
Does clear xlate have any negative effect on active IP connections?

reganv
Level 1

Hi,

I think I understand how clear xlate works, i.e. it clears the existing translations and the port connections that rely on these translations.

So here is the question:

If you clear xlate <all> (existing), surely it clears the stateful connections out of and into the PIX.

Won't this cause issues for a user / application that is expecting inbound return traffic? Would the application / IP time out until they reinitiate the connection from the inside?

Part two of the question

If I reduce the global IP scope, is it not good to clear the xlate entries of only the removed global IPs, not the whole xlate connection database, to ensure I can use that newly freed-up IP for something else?

Thanks,

Regan


thomas.chen
Level 6

Never change your global pools until you can reboot the PIX. Clear Xlate is not enough as active connections and waiting connection states are not reliably cleared. After you’ve modified your global pool, clear everything with a reboot (which takes less than 15 seconds if there’s no floppy disk in the drive.)

awalnet
Level 1

Hi Regan,

Yes, clear xlate will clear all the active connections. It happened with me. We are running Cisco Secure ACS for NT for authenticating the dialup users. The NAS (Cisco 7206VXR) are using ACS to authenticate the users. The ACS is on a secured segment and the NAS is on the outside segment. When I changed some access-lists and applied clear xlate, all the authenticated sessions on ACS dropped.

Check out the xlate timer command for some details.

Regards,

Zeshan Mansoor Jalali

CCIE (R&S) Written, CCNP, CCDA, Cisco Security Specialist.

As for the first, you are right. Connections will certainly be lost until a reinitiation from the inside or outside (in case you allow incoming connections) takes place. This implies that everything depends on the application itself. For example, if a user is making a download at the moment a "cl xl" command is applied, he/she will have the connection dropped. Nevertheless, certain applications are able to establish a new connection transparently to the user.

Reducing the pool of global addresses might work for you, but you should always be aware (in case of NAT and not PAT) that each global IP maps to a unique local IP; thus, a potential problem occurs in not being able to serve your users with addresses.
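The dependency the replies describe (every connection rides on a translation, so clearing the translation tears down the connection) and the part-two idea of clearing only the entries for global addresses removed from the pool, as an added toy model. This is illustration code written for this thread, not PIX code; the addresses and flows are constructed, and a 1:1 NAT pool is assumed.

```python
from dataclasses import dataclass, field

@dataclass
class Xlate:
    local: str   # inside address
    glob: str    # global (outside) address it is translated to

@dataclass
class Conn:
    local: str   # inside endpoint; the flow rides on the xlate for local
    remote: str  # outside peer

@dataclass
class PixState:
    xlates: list = field(default_factory=list)
    conns: list = field(default_factory=list)

    def clear_xlate(self, global_ips=None):
        """Drop translations (all, or only those on global_ips) and their conns."""
        if global_ips is None:
            victims = {x.local for x in self.xlates}
            self.xlates = []
        else:
            victims = {x.local for x in self.xlates if x.glob in global_ips}
            self.xlates = [x for x in self.xlates if x.glob not in global_ips]
        dropped = [c for c in self.conns if c.local in victims]
        self.conns = [c for c in self.conns if c.local not in victims]
        return dropped

def sample_state():
    """Constructed data: three inside hosts on a 1:1 NAT pool, four flows."""
    return PixState(
        xlates=[Xlate("10.1.1.10", "203.0.113.10"),
                Xlate("10.1.1.11", "203.0.113.11"),
                Xlate("10.1.1.12", "203.0.113.12")],
        conns=[Conn("10.1.1.10", "198.51.100.5"),
               Conn("10.1.1.10", "198.51.100.6"),
               Conn("10.1.1.11", "198.51.100.7"),
               Conn("10.1.1.12", "198.51.100.8")])

def full_clear():
    """'clear xlate' with no qualifier: every flow is lost."""
    s = sample_state()
    return len(s.clear_xlate()), len(s.conns)

def selective_clear(removed_globals):
    """Clear only the xlates whose global IP left the pool."""
    s = sample_state()
    dropped = s.clear_xlate(global_ips=set(removed_globals))
    return [c.local for c in dropped], len(s.conns)
```

Flows of hosts whose global address stays in the pool survive the selective clear; the unqualified clear drops all of them and leaves the inside hosts to reinitiate.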