NAT problem? Large amount of NAT translations.
I have a client with a particular site who complains constantly of performance.
They have an 871 at the remote location with 4 IPsec tunnels, built over WAN connections to their provider hosting the database and software.
There are about 50 people who work at this place, but I show 3410 current connections with a peak of 14703. I don't see how that's possible with only 50 people, and I am starting to lean towards the NAT config, which may be the cause of the poor performance that users encounter.
Auffen_Washington#show ip nat statistics
Total active translations: 3410 (0 static, 3410 dynamic; 3410 extended)
Peak translations: 14703, occurred 2d05h ago
Outside interfaces:
 FastEthernet4, Tunnel401, Tunnel0, Tunnel11, Vlan3, Tunnel101, Tunnel201
 Tunnel301
Inside interfaces:
 Vlan1, Vlan2
Hits: 574573468 Misses: 0
CEF Translated packets: 566630850, CEF Punted packets: 45186206
Expired translations: 10381404
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT_Wireless_DMS interface Loopback1 refcount 0
[Id: 2] route-map NAT_Failover interface Vlan3 refcount 0
[Id: 3] route-map NAT_Primary interface FastEthernet4 refcount 3410
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Any help would be greatly appreciated.
Thank you
Russell Stamey
NAT translations, by default, remain active for a very long time. If I remember correctly, it is 24 hours, but I would have to look it up to be sure. They don't take a lot of memory, so this isn't normally a problem, but if you encounter conditions that you think may be due to this, it is quite easy to limit the timeout.
ip nat translation timeout 1800
This will set the timeout for new connections to half an hour. Existing connections will still keep their original timeouts, so you might want to wait for a slow period to make the change and then issue a "clear ip nat translation *" right away to clear the existing translations.
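One way to check whether a handful of hosts hold most of the translations behind a count like the 3410 above, as an added example that is not part of the original thread. It assumes the output of "show ip nat translations" has been saved as text; the sample rows, addresses and the 50% share threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Dynamic rows start with a protocol; header and static ("---") rows do not match.
ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def build_sample():
    """Constructed 'show ip nat translations' capture: two quiet hosts, one noisy."""
    rows = [
        "Pro Inside global      Inside local       Outside local      Outside global",
        "--- 203.0.113.5        192.168.1.1        ---                ---",
        "tcp 203.0.113.2:1024   192.168.1.10:51000 198.51.100.5:443   198.51.100.5:443",
        "udp 203.0.113.2:1025   192.168.1.11:53124 198.51.100.53:53   198.51.100.53:53",
    ]
    for i in range(1, 41):  # 192.168.1.23 holds 40 translations to 40 destinations
        dst = f"198.51.100.{100 + i}:50000"
        rows.append(f"udp 203.0.113.2:{2000 + i}   192.168.1.23:{40000 + i} {dst} {dst}")
    return "\n".join(rows)

def per_host(text):
    """Return {inside_local_ip: (translation_count, distinct_outside_ips)}."""
    count, dests = defaultdict(int), defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        inside_local = m.group(3).rsplit(":", 1)[0]
        outside_global = m.group(5).rsplit(":", 1)[0]
        count[inside_local] += 1
        dests[inside_local].add(outside_global)
    return {h: (count[h], len(dests[h])) for h in count}

def noisy_hosts(text, share=0.5):
    """Inside hosts that hold at least `share` of all dynamic translations."""
    stats = per_host(text)
    total = sum(c for c, _ in stats.values())
    return sorted(h for h, (c, _) in stats.items() if total and c / total >= share)

if __name__ == "__main__":
    sample = build_sample()
    ranked = sorted(per_host(sample).items(), key=lambda kv: -kv[1][0])
    for host, (n, d) in ranked:
        print(f"{host:15} translations={n:4} distinct_destinations={d}")
    print("noisy:", noisy_hosts(sample))
```

A single inside address with a large share of the table and many distinct destinations is the host to look at before changing timeouts.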
Similar Questions
-
IOS IPSEC VPN with NAT - translation problem
I'm having a problem with IOS IPSEC VPN configuration.
/*
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
!
crypto map CRYPTO-map 10 ipsec-isakmp
 set peer 205.xx.1.4
 set transform-set CHAIN
 match address 115
!
interface FastEthernet0/0
 description FOR the EDGE ROUTER
 ip address 208.xx.xx.33 255.255.255.252
 ip nat outside
 crypto map CRYPTO-map
!
interface FastEthernet0/1
 description INTERNAL NETWORK
 ip address 10.15.2.4 255.255.255.0
 ip nat inside
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete / NAT configuration needed)
Here is the solution that I'm looking for:
When a session is initiated from the "internal network" to the "remote IPSEC - 172.xx.1.0/30" network, I want the "10.15.0.0/16" address scheme to be NAT translated to "192.xx.xx.128/30" before forwarding via the IPSEC VPN tunnel.
For more information, see the attached diagram.
Any help is greatly appreciated!
Thank you
Clint Simmons
Network engineer
You can try the following NAT + route map approach (method 2 in this link)
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thank you
Raja K
-
Cannot ping via the VPN client host when static NAT translations are used
Hello, I have an ISR 3825 configured for Cisco VPN client access.
There are also several hosts on the internal network that have static NAT translations for outward-facing services.
Everything works as expected, with the exception that once connected via the VPN client I cannot ping hosts on the internal network whose internal IP addresses have static NAT translations to external public addresses; I can ping any host that does not have a static NAT translation.
For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping the internal interface of the router and any other host on the LAN, and I can ping all hosts from the router itself.
Any help would be appreciated.
Regards
!
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key S3Cu4Ke!
 dns 192.168.1.1 192.168.1.2
 domain domain.com
 pool dhcppool
 acl 198
 save-password
 pfs
 netmask 255.255.255.0
!
!
crypto ipsec transform-set 3DES-SECURE esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set security-association lifetime seconds 86400
 set transform-set 3DES-SECURE
 reverse-route
!
crypto map cryptomap client authentication list drauthen
crypto map cryptomap isakmp authorization list drauthor
crypto map cryptomap client configuration address respond
crypto map cryptomap 65535 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 ip nat outside
 ip address 1.2.3.4 255.255.255.240
 crypto map cryptomap
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip local pool dhcppool 192.168.2.50 192.168.2.100
!
access-list 198 remark * Split Tunnel encrypted traffic *
access-list 198 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 199 remark * NAT0 ACL *
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
route-map sheep permit 10
 match ip address 199
!
ip nat inside source route-map sheep interface GigabitEthernet0/0 overload
!
ip nat inside source static 192.168.1.1 1.2.3.5
ip nat inside source static 192.168.1.2 1.2.3.6
The problem seems to be that static NAT takes precedence over your NAT exemption.
The solution would be:
ip nat inside source static 192.168.1.1 1.2.3.5 route-map sheep
ip nat inside source static 192.168.1.2 1.2.3.6 route-map sheep
HTH
Herbert
-
I have an e-mail with quite a large amount of attachments sitting in the Outbox in WINDOWS MAIL. In my view, the attachments are the cause of the problem. As soon as I open the mailbox, the arrow in the bottom right corner shows 'sending mail'. It just continually tries to send it, so I cannot receive or send other e-mails. I tried to delete this mail in the Outbox by highlighting it and clicking 'delete', but nothing happens. I have a Compaq Presario SR 5633 WM desktop.
Original title: sending mail windows problem
Check first to work offline, and then delete the Outbox.
-
Massive static NAT translations
I have to perform a lot of NAT translations on a router (more than 300) for a management issue and I would like to find a way to do it without having to define each NAT command on the router.
Is it possible to do? I thought to use wildcards or something of the sort, but don't know if it's possible.
Thank you very much
Enric
Then this might help you.
ip nat inside source static network 10.10.10.0 192.168.17.0 /24
In this example, NAT will translate only the first three bytes (24 bits), leaving the rest untouched.
For example, 10.10.10.27 becomes 192.168.17.27,
10.10.10.141 will become 192.168.17.141, and so on and so forth.
-
Understand the NAT translation with route map
Hello
I am trying to configure an EZVPN server on an ASA and an EZVPN client on an 881 router. I found the following NAT translation for the client side in the documentation.
My confusion is why I should use the deny statement in the access list. If anyone can explain this, I would appreciate it.
ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
route-map EzVPN1 permit 1
 match ip address 103
Hello
So here is the explanation for the "deny" statement in the ACL for NATing.
Based on the config, 192.168.3.x here is the network behind your 881 and 192.168.2.x is the network behind the ASA. Let's suppose you're trying to set up a connection between 192.168.2.10 and 192.168.3.10. When this packet is delivered to the 881, it first checks the ingress features on the incoming interface (such as the ACL, policy, service-policy, etc.), and before checking the IPsec security associations, it checks the NAT configuration.
Now, your IPsec security association will specify that traffic between 192.168.2.x and 192.168.3.x is to be encrypted and then sent. If we do not have the "deny" statement in the ACL, the 881 will NAT the incoming packets, and the source IP in the packet will get changed to the IP address of the Fa4 interface.
This no longer matches the IPsec SA configuration, and the packet therefore does not get encrypted. Therefore, we must have the "deny" statements to ensure that VPN traffic is not NATed and is therefore encrypted correctly.
Hope this helps!
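The effect of the "deny" line described in the answer above, as an added example that is not part of the original thread: a small first-match evaluator for IOS extended ACL entries, run with and without the deny line of ACL 103. The crypto ACL (number 150) standing in for the IPsec SA's traffic selectors and the outside address are assumptions, since the thread does not show them.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC SWILD (DST DWILD | any)'."""
    t = line.split()
    action, src, swild = t[2], t[4], t[5]
    dst, dwild = ("0.0.0.0", "255.255.255.255") if t[6] == "any" else (t[6], t[7])
    return action, src, swild, dst, dwild

def acl_permits(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, s, sw, d, dw in map(parse_ace, acl):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

# ACL 103 from the thread: selects traffic for NAT overload via route-map EzVPN1.
NAT_ACL = [
    "access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 103 permit ip 192.168.3.0 0.0.0.255 any",
]
NAT_ACL_NO_DENY = NAT_ACL[1:]  # same ACL with the deny line left out

# Assumed stand-in for the IPsec SA's traffic selectors (not shown in the thread).
CRYPTO_ACL = ["access-list 150 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255"]
OUTSIDE_IP = "203.0.113.10"  # constructed address for FastEthernet4

def forward(nat_acl, src, dst):
    """NAT decision first, then the IPsec match, in the order the answer gives."""
    natted = acl_permits(nat_acl, src, dst)
    wire_src = OUTSIDE_IP if natted else src
    encrypted = acl_permits(CRYPTO_ACL, wire_src, dst)
    return wire_src, encrypted

if __name__ == "__main__":
    for name, acl in (("with deny", NAT_ACL), ("without deny", NAT_ACL_NO_DENY)):
        print(name, forward(acl, "192.168.3.10", "192.168.2.10"))
    print("internet", forward(NAT_ACL, "192.168.3.10", "198.51.100.7"))
```

Without the deny line the packet leaves with the outside address as its source, no longer matches the tunnel's selectors, and is sent unencrypted.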
-
Update of Microsoft using large amounts of resources
I have 2 computers where Microsoft Update is using a large amount of RAM. Wuauclt.exe and svchost.exe eat so much memory that the updates do not complete. This has been happening for a few weeks and I have only just been told. I have reset the updates, which did not help. I disabled Microsoft Updates, which seems to fix the problem. One system has 512 MB of RAM and Norton AV, the other has 1 GB of RAM and NOD32.
Hi Chris,
Method 1:
First of all, I suggest you enable Microsoft Updates for your computer. Run an online scan of your computer from the link given below, because this can be a problem if your computer is infected by viruses or malware.
http://OneCare.live.com/site/en-us/default.htm
Method 2:
In addition, I would suggest you use the System File Checker tool (SFC.exe) to determine which file is causing the problem and then replace the file. To do this, follow the link below.
Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)
http://support.Microsoft.com/kb/310747/en-us
Hope this information is useful.
Amrita M
Microsoft Answers Support Engineer
Visit our Microsoft Answers feedback forum and let us know what you think.
-
Memory management by displaying the large amount of data
Hello
I have a requirement to display the large amount of data on the front in table 2 & 7 graphic during the time period 100hrs for 3 channels, data read from strings must be written in the binary file, and then converted and displayed in front of the Panel for 3 channels respectively.
If I get 36 samples after conversion for all hours, up to 83 h 2388 samples displayed in table and graphical data are thin and samples correspond exactly.
After that 90 hours 45 minutes late is observed after theoretical calculation of samples, what could be the problem
I have controller dual-core PXI8108 with 1 GB of ram
As DFGray says, there is no problem with the RAM or display; the problem is with the conversion (timing issue). If I am converting a large amount of data it takes longer, compared to converting a smaller amount of data. So I modified it so that each 1 sec data point is converted at once; problem solved.
Thanks for your replies
-
Spooler SubSystem App process in Windows consumes a large amount of memory
Hello
I have HP B110a (all in a single combo)
The system is Windows 8.1
Drivers - HP's new web site.
There is no problem with installation and connection via USB and wireless.
But I noticed a problem with Wi-Fi: the Spooler SubSystem App process (spoolsv.exe) consumes a large amount of RAM, even 1.5 GB! I note that the C:\Windows\System32\spool\PRINTERS folder is empty. It happens when the printer is in sleep mode, not printing or scanning.
Problem does not occur for the USB connection.
Any advice? I think that this is a problem in the printer driver.
I will be grateful for your help, because I can't use all the features of the device.
Best regards, Masson
Hi man,
I understand that you have all the features of your HP B110a. I recommend that you use the HP Print and Scan Doctor.
The HP Print and Scan Doctor is a free utility (tool) that helps to quickly solve common printing, scanning and connectivity problems. HP recommends that you run the tool every time that you need to solve a problem.
The Print and Scan Doctor diagnoses and resolves common printing, scanning and connectivity problems, including:
-
When I scroll with the wheel of the Microsoft Wireless Mobile Mouse, it jumps instead of sliding to the bottom of the page. It ignores even the large amounts. Can this be solved? Rose
Hi Rose,
Does the problem occur in specific applications?
This can be for one of the following reasons:
1. The wrong mouse is selected in the IntelliPoint software.
2. Conflict with other (non-Microsoft) mouse or pointer software.
3. Problem with the IntelliPoint software or drivers.
4. The application does not correctly recognize mouse scrolling messages.
I suggest you go to the link and follow the steps in the KB article:
The problems with the mouse button or scroll the parameters
Note: Put the computer back in normal mode after troubleshooting in clean boot mode.
Hope this solves the problem. If the problem persists, you can write to us and we will be happy to help you further.
-
Using a network location, I mapped a drive to an off-site FTP server; during the transfer of very large amounts the login information is always lost. The computer's power settings are configured not to do anything no matter what. I'm assuming that the FTP server may impose a timeout scenario, but is there a way for my computer and Windows to restart the file transfer?
Hello
Thanks for posting your question in the Microsoft Community forums.
I see from the description of the problem that you have a problem with networking on the FTP server.
The question you posted would be better suited to the TechNet forums. I would post the query at the link below.
http://social.technet.Microsoft.com/forums/en/w7itpronetworking/threads
Hope this information helps you. If you need additional help or information on Windows, I'll be happy to help you. We, at Microsoft, strive for excellence.
-
AppleMobileDeviceService.exe use a large amount of memory
Original title: Applemobiledeviceservice.exe
I am running XP Professional and have installed MSE on the computer as my antivirus software. I have 2 GB of memory and have recently added SpeedyPC Pro to improve performance. Today my PC was slow, so I opened the Task Manager and saw that applemobiledeviceservice.exe was using a large amount of memory. I think my daughter added it years back, but she no longer uses this computer. Do I need it? If not, how can I remove it?
See you soon
SpeedyPC... what a scam.
Ask the question in the Apple Forums:
https://discussions.Apple.com/index.jspa
-
The weekly backup of Rescue and Recovery has suddenly started to take hours, although I haven't changed anything, and uses a large amount of hard disk space. I tried removing some previous backups and it seemed to work OK, and then all of a sudden it decided to do the same thing. I tried a previous restore point and it helped for a while, and now it has just made a backup taking 4 hours and 20 GB of hard drive space. Is this a fault, and is there anything I can do?
-
Not sure if this should be in performance/maintenance or hardware/drivers.
Hello. I was wondering about the usb2, eSATA and a bit on the usb3. I have usb2 and eSATA on my systems.
Someone I work with told me that there may be corrupted data if you transfer large amounts of data via USB2. It is best to break up your files to move, copy, etc., he said. My colleague told me earlier that anything more than 30 or 40 GB start to be transferred correctly from external factors or for some reason any.
These issues apply to eSATA or Usb3? I guess not, since these other methods are designed to transfer large amounts of data.
Is this true? Is this due to material limitations? What is the recommended size of transfer? It's Windows XP, Vista or 7 limits?
Any info or links are appreciated.
Thank you.
I have never heard of something like this before and have done some fairly large data movements in the past. I would recommend using the program Robocopy in Windows Vista/Windows 7 (and available for Windows XP as a download add-on) to drag the move instead of type / move, given that Robocopy includes a number of features and security provisions that are not present in the case.
-
Impossible to transfer large amounts of data more than 10 GB
Original title: the maximum data transfer size?
I recently installed an eSata controller card in location faster PCIex-1 of my computer to benefit from a transfer of data to and from my Fantom drives GreenDrive, of 2 TB external HARD drive. When I started to copy the files from that drive to a new drive HARD internal, I recently installed I could not transfer large amounts of data more than 10 GB. The pop-up message indicating files preparing to copy, then nothing would pass. When I copy or cut smaller amounts of data all works fine. Perplexed...
I think I got the question. It seems that some of the files I transfer were problematic. When I transferred in small amounts, I was then invited for what I wanted to do about these files. Thanks for the reply!