Are you hitting your NAT limit? Easy command to find out!

Hi Everyone!

The show ip nat translation total command is a handy way to get a running total of how many NAT translations the router currently has in its NAT table:

SDWAN-ROUTER#show ip nat trans total

Total number of translations: 12032

The "filter" keyword at the end of the show ip nat trans command gives you many ways to narrow the count down, including by protocol and by "last-use", which tells you how many NAT entries have been inactive since a given point in time, for example:

SDWAN-ROUTER#show ip nat trans filter time last-use older-than 04/02/2025 18:00:00 total
Total number of translations: 9492

SDWAN-ROUTER#show ip nat trans filter time last-use older-than 04/02/2025 12:00:00 total
Total number of translations: 4904

The default TCP timeout for NAT translations on Cisco routers these days is kind of silly: it's 24 hours! You can see what your NAT timeout values are with the following command:

SDWAN-ROUTER#show platform software nat F0 timeout
Dump NAT timeout config

  Type: generic, Timeout (sec): 86400, Enabled: Yes
  Type: tcp, Timeout (sec): 86400, Enabled: Yes
  Type: tcp-pptp, Timeout (sec): 86400, Enabled: Yes
  Type: udp, Timeout (sec): 300, Enabled: Yes
  Type: tcp-fin-reset, Timeout (sec): 60, Enabled: Yes
  Type: tcp-syn, Timeout (sec): 60, Enabled: Yes
  Type: dns, Timeout (sec): 60, Enabled: Yes
  Type: icmp, Timeout (sec): 60, Enabled: Yes
  Type: skinny, Timeout (sec): 60, Enabled: Yes
  Type: icmp-error, Timeout (sec): 60, Enabled: Yes
  Type: esp, Timeout (sec): 300, Enabled: Yes
  Type: rtmap, Timeout (sec): 3600, Enabled: Yes

If you have more NAT translations than your hardware platform can hold, allocations will start to miss against the table and new NAT translations will be dropped!

To show your platform's maximum NAT entries limit, the current number of NAT entries, the number of times that the maximum has been exceeded since reboot, and the highest number of hosts the router has ever had before exceeding its limit (i.e. the high-water mark), use the following command:

SDWAN-ROUTER#show platform hardware qfp active feature nat datapath limit

maxhost_limit 16384 maxhost_count 1890 maxhost_fail 57326710911139840 maxhost_himark 16384
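If you want to watch these numbers rather than eyeball them, the timeout dump and the datapath limit line are easy to parse. The following Python is an added example of mine, not part of the original post: it parses sample text modelled on the two outputs above (the sample strings are constructed for the example), computes how full the NAT table is, flags a high-water mark that has already hit the platform limit, and flags a TCP timeout above a threshold you choose (3600 seconds here, matching the fix applied later in the post). The warning percentage and timeout threshold are my assumptions, not router defaults.

```python
import re

# Constructed sample, modelled on "show platform software nat F0 timeout" output.
TIMEOUT_DUMP = """Dump NAT timeout config

  Type: generic, Timeout (sec): 86400, Enabled: Yes
  Type: tcp, Timeout (sec): 86400, Enabled: Yes
  Type: udp, Timeout (sec): 300, Enabled: Yes
  Type: tcp-fin-reset, Timeout (sec): 60, Enabled: Yes
"""

# Constructed sample, modelled on "show platform hardware qfp active feature nat datapath limit".
LIMIT_LINE = ("maxhost_limit 16384 maxhost_count 1890 "
              "maxhost_fail 57326710911139840 maxhost_himark 16384")

TIMEOUT_RE = re.compile(r"Type:\s*(\S+),\s*Timeout \(sec\):\s*(\d+),\s*Enabled:\s*(Yes|No)")
LIMIT_RE = re.compile(r"(maxhost_\w+)\s+(\d+)")


def parse_timeouts(text):
    """Return {nat_type: (timeout_seconds, enabled)} from the timeout dump."""
    return {m.group(1): (int(m.group(2)), m.group(3) == "Yes")
            for m in TIMEOUT_RE.finditer(text)}


def parse_limits(line):
    """Return {'maxhost_limit': int, 'maxhost_count': int, ...} from the limit line."""
    return {name: int(value) for name, value in LIMIT_RE.findall(line)}


def assess(timeouts, limits, warn_pct=80, max_tcp_timeout=3600):
    """Return a list of human-readable findings; an empty list means nothing to worry about.

    warn_pct and max_tcp_timeout are thresholds chosen for this example (assumptions)."""
    findings = []

    used_pct = 100.0 * limits["maxhost_count"] / limits["maxhost_limit"]
    if used_pct >= warn_pct:
        findings.append(f"NAT table is at {used_pct:.1f}% of the platform limit")

    # A high-water mark equal to the limit means the table has already filled up at least once.
    if limits["maxhost_himark"] >= limits["maxhost_limit"]:
        findings.append("high-water mark reached the platform limit; translations have been dropped")

    if limits["maxhost_fail"] > 0:
        findings.append(f"limit exceeded {limits['maxhost_fail']} times since reboot")

    tcp = timeouts.get("tcp")
    if tcp and tcp[1] and tcp[0] > max_tcp_timeout:
        findings.append(f"tcp timeout is {tcp[0]}s; consider "
                        f"'ip nat translation tcp-timeout {max_tcp_timeout}'")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_timeouts(TIMEOUT_DUMP), parse_limits(LIMIT_LINE)):
        print("WARNING:", finding)
```

Run against the sample, the current count (1890 of 16384) is well under the warning line, but the high-water mark, the non-zero fail counter and the 24-hour TCP timeout all produce warnings, which is exactly the picture the outputs above describe. Feed it the real command output captured from your own router (for example over SSH with a library such as Netmiko) and run it on a schedule to catch the table filling up before users notice.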


To resolve this issue for this customer, I set the tcp timeout to 3600:

ip nat translation tcp-timeout 3600

I hope this helps someone out there!

