Tips for tweaking CPU utilization on 1841 doing NAT?

I have a Cisco 1841 handling a remote site with about 50 concurrent users.  Recently, I turned on NAT on the router to provide Internet access to these users via a new ISP.   Unfortunately, now the CPU utilization has moved from less than 5% most of the time to about 100% during peak NAT activity.

The memory utilization seems ok. My configuration uses no source NAT.  It is only plain-vanilla dynamic destination NAT, applying port address translation (PAT) such that only one IP address is used for NAT purposes with the upstream ISP.

Following the troubleshooting guides here:

and here:

confirm that NAT is the culprit, but they do not tell you much about how you can reduce the load on the CPU.   One idea that is mentioned is this:

"The show ip nat translations command displays the Network Address Translation (NAT) translations active on the router. Each active translation generates CPU interrupts and has an impact on the total CPU utilization of the router. A very large number of translations can have a performance impact on the router."

If I shorten the default timers for how long a NAT translation is held open, that does appear to help to drop the CPU load somewhat by aging out stale entries more quickly. For example:

ip nat translation tcp-timeout 30000

What happens if you drop a NAT translation timer too low?   Does the router just drop further packets for that particular NAT translation flow?

Also, I see that CEF translates some packets but that other packets get punted, which is less efficient:

Rtr# sh ip nat statistics
Total active translations: 2674 (0 static, 2674 dynamic; 2674 extended)
Peak translations: 9818, occurred 5d14h ago        <==== before I tweaked the translation timers
Outside interfaces:
Inside interfaces:
Hits: 46248330  Misses: 0
CEF Translated packets: 45890240, CEF Punted packets: 339212
Expired translations: 780343
Dynamic mappings:
-- Inside Source
[Id: 1] access-list A-ROUTE-MAP interface FastEthernet0/0/0 refcount 2674
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Why do some packets get CEF translated and others get punted?
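As an added example, not part of the original post: a small Python script that parses the counters from the "show ip nat statistics" output quoted above and flags when the number of translations per user or the share of packets punted out of CEF crosses a threshold. The 50-user figure comes from the question; the per-user and punt-ratio limits are assumptions for this example, not IOS defaults or vendor guidance.

```python
import re

# Constructed sample in the shape of the 'show ip nat statistics' output quoted in the post.
SAMPLE_OUTPUT = """\
Total active translations: 2674 (0 static, 2674 dynamic; 2674 extended)
Peak translations: 9818, occurred 5d14h ago
Hits: 46248330  Misses: 0
CEF Translated packets: 45890240, CEF Punted packets: 339212
Expired translations: 780343
"""

COUNTERS = {
    "active": r"Total active translations:\s+(\d+)",
    "peak": r"Peak translations:\s+(\d+)",
    "hits": r"Hits:\s+(\d+)",
    "misses": r"Misses:\s+(\d+)",
    "cef_translated": r"CEF Translated packets:\s+(\d+)",
    "cef_punted": r"CEF Punted packets:\s+(\d+)",
    "expired": r"Expired translations:\s+(\d+)",
}

def parse_nat_statistics(text):
    """Extract the integer counters from 'show ip nat statistics' output."""
    stats = {}
    for key, pattern in COUNTERS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"counter not found in output: {key}")
        stats[key] = int(match.group(1))
    return stats

def punt_ratio(stats):
    """Fraction of NAT packets that left the CEF fast path and were process-switched."""
    total = stats["cef_translated"] + stats["cef_punted"]
    return stats["cef_punted"] / total if total else 0.0

def assess(stats, users=50, max_per_user=100, max_punt_ratio=0.01):
    """Return findings worth a look; thresholds are assumptions, empty list means nothing flagged."""
    findings = []
    per_user = stats["active"] / users
    peak_per_user = stats["peak"] / users
    if per_user > max_per_user:
        findings.append(f"{per_user:.0f} active translations per user (limit {max_per_user})")
    if peak_per_user > max_per_user:
        findings.append(f"peak of {peak_per_user:.0f} translations per user (limit {max_per_user})")
    ratio = punt_ratio(stats)
    if ratio > max_punt_ratio:
        findings.append(f"{ratio:.2%} of NAT packets punted from CEF (limit {max_punt_ratio:.0%})")
    return findings
```

Run it periodically against the real output and the per-user translation count gives a quicker signal than the raw total when deciding whether shorter translation timeouts are actually aging entries out.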
