"flow_policy_nat" drop count incrementing in Global Counters

"flow_policy_nat" drop count incrementing in Global Counters

Created On 11/04/22 08:33 AM - Last Modified 06/30/23 21:41 PM


Symptom


  • Packet drops seen on NATed traffic
  • Security policy is configured to allow the traffic
  • Global counters (show counter global) show "flow_policy_nat" incrementing with severity "drop" and the message "Session setup: source NAT IP/port allocation error". Run the command twice a few seconds apart to confirm the value is still growing:
> show counter global filter severity drop | match nat
flow_policy_nat    744333986   41   drop   flow session Session setup: source NAT IP/port allocation error
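The check above is easier to reason about as a delta between two polls than as one absolute value. The script below is an added illustration, not part of the KB article or Palo Alto Networks code: it parses the column layout of "show counter global" (name, value, rate, severity, category, aspect, description) from two constructed sample polls and reports how much "flow_policy_nat" grew. The sample lines are made up for the example; the second counter name and the exact spacing are assumptions.

```python
import re
from typing import Dict, NamedTuple


class Counter(NamedTuple):
    value: int        # cumulative count since boot (or since the counters were cleared)
    rate: int         # per-second rate as reported by the firewall
    severity: str
    description: str


# Constructed sample output of two successive polls of
# "show counter global filter severity drop" (not captured from a real firewall).
POLL_1 = """\
flow_policy_deny              5120       0  drop  flow  session  Session setup: denied by policy
flow_policy_nat          744333986      41  drop  flow  session  Session setup: source NAT IP/port allocation error
"""
POLL_2 = """\
flow_policy_deny              5122       0  drop  flow  session  Session setup: denied by policy
flow_policy_nat          744336446      43  drop  flow  session  Session setup: source NAT IP/port allocation error
"""

# name, value, rate, severity, category, aspect, free-text description
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_counters(text: str) -> Dict[str, Counter]:
    """Parse one 'show counter global' poll into a name -> Counter map."""
    counters: Dict[str, Counter] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt, header or blank line
        name, value, rate, severity, _category, _aspect, desc = m.groups()
        counters[name] = Counter(int(value), int(rate), severity, desc)
    return counters


def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """How much each counter grew between two polls (counters new in 'after' count from zero)."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: c.value - (b[name].value if name in b else 0) for name, c in a.items()}


def nat_allocation_drops(before: str, after: str) -> int:
    """Sessions dropped for source NAT IP/port exhaustion between the two polls."""
    return counter_deltas(before, after).get("flow_policy_nat", 0)


if __name__ == "__main__":
    delta = nat_allocation_drops(POLL_1, POLL_2)
    if delta > 0:
        print(f"flow_policy_nat grew by {delta}: check the source NAT rule's translation type")
```

A non-zero delta while the security policy allows the traffic points at the NAT pool rather than at policy; the rate column alone can read 0 between bursts, which is why the cumulative value is compared.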


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Source NAT configuration


Cause


  • The source NAT rule uses the translation type "Dynamic IP" instead of "Dynamic IP And Port". Dynamic IP maps each source host one-to-one to the next free address in the translated pool and leaves the source port unchanged, so once every pool address is held by an active host, the next new host cannot be translated and session setup fails with "source NAT IP/port allocation error". Dynamic IP And Port also translates the source port, so many hosts share a single translated address and the pool is not exhausted by host count.
  • This can be verified under GUI: Policies > NAT > (name) > Translated Packet, where Translation Type shows "Dynamic IP". On the CLI, "show running nat-rule-ippool rule <name>" shows how much of the rule's pool is in use.
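To make the difference between the two translation types concrete, the following is an added toy model, not PAN-OS code: a pool of two translated addresses is offered to five source hosts under each mode, and a "flow_policy_nat" counter is incremented whenever allocation fails. The port range size and the exact allocation order are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SourceNatPool:
    """Simplified model of a source NAT pool (illustration only, not the firewall's algorithm)."""
    addresses: Tuple[str, ...]
    dipp: bool                            # True = Dynamic IP And Port, False = Dynamic IP
    ports_per_address: int = 64512        # assumed usable source-port range per translated address
    ip_bindings: Dict[str, str] = field(default_factory=dict)   # Dynamic IP: host -> pool address
    port_usage: Dict[str, int] = field(default_factory=dict)    # DIPP: pool address -> ports in use
    flow_policy_nat: int = 0              # sessions dropped for lack of an IP/port

    def allocate(self, src_ip: str) -> Optional[str]:
        """Translate one new session from src_ip; return the pool address or None on failure."""
        if self.dipp:
            # Any pool address with a free port will do; hosts share addresses.
            for addr in self.addresses:
                used = self.port_usage.get(addr, 0)
                if used < self.ports_per_address:
                    self.port_usage[addr] = used + 1
                    return addr
            self.flow_policy_nat += 1
            return None
        # Dynamic IP: one pool address per source host, port unchanged.
        if src_ip in self.ip_bindings:
            return self.ip_bindings[src_ip]
        taken = set(self.ip_bindings.values())
        for addr in self.addresses:
            if addr not in taken:
                self.ip_bindings[src_ip] = addr
                return addr
        self.flow_policy_nat += 1           # pool exhausted: the symptom in this article
        return None


def simulate(n_hosts: int, pool: Tuple[str, ...], dipp: bool) -> int:
    """Send one session from each of n_hosts through the pool; return the drop count."""
    p = SourceNatPool(pool, dipp)
    for i in range(n_hosts):
        p.allocate(f"10.0.0.{i + 1}")     # constructed inside hosts, n_hosts kept below 255
    return p.flow_policy_nat


if __name__ == "__main__":
    pool = ("203.0.113.10", "203.0.113.11")
    print("Dynamic IP drops:         ", simulate(5, pool, dipp=False))
    print("Dynamic IP And Port drops:", simulate(5, pool, dipp=True))
```

With two pool addresses and five hosts, Dynamic IP serves the first two hosts and drops the remaining three, which is exactly the case where "flow_policy_nat" climbs with every new host while the security policy allows the traffic. Dynamic IP And Port serves all five from the same pool.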


Resolution


  1. Modify the NAT rule under GUI: Policies > NAT > (name) > Translated Packet.
  2. Change the Translation Type from "Dynamic IP" to "Dynamic IP And Port"; the translated address or interface can stay as configured.
  3. Commit the configuration, then confirm that "flow_policy_nat" stops incrementing in "show counter global filter severity drop | match nat".
If Dynamic IP is required (for example for a protocol that does not tolerate source port translation), size the pool to the number of concurrent source hosts instead, or use the Dynamic IP rule's Dynamic IP/Port fallback option.



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZqPCAU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail