[c-nsp] ASR1004 and NAT limitation?
Simon Lockhart
simon at slimey.org
Fri Mar 22 03:00:35 EDT 2013
All,
I'm running an ASR1004 as a centralised CGNAT router. I've got various pools
defined for different customers, and use a NAT route-map to stop private IPs
being NAT'd when trying to reach our internal services (where we'd want to see
the private IPs still). Typical config per customer is:
ip nat pool cust1-pool-1 xxx.yyy.153.64 xxx.yyy.153.95 prefix-length 27
ip nat inside source route-map cust1-nat pool cust1-pool-1 overload
!
ip access-list extended on-net
 permit ip any aaa.xxx.128.0 0.0.15.255
 permit ip any bbb.yyy.128.0 0.0.31.255
 permit ip any ccc.zzz.128.0 0.0.127.255
!
ip access-list extended cust1
 permit ip 100.65.162.0 0.0.0.255 any
 permit ip 100.65.160.0 0.0.1.255 any
!
route-map cust1-nat deny 10
 match ip address on-net
route-map cust1-nat permit 20
 match ip address cust1
After adding another set of this config, I've hit this log message:
*Mar 22 06:37:54.476 UTC: %CPP_FM-3-CPP_FM_TCAM_ERROR: F0: cpp_sp: TCAM limit exceeded: Class group nat-cg:1001 could not be successfully attached. Please remove the class group from the interface.
On this page http://www.cisco.com/en/US/docs/routers/asr1000/release/notes/asr1k_caveats_38s.html it says:
- CSCtz71208
Symptom: On a Cisco ASR1000 series router, once the error,
CPP_FM-3-CPP_FM_TCAM_ERROR is seen, the only way to recover TCAM is to reload
the ASR. Removing the config leading to the TCAM exhaustion is not enough.
Conditions: This is seen after something leads to the TCAM being exhausted.
This bug only relates to the recovery from the exhaustion, not the exhaustion
itself. For that, please see bug: CSCtz33305 Deny Statements could exhaust the
TCAM entries.
Workaround: Reload the device.
Looks like this is what I'm hitting, but does anyone know more about this bug?
I can't seem to see CSCtz33305, but it'd be good to know if there's any
workaround to avoid hitting this issue...
Many thanks,
Simon
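The following is an added example, not something from the post or from Cisco: a small Python model of the NAT route-map / ACL logic shown above. It parses a config in the same shape as the snippet, answers "would this source/destination pair be translated or left alone?" by walking the route-map clauses in sequence order, and counts how many ACL entries are referenced from deny clauses, since the caveat quoted in the post (CSCtz33305, "Deny Statements could exhaust the TCAM entries") is about exactly that construct. The sample config and the flows are constructed, using RFC 5737 documentation prefixes and a 100.64.0.0/10 source in place of the poster's masked addresses. How many TCAM entries each ACE actually consumes on the ASR1000 is platform-specific and not derivable from the post, so the audit only reports the count of ACEs behind deny clauses as a pre-change sanity figure.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample config in the shape of the post's snippet (documentation
# addresses, not the poster's real ones).
SAMPLE_CONFIG = """
ip nat inside source route-map cust1-nat pool cust1-pool-1 overload
!
ip access-list extended on-net
 permit ip any 198.51.128.0 0.0.15.255
 permit ip any 203.0.128.0 0.0.31.255
!
ip access-list extended cust1
 permit ip 100.65.162.0 0.0.0.255 any
 permit ip 100.65.160.0 0.0.1.255 any
!
route-map cust1-nat deny 10
 match ip address on-net
route-map cust1-nat permit 20
 match ip address cust1
"""

ALL_ONES = 0xFFFFFFFF


def _parse_target(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (net, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_config(text):
    """Extract extended ACLs, route-maps and 'ip nat inside source route-map' bindings."""
    acls = OrderedDict()        # name -> [(action, src_net, src_wild, dst_net, dst_wild)]
    route_maps = OrderedDict()  # name -> [{"action", "seq", "acls"}]
    nat_bindings = []           # (route-map name, pool name)
    current_acl = current_rm = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current_acl, current_rm = tokens[3], None
            acls[current_acl] = []
        elif current_acl and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src_net, src_wild, i = _parse_target(tokens, 2)
            dst_net, dst_wild, _ = _parse_target(tokens, i)
            acls[current_acl].append((tokens[0], src_net, src_wild, dst_net, dst_wild))
        elif tokens[0] == "route-map":
            current_rm, current_acl = tokens[1], None
            route_maps.setdefault(current_rm, []).append(
                {"action": tokens[2], "seq": int(tokens[3]), "acls": []})
        elif current_rm and tokens[:3] == ["match", "ip", "address"]:
            route_maps[current_rm][-1]["acls"].extend(tokens[3:])
        elif tokens[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            nat_bindings.append((tokens[5], tokens[7]))
    return acls, route_maps, nat_bindings


def _wild_match(addr, net, wild):
    """IOS wildcard semantics: bits set in the wildcard are don't-care."""
    mask = ~wild & ALL_ONES
    return (addr & mask) == (net & mask)


def acl_result(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, sn, sw, dn, dw in acl:
        if _wild_match(src, sn, sw) and _wild_match(dst, dn, dw):
            return action
    return "deny"


def nat_decision(acls, route_maps, rm_name, src_str, dst_str):
    """Walk the route-map in sequence order; return (decision, matching seq or None).

    A permit clause whose ACL permits the flow -> 'translate'; a deny clause that
    matches, or no clause matching at all, -> 'exempt' (flow is not NATed).
    """
    src, dst = int(ipaddress.IPv4Address(src_str)), int(ipaddress.IPv4Address(dst_str))
    for clause in route_maps[rm_name]:
        # A clause with no match statements matches everything.
        hit = not clause["acls"] or any(
            acl_result(acls[a], src, dst) == "permit" for a in clause["acls"])
        if hit:
            return ("translate" if clause["action"] == "permit" else "exempt", clause["seq"])
    return ("exempt", None)


def deny_clause_ace_count(acls, route_maps):
    """Per route-map, number of ACEs reachable from deny clauses (the shape the caveat names)."""
    return {name: sum(len(acls[a]) for c in clauses if c["action"] == "deny" for a in c["acls"])
            for name, clauses in route_maps.items()}


if __name__ == "__main__":
    acls, rms, bindings = parse_config(SAMPLE_CONFIG)
    for rm, pool in bindings:
        print(f"{rm} -> pool {pool}: {deny_clause_ace_count(acls, rms)[rm]} ACEs behind deny clauses")
    for src, dst in [("100.65.162.10", "198.51.130.1"), ("100.65.162.10", "192.0.2.1")]:
        print(src, "->", dst, nat_decision(acls, rms, "cust1-nat", src, dst))
```

Run it before adding another customer block to see how many deny-side ACEs the new route-map would carry, and to confirm that on-net destinations really fall out of translation while everything else from the customer range is translated.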