
NAT Default Max Entries Error

Hi,

I was checking our router's logs and found the following message:

Jul 30 17:33:43.472 PHT: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00034839540329670960 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped
Jul 30 17:33:48.477 PHT: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:000 TS:00034839545334445884 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped
Jul 30 17:33:53.482 PHT: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:000 TS:00034839550339450112 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped

I just pasted 3 lines but there are a lot of these messages in just one day. Now, we have a firewall where people can connect via IPSEC Remote access VPN. During the same time these error messages were logged, there seems to be an issue with people connecting to the VPN.

Here's the flow:

Internet ---> Router ---> Firewall

The router is using a dedicated Public IP for the firewall (Router does the NATing). So I was wondering if the error messages could be related to the VPN problem? We tried to connect to the VPN the next day and it was successful and upon checking on the logs, there were no NAT error messages the next day.

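As an added example (not part of the original post), a small Python script that parses %NAT-4-DEFAULT_MAX_ENTRIES messages in the format shown above and counts them per minute, so the bursts can be lined up against the times users failed to connect to the VPN. The sample log lines are constructed, and the year is an assumption because IOS syslog timestamps carry no year.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines modelled on the messages in the post (not from a real device).
SAMPLE_LOG = """\
Jul 30 17:33:43.472 PHT: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00034839540329670960 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped
Jul 30 17:33:48.477 PHT: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:000 TS:00034839545334445884 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped
Jul 30 17:33:53.482 PHT: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:000 TS:00034839550339450112 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped
Jul 30 17:34:01.000 PHT: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jul 31 09:12:05.100 PHT: %IOSXE-4-PLATFORM:cpp_cp: QFP:0.0 Thread:000 TS:00034900000000000000 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped
"""

# Timestamp at the start of the line, then the NAT message with the configured limit.
NAT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ \S+: "
    r".*%NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value (?P<limit>\d+) exceeded"
)


def parse_nat_drops(text, year=2024):
    """Return a list of (timestamp, limit) for every NAT table-full drop in the log.

    The year is an assumption supplied by the caller; syslog lines do not carry one.
    """
    events = []
    for line in text.splitlines():
        m = NAT_RE.search(line)
        if not m:
            continue  # not a NAT max-entries message
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group("limit"))))
    return events


def drops_per_minute(events):
    """Bucket the drop messages into one-minute windows, oldest first."""
    buckets = Counter(ts.replace(second=0) for ts, _ in events)
    return {ts.strftime("%b %d %H:%M"): n for ts, n in sorted(buckets.items())}


def exhausted_minutes(events, threshold=3):
    """Minutes in which the NAT table was reported full at least `threshold` times.

    Compare these against the times of the failed VPN connections.
    """
    return [minute for minute, n in drops_per_minute(events).items() if n >= threshold]


if __name__ == "__main__":
    evts = parse_nat_drops(SAMPLE_LOG)
    print(drops_per_minute(evts))
    print("table exhausted during:", exhausted_minutes(evts))
```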

Chandan Singh
Level 1

Hi

We have also seen the same error on our Cisco 4321 router and we had no clue, so we asked Cisco TAC about it. As per them, it is a hardware DRAM issue. Below is the observation from Cisco TAC.

Problem Details: TS:00027906458179190964 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped

Problem analysis:
This is the recommended pre-set limit of the platform. When we reach this limit, the traffic that needs to be NATed is going to be dropped. To avoid this platform limitation, we can increase the maximum entries value allowed to be translated, which I can see you have already set to the max value supported:

ip nat translation max-entries 247483647

I would like to recommend changing the max-entries value to 200 000, because of the following that we must take into consideration: in IOS-XE, the NAT feature automatically (based on the hardware type) sets a default maximum translation value, which is the recommended maximum for that platform assuming that NAT is not the only large QFP memory user. Features like Netflow, Firewall and SBC are examples of large QFP memory users.

This default can always be overridden via the CLI in configuration mode, but we should be careful to set this number to a reasonable limit. The scaling number can vary depending on the actual configuration and network traffic. It is recommended to examine and monitor EXMEM (memory used by the NAT data plane and all QFP features) to ensure free memory stays within reasonable boundaries. It is best for free DRAM never to get lower than 15% of the total. Here are the commands for monitoring EXMEM: sh plat hard qfp act infra exmem stat and sh plat har qfp act inf ex st us. After applying max-entries 200 000, please check that you still have around 50-60% of free DRAM memory.

An ISR 4000 is a very powerful platform with the same performance characteristics as the bigger ASR 1000 platforms. It is expected to hold at least a couple of hundred thousand NAT translations. However, in March this year, when testing various scenarios of Network Address Translation (NAT) on ISR 4000 platforms, it was discovered that in certain configurations in which NAT is statically configured, the number of translations reaches only 4k-12k. Hence, I recommended you to configure

# ip nat translation max-entries <200,000>

and keep the system under monitoring.

My other recommendation is to tune the timers not only for UDP but for the other protocols as well, to reduce the timeout values of the NAT entries from the default 24h, not only for UDP as you already did. Please apply the following best practice commands as well:
#ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 300
ip nat translation icmp-timeout 30
ip nat translation dns-timeout 10
ip nat translation syn-timeout 5

After applying all the changes, please do #clear ip nat translations *