Slow Server Behind NAT

n.bokhar1
Level 1

Hello all, I have a weird issue. I have a server behind NAT and it serves HTTP/HTTPS traffic to the internet. It is unbearably slow, so I captured packets for this server on the client, the server, the inside interface of the router and the outside interface of the router. This is what I find:

Client: when trying to connect, I get a huge amount of retransmissions and timeouts before connecting.

Client-OUT.png

Outside interface of the router (receiving side/before NAT): I have the same amount of retransmissions and timeouts until the server responds.

R-IN.png

Inside interface of the router (connected to server/behind NAT): I don't have the retransmissions and timeouts; I only have the successfully connected session. I have checked the raw segment ID for the SYN and SYN/ACK packets.

R-OUT.png

Server: the same as the behind-NAT interface; I only have the successfully connected session.

All of this has led me to believe it is NAT, but I don't know how NAT can cause this.

I have also tried with the extendable NAT, but same results.

These are my NAT statements:

ip nat name <HTTP> inside source static tcp IN_IP 80 OUT_IP 80 extendable

ip nat name <HTTP> inside source static tcp IN_IP 80 interface OUT_INTERFACE 80

I have to note that the retransmits until a successful connection are random, and it takes about 30 seconds.
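
One way to do the comparison described in this post, as an added example that is not part of the original thread: match every SYN seen on the outside interface against the inside capture and list the copies that were never forwarded. It assumes the static port forward rewrites only the destination, so client IP, client port and raw sequence number identify the same SYN on both sides; the record layout, client addresses, sample values and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not the poster's captures), as exported from the
# two router-side captures: (time_s, src_ip, src_port, dst_ip, dst_port, raw_seq, flags)
C1, C2, C3 = "198.51.100.7", "198.51.100.8", "198.51.100.9"  # constructed clients
OUTSIDE = [
    (0.0, C1, 51000, "9.9.9.9", 443, 1111, "S"),
    (1.0, C1, 51000, "9.9.9.9", 443, 1111, "S"),   # client retransmit
    (3.0, C1, 51000, "9.9.9.9", 443, 1111, "S"),   # client retransmit
    (7.0, C1, 51000, "9.9.9.9", 443, 1111, "S"),   # this copy gets through
    (7.0, "9.9.9.9", 443, C1, 51000, 9000, "SA"),
    (0.5, C2, 52000, "9.9.9.9", 443, 2222, "S"),   # healthy flow
    (2.0, C3, 53000, "9.9.9.9", 443, 3333, "S"),   # never forwarded
]
INSIDE = [
    (7.0, C1, 51000, "10.4.1.58", 443, 1111, "S"),
    (7.0, "10.4.1.58", 443, C1, 51000, 9000, "SA"),
    (0.5, C2, 52000, "10.4.1.58", 443, 2222, "S"),
]

def syn_times(records):
    """Map (client_ip, client_port, raw_seq) -> sorted capture times of bare SYNs."""
    seen = defaultdict(list)
    for t, src, sport, _dst, _dport, seq, flags in records:
        if flags == "S":  # SYN without ACK, i.e. sent by the client
            seen[(src, sport, seq)].append(t)
    return {key: sorted(times) for key, times in seen.items()}

def dropped_syns(outside, inside, skew=0.05):
    """Report flows whose SYNs reached the outside interface but not the inside one.

    skew is the assumed maximum timestamp difference between the two captures
    for the same packet; both are taken on the same router.
    """
    out, ins = syn_times(outside), syn_times(inside)
    report = {}
    for key, times in out.items():
        fwd = ins.get(key, [])
        lost = [t for t in times if not any(abs(t - f) <= skew for f in fwd)]
        if lost:
            delay = (fwd[0] - times[0]) if fwd else None  # wait until first forwarded SYN
            report[key] = {"sent": len(times), "lost": len(lost), "delay_s": delay}
    return report

if __name__ == "__main__":
    for flow, stats in dropped_syns(OUTSIDE, INSIDE).items():
        print(flow, stats)
```

A flow that shows up in the report was delayed between the two capture points on the router itself, which separates loss inside the router from loss on the server or on the path from the client.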

11 Replies

balaji.bandi
Hall of Fame

What is the router model and IOS here? Can you post the config? (The images are too small; we are not able to read them correctly.)

Do you have MTU configured?

BB


The router is an ISR4431, IOS version 16.3.8 Denali. MTU size is 1500, not changed.

!
interface GigabitEthernet0/0/0
 ip address 10.4.10.2 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/0/3
 description INTERNET
 ip address 4.4.4.2 255.255.255.252
 ip nat outside
!
interface Loopback133
 ip address 9.9.9.9 255.255.255.255
 ip nat outside
!
ip nat name <HTTPS> inside source static tcp 10.4.1.58 443 9.9.9.9 443 extendable
!
ip route 0.0.0.0 0.0.0.0 4.4.4.1
!
ip route 10.4.1.0 255.255.255.0 10.4.10.1
!

Hello,

What is the purpose of the loopback? Why is the translation going to the Loopback instead of the actual outside interface IP address?

Also, why do you use the 'extendable' keyword? Is the inside IP translated to more than one public IP?

I want to allocate the IP address on the loopback for this web server.

The actual is connected to the SP.

Not sure if this is a typo or the real IP address schema you have (10.4.1.0 or 10.4.10.0?)

ip nat name <HTTPS> inside source static tcp 10.4.1.58 443 9.9.9.9 443 extendable

!

ip route 10.4.1.0 255.255.255.0 10.4.10.1

BB


Hello,

I assume you don't use both static NAT statements at the same time?

ip nat name <HTTP> inside source static tcp IN_IP 80 OUT_IP 80 extendable

ip nat name <HTTP> inside source static tcp IN_IP 80 interface OUT_INTERFACE 80

Try just the first one (without the 'extendable' keyword, which is needed only if you translate the same inside IP address to more than one public IP address):

-> ip nat inside source static tcp IN_IP 80 OUT_IP 80

Hello Georg,

No, I don't use both of them. Actually, I have tried both of them; none worked.

I did try what you've said, but it didn't work.

I still have a lot of retransmissions.

Hello
The NAT outside global address for the servers isn't in the same routable subnet as its rtr's WAN interface. Why is that? Are those global addresses assigned to your ISP for your site?

Also, remove the internal server's NAT host from any global NAT ACL for the site, and change your default static route to include the WAN interface.

Check the interface speed/duplex settings for the server's and WAN rtr's inside/outside interfaces. Do they have parity?

Lastly, can you confirm if you are running DNS servers?

 



Kind Regards
Paul

I did both of them but no luck. I still have a lot of retransmits, which has led me to believe it must be NAT.

But I don't know what is causing it, because I didn't have this problem before and I haven't changed my NAT settings at all?

but I don't know what is causing it because I didn't have this problem before and I haven't changed my nat settings at all?

When you mention this, there may be something that changed, which may be one of the below:

1. Did the Cisco device reboot?

2. Any network topology change in terms of routing (that you are aware of)?

3. Did the server have any updates?

4. Does the server have any FW built in?

5. Does this work as expected in the LAN?

 

BB


Hello

Post the output of the following into a file and attach it to your post. Make sure you also include the server port.

sh ip int brief

sh interfaces

sh ip interfaces

sh ip route

sh process cpu



Kind Regards
Paul