We are having a problem periodically having to clear the xlate on our FWSM. We have a failover pair in 6509's. For some reason they stop passing all traffic. We clear xlate and everything runs fine for a random amount of time. Sometimes for a couple weeks, sometimes for a couple months. We have installed the latest software, replaced the hardware, compared the config between the primary and standby. Appears to be totally random. We have other FWSMs in the network without experiencing this problem.
What do you have your "translation slot" timeout value set at? I think it defaults to 03:00:00. I would try changing this to 00:30:00. I had to do this on all my inside context firewalls during an outbreak of RBOT in our environment.
We had the same problem occur a couple more times. We did a show xlate and the count was at 1108 the first time and 521 the second time so it does not appear to be running out.
I have the exact same problem, I have to run clear xlate to get the connections working. This problem appears within a few hours for me.
The latest news on my side is that I've gotten some advice from a consultant to review my NAT and GLOBAL settings.
I've got two "internal" networks with high sec-level accessing several lower security interfaces (including INTERNET) with the same NAT and GLOBAL statements, just the NAT (INTERFACE) subnet is different. This might be a problem according to the consultant and should be remedied with NAT 0 and differing NAT x statements.
This Tuesday I've got a service window and will try to implement this and do an upgrade to 3.2 at the same time.
We changed our xlate timeout and it did not make a difference. We checked our timeouts for connections and they were at 00:00, which I assume without reading is that they never timeout. We had 999902 most used connections and 600000+ in use. We changed our connection timers to 1 hour and the connections in use went down to 1615. We will see if this resolves our problem.
A few days ago I had sort of a breakthrough solving my problem with the lost connectivity requiring clear xlate. It seems the problem was related to two statics I had for my two authoritative DNSes hosting my domain.
I had the problem several times per hour, forcing me to migrate back to an older firewall. When, a few days ago, I tried to migrate again I had no problem until I added the first DNS static. As soon as I did that I lost connectivity.
I don't know what causes this but if you have statics for DNS servers and DNS inspection configured this might be a hint.
I believe ours may be related to the connections. Someone had taken the connections timeout and put them at 0 so they never timed out. Our connections had reached 999980. When we cleared xlate they dropped to 1500. We changed our timers and they stay around 1500. We think this is what was causing the random length of time that it took to fail. We are still monitoring.
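A small check script for the failure mode described in this thread (conn table filling up because `timeout conn` was set to 0:00:00), added here as an example and not posted by anyone in the thread. It assumes `show conn count` prints "N in use, M most used", that `timeout` config lines use the `timeout <name> h:mm:ss` form, and that the conn limit (taken as one million from the high-water marks quoted above) is passed in by the caller; the sample output is constructed.

```python
import re

# Constructed sample output, modelled on the numbers quoted in this thread
# (not real captures from anyone's FWSM).
CONN_COUNT_OUT = "600000 in use, 999902 most used"
TIMEOUT_CFG = (
    "timeout xlate 3:00:00\n"
    "timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02\n"
    "timeout uauth 0:05:00 absolute\n"
)

COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")
TIME_RE = re.compile(r"^\d+:\d{2}:\d{2}$")

def parse_count(text):
    """Parse 'show conn count' / 'show xlate count' output -> (in_use, most_used)."""
    m = COUNT_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised count output: {text!r}")
    return int(m.group(1)), int(m.group(2))

def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def parse_timeouts(cfg):
    """Map each 'timeout <name> <h:mm:ss>' pair to seconds; 0 means 'never expire'."""
    timeouts = {}
    for line in cfg.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "timeout":
            continue
        # Pair every name with the value following it; trailing keywords
        # such as 'absolute' are skipped because they are not h:mm:ss.
        for name, value in zip(tokens[1:], tokens[2:]):
            if TIME_RE.match(value):
                timeouts[name] = to_seconds(value)
    return timeouts

def check_fwsm(conn_out, cfg, conn_limit, warn_pct=80):
    """Return findings that explain a 'must clear xlate to recover' outage."""
    findings = []
    in_use, most_used = parse_count(conn_out)
    if in_use * 100 >= conn_limit * warn_pct:
        findings.append(f"conn table {in_use}/{conn_limit} in use ({warn_pct}% threshold)")
    if most_used >= conn_limit - 1000:
        findings.append(f"conn high-water mark {most_used} reached the limit {conn_limit}")
    if parse_timeouts(cfg).get("conn") == 0:
        findings.append("timeout conn 0:00:00: idle TCP connections never age out")
    return findings
```

Run `check_fwsm(CONN_COUNT_OUT, TIMEOUT_CFG, conn_limit=1_000_000)` against real `show conn count` and `show running-config timeout` output to get the two warnings this thread ended up diagnosing by hand.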