secured-port-block-allocation
Syntax
secured-port-block-allocation {
    active-block-timeout timeout-seconds;
    block-size block-size;
    max-blocks-per-address max-blocks;
}
Description
When you use block allocation, one or more blocks of ports in a NAT pool address range are available for assignment to a subscriber.
Port block allocation is supported on MX Series routers with MS-DPCs and on M Series routers with MS-100, MS-400, and MS-500 MultiServices PICs. Port block allocation is supported on MX Series routers with MS-MPCs and MS-MICs starting in Junos OS Release 14.2R2.
If you define the session lifetime globally for a Multiservices (ms-) interface (by using the session-timeout seconds statement at the [edit interfaces interface-name services-options] hierarchy level), the session is terminated even if traffic continues to flow beyond that time period. When continuous traffic transmission occurs, the session is reset immediately after the timeout period. When you configure the same value for the session timeout and the active port block allocation timeout, the system might not determine that the active port block timeout period has elapsed. As a result, when the active port block timeout elapses, the system might use the same block for the initial port allocation that was used previously. However, for the subsequent allocation of a port block, the system identifies the active block timeout value correctly and allocates a port from a new block. This behavior is expected when the session timeout and port block timeout values are identical. To avoid this problem, we recommend that you configure different values for session timeout and port block timeout so that the JSERVICES_NAT_PORT_BLOCK_ALLOC system logging message is generated at correct intervals of the active port block timeout value.
If you make any configuration changes to a NAT pool that has secured port block allocation configured, you must delete the existing NAT address pool, wait at least 5 seconds, and then configure a new NAT address pool. We also strongly recommend that you perform this procedure if you make any changes to the NAT pool configuration, even when secured port block allocation is not configured.
Options
active-block-timeout timeout-seconds | Interval, in seconds, during which a block is active. After the timeout elapses, a new block is allocated, even if ports are available in the active block.
block-size block-size | Number of ports included in a block.
max-blocks-per-address max-blocks | Maximum number of blocks that can be allocated to a user address. The range is 1 through 512.
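The following check is an added example, not part of the Junos OS documentation. It scans a configuration in "set" format for the two conditions described above: an active-block-timeout equal to a session-timeout on an ms- interface, and a max-blocks-per-address value outside 1 through 512. The pool names, the sample values, and the [edit services nat pool pool-name port] path are assumptions (this page does not state the hierarchy level), and the timeout is compared against every ms- interface rather than only the one serving the pool.

```python
import re

# Constructed sample in Junos "set" format. The "services nat pool <name> port"
# path is an assumption; this page does not state the hierarchy level.
SAMPLE_CONFIG = """\
set interfaces ms-1/0/0 services-options session-timeout 300
set services nat pool cgn-a port secured-port-block-allocation block-size 256
set services nat pool cgn-a port secured-port-block-allocation max-blocks-per-address 8
set services nat pool cgn-a port secured-port-block-allocation active-block-timeout 300
set services nat pool cgn-b port secured-port-block-allocation block-size 128
set services nat pool cgn-b port secured-port-block-allocation max-blocks-per-address 600
set services nat pool cgn-b port secured-port-block-allocation active-block-timeout 120
"""

SESSION_RE = re.compile(
    r"^set interfaces (ms-\S+) services-options session-timeout (\d+)$")
PBA_RE = re.compile(
    r"^set services nat pool (\S+) port secured-port-block-allocation "
    r"(active-block-timeout|block-size|max-blocks-per-address) (\d+)$")


def lint_pba(config_text):
    """Return a sorted list of (pool, finding) tuples for the checks above."""
    session_timeouts = {}   # ms- interface -> global session timeout (seconds)
    pools = {}              # pool name -> {option: value}
    for line in map(str.strip, config_text.splitlines()):
        if (m := SESSION_RE.match(line)):
            session_timeouts[m.group(1)] = int(m.group(2))
        elif (m := PBA_RE.match(line)):
            pools.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))

    findings = []
    for pool, opts in pools.items():
        timeout = opts.get("active-block-timeout")
        # Identical values can keep the system from noticing the block timeout.
        for ifname, session in session_timeouts.items():
            if timeout is not None and timeout == session:
                findings.append(
                    (pool, f"active-block-timeout equals session-timeout on {ifname}"))
        max_blocks = opts.get("max-blocks-per-address")
        if max_blocks is not None and not 1 <= max_blocks <= 512:
            findings.append((pool, "max-blocks-per-address outside 1 through 512"))
    return sorted(findings)


if __name__ == "__main__":
    for pool, finding in lint_pba(SAMPLE_CONFIG):
        print(f"{pool}: {finding}")
```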
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 11.2.