Nihas
New Contributor

Port Block Allocation Errors

Hi, I just want to know why I am getting the PBA exhaust alert every now and then. I have not configured PBA, and I am using one-to-one mapping NAT. Is this normal? Thanks
Nihas
3 Solutions
Adrian_Buckley_FTNT

Port exhaustion occurs when the FortiGate can't open a particular port for NAT.

When traffic passes through the FortiGate it has a source/destination port.

i.e.: 10.10.10.10:3345->192.168.1.5:80

When the FortiGate does NAT, that source port (3345) gets randomized so the new packet becomes (interface IP):(random port)->192.168.1.5:80

This is also how reply packets from different internal hosts are figured out (2 people going out will use the same source IP but use different source ports).

There are 65,000 ports per IP and the FortiGate reserves half for TCP and half for UDP.

If you use fixed port on your NAT policies, then the FortiGate won't be allowed to change the source port. So 2 packets with the same source port will cause this.

Some firmware versions have had bugs with this, so try looking at the release notes for new versions. I can't remember which versions were affected.

If the message is not in error, then you're hitting the transfer limits. Lowering session timers could help, or setting up multiple outbound IPs through an IP pool would be options.

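As an added illustration of the mechanics in Adrian's answer (source-port randomization, telling reply packets apart by the translated port, exhaustion of the per-IP port range, fixed-port collisions, and how an IP pool or shorter session timers relieve it), here is a toy source-NAT port allocator in Python. It is example code written for this page, not FortiGate code or anything posted in the thread. The pool addresses (203.0.113.x), the four-port range, the TTL values and the sample flows are assumptions chosen so the effects show up at small scale, and it simplifies by counting an external port as consumed once per pool IP regardless of destination.

```python
"""Toy source-NAT (NAPT) port allocator, added to illustrate the answer above; not FortiGate code.
Pool addresses, the tiny port range, the TTL and the sample flows are assumptions. Simplification
(assumed): an external port is consumed once per pool IP, whatever the destination."""
import random
from collections import defaultdict


class PortExhausted(Exception):
    pass


class SourceNat:
    def __init__(self, pool_ips, port_range=(1024, 65535), fixed_port=False, session_ttl=300):
        self.pool_ips, (self.port_lo, self.port_hi) = list(pool_ips), port_range
        self.fixed_port, self.ttl = fixed_port, session_ttl
        self.rng = random.Random(1)   # seeded so the demos are reproducible
        self.used = defaultdict(set)  # (proto, ext_ip) -> external ports in use
        self.by_inside = {}           # (proto, src_ip, src_port, dst_ip, dst_port) -> [ext_ip, ext_port, last_seen]
        self.by_outside = {}          # (proto, ext_ip, ext_port, server_ip, server_port) -> inside 5-tuple

    def _allocate(self, proto, src_port):
        """Walk the pool in order; a second pool IP is touched only once the first is full."""
        for ext_ip in self.pool_ips:
            used = self.used[(proto, ext_ip)]
            if self.fixed_port:
                # Source port must be preserved: one candidate per pool IP, so two hosts
                # sharing a source port need two pool IPs.
                free = [src_port] if src_port not in used else []
            else:
                free = [p for p in range(self.port_lo, self.port_hi + 1) if p not in used]
            if free:
                port = self.rng.choice(free)  # the randomized source port
                used.add(port)
                return ext_ip, port
        raise PortExhausted(f"no free {proto} port for inside source port {src_port}")

    def expire(self, now):
        """Drop idle sessions and hand their ports back; a shorter TTL frees ports sooner."""
        for inside, (ext_ip, ext_port, seen) in list(self.by_inside.items()):
            if now - seen > self.ttl:
                del self.by_inside[inside]
                del self.by_outside[(inside[0], ext_ip, ext_port, inside[3], inside[4])]
                self.used[(inside[0], ext_ip)].discard(ext_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Translate an outgoing packet; returns the (ext_ip, ext_port) it leaves with."""
        self.expire(now)
        inside = (proto, src_ip, src_port, dst_ip, dst_port)
        if inside not in self.by_inside:
            ext_ip, ext_port = self._allocate(proto, src_port)
            self.by_inside[inside] = [ext_ip, ext_port, now]
            self.by_outside[(proto, ext_ip, ext_port, dst_ip, dst_port)] = inside
        sess = self.by_inside[inside]
        sess[2] = now
        return sess[0], sess[1]

    def inbound(self, proto, server_ip, server_port, ext_ip, ext_port, now):
        """Reply to ext_ip:ext_port; only the translated port tells inside hosts apart.
        Returns (src_ip, src_port), or None when nothing matches (packet dropped)."""
        inside = self.by_outside.get((proto, ext_ip, ext_port, server_ip, server_port))
        if inside is None:
            return None
        self.by_inside[inside][2] = now
        return inside[1], inside[2]


def demo_reply_demux():
    """Two hosts both use source port 3345; each gets its own external port and replies find them."""
    nat = SourceNat(["203.0.113.1"], port_range=(40000, 40003))
    a = nat.outbound("tcp", "10.10.10.10", 3345, "192.168.1.5", 80, now=0)
    b = nat.outbound("tcp", "10.10.10.11", 3345, "192.168.1.5", 80, now=0)
    back_a = nat.inbound("tcp", "192.168.1.5", 80, a[0], a[1], now=1)
    back_b = nat.inbound("tcp", "192.168.1.5", 80, b[0], b[1], now=1)
    return a[1] != b[1], back_a, back_b


def demo_pool_and_timer(pool_size=1, ttl=60):
    """Open flows from distinct hosts until PortExhausted (each pool IP adds a full set of ports),
    then show the refused flow fits once the idle sessions have aged past the TTL.
    Returns (flows_before_exhaustion, ext_ip_used_after_expiry)."""
    nat = SourceNat([f"203.0.113.{i}" for i in range(1, pool_size + 1)],
                    port_range=(40000, 40003), session_ttl=ttl)
    opened = 0
    try:
        while True:
            nat.outbound("tcp", f"10.0.0.{opened + 1}", 50000, "192.168.1.5", 80, now=0)
            opened += 1
    except PortExhausted:
        pass
    return opened, nat.outbound("tcp", f"10.0.0.{opened + 1}", 50000, "192.168.1.5", 80, now=ttl + 1)[0]


def demo_fixed_port_collision():
    """Fixed port, one pool IP: a second host reusing source port 3345 is refused although nearly every port is free."""
    nat = SourceNat(["203.0.113.1"], fixed_port=True)
    nat.outbound("tcp", "10.10.10.10", 3345, "192.168.1.5", 80, now=0)
    try:
        nat.outbound("tcp", "10.10.10.11", 3345, "192.168.1.5", 80, now=0)
    except PortExhausted:
        return True
    return False
```

With four ports per pool IP, `demo_pool_and_timer()` admits 4 flows and `demo_pool_and_timer(pool_size=2)` admits 8, which is the IP-pool remedy; in both cases the refused flow succeeds once the others have been idle longer than the TTL, which is the session-timer remedy. `demo_fixed_port_collision()` refuses the second flow with 64,000-odd ports still free, which is why fixed port turns an ordinary reused source port into an exhaustion error.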

Adrian_Buckley_FTNT

Any time the FortiGate does a NAT operation (source IP, or destination IP) the traffic source port is randomized (by default), which means you can run into this. You can enable fixed port on the policy to prevent the randomization but obviously this is not recommended since 99% of software won't care or notice. The Fixed port setting can be the cause of this message as well so if you have it enabled, turn it off.

Reducing session timers can also help since it will clear out sessions faster.

I'd also suggest upgrading to a newer 5.0 patch. I do recall there was a bug in the FortiGate firmware about NAT port exhaustion not that long ago, but I don't remember exactly which versions were affected.

Failing that, if this behavior is not the cause of a bug or setting, then it means you need more IPs to NAT traffic onto.

ede_pfau
Esteemed Contributor III

For port exhaustion to happen even with just 1 public address you would need more than 64000 sessions alive at that time. I doubt that this is the case.

Nihas, can you tell how many sessions you see at maximum? Does it come close to >50K?

If not, I bet this error is not really caused by the circumstances but rather by a bug in v5.0.5. I recommend updating to 5.0.9 soon to see if this has an influence.


Ede

"Kernel panic: Aiee, killing interrupt handler!"


Nihas
New Contributor

Yes Ede, I don't have much utilization.

Maximum is around 20K.

Yeah, I will consider doing an upgrade.

Thanks so much for the inputs.

Nihas