How to resolve commit error "Total NAT DIPP translated IP xxx exceeds the capacity of 800"

9526
Created On 10/16/19 02:00 AM - Last Modified 01/02/25 17:17 PM


Objective


How to resolve the commit error "Total NAT DIPP translated IP xxx exceeds the capacity of 800"? The commit fails with the following messages:
Error: Total NAT DIPP translated IP 1026 exceeds the capacity of 800
Error: Failed to parse nat policy
(Module: device)
Commit failed

 


Procedure


Change the following setting to resolve the issue:

Go to Device > Setup > Session > Session Settings, change the NAT Oversubscription Rate to 1x, and commit the changes.

The available values are:

1x - no oversubscription
2x - 2 times oversubscription
4x - 4 times oversubscription
8x - 8 times oversubscription



The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each platform supports a maximum number of translated IP addresses across all NAT rules combined. If oversubscription causes a rule to exceed the 256 translated addresses allowed per rule, the firewall automatically reduces the oversubscription ratio in an effort to let the commit succeed. However, if the NAT rules still result in more translations than the platform maximum, the commit fails with the error shown above.

The NAT oversubscription rate is the number of times each translated IP address and port pair can be reused. Reducing the oversubscription rate decreases the number of source device translations (concurrent sessions) available, but provides higher NAT rule capacity, because the multiplied address/port pool consumes less of the platform's translated-address capacity.

 



Additional Information


Dynamic IP and Port (DIPP) NAT allows each translated IP address and port pair to be used multiple times (8, 4, or 2 times) in concurrent sessions. This reuse of an IP address and port, known as oversubscription, provides scalability for deployments that have too few public IP addresses. The design is based on the assumption that hosts are connecting to different destinations, so sessions can be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times its size.

For example, the default limit of 64K concurrent sessions, multiplied by an oversubscription rate of 8, allows 512K concurrent sessions.

The oversubscription rate is enabled by default and consumes memory even when enough public IP addresses are available to make oversubscription unnecessary. It can be reduced from the default to a lower setting, or to 1x (no oversubscription). A reduced rate decreases the number of source device translations possible, but increases the DIP and DIPP NAT rule capacities.
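The capacity arithmetic described in the Procedure and Additional Information sections, as an added worked example; this is not Palo Alto Networks code and not taken from the article. Because the page does not spell out the accounting, the model assumes that a DIPP rule costs (translated addresses in the rule) multiplied by (oversubscription rate in effect) against the platform's translated-IP capacity, and that the firewall only ever steps the rate down (8x, 4x, 2x, 1x) to satisfy the 256-per-rule limit. The rule names, address pools and the platform capacity of 800 are constructed for the example; the 800 simply matches the figure quoted in the error text.

```python
"""Model of the NAT DIPP capacity check behind the commit error on this page.

Added example, not Palo Alto Networks code.  ASSUMPTION (not stated on the
page): a DIPP rule costs (translated addresses in the rule) x (oversubscription
rate) against the platform's translated-IP capacity, and the firewall only ever
lowers the rate (8x -> 4x -> 2x -> 1x) to satisfy the 256-per-rule limit.
"""
import ipaddress
from dataclasses import dataclass

PER_RULE_LIMIT = 256        # max translated IPs per NAT rule (from the page)
RATES = (8, 4, 2, 1)        # selectable oversubscription rates, high to low


@dataclass(frozen=True)
class DippRule:
    name: str
    translated: str         # single IP, "first-last" range, or CIDR, as typed in the rule


def translated_count(spec: str) -> int:
    """Number of addresses in a translated-address spec."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return int(last) - int(first) + 1
    return ipaddress.ip_network(spec, strict=False).num_addresses


def effective_per_rule(rule: DippRule, rate: int) -> int:
    """Translated IPs a rule consumes once the oversubscription rate is applied."""
    return translated_count(rule.translated) * rate


def plan_commit(rules, platform_capacity: int, configured_rate: int):
    """Simulate the commit: returns (ok, rate_used, total_translated).

    Follows the page: if the configured rate pushes any rule past 256, the
    rate is stepped down until every rule fits (or 1x is reached); if the
    combined total still exceeds the platform capacity, the commit fails.
    """
    rate = configured_rate
    while rate > 1 and any(effective_per_rule(r, rate) > PER_RULE_LIMIT for r in rules):
        rate = RATES[RATES.index(rate) + 1]
    total = sum(effective_per_rule(r, rate) for r in rules)
    return total <= platform_capacity, rate, total


def highest_usable_rate(rules, platform_capacity: int):
    """Largest rate at which the commit succeeds, or None if even 1x is too big."""
    for rate in RATES:
        ok, used, _ = plan_commit(rules, platform_capacity, rate)
        if ok:
            return used
    return None


# Constructed sample: four DIPP rules of 128 translated addresses each,
# on a platform whose capacity is 800 (the figure quoted in the error).
PLATFORM_CAPACITY = 800
RULES = [
    DippRule("users-outbound",   "203.0.113.0/25"),
    DippRule("servers-outbound", "203.0.113.128-203.0.113.255"),
    DippRule("guest-wifi",       "198.51.100.0/25"),
    DippRule("lab-outbound",     "198.51.100.128/25"),
]

if __name__ == "__main__":
    for rate in RATES:
        ok, used, total = plan_commit(RULES, PLATFORM_CAPACITY, rate)
        verdict = "commit ok" if ok else (
            f"Total NAT DIPP translated IP {total} exceeds the capacity of {PLATFORM_CAPACITY}")
        print(f"configured {rate}x -> effective {used}x, total {total}: {verdict}")
    print("highest usable rate:", highest_usable_rate(RULES, PLATFORM_CAPACITY))
```

With the constructed rules, every configured rate from 8x down to 2x is stepped down to 2x by the per-rule limit and still totals 1024 translated IPs, which exceeds 800; only 1x (512) commits, which is the fix this article prescribes. The same script shows why the fix is not always 1x: with only the first two rules the commit succeeds at 2x. The real number reported in the error (1026 in the example above) depends on the actual rule set, so treat the model as a way to reason about which rules to shrink, and confirm with a commit on the firewall.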
 


    https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000PN23&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcsArticleDetail