FWSM Xlate Issue

manuadoor
Level 1

Hello,

I have a problem with my FWSM placed in a Cisco 6500 switch. At times we have noticed that the xlate table is getting exhausted, and when we issue "clear xlate" it gets solved. But as it is a core switch, this is crucial.

FWSM Firewall Version 3.2(4).

2 Replies

r.bishop
Level 1

OK, two things:

(1) I assume you are using dynamic NAT and PAT in order to ensure that when your NAT pool is exhausted then all additional "users" will share the same external IP using PAT?

(2) There is a limit of 256,000 NAT/xlate entries on the FWSM. One thing you can try is the "xlate bypass" command which prevents non-NAT sessions from being included in the xlate tables which may also help.

See the documentation here for how to do this with v3.2:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/cfgnat_f.html#wp1105713

Similar limitations apply to later versions of FWSM code too, with v4.0 increasing the limit by about 6,000 entries.

Hope this helps?

Thanks

Russell

If the problem persists you may also want to try reducing the "timeout xlate" value, which I believe defaults to 3 hours (3:00:00).

You could try dropping to 2 hours initially to see what impact this has and keep monitoring the number of entries you have in the xlate table using the "show xlate count" option.

Thanks

Russell
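To keep an eye on the xlate table as Russell suggests, here is an added monitoring helper (not from the thread or from Cisco) that parses "show xlate count" output and grades it against the 256,000-entry limit quoted above. The output line format ("N in use, M most used") and the sample text are assumptions; the sample is constructed, not captured from a real FWSM.

```python
import re
from typing import Dict, Tuple

# NAT/xlate entry limit for FWSM 3.x as stated in the thread.
FWSM_XLATE_LIMIT = 256_000

# Constructed sample of `show xlate count` output (assumed format, not a real capture).
SAMPLE_OUTPUT = "248000 in use, 256000 most used\n"

_COUNT_RE = re.compile(r"(\d+)\s+in use,\s+(\d+)\s+most used")


def parse_xlate_count(output: str) -> Tuple[int, int]:
    """Return (in_use, most_used) parsed from `show xlate count` text."""
    match = _COUNT_RE.search(output)
    if not match:
        raise ValueError("unrecognised 'show xlate count' output")
    return int(match.group(1)), int(match.group(2))


def xlate_status(in_use: int, most_used: int, limit: int = FWSM_XLATE_LIMIT,
                 warn: float = 0.80, crit: float = 0.95) -> Dict[str, object]:
    """Grade table pressure; most_used at the limit means it has already
    filled at least once since the last `clear xlate` or reload."""
    utilization = in_use / limit
    if utilization >= crit:
        level = "critical"
    elif utilization >= warn:
        level = "warning"
    else:
        level = "ok"
    return {
        "in_use": in_use,
        "most_used": most_used,
        "utilization": round(utilization, 4),
        "level": level,
        "hit_limit_since_clear": most_used >= limit,
    }


def check(output: str) -> Dict[str, object]:
    """Parse and grade one `show xlate count` sample in a single call."""
    in_use, most_used = parse_xlate_count(output)
    return xlate_status(in_use, most_used)


if __name__ == "__main__":
    print(check(SAMPLE_OUTPUT))
```

Feed it the command output collected on each polling interval and alert on "warning" before the table fills; "hit_limit_since_clear" shows whether a "clear xlate" has been masking the underlying growth.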
