Respond to “Requested NAT cannot be done” log messages

Logs that contain “Requested NAT cannot be done” error messages can indicate problems with dynamic NAT or Server Pools.

Steps

  1. A Dynamic NAT operation might be applied to the wrong type of traffic. Dynamic (many-to-one) NAT is done by assigning different hosts the same IP address, but different ports. For this reason, dynamic NAT does not work when the protocol in question does not use ports. Only the TCP and UDP transport protocols use ports. See the TCP and UDP branches in the Services tree in the Management Client to check which protocols are transported over TCP or UDP.
  2. Dynamic NAT can run out of ports if there are too many simultaneous connections in relation to the IP addresses and the port range you have configured for dynamic NAT. You can increase the available ports for translation by adding a new IP address for your dynamic NAT rule. Alternatively, you can expand the port range, if the rule does not currently use the whole range of high ports.
  3. If the Server Pool element is used, check the NAT rules. Because the Server Pool element always does NAT, errors can occur when the Server Pool element is used and the same connection matches an overlapping NAT rule.
  4. Check whether the information message in the log states that dynamic NAT is denied due to an excessive number of connections. This can happen when a single host opens connections at an excessive rate to a single destination IP address and port through dynamic source NAT. The message indicates that a self-protection mechanism has triggered; it prevents dynamic NAT operations from consuming excessive processing resources. If it is not possible to adjust the connection settings of the application, set up a static NAT rule to allow these types of connections.
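Steps 1 and 2 above both come down to the same arithmetic: a dynamic NAT rule has one translation slot per (public IP, port) pair, and only TCP and UDP can use those slots. The following constructed model, added here as an illustration and not code from the product documentation, lets you reproduce both failure modes and see how adding an IP address or widening the port range raises the number of simultaneous connections a rule can carry. The class and function names, the 203.0.113.x addresses and the port ranges are assumptions chosen for the example.

```python
from collections import deque

# Only TCP and UDP carry port numbers, so only they can be translated
# many-to-one (same public IP, different ports).
PORT_BASED_PROTOCOLS = {"tcp", "udp"}


class NatError(Exception):
    """Raised when a connection cannot be translated; this is the situation
    behind a 'Requested NAT cannot be done' log message."""


class DynamicNatPool:
    """Hypothetical model of a dynamic (many-to-one) NAT rule.

    Each connection consumes one unique (public IP, public port) slot taken
    from the configured IP addresses and inclusive port range."""

    def __init__(self, public_ips, port_range=(1024, 65535)):
        low, high = port_range
        # Free slots: one per (IP, port) combination the rule may hand out.
        self.free = deque((ip, port) for ip in public_ips
                          for port in range(low, high + 1))
        # Maximum number of simultaneous translated connections.
        self.capacity = len(self.free)

    def translate(self, protocol):
        """Allocate a slot for a new connection, or raise NatError."""
        if protocol.lower() not in PORT_BASED_PROTOCOLS:
            # Step 1: the protocol has no ports, so dynamic NAT cannot apply.
            raise NatError(f"Requested NAT cannot be done: {protocol} has no ports")
        if not self.free:
            # Step 2: every (IP, port) pair is already in use.
            raise NatError("Requested NAT cannot be done: dynamic NAT ports exhausted")
        return self.free.popleft()

    def release(self, slot):
        """Return a slot when the translated connection closes."""
        self.free.append(slot)


def simulate(pool, protocol, connections):
    """Open `connections` new flows through `pool`; return (succeeded, failed)."""
    ok = failed = 0
    for _ in range(connections):
        try:
            pool.translate(protocol)
            ok += 1
        except NatError:
            failed += 1
    return ok, failed
```

With a constructed ten-port range, one public IP carries ten connections and fails the eleventh, while a second IP doubles the capacity; any ICMP or GRE flow fails regardless of the free slots.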