Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Port exaustion occurs when the FortiGate can't open a particular port, for NAT.
When traffic passes through the FortiGate it has a source/destination port.
IE: 10.10.10.10:3345->192.168.1.5:80
When the FortiGate does NAT, that source port (3345) gets randomized so the new packet becomes (interface IP):(random port)->192.168.1.5:80
This is also how a reply packets from different internal hosts are figured out(2 people going out will use the same source IP but use different source ports).
There are 65,000 ports per IP and the FortiGate reserves half for TCP and half for UDP.
If you use fixed port on your NAT policies and then the FortiGate won't be allowed to change the source port. So 2 packets with the same source port will cause this.
Some firmware versions have had bugs with this, so try looking at the release notes for new versions. I can't remember which versions were effected.
If the message is not in error, then you're hitting the transfer limits. Lowering session timers could help, or setting up multiple outbound IPs through an IP pool would be options.
Any time the FortiGate does a NAT operation (source IP, or destination IP) the traffic source port is randomized (by default), which means you can run into this. You can enable fixed port on the policy to prevent the randomization but obviously this is not recommended since 99% of software won't care or notice. The Fixed port setting can be the cause of this message as well so if you have it enabled, turn it off.
Reducing session timers can also help since it will clear out sessions faster.
I'd also suggest upgrading to a newer 5.0 patch. I do recall there was a bug in the FortiGate firmware about nat port exhaustion not that long ago, but i don't remember exactly which versions were effected.
Failing that, if this behavior is not the cause of a bug or setting, then it means you need more IPs to nat traffic onto.
For port exhaustion to happen even with just 1 public address you would need more than 64000 sessions alive at that time. I doubt that this is the case.
Nihas, can you tell how many sessions you see at maximum? Does it come close to >50K?
If not I bet this error is not really caused by the circumstances but rather by a bug in v5.0.5. I recommend to update to 5.0.9 soon to see if this has an influence.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
hello Dave,
No, we are simply using one to one Nat , and nat central table is not enabled.
Port exaustion occurs when the FortiGate can't open a particular port, for NAT.
When traffic passes through the FortiGate it has a source/destination port.
IE: 10.10.10.10:3345->192.168.1.5:80
When the FortiGate does NAT, that source port (3345) gets randomized so the new packet becomes (interface IP):(random port)->192.168.1.5:80
This is also how a reply packets from different internal hosts are figured out(2 people going out will use the same source IP but use different source ports).
There are 65,000 ports per IP and the FortiGate reserves half for TCP and half for UDP.
If you use fixed port on your NAT policies and then the FortiGate won't be allowed to change the source port. So 2 packets with the same source port will cause this.
Some firmware versions have had bugs with this, so try looking at the release notes for new versions. I can't remember which versions were effected.
If the message is not in error, then you're hitting the transfer limits. Lowering session timers could help, or setting up multiple outbound IPs through an IP pool would be options.
Thanks Adrian for the excellent explanation.
So Is the port block Or reservation happens in One to One NAT also?
The box is running on 5.0.5.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1645 | |
1070 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.