Clearing xlate on PIX

mike-banks · ‎10-31-2001

I have a PIX 515 version 4.4(1). Recently, I have been having a problem where either a host is unable to establish a outbound connection through the firewall or certain protocols for host computers cannot go out through the firewall. To resolve the problem I have to clear the xlate. This problem is now occurring about once a week. Any suggestions would be appreciated. Thanks, Mike

jbaigorr · ‎10-31-2001

How long are you timeout values for tcp, udp, etc...?

You might be filling up your translation table with alot of idle connections. Typically for TCP you want to have timeout value of 10 min and UDP for 2 min.

The show xlate and the show conn will help to see how many idle connections you have.

I hope this helps.

Gonzalo

robert.hyde · ‎11-01-2001

An extremely large project that I have been working with has a PIX that exhibited symptoms similar to what you are describing, but a different variation. As a result, we opened a case with Cisco TAC, and I have collected a fair amount of data on this broad type of behavior with corruption of the xlate table. There was a case opened a little over a year ago which matches pretty closely to what you are seeing, and it was not resolved until they upgraded to 4.4(4). So if adjusting the config does not seem to make a difference, I would certainly recommend an upgrade. In their case, they were never able to find a specific cause or bug id, but after that upgrade it never happened again.

Good luck!