ASA-3-202010: PAT pool exhausted.

chuckholley
Level 1

Hi, I am just looking for an explanation of this error message. I have an HA pair of 5525s that went nuts yesterday, and this error showed up over a million times in about 20 minutes. It then started working again with no intervention from me and, I hear, no changes from anyone else on any other system. I have never seen this issue before. We are running code v9.4(3)8. It was my PAT for all outbound internet users. Any assistance or info sharing on what this actually is would be great.

Thanks

2 Replies

It could be a lot of things really. How big is your PAT pool? How many users do you have in your network?

It could very well be that your PAT pool actually was exhausted and that the timeout was reached (default of 3 hours), and when they started to clear, users got access again.

Another possibility is that this is a bug (CSCux82835) or possibly this bug (CSCuh43139), though the bug I found lists 9.5 and 9.1 as affected versions, but I wouldn't count out that 9.4(3) is affected also.

Issue the show nat pool and show nat detail commands to see more info on how much of your PAT pool is being used.

--

Please remember to select a correct answer and rate helpful posts


Ajay Saini
Level 7

This theoretically means that the source IP address was not translated because there were no more ports available for the PAT IP address; all of them were already in use.

The first thing is to identify whether the issue actually happened or the log was just cosmetic. Since it's related to the global PAT, if there were users complaining about no internet, then the issue happened. To validate that, the show nat pool and show nat detail commands will help:

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html

If you have that info and other syslogs surrounding that incident, we can find more info to dig into it. There are a few bugs associated with it and also a few NAT tweaks to make PAT work more efficiently:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html

There are some extension options for NAT like 'flat' and 'extended' that might do the trick for you. It would also be advisable to understand how the ASA allocates the source port mapping from the PAT address.

HTH

-AJ
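Both replies above point at the same two pieces of evidence: the per-address port counters in show nat pool, and the %ASA-3-202010 lines themselves. The script below is an added example written for this page, not code from either poster or from Cisco. It parses constructed samples of both outputs, flags a PAT address whose ephemeral port range (1024-65535, the one ordinary clients draw from when 'flat' is not configured) is near capacity, and ranks the inside hosts that were being refused translations, since a single chatty host is a different problem from an undersized pool. The field order in the sample show nat pool text and syslog lines is assumed from the 9.x format; check the regexes against your own firewall's output before relying on them.

```python
"""
Triage helpers for ASA-3-202010 ("PAT pool exhausted").

Two checks a practitioner wants after seeing a burst of this message:
  1. How full each PAT address is, per protocol and per port range,
     from 'show nat pool' output.
  2. Which inside hosts were asking for translations when the pool
     ran dry, from the %ASA-3-202010 syslog lines themselves.

The sample 'show nat pool' text and syslog lines below are CONSTRUCTED
for this example in the shape ASA 9.x prints them (an assumption);
verify field order against your own firewall before trusting the regexes.
"""
import re
from collections import Counter

# e.g. "TCP PAT pool outside, address 198.51.100.1, range 1024-65535, allocated 64512"
POOL_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT pool (?P<iface>\S+), address (?P<addr>[\d.]+), "
    r"range (?P<lo>\d+)-(?P<hi>\d+), allocated (?P<alloc>\d+)\s*$"
)

# e.g. "%ASA-3-202010: PAT pool exhausted. Unable to create TCP connection
#       from inside:10.1.1.5/51234 to outside:198.51.100.7/443"
EXHAUSTED_RE = re.compile(
    r"%ASA-3-202010: (?:NAT|PAT) pool exhausted\. Unable to create (?P<proto>\w+) "
    r"connection from (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_nat_pool(text):
    """Return one dict per 'show nat pool' row, with capacity and utilization."""
    rows = []
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue  # blank lines or anything that is not a pool row
        lo, hi, alloc = int(m["lo"]), int(m["hi"]), int(m["alloc"])
        capacity = hi - lo + 1
        rows.append({
            "proto": m["proto"], "iface": m["iface"], "addr": m["addr"],
            "range": (lo, hi), "allocated": alloc, "capacity": capacity,
            "util": alloc / capacity,
        })
    return rows


def pools_near_exhaustion(rows, threshold=0.90):
    """(proto, addr, allocated, capacity) for ranges starting at >=1024 that
    are at or above the threshold.

    Without the 'flat' keyword the ASA splits each PAT address into three
    ranges (1-511, 512-1023, 1024-65535); ordinary clients only draw from
    the last one, so that is the range that actually runs out."""
    return [
        (r["proto"], r["addr"], r["allocated"], r["capacity"])
        for r in rows
        if r["range"][0] >= 1024 and r["util"] >= threshold
    ]


def top_talkers(syslog_lines, n=3):
    """Count 202010 events per inside source IP. One host dominating the list
    suggests a scanner, a misbehaving application or a UDP/DNS storm rather
    than a pool that is simply too small for the user population."""
    counts = Counter()
    for line in syslog_lines:
        m = EXHAUSTED_RE.search(line)
        if m:
            counts[m["sip"]] += 1
    return counts.most_common(n)


# Constructed sample data (not captured from a real device).
SAMPLE_SHOW_NAT_POOL = """\
TCP PAT pool outside, address 198.51.100.1, range 1-511, allocated 0
TCP PAT pool outside, address 198.51.100.1, range 512-1023, allocated 0
TCP PAT pool outside, address 198.51.100.1, range 1024-65535, allocated 64512
UDP PAT pool outside, address 198.51.100.1, range 1-511, allocated 0
UDP PAT pool outside, address 198.51.100.1, range 512-1023, allocated 0
UDP PAT pool outside, address 198.51.100.1, range 1024-65535, allocated 4100
ICMP PAT pool outside, address 198.51.100.1, range 1-65535, allocated 12
"""

SAMPLE_SYSLOG = [
    "%ASA-3-202010: PAT pool exhausted. Unable to create TCP connection from inside:10.1.1.5/51234 to outside:198.51.100.7/443",
    "%ASA-3-202010: PAT pool exhausted. Unable to create TCP connection from inside:10.1.1.5/51235 to outside:198.51.100.7/443",
    "%ASA-3-202010: PAT pool exhausted. Unable to create TCP connection from inside:10.1.1.5/51236 to outside:203.0.113.9/80",
    "%ASA-3-202010: PAT pool exhausted. Unable to create UDP connection from inside:10.1.1.9/40000 to outside:203.0.113.53/53",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.1.7/50000 (198.51.100.1/2048)",
]

if __name__ == "__main__":
    for proto, addr, alloc, cap in pools_near_exhaustion(parse_nat_pool(SAMPLE_SHOW_NAT_POOL)):
        print(f"{proto} {addr}: {alloc}/{cap} ephemeral ports in use")
    for ip, count in top_talkers(SAMPLE_SYSLOG):
        print(f"{ip}: {count} refused translations")
```

Run it against the real show nat pool output and a syslog export from the 20-minute window; if the ephemeral range shows up full while a handful of hosts account for most of the 202010 lines, look at those hosts before resizing the pool, and if the range is full with traffic spread evenly, the 'flat' (or 'flat include-reserve') extension or additional PAT addresses is the usual fix.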
