Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Cannot achieve more than 2048 sessions on NS-5GT or SSG-5 when using interface-based NAT. 'DIP Alloc failed' reported in debugs. The 'no dip' counter in 'get counter stat' is explained.
New sessions could not be created once there were more than 2048 sessions; all sessions were being source NAT'd using interface-based NAT.
NetScreen-5XP cannot pass > 2048 sessions
Juniper-SSG5 cannot pass > 2048 sessions
Debug Message output reports: DIP allocation failed
For example:
****** 609311.0: <Trust/ethernet1> packet received [52]******
ipid = 5893(1705), @033047b0
packet passed sanity check.
ethernet1:192.168.1.100/1123->209.137.140.226/1111,6<Root>
no session found
flow_first_sanity_check: in <ethernet1>, out <N/A>
chose interface ethernet1 as incoming nat if.
flow_first_routing: in <ethernet1>, out <N/A>
search route to (ethernet1, 192.168.1.100->209.137.140.226) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 3.route 209.137.140.226->209.137.140.226, to ethernet0/1
routed (x_dst_ip 209.137.140.226) from ethernet1 (ethernet1 in 0) to ethernet2
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 209.137.140.226, port 1433, proto 6)
No SW RPC rule match, search HW rule
Permitted by policy 2
dip alloc failed. dip_id = 0
packet dropped, dip alloc failed
The pport statistics show very few available ports:
SSG5-> get pport
Pseudo port information:
                All Ports   Single Ports            Paired Ports
Index   Total   allocated - available   allocated - available
0       2048    1977      - 7           0         - 64
When interface-based NAT is configured, sessions established from the Trust zone to the Untrust or DMZ zone are source NAT'd to the egress interface IP (the Untrust or DMZ interface IP). Source Port Address Translation (PAT) is performed for every unique session. This feature uses pseudo-ports (pports).
In ScreenOS, each individual PAT session is called a pseudo-port. To see the current state of the pseudo-ports, enter the command:
get pport
To see the failed PAT sessions, check the flow counter for "no dip" using the following command:
get counter stat
Example:
ssg5-isdn-wlan-> get count stat int e0/0 | i dip
in unk prot 0 | no dip 10 | winnuke 0
The "no dip" counter will increment for every session that has failed port address translation.
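To turn the two checks above into something a monitoring script can run, here is an added example (not from the KB article and not ScreenOS code) that parses `get pport` and `get counter stat ... | i dip` output in the layout shown above and flags pport exhaustion. The sample outputs are constructed, and the 90% alerting threshold and the function names are assumptions of this example.

```python
import re

# Constructed sample of "get pport" output, laid out as in the article (not captured from a device).
SAMPLE_PPORT = """\
Pseudo port information:
                All Ports   Single Ports            Paired Ports
Index   Total   allocated - available   allocated - available
0       2048    1977      - 7           0         - 64
"""

# Constructed sample of "get counter stat int e0/0 | i dip" output.
SAMPLE_COUNTER = "in unk prot       0 | no dip          10 | winnuke          0"

# One data row of the pport table: index, total, single alloc - avail, paired alloc - avail.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*-\s*(\d+)\s+(\d+)\s*-\s*(\d+)\s*$")

def parse_pport(text):
    """Return one dict per index row of 'get pport'; title and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            idx, total, s_alloc, s_avail, p_alloc, p_avail = map(int, m.groups())
            rows.append({"index": idx, "total": total,
                         "single_allocated": s_alloc, "single_available": s_avail,
                         "paired_allocated": p_alloc, "paired_available": p_avail})
    return rows

def parse_no_dip(text):
    """Extract the 'no dip' flow counter (sessions that failed PAT); 0 if the field is absent."""
    m = re.search(r"no dip\s+(\d+)", text)
    return int(m.group(1)) if m else 0

def diagnose(pport_text, counter_text, prev_no_dip=0, threshold=0.90):
    """Flag a pport pool at or above the (assumed) threshold and a still-rising 'no dip' counter.
    prev_no_dip is the counter value recorded at the previous poll."""
    rows = parse_pport(pport_text)
    no_dip = parse_no_dip(counter_text)
    worst, findings = 0.0, []
    for r in rows:
        used = r["single_allocated"] + r["paired_allocated"]
        util = used / r["total"] if r["total"] else 0.0
        worst = max(worst, util)
        if util >= threshold:
            findings.append(f"pport index {r['index']}: {used}/{r['total']} allocated "
                            f"({util:.1%}), {r['single_available']} single ports free")
    pat_failing = no_dip > prev_no_dip  # counter only moves when sessions fail PAT
    if pat_failing:
        findings.append(f"'no dip' rose from {prev_no_dip} to {no_dip}: sessions are failing PAT")
    return {"utilization": worst, "no_dip": no_dip, "exhausted": worst >= threshold,
            "pat_failing": pat_failing, "findings": findings}
```

Polling both commands on an interval and feeding the previous `no dip` value as `prev_no_dip` distinguishes an old, static failure count from sessions that are failing right now.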
In conclusion, the solution to this "dip allocation failure" problem is to either:
(i) Use policy-based NAT with a DIP pool of one address (pports are not used with DIP pools).
Using a DIP pool of one address also increases the number of ports available for port translation to 65000. The following command shows how many ports are in use:
get int <interface number> dip detail
ssg5-isdn-wlan-> get int e0/0 dip detail
dynamic-ip   port-x   status   id   ports(sgl/twin)   host-ip
172.1.1.1    Yes      Free     4    0 / 0
Note: DIP pools and MIPs do not use pports. MIPs do not do PAT.
For more information on how to configure policy-based NAT with a DIP pool of one address, refer to step 9 of KB11901.
(ii) Upgrade to a platform which best supports the NAT translation needs on the pport level.
Here is a list of the current platforms and limitations:
Platform            | pport resource available for ScreenOS 6.0 and above
SSG5 - Base         | 2048
SSG5 - Extended     | 4048
SSG20 - Base        | 2048
SSG20 - Extended    | 4048
SSG140              | 33000
SSG320              | 33790
SSG350              | 64510
SSG520              | 33790
SSG550              | 64510
ISG1000 - Base      | 64510
ISG1000 - Advanced  | 64510
ISG2000 - Base      | 64510
ISG2000 - Advanced  | 64510
NS5200              | 64510
NS5400              | 64510
Here is a list of the older platforms and their limitations; these platforms support up to ScreenOS 5.4:
Platform   | pport resource available for ScreenOS 5.4
NS5GT      | 2048
NS25       | 64510
NS50       | 64510
NS204      | 64510
NS208      | 64510
NS500      | 64510