poulid
Ivory

NAT Hide failure message in tracker

Hi folks. As we continue our 'journey to the cloud', we've started running into this error message in Tracker, and it's causing us an insane number of issues. We're running R77.30, but we're moving to R80.20. Question: is the NAT message relating to a single NAT entry? Currently everyone accesses O365 using a single NAT'd public IP. So, if we add some entries so that when people go to different O365 services they show up as different NAT'd addresses, can we alleviate this limit? Or is it an overall NAT limit on the gateway? We've increased the limit to 125K, but it's still causing all kinds of issues.

Please advise..

7 Replies

Re: NAT Hide failure message in tracker

If you have connections being Hide NATted behind a single NAT address, and there are more than 50,000 concurrent connections attempting to go to the same destination IP address, you can get this error message.  A "hide behind many" as described in this thread/SK can definitely help:

https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3828

sk142833: How to create manual NAT rules in Many-To-Few mode

There are also some other special NAT situations involving CoreXL that can run out of ports separate from the 50k limit described above (called "Extra" or "Global" NAT), see this SK for details:

sk69480: 'NAT Hide failure - there are currently no available ports for hide operation' log appears ...

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
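The reply above describes the limit as per hide address and per destination IP (about 50,000 source ports), and "hide behind many" / many-to-few as the fix. The following is an added toy model written for this page, not Check Point code or the poster's configuration, that makes that arithmetic concrete: it allocates one pool of source ports per (hide IP, protocol, destination IP), counts the "no available ports" failures when a single hide IP carries more concurrent connections than the pool to one destination, and then shows the same load spread across a pool of hide IPs. The 10,000-60,000 port range, the round-robin-with-spill-over pool selection, and all addresses (TEST-NET ranges) are assumptions of the example, and the real gateway's allocation (CoreXL instances, the global port range above 60,000) is not modelled.

```python
"""Toy model of Hide NAT source-port exhaustion and the 'hide behind many' fix.

Constructed example for illustration, not Check Point code. Assumptions:
- one pool of 50,000 source ports per (hide IP, protocol, destination IP),
  matching the 50k figure in the thread; the 10000-60000 range is assumed
- a many-to-few rule is modelled as round-robin over a list of hide IPs,
  spilling to the next hide IP when one pool is full
- addresses are TEST-NET documentation ranges, chosen for the example
"""
from collections import defaultdict
import ipaddress

HIDE_PORTS = range(10000, 60000)  # assumed default hide range: 50,000 ports


class HideNat:
    def __init__(self, rules, default_hide, capacity=len(HIDE_PORTS)):
        # rules: list of (destination network, [hide IPs]) matched in order,
        # i.e. "traffic to this subnet hides behind this pool of addresses"
        self.rules = [(ipaddress.ip_network(net), list(pool)) for net, pool in rules]
        self.default = [default_hide]           # catch-all hide address
        self.capacity = capacity
        self.in_use = defaultdict(int)          # (hide_ip, proto, dst_ip) -> live conns
        self.failures = 0                       # "no available ports for hide operation"
        self._rr = defaultdict(int)             # per-destination round-robin cursor

    def hide_pool(self, dst_ip):
        """Return the list of hide IPs that apply to this destination."""
        dst = ipaddress.ip_address(dst_ip)
        for net, pool in self.rules:
            if dst in net:
                return pool
        return self.default

    def open_conn(self, proto, dst_ip):
        """Allocate a hide address for a new connection; None on port exhaustion."""
        pool = self.hide_pool(dst_ip)
        start = self._rr[dst_ip] % len(pool)
        self._rr[dst_ip] += 1
        for i in range(len(pool)):
            hide = pool[(start + i) % len(pool)]
            key = (hide, proto, dst_ip)
            # each (hide IP, proto, destination IP) triple has its own port pool
            if self.in_use[key] < self.capacity:
                self.in_use[key] += 1
                return hide
        self.failures += 1
        return None

    def close_conn(self, hide, proto, dst_ip):
        """Release a port when the connection ends."""
        key = (hide, proto, dst_ip)
        if self.in_use[key] > 0:
            self.in_use[key] -= 1


def simulate(hide_pool, n_conns, dst_ips=("203.0.113.10",)):
    """Open n_conns concurrent TCP connections, spread round-robin over dst_ips,
    all hidden behind hide_pool. Returns (failure count, per-triple usage)."""
    nat = HideNat(rules=[("203.0.113.0/24", hide_pool)], default_hide="198.51.100.1")
    for i in range(n_conns):
        nat.open_conn("tcp", dst_ips[i % len(dst_ips)])
    return nat.failures, dict(nat.in_use)


if __name__ == "__main__":
    # 60,000 connections to one destination behind one hide IP: 10,000 fail
    fails, usage = simulate(["198.51.100.1"], 60000)
    print("single hide IP:", fails, "failures", usage)
    # same load behind two hide IPs (many-to-few): no failures, 30,000 each
    fails, usage = simulate(["198.51.100.1", "198.51.100.2"], 60000)
    print("two hide IPs:", fails, "failures", usage)
    # same load split over two destination IPs behind one hide IP: no failures,
    # because the pool is per destination IP as well as per hide IP
    fails, usage = simulate(["198.51.100.1"], 60000, ("203.0.113.10", "203.0.113.11"))
    print("two destinations:", fails, "failures", usage)
```

The third run is the reason a per-service split only helps when the connections actually land on different destination IPs: the pool is keyed on the destination as well as the hide address, so 60,000 connections to a single destination IP still need more than one hide address in front of it.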
poulid
Ivory

Re: NAT Hide failure message in tracker

Thx Timothy. So if I create Network Groups containing the public Microsoft Exchange Online subnets, and use a different external NAT to get to it, will this alleviate the issue? I would do the same with the Dynamics 365 public subnets, and SharePoint Online, etc. Each would have a separate NAT when it goes through the gateway.

I assume this would count as a 'one behind many' approach?

Vladimir
Pearl

Re: NAT Hide failure message in tracker

@Timothy_Hall , do you suppose this event may be indicative of the CoreXL (3rd scenario)?

One of my clients just upgraded HA cluster to R80.20 and is seeing these with random gateway reboots:

[attached screenshot of the log entries: image.png]


Re: NAT Hide failure message in tracker

Yes, it is mentioning "global" in the error message which would seem to indicate NAT issues on ports north of 60,000.  See sk69480.

poulid
Ivory

Re: NAT Hide failure message in tracker

@Timothy_Hall 

Unfortunately the company who provides support for us disagrees. They say this is a global limitation on the box, so it's an overall number of allowed NATs, regardless of whether they're sharing an IP. He's recommending we bump the number to 250k.

Vladimir
Pearl

Re: NAT Hide failure message in tracker

@Timothy_Hall , thank you!

Have you seen this being a cause of the gateway reboots though?

If not, I'll have to look for other clues.


Re: NAT Hide failure message in tracker

Causing reboots, no.
