06-26-2018 02:25 PM - edited 02-21-2020 07:55 AM
Dears,
My xlate table is growing very fast. I have plenty of IP addresses doing lots of PAT, and there are lots of NAT commands with flags sIT idle 1157:53:39 timeout 0:00:00
TCP PAT from INSIDE:192.168.30.72/52890 to Internet:192.168.159.1/52890 flags ri idle 4:06:53 timeout 0:00:30
TCP PAT from INSIDE:192.168.30.72/52888 to Internet:192.168.159.1/52888 flags ri idle 4:06:54 timeout 0:00:30
NAT from any:192.168.244.0/24 to INSIDE:192.168.244.0/24
flags sIT idle 1157:53:39 timeout 0:00:00
I have these commands in the running config
timeout xlate 4:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
Thanks
06-27-2018 12:03 AM
Can you please post the full global configuration for review? If it is not possible to post the full config due to company policy, please refer to this thread, which is useful:
https://supportforums.cisco.com/t5/firewalling/reg-tcp-timeouts-in-asa/td-p/1479915
BB
06-27-2018 12:21 AM - edited 06-27-2018 12:22 AM
thanks for the reply
My goal is to find the IP addresses which are generating lots of xlates. How can I find them? There were no changes to the ASA timeouts; they are at the defaults. There are some PCs or servers that are sending traffic which is generating the xlates.
thanks
06-27-2018 01:28 PM
06-29-2018 12:57 PM
Dear Experts
Awaiting for replies.
thanks
06-29-2018 02:43 PM
Hi,
The first NAT entry in your xlate text file example is a static NAT. This has a permanent xlate entry which is added to the xlate table when the object is created; it will never time out. An xlate entry will exist regardless of whether you are using the object. If you have unused static NAT entries, you can delete them, thereby reducing the number of static entries.
Whereas PAT does not have a permanent xlate entry; an xlate entry is added to the xlate table dynamically once traffic is NATted by matching the PAT rule. It has a 30 second xlate timeout, which begins only when the last conn is removed.
This post has more information on this.
HTH
06-30-2018 01:24 PM
Dears
thanks for the documents
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
As expected from the commands above, I traced one connection and its xlate, and it is working perfectly: when the TCP connection times out at 1:00:00, the xlate disappears after 30 seconds. But a few months ago the ASA was generating few xlates, 809 and less than 1000, but now it is reaching more than 7000.
How can I find the IP addresses that are generating too much traffic?
thanks
06-30-2018 01:52 PM
You could use the command "show local-host detail connection tcp 50" <- this would display hosts that have more than 50 active TCP connections and the amount of bytes transferred. You can obviously use a value other than 50. Removing "tcp 50" would display all connections.
HTH
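The "show local-host" command above answers the question on the box itself. As an added example (not part of this thread, and not Cisco code), the script below does the offline counterpart: it parses saved "show xlate" output in the line format quoted earlier in the thread, separates static entries (flag "s", which never age out) from dynamic PAT entries (flag "i"), and ranks inside hosts by how many dynamic xlates they currently hold. The sample output embedded in the script is constructed for the example; the function names and the handling of the wrapped "flags" continuation line are the script's own assumptions about the format.

```python
import re
from collections import Counter

# Constructed sample of "show xlate" output, in the line format quoted in this
# thread. The static NAT entry wraps its "flags ..." onto a continuation line.
SAMPLE_XLATE = """\
TCP PAT from INSIDE:192.168.30.72/52890 to Internet:192.168.159.1/52890 flags ri idle 4:06:53 timeout 0:00:30
TCP PAT from INSIDE:192.168.30.72/52888 to Internet:192.168.159.1/52888 flags ri idle 4:06:54 timeout 0:00:30
UDP PAT from INSIDE:192.168.30.15/5353 to Internet:192.168.159.1/5353 flags ri idle 0:00:12 timeout 0:00:30
TCP PAT from INSIDE:192.168.30.15/40001 to Internet:192.168.159.1/40001 flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from INSIDE:192.168.30.15/40002 to Internet:192.168.159.1/40002 flags ri idle 0:00:02 timeout 0:00:30
NAT from any:192.168.244.0/24 to INSIDE:192.168.244.0/24
    flags sIT idle 1157:53:39 timeout 0:00:00
"""

# One xlate line: optional protocol, PAT or NAT, "from IF:addr[/port] to IF:addr[/port]",
# then flags / idle / timeout. Assumed to match the format shown in the thread only.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>PAT|NAT)\s+from\s+"
    r"(?P<src_if>[^:\s]+):(?P<src>\S+)\s+to\s+(?P<dst_if>[^:\s]+):(?P<dst>\S+)\s+"
    r"flags\s+(?P<flags>\S+)\s+idle\s+(?P<idle>\S+)\s+timeout\s+(?P<timeout>\S+)"
)


def _join_continuations(text):
    """Glue lines that start with 'flags' onto the preceding entry line."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("flags") and joined:
            joined[-1] = joined[-1] + " " + line
        else:
            joined.append(line)
    return joined


def parse_xlate(text):
    """Parse show xlate output into a list of dicts, one per translation."""
    entries = []
    for line in _join_continuations(text):
        m = XLATE_RE.match(line)
        if not m:
            continue  # header lines or formats this parser does not handle
        e = m.groupdict()
        # ASA flag letters: s = static, i = dynamic, r = portmap, I = identity, T = twice
        e["static"] = "s" in e["flags"]
        # Strip the /port from PAT entries; a static NAT keeps its address or subnet as-is
        e["host"] = e["src"].split("/")[0] if e["kind"] == "PAT" else e["src"]
        entries.append(e)
    return entries


def dynamic_xlates_by_host(entries, top=10):
    """Rank inside hosts by the number of dynamic (non-static) xlates they hold."""
    counts = Counter(e["host"] for e in entries if not e["static"])
    return counts.most_common(top)


def static_xlate_count(entries):
    """Static entries never age out; only removing the NAT rule removes them."""
    return sum(1 for e in entries if e["static"])


if __name__ == "__main__":
    xlates = parse_xlate(SAMPLE_XLATE)
    print(f"{len(xlates)} xlates, {static_xlate_count(xlates)} static (never time out)")
    for host, n in dynamic_xlates_by_host(xlates):
        print(f"{host:<18} {n} dynamic xlates")
```

To use it on a real firewall, capture "show xlate" to a text file and pass the file contents to parse_xlate() instead of the constructed sample; the hosts at the top of the ranking are the ones to look at with "show local-host detail" or "show conn address". Keeping the static count separate matters because those entries will show up in the total no matter how the timeouts are tuned.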
06-30-2018 09:26 PM