"NAT Hide Failure" error in SmartLog / SmartView Tracker
Symptoms
  • 'Message information' label in the log card shows "NAT Hide failure - there are currently no available ports for hide operation. Please refer to sk156852."
Solution

NAT Exhausted Pool

This feature is available starting from Jumbo Hotfix Accumulator for R80.30 Take 107 and Jumbo Hotfix Accumulator for R80.20 Take 127.
  • What is a "pool"? When we allocate a source port for a hide NAT operation, we can allocate the same port for different connections, as long as certain properties of the connections are different. These properties are: IP protocol, hide source IP, destination IP.
  • This 3-tuple is called a pool.
  • Two connections can get the same port if their pools are different (i.e., at least one of the values is different). For example the 2 pools <6, 1.1.1.1, 2.2.2.2> and <6, 1.1.1.1, 3.3.3.3> are different because the destination IP is different.

What is the format of the "NAT Exhausted Pool" label?

<ip protocol, hide source ip, destination ip>

Example log card of "NAT exhausted pool"

In this log card:

  • IP protocol: 6
  • Hide src: 110.16.4.80
  • Destination IP: 110.16.4.84

Solution

"Hide behind range" as described in sk140432.


R80.40 and above:


What is a "pool"?

  • When we allocate a source port for a hide NAT operation, we can allocate the same port for different connections, as long as certain properties of the connections are different. These properties are: IP protocol, hide source IP, destination IP, and destination port (dport is not always used, as explained below).
  • This 4-tuple <IPP, hideIP, dest, dport> is called a pool.
  • Two connections can get the same port if their pools are different (i.e., at least one of the values is different). For example the 2 pools <6, 1.1.1.1, 2.2.2.2, 443> and <6, 1.1.1.1, 3.3.3.3, 443> are different because the destination IP is different.

What is the format of the "NAT Exhausted Pool" label?

The label has 2 format options:

  • If we use GNAT, we use the 4-tuple:

<ip protocol, hide source ip, destination ip, destination port>

  • If we use static port allocation, we use the 3-tuple:

<ip protocol, hide source ip, destination ip>

Example log card of "NAT exhausted pool"

In this log card:

  • IP protocol: 6
  • Hide src: 110.16.4.80
  • Destination IP: 110.16.4.84
  • Destination port: 888
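Triage of these logs usually starts with grouping the failures by pool, because the label's arity tells you which allocation mode the gateway was in and a dport of 0 tells you the real dport is not in xlate_use_dport_services. The parser below is an added example (not part of this article or of any Check Point tooling); it accepts both documented label formats, validates the fields, and counts failures per pool over a set of constructed sample labels.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional

# The tuple as printed in the "NAT Exhausted Pool" label:
#   <ip protocol, hide source ip, destination ip>                    (static port allocation)
#   <ip protocol, hide source ip, destination ip, destination port>  (GNAT)
_POOL_RE = re.compile(
    r"<\s*(\d{1,3})\s*,\s*([^,>\s]+)\s*,\s*([^,>\s]+)\s*(?:,\s*(\d{1,5})\s*)?>"
)


class ExhaustedPool(NamedTuple):
    ip_proto: int
    hide_ip: str
    dst_ip: str
    dport: Optional[int]  # None when the label is the 3-tuple form

    @property
    def allocation(self) -> str:
        # A 4-tuple label means GNAT; a 3-tuple label means static port allocation.
        return "static" if self.dport is None else "gnat"

    @property
    def dport_in_table(self) -> bool:
        # Under GNAT a dport of 0 means the real dport is not in xlate_use_dport_services,
        # so connections to every unlisted dport on this server share one pool.
        return self.dport not in (None, 0)


def parse_exhausted_pool(label: str) -> ExhaustedPool:
    """Parse the pool tuple out of a "NAT Exhausted Pool" label (or a line containing it)."""
    m = _POOL_RE.search(label)
    if m is None:
        raise ValueError(f"no NAT Exhausted Pool tuple in {label!r}")
    ip_proto = int(m.group(1))
    if ip_proto > 255:
        raise ValueError(f"invalid IP protocol {ip_proto}")
    hide_ip = str(ipaddress.ip_address(m.group(2)))  # raises ValueError on a malformed address
    dst_ip = str(ipaddress.ip_address(m.group(3)))
    dport = None if m.group(4) is None else int(m.group(4))
    if dport is not None and dport > 65535:
        raise ValueError(f"invalid destination port {dport}")
    return ExhaustedPool(ip_proto, hide_ip, dst_ip, dport)


def rank_exhausted_pools(labels: Iterable[str]) -> Dict[ExhaustedPool, int]:
    """Count failures per pool, busiest first, so the pool to fix first is obvious."""
    counts: Counter = Counter()
    for label in labels:
        try:
            counts[parse_exhausted_pool(label)] += 1
        except ValueError:
            continue  # unrelated or malformed line
    return dict(counts.most_common())


# Constructed sample labels (not real gateway output). The first three use the article's
# example values in the GNAT form; the fourth is the static-port-allocation form.
SAMPLE_LABELS = [
    "<6, 110.16.4.80, 110.16.4.84, 888>",
    "<6, 110.16.4.80, 110.16.4.84, 888>",
    "<6, 110.16.4.80, 110.16.4.84, 0>",
    "<6, 110.16.4.80, 110.16.4.84>",
    "NAT Hide failure - there are currently no available ports for hide operation.",
]

if __name__ == "__main__":
    for pool, n in rank_exhausted_pools(SAMPLE_LABELS).items():
        print(n, pool.allocation, pool)
```

Feed it the label values exported from SmartLog / SmartView Tracker; the regex searches for the tuple anywhere in the string, so whole log lines work as well as bare labels.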

The use of dport in the pool

  • If we use static port allocation, the dport is not part of the pool.
  • If we use GNAT, the dport is part of the pool, but it can still be 0 if the specific dport is not present in the xlate_use_dport_services table.

The xlate_use_dport_services table

  • xlate_use_dport_services is defined in the table.def file, and contains the dports which are used in the pool (for all other dports, 0 is used).
  • For general information about table.def and its location, see sk98339.
  • By default, the table contains common ports and protocols which might get to NAT port exhaustion.
  • Generally speaking, it is not recommended to modify the table, except in the following cases:
    • If you have port exhaustion for connections whose pools differ only in the dport, and those dports are not in the table, then adding them to the table might solve the port exhaustion.
  • For example, a server that handles two services, one on dport 555 and one on dport 556. Both are UDP (IP protocol 17), so in this case you should add the following: <555, 17>, <556, 17>.
      As a result, instead of one pool for this server you will have two pools, which together provide twice as many ports as the single pool did.
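The pool definition above and the 555/556 example are easiest to see in a small model of the allocator. The following is an added example, not the gateway's code: a toy allocator that keeps one set of used source ports per pool, builds the pool key the way the article describes (3-tuple under static port allocation, 4-tuple under GNAT with the dport replaced by 0 unless <dport, ipp> is in the table), and simulates the two-service server with a scaled-down pool capacity so exhaustion is reached quickly. The hide IP, server IP and table contents are constructed for the illustration.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Optional, Set, Tuple

# A pool key is (ipp, hide_ip, dst_ip) under static port allocation
# or (ipp, hide_ip, dst_ip, effective_dport) under GNAT.
PoolKey = Tuple


class HideNatAllocator:
    """Toy model of hide NAT source-port allocation: one set of used ports per pool.

    Constructed for illustration only; it is not the gateway's allocator.
    """

    def __init__(self, dport_services: FrozenSet[Tuple[int, int]], gnat: bool = True,
                 port_range: range = range(10000, 60000)) -> None:
        # dport_services stands in for xlate_use_dport_services: a set of <dport, ipp> pairs.
        self.dport_services = set(dport_services)
        self.gnat = gnat
        self.port_range = port_range  # the article's "High" range by default
        self.used: Dict[PoolKey, Set[int]] = defaultdict(set)

    def pool_key(self, ipp: int, hide_ip: str, dst_ip: str, dport: int) -> PoolKey:
        if not self.gnat:
            # Static port allocation: the dport is never part of the pool.
            return (ipp, hide_ip, dst_ip)
        # GNAT: the dport is part of the pool only if <dport, ipp> is in the table, else 0.
        effective = dport if (dport, ipp) in self.dport_services else 0
        return (ipp, hide_ip, dst_ip, effective)

    def allocate(self, ipp: int, hide_ip: str, dst_ip: str, dport: int) -> Optional[int]:
        """Return a free source port for this connection, or None when its pool is exhausted."""
        used = self.used[self.pool_key(ipp, hide_ip, dst_ip, dport)]
        for port in self.port_range:
            if port not in used:
                used.add(port)
                return port
        return None  # the "NAT Hide failure" case; the pool key is what the log label shows

    def release(self, ipp: int, hide_ip: str, dst_ip: str, dport: int, port: int) -> None:
        self.used[self.pool_key(ipp, hide_ip, dst_ip, dport)].discard(port)


def simulate(dport_services: FrozenSet[Tuple[int, int]], gnat: bool = True,
             capacity: int = 50) -> Dict[str, int]:
    """Open 2*capacity UDP connections behind one hide IP to one server, alternating
    between dport 555 and dport 556 (the article's example). Returns success/failure
    counts and the number of distinct pools the connections were spread over."""
    alloc = HideNatAllocator(dport_services, gnat=gnat,
                             port_range=range(10000, 10000 + capacity))
    ok = failed = 0
    for i in range(2 * capacity):
        dport = 555 if i % 2 == 0 else 556
        if alloc.allocate(17, "110.16.4.80", "110.16.4.84", dport) is None:
            failed += 1
        else:
            ok += 1
    return {"ok": ok, "failed": failed, "pools": len(alloc.used)}


if __name__ == "__main__":
    # Neither dport in the table: both services land in the single pool <17, hide, server, 0>.
    print("dports not in table   ", simulate(frozenset()))
    # <555, 17> and <556, 17> added: two pools, twice the ports, no failures.
    print("dports added to table ", simulate(frozenset({(555, 17), (556, 17)})))
    # Static port allocation ignores the table entirely.
    print("static port allocation", simulate(frozenset({(555, 17), (556, 17)}), gnat=False))
```

The model also makes the FTP caveat below concrete: if a service whose data connections are opened on other ports were listed in the table, its control and data connections would fall into different pools and could be handed the same source port, which is the collision the article warns about.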

Important notes:

  • Never add ports that might be used for data connections (for example, FTP).
  • Modifying the table without rebooting might cause temporary NAT link collisions, because existing connections were allocated under the old pool keys; the collisions stop once those old connections are deleted.

How to review the statistics of the NAT pools through cpview

To open it, run cpview on the gateway command line, then choose the Advanced option and then the NAT option.

The default option is to show the ipv4 pools. Click on the ipv6 label to see the ipv6 pools.

You will see the following screen:

Each row describes one pool (the example row is marked in red in the screenshot) and has the following columns:

  • Instance: The instance of the Gateway on which this pool is being used. In this example, all instances are used.
  • Hide IP: The hide IP that the source is translated to.
  • Dst IP: The destination IP.
  • Dport: The destination port that is part of the pool key. In this example, it is 0 (the dport is not in the xlate_use_dport_services table, or static port allocation is in use).
  • Proto: The IP protocol of the connection. In this case, 6 represents TCP.
  • Port Usage: The number of ports used for this specific pool.
  • Capacity: The total number of ports that can be used for each pool.
  • Used: The percentage of ports used out of the total capacity.

The different type of ports:

  • High: Ports for general use, 10,000 - 60,000.
  • Low: Reserved ports for services that require ports from the 600 - 1024 range.
  • Extra: Reserved ports for VOIP connections, 60,000 and above.

Solution

  1. "Hide behind range" as described in sk140432.
  2. If necessary, add the dport to xlate_use_dport_services, as described above.
