01-21-2020 01:15 PM - edited 02-21-2020 09:51 AM
Hi
I have Cisco ASA 5525 with 500k limit on the current license.
What I noticed is that if the conn count is proportionate to the xlate count, things run smoothly. But at times, if there are disruptions to the network, when it comes back I see the xlates rapidly increase, as does the number of conns, and when the conn count reaches 500k, the xlate count keeps increasing to 650k+, to a point where I notice traffic starting to drop.
Please could anyone shed some light on the relationship between the two, or maybe why there are so many xlates compared to the number of conns?
Have a good day.
01-21-2020 08:26 PM
The connection table contains layer 4 TCP or UDP sessions and is used to track with whom the user has a current session.
The xlate table, which you can view, is a record of all NAT translations done by the firewall. Dynamic and static NAT translations are entered into the xlate table, but dynamic entries will eventually time out if not used and be removed (depends on configuration; the default I guess is 180 minutes).
Sometimes performance is directly and indirectly connected to these connections.
01-22-2020 11:11 AM
Managed to find a solution to this on another post. Thanks for your kind response.
01-05-2022 02:35 AM - edited 01-05-2022 02:37 AM
Hello,
I have a query regarding the connection limit on ASA 5525-X.
Suppose I have PAT configured, and the xlate connection limit breaches 65535; then the firewall will start dropping traffic.
To fix this, I have configured one more hide-NAT with another public IP, and this rule is positioned after the PAT rule.
Now, will the firewall automatically use this second hide-NAT once the connection limit is exhausted in the first PAT rule?
Thank you.
01-05-2022 03:43 AM
No, you are manually required to make NAT-specific pools with the new public IP, or you need to make a dynamic pool NAT/PAT; it all depends on the use case.
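As an added example (not code from this thread or from Cisco), the following Python script checks the two things the posters above are asking about: how the xlate count relates to the conn count, and how close each PAT address is to the 65535-port ceiling mentioned above. The `show xlate` and `show conn` samples are constructed and only loosely modelled on ASA output formatting; the 90% warning threshold and the function names are assumptions of this example. It parses both tables, counts ports consumed per mapped PAT address, and lists PAT xlates that have no matching connection, which is the normal reason the xlate count exceeds the conn count (an xlate stays until its own timer expires, as the earlier reply notes).

```python
import re
from collections import Counter

# Constructed sample of "show xlate" output (not captured from any real firewall).
# Five PAT entries across two mapped addresses plus one static NAT entry.
SAMPLE_XLATE = """\
TCP PAT from inside:10.1.1.5/51000 to outside:203.0.113.10/1024 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from inside:10.1.1.5/51001 to outside:203.0.113.10/1025 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:10.1.1.9/40000 to outside:203.0.113.10/1026 flags ri idle 0:02:10 timeout 0:00:30
UDP PAT from inside:10.1.1.9/40001 to outside:203.0.113.10/1027 flags ri idle 0:00:20 timeout 0:00:30
TCP PAT from inside:10.1.2.7/33000 to outside:203.0.113.11/1024 flags ri idle 0:00:01 timeout 0:00:30
NAT from dmz:172.16.0.10 to outside:203.0.113.50 flags s idle 1:10:00 timeout 0:00:00
"""

# Constructed "show conn" sample. 10.1.1.9/40001 no longer has a live connection:
# its xlate is still present and only disappears when the xlate timer expires.
SAMPLE_CONN = """\
TCP outside 198.51.100.20:443 inside 10.1.1.5:51000, idle 0:00:05, bytes 8012, flags UIO
TCP outside 198.51.100.21:443 inside 10.1.1.5:51001, idle 0:00:02, bytes 1203, flags UIO
UDP outside 198.51.100.53:53 inside 10.1.1.9:40000, idle 0:02:10, bytes 312, flags -
TCP outside 198.51.100.30:22 inside 10.1.2.7:33000, idle 0:00:01, bytes 5120, flags UIO
"""

# Patterns approximating the line shapes above (assumption: real output may vary by version).
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>PAT|NAT)\s+from\s+"
    r"\S+:(?P<rip>[\d.]+)(?:/(?P<rport>\d+))?\s+to\s+"
    r"\S+:(?P<mip>[\d.]+)(?:/(?P<mport>\d+))?"
)
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+[\d.]+:\d+\s+\S+\s+(?P<rip>[\d.]+):(?P<rport>\d+)"
)
PAT_PORT_CEILING = 65535  # ports a single mapped address can hand out (the limit cited in the thread)


def parse_xlates(text):
    """Return one dict per xlate line: kind (PAT/NAT), real and mapped IP/port."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines, or shapes this example does not model
        entries.append({
            "kind": m.group("kind"),
            "proto": m.group("proto"),
            "real_ip": m.group("rip"),
            "real_port": int(m.group("rport")) if m.group("rport") else None,
            "mapped_ip": m.group("mip"),
            "mapped_port": int(m.group("mport")) if m.group("mport") else None,
        })
    return entries


def parse_conns(text):
    """Return the set of (inside IP, inside port) pairs that currently have a connection."""
    conns = set()
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.add((m.group("rip"), int(m.group("rport"))))
    return conns


def pat_port_usage(entries):
    """Ports consumed per mapped PAT address; static NAT entries do not consume ports."""
    usage = Counter(e["mapped_ip"] for e in entries if e["kind"] == "PAT")
    return dict(usage)


def orphan_xlates(entries, conns):
    """PAT xlates whose inside IP/port has no live connection (waiting on the xlate timer)."""
    return [(e["real_ip"], e["real_port"]) for e in entries
            if e["kind"] == "PAT" and (e["real_ip"], e["real_port"]) not in conns]


def exhaustion_report(entries, conns, warn_ports=int(0.9 * PAT_PORT_CEILING)):
    """Summarise xlate vs conn counts and flag PAT addresses near the port ceiling."""
    usage = pat_port_usage(entries)
    return {
        "xlates": len(entries),
        "conns": len(conns),
        "xlate_per_conn": round(len(entries) / len(conns), 2) if conns else None,
        "pat_ports": usage,
        "near_exhaustion": sorted(ip for ip, n in usage.items() if n >= warn_ports),
        "orphan_pat_xlates": orphan_xlates(entries, conns),
    }


if __name__ == "__main__":
    report = exhaustion_report(parse_xlates(SAMPLE_XLATE), parse_conns(SAMPLE_CONN))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feeding the real output of both commands into `parse_xlates` and `parse_conns` in place of the samples turns this into a quick health check: a rising `xlate_per_conn` with many `orphan_pat_xlates` points at translations outliving their sessions, while an address in `near_exhaustion` is the case where adding a second mapped address (as a pool, per the reply above) rather than a second rule is what actually relieves the pressure.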
01-06-2022 07:10 PM
Thank you, let me try that and update.