
PAT issues - PAT Statistics

morabusa
Level 1

Hello,

 

I am currently having issues with a router that has PAT configured. It works well for a while, but after a couple of hours the router stops working because it has a lot of active translations (200K or more). Keep in mind that this is a backup router; the main router doesn't have any problem and usually has just 30.000 active sessions.

 

I am currently seeing that the Out-to-in drops (in the NAT statistics) are constantly increasing, even though this router currently has just a few active sessions because most of the traffic is going through the main router now.

 

Rourter#show ip nat statistics
Total active translations: 337 (21 static, 316 dynamic; 327 extended)
Outside interfaces:
GigabitEthernet0/0/0.10
Inside interfaces:
Vlan30
Hits: 377 Misses: 136
Expired translations: 141
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 101 interface GigabitEthernet0/0/0.10 refcount 6
-- Outside Source
[Id: 1] access-list 180 pool NAT-TEST refcount 0
pool NAT-TEST: id 1, netmask 255.255.255.0
start 192.168.1.1 end 192.168.1.254
type generic, total addresses 254, allocated 0 (0%), misses 0
nat-limit statistics:
max entry: max allowed 500000, used 316, missed 0
In-to-out drops: 616344 Out-to-in drops: 1647470
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 22886
IP alias add fail: 0
Limit entry add fail: 0

 

I am not sure why the drops are currently increasing. Can you please help me? Thank you very much.

 

Best Regards.

8 Replies

Hello,

 

Can you post the configuration of the router? The drops could be related to virtual reassembly or MTU settings... We would need to see the config to spot any potential issues.

Deepak Kumar
VIP Alumni

Hi,

It will be helpful if you share the running configuration with us.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

Hello, 

 

Sorry for the delay. Here you can see the configuration:

 

 

version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
load-interval 30
negotiation auto
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address X.X.X.X 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0/0.100
encapsulation dot1Q 100
ip address X.X.X.X 255.255.255.252
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
load-interval 30
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan30
ip address X.X.X.X 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat inside
load-interval 30
ip virtual-reassembly
!
ip nat translation timeout 3600
ip nat translation max-entries 500000
ip nat pool NAT-TEST 192.168.1.1 192.168.1.254 netmask 255.255.255.0
ip nat inside source static tcp 172.16.1.21 25 81.46.16.195 25 extendable
ip nat inside source static tcp 172.16.1.33 80 81.46.16.195 80 extendable
ip nat inside source static tcp 172.16.1.21 83 81.46.16.195 83 extendable
ip nat inside source static tcp 172.16.1.21 110 81.46.16.195 110 extendable
ip nat inside source static tcp 172.16.1.21 143 81.46.16.195 143 extendable
ip nat inside source static tcp 172.16.1.33 443 81.46.16.195 443 extendable
ip nat inside source static tcp 172.16.1.21 587 81.46.16.195 587 extendable
ip nat inside source static tcp 172.16.1.21 993 81.46.16.195 993 extendable
ip nat inside source static 172.17.1.65 81.46.16.196 extendable
ip nat inside source static tcp 172.16.1.25 25 81.46.16.197 25 extendable
ip nat inside source static tcp 172.16.1.25 81 81.46.16.197 81 extendable
ip nat inside source static tcp 172.16.1.25 143 81.46.16.197 143 extendable
ip nat inside source static 172.17.1.123 81.46.16.198 extendable
ip nat inside source static 172.16.1.34 81.46.16.199 extendable
ip nat inside source static 172.17.2.252 81.46.16.200 extendable
ip nat inside source static 172.17.1.125 81.46.16.201 extendable
ip nat inside source static 172.17.1.126 81.46.16.202 extendable
ip nat inside source static 172.17.1.94 81.46.16.203 extendable
ip nat inside source static 172.16.1.17 81.46.16.204 extendable
ip nat inside source static 172.16.9.21 81.46.16.205 extendable
ip nat inside source static 172.17.1.127 81.46.16.206 extendable
ip nat inside source list 101 interface GigabitEthernet0/0/0.10 overload
ip nat outside source list 180 pool NAT-TEST
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 172.16.1.0 255.255.255.255 X.X.X.X
ip route 172.17.1.0 255.255.255.255 X.X.X.X
ip route 172.17.2.0 255.255.255.255 X.X.X.X
ip route 192.168.1.0 255.255.255.0 X.X.X.X
!
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
access-list 101 permit ip 172.17.2.0 0.0.0.255 any
access-list 180 permit udp any host 81.46.16.200 eq isakmp
!
!
!
!
control-plane
!
!
end

 

 

Thank you very much.

 

Best Regards.

Hello

Can you clear ip nat statistics
and post the following:
show ip nat statistics
show ip route
show access-list 101
show access-list 180
show run | in ip nat
show logg


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
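
Added example (not written by any poster in this thread and not Cisco tooling): once the counters have been cleared and `show ip nat statistics` is captured twice, this Python sketch turns the two captures into per-second drop rates, so it is clear whether the drops are still growing while the table is nearly empty. The first snapshot uses the counter lines posted above; the second snapshot and the 300-second interval are constructed for illustration.

```python
import re

# Fields from `show ip nat statistics` that bear on the symptom in this thread.
FIELDS = {
    "active": r"Total active translations:\s*(\d+)",
    "max_allowed": r"max allowed\s+(\d+)",
    "in_to_out_drops": r"In-to-out drops:\s*(\d+)",
    "out_to_in_drops": r"Out-to-in drops:\s*(\d+)",
    "port_block_alloc_fail": r"Port block alloc fail:\s*(\d+)",
}
CUMULATIVE = ("in_to_out_drops", "out_to_in_drops", "port_block_alloc_fail")

def parse_nat_stats(text):
    """Return the counters as ints; a field absent from the output is None."""
    found = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        found[name] = int(m.group(1)) if m else None
    return found

def drop_report(before, after, seconds):
    """Per-second growth of the cumulative counters between two snapshots."""
    b, a = parse_nat_stats(before), parse_nat_stats(after)
    report = {}
    if a["active"] is not None and a["max_allowed"]:
        report["table_use_pct"] = round(100 * a["active"] / a["max_allowed"], 2)
    for key in CUMULATIVE:
        if a[key] is None or b[key] is None:
            report[key + "_per_s"] = None
            continue
        delta = a[key] - b[key]
        if delta < 0:  # counters were cleared between snapshots: count from zero
            delta = a[key]
        report[key + "_per_s"] = round(delta / seconds, 2)
    return report

# Counter lines copied from the output posted in this thread.
PAGE_SNAPSHOT = """Total active translations: 337 (21 static, 316 dynamic; 327 extended)
max entry: max allowed 500000, used 316, missed 0
In-to-out drops: 616344 Out-to-in drops: 1647470
Port block alloc fail: 22886"""

# Constructed second snapshot (values invented for illustration), taken 300 s later.
LATER_SNAPSHOT = """Total active translations: 352 (21 static, 331 dynamic; 342 extended)
max entry: max allowed 500000, used 331, missed 0
In-to-out drops: 616944 Out-to-in drops: 1653470
Port block alloc fail: 22886"""

if __name__ == "__main__":
    print(drop_report(PAGE_SNAPSHOT, LATER_SNAPSHOT, 300))
```
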

Adel3
Level 1

Any news, guys?

Hello,

 

Do you have the same problem?

Hi

 

Exactly the same.

Hello,

 

More information is needed:

 

--> router model and IOS version

--> output of 'sh run'

--> output of 'show ip nat translation *'
