I have a question about NAT behavior on FWSM 4.0. The problem is email server (Company A) cannot connect to email gateway (Company B) on the outside network and it randomly happen. I got this error from server guy "Detail: xlate has blocked the connection between A’s mail gateway and B’s mail gateway". It work fine again after clear xlate on firewall.
For some reason, your XLATE table is filled up. Hence, Email Server A (INSIDE) can’t communicate with Email Server B (OUTSIDE). I doubt this is a bug issue. I believe you’ve high network traffic/volume between INSIDE to OUTSIDE. Hence, this is affecting the communication between Email Server A (INSIDE) and Email Server B (OUTSIDE). Please do ensure your xlate timeout value isn’t modified, and kept to default i.e. 3 Minutes “timeout xlate 3:00:00”.
Listed below are some commands that you could type to investigate this issue further;
a) show np block (hardware buffer counters) - if they are non-zero and increasing it's bad. You're most likely running into hardware limitation of the FWSM.
b) show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate limiting mechanisms built into network processors.
Perhaps, what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
If the xlate-bypass doesn’t resolve your issue, please do ensure you’ve a static NAT or dedicated nat/global in place.
The last resort is to enable sysoption np completion-unit, this magic option is invoking special processing created to address scenarios in which FWSM was known to introduce out of order packets for TCP streams.
P/S: If you think this comment is useful, please do rate them nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...