Symptom
A few TCP and UDP NAT entries do not time out after the traffic for those entries stops; they never age out, so the table eventually fills up:
*Jun 14 05:23:11.847: %IOSXE-4-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:006 TS:00000090041558278561 %NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded; frame dropped
show ip nat statistics
Total active translations: 131072 (0 static, 131072 dynamic; 131072 extended)
If we collect the "show ip nat translations verbose" output, we see NAT entries with a timeout of 0:
Pro Inside global Inside local Outside local Outside global
udp x.x.x.x:27013 10.10.10.10:57604 y.y.y.y:443 z.z.z.z:443
create: 07/14/23 05:34:09, use: 07/14/23 05:34:09, timeout: 00:00:00 >>>>>>>
RuleID : 1
Flags: unknown
ALG Application Type: NA
WLAN-Flags: unknown
Mac-Address: 0000.0000.0000 Input-IDB:
VRF: 1, entry-id: 0x5074e1f0, use_count:1
In_pkts: 1 In_bytes: 204, Out_pkts: 1 Out_bytes: 248
Output-IDB: TenGigabitEthernet0/1/0
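As an added example (not part of the bug report or of any Cisco tooling), a small Python parser for saved "show ip nat translations verbose" output that flags entries whose timer reads 00:00:00, as described above, and reports how far the table is from the 131072 default maximum; the sample output and addresses are constructed, and treating 00:00:00 as "stuck" follows this report's description rather than a general rule.

```python
import re
from collections import Counter

# Constructed sample "show ip nat translations verbose" output (documentation addresses).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local     Outside global
udp 198.51.100.1:27013 10.10.10.10:57604  203.0.113.5:443   203.0.113.5:443
  create: 07/14/23 05:34:09, use: 07/14/23 05:34:09, timeout: 00:00:00
  Flags: unknown
tcp 198.51.100.1:1025  10.10.10.11:40001  203.0.113.9:443   203.0.113.9:443
  create: 07/14/23 05:35:12, use: 07/14/23 05:35:12, timeout: 00:00:00
  Flags: unknown
tcp 198.51.100.1:1026  10.10.10.12:40002  203.0.113.9:443   203.0.113.9:443
  create: 07/14/23 05:36:00, use: 07/14/23 05:40:00, timeout: 23:55:12
  Flags: unknown
"""

# A translation line is the protocol followed by the four address:port columns.
ENTRY_RE = re.compile(r"^(?P<proto>tcp|udp|icmp)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)")
TIMEOUT_RE = re.compile(r"timeout:\s*(\d+):(\d\d):(\d\d)")

def parse_translations(text):
    """Return one dict per translation, with the remaining timeout in seconds."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = dict(m.groupdict(), timeout_s=None)
            entries.append(current)
            continue
        t = TIMEOUT_RE.search(line)
        if t and current is not None:
            h, mi, s = (int(x) for x in t.groups())
            current["timeout_s"] = h * 3600 + mi * 60 + s
    return entries

def stuck_entries(entries):
    """Entries whose timer reads 00:00:00: the ones this bug says never age out."""
    return [e for e in entries if e["timeout_s"] == 0]

def table_report(entries, max_entries=131072):
    """Count stuck entries and utilization of the default maximum (131072)."""
    stuck = stuck_entries(entries)
    return {
        "total": len(entries),
        "stuck": len(stuck),
        "stuck_by_proto": dict(Counter(e["proto"] for e in stuck)),
        "utilization_pct": round(100.0 * len(entries) / max_entries, 4),
    }
```

Running this periodically against collected output shows the stuck-entry count growing before the %NAT-4-DEFAULT_MAX_ENTRIES message appears, which is less disruptive than waiting for the applet below to clear the whole table.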
Conditions
H/W: C8500L-8S4X
S/W: 17.06.03a.0.3(c8000aes-universalk9.17.06.03a.SPA.bin) and 17.06.05.0.5797 (c8000aes-universalk9.17.06.05.SPA.bin)
Workaround
Clear the translations manually with "clear ip nat translations *", or implement an EEM script such as the following (note that it clears the entire table, so all active translations are dropped):
event manager applet max-nat-entries authorization bypass
event syslog pattern "%NAT-4-DEFAULT_MAX_ENTRIES: default maximum entries value 131072 exceeded"
action 001 cli command "enable"
action 002 cli command "terminal length 0"
action 003 cli command "show clock"
action 004 cli command "show ip nat translation total"
action 005 syslog msg "Detecting NAT max entries clearing nat table after default 131072 reached"
action 010 cli command "clear ip nat translation *"
action 011 cli command "show ip nat translation total"
action 012 cli command "end"
Further Problem Description
A few TCP and UDP NAT entries do not time out after the traffic for those entries stops.
C8500L-lab#show ip nat statistics
Total active translations: 2145 (0 static, 2145 dynamic; 2145 extended)