
ASA %ASA-3-210007: LU allocate xlate failed

deyster94

I have a client that keeps receiving the following syslog error:

ASA %ASA-3-210007: LU allocate xlate failed

It has been identified in bug report:

CSCsi65122 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi65122)

This bug report states the following:

Overlapping static with NAT exemption causes xlate errors on standby

Symptom:

"%ASA-3-210007: LU allocate xlate failed" appearing on standby unit

Conditions:

- Stateful failover enabled.

- Overlap between a static NAT rule and the NAT exemption.

- The "alias" command is used to rewrite the destination IP address.

Workaround:

In the NAT exemption access-list, deny specifically the traffic matching the source of the traffic with destination the alias'd IP address.

I looked at this bug report and it says the error was first found in 7.0/7.2.  However, the client is running 8.4(1) on the ASAs.  When this problem initially came to light, my co-worker found this bug report:

CSCth74844

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth74844&from=summary

This made sense since at the time they were running 8.32 and upgrading to a newer code seemed to be how to fix it according to this article:

http://www.techbloc.net/archives/31

However, even after the upgrade to 8.4(1), the problem still exists.  Do we need to roll them back to the unreleased code that the above article mentions?  Or should this problem have been fixed in the 8.4(1) release?

TIA for any ideas/suggestions.  A call to TAC may be in order for this problem, especially since the workaround doesn't seem to be the best solution.


varrao

Deyster,

To troubleshoot this issue, we first need to verify whether this error message is cosmetic or whether we are really hitting a known issue. To identify it, we need to first verify whether the xlate tables on both the firewalls are approximately the same or not (you can do this by using the show xlate command on the firewalls). If they are the same and we are still getting these messages, then it is a cosmetic issue (which does not affect the traffic).

This particular message appears if the xlate tables are not correctly replicated between the active and standby unit in failover.

I would request you to provide the below debugs:

debug nat 5

debug fover fail

This would further help us in identifying the issue.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao
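The active/standby xlate comparison suggested in the reply above, as an added example that is not part of the original thread: it diffs two saved `show xlate` captures while ignoring idle timers. It assumes the 8.3+ entry format (`NAT from <if>:<real> to <if>:<mapped>`); the sample captures, the `compare` helper and the 0.9 overlap threshold are constructed for illustration, since the thread does not quantify "approximately the same".

```python
import re

# Constructed sample captures of `show xlate` from each failover unit.
ACTIVE = """\
3 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.10 to outside:203.0.113.10
    flags s idle 0:01:12 timeout 0:00:00
NAT from inside:10.1.1.20 to outside:203.0.113.20
    flags s idle 0:00:05 timeout 0:00:00
TCP PAT from inside:10.1.1.30/51514 to outside:203.0.113.1/51514 flags ri idle 0:00:09 timeout 0:00:30
"""
STANDBY = """\
2 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.10 to outside:203.0.113.10
    flags s idle 0:03:40 timeout 0:00:00
TCP PAT from inside:10.1.1.30/51514 to outside:203.0.113.1/51514 flags ri idle 0:00:11 timeout 0:00:30
"""

# Matches "NAT from A to B" and "<proto> PAT from A to B"; flags/idle lines are skipped.
ENTRY = re.compile(r"^\s*((?:\w+ )?(?:NAT|PAT)) from (\S+) to (\S+)", re.M)

def parse_xlate(text):
    """Return the set of (kind, real, mapped) tuples in one capture."""
    return {m.groups() for m in ENTRY.finditer(text)}

def compare(active, standby, threshold=0.9):
    """Diff two captures; `threshold` is an assumed cut-off for 'approximately the same'."""
    a, s = parse_xlate(active), parse_xlate(standby)
    union = a | s
    overlap = len(a & s) / len(union) if union else 1.0
    return {
        "missing_on_standby": sorted(a - s),  # replication gaps worth investigating
        "only_on_standby": sorted(s - a),     # stale entries left on the standby
        "overlap": overlap,
        "in_sync": overlap >= threshold,
    }

if __name__ == "__main__":
    result = compare(ACTIVE, STANDBY)
    for kind, real, mapped in result["missing_on_standby"]:
        print(f"missing on standby: {kind} {real} -> {mapped}")
    print(f"overlap {result['overlap']:.0%}, in sync: {result['in_sync']}")
```

Take both captures as close together as possible, because dynamic PAT entries expire quickly and will otherwise show up as differences.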

Varun,

Thanks for the ideas.  I will check out the translation tables and see what they look like.  If they are close, then we won't worry about this syslog message.  If not, I will work on getting the debug results and post them here.

Thanks.

Dan

Hi

We have the same issue running ASA 5510 with release 8.4(3)

Are there any known issues or fixes with new software?

Thanx

Jarle

Hi,

 

We are receiving more than 3000 messages since yesterday and it's still counting. We're running on code 8.2(5)48. Please advise. 
