What are NAT (PAT) "In-to-out drops" & "Out-to-in drops"

albyone
Level 1

Hello,

I'm hoping someone can shed some light on the output of a 'show ip nat statistics' command on an ASR1000 running IOS XE 03.13.06a.S:

Router-1#sh ip nat stat
Total active translations: 160974 (0 static, 160974 dynamic; 160974 extended)
Outside interfaces:
  GigabitEthernet0/0/1
Inside interfaces: 
  GigabitEthernet0/0/2.500, GigabitEthernet0/0/2.575, GigabitEthernet0/0/3
Hits: 2313923706548  Misses: 9805591413
Expired translations: 9711014593
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 99 interface GigabitEthernet0/0/1 refcount 160974
nat-limit statistics:
 max entry: max allowed 500000, used 160974, missed 0
In-to-out drops: 730939425  Out-to-in drops: 574897141
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 20491038
IP alias add fail: 0
Limit entry add fail: 0
Router-1#

What I am trying to find out is what the following counters actually mean:
In-to-out drops
Out-to-in drops
Port block alloc fail

All command references I have found on Cisco's support site don't show this output because apparently as of "Cisco IOS XE Release 3.4S":
"This command was modified. The NAT limit statistics for all hosts and for all VPN routing and forwarding (VRF) instances were removed from the output of this command."
Which is obviously completely wrong.

Thanks!

4 Replies

Hello,

The only thing I could find was this bug:

Extended PAT not allowing more than 1k translations
CSCvx88061

Symptom:
When using PAT with extended keyword on a pool with a single address, NAT starts dropping packets after 1048 translations. Drops are shown as in-to-out drops:

Router#Show ip nat statistics | inc drop
In-to-out drops: 734 Out-to-in drops: 0
Pool stats drop: 0 Mapping stats drop: 0
Router#Show ip nat statistics | inc drop
In-to-out drops: 960 Out-to-in drops: 0

Conditions:
Extended PAT configuration.

Sample config:

route-map nat_10.10.10.10 permit 10
match ip address ACL

ip nat pool POOL_NAME 10.10.10.10 10.10.10.10 netmask 255.255.240.0

ip nat inside source route-map nat_10.10.10.10 pool POOL_NAME overload extended

Workaround:
Remove extended keyword from NAT statement. This reduces the max amount of translations.
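A small parser for this output, added here as an example (it is not code from the thread or from Cisco): it pulls the counters out of the 'show ip nat statistics' text quoted in the question and reports which of them grew between two samples, which is the check the bug report's two '| inc drop' snapshots do by hand. The sample texts are constructed from the values posted above; the key names are my own.

```python
import re

# Constructed sample: the relevant lines of the output quoted in the question.
SAMPLE = """Total active translations: 160974 (0 static, 160974 dynamic; 160974 extended)
Hits: 2313923706548  Misses: 9805591413
Expired translations: 9711014593
nat-limit statistics:
 max entry: max allowed 500000, used 160974, missed 0
In-to-out drops: 730939425  Out-to-in drops: 574897141
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 20491038
"""
# Constructed from the two '| inc drop' snapshots in the bug report.
BUG_BEFORE = "In-to-out drops: 734 Out-to-in drops: 0\nPool stats drop: 0 Mapping stats drop: 0\n"
BUG_AFTER = "In-to-out drops: 960 Out-to-in drops: 0\nPool stats drop: 0 Mapping stats drop: 0\n"

# Counter labels as printed by the router, mapped to the keys used below (my own names).
COUNTERS = {
    "Total active translations": "active",
    "Hits": "hits",
    "Misses": "misses",
    "In-to-out drops": "in_to_out_drops",
    "Out-to-in drops": "out_to_in_drops",
    "Pool stats drop": "pool_drops",
    "Mapping stats drop": "mapping_drops",
    "Port block alloc fail": "port_block_alloc_fail",
}

def parse_nat_stats(text):
    """Return {key: int} for every known counter present in the output.
    Several counters share one line, so each label is searched on its own."""
    stats = {}
    for label, key in COUNTERS.items():
        m = re.search(re.escape(label) + r":\s*(\d+)", text)
        if m:
            stats[key] = int(m.group(1))
    m = re.search(r"max allowed (\d+), used (\d+)", text)  # nat-limit line, if present
    if m:
        stats["max_entries"], stats["used_entries"] = int(m.group(1)), int(m.group(2))
    return stats

def nat_health(old, new):
    """Compare two parsed snapshots: list every counter that grew (with its
    delta) and, when the nat-limit line is present, the table utilisation."""
    increments = {k: new[k] - old[k] for k in new if k in old and new[k] > old[k]}
    util = None
    if new.get("max_entries"):
        util = round(new["used_entries"] / new["max_entries"], 4)
    return {"increments": increments, "utilisation": util}

if __name__ == "__main__":
    print(parse_nat_stats(SAMPLE))
    print(nat_health(parse_nat_stats(BUG_BEFORE), parse_nat_stats(BUG_AFTER)))
```

A growing in-to-out or out-to-in counter between two samples is the signal to watch; a single absolute value says nothing about the current rate.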

Thanks Georg. I checked that bug; however, I think that one doesn't apply to me, as it shows the affected OS as 16.9.5. I am running:
Router-1#sh ver
Cisco IOS XE Software, Version 03.13.06a.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.4(3)S6a, RELEASE SOFTWARE (fc2)

I can't show running config either as we have only been given read-only access to the router. This doesn't explain Out-to-in drops either.

I can't fully explain all these values, but:
when the first packet needs to be NATed, the refcount increases;
when another packet with the same source and destination needs to be NATed and there is already an entry in the NAT table, the hit count increases.
Here is the issue:
when another packet with the same source and destination needs to be NATed and the entry has been dynamically removed from the NAT table, a miss is counted and the In-to-out drop counter increases, because the packet needs a new NAT entry.

When the return traffic needs to be un-NATed, the Out-to-in drop counter increases, for the same reason as above: there is no entry in the NAT table.

Almost all of this behaviour is seen with TCP traffic.
What is the issue here?
The timeout you configured for TCP is low.
Try increasing it, but be careful to increase it slowly; we don't want the router to keep entries in the NAT table for a long time.

Hope this helps you.

Hello,
By coincidence, not long ago I was reading into CGN NAT/PAT, part of which refers to Bulk logging and Port Block Allocation (here), and looking at the number of active translations suggests you may well be implementing dynamic CGN PAT.

The active translations (which coincide with the ACL refcount) obviously show the current active translations present on the rtr.

HITS refer to how many times the rtr has had to create new translations.
MISSES state how many times the rtr has excluded or had to make an exception not to translate.

TBH I'm not quite sure what the In-to-out drops / Out-to-in drops refer to, but I would take an educated guess that they refer to failed translation attempts.

As for the Port block alloc fail, this suggests failure or exhaustion of sessions that are assigned certain port block allocation values instead of a single address/port; again, this is associated with CGN NAT/PAT.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul