08-19-2013 01:16 PM
Having a problem with a NAT IP pool filling up. There are 92 IP addresses in the pool which should be plenty compared to the number of active clients. However, the pool is filling up. When I go to look at what active sessions a given IP address has, I find that many have no active sessions (with "show session all filter source <ip>" or "show session all filter destination <xlate-source>"). So why are they still consuming an address in the pool? I notice in the "show running nat-rule-ippool" output, that there is nothing in the "TTL" field. Is that expected? Is there a way to manually flush an entry or the whole list? The "clear nat-rule-cache" command does not seem to do it.
Running 4.1.2 on a PA-5050.
08-19-2013 01:40 PM
Are we using "dynamic IP" or "dynamic IP and Port"? From the description, it looks like we are using a pool, i.e. "Dynamic IP". The command "show running nat-rule-ippool" works only for "Dynamic IP and Port".
Can you try out the command:
debug dataplane nat sync-ippool rule<rulename>
Here are some helpful links:
https://live.paloaltonetworks.com/docs/DOC-3452
https://live.paloaltonetworks.com/docs/DOC-4891
BR,
Karthik
08-19-2013 02:12 PM
In addition,
when you are trying to match for sessions that are source translated,
1) The "show session all filter source <ip>", where <ip> is one of the "Source NATed IPs from the pool", will not show us any results. This is because the session is initiated from the original source, whose IP later gets translated to one of the IPs from the pool. This command is valid for pre-translated source IP addresses and not the post-translated IP addresses.
2) On similar lines, the command "show session all filter destination <xlate-source>" wouldn't work for post-translated source IP addresses, because from the PAN FW's standpoint the destination is the real IP address and not the translated IP address. (This command would, however, work for a pre-translated destination NAT IP address.)
Hence, for both cases you will never see any sessions, and this is expected behavior.
08-19-2013 04:37 PM
I am indeed doing one-to-one NAT, "dynamic IP" only. I do get output from "show running nat-rule-ippool." Are you saying the output is bogus?
crclark@scea-rhq-sc-pa5050a(active)> show running nat-rule-ippool rule "Gaming to Internet"
Rule: Gaming to Internet
-----------------------------------------
Reserve IP: no
0.0.0.0-255.255.255.255 => xxx.xxx.xxx.100-xxx.xxx.xxx.191
Source           Xlat-Source      Ref. Cnt   TTL(s)
---------------- ---------------- ---------- ----------
172.26.200.133   xxx.xxx.xxx.161  30
172.26.200.250   xxx.xxx.xxx.101  980
172.26.75.32     xxx.xxx.xxx.108  17
172.26.201.27    xxx.xxx.xxx.166  1
172.26.202.152   xxx.xxx.xxx.104  1
[snip]
Total IPs in use: 88
Total entries in time-reserve cache: 0
Total freelist left: 92
08-19-2013 04:46 PM
I am using the original IP address for the <source> and the translated address <xlate-source> since those would be the IP addresses the firewall would see on the original packet that hits the system. So for example, from the "show running nat-rule-ippool" I see,
172.26.202.152 xxx.xxx.xxx.104 | 1 |
And I can find,
crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.202.152
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
889910 playstation-network ACTIVE FLOW NS 172.26.202.152[51781]/bp-gaming/6 (xxx.xxx.xxx.104[51781])
vsys1 54.241.139.10[443]/internet (54.241.139.10[443])
However, if I look for,
172.26.200.133 xxx.xxx.xxx.161 | 30 |
crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.200.133
No Active Sessions
And if there were to have been an incoming connection (there really shouldn't be, but since I'm troubleshooting, I want to cover all possibilities), it would be found with,
crclark@scea-rhq-sc-pa5050a(active)> show session all filter destination xxx.xxx.xxx.161
No Active Sessions
Since that would have been the IP address on the original packet that came in from the Internet side before NAT.
So I understand why 172.26.202.152 is still holding a slot in the IP pool, but why is 172.26.200.133?
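As an added example (not from the thread or from Palo Alto Networks), the cross-check done by hand above can be scripted: parse the "show running nat-rule-ippool" output and the session table, then list pool entries whose pre-NAT source has no active session. The sample outputs are constructed from the post, with 203.0.113.x standing in for the masked pool addresses.

```python
import re
from typing import Dict, List, Set

# Constructed sample of "show running nat-rule-ippool" output for a Dynamic IP rule.
# 203.0.113.x is a documentation-range placeholder for the masked pool in the thread.
IPPOOL_OUTPUT = """\
Rule: Gaming to Internet
-----------------------------------------
Reserve IP: no
0.0.0.0-255.255.255.255 => 203.0.113.100-203.0.113.191
Source           Xlat-Source      Ref. Cnt   TTL(s)
---------------- ---------------- ---------- ----------
172.26.200.133   203.0.113.161    30
172.26.202.152   203.0.113.104    1
Total IPs in use: 2
"""

# Constructed sample of "show session all" output containing one active session.
SESSION_OUTPUT = """\
ID  Application  State  Type  Flag  Src[Sport]/Zone/Proto (translated IP[Port])
889910 playstation-network ACTIVE FLOW NS 172.26.202.152[51781]/bp-gaming/6 (203.0.113.104[51781])
vsys1 54.241.139.10[443]/internet (54.241.139.10[443])
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Pool row: source, xlate-source, ref count, optional TTL (blank in the post's output).
POOL_ROW = re.compile(rf"^{IPV4}\s+{IPV4}\s+(\d+)\s*(\d*)$")
# Session row: numeric ID, 3-4 columns (Flag may be empty), then the pre-NAT Src[Sport]/Zone.
SESSION_ROW = re.compile(rf"^\d+\s+(?:\S+\s+){{3,4}}{IPV4}\[\d+\]/")

def parse_ippool(text: str) -> Dict[str, dict]:
    """Map each pre-NAT source to its pool entry (xlate address, ref count, TTL or None)."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        m = POOL_ROW.match(line.strip())
        if m:
            src, xlate, refcnt, ttl = m.groups()
            entries[src] = {"xlate": xlate, "refcnt": int(refcnt), "ttl": int(ttl) if ttl else None}
    return entries

def active_sources(text: str) -> Set[str]:
    """Collect the pre-NAT source IPs that appear in the session table."""
    found: Set[str] = set()
    for line in text.splitlines():
        m = SESSION_ROW.match(line.strip())
        if m:
            found.add(m.group(1))
    return found

def stale_pool_entries(ippool_text: str, session_text: str) -> List[str]:
    """Pool entries still holding an address although their source has no active session."""
    pool = parse_ippool(ippool_text)
    active = active_sources(session_text)
    return sorted(src for src in pool if src not in active)
```

In the constructed sample this flags 172.26.200.133, the entry the post asks about, while 172.26.202.152 is excluded because its session is still in the table.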
08-20-2013 10:12 PM
Could you confirm that you are currently running PAN-OS 4.1.2? If so, then there were some NAT pool leak issues resolved between that release and the latest 4.1.x release, which is 4.1.14. If indeed on 4.1.2, then I would recommend scheduling an upgrade to 4.1.14 and seeing if you still have issues. If you continue to have NAT pool issues with 4.1.14, then I would recommend opening a support case to have TAC investigate.
-Richard
08-26-2013 10:59 AM
Sorry about that, the version is actually 4.1.6. (When I first looked at the "show system info" output, the "logdb-version: 4.1.2" line caught my eye first.)
However, now I'm not really sure I even have a problem... Upon some more testing, it looks like even though I have 92 translations "in use," when I actually try to create a new translation, it works. One of the translations that's listed gets bumped out. Presumably it's one of those that has no active sessions associated with it. Maybe the PAN retains some memory of inactive sessions so internal IPs get the same external IP address next time, but those external IPs are still available to new active sessions if needed?
So now I may have to look elsewhere for what caused our problems... or maybe we really did run out of mapped addresses. Seems I can't tell by just looking at "show running nat-rule-ippool" how many addresses are really available, if the IP pool is at 100% usage.