clear xlate not working?

pmoy · ‎08-01-2006

We having a problem that is driving us up the wall!

PIX Version 6.3.1 (I know, older version, but should still work)

show xlate

Global 204.124.119.46 Local 192.168.162.37

No big deal, I need to point the local address to a new host:

no static (inside,outside) 204.124.119.46 192.168.162.37 netmask 255.255.255.255

static (inside,outside) 204.124.119.46 192.168.11.146 netmask 255.255.255.255

clear xlate

Immediately after this command, a show xlate shows a blank table. As the connections restore themselves, the old NAT reappears!

Even after multiple retries, we removed the static command completely, clear xlate, and the command reappears!

We have constant connections to this host from the outside that we can shutdown, will this make a difference?

This change was made on the primary failover host with stateful failover enabled.

HELP! This is putting the brakes on a major cutover project. I suppose I could just reboot the thing, but could not do it last night.

Thanks,

-Pete

andrew100 · ‎08-01-2006

Hi Pete,

This is strange - have you done a bug check on the image? It is possible also to clear only the connection in question using 'clear xlate Global xxx.xxx.xxx.xxx Local 192.168.162.37' as clear xlate on large networks for the full table can be drastic! Re-booting the pix is an option but shouldn't be necessary. I suggest a bug check, is this possible? I have never come accross such an issue...

Andy

pmoy · ‎08-01-2006

Thanks for the help. I'll try a bug check, I already have a TAC case open, but the standard answer is to upgrade the software. We're only using the basic features of the PIX and I can't believe something like this would be fix when I ran the same scenario on our older 6.0.1 PIX and had no issues after the clear xlate.

Here is something else weird:

show xlate:

Global 204.124.119.29 Local 192.168.11.146

I had an old entry with the static command mapping 11.146 to 119.29. This command has been REMOVED last night and a clear xlate done several times. My xlate timeout is 03:00:00 (3 hrs, right?)

I come in this morning and ping the 204.124.119.29 address just to see what would happen, sure enough, the PIX built the translation again!

-Pete

pmoy · ‎08-01-2006

new command, clear local-host?

Can someone elaborate on this command vs. clear xlate?

when I do a show local-host, I see my phantom xlate listed:

local host: <192.168.11.146>, conn(s)/limit = 0/0

embryonic(s)/limit = 0/0, incomplete(s) = 0

AAA:

Xlate(s):

Global 204.124.119.29 Local 192.168.11.146

Conn(s):

Remember, this translation 204.124.119.29 <--> 192.168.11.146 is no longer defined by any static command!

Maybe I should try a clear local-host command and the clear xlate...

Fernando_Meza · ‎08-01-2006

Hi .. It sounds like a bug .. Try making the change after hours

1.- remove the old static

2.- restart the PIX

3.- add the new static

I hope it helps .. please rate it if it does !!!

pmoy · ‎08-01-2006

Issue resolved...

Well, the last resort solution would have been a restart of the PIX, but I wouldn't be able to do this until the weekend.

It turns out the "clear local-host" command solves the issue of clearing the cached old static! I was able to flip between the old inside and new inside address several times. The clear xlate command had NO EFFECT clearing the previous static entry.

Weird. Then again, I am running an old version of the software 6.3.1.

Thank you all!