Re: clear ip nat translation *

JudiciaryKenya73725 · ‎10-05-2021

I keep running clear ip nat translation * every two hours for users to access sites. Resolutions not possible until i clear nat translation. Please help

Georg Pauwen · ‎10-05-2021

Hello,

which device is this on, what does the NAT configuration look like ? Are you running out of available IP addresses ?

Post the running config of your device...

JudiciaryKenya73725 · ‎10-05-2021

Device: Cisco Router 1001x
Nat configuration
ip nat inside source route-map XXXXX interface GigabitEthernet0/0/1.xxx overload
ip nat inside source list XXX interface GigabitEthernet0/0/1.xxx overload

JudiciaryKenya73725 · ‎10-05-2021

Device: Cisco Router 1001x
Nat configuration
ip nat inside source route-map XXXXX interface GigabitEthernet0/0/1.xxx overload
ip nat inside source list XXX interface GigabitEthernet0/0/1.xxx overload

Georg Pauwen · ‎10-06-2021

Hello,

ip nat inside source route-map XXXXX interface GigabitEthernet0/0/1.xxx overload
ip nat inside source list XXX interface GigabitEthernet0/0/1.xxx overload

What is the configuration of the route map and the list XXX ? Post the full running config (sh run).

paul driver · ‎10-06-2021

Hello

@JudiciaryKenya73725 wrote:

I keep running clear ip nat translation * every two hours for users to access sites. Resolutions not possible until i clear nat translation. Please help

show version
show ip nat statisitics

Also try decreasing the timeout values
ip nat translation timeout 14400< 4hrs> default 1 day
ip nat translation tcp-timeout 14400< 4hrs> default 1 day

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

JudiciaryKenya73725 · ‎10-06-2021

#show ip nat statistics
Total active translations: 60614 (7 static, 60607 dynamic; 60613 extended)
Outside interfaces:
GigabitEthernet0/0/1.xxx, GigabitEthernet0/0/2
Inside interfaces:
GigabitEthernet0/0/0
Hits: 2166298835 Misses: 15116091
Expired translations: 14177833
Dynamic mappings:
-- Inside Source
[Id: 3] route-map XXXX interface GigabitEthernet0/0/1.xxx refcount 0
[Id: 2] access-list 101 interface GigabitEthernet0/0/1.xxx refcount 60243

nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 8035792 Out-to-in drops: 3346512
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 186319
IP alias add fail: 0
Limit entry add fail: 0

paul driver · ‎10-06-2021

Hello

@JudiciaryKenya73725 wrote:

#show ip nat statistics
Total active translations: 60614 (7 static, 60607 dynamic; 60613 extended)
Outside interfaces:
GigabitEthernet0/0/1.xxx, GigabitEthernet0/0/2
Inside interfaces:
GigabitEthernet0/0/0
Hits: 2166298835 Misses: 15116091
Expired translations: 14177833
Dynamic mappings:
-- Inside Source
[Id: 3] route-map XXXX interface GigabitEthernet0/0/1.xxx refcount 0
[Id: 2] access-list 101 interface GigabitEthernet0/0/1.xxx refcount 60243

nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 8035792 Out-to-in drops: 3346512
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 186319
IP alias add fail: 0
Limit entry add fail: 0

Looks like your reaching a high number of translations, Decrease the tranlsation timeouts as I suggested and see if that helps, even drop it to further to 3600 < 1 hr> if need be.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Georg Pauwen · ‎10-06-2021

Hello,

regarding the configured NAT timeout, a lot of people run into this when port address translation is configured. There is a pretty good thread (linked below) that explains the issue. The essence is:

"When port translation is configured, there is finer control over translation entry timeouts, because each entry contains more context about the traffic using it. Non-DNS UDP translations time out after 5 minutes; DNS times out in 1 minute. TCP translations time out after 24 hours, unless a RST or FIN is seen on the stream, in which case it times out in 1 minute.
********************************************************************************************

The command "ip nat translation timeout" only modifies the "half-entry" timeout AND

even if the half entry has timed out, it will NOT get deleted until ALL child entries have expired.

In other words, it does NOT control the more specific TCP, UDP or ICMP timeouts."

So, in order to 'really' change the timeout, you need to change all of the below:

ip nat translation udp-timeout <seconds>

ip nat translation dns-timeout <seconds>

ip nat translation tcp-timeout <seconds>

ip nat translation finrst-timeout <seconds>

https://community.cisco.com/t5/networking-documents/quot-ip-nat-translation-timeout-quot-command/ta-p/3137012

paul driver · ‎10-06-2021

Hello @Georg Pauwen

UDP and DNS timeouts are short by default anyway, Thats why I suggested to start with tcp sessions first, this can be decreased quite exponentially without incurring any issue

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul