FWSM Xlate Issue

Unanswered Question
May 6th, 2009

Hello,

I have a problem with my FWSM placed in a Cisco 6500 switch. At times we have noticed that the xlate table is getting exhausted, and when we issue "clear xlate" it gets solved. But as it is a core switch, this is crucial.

FWSM Firewall Version 3.2(4).

r.bishop Thu, 05/07/2009 - 03:10

OK, two things:

(1) I assume you are using dynamic NAT and PAT in order to ensure that when your NAT pool is exhausted, all additional "users" will share the same external IP using PAT?

(2) There is a limit of 256,000 NAT/xlate entries on the FWSM. One thing you can try is the "xlate bypass" command, which prevents non-NAT sessions from being included in the xlate table; this may also help.

See the documentation here for how to do this with v3.2:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/cfgnat_f.html#wp1105713

Similar limitations apply to later versions of FWSM code too, with v4.0 increasing the limit by about 6,000 entries.

Hope this helps?

Thanks

Russell

r.bishop Thu, 05/07/2009 - 03:37

If the problem persists, you may also want to try reducing the "timeout xlate" value, which I believe defaults to 3 hours (3:00:00).

You could try dropping to 2 hours initially to see what impact this has, and keep monitoring the number of entries you have in the xlate table using the "show xlate count" option.

Thanks

Russell
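
Putting both of Russell's replies together as one worked FWSM 3.2 configuration. This is an added example, not the poster's configuration and not text from Cisco's documentation: the interface names (inside/outside), NAT ID 1, and the addresses (RFC 5737 documentation ranges) are assumed; the commands themselves are FWSM 3.2 syntax.

```cisco
! Added example (not the poster's config). Interface names, NAT ID and
! addresses are assumptions; 10.0.0.0/8 inside, 203.0.113.0/24 outside.
!
! (1) Dynamic NAT pool with PAT fallback. Both "global" lines carry the
!     same NAT ID as the "nat" line: the address range is used first, and
!     once it is exhausted new translations fall through to the single
!     address, which is shared by many hosts via PAT instead of failing.
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 203.0.113.10-203.0.113.100
global (outside) 1 203.0.113.101
!
! (2) Keep sessions that are not translated (same address on both sides)
!     out of the xlate table, so they do not count against the 256,000
!     entry limit on this platform.
xlate bypass
!
! (3) Age idle translations out sooner than the 3-hour default. The second
!     reply suggests 2 hours as a first step; tune further from monitoring.
timeout xlate 2:00:00
!
! Privileged EXEC commands for checking the effect (not configuration):
!   show xlate count          - current and peak number of translations
!   show xlate                - individual entries, to see what is filling it
!   show running-config timeout - confirm the new xlate timeout took effect
!   clear xlate               - last resort: drops every translation and the
!                               connections using them, so schedule it
```

The order of the two "global" statements does not matter; what ties them together is the shared NAT ID, so a typo there (for example 1 on the nat line and 2 on the PAT line) silently removes the fallback. Take a "show xlate count" reading before and after applying "xlate bypass" and the shorter timeout so the improvement can be measured rather than assumed.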
