topic Re: NAT IP Pool Clean Up in General Topics

NAT IP Pool Clean Up

cosx — Mon, 19 Aug 2013 20:16:50 GMT

Having a problem with a NAT IP pool filling up. There are 92 IP addresses in the pool which should be plenty compared to the number of active clients. However, the pool is filling up. When I go to look at what active sessions a given IP address has, I find that many have no active sessions (with "show session all filter source <ip>" or "show session all filter destination <xlate-source>"). So why are they still consuming an address in the pool? I notice in the "show running nat-rule-ippool" output, that there is nothing in the "TTL" field. Is that expected? Is there a way to manually flush an entry or the whole list? The "clear nat-rule-cache" command does not seem to do it.

Running 4.1.2 on a PA-5050.

Re: NAT IP Pool Clean Up

kprakash — Mon, 19 Aug 2013 20:40:04 GMT

Are we using "dynamic IP" or "dynamic IP and Port" ? From the description, it looks like we are using a pool, ie "Dynamic IP". The command "show running nat-rule-ippool" works only for "Dynamic IP and Port"

Can you try out the command:

debug dataplane nat sync-ippool rule<rulename>

Here are some helpful links:

https://live.paloaltonetworks.com/docs/DOC-3452

https://live.paloaltonetworks.com/docs/DOC-4891

BR,

Karthik

Re: NAT IP Pool Clean Up

kprakash — Mon, 19 Aug 2013 21:12:00 GMT

In addition,

when you are trying to match for sessions that are source translated,

1) The "show session all filter source <ip>", where <ip> is one of the "Source Nated IP from the pool", will not show us any results. This is because the session is initiated from the original source, whose IP later gets translated to one of the IPs from the pool. This command is valid for pre-translated source IP addresses and not the post translated IP addresses.

2) On similar lines, the command "show session all filter destination <xlate-source>", wouldnt work for post translated source IP addresses, because from the PANFWs standpoint the destination is the real IP address and not the translated IP address. ( this command would however work for pre translated destination NAT IP address )

Hence for both the cases, you will never see any sessions, and this is an expected behavior.

Re: NAT IP Pool Clean Up

cosx — Mon, 19 Aug 2013 23:37:57 GMT

I am indeed doing one-to-one NAT, "dynamic IP" only. I do get output from "show running nat-rule-ippool." Are you saying the output is bogus?

crclark@scea-rhq-sc-pa5050a(active)> show running nat-rule-ippool rule "Gaming to Internet"

Rule: Gaming to Internet

-----------------------------------------

Reserve IP: no

0.0.0.0-255.255.255.255 => xxx.xxx.xxx.100-xxx.xxx.xxx.191

Source Xlat-Source Ref. Cnt TTL(s)

---------------- ---------------- ---------- ----------

172.26.200.133 xxx.xxx.xxx.161 30

172.26.200.250 xxx.xxx.xxx.101 980

172.26.75.32 xxx.xxx.xxx.108 17

172.26.201.27 xxx.xxx.xxx.166 1

172.26.202.152 xxx.xxx.xxx.104 1

[snip]

Total IPs in use: 88

Total entries in time-reserve cache: 0

Total freelist left: 92

Re: NAT IP Pool Clean Up

cosx — Mon, 19 Aug 2013 23:46:51 GMT

I am using the original IP address for the <source> and the translated address <xlate-source> since those would be the IP addresses the firewall would see on the original packet that hits the system. So for example, from the "show running nat-rule-ippool" I see,

172.26.202.152 xxx.xxx.xxx.104

And I can find,

crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.202.152

--------------------------------------------------------------------------------

ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])

Vsys Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

889910 playstation-network ACTIVE FLOW NS 172.26.202.152[51781]/bp-gaming/6 (xxx.xxx.xxx.104[51781])

vsys1 54.241.139.10[443]/internet (54.241.139.10[443])

However, if I look for,

172.26.200.133 xxx.xxx.xxx.161

crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.200.133

No Active Sessions

And if there were to have been an incoming connection (there really shouldn't be, but since I'm troubleshooting, I want to cover all possibilities), it would be found with,

crclark@scea-rhq-sc-pa5050a(active)> show session all filter destination xxx.xxx.xxx.161

No Active Sessions

Since that would have been the IP address on the original packet that came in from the Internet side before NAT.

So I understand why 172.26.202.152 is still holding a slot in the IP pool, but why is 172.26.200.133?

Re: NAT IP Pool Clean Up

Retired Member — Wed, 21 Aug 2013 05:12:09 GMT

Could you confirm that you are currently running PAN-OS 4.1.2 ? If so then there were some NAT pool leak issues resolved between that release and latest 4.1.x release which is 4.1.14. If indeed on 4.1.2 then I would recommend scheduling an upgrade to 4.1.14 and see if you still have issues. If you continue to have NAT pool issues with 4.1.14, then I would recommend to open a support case to have TAC investigate.

-Richard

Re: NAT IP Pool Clean Up

cosx — Mon, 26 Aug 2013 17:59:12 GMT

Sorry about that, the version is actually 4.1.6. (When I first looked at the "show system info" output, the "logdb-version: 4.1.2" line caught my eye first.)

However, now I'm not really sure I even have a problem... Upon some more testing, it look like even though I have 92 translations "in use," when I actually try to create a new translation, it works. One of the translations that's listed gets bumped out. Presumably it's one of those that has no active sessions associated with it. Maybe the PAN retains some memory of inactive sessions so internal IPs get the same external IP address next time, but those external IPs are still available to new active sessions if needed?

So now I may have to look elsewhere for what caused our problems... or maybe we really did run out of mapped addresses. Seems I can't tell by just looking at "show running nat-rule-ippool" how many addresses are really available, if the IP pool is at 100% usage.