Cisco Bug: CSCuq33233 - Clustering: Overlapping PAT IPs in NAT rules prevent xlates from replicating

Last Modified

Nov 27, 2020

Products (1)

  • Cisco Adaptive Security Appliance (ASA) Software

Known Affected Releases

100.12(0.45) 100.8(40.7) 9.1(2) 9.1(5.101) 9.3(1) 9.4(2) 9.6(2) 9.8(2) 9.9(2) 99.1(2.14) 99.15(1.192)

Description (partial)

Symptom:
The following symptoms might be experienced when encountering this problem:
1. 'cluster exec show nat pool cluster' will show that the backup unit for some PAT IPs in a PAT pool is <UNKNOWN>
2. PAT xlates will fail to replicate from some cluster members to other members whose backup shows as <UNKNOWN>

If a unit's xlates fail to replicate to a backup unit because of this problem, then if that unit fails and leaves the cluster, connections in progress might fail as well.

When traffic matching an affected NAT rule fails over, the slave's connections are terminated and, as a result, that traffic fails.

Conditions:
To encounter this problem all of the following conditions must be met:
1) The cluster must have more than one unit -and-
2) The ASA configuration must include two or more PAT rules that have overlapping global IP Pools

Example:

object-group network OUTSIDE_PAT_POOL
 network-object object [IP address 1]
 network-object object [IP address 2]
 network-object object [IP address 3]
 network-object object [IP address 4]
object-group network OUTSIDE_PAT_POOL_PRIME
 network-object object [IP address 1]
 network-object object [IP address 2]
 network-object object [IP address 3]
 network-object object [IP address 4]
object network computers
 nat (inside,outside) dynamic pat-pool OUTSIDE_PAT_POOL
object network printers
 nat (inside,outside) dynamic pat-pool OUTSIDE_PAT_POOL_PRIME

In the configuration above, the two PAT pools referenced by the two NAT rules contain overlapping IP addresses.
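As an added example, not part of the Cisco bug report, the following Python check parses an ASA configuration excerpt, resolves every pat-pool referenced by a dynamic PAT rule to its set of addresses, and reports pairs of distinct pools that share addresses, which is the condition this bug describes. The configuration inside the script is constructed for the example: it uses RFC 5737 documentation addresses in place of the report's [IP address N] placeholders, the object names other than OUTSIDE_PAT_POOL, OUTSIDE_PAT_POOL_PRIME, computers and printers are made up, and the parser only understands the host and range object forms and network-object object/host group members.

```python
import re
from ipaddress import ip_address
from itertools import combinations

# Constructed ASA configuration excerpt modelled on the bug report's example.
# Addresses are RFC 5737 documentation addresses standing in for the report's
# "[IP address N]" placeholders; PAT_IP_* and GUEST_* names are made up.
SAMPLE_CONFIG = """
object network PAT_IP_1
 host 203.0.113.10
object network PAT_IP_2_4
 range 203.0.113.11 203.0.113.13
object-group network OUTSIDE_PAT_POOL
 network-object object PAT_IP_1
 network-object object PAT_IP_2_4
object-group network OUTSIDE_PAT_POOL_PRIME
 network-object object PAT_IP_1
 network-object object PAT_IP_2_4
object-group network GUEST_PAT_POOL
 network-object host 203.0.113.20
object network computers
 nat (inside,outside) dynamic pat-pool OUTSIDE_PAT_POOL
object network printers
 nat (inside,outside) dynamic pat-pool OUTSIDE_PAT_POOL_PRIME
object network guests
 nat (inside,outside) dynamic pat-pool GUEST_PAT_POOL
"""


def parse_config(text):
    """Return (objects, groups, nat_rules) from an ASA running-config excerpt."""
    objects = {}    # object network name -> set of addresses as ints
    groups = {}     # object-group name -> list of ("object", name) | ("host", ip)
    nat_rules = []  # (object name, pat-pool name) for each dynamic PAT rule
    current = None  # ("object" | "group", name) of the block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Top-level statement: open a new block or leave the current one.
            m = re.match(r"object network (\S+)$", line)
            if m:
                current = ("object", m.group(1))
                objects.setdefault(m.group(1), set())
                continue
            m = re.match(r"object-group network (\S+)$", line)
            if m:
                current = ("group", m.group(1))
                groups.setdefault(m.group(1), [])
                continue
            current = None
            continue
        if current is None:
            continue
        kind, name = current
        tok = line.split()
        if kind == "object":
            if tok[0] == "host":
                objects[name].add(int(ip_address(tok[1])))
            elif tok[0] == "range":
                lo, hi = int(ip_address(tok[1])), int(ip_address(tok[2]))
                objects[name].update(range(lo, hi + 1))
            elif tok[0] == "nat" and "pat-pool" in tok:
                nat_rules.append((name, tok[tok.index("pat-pool") + 1]))
        elif kind == "group" and tok[0] == "network-object":
            if tok[1] == "object":
                groups[name].append(("object", tok[2]))
            elif tok[1] == "host":
                groups[name].append(("host", tok[2]))
    return objects, groups, nat_rules


def resolve_pool(name, objects, groups):
    """Expand a pat-pool name (object or object-group) to its set of addresses."""
    if name in groups:
        addrs = set()
        for kind, ref in groups[name]:
            if kind == "object":
                addrs |= objects.get(ref, set())
            else:
                addrs.add(int(ip_address(ref)))
        return addrs
    return set(objects.get(name, set()))


def find_overlapping_pat_pools(config_text):
    """Report pairs of PAT rules whose distinct pools share at least one address."""
    objects, groups, nat_rules = parse_config(config_text)
    pools = {pool: resolve_pool(pool, objects, groups) for _, pool in nat_rules}
    findings = []
    for (obj_a, pool_a), (obj_b, pool_b) in combinations(nat_rules, 2):
        if pool_a == pool_b:
            continue  # one pool object reused by two rules is not the case described
        shared = pools[pool_a] & pools[pool_b]
        if shared:
            findings.append({"rules": (obj_a, obj_b), "pools": (pool_a, pool_b),
                             "shared": [str(ip_address(i)) for i in sorted(shared)]})
    return findings


if __name__ == "__main__":
    for f in find_overlapping_pat_pools(SAMPLE_CONFIG):
        print(f"rules {f['rules']} use pools {f['pools']} sharing {f['shared']}")
```

Run against a saved `show running-config` excerpt, the script flags the computers/printers pair because OUTSIDE_PAT_POOL and OUTSIDE_PAT_POOL_PRIME resolve to the same four addresses, while GUEST_PAT_POOL is left alone; a clean result is a quick way to confirm a cluster's NAT configuration is outside the conditions listed above.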