Slow network speed due to high number of NAT sessions

Hello all, 

This case describes slow network speed caused by a high number of NAT sessions on an egress router.

Problem 

Configuration script:

ip load-balance hash src-ip

interface Dialer1

 nat outbound 2999 

interface Dialer2

 nat outbound 2998 

ip route-static 0.0.0.0 0.0.0.0 Dialer1

ip route-static 0.0.0.0 0.0.0.0 Dialer2

Fault symptom:

The AR1220E-S functions as the egress gateway, two dial-up interfaces serve as egresses, and source IP address-based load balancing is configured. The problem is that the Internet access rate is very low. The carrier confirms that the problem is not caused by the carrier's device. In addition, the problem does not occur when the router is replaced with another vendor's router. External websites can be pinged; however, occasional packet loss occurs during the ping.

Alarm information

2020-08-11 04:23+00:00 Huawei D/4/CPCAR_DROP_MPU(l)[1438]:Some packets are dropped by cpcar on the MPU. (Packet-type=unknown-packet, Drop-Count=5342)

2020-08-11 04:23+00:00 Huawei D/4/CPCAR_DROP_MPU(l)[1439]:Some packets are dropped by cpcar on the MPU. (Packet-type=unknown-packet, Drop-Count=5632)

Handling Procedure

1. Pinging the public IP address fails. After the device is restarted, the ping succeeds, but it fails again one hour later.

2. The alarm shows that a large number of unknown unicast packets are discarded by CPCAR, and the number of sessions has reached the upper limit. Therefore, port attacks may be occurring. Configure attack defense and block high-risk ports such as 135, 137, 139, and 445.

  ===============display session number===============

  The total number of session tables is: 63781

  ===============display nat session number===============

  The total number of NAT session tables is: 62470


Anti-attack configuration:

A. Create ACL rules for high-risk ports.

acl number 3000 

 rule 5 permit tcp  destination-port eq  135

 rule 10 permit tcp  destination-port eq  137

 rule 15 permit tcp  destination-port eq  139

 rule 20 permit tcp  destination-port eq  445

 rule 25 permit udp  destination-port eq  135

 rule 30 permit udp  destination-port eq  137

 rule 35 permit udp  destination-port eq  139

 rule 40 permit udp  destination-port eq  445 

B. Create a traffic policy.

traffic classifier virus operator or

  if-match acl 3000

traffic behavior virus

 deny

traffic policy virus

 classifier virus behavior virus 

C. Apply the traffic policy to the intranet interface.

interface GigabitEthernetX/X/X 

 traffic-policy virus outbound

 traffic-policy virus inbound 


3. After the configuration is complete, check the NAT session table: no high-risk port appears, and the number of sessions is far lower than the device specification. However, the problem persists.

  ===============display session number===============

The total number of session tables is: 14097

  ===============display nat session number===============

The total number of NAT session tables is: 12666


4. Check the public IP address obtained by the dialer interface. An IP address in the 100.x.x.x network segment is a pseudo public IP address, which means the carrier performs a second NAT on the traffic. The carrier may limit the number of sessions during this secondary NAT, so the sessions generated by the local end cannot be forwarded.

Dialer1                           100.X.XX.9/32      up         up(s)

Dialer2                           100.X.X.227/32     up         up(s)


5. Run the following commands to limit the number of sessions per intranet IP address. After the configuration is complete, the fault is rectified.

statistics ip enable inzone

 statistics connect-number ip inzone tcp high 500 low 200 //reduces the number of sessions to the specified range.
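The handling procedure above combines three checks: reading the session counters, spotting a dialer address that sits in carrier-NAT space, and finding intranet hosts that hold too many sessions or talk to the blocked ports. The following script is an added example (not part of the original case or a Huawei tool) that automates those checks offline. It parses the `display session number` / `display nat session number` output quoted in the case, a constructed interface listing shaped like the Dialer lines above, and a constructed per-session list in a simple `proto src:port -> dst:port` format (the real `display nat session` layout differs by version, so the `SESSION_RE` pattern would need adjusting). The 100.64.0.0/10 range is the RFC 6598 shared address space that carriers use for CGNAT; the 500-session threshold mirrors the `high 500` watermark from step 5.

```python
"""Triage helper for NAT session exhaustion (added example, not the case's own code)."""
import ipaddress
import re
from collections import Counter, defaultdict

# RFC 6598 shared address space: the "pseudo public" 100.x.x.x range the case refers to.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")
HIGH_RISK_PORTS = {135, 137, 139, 445}   # ports blocked by ACL 3000 in the case
SESSION_HIGH_WATERMARK = 500             # `statistics connect-number ip inzone tcp high 500`

# Counter output copied from step 2 of the case (the pre-fix state).
SESSION_NUMBER_OUTPUT = """
===============display session number===============
The total number of session tables is: 63781
===============display nat session number===============
The total number of NAT session tables is: 62470
"""

# Constructed interface listing in the shape of the case's Dialer lines.
# 100.64.77.9 is a made-up address inside 100.64.0.0/10; 203.0.113.5 is a documentation address.
INTERFACE_BRIEF = """
Dialer1                           100.64.77.9/32     up         up(s)
Dialer2                           203.0.113.5/32     up         up(s)
"""

# Constructed NAT session lines: one worm-like host (520 TCP/445 flows plus one UDP/137)
# and one normal host with a handful of HTTPS sessions.
NAT_SESSIONS = (
    ["tcp 192.168.1.23:%d -> 198.51.100.%d:445" % (40000 + i, i % 250 + 1) for i in range(520)]
    + ["tcp 192.168.1.7:5100%d -> 198.51.100.9:443" % i for i in range(5)]
    + ["udp 192.168.1.23:60001 -> 198.51.100.2:137"]
)

TOTAL_RE = re.compile(r"total number of (NAT )?session tables is:\s*(\d+)", re.IGNORECASE)
IFACE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})/\d+", re.MULTILINE)
SESSION_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_session_totals(text):
    """Return {'session': N, 'nat_session': M} from the two `display ... number` outputs."""
    totals = {}
    for nat, count in TOTAL_RE.findall(text):
        totals["nat_session" if nat else "session"] = int(count)
    return totals


def parse_interface_addresses(text):
    """Map interface name -> IPv4 address from `display ip interface brief`-style lines."""
    return {name: ipaddress.ip_address(addr) for name, addr in IFACE_RE.findall(text)}


def cgnat_interfaces(addresses):
    """Interfaces whose address lies in RFC 6598 space, i.e. behind a carrier's second NAT."""
    return sorted(name for name, ip in addresses.items() if ip in SHARED_ADDRESS_SPACE)


def parse_nat_sessions(lines):
    """Yield (proto, src_ip, dst_ip, dst_port) for each parsable constructed session line."""
    for line in lines:
        m = SESSION_RE.match(line.strip())
        if m:
            proto, src, _sport, dst, dport = m.groups()
            yield proto, src, dst, int(dport)


def sessions_per_host(lines):
    """Count sessions by intranet source address."""
    return Counter(src for _p, src, _d, _dp in parse_nat_sessions(lines))


def hosts_over_limit(lines, limit=SESSION_HIGH_WATERMARK):
    """Hosts holding more than `limit` sessions (the ones step 5's watermark would throttle)."""
    return sorted((h, n) for h, n in sessions_per_host(lines).items() if n > limit)


def high_risk_talkers(lines, ports=HIGH_RISK_PORTS):
    """Map host -> set of high-risk destination ports in use (traffic ACL 3000 would drop)."""
    hits = defaultdict(set)
    for _p, src, _d, dport in parse_nat_sessions(lines):
        if dport in ports:
            hits[src].add(dport)
    return dict(hits)


def triage(session_output, iface_output, nat_lines):
    """Combine the three checks from the handling procedure into one report."""
    totals = parse_session_totals(session_output)
    return {
        "nat_share": round(totals["nat_session"] / totals["session"], 3),
        "cgnat_interfaces": cgnat_interfaces(parse_interface_addresses(iface_output)),
        "hosts_over_limit": hosts_over_limit(nat_lines),
        "high_risk_talkers": high_risk_talkers(nat_lines),
    }


if __name__ == "__main__":
    for key, value in triage(SESSION_NUMBER_OUTPUT, INTERFACE_BRIEF, NAT_SESSIONS).items():
        print(f"{key}: {value}")
```

With the constructed input the report shows that almost 98% of the session table is NAT state, that Dialer1 is behind carrier NAT, and that 192.168.1.23 both exceeds the 500-session watermark and is the only host talking to ports 445 and 137; that is the same picture the case arrived at by hand in steps 2 through 5.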

Root Cause

1. Port attacks exist. For example, a worm exploits a port vulnerability to attack intranet users. As a result, the session resources on the device are used up and address translation cannot be performed, so users cannot access the Internet.

2. The obtained address is not a real public address. The carrier limits the number of sessions during secondary NAT. By default, Huawei devices do not limit the number of sessions. Address translation cannot be completed on the carrier's device, causing slow Internet access.

Solution

1. Configure attack defense against viruses and worms and block high-risk ports to prevent session resource exhaustion caused by attacks.

2. Reduce the number of sessions per IP address to the specified range.
