Cisco Bug: CSCum51086 - ASA 202010 NAT pool exhausted log for PAT rule when cluster master fails
Nov 27, 2020
- Cisco Adaptive Security Appliance (ASA) Software
Symptom: After the master role changes in an ASA cluster, some traffic could be dropped with the following syslog:

%ASA-3-202010: NAT pool exhausted. Unable to create UDP connection from inside:172.16.1.9/2722 to outside:192.168.1.6/53

Conditions: This happens when the traffic matches a PAT rule with fewer global addresses than members in the cluster. For example, if there are 2 units in the cluster but the PAT rule only contains 1 global IP, this message can be seen. It is recommended to configure at least 1 PAT IP address for each unit in the cluster. Otherwise, traffic can be dropped when the master role changes.

This is an enhancement request to warn the user when configuring a PAT rule on a cluster if there are more cluster members than available PAT IPs.
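To confirm this symptom in collected logs, the following added example (not part of the Cisco bug record) extracts %ASA-3-202010 messages and counts the dropped connections per interface pair and per source host. The message layout is taken from the syslog quoted above; the timestamps, the hostname asa-unit2 and all sample lines other than the first message are constructed.

```python
import re
from collections import Counter

# Message layout taken from the syslog text quoted in the Symptom.
PAT_EXHAUSTED = re.compile(
    r"%ASA-3-202010: NAT pool exhausted\. Unable to create (?P<proto>\S+) "
    r"connection from (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Constructed sample: the first message is the one quoted on this page; the
# timestamps, the hostname "asa-unit2" and the other lines are made up.
SAMPLE_LOG = [
    "Jan 10 03:14:07 asa-unit2 %ASA-3-202010: NAT pool exhausted. Unable to create "
    "UDP connection from inside:172.16.1.9/2722 to outside:192.168.1.6/53",
    "Jan 10 03:14:07 asa-unit2 %ASA-3-202010: NAT pool exhausted. Unable to create "
    "TCP connection from inside:172.16.1.9/51514 to outside:192.168.1.20/443",
    "Jan 10 03:14:08 asa-unit2 %ASA-3-202010: NAT pool exhausted. Unable to create "
    "UDP connection from inside:172.16.1.12/40111 to outside:192.168.1.6/53",
    "Jan 10 03:14:08 asa-unit2 %ASA-6-302015: Built outbound UDP connection 1001 "
    "for outside:192.168.1.6/53 (192.168.1.6/53) to inside:172.16.1.30/5353",
]

def parse_202010(line):
    """Return the fields of a 202010 message as a dict, or None for other lines."""
    m = PAT_EXHAUSTED.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["src_port"] = int(event["src_port"])
    event["dst_port"] = int(event["dst_port"])
    return event

def summarize(lines):
    """Count dropped connections per (src_if, dst_if, proto) and per source host."""
    flows, hosts = Counter(), Counter()
    for line in lines:
        event = parse_202010(line)
        if event is None:
            continue  # not a PAT exhaustion message
        flows[(event["src_if"], event["dst_if"], event["proto"])] += 1
        hosts[event["src_ip"]] += 1
    return flows, hosts

if __name__ == "__main__":
    flows, hosts = summarize(SAMPLE_LOG)
    for (src_if, dst_if, proto), n in flows.most_common():
        print(f"{n} dropped {proto} connections {src_if} -> {dst_if}")
    for ip, n in hosts.most_common():
        print(f"  {ip}: {n}")
```

A burst of these messages that begins at the time of a master role change, on a PAT rule with fewer global addresses than cluster units, matches the condition described above.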