FWSM - XLATE issue

Oct 3rd, 2007

We are having a problem periodically having to clear the xlate on our FWSM. We have a failover pair in 6509's. For some reason they stop passing all traffic. We clear xlate and everything runs fine for a random amount of time, sometimes for a couple of weeks, sometimes for a couple of months. We have installed the latest software, replaced the hardware, and compared the config between the primary and standby. It appears to be totally random. We have other FWSMs in the network that are not experiencing this problem.

scwillis4655 Tue, 10/09/2007 - 07:02
It was at 5:00:00. Don't know why. We changed it to 30:00. We will see if the problem reoccurs.

hoffa2000 Tue, 10/09/2007 - 07:17
I've been playing around with the xlate timeout and it doesn't help me. Hope you have better luck.

scwillis4655 Wed, 10/17/2007 - 04:48
We had the same problem occur a couple more times. We did a "show xlate" and the count was at 1108 the first time and 521 the second time, so it does not appear to be running out.

hoffa2000 Tue, 10/09/2007 - 06:47
I have the exact same problem; I have to run "clear xlate" to get the connections working. This problem appears within a few hours for me.

hoffa2000 Wed, 10/17/2007 - 07:13
The latest news on my side is that I've gotten some advice from a consultant to review my NAT and GLOBAL settings.

I've got two "internal" networks with a high security level accessing several lower-security interfaces (including INTERNET) with the same NAT and GLOBAL statements; just the NAT (INTERFACE) subnet is different. According to the consultant this might be a problem and should be remedied with NAT 0 and differing NAT x statements.

This Tuesday I've got a service window and will try to implement this and do an upgrade to 3.2 at the same time.

scwillis4655 Fri, 10/19/2007 - 08:10
We changed our xlate timeout and it did not make a difference. We checked our timeouts for connections and they were at 00:00, which I assume (without reading up on it) means that they never time out. We had 999902 most used connections and 600000+ in use. We changed our connection timers to 1 hour and the connections in use went down to 1615. We will see if this resolves our problem.

hoffa2000 Fri, 10/26/2007 - 04:11
A few days ago I had sort of a breakthrough solving my problem with the lost connectivity requiring clear xlate. It seems the problem was related to two statics I had for my two authoritative DNSes hosting my domain.

I had the problem several times per hour, forcing me to migrate back to an older firewall. When, a few days ago, I tried to migrate again, I had no problem until I added the first DNS static. As soon as I did that I lost connectivity.

I don't know what causes this, but if you have statics for DNS servers and DNS inspection configured, this might be a hint.



scwillis4655 Fri, 10/26/2007 - 04:17
I believe ours may be related to the connections. Someone had taken the connection timeouts and put them at 0 so they never timed out. Our connections had reached 999980. When we cleared xlate they dropped to 1500. We changed our timers and they stay around 1500. We think this is what was causing the random length of time that it took to fail. We are still monitoring.
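As an added example that is not from any poster in this thread, the Python below checks for the two conditions described in the 10/19 and 10/26 posts: a "timeout conn 0:00:00" that disables idle-connection expiry, and a connection count or historical peak that is close to the size of the connection table while the xlate count stays low. The "N in use, M most used" output layout, the "timeout conn h:mm:ss ..." config syntax and the connection-table limit of one million are assumptions; the sample numbers are the ones quoted in the thread, embedded here as constructed input so the script runs offline.

```python
import re

# Constructed sample output, modelled on the "N in use, M most used" line that
# the PIX/FWSM "show xlate count" and "show conn count" commands print. The
# numbers are the ones quoted in this thread; the exact layout is an assumption.
SAMPLE_XLATE_COUNT = "1108 in use, 1500 most used"
SAMPLE_CONN_COUNT = "600321 in use, 999902 most used"

# Constructed running-config fragments (assumed syntax). A "timeout conn 0:00:00"
# disables the idle timer, so TCP connections are never aged out of the table.
BAD_CONFIG = """\
timeout xlate 0:30:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00
"""
FIXED_CONFIG = """\
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
"""

# Assumed size of the connection table. The thread's peak of 999,902 suggests a
# ceiling just under one million; substitute your module's documented limit.
DEFAULT_CONN_LIMIT = 1_000_000

_COUNT_RE = re.compile(r"(\d+)\s+in use,\s+(\d+)\s+most used")
_TIMEOUT_CONN_RE = re.compile(r"^timeout conn (\d+):(\d\d):(\d\d)")


def parse_count(line):
    """Return (in_use, most_used) from a 'show xlate count' / 'show conn count' line."""
    m = _COUNT_RE.search(line)
    if m is None:
        raise ValueError("unrecognised count line: %r" % line)
    return int(m.group(1)), int(m.group(2))


def conn_timeout_seconds(config):
    """Idle timeout for TCP connections in seconds; None if no 'timeout conn' line is present."""
    for line in config.splitlines():
        m = _TIMEOUT_CONN_RE.match(line.strip())
        if m:
            hours, minutes, seconds = (int(x) for x in m.groups())
            return hours * 3600 + minutes * 60 + seconds
    return None


def check_fwsm(xlate_line, conn_line, config,
               conn_limit=DEFAULT_CONN_LIMIT, in_use_ratio=0.5, peak_ratio=0.95):
    """Evaluate the symptoms from the thread and return the parsed counts plus a list of findings."""
    findings = []

    # 1. A zero idle timeout means the table only ever shrinks on "clear xlate".
    timeout = conn_timeout_seconds(config)
    if timeout == 0:
        findings.append("timeout conn is 0:00:00: idle connections never expire")

    conn_in_use, conn_peak = parse_count(conn_line)
    xlate_in_use, xlate_peak = parse_count(xlate_line)

    # 2. Current usage against the assumed table size.
    if conn_in_use >= in_use_ratio * conn_limit:
        findings.append("%d connections in use, %.0f%% of the assumed limit of %d"
                        % (conn_in_use, 100.0 * conn_in_use / conn_limit, conn_limit))

    # 3. The "most used" counter is historical; a peak near the limit means the
    #    table has filled at some point since the counters were last cleared.
    if conn_peak >= peak_ratio * conn_limit:
        findings.append("peak of %d connections is within %.0f%% of the assumed limit"
                        % (conn_peak, 100.0 * (1 - peak_ratio)))

    return {
        "conn_timeout_seconds": timeout,
        "conn_in_use": conn_in_use,
        "conn_peak": conn_peak,
        "xlate_in_use": xlate_in_use,
        "xlate_peak": xlate_peak,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, config in (("before", BAD_CONFIG), ("after", FIXED_CONFIG)):
        result = check_fwsm(SAMPLE_XLATE_COUNT, SAMPLE_CONN_COUNT, config)
        print("%s: xlate %d in use, conn %d in use" % (label, result["xlate_in_use"], result["conn_in_use"]))
        for finding in result["findings"]:
            print("  - " + finding)
```

With the thread's numbers the "before" run reports all three findings, which matches what the posters saw: the xlate table is nearly empty while the connection table has filled up because nothing ever ages out. After the timer is set to 1:00:00 only the historical peak remains flagged, and it will persist until the counters are cleared, so a single clean run is not proof that the problem is gone.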
