3. Status

3.1. State

To review the CG-NAT state, use the following command.

vrouter> show state / vrf main cg-nat
cg-nat
 enabled true
 pool mypool
     address 32.96.119.0-32.96.119.255
     block-size 256
     port-range 1024 65535
     ..
 rule 1
     match
         source
             address 100.64.0.0/10
             ..
         outbound-interface wan
         ..
     translate-to
         pool-name mypool
         max-blocks-per-user 2
         active-block-timeout 0
         user-timeout 180
         port-algo random
         endpoint-mapping dependent
         endpoint-filtering dependent
         hairpinning false
         ..
     ..
 options
     conntrack
         behavior tcp-window-check enabled true
         behavior tcp-rst-strict-order enabled true
         timeouts
             icmp closed 0
             icmp new 30
             icmp established 60
             udp closed 0
             udp new 30
             udp established 120
             gre-pptp closed 0
             gre-pptp new 600
             gre-pptp established 18000
             tcp syn-sent 30
             tcp simsyn-sent 30
             tcp syn-received 60
             tcp established 7440
             tcp fin-sent 120
             tcp fin-received 120
             tcp close-wait 60
             tcp fin-wait 120
             tcp last-ack 30
             tcp time-wait 120
             tcp closed 10
             ..
         ..
     ..
 logging
     enabled false
     ..
 ..

3.2. Statistics

To display the CG-NAT statistics, use the following command.

vrouter> show cg-nat statistics
Packets passed:
        0 default pass
        33317355 ruleset pass
        260836153 state pass
Packets blocked:
        0 default block
        0 ruleset block
Hairpining Stats:
        0 hairpin packets
        0 loop-hairpin drop
        0 self-hairpin drop
State and NAT entries:
        33077173 state allocations
        0 state reverse
        39496338 state destructions
        0 state allocation failures
        9726101 NAT entry allocations
        13127681 NAT entry destructions
        0 NAT entry allocation failures
        0 NAT port allocation failures
CGNat entries:
        0 USER allocations
        20000 USER destructions
        0 USER allocation failures
        120000 Block allocations
        180000 Block destructions
        0 Block allocation failures
        0 No IP Public
        0 Full IP Public
NAT64 Stats:
        0 udp null checksum packet drops
Invalid packet state cases:
        1310 cases in total
        1310 TCP case invalid first packet
        0 TCP case RST
        1310 TCP case invalid transition
        0 TCP case I
        0 TCP case II
        0 TCP case III
Packet race cases:
        0 USER association race
        0 USER creation race
        0 NAT association race
        0 duplicate state race

When the vRouter processes traffic properly, the state, NAT entry, block and user allocation statistics increase.

3.3. Listing users

To list the current users of the CG-NAT, use the following command.

vrouter> show cg-nat user rule-id 1
100.64.0.1 -> 32.96.119.54
        1/2 tcp blocks, 0/2 udp blocks, 0/2 icmp blocks, 0/2 gre blocks
        0 no port errors, 0 no block errors, 0 full public ip errors

For each user, the output shows how many port blocks are in use for each protocol, along with the user's error counters.

The different possible errors are:

  • no port: A new session has been rejected because no ports were available in the active block.

  • no block: A new session has been rejected because no blocks are available in the block memory pool.

  • full public IP: A new session has been rejected because the public IP allocated to this user doesn’t have any more blocks available.