Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6645
Views
4
Helpful
3
Replies

Default_MAX_ENTRIES: DEFAULT MAXIMUM ENTRIRES VALUE 16384 exceeded

jesus espinoza
Level 1
Level 1

‎05-30-2022 08:15 PM

Hi All,

 

Seeking for your assistance on this issue. We are currently experiencing this issue on the router where users onsite are not able to access the internet. As checked on the router, we can see logs regarding the default max entries being maxed out. 

 

AT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 16384 exceeded; frame dropped
Apr 15 01:39:20.973: %IOSXE-4-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00001396313862500000 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 16384 exceeded; frame dropped
Apr 15 01:39:26.009: %IOSXE-4-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00001396318898427680 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 16384 exceeded; frame dropped
Apr 15 01:39:31.057: %IOSXE-4-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00001396323946190240 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 16384 exceeded; frame dropped
Apr 15 01:39:36.176: %IOSXE-4-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00001396329065721560 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 16384 exceeded; frame dropped

 

We were able to resolve it by manually clearing the NAT table but we are not guaranteed that it won't re-occur again. First issue happened on Apt. 19 and then it happened again yesterday.

 

Regards,

J

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Rps-Cheers
VIP
VIP

‎05-30-2022 09:08 PM

Refer to:https://frankfu.click/cisco/ccna/nat/2/

The Device will keep NAT entries in the translation table for a configurable length of time. For TCP connections, the default timeout period is 86,400 seconds, or 24 hours. Because UDP is not connection based, the default timeout period is much shorter—only 300 seconds, or 5 minutes. The router will remove translation table entries for DNS queries after only 60 seconds.

# ip nat translation max-entries <200,000>

and keep the system under monitoring.
My other recommendation is to tune the timers not only for the udp, but for the other protocols as well, to reduce the timeout values of the NAT entries from default 24h, not only for the udp as you already did.
Apply the following best practice commands as well:
 
ip nat translation tcp-timeout 600 
ip nat translation udp-timeout 300
ip nat translation icmp-timeout 30
ip nat translation dns-timeout 10
ip nat translation syn-timeout 5

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

jesus espinoza
Level 1
Level 1
In response to Rps-Cheers

‎06-01-2022 04:55 PM

Hi @Rps-Cheers,

 

Thanks for your response. Your recommendation is actually similar to what I found before I posted this and was just hoping to gather more feedback. 

 

 

NAT entries.png

I will definitely try this change once approved by our seniors. Thanks again.

 

Regards,

J

0 Helpful

jesus espinoza
Level 1
Level 1
In response to jesus espinoza

‎06-01-2022 05:13 PM

By the way, does this requires a downtime?

0 Helpful
Customers Also Viewed These Support Documents