Packet drop due to source NAT IP/port allocation failed


68145
Created On 09/25/18 20:40 PM - Last Modified 08/13/25 13:35 PM


Symptom

The firewall drops the initial SYN packet of new sessions, so the sessions are never established.

Diagnosis

Running show counter global shows the following counter incrementing:

flow_policy_nat 284  1 drop flow  session Session setup: source NAT IP/port allocation error

 

The flow basic packet-diag debug log shows the following:

 

Allocated new session 5543.
Rule: index=4 name=Test, cfg_pool_idx=1 cfg_fallback_pool_idx=0
2018-06-20 22:38:30.473 -0700 debug: pan_flow_nat_setup_session(src/pan_flow_nat.c:2147): NAT Rule: name=Test_NAT, cfg_pool_idx=1; Session: index=5543, nat_pool_idx=1
2018-06-20 22:38:30.473 -0700 Error: pan_ippool_translate_dynamic(pan_ippool.c:2106): out of IP addresses and source ports
Packet dropped, source NAT IP/port allocation failed
Cannot setup session in egress vsys
Packet dropped, Session setup failed

 

Despite the error, show running ippool still reports free entries in the pool:

>show running ippool

Rule                   Type               Used    Available  Mem Size  Ratio
---------------------- ---------------    ------  ---------  --------  -----
Test_NAT               Dynamic IP/Port    423126  92970      68720     8

 



Cause


Because session setup fails, the traffic leaves no entry under Monitor > Traffic even though it is reaching the firewall; the packets are silently dropped. Confirm this with packet captures and the flow basic packet-diag debug.



Resolution


The root cause is that the ippool is heavily used: more than 80% of its entries are allocated (423126 of 516096 in the output above), even with an 8x over-subscription ratio.

NAT pool allocation works by hashing the destination address and trying the specific buckets that the hash value selects. If those buckets have no free entry, the firewall falls back to a simple brute-force search.

If both fail, the allocation returns an error and the packet is dropped.

This means that even though "show running ippool" may still show about 93k free entries, for a destination IP to which a host already has many sessions (google.com during web browsing, for example) no new session can be built, because the entries in that destination's buckets are exhausted. A new session to a different destination may still succeed.

Additional external IP addresses are required to expand the available ippool for identical destinations.
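To make the allocation behaviour concrete, here is a scaled-down simulation of a hashed, over-subscribed Dynamic IP/Port pool. It is an added example written for this page, not PAN-OS code: the bucket layout, the hash, the 512-port range per IP and the one-bucket brute-force window are assumptions, and the public IPs and destinations are constructed. It shows a busy destination exhausting its buckets while the pool's Available count stays high, a session to a different destination still succeeding, and a second public IP restoring allocation for the busy destination. The ippool_utilization helper parses a show running ippool row such as the one above and checks it against the 80% mark.

```python
"""Toy model of a hashed DIPP (Dynamic IP and Port) source-NAT pool.

Added example, not PAN-OS code. The bucket layout, the hash function and
the size of the brute-force fallback window are assumptions chosen to make
the failure mode visible; the page does not document the real allocator.
"""
import hashlib
from collections import defaultdict


class PoolExhausted(Exception):
    """Neither the hashed bucket nor the fallback scan found a usable slot."""


class DippPool:
    def __init__(self, public_ips, ports_per_ip=512, ratio=8, buckets=8, fallback_buckets=1):
        self.public_ips = list(public_ips)
        self.ports_per_ip = ports_per_ip          # scaled down from the real 64512 (1024-65535)
        self.ratio = ratio                        # over-subscription: reuses of one (ip, port) slot
        self.buckets = buckets
        self.fallback_buckets = fallback_buckets  # assumed width of the 'simple brute force' scan
        self.width = ports_per_ip // buckets
        # (public_ip, port) -> destinations currently translated through that slot
        self.slots = defaultdict(set)

    # Accounting that mirrors the Used/Available columns of 'show running ippool'.
    def capacity(self):
        return len(self.public_ips) * self.ports_per_ip * self.ratio

    def used(self):
        return sum(len(dsts) for dsts in self.slots.values())

    def available(self):
        return self.capacity() - self.used()

    def bucket_of(self, dst):
        digest = hashlib.sha256(dst.encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.buckets

    def _ports_in_bucket(self, b):
        start = 1024 + (b % self.buckets) * self.width
        return range(start, start + self.width)

    def _try(self, ports, dst):
        for ip in self.public_ips:
            for port in ports:
                using = self.slots[(ip, port)]
                # A slot may be shared up to `ratio` times, but never by two
                # sessions to the same destination: the translated tuple must
                # stay unique, so a busy destination burns its slots quickly.
                if dst not in using and len(using) < self.ratio:
                    using.add(dst)
                    return ip, port
        return None

    def allocate(self, dst):
        b = self.bucket_of(dst)
        hit = self._try(self._ports_in_bucket(b), dst)
        # Fallback: scan the next few buckets before giving up.
        step = 1
        while hit is None and step <= self.fallback_buckets:
            hit = self._try(self._ports_in_bucket(b + step), dst)
            step += 1
        if hit is None:
            raise PoolExhausted(f"out of IP addresses and source ports for {dst}")
        return hit


def ippool_utilization(row):
    """Parse one data row of 'show running ippool' and return used/(used+available)."""
    used, available = (int(x) for x in row.split()[-4:-2])
    return used / (used + available)


def demo():
    pool = DippPool(["203.0.113.10"])
    hot = "142.250.72.46:443"   # constructed 'busy' destination, e.g. a web frontend
    hot_sessions = 0
    while True:
        try:
            pool.allocate(hot)
            hot_sessions += 1
        except PoolExhausted:
            break
    capacity_before = pool.capacity()
    available_at_failure = pool.available()                    # plenty of free entries overall
    other_ok = pool.allocate("198.51.100.7:22") is not None     # another destination still works
    pool.public_ips.append("203.0.113.11")                     # the resolution: add a public IP
    after_add_ok = pool.allocate(hot) is not None
    return {
        "hot_sessions": hot_sessions,
        "capacity_before": capacity_before,
        "available_at_failure": available_at_failure,
        "other_destination_ok": other_ok,
        "after_adding_ip_ok": after_add_ok,
    }


if __name__ == "__main__":
    print(demo())
    row = "Test_NAT               Dynamic IP/Port    423126 92970      68720     8"
    print(f"ippool utilization: {ippool_utilization(row):.1%}")
```

With one public IP the busy destination gets 128 sessions (64 slots in its hashed bucket plus 64 in the fallback bucket) and then fails, while the pool still reports 3968 of 4096 entries available; that is the same picture as the 92970 free entries in the output above. Adding a second public IP immediately lets the next session to that destination through.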



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkPCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail