What can control the PAT translation slot's timeout?
I used a PIX 501 with 6.2(2). I set up timeout xlate to 10 minutes. It worked fine for NAT translation slots. But it didn't work for PAT translation.
Here is the information I got from the firewall.
sh xlate debug
125 in use, 15217 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
UDP PAT from inside:10.1.9.133/1962 to outside:X.153.46.6/1036 flags ri idle 0:39:39 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1918 to outside:X.153.46.6/1084 flags ri idle 1:21:31 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1898 to outside:X.153.46.6/1068 flags ri idle 1:37:47 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1879 to outside:X.153.46.6/1052 flags ri idle 1:53:57 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1860 to outside:X.153.46.6/1036 flags ri idle 2:10:12 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1956 to outside:X.153.46.6/1116 flags ri idle 0:48:59 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1937 to outside:X.153.46.6/1100 flags ri idle 1:05:13 timeout 0:00:30
If the xlate timeout works, then when the idle time of an xlate reaches the configured value, the translation slot should be disconnected. But it didn't work, and the firewall translation slots were always used up. It frequently got "out of address translation slot".
This is a known issue in the 6.2(2) code. The DDTS for this is CSCdy58717 - xlate table does not timeout entries. Need clear xlate to work. The good news is that this bug has been fixed in the 6.2(3) code. Can you upgrade your PIX and re-test to see that this resolves the issue you are reporting?
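The symptom in the output above (PAT entries idle far beyond their 0:00:30 timeout) can be checked for mechanically before the table fills up. The following is an added example, not part of the original posts and not Cisco tooling; it assumes the line format shown in the question, and the function name `stale_pat_xlates` and the last sample line are constructed for illustration.

```python
import re
from datetime import timedelta

# First three lines are copied from the "sh xlate debug" output in the question
# (the outside address is masked with "X" in the post); the last line is a
# constructed healthy entry for contrast.
SAMPLE = """\
125 in use, 15217 most used
UDP PAT from inside:10.1.9.133/1962 to outside:X.153.46.6/1036 flags ri idle 0:39:39 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1918 to outside:X.153.46.6/1084 flags ri idle 1:21:31 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1860 to outside:X.153.46.6/1036 flags ri idle 2:10:12 timeout 0:00:30
TCP PAT from inside:10.1.9.133/2001 to outside:X.153.46.6/1200 flags ri idle 0:00:05 timeout 0:00:30
"""

XLATE_RE = re.compile(
    r"^(?P<proto>\S+) PAT from (?P<src>\S+) to (?P<dst>\S+) "
    r"flags (?P<flags>\S+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)\s*$"
)

def _hms(text):
    """Convert the H:MM:SS strings printed by the PIX into a timedelta."""
    h, m, s = (int(part) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)

def stale_pat_xlates(output, grace=timedelta(0)):
    """Return PAT entries whose idle time exceeds their own timeout (+ grace)."""
    stale = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # summary line, flag legend, or a non-PAT entry
        idle, timeout = _hms(m["idle"]), _hms(m["timeout"])
        if idle > timeout + grace:
            stale.append({
                "proto": m["proto"], "src": m["src"], "dst": m["dst"],
                "idle": idle, "timeout": timeout, "overdue": idle - timeout,
            })
    return stale

if __name__ == "__main__":
    for e in stale_pat_xlates(SAMPLE):
        print(f'{e["proto"]} {e["src"]} -> {e["dst"]} '
              f'idle {e["idle"]} (overdue by {e["overdue"]})')
```

A non-empty result on a saved copy of the command output indicates entries that should already have been reclaimed, which matches the behaviour described for 6.2(2).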