Firewall-1
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [FW-1] NAT Hide Failure

from Sergio Alvarez [Permanent Link]
Subject: Re: [FW-1] NAT Hide Failure
From: Sergio Alvarez <seralvar AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 25 Oct 2006 11:48:08 -0600 
I don't know for sure the source of the problem, but remember that for each
IP address you have around 65K ports that can be used for each on the
connections going out with a Hide NAT, is possible that at some point you
just had too many connections going out trought the same IP and the firewall
just did not know how to handle the overflow and so the reboot solved the
issue. As a good way to avoid this possibility, you can use a second public
IP and divide all those machines going out between the current and the new
one.

I have never seen this issue before, but thought that info might help.

Regards

On 10/25/06, Matheus Valença <Matheus.Valenca AT t-systems.com DOT br> wrote:


Dear CheckPoint Gurus...



I have a NOKIA IP530 with IPSO 4.1 and CheckPoint R61 installed. This
firewall have 19 internal interfaces and 1 external interface with a /28
range of IPs.



The network of the users and some servers (/22), make NAT to internet in
one IP. Last night, this nat crashed and all the internet access from this
network stopped.



All others nat (1 to 1 for the web servers) did not stopped.



I received this message in the LOG;



DROP - "message_info: NAT Hide failure - there any currently no available
ports for hide operation"





I have no ideas of what could be happening, because the only solution that
I have in that hour (4:00am) was a reboot. Rsrsrs



TKS in advance...



Matheus Valença
.T..Systems do Brasil




=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================





--
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [FW-1] SmartUpdate in NGX, Huiqi_Liu
Next by Date:  Re: [FW-1] AW: [FW-1] SBFC Cluster SSL Error, Edouard Zorrilla
Previous by Thread:  [FW-1] NAT Hide Failure, Matheus Valença
Next by Thread:  Re: [FW-1] NAT Hide Failure, O'Flynn, Derek
Indexes:  [Date] [Thread] [Top] [All Lists]