Increase max NAT translation limit on c8000v router

Valkyrie3, Level 1

I'm using a pair of C8000v routers which had been working well until recently, when the site began encountering internet performance issues. I found the following error when the problem starts:

%IOSXE-4-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000064815725001524 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped

I've had a look through the NAT translations and found there are a large number of entries showing the firewall IP address and the public IP address for the VPN on port 443, which from what I can see are people trying to break into the firewall VPN page (the countries for these IPs are outwith the countries genuine users are connecting from). As seems typical with these sorts of attacks, it's a huge range of IP addresses, so it's not viable to set an ACL on the router to block the traffic. My initial plan was to reduce the ip nat translation tcp-timeout value; however, after applying the change it doesn't seem to have had an effect, and I think that's because these are port-specific NAT translations, which default to 60 seconds.

Instead I'd like to increase the limit. I've found a thread on here advising a limit of 200,000, but that's for an ISR4000 router and it warns to be careful about memory; I'm not sure how that compares to the C8000v. The routers currently have two cores and 4GB RAM. Does anyone have any recommendations for a limit that won't cause any memory issues on the router?

The current 4GB of memory is the default from the deployment, but there's plenty of spare memory on the ESXi server it's running on. Is it possible to simply allocate more memory to the VM so the routers will use it, and if so, would that increase the max number of NAT translations the routers could handle?

Thanks for any advice

7 Replies

Hello,
Just to confirm: you're seeing attempted attacks on your public IP range for 443 that are causing a large number of NAT translation entries on the NAT rtr, which suggests you have a device internally that you are PATing for 443; otherwise I'm not sure how a port attack on your external perimeter FW would cause these NAT entries?

Maybe share a topology diagram and the NAT cfg of the 8k rtr.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes, the router is forwarding 443 traffic to a firewall hosting AnyConnect VPN. There are normal NAT entries I can see for internal users, but there's a huge number in this format:

<external VPN address>:443 <internal firewall address>:443 <external Russian IP address>:40594 <external Russian IP address>:40594

I've checked and when I access the firewall VPN page, it adds additional NAT translations into the router table.
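To make the pattern described above measurable, here is an added example (not from the original post, nor Cisco's own tooling) that parses constructed `show ip nat translations` lines in the column layout quoted and tallies, per published service, how many entries come from addresses seen only once, against the 131072 default named in the log. The sample output is constructed and its addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the `show ip nat translations` column layout the thread
# quotes (proto, inside global, inside local, outside local, outside global).
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_TRANSLATIONS = """\
Pro  Inside global         Inside local          Outside local         Outside global
tcp  203.0.113.10:443      10.0.0.5:443          198.51.100.7:40594    198.51.100.7:40594
tcp  203.0.113.10:443      10.0.0.5:443          198.51.100.8:51022    198.51.100.8:51022
tcp  203.0.113.10:443      10.0.0.5:443          198.51.100.9:33101    198.51.100.9:33101
tcp  203.0.113.10:443      10.0.0.5:443          192.0.2.44:55001      192.0.2.44:55001
tcp  203.0.113.10:443      10.0.0.5:443          192.0.2.44:55002      192.0.2.44:55002
tcp  203.0.113.10:443      10.0.0.5:443          192.0.2.44:55003      192.0.2.44:55003
tcp  203.0.113.11:61234    10.0.1.20:61234       192.0.2.80:443        192.0.2.80:443
udp  203.0.113.11:5060     10.0.1.21:5060        192.0.2.90:5060       192.0.2.90:5060
"""

DEFAULT_MAX_ENTRIES = 131072  # limit named in the %NAT-4-DEFAULT_MAX_ENTRIES message

# One translation row: protocol followed by four addr:port columns; the header
# line and any separators do not match and are skipped.
ENTRY_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_translations(text):
    """Return (proto, inside_global, inside_local, outside_local, outside_global) tuples."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def summarize_by_service(rows):
    """Group entries by the published inside-global socket and count distinct outside
    addresses and how many of them appear only once: a static 443 forward whose entries
    are mostly one-hit sources is the scan pattern in the thread, not genuine VPN users."""
    per_service = {}
    for proto, inside_global, _il, _ol, outside_global in rows:
        key = f"{proto.lower()} {inside_global}"
        hits = per_service.setdefault(key, defaultdict(int))
        hits[outside_global.rsplit(":", 1)[0]] += 1
    return {
        key: {
            "entries": sum(hits.values()),
            "distinct_sources": len(hits),
            "single_hit_sources": sum(1 for n in hits.values() if n == 1),
        }
        for key, hits in per_service.items()
    }

def headroom(rows, limit=DEFAULT_MAX_ENTRIES):
    """Fraction of the translation table still free under the given limit."""
    return 1 - len(rows) / limit
```

Run against a real capture, the per-service report separates the 443 forward's one-hit sources from the repeat connections of genuine users, and `headroom` shows how close the table is to the limit before deciding whether raising it is worthwhile.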

If it's an attack, then increasing the NAT entry limit won't help you.

Try to isolate the endpoints starting this attack.

Check at least three of the IPs and use ARP to see where these IPs come from.

MHM

I've already identified the endpoints and initially wanted to drop them on the router, but there are thousands and thousands of different IP addresses (which seems typical now), which is what is causing the problem. If it were a small number of IP addresses then it wouldn't be creating so many NAT translations and causing the router to hit the limit. The router itself isn't having any performance problems dealing with these requests; it's just having problems when it hits the default limit, hence why I want to see how high I can raise it without causing issues.

The AnyConnect traffic passes through the router to the FW; you need only one IP in static NAT.

And let the FW drop this traffic by ACL.

MHM

Let me check this; even if the FW drops the traffic, the router will still build a NAT entry.

Let me check how we can protect both the FW and the router at the same time.

Will update you soon.

MHM

Each country has a specific range of public IPs.

If you don't have any users in Russia, then block the public IPs for Russia via an ACL applied to the WAN interface of the router, direction IN.

This works for ASA.

MHM