Re: IP NAT Ager Consuming 98% of CPU Pro

From: Alessandro Braga <sandro.unix_at_gmail.com>
Date: Mon, 20 Sep 2010 17:57:16 -0300

Karim,

I think you should check the CEF. You may use this command "show ip cef".

Regards,
AB

2010/9/20 Jeferson Guardia <jefersonf_at_gmail.com>:
> Try implementing it:
>
> ip nat translation max-entries <n>
> ip nat translation udp-timeout <seconds>
> ip nat translation dns-timeout <seconds>
> ip nat translation tcp-timeout <seconds>
> ip nat translation finrst-timeout <seconds>
>
>
> Also please paste "sh run | inc ip route", and make sure you are not using any
> broadcast interface as the next hop on any static. I've seen those happen
> and crash many routers before; always specify the next hop IP address.
>
> Tune your NAT settings, implement, wait, verify and observe, get back to us
> with positive results :-)
>
> Rgs,
>
> 2010/9/20 karim jamali <karim.jamali_at_gmail.com>
>
>> Sure! Appreciate your help.
>>
>> However, for some reason after I reloaded the router the CPU calmed
>> down, but I still want to prevent it if I can.
>>
>> Total active translations: 549 (5 static, 544 dynamic; 544 extended)
>> Peak translations: 877, occurred 00:15:32 ago
>> Outside interfaces:
>> GigabitEthernet0/0, Dialer1, Virtual-Access2
>> Inside interfaces:
>> GigabitEthernet0/1, VoIP-Null0
>> Hits: 32354 Misses: 0
>> CEF Translated packets: 4157, CEF Punted packets: 28196
>> Expired translations: 3732
>> Dynamic mappings:
>> -- Inside Source
>> [Id: 1] access-list BATAL-RUH-USERS interface Dialer1 refcount 543
>> Appl doors: 0
>> Normal doors: 0
>> Queued Packets: 0
>>
>> On Mon, Sep 20, 2010 at 9:15 PM, Shaughn Smith <maniac.smg_at_gmail.com>
>> wrote:
>>
>> > Can you do a sh ip nat statistics and send the output?
>> >
>> > CCIE # 23962 (SP)
>> >
>> > Sent from my iPhone 3GS
>> >
>> > On 20 Sep 2010, at 8:11 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>> >
>> > > Thank you guys for your support. Below are the configurations:
>> > >
>> > > int gi0/1
>> > > ip nat inside
>> > >
>> > > int dialer1
>> > > ip nat outside
>> > >
>> > > ip nat inside source list BATAL-RUH-USERS interface Dialer1 overload
>> > > ip nat inside source static 192.168.2.234 78.93.56.234
>> > > ip nat inside source static 192.168.2.235 78.93.56.235
>> > > ip nat inside source static 192.168.2.236 78.93.56.236
>> > > ip nat inside source static 192.168.2.237 78.93.56.237
>> > > ip nat inside source static 192.168.2.238 78.93.56.238
>> > >
>> > > Extended IP access list BATAL-RUH-USERS
>> > > 10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (5 matches)
>> > > 20 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
>> > > 30 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>> > > 40 deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
>> > > 50 permit ip 192.168.2.0 0.0.0.255 any (3091 matches)
>> > >
>> > >
>> > > On Mon, Sep 20, 2010 at 8:11 PM, Jeferson Guardia <jefersonf_at_gmail.com> wrote:
>> > >
>> > >> Paste your configs here so we can advise you the best way to tune your
>> > >> NAT config; there are a few ways that you can limit the max NAT entry
>> > >> value on a router, and this has proven quite useful in the past.
>> > >>
>> > >> Brgs,
>> > >>
>> > >> 2010/9/20 Shahid Ansari <shahid1357_at_gmail.com>
>> > >>
>> > >>> This can happen if you have many translations generated by third-party
>> > >>> programs or a virus.
>> > >>> When you have NAT enabled, don't allow any-to-any in the access-list;
>> > >>> make it more specific.
>> > >>> The best way to troubleshoot it is by enabling NetFlow ...
>> > >>> Can you post:
>> > >>> show process cpu
>> > >>> show nat translation
>> > >>> show ip cache flow
>> > >>>
>> > >>> Change the default NAT timeout value too.
>> > >>>
>> > >>> Thanks
>> > >>> Shahid Ansari
>> > >>>
>> > >>>
>> > >>>
>> > >>> On Mon, Sep 20, 2010 at 7:46 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>> > >>>
>> > >>>> Dear Experts,
>> > >>>>
>> > >>>> I have faced a problem with one of the routers at a customer site
>> > >>>> having the NAT Ager process consuming 98% of CPU. I am trying to
>> > >>>> understand the reason; however, up till now I have not been able to.
>> > >>>>
>> > >>>> I would truly appreciate your input as I have 4 sites with the same
>> > >>>> configuration and I haven't been able to spot the difference that
>> > >>>> caused this problem.
>> > >>>>
>> > >>>> Thanks
>> > >>>>
>> > >>>> --
>> > >>>> KJ
>> > >>>>
>> > >>>>
>> > >>>> Blogs and organic groups at http://www.ccie.net
>> > >>>>
>> > >>>> _______________________________________________________________________
>> > >>>> Subscription information may be found at:
>> > >>>> http://www.groupstudy.com/list/CCIELab.html
>> > >>>
>> > >>>
>> > >>
>> > >
>> > >
>> > > --
>> > > KJ
>> > >
>> >
>>
>>
>>
>> --
>> KJ
>>
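As an added illustration (not code from any poster in this thread), a small Python helper that pulls the counters Karim posted out of "show ip nat statistics" output and flags the two things the replies point at: a high CEF punt ratio (Alessandro's CEF check; punted NAT packets are process-switched and cost CPU) and a peak translation count close to the "ip nat translation max-entries" value Jeferson proposed. The sample text is constructed from the figures quoted in the thread; the function names and the warning thresholds are assumptions.

```python
import re

# Constructed sample, modelled on the "show ip nat statistics" output quoted in this thread.
SAMPLE = """\
Total active translations: 549 (5 static, 544 dynamic; 544 extended)
Peak translations: 877, occurred 00:15:32 ago
Outside interfaces:
  GigabitEthernet0/0, Dialer1, Virtual-Access2
Inside interfaces:
  GigabitEthernet0/1, VoIP-Null0
Hits: 32354  Misses: 0
CEF Translated packets: 4157, CEF Punted packets: 28196
Expired translations: 3732
"""

# Counters relevant to a NAT-driven CPU problem, with the regex that extracts each one.
FIELDS = {
    "active": r"Total active translations:\s*(\d+)",
    "static": r"\((\d+) static",
    "dynamic": r"(\d+) dynamic",
    "peak": r"Peak translations:\s*(\d+)",
    "hits": r"Hits:\s*(\d+)",
    "misses": r"Misses:\s*(\d+)",
    "cef_translated": r"CEF Translated packets:\s*(\d+)",
    "cef_punted": r"CEF Punted packets:\s*(\d+)",
    "expired": r"Expired translations:\s*(\d+)",
}


def parse_nat_stats(text):
    """Parse the show output into a dict of ints; raise if a counter is missing."""
    stats = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("missing field: " + key)
        stats[key] = int(m.group(1))
    return stats


def assess(stats, max_entries, punt_warn=0.5, peak_warn=0.8):
    """Flag a high CEF punt ratio and a peak that would sit near the planned
    'ip nat translation max-entries' cap (thresholds are assumed defaults)."""
    total_cef = stats["cef_translated"] + stats["cef_punted"]
    punt_ratio = stats["cef_punted"] / total_cef if total_cef else 0.0
    findings = []
    if punt_ratio > punt_warn:
        findings.append("cef_punt_ratio_high")    # most NAT traffic is process-switched
    if stats["peak"] >= peak_warn * max_entries:
        findings.append("peak_near_max_entries")  # the cap would have been hit at peak
    return {"punt_ratio": punt_ratio, "findings": findings}
```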

Received on Mon Sep 20 2010 - 17:57:16 ART

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART