Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

regular translation creation failed on fwsm without NAT

I have a fwsm which is used the connect a number of VRFs. Basically the fwsm functions as a router.

fwsm version 3.2(6) just upgraded from 3.2(1).

Occasionally i get the following error in my log: "%FWSM-3-305006: regular translation failed"

I have configured ACLs that permit all traffic from any to any on each interface.

All interfaces have the same security level.

I don't have NAT configured, nat-control is disabled.

And "same-security-traffic permit inter-interface" is enabled.

Any ideas why?

/Kennet

3 REPLIES

Re: regular translation creation failed on fwsm without NAT

This is what Cisco has to say:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/s1.html#wp2655928

"We recommend that you do not make the outside interface (for example, where you access the Internet) on the same security level as your inside interfaces. On the FWSM, all connections have an associated xlate entry (even when you do not explicitly configure NAT). Xlates are normally created for connections between the inside interface and any lower security interface. In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. This selection may change later after a reload or after a software upgrade. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it.

If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for xlate limits). After that, the FWSM will stop creating new xlates, logging error message %FWSM-3-305006: ("translation creation failed") for every new connection. The show resource usage command will show the number of active xlates equal or close to the limit. The clear xlate command will temporarily recover connectivity.

To avoid this situation, we recommend that the outside interface should always have security level lower than any other FWSM interface. This configuration guarantees that the FWSM always considers the ISP link as an outside interface. In this case, only one xlate will be created for every application or virus scanning Internet hosts from the inside network. No xlates will be created for Internet hosts being scanned."

Regards

Farrukh

New Member

Re: regular translation creation failed on fwsm without NAT

The fwsm is not conncted to the Internet. Although there is a default route pointing to another firewall which serves as Inetrnet firewall.

Each interface on the fwsm connects to a vrf. Each vrf represents a company in a merger. In the future we will use the fwsm as a prober firewall to segment parts of the company.

Output from "sh resource usage"

Xlates 43840 45142 unlimited 0 System

Is there a limit?

/Kennet

Re: regular translation creation failed on fwsm without NAT

Have a look at this:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.html#wp1055791

NAT translations (xlates), concurrent

Single Mode: 256 K

Multiple Mode: 256 K divided between all contexts

Regards

Farrukh

777
Views
0
Helpful
3
Replies
CreatePlease to create content