Re: IP NAT Ager Consuming 98% of CPU Pro from karim jamali on 2010-09-20 (Ccielab archives 09/2010)

From: karim jamali <karim.jamali_at_gmail.com>
Date: Mon, 20 Sep 2010 21:11:54 +0300

Thank You guys for your support. Below are the configurations:

int gi0/1
ip nat inside

int dialer1
ip nat outside

ip nat inside source list BATAL-RUH-USERS interface Dialer1 overload
ip nat inside source static 192.168.2.234 78.93.56.234
ip nat inside source static 192.168.2.235 78.93.56.235
ip nat inside source static 192.168.2.236 78.93.56.236
ip nat inside source static 192.168.2.237 78.93.56.237
ip nat inside source static 192.168.2.238 78.93.56.238

Extended IP access list BATAL-RUH-USERS
    10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (5 matches)
    20 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    30 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
    40 deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    50 permit ip 192.168.2.0 0.0.0.255 any (3091 matches)

On Mon, Sep 20, 2010 at 8:11 PM, Jeferson Guardia <jefersonf_at_gmail.com>wrote:

> Paste your configs here so we can advise you the best way to tune your nat
> config, there are a few ways that you can limit the max nat entry value on a
> router and this has showed to be quite useful in the past.
>
> Brgs,
>
> 2010/9/20 Shahid Ansari <shahid1357_at_gmail.com>
>
> This can be happen If you have many translation generated by third party
>> programs or Virus.
>> when you are enabled NAT ,dont allow any to any in access-list and make it
>> more specific
>> The best way to troubleshoot it by enabling netflow ...
>> Can you post
>> Show process Cpu
>> Show nat translation
>> show ip cache flow
>>
>> change default nat timeout value too..
>>
>> Thanks
>> Shahid Ansari
>>
>>
>>
>> On Mon, Sep 20, 2010 at 7:46 PM, karim jamali <karim.jamali_at_gmail.com
>> >wrote:
>>
>> > Dear Experts,
>> >
>> > I have faced a problem with one of the Routers at a customer site having
>> > the
>> > NAT Ager process consuming 98% of CPU. I am trying to understand the
>> > reason,
>> > however up till now I am not able.
>> >
>> > I would truly appreciate your input as I have 4 sites with the same
>> > configuration and I haven't been able to spot the difference that caused
>> > this problem.
>> >
>> > Thanks
>> >
>> > --
>> > KJ
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>

-- 
KJ
Blogs and organic groups at http://www.ccie.net

Received on Mon Sep 20 2010 - 21:11:54 ART

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART