
CGN NAT44 configuration issue: Unable to obtain requested information Error:'cgn' detected the 'warning' condition 'The instance has not yet been configured'

enrique.villa
Level 1

Hello,

We followed this thread's advice (https://supportforums.cisco.com/message/3753984) to get a CGN up and running with a single VRF instance (IOS XR 4.2).

Everything seems to be ok but we are getting the following error:

asr#show cgn nat44 NAT444 statistics

Unable to obtain requested information Error:'cgn' detected the 'warning' condition 'The instance has not yet been configured'

asr#

We have configured the service infra interface and we have also reloaded the line card.

Plus, we don't see this error in any guide. Could you please enlighten us?

Thank you in advance,

21 Replies

Hello,

Let's try to answer this new question in the different topic you opened here:

https://supportforums.cisco.com/message/3841906#3841906

Cheers,

N.

Hi Nicolas,

Hopefully the discussion is still open. Currently I'm running ISM version 4.2.x and I have 2 questions regarding NAT44:

1. Please confirm my current understanding: in order to create a different NAT pool within the ISM line card, we need to create another serviceApp interface for the inside and outside VRF (if needed; in this case, I'm using a VRF for the outside address), but we can still use the existing serviceInfra interface.

2. Static port forwarding. Based on the definition: "Static port forwarding helps in associating a private IP address and port with a statically allocated public IP and port." In the document I've read (http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.3/cg_nat/configuration/guide/cgc43cgn.pdf), the configuration only maps the private IP and port, but not with a static public IP and port, from which I'm assuming that the public translated IP addresses are still mapped with the specified pool (i.e. /26 or /30) and not a static public IP and port.

Need your advice on this.

Thanks



Hi Adiyudha,

1: yes, at least you'll need to have multiple inside serviceApps to assign to each inside VRF

2: the software does not give you the ability to pick the external address and will do it for you inside the pool.

So indeed, you map inside address and port. The port will be the same on the outside and the CGN software will pick one address based on the hash algorithm.

Kind regards,

N.

Hi Nicolas,

Appreciate your swift response. So the closest condition to match the 1:1 mapping is to create the smallest pool range and port range.

Once the connection is established, as per my understanding, the mapping table will persist / not change at all until the box is reloaded / the NAT session is cleared.

Thanks

Adiyudha

Hi Adiyudha,

I'm not sure it's a good workaround to mimic a 1:1 translation, unfortunately.

Once the translation is configured, it will map the defined inside address to an outside address for a particular port (and not a range of ports, just for one port). So, if you map port 80 for inside address A for example, it doesn't mean that other ports of address A will be mapped statically. On the contrary, they will be mapped randomly to outside ports.

The tested scale for static mapping is 6000 entries (pair of address+port), not 6000 addresses.

The mapping being static, it is not initiated by i2o traffic, but by configuration, so it can only be cleared by removing the configuration.

The mapping is preserved if the card or chassis is reloaded.

Hope it clarifies a bit,

Best regards,

N.
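The point in the reply above that the tested scale counts (address, port) pairs and that only the configured port of an address is pinned, shown as an added example that is not part of the thread or Cisco's code: a Python audit that lists the static forwards in a running-config excerpt. The `static-forward inside` / `address ... port ...` lines are assumed to follow the IOS XR CGN configuration guide syntax; the sample config, instance names and addresses are constructed.

```python
import re
from collections import defaultdict

TESTED_SCALE = 6000  # figure quoted in the thread: (address, port) pairs, not addresses

# Constructed sample config (not from the thread); names and addresses are placeholders.
SAMPLE_CONFIG = """\
service cgn EXAMPLE-CGN
 service-type nat44 EXAMPLE-NAT44
  inside-vrf EXAMPLE-INSIDE
   protocol tcp
    static-forward inside
     address 10.0.0.10 port 80
     address 10.0.0.10 port 443
     address 10.0.0.20 port 22
   !
   protocol udp
    static-forward inside
     address 10.0.0.10 port 53
"""

def static_forwards(config):
    """Return a list of (inside_vrf, protocol, address, port) static forwards."""
    vrf = proto = None
    in_static = False
    found = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"inside-vrf (\S+)", line):
            vrf, proto, in_static = m.group(1), None, False
        elif m := re.fullmatch(r"protocol (\S+)", line):
            proto, in_static = m.group(1), False
        elif line == "static-forward inside":
            in_static = True
        elif in_static and (m := re.fullmatch(r"address (\S+) port (\d+)", line)):
            found.append((vrf, proto, m.group(1), int(m.group(2))))
        elif line:  # "!" or any other statement closes the static-forward block
            in_static = False
    return found

def summarize(config):
    """Count pairs (what the scale figure applies to) and list pinned ports per address."""
    entries = static_forwards(config)
    pinned = defaultdict(set)
    for vrf, proto, addr, port in entries:
        pinned[(vrf, addr)].add((proto, port))
    return {"pairs": len(entries), "addresses": len(pinned),
            "within_tested_scale": len(entries) <= TESTED_SCALE,
            "pinned": {k: sorted(v) for k, v in pinned.items()}}
```

Any port of an inside address that does not appear in `pinned` is still translated dynamically, so the list doubles as an inventory of which inside services are reachable from outside by configuration.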

Hi, Nicholas:

 

I was wondering if you could help with a problem I'm having.

 

I have a very similar setup to what is described in deployment guides (with VSM 5.1.2) where I use ABF to divert traffic into the inside serviceapp3 interface. There are differences though:

- ABF is configured on an interface in an NV Sat.

- The nv sat interface is on the default VRF with ABF pointing to NH within inside-vrf.

- static route pointing to ServiceApp33 (vrf default)

- static route in inside-vrf pointing to NH on vrf default

 

My problem is that everything points to traffic going into the VSM, NAT translation being generated and I actually see I2O packets, but no return whatsoever.

 

RP/0/RSP0/CPU0:XXXXXX#show cgn nat44 NAT44-3 inside-translation protocol icmp inside-vrf INSIDE inside-address 192.168.136.129$
Wed Jan 28 10:14:35.544 CST
Inside-translation details
---------------------------
NAT44 instance : NAT44-3
Inside-VRF     : INSIDE
--------------------------------------------------------------------------------------------
   Outside         Protocol  Inside       Outside       Translation   Inside      Outside
   Address                   Source       Source        Type          to          to
                             Port         Port                        Outside     Inside
                                                                      Packets     Packets
--------------------------------------------------------------------------------------------
  200.x.y.1      icmp    71           61327         dynamic       5           0           
RP/0/RSP0/CPU0:XXXXXX#show run router static
Wed Jan 28 10:14:49.528 CST
router static
 address-family ipv4 unicast
  200.x.y.0/24 ServiceApp33

 !

vrf INSIDE
  address-family ipv4 unicast
   192.168.136.128/25 vrf default GigabitEthernet100/0/0/0 192.168.136.2
 !

At least the inside portion looks fine. On the outside serviceapp I see output packets, but no input packets. As you can see, I have the return static route pointing to Sapp33 and the return static route to where traffic origin is; still no luck.

 

Any advice?

Thanks,

c.

Hi

I have an ASR9K box running CGN, and I have two questions:

The public pool assigned is two /21 subnets, which means 4096 IP addresses. Why am I seeing Pool address used: 3876?

In the run attach 0/4/CPU0, what other commands can I use other than # show_nat44_stats? How can I list the available options?

I have a port-limit of 100. I made your calculations above and I got 72 ports per user; should I increase the port-limit?

 

Thanks

 

BR,

Mohammad

 
