Thread: NAT Hide Failure




NAT Hide Failure
user name
2006-10-25 16:54:03
Dear CheckPoint Gurus...

I have a NOKIA IP530 with IPSO 4.1 and CheckPoint R61
installed. This firewall has 19 internal interfaces and 1
external interface with a /28 range of IPs.

The network of the users and some servers (/22) is NATed to
the internet behind one IP. Last night this NAT crashed and all
internet access from this network stopped.

All the other NATs (1-to-1 for the web servers) did not stop.

I received this message in the LOG:

DROP - "message_info: NAT Hide failure - there any
currently no available ports for hide operation"

I have no idea what could be happening, because the only
solution I had at that hour (4:00am) was a reboot.
Rsrsrs

TKS in advance...

Matheus Valença
T-Systems do Brasil

 


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
NAT Hide Failure
user name
2006-10-25 17:34:42
On 10/25/06, Matheus Valença <Matheus.Valencat-systems.com.br> wrote:
> Dear CheckPoint Gurus...
>
> I have a NOKIA IP530 with IPSO 4.1 and CheckPoint R61
> installed. This firewall has 19 internal interfaces and 1
> external interface with a /28 range of IPs.
>
> The network of the users and some servers (/22) is NATed to
> the internet behind one IP. Last night this NAT crashed and
> all internet access from this network stopped.
>
> All the other NATs (1-to-1 for the web servers) did not
> stop.
>
> I received this message in the LOG:
>
> DROP - "message_info: NAT Hide failure - there any
> currently no available ports for hide operation"
>
> I have no idea what could be happening, because the
> only solution I had at that hour (4:00am) was a
> reboot. Rsrsrs

  How many users do you have on the /22 network?
  This seems like a resource problem, the NAT code no longer
  being able to map client IPs to the NATed address.

  M.

NAT Hide Failure
user name
2006-10-25 17:48:08
I don't know for sure the source of the problem, but remember
that for each IP address you have around 65K ports that can be
used for the connections going out with a Hide NAT. It is possible
that at some point you just had too many connections going out
through the same IP and the firewall just did not know how to
handle the overflow, and so the reboot solved the issue. As a
good way to avoid this possibility, you can use a second public
IP and divide all those machines going out between the current
and the new one.

I have never seen this issue before, but thought that info
might help.

Regards

On 10/25/06, Matheus Valença <Matheus.Valencat-systems.com.br> wrote:
>
> Dear CheckPoint Gurus...
>
> I have a NOKIA IP530 with IPSO 4.1 and CheckPoint R61
> installed. This firewall has 19 internal interfaces and 1
> external interface with a /28 range of IPs.
>
> The network of the users and some servers (/22) is NATed to
> the internet behind one IP. Last night this NAT crashed and
> all internet access from this network stopped.
>
> All the other NATs (1-to-1 for the web servers) did not
> stop.
>
> I received this message in the LOG:
>
> DROP - "message_info: NAT Hide failure - there any
> currently no available ports for hide operation"
>
> I have no idea what could be happening, because the
> only solution I had at that hour (4:00am) was a reboot.
> Rsrsrs
>
> TKS in advance...
>
> Matheus Valença
> T-Systems do Brasil
>



-- 
Sergio Alvarez
(506)8301342

NAT Hide Failure
user name
2006-10-26 19:22:40
You can go into monitor and check current connections; if
this is over 50k then you can't use automatic hide nat
without some adverse issue.  Most gateways default to 25k
unless you up this limit.

Thanks,

Derek O'Flynn
LSU Health Sciences Center
Enterprise Information Security
(504)628-4431 doflynlsuhsc.edu 
 
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM]
On Behalf Of Sergio Alvarez
Sent: Wednesday, October 25, 2006 12:48 PM
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] NAT Hide Failure

I don't know for sure the source of the problem, but remember
that for each IP address you have around 65K ports that can be
used for the connections going out with a Hide NAT. It is possible
that at some point you just had too many connections going out
through the same IP and the firewall just did not know how to
handle the overflow, and so the reboot solved the issue. As a
good way to avoid this possibility, you can use a second public
IP and divide all those machines going out between the current
and the new one.

I have never seen this issue before, but thought that info
might help.

Regards

-- 
Sergio Alvarez
(506)8301342

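A small way to make the two replies' advice checkable (roughly 65K ports per hide address, a connections-table default near 25K, and splitting hosts across a second public IP), added here as an example and not code from the thread, Check Point, or Nokia: it counts "NAT Hide failure" drops per public address in constructed sample log lines and estimates how many hide IPs a given peak connection count needs. The key=value log layout, the 198.51.100.x addresses and the 10000-60000 usable port range are assumptions; check your gateway's real hide port range before relying on the numbers.

```python
import math
import re
from collections import Counter

# Constructed sample lines (not real logs from the thread) in a
# simplified key=value layout; the drop text is the message quoted above.
SAMPLE_LOG = """\
03:58:01 action=accept src=10.1.2.3 xlatesrc=198.51.100.5 xlatesport=10451
03:58:02 action=accept src=10.1.2.4 xlatesrc=198.51.100.5 xlatesport=10452
03:59:10 action=drop src=10.1.5.7 xlatesrc=198.51.100.5 message_info=NAT Hide failure - there any currently no available ports for hide operation
03:59:11 action=drop src=10.1.5.8 xlatesrc=198.51.100.5 message_info=NAT Hide failure - there any currently no available ports for hide operation
03:59:12 action=accept src=10.2.0.9 xlatesrc=198.51.100.6 xlatesport=20001
"""

# A drop whose message names the hide failure; capture the hide (public) IP.
HIDE_FAIL = re.compile(r"action=drop .*?xlatesrc=(\S+) .*NAT Hide failure")

# Assumed usable hide port range per public IP (10000-60000); verify locally.
PORTS_PER_HIDE_IP = 60000 - 10000


def hide_failures_per_ip(log_text):
    """Count hide-NAT port-exhaustion drops per public (hide) address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HIDE_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hide_ips_needed(peak_connections, ports_per_ip=PORTS_PER_HIDE_IP, headroom=0.8):
    """Public addresses needed so peak load stays under headroom * port pool."""
    usable = int(ports_per_ip * headroom)
    return max(1, math.ceil(peak_connections / usable))


def assess(peak_connections, hide_ips, conn_table_limit=25000):
    """Flag the two limits raised in the thread: connection table and hide port pool."""
    return {
        "over_conn_table": peak_connections > conn_table_limit,
        "over_hide_pool": peak_connections > hide_ips * PORTS_PER_HIDE_IP,
        "hide_ips_recommended": hide_ips_needed(peak_connections),
    }


if __name__ == "__main__":
    print(hide_failures_per_ip(SAMPLE_LOG))
    print(assess(peak_connections=52000, hide_ips=1))
```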