7908 Views, 0 Helpful, 21 Replies

Static NAT translations stop working when arp expires on the outside interface.

ivohristov
Level 1

Hello Dears,

I have recently installed a router with CME functionality to be a gateway for a small network. The router has one public IP address for its outside interface which handles the PAT for the internal hosts. There are 3 static NAT translations on another public address from the same pool as the IP address on the outside interface. The first and the second static NAT translations are for port 25 and 88 and the third is on port 80. The router works properly for a certain amount of time and suddenly stops all traffic for the three static NAT entries (despite PAT on the outside interface working fine). Traffic does not come back until I remove one of the static NAT entries and put it back again. I checked the ARP entries and I found out that when they expire traffic stops. When I remove and put back the static entries the ARP table refills and traffic comes back again. Can you tell me how I can handle this?
Thanks,

Ivaylo

1 Accepted Solution

Accepted Solutions

Hi Ivaylo Hristov

did you apply a secondary PUBLIC ip address to solve the problem or any ip address????

Greetings


21 Replies 21

Nagaraja Thanthry
Cisco Employee

Hello,

Technically, the issue seems to be with the next hop device (ISP router) that is losing the ARP entry and not ARPing again. But as a workaround, please try this:

arp ARPA

Please repeat the above for all three IPs which have static mapping. That should help you fix the issue.

Hope this helps.

Regards,

NT

Thank you for your suggestion but this workaround does not work. I have already tried it. I will appreciate it if you have any other suggestions.
Regards,

Ivaylo

Which exact IOS are you using ?

How is the router connected to ISP device ?

Can you send "show interface" for the one in question ?

Also please report here how your default route is configured.

Hello,

Do you have access to the ISP router? If yes, can you add a static entry there? Or, you can ask the ISP to add an entry for you. Also, please make sure that the interface facing ISP has proxy-arp enabled.

Interface

ip proxy-arp

Hope this helps.

Regards,

NT

Do you have access to the ISP router? If yes, can you add a static entry there? Or, you can ask the ISP to add an entry for you. Also, please make sure that the interface facing ISP has proxy-arp enabled.

Incorrect, none of the setting above is necessary on a normally working situation. The reason for the problem lies somewhere else.

Hello,

Normally, when the ARP entry expires on the ISP router for the advertised address, it has to refresh it. But in this case, the issue seems to be that the ISP router is not refreshing its ARP cache entry. So, adding a static entry would be a workaround to make sure that the setup works. While this is not an ideal solution, in situations where you do not have control over ISP devices for troubleshooting, this is the easiest way to make it work.

Hope this clears up things.

Regards,

NT

Normally, when the ARP entry expires on the ISP router for the advertised address, it has to refresh it. But in this case, the issue seems to be that the ISP router is not refreshing its ARP cache entry. So, adding a static entry would be a workaround to make sure that the setup works. While this is not an ideal solution, in situations where you do not have control over ISP devices for troubleshooting, this is the easiest way to make it work.

I have worked with Internet connections every day for 16 years now and I have never seen or heard of a case as you describe above.

I am convinced the problem lies in the OP router side, and we shall be able to find out once the information I have requested above is made available to us.

The interface configuration is the following:

interface GigabitEthernet0/0
description ### To ISP ###
ip address 84.242.142.196 255.255.255.248
ip access-group OUTBOUND out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable

The default route is:

ip route 0.0.0.0 0.0.0.0 84.242.142.193

The router is connected to the ISP by a media converter into which an optic cable enters.
I have noticed that when the ARP entry for IP address 84.242.142.194 expires all sessions stop. When I flush the ARP table of the router everything is working properly.

We have this:

ip nat pool SMTP 84.242.142.194 84.242.142.194 netmask 255.255.255.248
ip nat inside source list 20 pool SMTP overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.2.9 25 84.242.142.194 25 extendable
ip nat inside source static tcp 192.168.2.10 80 84.242.142.194 80 extendable
ip nat inside source static tcp 192.168.2.9 88 84.242.142.194 88 extendable

......

Access-list 20 has the IP address of the SMTP server since our client wants internet connectivity to it.
Access-list NAT has the ip addresses of the network users.
If you have any further questions, please ask.
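As an added example (not code from the thread), the check below parses "show arp" and the static NAT lines posted above, and reports any global NAT address (here 84.242.142.194) whose ARP entry is missing from the outside interface or is approaching the interface's 04:00:00 ARP timeout. The "show arp" output is constructed sample data; the thread's NAT lines are used as the config input.

```python
import re

# Constructed sample "show arp" output (not from the thread): the NAT global
# address 84.242.142.194 is deliberately absent, as it is when the fault occurs.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  84.242.142.193          3   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  84.242.142.196          -   6416.8dd6.27e0  ARPA   GigabitEthernet0/0
Internet  192.168.2.9            45   0050.5600.0009  ARPA   GigabitEthernet0/1
"""

# Static NAT lines exactly as posted in the thread.
NAT_CONFIG = """\
ip nat inside source static tcp 192.168.2.9 25 84.242.142.194 25 extendable
ip nat inside source static tcp 192.168.2.10 80 84.242.142.194 80 extendable
ip nat inside source static tcp 192.168.2.9 88 84.242.142.194 88 extendable
"""

# One complete ARP row; "Incomplete" rows have no interface column and are
# intentionally not matched, so they count as missing.
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(-|\d+)\s+(\S+)\s+\S+\s+(\S+)\s*$", re.M)
# Captures the global address of both the plain and the tcp/udp static forms.
STATIC_RE = re.compile(r"^ip nat inside source static(?: tcp| udp)? \S+(?: \d+)? (\S+)", re.M)


def parse_arp(text):
    """Return {ip: (age_minutes or None, interface)}; age '-' means a local/permanent entry."""
    table = {}
    for ip, age, _mac, iface in ARP_RE.findall(text):
        table[ip] = (None if age == "-" else int(age), iface)
    return table


def static_global_ips(config):
    """Distinct global addresses used by static NAT entries in the config text."""
    return sorted(set(STATIC_RE.findall(config)))


def check_nat_arp(arp_text, config, outside_iface, warn_after_min=200):
    """List (ip, problem) for NAT global addresses whose ARP state would break the static mappings.

    warn_after_min is an assumed threshold below the 240-minute (04:00:00) ARP timeout."""
    arp = parse_arp(arp_text)
    findings = []
    for ip in static_global_ips(config):
        entry = arp.get(ip)
        if entry is None:
            findings.append((ip, "missing"))
        elif entry[1] != outside_iface:
            findings.append((ip, "wrong-interface"))
        elif entry[0] is not None and entry[0] >= warn_after_min:
            findings.append((ip, "aging"))
    return findings
```

Run it against the live output of "show arp" and "show running-config | include ip nat inside source static" from a cron job to catch the expiry before users report the outage.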
Regards

Hello,

Where are you checking the ARP expiry information?

Regards,

NT

On the customers router with sh arp command.

Exact IOS used ?

Show interface g0/0 please ?

You should also take a "debug arp". It is also possible that some device unexpectedly duplicates your address.

#sh interfaces gigabitEthernet 0/0

GigabitEthernet0/0 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 6416.8dd6.27e0 (bia 6416.8dd6.27e0)
  Description: ### To ISP ###
  Internet address is 84.242.142.196/29
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 16/255, rxload 6/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is T
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 5/75/853/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2470000 bits/sec, 593 packets/sec
  5 minute output rate 6466000 bits/sec, 806 packets/sec
     48746244 packets input, 2198265361 bytes, 9 no buffer
     Received 142966 broadcasts, 0 runts, 0 giants, 399 throttles
     30415 input errors, 0 CRC, 0 frame, 0 overrun, 30415 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     74627417 packets output, 3099711683 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

The configuration I have posted above.
The IOS is c2800nm-advipservicesk9-mz.124-24.T3.bin

At the beginning it was another one but we have changed it since there was a problem in the version.

  Input queue: 5/75/853/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2470000 bits/sec, 593 packets/sec
  5 minute output rate 6466000 bits/sec, 806 packets/sec
     48746244 packets input, 2198265361 bytes, 9 no buffer
     Received 142966 broadcasts, 0 runts, 0 giants, 399 throttles
     30415 input errors, 0 CRC, 0 frame, 0 overrun, 30415 ignored

Even if just a fraction of the total, this error count seems excessive.

Please increase hold-queue in to 200, clear counters, and monitor the interface over time.

Chances are, the missed ARPs are among the "ignored" packets.

Also, if you have 512MB RAM, can you upgrade to 12.5(1)M3 ? It is VERY stable for CME and is the only one with MD qualification now.

CSCsi32425

Symptoms: A router that is configured for static NAT translations may lose its external/global ARP entry for a NAT address.

Conditions: This symptom is observed when traffic flows run across the router, for example, when the client is outside and server is inside, and when static NAT translation is used for periods of about two minutes.

Workaround: Configure a route map that matches the static NAT translation, and apply the static NAT entry by entering either one of the following commands:

- ip nat inside source static tcp local-ip local-port global-ip global-port route-map name reversible

- ip nat inside source static local-ip global-ip route-map name reversible