Solved: Re: portmap translation creation failed

jlmickens · ‎01-28-2013

After adding a NAT rule on Friday morning, I'm now getting a bunch of "portmap translation creation failed" messages from my ASA 5520. (It's currently running 8.4(3).) The failure errors appear to have nothing to do with the change that was made. Here are the relevant additions to the config:

! Define objects involved

object network BCSNovar

host 172.16.173.191

object network Harris

! public addresses masked to protect the innocent.

range x.x.x.1 x.x.x.254

description Harris Corporation - Novar

! Access list to allow the traffic in

access-list outside_access_in remark Harris RDP access to BCSNovar server via port 3392

access-list outside_access_in extended permit tcp object Harris object BCSNovar eq 3392 log alerts

! NAT the inside address to the outside address for the port

object network BCSNovar

nat (Inside,Outside) static interface service tcp 3389 3392

I have very similar rules in place for other vendors to access other machines. The only difference between this new one and those old ones is the use of the objects in the rule instead of the direct IP addresses. This is also the first one that invovles a range instead of a specific address or network.

The errors are fairly frequent and usually involved normal web traffic on ports 80/443 or NTP. Here are a few copied from the ASDM interface:

3

Jan 28 2013

11:26:42

72.240.1.140

123

portmap translation creation failed for udp src Inside:172.16.171.10/65535 dst Outside:72.240.1.140/123

3

Jan 28 2013

11:27:44

174.132.200.187

80

portmap translation creation failed for tcp src Inside:172.16.31.119/53767 dst Outside:174.132.200.187/80

3

Jan 28 2013

11:29:47

74.63.137.149

80

portmap translation creation failed for tcp src Inside:172.16.30.130/3151 dst Outside:74.63.137.149/80

I have no idea why these are failing. Any help would be appreciated.

Jennifer Halim · ‎01-28-2013

Sounds to me like there is a co-incidence between the newly configured rules and the error message seen.

Did you perform "clear xlate" after configuring the new rules?

Also the IP Address in the error message as you said, doesn't seem to match the newly configured NAT host, so it might not be related.

Without looking at the full configuration, it would be difficult to see what could be the issue.

View solution in original post

Jennifer Halim · ‎01-28-2013

Sounds to me like there is a co-incidence between the newly configured rules and the error message seen.

Did you perform "clear xlate" after configuring the new rules?

Also the IP Address in the error message as you said, doesn't seem to match the newly configured NAT host, so it might not be related.

Without looking at the full configuration, it would be difficult to see what could be the issue.

jlmickens · ‎01-30-2013

I did not do a "clear xlate" after configuring the new rules. Should I have? Do you think doing one now would help?

I've attached the full config.

Jennifer Halim · ‎01-30-2013

Are you still getting the error message, or the error message has disappeared now?

Also, are you actually having any problem from those host in the error message?

If you run packet tracer for the same source and destination as the error message, does it fail or pass? if it fails, can you pls post the output of the packet tracer.

jlmickens · ‎01-31-2013

I am still getting them. Here are a couple of random failures and the associated packet tracer output:

Jan 31 2013 09:32:41: %ASA-3-305006: portmap translation creation failed for udp src Inside:172.16.171.10 (fwdcvod01.buckeyehq.com) /65535 dst Outside:72.240.1.140 (unresolved) /123

Jan 31 2013 09:44:12: %ASA-3-305006: portmap translation creation failed for tcp src Inside:172.16.30.66 (hpc14520rr.buckeyehq.com) /1242 dst Outside:206.72.206.242 (unresolved) /80

Both seem to be dropping at the same rule, which is not one that I altered.

jlmickens · ‎10-22-2013

Ultimately, it was a 'clear xlate' that fixed the issue.