
OPERATIONAL DEFECT DATABASE
...

...
A different CG-NAT port block is allocated for the same source IP, causing per-host PAT port-block exhaustion. The following syslog is observed:

    Dec 20 2021 11:59:31: %ASA-3-305016: Unable to create TCP connection from any:x.x.x.x/42750 to any:y.y.y.y/80 due to reaching per-host PAT port block limit of 4.

However, the xlate count for that IP is very low (here only four entries, although the host has supposedly consumed all four of its port blocks):

    asa(config)# sh xlate | in x.x.x.x
    TCP PAT from any:x.x.x.x/46943 to IXIA:y.y.y.y/47267 flags ri idle 0:00:45 timeout 0:00:30
    TCP PAT from any:x.x.x.x/51332 to IXIA:y.y.y.y/42810 flags ri idle 0:00:45 timeout 0:00:30
    TCP PAT from any:x.x.x.x/41818 to IXIA:y.y.y.y/41858 flags ri idle 0:00:45 timeout 0:00:30
    TCP PAT from any:x.x.x.x/45818 to IXIA:y.y.y.y/45828 flags ri idle 0:00:45 timeout 0:00:30
The issue is observed under the following conditions:

1. ASA running version 9.12(2.18), 9.12(3.5), 9.12(4), 9.13(1.5), 9.14(1) or later.
2. A NAT rule is configured with block-allocation and the destination interface set to 'any':

    nat (any,any) source dynamic inside_network pat-pool pat_pool_grp block-allocation

   OR

    nat (inside,any) source dynamic inside_network pat-pool pat_pool_grp block-allocation
There are two possible workarounds:

1. Change the NAT rule to use a specific destination interface:

    nat (inside,outside) source dynamic inside_network pat-pool pat_pool_grp block-allocation

2. Downgrade to a version below 9.12(2.18), 9.12(3.5), 9.12(4), 9.13(1.5), 9.14(1).