topic Re: Error Message 305006 in Network Security

Error Message 305006

ksarin123_2 — Mon, 11 Mar 2019 18:51:09 GMT

Hello All -

I am receiving the following error message in my ASA firewall at a pretty rapid rate. The error below just references one host inside. The same message is being received for several other inside hosts.

10-06-2010 12:15:48 Local4.Error 192.168.1.18 Oct 06 2010 12:15:53 AEMFWP1 : %ASA-3-305006: regular translation creation failed for icmp src inside:100.78.20.6 dst OUTSIDE:207.250.33.4 (type 0, code 0)

Cisco documentation states that this message is generated when icmp requests other than echo & echo-reply fail to get PAT'd and added to the xlate table on the firewall.

So my question is, is there a way to stop these messages from being generated? I don't have direct access to the machines in our network that are referenced in the error message above.

There are no static entries in our firewall for the IP's in question.

Any help would be appreciated!!

Re: Error Message 305006

mirober2 — Wed, 06 Oct 2010 20:16:31 GMT

Hello,

Can you post your NAT configuration? That would help us identify why the xlate creation is failing.

-Mike

Re: Error Message 305006

ksarin123_2 — Wed, 06 Oct 2010 20:23:18 GMT

Here it is -

nat (inside) 1 access-list pat
nat (DMZ) 1 access-list pat_dmz

access-list pat extended permit ip 192.168.254.0 255.255.255.0 any
access-list pat extended permit ip 192.168.248.0 255.255.254.0 any
access-list pat extended permit ip 198.199.241.64 255.255.255.224 any
access-list pat extended permit ip 198.199.241.96 255.255.255.224 any
access-list pat extended permit ip 172.16.3.0 255.255.255.0 any
access-list pat extended permit ip 172.16.4.0 255.255.255.0 any
access-list pat extended permit ip 172.16.5.0 255.255.255.0 any
access-list pat extended permit ip 172.16.27.0 255.255.255.0 any
access-list pat extended permit ip 172.16.30.0 255.255.255.0 any
access-list pat extended permit ip 172.16.31.0 255.255.255.0 any
access-list pat extended permit ip 172.16.34.0 255.255.255.0 any
access-list pat extended permit ip 172.16.37.0 255.255.255.0 any
access-list pat extended permit ip 172.16.39.0 255.255.255.0 any
access-list pat extended permit ip 172.16.40.0 255.255.255.0 any
access-list pat extended permit ip 172.16.75.0 255.255.255.0 any
access-list pat extended permit ip 172.16.230.0 255.255.255.0 any
access-list pat extended permit ip 172.16.108.0 255.255.252.0 any
access-list pat extended permit ip 172.16.107.0 255.255.255.0 any
access-list pat extended permit ip host 192.168.1.20 any
access-list pat extended permit ip 100.37.0.0 255.255.0.0 any
access-list pat extended permit ip 100.34.0.0 255.255.0.0 any
access-list pat extended permit ip 100.66.0.0 255.255.0.0 any
access-list pat extended permit ip 192.168.249.0 255.255.255.0 any
access-list pat extended permit ip 192.168.250.0 255.255.255.0 any
access-list pat extended permit ip 100.78.0.0 255.255.0.0 any
access-list pat extended permit ip 100.104.0.0 255.255.0.0 any
access-list pat extended permit ip 100.42.0.0 255.255.0.0 any
access-list pat extended permit ip 100.16.0.0 255.255.0.0 any
access-list pat extended permit ip 100.60.0.0 255.255.0.0 any
access-list pat extended permit ip 100.8.0.0 255.255.0.0 any
access-list pat extended permit ip 100.47.0.0 255.255.0.0 any
access-list pat extended permit ip 10.10.14.0 255.255.255.0 any
access-list pat extended permit ip 172.17.15.0 255.255.255.128 any
access-list pat extended permit ip 100.2.0.0 255.255.0.0 any
access-list pat extended permit ip 10.10.23.0 255.255.255.0 any
access-list pat extended permit ip 10.10.233.0 255.255.255.0 any
access-list pat extended permit ip 172.17.0.0 255.255.240.0 any
access-list pat extended permit ip 201.0.0.0 255.255.255.0 any
access-list pat extended permit ip 100.4.0.0 255.255.0.0 any
access-list pat extended permit ip 100.134.0.0 255.255.0.0 any
access-list pat extended permit ip 172.16.38.0 255.255.255.0 any
access-list pat extended permit ip 192.168.40.0 255.255.255.192 any
access-list pat extended permit ip 192.168.40.64 255.255.255.192 any
access-list pat extended permit ip 192.168.40.128 255.255.255.192 any

access-list pat_dmz extended permit ip host 192.168.128.26 any
access-list pat_dmz extended permit ip host 192.168.128.28 any

Thanks!!

Re: Error Message 305006

mirober2 — Wed, 06 Oct 2010 20:27:15 GMT

Hello,

EDIT:

I noticed you didn't post the output of 'show run global', so please check that as well. If you don't have anything that starts with global (OUTSIDE) 1, you can follow the config I mentioned below.

The reason you are seeing that message is because there is no valid NAT config for packets that will flow from the inside interface to the outside interface. Try adding this:

nat (inside) 2 0.0.0.0 0.0.0.0

global (OUTSIDE) 2 interface

That will allow the firewall to translate any source address on the inside to the outside interface IP using PAT. That should stop the messages you are seeing.

Hope that helps.

-Mike

Message was edited by: mirober2

Re: Error Message 305006

ksarin123_2 — Wed, 06 Oct 2010 20:35:33 GMT

So this is what I have for the global statement:

global (OUTSIDE) 1 interface

All the internal IP's that are being referenced in the error message are covered under the pat access-l. So they should definately be PAT'd, since there are other hosts on the same network that connect to the internet.

So I don't think I need to add another NAT statement. Any other ideas?

Thanks!

Re: Error Message 305006

mirober2 — Wed, 06 Oct 2010 20:43:53 GMT

It's possible that you might be running out of PAT slots if you have a lot of connections going through the firewall. What does 'show xlate count' say?

-Mike

Re: Error Message 305006

ksarin123_2 — Wed, 06 Oct 2010 20:46:25 GMT

XLATE count is 2611, most used is 6466

Conn count is 2647, most used is 3712

Re: Error Message 305006

mirober2 — Wed, 06 Oct 2010 20:52:15 GMT

Hello,

The PAT pool is actually split up into 3 smaller pools, so you may be running out of slots in one of the 3 pools. The pools are split up as follows:

Port 1-511

Port 512-1023

Port 1024-65535

As you can see, the first 2 pools only have 511 slots in them and you have over 2k xlates. Can you check the full output of 'show xlate' and see what the ports being used in the translations are? If you have more than 511 xlates in the 1-511 or 512-1023 ranges, you'll see these messages.

-Mike

Re: Error Message 305006

ksarin123_2 — Wed, 06 Oct 2010 21:12:43 GMT

None of the addresses referenced in the error message appear in the xlate table. This is the expected behavior since the error message states that it is unable to create a NAT translation for the host in question.

Still scratching my head on this one.....

Re: Error Message 305006

mirober2 — Thu, 07 Oct 2010 14:43:24 GMT

Hello,

I agree that the addresses in the syslogs shouldn't show up in the 'show xlate' output. However, what you want to look for in 'show xlate' is an indication of what ports actually are being successfully allocated. This will help you determine why some connections cannot be allocated.

For example, you may see many xlates being built with ports in the 512-1023 range. If this is the case, new connections trying to use ports in this same range may be denied with this syslog message since we are out of translation slots in that pool.

You can also try to add a second global (OUTSIDE) 1 statement with another PAT address and see if this alleviates the problem. If it does, you'll know you were running out of translation slots in one of the 3 pools.

-Mike