GlobalProtect Clientless VPN: Application traffic dropping/impacted through the firewall with global counters: flow_alt_srcnat_drop & nat_alt_srcnat_xlat_failed

Created On 05/24/22 20:10 PM - Last Modified 05/24/22 20:14 PM


Symptom


1. The following global counters are increasing for the application traffic's sessions:
flow_alt_srcnat_drop
nat_alt_srcnat_xlat_failed

2. The "show running ippool" command shows a negative value in the "left" column for the Alt srcnat pool:
Alt srcnat pool: used 63073, left -109395



Environment


All PAN-OS
GlobalProtect Clientless VPN


Cause


When no Source NAT rule is explicitly configured for the GlobalProtect Clientless VPN's application traffic, PAN-OS by default uses an implicit Source NAT pool. The application traffic's session is therefore source-NATed to the IP address of the egress interface that routes the traffic to the application server.

For example:

  • Client Public IP is 100.55.20.127
  • Application Server IP is 172.20.74.74
  • Firewall's Interface Ethernet1/6 IP: 172.20.74.1
  • Application Server 172.20.74.74 is reachable from the Ethernet1/6's IP 172.20.74.1
The firewall would translate the Client's IP Address to the Ethernet1/6's IP so that the return traffic from the Application Server would come to the firewall for Clientless VPN rewrite processing. 
52603        web-browsing   ACTIVE  FLOW *NS   100.55.20.127[21272]/L3-Untrust/6  (172.20.74.1[21272])
vsys1                                          172.20.74.74[80]/L3-Trust (172.20.74.74[80])

> show session id 52603
 
Session           52603
 
        c2s flow:
                source:      100.55.20.127 [L3-Untrust]
                dst:         172.20.74.74
                proto:       6
                sport:       21272           dport:      80
                state:       INIT            type:       FLOW
 
        s2c flow:
                source:      172.20.74.74 [L3-Trust]
                dst:         172.20.74.1
                proto:       6
                sport:       80              dport:      21272
                state:       INIT            type:       FLOW 
        ...
        ...
        address/port translation             : source
        nat-rule                             : (vsys1)      <+++ Implicit SNAT 
        ...
        ingress interface                    : ethernet1/3
        egress interface                     : ethernet1/6
        ...
>


However, this implicit SNAT pool has a fixed capacity that depends on the platform, PAN-OS version, configuration, etc., and it is not user-configurable.

Under high application traffic, the implicit SNAT pool becomes fully utilized. Once no translated IP:Port is left in the Alt srcnat pool (the "left" value goes negative), the firewall starts dropping the traffic and increments the global counters flow_alt_srcnat_drop and nat_alt_srcnat_xlat_failed.
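As an added operational check (not from the article or from Palo Alto Networks), the following Python script parses the "Alt srcnat pool" line in the format quoted above together with two samples of the global counters, and reports both symptoms: a negative "left" value and counters that are still climbing. The counter line layout (counter name first, value second) is an assumption, and all sample lines except the pool line are constructed.

```python
import re
from typing import Optional

# Pool line exactly as "show running ippool" prints it in the article:
# "Alt srcnat pool: used 63073, left -109395"
POOL_RE = re.compile(r"^\s*Alt srcnat pool:\s*used\s+(-?\d+),\s*left\s+(-?\d+)")

# Global counters the article names as symptoms of implicit SNAT pool exhaustion.
EXHAUSTION_COUNTERS = ("flow_alt_srcnat_drop", "nat_alt_srcnat_xlat_failed")


def parse_alt_srcnat_pool(ippool_output: str) -> Optional[dict]:
    """Return {'used': n, 'left': n} for the Alt srcnat pool, or None if absent."""
    for line in ippool_output.splitlines():
        m = POOL_RE.match(line)
        if m:
            return {"used": int(m.group(1)), "left": int(m.group(2))}
    return None


def parse_counters(counter_output: str) -> dict:
    """Pick the two exhaustion counters out of 'show counter global' style output.
    Assumption: the counter name is the first whitespace-separated field and its
    value the second; the sample counter lines below are constructed."""
    counters = {}
    for line in counter_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in EXHAUSTION_COUNTERS and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def check_implicit_snat(ippool_output: str, counters_t0: str, counters_t1: str) -> list:
    """Return human-readable findings; an empty list means no exhaustion was observed."""
    findings = []
    pool = parse_alt_srcnat_pool(ippool_output)
    if pool is None:
        findings.append("Alt srcnat pool line not found in ippool output")
    elif pool["left"] < 0:  # negative 'left' is the exhaustion symptom from the article
        findings.append(f"Alt srcnat pool exhausted: used {pool['used']}, left {pool['left']}")
    before, after = parse_counters(counters_t0), parse_counters(counters_t1)
    for name in EXHAUSTION_COUNTERS:
        delta = after.get(name, 0) - before.get(name, 0)
        if delta > 0:  # counter still climbing between the two samples
            findings.append(f"{name} increased by {delta} between samples")
    return findings


# Constructed samples: the pool line is the article's; the counter lines are invented.
SAMPLE_IPPOOL = "Alt srcnat pool: used 63073, left -109395\n"
SAMPLE_COUNTERS_T0 = "flow_alt_srcnat_drop 1200 4 drop flow session\nnat_alt_srcnat_xlat_failed 1200 4 drop nat resource\n"
SAMPLE_COUNTERS_T1 = "flow_alt_srcnat_drop 1730 9 drop flow session\nnat_alt_srcnat_xlat_failed 1730 9 drop nat resource\n"

if __name__ == "__main__":
    for finding in check_implicit_snat(SAMPLE_IPPOOL, SAMPLE_COUNTERS_T0, SAMPLE_COUNTERS_T1):
        print("FINDING:", finding)
```

Feed it the real output of "show running ippool" and two runs of "show counter global" taken a few seconds apart; a non-empty result is the condition this article describes.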



Resolution


Configure a Dynamic IP and Port (DIPP) Source NAT rule that matches the Clientless VPN application traffic; an explicit rule provides a larger translation pool than the implicit one.
