11-17-2010 01:21 PM - edited 03-06-2019 02:06 PM
I have a site complaining about connectivity dropping out frequently. They have a 2811 router. I turned on "debug ip nat detailed" and I get the following:
*Nov 17 21:27:48.022: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
I'll get a couple of minutes worth of entries like that then I'll get some normal looking traffic:
*Nov 17 21:29:16.494: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2487]
*Nov 17 21:29:16.494: NAT*: s=198.246.0.22, d=74.207.112.117->10.19.232.115 [2487]
*Nov 17 21:29:16.494: NAT*: i: tcp (10.19.232.115, 1967) -> (198.246.0.22, 110) [39902]
*Nov 17 21:29:16.494: NAT*: s=10.19.232.115->74.207.112.117, d=198.246.0.22 [39902]
*Nov 17 21:29:16.550: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2495]
*Nov 17 21:29:16.550: NAT*: s=198.246.0.22, d=74.207.112.117->10.19.232.115 [2495]
*Nov 17 21:29:16.550: NAT*: i: tcp (10.19.232.115, 1967) -> (198.246.0.22, 110) [39907]
*Nov 17 21:29:16.550: NAT*: s=10.19.232.115->74.207.112.117, d=198.246.0.22 [39907]
*Nov 17 21:29:16.606: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2507]
Any ideas or pointers on what I should be looking at?
11-17-2010 01:28 PM
Hello,
One possibility is that the NAT pool is exhausted and no more translations can be performed at that time. After a couple of minutes, some translation entries expire, resulting in some addresses and/or ports being returned to the NAT pool and becoming available for new translations.
Can you post the relevant parts of the configuration, especially the one concerned with NAT? Also please post the show ip nat statistics command output if possible, especially if taken in the moment of connectivity flap.
Best regards,
Peter
11-17-2010 02:45 PM
Here is the configured NAT info:
ip nat pool LAAB-NAT 74.207.112.65 74.207.112.124 netmask 255.255.255.192
ip nat inside source route-map EVAL-NAT pool LAAB-NAT
route-map EVAL-NAT permit 10
match ip address NAT
The site only has 20 computers total. It's an educational institution. So, during the day only 4 of those computers are on. The lab isn't in use until the evening. Here's a typical "show ip nat trans" output:
tcp 74.207.112.116:1206 10.19.232.101:1206 209.85.225.113:80 209.85.225.113:80
tcp 74.207.112.117:2022 10.19.232.115:2022 66.220.145.35:80 66.220.145.35:80
tcp 74.207.112.117:2033 10.19.232.115:2033 66.220.147.33:80 66.220.147.33:80
tcp 74.207.112.117:2034 10.19.232.115:2034 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2035 10.19.232.115:2035 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2036 10.19.232.115:2036 216.66.31.210:80 216.66.31.210:80
tcp 74.207.112.117:2037 10.19.232.115:2037 216.66.31.192:80 216.66.31.192:80
tcp 74.207.112.114:1844 10.19.235.110:1844 209.8.118.27:80 209.8.118.27:80
11-17-2010 03:02 PM
Here is the show ip nat statistics:
Total active translations: 6 (0 static, 6 dynamic; 6 extended)
Outside interfaces:
Serial0/0/0
Inside interfaces:
FastEthernet0/0
Hits: 21474931 Misses: 167831
CEF Translated packets: 21584749, CEF Punted packets: 1511812
Expired translations: 168558
Dynamic mappings:
-- Inside Source
[Id: 1] route-map EVAL-NAT pool LAAB-NAT refcount 6
pool LAAB-NAT: netmask 255.255.255.192
start 74.207.112.65 end 74.207.112.124
type generic, total addresses 60, allocated 4 (6%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
11-17-2010 03:37 PM
Hello,
Thank you for the information. Can you please post the NAT ACL as well?
Best regards,
Peter
11-17-2010 04:53 PM
ip access-list extended NAT
deny ip 10.19.224.0 0.0.3.255 10.0.0.0 0.7.255.255
deny ip 10.19.224.0 0.0.3.255 10.8.0.0 0.7.255.255
deny ip 10.19.224.0 0.0.3.255 10.16.0.0 0.7.255.255
deny ip 10.19.232.0 0.0.3.255 10.0.0.0 0.7.255.255
deny ip 10.19.232.0 0.0.3.255 10.8.0.0 0.7.255.255
deny ip 10.19.232.0 0.0.3.255 10.16.0.0 0.7.255.255
deny ip 10.19.232.0 0.0.3.255 192.168.0.0 0.0.0.255
permit ip 10.19.224.0 0.0.3.255 any
permit ip 10.19.232.0 0.0.3.255 any
deny ip any any
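To see which flows this ACL actually hands to the route-map (and therefore to NAT), it helps to evaluate it mechanically rather than by eye. The script below is an added example, not code from the thread or from Cisco: it parses the extended ACL exactly as posted, applies IOS wildcard-mask semantics (a 1 bit in the wildcard means "don't care"), and returns the first matching entry for a given source/destination pair. With `route-map EVAL-NAT permit 10` matching this ACL, an ACL `permit` means the packet is translated and an ACL `deny` (explicit or the implicit one at the end) means it is routed untranslated. The sample flows are constructed for illustration; the one hitting `192.168.0.0/24` shows that the posted ACL treats the two inside ranges differently for that destination.

```python
import ipaddress
from typing import List, Optional, Tuple

# Copy of the NAT ACL as posted in the thread (embedded here so the example runs offline).
NAT_ACL = """
ip access-list extended NAT
deny ip 10.19.224.0 0.0.3.255 10.0.0.0 0.7.255.255
deny ip 10.19.224.0 0.0.3.255 10.8.0.0 0.7.255.255
deny ip 10.19.224.0 0.0.3.255 10.16.0.0 0.7.255.255
deny ip 10.19.232.0 0.0.3.255 10.0.0.0 0.7.255.255
deny ip 10.19.232.0 0.0.3.255 10.8.0.0 0.7.255.255
deny ip 10.19.232.0 0.0.3.255 10.16.0.0 0.7.255.255
deny ip 10.19.232.0 0.0.3.255 192.168.0.0 0.0.0.255
permit ip 10.19.224.0 0.0.3.255 any
permit ip 10.19.232.0 0.0.3.255 any
deny ip any any
"""

Entry = Tuple[str, str, int, int, int, int]  # action, proto, src, src_wc, dst, dst_wc


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_address_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i].
    Returns (base, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tok), _addr(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Extract permit/deny entries from an IOS extended ACL listing."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # header line such as 'ip access-list extended NAT'
        action, proto = parts[0], parts[1]
        src, src_wc, i = parse_address_spec(parts, 2)
        dst, dst_wc, _ = parse_address_spec(parts, i)
        entries.append((action, proto, src, src_wc, dst, dst_wc))
    return entries


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """IOS wildcard semantics: only bits that are 0 in the wildcard must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, 1-based entry number);
    entry number None means the implicit deny at the end of the list."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for n, (action, _proto, src, src_wc, dst, dst_wc) in enumerate(entries, 1):
        if wildcard_match(s, src, src_wc) and wildcard_match(d, dst, dst_wc):
            return action, n
    return "deny", None


def will_be_translated(src_ip: str, dst_ip: str) -> bool:
    """Under 'route-map EVAL-NAT permit 10 / match ip address NAT',
    an ACL permit means the flow is translated by the pool."""
    action, _ = evaluate(parse_acl(NAT_ACL), src_ip, dst_ip)
    return action == "permit"


if __name__ == "__main__":
    # Constructed sample flows, not taken from the thread.
    for src, dst in [("10.19.232.115", "198.246.0.22"),   # Internet: translated
                     ("10.19.232.115", "10.3.1.1"),        # other 10/8 site: not translated
                     ("10.19.224.10", "192.168.0.5"),      # first range to 192.168.0/24: translated
                     ("10.19.232.10", "192.168.0.5"),      # second range to 192.168.0/24: not translated
                     ("10.19.240.1", "8.8.8.8")]:          # outside both inside ranges: denied
        print(src, "->", dst, evaluate(parse_acl(NAT_ACL), src, dst))
```

The evaluator is first-match only, like IOS; it ignores the protocol and port fields because every entry here is `ip`. Extend `parse_address_spec` if you feed it ACLs that use `eq`/`range` qualifiers.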
11-17-2010 11:41 PM
Hello,
Thank you for your replies. Currently, I do not see any outstanding problems but I have a suggestion:
The router is currently configured to perform dynamic NAT, i.e. a 1:1 translation between an internal and an external IP address. If there are no applications requiring this form of NAT, we could significantly decrease the usage of IP addresses in your pool by using dynamic PAT. That can be accomplished by adding the keyword overload at the end of the ip nat inside source command:
ip nat inside source route-map EVAL-NAT pool LAAB-NAT overload
Would you mind giving this a try?
Best regards,
Peter
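The two hypotheses raised in this thread, pool exhaustion and the cost of 1:1 dynamic NAT, can both be checked from the outputs already posted. The script below is an added example (not from the thread or from Cisco) that parses the posted `show ip nat statistics`, `show ip nat translations` and `debug ip nat detailed` text, embedded here as constructed copies so it runs offline. It counts the "Can't create new inside entry" punts, reads the pool's `allocated`/`total`/`misses` counters, and maps each inside-local host to the pool addresses it holds. Pool `misses 0` with `allocated 4` of 60 rules out exhaustion as the cause of those punts, and each host holding exactly one pool address is what 1:1 dynamic NAT looks like; with `overload` all of those hosts would share a single inside-global address. The punt ratio and the hypothesis thresholds are this example's own choices, not anything the router reports.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed copies of the outputs posted in the thread.
STATS = """Total active translations: 6 (0 static, 6 dynamic; 6 extended)
Outside interfaces:
Serial0/0/0
Inside interfaces:
FastEthernet0/0
Hits: 21474931 Misses: 167831
CEF Translated packets: 21584749, CEF Punted packets: 1511812
Expired translations: 168558
Dynamic mappings:
-- Inside Source
[Id: 1] route-map EVAL-NAT pool LAAB-NAT refcount 6
pool LAAB-NAT: netmask 255.255.255.192
start 74.207.112.65 end 74.207.112.124
type generic, total addresses 60, allocated 4 (6%), misses 0
"""

TRANSLATIONS = """tcp 74.207.112.116:1206 10.19.232.101:1206 209.85.225.113:80 209.85.225.113:80
tcp 74.207.112.117:2022 10.19.232.115:2022 66.220.145.35:80 66.220.145.35:80
tcp 74.207.112.117:2033 10.19.232.115:2033 66.220.147.33:80 66.220.147.33:80
tcp 74.207.112.117:2034 10.19.232.115:2034 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2035 10.19.232.115:2035 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2036 10.19.232.115:2036 216.66.31.210:80 216.66.31.210:80
tcp 74.207.112.117:2037 10.19.232.115:2037 216.66.31.192:80 216.66.31.192:80
tcp 74.207.112.114:1844 10.19.235.110:1844 209.8.118.27:80 209.8.118.27:80
"""

DEBUG = """*Nov 17 21:27:48.022: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:29:16.494: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2487]
*Nov 17 21:29:16.494: NAT*: i: tcp (10.19.232.115, 1967) -> (198.246.0.22, 110) [39902]
"""


def parse_stats(text: str) -> Dict[str, int]:
    """Pull the pool and CEF counters out of 'show ip nat statistics'."""
    pool = re.search(r"total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)", text)
    cef = re.search(r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)", text)
    active = re.search(r"Total active translations: (\d+)", text)
    if not (pool and cef and active):
        raise ValueError("unexpected 'show ip nat statistics' format")
    return {
        "active": int(active[1]),
        "pool_total": int(pool[1]),
        "pool_allocated": int(pool[2]),
        "pool_misses": int(pool[4]),   # pool allocation failures, distinct from table 'Misses'
        "cef_translated": int(cef[1]),
        "cef_punted": int(cef[2]),
    }


def parse_translations(text: str) -> List[Dict[str, str]]:
    """Rows of 'show ip nat translations': proto, inside global/local, outside local/global."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto,
                     "inside_global": ig.rsplit(":", 1)[0],
                     "inside_local": il.rsplit(":", 1)[0],
                     "outside_global": og.rsplit(":", 1)[0]})
    return rows


def pool_usage(rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Which pool (inside-global) addresses each inside-local host currently holds."""
    usage: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        usage[r["inside_local"]].add(r["inside_global"])
    return dict(usage)


def diagnose(stats_text: str, trans_text: str, debug_text: str) -> Dict[str, object]:
    stats = parse_stats(stats_text)
    usage = pool_usage(parse_translations(trans_text))
    failures = sum(1 for l in debug_text.splitlines() if "Can't create new inside entry" in l)
    in_use = {a for held in usage.values() for a in held}
    return {
        "create_failures_in_debug": failures,
        # Exhaustion would show as allocated == total and/or a non-zero pool miss counter.
        "pool_exhausted": stats["pool_allocated"] >= stats["pool_total"] or stats["pool_misses"] > 0,
        "pool_addresses_in_use": len(in_use),
        "inside_hosts": len(usage),
        # 1:1 dynamic NAT: every host holds exactly one pool address of its own.
        "one_to_one": all(len(held) == 1 for held in usage.values())
                      and len(in_use) == len(usage),
        # Share of CEF-switched packets that had to be punted (example's own metric).
        "punt_ratio": stats["cef_punted"] / (stats["cef_translated"] + stats["cef_punted"]),
    }


if __name__ == "__main__":
    for k, v in diagnose(STATS, TRANSLATIONS, DEBUG).items():
        print(f"{k}: {v}")
```

Run it against live captures taken during a flap; if `pool_exhausted` stays false while `create_failures_in_debug` climbs, the pool is not the bottleneck and the fault lies elsewhere in the translation path, which is consistent with the IOS upgrade resolving the issue later in this thread.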
11-18-2010 06:53 AM
I do have an application that may not work properly with PAT. I upgraded the IOS to the latest stable version last night and the errors went away. I am waiting for that office to open this morning in order to conduct some more thorough testing. Hopefully the issue is resolved. If not, I will try testing with PAT.
11-18-2010 07:02 AM
Hello,
Sure, give it a try. And please let me know.
Best regards,
Peter
11-18-2010 09:01 AM
Looks like the IOS upgrade did the trick.