12-24-2004 01:58 PM - edited 02-20-2020 11:49 PM
Test007# clear xlate
ERROR: Unable to clear all xlates within five seconds limit
Can anyone help me with how to resolve this error?
Regards,
Sagar.
12-25-2004 05:32 PM
What version of the pix code are you running? I could not find that message in the pix 6.3 syslog message manual. Is there a message id that is displayed too?
12-25-2004 05:35 PM
What PIX OS are you running? This could be a bug. You may be getting a lot of connections through the PIX.
12-26-2004 10:24 PM
Hi Sagar,
You may not be able to clear xlate and get this error message: "Unable to clear all xlates within five seconds limit".
This is certainly a DoS attack from your internal network.
Kindly get your internal hosts scanned for the Sasser and Blaster worms, which make hundreds of connections per second on TCP ports 445 and 135 respectively, resulting in exhaustion of the connection table.
The output of:
show cpu usage
would also show you high cpu utilization.
Even show mem would show that you are running low on memory.
The only remedy is to reboot the Pix at this time and once you are back up, you would be able to do a clear xlate and also to apply access-lists to block these ports and open the rest.
These ports can be tracked from the output of:
show conn
The access-lists would be something like this:
access-list in-to-out deny tcp any any eq 445
access-list in-to-out deny tcp any any eq 135
access-list in-to-out permit ip any any
access-group in-to-out in interface inside
The above access-lists are constructed assuming that there are no access-lists already on inside interface.
If you have any queries, feel free to e-mail me directly at: rpathani@cisco.com
Warm Regards,
Rahul Pathania.
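Added example (not from the thread, not Cisco code): a Python script that applies the check described in the reply above to constructed show conn output, counting outbound TCP connections per inside host to tcp/445 and tcp/135 and emitting the per-host deny lines a defender would put above the in-to-out access-list. The show conn line layout, the sample addresses and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed PIX 6.x "show conn" line layout (constructed for this example, not a capture):
#   TCP out <outside_ip>:<port> in <inside_ip>:<port> idle <h:mm:ss> Bytes <n> flags <f>
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\S+) Bytes (?P<bytes>\d+)"
    r"(?: flags (?P<flags>\S+))?$"
)
# The two ports named in the thread: Sasser scans tcp/445, Blaster scans tcp/135.
WORM_PORTS = {445: "sasser", 135: "blaster"}

SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.7:80 in 192.168.1.20:1320 idle 0:00:04 Bytes 1213 flags UIO
TCP out 198.51.100.1:445 in 192.168.1.10:1045 idle 0:00:01 Bytes 0 flags saA
TCP out 198.51.100.2:445 in 192.168.1.10:1046 idle 0:00:01 Bytes 0 flags saA
TCP out 198.51.100.3:445 in 192.168.1.10:1047 idle 0:00:00 Bytes 0 flags saA
TCP out 198.51.100.9:135 in 192.168.1.30:2001 idle 0:00:02 Bytes 0 flags saA
UDP out 203.0.113.53:53 in 192.168.1.20:1025 idle 0:00:10 Bytes 90
"""

def parse_conns(text):
    """Parse show conn output into dicts; lines that do not match the layout are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("out_port", "in_port", "bytes"):
                d[k] = int(d[k])
            conns.append(d)
    return conns

def worm_suspects(conns, threshold=3):
    """Map each inside host to {port: count} of outbound TCP conns on a worm port that have
    carried no data yet (scanner-like), keeping only hosts at or above threshold on a port."""
    per_host = defaultdict(Counter)
    for c in conns:
        if c["proto"] == "TCP" and c["out_port"] in WORM_PORTS and c["bytes"] == 0:
            per_host[c["in_ip"]][c["out_port"]] += 1
    return {ip: dict(p) for ip, p in per_host.items() if max(p.values()) >= threshold}

def acl_lines(suspects, acl="in-to-out"):
    """Per-host deny lines to place above the thread's blanket port denies once the worm host is known."""
    return [f"access-list {acl} deny tcp host {ip} any eq {port}"
            for ip in sorted(suspects) for port in sorted(suspects[ip])]
```

Run against real output by replacing SAMPLE_SHOW_CONN with a saved show conn capture; a host that hits the threshold is the one to isolate and scan.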