Strata Cloud Manager Alert "NAT Resource Pool - NAT Allocation Failure"

Created On 04/22/22 08:57 AM - Last Modified 11/08/23 06:59 AM


Symptom


  • Alert from Strata Cloud Manager regarding Dynamic IP (DIP) or Dynamic IP and Port (DIPP) Source Network Address Translation allocation failure.
  • Recommendation from Strata Cloud Manager to review the NAT rule and if needed to increase the NAT resource pool.


Environment


  • PAN-OS
  • Strata Cloud Manager


Cause


A Critical alert is triggered when the "NAT counters - Policies" metric, which represents the global counter "flow_policy_nat", is found to be increasing compared to the previous reading. The "flow_policy_nat" counter indicates that sessions are being dropped because of a source NAT IP/port allocation error.

A Critical alert is also triggered when the "NAT counters - Dynamic IP/Port Max Retries" metric, which represents the global counter "flow_fpp_nat_dipp_max_retries", is found to be increasing compared to the previous reading. The "flow_fpp_nat_dipp_max_retries" counter is incremented when a session fails to allocate a port number for DIPP NAT after five retries, at which point the dataplane (DP) falls back to its private pool. This counter is exclusive to the PA-5200 and PA-7000 series.
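The alert logic described above, as an added example that is not part of the original article or of Strata Cloud Manager: two readings of the two NAT global counters are compared and any counter that grew between readings produces a Critical alert. The sample readings are constructed and only approximate the column layout of the firewall's global counter output.

```python
import re

# Counters the Strata Cloud Manager alert evaluates (names taken from the article).
WATCHED = {
    "flow_policy_nat": "NAT counters - Policies",
    "flow_fpp_nat_dipp_max_retries": "NAT counters - Dynamic IP/Port Max Retries",
}

# Constructed sample readings; the real `show counter global` output has more
# columns and many more counters, but the name/value/rate/severity prefix is the same.
PREVIOUS = """\
name                               value     rate severity  category  aspect
flow_policy_nat                       40        0 drop      flow      session
flow_fpp_nat_dipp_max_retries          7        0 warn      flow      session
"""
CURRENT = """\
name                               value     rate severity  category  aspect
flow_policy_nat                       58        3 drop      flow      session
flow_fpp_nat_dipp_max_retries          7        0 warn      flow      session
"""

# name, value, rate, severity; the header line does not match because "value" is not numeric.
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_counters(text):
    """Return {counter_name: value} for the watched counters found in one reading."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in WATCHED:
            values[m.group(1)] = int(m.group(2))
    return values


def nat_alerts(previous_text, current_text):
    """Compare two readings; a watched counter that increased raises a Critical alert."""
    prev = parse_counters(previous_text)
    curr = parse_counters(current_text)
    alerts = []
    for name, label in WATCHED.items():
        delta = curr.get(name, 0) - prev.get(name, 0)
        if delta > 0:
            alerts.append({"severity": "Critical", "counter": name,
                           "label": label, "increase": delta})
    return alerts


if __name__ == "__main__":
    for a in nat_alerts(PREVIOUS, CURRENT):
        print(f"{a['severity']}: {a['label']} ({a['counter']}) +{a['increase']}")
```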



Resolution


  1. Verify that your NAT policies are properly configured under Policies > NAT.
  2. Review the different NAT use cases from the links below:
    1. TechDoc: NAT Configuration Examples
    2. KB Article: Source NAT Translation Types and Typical Use Cases
  3. Check the firewall traffic logs under Monitor > Logs > Traffic:
    1. Enable the Source, Destination, NAT Source IP and NAT Dest IP columns.
    2. Ensure that the proper address translation is happening for the traffic that is supposed to match the NAT rule.
  4. Log in to the CLI of the firewall and issue the following command:
       > show running ippool
    1. If one or more of the source NAT rules (DIP or DIPP) listed in the command output shows high usage, Strata Cloud Manager should also trigger the "NAT Pool Usage" alert.
    2. If that is the case, follow the recommendation listed in the "NAT Pool Usage" alert.


Additional Information


General Dynamic IP deployment recommendations to consider:

  • Try to allocate at least a one-to-one ratio of source IPs to translated addresses.
  • For multi-DP systems (such as the PA-5250 and PA-7000 series), it is recommended to provision 1.5x translated IPs per 1x source IPs. This buffer avoids retries and conflicts when the firewall is searching for a free IP, which can otherwise result in dropped packets.
  • Configure Dynamic IP and Port fallback for Dynamic IP NAT rules to serve as a backup in case the Dynamic IP address pool runs out of IPs.
  • Configure hash-source as the session distribution policy on platforms with an FPP to improve performance in heavily NATed environments. In the CLI: set session distribution policy hash source

Additional references used in this knowledge article:

  • Packet Drop Due to Source NAT IP/Port Allocation Failed
  • What Is the Meaning of Flow Prefix Counters in Global Counter Output
