
How to increase the port range to avoid NAT port exhaustion

This article describes how to avoid the NAT port or socket exhaustion by increasing the default NAT port in FortiGate.

Scope

FortiGate.

Solution

In the FortiGate Event Log, the message 'NAT port is exhausted' appears with the log description 'Socket is exhausted'.

This means the NAT port that the FortiGate tried to allocate conflicts with ports already in use, so no free port was available for the new translation. The failure is logged with log ID 0100020007 under Event log > General System Event.

Example:

date="2024-06-09" time="10:57:46" devid="FGT000123456" vd="root" type="event" subtype="system" bid=540114651 devname="FGTXXXX" dstepid=3 dsteuid=3 dstip="8.8.8.8" dstport=53 dvid=2147 epid=3 euid=3 eventtime=1686326266292111978 id=7242716162855799960 level="critical" logdesc="Socket is exhausted" logid="0100020007" logver=604065868 msg="NAT port is exhausted." nat="33.43.111.222" proto=17 service="kernel" srcip="10.200.100.50" srcport=15651 status="failure" tz="-0500" vrf=0

Source NAT must avoid and resolve the conflicts that arise when multiple internal sources use the same source port to create different external connections. In general, multiple users can use the same source port when connecting to destinations with the same or different destination ports.

No conflict results, because the firewall translates each source port to a different NAT port while building the session.

The translation scenario below shows the NAT port changing even though two internal sources use the same source port:

Internal                              Firewall/Router          External
Source 1 (sport 10230 | dport 443)    SNAT (10230 -> 44567)    Destination (dport 443)
Source 2 (sport 10230 | dport 443)    SNAT (10230 -> 44568)    Destination (dport 443)

In this situation, if no NAT port is available for the SNAT, the translation fails with the port conflict described above. In FortiGate, the default source port range is 1024 to 25000.

When NAT port exhaustion happens, the primary workaround is to enlarge the source port range available for translation at the FortiOS level, as follows:

config system global
set ip-src-port-range 1024-65000
end
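The following Python script is an added example, not part of the original article or any Fortinet tool. It covers both the log example above and the port-range change: it parses FortiGate key="value" event log lines, flags log ID 0100020007 events and counts them per NAT IP so an operator can see which NAT address is exhausting its pool, and it computes how many source ports a given ip-src-port-range value provides so the default (1024-25000) can be compared with the enlarged range (1024-65000). The sample log lines are constructed; the first reuses the article's example, the third uses a placeholder log ID that is not a real FortiOS ID. The port bounds 1-65535 are a general TCP/UDP assumption, not a FortiOS-documented limit.

```python
import re
from collections import Counter

# Log ID from the article for "NAT port is exhausted" / "Socket is exhausted".
NAT_EXHAUSTED_LOGID = "0100020007"

# Constructed sample event log lines. The first is the article's own example;
# the second is a constructed second failure from another internal host;
# the third is an unrelated event with a placeholder log ID (not a real FortiOS ID).
SAMPLE_LOGS = [
    'date="2024-06-09" time="10:57:46" devid="FGT000123456" vd="root" type="event" '
    'subtype="system" level="critical" logdesc="Socket is exhausted" '
    'logid="0100020007" msg="NAT port is exhausted." nat="33.43.111.222" proto=17 '
    'service="kernel" srcip="10.200.100.50" srcport=15651 dstip="8.8.8.8" dstport=53 '
    'status="failure" tz="-0500" vrf=0',
    'date="2024-06-09" time="10:57:47" devid="FGT000123456" vd="root" type="event" '
    'subtype="system" level="critical" logdesc="Socket is exhausted" '
    'logid="0100020007" msg="NAT port is exhausted." nat="33.43.111.222" proto=6 '
    'service="kernel" srcip="10.200.100.51" srcport=40012 dstip="1.1.1.1" dstport=443 '
    'status="failure" tz="-0500" vrf=0',
    'date="2024-06-09" time="10:58:00" devid="FGT000123456" vd="root" type="event" '
    'subtype="system" level="information" logdesc="Placeholder event" '
    'logid="0000000000" msg="Constructed non-NAT event." status="success" tz="-0500"',
]

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a bare token.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key="value" log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def find_nat_exhaustion(lines) -> list:
    """Return the parsed records whose logid marks NAT port exhaustion."""
    return [
        rec for rec in (parse_fortigate_log(l) for l in lines)
        if rec.get("logid") == NAT_EXHAUSTED_LOGID
    ]


def count_by_nat_ip(lines) -> Counter:
    """Count exhaustion events per translated (NAT) address to spot the busy pool."""
    return Counter(rec.get("nat", "unknown") for rec in find_nat_exhaustion(lines))


def port_pool_size(port_range: str) -> int:
    """Number of source ports provided by an ip-src-port-range value like '1024-65000'.

    Assumes valid port numbers lie in 1-65535 and low <= high.
    """
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", port_range)
    if not m:
        raise ValueError(f"malformed port range: {port_range!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"port range out of bounds: {port_range!r}")
    return high - low + 1


def fix_cli(port_range: str) -> str:
    """Render the FortiOS CLI block from the article for the chosen range."""
    port_pool_size(port_range)  # validate before emitting configuration
    return f"config system global\n    set ip-src-port-range {port_range}\nend"


if __name__ == "__main__":
    for nat_ip, n in count_by_nat_ip(SAMPLE_LOGS).items():
        print(f"NAT address {nat_ip}: {n} exhaustion event(s)")
    default, enlarged = "1024-25000", "1024-65000"
    print(f"default range {default}: {port_pool_size(default)} ports")
    print(f"enlarged range {enlarged}: {port_pool_size(enlarged)} ports")
    print(fix_cli(enlarged))
```

Run it against exported event logs by replacing SAMPLE_LOGS with the lines read from the file; a rising per-NAT-IP count alongside a small pool size is the signal that the range should be enlarged.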