26.3. NAT diagnostics and statistics

26.3.1. NAT diagnostics

To display the diagnostics of the NAT resource, use one of the following commands:

d d nat / d de nat

Shows diagnostic information: the state of the resource, the current number of translations in the NAT table (CUR), the highest number of translations reached since start-up (PEAK) and the maximum number of translations the table can hold (MAX, which corresponds to the dimtable parameter). The LINKS% row expresses CUR and PEAK as a percentage of MAX.

[18:06:40] ABILIS_CPX:d d nat

RES:Nat -----------------------------------------------------------------------
       Network_Address_Translator                                              
       STATE:READY
       -----------|--- CUR ---|-- PEAK ---|--- MAX ---|
       LINKS      |         45|        285|       5000|
       LINKS%     |         1%|         6%|           |
       ------------------------------------------------

26.3.2. NAT statistics

In case of trouble, this command helps to understand what is happening:

[18:06:40] ABILIS_CPX:d s nat

RES:Nat -----------------------------------------------------------------------
       Network_Address_Translator                                              
       --- Cleared 25 days 08:50:44 ago, on 03/08/2017 at 07:25:50 ------------
       REQ:1373022674        SUCCESS:253343611     IGNORED:1119596154
       OVERFLOW:0            TCP-RST:88376         ERROR:0         
       FTP-OVR:0             DNS-OVR:0             SNMP-MF:0
       FTP-BCT:0             DNS-EF:0              PPTP-MT:0
       ------------------------------------------------------------------------
       -----------|---INSIDE--|--OUTSIDE--|----VPN----|----DMZ----|
       BLOCKED-MIL|          0|          0|          0|          0|
       ------------------------------------------------------------------------
       ICMP-ERR   |          0|          0|          0|          0|
       TCP-ERR    |          0|          0|          0|          0|
       UDP-ERR    |          0|          0|          0|          0|
       ------------------------------------------------------------------------
       ICMP-SRC   |     183900|          6|          0|          0|
       ICMP-DST   |         34|     335147|          0|          0|
       TCP-SRC    |   70718827|    4403650|          0|          0| 
       TCP-DST    |    5813793|   96884983|          0|          0|
       UDP-SRC    |   30573560|          0|          0|          0|
       UDP-DST    |          0|   44428585|          0|          0|
       GRE-SRC    |          0|          0|          0|          0|
       GRE-DST    |          0|          0|          0|          0|
       OTHERS-SRC |       1126|          0|          0|          0|
       OTHERS-DST |          0|          0|          0|          0|
       ------------------------------------------------------------------------
       ONATDISCARD|          0|         25|          0|          0|
       ------------------------------------------------------------------------
       FRAG-ID:0                   FRAG-POINTER:0         
       FRAG-UNRESOLVED:2361        FRAG-HEADER-FOUND:2378      
       ------------------------------------------------------------------------

With reference to the interval shown («Cleared 25 days 08:50:44 ago»), these counters give the number of:

REQ                 All NAT requests.
SUCCESS             Successful requests.
IGNORED             Requests ignored because no matching translation was found.
OVERFLOW            Unsuccessful requests because of table overflow.
TCP-RST             TCP resets.
ERROR               Unsuccessful requests because of a generic error.
FTP-OVR             FTP buffer overflows.
DNS-OVR             DNS buffer overflows.
SNMP-MF             SNMP missing field during ALG mode.
FTP-BCT             FTP errors when trying to add an FTP translation into the dynamic table.
DNS-EF              DNS error field during ALG mode.
PPTP-MT             PPTP missing translation during ALG mode.
BLOCKED-MIL         Unsuccessful INSIDE/OUTSIDE/VPN/DMZ requests due to filter blocking.
ICMP-ERR            ICMP unsuccessful requests because of wrong checksum.
TCP-ERR             TCP unsuccessful requests because of wrong checksum.
UDP-ERR             UDP unsuccessful requests because of wrong checksum.
ICMP-SRC            INSIDE/OUTSIDE/VPN/DMZ source field translations for ICMP packets.
ICMP-DST            INSIDE/OUTSIDE/VPN/DMZ destination field translations for ICMP packets.
TCP-SRC             INSIDE/OUTSIDE/VPN/DMZ source field translations for TCP packets.
TCP-DST             INSIDE/OUTSIDE/VPN/DMZ destination field translations for TCP packets.
UDP-SRC             INSIDE/OUTSIDE/VPN/DMZ source field translations for UDP packets.
UDP-DST             INSIDE/OUTSIDE/VPN/DMZ destination field translations for UDP packets.
GRE-SRC             INSIDE/OUTSIDE/VPN/DMZ source field translations for GRE packets.
GRE-DST             INSIDE/OUTSIDE/VPN/DMZ destination field translations for GRE packets.
OTHERS-SRC          INSIDE/OUTSIDE/VPN/DMZ source field translations for the remaining protocols.
OTHERS-DST          INSIDE/OUTSIDE/VPN/DMZ destination field translations for the remaining protocols.
ONATDISCARD         INSIDE/OUTSIDE/VPN/DMZ packets discarded by the ONAT filter.
FRAG-ID             Fragment ID link count.
FRAG-POINTER        Fragment PTR link count.
FRAG-UNRESOLVED     Unresolved fragment count.
FRAG-HEADER-FOUND   Found header fragment count.
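As an added example that is not part of the Abilis documentation, the following Python script parses the "d d nat" and "d s nat" outputs shown above and turns the counters into a short list of findings. The sample text is the captured output quoted in this section (the per-side table abridged to a few rows); the thresholds, the counter grouping and the wording of the findings are the editor's assumptions, not Abilis guidance.

```python
import re

# Sample input: the 'd d nat' and 'd s nat' captures shown in this section,
# the second abridged (constructed sample for this example).
DIAG_SAMPLE = """\
RES:Nat -----------------------------------------------------------------------
       Network_Address_Translator
       STATE:READY
       -----------|--- CUR ---|-- PEAK ---|--- MAX ---|
       LINKS      |         45|        285|       5000|
       LINKS%     |         1%|         6%|           |
       ------------------------------------------------
"""

STATS_SAMPLE = """\
RES:Nat -----------------------------------------------------------------------
       Network_Address_Translator
       --- Cleared 25 days 08:50:44 ago, on 03/08/2017 at 07:25:50 ------------
       REQ:1373022674        SUCCESS:253343611     IGNORED:1119596154
       OVERFLOW:0            TCP-RST:88376         ERROR:0
       FTP-OVR:0             DNS-OVR:0             SNMP-MF:0
       FTP-BCT:0             DNS-EF:0              PPTP-MT:0
       ------------------------------------------------------------------------
       -----------|---INSIDE--|--OUTSIDE--|----VPN----|----DMZ----|
       BLOCKED-MIL|          0|          0|          0|          0|
       TCP-ERR    |          0|          0|          0|          0|
       TCP-SRC    |   70718827|    4403650|          0|          0|
       TCP-DST    |    5813793|   96884983|          0|          0|
       ONATDISCARD|          0|         25|          0|          0|
       ------------------------------------------------------------------------
       FRAG-ID:0                   FRAG-POINTER:0
       FRAG-UNRESOLVED:2361        FRAG-HEADER-FOUND:2378
       ------------------------------------------------------------------------
"""

SIDES = ("INSIDE", "OUTSIDE", "VPN", "DMZ")
# NAME:123 tokens on the scalar lines (REQ, SUCCESS, FRAG-* ...).
SCALAR_RE = re.compile(r"(?<![\w/:])([A-Z][A-Z0-9-]*):(\d+)(?!\S)")
# "NAME |  n|  n|  n|  n|" rows of the per-side table.
ROW_RE = re.compile(r"^\s*([A-Z][A-Z-]*)\s*\|\s*(\d+)\|\s*(\d+)\|\s*(\d+)\|\s*(\d+)\|")
ALG_COUNTERS = ("FTP-OVR", "DNS-OVR", "SNMP-MF", "FTP-BCT", "DNS-EF", "PPTP-MT")


def parse_diag(text):
    """Return STATE plus the CUR/PEAK/MAX link counts from 'd d nat' output."""
    diag = {}
    for line in text.splitlines():
        m = re.search(r"STATE:(\w+)", line)
        if m:
            diag["STATE"] = m.group(1)
        m = re.match(r"\s*LINKS\s*\|\s*(\d+)\|\s*(\d+)\|\s*(\d+)\|", line)
        if m:
            diag.update(CUR=int(m.group(1)), PEAK=int(m.group(2)), MAX=int(m.group(3)))
    return diag


def parse_stats(text):
    """Return the scalar counters plus 'per_side' {ROW: {SIDE: n}} from 'd s nat' output."""
    stats = {"per_side": {}}
    for line in text.splitlines():
        m = re.search(r"Cleared (.+?) ago, on (\S+) at (\S+)", line)
        if m:
            stats["cleared"] = f"{m.group(1)} ago ({m.group(2)} {m.group(3)})"
            continue
        row = ROW_RE.match(line)
        if row:
            stats["per_side"][row.group(1)] = dict(zip(SIDES, map(int, row.groups()[1:])))
            continue
        for name, value in SCALAR_RE.findall(line):
            stats[name] = int(value)
    return stats


def assess(diag, stats, peak_warn=0.8):
    """Turn the parsed counters into findings (thresholds are assumptions)."""
    findings = []
    if diag.get("STATE") != "READY":
        findings.append(f"NAT state is {diag.get('STATE')}, not READY")
    if diag.get("MAX") and diag["PEAK"] / diag["MAX"] >= peak_warn:
        findings.append(f"link table peak {diag['PEAK']}/{diag['MAX']} "
                        f"({diag['PEAK'] / diag['MAX']:.0%} of dimtable)")
    for name in ("OVERFLOW", "ERROR"):
        if stats.get(name):
            findings.append(f"{name}={stats[name]}: requests failed")
    alg = {k: stats[k] for k in ALG_COUNTERS if stats.get(k)}
    if alg:
        findings.append(f"ALG counters non-zero: {alg}")
    # Per-side rows that normally stay at zero: checksum errors, filter blocks, ONAT discards.
    for name in ("ICMP-ERR", "TCP-ERR", "UDP-ERR", "BLOCKED-MIL", "ONATDISCARD"):
        hits = {side: n for side, n in stats["per_side"].get(name, {}).items() if n}
        if hits:
            findings.append(f"{name} non-zero on {hits}")
    if stats.get("FRAG-UNRESOLVED"):
        findings.append(f"FRAG-UNRESOLVED={stats['FRAG-UNRESOLVED']}: fragments NAT could not resolve")
    req = stats.get("REQ")
    if req:
        findings.append(f"info: {stats.get('SUCCESS', 0) / req:.1%} translated, "
                        f"{stats.get('IGNORED', 0) / req:.1%} ignored, "
                        f"TCP-RST={stats.get('TCP-RST', 0)} since {stats.get('cleared', '?')}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_diag(DIAG_SAMPLE), parse_stats(STATS_SAMPLE)):
        print(finding)
```

On the captured output the script reports the 25 ONATDISCARD packets on the OUTSIDE side and the 2361 unresolved fragments, and notes that only about a fifth of the requests were translated. A high IGNORED share is not by itself a problem, since every packet the NAT sees without a matching rule is counted there, but a jump in ONATDISCARD, BLOCKED-MIL or the *-ERR rows between two readings is what to chase with the LSN:4 and LSN:13 debug commands described below.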

26.3.3. Debug of the NAT resource

[Caution]Caution

To use these commands you need administrator or super user rights.

Type the following command to list the available debug commands:

[00:07:36] ABILIS_CPX:debug res:nat lsn:0

RES:Nat -----------------------------------------------------------------------
       Network_Address_Translator                                              
       BufferLength:64512  Date/Time:28/08/2017 16:13:45 TraceTime:310240481

Usage:
   LSN:0                         - This help.
   LSN:1                         - Obsolete: use D NAT MAPS instead.
   LSN:2                         - Display statistics and information.
   LSN:3  CMD:DISPLAY            - Display current NAT trace.
   LSN:3  CMD:ACT[,param,...]    - Activate trace.
          Parameters:
            No param - Trace all packets unconditionally.
            CHK      - Trace packets with wrong checksum.
            TCPRST   - Trace packets when NAT originates a TCP reset.
            ERR      - Trace packets that cause an error.
            NOTLN    - Trace packets except TELNET packets.
            <IP add> - Trace packets only to/from these addresses (up to 4).
   LSN:3  CMD:START  - Start trace.
   LSN:3  CMD:STOP   - Stop trace.
   LSN:3  CMD:INACT  - Deactivate trace.
   LSN:4             - Display headers of last 10 packets with checksum error.
   LSN:4  CMD:EXT    - Display completely last 10 packets with checksum error.
   LSN:4  CMD:CLR    - Clear checksum failures history.
   LSN:5             - Display summary of links indexed by INAT and ADD.
   LSN:5  CMD:EXT    - Display links indexed by INAT and ADD.
   LSN:6  CMD:CLR    - Reset "Links Peak" diagnostic.
   LSN:7             - Display active and blocked links "per IP".
   LSN:7  CMD:EXT    - Display active and blocked links "per IP", detailed.
   LSN:8             - Display configuration table currently loaded.
   LSN:9             - Display virtual links table.
   LSN:10            - Display dynamic links table.
   LSN:11            - Display TCP links with SYN/FIN flags.
   LSN:12            - Display last 100 UPNP commands.
   LSN:12 CMD:EXT    - Display last 100 UPNP commands, detailed.
   LSN:12 CMD:CLR    - Clear UPNP commands history.
   LSN:13            - Display header of last 20 packets with "ONAT discard".
   LSN:13 CMD:CLR    - Clear "ONAT discard" history.
   LSN:14            - View optimized loop-back table.
   LSN:20 CMD:ALL    - Enable checksum verify for ALL TCP and UDP packets.
   LSN:20 CMD:DFT    - Restore checksum verify for TCP SYN, FIN, RST only.

To view the current NAT sessions, type:

[00:10:18] ABILIS_CPX:d nat maps

Number of records in standard table: 21

S A TYPE SRC-ADDRESS     SP/ID DST-ADDRESS     DP/ID ALS-ADDRESS     ALIAS  TM
-------------------------------------------------------------------------------
IOS UDP  192.168.030.002 11826 086.101.152.080 26211 192.168.001.100  9060  180
IOS UDP  192.168.030.002 11826 080.230.085.012 30615 192.168.001.100  9061   54
IOS UDP  192.168.030.002 11826 084.097.119.138 41956 192.168.001.100  9247   93
IOS UDP  192.168.030.002 11826 200.117.084.037 45252 192.168.001.100  9063  180
IOS UDP  192.168.030.002 11826 077.083.166.003 34588 192.168.001.100  9064  180
IOS UDP  192.168.030.002 11826 151.021.081.198 32605 192.168.001.100  9068  164
IOS TCP  192.168.030.002  2220 095.076.135.237 18586 192.168.001.100  9109  360
IOS UDP  192.168.030.002 11826 077.030.154.190 41899 192.168.001.100  9206   58
IOS UDP  192.168.030.002 11826 095.250.024.242 34375 192.168.001.100  9250  104
IOS UDP  192.168.030.002 11826 079.024.059.147 31351 192.168.001.100  9251  105
IOS UDP  192.168.030.002 11826 193.198.056.247 45682 192.168.001.100  9115   16
IOS TCP  192.168.030.002  2254 064.012.028.207   443 192.168.001.100  9116  352
IOS UDP  192.168.030.002 11826 095.076.135.237 18586 192.168.001.100  9258  147
IOS UDP  192.168.030.002 11826 151.048.102.187 45873 192.168.001.100  9093   18
IOS TCP  192.168.030.002  2287 205.188.001.209   443 192.168.001.100  9123  144
IOS TCP  192.168.030.002  2296 064.012.030.056   443 192.168.001.100  9124  223
IOS UDP  192.168.030.001  5060 083.211.227.015  5060 192.168.001.100  9100  110
IOS UDP  192.168.030.002 11826 217.164.063.250 36112 192.168.001.100  9127  149
IOS TCP  192.168.030.002  2200 064.004.061.123  1863 192.168.001.100  9104  350
IOS UDP  192.168.030.002 11826 093.146.163.169 31586 192.168.001.100  9130  103
IOS TCP  192.168.030.002  2366 080.230.085.012 30615 192.168.001.100  9217  355

Meaning of parameters:

S (SIDE)

It is composed of two letters: the first shows the input side and the second the translation side (I: INSIDE, O: OUTSIDE, V: VPN, D: DMZ). In the listing above, IO means a packet received on the INSIDE and translated towards the OUTSIDE.

A

It shows whether the translation must be applied to the source address or to the destination one (S: SOURCE, D: DESTINATION).

TYPE

It shows the packet's protocol. The translation is applied only if TYPE matches the protocol of the packet being analysed (ICMP, UDP, DNS, SNTP, SNMP, TCP, FTPc, FTPd, FRAG, PPTc, PPTd).

SRC-ADDRESS

It shows the filter applied to the source address. If the source address of the received packet does not match SRC-ADDRESS, the translation is not applied.

SP/ID

If TYPE is FRAG, PPT or ICMP, it shows the packet ID used to verify whether the translation matches. If TYPE is TCP or UDP, it shows the packet source port.

DST-ADDRESS

It shows the filter applied to the destination address. If the destination address of the received packet does not match DST-ADDRESS, the translation is not applied.

DP/ID

If TYPE is FRAG, PPT or ICMP, it shows the packet ID used to verify whether the translation matches. If TYPE is TCP or UDP, it shows the packet destination port.

ALS-ADDRESS

If TYPE, SRC-ADDRESS, SP/ID, DST-ADDRESS and DP/ID match, it shows the new IP address that replaces the one in the packet. If A:S, the source address is replaced with ALS-ADDRESS; if A:D, the destination address is replaced with ALS-ADDRESS.

ALIAS

Under the same match conditions, it shows the new port (or ID) that replaces the one in the packet. If A:S, the source port (SP/ID) is replaced with ALIAS; if A:D, the destination port (DP/ID) is replaced with ALIAS.

TM

It is the translation lifetime. When TM reaches 0, the translation is deleted. Each time the translation is matched, TM is reset to a value that depends on the NAT resource configuration.
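The column meanings above are enough to reconstruct, for each row, what the NAT actually does to a matching packet and to summarise the table per inside host. The following Python script is an added example (not part of the Abilis documentation or firmware): it parses a constructed six-row excerpt of the "d nat maps" listing shown above, applies the A:S / A:D rule to produce the translated 5-tuple, and reports per-host session counts, the inside source port with the widest fan-out and entries close to expiry. The expiry threshold and the summary fields are the editor's choices.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: six rows taken from the 'd nat maps' listing in this section.
MAPS_SAMPLE = """\
Number of records in standard table: 6

S A TYPE SRC-ADDRESS     SP/ID DST-ADDRESS     DP/ID ALS-ADDRESS     ALIAS  TM
-------------------------------------------------------------------------------
IOS UDP  192.168.030.002 11826 086.101.152.080 26211 192.168.001.100  9060  180
IOS UDP  192.168.030.002 11826 080.230.085.012 30615 192.168.001.100  9061   54
IOS TCP  192.168.030.002  2220 095.076.135.237 18586 192.168.001.100  9109  360
IOS TCP  192.168.030.002  2254 064.012.028.207   443 192.168.001.100  9116  352
IOS UDP  192.168.030.001  5060 083.211.227.015  5060 192.168.001.100  9100  110
IOS TCP  192.168.030.002  2200 064.004.061.123  1863 192.168.001.100  9104  350
"""

SIDE_NAMES = {"I": "INSIDE", "O": "OUTSIDE", "V": "VPN", "D": "DMZ"}
# S (two side letters) and A (S/D) are printed as one three-letter token, e.g. "IOS".
ROW_RE = re.compile(
    r"^([IOVD])([IOVD])([SD])\s+(\w+)\s+([\d.]+)\s+(\d+)\s+([\d.]+)\s+(\d+)"
    r"\s+([\d.]+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_addr(text):
    """Abilis prints zero-padded octets (192.168.030.002); recent Python
    versions of ipaddress reject leading zeros, so strip them first."""
    return ipaddress.IPv4Address(".".join(str(int(o)) for o in text.split(".")))


def parse_maps(text):
    """Return one dict per translation row of a 'd nat maps' listing."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        in_side, xlat_side, which, proto, src, sp, dst, dp, als, alias, tm = m.groups()
        rows.append({
            "input_side": SIDE_NAMES[in_side],
            "translation_side": SIDE_NAMES[xlat_side],
            "translate": "SOURCE" if which == "S" else "DESTINATION",
            "type": proto,
            "src": parse_addr(src), "sp": int(sp),
            "dst": parse_addr(dst), "dp": int(dp),
            "alias_addr": parse_addr(als), "alias_port": int(alias),
            "tm": int(tm),
        })
    return rows


def translated_packet(row):
    """The 5-tuple a matching packet carries after translation: A:S rewrites
    source address/port with ALS-ADDRESS/ALIAS, A:D rewrites the destination."""
    if row["translate"] == "SOURCE":
        return (row["type"], row["alias_addr"], row["alias_port"], row["dst"], row["dp"])
    return (row["type"], row["src"], row["sp"], row["alias_addr"], row["alias_port"])


def summarize(rows, expiring_below=60):
    """Sessions per inside host, the (host, proto, port) with the most distinct
    peers, and translations whose TM is below the (assumed) threshold."""
    per_host = Counter(r["src"] for r in rows)
    fanout = defaultdict(set)
    for r in rows:
        fanout[(r["src"], r["type"], r["sp"])].add((r["dst"], r["dp"]))
    key, peers = max(fanout.items(), key=lambda kv: len(kv[1]))
    expiring = [r for r in rows if r["tm"] < expiring_below]
    return {"per_host": per_host, "busiest_port": (key, len(peers)), "expiring": expiring}


if __name__ == "__main__":
    rows = parse_maps(MAPS_SAMPLE)
    for r in rows:
        print(r["src"], r["sp"], "->", translated_packet(r))
    print(summarize(rows))
```

Two things the summary makes visible in the listing shown here: the inside host 192.168.30.2 uses one UDP source port (11826) towards many peers, and the NAT assigns a different ALIAS port (9060, 9061, 9247, ...) to each peer, that is, endpoint-dependent mapping, which is the behaviour STUN/ICE-based applications classify as symmetric NAT and handle less well than a single mapping per inside port. The TM column lets you spot which of those bindings is about to be torn down, which matters when a remote peer is expected to send to the ALIAS port unsolicited.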