We're working on a new network... PIX 515E with 128 MB RAM. We are seeing dropped connectivity and noticed the problem happens when the xlate count hits 49,000. We clear xlate and the problem goes away for about 5-10 minutes.
Is there any way to increase the xlate limit? We tried creating a NAT pool per various subnets inside, but it didn't change the global count.
We have about 2200 students who, I'm sure, have tons of P2P apps causing the issue.
PIX 515E supports a maximum of 130,000 connections. Since there are close to 49,000 NAT translation entries, and if each xlate has 3 connections, it almost hits the max connections that the PIX supports. Under this circumstance I think it will start dropping packets...
Anyway, you can decrease the xlate timeout value, which can clear out unused xlate connections... Other than that, I think the hardware chosen for such a high user base is not correct. For 2200 users you should probably have looked for a higher-end PIX or ASA. Also see if there are any virus problems on your network that have increased the xlate table...
Hope this helps.. all the best.. rate replies if found useful..
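As an added illustration (not part of the original thread), the xlate timeout adjustment the reply suggests, shown on a PIX 6.x CLI; the 30-minute value is an assumption for illustration, not a figure from the thread:

```cisco
! Default on PIX 6.x: translations idle for 3 hours before they are reclaimed,
! so abandoned P2P sessions keep occupying xlate slots long after they end.
timeout xlate 3:00:00

! Adjusted setting (assumed value): reclaim idle translations after 30 minutes
! so the table stays below the ceiling without manual "clear xlate".
timeout xlate 0:30:00

! Watch the tables before and after the change to confirm the effect.
show xlate count
show conn count
```

The two `timeout xlate` lines are the before and after settings; only the second one belongs in the running configuration.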