NAT causing memory leak

[lohelle]

I have some problems with my Cisco 2620XM router. The router is NAT-ing for a rather large network with 55 subnets..
These are all in the 10.0.x.x - 10.3.254.254 range
I also have a DMZ zone (lets say 213.184.100.0 - 213.184.100.63)

Lets say my public ip is 213.184.1.1

The relevant config (I think) is:
ip nat pool overload 213.184.1.1 213.184.1.1 prefix-length 24
ip nat inside source list 199 pool overload overload

Extended IP access list 199
10 deny ip 10.0.0.0 0.3.255.255 192.168.0.0 0.0.0.255
20 deny ip 10.0.0.0 0.3.255.255 192.168.200.0 0.0.0.255
30 deny ip 10.0.0.0 0.3.255.255 192.168.201.0 0.0.0.255
40 deny ip 10.0.0.0 0.3.255.255 192.168.202.0 0.0.0.255
50 deny ip 10.0.0.0 0.3.255.255 192.168.2.0 0.0.0.255
60 deny ip 10.0.0.0 0.3.255.255 192.168.100.0 0.0.0.255
(69 permit ip 10.0.0.0 0.255.255.255 any)
70 permit ip 10.0.0.0 0.3.255.255 any
(i tried to use the 69 rule in case the "strange" subnet was the problem)

The memory usage grows and grows, and I have to run "clear ip nat translations" to get the memory back

I have tried IOS c2600-advsecurityk9-mz.123-12 and c2600-advsecurityk9-mz.124.1 and get the same problems..
(I only have 16 MB flash)

some error messages from the device on my syslog server:
-------------------------------------
-Traceback= 80FA8AC4 80B3D8AC 80B3F18C 80B3F32C 80B3F4CC 80B3F604 80B2A304 80B2C2DC 80B0EF80 80B0FB38 809EFA60 809EFD7C 809EFE30 809EFF84 804925BC 80495C68

Process= "IP Input", ipl= 0, pid= 47

Removed a non-empty list(820AB6D0, name: NAT/SDP port range list), having 1 elements
--------------------------------------

What can cause this problem?

 

[watchguardmonkey]

I would upgrade the memory and add a clear ip nat trans time to the config.

HTH

 

[lohelle]

There are a lot of subnets, but not very much traffic/packets.. So I think the router should be more than powerful enough (20-25% cpu usage average during the day)

 

[lohelle]

I added "ip nat translation tcp-timeout 10800" so the NAT entries will not stay for more than 3 hour.. Wonder why the entries are ataying there....

Will the tcp-timeout 10800 command break downloads that lasts more than 3 hours? or will downloads "renew" their nat entries before that?

I have already ordered 128 MB DRAM + 32MB flash (extra)

 

[watchguardmonkey]

have you got a iomem statement in your config?

 

[lohelle]

No, I do not have that..

I changed the following line:
ip nat pool overload 213.184.1.1 213.184.1.1 prefix-length 24

to

ip nat pool overload 213.184.1.1 213.184.1.1 prefix-length 8

maybe that will help. I do not know if this is n important at all, but it make sense..

I guess that 48 MB flash, 192 MB DRAM + IOS 12.4.7 will help when this arrive in a few days too..

"clear ip nat trans time" is by the way not supported in the IOS i run now.

Thank you for the help!

 

[JOAMON]

The only time I ever had an issue with NAT killing a router was when I discovered a user had set the ethernet interface as the default route: ip route 0.0.0.0 0.0.0.0 fastethernet0/1 It was trying to NAT everything on the LAN and on the Internet. By changing it to the next hop ip address and clearing of IP NAT Trans it was cured.

 

[JOAMON]

Im sorry....It was the arp-cache that was getting so large that it killed the router. My memory ain't what I can forget what it was.

 

[JOAMON]

Seems there are more things than routers these days with memory leaks....