Very wierd, NAT/PAT pool exhausted but only on standby firewall!

davegibelli · ‎02-04-2016

Hi

I have a pair of ASA5520's running 8.4(7) with the standby logging "NAT/PAT pool exhausted. Unable to create connection", the active ASA does not log the same message.

I don't understand why the standby is logging anything, is this a bug?

Mark Withers · ‎02-04-2016

Try running these 2 commands in the CLI on primary and standby:

show conn count

show xlate count

If you have numbers here approaching 64,000, then you have an indicator of NAT/PAT exhaustion. In my experience numbers past about 44k caused issues (probably due to momentary spikes of 20,000, pretty easy to accomplish especially with a malfunctioning device).

davegibelli · ‎06-30-2016

Hi

I have just gone back to this issue as it is still there, see below, there are nowhere near 65,000 connection:

Jun 30 2016 15:59:37: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.

Jun 30 2016 15:59:37: %ASA-3-210007: LU allocate xlate failed

Jun 30 2016 15:59:44: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.

Jun 30 2016 15:59:44: %ASA-3-210007: LU allocate xlate failed

fw# sh xlate count

15125 in use, 31336 most used

fw# sh conn count

13556 in use, 17227 most used

fw# term mon

Jun 30 2016 16:00:57: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.

Jun 30 2016 16:00:57: %ASA-3-210007: LU allocate xlate failed

Jun 30 2016 16:00:59: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.

Jun 30 2016 16:00:59: %ASA-3-210007: LU allocate xlate failed

Jun 30 2016 16:01:01: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.

kvaldelo · ‎02-04-2016

- Both units have the same configuration, any change on the standby that was not replicated?

- Can you run a packet tracer on the active and one on the standby (don't replicate configs yet)

- Please attach the outputs

sebastianvandijk · ‎11-18-2016

Got this problem too only on 5545-X and 9.1.7...

any updates on this one ?