Technical Tip: How to determine whether a NAT port is exhausted on a FortiGate
Description
This article describes how to determine whether a NAT port is exhausted on a FortiGate.
Scope
FortiOS 6.0.x and above.
Solution
- Check the FortiGate GUI under Log&Report > FortiGate Event Log.
- The following message will display when the NAT port is exhausted:
- NAT port exhaustion is also indicated by a rise in the 'clash' counter, which can be checked with the following command:
erin-esx33 # diagnose sys session stat | grep "clash"
misc info: session_count=16 setup_rate=0 exp_count=0 clash=889
Or, for more detail:
erin-esx33 # diagnose sys session stat
misc info: session_count=16 setup_rate=0 exp_count=0 clash=889
memory_tension_drop=0 ephemeral=1/16384 removeable=3
delete=0, flush=0, dev_down=16/69
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=0005e722
ids_recv=000fdc94
url_recv=00000000
av_recv=001fee47
fqdn_count=00000000
tcp reset stat: syncqf=119 acceptqf=0 no-listener=3995 data=0 ses=2 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
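Because a single reading of 'clash' says little on its own, the useful check is whether the counter keeps rising between polls. The script below is an added example, not part of this article or of FortiOS: it parses two captures of 'diagnose sys session stat' (the first is the output shown above, the second is a constructed later poll), computes the clash delta and rate, and flags a suspected exhaustion. The poll interval and the alerting threshold are assumptions.

```python
import re

# Constructed sample: two captures of 'diagnose sys session stat' taken
# 60 seconds apart. The first is the output quoted in this article; the
# second is fabricated to show the clash counter rising.
POLL_T0 = """misc info: session_count=16 setup_rate=0 exp_count=0 clash=889
memory_tension_drop=0 ephemeral=1/16384 removeable=3
delete=0, flush=0, dev_down=16/69
"""
POLL_T1 = """misc info: session_count=4120 setup_rate=35 exp_count=0 clash=1489
memory_tension_drop=0 ephemeral=1/16384 removeable=3
delete=0, flush=0, dev_down=16/69
"""
POLL_INTERVAL_S = 60  # assumed polling interval, not a FortiOS value

# key=value pairs with a decimal value; hex fields such as cont=0005e722 are
# skipped and a/b fields such as dev_down=16/69 yield only the leading number,
# which is fine because the decision below is based on 'clash' alone.
_KV = re.compile(r"(\w+)=(\d+)\b")

def parse_session_stat(output):
    """Return the decimal counters of 'diagnose sys session stat' as a dict.
    Raises ValueError if 'clash' is absent so that a truncated capture is
    never mistaken for 'no clashes'."""
    stats = {k: int(v) for k, v in _KV.findall(output)}
    if "clash" not in stats:
        raise ValueError("clash counter not found in session stat output")
    return stats

def clash_delta(prev_output, curr_output, interval_s):
    """Compare two polls; return (delta, clashes_per_second)."""
    prev = parse_session_stat(prev_output)["clash"]
    curr = parse_session_stat(curr_output)["clash"]
    delta = curr - prev
    if delta < 0:  # counter went backwards, e.g. after a reboot: count from zero
        delta = curr
    return delta, delta / interval_s

def nat_exhaustion_suspected(prev_output, curr_output, interval_s, max_rate=1.0):
    """True when the clash counter rises faster than max_rate per second.
    max_rate is an assumed alerting threshold, not a FortiOS value; a counter
    that keeps rising at any rate deserves a look."""
    _, rate = clash_delta(prev_output, curr_output, interval_s)
    return rate > max_rate

if __name__ == "__main__":
    delta, rate = clash_delta(POLL_T0, POLL_T1, POLL_INTERVAL_S)
    print(f"clash rose by {delta} ({rate:.2f}/s); suspected="
          f"{nat_exhaustion_suspected(POLL_T0, POLL_T1, POLL_INTERVAL_S)}")
```

In practice the two captures would come from the CLI on a schedule (for example via SSH), with the previous reading stored between runs.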
- Using custom IP Pool for NAT while having SD-WAN in the policy
- Increasing the port range to avoid NAT port exhaustion
