Versa Networks

Troubleshoot CGNAT

For supported software information, click here.

This article describes how to troubleshoot CGNAT issues.

View CGNAT Summary Information

To view CGNAT summary information, issue the show orgs org-services cgnat summary CLI command. For example:

admin@vcsn> show orgs org-services Customer1 cgnat summary
                TOTAL        TOTAL
     TOTAL      ENDPOINT     ENDPOINT     TOTAL      TOTAL      TOTAL
VSN  ADDRESS    INDEPENDENT  INDEPENDENT  DSLITE     6RD        MAPT
ID   MAPPINGS   MAPPINGS     FILTERS      SOFTWIRES  SOFTWIRES  SUBSCRIBERS
---------------------------------------------------------------------------
2    0          0            0            0          0          0

View CGNAT Per-Pool Statistics

To view CGNAT per-pool statistics, issue the show orgs org-services cgnat pools statistics CLI command. For example:

admin@vcsn> show orgs org-services Customer1 cgnat pools Customer1_NAPT_Pool statistics
statistics
id                    2
bindings-allocated    33
bindings-freed        33
alloc-failures        0
free-failures         7
out-of-address-errors 0
out-of-ports-errors   0

Inspect the CGNAT State in the vsmd Daemon

This section describes the CLI commands to troubleshoot issues related to CGNAT state in the vsmd daemon.

View a Summary of Configured Tenants

To view summary information about configured tenants, issue the show cgnat tenants CLI command. For example:

vsm-vcsn> show cgnat tenants
TENANT (id: 1)
  Num of rules configured       : 0
  Num of pools configured       : 0
  Num of DSLite SC configured   : 0
  Num of 6RD SC configured      : 0
  Num of Static NAT entries     : 2
  Num of subscribers            : 0
  Num of EIM entries            : 0
  Num of EIF entries            : 0
  Num of DSLite softwires       : 0
  Num of 6RD softwires          : 0
TENANT (id: 200)
  Num of rules configured       : 3
  Num of pools configured       : 3
  Num of DSLite SC configured   : 0
  Num of 6RD SC configured      : 0
  Num of Static NAT entries     : 0
  Num of subscribers            : 0
  Num of EIM entries            : 0
  Num of EIF entries            : 0
  Num of DSLite softwires       : 0
  Num of 6RD softwires          : 0
TENANT (id: 100)
  Num of rules configured       : 3
  Num of pools configured       : 3
  Num of DSLite SC configured   : 0
  Num of 6RD SC configured      : 0
  Num of Static NAT entries     : 0
  Num of subscribers            : 0
  Num of EIM entries            : 0
  Num of EIF entries            : 0
  Num of DSLite softwires       : 0
  Num of 6RD softwires          : 0

View CGNAT Access Lists for Traffic Matching

To view CGNAT access lists for matching traffic, issue the show cgnat acl info CLI command. For example:

vsm-vcsn> show cgnat acl info 100
Legends
   C - Category (A: Allow, D: Deny)
   P - Rule precedence
+------------+--------+---+-----+-----------+--------------------+---------------+
|   ACL Hdl  | RuleId | C |  P  |   VRF     |   SOURCE-IP        | DEST-IP       |
+------------+--------+---+-----+-----------+--------------------+---------------+
| 0x00010003 |      3 | A |   1 |   14-14   |   192.168.130.0/24 | 99.88.77.0/28 |
| 0x00020001 |      1 | A |   1 |   14-14   |   192.168.130.0/24 | 88.77.66.0/28 |
| 0x00030002 |      2 | A |   1 |   14-14   |   192.168.130.0/24 | 77.66.55.0/28 |
+------------+--------+---+-----+-----------+--------------------+---------------+
Tenant id   : 100
Total filters : 3

View CGNAT Access List Counters

To view CGNAT access list counters, issue the show cgnat acl counters CLI command. A counter is incremented each time traffic matches the rule. Use the value in the Rule ID column to correlate the counters with the output of the show cgnat acl info command. For example:

vsm-vcsn> show cgnat acl counters 100
+------------+---------+------------+
|   ACL Hdl  | Rule ID |   COUNTER  |
+------------+---------+------------+
| 0x00010003 |       3 |        14  |
| 0x00020001 |       1 |         0  |
| 0x00030002 |       2 |        26  |
+------------+---------+------------+
Tenant id   : 100
Total filters : 3
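
The Rule ID correlation described above can be scripted when the two outputs are captured from a CLI session. The following is an added example, not Versa code; the function names are hypothetical and the sample text is the tenant 100 output shown in this article.

```python
# Added example: join "show cgnat acl info" with "show cgnat acl counters" on Rule ID.
# Both samples are the tenant 100 outputs shown in this article.
ACL_INFO = """\
+------------+--------+---+-----+-----------+--------------------+---------------+
|   ACL Hdl  | RuleId | C |  P  |   VRF     |   SOURCE-IP        | DEST-IP       |
+------------+--------+---+-----+-----------+--------------------+---------------+
| 0x00010003 |      3 | A |   1 |   14-14   |   192.168.130.0/24 | 99.88.77.0/28 |
| 0x00020001 |      1 | A |   1 |   14-14   |   192.168.130.0/24 | 88.77.66.0/28 |
| 0x00030002 |      2 | A |   1 |   14-14   |   192.168.130.0/24 | 77.66.55.0/28 |
+------------+--------+---+-----+-----------+--------------------+---------------+
"""
ACL_COUNTERS = """\
+------------+---------+------------+
|   ACL Hdl  | Rule ID |   COUNTER  |
+------------+---------+------------+
| 0x00010003 |       3 |        14  |
| 0x00020001 |       1 |         0  |
| 0x00030002 |       2 |        26  |
+------------+---------+------------+
"""

def data_rows(text):
    """Yield the cells of each data row (rows whose first cell is an ACL handle)."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if line.lstrip().startswith("|") and cells[0].startswith("0x"):
            yield cells

def correlate(info_text, counters_text):
    """Return {rule_id: rule dict}, each rule carrying its hit counter."""
    rules = {}
    for hdl, rule_id, cat, prec, vrf, src, dst in data_rows(info_text):
        rules[int(rule_id)] = {"handle": hdl, "category": cat, "precedence": int(prec),
                               "vrf": vrf, "src": src, "dst": dst, "hits": None}
    for hdl, rule_id, counter in data_rows(counters_text):
        rule = rules.get(int(rule_id))
        if rule is None or rule["handle"] != hdl:
            # The two captures disagree, e.g. taken before and after a config change.
            raise ValueError(f"rule {rule_id} ({hdl}) not present in acl info output")
        rule["hits"] = int(counter)
    return rules

def zero_hit_rules(rules):
    """Rule IDs whose counter is 0: no traffic has matched since the last clear."""
    return sorted(rid for rid, r in rules.items() if r["hits"] == 0)

if __name__ == "__main__":
    rules = correlate(ACL_INFO, ACL_COUNTERS)
    for rid in sorted(rules):
        r = rules[rid]
        print(f"rule {rid}: {r['src']} -> {r['dst']} hits={r['hits']}")
    print("rules with no matches:", zero_hit_rules(rules))
```

For the sample output, rule 1 (destination 88.77.66.0/28) is the only rule that no traffic has matched.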

View the CGNAT Access List History

To view CGNAT access list history of traffic pattern matches, issue the show cgnat acl history CLI command.

vsm-vcsn> show cgnat acl history [ipv4 | ipv6] [all | number]

For example:

vsm-vcsn> show cgnat acl history 100
+-----------------+----------------+-------+-------+----+------+
|   SOURCE-IP     |    DEST-IP     | SPORT | DPORT | P  | RES  |
+-----------------+----------------+-------+-------+----+------+
|  192.168.130.50 |     77.66.55.1 | 46859 |    53 | 17 |  Hit |
|  192.168.130.50 |     77.66.55.1 | 58285 |    53 | 17 |  Hit |
|  192.168.130.50 |     77.66.55.1 | 54768 |    21 |  6 |  Hit |
|  192.168.130.50 |     77.66.55.1 | 54772 |    21 |  6 |  Hit |
|  192.168.130.50 |     77.66.55.1 | 54776 |    21 |  6 |  Hit |
|  192.168.130.50 |     77.66.55.1 | 54779 |    21 |  6 |  Hit |
+-----------------+----------------+-------+-------+----+------+

View the CGNAT Pool Configuration

To display summary information about the CGNAT pool configuration for all tenants, issue the show cgnat config pool brief CLI command. For example:

vsm-vcsn> show cgnat config pool brief
 TNT-ID  POOL-NAME                      ID
 ----------------------------------------------------------
 200     Customer2_SNAT_Pool             3
 200     Customer2_DYN_Pool              1
 200     Customer2_NAPT_Pool             2
 TNT-ID  POOL-NAME                      ID
 -----------------------------------------------------------
 100     Customer1_SNAT_Pool             3
 100     Customer1_DYN_Pool              1
 100     Customer1_NAPT_Pool             2

View the CGNAT Pool Configuration for a Tenant

To display detailed information about the CGNAT pool configuration for a tenant, issue the show cgnat config pool detail CLI command. You can determine the tenant's pool ID from the output of the show cgnat config pool brief command. For example:

vsm-vcsn> show cgnat config pool detail 200 3
 TENANT             : [200]
 NAT Pool name      : [Customer2_SNAT_Pool]
 Object ID          : [3]
 Pool Flags         : [0x00001941]
 IPv4 Ranges
    102.84.68.0/24
 Routing instance   : [ri_Global - 18]
 Provider Tenant id : [1]
 TCP idle timeout   : [7440]
 TCP idle timeout   : [7440]
 UDP idle timeout   : [300]
 ICMP idle timeout  : [60]
 Addr allocation    : [round-robin]

In releases prior to Release 21.2.2, the command syntax is show cgnat config pool detail pool-id tenant-id.

View the CGNAT Rule Configuration

To display summary information about CGNAT rule configuration for all tenants, issue the show cgnat config rule brief CLI command. For example:

vsm-vcsn> show cgnat config rule brief
 TNT-ID  RULE-NAME                      ID
 -------------------------------------------------------------
 200    Customer2_SNAT_Rule             3
 200    Customer2_DYN_Rule              1
 200    Customer2_NAPT_Rule             2
 TNT-ID  RULE-NAME                      ID
 -------------------------------------------------------------
 100    Customer1_SNAT_Rule             3
 100    Customer1_DYN_Rule              1
 100    Customer1_NAPT_Rule             2

View the CGNAT Rule Configuration for a Tenant

To display detailed information about the CGNAT rule configuration for a particular tenant, issue the show cgnat config rule detail CLI command. Use the output of the show cgnat config rule brief command to determine the rule ID for the tenant. For example:

vsm-vcsn> show cgnat config rule detail 1 200
 TENANT               : [200]
 NAT Rule name        : [Customer2_DYN_Rule]
 Object ID            : [1]
 Precedence           : [1]
 TERM
    Routing instance  : [ri_Customer2 - 16]
    Source IPv4 Prefix
    192.168.131.0/24
    Dest IPv4 Prefix
    55.44.33.0/28
 ACTION
    NAT mode         : [dynamic-nat-44]
    Addr Pool Paired : [False]
    EIM enabled      : [False]
    EIF enabled      : [False]
    Source Pool      : [1]

View Active Counters

To display active counters, issue the show cgnat counters active CLI command. Use this command while data is flowing to verify whether CGNAT is NATing the packets. For example:

vsm-vcsn> show cgnat counters active
CGNAT_CNTR_ACTIVE_BINDINGS          0
CGNAT_CNTR_ACTIVE_SUBS              0
CGNAT_CNTR_ACTIVE_MAPT_SUBS         0
CGNAT_CNTR_ACTIVE_EI_MAPPINGS       0
CGNAT_CNTR_ACTIVE_EI_FILTERS        0

View Internal Counters

To display internal counters, issue the show cgnat counters internal CLI command. For example:

vsm-vcsn> show cgnat counters internal
CGNAT_CNTR_BINDINGS_ALLOCD          77
CGNAT_CNTR_BINDINGS_FREED           103
CGNAT_CNTR_ALG_BINDINGS_ALLOCD      26
CGNAT_CNTR_FIRST_PACKET             104
CGNAT_CNTR_SESS_ACCEPT              103
CGNAT_CNTR_SESS_IGNORE              1
CGNAT_CNTR_SESS_CLOSE               103
CGNAT_CNTR_TENANT_LKUP_FAIL         1
CGNAT_CNTR_ST_NAT_FILTER_SUCCESS    28
CGNAT_CNTR_TENANT_SWITCHED          28
CGNAT_CNTR_VRF_SWITCHED             28
CGNAT_CNTR_LOG_EXPORTED             98

View the CGNAT Resource State

To display information about the state of CGNAT resources, issue the show cgnat resources state CLI command. Each CGNAT pool is a resource managed by the resource and forwarding daemon. A resource must be in the Ready state before CGNAT can handle traffic for the pool. If the resource is not ready, traffic for the pool is dropped. Check the above CLI command for MISC_POOL_ERROR counters. For example:

vsm-vcsn> show cgnat resources state 100
Legends:
    A - Address present
    P - Ports present
    S - Static pool
    R - Preserve range
    Y - Preserve parity
+------+------------------------------------+-----------------+---------+
|  ID  |            Pool-name               |   State         |  Flags  |
+------+------------------------------------+-----------------+---------+
|   3  | Customer1_SNAT_Pool                | READY           | A.S..   |
|   1  | Customer1_DYN_Pool                 | READY           | A....   |
|   2  | Customer1_NAPT_Pool                | READY           | AP...   |
+------+------------------------------------+-----------------+---------+

View CGNAT Pool Counters

To display CGNAT pool counters, issue the show cgnat resources counters CLI command. The command output displays the number of bindings that are allocated and freed per pool. The output also shows resources assigned by Versa resource and forwarding process (vrfd) to each thread. For example:

vsm-vcsn> show cgnat resources counters Customer1_NAPT_Pool 100
Pool    : Customer1_NAPT_Pool
State   : READY
VRF     : ri_Global (18)
Thread 0 : IP [104.74.68.1 - 104.74.68.254]   Ports [4096 - 40959]
COUNTER             TCP         UDP         OTHER
---------------------------------------------------------------
Bindings allocated  25          4           4
Bindings freed      18          4           11
Alloc failures      0           0           0
    Out of addrs    0           0           0
    Out of ports    0           0           0
Free failures       0           0           7
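
The per-pool check described above (pool in the READY state, no failure counters incrementing) can be automated over captured output. The following is an added example, not Versa code; the function names are hypothetical and the sample text is the Customer1_NAPT_Pool output shown in this article.

```python
import re

# Output copied from the "show cgnat resources counters" example in this article.
POOL_COUNTERS = """\
Pool    : Customer1_NAPT_Pool
State   : READY
VRF     : ri_Global (18)
Thread 0 : IP [104.74.68.1 - 104.74.68.254]   Ports [4096 - 40959]
COUNTER             TCP         UDP         OTHER
---------------------------------------------------------------
Bindings allocated  25          4           4
Bindings freed      18          4           11
Alloc failures      0           0           0
    Out of addrs    0           0           0
    Out of ports    0           0           0
Free failures       0           0           7
"""

# A counter row is a label followed by exactly three integers (TCP, UDP, OTHER).
ROW = re.compile(r"^\s*(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
FAILURE_ROWS = ("Alloc failures", "Out of addrs", "Out of ports", "Free failures")

def parse_pool_counters(text):
    """Parse the header fields (pool, state, vrf) and the per-protocol counters."""
    pool = {"counters": {}}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, tcp, udp, other = m.groups()
            pool["counters"][name] = {"TCP": int(tcp), "UDP": int(udp), "OTHER": int(other)}
        elif ":" in line and not line.startswith("Thread"):
            key, value = line.split(":", 1)
            pool[key.strip().lower()] = value.strip()
    return pool

def findings(pool):
    """Return a list of problems to investigate; empty when nothing is flagged."""
    out = []
    if pool.get("state") != "READY":
        out.append(f"pool {pool.get('pool')} is in state {pool.get('state')}, not READY")
    for row in FAILURE_ROWS:
        for proto, value in pool["counters"].get(row, {}).items():
            if value:  # any nonzero failure counter is reported
                out.append(f"{row} ({proto}) = {value}")
    return out

if __name__ == "__main__":
    for problem in findings(parse_pool_counters(POOL_COUNTERS)):
        print(problem)
```

For the sample output, the only finding is the Free failures counter of 7 in the OTHER column.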

View Static NAT Mappings

To view static NAT mappings used for debugging basic-nat-44 and dnat-44, issue the show cgnat static-nat CLI command. For example:

vsm-vcsn> show cgnat static-nat 100
Legends:
  ID = Rule ID
    T = Type (S - Static NAT)
            (D - Dest NAT)
            (2 - Twice NAT)
+------+---+-----------------+-----------------+-----------------+-----------------+-------+-------+
|  ID  | T |  Rule SPrefix   |  Rule DPrefix   |  Pool SPrefix   |  Pool DPrefix   | RPort | Pport |
+------+---+-----------------+-----------------+-----------------+-----------------+-------+-------+
|    3 | S |   192.168.131.0 |               - |     102.84.68.0 |               - | 0     |     0 |
|    3 | S |   192.168.130.0 |               - |     102.74.68.0 |               - | 0     |     0 |
+------+---+-----------------+-----------------+-----------------+-----------------+-------+-------+

For debugging, use the following clear commands:

vsm-vcsn> clear cgnat counters internal
vsm-vcsn> clear cgnat acl history tenant-id
vsm-vcsn> clear cgnat acl counters tenant-id

View CGNAT Pools with the Source Port

To display per-thread resource allocation, issue the show rfm table src-port allocated CLI command. The CGNAT pool with the source port is the resource that is divided and then distributed to all worker threads by Versa RFD/RFM. For example:

vsm-vcsn> show rfm table src-port allocated
src-port: Table Alloc entries
Tenant 0:
StartPort EndPort  PoolId Client RmtID  LclID  Thread Application
=================================================================
4096    4096    0   2   0   1   1   App-RFM
4097    4097    0   2   0   2   1   App-RFM
4114    4114    0   2   0   4   1   App-RFM
4098    4113    0   2   0   3   1   App-LEF
Tenant 1:
StartPort EndPort  PoolId Client RmtID  LclID  Thread Application
=================================================================
Tenant 100:
StartPort EndPort  PoolId Client RmtID  LclID  Thread Application
=================================================================
4096    40959   2   2   0   1   1   App-CGNAT
Tenant 200:
StartPort EndPort  PoolId Client RmtID  LclID  Thread Application
=================================================================
4096    40959   2   2   0   1   1   App-CGNAT

View CGNAT Pools with the Source IP Address

To display per-thread resource allocation, issue the show rfm table src-ip allocated CLI command. In this command, the CGNAT pool with the source IP address is the only resource. The command output shows which thread received what quota from RFD/RFM. For example:

vsm-vcsn> show rfm table src-ip allocated
src-ip: Table Alloc entries
Tenant 0:
Start IP        End IP          Pool Client RmtId  LclId  Thread Application
============================================================================
Tenant 1:
Start IP        End IP          Pool Client RmtId  LclId  Thread Application
============================================================================
Tenant 100:
Start IP        End IP          Pool Client RmtId  LclId  Thread Application
============================================================================
103.74.0.0      103.74.119.255  1   2   0   1   1   App-CGNAT
Tenant 200:
Start IP        End IP          Pool Client RmtId  LclId  Thread Application
============================================================================
103.84.0.0      103.84.119.255  1   2   0   1   1   App-CGNAT

To display filters and access lists for each tenant, issue the show filter info all table and show filter stats all CLI commands. In a multi-VSN deployment, the command output shows the datapath filters used to steer reverse traffic to the correct VCSN/VSN. This datapath filter table is also used by CGNAT to install basic-nat-44 and dnat-44 filters. For example:

vsm-vcsn> show filter info all table 1
Legends
 C/Catg - Category
 L/Prio - Level (Predefined priority)
 P/Prot - Protocol
+-------------------------------------------------------------------------------------------------------------+
| Tenant Id  - 1                                                                                            |
+------------+---+-----+----+-----------+---------------+-------------------+-----------+-------------+
|   Rule Hdl | C |  L  |  P |   VRF     |   SOURCE-IP   |       DEST-IP     |   SPORT   |   DPORT     |
+------------+---+-----+----+-----------+---------------+-------------------+-----------+-------------+
| 0x01830403 | A |   1 | 17 |   0-256   |    0.0.0.0/0  |        0.0.0.0/0  |   67-67   |   68-68     |
| 0x01840403 | A |   1 | 17 |   0-256   |    0.0.0.0/0  |        0.0.0.0/0  |   0-65535 |  3784-3784  |
| 0x01850404 | A |   1 | 17 |   0-256   |    0.0.0.0/0  |        0.0.0.0/0  |   0-65535 |  4784-4784  |
| 0x01860403 | A |  19 |  6 |   0-256   |    0.0.0.0/0  |        0.0.0.0/0  |   0-65535 |   179-179   |
| 0x01870403 | A |  19 |  6 |   0-256   |    0.0.0.0/0  |        0.0.0.0/0  |   179-179 |   0-65535   |
| 0x01885003 | A |  16 |  0 |   18-18   |    0.0.0.0/0  |    102.84.68.0/24 |   0-65535 |   0-65535   |
| 0x01895003 | A |  16 |  0 |   18-18   |    0.0.0.0/0  |    102.74.68.0/24 |   0-65535 |   0-65535   |
| 0x018a4003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    103.74.0.0/18  |   0-65535 |   0-65535   |
| 0x018b4003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    103.74.64.0/19 |   0-65535 |   0-65535   |
| 0x018c4003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    103.74.96.0/20 |   0-65535 |   0-65535   |
| 0x018d4003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    103.74.112.0/21|   0-65535 |   0-65535   |
| 0x018e4003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    104.74.68.0/24 |   0-65535 |  4096-40959 |
| 0x018f4003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    103.84.0.0/18  |   0-65535 |   0-65535   |
| 0x01904003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    103.84.64.0/19 |   0-65535 |   0-65535   |
| 0x01914003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    103.84.96.0/20 |   0-65535 |   0-65535   |
| 0x01924003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    103.84.112.0/21|   0-65535 |   0-65535   |
| 0x01934003 | A |  19 |  0 |   18-18   |    0.0.0.0/0  |    104.84.68.0/24 |   0-65535 |  4096-40959 |
+------------+---+-----+----+-----------+---------------+-------------------+-----------+-------------+
| Total IPv4 Filters: 17                                                                              |
+-----------------------------------------------------------------------------------------------------+

Supported Software Information

Releases 20.2 and later support all content described in this article, except:

  • In Releases 21.2.2 and later, the syntax changed for the show cgnat config pool detail and show cgnat acl history commands.

Additional Information

Configure CGNAT
