Hi. Hopefully this problem will sound familiar to somebody here.
First off, I have a pair of FWSMs configured for active/standby in a 6509 chassis. The FWSMs are running 3.1(1) and my redundant SUP720s are running IOS 12.2(18)SXF3.
Exactly every 5 minutes, I receive the following error from the standby module in one of my 7 contexts:
FWSM-3-210007: LU allocate xlate failed
This error suggests that I am running out of memory and need to clear my translations. However, that context typically has only 30-50 active xlates and uses less than 1% of the available memory.
Here is my show failover output:
Failover unit Secondary
Failover LAN Interface: faillink Vlan 98 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
failover replication http
Config sync: active
Last Failover at: 11:09:58 cst Oct 31 2006
This host: Secondary - Active
Active time: 2411456 (sec)
<snip - all interfaces show normal>
Other host: Primary - Standby Ready
Active time: 0 (sec)
<snip - again, all interfaces show normal>
Stateful Failover Logical Update Statistics
Link : statelink Vlan 97 (up)
Stateful Obj     xmit       xerr   rcv      rerr
General          12826261   0      325678   50825686
sys cmd          314785     0      314784   0
up time          0          0      0        0
RPC services     594132     0      0        0
TCP conn         3152       0      1265     25412843
UDP conn         222        0      1266     25412843
ARP tbl          11913970   0      8363     0
Xlate_Timeout    0          0      0        0
Logical Update Queue Information
                 Cur   Max   Total
Recv Q:          0     3     2573054
Xmit Q:          0     0     12822887
Note the receive errors. I'm not sure how to interpret those, since the interfaces are virtual and vlan97 is dedicated to the firewalls with no other member interfaces. You may also notice that I'm running on the standby module currently. I forced a failover last month to see if the error would go away and if it would cause connections to drop. Failover worked perfectly, but the error has persisted.
I'd appreciate any suggestions about what to check next.
Your idea looked promising, so I dug into it for a few days. It turned out the customer did have a couple of overlapping NAT and static statements. But after cleaning those up the error persisted, and debug output never showed an error similar to the one above.
Upon further inspection, we finally discovered a trigger for this event. A Sun Ultra 5 running Cricket(RRDTool) was polling some external switches using SNMP at 5 minute intervals. The xlate error was occurring immediately after the first connection was built when polling began.
After some sniffing to see what Cricket was doing to confuse the firewall, we discovered an internal device being polled on a higher level security interface. It turns out that NAT was set up backwards for this device (the Ultra 5 had a static into the more secure network). The customer removed the static, stopped polling that device, and cleared the xlates on the standby.
The error ceased.
Thank you for the suggestion, Jason! It got us looking in the right direction.
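As an added example (not code from this thread or from Cisco), here is a small Python triage script covering the two clues that mattered above: it parses the stateful-update statistics from the show failover output to flag objects with non-zero xerr/rerr counters, and it measures the spacing between repeated FWSM-3-210007 syslog messages so a fixed interval (the 5 minutes seen here) can be matched against a scheduled job such as the SNMP polling found in the follow-up. The syslog timestamp format and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime
# Constructed excerpt of the `show failover` statistics section from the thread.
SHOW_FAILOVER = """\
Stateful Obj     xmit       xerr   rcv      rerr
General          12826261   0      325678   50825686
sys cmd          314785     0      314784   0
RPC services     594132     0      0        0
TCP conn         3152       0      1265     25412843
UDP conn         222        0      1266     25412843
ARP tbl          11913970   0      8363     0
Xlate_Timeout    0          0      0        0
"""
# Constructed syslog lines (timestamp format is an assumption) showing the
# message repeating every 5 minutes, as described in the thread.
SYSLOG = """\
Nov 02 2006 10:05:01: %FWSM-3-210007: LU allocate xlate failed
Nov 02 2006 10:10:01: %FWSM-3-210007: LU allocate xlate failed
Nov 02 2006 10:15:02: %FWSM-3-210007: LU allocate xlate failed
Nov 02 2006 10:20:01: %FWSM-3-210007: LU allocate xlate failed
"""

ROW = re.compile(r"^(.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_lu_stats(text):
    """Map each stateful object name to its xmit/xerr/rcv/rerr counters."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and non-table lines do not match
            counters = map(int, m.groups()[1:])
            stats[m.group(1).strip()] = dict(zip(("xmit", "xerr", "rcv", "rerr"), counters))
    return stats

def objects_with_errors(stats):
    """Names of objects whose transmit or receive error counter is non-zero."""
    return sorted(n for n, c in stats.items() if c["xerr"] or c["rerr"])

def message_period(text, msg_id, tolerance=5):
    """Seconds between consecutive occurrences of msg_id when they are evenly
    spaced (each gap within `tolerance` of the mean), otherwise None."""
    pattern = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %" + re.escape(msg_id))
    times = [datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
             for m in map(pattern.match, text.splitlines()) if m]
    if len(times) < 3:
        return None  # too few samples to call it periodic
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    period = round(sum(gaps) / len(gaps))
    return period if all(abs(g - period) <= tolerance for g in gaps) else None
```

A period of 300 seconds that lines up with a cron or poller schedule is the cue to look at what that job touches on the firewall, as the follow-up did with Cricket.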