PIX 515 "out of address translation slots"


I have a problem with xlates running too high for the memory installed. I'm using PAT and I have set the xlate and conn timeouts down to 30 min. My problem is that I don't know what values to expect when doing a "show memory". Can anybody advise me on what to expect and possibly how I can reduce memory usage?

I get these error messages:

%PIX-3-202001: Out of address translation slots!

This is my setup (I have a simple config, not big):

# sho conn coun

38604 in use, 40912 most used

# sho xlate coun

41303 in use, 41303 most used

# show memory

67108864 bytes total, 17076224 bytes free

# show vers

Cisco PIX Firewall Version 6.2(1)

Cisco PIX Device Manager Version 2.0(1)

Compiled on Wed 17-Apr-02 21:18 by morlee

x up 20 days 14 hours

Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.54ff.c8ba, irq 10

1: ethernet1: address is 0050.54ff.c8bb, irq 7

2: ethernet2: address is 00d0.b7af.1260, irq 11

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES: Enabled

Maximum Interfaces: 6

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

Regards, Rolf

Cisco Employee

Re: PIX 515 "out of address translation slots"

The issue here is that you're not running out of memory; you're running out of external addresses for the PIX to translate your internal addresses to. You need to look at your nat/global commands. You currently have 41303 address translations in use, and the PIX has run out of addresses/ports to use.

This message has nothing to do with memory. Try adding another external address in your global commands; that'll give you a bunch more addresses.

New Member

Re: PIX 515 "out of address translation slots"

The reason why I suspected memory is the error description I found on CCO:

%PIX-3-202001: Out of address translation slots!

Explanation: This is a connection-related message. This message is logged if the PIX Firewall has no more address translation slots available.

Action: Check the size of the global pool compared to the number of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of xlates and connections. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.

Here is my global setup:

global (outside) 1 2x7.8.1x6.194-2x7.8.1x6.240 netmask

global (outside) 1 2x7.8.1x6.193 netmask

It works OK, with the pool being used first and then the PAT as a last resort. PAT should then in theory be able to set up over 60000 xlates.

Am I correct to assume that one single host only generates one xlate, but can generate several connections? I find it suspect that there are more xlates than connections. Also, the number 41303 is too high if it represents single hosts. This could be a host that is wrongly configured or compromised (ref. CCO):

Note: A single host can have multiple connections to various destinations, but only one translation. If the xlate count is much larger than the number of hosts on your internal network, it is possible that one of your internal hosts has been compromised and is spoofing its source address and sending packets out the PIX.
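As an added example, not part of this thread or of Cisco's own tooling: a small Python script that parses "show xlate" output and flags the two conditions the CCO note above points at, an inside host burning far more PAT slots than its neighbours and a local address that lies outside the inside network (a possible spoofing host). The line format is assumed from PIX 6.x output and the sample lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed PIX 6.x "show xlate" line formats (constructed sample, not from the thread):
#   Global 203.0.113.10 Local 10.1.1.15                 (one-to-one pool NAT)
#   PAT Global 203.0.113.1(1025) Local 10.1.1.20(4040)  (port address translation)
SAMPLE_XLATE = """\
Global 203.0.113.10 Local 10.1.1.15
Global 203.0.113.11 Local 10.1.1.16
PAT Global 203.0.113.1(1025) Local 10.1.1.20(4040)
PAT Global 203.0.113.1(1026) Local 10.1.1.20(4041)
PAT Global 203.0.113.1(1027) Local 10.1.1.20(4042)
PAT Global 203.0.113.1(1028) Local 198.51.100.7(53)
PAT Global 203.0.113.1(1029) Local 10.1.1.21(3001)
"""

XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))? "
    r"Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$"
)

def parse_xlates(text):
    """Return a list of (is_pat, global_ip, local_ip) tuples, one per xlate line."""
    out = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            out.append((m.group("pat") is not None, m.group("gip"), m.group("lip")))
    return out

def xlates_per_host(xlates):
    """Translation slots consumed per inside host (a PAT host uses one per connection)."""
    return Counter(lip for _, _, lip in xlates)

def suspicious_hosts(xlates, inside_nets, pat_threshold):
    """Return (spoofed, heavy): local addresses outside the inside networks, and
    hosts holding more PAT slots than pat_threshold."""
    nets = [ip_network(n) for n in inside_nets]
    spoofed = sorted({lip for _, _, lip in xlates
                      if not any(ip_address(lip) in n for n in nets)})
    pat_counts = Counter(lip for is_pat, _, lip in xlates if is_pat)
    heavy = sorted(h for h, c in pat_counts.items() if c > pat_threshold)
    return spoofed, heavy

if __name__ == "__main__":
    xl = parse_xlates(SAMPLE_XLATE)
    print(len(xl), "xlates;", dict(xlates_per_host(xl)))
    print(suspicious_hosts(xl, ["10.1.1.0/24"], pat_threshold=2))
```

Feed it the full "show xlate" output from the box and compare the per-host counts against "show conn count": under pool NAT each host should hold one slot, so a host with hundreds of PAT slots or a local address you do not own is the one to look at first.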

