Commit failing due to error " Error: NAT DIPP rule GPCS-infra-sc-nat-rule: Exceeds maximum addresses space (256) per rule, even the oversubscription ratio set to 1"

Created On 05/07/24 05:29 AM - Last Modified 09/10/25 17:40 PM


Symptom


Commit failure while onboarding a service connection with NAT feature enabled.
 


Environment


PANOS-10.2.4

Prisma Access



Cause


The commit failure is caused by a misconfiguration of the NAT IP pool for the following features:
 
  • Data Traffic source NAT
    —Performs NAT on Mobile User IP address pool addresses so that they are not advertised to the data center, and only the subnets you specify at the service connections are advertised and routed in the data center.
  • Infrastructure Traffic source NAT
    —Performs NAT on addresses from the Infrastructure subnet so that they are not advertised to the data center, and only those subnets you specify at the service connections are advertised and routed in the data center.


Resolution


When you configure the IP pool for source NAT on the service connection, make sure it meets the following requirements:
 
  • Use a private IP (RFC 1918) subnet or a suitable subnet that is routable in your routing domain.
  • Make sure that the subnet does not overlap with the Mobile Users—GlobalProtect IP address pool, the Infrastructure subnet, or any other source NAT addresses used for this tenant.
  • Enter a subnet between /25 and /32.
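
The three requirements above can be checked before the commit. The following is an added example, not Palo Alto Networks code: the function name `check_nat_pool` is hypothetical and every subnet in it is a constructed sample value to be replaced with the tenant's own ranges.

```python
import ipaddress

# RFC 1918 private ranges named in the first requirement.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_nat_pool(pool, reserved):
    """Check a candidate source NAT pool against the requirements listed above.

    pool:     CIDR string for the service connection's source NAT IP pool.
    reserved: dict of label -> CIDR string for ranges the pool must not overlap
              (Mobile Users IP pool, Infrastructure subnet, other source NAT pools).
    Returns {"errors": [...], "warnings": [...]}; an empty "errors" list means
    the pool satisfies the listed requirements.
    """
    result = {"errors": [], "warnings": []}
    try:
        # strict=True rejects host bits, e.g. 10.200.50.1/25
        net = ipaddress.IPv4Network(pool, strict=True)
    except ValueError as exc:
        result["errors"].append(f"{pool}: not a valid IPv4 subnet ({exc})")
        return result
    if not 25 <= net.prefixlen <= 32:
        result["errors"].append(
            f"{net}: prefix /{net.prefixlen} is outside the /25 to /32 range")
    # Non-RFC 1918 space is allowed if it is routable in the routing domain,
    # so it is reported as a warning for manual review, not as an error.
    if not any(net.subnet_of(block) for block in RFC1918):
        result["warnings"].append(
            f"{net}: not RFC 1918; confirm it is routable in your routing domain")
    for label, cidr in reserved.items():
        if net.overlaps(ipaddress.IPv4Network(cidr)):
            result["errors"].append(f"{net}: overlaps {label} ({cidr})")
    return result

# Constructed sample ranges (assumptions, not taken from the article).
RESERVED = {
    "Mobile Users IP pool": "10.100.0.0/16",
    "Infrastructure subnet": "172.16.55.0/24",
    "other source NAT pool": "10.200.60.0/26",
}

if __name__ == "__main__":
    for candidate in ("10.200.50.0/25", "10.200.50.0/24",
                      "10.100.1.0/26", "198.51.100.0/28"):
        print(candidate, check_nat_pool(candidate, RESERVED))
```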

