Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Port Block Allocation Errors
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Port Block Allocation Errors
Hi,
I just want to know why I am getting the PBA -exhaust -alert every now and then.
I have not configured PBA, and I am using One to One mapping NAT.
Is this normal?
thanks
Nihas [\b]
Solved! Go to Solution.
Nihas [\b]
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Port exaustion occurs when the FortiGate can't open a particular port, for NAT.
When traffic passes through the FortiGate it has a source/destination port.
IE: 10.10.10.10:3345->192.168.1.5:80
When the FortiGate does NAT, that source port (3345) gets randomized so the new packet becomes (interface IP):(random port)->192.168.1.5:80
This is also how a reply packets from different internal hosts are figured out(2 people going out will use the same source IP but use different source ports).
There are 65,000 ports per IP and the FortiGate reserves half for TCP and half for UDP.
If you use fixed port on your NAT policies and then the FortiGate won't be allowed to change the source port. So 2 packets with the same source port will cause this.
Some firmware versions have had bugs with this, so try looking at the release notes for new versions. I can't remember which versions were effected.
If the message is not in error, then you're hitting the transfer limits. Lowering session timers could help, or setting up multiple outbound IPs through an IP pool would be options.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any time the FortiGate does a NAT operation (source IP, or destination IP) the traffic source port is randomized (by default), which means you can run into this. You can enable fixed port on the policy to prevent the randomization but obviously this is not recommended since 99% of software won't care or notice. The Fixed port setting can be the cause of this message as well so if you have it enabled, turn it off.
Reducing session timers can also help since it will clear out sessions faster.
I'd also suggest upgrading to a newer 5.0 patch. I do recall there was a bug in the FortiGate firmware about nat port exhaustion not that long ago, but i don't remember exactly which versions were effected.
Failing that, if this behavior is not the cause of a bug or setting, then it means you need more IPs to nat traffic onto.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For port exhaustion to happen even with just 1 public address you would need more than 64000 sessions alive at that time. I doubt that this is the case.
Nihas, can you tell how many sessions you see at maximum? Does it come close to >50K?
If not I bet this error is not really caused by the circumstances but rather by a bug in v5.0.5. I recommend to update to 5.0.9 soon to see if this has an influence.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' d be more concerned by " session clash" messages...no, this is not normal. Given that the FG310B is not a paper tiger running out of ressources easily, there' s something wrong with the setup.
It might have to do with the cluster setup - did you check that it' s fully sync' ed? (diag ha csum or the like).
Which version of FortiOS?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Ede,
Sorry for the late reply.
Yea, We were using a HA Cluster and everything was fine except data traffic speed between IPSec tunnels networks.
Means, if I want to copy a 20MB file from other location, it started taking a lot of time and traffic rate was like below 20 KB/s.
And unfortunately we didn' t find any issues with the HA configuration ( Like checksum was same in 2 boxes, and failover was working ) .
So we end up with the troubleshooting by cursing the switch we used to setup Cluster. :)
It was a cisco SMB SG300 switch and we have created 4 VLANs ( 3 for ISP' s and 1 for LAN)
So the Cluster has only one box now.
I can give you more details if you want to verify.
Nihas [\b]
Nihas [\b]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you say that the switch slowed down your VPNs to 20 KBps?? How that?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ede,
Frankly , we didn' t find the root case actually.
Sorry to say ,We were assuming that it might be something related with the Switch.
And we are planning to put a switch for the Cluster to isolate the issue, I can involve you while doing that, but date is not yet confirmed.
Btw, Can you guide me, is that a best practise to use a single switch to do the HA.
I have 3 ISP and 1 Internal network .
Thank you very much for all your help.
Best ,
Nihas
Nihas [\b]
Nihas [\b]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, best practice is not to have a single point of failure.
If your single switch (VLAN segmented) is a Nexus with dual PSU I' d say you can risk it.
For lower budgets I have used single desktop switches with 8 ports for each port in use (fgt1, fgt2, network, test) like Netgear Smart Switch GS-108Tv2. They have nice features like VLAN, LACP, a WebGUI etc. I have yet to see one fail in a couple of years now.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just curious to know if there is a duplex/speed mismatch somewhere or central NAT has been enabled?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello Dave,
No, we are simply using one to one Nat , and nat central table is not enabled.
Nihas [\b]
Nihas [\b]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Port exaustion occurs when the FortiGate can't open a particular port, for NAT.
When traffic passes through the FortiGate it has a source/destination port.
IE: 10.10.10.10:3345->192.168.1.5:80
When the FortiGate does NAT, that source port (3345) gets randomized so the new packet becomes (interface IP):(random port)->192.168.1.5:80
This is also how a reply packets from different internal hosts are figured out(2 people going out will use the same source IP but use different source ports).
There are 65,000 ports per IP and the FortiGate reserves half for TCP and half for UDP.
If you use fixed port on your NAT policies and then the FortiGate won't be allowed to change the source port. So 2 packets with the same source port will cause this.
Some firmware versions have had bugs with this, so try looking at the release notes for new versions. I can't remember which versions were effected.
If the message is not in error, then you're hitting the transfer limits. Lowering session timers could help, or setting up multiple outbound IPs through an IP pool would be options.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Adrian for the excellent explanation.
So Is the port block Or reservation happens in One to One NAT also?
The box is running on 5.0.5.
Nihas [\b]
Nihas [\b]
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,693 -
FortiClient
1,762 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.