05-06-2009 09:53 PM - edited 03-11-2019 08:28 AM
Hello,
I have a problem with my FWSM placed in a Cisco 6500 switch. At times we have noticed that xlate is getting exhausted, and when we put "clear xlate", it gets solved. But as it is a core switch it is crucial.
FWSM Firewall Version 3.2(4).
05-07-2009 03:10 AM
OK, two things:
(1) I assume you are using dynamic NAT and PAT in order to ensure that when your NAT pool is exhausted then all additional "users" will share the same external IP using PAT?
(2) There is a limit of 256,000 NAT/xlate entries on the FWSM. One thing you can try is the "xlate bypass" command which prevents non-NAT sessions from being included in the xlate tables which may also help.
See the documentation here for how to do this with v3.2:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/cfgnat_f.html#wp1105713
Similar limitations apply to later versions of FWSM code too, with v4.0 increasing the limit by about 6,000 entries.
Hope this helps?
Thanks
Russell
05-07-2009 03:37 AM
If the problem persists you may also want to try reducing the "timeout xlate" value, which I believe defaults to 3 hours (3:00:00).
You could try dropping to 2 hours initially to see what impact this has and keep monitoring the number of entries you have in the xlate table using the "show xlate count" option.
Thanks
Russell
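An added monitoring example, not from the thread or from Cisco: it parses polled "show xlate count" output against the 256,000-entry limit quoted above, so the table filling up is caught before a manual "clear xlate" is needed. The output format "N in use, M most used" and the poll values are assumed/constructed.

```python
import re

# Limit stated in the reply above for FWSM 3.2 (v4.0 raises it by roughly 6,000).
FWSM_XLATE_LIMIT = 256_000

# Assumed output format of "show xlate count", e.g. "5 in use, 12 most used".
_COUNT_RE = re.compile(r"(\d+)\s+in use,\s+(\d+)\s+most used")


def parse_xlate_count(output):
    """Return (in_use, most_used) from the text of 'show xlate count'."""
    m = _COUNT_RE.search(output)
    if not m:
        raise ValueError("unrecognised 'show xlate count' output: %r" % output)
    return int(m.group(1)), int(m.group(2))


def xlate_status(in_use, most_used, limit=FWSM_XLATE_LIMIT, warn=0.75, crit=0.90):
    """Classify current utilisation; 'peaked' flags that the high-water mark already neared the limit."""
    ratio = in_use / limit
    if ratio >= crit:
        level = "CRITICAL"
    elif ratio >= warn:
        level = "WARNING"
    else:
        level = "OK"
    return {"level": level, "utilisation": round(ratio, 3), "peaked": most_used >= crit * limit}


def minutes_to_exhaustion(counts, interval_min, limit=FWSM_XLATE_LIMIT):
    """Linear projection from the last two polls; None when the table is not growing."""
    if len(counts) < 2:
        return None
    rate = (counts[-1] - counts[-2]) / interval_min  # entries per minute
    if rate <= 0:
        return None
    return (limit - counts[-1]) / rate


# Constructed sample polls (not real device output), taken 5 minutes apart.
SAMPLE_POLLS = [
    "12034 in use, 15021 most used",
    "201553 in use, 233004 most used",
    "248910 in use, 256000 most used",
]


def assess(polls, interval_min=5):
    counts = [parse_xlate_count(p)[0] for p in polls]
    statuses = [xlate_status(*parse_xlate_count(p)) for p in polls]
    return statuses, minutes_to_exhaustion(counts, interval_min)


if __name__ == "__main__":
    statuses, eta = assess(SAMPLE_POLLS)
    for poll, status in zip(SAMPLE_POLLS, statuses):
        print(poll, "->", status)
    print("projected minutes to exhaustion:", eta)
```

Pair the warning threshold with the "timeout xlate" reduction suggested above and compare the high-water mark before and after the change.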