FortiGate
tgirard
Staff
Article Id 342216
Description

This article describes a particular configuration that can lead to NAT resource leakage in a hyperscale context.

Scope

FortiOS hyperscale mode.

Solution

The configuration is a combination of the following:

  1. The use of PBA and SPA IP pools in the same hyperscale VDOM:

config firewall ippool
    edit "PBA-pool"
        set type cgn-resource-allocation
        set startip 10.10.10.1
        set endip 10.10.10.254
        set cgn-block-size 64
        set cgn-port-end 65529
    next
    edit "SPA-pool"
        set type cgn-resource-allocation
        set startip 10.11.11.1
        set endip 10.11.11.254
        set cgn-spa enable
    next
end

  2. cgn-eim being enabled on the hyperscale policy that uses the PBA pool:

config firewall policy
    edit 100
        set name "Policy-using-SPA-pool"
        ...
        set srcaddr "client-all"
        set dstaddr "all"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set ippool enable
        set poolname "SPA-pool"
    next
    edit 101
        set name "Policy-Using-PBA-pool-with-EIM"
        ...
        set srcaddr "client-all"
        set dstaddr "all"
        set service "ALL"
        set cgn-eim enable
        set nat enable
        set ippool enable
        set poolname "PBA-pool"
    next
end


How to identify the resource leak:

The command to display pool usage is:

diagnose firewall ippool list
list ippool info:(vf=CGNAT-hw1)
ippool PBA-pool: id=5, block-sz=64, num-block=8, fixed-port=no, use=2
ip-range=10.10.10.1-10.10.10.254 start-port=5117, num-pba-per-ip=944
...
npu-total-PBAs=1441260, npu-inuse-PBAs=0/500543, npu-free-PBAs=100.00%/65.27%

While a resource leak is in progress, the npu-free-PBAs percentages keep decreasing until they reach 0%, at which point the PBA resources are exhausted.
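The output above is only useful as a trend: a single reading does not tell a leak from normal load. The following script is an added example, not part of the article or of FortiOS, that parses successive captures of diagnose firewall ippool list and flags a pool whose npu-free-PBAs figure falls at every sample. The first snapshot is the article's own output; the two later snapshots are constructed values. The article does not define the two figures on either side of the slash in npu-inuse-PBAs and npu-free-PBAs, so the script tracks both as independent counters; it also checks that each free percentage matches (total - inuse) / total, which the article's figures satisfy (1441260 - 500543 = 940717, i.e. 65.27%).

```python
import re

# Constructed snapshots of `diagnose firewall ippool list`, as if captured a few
# minutes apart. The first is the article's output; the later two are made-up
# values that show npu-free-PBAs falling the way a leak would.
SNAPSHOTS = [
    """list ippool info:(vf=CGNAT-hw1)
ippool PBA-pool: id=5, block-sz=64, num-block=8, fixed-port=no, use=2
ip-range=10.10.10.1-10.10.10.254 start-port=5117, num-pba-per-ip=944
...
npu-total-PBAs=1441260, npu-inuse-PBAs=0/500543, npu-free-PBAs=100.00%/65.27%
""",
    """list ippool info:(vf=CGNAT-hw1)
ippool PBA-pool: id=5, block-sz=64, num-block=8, fixed-port=no, use=2
npu-total-PBAs=1441260, npu-inuse-PBAs=0/620000, npu-free-PBAs=100.00%/56.98%
""",
    """list ippool info:(vf=CGNAT-hw1)
ippool PBA-pool: id=5, block-sz=64, num-block=8, fixed-port=no, use=2
npu-total-PBAs=1441260, npu-inuse-PBAs=0/740000, npu-free-PBAs=100.00%/48.66%
""",
]

# Line formats taken from the article's output.
POOL_RE = re.compile(r"^ippool (?P<name>\S+): id=(?P<id>\d+), block-sz=(?P<bs>\d+), "
                     r"num-block=(?P<nb>\d+), fixed-port=(?P<fp>\w+), use=(?P<use>\d+)")
NPU_RE = re.compile(r"npu-total-PBAs=(\d+), npu-inuse-PBAs=(\d+)/(\d+), "
                    r"npu-free-PBAs=([\d.]+)%/([\d.]+)%")


def parse_ippool_list(output):
    """Map pool name -> parsed counters for one capture of the command."""
    pools, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = POOL_RE.match(line)
        if m:
            current = m.group("name")
            pools[current] = {"id": int(m.group("id")), "block_size": int(m.group("bs")),
                              "num_block": int(m.group("nb")), "use": int(m.group("use"))}
            continue
        m = NPU_RE.search(line)
        if m and current is not None:
            total, in_a, in_b, free_a, free_b = m.groups()
            # The two figures around the slash are kept as separate counters.
            pools[current].update(total=int(total),
                                  inuse=(int(in_a), int(in_b)),
                                  free_pct=(float(free_a), float(free_b)))
    return pools


def free_pct_consistent(pool, tol=0.01):
    """Each reported free % should equal (total - inuse) / total to 2 decimals."""
    return all(abs(100.0 * (pool["total"] - inuse) / pool["total"] - free) <= tol
               for inuse, free in zip(pool["inuse"], pool["free_pct"]))


def leaking_pools(snapshots, min_drop=5.0):
    """Return {pool: [counter index]} for counters whose free % falls at every
    step across the snapshots and loses at least min_drop points overall."""
    parsed = [parse_ippool_list(s) for s in snapshots]
    flagged = {}
    for name in parsed[0]:
        series = [p[name]["free_pct"] for p in parsed
                  if name in p and "free_pct" in p[name]]
        if len(series) < 2:
            continue
        for idx in (0, 1):
            vals = [s[idx] for s in series]
            falling = all(b < a for a, b in zip(vals, vals[1:]))
            if falling and vals[0] - vals[-1] >= min_drop:
                flagged.setdefault(name, []).append(idx)
    return flagged


if __name__ == "__main__":
    for snap in SNAPSHOTS:
        for name, pool in parse_ippool_list(snap).items():
            print(name, pool["free_pct"], "consistent" if free_pct_consistent(pool) else "MISMATCH")
    print("steadily falling:", leaking_pools(SNAPSHOTS))
```

A steadily falling free percentage is also what legitimate subscriber growth looks like, so compare the trend against the pool's use= count and session numbers before concluding that the configuration described in this article is the cause.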

 

How to prevent it:

The leak results from the combination of the following three elements being used in the same VDOM:

  1. Use of an SPA pool.
  2. Use of a PBA pool.
  3. cgn-eim being enabled on the policy using the PBA pool.

There are two approaches to remove this combination:

  • If cgn-eim is mandatory in the policy using the PBA pool, the policy using the SPA pool has to be removed, or converted to use a PBA pool.
  • If cgn-eim is not mandatory, disabling it in the policy using the PBA pool is also an effective solution.
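The three conditions above can be checked in a configuration export before the pools go into service. The script below is an added example, not the article's or Fortinet's own code: it parses the config/edit/set/next/end structure of a FortiOS export into tables and reports every policy that enables cgn-eim on a PBA pool while another policy in the same export uses an SPA pool. The sample configuration is constructed from the two snippets in this article. It assumes the export covers a single VDOM, and, following the article's snippets, treats a cgn-resource-allocation pool with cgn-spa enabled as an SPA pool and any other cgn-resource-allocation pool as a PBA pool.

```python
import re
from collections import defaultdict

# Constructed sample: the article's two CLI snippets joined into one export
# (the elided "..." lines are kept and skipped by the parser).
SAMPLE_CONFIG = """
config firewall ippool
    edit "PBA-pool"
        set type cgn-resource-allocation
        set startip 10.10.10.1
        set endip 10.10.10.254
        set cgn-block-size 64
        set cgn-port-end 65529
    next
    edit "SPA-pool"
        set type cgn-resource-allocation
        set startip 10.11.11.1
        set endip 10.11.11.254
        set cgn-spa enable
    next
end
config firewall policy
    edit 100
        set name "Policy-using-SPA-pool"
        ...
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set ippool enable
        set poolname "SPA-pool"
    next
    edit 101
        set name "Policy-Using-PBA-pool-with-EIM"
        ...
        set service "ALL"
        set cgn-eim enable
        set nat enable
        set ippool enable
        set poolname "PBA-pool"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end blocks into
    {table name: {entry name: {key: [values]}}}. A stack tracks nesting."""
    tables = defaultdict(dict)
    stack = []  # each item: [table name, current entry name or None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.startswith("config "):
            stack.append([line[7:], None])
        elif line.startswith("edit "):
            entry = line[5:].strip().strip('"')
            stack[-1][1] = entry
            tables[stack[-1][0]].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            # values are "quoted strings" or bare tokens, possibly several
            values = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', rest)]
            table, entry = stack[-1]
            tables[table][entry][key] = values
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return tables


def leak_risk_policies(tables):
    """Ids of policies that enable cgn-eim on a PBA pool while some policy in
    the same export uses an SPA pool; an empty list means the combination of
    the three conditions is absent."""
    pools = tables.get("firewall ippool", {})
    policies = tables.get("firewall policy", {})
    cgn = {n for n, p in pools.items() if p.get("type") == ["cgn-resource-allocation"]}
    spa = {n for n in cgn if pools[n].get("cgn-spa") == ["enable"]}
    pba = cgn - spa  # assumption: a CGN pool without cgn-spa is a PBA pool

    def uses(policy, names):
        return policy.get("ippool") == ["enable"] and bool(set(policy.get("poolname", [])) & names)

    spa_in_use = any(uses(p, spa) for p in policies.values())
    eim_on_pba = [pid for pid, p in policies.items()
                  if p.get("cgn-eim") == ["enable"] and uses(p, pba)]
    return eim_on_pba if spa_in_use else []


if __name__ == "__main__":
    for pid in leak_risk_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {pid}: cgn-eim enabled on a PBA pool while an SPA pool is in use in this VDOM")
```

Either remediation from the article clears the finding: disabling cgn-eim on policy 101, or pointing policy 100 at a PBA pool so that no SPA pool remains in use.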