topic I don't know. My guest guess in Network Security

NAT over utilized?

martee.o.sacramento — Fri, 21 Feb 2020 13:42:17 GMT

Hi All,

I just want to know about the results of NAT translations below. Need to know your inputs. Don't know what are the meaning of highlighted below. Thanks in advance!

Router1:

Total active translations: 2600 (4 static, 2596 dynamic; 2596 extended)
Outside interfaces:
GigabitEthernet0/1/0
Inside interfaces:
Port-channel1.99, Port-channel1.100, Port-channel1.101
Hits: 915070021 Misses: 7640111
Expired translations: 7576409
Dynamic mappings:
-- Inside Source
[Id: 2] access-list NAT_ACL interface GigabitEthernet0/2/0 refcount 2513
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 176674 Out-to-in drops: 24189
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 46628
IP alias add fail: 0
Limit entry add fail: 0

Router2:

Total active translations: 5029 (1 static, 5028 dynamic; 5028 extended)
Outside interfaces:
GigabitEthernet0/0/1, GigabitEthernet0/1/0
Inside interfaces:
GigabitEthernet0/0/0, Port-channel2.99, Port-channel2.100
Port-channel2.101
Hits: 546320465 Misses: 6446100
Expired translations: 6445134
Dynamic mappings:
-- Inside Source
[Id: 3] access-list NAT_ACL interface GigabitEthernet0/1/0 refcount 5027
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 80066 Out-to-in drops: 59164
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 74851
IP alias add fail: 0
Limit entry add fail: 0

-Matt

How you got any NAT

Philip D'Ath — Fri, 22 Jan 2016 22:37:40 GMT

How you got any NAT restrictions configured, like:

ip nat translation max-entries ...

No. I dont have configured

martee.o.sacramento — Sat, 23 Jan 2016 01:23:22 GMT

No. I dont have configured max-entries. The only suggested to configured for me is the 1hr expiration of translation "ip nag translation timeout 3600". Is there anything wrong on the outputs of the nat stat?

I'm confused by the "id" in

Philip D'Ath — Sat, 23 Jan 2016 02:14:32 GMT

I'm confused by the "id" in the output. Is by chance an HSRP NAT configuration?

Yes. We used HSRP NAT

martee.o.sacramento — Sat, 23 Jan 2016 02:25:08 GMT

Yes. We used HSRP NAT configuration. So the Router1 is the primary for the half of the traffic and the Router 2 for the other half.

I suspect these numbers my

Philip D'Ath — Sat, 23 Jan 2016 06:33:40 GMT

I suspect these numbers my reflect that the standby can't apply the NATs that it knows about because it is the standby, and on becoming active it will work.

Not sure. If you aren't observing any issues I don't think I would worry about it.

BTW. Our setup are just like

martee.o.sacramento — Mon, 25 Jan 2016 00:52:42 GMT

BTW. Our setup are just like this.

ISP1 ISP2

HSRP1 - Active HSRP2 - Active

HSRP2 - Standby HSRP1 - Standby

NAT1 NAT2

I observed that the slowness occurs eventually in ISP2. When I try to re-route some traffic from ISP2 to ISP1. I haven't received an issue occurrence.

Do you know what was the meaning of this part in the results?

"In-to-out drops: 80066 Out-to-in drops: 59164"

Thanks!

I don't know. My guest guess

Philip D'Ath — Mon, 25 Jan 2016 01:02:58 GMT

I don't know. My guest guess is the router dropped the packet because it was being processed by the other router (aka was in HSRP standby mode).

Is NAT can cause of latency

martee.o.sacramento — Tue, 26 Jan 2016 05:31:34 GMT

Is NAT can cause of latency/disconnections?

Latency, not usually.

Philip D'Ath — Tue, 26 Jan 2016 05:38:58 GMT

Latency, not usually. Disconnections, yes if it is having a problem.

Ok. Maybe I should take a

martee.o.sacramento — Fri, 29 Jan 2016 05:28:45 GMT

Ok. Maybe I should take a look deep to the NAT issues. Thanks Bro! Have a nice a day.