Troubleshooting: Verifying NAT Operability

This article explains how to verify the NAT sessions created on a Versa VOS appliance.

We will use several show commands to inspect the NAT sessions.

To view the list of NAT sessions, use the CLI command show orgs org <org-name> sessions nat brief | tab

The output below shows two NAT sessions created from the source IP 172.10.10.4, both translated to the NAT source IP 10.192.83.26.

admin@Branch-cli> show orgs org Tenant-Org-2 sessions nat brief | tab
                                                                                                                                       NAT     NAT
VSN  VSN  SESS                                SOURCE  DESTINATION                                        NAT SOURCE    NAT             SOURCE  DESTINATION
ID   VID  ID     SOURCE IP    DESTINATION IP  PORT    PORT         PROTOCOL  NATTED  SDWAN  APPLICATION  IP            DESTINATION IP  PORT    PORT
------------------------------------------------------------------------------------------------------------------------------------------------------------
0    2    37898  172.10.10.4  40.77.226.16    49818   443          6         Yes     No     windowslive  10.192.83.26  40.77.226.16    18971   443
0    2    42546  172.10.10.4  157.56.106.189  54866   3544         17        Yes     No     teredo       10.192.83.26  157.56.106.189  11750   3544

To view a summary of all NAT sessions that have been created and closed, along with failed attempts, run the CLI command show orgs org <org-name> sessions nat summary

admin@Branch-100-DIA-cli> show orgs org Tenant-Org-2 sessions nat summary
     NAT      NAT      NAT      NAT
VSN  SESSION  SESSION  SESSION  SESSION
ID   COUNT    CREATED  CLOSED   FAILED
-----------------------------------------
0    2        1370     1368     0

To view the details of a NAT session, use the CLI command show orgs org <org-name> sessions nat detail

The NAT detail output shows the key attributes of each NAT session, such as the source and destination IP and the translated NAT source IP. The natted field is marked 'Yes' when the traffic is being translated. The output also shows the ingress and egress interfaces and the NAT rule that matched.

admin@Branch-100-DIA-cli> show orgs org Tenant-Org-2 sessions nat detail
sessions nat detail 0 2 37898
 source-ip                  172.10.10.4
 destination-ip             40.77.226.16
 source-port                49818
 destination-port           443
 protocol                   6
 natted                     Yes
 sdwan                      No
 application                windowslive
 nat-source-ip              10.192.83.26
 nat-destination-ip         40.77.226.16
 nat-source-port            18971
 nat-destination-port       443
 forward-pkt-count          3150
 forward-byte-count         321818
 reverse-pkt-count          1599
 reverse-byte-count         300438
 dropped-forward-pkt-count  0
 dropped-forward-byte-count 0
 dropped-reverse-pkt-count  0
 dropped-reverse-byte-count 0
 session-age                2d18h03m
 idle-for                   00:00:26
 idle-timeout               524
 pbf-enabled                true
 forward-egress-vrf         DIA-Transport-VR
 reverse-egress-vrf         Tenant-Org-2-LAN-VR
 session-provider-zone      0
 forward-offload            false
 reverse-offload            false
 forward-ingress-interface  vni-0/2.0
 forward-egress-interface   vni-0/1.0
 reverse-ingress-interface  vni-0/1.0
 reverse-egress-interface   vni-0/2.0
 forward-fc                 fc_be
 reverse-fc                 fc_be
 forward-plp                low
 reverse-plp                low
 nat-rule-name              DIA-Rule-Tenant-Org-2-LAN-VR-DIA
 nat-direction              inside
sessions nat detail 0 2 42546
 source-ip                  172.10.10.4
 destination-ip             157.56.106.189
 source-port                54866
 destination-port           3544
 protocol                   17
 natted                     Yes
 sdwan                      No
 application                teredo
 nat-source-ip              10.192.83.26
 nat-destination-ip         157.56.106.189
 nat-source-port            11750
 nat-destination-port       3544
 forward-pkt-count          8595
 forward-byte-count         764955
 reverse-pkt-count          8415
 reverse-byte-count         1152855
 dropped-forward-pkt-count  0
 dropped-forward-byte-count 0
 dropped-reverse-pkt-count  0
 dropped-reverse-byte-count 0
 session-age                2d13h23m
 idle-for                   00:00:10
 idle-timeout               32
 pbf-enabled                true
 forward-egress-vrf         DIA-Transport-VR
 reverse-egress-vrf         Tenant-Org-2-LAN-VR
 session-provider-zone      0
 forward-offload            false
 reverse-offload            false
 forward-ingress-interface  vni-0/2.0
 forward-egress-interface   vni-0/1.0
 reverse-ingress-interface  vni-0/1.0
 reverse-egress-interface   vni-0/2.0
 forward-fc                 fc_be
 reverse-fc                 fc_be
 forward-plp                low
 reverse-plp                low
 nat-rule-name              DIA-Rule-Tenant-Org-2-LAN-VR-DIA
 nat-direction              inside
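
An added example (not from the original article or from Versa): a short Python parser for the sessions nat detail output above that flags sessions worth a closer look. The sample input is constructed from the first session shown above plus a made-up session 50001, and the flag names and checks are this example's own assumptions.

```python
import re

# Constructed sample: session 37898 trimmed from the output above, plus a
# made-up session 50001 with drops and no return traffic to exercise the checks.
SAMPLE = """\
sessions nat detail 0 2 37898
 source-ip                  172.10.10.4
 natted                     Yes
 nat-source-ip              10.192.83.26
 forward-pkt-count          3150
 reverse-pkt-count          1599
 dropped-forward-pkt-count  0
sessions nat detail 0 2 50001
 source-ip                  172.10.10.4
 natted                     Yes
 nat-source-ip              10.192.83.26
 forward-pkt-count          12
 reverse-pkt-count          0
 dropped-forward-pkt-count  3
"""

HEADER = re.compile(r"^sessions nat detail (\d+) (\d+) (\d+)\s*$")

def parse_nat_detail(text):
    """Split 'sessions nat detail' output into one dict per session."""
    sessions = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # header line carries VSN ID, VSN VID and session ID
            sessions.append({"vsn-id": m[1], "vsn-vid": m[2], "sess-id": m[3]})
        elif line.strip() and sessions:
            key, _, value = line.strip().partition(" ")
            sessions[-1][key] = value.strip()
    return sessions

def findings(s):
    """Return troubleshooting flags (names are this example's own) for a session."""
    out = []
    if s.get("natted") != "Yes":
        out.append("not-natted")
    if int(s.get("forward-pkt-count", 0)) > 0 and int(s.get("reverse-pkt-count", 0)) == 0:
        out.append("no-return-traffic")
    if any(int(v) > 0 for k, v in s.items()
           if k.startswith("dropped-") and k.endswith("-pkt-count")):
        out.append("drops")
    return out

def audit(text):
    """Map each session ID to its list of flags; an empty list means healthy."""
    return {s["sess-id"]: findings(s) for s in parse_nat_detail(text)}
```

Calling audit() on saved CLI output returns an empty list for a session that passes every check, so only the sessions with flags need a manual look at their interfaces and NAT rule.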

The NAT translations can also be viewed in the Versa Director GUI under the Monitor tab.

Navigate to the Service Tab and click on CGNAT to view the NAT translations. Click on the ‘eye’ icon to view more detailed session information.

Summary

In this article, we saw how to verify NAT operability on Versa VOS using the show commands. The information in their output can be used to troubleshoot NAT issues.