NAT IP Pool Clean Up

L2 Linker

Having a problem with a NAT IP pool filling up. There are 92 IP addresses in the pool which should be plenty compared to the number of active clients. However, the pool is filling up. When I go to look at what active sessions a given IP address has, I find that many have no active sessions (with "show session all filter source <ip>" or "show session all filter destination <xlate-source>"). So why are they still consuming an address in the pool? I notice in the "show running nat-rule-ippool" output, that there is nothing in the "TTL" field. Is that expected? Is there a way to manually flush an entry or the whole list? The "clear nat-rule-cache" command does not seem to do it.

Running 4.1.2 on a PA-5050.

L5 Sessionator

Are we using "dynamic IP" or "dynamic IP and Port"? From the description, it looks like we are using a pool, i.e. "Dynamic IP". The command "show running nat-rule-ippool" works only for "Dynamic IP and Port".

Can you try out the command:

debug dataplane nat sync-ippool rule <rulename>

Here are some helpful links:

https://live.paloaltonetworks.com/docs/DOC-3452

https://live.paloaltonetworks.com/docs/DOC-4891

BR,

Karthik

L5 Sessionator

In addition,

when you are trying to match for sessions that are source translated,

1) The "show session all filter source <ip>", where <ip> is one of the "Source NATed IPs from the pool", will not show us any results. This is because the session is initiated from the original source, whose IP later gets translated to one of the IPs from the pool. This command is valid for pre-translated source IP addresses and not the post-translated IP addresses.

2) On similar lines, the command "show session all filter destination <xlate-source>" wouldn't work for post-translated source IP addresses, because from the PAN FW's standpoint the destination is the real IP address and not the translated IP address. (This command would however work for a pre-translated destination NAT IP address.)

Hence for both the cases, you will never see any sessions, and this is expected behavior.

L2 Linker

I am indeed doing one-to-one NAT, "dynamic IP" only. I do get output from "show running nat-rule-ippool." Are you saying the output is bogus?

crclark@scea-rhq-sc-pa5050a(active)> show running nat-rule-ippool rule "Gaming to Internet"

Rule: Gaming to Internet
-----------------------------------------
Reserve IP: no
0.0.0.0-255.255.255.255 => xxx.xxx.xxx.100-xxx.xxx.xxx.191
Source           Xlat-Source      Ref. Cnt   TTL(s)
---------------- ---------------- ---------- ----------
172.26.200.133   xxx.xxx.xxx.161     30
172.26.200.250   xxx.xxx.xxx.101     980
172.26.75.32     xxx.xxx.xxx.108     17
172.26.201.27    xxx.xxx.xxx.166     1
172.26.202.152   xxx.xxx.xxx.104     1
[snip]
Total IPs in use: 88
Total entries in time-reserve cache: 0
Total freelist left: 92

L2 Linker

I am using the original IP address for the <source> and the translated address <xlate-source> since those would be the IP addresses the firewall would see on the original packet that hits the system. So for example, from the "show running nat-rule-ippool" I see,

172.26.202.152   xxx.xxx.xxx.104     1

And I can find,

crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.202.152
--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
889910  playstation-network ACTIVE  FLOW  NS   172.26.202.152[51781]/bp-gaming/6  (xxx.xxx.xxx.104[51781])
vsys1                                     54.241.139.10[443]/internet  (54.241.139.10[443])

However, if I look for,

172.26.200.133   xxx.xxx.xxx.161     30

crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.200.133

No Active Sessions

And if there were to have been an incoming connection (there really shouldn't be, but since I'm troubleshooting, I want to cover all possibilities), it would be found with,

crclark@scea-rhq-sc-pa5050a(active)> show session all filter destination xxx.xxx.xxx.161

No Active Sessions

Since that would have been the IP address on the original packet that came in from the Internet side before NAT.

So I understand why 172.26.202.152 is still holding a slot in the IP pool, but why is 172.26.200.133?
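As an added example (not from the thread, and not a Palo Alto Networks tool), the following Python script does the cross-check described in the two posts above offline: it parses a captured "show running nat-rule-ippool" table and an unfiltered "show session all" listing, matches pool rows on the pre-NAT source address (the only address the session source filter matches, as explained earlier in the thread), and reports pool entries that hold a translation but have no active session. The sample outputs are constructed, with documentation addresses in place of the masked ones in the thread; column layouts follow the CLI output quoted above.

```python
import re

# Constructed sample of "show running nat-rule-ippool" output; the translated
# addresses are documentation ranges standing in for the masked ones in the thread.
POOL_OUTPUT = """\
Rule: Gaming to Internet
-----------------------------------------
Reserve IP: no
0.0.0.0-255.255.255.255 => 203.0.113.100-203.0.113.191
Source           Xlat-Source      Ref. Cnt   TTL(s)
---------------- ---------------- ---------- ----------
172.26.200.133   203.0.113.161     30
172.26.202.152   203.0.113.104     1
172.26.75.32     203.0.113.108     17         45
Total IPs in use: 3
Total entries in time-reserve cache: 1
Total freelist left: 92
"""

# Constructed sample of an unfiltered "show session all", same column layout as
# the session output quoted in the thread.
SESSION_OUTPUT = """\
--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
889910  playstation-network ACTIVE  FLOW  NS   172.26.202.152[51781]/bp-gaming/6  (203.0.113.104[51781])
vsys1                                     54.241.139.10[443]/internet  (54.241.139.10[443])
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# A pool table row: pre-NAT source, translated source, reference count, optional TTL.
POOL_ROW = re.compile(rf"^{IPV4}\s+{IPV4}\s+(\d+)(?:\s+(\d+))?$")
# The first "IP[port]" token on a session's first line is the pre-NAT source.
SRC_TOKEN = re.compile(rf"{IPV4}\[\d+\]")


def parse_pool(text):
    """Return the pool table rows as dicts; 'ttl' is None when the TTL column is empty."""
    rows = []
    for line in text.splitlines():
        m = POOL_ROW.match(line.strip())
        if m:
            rows.append({
                "source": m.group(1),
                "xlate": m.group(2),
                "refcnt": int(m.group(3)),
                "ttl": int(m.group(4)) if m.group(4) else None,
            })
    return rows


def session_sources(text):
    """Collect pre-NAT source IPs from session lines that begin with a session ID."""
    sources = set()
    for line in text.splitlines():
        if line[:1].isdigit():
            m = SRC_TOKEN.search(line)
            if m:
                sources.add(m.group(1))
    return sources


def find_idle_entries(pool_text, session_text):
    """Pool rows whose pre-NAT source has no active session (the 172.26.200.133 case)."""
    active = session_sources(session_text)
    return [row for row in parse_pool(pool_text) if row["source"] not in active]


def report(pool_text, session_text):
    """One summary line per pool row, flagging rows with no active session."""
    active = session_sources(session_text)
    lines = []
    for row in parse_pool(pool_text):
        state = "active" if row["source"] in active else "no sessions"
        ttl = "-" if row["ttl"] is None else f"{row['ttl']}s"
        lines.append(f"{row['source']:<16} -> {row['xlate']:<16} "
                     f"refcnt={row['refcnt']:<4} ttl={ttl:<6} {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(POOL_OUTPUT, SESSION_OUTPUT))
```

Feed it the two captures from the firewall (save each command's output to a file and pass the contents to `report`) to get the same answer the poster reached by hand: rows such as 172.26.200.133 that keep a reference count but match no session. A missing TTL is shown as "-", so entries sitting in the pool with neither a session nor a countdown stand out.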

L5 Sessionator

Could you confirm that you are currently running PAN-OS 4.1.2? If so, there were some NAT pool leak issues resolved between that release and the latest 4.1.x release, which is 4.1.14. If you are indeed on 4.1.2, I would recommend scheduling an upgrade to 4.1.14 and seeing if you still have issues. If you continue to have NAT pool issues with 4.1.14, I would recommend opening a support case to have TAC investigate.

-Richard

L2 Linker

Sorry about that, the version is actually 4.1.6. (When I first looked at the "show system info" output, the "logdb-version: 4.1.2" line caught my eye first.)

However, now I'm not really sure I even have a problem... Upon some more testing, it looks like even though I have 92 translations "in use," when I actually try to create a new translation, it works. One of the translations that's listed gets bumped out. Presumably it's one of those that has no active sessions associated with it. Maybe the PAN retains some memory of inactive sessions so internal IPs get the same external IP address next time, but those external IPs are still available to new active sessions if needed?

So now I may have to look elsewhere for what caused our problems... or maybe we really did run out of mapped addresses. Seems I can't tell by just looking at "show running nat-rule-ippool" how many addresses are really available, if the IP pool is at 100% usage.
