topic Re: Pix 7.2(1) clear xlate issue in Network Security

Pix 7.2(1) clear xlate issue

happystate_2 — Fri, 21 Feb 2020 09:03:18 GMT

Every morning I have to issue a clear xlate on our firewall to browse the Internet. Our inbound web servers are not affected. Any ideas on getting a handle on this problem This issue has been a tough nut to crack.

Re: Pix 7.2(1) clear xlate issue

cpembleton — Tue, 18 Jul 2006 17:42:52 GMT

Are you using NAT or PAT? If you run out of address in the NAT pool you would have to clear the xlate to allow new traffic to get an IP.

Re: Pix 7.2(1) clear xlate issue

josky_jara — Tue, 18 Jul 2006 19:07:30 GMT

I have the same problem...

I don't think that run a "clear xlate" command all the days is the ideal solution

Re: Pix 7.2(1) clear xlate issue

happystate_2 — Wed, 19 Jul 2006 02:22:21 GMT

I have checked every thing I can think of. I made sure my ethernet ports were set to 100 full. I have also replaced the actual pix hardware (same config). Still no luck. I am replacing my ethernet cables tonight. I am waiting on a smartnet contract number, then I'm calling Cisco.

I also have downgraded from 7.X back to 6.3 same problem? I'm I missing something.

I'll post a sanatized config if anybody is interested.

Re: Pix 7.2(1) clear xlate issue

happystate_2 — Wed, 19 Jul 2006 02:24:53 GMT

I am using PAT. I am using only 1 address for outbound traffic. I also have a restricted license. What is the limitation of this license. Maybe a license upgrade is needed.

Re: Pix 7.2(1) clear xlate issue

glen.messenger — Wed, 19 Jul 2006 02:56:28 GMT

Hi,

How many internal hosts do you have using the PAT? Also, do you have many static's?

Glen.

Re: Pix 7.2(1) clear xlate issue

hemendoz — Wed, 19 Jul 2006 04:09:59 GMT

You should enable logging to get a better idea of what is happening. Also, the next time the issue happens, do a "show xlate" and "show conn". A sanitized config would help too.

Hope that helps! If so, please rate.

Thanks

Re: Pix 7.2(1) clear xlate issue

Fernando_Meza — Wed, 19 Jul 2006 04:45:02 GMT

License definetely applies limitations as to thenumber of concurrent connections you can have ... for example for a 501

License Function

10 User License Support for up to ten concurrent connections from different

source IP addresses on the internal network to traverse the

firewall. Also provides DHCP server support for up to 32 leases.

50 User License Support for up to 50 concurrent connections from different

source IP addresses on the internal network to traverse the

firewall. Also provides DHCP server support for up to 128

leases.

Unlimited User License Support for an unlimited number of concurrent connections from

different source IP addresses on the internal network to traverse

the firewall. Also provides DHCP server support for up to 256

leases.

DES Encryption License Support for 56-bit DES encryption.

3DES/AES Encryption License Support for 168-bit 3DES and up to 256-bit AES encryption.

I hope it helps .. please rate if it does !!!

Re: Pix 7.2(1) clear xlate issue

cpembleton — Wed, 19 Jul 2006 13:31:44 GMT

If you had 7.0 you have at least the 515 and even with a restricted license you should be fine. When you PAT an ip address it can handle 4024(not sure if this is the exact number) xlates. If you have to many outbound xlates at some point it will reach the limit. Best way to fix this is add more then 1 pat entry or us a nat pool backed up with PAT. If you don't have any more IP's you could lower the xlate timeout value. The default is 3 hours so by setting it lower it may help your issue.

Hope this helps.

Chad

Re: Pix 7.2(1) clear xlate issue

happystate_2 — Wed, 19 Jul 2006 13:59:08 GMT

I am running 7.2(1) I am unsure on how to do what your are describing. I am attaching a sanatized config. My timeout values are set to default. We have about 300 internal hosts. Also something in the config may be wrong

Re: Pix 7.2(1) clear xlate issue

happystate_2 — Wed, 19 Jul 2006 14:01:40 GMT

I have posted a sanatized config. Hopefully its readable. Just an update, we don't have trouble during the day. It seems to happen at night. I have to clear the translation table(clear xlate) every morning. And it just started about 2 months ago. This firewall has been in use for almost 2 years.

Re: Pix 7.2(1) clear xlate issue

cpembleton — Wed, 19 Jul 2006 14:15:47 GMT

Your config is fine. But your trying to PAT 300 hosts to 1 ip.

This link should help.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008063b1fa.html

PAT

Global (outside) 1 192.168.1.1

Multiple PAT

Global (outside) 1 192.168.1.1

NAT pool with PAT backup

Global (outside) 1 192.168.1.1-192.168.1.100

Global (outside) 1 192.168.1.101

Re: Pix 7.2(1) clear xlate issue

happystate_2 — Wed, 19 Jul 2006 14:45:16 GMT

I'm assuming for multiple PAT I can place another outside IP address as the second entry. Your example show the same IP twice. I am going to read through the link you provided. If I can clarify what I need, I'll make the change tonight and see what happens

Re: Pix 7.2(1) clear xlate issue

cpembleton — Wed, 19 Jul 2006 15:31:31 GMT

Yes you would use another usable IP.

Sorry for the typo.

Re: Pix 7.2(1) clear xlate issue

happystate_2 — Thu, 20 Jul 2006 12:54:03 GMT

We'll, I made the changes and added a second global PAT. When I came to work this AM is was still slow on http connections. I had to do a clear xlate to restore the speed.

Any other suggestions.

Re: Pix 7.2(1) clear xlate issue

cpembleton — Thu, 20 Jul 2006 14:07:49 GMT

Turn on logging and look for errors when you are having the issue.

The error below would indicate the xlate pool has been exhausted.

Log Message %PIX-3-202001: Out of address translation slots!

Recommended Action:

Add more PAT addresses. Alternatively, shorten the timeout for xlate and conn. This could also be caused by insufficient memory; reduce the amount of memory usage, or purchase additional memory.