https://community.cisco.com/t5/network-security/asa-3-202010-pat-pool-exhausted/m-p/3046017#M146709 <P>It could be a lot of things really. &nbsp;How big is your PAT pool? how many users do you have in your network.</P> <P>I could very well be that your PAT pool actually was exhausted and that the timeout was reached (default of 3 hours) and when they started to clear users got access again.</P> <P>Another possiblility is that this is a bug (<SPAN>CSCux82835) or possibly this bug (CSCuh43139) though the bug I found lists 9.5 and 9.1 as an affected versions, but shouldn't count it out that 9.4(3) is affected also.</SPAN></P> <P><SPAN>issue the show nat pool and show nat detail command to see more info on how much is being used of your PAT pool.</SPAN></P> <P><SPAN>--</SPAN></P> <P><SPAN>Please remember to select a correct answer and rate helpful posts</SPAN></P> <P></P> Wed, 08 Feb 2017 18:56:40 GMT Marius Gunnerud 2017-02-08T18:56:40Z https://community.cisco.com/t5/network-security/asa-3-202010-pat-pool-exhausted/m-p/3046016#M146708 <P>Hi, I am just looking for an explanation to this error message. I have a HA pair of 5525's that went nuts yesterday and this error showed up over a million times in about 20 minutes. &nbsp;It then started working again with no intervention from me, and I hear, no changes from anyone else on any other system. &nbsp;I have never seen this issue before. &nbsp;We are running code v9.4(3)8. &nbsp;It was my PAT for all outbound internet users. &nbsp;Any assistance of info sharing on what this actually is would be great. &nbsp;</P> <P></P> <P>Thanks</P> Tue, 12 Mar 2019 08:54:09 GMT https://community.cisco.com/t5/network-security/asa-3-202010-pat-pool-exhausted/m-p/3046016#M146708 chuckholley 2019-03-12T08:54:09Z https://community.cisco.com/t5/network-security/asa-3-202010-pat-pool-exhausted/m-p/3046017#M146709 <P>It could be a lot of things really. &nbsp;How big is your PAT pool? how many users do you have in your network.</P> <P>I could very well be that your PAT pool actually was exhausted and that the timeout was reached (default of 3 hours) and when they started to clear users got access again.</P> <P>Another possiblility is that this is a bug (<SPAN>CSCux82835) or possibly this bug (CSCuh43139) though the bug I found lists 9.5 and 9.1 as an affected versions, but shouldn't count it out that 9.4(3) is affected also.</SPAN></P> <P><SPAN>issue the show nat pool and show nat detail command to see more info on how much is being used of your PAT pool.</SPAN></P> <P><SPAN>--</SPAN></P> <P><SPAN>Please remember to select a correct answer and rate helpful posts</SPAN></P> <P></P> Wed, 08 Feb 2017 18:56:40 GMT https://community.cisco.com/t5/network-security/asa-3-202010-pat-pool-exhausted/m-p/3046017#M146709 Marius Gunnerud 2017-02-08T18:56:40Z https://community.cisco.com/t5/network-security/asa-3-202010-pat-pool-exhausted/m-p/3046018#M146713 <P><SPAN style="font-size: 13.3333px;">This theoretically&nbsp;means that the source ip address was not translated because there were no more ports available for the PAT ip address and all were used already.&nbsp;</SPAN></P> <P><SPAN style="font-size: 10pt;">The first thing is to identify if the issue actually happened or the log was just cosmetic. Since its related to global PAT, if there were users complaining about no internet, then the issue happened. And to validate that, <STRONG>show nat pool</STRONG> and <STRONG>show nat detail</STRONG> commands will help:</SPAN></P> <P></P> <P><SPAN style="font-size: 10pt;">http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html</SPAN></P> <P></P> <P><SPAN style="font-size: 10pt;">If you have that info and other syslogs surrounding that incident, we can find more info to dig into it. There are few bugs associated to it and also few NAT tweaks to make PAT work more efficiently:</SPAN></P> <P></P> <P><SPAN style="font-size: 10pt;">http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html</SPAN></P> <P></P> <P><SPAN style="font-size: 10pt;">There are some options extensions for NAT like 'flat' and 'extended' that might do the trick for you. It would be also advisable to understand how ASA allocates the source ports mapping from the PAT address.</SPAN></P> <P></P> <P><SPAN style="font-size: 10pt;">HTH</SPAN></P> <P><SPAN style="font-size: 10pt;">-AJ</SPAN></P> Wed, 08 Feb 2017 19:33:51 GMT https://community.cisco.com/t5/network-security/asa-3-202010-pat-pool-exhausted/m-p/3046018#M146713 Ajay Saini 2017-02-08T19:33:51Z