Port Block Allocation Errors
Port exhaustion occurs when the FortiGate can't open a particular port for NAT.
When traffic passes through the FortiGate it has a source/destination port.
e.g.: 10.10.10.10:3345->192.168.1.5:80
When the FortiGate does NAT, that source port (3345) gets randomized so the new packet becomes (interface IP):(random port)->192.168.1.5:80
This is also how reply packets from different internal hosts are figured out (2 people going out will use the same source IP but use different source ports).
There are 65,000 ports per IP and the FortiGate reserves half for TCP and half for UDP.
If you use fixed port on your NAT policies, then the FortiGate won't be allowed to change the source port. So 2 packets with the same source port will cause this.
Some firmware versions have had bugs with this, so try looking at the release notes for new versions. I can't remember which versions were affected.
If the message is not in error, then you're hitting the transfer limits. Lowering session timers could help, or setting up multiple outbound IPs through an IP pool would be options.
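As an added illustration (example code written for this page, not from the original posts and not FortiGate's implementation), the following small Python model of a source-NAT port allocator walks through the three situations described above: random source-port rewriting, exhaustion when one outbound IP runs out of ports (with expiring sessions handing ports back), and collisions when "fixed port" forbids rewriting, which a second IP-pool address absorbs. The port range 1024-65535, the separate TCP and UDP port spaces per outbound IP, and the pool-walking behaviour are assumptions of the model, not FortiGate's exact algorithm.

```python
import random


class PortExhausted(Exception):
    """No free translated port is left on any pool IP for this protocol."""


class FixedPortCollision(Exception):
    """fixed-port mode: the original source port is in use on every pool IP."""


class PatAllocator:
    """Toy source-NAT (PAT) allocator with one port space per (outbound IP, protocol).

    Assumption of this model: a translated port is unique per (IP, proto, port);
    the port range and pool-walking order are constructed, not FortiGate's."""

    def __init__(self, pool_ips, port_range=range(1024, 65536), fixed_port=False, seed=0):
        self.pool_ips = list(pool_ips)
        self.fixed_port = fixed_port
        self.rng = random.Random(seed)  # seeded only so runs are reproducible
        # free ports per (ip, proto): a list plus a position index so that a
        # random pick and a release are both O(1) (swap-remove)
        self._free = {}
        self._free_index = {}
        for ip in self.pool_ips:
            for proto in ("tcp", "udp"):
                ports = list(port_range)
                self._free[(ip, proto)] = ports
                self._free_index[(ip, proto)] = {p: i for i, p in enumerate(ports)}
        self.table = {}  # (nat_ip, proto, nat_port) -> original flow tuple

    def _take(self, ip, proto, port=None):
        """Remove and return a free port on (ip, proto): a random one, or `port` if given."""
        free = self._free[(ip, proto)]
        index = self._free_index[(ip, proto)]
        if not free:
            return None
        if port is None:
            port = free[self.rng.randrange(len(free))]
        elif port not in index:
            return None  # fixed port wanted but already in use (or out of range)
        i = index.pop(port)
        last = free.pop()
        if i < len(free):  # move the last element into the hole left by `port`
            free[i] = last
            index[last] = i
        return port

    def free_ports(self, proto):
        """Total translated ports still available for `proto` across the pool."""
        return sum(len(self._free[(ip, proto)]) for ip in self.pool_ips)

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return (nat_ip, nat_port) for a new session, walking the pool in order."""
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        want = src_port if self.fixed_port else None  # fixed port: no rewriting allowed
        for ip in self.pool_ips:
            port = self._take(ip, proto, want)
            if port is not None:
                self.table[(ip, proto, port)] = flow
                return ip, port
        raise (FixedPortCollision if self.fixed_port else PortExhausted)(flow)

    def release(self, nat_ip, proto, nat_port):
        """Session expired (e.g. a shorter session timer fired): free the port."""
        self.table.pop((nat_ip, proto, nat_port))
        free = self._free[(nat_ip, proto)]
        self._free_index[(nat_ip, proto)][nat_port] = len(free)
        free.append(nat_port)


def demo():
    """Reproduce the post's three situations on a deliberately tiny port range."""
    out = {}
    # 1. Default: the source port is rewritten, so two hosts reusing 3345 don't clash.
    nat = PatAllocator(["203.0.113.1"], port_range=range(1024, 1032))  # 8 ports/proto
    a = nat.translate("tcp", "10.10.10.10", 3345, "192.168.1.5", 80)
    b = nat.translate("tcp", "10.10.10.11", 3345, "192.168.1.5", 80)
    out["distinct_nat_ports"] = a[1] != b[1]
    # 2. Exhaustion: 2 of 8 TCP ports are used, 6 more sessions fit, the 9th fails.
    for i in range(6):
        nat.translate("tcp", "10.10.10.12", 40000 + i, "192.168.1.5", 80)
    try:
        nat.translate("tcp", "10.10.10.12", 50000, "192.168.1.5", 80)
        out["exhausted"] = False
    except PortExhausted:
        out["exhausted"] = True
    out["udp_still_free"] = nat.free_ports("udp")  # UDP has its own space
    nat.release(a[0], "tcp", a[1])  # an expiring session hands its port back
    out["free_after_release"] = nat.free_ports("tcp")
    # 3. Fixed port: a second host with source port 3345 collides on a single IP...
    fixed = PatAllocator(["203.0.113.1"], fixed_port=True)
    fixed.translate("tcp", "10.10.10.10", 3345, "192.168.1.5", 80)
    try:
        fixed.translate("tcp", "10.10.10.11", 3345, "192.168.1.5", 80)
        out["fixed_collision"] = False
    except FixedPortCollision:
        out["fixed_collision"] = True
    # ... but an IP pool with a second address absorbs it.
    pooled = PatAllocator(["203.0.113.1", "203.0.113.2"], fixed_port=True)
    first = pooled.translate("tcp", "10.10.10.10", 3345, "192.168.1.5", 80)
    second = pooled.translate("tcp", "10.10.10.11", 3345, "192.168.1.5", 80)
    out["pooled_ips"] = (first, second)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tiny 8-port range in `demo()` exists only to make exhaustion visible in a few lines; with the default range the same allocator needs 64,512 concurrent sessions per protocol on one IP before it fails, which is why the replies below suggest checking the live session count before blaming the address space.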
Any time the FortiGate does a NAT operation (source IP, or destination IP) the traffic source port is randomized (by default), which means you can run into this. You can enable fixed port on the policy to prevent the randomization but obviously this is not recommended since 99% of software won't care or notice. The fixed port setting can be the cause of this message as well, so if you have it enabled, turn it off.
Reducing session timers can also help since it will clear out sessions faster.
I'd also suggest upgrading to a newer 5.0 patch. I do recall there was a bug in the FortiGate firmware about NAT port exhaustion not that long ago, but I don't remember exactly which versions were affected.
Failing that, if this behavior is not the cause of a bug or setting, then it means you need more IPs to NAT traffic onto.
For port exhaustion to happen even with just 1 public address you would need more than 64,000 sessions alive at that time. I doubt that this is the case.
Nihas, can you tell how many sessions you see at maximum? Does it come close to >50K?
If not, I bet this error is not really caused by the circumstances but rather by a bug in v5.0.5. I recommend updating to 5.0.9 soon to see if this has an influence.
Hello Dave,
No, we are simply using one-to-one NAT, and NAT central table is not enabled.
Thanks Adrian for the excellent explanation.
So does the port block or reservation happen in one-to-one NAT also?
The box is running on 5.0.5.