Hide NAT port exhaustion on Standby cluster member in ClusterXL HA mode
Symptoms
  • "NAT Hide failure - there are currently no available ports for hide operation" drop logs appear in SmartView Tracker for connections originating from the Standby cluster member itself (e.g., pings from the Standby member to a host).

  • Kernel debug ('fw ctl debug -m fw + drop') on Standby cluster member shows that some connections are dropped:
    ;fw_log_drop_ex: Packet proto= ... dropped by fw_first_packet_xlation Reason: NAT rulematch failed

  • The /var/log/messages file on the Standby cluster member fills with the following message, repeated with different port numbers:
    ;FW-1: internal error - invalid port allocation range, low_first: ..., low_last: ..., high_first: ..., high_last: ... extra_first: ..., extra_last: ..., mem index: 0, cluster size: N ;

Cause

The kernel parameters 'fwx_low_port_quota' and 'fwx_high_port_quota' end up holding invalid values when the configured value of either parameter is too large for the kernel to carve a valid Hide NAT port range from it; the 'invalid port allocation range' message above prints the resulting low/high/extra ranges together with the member index and cluster size.

As a result, the Standby cluster member has no Hide NAT ports left to allocate, and its own outbound connections that require Hide NAT are dropped.
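The following triage script is an added example and is not part of the SecureKnowledge article or Check Point's own tooling. It parses /var/log/messages lines of the shape quoted under Symptoms, counts how often the kernel message appears per (member index, cluster size), and additionally flags sub-ranges that cannot be usable port ranges. The count is the reliable signal; the flagging heuristic (a sub-range is invalid when first > last or when it reaches past 65535, and 0..0 is treated as "unused") is an assumption of this example, not something the article states. The sample log lines are constructed, with invented values.

```python
"""Triage helper for the "invalid port allocation range" kernel message.

Added example; not code from the SecureKnowledge article or from Check Point.
Assumption (not stated on the page): a sub-range is invalid when it is empty
(first > last) or reaches past 65535; a range given as 0..0 is treated as unused.
"""
import re
from collections import Counter

# Matches the message quoted in the article; the syslog timestamp/host prefix is ignored.
MSG_RE = re.compile(
    r"invalid port allocation range, "
    r"low_first: (?P<low_first>\d+), low_last: (?P<low_last>\d+), "
    r"high_first: (?P<high_first>\d+), high_last: (?P<high_last>\d+) "
    r"extra_first: (?P<extra_first>\d+), extra_last: (?P<extra_last>\d+), "
    r"mem index: (?P<mem_index>\d+), cluster size: (?P<cluster_size>\d+)"
)

MAX_PORT = 65535


def range_problem(first, last):
    """Return a short reason if (first, last) cannot be a usable port range, else None."""
    if first == 0 and last == 0:
        return None  # assumption: 0..0 means "no range assigned"
    if first > last:
        return "empty"
    if last > MAX_PORT:
        return "above 65535"
    return None


def parse_line(line):
    """Parse one syslog line; return its fields plus the flagged sub-ranges, or None if no match."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: int(v) for k, v in m.groupdict().items()}
    bad = {}
    for name in ("low", "high", "extra"):
        why = range_problem(fields[name + "_first"], fields[name + "_last"])
        if why:
            bad[name] = why
    fields["invalid_ranges"] = bad
    return fields


def triage(lines):
    """Summarise matching lines: total hits, hits per (mem index, cluster size), flagged sub-ranges."""
    hits = [r for r in (parse_line(l) for l in lines) if r]
    per_member = Counter((r["mem_index"], r["cluster_size"]) for r in hits)
    flagged = Counter(k for r in hits for k in r["invalid_ranges"])
    return {"matches": len(hits), "per_member": dict(per_member), "flagged": dict(flagged)}


# Constructed sample lines: shape copied from the article, values invented.
SAMPLE_LOG = """\
Jan  1 00:00:01 gw2 kernel: FW-1: internal error - invalid port allocation range, low_first: 600, low_last: 599, high_first: 10000, high_last: 70000 extra_first: 0, extra_last: 0, mem index: 0, cluster size: 2 ;
Jan  1 00:00:02 gw2 kernel: ClusterXL: unrelated line that must not match
Jan  1 00:00:03 gw2 kernel: FW-1: internal error - invalid port allocation range, low_first: 1200, low_last: 1199, high_first: 20000, high_last: 80000 extra_first: 0, extra_last: 0, mem index: 0, cluster size: 2 ;
""".splitlines()

if __name__ == "__main__":
    # On a cluster member, run over the real file instead: triage(open("/var/log/messages"))
    print(triage(SAMPLE_LOG))
```

Run it on the Standby member against /var/log/messages; a non-zero match count reproduces the symptom described above, and the member index and cluster size in the output tell you which member's allocation the kernel rejected.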


Solution