Cisco Support Community

New Member

Static NAT translations stop working when arp expires on the outside interface.

Hello Dears,

I have recently installed a router with CME functionality to be a gateway for a small network. The router has one public IP address for its outside interface, which handles the PAT for the internal hosts. There are 3 static NAT translations on another public address from the same pool as the IP address on the outside interface. The first and the second static NAT translations are for port 25 and 88 and the third is on port 80. The router works properly for a certain amount of time and suddenly stops all traffic for the three static NAT entries (despite PAT on the outside interface working fine). Traffic does not come back until I remove one of the static NAT entries and put it back again. I checked the ARP entries and I found out that when they expire traffic stops. When I remove and put back the static entries, the ARP table refills and traffic comes back again. Can you tell me how I can handle this?
Thanks,

Ivaylo

21 REPLIES
Cisco Employee

Re: Static NAT translations stop working when arp expires on the

Hello,

Technically, the issue seems to be with the next hop device (ISP router) that is losing the ARP entry and not ARPing again. But as a workaround, please try this:

arp ARPA

Please repeat the above for all three IP's which have static mapping. That should help you fix the issue.

Hope this helps.

Regards,

NT

New Member

Re: Static NAT translations stop working when arp expires on the

Thank you for your suggestion, but this workaround does not work. I have already tried it. I will appreciate it if you have any other suggestions.
Regards,

Ivaylo

Hall of Fame Super Gold

Re: Static NAT translations stop working when arp expires on the

Which exact IOS are you using ?

How is the router connected to ISP device ?

Can you send "show interface" for the one in question ?

Also please report here how your default route is configured.

Cisco Employee

Re: Static NAT translations stop working when arp expires on the

Hello,

Do you have access to the ISP router? If yes, can you add a static entry there? Or, you can ask the ISP to add an entry for you. Also, please make sure that the interface facing ISP has proxy-arp enabled.

Interface

ip proxy-arp

Hope this helps.

Regards,

NT

Hall of Fame Super Gold

Re: Static NAT translations stop working when arp expires on the

Do you have access to the ISP router? If yes, can you add a static entry  there? Or, you can ask the ISP to add an entry for you. Also, please  make sure that the interface facing ISP has proxy-arp enabled.


Incorrect, none of the settings above is necessary in a normally working situation. The reason for the problem lies somewhere else.

Cisco Employee

Re: Static NAT translations stop working when arp expires on the

Hello,

Normally, when the ARP entry expires on the ISP router for the advertised address, it has to refresh it. But in this case, the issue seems to be that the ISP router is not refreshing its ARP cache entry. So, adding a static entry would be a workaround to make sure that the setup works. While this is not an ideal solution, in situations where you do not have control over ISP devices for troubleshooting, this is the easiest way to make it work.

Hope this clears up things.

Regards,

NT

Hall of Fame Super Gold

Re: Static NAT translations stop working when arp expires on the

Normally, when the ARP entry expires on the ISP router for the advertised address, it has to refresh it. But in this case, the issue seems to be that the ISP router is not refreshing its ARP cache entry. So, adding a static entry would be a workaround to make sure that the setup works. While this is not an ideal solution, in situations where you do not have control over ISP devices for troubleshooting, this is the easiest way to make it work.

I have worked with Internet connections every day for 16 years now and I have never seen or heard of a case as you describe above.

I am convinced the problem lies in the OP router side, and we shall be able to find out once the information I have requested above is made available to us.

New Member

Re: Static NAT translations stop working when arp expires on the

The interface configuration is the following:

interface GigabitEthernet0/0
description ### To ISP ###
ip address 84.242.142.196 255.255.255.248
ip access-group OUTBOUND out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable

The default route is:

ip route 0.0.0.0 0.0.0.0 84.242.142.193

The router is connected to the ISP by a media converter into which an optic cable enters.
I have noticed that when the ARP entry for IP address 84.242.142.194 expires, all sessions stop. When I flush the ARP table of the router, everything works properly.

We have this:

ip nat pool SMTP 84.242.142.194 84.242.142.194 netmask 255.255.255.248
ip nat inside source list 20 pool SMTP overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.2.9 25 84.242.142.194 25 extendable
ip nat inside source static tcp 192.168.2.10 80 84.242.142.194 80 extendable
ip nat inside source static tcp 192.168.2.9 88 84.242.142.194 88 extendable

......

Access-list 20 has the IP address of the SMTP server since our client wants internet connectivity to it.
Access-list NAT has the ip addresses of the network users.
If you have any further questions, please ask.
Regards

Cisco Employee

Re: Static NAT translations stop working when arp expires on the

Hello,

Where are you checking the ARP expiry information?

Regards,

NT

New Member

Re: Static NAT translations stop working when arp expires on the

On the customers router with sh arp command.

Hall of Fame Super Gold

Re: Static NAT translations stop working when arp expires on the

Exact IOS used ?

Show interface g0/0 please ?

You should also take a "debug arp". It is also possible that some device unexpectedly duplicates your address.

New Member

Re: Static NAT translations stop working when arp expires on the

#sh interfaces gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 6416.8dd6.27e0 (bia 6416.8dd6.27e0)
  Description: ### To ISP ###
  Internet address is 84.242.142.196/29
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 16/255, rxload 6/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is T
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 5/75/853/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2470000 bits/sec, 593 packets/sec
  5 minute output rate 6466000 bits/sec, 806 packets/sec
     48746244 packets input, 2198265361 bytes, 9 no buffer
     Received 142966 broadcasts, 0 runts, 0 giants, 399 throttles
     30415 input errors, 0 CRC, 0 frame, 0 overrun, 30415 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     74627417 packets output, 3099711683 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

The configuration I have posted above.
The IOS is c2800nm-advipservicesk9-mz.124-24.T3.bin

At the beginning it was another one but we have changed it since there was a problem in the version.

Hall of Fame Super Gold

Re: Static NAT translations stop working when arp expires on the

  Input queue: 5/75/853/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2470000 bits/sec, 593 packets/sec
  5 minute output rate 6466000 bits/sec, 806 packets/sec
     48746244 packets input, 2198265361 bytes, 9 no buffer
     Received 142966 broadcasts, 0 runts, 0 giants, 399 throttles
     30415 input errors, 0 CRC, 0 frame, 0 overrun, 30415 ignored

Even if just a fraction of the total, this error count seems excessive.

Please increase hold-queue in to 200, clear counters, monitor interface over time.

Chances are, the missed ARPs are among the "ignored" packets.

Also, if you have 512MB RAM, can you upgrade to 12.5(1)M3 ? It is VERY stable for CME and is the only one with MD qualification now.

New Member

Re: Static NAT translations stop working when arp expires on the

CSCsi32425

Symptoms: A router that is configured for static NAT translations may lose its external/global ARP entry for a NAT address.

Conditions: This symptom is observed when traffic flows run across the  router, for example, when the client is outside and server is inside,  and when static NAT translation is used for periods of about two  minutes.

Workaround: Configure a route map that matches the static NAT  translation, and apply the static NAT entry by entering either one of  the following commands:

- ip nat inside source static tcp local-ip local-port global-ip global-port route-map name reversible

- ip nat inside source static local-ip global-ip route-map name reversible

Cisco Employee

Re: Static NAT translations stop working when arp expires on the

Hello,

The symptoms kind of match the bug descriptions although the image they are running is not in the affected list (in fact, that code should have the fix in it). However, I guess it could be a good idea to try the workaround to see if that helps. If that does, you can contact TAC and they will be able to dig deeper to see if the 12.4(24)T3 code indeed has the fix or not.

Regards,

NT

New Member

I have found the solution!

I have found the solution!  DO NOT USE IP NAT POOL!!!! (if you are using Static and Dynamic NAT Simultaneously)

"the same IP address cannot be used for the NAT static configuration or in the pool for NAT dynamic configuration."

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13778-9.html

If you are Configuring Static and Dynamic NAT Simultaneously, the setup should be like below

ip nat inside source list 1 interface g0/0 overload


ip nat inside source static tcp 10.10.10.1 25 172.16.130.2 25


*I changed my IP nat pool mynatpool 99.3.81.66 99.3.81.66, so the range would be only 1 public IP, and my static NAT still stopped working for the FTP server...but after I removed
no ip nat pool mynatpool 99.3.81.66 99.3.81.66 prefix-length 24
no ip nat inside source list 1 pool mynatpool overload
and added
ip nat inside source list 1 interface G0/0 overload

I have had 3 days without any Static NAT issues!
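
Added example, not part of the post above or of any Cisco tool: a small Python audit that flags the condition this post describes, a static NAT global address that also falls inside a pool used for dynamic NAT. It goes slightly beyond the single case by handling both `netmask` and `prefix-length` pools and both port and one-to-one static entries; the function name is hypothetical and the sample is the NAT configuration posted earlier in the thread.

```python
import ipaddress
import re

# NAT lines copied from the original poster's configuration earlier in the thread.
THREAD_CONFIG = """\
ip nat pool SMTP 84.242.142.194 84.242.142.194 netmask 255.255.255.248
ip nat inside source list 20 pool SMTP overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.2.9 25 84.242.142.194 25 extendable
ip nat inside source static tcp 192.168.2.10 80 84.242.142.194 80 extendable
ip nat inside source static tcp 192.168.2.9 88 84.242.142.194 88 extendable
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"ip nat pool (\S+) {IP} {IP} (?:netmask|prefix-length) \S+")
DYNAMIC_RE = re.compile(r"ip nat inside source list \S+ pool (\S+)")
# Static entries come with ports (tcp/udp) or as plain one-to-one mappings.
STATIC_RE = re.compile(
    rf"ip nat inside source static (?:(?:tcp|udp) {IP} \d+ {IP} \d+|{IP} {IP})")


def find_static_pool_overlaps(config):
    """Return sorted (global_ip, pool_name, static_entry_count) tuples for every
    static NAT global address that also lies inside a pool used for dynamic NAT."""
    pools, referenced, static_globals = {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := DYNAMIC_RE.match(line):
            referenced.add(m.group(1))
        elif m := STATIC_RE.match(line):
            # group 2 = global IP of the port form, group 4 = of the plain form
            static_globals.append(ipaddress.ip_address(m.group(2) or m.group(4)))
    counts = {}
    for glob in static_globals:
        for name in pools.keys() & referenced:  # only pools a dynamic rule uses
            low, high = pools[name]
            if low <= glob <= high:
                counts[(str(glob), name)] = counts.get((str(glob), name), 0) + 1
    return sorted((ip, name, n) for (ip, name), n in counts.items())


if __name__ == "__main__":
    for ip, pool, n in find_static_pool_overlaps(THREAD_CONFIG):
        print(f"{ip}: {n} static entries overlap dynamic pool {pool}")
```

Run against a saved `show running-config`, an empty result means no static global address is shared with a dynamic pool.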

New Member

Re: Static NAT translations stop working when arp expires on the

Problem has been solved by adding a secondary IP address on the outside interface. The address being the problematic NAT address.
Sorry for the late reply. Thank you all.
Best regards,
Ivaylo

New Member

Re: Static NAT translations stop working when arp expires on the

Hi  Ivaylo Hristov

did you apply a secondary PUBLIC ip address to solve the problem or any ip address????

Greetings

New Member

Re: Static NAT translations stop working when arp expires on the

Hi,

I have applied the public IP address on which I do the NAT. This solved the problem.

New Member

Re: Static NAT translations stop working when arp expires on the

I'm sorry,

did you apply the public IP address of the IP that stopped working, or another public IP within the segment?

I have the same problem... but with 2 or 3 IP addresses...

New Member

Re: Static NAT translations stop working when arp expires on the

I got this answer on ittoolbox.com:

I think you have dynamic NAT (or PAT) also in your same router and the same private IP address is also covered by dynamic NAT. If this is the case, then add a deny statement in the access list of the dynamic NAT, which will avoid the same address being used by dynamic NAT.

Well, my pool access list on the NAT for everyone else does not have the SERVER that stops working after FTP...

I've set the secondary IP address and set the access-list of the pool to deny the server as a test... I'll let you know about the results!
