You can go into monitor and check current connections; if this is over 50k then you can't use automatic hide nat without some adverse issue. Most gateways default to 25k unless you up this limit.

Thanks,
Derek O'Flynn
LSU Health Sciences Center
Enterprise Information Security
(504)628-4431
[EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
Sent: Wednesday, October 25, 2006 12:48 PM
To: [email protected]
Subject: Re: [FW-1] NAT Hide Failure

I don't know for sure the source of the problem, but remember that for each IP address you have around 65K ports that can be used for each of the connections going out with a Hide NAT. It is possible that at some point you just had too many connections going out through the same IP and the firewall just did not know how to handle the overflow, and so the reboot solved the issue. As a good way to avoid this possibility, you can use a second public IP and divide all those machines going out between the current and the new one. I have never seen this issue before, but thought that info might help.

Regards

On 10/25/06, Matheus Valença <[EMAIL PROTECTED]> wrote:
>
> Dear CheckPoint Gurus...
>
> I have a NOKIA IP530 with IPSO 4.1 and CheckPoint R61 installed. This
> firewall has 19 internal interfaces and 1 external interface with a /28
> range of IPs.
>
> The network of the users and some servers (/22) makes NAT to the internet
> on one IP. Last night, this NAT crashed and all the internet access from
> this network stopped.
>
> All other NATs (1 to 1 for the web servers) did not stop.
>
> I received this message in the LOG:
>
> DROP - "message_info: NAT Hide failure - there any currently no available
> ports for hide operation"
>
> I have no idea what could be happening, because the only solution that
> I had at that hour (4:00am) was a reboot. Rsrsrs
>
> TKS in advance...
>
> Matheus Valença
> .T..Systems do Brasil
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>

--
Sergio Alvarez
(506)8301342
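
The suggestion in the thread to divide the hosts between two hide addresses, worked as a planning calculation. This is an added example, not part of the thread and not Check Point tooling; the addresses and connection counts are constructed, and it assumes each connection uses one source port on its hide address with the thread's 50k figure as the ceiling per address.

```python
from collections import Counter

# Assumption: ceiling per hide address, using the 50k figure from the thread.
HIDE_BUDGET = 50_000

# Constructed sample: peak concurrent outbound connections per internal host,
# all currently hidden behind one address (documentation-range IPs).
PEAK = {"10.0.0.10": 30_000, "10.0.0.11": 15_000,
        "10.0.0.12": 9_000, "10.0.0.13": 4_000}
SAMPLE = [(src, "203.0.113.1") for src, n in PEAK.items() for _ in range(n)]

def per_hide_load(conns):
    """Count live connections (one source port each) per hide address."""
    return Counter(hide for _, hide in conns)

def over_budget(conns, budget=HIDE_BUDGET):
    """Hide addresses whose connection count has reached the budget."""
    return sorted(ip for ip, n in per_hide_load(conns).items() if n >= budget)

def split_hosts(conns, hide_ips, budget=HIDE_BUDGET):
    """Reassign hosts, heaviest first, each to the least-loaded hide address.

    Returns (assignment, totals); raises ValueError if any address would
    still exceed the budget, meaning more hide addresses are needed.
    """
    host_load = Counter(src for src, _ in conns)
    totals = {ip: 0 for ip in hide_ips}
    assignment = {}
    for host, n in sorted(host_load.items(), key=lambda kv: (-kv[1], kv[0])):
        target = min(hide_ips, key=lambda ip: (totals[ip], ip))
        totals[target] += n
        assignment[host] = target
    crowded = {ip: n for ip, n in totals.items() if n > budget}
    if crowded:
        raise ValueError(f"hide addresses still over budget: {crowded}")
    return assignment, totals

if __name__ == "__main__":
    print("over budget now:", over_budget(SAMPLE))
    plan, totals = split_hosts(SAMPLE, ["203.0.113.1", "203.0.113.2"])
    print(plan, totals)
```
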
