Troubleshooting issues where firewall logs show "No more ports available"
03/26/2020
This article explains how to troubleshoot issues where the firewall is running out of NAT ports. The condition is visible in the tracelogs as the message "No more ports available". Symptoms of this problem include:
- Dropped connections
- Unexpected reboots
- Firewall going unresponsive
This is caused by all source ports on the NAT (public) IP address being used up. In theory an IP address has 65536 ports; after reserved ports are excluded, the usable number is about 64511. Exhaustion is normally caused by:
- A large network being NATed to a single IP address
- Ports being held open for the length of the session timeout (this is typically observed with UDP port 53, DNS traffic)
The tracelog messages are as follows:
1 : No more ports available, hash 2454, 1, srcRemapIp y.y.y.y, dstIP x.x.x.x, srcRemapPort 0, dstPort 53, ipType 17
1 : 10/03 14:19:07.800: Informational: getRemapPort:840:[A]: _
1 : No more ports available, hash 2454, 1, srcRemapIp y.y.y.y, dstIP x.x.x.x, srcRemapPort 0, dstPort 443, ipType 6
Here we can see that NAT source ports are being exhausted for traffic to two destination ports: 53 (DNS, ipType 17 = UDP) and 443 (HTTPS, ipType 6 = TCP).
There are two ways to mitigate this issue:
- Shorten the UDP timeout for DNS traffic. Create an access rule, or modify the existing access rule, for DNS traffic under Firewall|Access Rules and, on the Advanced tab, change the UDP timeout from 30 seconds to 5 seconds. The NAT port is then freed sooner after each DNS lookup completes.
- Add public IP addresses to the NAT pool used for the internal addresses, for other ports such as 443.
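The following Python script is an added example, not part of the original article or a SonicWall tool. It does two things a practitioner wants when this message appears: it parses tracelog lines of the format shown above and counts exhaustion events per NAT IP, destination port and protocol (so you can see which traffic is eating the port pool), and it estimates steady-state port usage from the new-flow rate and the session timeout, which shows why shortening the DNS timeout or adding NAT IPs relieves the problem. The sample log lines and addresses are constructed; the per-IP usable-port figure of 64511 is taken from the article.

```python
import math
import re
from collections import Counter

# Constructed sample tracelog lines modelled on the message format in the article.
# Addresses are documentation ranges, not real hosts.
SAMPLE_TRACELOG = """\
1 : No more ports available, hash 2454, 1, srcRemapIp 203.0.113.10, dstIP 198.51.100.5, srcRemapPort 0, dstPort 53, ipType 17
1 : 10/03 14:19:07.800: Informational: getRemapPort:840:[A]: _
1 : No more ports available, hash 2454, 1, srcRemapIp 203.0.113.10, dstIP 198.51.100.7, srcRemapPort 0, dstPort 443, ipType 6
1 : No more ports available, hash 2455, 1, srcRemapIp 203.0.113.10, dstIP 198.51.100.5, srcRemapPort 0, dstPort 53, ipType 17
"""

# Matches only the exhaustion message; the informational getRemapPort line is ignored.
LINE_RE = re.compile(
    r"No more ports available,.*?srcRemapIp (?P<nat_ip>[^,\s]+), dstIP (?P<dst_ip>[^,\s]+), "
    r"srcRemapPort \d+, dstPort (?P<dst_port>\d+), ipType (?P<proto>\d+)"
)

# ipType is the IP protocol number: 6 = TCP, 17 = UDP.
PROTO_NAMES = {6: "TCP", 17: "UDP"}

# Usable ports per NAT IP once reserved ports are excluded (figure from the article).
USABLE_PORTS = 64511


def parse_exhaustion_events(text):
    """Return one (nat_ip, dst_port, proto_name) tuple per exhaustion message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        proto = int(m.group("proto"))
        events.append((m.group("nat_ip"), int(m.group("dst_port")),
                       PROTO_NAMES.get(proto, str(proto))))
    return events


def summarize(text):
    """Count exhaustion messages per (NAT IP, destination port, protocol)."""
    return Counter(parse_exhaustion_events(text))


def ports_in_use(new_flows_per_second, timeout_seconds):
    """Steady-state ports held on one NAT IP.

    Each new flow takes a port and holds it for roughly the session timeout,
    so held ports = arrival rate x hold time (Little's law).
    """
    return new_flows_per_second * timeout_seconds


def nat_ips_needed(new_flows_per_second, timeout_seconds, usable_ports=USABLE_PORTS):
    """Minimum number of public NAT IPs for that load, rounded up."""
    return max(1, math.ceil(ports_in_use(new_flows_per_second, timeout_seconds) / usable_ports))


if __name__ == "__main__":
    for (nat_ip, dst_port, proto), count in summarize(SAMPLE_TRACELOG).most_common():
        print(f"{nat_ip} -> dstPort {dst_port}/{proto}: {count} exhaustion message(s)")

    # Illustrative load: 3000 new DNS lookups per second through one NAT IP.
    rate = 3000
    for timeout in (30, 5):
        print(f"UDP timeout {timeout}s: ~{ports_in_use(rate, timeout)} ports held, "
              f"{nat_ips_needed(rate, timeout)} NAT IP(s) needed")
```

With the 30-second default, 3000 DNS lookups per second hold about 90000 ports, more than one NAT IP can supply; at 5 seconds the same load holds about 15000, well inside a single IP's pool. For long-lived TCP flows such as 443, the hold time is the connection lifetime rather than a short UDP timeout, which is why adding NAT IPs is the practical fix there.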