NE40E (V6R7) NAT translation packet loss issue

Published: 2017-03-15  Views: 603  Downloads: 0
Problem description

NAT on the NE40E is dropping packets. When the user count was small there was no problem; after a large batch of users was cut over, NAT packet loss appeared. For example, for DNS requests to the Internet, a capture taken before NAT translation shows 5 packets, but only one can be captured after NAT translation.


display nat statistics discard slot 6
===========================================================================
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 6 Engine: 0
---------------------------------------------------------------------------
Bufferring a fragment timed out                :76280319
The IP header failed to be resolved            :11
The route cannot be found                      :1
The session cannot be found                    :5295262709
Traffic limit when a packet is sent from data plane to management plane            :148124
The session failed to be created               :11568727375
The packet failed to be sent to the VRP        :148124
IPV4 Buffering a fragment failed               :8445224
The policy for the NAT conversion cannot found :912348

Main configuration:


service-location 1
 location slot 6 engine 0
#
service-instance-group 1
 service-location 1
#
license
 active nat session-table size 6 slot 6 engine 0
 active nat bandwidth-enhance slot 6 engine 0
#
nat instance JSCN_INT2 id 4
 service-instance-group 1
 nat address-group 4 group-id 4 xx.xx.31.160 xx.xx.31.175
 nat outbound any address-group 4
 nat session-limit total 65535
 nat reverse-session-limit total 4096
 nat alg all
 redirect ip-nexthop 111.208.7.13 outbound
 nat filter mode full-cone

Handling process

1. Reproducing the fault: the current number of UDP sessions had already reached the UDP session limit.


2. The NAT discard statistics show drops counted under "Limit on user-based UDP sessions".


3. Raise the UDP session limit under the NAT instance:


4. After the UDP session limit was raised, the problem was resolved. If UDP sessions reach the limit again later, this can be addressed by shortening the aging time.
For this case, the current version is V600R007C00SPC300, which does not support changing the DNS aging time separately, so the UDP aging time has to be changed to achieve this.



Root cause

The configuration raised the session total limit but not the UDP limit. All of the accessed connections were UDP, so the UDP session count exceeded 10240.


Solution

Raise the UDP session limit under the NAT instance:

nat instance JSCN_INT2 id 4
 service-instance-group 1
 nat address-group 4 group-id 4 xx.xx.31.160 xx.xx.31.175
 nat outbound any address-group 4
 nat session-limit udp 65535
 nat session-limit total 65535
 nat reverse-session-limit total 4096
 nat alg all
 redirect ip-nexthop 111.208.7.13 outbound
 nat filter mode full-cone


Suggestions and summary

The nat session-limit command configures the per-user NAT session limit.

By default, the per-user TCP and UDP NAT session limits are both 10240.

When a user's NAT session count reaches the configured limit, sessions initiated by that user can no longer establish new connections. Only after NAT sessions from that user age out and the session count falls below the limit can the user establish new connections again.
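The mismatch behind this case (total limit raised, per-protocol limit left at the 10240 default) is easy to catch with a config audit. The following is an added example written for this page, not Huawei code; it assumes the nat session-limit line format shown above and treats any protocol whose effective per-user limit is below the configured total as a gap. Run against the page's own before/after instance it flags udp before the fix, and still flags tcp afterwards, since the fix only raised udp.

```python
import re

# Default per-user TCP/UDP NAT session limit, as stated in the summary above.
DEFAULT_PER_PROTOCOL_LIMIT = 10240

def parse_nat_instances(config_text):
    """Return {instance_name: {'total': ..., 'udp': ..., 'tcp': ...}} (None = not configured)."""
    instances = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^nat instance (\S+) id \d+$', line)
        if m:
            current = m.group(1)
            instances[current] = {'total': None, 'udp': None, 'tcp': None}
            continue
        m = re.match(r'^nat session-limit (total|udp|tcp) (\d+)$', line)
        if m and current is not None:
            instances[current][m.group(1)] = int(m.group(2))
    return instances

def find_limit_gaps(limits):
    """List (protocol, effective_limit) pairs whose per-user limit is lower than the
    configured total; a user whose sessions are all one protocol hits these first."""
    total = limits['total']
    if total is None:
        return []
    gaps = []
    for proto in ('udp', 'tcp'):
        proto_limit = limits[proto] if limits[proto] is not None else DEFAULT_PER_PROTOCOL_LIMIT
        if proto_limit < total:
            gaps.append((proto, proto_limit))
    return gaps

def audit(config_text):
    """Map each NAT instance name to its list of limit gaps."""
    return {name: find_limit_gaps(lim) for name, lim in parse_nat_instances(config_text).items()}

# Constructed sample: the instance from this case before and after the fix
# (address-group, alg and nexthop lines omitted, as they do not affect limits).
BEFORE_FIX = """\
nat instance JSCN_INT2 id 4
 service-instance-group 1
 nat session-limit total 65535
 nat reverse-session-limit total 4096
"""
AFTER_FIX = BEFORE_FIX.replace(" nat session-limit total 65535",
                               " nat session-limit udp 65535\n nat session-limit total 65535")

if __name__ == "__main__":
    print(audit(BEFORE_FIX))  # {'JSCN_INT2': [('udp', 10240), ('tcp', 10240)]}
    print(audit(AFTER_FIX))   # {'JSCN_INT2': [('tcp', 10240)]}
```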

END