Jonathan_Body_FTNT
Article Id 198590

Description

 

This article describes how to determine whether a NAT port is exhausted on a FortiGate.


Scope

 

FortiOS 6.0.x and above.


Solution

FortiGate lets an administrator see whether the system is experiencing NAT/PAT port exhaustion.
The event is shown in the alert console and has a severity of 'critical'.

  1. The event is visible in the FortiGate GUI under Log & Report > FortiGate Event Log.

Note: memory logs are overwritten quickly, depending on the memory resources of the unit model. It is recommended to enable logging to disk or to FortiAnalyzer under Log Settings.

  2. The following message is displayed when the NAT port is exhausted:

date=2024-01-22 time=11:12:23 logid="000001111" type="event" subtype="system" level="critical" vd="eduserve2" eventtime=12345663 logdesc="Socket is exhausted" service="kernel" status="failure" proto=17 vrf=0 srcip=172.xxx.xxx.xzx srcport=64910 nat=103.yyy.yyy.yy dstip=23.zzz.zzz.zzz dstport=53 msg="NAT port is exhausted."

  3. NAT port exhaustion is also indicated by an increase in the 'clash' counter, which can be checked with the following commands:


erin-esx33 # diagnose sys session stat | grep "clash"

misc info: session_count=16 setup_rate=0 exp_count=0 clash=889


Or, for more detail:


erin-esx33 # diagnose sys session stat

misc info: session_count=16 setup_rate=0 exp_count=0 clash=889

memory_tension_drop=0 ephemeral=1/16384 removeable=3
delete=0, flush=0, dev_down=16/69
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=0005e722
ids_recv=000fdc94
url_recv=00000000
av_recv=001fee47
fqdn_count=00000000
tcp reset stat: syncqf=119 acceptqf=0 no-listener=3995 data=0 ses=2 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
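
As an added example (not part of the Fortinet article), the following Python script parses event-log lines in the FortiOS key=value format shown above, flags the critical 'NAT port is exhausted' event, and reads the clash counter out of two 'diagnose sys session stat' snapshots to detect growth between polls. The sample log lines and counter snapshots are constructed from the output quoted in this article.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the 'NAT port is exhausted' line from this article and a
# benign event of the same shape, as they would be read from the event log.
NAT_EXHAUSTED_LINE = ('date=2024-01-22 time=11:12:23 logid="000001111" type="event" '
                      'subtype="system" level="critical" vd="eduserve2" eventtime=12345663 '
                      'logdesc="Socket is exhausted" service="kernel" status="failure" '
                      'proto=17 vrf=0 srcip=172.xxx.xxx.xzx srcport=64910 nat=103.yyy.yyy.yy '
                      'dstip=23.zzz.zzz.zzz dstport=53 msg="NAT port is exhausted."')
BENIGN_LINE = ('date=2024-01-22 time=11:12:24 logid="000000001" type="event" '
               'subtype="system" level="information" vd="root" msg="Admin login"')
# Constructed 'diagnose sys session stat' snapshots taken a few minutes apart.
STAT_BEFORE = "misc info: session_count=14 setup_rate=0 exp_count=0 clash=120"
STAT_AFTER = "misc info: session_count=16 setup_rate=0 exp_count=0 clash=889"

# FortiOS logs are space-separated key=value pairs; values with spaces are quoted.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_CLASH_RE = re.compile(r"\bclash=(\d+)")


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, quotes stripped."""
    return {key: (quoted or bare) for key, quoted, bare in _KV_RE.findall(line)}


def is_nat_port_exhaustion(event: Dict[str, str]) -> bool:
    """Match the critical system event described in this article."""
    return (event.get("type") == "event" and event.get("subtype") == "system"
            and event.get("level") == "critical"
            and "NAT port is exhausted" in event.get("msg", ""))


def exhaustion_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (srcip, nat, dstport) for every exhaustion event in a batch of lines."""
    hits = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if is_nat_port_exhaustion(ev):
            hits.append((ev.get("srcip", ""), ev.get("nat", ""), ev.get("dstport", "")))
    return hits


def clash_counter(stat_output: str) -> int:
    """Extract the 'clash' counter from 'diagnose sys session stat' output."""
    m = _CLASH_RE.search(stat_output)
    if m is None:
        raise ValueError("clash counter not found in session stat output")
    return int(m.group(1))


def clash_delta(previous: str, current: str) -> int:
    """Growth of 'clash' between two polls; a rising value points at exhaustion."""
    return clash_counter(current) - clash_counter(previous)
```

Polling `diagnose sys session stat` on a schedule and alerting when `clash_delta` is positive catches exhaustion even when memory logs have already been overwritten.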

Actions to be taken to mitigate this issue:
  1. Use a custom IP pool for NAT when the policy uses SD-WAN.
  2. Increase the port range to avoid NAT port exhaustion.