FortiGate
maydin
Staff
Article Id 360578
Description

This article describes how to handle an issue where, when a CGN-type IP pool is configured with overload enabled on a FortiGate using the Hyperscale License, incorrect ippool session statistics can be observed. Specifically, UDP sessions and TCP sessions are not differentiated. This behavior is caused by a limitation in the NP7 processor.

Scope
Hyperscale firewall.
Solution

With the Hyperscale license enabled on the firewall, a CGN-type ippool can be created using the following configuration:

config firewall ippool
    edit "NAT_TEST"
        set type cgn-resource-allocation
        set startip 10.10.10.13
        set endip 10.10.10.13
        set cgn-spa enable
        set cgn-overload enable
    next
end

As can be seen above, overload is enabled for this pool.


For testing purposes, mostly UDP traffic is sent through this pool. However, the pool stats indicate 0 UDP sessions but a large number of TCP sessions:

diag firewall ippool list

ippool NAT_TEST: id=277, block-sz=128, num-block=8, fixed-port=no, use=2
ip-range=10.10.10.13-10.10.10.13 start-port=5117, num-pba-per-ip=472
clients=0, inuse-NAT-IPs=0
total-PBAs=472, inuse-PBAs=0, expiring-PBAs=0, free-PBAs=100.00%
allocate-PBA-times=0, reuse-PBA-times=0
grp=N/A, start-port=5117, end-port=65530
npu-clients=1, npu-inuse-NAT-IPs=1, total-NAT-IP=1
npu-total-PBAs=60288, npu-inuse-PBAs=340010/0, npu-free-PBAs=0.00%/100.00%
npu-tcp-sess-count=340010, npu-udp-sess-count=0


This discrepancy is caused by a limitation of the NP7 processor when a Hyperscale Firewall is combined with an overload-enabled CGN-type pool. In this case, the stats cannot differentiate TCP and UDP sessions, so all sessions are reported under npu-tcp-sess-count.
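As an added example (this script is not part of the Fortinet article and is not FortiOS code), the following Python parses the ippool configuration and the output of diag firewall ippool list, then reports session counts per pool. For CGN pools with cgn-overload enabled it exposes only the combined count and marks the TCP/UDP split as unreliable, so that a monitoring script does not raise a false "no UDP sessions" alarm. The NAT_TEST values are copied from the output above; the second pool, NAT_PLAIN, and its counters are constructed for illustration.

```python
import re

# Constructed sample input: the ippool config from the article plus a second,
# hypothetical pool without cgn-overload (not from the article).
SAMPLE_CONFIG = """\
config firewall ippool
    edit "NAT_TEST"
        set type cgn-resource-allocation
        set startip 10.10.10.13
        set endip 10.10.10.13
        set cgn-spa enable
        set cgn-overload enable
    next
    edit "NAT_PLAIN"
        set type cgn-resource-allocation
        set startip 10.10.10.14
        set endip 10.10.10.14
    next
end
"""

# Constructed sample: 'diag firewall ippool list' output. NAT_TEST lines are
# from the article; the NAT_PLAIN counters are made up for illustration.
SAMPLE_DIAG = """\
ippool NAT_TEST: id=277, block-sz=128, num-block=8, fixed-port=no, use=2
ip-range=10.10.10.13-10.10.10.13 start-port=5117, num-pba-per-ip=472
clients=0, inuse-NAT-IPs=0
total-PBAs=472, inuse-PBAs=0, expiring-PBAs=0, free-PBAs=100.00%
allocate-PBA-times=0, reuse-PBA-times=0
grp=N/A, start-port=5117, end-port=65530
npu-clients=1, npu-inuse-NAT-IPs=1, total-NAT-IP=1
npu-total-PBAs=60288, npu-inuse-PBAs=340010/0, npu-free-PBAs=0.00%/100.00%
npu-tcp-sess-count=340010, npu-udp-sess-count=0
ippool NAT_PLAIN: id=278, block-sz=128, num-block=8, fixed-port=no, use=1
npu-tcp-sess-count=1200, npu-udp-sess-count=800
"""


def overload_pools(config_text):
    """Return the names of ippools that are CGN type with cgn-overload enabled."""
    pools = set()
    current, is_cgn, overload = None, False, False
    for line in config_text.splitlines():
        s = line.strip()
        m = re.match(r'edit "(.+)"$', s)
        if m:
            current, is_cgn, overload = m.group(1), False, False
        elif s == "set type cgn-resource-allocation":
            is_cgn = True
        elif s == "set cgn-overload enable":
            overload = True
        elif s == "next" and current is not None:
            if is_cgn and overload:
                pools.add(current)
            current = None
    return pools


def parse_ippool_list(diag_text):
    """Parse 'diag firewall ippool list' output into {pool: {field: value}}."""
    pools = {}
    current = None
    for line in diag_text.splitlines():
        m = re.match(r"ippool (\S+):", line)
        if m:
            current = m.group(1)
            pools[current] = {}
            line = line[m.end():]
        if current is None:
            continue
        # Fields are 'key=value' pairs separated by commas or spaces.
        for key, val in re.findall(r"([\w-]+)=([^\s,]+)", line):
            pools[current][key] = val
    return pools


def session_summary(config_text, diag_text):
    """Per pool: total NPU sessions, and the TCP/UDP split only where it is trustworthy.

    On NP7 with an overload-enabled CGN pool, every session is counted under
    npu-tcp-sess-count, so the per-protocol numbers are withheld for such pools.
    """
    combined_pools = overload_pools(config_text)
    report = {}
    for name, fields in parse_ippool_list(diag_text).items():
        tcp = int(fields.get("npu-tcp-sess-count", 0))
        udp = int(fields.get("npu-udp-sess-count", 0))
        combined = name in combined_pools
        report[name] = {
            "total_sessions": tcp + udp,
            "tcp": None if combined else tcp,
            "udp": None if combined else udp,
            "protocol_split_reliable": not combined,
        }
    return report


if __name__ == "__main__":
    for pool, info in session_summary(SAMPLE_CONFIG, SAMPLE_DIAG).items():
        print(pool, info)
```

In a real deployment the two sample strings would be replaced by the output of show firewall ippool and diag firewall ippool list collected from the device; the logic is otherwise unchanged.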

Note: Other pool types are not affected by this issue.
