Any time the FortiGate does a NAT operation (source IP, or destination IP) the traffic source port is randomized (by default), which means you can run into this. You can enable fixed port on the policy to prevent the randomization but obviously this is not recommended since 99% of software won't care or notice. The Fixed port setting can be the cause of this message as well so if you have it enabled, turn it off.
Reducing session timers can also help since it will clear out sessions faster.
I'd also suggest upgrading to a newer 5.0 patch. I do recall there was a bug in the FortiGate firmware about NAT port exhaustion not that long ago, but I don't remember exactly which versions were affected.
Failing that, if this behavior is not the cause of a bug or setting, then it means you need more IPs to NAT traffic onto.
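As an added illustration (not from this thread and not Fortinet's code), a toy Python model of the NAT port pool the answer above describes: translated ports are only returned when a session times out, so a shorter session timer or more NAT IPs reduces the number of new sessions that find no free port, while the fixed-port setting makes clients that share a source port collide on the same translation. The 64512-port pool per NAT IP, the IP names, rates and timeouts are all assumptions.

```python
"""Toy model of source-NAT port allocation on a firewall (constructed example)."""
from collections import deque

EPHEMERAL_PORTS = range(1024, 65536)   # assumption: ~64.5k usable NAT ports per NAT IP


class NatPortPool:
    """Tracks which (nat_ip, port) pairs are in use and frees them when a session times out."""

    def __init__(self, nat_ips, session_timeout, fixed_port=False):
        self.free = {ip: set(EPHEMERAL_PORTS) for ip in nat_ips}
        self.timeout = session_timeout
        self.fixed_port = fixed_port
        self.expiring = deque()          # (expiry_time, nat_ip, port), oldest first
        self.failures = 0                # new sessions that could not get a translation

    def _expire(self, now):
        # Every session has the same timeout, so entries expire in creation order
        # and only the head of the queue needs checking.
        while self.expiring and self.expiring[0][0] <= now:
            _, ip, port = self.expiring.popleft()
            self.free[ip].add(port)

    def open_session(self, now, client_port):
        """Return (nat_ip, nat_port) for a new session, or None if no port is available."""
        self._expire(now)
        for ip, ports in self.free.items():
            if self.fixed_port:
                # Fixed port: the NAT port must equal the client's source port, so two
                # clients using the same source port clash while one of them holds it.
                if client_port not in ports:
                    continue
                ports.remove(client_port)
                chosen = client_port
            else:
                if not ports:
                    continue
                chosen = ports.pop()     # any free port from the pool
            self.expiring.append((now + self.timeout, ip, chosen))
            return ip, chosen
        self.failures += 1
        return None


def simulate(new_sessions_per_sec, duration, session_timeout, nat_ips,
             fixed_port=False, client_port_span=64512):
    """Drive the pool at a steady session rate; clients cycle through client_port_span source ports."""
    pool = NatPortPool(nat_ips, session_timeout, fixed_port)
    n = 0
    for now in range(duration):
        for _ in range(new_sessions_per_sec):
            pool.open_session(now, 1024 + n % client_port_span)
            n += 1
    return pool.failures
```

With 1000 new sessions per second and a 300 s timeout, a single NAT IP runs out of ports after about 65 seconds, while a 30 s timeout or a second NAT IP keeps the same load within the pool.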
I'd be more concerned by "session clash" messages... no, this is not normal. Given that the FG310B is not a paper tiger running out of resources easily, there's something wrong with the setup.
It might have to do with the cluster setup - did you check that it's fully synced? (diag ha csum or the like).
Which version of FortiOS?
Sorry for the late reply.
Yeah, we were using an HA cluster and everything was fine except the data traffic speed between the IPSec tunnel networks.
Meaning, if I wanted to copy a 20 MB file from another location, it took a lot of time and the traffic rate was below 20 KB/s.
And unfortunately we didn't find any issues with the HA configuration (the checksums were the same on both boxes, and failover was working).
So we ended up the troubleshooting by cursing the switch we used to set up the cluster. :)
It was a Cisco SMB SG300 switch and we had created 4 VLANs (3 for the ISPs and 1 for the LAN).
So the cluster has only one box now.
I can give you more details if you want to verify.
Frankly, we didn't find the root cause actually.
Sorry to say, we were assuming that it might be something related to the switch.
And we are planning to put in a switch for the cluster to isolate the issue. I can involve you while doing that, but the date is not yet confirmed.
Btw, can you guide me: is it best practice to use a single switch to do the HA?
I have 3 ISPs and 1 internal network.
Thank you very much for all your help.
Well, best practice is not to have a single point of failure.
If your single switch (VLAN segmented) is a Nexus with dual PSU I'd say you can risk it.
For lower budgets I have used single desktop switches with 8 ports for each port in use (fgt1, fgt2, network, test) like Netgear Smart Switch GS-108Tv2. They have nice features like VLAN, LACP, a WebGUI etc. I have yet to see one fail in a couple of years now.