IOS XE ASR1k NAT44 CGN VRF-Lite Issue

Hi experts,

We have a strange problem on an ASR 1K (RP ESP5) running IOS XE 03.10.03.S (15.3(3)S3) with NAT44 using CGN mode in a VRF-lite context.

We have around 75000 sessions active (limit is 500000). Randomly, some PPPoE subscribers stop working; the ASR does not pass any traffic except ICMP.

Here's an excerpt of the configuration:

ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat translation timeout 300
ip nat translation tcp-timeout 2500
ip nat translation udp-timeout 300
ip nat translation finrst-timeout 45
ip nat translation syn-timeout 45
ip nat translation dns-timeout 45
ip nat translation icmp-timeout 45
ip nat translation max-entries 400000
ip nat translation max-entries all-host 500
ip nat service list 10 ftp tcp port 21
!
ip nat pool NAT_POOL_PUBLIC_51_178_167_46 51.178.167.46 51.178.167.46 netmask 255.255.255.0
ip nat inside source list NAT_POOL_PRIVATE_10_254_9_112 pool NAT_POOL_PUBLIC_51_178_167_46 vrf RACC_XDSL overload
!
Extended IP access list NAT_POOL_PRIVATE_10_254_9_112
    10 deny ip 10.254.9.112 0.0.0.7 host xxx.xxx.xxx.xxx
    20 deny ip 10.254.9.112 0.0.0.7 host xxx.xxx.xxx.xxx
    30 deny ip 10.254.9.112 0.0.0.7 host xxx.xxx.xxx.xxx
    40 permit tcp 10.254.9.112 0.0.0.7 any
    50 permit udp 10.254.9.112 0.0.0.7 any
    60 permit icmp 10.254.9.112 0.0.0.7 any
!

Status of VIA subinterface:

!
interface Virtual-Access2.1343
mtu 1500
ip nat inside
ip tcp adjust-mss 1452
end
!

Uplink configuration:

inte giga0/1
ip add xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
desc ** UPLINK***
ip nat outside
!

The only error the ASR sometimes shows is:

%IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:100 TS:00002894077329767228 %NAT-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool 275 may be exhausted

No debug output if using the following commands:

  IP NAT debugging is on for access list NAT_POOL_PRIVATE_10_254_9_112
  IP NAT detailed debugging is on for access list NAT_POOL_PRIVATE_10_254_9_112
  IP NAT max-limit debugging is on for access list NAT_POOL_PRIVATE_10_254_9_112
  IP NAT mapping debugging is on for access list NAT_POOL_PRIVATE_10_254_9_112
  IP NAT dynamic binding debugging is on for access list NAT_POOL_PRIVATE_10_254_9_112
  IP NAT session debugging is on for access list NAT_POOL_PRIVATE_10_254_9_112
  IP NAT pool debugging is on for access list NAT_POOL_PRIVATE_10_254_9_112
  IP NAT Drops debugging is on for access list NAT_POOL_PRIVATE_10_254_9_112

Show Ver:

Cisco IOS XE Software, Version 03.10.03.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.3(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Sun 01-Jun-14 09:08 by mcpre
ROM: IOS-XE ROMMON
System image file is "bootflash:/asr1000rp1-adventerprisek9.03.10.03.S.153-3.S3-ext.b"
cisco ASR1002 (2RU) processor with 1666531K/6147K bytes of memory.
9 Gigabit Ethernet interfaces
1 Ten Gigabit Ethernet interface
1 ATM interface
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7757823K bytes of eUSB flash at bootflash:.

Any ideas?

Many thanks.