Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
343
Views
0
Helpful
3
Replies

New ASA bug: "ERROR: NAT unable to reserve ports"

tvotna
Spotlight
Spotlight

‎07-23-2023 07:42 AM

Hey Cisco engineers (if any),

Can you explain why ASA gives an error "ERROR: NAT unable to reserve ports" only when "asp rule-engine transactional-commit nat" is configured and only if "tmatch compile thread" is running (e.g. when device boots up or standby receives config over failover link)???

NAT configuration:

nat (inside,outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
nat (inside,outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001

If above conditions are met, 2nd NAT command is not accepted and device is left with incomplete NAT config.

If transactional commit is not configured or it is not running at the moment (e.g. 2nd NAT command is added interactively from CLI), a warning "WARNING: mapped-address 172.16.0.1/10001-0 overlaps with existing static NAT in Section 1, rule 2512" is displayed instead of the error and the command is accepted. This is illustrated below.

BTW, the warning is also misleading, as the configuration is perfectly valid.

Is this a new bug?

 

ASA/CONTEXT/pri/act(config)# show run asp rule-engine transactional-commit nat
asp rule-engine transactional-commit nat

! copy large NAT configuration into the running-config to start rule compilation
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# copy /noconfirm disk0:/nat2.cfg running-config

..................................................................................................................................................................................................................
Cryptochecksum (changed): 2fa15e80 9d6e308e a3147293 c45bc715

432043 bytes copied in 15.210 secs (28802 bytes/sec)
ASA/pri/act(config)#
ASA/CONTEXT/pri/act(config)# changeto system
ASA/pri/act(config)# show proc cpu-usage sorted non-zero | i tmatch
0x00005564665d2fe3 0x00007f1d862c0860 49.4% 19.5% 10.8% tmatch compile thread
ASA/pri/act(config)#
ASA/pri/act(config)# changeto c CONTEXT
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ERROR: NAT unable to reserve ports.

ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# show nat | i obj-192.168.0.[12]
2512 (inside) to (outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ASA/CONTEXT/pri/act(config)#

! compilation finishes upon few seconds or a minute
ASA/pri/act(config)# changeto system
ASA/pri/act(config)# show proc cpu-usage sorted non-zero | i tmatch
0x00005564665d38dc 0x00007f1d862c0860 0.0% 11.6% 12.9% tmatch compile thread
ASA/pri/act(config)#
ASA/pri/act(config)# changeto c CONTEXT
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ASA/CONTEXT/pri/act(config)# nat (inside,outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
WARNING: mapped-address 172.16.0.1/10001-0 overlaps with existing static NAT in Section 1, rule 2512.
ASA/CONTEXT/pri/act(config)#
ASA/CONTEXT/pri/act(config)# show nat | i obj-192.168.0.[12]
2512 (inside) to (outside) source static obj-192.168.0.1 obj-192.168.0.1 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
2513 (inside) to (outside) source static obj-192.168.0.2 obj-192.168.0.2 destination static obj-172.16.0.1 obj-10.0.0.1 service obj-tcp-dest-eq-10001 obj-tcp-dest-eq-10001
ASA/CONTEXT/pri/act(config)#

 

0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎07-23-2023 09:33 AM

 

                      -    FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo37603
  If the bug report is not exactly applicable to the problem as you are experiencing it ; (even) then upgrade to the latest advisory release for your particular ASA model and check if that can help , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

tvotna
Spotlight
Spotlight
In response to marce1000

‎07-23-2023 10:28 PM

This doesn't apply to us. We're running 9.12.4.47.

 

0 Helpful

marce1000
VIP
VIP
In response to tvotna

‎07-23-2023 11:39 PM

 

   - Then escalate the issue = contact TAC , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card