New Member

Pix 7.2(1) clear xlate issue

Every morning I have to issue a clear xlate on our firewall to browse the Internet. Our inbound web servers are not affected. Any ideas on getting a handle on this problem? This issue has been a tough nut to crack.

15 REPLIES
Silver

Re: Pix 7.2(1) clear xlate issue

Are you using NAT or PAT? If you run out of address in the NAT pool you would have to clear the xlate to allow new traffic to get an IP.

New Member

Re: Pix 7.2(1) clear xlate issue

I have the same problem...

I don't think that running a "clear xlate" command every day is the ideal solution.

New Member

Re: Pix 7.2(1) clear xlate issue

I have checked everything I can think of. I made sure my ethernet ports were set to 100 full. I have also replaced the actual pix hardware (same config). Still no luck. I am replacing my ethernet cables tonight. I am waiting on a smartnet contract number, then I'm calling Cisco.

I have also downgraded from 7.X back to 6.3; same problem. Am I missing something?

I'll post a sanitized config if anybody is interested.

New Member

Re: Pix 7.2(1) clear xlate issue

I am using PAT. I am using only 1 address for outbound traffic. I also have a restricted license. What is the limitation of this license? Maybe a license upgrade is needed.

New Member

Re: Pix 7.2(1) clear xlate issue

Hi,

How many internal hosts do you have using the PAT? Also, do you have many statics?

Glen.

Cisco Employee

Re: Pix 7.2(1) clear xlate issue

You should enable logging to get a better idea of what is happening. Also, the next time the issue happens, do a "show xlate" and "show conn". A sanitized config would help too.

Hope that helps! If so, please rate.

Thanks

New Member

Re: Pix 7.2(1) clear xlate issue

I have posted a sanitized config. Hopefully it's readable. Just an update, we don't have trouble during the day. It seems to happen at night. I have to clear the translation table (clear xlate) every morning. And it just started about 2 months ago. This firewall has been in use for almost 2 years.

Re: Pix 7.2(1) clear xlate issue

License definitely applies limitations as to the number of concurrent connections you can have ... for example for a 501:

License                      Function
10 User License              Support for up to ten concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 32 leases.
50 User License              Support for up to 50 concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 128 leases.
Unlimited User License       Support for an unlimited number of concurrent connections from different source IP addresses on the internal network to traverse the firewall. Also provides DHCP server support for up to 256 leases.
DES Encryption License       Support for 56-bit DES encryption.
3DES/AES Encryption License  Support for 168-bit 3DES and up to 256-bit AES encryption.

I hope it helps .. please rate if it does !!!

Silver

Re: Pix 7.2(1) clear xlate issue

If you had 7.0 you have at least the 515 and even with a restricted license you should be fine. When you PAT an ip address it can handle 4024 (not sure if this is the exact number) xlates. If you have too many outbound xlates at some point it will reach the limit. Best way to fix this is add more than 1 PAT entry or use a NAT pool backed up with PAT. If you don't have any more IPs you could lower the xlate timeout value. The default is 3 hours so by setting it lower it may help your issue.

Hope this helps.

Chad

New Member

Re: Pix 7.2(1) clear xlate issue

I am running 7.2(1). I am unsure on how to do what you are describing. I am attaching a sanitized config. My timeout values are set to default. We have about 300 internal hosts. Also something in the config may be wrong.

Silver

Re: Pix 7.2(1) clear xlate issue

Your config is fine. But you're trying to PAT 300 hosts to 1 ip.

This link should help.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008063b1fa.html

PAT:

    global (outside) 1 192.168.1.1

Multiple PAT:

    global (outside) 1 192.168.1.1
    global (outside) 1 192.168.1.1

NAT pool with PAT backup:

    global (outside) 1 192.168.1.1-192.168.1.100
    global (outside) 1 192.168.1.101

New Member

Re: Pix 7.2(1) clear xlate issue

I'm assuming for multiple PAT I can place another outside IP address as the second entry. Your example shows the same IP twice. I am going to read through the link you provided. If I can clarify what I need, I'll make the change tonight and see what happens.

Silver

Re: Pix 7.2(1) clear xlate issue

Yes you would use another usable IP.

Sorry for the typo.

New Member

Re: Pix 7.2(1) clear xlate issue

Well, I made the changes and added a second global PAT. When I came to work this AM it was still slow on http connections. I had to do a clear xlate to restore the speed.

Any other suggestions?

Silver

Re: Pix 7.2(1) clear xlate issue

Turn on logging and look for errors when you are having the issue.

The error below would indicate the xlate pool has been exhausted.

Log Message %PIX-3-202001: Out of address translation slots!

Recommended Action:

Add more PAT addresses. Alternatively, shorten the timeout for xlate and conn. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.
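The two pieces of advice in this thread, turning on logging to catch %PIX-3-202001 and sizing the PAT pool for the number of hosts, can be combined into a small check. The script below is an added example, not code from the thread or from Cisco: it buckets the 202001 syslog messages by hour (to confirm the "happens at night" pattern) over constructed sample log lines, and estimates how many PAT addresses a host count needs under the assumption that a PIX 7.x PAT address draws source ports from 1024-65535 (64512 ports per IP); the host and connection counts are placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines in the PIX 7.x "logging timestamp" format.
# The 302013 lines are ordinary connection builds; 202001 is the exhaustion error.
SAMPLE_LOG = """\
Jun 12 2007 02:14:07: %PIX-6-302013: Built outbound TCP connection 1048 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.25/4711 (198.51.100.2/61120)
Jun 12 2007 02:15:31: %PIX-3-202001: Out of address translation slots!
Jun 12 2007 02:15:32: %PIX-3-202001: Out of address translation slots!
Jun 12 2007 03:02:10: %PIX-3-202001: Out of address translation slots!
Jun 12 2007 09:30:00: %PIX-6-302013: Built outbound TCP connection 2201 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.40/1050 (198.51.100.2/1025)
"""

# timestamp: %PIX-<severity>-<6-digit message id>: <text>
LINE_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(\d)-(\d{6}): (.*)$"
)
XLATE_EXHAUSTED = "202001"  # "Out of address translation slots!"

# Assumption: PAT uses source ports 1024-65535 on each global address.
PORTS_PER_PAT_IP = 65535 - 1024 + 1  # 64512


def exhaustion_by_hour(log_text):
    """Count %PIX-3-202001 events per hour, keyed 'YYYY-MM-DD HH'."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a PIX syslog line we understand
        ts, _severity, msg_id, _text = m.groups()
        if msg_id != XLATE_EXHAUSTED:
            continue
        when = datetime.strptime(ts, "%b %d %Y %H:%M:%S")
        hits[when.strftime("%Y-%m-%d %H")] += 1
    return dict(hits)


def pat_addresses_needed(hosts, conns_per_host, ports_per_ip=PORTS_PER_PAT_IP):
    """Minimum number of PAT global addresses for hosts * conns_per_host
    simultaneous xlates (each xlate holds one port on a global address)."""
    needed = hosts * conns_per_host
    return -(-needed // ports_per_ip)  # ceiling division


if __name__ == "__main__":
    for hour, count in sorted(exhaustion_by_hour(SAMPLE_LOG).items()):
        print(f"{hour}:00  xlate exhaustion events: {count}")
    # Placeholder figures: the thread's 300 hosts at an assumed 50 connections each.
    print("PAT addresses needed:", pat_addresses_needed(300, 50))
```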
