NAT Errors [Add nat user data fail(Search Public Addr Fail)]

Created: Jul 15, 2020 04:28:37 | Latest reply: Oct 25, 2021 06:14:24
  Rewarded HiCoins: 0 (problem resolved)

Hi,

I am facing NAT errors for random users. I am using NE40EX8A for NAT.

This is the error I get in the logs: [ Add nat user data fail(Search Public Addr Fail) ]

When I searched for more info, this is what I get. However, I do not know how to check the configuration, since there are many users already NATed without any problem. Please advise me.

error


Thanks

Featured Answers

Best answer

Recommended answer

DDSN
Admin Created Jul 15, 2020 04:34:29

Hi user_3896063,
You can run the display nat instance [ instance-name ] command to check the configuration of a NAT instance.

You can run the display nat address-usage [ by-session ] instance instance-name address-group address-group-name [ slot slot-id { engine engine-id | card card-id } ] [ verbose ] command to check the public port usage of a NAT address pool.

You can compare this with the basic NAT configuration in the product documentation. Please refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1100136152&id=EN-US_TASK_0172374489&lang=en

Finally, I found a case for your reference.

Fault Description

After the NAT service is configured on an NE40E, some users fail to go online.

Troubleshooting Procedure

Run the display aaa online-fail-record command to check causes for user access failures.

Online fail reason: Add CGN user data fail(Search Public Addr Fail)

The user fails to go online because they fail to receive a public IP address.

Check the public IP address and port number of the user.

nat instance cpe1 id 1
 port-range 4096
 nat address-group group1 group-id 0
  section 0 1.1.1.0 mask 24
 nat outbound 3001 address-group group1
#

The port range size is 4096. Each public IP address is assigned 16 (65536/4096) port segments, and there are 256 public IP addresses. Therefore, at most 4096 (256 x 16) users can obtain the port segment.

Check the ACL configuration. Check that fewer than 4096 private network users are allowed access, and the ratio between public and private IP addresses does not exceed the limit.

acl number 3001
 rule 1 permit source 10.1.1.0 0.255.255.255
#

The private IP address of the user is 10.1.1.1, which is not defined in ACL 3001. Therefore, the user fails to be assigned a public IP address because the private IP address 10.1.1.1 does not match the ACL.

Summary

The private network segment is not specified in the ACL. As a result, the NAT service board fails to find a matching public IP address and the user fails to go online.

I hope it helps!
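
The two checks from the case above (pool capacity and ACL coverage) as an added Python example; it is not part of the original reply and is not Huawei tooling. The configuration text is the case's own; the function names, the user counts and the sample source addresses are constructed, and only permit rules are evaluated (no deny rules or rule ordering).

```python
import ipaddress
import re

# Configuration text copied from the case above.
NAT_CONFIG = """\
nat instance cpe1 id 1
 port-range 4096
 nat address-group group1 group-id 0
  section 0 1.1.1.0 mask 24
 nat outbound 3001 address-group group1
"""
ACL_CONFIG = """\
acl number 3001
 rule 1 permit source 10.1.1.0 0.255.255.255
"""

def pool_capacity(config: str) -> int:
    """Users the pool can serve: public addresses x port segments per address."""
    port_range = int(re.search(r"port-range (\d+)", config).group(1))
    addresses = 0
    for start, mask in re.findall(r"section \d+ (\S+) mask (\S+)", config):
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        addresses += net.num_addresses
    # Same arithmetic as the case: 65536 / port-range segments per address.
    return addresses * (65536 // port_range)

def acl_permits(acl: str, source: str) -> bool:
    """True if a 'permit source <addr> <wildcard>' rule covers the source.
    Wildcard bits set to 1 are ignored; bits set to 0 must match."""
    src = int(ipaddress.IPv4Address(source))
    for addr, wildcard in re.findall(r"rule \d+ permit source (\S+) (\S+)", acl):
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (src & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return True
    return False

def diagnose(source: str, online_users: int) -> str:
    """Name the likely cause of 'Search Public Addr Fail' for one user."""
    if not acl_permits(ACL_CONFIG, source):
        return "acl-mismatch"
    if online_users >= pool_capacity(NAT_CONFIG):
        return "pool-exhausted"
    return "ok"

if __name__ == "__main__":
    print(pool_capacity(NAT_CONFIG))  # 4096
    # Constructed sample users: (private source address, users already online).
    for ip, users in [("10.20.30.40", 1200), ("10.20.30.40", 4096), ("172.16.5.9", 1200)]:
        print(ip, users, diagnose(ip, users))
```

Paste the output of display nat instance and the ACL into the two strings to check a failing subscriber's address against the real configuration.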


user_3896063 Created Jul 18, 2020 20:58:32
Thank you very much for your best reply. I followed your recommendations; it is very straightforward and clear. Appreciated.
user_4396693 Created Oct 25, 2021 06:15:10
 
Good