08-13-2009 10:39 PM - edited 03-06-2019 07:14 AM
Hi All,
I am getting a NAT issue every 15 days; we have the below NAT statements configured on one of our IOS-FW 1841 routers.
We have the below NAT for one of our SMTP servers. When I get a complaint saying incoming mail traffic is not working, I have to remove the NAT and re-add it, and then it works fine (I think that's not fair). So I have to dig into root cause analysis of this issue, why it's happening like this.
I guess it seems something like the NAT getting stuck. Experts, can someone please help me?
Especially, every time I am getting a problem with the below NAT; if I remove and re-add it, then it works fine.
ip nat inside source static tcp 192.168.115.20 25 195.24.2.79 25 extendable
ip nat inside source static tcp 10.146.5.30 443 195.24.2.79 443 extendable
ip nat inside source static tcp 10.10.10.11 1503 195.24.2.79 1503 extendable
ip nat inside source static tcp 10.10.6.40 1741 195.24.2.79 1741 extendable
ip nat inside source static tcp 10.10.1.10 3299 195.24.2.79 3299 extendable
ip nat pool nonat 195.24.2.44 195.24.2.44 netmask 255.255.255.248
ip nat source static 195.24.2.53 10.10.10.11 route-map FKRDLDAP extendable
ip nat source static 10.28.2.11 195.24.2.53 route-map FKRDLDAP extendable
ip nat inside source route-map nonat pool nonat overload
ip nat inside source static tcp 192.168.115.30 80 195.24.2.53 80 extendable
ip nat inside source static tcp 10.10.10.11 389 195.24.2.53 389 extendable
ip nat inside source static tcp 192.168.115.30 443 195.24.2.53 443 extendable
ip nat inside source static tcp 10.13.2.10 21 195.24.2.79 21 extendable
ip nat inside source static tcp 192.168.115.20 25 195.24.2.79 25 extendable
ip nat inside source static tcp 10.146.5.30 443 195.24.2.79 443 extendable
ip nat inside source static tcp 10.10.10.11 1503 195.24.2.79 1503 extendable
ip nat inside source static tcp 10.10.6.40 1741 195.24.2.79 1741 extendable
ip nat inside source static tcp 10.10.1.10 3299 195.24.2.79 3299 extendable
ip nat inside source static 10.29.2.140 195.24.3.80 extendable
ip nat inside source static 10.146.5.100 195.24.2.36 extendable
Regards,
Naidu.
08-13-2009 10:54 PM
Have you tried doing a "show ip nat statistics" at the time of the problem?
Maybe you are using up the xlate table so it can't do any more (or you have it set to a lower than required value?).
It may also be worth a shot to do a "show ip nat translations" and then do a | incl
Does anything show up in a show log as well to indicate the above? That is, if you have the appropriate logging level set. Oh, and it will probably appear a bit before you get a call to say things are broken too :P
If the above isn't it, then maybe a debug ip nat may be in order?
HTH
Cameron
08-14-2009 01:55 AM
Hi Cameron,
Thanks for your quick response.
I didn't get what you mean by xlate table; could you please clarify it for me?
Yes, there are quite a high number of translations on this IP, so how can I set the value lower? Could you please give me the commands step by step?
If I set the level lower, what are the possible causes?
And there are some denied rule hits that I saw in the log (is that causing the problem?).
Thanks in advance.
Regards,
Naidu.
08-14-2009 06:49 AM
Naidu,
It's not entirely clear from your post whether it happens only for the SMTP server or for all the NAT translations on the router. So next time this happens, check whether you are able to access other NATted servers or not. There are a few possibilities here. Either you are reaching the maximum NAT translations allowed by the router by default, or you are hitting some bug. If it is the first case, then there are a few commands which can alleviate this issue.
ip nat translation timeout xxx
ip nat translation tcp-timeout xxx
These two commands delete inactive entries from the NAT table to make space for newer ones.
ip nat translation max-entries xxxx
This command allows you to tweak the number of NAT translations allowed simultaneously.
But before using these, you need to determine the root cause of this issue. You can see the NAT table and statistics using the commands 'sh ip nat tr' and 'sh ip nat st'.
08-17-2009 03:53 AM
Hi Yagnesh,
Thank you very much for your reply.
I was facing the problem with my SMTP server NAT only, at all times, and at the same time the other NATs were working fine.
As you said, it may be possible for me to configure the NAT max-entries. But still I could not find the exact root cause of this issue. I need your help to find out the exact root cause. Please help me.
Is there any way to know the maximum NAT translations allowed by the router? (Please find the details about the IOS and model below.)
Please find the NAT statistics below:
sh ip nat st
Total active translations: 3055 (19 static, 3036 dynamic; 3052 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1
Hits: 486682368 Misses: 6613262
CEF Translated packets: 472312370, CEF Punted packets: 41256015
Expired translations: 12879103
Dynamic mappings:
-- Inside Source
[Id: 0] route-map PINP
[Id: 1] route-map nonat pool nonat refcount 2878
pool nonat: netmask 255.255.255.248
start 195.24.2.44 end 195.24.2.44
type generic, total addresses 1, allocated 1 (100%), misses 34570
-- Outside Destination
[Id: 0] route-map DKRGLDAP
Queued Packets: 0
#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 18-Nov-06 15:32 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
uptime is 4 weeks, 3 days, 6 hours, 7 minutes
System returned to ROM by power-on
System restarted at 07:57:41 UTC Fri Jul 17 2009
System image file is "flash:c1841-adventerprisek9-mz.124-11.T.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 1841 (revision 6.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ1037221E
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Thanks in advance.
Regards,
Naidu.
08-17-2009 07:50 AM
Naidu,
By default there is no limit on the maximum number of NAT entries allowed simultaneously by the router, but each NAT entry requires about 160-312 bytes of memory, so the number of translations possible is limited by the amount of memory (DRAM) available on the router. Also note that the maximum number of allowed NAT translations is a global setting which cannot be configured or imposed by the router on a per-NAT-entry basis.
There is a possibility that the router may have run out of memory, considering the many highly utilized entries in your configuration, and it refuses to take any new NAT entry while still servicing the existing NAT entries in its NAT table. So this may give you the impression that only the SMTP server is not working (for which new NAT entries/connections may have been requested) whereas others are working (existing entries). As suggested earlier, when you face this issue again, you should verify the number of active translations (using sh ip nat st) and verify that the count is increasing while trying a new connection.
Also use the bug toolkit to rule out any software glitch for this behavior.
Meanwhile there is no harm in reducing the TCP translation timeout (default 24 hours) to a shorter period using the above command and seeing if that alleviates your issue.
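As an added example (not code from this thread or from Cisco), here is a small Python script that parses the "sh ip nat st" output posted above, uses the 160-312 bytes per entry figure from this reply to estimate the NAT table's DRAM footprint, and flags the two conditions discussed in the thread: the active translation count reaching a configured max-entries ceiling, and the overload pool recording misses. The sample output is reconstructed from the thread; the max-entries value passed to the check is a hypothetical operator setting.

```python
import re

# Constructed sample: the relevant lines of Naidu's "sh ip nat st" output.
SAMPLE_NAT_STATS = """\
Total active translations: 3055 (19 static, 3036 dynamic; 3052 extended)
Hits: 486682368  Misses: 6613262
CEF Translated packets: 472312370, CEF Punted packets: 41256015
Expired translations: 12879103
Dynamic mappings:
-- Inside Source
[Id: 0] route-map PINP
[Id: 1] route-map nonat pool nonat refcount 2878
 pool nonat: netmask 255.255.255.248
        start 195.24.2.44 end 195.24.2.44
        type generic, total addresses 1, allocated 1 (100%), misses 34570
-- Outside Destination
[Id: 0] route-map DKRGLDAP
Queued Packets: 0
"""

# Per-entry memory cost quoted in the thread: roughly 160-312 bytes.
BYTES_PER_ENTRY_MIN, BYTES_PER_ENTRY_MAX = 160, 312

def parse_nat_stats(text):
    """Pull the counters that matter for exhaustion out of 'show ip nat statistics'."""
    tot = re.search(r"Total active translations: (\d+) \((\d+) static, (\d+) dynamic", text)
    pool = re.search(r"pool (\S+): .*?allocated (\d+) \((\d+)%\), misses (\d+)", text, re.S)
    misses = re.search(r"Misses: (\d+)", text)  # global miss counter on the Hits line
    return {
        "total": int(tot.group(1)), "static": int(tot.group(2)), "dynamic": int(tot.group(3)),
        "misses": int(misses.group(1)),
        "pool": pool.group(1), "pool_allocated": int(pool.group(2)),
        "pool_pct": int(pool.group(3)), "pool_misses": int(pool.group(4)),
    }

def memory_estimate_bytes(total):
    """(low, high) DRAM estimate for the NAT table using the thread's bytes/entry range."""
    return total * BYTES_PER_ENTRY_MIN, total * BYTES_PER_ENTRY_MAX

def check_exhaustion(stats, max_entries=None, pool_miss_threshold=0):
    """Findings to collect when the SMTP NAT stops working; max_entries is hypothetical."""
    findings = []
    if max_entries is not None and stats["total"] >= max_entries:
        findings.append("max-entries reached: %d/%d" % (stats["total"], max_entries))
    # A one-address overload pool is always 100% allocated; the miss counter is what to watch.
    if stats["pool_pct"] >= 100 and stats["pool_misses"] > pool_miss_threshold:
        findings.append("pool %s fully allocated with %d misses" % (stats["pool"], stats["pool_misses"]))
    return findings
```

Run it against two captures taken minutes apart while opening a new SMTP connection: if the total does not rise and the pool miss counter does, the table is refusing new entries as described above.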
08-17-2009 09:31 PM
Hi Yagnesh,
Well explained, thank you very much for that.
I found in one blog that if we allow the FTP port with any NAT then it will give trouble; is that correct?
Regards,
Naidu.
08-18-2009 07:48 AM
For FTP, if the server uses random ports for communication then it may give you trouble. But it's only limited to the FTP translation. Other translation entries should remain unaffected.