Cisco Bug: CSCvs60160 - FP9300 ASA Cluster High CPU NAT Port Block Allocation

Last Modified

Apr 29, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.8(4.10)

Description (partial)

Symptom:
A high number of drops is seen in show asp drop output due to nat-xlate-failed:
  NAT failed (nat-xlate-failed)                                        500081827

High CPU on ASA Cluster (80-100%)

Conditions:
FP9300 ASA cluster of 8 units, 5 million conns, 7 million xlates, CPU 80-100%

xlate block-allocation size 32
xlate block-allocation maximum-per-host 2
nat (Nexus-Megacentro,Internet-Megacentro) source dynamic Megacentro-3G-4G-Private pat-pool Megacentro-CGNAT block-allocation


CPU profile: 

Percentage of hits per function, with callers
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@............. 74.90% : spin_lock_get_actual_internal
           99.52% : snp_nat_pool_alloc_socket
            0.09% : snp_nat_allocate_port
            0.05% : mps_hash_lookup