Cisco Bug: CSCum51086 - ASA 202010 NAT pool exhausted log for PAT rule when cluster master fails

Last Modified

Nov 27, 2020

Products (1)

  • Cisco Adaptive Security Appliance (ASA) Software

Known Affected Releases

9.1(4)

Description (partial)

Symptom:
After the master role changes in an ASA cluster, some traffic could be dropped with the following syslog:

%ASA-3-202010: NAT pool exhausted. Unable to create UDP connection from inside:172.16.1.9/2722 to outside:192.168.1.6/53

Conditions:
This happens when the traffic matches a PAT rule with fewer global addresses than members in the cluster. For example, if there are 2 units in the cluster but the PAT rule only contains 1 global IP, this message can be seen.

It is recommended to configure at least 1 PAT IP address for each unit in the cluster. Otherwise, traffic can be dropped when the master role changes.

This is an enhancement request to warn the user when configuring a PAT rule on a cluster if there are more cluster members than available PAT IPs.
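
To check collected syslog for this symptom, the following Python is an added example (not part of the Cisco bug text). It matches 202010 messages in both forms that appear on this page and counts drops per flow. The timestamps and the unrelated 302015 line in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the detailed form from the symptom above and the short form
# ("NAT/PAT pool exhausted. Unable to create connection.") with no endpoints.
MSG_202010 = re.compile(
    r"%ASA-3-202010: NAT(?:/PAT)? pool exhausted\. "
    r"Unable to create (?:(?P<proto>\S+) )?connection"
    r"(?: from (?P<src_if>[^:\s]+):(?P<src_ip>\S+)/(?P<src_port>\d+)"
    r" to (?P<dst_if>[^:\s]+):(?P<dst_ip>\S+)/(?P<dst_port>\d+))?"
)

def parse_202010(line):
    """Return the message fields as a dict, or None if the line is not 202010."""
    m = MSG_202010.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count 202010 drops per (protocol, source IP, destination IP:port)."""
    drops = Counter()
    for line in lines:
        fields = parse_202010(line)
        if fields is None:
            continue  # some other syslog message
        if fields["src_ip"] is None:
            key = ("unknown", None, None)  # short form carries no flow details
        else:
            dst = f"{fields['dst_ip']}:{fields['dst_port']}"
            key = (fields["proto"], fields["src_ip"], dst)
        drops[key] += 1
    return drops

# Constructed sample: message bodies follow the forms on this page,
# timestamps and the 302015 line are made up for the example.
SAMPLE = [
    "Nov 27 2020 10:00:01: %ASA-3-202010: NAT pool exhausted. Unable to create "
    "UDP connection from inside:172.16.1.9/2722 to outside:192.168.1.6/53",
    "Nov 27 2020 10:00:02: %ASA-3-202010: NAT pool exhausted. Unable to create "
    "UDP connection from inside:172.16.1.9/2723 to outside:192.168.1.6/53",
    "Nov 27 2020 10:00:02: %ASA-3-202010: NAT/PAT pool exhausted. "
    "Unable to create connection.",
    "Nov 27 2020 10:00:03: %ASA-6-302015: Built outbound UDP connection 41 for "
    "outside:192.168.1.6/53 (192.168.1.6/53) to inside:172.16.1.9/2724 (172.16.1.9/2724)",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, key)
```

A burst of these counts that starts at the time of a master role change, on a PAT rule with fewer global addresses than cluster members, matches the condition described above.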

Related Community Discussions

NAT/PAT pool exhausted
ASA5505 running 8.4.1 I keep seeing the below logs..

Feb 24 2011 14:32:09: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.
Feb 24 2011 14:32:10: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.
Feb 24 2011 14:32:11: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.
Feb 24 2011 14:32:12: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.
Feb 24 2011 14:32:22: %ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection.
...
Latest activity: Jun 15, 2015