02-08-2017 07:49 AM - edited 03-12-2019 01:54 AM
Hi, I am just looking for an explanation to this error message. I have a HA pair of 5525's that went nuts yesterday and this error showed up over a million times in about 20 minutes. It then started working again with no intervention from me, and I hear, no changes from anyone else on any other system. I have never seen this issue before. We are running code v9.4(3)8. It was my PAT for all outbound internet users. Any assistance or info sharing on what this actually is would be great.
Thanks
02-08-2017 10:56 AM
It could be a lot of things really. How big is your PAT pool? How many users do you have in your network?
It could very well be that your PAT pool actually was exhausted and that the timeout was reached (default of 3 hours), and when they started to clear, users got access again.
Another possibility is that this is a bug (CSCux82835) or possibly this bug (CSCuh43139), though the bug I found lists 9.5 and 9.1 as affected versions, but we shouldn't count out that 9.4(3) is affected also.
Issue the show nat pool and show nat detail commands to see more info on how much of your PAT pool is being used.
--
Please remember to select a correct answer and rate helpful posts
02-08-2017 11:33 AM
This theoretically means that the source IP address was not translated because there were no more ports available for the PAT IP address and all were used already.
The first thing is to identify if the issue actually happened or the log was just cosmetic. Since it's related to global PAT, if there were users complaining about no internet, then the issue happened. And to validate that, the show nat pool and show nat detail commands will help:
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html
If you have that info and other syslogs surrounding that incident, we can find more info to dig into it. There are a few bugs associated with it and also a few NAT tweaks to make PAT work more efficiently:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html
There are some option extensions for NAT like 'flat' and 'extended' that might do the trick for you. It would also be advisable to understand how the ASA allocates the source port mapping from the PAT address.
HTH
-AJ
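Both answers point at show nat pool as the way to confirm whether the PAT address really ran out of ports. Below is an added example (not from the thread or from Cisco) that parses that command's output and flags any port tier near exhaustion; the sample output is constructed, and the address, interface name and counts are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `show nat pool` output (not taken from the thread):
# one PAT address with the default three port tiers, TCP 1024-65535 almost full.
SAMPLE_SHOW_NAT_POOL = """\
TCP PAT pool outside, address 203.0.113.5, range 1-511, allocated 3
TCP PAT pool outside, address 203.0.113.5, range 512-1023, allocated 0
TCP PAT pool outside, address 203.0.113.5, range 1024-65535, allocated 64000
UDP PAT pool outside, address 203.0.113.5, range 1-511, allocated 0
UDP PAT pool outside, address 203.0.113.5, range 512-1023, allocated 0
UDP PAT pool outside, address 203.0.113.5, range 1024-65535, allocated 1200
"""

POOL_LINE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT pool (?P<ifc>\S+), address (?P<addr>\S+), "
    r"range (?P<lo>\d+)-(?P<hi>\d+), allocated (?P<used>\d+)$"
)

def parse_nat_pool(text):
    """Group `show nat pool` lines as {(proto, addr): [(lo, hi, used), ...]}."""
    pools = defaultdict(list)
    for line in text.splitlines():
        m = POOL_LINE.match(line.strip())
        if m:
            pools[(m["proto"], m["addr"])].append(
                (int(m["lo"]), int(m["hi"]), int(m["used"])))
    return pools

def exhausted_tiers(pools, threshold=0.90):
    """Return [(proto, addr, lo, hi, used, pct)] for every tier at or above
    `threshold`. Tiers are checked one by one because, without `flat`, a
    client source port in 1024-65535 is only mapped into that same tier, so
    that tier filling up denies new connections even while 1-1023 sits idle."""
    hot = []
    for (proto, addr), tiers in sorted(pools.items()):
        for lo, hi, used in tiers:
            pct = round(used / (hi - lo + 1), 3)
            if pct >= threshold:
                hot.append((proto, addr, lo, hi, used, pct))
    return hot

if __name__ == "__main__":
    report = exhausted_tiers(parse_nat_pool(SAMPLE_SHOW_NAT_POOL))
    for proto, addr, lo, hi, used, pct in report:
        print(f"{proto} {addr} ports {lo}-{hi}: {used} in use ({pct:.1%})")
```

Feed it the real command output captured during the incident window and compare against the count of the syslog bursts; a tier at or near 100% confirms the exhaustion explanation rather than a cosmetic log.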