...
|
N/A = Means that count is not applicable in this direction
OK = Means that count is applicable in this direction
Unable to translate packet: | In | Out | Comment |
|---|---|---|---|
Subscriber address did not match a CGNAT policy | N/A | OK | Subscriber address did not match a CGNAT policy |
Packet did not match a CGNAT session | OK | N/A | Inbound pkts that do not match a CGNAT session and whose dest addr does match a CGNAT policy. These are dropped. |
Destination address did not match CGNAT pool | OK | N/A | Inbound pkts that do not match a CGNAT session and whose dest addr does not match a CGNAT policy. These are forwarded untranslated. |
CGNAT bypassed by SNAT-ALG packets | N/A | OK | Pkt do not match a CGNAT session and does not match a CGNAT policy and SNAT is cfgd and pkt matches an ALG session or tuple. Pkt is forwarded unchanged. |
Untranslatable IP protocol | OK | OK | Protocol is not one of the following: TCP, UDP, UDP-lite, DCCP or ICMP |
Untranslatable ICMP message | OK | OK | ICMP type is not one of: echo-req, echo-reply, dest unreach, redirect, time-exceeded, or parameter-problem |
Resource limitations: | |||
Subscriber port-block limit | N/A | OK | CGNAT policy config contains the max number of port-blocks that anyone subscriber may use at any one time. Once this is reached, further mapping requests will fail, and this count will increment. |
No free port-blocks on the selected public address | N/A | OK | Counts mapping failures that occur when a subscriber is within his port-block limit but there are no free port-blocks on the paired public address. This can occur when 1. the max port-blocks per subscriber and port-block size equate to more than 64512 ports, or 2. More than one subscriber is using the same public address, which will occur if there are totally unused public addresses. |
No free public addresses in NAT pool | N/A | OK | All port-blocks on all public addresses are in use. This only affects new subscribers, i.e. subscribers that do not already have a paired public address. |
Subscriber table full | N/A | OK | Affects new subscribers. The size of the subscriber hash table is configurable. Default is 64k. |
Session table full | N/A | OK | Max number of main sessions (tuple is: source/subscriber addr, source port, and protocol aka 3-tuple session). The size of the session table is configurable. Default is 32m. |
Dest session table full | N/A | OK | Max number of destination records, or sub-sessions, per main session. Configurable. Default is 64. The tuple is a destination address and port. |
Memory allocation failures: | Note that there can be a delay between a chunk of memory no longer being visible in a show output and the memory for that chunk actually being freed. Background garbage collectors and RCU callbacks mean this delay can be in the order of tens of seconds. | ||
Failed to allocate session | N/A | OK | |
Failed to allocate destination session | N/A | OK | |
Failed to allocate port block | N/A | OK | |
Failed to allocate public address | N/A | OK | |
Failed to allocate subscriber address | N/A | OK | |
Thread contention errors: | |||
Lost race to insert session into table | N/A | OK | This occurs if two forwarding threads both try and create an identical session (src addr, src port, and protocol) at the same time. The first to be added to the session table 'wins' the race. The losing thread will drop the packet and release the mapping it had previously obtained. |
Lost race to insert destination session into table | N/A | OK | This occurs if two forwarding threads both try and create an identical sub-session (dest addr, dest port) on the same main session at the same time. The first to be added to the sub-session table 'wins' the race. The losing thread will drop the packet. |
Public address destroyed while waiting for lock | N/A | N/A | No longer applicable. |
Subscriber address destroyed while waiting for lock | N/A | OK | This may occur if two forwarding threads try and create new mappings for the same subscriber while at the same time the subscriber table is being cleared. This is unlikely ever to occur. |
Packet buffer errors: | |||
IP header not available in message buffer | OK | OK | Pkt does not contain all of the IP header. (Note that the system reassembles IP fragments before CGNAT sees the pkt). |
L4 header not available in message buffer | OK | OK | Pkt does not contain all of the layer 4 header (e.g. TCP, UDP etc.). This can also apply to pkts embedded within ICMP error messages. i.e. we will attempt to translate any such embedded pkts if there is enough of the pkt to allow us to do so. |
Prepare message buffer for header change failed | OK | OK | It is possible for the system to receive a pkt into multiple pkt buffers. CGNAT will detect this and attempt to coalesce these such that the l3 and l4 headers are in the same pkt buffer. If this fails then the pkt is dropped. This typically happens when there are no pkt buffers in the buffer pool. |
Cannot advance beyond end of message buffer | N/A | N/A | No longer applicable. |
PCP errors: | In/Out direction is meaningless for PCP. We store any errors in the 'Out' counter for convenience. | ||
PCP invalid or missing argument | N/A | OK | |
PCP public address and port not available | N/A | OK | |
Other: | |||
ICMP Echo Request for CGNAT public address | OK | N/A | An ICMP echo request has been sent to a CGNAT public address, and no CGNAT session exists for that flow. Reply with an ICMP echo-reply and drop the request pkt. This is not actually an error. No translation takes place. |
Unknown | Should never occur. |
show nat pool
|
...