Are you hitting your NAT limit? Easy command to find out!

Hi Everyone!

The show ip nat translation total command is a handy way to get a running total of how many NAT translations the router currently has in its NAT table:

SDWAN-ROUTER#show ip nat trans total 

Total number of translations: 12032

There are lots of filtering options available by adding the "filter" parameter to the end of the show ip nat trans command. This includes narrowing it down to particular protocols, and even "last-use", which tells you how many NAT entries have been inactive for a certain period of time, for example:

SDWAN-ROUTER#show ip nat trans filter time last-use older-than 04/02/2025 18:00:00 total
Total number of translations: 9492

SDWAN-ROUTER#show ip nat trans filter time last-use older-than 04/02/2025 12:00:00 total
Total number of translations: 4904

The default TCP timeout for NAT connections on Cisco routers these days is kind of silly: it's 24 hours! You can see what your NAT timeout values are with the following command:

SDWAN-ROUTER#show platform software nat F0 timeout
Dump NAT timeout config

  Type: generic, Timeout (sec): 86400, Enabled: Yes
  Type: tcp, Timeout (sec): 86400, Enabled: Yes
  Type: tcp-pptp, Timeout (sec): 86400, Enabled: Yes
  Type: udp, Timeout (sec): 300, Enabled: Yes
  Type: tcp-fin-reset, Timeout (sec): 60, Enabled: Yes
  Type: tcp-syn, Timeout (sec): 60, Enabled: Yes
  Type: dns, Timeout (sec): 60, Enabled: Yes
  Type: icmp, Timeout (sec): 60, Enabled: Yes
  Type: skinny, Timeout (sec): 60, Enabled: Yes
  Type: icmp-error, Timeout (sec): 60, Enabled: Yes
  Type: esp, Timeout (sec): 300, Enabled: Yes
  Type: rtmap, Timeout (sec): 3600, Enabled: Yes

If you have too many NAT translations for your hardware platform, you may start to get misses against it and the NAT translations will be dropped!

To show your platform's max NAT entries limit, the current number of NAT entries, the number of times the max has been exceeded since reboot, and the maximum number of hosts your router has ever had before exceeding its limit (i.e. the high water mark), use the following command:

SDWAN-ROUTER#show platform hardware qfp active feature nat datapath limit

maxhost_limit 16384 maxhost_count 1890 maxhost_fail 57326710911139840 maxhost_himark 16384

To resolve this issue for this customer, I set the tcp timeout to 3600:

ip nat translation tcp-timeout 3600
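
As an added example (my own script, not part of the original post), here is a small Python parser for the two outputs above that flags the conditions the post describes: a TCP timeout above 3600 seconds, a table close to its platform limit, a non-zero maxhost_fail, or a high-water mark that has hit the limit. The 80% utilisation warning threshold is an assumption of mine, and the sample text is a trimmed copy of the post's output.

```python
import re

# Constructed sample input: the two outputs quoted in the post above,
# trimmed to a few lines (the real CLI output has more Type: rows).
TIMEOUT_OUTPUT = """Dump NAT timeout config

  Type: generic, Timeout (sec): 86400, Enabled: Yes
  Type: tcp, Timeout (sec): 86400, Enabled: Yes
  Type: udp, Timeout (sec): 300, Enabled: Yes
  Type: tcp-fin-reset, Timeout (sec): 60, Enabled: Yes
"""
LIMIT_OUTPUT = ("maxhost_limit 16384 maxhost_count 1890 "
                "maxhost_fail 57326710911139840 maxhost_himark 16384")

TIMEOUT_RE = re.compile(
    r"Type:\s*(?P<type>[\w-]+),\s*Timeout \(sec\):\s*(?P<secs>\d+),\s*Enabled:\s*(?P<en>\w+)")
LIMIT_RE = re.compile(r"(maxhost_\w+)\s+(\d+)")


def parse_timeouts(text):
    """Map NAT timeout type -> (seconds, enabled) from 'show platform software nat F0 timeout'."""
    return {m["type"]: (int(m["secs"]), m["en"] == "Yes") for m in TIMEOUT_RE.finditer(text)}


def parse_limits(text):
    """Map maxhost_* counter name -> value from the qfp 'nat datapath limit' line."""
    return {name: int(value) for name, value in LIMIT_RE.findall(text)}


def assess(timeouts, limits, tcp_max=3600, util_warn=0.8):
    """Return a list of findings; an empty list means nothing needs attention."""
    findings = []
    tcp = timeouts.get("tcp")
    if tcp and tcp[1] and tcp[0] > tcp_max:
        findings.append(f"tcp timeout {tcp[0]}s > {tcp_max}s: "
                        f"consider 'ip nat translation tcp-timeout {tcp_max}'")
    limit = limits.get("maxhost_limit", 0)
    count = limits.get("maxhost_count", 0)
    if limit and count / limit >= util_warn:  # 80% is an assumed threshold
        findings.append(f"NAT table at {count}/{limit} entries ({count / limit:.0%})")
    if limits.get("maxhost_fail", 0) > 0:
        findings.append("maxhost_fail > 0: the limit has been exceeded since reboot")
    if limit and limits.get("maxhost_himark", 0) >= limit:
        findings.append("maxhost_himark reached the platform limit")
    return findings


if __name__ == "__main__":
    for line in assess(parse_timeouts(TIMEOUT_OUTPUT), parse_limits(LIMIT_OUTPUT)):
        print("WARNING:", line)
```

Feed it the real output captured over SSH from each router and you get a quick fleet-wide check of which boxes are at risk of dropping translations.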

I hope this helps someone out there!


Don't underestimate the handy ability on vManage and vSmart to get to the Linux underneath; it can save your bacon!

A perfect example for me was an issue where I could not ping a public TLOC address from vManage or either of the vSmarts, yet that address replied from anywhere else, AND when I changed the TLOC address on the vEdge to something else in the same network range, it replied to pings!

This meant we KNEW the issue was on the vSmart. But it was very hard to get the vSmart to show me its next-hop, so eventually I found that if you log in to the vshell you can actually run the ip route show command....


vmanage-0# vshell
vmanage-0:~$ /sbin/ip route show| grep blackhole
blackhole 71.22.44.5

Obviously I have changed IP addresses to protect the innocent, but in this example the IP I could not reach was 71.22.44.5. I had run into this bug:
