Jonathan_Body_FTNT
Article Id 198590

Description

This article explains how to determine whether a NAT port is exhausted on a FortiGate.


Scope

FortiOS 4.0 MR2 and above.


Solution

Event log 'NAT port is exhausted'.

Since the release of FortiOS 4.0 MR2, a new log message is available on the FortiGate that lets an administrator know whether the system is experiencing NAT/PAT port exhaustion. The log is displayed on the alert console and has a severity of critical.

1. Ensure the necessary logging is enabled: in the FortiGate GUI, under Log&Report > Local Logging & Archiving, check that logging to memory (the default setting) is activated.

2. The following message is displayed when the NAT port is exhausted:

Message meets Alert condition
date=2011-02-01 time=19:52:01 devname=master device_id="" log_id=0100020007 type=event subtype=system pri=critical vd=root service=kernel status=failure msg="NAT port is exhausted."

3. Use FortiOS 4.0 MR2 Patch 2 or later for the best optimization of this log.

diagnose system session stat 'clash' counter.

NAT port exhaustion is also indicated by an increase in the 'clash' counter reported by the 'diag sys session stat' command:

FWF60B # diagnose sys session stat

misc info: session_count=16 setup_rate=0 exp_count=0 clash=889
memory_tension_drop=0 ephemeral=1/16384 removeable=3
delete=0, flush=0, dev_down=16/69
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=0005e722
ids_recv=000fdc94
url_recv=00000000
av_recv=001fee47
fqdn_count=00000000
tcp reset stat: syncqf=119 acceptqf=0 no-listener=3995 data=0 ses=2 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
The clash counter has been available in FortiOS 2.8 and later.
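As an added example (not part of the Fortinet article or FortiOS itself), the following Python script applies both checks described above: it parses a FortiOS event log line and flags the 'NAT port is exhausted' event by its log_id or message text, and it extracts the clash counter from two samples of 'diagnose sys session stat' output to report how much it increased between them. The sample log lines and counter outputs are constructed, modelled on the article's examples.

```python
import re

# FortiOS log lines are key=value pairs; values may be double-quoted
# (the msg field contains spaces). Regex is our own, not from the article.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
NAT_EXHAUSTED_LOG_ID = "0100020007"      # log_id from the article's sample line
NAT_EXHAUSTED_MSG = "NAT port is exhausted."

# Constructed sample lines modelled on the article's event (not captured logs).
SAMPLE_LOGS = [
    'date=2011-02-01 time=19:52:01 devname=master device_id="" log_id=0100020007 '
    'type=event subtype=system pri=critical vd=root service=kernel status=failure '
    'msg="NAT port is exhausted."',
    'date=2011-02-01 time=19:52:05 devname=master device_id="" log_id=0000000000 '
    'type=event subtype=system pri=information vd=root msg="Placeholder other event"',
]

# Constructed 'diagnose sys session stat' samples taken a few minutes apart.
DIAG_BEFORE = "misc info: session_count=16 setup_rate=0 exp_count=0 clash=889\n" \
              "memory_tension_drop=0 ephemeral=1/16384 removeable=3\n"
DIAG_AFTER = "misc info: session_count=20 setup_rate=1 exp_count=0 clash=1203\n" \
             "memory_tension_drop=0 ephemeral=1/16384 removeable=3\n"


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def is_nat_exhaustion_event(line):
    """True when the line is the critical kernel 'NAT port is exhausted' event."""
    f = parse_fortios_log(line)
    return (f.get("type") == "event" and f.get("subtype") == "system"
            and (f.get("log_id") == NAT_EXHAUSTED_LOG_ID or f.get("msg") == NAT_EXHAUSTED_MSG))


def clash_counter(diag_output):
    """Extract the clash= value from 'diagnose sys session stat' output, or None."""
    m = re.search(r"\bclash=(\d+)", diag_output)
    return int(m.group(1)) if m else None


def clash_increase(previous_output, current_output):
    """Growth of the clash counter between two samples; None if a sample lacks it."""
    before, after = clash_counter(previous_output), clash_counter(current_output)
    if before is None or after is None:
        return None
    return max(after - before, 0)   # counter resets (e.g. reboot) count as no increase


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("NAT exhaustion event" if is_nat_exhaustion_event(line) else "other event")
    print("clash counter increased by", clash_increase(DIAG_BEFORE, DIAG_AFTER))
```

A counter that keeps rising between samples while the event log shows the critical message confirms exhaustion rather than a one-off clash.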