
NAT issues

Unanswered Question
Nov 17th, 2010

I have a site complaining about connectivity dropping out frequently. They have a 2811 router. I turned on "debug ip nat detailed" and I get the following:
*Nov 17 21:27:48.022: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.026: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
*Nov 17 21:27:48.030: NAT*: Can't create new inside entry - forced_punt_flags: 0
I'll get a couple of minutes worth of entries like that then I'll get some normal looking traffic:
*Nov 17 21:29:16.494: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2487]
*Nov 17 21:29:16.494: NAT*: s=198.246.0.22, d=74.207.112.117->10.19.232.115 [2487]
*Nov 17 21:29:16.494: NAT*: i: tcp (10.19.232.115, 1967) -> (198.246.0.22, 110) [39902]
*Nov 17 21:29:16.494: NAT*: s=10.19.232.115->74.207.112.117, d=198.246.0.22 [39902]
*Nov 17 21:29:16.550: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2495]
*Nov 17 21:29:16.550: NAT*: s=198.246.0.22, d=74.207.112.117->10.19.232.115 [2495]
*Nov 17 21:29:16.550: NAT*: i: tcp (10.19.232.115, 1967) -> (198.246.0.22, 110) [39907]
*Nov 17 21:29:16.550: NAT*: s=10.19.232.115->74.207.112.117, d=198.246.0.22 [39907]
*Nov 17 21:29:16.606: NAT*: o: tcp (198.246.0.22, 110) -> (74.207.112.117, 1967) [2507]
Any ideas or pointers on what I should be looking at?

Peter Paluch (Cisco Employee) Wed, 11/17/2010 - 13:28

Hello,


One possibility is that the NAT pool is exhausted and no more translations can be performed at the time. After a couple of minutes, some translation entries expire, resulting in some addresses and/or ports being returned to the NAT pool and becoming available for new translations.


Can you post the relevant parts of the configuration, especially the one concerned with NAT? Also please post the show ip nat statistics command output if possible, especially if taken in the moment of connectivity flap.


Best regards,

Peter

simpsoro2 Wed, 11/17/2010 - 14:45

Here is the configured NAT info:


ip nat pool LAAB-NAT 74.207.112.65 74.207.112.124 netmask 255.255.255.192
ip nat inside source route-map EVAL-NAT pool LAAB-NAT


route-map EVAL-NAT permit 10
match ip address NAT


The site only has 20 computers total. It's an educational institution. So, during the day only 4 of those computers are on. The lab isn't in use until the evening. Here's a typical "show ip nat trans" output:


tcp 74.207.112.116:1206 10.19.232.101:1206 209.85.225.113:80 209.85.225.113:80
tcp 74.207.112.117:2022 10.19.232.115:2022 66.220.145.35:80  66.220.145.35:80
tcp 74.207.112.117:2033 10.19.232.115:2033 66.220.147.33:80  66.220.147.33:80
tcp 74.207.112.117:2034 10.19.232.115:2034 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2035 10.19.232.115:2035 205.177.71.146:80 205.177.71.146:80
tcp 74.207.112.117:2036 10.19.232.115:2036 216.66.31.210:80  216.66.31.210:80
tcp 74.207.112.117:2037 10.19.232.115:2037 216.66.31.192:80  216.66.31.192:80
tcp 74.207.112.114:1844 10.19.235.110:1844 209.8.118.27:80   209.8.118.27:80

simpsoro2 Wed, 11/17/2010 - 15:02

Here is the show ip nat statistics:


Total active translations: 6 (0 static, 6 dynamic; 6 extended)
Outside interfaces:
  Serial0/0/0
Inside interfaces:
  FastEthernet0/0
Hits: 21474931  Misses: 167831
CEF Translated packets: 21584749, CEF Punted packets: 1511812
Expired translations: 168558
Dynamic mappings:
-- Inside Source
[Id: 1] route-map EVAL-NAT pool LAAB-NAT refcount 6
pool LAAB-NAT: netmask 255.255.255.192
        start 74.207.112.65 end 74.207.112.124
        type generic, total addresses 60, allocated 4 (6%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Peter Paluch (Cisco Employee) Wed, 11/17/2010 - 15:37

Hello,


Thank you for the information. Can you please post the NAT ACL as well?


Best regards,

Peter

simpsoro2 Wed, 11/17/2010 - 16:53

ip access-list extended NAT
deny   ip 10.19.224.0 0.0.3.255 10.0.0.0 0.7.255.255
deny   ip 10.19.224.0 0.0.3.255 10.8.0.0 0.7.255.255
deny   ip 10.19.224.0 0.0.3.255 10.16.0.0 0.7.255.255
deny   ip 10.19.232.0 0.0.3.255 10.0.0.0 0.7.255.255
deny   ip 10.19.232.0 0.0.3.255 10.8.0.0 0.7.255.255
deny   ip 10.19.232.0 0.0.3.255 10.16.0.0 0.7.255.255
deny   ip 10.19.232.0 0.0.3.255 192.168.0.0 0.0.0.255
permit ip 10.19.224.0 0.0.3.255 any
permit ip 10.19.232.0 0.0.3.255 any
deny   ip any any

Peter Paluch (Cisco Employee) Wed, 11/17/2010 - 23:41

Hello,


Thank you for your replies. Currently, I do not see any outstanding problems but I have a suggestion:


The router is currently configured to perform dynamic NAT, i.e. 1:1 translation between an internal and an external IP address. If there are no applications requiring this form of NAT, then we could significantly decrease the usage of IP addresses in your pool by using dynamic PAT. That can be accomplished by adding the keyword overload at the end of the ip nat inside source command:


ip nat inside source route-map EVAL-NAT pool LAAB-NAT overload


Would you mind giving this a try?


Best regards,

Peter
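To check the pool-exhaustion hypothesis above against the 1:1 dynamic NAT behaviour Peter describes, the following added example (not from the thread or from Cisco) parses a constructed "show ip nat translations" table in the same format as the one posted, groups translations by inside-local host, and compares the number of pool addresses held against the pool size. The sample rows and the pool boundaries are taken from the thread; the function names are the example's own.

```python
"""Estimate Cisco IOS NAT pool utilisation from 'show ip nat translations' output.

Under 1:1 dynamic NAT (no 'overload') every inside host holds one pool address
for all of its sessions, so the pool is exhausted once the number of distinct
inside hosts reaches the pool size, regardless of how few sessions each opens.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same column layout as the table in the thread.
SAMPLE_TRANSLATIONS = """\
tcp 74.207.112.116:1206 10.19.232.101:1206 209.85.225.113:80 209.85.225.113:80
tcp 74.207.112.117:2022 10.19.232.115:2022 66.220.145.35:80  66.220.145.35:80
tcp 74.207.112.117:2033 10.19.232.115:2033 66.220.147.33:80  66.220.147.33:80
tcp 74.207.112.114:1844 10.19.235.110:1844 209.8.118.27:80   209.8.118.27:80
"""

# Pool boundaries as configured in the thread (ip nat pool LAAB-NAT ...).
POOL_START, POOL_END = "74.207.112.65", "74.207.112.124"

# Columns: proto inside_global inside_local outside_local outside_global
ROW = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)")


def pool_size(start, end):
    """Number of addresses in an inclusive IPv4 range."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def parse_translations(text):
    """Return (proto, inside_global, inside_local) for each translation row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(4)))
    return rows


def pool_usage(text, start, end):
    """Report how many pool addresses the inside hosts currently hold."""
    held = defaultdict(set)  # inside_local -> set of inside_global addresses
    for _proto, inside_global, inside_local in parse_translations(text):
        held[inside_local].add(inside_global)
    in_use = {addr for addrs in held.values() for addr in addrs}
    size = pool_size(start, end)
    return {
        "pool_size": size,
        "hosts": len(held),
        "addresses_in_use": len(in_use),
        "free": size - len(in_use),
        "exhausted": len(in_use) >= size,
    }
```

Run it against a capture taken during a flap: if "exhausted" is true while "hosts" is small, the 1:1 mapping (not session count) is what is consuming the pool, which is exactly the case the overload keyword addresses.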

simpsoro2 Thu, 11/18/2010 - 06:53

I do have an application that may not work properly with PAT. I upgraded the IOS to the latest stable version last night and the errors went away. I am waiting for that office to open this morning in order to conduct some more thorough testing. Hopefully the issue is resolved. If not, I will try testing with PAT.

Peter Paluch (Cisco Employee) Thu, 11/18/2010 - 07:02

Hello,


Sure, give it a try. And please let me know.


Best regards,

Peter
