Security Gateway is translating hide NAT source ports to ports greater than 65535
Symptoms
  • Hide NAT high ports are being translated to ports higher than 65535.
  • Kernel debug example:
    ;27Jul2018 18:29:12.943588;[cpu_22];[fw4_18];fw_xlate: changing < dir 1, XXX.XXX.XXX.XXX:23567 - > XXX.XXX.XXX.XXX:443 IPP 6 > to < dir 1, XXX.XXX.XXX.XXX:91681 - > XXX.XXX.XXX.XXX:443 IPP 6 >;
Cause

This is a dynamic port allocation issue. The port ranges are reversed. 

The following output is seen for the 'fw ctl set int fwx_nat_dynamic_port_allocation_print_stats 1' command:

[DATE TIME];[cpu_11];[fw4_0];Free global high ranges for XXX.XXX.XXX.XXX:;
[DATE TIME];[cpu_11];[fw4_0]; Free: 4294940410;
[DATE TIME];[cpu_11];[fw4_0]; range [97567-30211]; -- REVERSED RANGE
[DATE TIME];[cpu_11];[fw4_0]; range [30207-30210];
[DATE TIME];[cpu_11];[fw4_0]; range [30213-30214];
[DATE TIME];[cpu_11];[fw4_0]; range [30213-30213];
[DATE TIME];[cpu_11];[fw4_0]; range [30212-30213];
[DATE TIME];[cpu_11];[fw4_0]; range [30212-30212];
[DATE TIME];[cpu_11];[fw4_0]; range [30216-30216];
[DATE TIME];[cpu_11];[fw4_0]; range [30215-30216];
[DATE TIME];[cpu_11];[fw4_0]; range [30218-30220];

The reversed range, range [97567-30211], is causing Hide NAT to translate the source port to ports greater than 65535.

Another example:

[DATE TIME];[cpu_12];[fw4_12]; range [57607-57607];
[DATE TIME];[cpu_12];[fw4_12]; range [57707-57805];
[DATE TIME];[cpu_12];[fw4_12]; range [65891-65990]; -- RANGE HIGHER THAN 65535
[DATE TIME];[cpu_12];[fw4_12]; range [67291-67390]; -- RANGE HIGHER THAN 65535 

Source port ranges higher than 65535 are causing Hide NAT to translate the source port to ports greater than 65535.
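
The check below is an added example, not part of the original article or of any Check Point tooling. It scans saved debug output for the two conditions described above (reversed ranges and ports above 65535), assuming the line formats are exactly as quoted on this page; the function names and the sample text are constructed for illustration.

```python
import re

MAX_PORT = 65535  # TCP/UDP port numbers are 16-bit

# "range [start-end]" entries from the port allocation statistics output.
RANGE_RE = re.compile(r"range \[(\d+)-(\d+)\]")
# Ports in an fw_xlate debug line: ":<port>" followed by "- >" or "IPP".
XLATE_PORT_RE = re.compile(r":(\d+) (?:-\s*>|IPP)")

# Constructed sample: lines taken from the outputs quoted on this page.
SAMPLE = """\
;27Jul2018 18:29:12.943588;[cpu_22];[fw4_18];fw_xlate: changing < dir 1, XXX.XXX.XXX.XXX:23567 - > XXX.XXX.XXX.XXX:443 IPP 6 > to < dir 1, XXX.XXX.XXX.XXX:91681 - > XXX.XXX.XXX.XXX:443 IPP 6 >;
[DATE TIME];[cpu_11];[fw4_0]; Free: 4294940410;
[DATE TIME];[cpu_11];[fw4_0]; range [97567-30211]; -- REVERSED RANGE
[DATE TIME];[cpu_11];[fw4_0]; range [30207-30210];
[DATE TIME];[cpu_12];[fw4_12]; range [57707-57805];
[DATE TIME];[cpu_12];[fw4_12]; range [65891-65990]; -- RANGE HIGHER THAN 65535
"""

def check_line(line):
    """Return a list of problems found in one debug line (empty if none)."""
    problems = []
    m = RANGE_RE.search(line)
    if m:
        start, end = int(m.group(1)), int(m.group(2))
        if start > end:
            problems.append(f"reversed range [{start}-{end}]")
        if max(start, end) > MAX_PORT:
            problems.append(f"range [{start}-{end}] exceeds {MAX_PORT}")
    if "fw_xlate:" in line:
        for port in map(int, XLATE_PORT_RE.findall(line)):
            if port > MAX_PORT:
                problems.append(f"fw_xlate port {port} exceeds {MAX_PORT}")
    return problems

def scan(text):
    """Return (line_number, problem) pairs for every invalid entry in text."""
    return [(n, p) for n, line in enumerate(text.splitlines(), 1)
            for p in check_line(line)]

if __name__ == "__main__":
    for n, problem in scan(SAMPLE):
        print(f"line {n}: {problem}")
```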

