Hi,
When the gateway hides your internal addresses, it has to build a table based
on the Public IP and a Port number, and that will identify the internal
connection and permit the "backward" translation. Because you're hiding your
internal connections in one Public IP, the gateway will have to use the
available ports to uniquely identify the connections. But the number of ports is
limited to 65535 (probably). If you have a /22 internal network, that means you
may have lots of clients (4 class C networks). If each client has multiple
sessions to the internet, that will consume multiple entries per client in your
table. It seems that you reached that limit.
I believe you have two options:
- Reduce the TCP timeouts, in order to release resources more quickly; or
- Use a pool of public IP addresses to hide your internal connections.
Best regards,
Pedro Boavida
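Pedro's explanation above, as an added example that is not code from the original thread: a toy model of a hide-NAT translation table in Python. The public IPs (from the 203.0.113.0/24 documentation range), the 10.0.0.0/22 client addresses, the 50,000-port range per public IP, the session counts and the timeouts are all constructed assumptions, and the table is keyed only by (public IP, port) as in Pedro's description, which is a simplification. It reproduces the exhaustion behind the "no available ports for hide operation" drop, then shows both remedies he lists: a shorter idle timeout that reclaims slots sooner, and a pool of public IPs that multiplies the slots.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed translated-port range for the toy; the real range used by a given
# firewall version is not stated in the thread.
PORT_LOW, PORT_HIGH = 10000, 59999           # 50,000 ports per public IP

Key = Tuple[str, int]                         # (public IP, translated source port)


@dataclass
class HideNatTable:
    """Translation table of a hide-NAT gateway, keyed by (public IP, port)."""
    public_ips: Tuple[str, ...]
    idle_timeout: float                       # seconds before an idle entry is reclaimed
    free: List[Key] = field(init=False)       # unused (public IP, port) slots
    entries: Dict[Key, Tuple[str, int, float]] = field(default_factory=dict)
    # entries maps (public IP, port) -> (internal IP, internal port, last seen)
    failures: int = 0                         # translations refused for lack of a port

    def __post_init__(self) -> None:
        # Every (public IP, port) pair is one slot; more public IPs mean more slots.
        self.free = [(ip, p) for ip in self.public_ips for p in range(PORT_LOW, PORT_HIGH + 1)]
        self.free.reverse()                   # so pop() hands out low ports first

    def capacity(self) -> int:
        return len(self.public_ips) * (PORT_HIGH - PORT_LOW + 1)

    def expire(self, now: float) -> int:
        """Reclaim entries idle longer than idle_timeout; return how many."""
        # Entries are created in time order and this toy never refreshes
        # last_seen, so the dict's insertion order is also its age order.
        reclaimed = 0
        while self.entries:
            key, (_, _, seen) = next(iter(self.entries.items()))
            if now - seen <= self.idle_timeout:
                break
            del self.entries[key]
            self.free.append(key)
            reclaimed += 1
        return reclaimed

    def translate(self, internal_ip: str, internal_port: int, now: float) -> Optional[Key]:
        """Allocate a (public IP, port) for a new outbound session; None when exhausted."""
        self.expire(now)
        if not self.free:
            self.failures += 1                # the gateway logs a hide-NAT failure and drops
            return None
        key = self.free.pop()
        self.entries[key] = (internal_ip, internal_port, now)
        return key

    def untranslate(self, key: Key) -> Optional[Tuple[str, int]]:
        """Backward translation for a reply arriving at (public IP, port)."""
        entry = self.entries.get(key)
        return None if entry is None else (entry[0], entry[1])


def simulate(public_ips, idle_timeout, clients=1000, sessions_per_client=60, spacing=0.01):
    """Constructed load: `clients` hosts in 10.0.0.0/22 each open
    `sessions_per_client` sessions, round-robin, one every `spacing` seconds.
    Returns (successful translations, hide failures)."""
    table = HideNatTable(tuple(public_ips), idle_timeout)
    now, ok = 0.0, 0
    for s in range(sessions_per_client):
        for c in range(clients):
            internal_ip = f"10.0.{c // 256}.{c % 256}"
            if table.translate(internal_ip, 1024 + s, now) is not None:
                ok += 1
            now += spacing
    return ok, table.failures


if __name__ == "__main__":
    # 60,000 sessions against 50,000 slots: the last 10,000 are dropped.
    print("one IP, long timeout :", simulate(["203.0.113.10"], 3600))
    # Shorter idle timeout: slots are recycled before the table fills.
    print("one IP, 60 s timeout :", simulate(["203.0.113.10"], 60))
    # Pool of two public IPs: 100,000 slots, no exhaustion.
    print("two IPs, long timeout:", simulate(["203.0.113.10", "203.0.113.11"], 3600))
```

The first run models the overnight failure: once every (public IP, port) slot is taken, `translate` returns `None` and the gateway has nothing left to key a new session on. Either remedy works in the toy for the same reason it does on a real gateway: one shrinks the number of simultaneously held slots, the other raises the number of slots available.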
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Matheus Valença
Sent: Wednesday, 25 October 2006 17:54
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] NAT Hide Failure
Dear CheckPoint Gurus...
I have a NOKIA IP530 with IPSO 4.1 and CheckPoint R61 installed. This firewall
has 19 internal interfaces and 1 external interface with a /28 range of IPs.
The network of the users and some servers (/22) makes NAT to the internet in one
IP. Last night, this NAT crashed and all the internet access from this network
stopped.
All other NATs (1 to 1 for the web servers) did not stop.
I received this message in the LOG:
DROP - "message_info: NAT Hide failure - there any currently no available ports
for hide operation"
I have no idea what could be happening, because the only solution that I
had at that hour (4:00am) was a reboot. Rsrsrs
TKS in advance...
Matheus Valença
.T..Systems do Brasil
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================