Allocated new session 5543.
Rule: index=4 name=Test, cfg_pool_idx=1 cfg_fallback_pool_idx=0
2018-06-20 22:38:30.473 -0700 debug: pan_flow_nat_setup_session(src/pan_flow_nat.c:2147): NAT Rule: name=Test_NAT, cfg_pool_idx=1; Session: index=5543, nat_pool_idx=1
2018-06-20 22:38:30.473 -0700 Error: pan_ippool_translate_dynamic(pan_ippool.c:2106): out of IP addresses and source ports
Packet dropped, source NAT IP/port allocation failed
Cannot setup session in egress vsys
Packet dropped, Session setup failed
Yet "show running ippool" still shows free ports available:
> show running ippool
Rule                   Type             Used    Available  Mem Size  Ratio
---------------------- ---------------- ------- ---------- --------- -----
Test_NAT               Dynamic IP/Port  423126  92970      68720     8
Resolution
The root cause is that the ippool is heavily used: 423126 of the 423126 + 92970 = 516096 entries (about 82%) are in use, and the pool already runs at the 8x over-subscription ratio.
A dynamic IP/port NAT pool allocates a translated address and source port by hashing the destination address and trying the specific buckets that hash selects. If none of those buckets has a free entry, a simple brute-force search over the pool is attempted.
If both fail, the allocation returns a failure, which is the "out of IP addresses and source ports" error in the log above, and the session is dropped.
With over-subscription, the same translated IP/port pair can be reused for several sessions only as long as those sessions go to different destinations. This means that even though "show running ippool" may still show free entries (92970 in the output above), for a destination that a host already has many sessions to (for example google.com during web browsing) the remaining free entries all sit on IP/port pairs that are already in use for that destination, so no new session to it can be built. It may still be possible to build a new session to a different destination.
Additional external IP addresses are required to expand the available ippool for sessions to identical destinations; raising the over-subscription ratio does not help, because over-subscription only reuses a translated IP/port across different destinations.
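The following is an added model of the allocation behaviour described in the Resolution, written for this article; it is not PAN-OS code and the hash function, the number of hashed buckets probed and the pool sizes are assumptions chosen to keep the example small. Each translated port is a bucket that may carry up to "ratio" sessions to distinct destinations. The simulation shows a pool that still reports free entries while allocation for one hot destination fails and allocation for another destination succeeds.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class DippPool:
    """Toy model of a dynamic IP/port NAT pool with over-subscription.

    table[i] is the set of destinations currently translated onto port i.
    A port may hold at most `ratio` sessions, each to a different destination,
    which is how over-subscription reuses one translated IP/port pair.
    """
    ports: int                 # number of translated source ports in the pool
    ratio: int                 # over-subscription ratio (8 in the article)
    probes: int = 2            # hashed buckets tried before brute force (assumption)
    table: list = field(default_factory=list)

    def __post_init__(self):
        self.table = [set() for _ in range(self.ports)]

    def free_slots(self) -> int:
        """What 'show running ippool' Available would report: unused entries."""
        return sum(self.ratio - len(s) for s in self.table)

    def _bucket(self, dst: str) -> int:
        # Assumed hash: the article only says the destination address is hashed.
        h = hashlib.sha256(dst.encode()).digest()
        return int.from_bytes(h[:4], "big") % self.ports

    def _fits(self, idx: int, dst: str) -> bool:
        s = self.table[idx]
        # An entry is usable for dst only if the port is not full AND the
        # port is not already translating a session to this same destination.
        return len(s) < self.ratio and dst not in s

    def allocate(self, dst: str):
        """Return the port index chosen for a new session to dst, or None."""
        start = self._bucket(dst)
        # Step 1: try the buckets selected by the destination hash.
        for k in range(self.probes):
            idx = (start + k) % self.ports
            if self._fits(idx, dst):
                self.table[idx].add(dst)
                return idx
        # Step 2: simple brute-force search over the whole pool.
        for idx in range(self.ports):
            if self._fits(idx, dst):
                self.table[idx].add(dst)
                return idx
        # Step 3: both failed -> "out of IP addresses and source ports".
        return None


def simulate_hot_destination(ports: int = 4, ratio: int = 2,
                             hot: str = "8.8.8.8", other: str = "1.1.1.1") -> dict:
    """One host opens `ports` sessions to `hot`; then try `hot` and `other` again.

    Constructed scenario: every port ends up carrying one session to `hot`,
    so free entries remain but none of them can serve another `hot` session.
    """
    pool = DippPool(ports=ports, ratio=ratio)
    opened = sum(1 for _ in range(ports) if pool.allocate(hot) is not None)
    return {
        "opened_to_hot": opened,
        "free_slots": pool.free_slots(),     # still > 0, like Available=92970
        "hot_alloc": pool.allocate(hot),     # None: allocation fails
        "other_alloc": pool.allocate(other), # succeeds: different destination
    }


if __name__ == "__main__":
    for key, value in simulate_hot_destination().items():
        print(f"{key}: {value}")
```

Scale the constructor to ports=64512 and ratio=8 to reproduce the 516096-entry pool from the table; the conclusion is unchanged, because the free entries are counted per pool while a new session to a given destination can only use ports that are not already translating that destination.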