[c-nsp] High Memory Usage due to NAT

Church, Charles cchurc05 at harris.com
Fri Jul 24 16:28:52 EDT 2009


Those are still pretty long timeouts. Can you reduce those? A minute
for ICMP should be plenty. 2 minutes should be good for the other two.
Machines infected with stuff could certainly be opening sessions that
could be killed off quickly.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda
Sent: Thursday, July 23, 2009 12:12 PM
To: Cisco Mailing list
Subject: [c-nsp] High Memory Usage due to NAT


I'm facing a strange issue regarding NAT. The problem statement is as
below:

NAT configured on 3845 with 12.4.24 T ADV ENT SERVICES


   - Have got 64 /25 inside subnets to NAT with 64 live IPs, one for each
     /25 inside subnet.
   - I checked the processes and memory on a freshly loaded router, which
     comes out to be 49 MB of free memory.
   - Started NAT on the router with 8 of the /25 inside IP pools with
     policy NAT to 8 live IPs. The router hung within 3 hours due to no
     free memory being available. Rebooted it and removed the NAT.
   - Checked the Cisco website for NAT; it says 312 bytes per translation,
     which gives us around 3 MB for 10000 translations. Checked the logs
     and found the peak translation count to be only 15000.
   - Found that the problem was the NAT ACL with an "any" statement in the
     destination portion (extended one). Changed it to a standard ACL with
     no "any" statement.
   - Reviewed and resumed NAT on the router. It works now but it uses
     around 20 MB of memory for just 10000 translation entries.
   - Checked the UDP, TCP and ICMP timeouts. Limited UDP to 4 mins, TCP
     to 25 mins and ICMP to 5 mins. Was able to free only 2 MB or so from
     the 20 MB.
   - Changed the IOS from ADV ENT SERVICES to IP Base to get rid of
     unwanted processes and services, as the main aim of this router is to
     run NAT.
   - Freshly loaded router gave me 120 MB of free space and I was happy
     now to test things out.
   - Again started NAT for 8 pools of /25 inside subnets with 8 live IPs
     (policy NAT).
   - At 25000 translations it eats up around 24 MB of memory.
   - Turned off virtual reassembly as it was reaching the threshold very
     often.
   - Migrated another 8 pools of /25, which comes to a total of 16 /25
     inside subnets, and free memory left is 64 MB, with peak translations
     up to 42000 and active translations 15000 on average.
   - It often gives I/O memory errors too (with only 16 /25 pools
     configured on it).
   - All this stuff works fine with a Netscreen firewall overloaded with
     only 4 IPs for all 64 /25 pools ..... (Does Netscreen have an edge
     over Cisco when it comes to NAT ...?) I wonder..!

If Cisco says that only 312 bytes are required for storing a single
translation, why am I not able to free my DRAM memory? Tried my luck with
everything. Need some expert advice on this to figure out the high memory
usage of NAT....

NOTE: Only default router and no other services are used on the router
apart from NetFlow.

Thanks in Advance

Regards

Ronnie
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
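The two knobs discussed in this thread, NAT translation timeouts and the shape of the NAT ACL, as an added IOS configuration example. This is not configuration from either poster; it puts the long timeouts from the original message beside the shorter values the reply suggests, adds a table cap so a burst of sessions hits a configured limit rather than DRAM, and shows the standard-ACL form the poster found used less memory than an extended ACL with "any" as destination. ACL number, inside subnet, pool name, public address and the max-entries value are placeholders to be sized from your own peak counts.

```cisco
! Added example (not from the thread). IOS 12.4-style NAT tuning.
!
! --- Timeouts as described in the original post (still long) ---
! UDP 4 minutes, TCP 25 minutes, ICMP 5 minutes
ip nat translation udp-timeout 240
ip nat translation tcp-timeout 1500
ip nat translation icmp-timeout 300
!
! --- Shorter timeouts as suggested in the reply ---
! ICMP 1 minute (also the IOS default), TCP and UDP 2 minutes
ip nat translation icmp-timeout 60
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 120
!
! Half-open (SYN only) and closing (FIN/RST seen) TCP entries age out on
! their own timers; the IOS default for both is 60 seconds.
ip nat translation syn-timeout 60
ip nat translation finrst-timeout 60
!
! Cap the translation table so a flood of new sessions from an infected
! host exhausts the configured limit instead of router memory.
! (Placeholder value: set it a little above the observed peak.)
ip nat translation max-entries 50000
!
! NAT ACL: a standard ACL matching only the inside /25, instead of an
! extended ACL with "any" in the destination portion.
! (Placeholder ACL number, subnet, pool name and public address.)
access-list 10 permit 10.10.0.0 0.0.0.127
ip nat pool POOL1 192.0.2.1 192.0.2.1 netmask 255.255.255.0
ip nat inside source list 10 pool POOL1 overload
!
! Verification after the change:
!   show ip nat statistics          (totals, peak and expired entries)
!   show ip nat translations        (current table; count lines per protocol)
!   show processes memory sorted    (which process is holding the memory)
!   show memory statistics          (free and largest block per pool)
```

Timeout changes only apply to translations created afterwards; entries already in the table keep the old timer until they expire, so free memory will not drop immediately after the change. `clear ip nat translation *` flushes the table at once, at the cost of resetting every active session through the router, so it is best done in a maintenance window. Comparing `show ip nat statistics` against `show processes memory sorted` before and after tells you whether the per-entry cost has actually changed or only the entry count.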
