Hi,

If my calculations were correct you might not have enough public IP space for this. Increasing the port-limit is not going to help here, as the contention is on the number of ports a single public IP can open.
kind regards
Pshem

On Sun, 24 Apr 2016 at 23:51 Mohammad Khalil <eng_m...@hotmail.com> wrote:

> Hi
> I have increased the portlimit to 6144, but the drops are still in place.
> The drops are not the same as before, but increasing.
>
> BR,
> ------------------------------
> From: eng_m...@hotmail.com
> To: pshe...@gmail.com; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] ASR9K VSM
> Date: Wed, 13 Apr 2016 14:24:28 +0300
>
> Hi
> The last suggestion I got from Cisco TAC is to increase the portlimit value and do a comparison to check the behavior.
>
> BR,
> Mohammad
>
> ------------------------------
> From: pshe...@gmail.com
> Date: Mon, 28 Mar 2016 09:32:25 +0000
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_m...@hotmail.com; cisco-nsp@puck.nether.net
>
> Looking at the number of subscribers you have there (~300k) and the fact that you have 2 x /21 allocated for public space - that means about 70 subscribers per public IP address. This feels a little bit on the high side, even for mobile traffic. Since all sessions belonging to a given private IP address must be mapped to the same public IP address it's likely that you're running out of ports on public IP addresses (as there are only ~65k ports x 2 (UDP+TCP)). I'd suggest increasing the public pool sizes and checking the stats again.
>
> kind regards
> Pshem
>
> On Mon, 28 Mar 2016 at 22:11 Mohammad Khalil <eng_m...@hotmail.com> wrote:
>
> RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
>
> Statistics summary of NAT44 instance: 'nat1'
> Number of active translations: 3993473
> Number of sessions: 100482
> Translations create rate: 18464
> Translations delete rate: 16367
> Inside to outside forward rate: 523403
> Outside to inside forward rate: 755919
> Inside to outside drops port limit exceeded: 481732
> Inside to outside drops system limit reached: 0
> Inside to outside drops resource depletion: 0
> No translation entry drops: 28976704
> PPTP active tunnels: 2
> PPTP active channels: 2
> PPTP ctrl message drops: 2
> Number of subscribers: 309101
> Drops due to session db limit exceeded: 0
> Drops due to source ip not configured: 0
>
> Pool address totally free: 0
> Pool address used: 4096
> Pool address usage:
>
> ------------------------------
> From: pshe...@gmail.com
> Date: Mon, 28 Mar 2016 09:06:19 +0000
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_m...@hotmail.com; cisco-nsp@puck.nether.net
>
> How many active subscribers (inside IPs) do you have per one outside IP?
>
> For example in one of the installations I worked on we used 16 active subscribers per outside IP (4096 ports per subscriber).
>
> kind regards
> Pshem
>
> On Mon, 28 Mar 2016 at 22:03 Mohammad Khalil <eng_m...@hotmail.com> wrote:
>
> Hi
> Can you clarify for me more in order to be precise
> ------------------------------
> From: pshe...@gmail.com
> Date: Mon, 28 Mar 2016 09:00:30 +0000
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_m...@hotmail.com; cisco-nsp@puck.nether.net
>
> Hi,
>
> What's your inside IP/outside IP ratio?
>
> kind regards
> Pshem
>
> On Mon, 28 Mar 2016 at 21:44 Mohammad Khalil <eng_m...@hotmail.com> wrote:
>
> Hi Pshem
> Thanks for the reply, please check my configuration below
>
> vrf OUTSIDE
>  address-family ipv4 unicast
>
> vrf INSIDE-1
>  address-family ipv4 unicast
>
> vrf INSIDE-2
>  address-family ipv4 unicast
>
> hw-module service cgn location 0/1/CPU0
>
> interface TenGigE0/0/1/1
>  mtu 9216
>  load-interval 30
>
> interface TenGigE0/0/1/1.900
>  description ## VLAN 900 SUBINTERFACE ##
>  vrf INSIDE-1
>  ipv4 address 172.20.60.130 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 900
>
> interface TenGigE0/0/1/1.902
>  description ## VLAN 902 SUBINTERFACE ##
>  vrf INSIDE-2
>  ipv4 address 172.20.60.146 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 902
>
> interface TenGigE0/0/1/2
>  mtu 9216
>  load-interval 30
>
> interface TenGigE0/0/1/2.901
>  description ## VLAN 901 SUBINTERFACE ##
>  vrf INSIDE-1
>  ipv4 address 172.20.60.138 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 901
>
> interface TenGigE0/0/1/2.903
>  description ## VLAN 903 SUBINTERFACE ##
>  vrf INSIDE-2
>  ipv4 address 172.20.60.154 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 903
>
> interface ServiceApp1
>  vrf INSIDE-1
>  ipv4 address 1.1.1.1 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp2
>  ipv4 address 2.2.2.2 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp3
>  vrf INSIDE-2
>  ipv4 address 30.30.30.30 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp4
>  ipv4 address 4.4.4.2 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceInfra1
>  ipv4 address 10.99.99.2 255.255.255.0
>  service-location 0/1/CPU0
>
> router static
>  address-family ipv4 unicast
>   x.x.x.x/21 ServiceApp2
>   y.y.y.y/21 ServiceApp4
>
>  vrf INSIDE-1
>   address-family ipv4 unicast
>    0.0.0.0/0 172.20.60.131 50
>    0.0.0.0/0 ServiceApp1
>    10.4.160.0/28 172.20.60.132
>    10.5.0.0/17 172.20.60.132
>    10.5.128.0/17 172.20.60.132
>    10.13.0.0/17 172.20.60.132
>    10.13.128.0/17 172.20.60.132
>    10.14.0.0/17 172.20.60.132
>    10.14.128.0/17 172.20.60.132
>    10.16.0.0/17 172.20.60.132
>    10.16.128.0/17 172.20.60.132
>    10.21.0.0/17 172.20.60.132
>    10.21.128.0/17 172.20.60.132
>    10.23.0.0/17 172.20.60.132
>    10.23.128.0/17 172.20.60.132
>    10.25.0.0/17 172.20.60.132
>    10.25.128.0/17 172.20.60.132
>    10.55.0.0/27 172.20.60.132
>    10.128.0.0/16 172.20.60.132
>    10.129.0.0/16 172.20.60.132
>    10.130.0.0/16 172.20.60.132
>    10.131.0.0/16 172.20.60.132
>    10.132.0.0/16 172.20.60.132
>    10.133.0.0/16 172.20.60.132
>    10.134.0.0/16 172.20.60.132
>    10.135.0.0/16 172.20.60.132
>    10.136.0.0/16 172.20.60.132
>    10.137.0.0/16 172.20.60.132
>    10.138.0.0/17 172.20.60.132
>    172.17.56.0/29 172.20.60.132
>
>  vrf INSIDE-2
>   address-family ipv4 unicast
>    0.0.0.0/0 172.20.60.147 50
>    0.0.0.0/0 ServiceApp3
>    10.11.0.0/18 172.20.60.148
>    10.11.64.0/20 172.20.60.148
>    10.11.80.0/20 172.20.60.148
>    10.11.96.0/19 172.20.60.148
>    10.11.128.0/17 172.20.60.148
>    10.138.128.0/17 172.20.60.148
>    10.140.0.0/16 172.20.60.148
>    10.141.0.0/16 172.20.60.148
>    10.142.0.0/16 172.20.60.148
>    10.143.0.0/16 172.20.60.148
>    10.144.0.0/16 172.20.60.148
>    10.145.0.0/16 172.20.60.148
>    10.146.0.0/16 172.20.60.148
>    10.147.0.0/16 172.20.60.148
>    10.152.0.0/16 172.20.60.148
>
> service cgn cgn1
>  service-location preferred-active 0/1/CPU0
>  service-type nat44 nat1
>   portlimit 2048
>   alg ActiveFTP
>   alg rtsp server-port 10000
>   alg pptpAlg
>   inside-vrf INSIDE-1
>    map outsideServiceApp ServiceApp2 address-pool x.x.x.x/21
>
>   inside-vrf INSIDE-2
>    map outsideServiceApp ServiceApp4 address-pool y.y.y.y/21
>
>   protocol udp
>    session initial timeout 30
>    session active timeout 100
>
>   protocol tcp
>    session initial timeout 120
>    session active timeout 900
>
>   protocol icmp
>    timeout 60
>
>   refresh-direction Outbound
>
> BR,
> Mohammad
> ------------------------------
> From: pshe...@gmail.com
> Date: Mon, 28 Mar 2016 08:28:46 +0000
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_m...@hotmail.com; cisco-nsp@puck.nether.net
>
> Hi,
>
> The card is capable of 60mil translations, but you have to 'partition' your traffic into at least 2 ServiceApp interface pairs (4 ServiceApp interfaces total).
>
> The port drops mean that the 'inside' IP/ports couldn't be mapped because there are not enough ports left on a given public IP. Do you do block allocations? How many inside IPs per one outside IP? If these drops are increasing quickly it means that your customers are most likely having issues accessing the internet. The number of ports will be generally specific to your customer base (for example a setup for mobile tends to be able to get away with fewer ports than customers on fibre access).
>
> No translation drops are generally harmless - these are things like port scans across your ranges, packets received past time-outs for given protocols, etc.
>
> kind regards
> Pshem
>
> On Sun, 27 Mar 2016 at 20:45 Mohammad Khalil <eng_m...@hotmail.com> wrote:
>
> Dears
> I have installed VSM on ASR9K for NAT44 CGN
> I can see a lot of drops in the output of show cgn nat44 nat1 statistics
>
> RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
>
> Statistics summary of NAT44 instance: 'nat1'
> Number of active translations: 4079397
> Inside to outside drops port limit exceeded: 155093
> No translation entry drops: 1617189
>
> I have some questions regarding this if you can assist
>
> One of the experts told me that the number of active translations is 4M (it can be seen from the above output that the number is like that), is this number per module? per service? can I configure extra to isolate this?
> inside to outside drops?
> portlimit drops? I have configured it to be 2048, should I increase it?
> 2048 means for each private IP address there are 2048 available?
>
> Thanks in advance
>
> BR,
> Mohammad
>
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
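Pshem's arithmetic in the thread (about 300k subscribers over 2 x /21, i.e. 4096 public IPs, each with ~65k ports per transport protocol) as an added Python example that is not part of the thread or of any Cisco tooling. It parses the counters from the quoted `show cgn nat44 nat1 statistics` output and reports how many ports a subscriber is actually guaranteed and how many public IPs a given portlimit would need; treating ports 0-1023 as never allocated is my assumption.

```python
import math
import re

# Sample input: the counters Mohammad pasted in the thread for
# "show cgn nat44 nat1 statistics" (only the lines this script reads).
SAMPLE_STATS = """\
Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 3993473
Inside to outside drops port limit exceeded: 481732
No translation entry drops: 28976704
Number of subscribers: 309101
Pool address totally free: 0
Pool address used: 4096
"""

# Assumption: ports 0-1023 are never allocated, so about 64.5k usable
# ports per public IP per transport protocol (TCP and UDP are separate).
USABLE_PORTS_PER_PROTOCOL = 65536 - 1024


def parse_cgn_stats(text):
    """Collect every 'Label: <integer>' line of the show output into a dict."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?):\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def port_capacity(stats, portlimit):
    """Check whether the configured portlimit fits the public pool: every
    inside IP is pinned to one public IP, so the subscribers sharing that
    public IP compete for its ~64k ports per protocol."""
    subs = stats["Number of subscribers"]
    public_ips = stats["Pool address used"] + stats["Pool address totally free"]
    subs_per_ip = subs / public_ips
    # Ports each subscriber can count on when all of them on the IP are busy.
    guaranteed = USABLE_PORTS_PER_PROTOCOL // math.ceil(subs_per_ip)
    # Public IPs needed for every subscriber to be able to reach portlimit.
    needed = math.ceil(subs * portlimit / USABLE_PORTS_PER_PROTOCOL)
    return {
        "subs_per_ip": subs_per_ip,
        "guaranteed_ports": guaranteed,
        "portlimit_honoured": portlimit <= guaranteed,
        "public_ips_needed": needed,
    }


if __name__ == "__main__":
    stats = parse_cgn_stats(SAMPLE_STATS)
    for limit in (2048, 6144):  # the two values tried in the thread
        print(limit, port_capacity(stats, limit))
```

With the thread's figures each subscriber can only be guaranteed 848 ports per protocol, so neither portlimit 2048 nor 6144 can be honoured for everyone, which is why raising the limit does not move the drop counter.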