On the PIX 500 Series Firewall with software version 6.x, the idle xlate entries do not time out

Document

Wed, 07/22/2009 - 19:27
Jun 18th, 2009

Core issue

This behavior is documented in Cisco bug ID CSCdy58717.

TCP/UDP connections do not time out. This prevents translation (xlate) entries from timing out as well. Issue these commands to check whether connections are failing to time out:

  • show connection count: reports a large number of connections.

  • show timeout: reports the idle timeout value.

The connection timeout value must not be larger than the timeout value for the idle connections.

Resolution

As a workaround, perform either of these two tasks:

  • If this condition takes a long time to develop, then reload the PIX.

    For example, this workaround is appropriate if this issue only occurs several weeks after the PIX reloads.

  • If this condition takes a shorter time to develop, then issue the clear xlate command.

    This workaround is appropriate if this issue occurs only a couple of days after the PIX reloads, or if a frequent reload is not a feasible workaround.

    If the clear xlate command does not clear all of the connections that do not time out, issue the clear local-host command.

As an alternative, download the latest available software version and upgrade the PIX to it.
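The following Python script is an added example, not part of the original document or of any Cisco tool. It parses constructed output in the PIX 6.x show timeout and show conn count formats, applies the timeout check from the Core issue section, and picks between the two workarounds above based on how long after reload the condition appeared. The sample output, the reading of "idle timeout" as timeout xlate, and the one-week threshold for "a long time" are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample output in PIX 6.x "show timeout" format (illustrative values).
SHOW_TIMEOUT = """\
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
"""
# Constructed (hours_since_reload, in_use) samples from hourly "show conn count"
# polls over a window with no new traffic: the count never drops.
SAMPLES = [(500.0, 48100), (501.0, 48150), (502.0, 48205), (503.0, 48211)]

def parse_hms(text):
    """Convert an h:mm:ss timeout string into a timedelta."""
    h, m, s = (int(x) for x in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)

def parse_timeouts(output):
    """Map each timeout name (xlate, conn, udp, ...) to its timedelta."""
    timeouts = {}
    for line in output.splitlines():
        for name, value in re.findall(r"(\S+) (\d+:\d{2}:\d{2})", line):
            timeouts[name] = parse_hms(value)
    return timeouts

def parse_conn_count(output):
    """Return (in_use, most_used) from 'show conn count' output."""
    m = re.search(r"(\d+) in use, (\d+) most used", output)
    return int(m.group(1)), int(m.group(2))

def timeout_misconfigured(timeouts):
    """Document's rule: conn timeout must not exceed the idle timeout.
    Assumption: the idle timeout meant is 'timeout xlate'."""
    return timeouts["conn"] > timeouts["xlate"]

def connections_not_expiring(samples, conn_timeout):
    """True if in-use never drops over a quiet window longer than conn timeout."""
    window_h = samples[-1][0] - samples[0][0]
    if window_h <= conn_timeout.total_seconds() / 3600:
        return False  # window too short to conclude anything
    return all(b[1] >= a[1] for a, b in zip(samples, samples[1:]))

def recommend(samples, timeouts):
    """Pick the document's workaround by how long after reload it appeared.
    Assumption: a week or more after reload counts as 'a long time'."""
    if not connections_not_expiring(samples, timeouts["conn"]):
        return "ok"
    if samples[-1][0] >= 7 * 24:
        return "reload"
    return "clear xlate, then clear local-host if connections remain"
```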
