Help! Static NAT failed to work -- NAT overload issue?

Hi,

I set up a Cisco 1811 with multiple static NAT entries like this:

ip nat inside source static 10.10.10.13 xx.xx.xx.13
ip nat inside source static 10.10.10.11 xx.xx.xx.11
.....

Once in a while, after a lot of downloading/uploading, I fail to access all mapped machines except the router, and I have to reload the router to recover access. When I look at the router's NAT table when it fails, there are hundreds of entries like this (the same external IP downloading from the server inside the router):

10.10.10.11:80  xx.xx.xx.xx:2049
10.10.10.11:80  xx.xx.xx.xx:2050
10.10.10.11:80  xx.xx.xx.xx:2051
.....

It looks like a NAT overload issue, but I do not understand why it blocks further NAT translation when this happens. And is there any solution to this? Please help.

Thanks,

Luke

lukeyang88

I guess that the NAT table is full in some way.

Maybe you are out of memory?

Post the first few lines of sh mem.

In any case "clear ip nat translations" may avoid a reload.

I think that you can clear some entries of the table with "clear ip nat tr xxxx"

Maybe you have a Denial of Service attack or at least a badly behaved client.

Perhaps you can set some kind of aging time on the NAT entries? I have never looked at that but it is a possibility.

Here you go:-

adsl(config)#ip nat tr ?
  arp-ping-timeout        Specify timeout for WLAN-NAT ARP-Ping
  dns-timeout             Specify timeout for NAT DNS flows
  finrst-timeout          Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout            Specify timeout for NAT ICMP flows
  max-entries             Specify maximum number of NAT entries
  port-timeout            Specify timeout for NAT TCP/UDP port specific flows
  pptp-timeout            Specify timeout for NAT PPTP flows
  routemap-entry-timeout  Specify timeout for routemap created half entry
  syn-timeout             Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout             Specify timeout for NAT TCP flows
  timeout                 Specify timeout for dynamic NAT translations
  udp-timeout             Specify timeout for NAT UDP flows

adsl(config)#ip nat tr max-entries ?
                  Number of entries
  all-host        Specify maximum number of NAT entries for each host
  all-vrf         Specify maximum number of NAT entries for each vrf
  host            Specify per-host NAT entry limit
  list            Specify access list based NAT entry limit
  vrf             Specify per-VRF NAT entry limit

As I say I have never used these, but "timeout - Specify timeout for dynamic NAT translations" looks like a good place to start.

Please post:-

sh ip nat sta

Post the first few lines of sh mem.

adsl#sh ip nat sta
Total active translations: 9 (0 static, 9 dynamic; 9 extended)
Outside interfaces:
  Dialer1, Virtual-Access2
Inside interfaces:
  BVI1, BVI2
Hits: 6679  Misses: 196
CEF Translated packets: 6839, CEF Punted packets: 0
Expired translations: 211
Dynamic mappings:
-- Inside Source
[Id: 1] route-map nonat interface Dialer1 refcount 9
Queued Packets: 0

anybody43
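As an added example (not from the thread, and not a Cisco tool): a small Python script that reads text in the layout of IOS "show ip nat translations" (Pro / Inside global / Inside local / Outside local / Outside global) and counts dynamic entries per outside host, so the pattern Luke describes, one address holding hundreds of entries to 10.10.10.11:80, is flagged before the table fills, and the "badly behaved client" anybody43 suspects can be identified by address. The sample output, the addresses and the threshold are constructed for illustration; on a real router you would paste the output of "show ip nat translations" into it.

```python
"""Spot a NAT table being monopolised by one outside host.

Added example, not part of the original thread. Parses text in the
layout of Cisco IOS `show ip nat translations` and counts dynamic
entries per outside global address. Addresses, ports and the threshold
are constructed for illustration.
"""
from collections import Counter

# Constructed sample in the layout of `show ip nat translations`:
# two static one-to-one mappings, then dynamic (extended) flow entries.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local         Outside global
--- 203.0.113.13       10.10.10.13        ---                   ---
--- 203.0.113.11       10.10.10.11        ---                   ---
tcp 203.0.113.11:80    10.10.10.11:80     198.51.100.7:2049     198.51.100.7:2049
tcp 203.0.113.11:80    10.10.10.11:80     198.51.100.7:2050     198.51.100.7:2050
tcp 203.0.113.11:80    10.10.10.11:80     198.51.100.7:2051     198.51.100.7:2051
tcp 203.0.113.11:80    10.10.10.11:80     198.51.100.7:2052     198.51.100.7:2052
tcp 203.0.113.11:80    10.10.10.11:80     198.51.100.7:2053     198.51.100.7:2053
tcp 203.0.113.11:80    10.10.10.11:80     198.51.100.7:2054     198.51.100.7:2054
tcp 203.0.113.13:22    10.10.10.13:22     192.0.2.200:51234     192.0.2.200:51234
udp 203.0.113.11:53    10.10.10.11:53     192.0.2.9:4000        192.0.2.9:4000
"""


def split_endpoint(field):
    """Turn 'a.b.c.d:port' into (ip, port); a bare address gets port None."""
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None


def parse_translations(text):
    """Return one dict per dynamic translation.

    The header line and the static one-to-one mappings (protocol column
    '---') are skipped: only the dynamic flow entries grow with traffic.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] in ("Pro", "---"):
            continue
        proto, in_global, in_local, out_local, out_global = parts
        entries.append({
            "proto": proto,
            "inside_global": split_endpoint(in_global),
            "inside_local": split_endpoint(in_local),
            "outside_local": split_endpoint(out_local),
            "outside_global": split_endpoint(out_global),
        })
    return entries


def entries_per_outside_host(entries):
    """Count dynamic entries keyed by outside global address."""
    return Counter(e["outside_global"][0] for e in entries)


def flag_heavy_hosts(entries, threshold):
    """Outside hosts holding more than `threshold` concurrent entries.

    `threshold` is a constructed tuning value; size it to whatever
    per-host limit you consider normal for the servers behind the NAT.
    """
    counts = entries_per_outside_host(entries)
    return {host: n for host, n in counts.items() if n > threshold}


def inside_targets(entries, host):
    """Which inside local (ip, port) pairs a given outside host is hitting."""
    return sorted({e["inside_local"] for e in entries
                   if e["outside_global"][0] == host})


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE_TRANSLATIONS)
    print(f"{len(parsed)} dynamic entries")
    for host, n in flag_heavy_hosts(parsed, threshold=5).items():
        print(f"{host}: {n} entries -> {inside_targets(parsed, host)}")
```

The per-host counts this produces are exactly what the "host" / "all-host" keywords under "ip nat tr max-entries" in the help listing above would cap; a host that is flagged here is a candidate for that limit, for a shorter "tcp-timeout" or "timeout", or for "clear ip nat tr" on its entries, rather than a reload of the whole router.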

Try

ip nat inside source static 10.10.10.11 xx.xx.xx.11 extendable

Maybe it helps.

Alex.

AM

By my reading of this document extendable can only make it worse.

"The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.

The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable"."

This problem has apparently /no/ ambiguous static translations.

I am not saying that trying this or that is /never/ or even in this case is not worthwhile but that it /should/ not help. It is I think important to know if a change is some random shot in the dark or the correct solution.

If it is a bug of course anything might help and I have put all kinds of workarounds in place in the past myself.

Good luck.

anybody43

A couple of lines of the memory dump when the router failed to make NAT work.

yourname#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   833A68AC    67475284    19300156    48175128    46945840    44884996
      I/O    7400000    12582912     3781784     8801128     8723392     8755900

Processor memory

Address    Bytes      Prev     Next     Ref PrevF    NextF    Alloc PC  what
833A68AC   0000069728 00000000 833B793C 001 -------- -------- 810EB478  qos pre-classification
833B793C   0001385740 833A68AC 83509E78 000 0        84493AD0 80359E34  (fragment)
83509E78   0000020004 833B793C 8350ECCC 001 -------- -------- 80358DC4  Managed Chunk Queue Elements
8350ECCC   0000010004 83509E78 83511410 001 -------- -------- 8153E1C4  List Elements
83511410   0000005004 8350ECCC 835127CC 001 -------- -------- 8153E204  List Headers
835127CC   0000000048 83511410 8351282C 001 -------- -------- 81C68724  *Init*
8351282C   0000004348 835127CC 83513958 001 -------- -------- 808E0A0C  TTY data
83513958   0000002004 8351282C 8351415C 001 -------- -------- 808DBB40  TTY Input Buf
8351415C   0000001004 83513958 83514578 001 -------- -------- 808DBB78  TTY Output Buf
83514578   0000000048 8351415C 835145D8 001 -------- -------- 81C68724  *Init*
835145D8   0000000484 83514578 835147EC 001 -------- -------- 8154A448  Watched Message Queue
835147EC   0000000068 835145D8 83514860 001 -------- -------- 81551148  Resource Owner IDs
83514860   0000000028 835147EC 835148AC 001 -------- -------- 81C4E864  *Init*
835148AC   0000000484 83514860 83514AC0 001 -------- -------- 808D68B8  String-DB handles
83514AC0   0000000028 835148AC 83514B0C 001 -------- -------- 81C4E864  *Init*
83514B0C   0000000076 83514AC0 83514B88 001 -------- -------- 81C4E864  *Init*
83514B88   0000000048 83514B0C 83514BE8 001 -------- -------- 81C68724  *Init*
83514BE8   0000001504 83514B88 835151F8 001 -------- -------- 8154A32C  messages
835151F8   0000001504 83514BE8 83515808 001 -------- -------- 8154A358  Watched messages
83515808   0000014900 835151F8 8351926C 001 -------- -------- 8154A384  Watched Queue
8351926C   0000000032 83515808 835192BC 001 -------- -------- 80C015E0  Init
835192BC   0000000040 8351926C 83519314 001 -------- -------- 80BF5C84  Init
83519314   0000000048 835192BC 83519374 001 -------- -------- 80BF5CB4  Init
83519374   0000000032 83519314 835193C4 001 -------- -------- 80C015E0  Init
835193C4   0000000040 83519374 8351941C 001 -------- -------- 80BF5C84  Init
8351941C   0000000048 835193C4 8351947C 001 -------- -------- 80BF5CB4  Init
8351947C   0000000040 8351941C 835194D4 001 -------- -------- 80BF5C84  Init
835194D4   0000000048 8351947C 83519534 001 -------- -------- 80BF5CB4  Init
83519534   0000000204 835194D4 83519630 001 -------- -------- 81547A98  Process Events
83519630   0000000048 83519534 83519690 001 -------- -------- 81C68724  Init
83519690   0000000064 83519630 83519700 001 -------- -------- 804E708C  Init
83519700   0000000064 83519690 83519770 001 -------- -------- 804E708C  Init
83519770   0000000080 83519700 835197F0 001 -------- -------- 808FF628  Parser Linkage
835197F0   0000005836 83519770 8351AEEC 001 -------- -------- 81C68174  Init

The interesting thing is that "clear ip nat tr" does not work; only "reload" can bring NAT back to normal. It looks like a memory overflow bug in the router's NAT function, and it can be fixed only after reloading the router OS.

Any other ideas and suggestions?

Thanks,

Luke


lukeyang88

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.