Cisco ASA xlate vs conn count

maileh
Level 1

Hi

I have a Cisco ASA 5525 with a 500k connection limit on the current license.

What I noticed is that when the conn count is proportionate to the xlate count, things run smoothly. But at times, if there is a disruption to the network, when it comes back I see the xlates increase rapidly, and so does the number of conns; when the conn count reaches 500k, the xlate count keeps increasing to 650k+, to a point where I notice traffic starting to drop.

Could anyone please shed some light on the relationship between the two, or maybe on why there are so many xlates compared to the number of conns?

Have a good day.


5 Replies

balaji.bandi
Hall of Fame
(Accepted Solution)

The connection table contains layer 4 TCP or UDP sessions and is used to track with whom the user has a current session.

The xlate table, which you can view, is a record of all NAT translations done by the firewall. Dynamic and static NAT translations are entered into the xlate table, but dynamic entries will eventually time out if not used and be removed (depends on configuration; the default, I guess, is 180 minutes).

Sometimes performance is directly and indirectly connected to these connections.

 

BB

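As an added illustration (not part of balaji.bandi's reply or of the original thread), here are the ASA commands to check the two tables against each other and the timers that decide how long a translation outlives its session. An ASA 9.x CLI is assumed; the sample counts are constructed, the timer value chosen below is an assumption, and the exact output wording varies by release.

```cisco
! Added example, not from the thread. ASA 9.x CLI assumed; values are illustrative.
! The two tables: conns are L4 sessions, xlates are NAT entries.
show conn count
! e.g. "480123 in use, 500000 most used"   (constructed sample output)
show xlate count
! e.g. "650211 in use, 650211 most used"   (constructed sample output)
! The conn count is capped by the platform/licence limit (500000 on the poster's box).
! Xlates that outlive their conns are governed by these timers:
show timeout
! ... timeout xlate 3:00:00       (the 180-minute default mentioned in the reply)
! ... timeout pat-xlate 0:00:30   (how long a PAT xlate is held after its conn closes)
! Dynamic xlates left idle after a network disruption are kept for the full xlate
! timeout; a shorter timer reclaims them sooner (assumed value, tune to your traffic):
timeout xlate 1:00:00
! Per-address PAT port consumption, to see whether one PAT address is saturated:
show nat pool
```

Run the two count commands together before and after a disruption. A xlate count well above the conn count is commonly translations for sessions that have already ended and are still waiting out `timeout xlate`; static NAT entries also sit in the xlate table regardless of whether any conn is using them.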

Managed to find a solution to this on another post. Thanks for your kind response.

engineer467
Level 1

Hello,

I have a query regarding the connection limit on the ASA 5525-X.

Suppose I have PAT configured, and the xlate connection limit breaches 65535; then the firewall will start dropping traffic.

To fix this, I have configured one more hide-NAT with another public IP, and this rule is positioned after the PAT rule.

Now, will the firewall automatically use this second hide-NAT once the connection limit is exhausted in the first PAT rule?

Thank you.

No, you need to manually create NAT-specific pools with the new public IP, or you need to create a dynamic pool NAT/PAT; it all depends on the use case.

 

BB

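An added example (not from the thread or from either poster) of the pool approach balaji.bandi points to: a dynamic PAT pool of several public addresses in one rule, so the ASA itself moves to another address when one runs out of ports, rather than relying on a second rule that is never reached. Object names, interface names and addresses are assumptions; 203.0.113.0/24 is documentation address space.

```cisco
! Added example, not from the thread. Names, interfaces and addresses are assumptions.
! Before: a single PAT address. One address yields at most ~64k ports per protocol,
! and a second, lower NAT rule for the same source is never consulted when it fills up.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
! After: a PAT pool of four public addresses in a single rule. round-robin spreads
! sessions across the pool instead of exhausting one address before using the next.
object network PAT-POOL
 range 203.0.113.10 203.0.113.13
object network INSIDE-NET
 no nat (inside,outside) dynamic interface
 nat (inside,outside) dynamic pat-pool PAT-POOL round-robin
! Verify per-address port allocation and confirm the pool is being used:
show nat pool
show xlate count
```

The pool addresses must be routed to the outside interface (or proxy-ARP answered for them) just like the original PAT address. The `pat-pool` form also accepts the `extended` keyword, which lets a port be reused for different destinations and multiplies the effective port space, at the cost of breaking some applications that expect a stable mapped port; test before enabling it.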

Thank you, let me try that and update.
