Hanging off Nat entry after router and circuit change on DMVPN

Jonnyballgame34
Level 1

Greetings-

I've got a DMVPN router that serves as a spoke for its site. I recently upgraded the router to a 1941, and at the same time, went from 2 serials to a fiber/ether, and from 3mb to 10mb.

Outside of the obvious changes (interfaces, bandwidths, etc.), the configuration is exactly the same. However, a few days after the swap, the new router's CPU started getting swamped and took things down. On reboot it came back up, but it happened again a couple of days later. I traced it to a problem with NAT translations hanging. It seems it takes a couple of days for them to build, but eventually they overwhelm the processor.

I've seen several cases of people having this problem, but I can't find any that say they can fix it. Next step is an IOS upgrade, but it's a nuisance to take down the site, so I'm hoping to have something more than a best guess before I try it. Has anyone seen this before? Thanks

2 Replies

Hello,

Hard to say, can you post your config?

You might want to try 'mode transport' for your VPN tunnels.

Do you have the below configured?

crypto ipsec nat-transparency udp-encapsulation

If not, add that to your configuration.

Hello
Have you tried decreasing the nat default parent/child timeout values for tcp/udp - default is 24 hrs = 86400 secs

example:
ip nat translation timeout 3600 (1 hr)
ip nat translation tcp-timeout 1800 (30 mins)
ip nat translation udp-timeout 1800 (30 mins)

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
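
The build-up described in this thread can be tracked by counting entries per inside host in saved `show ip nat translations` output and comparing snapshots taken some hours apart. The Python below is an added example, not code from any poster in the thread; the sample rows are constructed with documentation addresses, the function names are illustrative, and IPv4 addresses are assumed.

```python
from collections import Counter

# Constructed sample in the column layout of `show ip nat translations`
# (documentation addresses, not output from the poster's router).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:1024  10.1.1.20:51514    198.51.100.5:443   198.51.100.5:443
tcp 203.0.113.10:1025  10.1.1.20:51515    198.51.100.5:443   198.51.100.5:443
udp 203.0.113.10:1026  10.1.1.20:53211    198.51.100.53:53   198.51.100.53:53
udp 203.0.113.10:1027  10.1.1.21:40000    198.51.100.53:53   198.51.100.53:53
--- 203.0.113.11       10.1.1.30          ---                ---
"""

def parse_translations(text):
    """Yield (protocol, inside_local_ip) for each translation row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header, blank line or anything that is not a table row
        proto, _inside_global, inside_local = fields[:3]
        # Dynamic entries are ip:port; static entries ('---') have no port.
        yield proto, inside_local.rsplit(":", 1)[0]

def summarize(text):
    """Return (entries per protocol, entries per inside host) as Counters."""
    by_proto, by_host = Counter(), Counter()
    for proto, host in parse_translations(text):
        by_proto[proto] += 1
        by_host[host] += 1
    return by_proto, by_host

def heavy_hosts(text, threshold):
    """Inside hosts holding at least `threshold` translations, busiest first."""
    return [(h, n) for h, n in summarize(text)[1].most_common() if n >= threshold]

def growth(earlier, later):
    """Per-host increase or decrease in entry count between two snapshots."""
    a, b = summarize(earlier)[1], summarize(later)[1]
    return {h: b[h] - a[h] for h in set(a) | set(b) if b[h] != a[h]}

if __name__ == "__main__":
    protos, hosts = summarize(SAMPLE)
    print("per protocol:", dict(protos))
    print("hosts with >= 2 entries:", heavy_hosts(SAMPLE, threshold=2))
```

A host whose count keeps rising between snapshots, long after its sessions should have ended, is the one to look at when choosing which timeout to shorten.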