I received a call from one of our desktop support techs recently about a single user that could not reach the internet. He swore up and down that he had checked everything on the user end, and could not find anything wrong. The browser would open, and nothing would happen. Begging me to look at the routers, I decided to humor him. Among the things I checked was to see what NAT address was being given to the user. Using a
sh ip nat trans
command I could not see this particular user's machine as having been given a NAT address out of the pool. The pool, by the way, still had several hundred unused addresses in it. On a whim, I issued a
clear ip nat trans *
command and asked the support tech on site to re-open the browser. Immediately the user's internet connection was restored. Since this incident, the user has experienced the same phenomenon several times. Clearing the NAT translation pool has fixed the problem every time. None of my other users have complained about this problem, and although I suspect it to be tied to the local host, I am at a loss to explain how clearing the NAT pool fixes the problem every time.
The host is obviously unaware of NAT, so any connectivity issues would tend to suspect the Cisco, especially when clearing the table solves the problem. I can't explain why it's only this one user that seems to have been affected so far. You should ensure that you have recent 12.1 or 12.2 code running, and when the problem occurs again collect "debug ip nat detail" with an access-list while the host is trying to communicate, and the output may help to indicate what's wrong.
Thanks for the debug info, I will give that a shot. I realize that the host is unaware of NAT, but the fact that it affects only one of approximately 2500 users that go through that router makes me wonder what is special about this one particular machine. I do need to upgrade the IOS on that particular router, so at least now I have an excuse to do it. Do you think if I gave this user a static NAT map it may remedy this problem? I obviously have no idea what is causing the problem, and I am being asked to explain it. Thanks again
Have you tried static configuration of a different IP address on the user's machine? This could eliminate the outside possibility of a duplicate IP address. Another tip is to lock down the user's switch port and NIC card to 100/Full to eliminate the possibility of auto-negotiation errors causing occasional malformed packets, which could confuse the NAT process.
I have verified there is no duplicate IP address. I will lock down the NIC and switch port first thing tomorrow. I've had lots of other problems with auto negotiation before, but never one that has affected NAT. This particular user is pretty far back at the tail end of a stub network. Do you think I should monitor the interfaces for errors on all the routers that she has to go through? If so, what exactly should I be looking for? The "sh int" command isn't going to tell me anything specific, so should I look to debug something particular besides the NAT? If memory serves, she goes through a 3548 to a 2900, to a 3660, to another 3660, through a PIX 520, to a 4700, where the NAT is occurring (It's a long story, I may move NAT when I have some time) to a LS1010 and out on the DS3.....ATM of course. So from the 4700 back, there are a lot of places to look, and I'm not sure what exactly I should be looking for. This is just an irritation, but one I would like to solve. Thanks
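Added example, not from any of the posters above: the check the original poster did by eye on "sh ip nat trans" (is this inside host present in the table, and how full is the pool really) can be scripted so it is repeatable each time the problem recurs. The script below parses the five-column "show ip nat translations" table as IOS prints it (Pro, Inside global, Inside local, Outside local, Outside global, with "---" for entries that carry no protocol or no outside address), reports the translations for a given inside host, lists which of a set of expected hosts have none, and counts distinct pool addresses in use. The sample output and all addresses are constructed for the example; the pool range is an assumed placeholder.

```python
import ipaddress

# Constructed sample of "show ip nat translations" output. Not captured from the
# poster's 4700; addresses are documentation ranges chosen for the example.
SAMPLE_SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:1025  10.1.1.5:1025      198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.10:1026  10.1.1.5:1026      198.51.100.9:443   198.51.100.9:443
udp 203.0.113.11:53001 10.1.1.6:53001     198.51.100.53:53   198.51.100.53:53
--- 203.0.113.12       10.1.1.7           ---                ---
"""


def _strip_port(addr):
    """Return the IP part of 'a.b.c.d:port' or 'a.b.c.d'; None for '---'."""
    if addr == "---":
        return None
    return addr.split(":", 1)[0]


def parse_translations(text):
    """Parse the translation table into a list of dicts, one per table row."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        # Skip the header row, blank lines and anything that is not 5 columns.
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        proto, ig, il, ol, og = cols
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": _strip_port(ig),
            "inside_local": _strip_port(il),
            "outside_local": _strip_port(ol),
            "outside_global": _strip_port(og),
        })
    return entries


def translations_for(text, inside_local):
    """All table rows whose inside-local address is the given host."""
    return [e for e in parse_translations(text)
            if e["inside_local"] == inside_local]


def hosts_without_translation(text, expected_hosts):
    """Hosts from expected_hosts that have no row at all in the table.

    This is the condition the original poster saw for the one affected user.
    """
    present = {e["inside_local"] for e in parse_translations(text)}
    return sorted(h for h in expected_hosts if h not in present)


def pool_usage(text, pool_start, pool_end):
    """(distinct inside-global addresses in use, pool size) for the given range."""
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    size = int(end) - int(start) + 1
    used = set()
    for e in parse_translations(text):
        ig = e["inside_global"]
        if ig is not None and start <= ipaddress.IPv4Address(ig) <= end:
            used.add(ig)
    return len(used), size


if __name__ == "__main__":
    # Assumed placeholder pool range for the example.
    used, size = pool_usage(SAMPLE_SHOW_NAT, "203.0.113.10", "203.0.113.254")
    print(f"pool addresses in use: {used}/{size}")
    print("rows for 10.1.1.5:", translations_for(SAMPLE_SHOW_NAT, "10.1.1.5"))
    print("hosts with no translation:",
          hosts_without_translation(SAMPLE_SHOW_NAT, ["10.1.1.5", "10.1.1.99"]))
```

Run it against a pasted copy of the real table before and after a "clear ip nat trans *" and the difference in the two reports is the evidence to keep alongside the "debug ip nat detail" capture suggested above.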