NAT overload / VRF problem

Unanswered Question
Apr 10th, 2008
I have a router 2821 in IOS 12.4, configured with IP dynamic NAT (overloaded) with different VRFs.

IP flows correctly, but after 1 hour on the VRF_FIRST and 4 hours on the VRF_SECOND, the users' application hangs.

One solution found was to create a STATIC IP NAT TRANSLATION for one user. In this case the problem doesn't appear. But because we have a large number of users, this solution is impossible for all users.

The only solution (for the moment) is to clear the IP NAT translation table in the VRF.

Is there a solution to resolve this problem?

Please note that we DON'T want to route between the two VRFs.

Thanks for your help.

The config is in the file attached to this post:

umedryk Thu, 04/17/2008 - 06:09

NAT must be enabled for this symptom to occur. The problem is seen when an application uses two well known ports: one for source and the other for destination. The outgoing translation is created, but on the return trip, using the previous source port as the destination, NAT may use the incorrect algorithm.

For example, if a PPTP session is initiated to the well known port 1723 from source port 21 (FTP), then the outgoing packet will create an FTP translation (we look at source information when going from in->out). When the packet is returned, we again look at the source information to know what kind of packet this is. In this case the source port will be 1723, and NAT will assume this is a PPTP packet. This will try to perform PPTP NAT operations on a data structure that NAT built for an FTP packet and may lead to a crash.
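The mechanism in the reply above, as an added toy model (not Cisco IOS code and not part of the original thread): a translation entry is tagged with an ALG type from the source port on the way out, and the return path either re-classifies from the packet's source port (the mismatch described) or reuses the tag stored on the entry. Ports 21 and 1723 come from the reply; the table layout, the ALG names and the inside address are assumptions.

```python
# Added illustration only: models the per-direction port classification the
# reply describes. Port-to-ALG mapping is a constructed subset, not IOS's table.
from dataclasses import dataclass

WELL_KNOWN_ALG = {21: "ftp", 1723: "pptp"}  # assumed subset of ALG triggers


@dataclass
class Translation:
    inside_addr: str
    inside_port: int
    global_port: int
    alg: str  # ALG type bound to the entry when it was created (in->out)


def classify_by_port(port: int) -> str:
    """Classify a flow purely from one source port, as the reply describes."""
    return WELL_KNOWN_ALG.get(port, "none")


def create_outbound(table: dict, inside_addr: str, src_port: int, global_port: int):
    """in->out: the entry's ALG is chosen from the *source* port (21 -> ftp)."""
    entry = Translation(inside_addr, src_port, global_port, classify_by_port(src_port))
    table[global_port] = entry  # overload table keyed by the translated port
    return entry


def handle_return(table: dict, dst_port: int, src_port: int, reuse_entry_alg: bool):
    """out->in: look up the entry by translated port, then pick the ALG to run.

    reuse_entry_alg=False re-classifies from the packet's source port (the
    behaviour the reply describes); True reuses the ALG stored on the entry.
    """
    entry = table[dst_port]
    alg = entry.alg if reuse_entry_alg else classify_by_port(src_port)
    return entry, alg


def alg_mismatch(table: dict, dst_port: int, src_port: int) -> bool:
    """True when per-direction port classification disagrees with the entry."""
    entry, alg = handle_return(table, dst_port, src_port, reuse_entry_alg=False)
    return alg != entry.alg


if __name__ == "__main__":
    nat = {}
    # PPTP session sent from source port 21 (the reply's example); reply arrives
    # from source port 1723 to the translated port 1024 (constructed).
    create_outbound(nat, "10.1.1.5", 21, 1024)
    print(handle_return(nat, 1024, 1723, False)[1], alg_mismatch(nat, 1024, 1723))
```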