PAT pool exhaustion / Portmap translation creation failures

kpieckiel
Level 1

I'm getting some very strange (to me) logs from my ASA, and I'm out of ideas on how to figure it out.

System: ASA-5520

Software: 8.4(3)

Flash: 256 MB

Memory: 2048 MB

Mode: Routed / Single

License: VPN Plus

My Tunnels interface has address 192.168.6.1/24 and has restricted access to my internal network (named ATMS):  a handful of servers are NATted from ATMS to Tunnels with no translation and access from Tunnels to these servers on ATMS is allowed for the services they provide.  All other traffic across the Tunnels interface is outbound and initiated from some host on the ATMS interface (which isn't all that much).

In the syslogs (see attached screen cap) I see a plethora of dynamic UDP xlates being built from ATMS:192.168.6.1 to Tunnels:192.168.6.1 (first, I don't understand why this IP address is the same on both interfaces, as the ATMS interface is on a different subnet).  Each mapping is chained with the previous, with each successive source port being the destination port from the previous map.  An excerpt from the attachment:

192.168.6.1:134 -> 192.168.6.1:149
192.168.6.1:149 -> 192.168.6.1:151
192.168.6.1:151 -> 192.168.6.1:271
192.168.6.1:271 -> 192.168.6.1:272
192.168.6.1:272 -> 192.168.6.1:281

and so on.  Then I get ID 305006 messages saying portmap translation creation failed and I get an ID 202010 message saying the NAT/PAT pool is exhausted (ID 202010 is not shown in the screen capture due to my display filter settings).

Why are there so many chained xlates?  Why are they being chained in the first place?  How do I keep this from occurring?

Some relevant config excerpts follow.  In fact, this is every line related to the Tunnels interface and the 192.168.6.0/24 subnet with the exception of the details of the object or service groups being used:

...
interface Port-channel1.6
 vlan 6
 nameif Tunnels
 security-level 30
 ip address 192.168.6.1 255.255.255.0
...
nat (ATMS,Tunnels) source static Domain-Controllers Domain-Controllers description AMMS computers at tunnels are domain computers
nat (ATMS,Tunnels) source static SQL2-Cluster SQL2-Cluster
nat (ATMS,Tunnels) source static HR-ATMS-SQL1 HR-ATMS-SQL1 description Tunnels use AMMS V7
nat (ATMS,Tunnels) source static HR-ATMS-FILE1 HR-ATMS-FILE1 description Document repository for AMMS at tunnels
nat (ATMS,Tunnels) source static hr-atms-media hr-atms-media description Symantec Endpoint Protection access for clients
...
access-list Tunnels_access_in extended permit object-group Active-Directory-Services 192.168.6.0 255.255.255.0 object-group Domain-Controllers
access-list Tunnels_access_in extended permit object ms-sql-s 192.168.6.0 255.255.255.0 object HR-ATMS-SQL1
access-list Tunnels_access_in extended permit tcp 192.168.6.0 255.255.255.0 object HR-ATMS-SQL1 object-group DM_INLINE_TCP_1
access-list Tunnels_access_in extended permit object-group ms-sharing 192.168.6.0 255.255.255.0 object HR-ATMS-FILE1
access-list Tunnels_access_in extended permit tcp 192.168.6.0 255.255.255.0 object hr-atms-media eq 8014
...
nat (ATMS,Tunnels) after-auto source dynamic any interface
access-group Tunnels_access_in in interface Tunnels
...

I don't know what other info you'd need to help me figure this out.  If anyone can aid me I would greatly appreciate it.

Thank you,

Kevin
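The chained-xlate pattern and the 305006 / 202010 failures described in the post, turned into a small log checker a defender can run over ASA syslog output to measure how fast the "interface" PAT pool is being consumed and whether new xlates are being built on top of earlier mapped ports. This is an added example, not code from the post or from Cisco; the sample lines are constructed in the documented ASA message formats for those IDs and are an assumption, not the poster's screen capture.

```python
import re
from collections import Counter

# Constructed sample lines in the documented ASA formats for message IDs 305011,
# 305006 and 202010 (an assumption: these are not lines from the post's screen capture).
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic UDP translation from ATMS:192.168.6.1/134 to Tunnels:192.168.6.1/149
%ASA-6-305011: Built dynamic UDP translation from ATMS:192.168.6.1/149 to Tunnels:192.168.6.1/151
%ASA-6-305011: Built dynamic UDP translation from ATMS:192.168.6.1/151 to Tunnels:192.168.6.1/271
%ASA-6-305011: Built dynamic UDP translation from ATMS:10.0.0.25/51000 to Tunnels:192.168.6.1/1025
%ASA-3-305006: portmap translation creation failed for udp src ATMS:192.168.6.1/271 dst Tunnels:192.168.6.1/272
%ASA-3-202010: PAT pool exhausted. Unable to create UDP connection from ATMS:192.168.6.1/272 to Tunnels:192.168.6.1/281
"""

XLATE_RE = re.compile(
    r"%ASA-\d-305011: Built dynamic (?P<proto>\w+) translation from "
    r"(?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
FAILURE_RE = re.compile(r"%ASA-\d-(305006|202010):")

def analyze(log_text):
    """Count the symptoms from the post in a block of ASA syslog text:
    chained           xlates whose source ip/port is the mapped ip/port of an earlier xlate
    self_translations xlates whose source and mapped IP are identical (the ASA's own address)
    failures          305006 / 202010 messages, keyed by message ID
    ports_in_use      distinct mapped ports per (interface, mapped IP): PAT pool consumption
    """
    mapped = set()   # (ip, port) pairs already handed out as mapped addresses
    ports = {}       # (interface, mapped ip) -> set of mapped ports
    result = {"chained": 0, "self_translations": 0, "failures": Counter()}
    for line in log_text.splitlines():
        fail = FAILURE_RE.search(line)
        if fail:
            result["failures"][fail.group(1)] += 1
            continue
        m = XLATE_RE.search(line)
        if not m:
            continue
        if (m["sip"], m["sport"]) in mapped:      # source is a previous map's output
            result["chained"] += 1
        if m["sip"] == m["dip"]:                  # no address change, only the port moves
            result["self_translations"] += 1
        mapped.add((m["dip"], m["dport"]))
        ports.setdefault((m["dif"], m["dip"]), set()).add(m["dport"])
    result["ports_in_use"] = {k: len(v) for k, v in ports.items()}
    return result
```

A rising `chained` count alongside a growing `ports_in_use` figure for the Tunnels interface address is the signature to alert on well before the 202010 message appears.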