Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- NAT port is exhausted
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NAT port is exhausted
I keep getting ff. error in my event log every few seconds. The router seems to work fine otherwise. How do i trace the source of the problem and block it? Help is very much appreciated. Will this error have effect on performance in future, will the speed degrade? Number of devices is about
there are no more than 10,000 sessions at a time, number of devices about 70. notice it gives same error even when connection drop to 5000-6000 and about 50 devices. the firmware is 4.0 mr2 patch 1 the model of router is 300A
there was only 1 WAN interface being used the other 3 WAN interface was idle
for the active interface there are 8 Policy rules with per ip shaping rules applied
Any ideas, i checked for other similar case but have seen none
Level critical
Sub Type system
ID 20007
Status failure
Service kernel
Message NAT port is exhausted.
I Live to Solve
I Live to Solve
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a local DNS-server server maybe?
As far as monitoring, I use a mix of cacti/nagios3 and sometime the opsview ( which is really nagios). Rare, but some times OpenNMS or Solarwinds. All has it pros and cons, but cacti is well documented for being opensource, easy to setup on debian/ubuntu and pretty much reliable.
Only the fortigate mibs could be different so some cacti templates will have to be re-worked for querying.
YMMV but the experience overall is good with cacti/nagios3. On OpenDNS, have you tried GooglePUBLIC DNS?
Also do you have ipv6 enabled anywhere? The reason I' m mentioning this, I just ran into problems Google/Yahoo, these providers are IPv6 enabled, and DNS queries for any record , returns both the AAA and A resource-types. So some clients where querying and getting AAAA response and then their ipv6 was blackholed. So the client' s kept sending request and where in a big loop. Youtube was mainly effected btw.
It was easy to spot by the number of DNS related sessions in the table.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont just a windows server on the internal interface doubling as DNS which was set as the secondary DNS for DHCP clients
So you are saying that i have incorrectly configured clients on IPv6 they query opendns it returns AAA record then it blackholes then retransmit?
So when i switched back to the ISP DNS it is IPV4 so everything goes back to normal?
Ill check the DNS entries next time, just didnt know where to look initially
but would be nice if i have a way to output the get system session list entirely into excel for analysis :)
I Live to Solve
I Live to Solve
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you are saying that i have incorrectly configured clients on IPv6 they query opendns it returns AAA record then it blackholes then retransmit? So when i switched back to the ISP DNS it is IPV4 so everything goes back to normal?No, that' s not what implying, but you check for ipv6 protocols and rule it out of hthe equation. In might case we had a lot of traffic blacked hole due to a ipv6 rt-adv and the clients trying to connect via ipv6 , when the fortigate where not attached to a ipv6 backbone. ( do a search on disable ipv6 firefox to get a better understanding on web clients & ipv6 ) In our web traffic being blocked due to ipv6 it was mainly with firefox and any sites that where dualstacked & if the client had a ipv6+ipv4 enabled nic(s). Back to the dns-server question; we dropped a ton DNS request from our lan by installing a cache-only web server, and installing that into our DHCP_clients. If I had to guess, we seen anywhere from 12-20% of the on going sessions drop for DNS , due to the caching of the same nslookup . Did you rule out any TS that are applied to any policies? I still think that might be a issue and the age of your code. I' m guessing you do have access to upgrade the firewall?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,697 -
FortiClient
1,763 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
432 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
209 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.