cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
443
Views
10
Helpful
13
Replies
Highlighted
Beginner

Cisco ASA 5525-X Xlate vs Conn relationships.

 
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Collaborator

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

yes this could be a good start to looking into as you seem to see a similar issue.

please do not forget to rate.

View solution in original post

13 REPLIES 13
Highlighted
VIP Collaborator

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

xlatet basically means "translation" as in NAT translation.

ASA keeps an xlate table which you can view and this is a record of all NAT translations done by the firewall. Dynamic and static NAT translations are entered into the xlate table but dynamic entries will eventually time out if not used and be removed.

 

Conn.

show conn is the command show the establish connection on the unit ASA. it give you the log entries for the each single connection with full breakdown of the connection.

please do not forget to rate.
Beginner

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

Hi Sheraz

Thanks for the quick response and clear explanation of the two as a start ....

Maybe i will ask my actual question as a follow .... what could be the possible reason at time the xlates keeps automatically increasing to a point where is also notice the Conn hit the limit (500k in my case) and suddenly i start see there is drop on the traffic pass through the box .... i hope i ask the right question ??? 

Highlighted
VIP Collaborator

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

The reason for xlate number increase mean you have a lot of traffic coming to the box.so that make sense that you conn number increase. interestingly, you also see a drop in the traffic. 

 

there are few number of trick you can play and gather the information to start the investigation.

 

check you asa unit Ring utilization a good start.

show interface detail | b Internal-Data

RX[00]: 32702731 packets, 24546759207 bytes, 0 overrun
Blocks free curr/low: 1007/0
RX[01]: 34360128 packets, 24097261375 bytes, 0 overrun
Blocks free curr/low: 1007/0
TX[00]: 32702734 packets, 24546761081 bytes, 0 underruns
Blocks free curr/low: 1007/779
TX[01]: 34360128 packets, 24097261375 bytes, 0 underruns
Blocks free curr/low: 1007/850

!

show asp drop

!

show local-host | incl host|count|embryonic

!

show shun statistics

!

do you have a netflow collector to see where this much traffic coming and then disappearing. i think it would be great if you pick up a one random ip address or you can set capture on your interface and analyses the the packet capture.

 

 

please do not forget to rate.
Highlighted
Beginner

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

where i can rate .... i cannot find it

 

Highlighted
Beginner

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

Hi 

I find this doc https://forum.networklessons.com/t/asa-xlate-increase-all-time/567/17

 

this is relate to what i notice 

Highlighted
VIP Collaborator

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

yes this could be a good start to looking into as you seem to see a similar issue.

please do not forget to rate.

View solution in original post

Highlighted
Beginner

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

Hi Sheraz

 

I believe the posts i paste above fix my issue.

Ever Since i changed my specific user tcp timeout to 5 min , my traffic keeps climd, cpu, memory dropped so does the conn and xlate ... i believe this is kind a one stone hit all the birds .... i ma currently monitor now ......

Highlighted
Beginner

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

Hi Sheraz

I also note that xlates has been removed but when i show conn i still see it is there .

 

Does this mean the tcp connection is still establish but it is got cleared from the xlate table .... if thats the case is it normal to be like that or i need to adjust something else....

 

FYI

Things are currently running as expected .... at least for the last two hours since i changed that tcp thing a while ago

Highlighted
Beginner

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

sorry my bad ... i did notice similar ip address comes up when i do the sh conn ... sorry for that

Highlighted
Beginner

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

i just want to share the good news :) ....

 

the tremendous decrease in everything after i made that change i mention above ... the CPU, Memory is not included in here but the CONN is dropped ... result faster and better experienced of the user.

Highlighted
VIP Collaborator

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

Thats a good news. good work :)

please do not forget to rate.
Highlighted
Beginner

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

Hi Shrez

We have another issue that two ASA within in the same /24 cannot form ipsec tunnel ... is it a default or it may be my config is not correct. Same exact ASA can form tunnel to other ASA on different subnet with same config but not to each other

Highlighted
VIP Collaborator

Re: Cisco ASA 5525-X Xlate vs Conn relationships.

Can you post the configuration of these two problematic ASA?

please do not forget to rate.