Thank you for the quick answer,

I don´t have full access to the platform atm but I can post the most relevant info form my text files: (When it says IPpublic-range there is public IPs in the ARK9K instead):

hw-module service cgn location 0/4/CPU0

vrf inside

address-family ipv4 unicast

interface GigabitEthernet0/1/0/6

description NAT44A

vrf inside

ipv4 address 192.168.128.1 255.255.255.240

transceiver permit pid all

interface ServiceApp1

vrf inside

ipv4 address 1.1.1.1 255.255.255.252

service cgn NAT44A service-type nat44

!

interface ServiceApp2

ipv4 address 2.1.1.1 255.255.255.252

service cgn NAT44A service-type nat44

!

interface ServiceInfra1

ipv4 address 192.168.128.241 255.255.255.240

service-location 0/4/CPU0

router static

address-family ipv4 unicast

  IPpublic-range ServiceApp2

vrf inside

  address-family ipv4 unicast

   0.0.0.0/0 ServiceApp1

service cgn NAT44A

service-location preferred-active 0/4/CPU0

service-type nat44 nat1

  inside-vrf inside

   map address-pool IPpublic-range

You are defining instance NAT44A and you try to check the stats on NAT444.

What does "show cgn nat44 NAT44A statistics" gives you ?

Cheers,

N.

Ooops my fault

All of them should read NAT44A or NAT444 (as you like), I mistyped it when posting, that is not part of the issue.

Ok, config seems ok.

Please send the output of "show platform" or "sh install act sum", first.

Curious to know if serviceInfra is up too.

Thanks,

N.

Hi Nicolas,

We can ping serviceInfra.

Below the output of the 2 commands:

RP/0/RSP0/CPU0:ASR9K#show platform

Node            Type                      State            Config State

-----------------------------------------------------------------------------

0/RSP0/CPU0     A9K-RSP-4G(Active)        IOS XR RUN       PWR,NSHUT,MON

0/RSP1/CPU0     A9K-RSP-4G(Standby)       IOS XR RUN       PWR,NSHUT,MON

0/0/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON

0/1/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON

0/2/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON

0/4/CPU0        A9K-ISM-100(LCP)          IOS XR RUN       PWR,NSHUT,MON

0/4/CPU1        A9K-ISM-100(SE)           APP-READY

RP/0/RSP0/CPU0:ASR9K#show install act sum

  Active Packages:

    disk0:asr9k-services-p-4.2.1

    disk0:asr9k-9000v-nV-p-4.2.1

    disk0:asr9k-mini-p-4.2.1

    disk0:asr9k-optic-4.2.1

    disk0:asr9k-doc-p-4.2.1

    disk0:asr9k-mpls-p-4.2.1

    disk0:asr9k-mgbl-p-4.2.1

    disk0:asr9k-mcast-p-4.2.1

Best Regards,

Hello Nicolas,

You were absolutely right! We tried sh cgn nat44 nat1 statistics on the nat44 instance name and it´s showing statistics now.

But alas, now NAT´ed users are experiencing general slugginesh (some of them, at random).

RP/0/RSP0/CPU0:ASR9K#show cgn nat44 nat1 sta

Statistics summary of NAT44 instance: 'nat1'

Number of active translations: 26881

Translations create rate: 144

Translations delete rate: 0

Inside to outside forward rate: 6795

Outside to inside forward rate: 11638

Inside to outside drops port limit exceeded: 4876300

Inside to outside drops system limit reached: 0

Inside to outside drops resorce depletion: 0

No translation entry drops: 4391859

Pool address totally free: 0

Pool address used: 64

Pool address usage:

Config:

service cgn NAT444

service-location preferred-active 0/4/CPU0

service-type nat44 nat1

  portlimit 10000

  inside-vrf inside

   map address-pool IP-Public pool

We have tried several portlimit configs, from 100 to 60000 right now.

Any idea about this?

Thank you in advance,

Hello Enrique,

I will suppose that the "Inside to outside drops port limit exceeded" where present when you didn't have a port-limit at 10.000. (by the way, it's a fairly high number, we usually don't see more than 4096).

I see you are using a /26 ---> 64 outside addresses and 26881 concurrent users.

That makes an average of 26881/64 = 420 users per IP.

Each external address offers by default 65535-1024=64511 ports.

420 users sharing 64511, it's 154 ports average per user.

So, changing the port-limit to 10000 will not change much

I'm not concluding that it's the root cause of what you experienced, but it looks like a very high usage of the NAT port multiplexing.

More, the "math" above is based on the asumption that your traffic is load balanced to the different cores in the ISM.

To verify this, you can use the following:

RP/0/RSP0/CPU0:ASR9K#run attach 0/4/CPU0

# show_nat44_stats

---> use exit to get out of the attach mode.

My advise, try to allocate a slightly larger map pool to reduce the number of users per address.

The latency induced by the NAT should be negligeable (couple of hundreds of microseconds), so if the problem persists with a larger map pool, please contact the TAC and raise a case.

Cheers,

N.

Hello Nicolas,

Thank you for your support!. NAT44 is working now, we will raise a TAC case if we see these symptoms again.

Best regards,

Hi all

What am trying to achieve is utilization per pool , can I load balance the traffic on the ISM cores ? and How can I know the commands available on the run attach mode in order to retrieve more information related to CGN NAT traffic?

Thanks

Hello Nicolas,

The answer to your request:

RP/0/RSP0/CPU0:ASR9K#run attach 0/4/CPU0

attach: Starting session 1 to node 0/4/CPU0

# show_nat44_stats

         CORE-ID              #SESSIONS(%UTIL)          #USERS(%UTIL)

------------------------------------------------------------------------

            0               15356(0.5%)                212(0.16%)

            1                9165(0.3%)                225(0.17%)

            2               16384(0.6%)                228(0.17%)

            3               14313(0.5%)                239(0.18%)

            4                   0(0.0%)                  0(0.00%)

            5                   0(0.0%)                  0(0.00%)

            6                   0(0.0%)                  0(0.00%)

            7                   0(0.0%)                  0(0.00%)

------------------------------------------------------------------------

                 Total Sessions: 55218           Total users: 904

Main DB size is 2875008 and User DB size is 131072

#

Thank you in advance for your comments,

Cheers,

Ok, it's a very very light utilization you have here.

If the problem of latency re-occurs, the TAC will help you with the proper troubleshooting methodology.

Cheers,

N.

Hello,

we are trying to configure NAT64 on ISM. We are running 4.3.0 on ASR9k and all

packages are installed.

Problem is that the config guide is "incomplete" and the NAT64 config is not well

explained.

I will paste the config and show command. Problem is that we have the same problem

like the creator of the thread.

RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh cgn nat64 stateful CGN1 statistics

Tue Jan 29 14:52:59.351 BIH

Unable to obtain requested info Error:'cgn' detected the 'warning' condition 'The instance has not yet been configured'

RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh cgn nat64 stateful STATEFULL statistics

Tue Jan 29 14:59:07.270 BIH

Unable to obtain requested info Error:'cgn' detected the 'warning' condition 'CONN state is DOWN'

service cgn CGN1

service-location preferred-active 0/4/CPU0

service-type nat64 stateful STATEFULL

  portlimit 2000

  ipv6-prefix 64:ff9b::/64

  ipv4 address-pool 80.65.84.160/29

  dynamic-port-range start 10000

  address-family ipv4

   interface ServiceApp2

   tcp mss 600

  !

  address-family ipv6

   interface ServiceApp1

   protocol icmp

    reset-mtu

   !

   tcp mss 600

  !

  protocol udp

   timeout 1800

  !

  protocol tcp

   session initial timeout 90

   session active timeout 90

  !

  protocol icmp

   timeout 900

  !

  interface ServiceInfra10

ipv4 address 10.100.127.9 255.255.255.252

service-location 0/4/CPU0

RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#show platform

Tue Jan 29 14:57:29.753 BIH

Node            Type                      State            Config State

-----------------------------------------------------------------------------

0/RSP0/CPU0     A9K-RSP440-TR(Standby)    IOS XR RUN       PWR,NSHUT,MON

0/RSP1/CPU0     A9K-RSP440-TR(Active)     IOS XR RUN       PWR,NSHUT,MON

0/0/CPU0        A9K-8T-L                  IOS XR RUN       PWR,NSHUT,MON

0/1/CPU0        A9K-8T-L                  IOS XR RUN       PWR,NSHUT,MON

0/2/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON

0/3/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON

0/4/CPU0        A9K-ISM-100(LCP)          IOS XR RUN       PWR,NSHUT,MON

0/4/CPU1        A9K-ISM-100(SE)           APP-READY

Package asr9k-ism-cgv6-install-kit-4.3.0.00.sh has been installed!

Node 0/RSP0/CPU0 [RP] [SDR: Owner]

    Boot Device: disk0:

    Boot Image: /disk0/asr9k-os-mbi-4.3.0/0x100305/mbiasr9k-rsp3.vm

    Active Packages:

      disk0:asr9k-fpd-px-4.3.0

      disk0:asr9k-mpls-px-4.3.0

      disk0:asr9k-optic-px-4.3.0

      disk0:asr9k-doc-px-4.3.0

      disk0:asr9k-mini-px-4.3.0

      disk0:asr9k-mcast-px-4.3.0

      disk0:asr9k-mgbl-px-4.3.0

      disk0:asr9k-services-p-px-4.3.0

      disk0:asr9k-k9sec-px-4.3.0

Node 0/4/CPU0 [LC] [SDR: Owner]

    Boot Device: mem:

    Boot Image: /disk0/asr9k-os-mbi-4.3.0/lc/mbiasr9k-lc.vm

    Active Packages:

      disk0:asr9k-mpls-px-4.3.0

      disk0:asr9k-optic-px-4.3.0

      disk0:asr9k-mini-px-4.3.0

      disk0:asr9k-mcast-px-4.3.0

      disk0:asr9k-services-p-px-4.3.0

Service-Engine0/4/0/0          unassigned      Up                    Up     

Service-Mgmt0/4/0/0            unassigned      Up                    Up     

Service-Engine0/4/0/1          unassigned      Up                    Up     

Service-Mgmt0/4/0/1            unassigned      Up                    Up     

Service-Engine0/4/0/2          unassigned      Up                    Up     

Service-Mgmt0/4/0/2            unassigned      Up                    Up     

Service-Engine0/4/0/3          unassigned      Up                    Up     

Service-Mgmt0/4/0/3            unassigned      Up                    Up