×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ISM with NAT44 - Need help with configuration

Answered Question
Jul 24th, 2013
User Badges:

Hello everyone,


I'm trying to set up NAT44 in the following scenario below and I'm having a hard time figuring out how to redirect the traffic. As you can see the big problem is that I have one single interface that connects to the internal network (10.0.0.0/8) and also to the tunnel destinations all in the same VRF. Can you guys give me a hand? The trafiic comes from network network 10.0.0.0/8 enters interface bundle-ether 2 (Now it needs to be translated), once it is translated, now it needs to reach the destination known via GRE tunnel.


CGN Topology.png


Configurations

-----------------------------------------------


!

vrf NAT_IN

address-family ipv4 unicast

!

!

vrf BLUE

address-family ipv4 unicast

!

!

hw-module service cgn location 0/3/CPU0


!

interface Bundle-Ether2

description UPLINK TO METRO ETHERNET

!

interface Bundle-Ether2.2 l2transport

encapsulation dot1q 2

rewrite ingress tag pop 1 symmetric

!


interface GigabitEthernet200/0/0/43

description LINK TO METRO ETHERNET

bundle id 2 mode active


interface GigabitEthernet300/0/0/43

description LINK TO METRO ETHERNET

bundle id 2 mode active



interface BVI2

description METRO

vrf BLUE

ipv4 address 100.0.0.10/24



!

interface tunnel-ip 101

description GRE_TUNNEL

vrf BLUE

ipv4 address 1.1.1.1/32

tunnel mode gre ipv4

tunnel source interface bvi 2

tunnel destination 200.0.0.1

!


!

interface BVI 100

vrf BLUE

ipv4 address [GATEWAY_100] [MASK_100]

!

interface BVI 200

vrf BLUE

ipv4 address [GATEWAY_200] [MASK_200]

!

interface BVI 300

vrf BLUE

ipv4 address [GATEWAY_300] [MASK_300]

!



!

interface ServiceApp1

vrf NAT_IN

ipv4 address 10.0.2.1 255.255.255.252

service cgn CGN service-type nat44

!

interface ServiceApp2

vrf BLUE

ipv4 address 10.0.2.2 255.255.255.252

service cgn CGN service-type nat44

!

interface ServiceInfra1

ipv4 address 10.0.3.1 255.255.255.0

service-location 0/3/CPU0

!

!


router static

address-family ipv4 unicast

!

vrf NAT_IN

address-family ipv4 unicast

0.0.0.0/0 ServiceApp1

10.0.0.0/8 vrf BLUE bvI 2 <NEXT HOP>

!

!

vrf BLUE

address-family ipv4 unicast

172.16.0.0/24 ServiceApp2

!

!

router ospf METRO

vrf BLUE

router-id [ROUTER_ID]

redistribute bgp 65500 metric 100

area 0

interface bvi 2

!


router ospf BLUE

vrf BLUE

router-id [ROUTER ID]

redistribute bgp 65500 metric 100

area 10

interface BVI100

!

interface BVI200

!

interface BVI200

!

!

!

router bgp 65500

address-family ipv4 unicast

!

address-family vpnv4 unicast

!

!

vrf BLUE

rd 65500:2

address-family ipv4 unicast

redistribute static

redistribute ospf BLUE

!

neighbor 1.1.1.2

remote-as 64512

ebgp-multihop 5

address-family ipv4 unicast

route-policy PASS in

route-policy PASS out

!

!

!

service cgn CGN

service-location preferred-active 0/3/CPU0

service-type nat44 nat44

portlimit 20000

inside-vrf NAT_IN

map outside-vrf BLUE address-pool 172.16.0.0/24

!

!

!





Thanks in advance,




Renato

Correct Answer by somnathr about 3 years 9 months ago

Hi Renato,


That's good to hear !  So, you're all set then, I would assume.


regards,

Somnath.

Correct Answer by Harold Ritter about 4 years 2 weeks ago

Hi Renato,


One way to solve this restriction would be to have two interfaces (physical or logical) connected to the network. One would be in teh VRF and the other in the global.


Regards

Correct Answer by somnathr about 4 years 2 weeks ago

Hi Renato,


This is what you have so far (for NAT):


bundle-ether 2 (NAT_IN) -- ISM -- bundle-ether 21 (NAT_OUT).


Now, if you want to send the NAT'ed traffic over a GRE tunnel, you need to do the following:


bundle-ether 2 (NAT_IN) -- ISM -- bundle-ether 21 (NAT_OUT) -- loopback cable(s) -- bundle-ether 22 (BLUE) -- Tunnel-IP 101 (BLUE)


This is because as I mentioned earlier, ISM traffic cannot be sent to / come from GRE tunnel directly.


Let me know if that works.


regards,

Somnath.

Correct Answer by somnathr about 4 years 3 weeks ago

Hi Renato,


The following error msg is coming for the same.


tunl_gre_ea[329]: %PLATFORM-TUNL_GRE_EA_PD-4-UNSUPPORTED_CONFIG : GRE Tunnel not supported on this linecard. Set the network topology to avoid this line card for GRE Tunnel packets



Yes, ISM supports traffic from/to bundle interface (along with physical i/f).


Now, as per your configuration, I see:


  • bundle-ether 2 is in NAT_IN VRF and will be receiving inside traffic for NAT. It contains following members:
    • GigabitEthernet200/0/0/43
    • GigabitEthernet300/0/0/43
  • bundle-ether 21 is in NAT_OUT and will be receiving outside traffic for NAT. It contains following members:
    • TenGigE0/0/0/21
    • TenGigE0/0/0/22
  • ServiceInfra configuration:

interface ServiceInfra1

service-location 0/2/CPU0 -> should be 0/3/cpu0 (if you have ISM is slot 3)

  • From NAT perspective, the configuration looks fine.
  • bundle-ether 22 is in BLUE containing the following members. As you said, these are connected via loopback
    • TenGigE0/1/0/21
    • TenGigE0/1/0/22


BTW, which version of XR s/w are you using ? Have you installed the Linux install-kit s/w ?


If it is 4.3.x, you can also refer CGv6 Configuration guide, a CCO document, http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/cg_nat/configuration/guide/cgnat_43.html for installation and configuration steps.


regards,

Somnath.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (4 ratings)
Loading.
somnathr Sat, 07/27/2013 - 04:59
User Badges:
  • Cisco Employee,

Hi Renato,


As I understood from your dscription, traffic for NAT enters the box via bundle-ether 2 interface and after NAT should go out via GRE tunnel (interface tunnel-ip 101).


First of all, there are 2 limitations that you should be aware of:

  • we don't support (on ISM) NAT traffic to come or go via GRE tunnel i/f (to / from ISM). Hence, one work-around could be to send it via any physical interface and use an external loopback cable and then ultimately send it via GRE tunnel i/f.
  • we don't support (on ISM) NAT traffic to come or go via BVI i/f (to / from ISM) as well (not sure, if you're planning to use it for NAT traffic or not).


Once the above 2 are sorted out, NAT configuration would be simple (which you have it almost right). Only thing, you need to have some interface in NAT_IN VRF through which inside NAT traffic enters ASR9K and some interface in BLUE VRF through which outside NAT traffic enters ASR9K.


Let me know if you have more questions.


regards,

Somnath.

Renato Fernande... Sat, 07/27/2013 - 08:16
User Badges:
Hi Somnath Roy,
First of all, thank you for your comments !
Now things are starting to get more clear to me and I guess due to this limitations you just mentioned I'm getting this log messages below, am I right?


: tunl_gre_ea[329]: %PLATFORM-TUNL_GRE_EA_PD-4-UNSUPPORTED_CONFIG : GRE Tunnel not supported on this linecard. Set the network topology to avoid this line card for GRE Tunnel packets


Can I use a L3 bundle-ether interface in place of a BVI, just in case I need to bundle some interfaces. Does ISM support it or I do have to use a physical interface?


I did another config using using loopback cable (Bundle-Ether21 e Bundle-Ether22), could you check this out?


vrf BLUE

address-family ipv4 unicast

!

vrf NAT_OUT

address-family ipv4 unicast

!

vrf NAT_IN

address-family ipv4 unicast

!

hw-module service cgn location 0/3/CPU0

!

interface Bundle-Ether2

vrf NAT_IN

description UPLINK TO METRO ETHERNET

ipv4 address 100.0.0.10/24

!

interface GigabitEthernet200/0/0/43

description LINK TO METRO ETHERNET

bundle id 2 mode active

!

interface GigabitEthernet300/0/0/43

description LINK TO METRO ETHERNET

bundle id 2 mode active

!

interface Bundle-Ether21

vrf NAT_OUT

ipv4 address 10.0.1.1 255.255.255.0

!

interface Bundle-Ether22

vrf BLUE

ipv4 address 10.0.1.2 255.255.255.0

!

interface TenGigE0/0/0/21

bundle id 21 mode on

!

interface TenGigE0/0/0/22

bundle id 21 mode on

!

interface TenGigE0/1/0/21

bundle id 22 mode on

!

interface TenGigE0/1/0/22

bundle id 22 mode on

!

!

interface tunnel-ip 101

description GRE_TUNNEL

vrf BLUE

ipv4 address 1.1.1.1/32

tunnel mode gre ipv4

tunnel source interface bundle-ether 2

tunnel destination 200.0.0.1

!

!

interface BVI 100

vrf BLUE

ipv4 address [GATEWAY_100] [MASK_100]

!

interface BVI 200

vrf BLUE

ipv4 address [GATEWAY_200] [MASK_200]

!

interface BVI 300

vrf BLUE

ipv4 address [GATEWAY_300] [MASK_300]

!

!

interface ServiceApp1

vrf NAT_IN

ipv4 address 10.0.2.1 255.255.255.0

service cgn CGN service-type nat44

!

interface ServiceApp2

vrf NAT_OUT

ipv4 address 10.0.2.2 255.255.255.0

service cgn CGN service-type nat44

!

interface ServiceInfra1

ipv4 address 10.0.3.1 255.255.255.0

service-location 0/2/CPU0

!

router static

address-family ipv4 unicast

!

vrf NAT_IN

address-family ipv4 unicast

0.0.0.0/0 ServiceApp1

!

!

vrf NAT_OUT

address-family ipv4 unicast

0.0.0.0/0 10.0.1.2

172.16.0.0/24 ServiceApp2

!

!

vrf BLUE

address-family ipv4 unicast

172.16.0.0/24 10.0.1.1

!

!

router ospf METRO

vrf NAT_IN

router-id [ROUTER_ID]

redistribute bgp 65500 metric 100

area 0

interface bundle-ether 2

!

router ospf BLUE

vrf BLUE

router-id [ROUTER ID]

redistribute bgp 65500 metric 100

area 10

interface BVI100

!

interface BVI200

!

interface BVI200

!

!

!

router bgp 65500

address-family ipv4 unicast

!

address-family vpnv4 unicast

!

!

vrf BLUE

rd 65500:2

address-family ipv4 unicast

redistribute static

redistribute ospf BLUE

!

neighbor 1.1.1.2

remote-as 64512

ebgp-multihop 5

address-family ipv4 unicast

route-policy PASS in

route-policy PASS out

!

vrf NAT_IN

rd 65500:3

address-family ipv4 unicast

!

service cgn CGN

service-location preferred-active 0/3/CPU0

service-type nat44 nat44

portlimit 20000

inside-vrf NAT_IN

map outside-vrf NAT_OUT address-pool 172.16.0.0/24



Thanks !



Renato

Correct Answer
somnathr Sun, 07/28/2013 - 07:40
User Badges:
  • Cisco Employee,

Hi Renato,


The following error msg is coming for the same.


tunl_gre_ea[329]: %PLATFORM-TUNL_GRE_EA_PD-4-UNSUPPORTED_CONFIG : GRE Tunnel not supported on this linecard. Set the network topology to avoid this line card for GRE Tunnel packets



Yes, ISM supports traffic from/to bundle interface (along with physical i/f).


Now, as per your configuration, I see:


  • bundle-ether 2 is in NAT_IN VRF and will be receiving inside traffic for NAT. It contains following members:
    • GigabitEthernet200/0/0/43
    • GigabitEthernet300/0/0/43
  • bundle-ether 21 is in NAT_OUT and will be receiving outside traffic for NAT. It contains following members:
    • TenGigE0/0/0/21
    • TenGigE0/0/0/22
  • ServiceInfra configuration:

interface ServiceInfra1

service-location 0/2/CPU0 -> should be 0/3/cpu0 (if you have ISM is slot 3)

  • From NAT perspective, the configuration looks fine.
  • bundle-ether 22 is in BLUE containing the following members. As you said, these are connected via loopback
    • TenGigE0/1/0/21
    • TenGigE0/1/0/22


BTW, which version of XR s/w are you using ? Have you installed the Linux install-kit s/w ?


If it is 4.3.x, you can also refer CGv6 Configuration guide, a CCO document, http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/cg_nat/configuration/guide/cgnat_43.html for installation and configuration steps.


regards,

Somnath.

Renato Fernande... Sun, 07/28/2013 - 07:47
User Badges:

Hi Somnath,


Thank you ! I'm using version 4.3.1. I didn`t know I have to install it (haha), is it mandatory?



Thank you again !



Renato

somnathr Sun, 07/28/2013 - 08:37
User Badges:
  • Cisco Employee,

Hi Renato,


Yes, installing the Linux install-kit is mandatory as the crux of CGv6 application is part of it.


Please follow the instruction for installing Linux install-kit for 4.2in the CCO document I sent (specifically - http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/cg_nat/configuration/guide/cgnat43cgn.html#wp1015556). Method for 4.2.1 and above releases is the same.


regards,

Somnath.

Renato Fernande... Sun, 07/28/2013 - 08:52
User Badges:

Hi Somnath,


Is it necessary even when I'm using only NAT44? Do you know where I can find the information about the limitations of ISM you mentioned?


Thank you !


Renato

somnathr Sun, 07/28/2013 - 20:30
User Badges:
  • Cisco Employee,

Hi Reneto,


Yes, CGv6/CGN functionality is provided by same install-kit. So, you must install the same.


At present, CCO documents are the only external documentation. But, I do see that it does not list some of these limitations. We need to add it to the document.


regards,

Somnath.

Renato Fernande... Mon, 07/29/2013 - 10:01
User Badges:

Hi Somnath,


Thank you so much for your attention. I've installed the linux kit and now the module is in

APP-READY state.


Thank you very much again !



Renato

somnathr Mon, 07/29/2013 - 10:20
User Badges:
  • Cisco Employee,

You are welcome :-)


That's great ! Now, you can try with some NAT traffic.

Renato Fernande... Mon, 07/29/2013 - 10:25
User Badges:

Yeah, I'm going to test it as soon as possible. I'm also having some issue setting up a GRE tunnel on ASR9K, can you help with that or should I open another discussion?


Thanks


Renato Reis

Harold Ritter Mon, 07/29/2013 - 11:32
User Badges:
  • Cisco Employee,

Hi Renato,


Could you pelase let us know what kind of issue you have in setting up the GRE tunnel?


Regards

Renato Fernande... Mon, 07/29/2013 - 12:36
User Badges:

Hi Harold,


I've configured a GRE tunnel between 2 ASR9K6 and I'm having the following issues:



1) The tunnel interface is UP but I can't ping the tunnels IP addresses, not even my own tunnel's interface IP address so that I never know if the tunnel is working properly.


2) I don't see the (tunnel vrf [VRF]) on IOS-XR, to tell that my tunnel interface is in VRF BLUE, but my tunnel destination is in VRF NAT_IN.



Configurations

----------------------------------------


ASR01

------------


interface tunnel-ip101

description TUNNEL_1

vrf BLUE

ipv4 address 1.1.1.2 255.255.255.252

tunnel mode gre ipv4

tunnel source Bundle-Ether2

keepalive 10 3

tunnel destination [TUNNEL IP DESTINATION]

!


ASR02

------------


interface tunnel-ip101

description TUNNEL_1

vrf BLUE

ipv4 address 1.1.1.1 255.255.255.252

tunnel mode gre ipv4

tunnel source BVI2

keepalive 10 3

tunnel destination [TUNNEL IP DESTINATION]



Thank you !



Renato

Harold Ritter Mon, 07/29/2013 - 13:14
User Badges:
  • Cisco Employee,

Hi Renato,


The VRF aware GRE tunnel currently only supports src/dst resolution in the global routing table. Support for src/dst resolution in a VRF is planned for 5.2.0.


Regards

Renato Fernande... Mon, 07/29/2013 - 13:59
User Badges:

Hi Somnath/Harold,


How can I address this issue? Once I need to have my GRE tunnel and interface BE (

inside NAT traffic enters) on the same routing table. Can't I use the global table as my NAT IN?



Thanks


Renato

Harold Ritter Wed, 07/31/2013 - 07:00
User Badges:
  • Cisco Employee,

Hi Renato,


The inside interface must be in a VRF but the outside interface can be in the global routing table.


Regards

Correct Answer
somnathr Thu, 08/01/2013 - 01:14
User Badges:
  • Cisco Employee,

Hi Renato,


This is what you have so far (for NAT):


bundle-ether 2 (NAT_IN) -- ISM -- bundle-ether 21 (NAT_OUT).


Now, if you want to send the NAT'ed traffic over a GRE tunnel, you need to do the following:


bundle-ether 2 (NAT_IN) -- ISM -- bundle-ether 21 (NAT_OUT) -- loopback cable(s) -- bundle-ether 22 (BLUE) -- Tunnel-IP 101 (BLUE)


This is because as I mentioned earlier, ISM traffic cannot be sent to / come from GRE tunnel directly.


Let me know if that works.


regards,

Somnath.

Renato Fernande... Thu, 08/01/2013 - 18:29
User Badges:

Hi Somnath,


Thank you for your attention again. Yes, that's the exactly the configurations I have, but the problem is, once

GRE tunnel currently only supports src/dst resolution in the global routing table and my

src/dst will be in routing table NAT_IN VRF, will I have to use MP-BGP to redistribute my

tunnel's src/dst from VRF NAT_IN to the global table?



Thanks in advance,



Renato Reis

Correct Answer
Harold Ritter Tue, 08/06/2013 - 14:06
User Badges:
  • Cisco Employee,

Hi Renato,


One way to solve this restriction would be to have two interfaces (physical or logical) connected to the network. One would be in teh VRF and the other in the global.


Regards

Renato Fernande... Sat, 08/10/2013 - 03:36
User Badges:

Hi Harold,


You hit the nail right on the head, that's the same solution we found. Now I'm gathering some thoubleshootong commands to check if it's working and test it on a production enviroment.


Thank you Harold and Somnath !!!



Regards,



Renato

Renato Fernande... Wed, 08/14/2013 - 01:32
User Badges:

HiSomnath Roy,


Is there a command that shows me the inside address, like show ip nat translations on regular IOS? Could you provide me some troubleshooting commands for CGN on ISM?


Thank you !



Renato

somnathr Wed, 08/14/2013 - 01:43
User Badges:
  • Cisco Employee,

Hi Renato,


You can use the following command:


show cgn nat44 nat1 outside-translation protocol udp outside-address <100.200.2.75> port start <1> end <65535>


Other commands useful would be:


show cgn nat44 inside-translation ...

show cgn nat44 pool-utilization ...

show cgn nat44 statistics ...


CCO documentation for all commands are available at - http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/cg_nat/command/reference/b_cgnat_cr42crs_chapter_01.html.


Please use the commands related to NAT44 as that is what you're using.


regards,

Somnath.

Renato Fernande... Tue, 08/20/2013 - 03:19
User Badges:

Hi Somnath,


Hope you are doing well ! Is there any MIB that I can use to monitor the NAT sessions and statistics?


Thanks in advance,



Renato Reis

somnathr Tue, 08/20/2013 - 03:29
User Badges:
  • Cisco Employee,

Hi Renato,


We do not support any CGN MIB yet.


You can possibly use some scripts to capture CLI output periodically.


regards,

Somnath.

Renato Fernande... Tue, 08/20/2013 - 09:16
User Badges:

Thank you Somnath,


I have one more question, What is the impact of changing the [map outside-vrf NAT_OUT address-pool]? I'm asking that because I realized the router is using the network and also the broadcast address of the network I configured as my NAT pool as a valid IP address for translations, I guess I have to avoid it !


Thank you,



Renato

somnathr Tue, 08/20/2013 - 22:13
User Badges:
  • Cisco Employee,

Hi Renato,


Sorry, I could not get your question properly.


If you want to change the address pool while NAT traffic is going on, during the time you're changing the address, traffic will be dropped by CGv6 Application (with "No CGN Config" kind of message).


Once you configure new address pool, you may need to change your static route entry to divert O2I traffic properly.


It is ok to include .0 / .255 in the public IP pool (if that it what you're referring) - there should not be any issue.


regards,

Somnath.

Renato Fernande... Wed, 08/21/2013 - 03:36
User Badges:

Hi Somnath,


Thank you again ! Actually I wondering if using .0 / .255 could be an issue thats why I asked of changing the address pool would be a problem. I'm glad there is no problem using the network and broadcast address.


PS: I'd like to thank you for all your help, now we have GCN with ISM working on a production environment.


Thanks,


Renato

somnathr Wed, 08/21/2013 - 03:44
User Badges:
  • Cisco Employee,

Hi Renato,

           

That is a great news ! Congratulations !!


Glad to help you out !


It would be great if you can post the final configuration that you're using for your deployment here along with some of the "show" command output (like, 'show cgn ...', 'show interfaces service* [accounting]', etc.).


regards,

Somnath.

somnathr Wed, 08/21/2013 - 04:04
User Badges:
  • Cisco Employee,

One more question - Can I ask who is the customer here and also are you part of the customer organization or some other partner organization who is helping customer ?

Harold Ritter Wed, 08/21/2013 - 09:07
User Badges:
  • Cisco Employee,

Hi Renato,


Congratulations. You are very welcome. Let us know if you have any additional questions or concerns.


Regards

Renato Fernande... Fri, 09/20/2013 - 08:31
User Badges:

Hi Somnath.


I will post the configuration as soon as possible. I would like to know if is there any command to check what is the current version of the linux I'm using on the ISM module?



Thanks in advance,



Renato Reis

somnathr Fri, 09/20/2013 - 09:09
User Badges:
  • Cisco Employee,

Hi Renato,


You can use "show platform summary location " command


regards,

Somnath.

Renato Fernande... Fri, 09/20/2013 - 10:48
User Badges:

Thank you Somnath,


I'm still confused if the version that is being shown in the output below (IOS SW Ver : 4.3.1) is related to the linux kit or the IOS-XR itself.




:router#show platform summary location 0/3/CPU0

Fri Sep 20 17:45:50.010 UTC

-------------------------------------------------------------------------------

     Platform Node : 0/3/CPU0 (slot 5)

               PID : A9K-ISM-100

         Card Type : Integrated Services Module

            VID/SN : V01 / FOC1710N5NX

        Oper State : IOS XR RUN

        Last Reset : N/A

                   : N/A

     Configuration : Power is enabled

                     Bootup enabled. 

                     Monitoring enabled

        Rommon Ver : Version 1.2(20091201:235620)

        IOS SW Ver : 4.3.1

        Main Power : Power state Enabled. Estimate power 405 Watts of power required.

            Faults : N/A

-------------------------------------------------------------------------------

     Platform Node : 0/3/CPU1 (slot 5)

         Card Type : Integrated Services Module (Service Engine)

        Oper State : APP-READY

   Last Start Time : Sun Sep  8 18:20:55 2013

   Last Ready Time : Sun Sep  8 19:53:01 2013

            Uptime : 285:52:49

          BIOS Ver : 0.17 (Thurley.3.60.18.0033)

            SW Ver : 1.0.1.0 (Built on May 3, 2012, from [email protected]/7)

        App Status : 8 CGv6 Application instance(s) is/are running


-------------------------------------------------------------------------------

:router#


[]'s



Renato Reis

somnathr Fri, 09/20/2013 - 21:11
User Badges:
  • Cisco Employee,

Hi Renato,


We need to look at "CPU1" status as that is the Application CPU. "CPU0" is the XR CPU.


I see -


SW Ver : 1.0.1.0 (Built on May 3, 2012, from [email protected]/7)


This gives the Application s/w version.


It looks like you need to upgrade the Linux part (install-kit) to 4.3.1. (it is running 421 now).


Procedure to upgrade the install-kit is in CCO.


regards,

Somnath.

Renato Fernande... Tue, 10/29/2013 - 10:40
User Badges:

Hi guys, It`s me again !


Could you guys help me with an ISM module stuck in the BRINGDOWN state?




RP/0/RSP0/CPU0:router#admin show platform

Tue Oct 29 10:34:32.782 UTC

Node            Type                      State            Config State

-----------------------------------------------------------------------------

0/RSP0/CPU0     A9K-RSP440-TR(Active)     IOS XR RUN       PWR,NSHUT,MON

0/RSP1/CPU0     A9K-RSP440-TR(Standby)    IOS XR RUN       PWR,NSHUT,MON

0/FT0/SP        FAN TRAY                  READY           

0/FT1/SP        FAN TRAY                  READY           

0/0/CPU0        A9K-MOD160-TR             IOS XR RUN       PWR,NSHUT,MON

0/0/0           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/0/1           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/1/CPU0        A9K-MOD160-TR             IOS XR RUN       PWR,NSHUT,MON

0/1/0           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/1/1           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/3/CPU0        A9K-ISM-100(LCP)          BRINGDOWN        PWR,NSHUT,MON

0/PM0/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

0/PM1/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

0/PM2/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

RP/0/RSP0/CPU0:router#



Thank you in advance,



Renato Reis

somnathr Tue, 10/29/2013 - 20:35
User Badges:
  • Cisco Employee,

Hi Renato,


Ok. In that case, as a recovery, you may want to try "hw-module reload loc ".


Can you please provide "sh logging" output which possibly would give more details on the issue(s) faced by the card ?


regards,

Somnath.

Renato Fernande... Wed, 10/30/2013 - 02:35
User Badges:

Hi Somnath,


I've opened a TAC and they recommended R|MA for this module, thank you for you attention.



Renato

Renato Fernande... Fri, 11/01/2013 - 11:22
User Badges:

Hi Somnath,


We replaced the module but the new one cant boot up either, here is the log message and the current state of the ISM module.



RP/0/RSP1/CPU0:router#admin show platform

Fri Nov  1 16:17:16.265 UTC

Node            Type                      State            Config State

-----------------------------------------------------------------------------

0/RSP0/CPU0     A9K-RSP440-TR(Standby)    IOS XR RUN       PWR,NSHUT,MON

0/RSP1/CPU0     A9K-RSP440-TR(Active)     IOS XR RUN       PWR,NSHUT,MON

0/FT0/SP        FAN TRAY                  READY          

0/FT1/SP        FAN TRAY                  READY          

0/0/CPU0        A9K-MOD160-TR             IOS XR RUN       PWR,NSHUT,MON

0/0/0           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/0/1           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/1/CPU0        A9K-MOD160-TR             IOS XR RUN       PWR,NSHUT,MON

0/1/0           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/1/1           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/3/CPU0        A9K-ISM-100(LCP)          IN-RESET         PWR,NSHUT,MON

0/3/SAM0        A9K-SAM-2TB               BOOTING          PWR,NSHUT,NMON

0/3/SAM1        A9K-SAM-2TB               FAILED           PWR,NSHUT,NMON

0/PM0/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

0/PM1/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

0/PM2/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

RP/0/RSP1/CPU0:router#





LC/0/3/CPU0:Nov  1 16:16:11.475 : apiv_srvr[115]: %PLATFORM-APIV-3-MODULE_INCOMPATIBLE : APIV module APIV_SI is incompatible

LC/0/3/CPU0:Nov  1 16:16:11.697 : vkg_l2fib_mac_cache[340]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: initializing L2 FIB MAC CAHE APIV modules.

LC/0/3/CPU0:Nov  1 16:16:11.705 : /pkg/sbin/sysmgr_log[65661]: %OS-SYSMGR-7-CHECK_LOG : /pkg/bin/sysmgr_debug_script invoked for: (fib_mgr) process did not signal EOI and for level:100 . Output is in harddisk:/sysmgr_debug/debug.node0_3_CPU0.442485

LC/0/3/CPU0:Nov  1 16:16:11.801 : vkg_l2fib_mac_cache[340]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: retrieving SysDB notifications ...

LC/0/3/CPU0:Nov  1 16:16:11.801 : vkg_l2fib_mac_cache[340]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: Starting of L2FIB MAC CACHE APIV version negotiation.

LC/0/3/CPU0:Nov  1 16:16:13.624 : canb_upg_agt[132]: %PLATFORM-UPGRADE_FPD-4-DOWN_REV : cbc instance 0 is down-rev (V18.05), upgrade to (V18.08). Use the "upgrade hw-module fpd" CLI in admin mode.

LC/0/3/CPU0:Nov  1 16:16:14.119 : l2fib[239]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: Initializing L2 FIB APIV modules.

LC/0/3/CPU0:Nov  1 16:16:14.192 : l2fib[239]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: retrieving SysDB notifications.

LC/0/3/CPU0:Nov  1 16:16:14.192 : l2fib[239]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: starting of APIV version negotiation.

LC/0/3/CPU0:Nov  1 16:16:14.784 : avsm_se_sm[125]: %PLATFORM-SIM_SE-6-STATE_CHANGE : Service Engine is in shutting down state.

LC/0/3/CPU0:Nov  1 16:16:14.790 : sis[307]: %PLATFORM-VKG_SIS-6-GENERIC_EVENT : sis event: Starting of SI APIV Deletion ...

LC/0/3/CPU0:Nov  1 16:16:15.420 : apiv_srvr[115]: %PLATFORM-APIV-5-API_INCOMPATIBLE : Message 8 in APIV module ISM_L2FIB_APIV is incompatible (reason: Not supported on the remote side)

LC/0/3/CPU0:Nov  1 16:16:15.420 : apiv_srvr[115]: %PLATFORM-APIV-3-MODULE_INCOMPATIBLE : APIV module ISM_L2FIB_APIV is incompatible

LC/0/3/CPU0:Nov  1 16:16:16.421 : avsm_agent[124]: %ISM_L2_UFA-3-ERR :  L2UFA: apiv/ipcp init failed

LC/0/3/CPU0:Nov  1 16:16:21.641 : avsm_agent[124]: %SAM_OIR-3-SAM_ERR_FPD : SAM/1: Unable to initialize. Error in FPD of device(s):CPLD. Detailed message -23:Unable to connect to socket:/tmp/fpdinfra_socket  -23 111:Connection refused

RP/0/RSP1/CPU0:Nov  1 16:16:21.647 : invmgr[257]: %PLATFORM-INV-6-NODE_STATE_CHANGE : Node: 0/3/SAM1, state: FAILED

LC/0/3/CPU0:Nov  1 16:16:24.704 : fib_mgr[172]: %PLATFORM-PLAT_FIB-3-ERR_STR_NEGO_FAIL : CGN fib apiv ipcp init: Failed to negotiate the apiv version.: UNKNOWN (12293)

LC/0/3/CPU0:Nov  1 16:16:30.695 : fib_mgr[172]: %ROUTING-FIB-3-TABLE : table operation failed during Invalid table create failed: Resource temporarily unavailable  : pkg/bin/fib_mgr : (PID=434279) :  -Traceback= 4002b9cc 4001426c 40014630 400019f4 4ba73a44 4ba71554 400003f0 40014a78 4bada400

RP/0/RSP1/CPU0:Nov  1 16:16:37.142 : shelfmgr[387]: %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/3/CPU0 A9K-ISM-100 state:IOS XR RUN

RP/0/RSP1/CPU0:Nov  1 16:16:37.144 : invmgr[257]: %PLATFORM-INV-6-NODE_STATE_CHANGE : Node: 0/3/CPU0, state: IOS XR RUN

LC/0/3/CPU0:Nov  1 16:16:47.370 : avsm_se_sm[125]: %PLATFORM-SIM_SE-6-STATE_CHANGE : Service Engine is in reset(Service Engine Software) state.

RP/0/RSP0/CPU0:Nov  1 16:16:47.418 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , Power Cycle (0x05000000)

RP/0/RSP0/CPU0:Nov  1 16:16:47.418 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , PLDREQ Sreset (0x0b000000)

RP/0/RSP1/CPU0:Nov  1 16:16:47.424 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , Power Cycle (0x05000000)

RP/0/RSP1/CPU0:Nov  1 16:16:47.424 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , PLDREQ Sreset (0x0b000000)

RP/0/RSP1/CPU0:Nov  1 16:16:47.425 : shelfmgr[387]: %PLATFORM-SHELFMGR-0-MAX_RESET_BRINGDOWN : Can not boot node 0/3/CPU0 A9K-ISM-100 due to multiple resets, putting it IN_RESET state. The probable cause is an unexpected event on the node or a failure in communication with the node. Please refer to the Cisco ASR 9000 System Error Message Reference Guide for further information if needed.

RP/0/RSP1/CPU0:Nov  1 16:16:47.425 : shelfmgr[387]: %PLATFORM-SHELFMGR-6-NODE_CPU_RESET : Node 0/3/CPU0 CPU reset detected.

RP/0/RSP1/CPU0:Nov  1 16:16:47.427 : shelfmgr[387]: %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/3/CPU0 A9K-ISM-100 state:IN-RESET

RP/0/RSP1/CPU0:Nov  1 16:16:47.434 : mibd_entity[324]: %HA-HA_EM-7-FMFD_CONNECTION_FAIL : Could not connect to /dev/fm/fd_wdsysmon.d/node0_3_CPU0 : No such file or directory

RP/0/RSP0/CPU0:Nov  1 16:16:47.548 : ce_switch_srv[53]: %PLATFORM-CE_SWITCH-6-UPDN : Interface 7 (LC_Slot_3) is down

RP/0/RSP1/CPU0:Nov  1 16:16:47.683 : ce_switch_srv[53]: %PLATFORM-CE_SWITCH-6-UPDN : Interface 7 (LC_Slot_3) is down

RP/0/RSP1/CPU0:Nov  1 16:16:48.436 : mibd_entity[324]: %HA-HA_EM-7-FMFD_CONNECTION_FAIL : Could not connect to /dev/fm/fd_wdsysmon.d/node0_3_CPU0 : No such file or directory

RP/0/RSP1/CPU0:Nov  1 16:16:50.437 : mibd_entity[324]: %HA-HA_EM-7-FMFD_CONNECTION_FAIL : Could not connect to /dev/fm/fd_wdsysmon.d/node0_3_CPU0 : No such file or directory

RP/0/RSP1/CPU0:Nov  1 16:16:54.439 : mibd_entity[324]: %HA-HA_EM-7-FMFD_CONNECTION_FAIL : Could not connect to /dev/fm/fd_wdsysmon.d/node0_3_CPU0 : No such file or directory

RP/0/RSP1/CPU0:router#





Thanks


Renato Reis

somnathr Fri, 11/01/2013 - 20:38
User Badges:
  • Cisco Employee,

Hi Renato,


Couple of things:


  • You do not need SAM modules on ISM (for CGN/CGv6 application). So, you can remove those.
  • What is the version that ISM module is running ? Can you pl. capture 'show platform summary loc ' output ?
    • If it is older one (I see some API-V mismatch message), you may want to upgrade the Linux install-kit (pl. use the CCO configuration guide link)


regards,

Somnath.

Renato Fernande... Sat, 11/02/2013 - 05:57
User Badges:

Hi Somnath,


I guess the ISM's software version is up to date. How can I disadle the SAM modules?


RP/0/RSP1/CPU0:router#admin show platform summary location 0/3/CPU0

Sat Nov  2 10:57:05.277 UTC

-------------------------------------------------------------------------------

     Platform Node : 0/3/CPU0 (slot 5)

               PID : A9K-ISM-100

         Card Type : Integrated Services Module

            VID/SN : V01 / FOC151984LQ

        Oper State : IN-RESET

        Last Reset : N/A

                   : N/A

     Configuration : Power is enabled

                     Bootup enabled. 

                     Monitoring enabled

        Rommon Ver : Version 1.2(20091201:235620)

        IOS SW Ver : 4.3.2

        Main Power : Power state Disabled.

            Faults : N/A

-------------------------------------------------------------------------------

RP/0/RSP1/CPU0:router#

RP/0/RSP1/CPU0:router#admin show install active summary

Sat Nov  2 10:57:11.659 UTC

Default Profile:

  SDRs:

    Owner

  Active Packages:

    disk0:asr9k-mini-px-4.3.2

    disk0:asr9k-9000v-nV-px-4.3.2

    disk0:asr9k-doc-px-4.3.2

    disk0:asr9k-fpd-px-4.3.2

    disk0:asr9k-k9sec-px-4.3.2

    disk0:asr9k-mgbl-px-4.3.2

    disk0:asr9k-mpls-px-4.3.2

    disk0:asr9k-services-px-4.3.2



RP/0/RSP1/CPU0:router#





LC/0/3/CPU0:Nov  1 17:24:54.895 : avsm_agent[124]: %PROCMGR-3-PROCESS_CRASH : process avsm_sia crashed, restarting it...

LC/0/3/CPU0:Nov  1 17:24:54.896 : avsm_agent[124]: %PROCMGR-2-SE_RESTART : process avsm_sia restart too many times, Service Engine is going to reboot.

LC/0/3/CPU0:Nov  1 17:24:54.959 : apiv_srvr[115]: %PLATFORM-APIV-5-API_INCOMPATIBLE : Message 24 in APIV module APIV_SI is incompatible (reason: Not supported on the remote side)

LC/0/3/CPU0:Nov  1 17:24:54.959 : apiv_srvr[115]: %PLATFORM-APIV-3-MODULE_INCOMPATIBLE : APIV module APIV_SI is incompatible

LC/0/3/CPU0:Nov  1 17:24:56.642 : canb_upg_agt[132]: %PLATFORM-UPGRADE_FPD-4-DOWN_REV : cbc instance 0 is down-rev (V18.05), upgrade to (V18.08). Use the "upgrade hw-module fpd" CLI in admin mode.

LC/0/3/CPU0:Nov  1 17:24:57.241 : l2fib[239]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: Initializing L2 FIB APIV modules.

LC/0/3/CPU0:Nov  1 17:24:57.313 : l2fib[239]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: retrieving SysDB notifications.

LC/0/3/CPU0:Nov  1 17:24:57.313 : l2fib[239]: %PLATFORM-PLAT_L2FIB-6-GENERIC : avsm l2fib: starting of APIV version negotiation.

LC/0/3/CPU0:Nov  1 17:24:58.033 : avsm_se_sm[125]: %PLATFORM-SIM_SE-6-STATE_CHANGE : Service Engine is in shutting down state.

LC/0/3/CPU0:Nov  1 17:24:58.035 : sis[307]: %PLATFORM-VKG_SIS-6-GENERIC_EVENT : sis event: Starting of SI APIV Deletion ...

LC/0/3/CPU0:Nov  1 17:24:58.840 : apiv_srvr[115]: %PLATFORM-APIV-5-API_INCOMPATIBLE : Message 8 in APIV module ISM_L2FIB_APIV is incompatible (reason: Not supported on the remote side)

LC/0/3/CPU0:Nov  1 17:24:58.840 : apiv_srvr[115]: %PLATFORM-APIV-3-MODULE_INCOMPATIBLE : APIV module ISM_L2FIB_APIV is incompatible

LC/0/3/CPU0:Nov  1 17:24:59.842 : avsm_agent[124]: %ISM_L2_UFA-3-ERR :  L2UFA: apiv/ipcp init failed

LC/0/3/CPU0:Nov  1 17:25:05.063 : avsm_agent[124]: %SAM_OIR-3-SAM_ERR_FPD : SAM/1: Unable to initialize. Error in FPD of device(s):CPLD. Detailed message -23:Unable to connect to socket:/tmp/fpdinfra_socket  -23 111:Connection refused 

RP/0/RSP1/CPU0:Nov  1 17:25:05.065 : invmgr[257]: %PLATFORM-INV-6-NODE_STATE_CHANGE : Node: 0/3/SAM1, state: FAILED

LC/0/3/CPU0:Nov  1 17:25:07.897 : fib_mgr[172]: %PLATFORM-PLAT_FIB-3-ERR_STR_NEGO_FAIL : CGN fib apiv ipcp init: Failed to negotiate the apiv version.: UNKNOWN (12293)

LC/0/3/CPU0:Nov  1 17:25:13.838 : fib_mgr[172]: %ROUTING-FIB-3-TABLE : table operation failed during Invalid table create failed: Resource temporarily unavailable  : pkg/bin/fib_mgr : (PID=442471) :  -Traceback= 4002b9cc 4001426c 40014630 400019f4 4ba73a44 4ba71554 400003f0 40014a78 4bada400

RP/0/RSP1/CPU0:Nov  1 17:25:20.654 : shelfmgr[387]: %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/3/CPU0 A9K-ISM-100 state:IOS XR RUN

RP/0/RSP1/CPU0:Nov  1 17:25:20.656 : invmgr[257]: %PLATFORM-INV-6-NODE_STATE_CHANGE : Node: 0/3/CPU0, state: IOS XR RUN

LC/0/3/CPU0:Nov  1 17:25:32.631 : avsm_se_sm[125]: %PLATFORM-SIM_SE-6-STATE_CHANGE : Service Engine is in reset(Service Engine Software) state.

RP/0/RSP1/CPU0:Nov  1 17:25:32.678 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , Power Cycle (0x05000000) 

RP/0/RSP1/CPU0:Nov  1 17:25:32.678 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , PLDREQ Sreset (0x0b000000) 

RP/0/RSP1/CPU0:Nov  1 17:25:32.678 : shelfmgr[387]: %PLATFORM-SHELFMGR-0-MAX_RESET_BRINGDOWN : Can not boot node 0/3/CPU0 A9K-ISM-100 due to multiple resets, putting it IN_RESET state. The probable cause is an unexpected event on the node or a failure in communication with the node. Please refer to the Cisco ASR 9000 System Error Message Reference Guide for further information if needed.

RP/0/RSP1/CPU0:Nov  1 17:25:32.679 : shelfmgr[387]: %PLATFORM-SHELFMGR-6-NODE_CPU_RESET : Node 0/3/CPU0 CPU reset detected.

RP/0/RSP0/CPU0:Nov  1 17:25:32.681 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , Power Cycle (0x05000000) 

RP/0/RSP0/CPU0:Nov  1 17:25:32.681 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , PLDREQ Sreset (0x0b000000) 

RP/0/RSP1/CPU0:Nov  1 17:25:32.681 : shelfmgr[387]: %PLATFORM-SHELFMGR-6-NODE_STATE_CHANGE : 0/3/CPU0 A9K-ISM-100 state:IN-RESET

RP/0/RSP1/CPU0:Nov  1 17:25:32.689 : mibd_entity[324]: %HA-HA_EM-7-FMFD_CONNECTION_FAIL : Could not connect to /dev/fm/fd_wdsysmon.d/node0_3_CPU0 : No such file or directory

RP/0/RSP1/CPU0:Nov  1 17:25:32.702 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , Power Off (0x0a000000) 

RP/0/RSP0/CPU0:Nov  1 17:25:32.705 : canb-server[149]: %PLATFORM-CANB_SERVER-7-CBC_PRE_RESET_NOTIFICATION : Node 0/3/CPU0 , Power Off (0x0a000000) 

RP/0/RSP0/CPU0:Nov  1 17:25:32.917 : ce_switch_srv[53]: %PLATFORM-CE_SWITCH-6-UPDN : Interface 7 (LC_Slot_3) is down

RP/0/RSP1/CPU0:Nov  1 17:25:32.922 : ce_switch_srv[53]: %PLATFORM-CE_SWITCH-6-UPDN : Interface 7 (LC_Slot_3) is down

RP/0/RSP1/CPU0:Nov  1 17:25:33.691 : mibd_entity[324]: %HA-HA_EM-7-FMFD_CONNECTION_FAIL : Could not connect to /dev/fm/fd_wdsysmon.d/node0_3_CPU0 : No such file or directory

RP/0/RSP1/CPU0:Nov  1 17:25:35.693 : mibd_entity[324]: %HA-HA_EM-7-FMFD_CONNECTION_FAIL : Could not connect to /dev/fm/fd_wdsysmon.d/node0_3_CPU0 : No such file or directory

RP/0/RSP1/CPU0:Nov  1 17:25:39.694 : mibd_entity[324]: %HA-HA_EM-7-FMFD_CONNECTION_FAIL : Could not connect to /dev/fm/fd_wdsysmon.d/node0_3_CPU0 : No such file or directory



Thanks,



Renato

somnathr Sun, 11/03/2013 - 22:50
User Badges:
  • Cisco Employee,

Hi Renato,


SAM modules can be physically removed from the ISM card.


As it is in IN-RESET state, the "show platform summary location 0/3/CPU0" is not able to get App-side version number.


But, as I see the following msg:

"LC/0/3/CPU0:Nov 1 17:24:54.959 : apiv_srvr[115]: %PLATFORM-APIV-5-API_INCOMPATIBLE : Message 24 in APIV module APIV_SI is incompatible (reason: Not supported on the remote side) "


I'm suspecting that the install-kit is not updated properly.


You may need to follow the instructions under http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/cg_nat/configuration/guide/cgnat43cgn.html#wp1015556.


(I'm assuming Services pie is already installed and only Linux install-kit needs to be installed)


Step 1:

RP/0/RSP0/CPU0(admin)# hw-module location reload


Step 2:

RP/0/RSP0/CPU0(admin)#debug sim reload-disable location
Step 3:
(Assuming install-kit is already copied to RP)

RP/0/RSP0/CPU0(admin)# download install-image from

to


regards,

Somnath.

Renato Fernande... Mon, 11/04/2013 - 01:43
User Badges:

Hi Somnath,


Thank you for your attention. Actually, the FPDs of the new ISM were out of date so that the ISM coudn`t boot up. What I did was shutdown the fib manager process on the card and it no longer reloaded the ISM due to the version incompatibility and then I could upgrade the FPDs and reload the module.



proc mandatory OFF fib_mgr location 0/3/CPU0

proc SHUTDOWN fib_mgr location 0/3/CPU0



RP/0/RSP0/CPU0:router#admin show platform

Mon Nov  4 07:41:48.669 UTC

Node            Type                      State            Config State

-----------------------------------------------------------------------------

0/RSP0/CPU0     A9K-RSP440-TR(Active)     IOS XR RUN       PWR,NSHUT,MON

0/RSP1/CPU0     A9K-RSP440-TR(Standby)    IOS XR RUN       PWR,NSHUT,MON

0/FT0/SP        FAN TRAY                  READY           

0/FT1/SP        FAN TRAY                  READY           

0/0/CPU0        A9K-MOD160-TR             IOS XR RUN       PWR,NSHUT,MON

0/0/0           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/0/1           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/1/CPU0        A9K-MOD160-TR             IOS XR RUN       PWR,NSHUT,MON

0/1/0           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/1/1           A9K-MPA-8X10GE            OK               PWR,NSHUT,MON

0/3/CPU0        A9K-ISM-100(LCP)          IOS XR RUN       PWR,NSHUT,MON

0/3/CPU1        A9K-ISM-100(SE)           APP-READY      

0/PM0/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

0/PM1/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

0/PM2/SP        PWR-3KW-AC-V2             READY            PWR,NSHUT,MON

RP/0/RSP0/CPU0:router#



Thank you so much,


Renato

Correct Answer
somnathr Mon, 11/04/2013 - 04:38
User Badges:
  • Cisco Employee,

Hi Renato,


That's good to hear !  So, you're all set then, I would assume.


regards,

Somnath.

Renato Fernande... Mon, 11/04/2013 - 08:57
User Badges:

Hi Somnath,


I just wanna ask if you have any extra material about the SAM modules? How can I use them?



Thanks,



Renato Reis

somnathr Mon, 11/04/2013 - 19:23
User Badges:
  • Cisco Employee,

Hi Renato,


SAM module is already EOLed (http://www.cisco.com/en/US/prod/collateral/routers/ps9853/end_of_life_notice_c51-721386.html).


You do not need those for running CGv6 application - those are not used by CGv6 application software.


Details about how to handle / OIR SAM module are available at http://www.cisco.com/en/US/docs/routers/asr9000/hardware/ism_line_card/installation/guide/ismiginstalling.html#wp865031.


regards,

Somnath.

Renato Fernande... Wed, 12/18/2013 - 03:17
User Badges:

Hi Somnath,


Let's see if you can help with this new scenario. I want to extend this NAT configuration to a new site (BO1), but instead of using this entire setup with ASR9K, etc, I just want to use ASR9000v module and have this AS9K + ISM as the host. The first problem I see in this scenario is that I have the same 10.0.0.0/8 network in both sites, network which will access the same resources as the devices in the 10.0.0.0/8 in the main site.


1) Do you think if I create a new inside VRF [NAT_IN1] would address this issue?

2) Can I use the same outside VRF?





Here is the configurations.



!! IOS XR Configuration 4.3.1


!


vrf NAT_IN

address-family ipv4 unicast

  import route-target

   65500:2

   65500:3

  !

  export route-target

   65500:3

  !

!

!

vrf RED

address-family ipv4 unicast

  import route-target

   65500:1

  !

  export route-target

   65500:1

  !

!

!

vrf NAT_OUT

address-family ipv4 unicast

  import route-target

   65500:4

  !

  export route-target

   65500:4

  !

!

!

vrf SATELLITE

!

vrf BLUE

address-family ipv4 unicast

  import route-target

   65500:2

  !

  export route-target

   65500:2

  !

!

!


hw-module service cgn location 0/3/CPU0


!

ipv4 access-list ABF

5 permit ospf any any

10 permit ipv4 any 10.200.0.0 0.0.255.255 nexthop1 vrf NAT_IN ipv4 10.0.2.2

20 permit icmp any any

!



interface Bundle-Ether3

description Uplink (BE3 - VRF NAT_IN) - VLAN 20

vrf NAT_IN

ipv4 address 1.1.1.1 255.255.255.0

ipv4 access-group ABF ingress

!


!

interface Bundle-Ether22

description LOOPBACK CABLE NAT_OUT

vrf NAT_OUT

ipv4 address 10.0.1.1 255.255.255.0

!

!

interface Bundle-Ether23

description LOOPBACK CABLE BLUE

vrf BLUE

ipv4 address 10.0.1.2 255.255.255.0

!


!

interface 6

description Uplink  (BE6 - Global) - VLAN 20,51,80-82

!


!

interface 6.2

ipv4 address 1.1.1.2 255.255.255.0

encapsulation dot1q 2

!

interface 6.51 l2transport

description EFP - BE6 - VLAN 51

encapsulation dot1q 51

rewrite ingress tag pop 1 symmetric

!

interface 6.80 l2transport

description EFP - BE6 - VLAN 80

encapsulation dot1q 80

rewrite ingress tag pop 1 symmetric

!

interface 6.81 l2transport

description EFP - BE6 - VLAN 81

encapsulation dot1q 81

rewrite ingress tag pop 1 symmetric

!

interface 6.82 l2transport

description EFP - BE6 - VLAN 82

encapsulation dot1q 82

rewrite ingress tag pop 1 symmetric

!



interface Bundle-Ether100

description Bundle to Satellite 100

vrf SATELLITE

ipv4 point-to-point

ipv4 unnumbered Loopback0

nv

  satellite-fabric-link satellite 100

   remote-ports GigabitEthernet 0/0/0-43

  !

!

!

interface Bundle-Ether200

description Bundle to Satellite 200

vrf SATELLITE

ipv4 point-to-point

ipv4 unnumbered Loopback0

nv

  satellite-fabric-link satellite 200

   remote-ports GigabitEthernet 0/0/0-43

  !

!

!

interface Bundle-Ether300

description Bundle to Satellite 300

vrf SATELLITE

ipv4 point-to-point

ipv4 unnumbered Loopback0

nv

  satellite-fabric-link satellite 300

   remote-ports GigabitEthernet 0/0/0-35

  !

!

!



interface Loopback0

description MGMT SATELLITE

vrf SATELLITE

ipv4 address 10.0.0.254 255.255.255.0

!



interface tunnel-ip31101

description BLUE-TUNNEL01

vrf BLUE

ipv4 address 10.200.253.90 255.255.255.252

tunnel mode gre ipv4

tunnel source 6.2

tunnel destination 13.13.13.13

!

interface tunnel-ip31102

description BLUE-TUNNEL02

vrf BLUE

ipv4 address 10.200.253.94 255.255.255.252

tunnel mode gre ipv4

tunnel source 6.2

tunnel destination 14.14.14.14

!

interface tunnel-ip31103

description RED-TUNNEL03

vrf RED

ipv4 address 10.200.253.90 255.255.255.252

tunnel mode gre ipv4

tunnel source 6.2

tunnel destination 13.13.13.13

!

interface tunnel-ip31104

description RED-TUNNEL04

vrf RED

ipv4 address 10.200.253.94 255.255.255.252

tunnel mode gre ipv4

tunnel source 6.2

tunnel destination 14.14.14.14

!



!

interface TenGigE0/0/0/0

description LINK TO SATELLITE 100

bundle id 100 mode on

!

interface TenGigE0/0/0/1

description LINK TO SATELLITE 100

bundle id 100 mode on

!

interface TenGigE0/0/0/2

description LINK TO SATELLITE 200

bundle id 200 mode on

!

interface TenGigE0/0/0/3

description LINK TO SATELLITE 200

bundle id 200 mode on

!

interface TenGigE0/0/0/4

description LINK TO SATELLITE 300

vrf SATELLITE

ipv4 point-to-point

ipv4 unnumbered Loopback0

nv

  satellite-fabric-link satellite 300

   remote-ports GigabitEthernet 0/0/36-43

  !

!

!

interface TenGigE0/0/0/5

description LINK TO SATELLITE 300

bundle id 300 mode on

!



!

interface TenGigE0/0/0/16

description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82

bundle id 6 mode active

!

interface TenGigE0/1/0/16

description UPLINK  (BE6 - GLOBAL) - VLAN 20,51,80-82

bundle id 6 mode active

!



!

interface TenGigE0/0/0/17

description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20

bundle id 3 mode active

!


!

interface TenGigE0/1/0/17

description UPLINK  (BE3 - VRF NAT_IN) - VLAN 20

bundle id 3 mode active

!



!

interface TenGigE0/0/0/22

description LOOPBACK CABLE TE0/1/0/22

bundle id 22 mode on

!

interface TenGigE0/0/0/23

description LOOPBACK CABLE TE0/1/0/23

bundle id 22 mode on

!



interface TenGigE0/1/0/0

description LINK TO SATELLITE 100

bundle id 100 mode on

!

interface TenGigE0/1/0/1

description LINK TO SATELLITE 100

bundle id 100 mode on

!



interface TenGigE0/1/0/2

description LINK TO SATELLITE 200

bundle id 200 mode on

!

interface TenGigE0/1/0/3

description LINK TO SATELLITE 200

bundle id 200 mode on

!



interface TenGigE0/1/0/4

description LINK TO SATELLITE 300

bundle id 300 mode on

!

interface TenGigE0/1/0/5

description LINK TO SATELLITE 300

bundle id 300 mode on

!


!



!

interface TenGigE0/1/0/22

description LOOPBACK CABLE TE0/0/0/22

bundle id 23 mode on

!

interface TenGigE0/1/0/23

description LOOPBACK CABLE TE0/0/0/23

bundle id 23 mode on

!



interface BVI30

vrf RED

ipv4 address 10.200.25.193 255.255.255.192

!

interface BVI31

vrf BLUE

ipv4 address 10.200.1.1 255.255.255.248

!

interface BVI32

vrf BLUE

ipv4 address 10.200.25.129 255.255.255.224

!

interface BVI33

vrf BLUE

ipv4 address 10.200.25.1 255.255.255.128

!

interface BVI36

vrf BLUE

ipv4 address 10.200.237.145 255.255.255.240

!

interface BVI51

vrf RED

ipv4 address 192.168.7.12 255.255.255.0

!

interface BVI80

vrf RED

ipv4 address 10.200.26.169 255.255.255.224

!

interface BVI81

vrf BLUE

ipv4 address 10.200.25.164 255.255.255.240

!

interface BVI82

vrf BLUE

ipv4 address 10.200.25.180 255.255.255.240

!



!

interface ServiceApp1

description NAT_IN

vrf NAT_IN

ipv4 address 10.0.2.1 255.255.255.252

service cgn CGN service-type nat44

!

interface ServiceApp2

description NAT_OUT

vrf NAT_OUT

ipv4 address 10.0.2.5 255.255.255.252

service cgn CGN service-type nat44

!

interface ServiceInfra1

description ISM

ipv4 address 10.0.3.1 255.255.255.0

service-location 0/3/CPU0

!



!

prefix-set PS_ROUTES

  10.200.0.8,

  10.200.5.40/29,

  10.200.1.0/29,

  10.200.5.32/29,

  10.200.0.144/28,

  10.200.106.0/28,

  10.200.106.16/28

end-set

!



prefix-set PS_BGP_BLUE_OUT

  10.200.24.192/26,

  10.200.5.40/29,

  10.200.240.0/25,

  10.200.1.0/29,

  10.200.25.128/27,

  10.200.25.0/25,

  10.200.5.32/29,

  10.200.26.0/25,

  10.200.0.144/28,

  10.200.27.128/27,

  10.200.27.0/25,

  10.200.106.0/28,

  10.200.106.128/25,

  10.200.106.16/28,

  10.200.107.128/25

end-set

!

route-policy RP_DENY_ALL

  drop

end-policy

!

route-policy RP_PASS_ALL

  pass

end-policy

!

route-policy RP_BGP_BLUE_OUT

  if destination in PS_BGP_BLUE_OUT then

    pass

  endif

end-policy

!

route-policy RP_PASS_ROUTES

  if destination in PS_ROUTES then

    pass

  endif

end-policy

!



!

router static

address-family ipv4 unicast

  0.0.0.0/0 1.1.1.20

!

vrf NAT_IN

  address-family ipv4 unicast

   0.0.0.0/0 ServiceApp1

  !

!

vrf RED

!

vrf NAT_OUT

  address-family ipv4 unicast

   0.0.0.0/0 10.0.1.2

   10.200.24.192/26 ServiceApp2

  !

!

vrf BLUE

  address-family ipv4 unicast

   10.200.24.192/26 10.0.1.1

  !

!

!

router ospf

log adjacency changes

vrf NAT_IN

  router-id 1.1.1.1

  disable-dn-bit-check

  redistribute bgp 65500 metric 5 metric-type 2 route-policy RP_PASS_ROUTES

  !

  area 7

   interface Bundle-Ether3

   !

  !

!

!

router ospf RED

log adjacency changes

vrf RED

  router-id 10.200.26.169

  disable-dn-bit-check

  redistribute bgp 65500 metric 10 metric-type 2

  area 11

   interface BVI30

   !

   interface BVI80

   !

  !

!

!

router ospf BLUE

log adjacency changes

vrf BLUE

  router-id 10.200.25.164

  disable-dn-bit-check

  redistribute static

  redistribute bgp 65500 metric 10 metric-type 2

  area 0

   interface BVI81

   !

   interface BVI82

   !

  !

  area 2

   interface BVI31

   !

   interface BVI32

   !

   interface BVI33

   !

   interface BVI36

   !

  !

!

!

router bgp 65500

address-family ipv4 unicast

!

address-family vpnv4 unicast

!

vrf NAT_IN

  rd 65500:3

  bgp router-id 1.1.1.1

  address-family ipv4 unicast

   route-target download

  !

!

vrf RED

  rd 65500:1

  bgp router-id 10.200.253.90

  address-family ipv4 unicast

   network 10.200.25.192/26

   network 10.200.26.128/27

   network 10.200.26.192/27

   network 10.200.27.192/26

   network 10.200.104.128/27

   network 10.200.104.160/27

  !

  neighbor 10.200.253.89

   remote-as 64512

   ebgp-multihop 5

   update-source tunnel-ip31103

   address-family ipv4 unicast

    route-policy RP_PASS_ALL in

    route-policy RP_PASS_ALL out

    soft-reconfiguration inbound

   !

  !

  neighbor 10.200.253.93

   remote-as 64512

   ebgp-multihop 5

   update-source tunnel-ip31104

   address-family ipv4 unicast

    route-policy RP_PASS_ALL in

    route-policy RP_PASS_ALL out

    soft-reconfiguration inbound

   !

  !

!

vrf BLUE

  rd 65500:2

  bgp router-id 10.200.253.90

  address-family ipv4 unicast

   network 10.200.0.144/28

   network 10.200.1.0/29

   network 10.200.5.32/29

   network 10.200.5.40/29

   network 10.200.24.192/26

   network 10.200.25.0/25

   network 10.200.25.128/27

   network 10.200.26.0/25

   network 10.200.27.0/25

   network 10.200.27.128/27

   network 10.200.106.0/28

   network 10.200.106.16/28

   network 10.200.106.128/25

   network 10.200.107.128/25

   network 10.200.240.0/25

  !

  neighbor 10.200.253.89

   remote-as 64512

   ebgp-multihop 5

   update-source tunnel-ip31101

   address-family ipv4 unicast

    route-policy RP_PASS_ALL in

    route-policy RP_BGP_BLUE_OUT out

    soft-reconfiguration inbound

   !

  !

  neighbor 10.200.253.93

   remote-as 64512

   ebgp-multihop 5

   update-source tunnel-ip31102

   address-family ipv4 unicast

    route-policy RP_PASS_ALL in

    route-policy RP_BGP_BLUE_OUT out

    soft-reconfiguration inbound

   !

  !

!

!

l2vpn

load-balancing flow src-dst-ip

bridge group VLAN30

  bridge-domain VLAN30

   !

   !

   routed interface BVI30

  !

!

bridge group VLAN31

  bridge-domain VLAN31

   !

   !

   routed interface BVI31

  !

!

bridge group VLAN32

  bridge-domain VLAN32


   routed interface BVI32

  !

!

bridge group VLAN33

  bridge-domain VLAN33


   !

   routed interface BVI33

  !

!

bridge group VLAN36

  bridge-domain VLAN36


   !

   routed interface BVI36

  !

!

bridge group VLAN51

  bridge-domain VLAN51


   !

   routed interface BVI51

  !

!

bridge group VLAN80

  bridge-domain VLAN80

   interface 6.80

   !

   routed interface BVI80

  !

!

bridge group VLAN81

  bridge-domain VLAN81

   interface 6.81

   !

   routed interface BVI81

  !

!

bridge group VLAN82

  bridge-domain VLAN82

   interface 6.82

   !

   routed interface BVI82

  !

!

!

nv

satellite 100

  type asr9000v

  ipv4 address 10.0.0.1

!

satellite 200

  type asr9000v

  ipv4 address 10.0.0.2

!

satellite 300

  type asr9000v

  ipv4 address 10.0.0.3

!

!


!

service cgn CGN

service-location preferred-active 0/3/CPU0

service-type nat44 nat44

  portlimit 20000

  inside-vrf NAT_IN

   map outside-vrf NAT_OUT address-pool 10.200.24.192/26

  !

!

!





Thanks in advance,



Renato

Actions

This Discussion

Related Content