Troubleshooting Typical Faults Occurring When Centralized NAT Users Access the Internet
Introduction
This document provides troubleshooting flowcharts and step-by-step procedures for common faults that occur during NAT on a centralized network.
Prerequisites
This document applies to NE40E and ME60 series products running V800R010C00 or later.
Understanding Centralized NAT
NAT can be deployed in either centralized or distributed networking.
- Centralized NAT: This is an early NAT deployment mode. In this mode, a standalone NAT device performs NAT and is attached to a core router (CR) or broadband remote access server (BRAS).
- Distributed NAT: In this mode, NAT-capable service boards are installed on devices (for example, BRASs) to perform NAT.
Centralized NAT Workflow
NAT can be performed in either forward (private to public network) or reverse (public to private network) direction.
- Forward NAT:
  - After receiving a packet, a NAT device determines whether to perform forward NAT by matching the user packet against an ACL:
    - If the packet matches the ACL, the device diverts the packet to the NAT service board.
    - If the packet does not match the ACL, the device forwards the packet according to the regular forwarding process.
  - The packet is diverted to the NAT service board bound to a NAT instance for translation.
    When the first packet arrives at the NAT service board, the board selects a public IP address from an address pool bound to the NAT instance and a public port number from a port range bound to the instance. The public IP address and port number replace the source IP address and port number, respectively, in the user packet. The NAT board then creates a session table entry and matches subsequent packets of the flow against the session table.
  - After translation, the user packet is forwarded to the next hop according to the regular forwarding process.
- Reverse NAT:
  - After receiving a packet, a NAT device determines whether to perform reverse NAT by matching the user packet against a traffic diversion policy:
    - If the destination address in the packet matches a NAT address pool route in the FIB table, reverse NAT needs to be performed.
    - If the destination address in the packet matches a route of another type, the device forwards the packet according to the regular forwarding process.
  - The NAT device diverts the matching packet to a NAT service board.
    The NAT service board performs reverse translation on the user packet based on a NAT mapping entry. The destination public IP address and port number in the user packet are replaced with the private IP address and port number, respectively.
  - After reverse NAT is performed, the user packet is forwarded to the next hop according to the regular forwarding process.
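The forward and reverse workflow above as an added Python model; this is not NE40E code. ACL 3001 and the pool 11.1.1.1 to 11.1.1.5 are taken from the basic configuration on this page; the external host address, the round-robin pool selection and the single shared port counter are constructed simplifications.

```python
import ipaddress
from itertools import count

# Added model of the centralized NAT workflow (not NE40E code). ACL 3001 and the
# pool 11.1.1.1-11.1.1.5 come from the configuration on this page; round-robin
# pool selection and one shared port counter are simplifications assumed here.
ACL_3001 = [ipaddress.ip_network("192.168.10.0/24")]   # rule 1 permit ip source 192.168.10.0 0.0.0.255
POOL = [str(ipaddress.ip_address(i))
        for i in range(int(ipaddress.ip_address("11.1.1.1")),
                       int(ipaddress.ip_address("11.1.1.5")) + 1)]


class NatBoard:
    def __init__(self, acl, pool, port_start=1024):
        self.acl, self.pool = acl, pool
        self.ports = count(port_start)
        self.forward = {}   # (proto, sip, sport, dip, dport) -> (pub_ip, pub_port)
        self.reverse = {}   # (proto, ext_ip, ext_port, pub_ip, pub_port) -> (sip, sport)

    def matches_acl(self, sip):
        return any(ipaddress.ip_address(sip) in net for net in self.acl)

    def outbound(self, proto, sip, sport, dip, dport):
        """Forward NAT. A packet that misses the ACL is forwarded unchanged."""
        if not self.matches_acl(sip):
            return (proto, sip, sport, dip, dport)
        key = (proto, sip, sport, dip, dport)
        if key not in self.forward:
            # First packet of the flow: pick a public IP and port, create the session.
            pub_ip = self.pool[len(self.forward) % len(self.pool)]
            pub_port = next(self.ports)
            self.forward[key] = (pub_ip, pub_port)
            self.reverse[(proto, dip, dport, pub_ip, pub_port)] = (sip, sport)
        pub_ip, pub_port = self.forward[key]        # later packets hit the session table
        return (proto, pub_ip, pub_port, dip, dport)

    def inbound(self, proto, ext_ip, ext_port, pub_ip, pub_port):
        """Reverse NAT. Returns None when no mapping exists (the 'session cannot be found' case)."""
        priv = self.reverse.get((proto, ext_ip, ext_port, pub_ip, pub_port))
        if priv is None:
            return None
        return (proto, ext_ip, ext_port, priv[0], priv[1])
```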
Basic Configuration of Centralized NAT
The following example shows a centralized NAT configuration that uses an outbound-interface NAT traffic diversion policy:
license
active nat session-table size 6 slot 1 card 0
#
service-location 1
location slot 1 card 0
#
service-instance-group group1
service-location 1
#
nat instance nat1 id 1
service-instance-group group1
nat address-group address-group1 group-id 1 11.1.1.1 11.1.1.5
nat outbound 3001 address-group address-group1
#
acl number 3001
rule 1 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet 2/0/1
undo shutdown
ip address 1.2.3.4 255.255.255.0
nat bind acl 3001 instance nat1
#
Troubleshooting Flowchart for Common Faults
- Common Causes
- NAT service board resources are not allocated.
- The NAT configuration is incorrect, preventing NAT session creation.
- There is no route between the NAT gateway and external host.
- The ACL configuration is incorrect.
- An intranet host is unreachable from the NAT gateway.
- The application level gateway (ALG) function is disabled.
- Troubleshooting Procedure
Step 1: Check that resources are allocated to the service board.
Run the display nat session-table size command to check information about session table resources allocated to each service board. For example:
<HUAWEI> display nat session-table size
---------------------------------------------------------------------------
TotalSize :48 M    UsedSize :4 M    FreeSize :44 M
SlotID  CpuID      CurSessTblSize  CfgSessTblSize  ValidFlag
1       0(engine)  2 M             2 M             Valid
2       1(engine)  2 M             2 M             Valid
---------------------------------------------------------------------------
Table 1-1 Description of the display nat session-table size command output
Item            Description
TotalSize       Total number of session table resources
UsedSize        Total number of used session table resources
FreeSize        Total number of idle session table resources
SlotID          Slot ID of a service board
CurSessTblSize  Number of existing session table resources of a CPU
CfgSessTblSize  Number of session table resources configured for a CPU
ValidFlag       Flag bit of the session table resources:
                - Valid: The resources are available.
                - Invalid: The resources are unavailable.
If no resources are allocated to the service board or NAT is disabled, reconfigure the function. For details, see "Configuring the NAT Session Table and Bandwidth Resources" in HUAWEI NE40E Router Configuration Guide - NAT and IPv6 Transition Technology.
Step 2: Check that the NAT service has correct session or user information.
- Run the display nat session table command to check that a correct session has been created for the NAT service. For example:
<HUAWEI> display nat session table slot 1 engine 0
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 1 Engine: 0
Current total sessions: 1.
udp: 192.168.3.198:1234[1.1.1.2:2234]--> 11.11.11.11:1024
- If the protocol type, IP address, or port number displayed is incorrect, check the NAT service configuration. If this configuration is incorrect, reconfigure the NAT service. For details about how to configure NAT services, see "NAT Basic Configuration" in HUAWEI NE40E Router Configuration Guide - NAT and IPv6 Transition Technology.
- If the protocol type, IP address, and port number in the session information are correct, go to Step 3.
- Run the display nat user-information command to check information about online NAT users.
- If the IP address, port number, or session restriction displayed is incorrect, check the NAT service configuration. If this configuration is incorrect, reconfigure the NAT service. For details about how to configure NAT services, see "NAT Basic Configuration" in HUAWEI NE40E Router Configuration Guide - NAT and IPv6 Transition Technology.
- If the IP address, port number, and session restriction in the user information are correct, go to Step 3.
Step 3: Check whether the NAT device can reach the destination host on the external network.
Run the ping command to check reachability.
- If the ping fails, run the display ip routing-table command to view the current routing table. Check whether a correct route to the external network is configured on the device. If the route configuration is incorrect, determine whether to reconfigure the route:
- Check whether the external network address to be accessed by the intranet user is on a different network segment than the external network interface of the NAT device, and there is no available route from the device to the address to be accessed. In this case, configure a static route on the gateway so that the intranet packets can be forwarded through the correct interface after being translated by the device.
- If the external network address to be accessed by intranet users and the external network interface of the NAT device are on the same network segment, you do not need to configure a static route.
- If the NAT device can ping the external host, go to Step 4.
Step 4: Check that the route configuration of the intranet host is correct.
Run the display ip routing-table command to check whether a correct route is configured on the internal host so that packets sent to the external network can be forwarded to the NAT device. If the route configuration of the internal host is incorrect, reconfigure the route. Otherwise, go to Step 5.
Step 5: Collect the following information and contact Huawei technical support:
- Execution result of the preceding steps
- Configuration file, log information, and alarm information of the NAT device
Packet Loss Occurs After NAT Is Performed on the External Network
Fault Description
Packet loss occurs for many NAT users on an NE40E, while the traffic of a few NAT users is forwarded properly. For example, when DNS request packets are sent to the external network, the DNS server receives five packets before NAT translation is performed, but only one DNS packet after NAT translation is performed. Some packets are dropped.
Key Configuration
license
active nat session-table size 6 slot 1 engine 0
active nat bandwidth-enhance slot 1 engine 0
#
service-location 1
location slot 1 engine 0
#
service-instance-group 1
service-location 1
#
nat instance nat1 id 1
service-instance-group 1
nat address-group 1 group-id 1.1.1.1 1.1.1.15
nat outbound any address-group 1
nat session-limit total 65535
nat reverse-session-limit total 4096
nat alg all
nat filter mode full-cone
#
Troubleshooting Procedure
- Check the NAT user information during fault reproduction. The number of UDP sessions that can be created reaches a specified upper limit.
<HUAWEI> display nat user-information cpe ipv4 192.168.1.2
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 1 Engine: 0
Total number: 0.
---------------------------------------------------------------------------
CPE IP                                 : 192.168.1.2
VPN Instance                           : -
Public IP                              : 1.1.1.1
NoPAT Public IP                        : -
Start Port                             : 1024
Port Range                             : 0
Extend Port Alloc Times                : 0
Extend Port Alloc Number               : 0
First/Second/Third Extend Port Start   : 0/0/0
Total/TCP/UDP/ICMP Session Limit       : 65535/10240/10240/512
Total/TCP/UDP/ICMP Session Current     : 10240/0/10240/0
Total/TCP/UDP/ICMP Port Limit          : 0/0/0/0
Total/TCP/UDP/ICMP Port Current        : 10240/0/10240/0
Nat ALG Enable                         : ALL
---------------------------------------------------------------------------
- Check NAT packet statistics. The Limit on user-based UDP sessions field indicates that NAT packet loss occurs when the number of created UDP sessions reaches the upper limit.
<HUAWEI> display nat statistics discard slot 1 engine 0
This operation will take a few minutes. Press 'Ctrl+C' to break ...
Slot: 1 Engine: 0
---------------------------------------------------------------------------
Bufferring a fragment timed out                                         :1
The session cannot be found                                             :96333
Traffic limit when a packet is sent from data plan to management plane  :1
The session failed to be created:                                       :140895
The packet failed to be sent to the VRP                                 :1
IPV4 Buffering a fragment failed                                        :38
The policy for the NAT conversion cannot found                          :55
Limit on user-based UDP sessions                                        :110209
---------------------------------------------------------------------------
- Increase the per-user UDP session limit in the NAT instance. This solves the problem:
nat instance nat1 id 1
service-instance-group 1
nat address-group 1 group-id 1.1.1.1 1.1.1.15
nat outbound any address-group 1
nat session-limit udp 65535
nat session-limit total 65535
nat reverse-session-limit total 4096
nat alg all
nat filter mode full-cone
#
Summary
The total NAT session limit was increased (nat session-limit total 65535), whereas the UDP session limit was left unchanged at its default of 10240 per user. As a result, the number of UDP connections exceeded the default upper limit of 10240, and further UDP sessions were dropped.
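The check performed in the two troubleshooting steps above, as an added Python script that is not Huawei tooling: it parses the display nat user-information and display nat statistics discard output, reports which per-user session limit is exhausted and pairs it with the matching discard counter. The sample texts are constructed from the values shown in this case, not captured from a live device; treating a limit of 0 as not configured is an assumption.

```python
import re

# Added check (not Huawei tooling). Constructed copies of the two command outputs
# shown in this case, with the values from the case, not a live capture.
USER_INFO = """\
Total/TCP/UDP/ICMP Session Limit   : 65535/10240/10240/512
Total/TCP/UDP/ICMP Session Current : 10240/0/10240/0
"""
DISCARD_STATS = """\
The session cannot be found                    :96333
The session failed to be created:              :140895
Limit on user-based UDP sessions               :110209
"""
PROTOS = ["Total", "TCP", "UDP", "ICMP"]


def parse_session_usage(text):
    """Return {proto: (current, limit)} from display nat user-information output."""
    found = {}
    for line in text.splitlines():
        m = re.search(r"Session (Limit|Current)\s*:\s*([\d/]+)", line)
        if m:
            found[m.group(1)] = [int(v) for v in m.group(2).split("/")]
    if len(found) != 2:
        raise ValueError("Session Limit/Current lines not found")
    return dict(zip(PROTOS, zip(found["Current"], found["Limit"])))


def parse_discards(text):
    """Return {counter name: count} from display nat statistics discard output."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1).rstrip(":").strip()] = int(m.group(2))
    return counters


def diagnose(user_text, discard_text):
    """List (proto, current, limit, discards) for each exhausted per-user session limit."""
    usage = parse_session_usage(user_text)
    drops = parse_discards(discard_text)
    findings = []
    for proto, (cur, lim) in usage.items():
        if lim and cur >= lim:   # assumption: a limit of 0 means not configured
            key = f"Limit on user-based {proto} sessions"
            findings.append((proto, cur, lim, drops.get(key, 0)))
    return findings
```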
An Attempt to Access a Web Page Fails After NAT
Fault Description
A NAT service board is installed on an NE40E at a site for users to access the Internet. Due to service growth, IP addresses need to be added to a user address pool. Before the modification, each user address pool contains one IP address with a 32-bit mask, each user's internal address segment corresponds to a specific address pool on the NAT device, and users can access the Internet. The modification consists of deleting the original user address pool, creating a new one, and adding to it a network segment with a 27-bit mask; the new address pool contains the address used before the modification. After the modification, users can properly access the Internet, and the number of NAT sessions and the consumed interface bandwidth do not change significantly. After a period of time, however, some users cannot access the Internet until they change their IP addresses. No alarm is generated on the NAT device.
Troubleshooting Procedure
- Check whether users could properly access the Internet before the modification. If they could, hardware faults of the NAT device are ruled out.
- Changing the user's private IP address restores network access, indicating that the NAT service configuration is correct.
- Check whether an IP address conflict has occurred. The NIC of the user's computer is disabled, and the computer is rebooted. The computer does not display a message indicating that a duplicate IP address has been detected. Therefore, user IP address conflict is ruled out.
- Run the display nat session table command on the NE40E to check information about NAT session entries. The command output shows a few sessions, and the session entries correspond to fixed addresses in the address pool.
- Check whether these fixed IP addresses are contained in the address pool that was used before the modification. Run the display ip routing-table command to check the static routes with 32-bit masks in the routing table. Their next hops point to Null 0, indicating blackhole routes. Delete these blackhole routes and check whether users can access the Internet.
Summary
- Before the modification, a blackhole route is configured on the NAT device. In this route, the destination address is an IP address contained in an address pool, and the next hop points to Null 0. The address segment in the address pool matches the blackhole route. After the modification, the address segment of the new address pool includes the address segment of the original address pool. The blackhole route with the 32-bit mask configured before the modification is more specific than the 27-bit address pool route, so longest-prefix matching selects the blackhole route for packets destined for that address. As a result, a packet matching the blackhole route cannot be translated reversely, and the user cannot access the Internet. After the blackhole route is deleted, reverse NAT for traffic sent from the public network to the private network recovers.
- Redundant configurations on the NAT device may cause faults. In this case, delete the redundant configurations.
- Data configuration must be performed according to a specific deployment guide.
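The route interaction behind this fault, as an added Python model that is not NE40E code: a longest-prefix-match lookup over a FIB holding the new 27-bit pool route and a stale 32-bit Null 0 route, showing that the blackhole route wins for that one address and reverse NAT is not triggered until it is deleted. The addresses (203.0.113.0/27 for the pool, 203.0.113.5/32 for the blackhole route) are placeholders, and the route-type labels are constructed.

```python
import ipaddress

# Added model of the route interaction in this case (not NE40E code). Placeholder
# addresses: 203.0.113.0/27 stands for the new 27-bit address pool and
# 203.0.113.5/32 for a stale blackhole route left from the original /32 pool.
NAT_POOL, BLACKHOLE = "nat-pool", "Null0"
FIB = [
    (ipaddress.ip_network("203.0.113.0/27"), NAT_POOL),
    (ipaddress.ip_network("203.0.113.5/32"), BLACKHOLE),
]


def lookup(fib, dst):
    """Longest-prefix match: the most specific route wins, as in a real FIB."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in fib if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def needs_reverse_nat(fib, dst):
    """Reverse NAT is triggered only when the matched route is the NAT pool route."""
    hit = lookup(fib, dst)
    return hit is not None and hit[1] == NAT_POOL


def shadowed_pool_addresses(fib):
    """Null0 routes more specific than a pool route: they capture pool traffic first."""
    pools = [net for net, nh in fib if nh == NAT_POOL]
    return sorted(str(net) for net, nh in fib
                  if nh == BLACKHOLE and any(net.subnet_of(p) for p in pools))


def without_blackholes(fib):
    """The FIB after the stale blackhole routes have been deleted."""
    return [(net, nh) for net, nh in fib if nh != BLACKHOLE]
```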
Related Information
For more information about the NAT service and how to configure it, see NE40E V800R011C00SPC200 Product Documentation.