07-23-2023 07:42 AM
Hey Cisco engineers (if any),
Can you explain why the ASA gives the error "ERROR: NAT unable to reserve ports" only when "asp rule-engine transactional-commit nat" is configured and only if the "tmatch compile thread" is running (e.g. when the device boots up or the standby receives the config over the failover link)?
NAT configuration:
nat (inside,outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
nat (inside,outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
If the above conditions are met, the 2nd NAT command is not accepted and the device is left with an incomplete NAT config.
If transactional commit is not configured, or it is not running at the moment (e.g. the 2nd NAT command is added interactively from the CLI), the warning "WARNING: mapped-address 172.16.0.1/10001-0 overlaps with existing static NAT in Section 1, rule 2512" is displayed instead of the error and the command is accepted. This is illustrated below.
BTW, the warning is also misleading, as the configuration is perfectly valid.
Is this a new bug?
ASA/CONTEXT/pri/act(config)# show run asp rule-engine transactional-commit nat
asp rule-engine transactional-commit nat
! copy large NAT configuration into the running-config to start rule compilation
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# copy /noconfirm disk0:/nat2.cfg running-config
..................................................................................................................................................................................................................
Cryptochecksum (changed): 2fa15e80 9d6e308e a3147293 c45bc715
432043 bytes copied in 15.210 secs (28802 bytes/sec)
ASA/pri/act(config)#
ASA/CONTEXT/pri/act(config)# changeto system
ASA/pri/act(config)# show proc cpu-usage sorted non-zero | i tmatch
0x00005564665d2fe3 0x00007f1d862c0860 49.4% 19.5% 10.8% tmatch compile thread
ASA/pri/act(config)#
ASA/pri/act(config)# changeto c CONTEXT
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ERROR: NAT unable to reserve ports.
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# show nat | i obj-192.168.0.[12]
2512 (inside) to (outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ASA/CONTEXT/pri/act(config)#
! compilation finishes after a few seconds or a minute
ASA/pri/act(config)# changeto system
ASA/pri/act(config)# show proc cpu-usage sorted non-zero | i tmatch
0x00005564665d38dc 0x00007f1d862c0860 0.0% 11.6% 12.9% tmatch compile thread
ASA/pri/act(config)#
ASA/pri/act(config)# changeto c CONTEXT
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
WARNING: mapped-address 172.16.0.1/10001-0 overlaps with existing static NAT in Section 1, rule 2512.
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# show nat | i obj-192.168.0.[12]
2512 (inside) to (outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
2513 (inside) to (outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ASA/CONTEXT/pri/act(config)#
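The practical risk described in the post is a unit that silently comes up with fewer NAT rules than its saved config (a rejected line during boot or failover sync is not replayed later). The script below is an added example, not code from the original post or from Cisco: it compares the manual NAT rules of an intended config against the rule lines of "show nat" output, reports the rules that did not make it in, and pulls any "ERROR:" lines out of a CLI transcript so a push can be failed automatically. The two NAT lines and the "show nat" / transcript text are constructed from the post's own output; the "Manual NAT Policies (Section 1)" header and "translate_hits" counter lines are included only to show that non-rule lines are skipped.

```python
"""Verify that every manual NAT rule of an intended config is present in the
ASA NAT table ('show nat'), and flag 'ERROR:' lines in a CLI transcript."""
import re

# Constructed sample data (not captured from a device): the two NAT lines the
# original post pushes, plus 'show nat' output for the incomplete and the
# complete case.
INTENDED_NAT = """\
nat (inside,outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
nat (inside,outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
"""

SHOW_NAT_INCOMPLETE = """\
Manual NAT Policies (Section 1)
2512 (inside) to (outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
    translate_hits = 0, untranslate_hits = 0
"""

SHOW_NAT_COMPLETE = SHOW_NAT_INCOMPLETE + """\
2513 (inside) to (outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
    translate_hits = 0, untranslate_hits = 0
"""

CLI_TRANSCRIPT = """\
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ERROR: NAT unable to reserve ports.
"""

# 'nat (real,mapped) <rest>' as written in the configuration.
CFG_RE = re.compile(r"^nat \((\S+?),(\S+?)\) (.+)$")
# '<n> (real) to (mapped) <rest>' as printed by 'show nat'.
SHOW_RE = re.compile(r"^(\d+) \((\S+?)\) to \((\S+?)\) (.+)$")


def _canon(real, mapped, rest):
    """Single canonical spelling so config lines and 'show nat' lines compare."""
    return "nat (%s,%s) %s" % (real, mapped, " ".join(rest.split()))


def parse_intended(cfg_text):
    """Manual NAT rules of a config, in order, canonicalised."""
    rules = []
    for line in cfg_text.splitlines():
        m = CFG_RE.match(line.strip())
        if m:
            rules.append(_canon(*m.groups()))
    return rules


def parse_show_nat(show_text):
    """Map rule number -> canonical rule for every rule line of 'show nat'.
    Section headers and hit-counter lines do not match and are skipped."""
    table = {}
    for line in show_text.splitlines():
        m = SHOW_RE.match(line.strip())
        if m:
            num, real, mapped, rest = m.groups()
            table[int(num)] = _canon(real, mapped, rest)
    return table


def missing_rules(cfg_text, show_text):
    """Intended rules that are absent from the device NAT table."""
    installed = set(parse_show_nat(show_text).values())
    return [r for r in parse_intended(cfg_text) if r not in installed]


def error_lines(transcript):
    """'ERROR:' lines from a CLI session; a config push should fail on any."""
    return [l.strip() for l in transcript.splitlines()
            if l.strip().startswith("ERROR:")]


if __name__ == "__main__":
    for rule in missing_rules(INTENDED_NAT, SHOW_NAT_INCOMPLETE):
        print("MISSING:", rule)
    for err in error_lines(CLI_TRANSCRIPT):
        print(err)
```

In practice the intended config is the file copied with "copy ... running-config" (or the primary's running-config for a failover pair) and the "show nat" text is collected from the unit after the compile thread has gone idle; running the comparison on both units after a failover sync is what catches the incomplete standby.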
07-23-2023 09:33 AM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo37603
If the bug report is not exactly applicable to the problem as you are experiencing it, (even) then upgrade to the latest advisory release for your particular ASA model and check if that helps,
M.
07-23-2023 10:28 PM
This doesn't apply to us. We're running 9.12.4.47.
07-23-2023 11:39 PM
- Then escalate the issue = contact TAC ,
M.