Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
505
Views
0
Helpful
6
Replies

"Out of translation slots"

j-toates
Level 1
Level 1

‎01-23-2003 06:01 AM - edited ‎03-09-2019 01:48 AM

I have recently starting having a problem with running out of translation slots. I have 2 global PAT's setup that should give me more than enough. I think the problem is that connection are getting disconnected, even though I have my xlate and conn timeouts set low. It takes about a day, but I eventually totally running out of translation slots and I have to clear xlate...Any help would be appreciated...

Labels:
0 Helpful
6 Replies 6

mpalardy
Level 3
Level 3

‎01-23-2003 08:17 AM

What exactly are those values ? (timeout and provided me with global)

What's the output of show xlate. There's may be a host whitch use all this ressource on PIX.

Michael

0 Helpful

j-toates
Level 1
Level 1
In response to mpalardy

‎01-23-2003 08:49 AM

xconn value is set to 30min (temp)

conn value set to 30min (temp)

show xlate doesn't really show anything out of the ordinary..There are multiple hosts, although some host have multiple translates..

Shouldn't these xlates timeout after 30 mintues then drop..

Thanks for the reply

0 Helpful

mpalardy
Level 3
Level 3
In response to j-toates

‎01-23-2003 11:44 AM

Xlate will be dropped after 30 minutes of idle (inactivity).

Since timeout value are equal between xlate and conn. I'd give it a BIG try by increasing xlate timeout to 00:40:00.

May be a reload of your pix would be good.

Anybody have a better idea.

What version of PIX do you run ?

0 Helpful

mattmurf
Level 1
Level 1
In response to mpalardy

‎01-25-2003 08:26 AM

Did the config used to work fine? If so you may want to check http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

0 Helpful

reinke
Level 1
Level 1
In response to mattmurf

‎01-27-2003 04:55 AM

Just a little bit brainstorming:

PAT uses different default timeouts than NAT (30 seconds versus 3 hours). 30 seconds are used to save ressources: If PAT is in use, every session needs its own xlate, because we need ip addresses and port numbers!

I am not shure if there is a nob to change the default timeout for xlates which are based on PAT.

What about License:

- Do you use a UR license?

- Do you use a pix 501 with a 10 user license?

Edgar

0 Helpful

raymond.ho
Level 1
Level 1
In response to reinke

‎01-27-2003 05:49 PM

Hi,

I'm facing same problem and I using pix 515. Did you have setup syslog server for your pix and using the tcp port for connection. If yes, please try to disable it, it will change back to normal. Try!

Raymond

0 Helpful
Customers Also Viewed These Support Documents