BugZero | Cisco BugID CSCwa55562 - Different CG-NAT port-block allocated for same sou...

Loading...

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

Operational Defect Database

A free repository of operational (non-security) bugs centralized through custom integrations with leading IT vendors.

Product

Enterprise platform
Bug Scrub Advisor
Operational Risk Scoring
Vendor Integrations

Company

Plans
Value Guide
About
Contact us

Resources

Blog
ServiceNow App
Trust Center
Risk Management
NIST
DORA

©2025 BugZero. All Rights Reserved.

Privacy Policy Terms of Service

BugZero | Cisco BugID CSCwa55562 - Different CG-NAT port-block allocated for same sou...

ODD
Cisco
CSCwa55562

Cisco - Defect ID: CSCwa55562

Different CG-NAT port-block allocated for same source IP causing per-host PAT port block exhaustion

ODD
Cisco
CSCwa55562

Cisco - Defect ID: CSCwa55562

Different CG-NAT port-block allocated for same source IP causing per-host PAT port block exhaustion

Last updated on December 11th, 2024

BugZero Risk Score
7.8 High

Overall: 7.8

Severity: 8.2

Lifecycle: 9.1

Popularity: 5.1

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Bug Details

Description

Symptom

Different CG-NAT port-block allocated for same source IP causing per-host PAT port block exhaustion. The following syslog would be observed: Dec 20 2021 11:59:31: %ASA-3-305016: Unable to create TCP connection from any:x.x.x.x/42750 to any:y.y.y.y/80 due to reaching per-host PAT port block limit of 4. However the xlates count for that IP would be very less: asa(config)# sh xlate | in x.x.x.x TCP PAT from any:x.x.x.x/46943 to IXIA:y.y.y.y/47267 flags ri idle 0:00:45 timeout 0:00:30 TCP PAT from any:x.x.x.x/51332 to IXIA:y.y.y.y/42810 flags ri idle 0:00:45 timeout 0:00:30 TCP PAT from any:x.x.x.x/41818 to IXIA:y.y.y.y/41858 flags ri idle 0:00:45 timeout 0:00:30 TCP PAT from any:x.x.x.x/45818 to IXIA:y.y.y.y/45828 flags ri idle 0:00:45 timeout 0:00:30

Conditions

The issue is observed under the following conditions: 1. ASA running on version 9.12(2.18), 9.12(3.5), 9.12(4), 9.13(1.5), 9.14(1) or above 2. NAT rule is configured with block-allocation with destination interface as 'any': nat (any,any) source dynamic inside_network pat-pool pat_pool_grp block-allocation OR nat (inside,any) source dynamic inside_network pat-pool pat_pool_grp block-allocation

Workaround

There are two possible workarounds: 1. Change the NAT rule to use specific interface: nat (inside,outside) source dynamic inside_network pat-pool pat_pool_grp block-allocation 2. Downgrade to version below 9.12(2.18), 9.12(3.5), 9.12(4), 9.13(1.5), 9.14(1)

Further Problem Description

Change history

2024-12-11 Added: 9.10.1, 9.10.1.10, 9.10.1.11, 9.10.1.17, 9.10.1.2, 9.10.1.22, 9.10.1.27, 9.10.1.30, 9.10.1.32, 9.10.1.37, 9.10.1.40, 9.10.1.42, 9.10.1.44, 9.10.1.7, 9.12.1, 9.12.1.2, 9.12.1.3, 9.12.2, 9.12.2.1, 9.12.2.4, 9.12.2.5, 9.12.2.9, 9.12.3, 9.12.3.12, 9.12.3.2, 9.12.3.7, 9.12.3.9, 9.12.4, 9.12.4.10, 9.12.4.13, 9.12.4.18, 9.12.4.2, 9.12.4.24, 9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.4, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.12.4.7, 9.12.4.8, 9.13.1, 9.13.1.10, 9.13.1.12, 9.13.1.13, 9.13.1.16, 9.13.1.19, 9.13.1.2, 9.13.1.21, 9.13.1.7, 9.14.1, 9.14.1.10, 9.14.1.15, 9.14.1.19, 9.14.1.30, 9.14.1.6, 9.14.2, 9.14.2.13, 9.14.2.15, 9.14.2.4, 9.14.2.8, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.6, 9.14.4.7, 9.15.1, 9.15.1.1, 9.15.1.10, 9.15.1.15, 9.15.1.16, 9.15.1.17, 9.15.1.21, 9.15.1.7, 9.16.1, 9.16.1.28, 9.16.2, 9.16.2.11, 9.16.2.3, 9.16.2.7, 9.17.1, 9.8.1, 9.8.1.5, 9.8.1.7, 9.8.2, 9.8.2.14, 9.8.2.15, 9.8.2.17, 9.8.2.20, 9.8.2.24, 9.8.2.26, 9.8.2.28, 9.8.2.33, 9.8.2.35, 9.8.2.38, 9.8.2.45, 9.8.2.8, 9.8.3, 9.8.3.11, 9.8.3.14, 9.8.3.16, 9.8.3.18, 9.8.3.21, 9.8.3.26, 9.8.3.29, 9.8.3.8, 9.8.4, 9.8.4.10, 9.8.4.12, 9.8.4.15, 9.8.4.17, 9.8.4.20, 9.8.4.22, 9.8.4.25, 9.8.4.26, 9.8.4.29, 9.8.4.3, 9.8.4.32, 9.8.4.33, 9.8.4.34, 9.8.4.35, 9.8.4.39, 9.8.4.40, 9.8.4.41, 9.8.4.43, 9.8.4.44, 9.8.4.45, 9.8.4.46, 9.8.4.48, 9.8.4.7, 9.8.4.8, 9.9.1, 9.9.1.2, 9.9.1.3, 9.9.1.4, 9.9.1.5, 9.9.2, 9.9.2.1, 9.9.2.14, 9.9.2.18, 9.9.2.235, 9.9.2.25, 9.9.2.27, 9.9.2.32, 9.9.2.36, 9.9.2.40, 9.9.2.47, 9.9.2.50, 9.9.2.52, 9.9.2.56, 9.9.2.59, 9.9.2.61, 9.9.2.66, 9.9.2.67, 9.9.2.74, 9.9.2.80, 9.9.2.83, 9.9.2.85, 9.9.2.9

Relevant Products

Click on a version to see all relevant bugs

Affected versions:9.10.1, 9.10.1.10, 9.10.1.11, 9.10.1.17, 9.10.1.2, 9.10.1.22, 9.10.1.27, 9.10.1.30, 9.10.1.32, 9.10.1.37, 9.10.1.40, 9.10.1.42, 9.10.1.44, 9.10.1.7, 9.12.1, 9.12.1.2, 9.12.1.3, 9.12.2, 9.12.2.1, 9.12.2.4, 9.12.2.5, 9.12.2.9, 9.12.3, 9.12.3.12, 9.12.3.2, 9.12.3.7, 9.12.3.9, 9.12.4, 9.12.4.10, 9.12.4.13, 9.12.4.18, 9.12.4.2, 9.12.4.24, 9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.4, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.12.4.7, 9.12.4.8, 9.13.1, 9.13.1.10, 9.13.1.12, 9.13.1.13, 9.13.1.16, 9.13.1.19, 9.13.1.2, 9.13.1.21, 9.13.1.7, 9.14.1, 9.14.1.10, 9.14.1.15, 9.14.1.19, 9.14.1.30, 9.14.1.6, 9.14.2, 9.14.2.13, 9.14.2.15, 9.14.2.4, 9.14.2.8, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.6, 9.14.4.7, 9.15.1, 9.15.1.1, 9.15.1.10, 9.15.1.15, 9.15.1.16, 9.15.1.17, 9.15.1.21, 9.15.1.7, 9.16.1, 9.16.1.28, 9.16.2, 9.16.2.11, 9.16.2.3, 9.16.2.7, 9.17.1, 9.8.1, 9.8.1.5, 9.8.1.7, 9.8.2, 9.8.2.14, 9.8.2.15, 9.8.2.17, 9.8.2.20, 9.8.2.24, 9.8.2.26, 9.8.2.28, 9.8.2.33, 9.8.2.35, 9.8.2.38, 9.8.2.45, 9.8.2.8, 9.8.3, 9.8.3.11, 9.8.3.14, 9.8.3.16, 9.8.3.18, 9.8.3.21, 9.8.3.26, 9.8.3.29, 9.8.3.8, 9.8.4, 9.8.4.10, 9.8.4.12, 9.8.4.15, 9.8.4.17, 9.8.4.20, 9.8.4.22, 9.8.4.25, 9.8.4.26, 9.8.4.29, 9.8.4.3, 9.8.4.32, 9.8.4.33, 9.8.4.34, 9.8.4.35, 9.8.4.39, 9.8.4.40, 9.8.4.41, 9.8.4.43, 9.8.4.44, 9.8.4.45, 9.8.4.46, 9.8.4.48, 9.8.4.7, 9.8.4.8, 9.9.1, 9.9.1.2, 9.9.1.3, 9.9.1.4, 9.9.1.5, 9.9.2, 9.9.2.1, 9.9.2.14, 9.9.2.18, 9.9.2.235, 9.9.2.25, 9.9.2.27, 9.9.2.32, 9.9.2.36, 9.9.2.40, 9.9.2.47, 9.9.2.50, 9.9.2.52, 9.9.2.56, 9.9.2.59, 9.9.2.61, 9.9.2.66, 9.9.2.67, 9.9.2.74, 9.9.2.80, 9.9.2.83, 9.9.2.85, 9.9.2.9

Fixed versions: 9.12.4.52, 9.12.4.54, 9.12.4.55, 9.12.4.56, 9.12.4.58, 9.12.4.62, 9.12.4.65, 9.12.4.67, 9.14.4.15, 9.14.4.17, 9.14.4.22, 9.14.4.23, 9.14.4.24, 9.16.2.13, 9.16.2.14, 9.16.3, 9.16.3.14, 9.16.3.15, 9.16.3.19, 9.16.3.23, 9.16.3.3, 9.16.4, 9.16.4.14, 9.16.4.18, 9.16.4.19, 9.16.4.27, 9.16.4.38, 9.16.4.39, 9.16.4.42, 9.16.4.48, 9.16.4.55, 9.16.4.57, 9.16.4.61, 9.16.4.62, 9.16.4.67, 9.16.4.70, 9.16.4.71, 9.16.4.76, 9.16.4.9, 9.17.1.10, 9.17.1.11, 9.17.1.13, 9.17.1.15, 9.17.1.20, 9.17.1.30, 9.17.1.33, 9.17.1.39, 9.17.1.45, 9.17.1.46, 9.17.1.7, 9.17.1.9, 9.18.1, 9.18.1.3, 9.18.2, 9.18.2.5, 9.18.2.7, 9.18.2.8, 9.18.3, 9.18.3.39, 9.18.3.46, 9.18.3.53, 9.18.3.55, 9.18.3.56, 9.18.4, 9.18.4.22, 9.18.4.24, 9.18.4.29, 9.18.4.34, 9.18.4.40, 9.18.4.47, 9.18.4.5, 9.18.4.50, 9.18.4.8, 9.19.1, 9.19.1.12, 9.19.1.18, 9.19.1.22, 9.19.1.24, 9.19.1.27, 9.19.1.28, 9.19.1.31, 9.19.1.37, 9.19.1.38, 9.19.1.5, 9.19.1.9, 9.20.1, 9.20.1.5, 9.20.2, 9.20.2.10, 9.20.2.21, 9.20.2.22, 9.20.3, 9.20.3.10, 9.20.3.4, 9.20.3.7, 9.20.3.9, 9.22.1.1, 9.22.1.2, 9.22.1.3

Relevant Products

Click on a version to see all relevant bugs

Affected versions:9.10.1, 9.10.1.10, 9.10.1.11, 9.10.1.17, 9.10.1.2, 9.10.1.22, 9.10.1.27, 9.10.1.30, 9.10.1.32, 9.10.1.37, 9.10.1.40, 9.10.1.42, 9.10.1.44, 9.10.1.7, 9.12.1, 9.12.1.2, 9.12.1.3, 9.12.2, 9.12.2.1, 9.12.2.4, 9.12.2.5, 9.12.2.9, 9.12.3, 9.12.3.12, 9.12.3.2, 9.12.3.7, 9.12.3.9, 9.12.4, 9.12.4.10, 9.12.4.13, 9.12.4.18, 9.12.4.2, 9.12.4.24, 9.12.4.26, 9.12.4.29, 9.12.4.30, 9.12.4.35, 9.12.4.37, 9.12.4.38, 9.12.4.39, 9.12.4.4, 9.12.4.40, 9.12.4.41, 9.12.4.47, 9.12.4.48, 9.12.4.50, 9.12.4.7, 9.12.4.8, 9.13.1, 9.13.1.10, 9.13.1.12, 9.13.1.13, 9.13.1.16, 9.13.1.19, 9.13.1.2, 9.13.1.21, 9.13.1.7, 9.14.1, 9.14.1.10, 9.14.1.15, 9.14.1.19, 9.14.1.30, 9.14.1.6, 9.14.2, 9.14.2.13, 9.14.2.15, 9.14.2.4, 9.14.2.8, 9.14.3, 9.14.3.1, 9.14.3.11, 9.14.3.13, 9.14.3.15, 9.14.3.18, 9.14.3.9, 9.14.4, 9.14.4.12, 9.14.4.13, 9.14.4.14, 9.14.4.6, 9.14.4.7, 9.15.1, 9.15.1.1, 9.15.1.10, 9.15.1.15, 9.15.1.16, 9.15.1.17, 9.15.1.21, 9.15.1.7, 9.16.1, 9.16.1.28, 9.16.2, 9.16.2.11, 9.16.2.3, 9.16.2.7, 9.17.1, 9.8.1, 9.8.1.5, 9.8.1.7, 9.8.2, 9.8.2.14, 9.8.2.15, 9.8.2.17, 9.8.2.20, 9.8.2.24, 9.8.2.26, 9.8.2.28, 9.8.2.33, 9.8.2.35, 9.8.2.38, 9.8.2.45, 9.8.2.8, 9.8.3, 9.8.3.11, 9.8.3.14, 9.8.3.16, 9.8.3.18, 9.8.3.21, 9.8.3.26, 9.8.3.29, 9.8.3.8, 9.8.4, 9.8.4.10, 9.8.4.12, 9.8.4.15, 9.8.4.17, 9.8.4.20, 9.8.4.22, 9.8.4.25, 9.8.4.26, 9.8.4.29, 9.8.4.3, 9.8.4.32, 9.8.4.33, 9.8.4.34, 9.8.4.35, 9.8.4.39, 9.8.4.40, 9.8.4.41, 9.8.4.43, 9.8.4.44, 9.8.4.45, 9.8.4.46, 9.8.4.48, 9.8.4.7, 9.8.4.8, 9.9.1, 9.9.1.2, 9.9.1.3, 9.9.1.4, 9.9.1.5, 9.9.2, 9.9.2.1, 9.9.2.14, 9.9.2.18, 9.9.2.235, 9.9.2.25, 9.9.2.27, 9.9.2.32, 9.9.2.36, 9.9.2.40, 9.9.2.47, 9.9.2.50, 9.9.2.52, 9.9.2.56, 9.9.2.59, 9.9.2.61, 9.9.2.66, 9.9.2.67, 9.9.2.74, 9.9.2.80, 9.9.2.83, 9.9.2.85, 9.9.2.9

Fixed versions: 9.12.4.52, 9.12.4.54, 9.12.4.55, 9.12.4.56, 9.12.4.58, 9.12.4.62, 9.12.4.65, 9.12.4.67, 9.14.4.15, 9.14.4.17, 9.14.4.22, 9.14.4.23, 9.14.4.24, 9.16.2.13, 9.16.2.14, 9.16.3, 9.16.3.14, 9.16.3.15, 9.16.3.19, 9.16.3.23, 9.16.3.3, 9.16.4, 9.16.4.14, 9.16.4.18, 9.16.4.19, 9.16.4.27, 9.16.4.38, 9.16.4.39, 9.16.4.42, 9.16.4.48, 9.16.4.55, 9.16.4.57, 9.16.4.61, 9.16.4.62, 9.16.4.67, 9.16.4.70, 9.16.4.71, 9.16.4.76, 9.16.4.9, 9.17.1.10, 9.17.1.11, 9.17.1.13, 9.17.1.15, 9.17.1.20, 9.17.1.30, 9.17.1.33, 9.17.1.39, 9.17.1.45, 9.17.1.46, 9.17.1.7, 9.17.1.9, 9.18.1, 9.18.1.3, 9.18.2, 9.18.2.5, 9.18.2.7, 9.18.2.8, 9.18.3, 9.18.3.39, 9.18.3.46, 9.18.3.53, 9.18.3.55, 9.18.3.56, 9.18.4, 9.18.4.22, 9.18.4.24, 9.18.4.29, 9.18.4.34, 9.18.4.40, 9.18.4.47, 9.18.4.5, 9.18.4.50, 9.18.4.8, 9.19.1, 9.19.1.12, 9.19.1.18, 9.19.1.22, 9.19.1.24, 9.19.1.27, 9.19.1.28, 9.19.1.31, 9.19.1.37, 9.19.1.38, 9.19.1.5, 9.19.1.9, 9.20.1, 9.20.1.5, 9.20.2, 9.20.2.10, 9.20.2.21, 9.20.2.22, 9.20.3, 9.20.3.10, 9.20.3.4, 9.20.3.7, 9.20.3.9, 9.22.1.1, 9.22.1.2, 9.22.1.3

Top Cisco Defects

9.7Defect ID: CSCwf08698
Cat9k Crashes Unexpectedly due to a Fault in the 'TLSCLIENT_PROCESS'
9.7Defect ID: CSCvp36425
Cisco ASA & FTD Software Cryptographic TLS and SSL Driver Denial of Service Vulnerability
9.7Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.7Defect ID: CSCwi93213
9800 WLC marked "AAA Server Down" after switchover when using key 6 password encryption
9.7Defect ID: CSCwj73634
Full or partial 9800 configuration loss after HA SSO failover

Ready to prevent the next vendor outage?

Links

Original Vendor Announcement

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise