10-08-2019 05:00 AM
Hello,
I am currently having issues with a router having PAT configured. It works well for a moment but after a couple of hours, the router stops working because it has a lot of active translations (200K or more). Keep in mind that this is a backup router and the main router hasn't any problem and just has 30.000 active sessions usually.
I am currently seeing that the Out-to-in drops (in nat statistics) are constantly increasing, even when this router just has a few active sessions currently because most of the traffic is going through the main router now.
Rourter#show ip nat statistics
Total active translations: 337 (21 static, 316 dynamic; 327 extended)
Outside interfaces:
GigabitEthernet0/0/0.10
Inside interfaces:
Vlan30
Hits: 377 Misses: 136
Expired translations: 141
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 101 interface GigabitEthernet0/0/0.10 refcount 6
-- Outside Source
[Id: 1] access-list 180 pool NAT-TEST refcount 0
pool NAT-TEST: id 1, netmask 255.255.255.0
start 192.168.1.1 end 192.168.1.254
type generic, total addresses 254, allocated 0 (0%), misses 0
nat-limit statistics:
max entry: max allowed 500000, used 316, missed 0
In-to-out drops: 616344 Out-to-in drops: 1647470
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 22886
IP alias add fail: 0
Limit entry add fail: 0
I am not sure why I am getting the drops increased currently. Can you please help me? Thank you very much.
Best Regards.
10-08-2019 07:16 AM
Hello,
can you post the configuration of the router? The drops could be related to virtual reassembly, or MTU settings... we would need to see the config to spot any potential issues...
10-08-2019 07:39 AM
Hi,
It will be helpful if you will share the running configuration with us.
10-11-2019 02:29 AM
Hello,
Sorry for the delay. Here you can see the configuration:
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
load-interval 30
negotiation auto
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address X.X.X.X 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0/0.100
encapsulation dot1Q 100
ip address X.X.X.X 255.255.255.252
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
load-interval 30
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan30
ip address X.X.X.X 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat inside
load-interval 30
ip virtual-reassembly
!
ip nat translation timeout 3600
ip nat translation max-entries 500000
ip nat pool NAT-TEST 192.168.1.1 192.168.1.254 netmask 255.255.255.0
ip nat inside source static tcp 172.16.1.21 25 81.46.16.195 25 extendable
ip nat inside source static tcp 172.16.1.33 80 81.46.16.195 80 extendable
ip nat inside source static tcp 172.16.1.21 83 81.46.16.195 83 extendable
ip nat inside source static tcp 172.16.1.21 110 81.46.16.195 110 extendable
ip nat inside source static tcp 172.16.1.21 143 81.46.16.195 143 extendable
ip nat inside source static tcp 172.16.1.33 443 81.46.16.195 443 extendable
ip nat inside source static tcp 172.16.1.21 587 81.46.16.195 587 extendable
ip nat inside source static tcp 172.16.1.21 993 81.46.16.195 993 extendable
ip nat inside source static 172.17.1.65 81.46.16.196 extendable
ip nat inside source static tcp 172.16.1.25 25 81.46.16.197 25 extendable
ip nat inside source static tcp 172.16.1.25 81 81.46.16.197 81 extendable
ip nat inside source static tcp 172.16.1.25 143 81.46.16.197 143 extendable
ip nat inside source static 172.17.1.123 81.46.16.198 extendable
ip nat inside source static 172.16.1.34 81.46.16.199 extendable
ip nat inside source static 172.17.2.252 81.46.16.200 extendable
ip nat inside source static 172.17.1.125 81.46.16.201 extendable
ip nat inside source static 172.17.1.126 81.46.16.202 extendable
ip nat inside source static 172.17.1.94 81.46.16.203 extendable
ip nat inside source static 172.16.1.17 81.46.16.204 extendable
ip nat inside source static 172.16.9.21 81.46.16.205 extendable
ip nat inside source static 172.17.1.127 81.46.16.206 extendable
ip nat inside source list 101 interface GigabitEthernet0/0/0.10 overload
ip nat outside source list 180 pool NAT-TEST
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 172.16.1.0 255.255.255.255 X.X.X.X
ip route 172.17.1.0 255.255.255.255 X.X.X.X
ip route 172.17.2.0 255.255.255.255 X.X.X.X
ip route 192.168.1.0 255.255.255.0 X.X.X.X
!
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
access-list 101 permit ip 172.17.2.0 0.0.0.255 any
access-list 180 permit udp any host 81.46.16.200 eq isakmp
!
!
!
!
control-plane
!
!
end
Thank you very much.
Best Regards.
10-08-2019 08:00 AM - edited 10-08-2019 08:03 AM
Hello
Can you clear ip nat statistics
and post the following:
show ip nat statistics
show ip route
show access-list 101
show access-list 180
show run | in ip nat
show logg
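Added example, not part of any post in this thread: a small Python parser for the `show ip nat statistics` format shown in the first post, which compares two captures and reports which drop and fail counters grew, including the case where the counters were cleared in between as requested above. The first capture reuses the counter lines from the first post; the second capture and the function names are constructed for illustration.

```python
import re

# Capture 1: counter lines copied from the output in the first post.
SNAP_T0 = """\
Total active translations: 337 (21 static, 316 dynamic; 327 extended)
Hits: 377 Misses: 136
Expired translations: 141
max entry: max allowed 500000, used 316, missed 0
In-to-out drops: 616344 Out-to-in drops: 1647470
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 22886
"""
# Capture 2: CONSTRUCTED values for illustration (not from the thread).
SNAP_T1 = """\
Total active translations: 352 (21 static, 331 dynamic; 342 extended)
Hits: 912 Misses: 140
Expired translations: 160
max entry: max allowed 500000, used 331, missed 0
In-to-out drops: 616390 Out-to-in drops: 1652470
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 22886
"""
# "Name: 123" pairs; several can share one line. Other lines are skipped.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z\- ]*?):\s+(\d+)")

def parse_nat_stats(text):
    """Return {counter name: int} for every 'Name: number' pair."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters

def counter_growth(before, after, suffixes=("drops", "drop", "fail")):
    """Drop/fail counters that increased between two captures."""
    b, a = parse_nat_stats(before), parse_nat_stats(after)
    growth = {}
    for name, now in a.items():
        if name in b and name.endswith(suffixes):
            # A smaller value means the counters were cleared in between.
            delta = now - b[name] if now >= b[name] else now
            if delta > 0:
                growth[name] = delta
    return growth

if __name__ == "__main__":
    for name, delta in counter_growth(SNAP_T0, SNAP_T1).items():
        print(f"{name}: +{delta}")
```

Dividing each delta by the seconds between the two captures gives a drop rate that can be compared against the translation count at the same moment.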
01-09-2022 07:30 AM
Any news, guys?
01-09-2022 07:43 AM
Hello,
do you have the same problem?
01-17-2022 01:04 AM
Hi
Exactly the same
01-17-2022 02:04 AM
Hello,
more information is needed:
--> router model and IOS version
--> output of 'sh run'
--> output of 'show ip nat translation *'