FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rvoong
Staff

Description

The event log shows:

date=2015-03-25 time=11:20:59 logid=0100020085 type=event subtype=system level=information vd="To_Internet" logdesc="session clash" status="clash" proto=41 msg="session clash" new_status="state=00030200 tuple-num=2 policyid=169 dir=0 act=1 hook=4 10.10.57.195:0->172.16.56.75:0(112.0.79.110:0) dir=1 act=2 hook=0 172.16.56.75:0->112.0.79.110:0(10.10.57.195:0)" old_status="state=00010200 tuple-num=2 policyid=169 dir=0 act=1 hook=4 10.10.25.5:0->172.16.56.75:0(112.0.79.110:0) dir=1 act=2 hook=0 172.16.56.75:0->112.0.79.110:0(10.10.25.5:0)"

In this case the session uses proto=41, and all source, destination and NAT ports are unused (port 0): [10.10.57.195:0->172.16.56.75:0(112.0.79.110:0)]. With no port to vary, each NAT IP in the pool can carry only one such session at a time to the same destination. With a Class C sized IP pool (254 usable addresses), that means at most 254 concurrent Protocol 41 sessions; any further session is assigned a NAT tuple that is already in use, which is what the "session clash" event records.
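As an added example (not Fortinet's code), the following Python parses the session-clash event above, shows that the new and old sessions collide on the same post-NAT tuple (NAT IP, port 0, destination), and computes the session ceiling an IP pool gives a port-less protocol; the set of port-less protocols and the pool addresses are assumed values.

```python
import re
from ipaddress import ip_address

# Constructed sample: the session-clash event quoted in the article, split for readability.
SAMPLE_LOG = (
    'date=2015-03-25 time=11:20:59 logid=0100020085 type=event subtype=system '
    'level=information vd="To_Internet" logdesc="session clash" status="clash" '
    'proto=41 msg="session clash" '
    'new_status="state=00030200 tuple-num=2 policyid=169 dir=0 act=1 hook=4 '
    '10.10.57.195:0->172.16.56.75:0(112.0.79.110:0) dir=1 act=2 hook=0 '
    '172.16.56.75:0->112.0.79.110:0(10.10.57.195:0)" '
    'old_status="state=00010200 tuple-num=2 policyid=169 dir=0 act=1 hook=4 '
    '10.10.25.5:0->172.16.56.75:0(112.0.79.110:0) dir=1 act=2 hook=0 '
    '172.16.56.75:0->112.0.79.110:0(10.10.25.5:0)"'
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value with spaces"
IP = r'(\d{1,3}(?:\.\d{1,3}){3}):(\d+)'
TUPLE_RE = re.compile(rf'{IP}->{IP}\({IP}\)')        # src:port->dst:port(nat_ip:nat_port)
# Protocols with no L4 port field for the NAT to vary (assumed set; 41 is the one in the article).
PORTLESS_PROTOS = {41, 47, 50}

def parse_fortigate_log(line):
    """Split a FortiOS key=value log line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def nat_key(proto, status):
    """Post-NAT tuple (proto, nat_ip, nat_port, dst_ip, dst_port) of the dir=0 entry in a status string."""
    src, sport, dst, dport, nat_ip, nat_port = TUPLE_RE.findall(status)[0]
    return (int(proto), nat_ip, int(nat_port), dst, int(dport))

def analyze_clash(line):
    """Return the colliding post-NAT tuple and both original sources, or None for other events."""
    f = parse_fortigate_log(line)
    if f.get("logdesc") != "session clash":
        return None
    new_key, old_key = nat_key(f["proto"], f["new_status"]), nat_key(f["proto"], f["old_status"])
    return {
        "proto": int(f["proto"]),
        "same_nat_tuple": new_key == old_key,   # True: the new session got no distinct NAT tuple
        "nat_key": new_key,
        "new_src": TUPLE_RE.findall(f["new_status"])[0][0],
        "old_src": TUPLE_RE.findall(f["old_status"])[0][0],
    }

def max_concurrent_sessions(pool_start, pool_end, proto, nat_ports_per_ip):
    """Upper bound on concurrent sessions to one destination through an IP pool:
    one per NAT IP for port-less protocols, one per NAT IP and port otherwise."""
    pool_size = int(ip_address(pool_end)) - int(ip_address(pool_start)) + 1
    return pool_size * (1 if proto in PORTLESS_PROTOS else nat_ports_per_ip)
```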


Solution

Increasing the IP pool size (more NAT addresses available to the policy) will resolve the issue.

Related Articles

Technical Note: Source NAT port range has been changed on FortiOS firmware versions 4.2.9 and 4.3.2 ...