NAT table overflow problem 1

Status
Not open for further replies.
Sep 28, 2009
I have recently configured a Cisco 3640 router. Everything is working great; there are about 100 computers connected to the network and it works great until people download torrents, then the internet stops working from the computers, but I can still ping Google from the router.

I am guessing the NAT table is overflowing because torrents open so many connections in a short period of time, and the router still gets internet, but computers with internal IP addresses can't.

How can I account for this so the router still works even when torrents are being downloaded?
 
Alright, well, this is a very misunderstood problem by many, with many variables.
First do a show ip nat statistics.
If total entries are less than 30K the router is good. With a little tuning you can get these to hit 35-40K (assuming 128 MB RAM).
Second, what is your internet connection speed and type?

Scenario 1
If the cause of the problem is that your router is having a hard time tracking NAT translations, you have two options:

1) Set each TCP and UDP NAT timeout to a reasonable amount (TCP times out after 24 hrs by default).
Here's how:
ip nat translation udp-timeout 600
ip nat translation tcp-timeout 600

That will make each inactive protocol session be cleared out of the NAT table after ten minutes. (This is a big help.)
2) Create an access list with known offenders and limit their NAT count. If they complain, tell them to turn off the torrent if they want internet. (This will be useful in scenario 2 as well.)
Here's how (ACL_NAME is the name or number of your access list):
ip nat translation max-entries list ACL_NAME 7500

That will limit the ACL group to a total of 7500 concurrent translations.

Scenario 2 (most likely)
The router is not the issue, but upstream bandwidth. When an inside host attempts to make an outside request, the request is queued because of congestion in the outgoing direction, and very well may time out. (SO COMMON.) With 100 users and anything less than a full 15 Mbps up, and just 20 seeding without upload limits, just forget it; the outside world will suck you dry all day long.

There are a couple of solutions, some simple, others tough (QoS):
Get more bandwidth.
Tell your users to cut the sh**T.
Implement that neat little max-translations limit on a group of users and bring the limit down to 1000 (a request to MSN takes like 115). That will make them shut it off.

Keep us posted.

-Mike

Sorry about the poor organization, writing from an iPhone.

20 yrs old, working towards my CCNP. Looking for a new job :)
02472
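As an added example (not code from the thread), a small script that does the legwork behind Mike's second option: it counts dynamic translations per inside-local host from a constructed "show ip nat translations" capture, picks the hosts over a threshold, and emits the timeout, ACL and max-entries lines discussed above. The ACL name NAT_HOGS, the sample addresses and the threshold are assumptions.

```python
"""Find NAT-heavy inside hosts and emit the IOS lines that cap them."""
import re
from collections import Counter

# Constructed sample of "show ip nat translations" output; the addresses are
# documentation ranges, not captured from the poster's 3640.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.5        10.0.0.9           ---                ---
tcp 203.0.113.5:1025   10.0.0.21:51001    198.51.100.7:6881  198.51.100.7:6881
tcp 203.0.113.5:1026   10.0.0.21:51002    198.51.100.8:6881  198.51.100.8:6881
udp 203.0.113.5:1027   10.0.0.21:51003    198.51.100.9:6881  198.51.100.9:6881
tcp 203.0.113.5:1028   10.0.0.42:40000    192.0.2.10:443     192.0.2.10:443
tcp 203.0.113.5:1029   10.0.0.42:40001    192.0.2.11:80      192.0.2.11:80
"""

# Dynamic entries start with a protocol; static ones start with "---" and
# are not counted, since they never grow with a user's session count.
ENTRY = re.compile(r"^(tcp|udp|icmp)\s+\S+\s+(\d+\.\d+\.\d+\.\d+):\d+", re.M)


def translations_per_host(output):
    """Count dynamic translations keyed by inside-local address."""
    return Counter(m.group(2) for m in ENTRY.finditer(output))


def offenders(counts, threshold):
    """Hosts holding more than `threshold` translations, busiest first."""
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda t: (-t[1], t[0]))


def limit_config(hosts, acl="NAT_HOGS", max_entries=1000, timeout=600):
    """IOS config: idle timeouts (seconds) so stale sessions age out, a
    standard named ACL listing the offenders, and a per-ACL translation cap."""
    lines = [f"ip nat translation tcp-timeout {timeout}",
             f"ip nat translation udp-timeout {timeout}",
             f"ip access-list standard {acl}"]
    lines.extend(f" permit host {ip}" for ip in hosts)
    lines.append(f"ip nat translation max-entries list {acl} {max_entries}")
    return lines


if __name__ == "__main__":
    counts = translations_per_host(SAMPLE_TRANSLATIONS)
    hogs = offenders(counts, threshold=2)
    print("\n".join(limit_config([ip for ip, _ in hogs])))
```

On a real box the threshold would be set from the per-host counts seen during a quiet period (the 2226 active translations for 100 hosts mentioned later in the thread give a feel for normal), not from this five-line sample.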
 
Also, the last part about more bandwidth: that won't really help either. If it's a popular torrent like a movie and it's seeding, 1 user could take up all of it because 1000's of users are trying to download it from you.

20 yrs old, working towards my CCNP. Looking for a new job :)
02472
 
Thank you for your help Mike. Right now there is no one downloading torrents and there are 2226 active translations.

The router has been in use for about 5 days now; it cut out 2 days ago while the other IT guy was downloading torrents. In those 5 days it has had 211,642 expired translations, which leads me to believe that while the torrents were downloading there were A LOT of active translations. I will do a test when everyone leaves and see how high the active translations get when I download torrents.

I don't think it's the bandwidth problem, since the only one downloading torrents is the other IT guy and after the download is done he stops seeding them.

Thanks again
 
Hmm, 200k is way too much; ISRs would have a hard time with that.
Tell him to limit his upload speed; people are still leeching from
you even though you don't have the complete torrent yet. Second, change those timeouts so that doesn't happen again.

clear ip nat translation * is a good command too.

P.S. if you find some helpful, give em a star ;)

20 yrs old, working towards my CCNP. Looking for a new job :)
02472
 
Why is the IT guy downloading torrents on a company computer? If it's not work-related or legal downloading, just block BitTorrent completely.
 
KRON to clear ip nat trans, just for kicks. But mahlad is right on.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
I did ip nat translation max-entries 25000 to set the max entries to 25000. My question is, if the table gets to 25000 and a new translation is needed, does it deny the translation or bump off the oldest translation?


thank you
 
It will deny the translation. Tune the timeouts as well; 24 hours is too long of a default timeout. The goal of max NAT translations is to prevent the router from banking. So if you set the default timeout from 86400 secs to 1000 you should be fine, actually golden.

-mike

20 yrs old, working towards my CCNP. Looking for a new job :)
02472
 
I set the UDP and TCP timeouts to 10 minutes each and set max translations to 25,000. Everything seems to be working great; it has been a few days since it has gone out. Once everyone leaves the office tonight I am going to download multiple torrents at once and see what happens; if it fails again I will probably prevent torrents.

Thank you for your help Mike, I appreciate it
 
No problem.

20 yrs old, working towards my CCNP. Looking for a new job :)
02472
 