Re: clear ip nat translation

harinirina · ‎06-29-2006

Hi,

We use ip nat to let users connecting to the internet through a 2621XM.They can connect but each hour, we have to do a "clear ip nat translation" , otherwise, the router is too slow, it takes many seconds to write one command.

Is there anything we can do to avoid it or is there a way to launch "clear ip nat translation" automatically every 30 munites for example?

globalnettech · ‎06-30-2006

Hello,

the default NAT timeout for dynamic entries is 24 hours. You can change this default value by issuing the 'ip nat translation timeout seconds' command from the global configuration mode.

Which IOS version are you running ? Can you post the output of 'show version' ?

Your problem sounds could be related to an IOS bug as well...

As for scheduling commands, check the link below for an explanation of the Cisco command scheduler:

Command Scheduler

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a00801b0695.html

HTH,

GNT

ariela · ‎06-30-2006

Hi,

you can use 'kron'.

Please check my conf, and change as you wish:

!

kron occurrence clear in 1:0:0 recurring

policy-list CEF

policy-list NAT

policy-list ARP

!

kron policy-list NAT

cli clear ip nat translation *

!

kron policy-list CEF

cli clear ip cef * prefix-statistics

!

kron policy-list ARP

cli clear arp-cache

!

Hope this helps

Regards

Andrea

harinirina · ‎07-04-2006

we've put

"ip nat translation timeout 60".

the router seems slow.

here's it's show ver

ariela · ‎07-04-2006

Hi,

when an entry is first placed into the NAT table, a timer is started; the period of the timer is the translation timeout. Each time the entry is used to translate the source or destination address of a subsequent packet, the timer is reset. If the timer expires, the entry is removed from the NAT table and the dynamically assigned address is returned to the pool. Cisco's default translation timeout is 86,400 seconds (24 hours).

Defaults:

timeout 86,400 sec

dns-timeout 60 sec

finrst-timeout 60 sec

icmp-timeout 60 sec

port-timeout tcp 60 sec

port-timeout udp 60 sec

syn-timeout 60 sec

tcp-timeout 86,400 sec

udp-port 300 sec

'timeout', 'tcp-timeout' and 'udp-port' are non port specific ... that is, maybe you have a lot of "non port specific" translations, and now your router works too much.

Check 'sh proc cpu', 'sh proc mem' and 'sh ip nat statistics'

Hope this helps

Regards

Andrea

harinirina · ‎07-05-2006

Hi,

yes, it seems the router works too much.In "show proc cpu hist", we've got about 90.We've tried different value of "ip nat translation timeout", still the same.

We haven't specified any tcp-timeout nor udp-port.

ariela · ‎07-05-2006

Hi,

without 'ip nat translation timeout' command, the cpu works fine?

please check this:

no ip nat translation timeout x

sh ip nat statistics

Regards

Andrea

harinirina · ‎07-05-2006

no, we've had to launch the command each 30 mn

ariela · ‎07-05-2006

mmm ...

router is a 2621XM, is it? IOS?

try to enable CEF, and last resort:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d09f0.html

maybe it does the trick

Please let me know

Regards

Andrea

harinirina · ‎07-05-2006

Hi Andrea,

cef 's already enable.

Thanks for all, for your help and documents