ASR9k CGN NAT statistics

mkhalil10
Spotlight

Hi all

I have some questions regarding the statistics we can collect about NAT when it is configured on the ASR9K.

The command show cgn nat44 nat1 statistics will show the number of translations and the ports in use. Is there another command that will show how many private IP addresses are mapped to a single public IP address, regardless of the ports in use?


When accessing the attach mode to view the utilization on the ISM cores

run attach 0/1/CPU0
show_nat44_stats

From the attach mode there is no help or ? to view the available commands. Did anyone try other commands from the attach mode to collect more statistics?


Thanks in advance


BR,

Mohammad


46 Replies

Nicolas Fevrier
Cisco Employee

Hi Mohammad,

The CLI commands you type after attaching to the Unix shell of the card (run attach) are not officially supported. That's why they are not documented on the Cisco website.

I mentioned this particular command with a clear disclaimer in a CiscoLive session because it is particularly useful to troubleshoot situations of traffic polarization, where a single core exceeds its capacity and starts dropping packets. But in general, we discourage users from accessing this level of CLI in the system.

Kind regards,

N.

Hi Nicolas

Thanks for the kind reply

I am trying to get stats for the CGN configured for my customer. The command show cgn nat44 nat1 statistics will show the number of translations and the ports in use, and I am trying to find the private/public address mappings.

As well, I am trying not to get into trouble while finding the best commands to check my IP address space / port utilization.

Thanks

BR,

Mohammad


Hi Mohammad,

I invite you to watch the following CiscoLive session (or at least read the pdf of the slides).

It covers the show commands a bit and explains what can also be done with scripts to extend the info you can collect.

Best regards,

N.

Carrier Grade NAT44 on IOS-XR Deployment Experience

Thanks for the update

BR,

Mohammad

Thanks Nicolas again

I have two questions please if you can help

The first is regarding the drops

Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 5683115
Number of sessions: 170205
Translations create rate: 32803
Translations delete rate: 26785
Inside to outside forward rate: 622757
Outside to inside forward rate: 750702
Inside to outside drops port limit exceeded: 1181967031
Inside to outside drops system limit reached: 0
Inside to outside drops resource depletion: 0
No translation entry drops: 17495451869


I think I have an issue here, as the Inside to outside drops port limit exceeded counter is counting, and No translation entry drops is counting as well?

The second question, if I got that right from the session: I have configured the port-limit to 1000

service cgn cgn1
 service-location preferred-active 0/1/CPU0
 service-type nat44 nat1
  portlimit 1000

So, 65535-1024/1000 = 64 potential inside addresses for each public address?

Load balancing is mentioned in one of the slides, but it's mentioned how to load balance among the 8 cores. Is there a way or command to enable that?

RP/0/RSP0/CPU0:UM-HQ1-CGN-3G-NAT1#run attach 0/1/CPU0
# show_nat44_stats

         CORE-ID              #SESSIONS(%UTIL)          #USERS(%UTIL)
------------------------------------------------------------------------
            0              667077(23.2%)             54632(41.68%)
            1              679003(23.6%)             54596(41.65%)
            2              684900(23.8%)             54499(41.58%)
            3              680761(23.7%)             54496(41.58%)
            4              236874(8.2%)              10823(8.26%)
            5              241627(8.4%)              10837(8.27%)
            6              241785(8.4%)              10853(8.28%)
            7              240576(8.4%)              10791(8.23%)
------------------------------------------------------------------------
                 Total Sessions: 3672603                 Total users: 261527
Main DB size is 2875008 and User DB size is 131072


BR,

Mohammad

Hi Mohammad,

In the back-up section of the CiscoLive slide deck, you have the "NAT44 Show Commands" details of each entry.

- "Inside to outside drops port limit exceeded" is self-explanatory: you have more sessions than 100 by default, and you did right increasing this number to 1000. Also, I suggest keeping powers of 2 (1024, for instance), in case you want to use BPA in the future.

- "No translation entry drops" --> out2in drops because of no entry in the translation DB. That means you are receiving traffic from the outside which cannot be translated because you have no entry (created by i2o traffic) in the table.
Reasons can be various, like external DDoS attacks or high-speed scans of the range to get through to the internal network. It could also be traffic arriving after the timers expired, but that's very unlikely and the numbers of packets here are too big IMHO. In a lab environment (btw, is it a lab or a production system?), it simply means that the tester used for testing is not "smart" enough to follow the port transaction.


Your math (65535-1024)/1000 = 64 internal users max per public address is correct.


Regarding the load-balancing, nothing should be configured on the router; it's in the nature of internet traffic to be very diverse in source/destination IP and ports. In a lab environment, you need to have enough of such diversity to distribute the traffic evenly among the cores of the system.


Kind regards,

N.
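To put the polarization check into a script, here is an added example (my own code, not Cisco's and not from the CiscoLive deck) that parses the show_nat44_stats table quoted earlier in this thread and flags cores carrying far more or far less than an even 1/N share of sessions; the table text is a constructed copy of that output and the 25% tolerance is an assumed threshold.

```python
"""Flag core polarization in ISM 'show_nat44_stats' output (added example)."""
import re

# Constructed copy of the per-core table as quoted in this thread.
SAMPLE = """\
         CORE-ID              #SESSIONS(%UTIL)          #USERS(%UTIL)
------------------------------------------------------------------------
            0              667077(23.2%)             54632(41.68%)
            1              679003(23.6%)             54596(41.65%)
            2              684900(23.8%)             54499(41.58%)
            3              680761(23.7%)             54496(41.58%)
            4              236874(8.2%)              10823(8.26%)
            5              241627(8.4%)              10837(8.27%)
            6              241785(8.4%)              10853(8.28%)
            7              240576(8.4%)              10791(8.23%)
------------------------------------------------------------------------
                 Total Sessions: 3672603                 Total users: 261527
"""

# One data row: core id, sessions(%util), users(%util).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\(([\d.]+)%\)\s+(\d+)\(([\d.]+)%\)\s*$")


def parse_cores(text):
    """Return {core_id: {"sessions", "sess_util", "users", "user_util"}}."""
    cores = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, sess, su, users, uu = m.groups()
            cores[int(cid)] = {"sessions": int(sess), "sess_util": float(su),
                               "users": int(users), "user_util": float(uu)}
    return cores


def polarized_cores(cores, tolerance=0.25):
    """Return (share_by_core, skewed_ids, hottest_core).

    share is each core's fraction of all sessions; a core is skewed when it
    deviates from the fair share (1/N) by more than `tolerance` (assumed 25%).
    hottest_core is the one closest to its session capacity (%UTIL), which is
    the core that will start dropping packets first.
    """
    total = sum(c["sessions"] for c in cores.values())
    fair = 1 / len(cores)
    share = {cid: c["sessions"] / total for cid, c in cores.items()}
    skewed = sorted(cid for cid, s in share.items() if abs(s - fair) / fair > tolerance)
    hottest = max(cores, key=lambda cid: cores[cid]["sess_util"])
    return share, skewed, hottest
```

On the quoted table every core is flagged: cores 0-3 carry about 18% of sessions each against a fair share of 12.5%, cores 4-7 about 6.5%, so the lab traffic lacked the source/destination diversity Nicolas describes.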

Thanks Nicolas

Yes, the system is in production, and that is what made me think there is an issue. I am looking for how to solve this.

BR,

Mohammad

Hi Nicolas

I have opened a case with Cisco and am still waiting for their update regarding the case, but what I was asked about is the port-limit.

Should I increase the port-limit? For example to 4096?

As well, the number of drops is increasing and the free pools are showing as 0. Should I configure a new pool?

Thanks

BR,

Mohammad

Hi Mohammad,

Inside to outside drops port limit exceeded: 1181967031
--> shows that your port limit is too small.

Providing a recommended number is impossible; it mainly depends on the type of users you are providing service to. 4096 is a commonly selected number.

It is always a trade-off between the optimization of your resource (the public IP addresses), the number of customers you need to accommodate, and the type of service they are using.

Kind regards,

N.

Thanks Nicolas, but what I am confused about is that when I change the port-limit to 4096, for example, this will change the private/public mapping from 63 (as I am using 1000 now) to 15 (if changed to 4096).

So, if the number of private addresses occupying a public address decreases, that will not cause any issue for me as well?

Thanks again

BR,

Mohammad

Hi Mohammad,

I'm not sure I understand your question :)

If you enlarge the number of ports per user, the mechanical consequence is a lower utilization of public range.

You need to collect the output I listed in the CiscoLive presentation and compute the utilization. It's not a trivial job to figure out the best port range per user.

You will always have users who consume a lot of ports (they could be power users with many hosts at home and using a lot of applications, or some applications using a lot of ports like some P2P software, or sometimes corrupted devices used for spam or DDoS attacks). But you cannot use these users to define the right number; you need to get a better understanding of the number of users using less than 32 ports, less than 64, less than 128, 256, 512, 1024, 2048 and finally 4096.

Based on this "audit", if 99,997% of the users consume less than 512 ports, then you can use this value. Some will prefer to double the number, just to be on the safe side.

Hope it helps a bit,

KR,

N.

Hi Nicolas

After opening a case with Cisco regarding the drops I am seeing in the statistics, they also assured me that it's a port-limit issue.

I have changed the port-limit to 2048 and cleared the statistics, and it is still the same; in addition, I have started to see PPTP ctrl message drops as well.

RP/0/RSP0/CPU0:ASR#sh cgn nat44 nat1 statistics | inc drop
Thu Aug  6 10:10:39.445 AST
Inside to outside drops port limit exceeded: 1243094945
Inside to outside drops system limit reached: 0
Inside to outside drops resource depletion: 0
No translation entry drops: 21285888516
PPTP ctrl message drops: 39861

Any idea what the issue could be, as I am still waiting for Cisco's feedback?

Thanks in advance

BR,

Mohammad

Hi Mohammad,

I will let the TAC provide specialist support here.

But I will point you again to the Cisco Live presentation.

Regardless of the value of port-limit you define, you will have i2o packet drops. That's in the nature of things, because some users will always try to use more ports than you want to give them (as said before, they could be legitimate power users, or they could have some p2p application using tons of ports, or they can even be corrupted systems that are part of a botnet and generating a lot of spam or DDoS attack traffic). Now the question you need to address is: how many of these users are exceeding my port-limit at peak hour?

If you can conclude that only 0.01% of your users are dropping packets because they exceed 2048 ports, do you want to change a configuration which seems to be fine for tens or hundreds of thousands of other users?

In the CiscoLive preso, I proposed a method to identify these users. It requires scripts and cannot be done manually.

Kind regards,

N.

Search the slides "Scripts" in http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSPG-3334.pdf

Thanks,

N.
