notes talking about CSCtu16388. Nothing to worry about. The ASR1k team is working with the vendor, Emerson, on providing the right info about the PS, as ASR1k code relies on that info. This issue is on its way to getting fixed. Thanks.
Cheers,
/Mani
02-29-2012 10:15 AM
Hi Mani,
I pasted the things in this email.. it's exactly as you described. So when you say “this issue is on its way to being fixed”, <- that means so far that there is no fix yet?
So far this has not caused us any issues, it's just one of those things that makes you nervous when you see it in a log.
Have a great day! Joe
Feb 10 04:01:12: %ENVIRONMENTAL-1-ALERT: Temp: Inlet, Location: P1, State: Minor, Reading: 72 Celsius
Feb 21 00:09:22: %ENVIRONMENTAL-1-ALERT: Temp: Inlet, Location: P0, State: Shutdown, Reading: 127 Celsius
LMAN-ALLEGAN#show platform
Chassis type: ASR1001
Slot Type State Insert time (ago)
03-01-2012 05:05 AM
Hi Joe,
The ASR1k development team is actively working on the fix for this vendor stats issue from the power supply. It has no impact, as the "show plat" command will tell us that the health of the PS is perfectly fine. Please omit for now and we will fix it sooner :). Have a wonderful day. Thanks.
Cheers,
/Mani
03-02-2012 10:50 AM
Brendon:
We experienced this on several of our ASRs (1001 & 1002).
We opened a TAC case and found out that this is fixed in 15.2(1)S and 15.1(3)S2. We've got 15.2(1)S burning in the lab before we deploy it to production in a few weeks.
Ven
02-29-2012 03:13 PM
Hi Mani,
I am attempting to set up traffic policing inbound on the ASR1001.
I want to police the incoming traffic in a vlan from a service provider to 100M (all traffic - no bursting permitted).
My config looks like this:
class-map match-all FX_INTERNET_CLASS
 match access-group name FX_INBOUND
!
policy-map FX_INBOUND_POLICY
 class FX_INTERNET_CLASS
  bandwidth 100000
  police cir 10000000
   conform-action transmit
   exceed-action drop
   violate-action drop
interface Port-channel1.202
 description FX Internet National
 encapsulation dot1Q 202
 ip address 172.19.10.6 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip ospf 100 area 0
 service-policy input FX_INBOUND_POLICY
ip access-list extended FX_INBOUND
 permit ip any any
I have tested this using iperf and it doesn't work.
Also the following message is displayed:
ttpchcrt04#sh policy-map interface
Port-channel1.201
Service-policy input: FX_INBOUND_POLICY
Service policy FX_INBOUND_POLICY is in suspended mode
Port-channel1.202
Service-policy input: FX_INBOUND_POLICY
Service policy FX_INBOUND_POLICY is in suspended mode
Can you help with this please?
03-01-2012 05:28 AM
Hello Brendon,
What you see is expected, as we don't support ingress QoS on port-channel or its sub interfaces. This feature will make it into the ASR1k's XE38/15.3(1)S/3.8.0S. Anytime this month - tentative.
The following applies for GEC on ASR in release 15.1(2)S:
Ingress QoS:
Application point     Policing      Queueing
port-channel sub      Supported     No support
port-channel main     No support    No support
member-link           No support    No support
And for egress QoS:
Application point     Policing      Queueing
port-channel sub      No support    No support
port-channel main     No support    No support
member-link           Supported     Supported
Thanks for the question.
Cheers,
/Mani
03-01-2012 05:32 AM
Dear Mani,
Kindly, your input is highly appreciated.
Thanks,
Michel.
Hello Manigandan,
We have implemented a few dozen ASR 1004s as Internet Gateways, but unfortunately we are having lots of problems when running PAT.
Two issues have been faced so far and are critical to operations:
1- PAT pooling fails, whereas if we have a pool with N entries, lots of protocols are consuming 1-to-1 NAT, which leaves us with a shortage of ports. A pool of 5 IP addresses should serve about 320000 ports, thus 320000 simultaneous connections, but we only end up using the first 4 IP addresses as 1-to-1 NAT and the remaining 5th is doing PAT! We tried to increase the pool mask (e.g. 20 IP addresses) and still have the same issue. We expect to serve 2000000 simultaneous connections per ESP-40 (as per the datasheet).
2- On another unit we have the following output in the NAT stats:
sh ip nat statistics
Total active translations: 75727 (0 static, 75727 dynamic; 75727 extended)
Outside interfaces:
GigabitEthernet0/0/2, GigabitEthernet0/0/3
Inside interfaces:
GigabitEthernet0/0/0, GigabitEthernet0/0/1
Hits: 1842060462 Misses: 52429354
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 52225597
Dynamic mappings:
-- Inside Source
[Id: 9] route-map NATALL pool natpool refcount 75320
pool natpool: netmask 255.255.255.0
start 89.108.185.51 end 89.108.185.100
type generic, total addresses 50, allocated 1 (2%), misses 0
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
Pool stats drop: 0 Mapping stats drop: 1
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
Note that we have 75727 simultaneous connections for a SINGLE IP... That is a bit awkward, don't you think?
Your feedback is much appreciated.
One last question, is there any document related to which applications are supported by PAT on the ASR1K?
Thanks,
Michel.
03-02-2012 10:13 AM
Hello.
Is there an SVI equivalent for ASR1002 platform?
Single IP address visible on 2 physical ports?
03-02-2012 10:27 PM
Hi,
We have bridge domain groups and BDI interfaces (instead of Vlan, SVI interfaces), please see the same below:
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/bdi.html
Best wishes.
Cheers,
/Mani
03-05-2012 09:49 AM
Mani,
The command "interface BDI" is not supported on our device.
Here is the version I'm running,
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XND2, RELEASE SOFTWARE (fc1)
Is BVI my only other option?
Thanks.
JD
03-05-2012 11:47 PM
Hello JD,
A few points:
1. Legacy bridging is not supported on ASR1k. Please see: CSCth68125 ASR1k : Remove unsupported command 'bridge-group' from the parser. The commands were 'bridge-group ...' and 'interface BVI'.
2. The only solution is BDI. The support for the same started from: XE32/15.1(1)S/3.2.0S.
Please also note that you are running an IOS-XE software that's quite old and end of software engineering as well:
Hope this helps. Best wishes.
Cheers,
/Mani
03-04-2012 09:43 AM
Hi Mani,
What does it mean in the datasheet for ESP 10: FW or NAT: 1,000,000 sessions?
We are currently having an issue with an ASR1006 with ESP10, processing almost 2Gbps with 500.000 firewall sessions and 350.000 total PAT translations at traffic peak, and the status control-processor output is like this:
ASR_1006#show platform software status control-processor brief
Load Average
Slot Status 1-Min 5-Min 15-Min
RP0 Healthy 1.11 1.07 1.10
RP1 Healthy 0.11 0.15 0.09
ESP0 Healthy 2.86 2.81 2.73
ESP1 Healthy 0.00 0.00 0.00
SIP0 Healthy 0.00 0.02 0.00
SIP1 Healthy 0.01 0.24 0.16
Memory (kB)
Slot Status Total Used (Pct) Free (Pct) Committed (Pct)
RP0 Healthy 2009868 1625524 (81%) 384344 (19%) 1169504 (58%)
RP1 Healthy 2009868 1432636 (71%) 577232 (29%) 1021776 (51%)
ESP0 Healthy 2009892 640784 (32%) 1369108 (68%) 407384 (20%)
ESP1 Healthy 2009892 597048 (30%) 1412844 (70%) 404456 (20%)
SIP0 Healthy 449768 308368 (69%) 141400 (31%) 253088 (56%)
SIP1 Healthy 449768 309032 (69%) 140736 (31%) 253704 (56%)
CPU Utilization
Slot CPU User System Nice Idle IRQ SIRQ IOwait
RP0 0 13.28 23.67 0.00 62.13 0.09 0.79 0.00
RP1 0 0.10 0.10 0.00 99.79 0.00 0.00 0.00
ESP0 0 47.00 38.42 0.00 13.57 0.39 0.59 0.00
ESP1 0 0.09 0.19 0.00 99.50 0.00 0.19 0.00
SIP0 0 0.50 0.60 0.00 98.90 0.00 0.00 0.00
SIP1 0 0.60 0.50 0.00 98.90 0.00 0.00 0.00
These high CPU utilization values for ESP used to be 4% for User + System at traffic peak for 1.6 Gbps, 350.000 PAT translations and 450.000 firewall sessions.
We have opened a TAC case, but we still do not know if this is too much for the ASR1006 to handle this amount of traffic.
Thanks and regards,
Dragana