Hi,
we are using MikroTik routers (CCR series, RouterOS 7.x) as NAT concentrators and exporting IPFIX NAT events to an external collector.
We consistently observe significantly more xlat create than xlat delete events over time.
Based on our analysis so far, we suspect that this behavior might be related to PPPoE session disconnects, but we are not 100% sure yet and would like to better understand how RouterOS handles this case.
What we see:
- xlat create events are exported as expected
- some xlat delete events seem to be missing
- the mismatch appears to correlate with environments where PPPoE sessions frequently disconnect or reconnect
Our assumption is that when a PPPoE session goes down, related conntrack/NAT entries might be removed in bulk, and individual xlat delete events might not always be generated — but again, this is only a hypothesis at this point.
Questions:
- Is this behavior expected?
- Can PPPoE session disconnects affect the generation of xlat delete IPFIX events?
- Are NAT delete events meant to be treated as best-effort only?
Any clarification would be appreciated.
Thanks.
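
One way to test the hypothesis in the post on collector data, as an added example that is not part of the original post and not RouterOS or collector code: pair each create with its delete and check whether the unmatched creates coincide with a PPPoE session drop for the same subscriber. The record layout, the PPPoE session-down list, and the `stale_after` bound are assumptions; the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real collector output):
# (time_s, event, subscriber_ip, post_nat_ip, post_nat_port)
EVENTS = [
    (100, "create", "100.64.0.10", "203.0.113.1", 40001),
    (105, "create", "100.64.0.10", "203.0.113.1", 40002),
    (110, "create", "100.64.0.11", "203.0.113.1", 41001),
    (130, "delete", "100.64.0.10", "203.0.113.1", 40001),
    (400, "create", "100.64.0.11", "203.0.113.1", 41001),  # reused, no delete seen
    (450, "delete", "100.64.0.11", "203.0.113.1", 41001),
]
# Constructed PPPoE session-down times: (time_s, subscriber_ip)
PPPOE_DOWN = [(200, "100.64.0.11")]


def classify_orphans(events, pppoe_down, capture_end, stale_after=86400):
    """Find creates with no matching delete and split them by whether the
    subscriber's PPPoE session dropped while the translation was open."""
    open_xlat, orphans = {}, []  # orphans: (key, created, last_possible_end)
    for ts, event, sub, nat_ip, nat_port in sorted(events):
        key = (sub, nat_ip, nat_port)
        if event == "create":
            if key in open_xlat:  # same mapping created again: delete was never exported
                orphans.append((key, open_xlat[key], ts))
            open_xlat[key] = ts
        elif event == "delete":
            open_xlat.pop(key, None)
    # Mappings still open at the end only count once they are older than any
    # plausible lifetime (stale_after is an assumed bound, tune it to your timeouts).
    for key, created in open_xlat.items():
        if capture_end - created > stale_after:
            orphans.append((key, created, capture_end))

    downs = defaultdict(list)
    for ts, sub in pppoe_down:
        downs[sub].append(ts)
    result = {"pppoe_correlated": [], "unexplained": []}
    for key, created, end in sorted(orphans, key=lambda o: o[1]):
        hit = any(created <= t <= end for t in downs[key[0]])
        result["pppoe_correlated" if hit else "unexplained"].append(key)
    return result


if __name__ == "__main__":
    print(classify_orphans(EVENTS, PPPOE_DOWN, capture_end=90000))
```

A large `unexplained` share would point away from PPPoE disconnects and toward export loss elsewhere, for example dropped UDP export packets between router and collector.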