Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1680
Views
1
Helpful
7
Replies

NAT entries maximum

henokk601
Level 1
Level 1

‎08-05-2024 10:20 AM

Hi All,

On my cisco router I see the log entry: "default maximum entries value 131072 exceeded; frame dropped." What do these entries indicate?

Thanks,

Labels:
7 Replies 7

Richard Burts
Hall of Fame
Hall of Fame

‎08-05-2024 03:19 PM

We do not have nearly enough information to be able to understand the issue or to give you good advice. As a starting point can you tell us what model of Cisco router you are using, what version of code is it running, and provide the complete log message content? And perhaps the several log messages before this one to help understand the context?

HTH

Rick
0 Helpful

MHM Cisco World
VIP
VIP

‎08-05-2024 03:24 PM 

NAT-Router#show ip nat statistics

 PAT can up to 65000 NAT done, if you have two public IP then the number near 130000 (what you see)
after that the error start appear 
so Q here did you adjust NAT timeout ?

MHM

0 Helpful

henokk601
Level 1
Level 1
In response to MHM Cisco World

‎08-05-2024 05:00 PM

Router model 4400 series.

How come for web serves publicly accessible the nat entries became full. 

0 Helpful

MHM Cisco World
VIP
VIP
In response to henokk601

‎08-05-2024 05:03 PM

If you make timeout long then each time host access web will use new port in end the table is full.

So not all case cisco recommend adjust NAT timeout

MHM

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to henokk601

‎08-06-2024 07:41 AM

Hello @henokk601 ,

it is still unclear.

>> How come for web serves publicly accessible the nat entries became full. 

Do you mean you have static NAT for servers in a DMZ ?  or you are referring to internet access from internal users ?

I would suggest you to provide your IOS XE version running, the nat configuation and the output of

show ip nat statistics

show ip nat trans

( the last one can expose sensitive info)

Hope to help

Giuseppe

0 Helpful

bbb bbb
Level 1
Level 1

‎08-06-2024 02:15 AM

Dear,

Based on the log message raised, Experts reply inputs here seems to have answered your post.

Please also see this link that might help you -->

https://community.cisco.com/t5/routing/default-max-entries-default-maximum-entrires-value-16384/td-p/4620875

happy to help : ]

Best regards

0 Helpful

HillsideNetworks
Level 1
Level 1

‎03-05-2025 02:13 PM

Hi, I had this problem too. I host an outside facing web, email and DNS servers with 1to1 NATing enabled so I understand the need of using lots of NAT entries. That log entry means you have exhausted the default max entries of 131,072. Fortunately, you have a couple of options available:

1) Change the default timeout for TCP NAT entries from 86,400s (the default) to something less. Use the command "ip nat translation tcp-timeout <0-536870>". Use your best judgement for your own environment. I've found 600s works well for me. Then, clear out the old TCP NAT entries with a "clear ip nat translations tcp". New TCP NAT translations will age out to to the new timeout value you specified.

2) Change the default max NAT entries. In config exec mode, enter "ip nat translation max-entries <1-2147483647>." Choose a number that is suitable for your environment's needs. Again, use your best judgement.

I found that these commands take effect immediately. However, I am not certain if the old TCP NAT entries will take on the new timeout or not (since I couldn't afford to wait 86,400s).

Hiram

0 Helpful
Customers Also Viewed These Support Documents