Slow Network Access Due to NAT PAT

Publication Date: 2015-07-03
Issue Description
Networking:


Fault Symptom:

A user reports that network access from a PC connected to the USG2100 is slow and that the user is logged out about one minute after entering an online game.
Handling Process
1. From an intranet PC, ping the USG2100, the next-hop address of the USG2100, the DNS server, and the Baidu and Sina servers. No packets are lost, and the network delay is acceptable.

2. Access an HTTP page from an intranet PC and log in to the USG2100 to check the session table. It is found that traffic is transmitted in only one direction in some sessions (no return packets are counted):


  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:51
  Interface: Dialer0  NextHop: 61.135.162.37  MAC: 00-00-00-00-00-00
  <--packets:4 bytes:990   -->packets:5 bytes:1177
  10.100.47.5:1638 [172.16.18.163:1503]-->61.135.162.37:80

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:51
  Interface: Dialer0  NextHop: 61.135.162.37  MAC: 00-00-00-00-00-00
  <--packets:4 bytes:914   -->packets:5 bytes:1178
  10.100.47.5:1639 [172.16.18.163:1504]-->61.135.162.37:80

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:4
  Interface: Dialer0  NextHop: 61.135.162.37  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:2 bytes:88
  10.100.47.5:1641 [172.16.18.163:1505]-->61.135.162.37:80


3. After a NAT server is configured on the live network to perform one-to-one port mapping for the intranet IP addresses, the fault no longer occurs.

4. In USG2100 V300R001C00SPC700, the NAT port allocation mechanism in PAT mode hands out the available ports 2048 to 65535 one by one, so consecutive sessions receive consecutive translated source ports. It is suspected that the upstream TPLINK router treats packets carrying consecutive port numbers as attack packets and discards them. In USG2100 V300R001C00SPC900, the port translation mechanism is changed to preferentially keep a packet's original source port number; only if that port number is already in use does the USG2100 select a port number from the port pool in ascending order.

5. The fault is rectified after the USG2100 version is upgraded to V300R001C00SPC900.
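To make the difference between the two allocation behaviours concrete, the following Python model (an added example, not code from the article or from the USG2100) implements both strategies as described in step 4 and measures how long a run of consecutive translated ports each one produces. The sample flows are constructed: the port numbers and the second host 10.100.47.6 are assumptions, not values from the session table above.

```python
from dataclasses import dataclass, field

POOL_START, POOL_END = 2048, 65535   # PAT port pool described in the article


@dataclass
class PatAllocator:
    """Translated-port allocation for one public address.

    preserve=False: hand out pool ports 2048..65535 one by one (SPC700 behaviour).
    preserve=True:  keep the original source port when free, otherwise take the
                    lowest free pool port (SPC900 behaviour).
    """
    preserve: bool
    used: set = field(default_factory=set)
    cursor: int = POOL_START   # next candidate for the ascending pool scan

    def _lowest_free_pool_port(self) -> int:
        while self.cursor in self.used:
            self.cursor += 1
        if self.cursor > POOL_END:
            raise RuntimeError("PAT port pool exhausted")
        self.used.add(self.cursor)
        return self.cursor

    def translate(self, src_port: int) -> int:
        if self.preserve and src_port not in self.used:
            self.used.add(src_port)          # original port kept
            return src_port
        return self._lowest_free_pool_port()  # collision or sequential mode


def translate_sessions(preserve: bool, sessions) -> list:
    """sessions: (private_ip, private_port) pairs in arrival order -> translated ports."""
    nat = PatAllocator(preserve)
    return [nat.translate(port) for _, port in sessions]


def longest_consecutive_run(ports) -> int:
    """Longest run of translated ports that increase by exactly 1 in allocation order."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


# Constructed sample: three flows from one host and two from a second host,
# the last of which reuses a source port already taken by the first host.
SAMPLE = [("10.100.47.5", 1638), ("10.100.47.5", 1639), ("10.100.47.5", 1641),
          ("10.100.47.6", 40001), ("10.100.47.6", 1638)]

if __name__ == "__main__":
    for mode in (False, True):
        ports = translate_sessions(mode, SAMPLE)
        print("preserve" if mode else "sequential", ports, longest_consecutive_run(ports))
```

In sequential mode every flow, from whichever host, lands on the next pool port, so the whole sample becomes one run of five consecutive ports; with port preservation the hosts' own port pattern survives and the pool is touched only on the collision, which is the kind of difference to look for in the session table when an upstream device is suspected of rate-limiting or dropping translated flows.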
Root Cause
The upstream TPLINK device enforces a port-based limitation. As a result, intranet users whose traffic passes through the USG2100 with NAT PAT configured access the Internet slowly.
Solution
1. Upgrade the USG2100 version to V300R001C00SPC900.

2. If enough public IP addresses are available, use NO-PAT for address translation so that port numbers are not rewritten.

END