Part of NAT Users under NE40 Fail to Access Network Because of Redundant Route
Publication Date: 2012-07-27
The NE40 at a site runs VRP3.10-0426sp3 and has one NAT board added so that VIP customers can access the Internet. Before the reconstruction, each address pool contained one IP address with a 32-bit mask, different network segments inside a VIP customer used different IP address pools, and users could access the network normally. As services grew, IP addresses needed to be added to the address pool: the original address pool was deleted first, and then a new pool was created containing a network segment with a 27-bit mask (which includes the addresses in the original IP address pool). After the configuration change, users could access the network normally in testing, and the number of NAT sessions and the traffic at the interface were equal to those before the change. After a while, some individual users reported that they could not access the network, and the problem was solved by changing their IP addresses.
Users could access the network before the configuration change, so the equipment is normal. Changing the address of a failed user's computer to another address lets the user access the network, indicating that the configuration is normal. An IP address conflict was suspected. Disabling and then enabling the network card of the computer, and resetting it, produced no prompt about conflicting IP addresses, so the IP address on the user side is normal. Checking the NAT sessions on the NE40 showed that the failed users had few sessions, and most of them were in synchronization; also, the session entries were mapped to fixed addresses in the address pool. Moreover, these fixed IP addresses were the ones in the original address pool; checking the routing table showed static routes to them with a 32-bit mask whose next hop points to Null0. After these black hole routes were deleted, the users could access the network.

Additionally, NAT needs a black hole route whose destination network segment is the address segment of the address pool and whose next hop is Null0. The address segment in the address pool must match the black hole route completely. Because the address segment in the new address pool includes the original address segment, the original black hole route with the 32-bit mask is matched first, resulting in failure of reverse NAT for those addresses, or even in all users being unable to access the network. NAT is restored after the routes are deleted.
1. IP addresses of users conflict.
2. NAT is configured incorrectly.
When configuring NAT, the address segment in the address pool must have a matching black hole route in the routing table. Configuration must follow the deployment guide strictly. Redundant or idle configurations may cause problems, so they must be deleted promptly.
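The check described above can be run offline against an exported list of pool segments and Null0 static routes. The following is an added example, not part of the original case and not Huawei tooling; the function names are hypothetical, the addresses are constructed sample values from documentation ranges, and IPv4 is assumed.

```python
import ipaddress

# Constructed sample data: one pool widened to a /27, one pool with no route,
# and leftover /32 Null0 routes from the old single-address pools.
POOLS = ["203.0.113.32/27", "198.51.100.8/29"]
ROUTES = ["203.0.113.32/27", "203.0.113.40/32", "203.0.113.41/32", "192.0.2.1/32"]


def longest_match(address, routes):
    """Return the most specific route covering address, or None."""
    addr = ipaddress.ip_address(address)
    covering = [n for n in map(ipaddress.ip_network, routes) if addr in n]
    return str(max(covering, key=lambda n: n.prefixlen)) if covering else None


def audit_blackhole_routes(pools, blackhole_routes):
    """Compare NAT pool segments with Null0 static routes.

    Returns (stale, missing):
      stale   - routes inside a pool segment but more specific than it,
                which win longest-prefix match over the pool's own route
      missing - pool segments with no exactly matching black hole route
    """
    pool_nets = [ipaddress.ip_network(p) for p in pools]
    route_nets = [ipaddress.ip_network(r) for r in blackhole_routes]
    stale = sorted(
        r for r in route_nets
        if any(r != p and r.subnet_of(p) for p in pool_nets)
    )
    missing = sorted(p for p in pool_nets if p not in route_nets)
    return [str(n) for n in stale], [str(n) for n in missing]


if __name__ == "__main__":
    stale, missing = audit_blackhole_routes(POOLS, ROUTES)
    print("stale routes to delete:", stale)
    print("pools lacking an exact route:", missing)
    # An address from the old pool still resolves to its leftover /32 route.
    print("203.0.113.40 matches", longest_match("203.0.113.40", ROUTES))
```

Routes outside every pool segment, such as `192.0.2.1/32` in the sample, are left alone because they may serve another purpose.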