Cisco router: fixing a client that loses Internet access after the router has been up for a while

sh ip nat statistics
Total active translations: 1250 (11 static, 1239 dynamic; 1246 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1
Hits: 341626 Misses: 9538
CEF Translated packets: 347539, CEF Punted packets: 10448
Expired translations: 8470
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 111 pool new-ct refcount 1107
pool new-ct: netmask 255.255.255.248
start 121.12.1xx.2xx end 121.12.1xx.2xx
type generic, total addresses 1, allocated 1 (100%), misses 7
nat-limit statistics:
All Host Max allowed: 200
host 207.58.204.58: max allowed 200, used 0, missed 369
host 192.168.2.108: max allowed 200, used 0, missed 0
host 220.181.115.29: max allowed 200, used 0, missed 0
host 211.155.231.163: max allowed 200, used 0, missed 0
host 192.168.2.102: max allowed 200, used 20, missed 0
host 192.168.2.103: max allowed 200, used 62, missed 0
host 220.181.115.20: max allowed 200, used 0, missed 0
host 192.168.2.101: max allowed 200, used 3, missed 0
host 72.167.53.203: max allowed 200, used 1, missed 0
host 60.173.8.139: max allowed 200, used 0, missed 0
host 121.12.129.230: max allowed 200, used 0, missed 0
host 58.221.246.4: max allowed 200, used 0, missed 0
host 173.244.202.134: max allowed 200, used 0, missed 0
host 173.244.202.133: max allowed 200, used 0, missed 0
host 183.60.148.7: max allowed 200, used 0, missed 0
host 60.173.8.131: max allowed 200, used 0, missed 0
host 211.155.227.136: max allowed 200, used 0, missed 0
host 192.168.2.66: max allowed 200, used 0, missed 0
host 183.60.148.50: max allowed 200, used 0, missed 0
host 46.51.253.206: max allowed 200, used 0, missed 0
host 192.168.2.69: max allowed 200, used 4294967295, missed 6174
host 142.151.169.134: max allowed 200, used 0, missed 0
host 192.168.2.82: max allowed 200, used 0, missed 0
host 119.144.35.254: max allowed 200, used 0, missed 0
host 113.107.46.15: max allowed 200, used 0, missed 0
host 192.168.2.86: max allowed 200, used 49, missed 0
host 218.12.198.45: max allowed 200, used 0, missed 0
--More--

To narrow this down to the affected host, 192.168.2.69 (the entry above reporting used 4294967295), filter both the translation table and the statistics for that address:

sh ip nat translations | include 192.168.2.69
sh ip nat statistics | include 192.168.2.69
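The check done by eye above (finding the host whose used count is impossible for its max allowed) can be scripted so it runs against every capture. The following is an added example and not part of the original post: it parses the nat-limit statistics lines of show ip nat statistics, embedded here as a constructed excerpt of the output above, and labels each host. The function names and labels are this example's own, not IOS terminology.

```python
import re

# Constructed excerpt of the nat-limit statistics section shown above.
# A real run would feed in the captured output of "sh ip nat statistics".
SAMPLE = """\
nat-limit statistics:
All Host Max allowed: 200
host 207.58.204.58: max allowed 200, used 0, missed 369
host 192.168.2.102: max allowed 200, used 20, missed 0
host 192.168.2.69: max allowed 200, used 4294967295, missed 6174
host 192.168.2.86: max allowed 200, used 49, missed 0
"""

UINT32_MAX = 2**32 - 1     # 4294967295: what an unsigned 32-bit "0 minus 1" looks like
WRAP_THRESHOLD = 2**31     # anything in the top half of the range cannot be a real count

# One "host ..." line of the nat-limit section.
HOST_RE = re.compile(
    r"^host (?P<host>\S+): max allowed (?P<max>\d+), "
    r"used (?P<used>\d+), missed (?P<missed>\d+)$"
)


def parse_nat_limits(text):
    """Return one dict per 'host ...' line with the three counters as ints."""
    rows = []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            rows.append({
                "host": m.group("host"),
                "max": int(m.group("max")),
                "used": int(m.group("used")),
                "missed": int(m.group("missed")),
            })
    return rows


def classify(row):
    """Label a host row (label names are this example's own).

    wrapped-counter : used is in the top half of the 32-bit range, so the
                      per-host counter has been decremented below zero and the
                      router treats the host as far over its limit.
    at-limit        : used has reached max allowed; new translations are refused.
    refused         : used is below the limit yet missed is non-zero, so the
                      refusals come from elsewhere (global max-entries, pool
                      exhaustion) and the other counters need checking.
    ok              : nothing to report.
    """
    used, limit, missed = row["used"], row["max"], row["missed"]
    if used >= WRAP_THRESHOLD:
        return "wrapped-counter"
    if used >= limit:
        return "at-limit"
    if missed > 0:
        return "refused"
    return "ok"


def find_problems(text):
    """Map host -> label for every host whose label is not 'ok'."""
    problems = {}
    for row in parse_nat_limits(text):
        label = classify(row)
        if label != "ok":
            problems[row["host"]] = label
    return problems


if __name__ == "__main__":
    for row in parse_nat_limits(SAMPLE):
        print(f"{row['host']:<16} {classify(row):<16} "
              f"used={row['used']} missed={row['missed']}")
```

Run against the sample it reports 192.168.2.69 as wrapped-counter and 207.58.204.58 as refused; the second case is worth keeping as a separate label because a host that is refused while idle points at the global limit or the one-address pool (misses 7 above), not at its own per-host count.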

From this output the likely cause is that, as uptime grows, the NAT table accumulates too many entries and the router starts to misbehave. Note what the statistics actually show: every host is subject to the all-host limit of 200 translations, and 192.168.2.69 reports used 4294967295, which is 2^32-1, the value an unsigned 32-bit counter takes once it has been decremented below zero. That value is far above the host's limit of 200, so the router refuses every new translation for it, which is why its missed count (6174) keeps climbing while the other inside hosts show missed 0; that is the one client that "cannot get online". The number of NAT entries can be kept in check, and the TCP connection timeouts shortened, with the following commands:
ip nat translation max-entries 12000
// Cap the NAT table at 12000 entries so the router never reaches its processing limit and collapses entirely. This is the global ceiling, separate from the per-host "max allowed 200" in the output above, and once it is hit new translations are refused for every host; with only 1250 active translations in the capture above it is not what is blocking 192.168.2.69.

ip nat translation timeout 3000
// Idle timeout for dynamic translations not covered by one of the protocol-specific timers below; the default is 86400 seconds (24 hours), here 3000 seconds (50 minutes).

ip nat translation tcp-timeout 300
// Idle timeout for a TCP connection once its three-way handshake has completed. The default is 24 hours; set to 5 minutes, a TCP connection idle for 300 seconds is promptly removed from the NAT table, so idle connections no longer hold entries for a day, inflate the table and eat CPU.

ip nat translation udp-timeout 20
// Idle timeout for UDP translations; the default is 300 seconds, here 20 seconds, for the same reason. Be aware that UDP flows with longer gaps between packets will lose their mapping and have to re-establish it.
ip nat translation finrst-timeout 30
// Timeout for a TCP translation after a FIN or RST has been seen; the default is 60 seconds, here 30.

ip nat translation syn-timeout 15
// Timeout for a TCP translation whose SYN has been sent but no handshake reply has arrived; the default is 60 seconds, here 15. A scanning worm such as Code Red opens TCP connections to more or less random addresses, many of which do not exist or do not run the IIS web server it targets, so no reply ever comes; with a 15-second limit those half-open entries are cleared from the NAT table quickly.

ip nat translation dns-timeout 30
// Timeout for DNS (UDP port 53) translations; the default is 60 seconds, here 30.

ip nat translation icmp-timeout 10
// Idle timeout for ICMP translations; the default is 60 seconds, here 10, so an ICMP entry idle for 10 seconds leaves the NAT table promptly instead of idle ICMP entries (ping sweeps, scans) piling up and consuming CPU.