Scenario: vendor / sonicwall_cgnat_exhaustion
Status: PASSED

SonicWall CGNAT Port Exhaustion

The SonicWall NSsp 13700 running carrier-grade NAT exhausts its NAT translation table, preventing new outbound connections while existing sessions remain active.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

Metric                 Expected        Actual
Pattern Recognition    UNKNOWN         UNKNOWN
Severity Assessment    CRITICAL        CRITICAL
Incident Correlation   Yes             20 linked
Cascade Escalation     N/A             No
Remediation            Remote Hands    Remote Hands (Corax contacts on-site support via call, email, or API)

Scenario Conditions

SonicWall NSsp 13700 at ISP edge. CGNAT handling 50000 subscribers. NAT table capacity: 4 million entries. Table reached 100% during peak hours. New connections failing.

Injected Error Messages (2)

sonicwall CGNAT translation table exhausted on NSsp 13700 — NAT table at 4000000/4000000 entries (100% full), sonicwall unable to create new NAT bindings for outbound connections, CGNAT port allocation failures: 847 per second, existing sessions maintained but no new connections possible for 50000 subscribers
sonicwall NSsp 13700 CGNAT overload — subscriber complaints of new connection failures while existing sessions work, sonicwall NAT resource monitor critical: port block allocation exhausted, CGNAT deterministic mapping table full, ISP subscriber impact: intermittent connectivity for all new TCP/UDP sessions

Neural Engine Root Cause Analysis

The SonicWall NSsp 13700 CGNAT device has reached maximum capacity, with its NAT translation table at 4,000,000/4,000,000 entries (100% full). This resource exhaustion prevents the creation of new NAT bindings for outbound connections, causing 847 port allocation failures per second and affecting 50,000 subscribers. The likely causes are insufficient cleanup of stale NAT entries, an unusually high number of concurrent connections, or inadequate table sizing for the current subscriber load.

Remediation Plan

1. Immediately contact the network operations team to assess the CGNAT table configuration and cleanup policies.
2. Review and reduce NAT session timeout values to accelerate stale entry cleanup.
3. Implement emergency traffic shaping or connection limiting if possible.
4. Analyze traffic patterns to identify any abnormal connection behavior or potential DDoS.
5. Consider scaling CGNAT capacity by adding additional devices or upgrading table limits.
6. Monitor NAT table utilization trends to prevent future occurrences.

Tested: 2026-03-30
Monitors: 2 | Incidents: 2
Test ID: cmnck54l906snobqe7vffy7km