Misses counters on Cisco routers
According to Cisco’s documentation, misses represents the “number of times the software performs a translation table lookup and fails to find an entry, and creates one”. So all routers should have some misses in their counters. Let’s look at some statistics from an 1841 router:
C1841#sh ip nat statistics
Total active translations: 3339 (0 static, 3339 dynamic; 3339 extended)
Peak translations: 8114, occurred 18:35:17 ago
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet0/1
Hits: 28658670  Misses: 0
No misses, only hits, which increase every time “the software performs a translation table lookup and finds an entry”. It works the same way on every ISR and 7200 router. But the documentation still says otherwise.
The topic came up when I was testing NAT on ASR1000 routers and we saw the misses number increasing from the beginning of the tests. Simple logic suggests that misses increase when something wrong is happening (a bad pool configuration or a lack of memory to keep new translations), so if the counter stays at zero, everyone is happy. On IOS XE it’s slightly different:
asr1000#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  TenGigabitEthernet0/2/0
Inside interfaces:
  TenGigabitEthernet0/1/0
Hits: 3358708  Misses: 11050
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 11013
Dynamic mappings:
-- Inside Source
[Id: 1] access-list test-robot pool test-robot refcount 0
 pool test-robot: netmask 255.255.255.252
    start 10.1.1.1 end 10.1.1.1
    type generic, total addresses 1, allocated 0 (0%), misses 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
The ASR1000 has two types of misses counters: global and per pool. The global one increases in the way described in the documentation, while the per-pool counters stay at 0. It is the per-pool counters that indicate a problem has occurred. My interpretation was later confirmed by the ASR-NAT developers, who also confirmed that not all routers increment the global counter. It seems that no ISR or 7200 running one of the latest IOS releases does.
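An added example, not part of the original post and not Cisco code: a small Python parser for "show ip nat statistics" output that keeps the global and per-pool misses counters apart and alerts only on the per-pool ones, following the interpretation above. The second pool ("exhausted") and its values are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample: the counters from the ASR1000 output in the post, plus a
# hypothetical second pool ("exhausted") whose per-pool misses is non-zero.
SAMPLE = """\
Hits: 3358708  Misses: 11050
Expired translations: 11013
Dynamic mappings:
-- Inside Source
[Id: 1] access-list test-robot pool test-robot refcount 0
 pool test-robot: netmask 255.255.255.252
    start 10.1.1.1 end 10.1.1.1
    type generic, total addresses 1, allocated 0 (0%), misses 0
[Id: 2] access-list exhausted pool exhausted refcount 1
 pool exhausted: netmask 255.255.255.252
    start 10.1.1.5 end 10.1.1.5
    type generic, total addresses 1, allocated 1 (100%), misses 42
"""

GLOBAL_RE = re.compile(r"Hits:\s*(\d+)\s+Misses:\s*(\d+)")
# "pool NAME:" starts a pool block; the non-greedy gap reaches that pool's own
# "allocated ... misses N". re.S lets it work on wrapped or flattened output.
POOL_RE = re.compile(
    r"pool\s+(\S+):\s+netmask.*?allocated\s+(\d+)\s+\((\d+)%\),\s+misses\s+(\d+)",
    re.S,
)

def parse_nat_statistics(text):
    """Return hits, global misses and per-pool counters from the CLI output."""
    m = GLOBAL_RE.search(text)
    if m is None:
        raise ValueError("no 'Hits: ... Misses: ...' line found")
    pools = {
        name: {"allocated": int(a), "percent": int(p), "misses": int(x)}
        for name, a, p, x in POOL_RE.findall(text)
    }
    return {"hits": int(m[1]), "global_misses": int(m[2]), "pools": pools}

def nat_alerts(stats):
    """Alert on per-pool misses only; global misses are normal on IOS XE."""
    return [
        f"pool {name}: {p['misses']} misses, {p['percent']}% allocated"
        for name, p in stats["pools"].items()
        if p["misses"] > 0
    ]

if __name__ == "__main__":
    stats = parse_nat_statistics(SAMPLE)
    print("global misses (informational):", stats["global_misses"])
    print("alerts:", nat_alerts(stats))
```

Run against the unmodified ASR1000 output from the post, the parser reports 11050 global misses and no alerts, because the only pool shows "misses 0".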