Cisco Support Community
New Member

IP NAT ager at 99%


I have a 3845 cluster (HSRP) with a PAT overload running off an access-list.

I can see the IP NAT Ager process running at 73 - 99%.

There are no errors on term mon and no dropped packets in CEF.

I didn't think that the NAT process would be so intensive.

While the CPU load is 99% I can only see 12Mb of throughput over a 100Mb internet pipe.

Anyone any ideas how I can resolve the high CPU issue?

Thanks to anyone taking the time to reply.


Re: IP NAT ager at 99%

Can you paste the "show version" & "show process cpu" output?

New Member

Re: IP NAT ager at 99%


The relevant line is:

190 3176396 109344 29049 96.70% 96.80% 96.66% 0 IP NAT Ager

The version is:

Cisco IOS Software, 3800 Software (C3845-ADVSECURITYK9-M), Version 12.4(21), RELEASE SOFTWARE (fc1)

Hall of Fame Super Silver

Re: IP NAT ager at 99%

Hello Michael,

Are you using a route-map with NAT?

I've found this bug about very high CPU usage caused by NAT with route-map.

CSCef58137 Bug Details

In theory this should not apply to your release, but it can be a starting point to investigate.

Are you using or not using stateful NAT between the two C3845s?

If you like, you can post a filtered version of your config to get better help.


I've only now seen that you are using an access-list. However, the question about stateful NAT should be of interest in your scenario.

Hope to help


New Member

Re: IP NAT ager at 99%


Many thanks for your post.

I think my only option is to move the NAT off the 3845s and onto an ASA I have sitting behind it.

I'm migrating over 10,000 users onto this new link and I can only see the problem getting worse.

Thanks again.

Hall of Fame Super Silver

Re: IP NAT ager at 99%

Hello Michael,

With 10,000 users the NAT table is becoming very large, and with PAT the router is always checking all the NAT sessions to quickly find out if any TCP port can be released, and this causes the high CPU usage.

This is the practical limit for PAT on routers.

Trying to use ASA can be a better solution if the ASA NAT implementation is better or it has higher performance in this aspect.

We can expect both.

Best Regards

