poulid
Explorer

NAT Hide failure message in tracker

Hi folks. As we continue our 'journey to the cloud', we've started running into this error message in tracker, and it's causing us an insane number of issues. We're running R77.30, but we're moving to R80.20. Question: is the NAT message relating to a single NAT entry? Currently everyone accesses O365 using a single NAT'd public IP. So, if we add some entries so that when people go to different O365 services they show up as different NAT'd addresses, can we alleviate this limit? Or is it an overall NAT limit on the gateway? We've increased the limit to 125K, but it's still causing all kinds of issues.

Please advise.

7 Replies
Timothy_Hall
Champion

If you have connections being Hide NATted behind a single NAT address, and there are more than 50,000 concurrent connections attempting to go to the same destination IP address, you can get this error message.  A "hide behind many" as described in this thread/SK can definitely help:

https://community.checkpoint.com/t5/General-Topics/R80-10-Hide-behind-many-question/m-p/3828

sk142833: How to create manual NAT rules in Many-To-Few mode

There are also some other special NAT situations involving CoreXL that can run out of ports separate from the 50k limit described above (called "Extra" or "Global" NAT), see this SK for details:

sk69480: 'NAT Hide failure - there are currently no available ports for hide operation' log appears ...


"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
poulid
Explorer

Thanks, Timothy. So if I create Network Groups containing the public Microsoft Exchange Online subnets, and use a different external NAT to get to it, will this alleviate the issue? I would do the same with the Dynamics 365 public subnets, SharePoint Online, etc. Each would have a separate NAT when it goes through the gateway.

I assume this would count as a 'one behind many' approach?

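The point Timothy makes above (the limit applies per hide address towards one destination IP, not per gateway) and the split poulid is considering can be sanity-checked with a small model. This is an added example, not code from the thread or from Check Point: the even spread of sources over a hide pool, the 10.0.0.0/16 client range and the 203.0.113.10 / 198.51.100.x addresses are constructed placeholders, and the 50,000 threshold is the rule of thumb stated in the thread rather than a documented constant.

```python
"""Model of hide-NAT port pressure per (hide address, destination) pair.

Constructed example, not Check Point code. It applies the thread's rule
of thumb (roughly 50,000 concurrent connections per hide address towards
one destination IP) to a synthetic connection table and shows how a
many-to-few hide pool spreads the same traffic over several pairs.
"""
from collections import Counter
import ipaddress

PAIR_LIMIT = 50_000  # per (hide address, destination IP), as stated in the thread


def pick_hide_address(src: str, pool: list[str]) -> str:
    """Map an internal source to one address of a hide pool.

    Hypothetical many-to-few assignment: sources are spread evenly over
    the pool by the integer value of their address. The gateway's real
    allocation policy may differ; this only illustrates that one
    destination is then reached through several (hide, destination) pairs.
    """
    return pool[int(ipaddress.ip_address(src)) % len(pool)]


def pair_load(flows: list[tuple[str, str]], pool: list[str]) -> Counter:
    """Count concurrent flows per (hide address, destination IP) pair."""
    load = Counter()
    for src, dst in flows:
        load[(pick_hide_address(src, pool), dst)] += 1
    return load


def saturated_pairs(load: Counter, limit: int = PAIR_LIMIT) -> dict:
    """Return the pairs whose concurrent flow count exceeds the limit."""
    return {pair: n for pair, n in load.items() if n > limit}


def build_flows(n_hosts: int, flows_per_host: int, dst: str) -> list[tuple[str, str]]:
    """Constructed traffic: n_hosts clients in 10.0.0.0/16, each holding
    flows_per_host concurrent connections to the same destination IP."""
    hosts = list(ipaddress.ip_network("10.0.0.0/16").hosts())[:n_hosts]
    return [(str(h), dst) for h in hosts for _ in range(flows_per_host)]


if __name__ == "__main__":
    # 2,000 clients x 30 connections = 60,000 concurrent flows to a single
    # constructed destination standing in for one cloud service front door.
    flows = build_flows(2_000, 30, "203.0.113.10")
    print("single hide address:", saturated_pairs(pair_load(flows, ["198.51.100.1"])))
    print("two-address pool:   ", saturated_pairs(pair_load(flows, ["198.51.100.1", "198.51.100.2"])))
```

With one hide address the single pair carries all 60,000 flows and is flagged; with a two-address pool each pair carries 30,000 and nothing is flagged, even though the destination and the total connection count are unchanged.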
Vladimir
Champion

@Timothy_Hall , do you suppose this event may be indicative of the CoreXL (3rd scenario)?

One of my clients just upgraded HA cluster to R80.20 and is seeing these with random gateway reboots:

[screenshot attachment: image.png, not reproduced]

Timothy_Hall
Champion

Yes, it is mentioning "global" in the error message which would seem to indicate NAT issues on ports north of 60,000.  See sk69480.

poulid
Explorer

@Timothy_Hall 

Unfortunately the company who provides support for us disagrees. They say this is a global limitation on the box... so it's an overall number of allowed NATs, regardless of whether they're sharing an IP. He's recommending we bump the number to 250k.

Vladimir
Champion

@Timothy_Hall , thank you!

Have you seen this being a cause of the gateway reboots though?

If not, I'll have to look for other clues.

Timothy_Hall
Champion

Causing reboots, no.
