If the number of free NAT entries is critically low, the system should be investigated for a possible leak.

vcadmin@vcg1-example:~$ sudo /opt/vc/bin/getcntr -c natd.nat_shmem_free_entries -d vcgwnat.com
993408
vcadmin@vcg1-example:~$

Reboot the Gateway to clear all assigned NAT entries. Restarting the services has no effect on NAT entries.

For supported values, refer to the VMware SD-WAN Performance and Scale Datasheet published at the Partner Connect Portal. To access the datasheet, you must log into the Partner Connect Portal using your Partner credentials (username and password).

The following table lists the threshold values of NAT entries.

Threshold State    Threshold Value
Warning            50% of 900K NAT entries
Critical           75% of 900K NAT entries

Recommended Corrective Action (Warning and Critical):
  1. If total NAT count crosses warning or critical threshold:
    • Collect diagnostic bundle.
    • Check the stale NAT count thresholds and take corresponding actions listed for stale NAT count.
    • If the stale NAT count is within warning threshold, check the top consumers from NAT table.
    • Disable any peer that is creating a lot of NAT entries, if a DoS attack is suspected.
    • Check if any Enterprise is consuming most of the NAT entries. This information can be used to load balance Edges in the Enterprise.
    • If all tenants are using NAT entries more or less equally and if memory usage crosses critical threshold, restart services on Gateway.
  2. If NAT count crosses critical threshold:
    • Open high priority support case with VMware, along with diagnostic bundle.
    • Restart the NAT services on Gateway and check if the issue is fixed. If not, restart all Gateway services.
  3. Run the following command to check the peers with high NAT count: /opt/vc/bin/vc_top_peers.sh -t nat.

The following table lists the threshold values of stale NAT entries.

Threshold State    Threshold Value
Warning            10%
Critical           25%

Recommended Corrective Action (Warning and Critical):
  1. If stale NAT count crosses warning or critical threshold:
    • Collect diagnostic bundle.
    • Check if a small set of Edges is contributing to these stale NAT entries.
  2. If stale NAT count crosses critical threshold:
    • Open high priority support case with VMware, along with diagnostic bundle and output of /opt/vc/bin/debug.py --stale_nat_dump.
    • Restart the NAT services on Gateway and check if the issue is fixed. If not, restart all Gateway services.
  3. If the same issue occurs multiple times on the same Gateway or is observed on different Gateways, mark the already created support case as critical.
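
The two threshold tables above, expressed as a monitoring check. This is an added example, not VMware's code: check_nat and its helper functions are hypothetical names, and it assumes that "900K" means 900000, that the stale percentage is stale entries divided by in-use entries, that "crosses" means at or above, and that the caller supplies both counts.

```shell
#!/usr/bin/env bash
# Added example, not VMware's code. Assumptions: "900K" = 900000; stale % =
# stale / in-use entries; "crosses" = at or above; the caller supplies counts.
NAT_BASE=900000

# Accept only plain decimal counts (not empty, no sign, no leading zeros).
is_count() { case "$1" in ''|*[!0-9]*|0?*) return 1 ;; *) return 0 ;; esac; }

# nat_state USED -> ok | warning (>= 50% of 900K) | critical (>= 75% of 900K)
nat_state() {
  is_count "$1" || { echo unknown; return 3; }
  if   [ "$1" -ge $((NAT_BASE * 75 / 100)) ]; then echo critical
  elif [ "$1" -ge $((NAT_BASE * 50 / 100)) ]; then echo warning
  else echo ok; fi
}

# stale_state STALE USED -> ok | warning (>= 10%) | critical (>= 25%)
stale_state() {
  is_count "$1" && is_count "$2" || { echo unknown; return 3; }
  [ "$1" -le "$2" ] || { echo unknown; return 3; }  # stale cannot exceed in-use
  # Integer-only comparison: stale/used >= p%  <=>  stale*100 >= used*p
  if   [ "$2" -eq 0 ]; then echo ok
  elif [ $(( $1 * 100 )) -ge $(( $2 * 25 )) ]; then echo critical
  elif [ $(( $1 * 100 )) -ge $(( $2 * 10 )) ]; then echo warning
  else echo ok; fi
}

# check_nat USED STALE -> prints both states plus actions taken from the tables.
# Returns 0 ok, 1 warning, 2 critical, 3 bad input (Nagios-style plugin codes).
check_nat() {
  local n s rc=0
  n=$(nat_state "$1") || return 3
  s=$(stale_state "$2" "$1") || return 3
  case "$n$s" in *critical*) rc=2 ;; *warning*) rc=1 ;; esac
  echo "nat=$n stale=$s"
  [ "$rc" -eq 0 ] || echo "action: collect diagnostic bundle"
  # High total count but stale count below warning: look at the top consumers.
  [ "$s" = ok ] && [ "$n" != ok ] && echo "action: /opt/vc/bin/vc_top_peers.sh -t nat"
  [ "$rc" -eq 2 ] && echo "action: open high priority support case with VMware"
  return "$rc"
}

# Stand-alone use: script.sh <in-use NAT count> <stale NAT count>
if [ "$#" -eq 2 ]; then check_nat "$1" "$2"; fi
```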