MVP
Posts: 562
Registered: ‎11-28-2011

NAT troubleshooting (of VPNs)

Hi All,

I'm in the process of troubleshooting a customer's challenge with certain VPN traffic (drops, I'm told). I'm going to site tomorrow to see what the traffic looks like (i.e. NAT-T, but possibly something else).

In the meantime, I'm looking at the controller remotely, wondering if it's something to do with NAT limits.

The controller is NAT'ing users to a single public IP at the moment. There are about 1500 users.

Can anyone suggest a CLI command that accurately shows a summary of the current outbound NAT translations and/or sessions, in terms of maximum possible and current active, rather than looking through the entire session table, which is massive as you'd expect?

Kudos appreciated, but I'm not hunting! (ACMX 104)
MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: NAT troubleshooting (of VPNs)

 

This isn't necessarily what you're looking for, but maybe it could help:

(HOME-MASTER-CONTROLLER) #show datapath nat table

Datapath NAT Table Entries
--------------------------
Pool  SIP Start        SIP End          DIP
----  ---------------  ---------------  ---------------

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 562
Registered: ‎11-28-2011

Re: NAT troubleshooting (of VPNs)

Hi,

Yeah, I found that one, but it seems to show configuration aspects rather than live NAT information?

Thanks anyway.

Kudos appreciated, but I'm not hunting! (ACMX 104)
MVP
Posts: 562
Registered: ‎11-28-2011

Re: NAT troubleshooting (of VPNs)

Right,

I have a suspicion that the VPN traffic type my customer has in question is PPTP. Haven't got to site yet due to transport disruption!

My understanding is that throughout the AOS lifecycle, support for PPTP over NAT has been added and removed at various stages.

The customer is currently on 6.2.1.2.

So, I guess I have 3 questions.

1. Is PPTP supported in this version? If not, does anybody have an authoritative view of which versions do support it?

2. Does anybody know if you can do the equivalent of a static PAT (like you could on a Cisco ASA) within any NAT configuration context or role rule/policy, i.e. not translate the source port? I've looked and can't see an obvious way.

3. My understanding (which might be wrong) is that half the problem with PPTP is that it doesn't like source ports being changed. Am I wrong? If this is the case, I can't see that it's worth me looking at implementing an external NAT pool to increase translation potential over multiple source IPs?

Kudos appreciated, but I'm not hunting! (ACMX 104)
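Added example, not from the thread and not AOS code: a toy port-address-translation table in Python that models the mechanics behind questions 2 and 3 above and keeps the per-public-IP "current active" count the opening post asked for. A TCP or UDP flow tolerates having its source port rewritten because the public port is only a demultiplexing key on the NAT; PPTP's data leg is GRE (IP protocol 47), which has no ports, so a plain PAT can only key it on (public IP, peer IP) and the second client to the same VPN server collides unless a PPTP ALG tracks and rewrites the GRE Call ID. The same model shows what an external NAT pool buys: more public IPs raise the TCP/UDP port ceiling per destination, but without an ALG they only relax the GRE limit to one tunnel per public IP per server. The class and function names are hypothetical, the allocator is deliberately simplified (no ageing or port reuse), and all addresses are constructed from RFC 5737 documentation ranges.

```python
"""Toy PAT table (added illustration only; not AOS code, not from the thread)."""
from collections import Counter

TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers; PPTP data runs over GRE (47)


class PatExhausted(Exception):
    """No free public port left for this (proto, public_ip, dst_ip, dst_port)."""


class GreCollision(Exception):
    """Second GRE tunnel to one peer through one public IP, and no PPTP ALG."""


class PatTable:
    def __init__(self, public_ips, port_lo=1024, port_hi=65535, pptp_alg=False):
        self.public_ips = list(public_ips)          # constructed pool, not a real config
        self.port_lo, self.port_hi = port_lo, port_hi
        self.pptp_alg = pptp_alg
        # forward map: (proto, src_ip, src_id, dst_ip, dst_port) -> (pub_ip, pub_id)
        self.fwd = {}
        # next free public port per (proto, pub_ip, dst_ip, dst_port): the public
        # port only has to be unique inside that tuple, so one public IP carries
        # about port_hi - port_lo + 1 concurrent flows per destination
        self.next_port = {}
        # GRE state per (pub_ip, peer_ip): public Call ID -> private src_ip
        self.gre = {}

    def _public_ip(self, src_ip):
        # deterministic spread of clients across the pool (hash() is salted per run)
        return self.public_ips[sum(int(o) for o in src_ip.split(".")) % len(self.public_ips)]

    def translate(self, proto, src_ip, src_id, dst_ip, dst_port=0):
        """Return the (public_ip, public_id) an outbound packet is rewritten to.
        src_id is the TCP/UDP source port, or the GRE Call ID for PPTP data."""
        key = (proto, src_ip, src_id, dst_ip, dst_port)
        if key in self.fwd:
            return self.fwd[key]
        pub_ip = self._public_ip(src_ip)
        if proto in (TCP, UDP):
            slot = (proto, pub_ip, dst_ip, dst_port)
            port = self.next_port.get(slot, self.port_lo)
            if port > self.port_hi:
                raise PatExhausted(slot)
            self.next_port[slot] = port + 1
            mapping = (pub_ip, port)  # the client never sees the rewritten port
        elif proto == GRE:
            calls = self.gre.setdefault((pub_ip, dst_ip), {})
            if self.pptp_alg:
                # ALG: pick a Call ID unused on this (pub_ip, peer) pair and rewrite
                # it (a real ALG also patches it inside the TCP/1723 control messages)
                pub_call = src_id
                while pub_call in calls:
                    pub_call = (pub_call + 1) % 65536
                mapping = (pub_ip, pub_call)
            else:
                # no ALG: GRE has no port, so the only demux key is (pub_ip, peer);
                # a second private host behind that pair cannot be told apart
                if any(owner != src_ip for owner in calls.values()):
                    raise GreCollision((pub_ip, dst_ip))
                mapping = (pub_ip, src_id)  # Call ID passed through untouched
            calls[mapping[1]] = src_ip
        else:
            raise ValueError(f"unsupported IP protocol {proto}")
        self.fwd[key] = mapping
        return mapping

    def summary(self):
        """Active translations per (public_ip, proto) plus the per-destination port
        ceiling: the 'current active vs maximum possible' view asked for above."""
        active = Counter((pub_ip, key[0]) for key, (pub_ip, _) in self.fwd.items())
        return {"active": dict(active),
                "ports_per_public_ip_per_destination": self.port_hi - self.port_lo + 1}


def pptp_demo():
    """Two clients behind one public IP to one PPTP server, without and with an ALG."""
    server = "198.51.100.5"
    plain = PatTable(["203.0.113.1"])
    ctl_a = plain.translate(TCP, "10.0.0.10", 40000, server, 1723)  # control channel
    ctl_b = plain.translate(TCP, "10.0.0.11", 40000, server, 1723)  # survives PAT fine
    plain.translate(GRE, "10.0.0.10", 1, server)                     # first GRE tunnel
    try:
        plain.translate(GRE, "10.0.0.11", 1, server)                 # second one collides
        collided = False
    except GreCollision:
        collided = True
    alg = PatTable(["203.0.113.1"], pptp_alg=True)
    gre_a = alg.translate(GRE, "10.0.0.10", 1, server)
    gre_b = alg.translate(GRE, "10.0.0.11", 1, server)               # gets a rewritten Call ID
    return ctl_a, ctl_b, collided, gre_a, gre_b


def flows_that_fit(n_flows, port_lo=1024, port_hi=1026):
    """How many flows to one dst ip:port fit through one public IP with this port range."""
    t = PatTable(["203.0.113.1"], port_lo=port_lo, port_hi=port_hi)
    fitted = 0
    for i in range(n_flows):
        try:
            t.translate(TCP, "10.0.0.10", 50000 + i, "198.51.100.5", 443)
            fitted += 1
        except PatExhausted:
            break
    return fitted
```

Running `pptp_demo()` returns both control-channel mappings on distinct public ports, `True` for the GRE collision without the ALG, and two distinct public Call IDs with it; `flows_that_fit(10)` returns 3 for a three-port range, which is the same arithmetic that puts a ~64k-flows-per-destination ceiling on a single public IP with a full ephemeral range.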