NAT/PAT limitations when going to single destination IP

admin_2
Level 3

We have a web-based application which some of our clients access via the Internet and others via Frame Relay. (They come into multiple routers, but it's all IP to us.) Frequently the clients are doing many-to-one NAT (i.e. PAT) on their router (anything from a 2600 to a 7206VXR). When the number of concurrent users gets too high (around 40-60 users, representing about 4 times that in HTTPS connections, though I don't know the exact number of connections), there are intermittent problems with pages not loading correctly. All of these users are accessing one IP address on my side (which is actually a Cisco CSS load balancer). I suspect that the NAT table on the return packet looks at the IP address first; in most cases, this would filter out much of the potential source addresses on the inside. In my case, however, since all traffic goes to a single IP, the lookup takes a significantly longer time and/or times out somehow. It may also be related to the different ranges of NAT source ports somehow.

To troubleshoot, we've removed NAT (so I see a bunch of un-NATed addresses coming in) and things work just fine. Put NAT back on, the intermittent problems return. (Along with other things, this pretty much rules out the server side completely.)

Anyone have any ideas?

1 Reply

grunky
Level 1

Try

show ip nat translations

If this list of translations is too long, try adding some timeout values:

ip nat translation tcp-timeout 28800

ip nat translation udp-timeout 60

ip nat translation finrst-timeout 10

ip nat translation syn-timeout 10

ip nat translation dns-timeout 15

ip nat translation icmp-timeout 10

ip nat translation port-timeout tcp 443

ip nat translation port-timeout udp
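To make the "show ip nat translations" check above measurable, here is an added example (not from the thread or from Cisco) that parses the common IOS table layout and counts live PAT entries per inside-global address toward each destination, which is where many-to-one PAT to a single IP:443 runs out of translation ports. The sample output and the addresses in it are constructed; the column layout and the hypothetical thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the usual IOS "show ip nat translations" layout (not real router output).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1024   10.1.1.10:50123    198.51.100.20:443  198.51.100.20:443
tcp 203.0.113.5:1025   10.1.1.11:50211    198.51.100.20:443  198.51.100.20:443
tcp 203.0.113.5:1026   10.1.1.11:50212    198.51.100.20:443  198.51.100.20:443
tcp 203.0.113.5:1027   10.1.1.12:49800    198.51.100.20:443  198.51.100.20:443
udp 203.0.113.5:1024   10.1.1.10:53001    198.51.100.53:53   198.51.100.53:53
--- 203.0.113.6        10.1.1.99          ---                ---
"""

# One dynamic PAT row: protocol, then four addr:port columns. Static "---" rows are ignored.
ENTRY = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>\S+):(?P<igport>\d+)\s+"
    r"(?P<il>\S+):(?P<ilport>\d+)\s+"
    r"(?P<ol>\S+):(?P<olport>\d+)\s+"
    r"(?P<og>\S+):(?P<ogport>\d+)\s*$"
)

def parse_translations(text):
    """Return one dict per dynamic translation row; header and static rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("igport", "ilport", "olport", "ogport"):
                d[k] = int(d[k])
            entries.append(d)
    return entries

def pat_pressure(entries, proto="tcp"):
    """Live translations per (inside global, outside global:port).
    Every entry sharing that pair needs a distinct inside-global port, so a count that
    keeps climbing toward one destination (here the single web VIP on 443) is the
    table pressure the thread describes; compare successive snapshots over time."""
    c = Counter()
    for e in entries:
        if e["proto"] == proto:
            c[(e["ig"], f'{e["og"]}:{e["ogport"]}')] += 1
    return c

def hosts_behind(entries, proto="tcp"):
    """Distinct inside-local hosts per destination, to relate the translation count
    back to the number of concurrent users (the thread's 40-60 users, ~4 HTTPS flows each)."""
    hosts = {}
    for e in entries:
        if e["proto"] == proto:
            hosts.setdefault(f'{e["og"]}:{e["ogport"]}', set()).add(e["il"])
    return {k: len(v) for k, v in hosts.items()}
```

Feed the real command output in place of SAMPLE; if the per-destination count stays high after the timeouts above are applied, the entries are long-lived flows rather than stale ones.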