9.15. Show and Clear Commands

Below is a list of show and clear commands grouped into blocks, with a description of each show command. Clear commands whose meaning is obvious from the command itself are listed without a description.

show <nat|nat64> counters [vrf NAME]

Display the information about the current system load (Counter, Current value, Limit, and Load as a percentage). If you have several NAT instances configured in different VRFs, you can view the counters in each VRF separately by specifying its NAME. The counters are:

Counter

Description

Active Subscribers

Active internal IP addresses

Address Map Entries

Each entry has one unique internal IP address matching the unique external one

Port Map Entries

The internal IP:Port to external IP:Port mappings. Mappings are used when NAT sessions are created

Session Entries

A session is an internal data structure which is needed for implementation of the mapping from an internal IP:Port to an external IP:Port. The session contains the following information: int_ip:port ext_ip:port dst_ip:port, the time it was last used

Pending Fragments

The IP fragments for all chains that are awaiting assembly

show <nat|nat64> counters [vrf NAME] overall
clear <nat|nat64> counters [vrf NAME] overall

Display the information for all NAT|NAT64 counters. These counters are cumulative and do not show the current load of the system. Below are some counters and their brief description:

Counter

Description

Inbound and Outbound Translations

Each change of an IP address, a port, or an IP:Port pair counts as one translation

Inbound and Outbound Bytes

All traffic through NAT without taking into account Ethernet and VLAN headers

Inbound and Outbound Fragment Translations

All IP fragments that were received from the internal network (outbound) or from the external network (inbound)

Inbound and Outbound Fragment Bytes

The same as above but in bytes

Subscriber Creations, Address Map Creations, Port Map Creations and Session Creations

These counters are the same as in the description of the show <nat|nat64> counters command, except that Creations counts all entries created over the entire time of operation of the device

Hairpinning Sessions

See RFC 5128 and Hairpinning Behavior for reference

Filtering Policy Drops

The filtering mode did not allow a new session to be created

Hairpinning Loop Drops

See RFC 6146 Section 5.4 for reference

Hairpinning Drops

The hairpinning is disabled, but vCGNAT has received a packet to create Hairpinning Sessions

No Pool Drops

Packets dropped while a pool is being deleted from the subscriber-group

No Portless Mapping Drops

A packet came from the internal network via GRE, AH, ESP protocols, but there was no corresponding IP-IP mapping for it

ACL Drops

A packet drop (deny) according to access list rules

Inbound Refresh Drops

A packet from the external network would require a new session to be created, but inbound refresh is disabled

Unsupported L4 Protocol Drops

A packet with unsupported L4 protocol

No NAT Rule Drops

A packet came to the inside interface from the client network for which no NAT rule is set

No Mapping Drops

A packet came on a closed port (i.e. no open mapping) from the external network

No RSS Drops

The RSS hash was not calculated by the network card/driver

Fragment Timeout Drops

Until the first fragment arrives, we cannot do translation because the other fragments do not have any information about ports. These fragments are stored in chains. A chain lives for a certain amount of time. If the first packet does not arrive within the specified time interval, the chain will be removed. The default interval is 15 seconds

Fragment Duplicated Drops

A fragment duplicates a fragment that has already been processed

Fragment Overlap Drops

A fragment overlaps with the other one that has already been processed

Fragment With Zero Size Drops

An IP fragment with a 0-byte payload (no data). If the L4 payload size turns out to be 0 bytes after parsing the IP header, the packet is dropped, because such fragments are treated as a network attack

Fragment Control Queue Too Short Drops

An array is used to check that incoming fragments do not overlap with each other. If the array is too short to perform the check, the packet is dropped

TCP No SYN Drops

TCP packets without the SYN flag for which no existing session was found

TCP NULL Flags Drops

The TCP packets without any TCP flags

TCP SYN & FIN Drops

The packets with both TCP SYN and FIN flags set

TCP XMAS Drops

The TCP packets with FIN, URG, PSH flags set at the same time. Such packets are illegal based on RFC 793

TCP SYN Fragments Drops

The TCP SYN packets that are IP fragments

TCP/UDP Port Zero Drops

The TCP/UDP packets, where Source/Destination Port value is zero

ICMP Query ID Zero Drops

The ICMP packets, where Query ID value is zero

ICMP Unsupported Proto Drops

The ICMP error with an unsupported L4 protocol inside

ICMP Unknown Type Drops

The ICMP packets with unknown Type and Code fields

ICMP Error Drops

No matching NAT session for the ICMP error message

GRE Unknown Version Drops

GRE packets with an unknown protocol version. The Version field (bits 13-15) of the GRE header must be 0. See RFC 2784 for reference
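
The packet-sanity drop counters above (zero-size fragments, TCP flag combinations, port zero, ICMP Query ID zero, GRE version) correspond to header checks on each packet. As an added example that is not vCGNAT code, the Python below applies the same checks to a raw IPv4 packet and returns the name of the counter this page assigns to the defect, or None when the packet passes; the ipv4() and tcp() builders only construct test packets for the demo.

```python
import struct

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20

def ipv4(proto, payload, more_frags=False, frag_offset=0):
    """Constructed 20-byte IPv4 header (no options) in front of payload."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                       64, proto, 0, bytes([192, 168, 1, 2]), bytes([203, 0, 113, 9])) + payload

def tcp(sport, dport, flags):
    """Constructed 20-byte TCP header; flags is the FIN..URG bit field."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def classify(pkt):
    """Return the drop counter a packet would increment, or None if it passes."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    offset = flags_frag & 0x1FFF
    is_fragment = bool(flags_frag & 0x2000) or offset != 0
    payload = pkt[ihl:]
    if is_fragment and not payload:
        return "Fragment With Zero Size Drops"
    if offset != 0:
        return None  # no L4 header in a non-first fragment; left to reassembly
    if proto == 6 and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13] & 0x3F
        if is_fragment and flags & SYN:
            return "TCP SYN Fragments Drops"
        if flags == 0:
            return "TCP NULL Flags Drops"
        if (flags & SYN) and (flags & FIN):
            return "TCP SYN & FIN Drops"
        if (flags & (FIN | URG | PSH)) == (FIN | URG | PSH):
            return "TCP XMAS Drops"
        if sport == 0 or dport == 0:
            return "TCP/UDP Port Zero Drops"
    elif proto == 17 and len(payload) >= 8:
        if 0 in struct.unpack("!HH", payload[:4]):
            return "TCP/UDP Port Zero Drops"
    elif proto == 1 and len(payload) >= 8:
        # Echo request/reply carry the Query ID in bytes 4-5 of the ICMP header
        if payload[0] in (0, 8) and payload[4:6] == b"\x00\x00":
            return "ICMP Query ID Zero Drops"
    elif proto == 47 and len(payload) >= 4:
        # GRE Version is the low 3 bits of the first 16-bit word (RFC 2784)
        if struct.unpack("!H", payload[:2])[0] & 0x0007:
            return "GRE Unknown Version Drops"
    return None
```
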

Limit drop counters record attempts to exceed a configured limit: the entry, packet, etc. is dropped and the counter is incremented by 1. The limits are:

Limit Drop Counters

Description

Address Map Entry Limit Drops

IP-IP NAT mappings. It is a global limit and can be set via the command nat limits address-mappings

Session Entry Limit Drops

NAT sessions (here an entry includes the Internal, External and Remote IP:Port). It is a global limit and can be set via the command nat limits sessions

Subscriber Limit Drops

Internal IP (subscribers) for NAT. It is a global limit and can be set via the command nat limits active-subscribers

Pending Fragments Limit Drops

Fragments currently being processed for the NAT. It is a global limit and can be set via the command nat limits pending-fragments

Address Map Failure Drops

See RFC 7659 Section 3.1.4 for reference. The counter is incremented when:

  • there are no free IP addresses in the pool

  • the system has received a request to allocate an IP address which is already busy

Port Map Failure Drops

This counter includes the counters connected to Port Limit Drops:

  • Port Map Entry Limit Drops: IP:Port to IP:Port NAT mappings. It is a global limit and can be set via the command nat limits port-mappings

  • Subscriber Port Map Limit Drops: the limit on the number of ports allocated to one user has been exceeded. The limit is set via limits port-map-entries in the subscriber-group section

  • Subscriber Port Block Limit Drops: the limit on the number of port blocks allocated to one user has been exceeded. The limit is set via limits port-block-entries in the subscriber-group section

  • No Free Port Drops: no free ports on one of the external IP addresses in one of the pools (see the output of show nat pool POOL_NAME ip)

  • No Free Block Drops: no free port blocks on one of the external IP addresses in one of the pools (see the column Port Blocks in the output of show nat pool POOL_NAME ip)

Subscriber Session Limit Drops

Sessions per subscriber. The limit is set via limits session-entries

Fragment Chain Limit Drops

The limit for a fragment chain is exceeded. The default value is 24

show <nat|nat64> counters [vrf NAME] protocols
clear <nat|nat64> counters [vrf NAME] protocols

Display the counter information for each protocol, for example:

nfware# show nat counters protocols
---------------------------------------------------------------------------------------------------------
Counter                 ICMP                TCP                 UDP            GRE                 ESP
---------------------------------------------------------------------------------------------------------
Port Map Entries        0                   0                   0               0                   0
Translations Outbound   385                 0                   0               0                   0
Translations Inbound    385                 0                   0               0                   0
Port Map Creations      1                   0                   0               0                   0
Port Map Failure Drops  0                   0                   0               0                   0
---------------------------------------------------------------------------------------------------------
show <nat|nat64> sessions [FILTER]
clear <nat|nat64> sessions [FILTER]

Display the whole translation table, with the capability to filter the output by the following fields: internal/external/remote IP addresses, protocols, ports, pool, or VRF

Filter

Keys

proto

  • icmp

  • tcp. You can type the tcp key alone or add one or several of the following state keys:

    • syn-received

    • established

    • fin-received

    • closing

    • transitory

  • udp

  • gre

  • esp

int-ip

  • For NAT, type the internal IP address as A.B.C.D

  • For NAT64, type the internal IP address as X:X::X:X

int-port

Choose internal port from range 1-65535

ext-ip

Specify external IP address like A.B.C.D

ext-port

Choose external port from range 1-65535

rem-ip

Specify remote IP address like A.B.C.D

rem-port

Choose remote port from range 1-65535

pool

Specify pool NAME

vrf

Specify vrf NAME

Full format of the commands:

show nat64 sessions [{proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory}]|udp|gre|esp>|int-ip X:X::X:X|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
show nat sessions [{proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory}]|udp|gre|esp>|int-ip A.B.C.D|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
clear nat64 sessions [{proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory}]|udp|gre|esp>|int-ip X:X::X:X|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]
clear nat sessions [{proto <icmp|tcp [{syn-received|established|fin-received|closing|transitory}]|udp|gre|esp>|int-ip A.B.C.D|int-port (1-65535)|ext-ip A.B.C.D|ext-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|pool NAME|vrf NAME}]

Examples:

nfware# show nat sessions int-port 22
-------------------------------------------------------------------------------
Protocol  Internal               External               Remote
-------------------------------------------------------------------------------
icmp      192.168.1.2:22       12.13.14.15:603      5.5.5.5:603
-------------------------------------------------------------------------------

nfware# show nat sessions proto udp int-ip 192.168.1.24 int-port 58448 rem-ip 6.6.6.6 pool TEST
-------------------------------------------------------------------------------
Protocol  Internal               External               Remote
-------------------------------------------------------------------------------
udp       192.168.1.24:58448     12.13.14.20:5296     6.6.6.6:29375
-------------------------------------------------------------------------------

nfware# show nat sessions proto tcp transitory int-ip 192.168.1.25 rem-ip 6.6.6.6
-------------------------------------------------------------------------------
Protocol  Internal               External               Remote
-------------------------------------------------------------------------------
tcp (t)   192.168.1.25:58448     12.13.14.18:5296     6.6.6.6:443
-------------------------------------------------------------------------------
show <nat|nat64> sessions [vrf NAME] STRING...
clear <nat|nat64> sessions [vrf NAME] STRING...

Display the detailed information about the session, specified by the full session key. The key can be taken from the output of the show nat sessions command. For example:

nfware# show nat sessions icmp      192.168.3.4:5          203.0.113.34:119       172.20.1.2:119
Key: proto icmp int-ip 192.168.3.4 int-port 5 ext-ip 203.0.113.34 ext-port 119 rem-ip 172.20.1.2 rem-port 119
Direction: outbound
Time to live: 0h 0m 59s
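
Scripting around these two outputs, as an added example that is not part of the NFWare documentation or product: the Python below parses the show nat sessions table into records (including the tcp state letter in parentheses), rebuilds the full session key in the form the command above prints, and generates one clear command per session towards a given remote address. SESSIONS_OUTPUT is a constructed sample assembled from the rows shown on this page.

```python
import re

# Constructed sample in the format of `show nat sessions` shown on this page.
SESSIONS_OUTPUT = """\
-------------------------------------------------------------------------------
Protocol  Internal               External               Remote
-------------------------------------------------------------------------------
icmp      192.168.1.2:22       12.13.14.15:603      5.5.5.5:603
tcp (t)   192.168.1.25:58448     12.13.14.18:5296     6.6.6.6:443
udp       192.168.1.24:58448     12.13.14.20:5296     6.6.6.6:29375
-------------------------------------------------------------------------------
"""

# One table row: protocol, optional "(state)" for tcp, then three IP:port columns.
# \S+ followed by a backtrack to the last ':' also copes with NAT64 X:X::X:X addresses.
ROW = re.compile(r"^(?P<proto>\w+)(?:\s+\((?P<state>\w)\))?\s+"
                 r"(?P<int>\S+):(?P<int_port>\d+)\s+"
                 r"(?P<ext>\S+):(?P<ext_port>\d+)\s+"
                 r"(?P<rem>\S+):(?P<rem_port>\d+)\s*$")

def parse_sessions(text):
    """Return one dict per table row; header and separator lines do not match ROW."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def session_key(row):
    """Full session key in the form `show nat sessions STRING...` prints after 'Key:'."""
    return ("proto {proto} int-ip {int} int-port {int_port} ext-ip {ext} "
            "ext-port {ext_port} rem-ip {rem} rem-port {rem_port}").format(**row)

def clear_commands(rows, rem_ip):
    """One clear command per session towards rem_ip, addressed by its full key."""
    return ["clear nat sessions " + session_key(r) for r in rows if r["rem"] == rem_ip]

if __name__ == "__main__":
    for cmd in clear_commands(parse_sessions(SESSIONS_OUTPUT), "6.6.6.6"):
        print(cmd)
```
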
show <nat|nat64> counters [vrf NAME] rate

Display counters rate. If you have several NAT instances configured in different VRFs, you can view the counters rate in each VRF separately by specifying its NAME.

show nat64 fragment [{src-ip X:X::X:X | dst-ip X:X::X:X | vrf NAME}]
show nat fragment [{src-ip A.B.C.D | dst-ip A.B.C.D | vrf NAME}]

Display the IP packet fragmentation table for NAT|NAT64. You can specify filters such as source/destination IP addresses and VRF. vCGNAT collects IP packet fragments in a chain while it waits for the first fragment, until the chain lifetime expires (15 seconds).

show <nat|nat64> mappings [FILTER]

Display the internal to external IP:Port mapping table for NAT|NAT64 with the capability to filter the output by the following fields: internal/external IP addresses, protocols, ports or VRF. Also, the type of mapping is shown:

  • d for dynamic translation,

  • s for static one,

  • pcp for mappings that subscribers opened themselves by asking NAT via the PCP protocol.

For dynamic mapping the entry is presented in the table as long as at least one session is alive. The mapping will be deleted as soon as the last session is closed. Static mappings do not age out. PCP mappings live for the requested time, but it is limited to 1 hour. You cannot open a port for more than 1 hour via PCP protocol.

Filter

Keys

proto

  • icmp

  • tcp

  • udp

  • gre

  • esp

int-ip

  • for NAT, type the internal IP address as A.B.C.D

  • for NAT64, type the internal IP address as X:X::X:X

int-port

Choose internal port from the range 1-65535

rem-ip

Specify remote IP address like A.B.C.D

rem-port

Choose remote port from range 1-65535

vrf

Specify vrf NAME

Full format of the commands:

show nat64 mappings [{proto <icmp|udp|tcp|gre>|int-ip X:X::X:X|int-port (1-65535)|rem-ip X:X::X:X|rem-port (1-65535)|vrf NAME}]
show nat mappings [{proto <icmp|udp|tcp|gre>|int-ip A.B.C.D|int-port (1-65535)|rem-ip A.B.C.D|rem-port (1-65535)|vrf NAME}]

Examples:

nfware# show nat mappings
--------------------------------------------------------------
Type  Protocol  Internal               Remote
--------------------------------------------------------------
d     icmp      192.168.1.2:48386     12.13.14.16:17696
s     tcp       192.168.1.3:1016      12.13.14.17:79
pcp   udp       192.168.1.3:3718      12.13.14.18:39530

nfware# show nat mappings proto icmp int-ip 192.168.1.2 rem-ip 12.13.14.16
--------------------------------------------------------------
Type  Protocol  Internal               Remote
--------------------------------------------------------------
d     icmp      192.168.1.2:48386     12.13.14.16:17696