dynamic NAT not working

samir.elfadil · ‎02-03-2022

Hello

I am using nexus 3548, the dynamic NAT configuration as follow:
ip access-list delta
1 permit ip 172.16.180.0/24 any

ip nat pool delta x.x.x.x x.x.x.x prefix-length 29

ip nat translation tcp-timeout 500
ip nat translation udp-timeout 60
ip nat translation timeout 120
ip nat translation max-entries 1000
ip nat translation sampling-timeout 900

ip nat inside source list delta pool delta overload

the connection to internet begin fast and the it goes slow but the Youtube streaming looks fine but the download rate is very bad-my connection to internet is almost 50mbps and the download rate is less than 10kbps

I think one of the timeout parameters is the key factor but i cannot guess which one of them, please help

MHM Cisco World · ‎02-03-2022

Why you think it NAT issue, i think it mtu issue the mtu is large and need to frag. And that make intent slow.

samir.elfadil · ‎02-05-2022

when I change to static NAT using same configuration the things goes smooth and the connection to internet has now slow problem, that is why I thought its something with dynamic NAT.

can you explain where should I look for the mtu issue? in nexus or in the upper gateway?

thanks

Georg Pauwen · ‎02-05-2022

Hello,

what does the configuration of your pool look like ? Make sure the actual interface address is not part of the pool.

samir.elfadil · ‎02-05-2022

natout site interface is vlan interface and it's ip address is not part of any global pool

Georg Pauwen · ‎02-06-2022

Hello,

add the command:

ip local-proxy-arp

to the outside Vlan interface. Also, try the values below:

ip nat translation tcp-timeout 50000
ip nat translation udp-timeout 45000

MHM Cisco World · ‎02-05-2022

ip nat translation max-entries 1000 <- this is low
check
show ip nat statistics,
share it here if you can.

ip nat translation tcp-timeout 500 <- this too low ??

samir.elfadil · ‎02-06-2022

sh ip nat statistics

IP NAT Statistics
====================================================
Stats Collected since: Sat Feb 5 12:17:31 2022
----------------------------------------------------
Total active translations: 85
No.Static: 0
No.Dyn: 84
No.ICMP: 1
----------------------------------------------------
Total expired Translations: 587
SYN timer expired: 406
FIN-RST timer expired: 75
Inactive timer expired: 106
----------------------------------------------------
Total Hits: 217603 Total Misses: 296227
In-Out Hits: 67788 In-Out Misses: 57388
Out-In Hits: 149815 Out-In Misses: 238839
----------------------------------------------------
Total SW Translated Packets: 246773
In-Out SW Translated: 99307
Out-In SW Translated: 147466
----------------------------------------------------
Total SW Dropped Packets: 27475
In-Out SW Dropped: 25683
Out-In SW Dropped: 1792

Address alloc. failure drop: 0
Port alloc. failure drop: 0
Dyn. Translation max limit drop: 0
ICMP max limit drop: 0
Allhost max limit drop: 0
----------------------------------------------------
Total TCP session established: 3834
Total TCP session closed: 852
----------------------------------------------------
NAT Inside Interfaces: 20

MHM Cisco World · ‎02-09-2022

1-Dyn. Translation max limit drop: 0<- this indicate that the drop of packet for max limit is 0
2- Hit and huge number of Miss
this indicate that the traffic always need CPU to build new NAT entry this reduce the download rate

why miss is too huge?
because the TCP timeout is too low and hence the entry is remove and CPU must build new entry "miss count increase for each new entry NAT add if the traffic not found one".
so please only increase the timeout slowly until your router can handle traffic without or with little miss number.
note:- you can clear the NAT counter each time you do change.