Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3143
Views
4
Helpful
5
Replies

IP NAT ager at 99%

mulhollandm
Level 1
Level 1

‎10-13-2008 03:25 AM - edited ‎03-03-2019 11:54 PM

folks

i have a 3845 cluster (HSRP)with a PAT overload running off an access-list

i can see the IP NAT Ager process running at 73 - 99%

there are no errors on term mon and no dropped packets in cef

i didn't think that the NAT process would be so intensive

while the cpu load is 99% i can only see 12Mb of throughput over a 100Mb internet pipe

anyone any ideaas how i can resolve the high cpu issue

thanks to anyone taking the time to reply

Labels:
0 Helpful
5 Replies 5

satish_zanjurne
Level 4
Level 4

‎10-13-2008 04:41 AM

Can you paste the "show version" & "show process cpu" outout ??

0 Helpful

mulhollandm
Level 1
Level 1
In response to satish_zanjurne

‎10-13-2008 05:27 AM

satish

the relevant line is

190 3176396 109344 29049 96.70% 96.80% 96.66% 0 IP NAT Ager

the version is

isco IOS Software, 3800 Software (C3845-ADVSECURITYK9-M), Version 12.4(21), RELEASE SOFTWARE (fc1)

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to mulhollandm

‎10-13-2008 09:06 AM

Hello Michael,

are you using a route-map with NAT ?

I've found this bug about very high CPU usage caused by NAT with route-map.

CSCef58137 Bug Details

in theory this should not apply to your release but can be a starting point to investigate.

Are you using or not using stateful NAT between the two C3845 ?

If you like you can post a filtered version of your config to get better help

Edit:

I've only seen now you are using an access-list. However the question about stateful NAT should be of interest in your scenario.

Hope to help

Giuseppe

mulhollandm
Level 1
Level 1
In response to Giuseppe Larosa

‎10-13-2008 01:23 PM

giuseppe

many thanks for your post

i think my only option is to move the nat off the 3845s and onto an ASA i have sitting behind it

i'm migrating over 10,000 users onto this new link and i can only see the problem getting worse

thanks again

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to mulhollandm

‎10-14-2008 11:09 AM

Hello Michael,

with 10,000 users the NAT table is becoming very large and with PAT the router is always checking all the NAT sessions to quickly find out if any TCP port can be released and this causes the high cpu usage.

This is the practical limit for PAT on routers.

Trying to use ASA can be a better solution if ASA NAT implementation is better or it has higher performance in this aspect.

We can expect both.

Best Regards

Giuseppe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card