Symptom
A different CG-NAT port block is allocated for the same source IP, causing per-host PAT port-block exhaustion. The following syslog message is observed:
Dec 20 2021 11:59:31: %ASA-3-305016: Unable to create TCP connection from any:x.x.x.x/42750 to any:y.y.y.y/80 due to reaching per-host PAT port block limit of 4.
However, the xlate count for that IP is very low:
asa(config)# sh xlate | in x.x.x.x
TCP PAT from any:x.x.x.x/46943 to IXIA:y.y.y.y/47267 flags ri idle 0:00:45 timeout 0:00:30
TCP PAT from any:x.x.x.x/51332 to IXIA:y.y.y.y/42810 flags ri idle 0:00:45 timeout 0:00:30
TCP PAT from any:x.x.x.x/41818 to IXIA:y.y.y.y/41858 flags ri idle 0:00:45 timeout 0:00:30
TCP PAT from any:x.x.x.x/45818 to IXIA:y.y.y.y/45828 flags ri idle 0:00:45 timeout 0:00:30
Conditions
The issue is observed under the following conditions:
1. ASA running version 9.12(2.18), 9.12(3.5), 9.12(4), 9.13(1.5), 9.14(1) or later
2. A NAT rule is configured with block-allocation and a destination interface of 'any':
nat (any,any) source dynamic inside_network pat-pool pat_pool_grp block-allocation
OR
nat (inside,any) source dynamic inside_network pat-pool pat_pool_grp block-allocation
Workaround
There are two possible workarounds:
1. Change the NAT rule to use a specific destination interface:
nat (inside,outside) source dynamic inside_network pat-pool pat_pool_grp block-allocation
2. Downgrade to a version below 9.12(2.18), 9.12(3.5), 9.12(4), 9.13(1.5), 9.14(1)
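The following script is an added example, not part of the original bug description or of any Cisco tool. It shows how an operator can check offline for the condition and the symptom described above: it scans a saved running-config for block-allocation NAT rules whose destination interface is 'any', counts %ASA-3-305016 messages per source host in a syslog export, and compares that against the number of active translations the host holds in `show xlate` output. A host that has hit its block limit while holding fewer xlates than one block's worth is the signature to investigate. The sample config, syslog and xlate lines are constructed for the example, the addresses are documentation ranges, and the 512-port block size is an assumed default that should be replaced with the value configured on the device.

```python
import re
from collections import Counter

# Constructed sample inputs modelled on the advisory's output (not real captures).
RUNNING_CONFIG = """\
nat (any,any) source dynamic inside_network pat-pool pat_pool_grp block-allocation
nat (inside,any) source dynamic inside_network pat-pool pat_pool_grp block-allocation
nat (inside,outside) source dynamic inside_network pat-pool pat_pool_grp block-allocation
nat (inside,outside) source dynamic guest_net interface
"""

SYSLOG = """\
Dec 20 2021 11:59:31: %ASA-3-305016: Unable to create TCP connection from any:10.1.1.5/42750 to any:203.0.113.9/80 due to reaching per-host PAT port block limit of 4.
Dec 20 2021 11:59:32: %ASA-3-305016: Unable to create TCP connection from any:10.1.1.5/42751 to any:203.0.113.9/80 due to reaching per-host PAT port block limit of 4.
Dec 20 2021 11:59:33: %ASA-6-302013: Built outbound TCP connection 12345 for inside:10.1.1.6/5000 (203.0.113.20/5000) to outside:203.0.113.9/80 (203.0.113.9/80)
"""

XLATE = """\
TCP PAT from any:10.1.1.5/46943 to IXIA:203.0.113.9/47267 flags ri idle 0:00:45 timeout 0:00:30
TCP PAT from any:10.1.1.5/51332 to IXIA:203.0.113.9/42810 flags ri idle 0:00:45 timeout 0:00:30
"""

# NAT rule with block-allocation; captures the (source,destination) interface pair.
NAT_RULE_RE = re.compile(
    r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\) source dynamic .*\bblock-allocation\b")
# The 305016 message: source host and the per-host block limit it reports.
LIMIT_RE = re.compile(
    r"%ASA-3-305016: .*connection from [^:]+:(?P<ip>[\d.]+)/\d+ .*"
    r"per-host PAT port block limit of (?P<limit>\d+)")
# One TCP PAT translation line from 'show xlate'.
XLATE_RE = re.compile(r"^TCP PAT from [^:]+:(?P<ip>[\d.]+)/\d+ ")


def affected_nat_rules(config):
    """Return block-allocation NAT rules whose destination interface is 'any'."""
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RULE_RE.match(line)
        if m and m.group("dst").strip() == "any":
            hits.append(line)
    return hits


def port_block_limit_hits(syslog):
    """Map source IP -> (number of 305016 messages, per-host block limit reported)."""
    counts = Counter()
    limits = {}
    for line in syslog.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
            limits[m.group("ip")] = int(m.group("limit"))
    return {ip: (counts[ip], limits[ip]) for ip in counts}


def xlates_per_host(xlate_output):
    """Count active TCP PAT translations per source IP from 'show xlate' output."""
    counts = Counter()
    for line in xlate_output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def inconsistent_hosts(syslog, xlate_output, block_size=512):
    """Hosts that hit the block limit while holding fewer xlates than one block.

    block_size is the assumed number of ports per allocated block (512 is used
    here as the assumed ASA default). A host legitimately exhausting its blocks
    should hold roughly block_size * limit translations; far fewer means blocks
    are being allocated without being filled, which is the symptom above.
    """
    xl = xlates_per_host(xlate_output)
    out = {}
    for ip, (hits, limit) in port_block_limit_hits(syslog).items():
        active = xl.get(ip, 0)
        if active < block_size:
            out[ip] = {"limit_hits": hits, "block_limit": limit,
                       "active_xlates": active,
                       "expected_capacity": block_size * limit}
    return out


if __name__ == "__main__":
    for rule in affected_nat_rules(RUNNING_CONFIG):
        print("rule matches bug condition:", rule)
    for ip, info in inconsistent_hosts(SYSLOG, XLATE).items():
        print(f"{ip}: {info}")
```

Run it against a `show running-config nat`, a syslog export and a `show xlate` capture from the affected unit; the two `(x,any)` rules are flagged while the `(inside,outside)` form of the workaround is not, and the host from the syslog is reported with 2 active xlates against an expected capacity of 2048.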
Further Problem Description