Overview
While reviewing the Error log, entries such as the following appear frequently:
(3) Out of free NAT ports: Unable to handle connection 172.16.X.X:57173 -> <external_country_IP>:443.
(3) Out of free NAT ports: Unable to handle connection <external_country_IP>:41390 -> 172.18.X.X:443.
(3) Out of free NAT ports: Unable to handle connection 172.16.X.X:63049 -> <external_country_IP>:80.
(3) Out of free NAT ports: Unable to handle connection 172.16.X.X:61724 -> <control_IP>:53.
In the Debug log with "Packets dropped for some reason" enabled, the message "Unable to allocate port for NAT" is shown.
This article provides explanations about the common situations that cause these entries to be generated and how to resolve them.
Information
When port mapping is configured together with a translation of a port to a service, the ports used in different Traffic Rules may overlap.
If the NATed port cannot be allocated, the errors above are logged.
It might also be that some external IP addresses are trying to access the Kerio Control firewall's public IP. The ports involved are usually those of common services such as HTTP, HTTPS and DNS.
The suspicious IPs can be identified via IP2Location and then blocked with the GeoIP filter or dropped via Traffic Rules.
Additionally, it might be an indication of unwanted or pirated software installed on PCs connected to Kerio Control. Make sure to check the local computers using third-party antivirus solutions, such as Avast, ESET, Kaspersky, etc.
Another possible cause is the number of active connections exceeding 32,768. This follows from the limit on port numbers per IP address, which range from 1 to 65535: when NAT is enabled on an interface, every outgoing connection from that interface consumes one of those ports. By default Kerio Control uses 32768 as the start of the NAT port range, effectively halving the number of available ports. This setting is not available in the user interface; it can be modified by Accessing Kerio Control's Shell Using SSH and running this command:
/opt/kerio/winroute/tinydbclient "update NAT set DynamicPortsRangeStart=1024"
This must be followed by a restart of Kerio Control, either of the entire instance or of just the main winroute process, using the following command:
/etc/boxinit.d/60winroute restart
That gives the configuration additional ports, but since the resulting pool contains 64512 ports, that is also the maximum number of outgoing NATed connections through that interface. To keep a few clients from exhausting the pool and leaving no ports for others, limit the number of connections per IP address by following the Configuring connection limits in Kerio Control article, using a value of 64512/(the maximum number of connected devices).
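As an added example (not part of the original article or of Kerio Control), the following Python script parses Error log lines in the format quoted above, separates outbound exhaustion (a LAN client consuming the pool) from inbound attempts by external sources, and applies the 64512/(maximum devices) rule for the per-IP connection limit. The sample log lines and all addresses in them are constructed.

```python
import re
import ipaddress
from collections import Counter
# Constructed sample in the format of the Error log entries quoted above;
# the addresses are RFC 1918 and documentation-range placeholders.
SAMPLE_LOG = """\
(3) Out of free NAT ports: Unable to handle connection 172.16.1.20:57173 -> 203.0.113.7:443.
(3) Out of free NAT ports: Unable to handle connection 198.51.100.9:41390 -> 172.18.0.5:443.
(3) Out of free NAT ports: Unable to handle connection 172.16.1.20:63049 -> 203.0.113.8:80.
(3) Out of free NAT ports: Unable to handle connection 172.16.1.20:61724 -> 192.168.0.1:53.
(3) Out of free NAT ports: Unable to handle connection 172.16.1.31:50001 -> 203.0.113.7:443.
(3) Out of free NAT ports: Unable to handle connection 198.51.100.9:41391 -> 172.18.0.5:443.
"""

LINE_RE = re.compile(
    r"Out of free NAT ports: Unable to handle connection "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\."
)

# RFC 1918 space is the LAN side (is_private() would also match the documentation ranges).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(addr):
    return any(ipaddress.ip_address(addr) in net for net in LAN_NETS)

def parse_nat_errors(text):
    """Return (src, dst, dport) for every 'Out of free NAT ports' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"])))
    return events

def summarize(text):
    """Count outbound events per LAN client and inbound ones per external source/port."""
    outbound, inbound = Counter(), Counter()
    for src, dst, dport in parse_nat_errors(text):
        if is_lan(src):
            outbound[src] += 1           # LAN client consuming NAT ports
        else:
            inbound[(src, dport)] += 1   # unsolicited traffic from outside
    return outbound, inbound

def recommended_per_ip_limit(devices, range_start=1024, range_end=65535):
    """Article's rule: NAT pool size divided by the maximum number of connected devices."""
    return (range_end - range_start + 1) // devices
```

Passing range_start=32768 to recommended_per_ip_limit shows the limit you get with the default port range before the tinydbclient change.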