FTD showing several nat-no-xlate-to-pat-pool for asp drops

ABaker94985
Spotlight

We have a Firepower 4110 running 7.0.4 managed by an FMCv running 7.0.4. We've been dealing with a NAT exhaustion problem recently, so I've been watching asp drops to make sure the issue is resolved. In the meantime, I've noticed the firewall is reporting around 100 packets/sec for asp nat-no-xlate-to-pat-pool. Over half of these have the FIN or RST flag set, so I'm not worried about these, and it's possible the rate isn't considered excessive anyway. The remaining drops are actual data traffic that probably belonged to a flow as shown below. I'm not hearing any reports about issues the past few days, but I'd appreciate someone weighing in as to whether or not this is significant and what could be the resolution.

393: 12:56:37.624494 146.112.240.72.443 > our_public_ip.52645: . ack 2168596390 win 83 Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate, Drop-location: frame 0x0000562d24140aa7 flow (NA)/NA

Thank you.
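An added example, not part of the original post: a Python tally of asp-drop capture lines that separates FIN/RST drops from data/ACK drops, the split the post makes by eye, and lists the remote endpoints behind the data/ACK drops. Only the first sample line is from the post; the others are constructed in the same layout, and reading the flag field as tcpdump-style letters (F, R, P, S, `.`) is an assumption.

```python
import re
from collections import Counter

# Line 393 is the capture line from the post; 394-397 are constructed in the
# same layout with documentation-range addresses.
SAMPLE = """\
393: 12:56:37.624494 146.112.240.72.443 > our_public_ip.52645: . ack 2168596390 win 83 Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate, Drop-location: frame 0x0000562d24140aa7 flow (NA)/NA
394: 12:56:37.701120 198.51.100.7.443 > our_public_ip.40112: P 100:160(60) ack 200 win 83 Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
395: 12:56:37.702331 198.51.100.7.443 > our_public_ip.40113: F 100:100(0) ack 200 win 83 Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
396: 12:56:37.810045 203.0.113.20.80 > our_public_ip.51000: R 300:300(0) win 0 Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
397: 12:56:37.900210 203.0.113.99.55000 > our_public_ip.22: S 1:1(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# seq-no: time src.port > dst.port: FLAGS ... Drop-reason: (reason) text
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRPUEW.]+)\s"
    r".*?Drop-reason:\s+\((?P<reason>[^)]+)\)"
)

def classify(flags):
    # FIN/RST segments are the drops the post sets aside; the rest are data/ACK.
    return "teardown" if set(flags) & {"F", "R"} else "data_or_ack"

def summarize(text, reason="nat-no-xlate-to-pat-pool"):
    """Return (count per class, count per remote endpoint for data/ACK drops)."""
    kinds, peers = Counter(), Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["reason"] != reason:
            continue  # unparsed line or a different ASP drop reason
        kind = classify(m["flags"])
        kinds[kind] += 1
        if kind == "data_or_ack":
            host, port = m["src"].rsplit(".", 1)  # address.port, split at last dot
            peers[(host, int(port))] += 1
    return kinds, peers

if __name__ == "__main__":
    kinds, peers = summarize(SAMPLE)
    print(dict(kinds))
    print(peers.most_common(5))
```

A few remote endpoints dominating the data/ACK count points at specific long-lived or idle-timed-out flows; an even spread across many endpoints points at the PAT pool or timeout settings in general.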
