11-28-2006 07:46 AM - edited 03-11-2019 02:01 AM
Hi. Hopefully this problem will sound familiar to somebody here.
First off, I have a pair of FWSMs configured for active/standby in a 6509 chassis. The FWSMs are running 3.1(1) and my redundant SUP720's are running IOS 12.2(18)SXF3.
Exactly every 5 minutes, I receive the following error from the standby module in one of my 7 contexts:
FWSM-3-210007: LU allocate xlate failed
This error suggests that I am running out of memory and need to clear my translations. However, that context typically has only 30-50 active xlates and uses less than 1% of the available memory.
Here is my show failover output:
Failover On
Failover unit Secondary
Failover LAN Interface: faillink Vlan 98 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
failover replication http
Config sync: active
Last Failover at: 11:09:58 cst Oct 31 2006
This host: Secondary - Active
Active time: 2411456 (sec)
<snip - all interfaces show normal>
Other host: Primary - Standby Ready
Active time: 0 (sec)
<snip - again, all interfaces show normal>
Stateful Failover Logical Update Statistics
Link : statelink Vlan 97 (up)
Stateful Obj     xmit       xerr   rcv      rerr
General          12826261   0      325678   50825686
sys cmd          314785     0      314784   0
up time          0          0      0        0
RPC services     594132     0      0        0
TCP conn         3152       0      1265     25412843
UDP conn         222        0      1266     25412843
ARP tbl          11913970   0      8363     0
Xlate_Timeout    0          0      0        0
Logical Update Queue Information
         Cur   Max   Total
Recv Q:  0     3     2573054
Xmit Q:  0     0     12822887
Note the receive errors. I'm not sure how to interpret those, since the interfaces are virtual and vlan97 is dedicated to the firewalls with no other member interfaces. You may also notice that I'm running on the standby module currently. I forced a failover last month to see if the error would go away and if it would cause connections to drop. Failover worked perfectly, but the error has persisted.
I'd appreciate any suggestions about what to check next.
Thanks!
-Mike
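The "Stateful Failover Logical Update Statistics" table above is where the receive errors live, and reading it by eye is easy to get wrong. The following is an added example (not part of Mike's post or any Cisco tool) that parses that table as printed by show failover, lists the stateful objects whose xerr or rerr counters are non-zero, and computes what fraction of received logical updates for each object failed. It assumes the five-column layout shown in the post (object name, xmit, xerr, rcv, rerr) and uses the post's own numbers as a constructed sample.

```python
import re
from dataclasses import dataclass

# Constructed sample: the statistics block copied from the post above.
SAMPLE_SHOW_FAILOVER = """\
Stateful Failover Logical Update Statistics
Link : statelink Vlan 97 (up)
Stateful Obj xmit xerr rcv rerr
General 12826261 0 325678 50825686
sys cmd 314785 0 314784 0
up time 0 0 0 0
RPC services 594132 0 0 0
TCP conn 3152 0 1265 25412843
UDP conn 222 0 1266 25412843
ARP tbl 11913970 0 8363 0
Xlate_Timeout 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 3 2573054
Xmit Q: 0 0 12822887
"""

# Object names may contain spaces ("sys cmd", "TCP conn"), so the name is
# matched non-greedily and the four trailing integers anchor the row.
ROW_RE = re.compile(
    r"^(?P<obj>.+?)\s+(?P<xmit>\d+)\s+(?P<xerr>\d+)\s+(?P<rcv>\d+)\s+(?P<rerr>\d+)$"
)


@dataclass
class LuStat:
    obj: str
    xmit: int
    xerr: int
    rcv: int
    rerr: int


def parse_lu_stats(text):
    """Return one LuStat per row of the 'Stateful Obj' table in show failover output."""
    stats = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Stateful Obj"):
            in_table = True          # header row: table starts on the next line
            continue
        if line.startswith("Logical Update Queue"):
            break                    # queue section follows the table
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m:
            stats.append(LuStat(m["obj"], int(m["xmit"]), int(m["xerr"]),
                                int(m["rcv"]), int(m["rerr"])))
    return stats


def lu_errors(stats):
    """Objects with a non-zero transmit or receive error counter."""
    return [s for s in stats if s.xerr or s.rerr]


def failed_receive_fraction(stat):
    """Share of received logical updates for this object that the peer rejected.

    rerr counts updates the receiving unit could not apply (e.g. it could not
    allocate the xlate or connection the update described), so rerr/(rcv+rerr)
    is the failure rate on the receive side. Returns 0.0 when nothing was received.
    """
    total = stat.rcv + stat.rerr
    return round(stat.rerr / total, 4) if total else 0.0


if __name__ == "__main__":
    for s in lu_errors(parse_lu_stats(SAMPLE_SHOW_FAILOVER)):
        print(f"{s.obj:14s} rerr={s.rerr:>10d} failed_rx={failed_receive_fraction(s):.2%}")
```

Running it against the sample lists General, TCP conn and UDP conn, with the TCP and UDP connection objects showing a receive failure rate above 99%: nearly every connection update the peer sent was rejected, which matches the per-connection "LU allocate xlate failed" message rather than a link problem on Vlan 97.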
11-29-2006 08:28 PM
Mike,
Not sure, but what does your show xlate look like on the FWSM receiving the errors? Also, what do your timeouts look like?
I would guess bug unless the xlates just aren't timing out.
Try doing a show xlate deb and see if you notice anything abnormal.
--Jason
11-30-2006 08:33 AM
Jason,
Thanks for the suggestion. The show xlate debug output looks normal. Timeout on xlates is set to 3:00:00.
A bug sounds likely to me as well. Fortunately, this error doesn't seem to be causing any problems for our users.
Thanks again,
-Mike
11-30-2006 05:45 PM
Check out
CSCsb98925 Bug Details
Symptom:
Logging on standby pix is showing message:
%PIX-3-210007: LU allocate xlate failed
When you enable debugs debug process pix and
debug fover fail when a connection is
established the output will look similar to:
Failed to rep un_xlate for np/port/id/0/-1
np/port/id/2/-1
Conditions:
Cisco PIX running release 7.0.1. Two PIX devices are connected with a
failover cable and configuration contains overlapping nat(0) and static
commands like:
nat(0)
static (High-sec-interface, Low-sec-interface)
Workaround:
Remove The overlapping NAT 0 ACL and static configuration.
Additional comments:
Note: the fix for this problem is to warn user of the overlapping NAT 0 and static
config, so they can fix the config. If the config is not fixed, then the same LU
replication error will continue to appear on the standby unit.
12-06-2006 09:28 AM
Your idea looked promising, so I dug into it for a few days. It turned out the customer did have a couple of overlapping NAT and static statements. But after cleaning those up the error persisted, and debug output never showed an error similar to the above.
Upon further inspection, we finally discovered a trigger for this event. A Sun Ultra 5 running Cricket(RRDTool) was polling some external switches using SNMP at 5 minute intervals. The xlate error was occurring immediately after the first connection was built when polling began.
After some sniffing to see what Cricket was doing to confuse the firewall, we discovered an internal device being polled on a higher level security interface. It turns out that NAT was set up backwards for this device (the Ultra 5 had a static into the more secure network). The customer removed the static, stopped polling that device, and cleared the xlates on the standby.
The error ceased.
Thank you for the suggestion, Jason! It got us looking in the right direction.
-Mike
03-01-2009 09:34 PM
Hi all:
I have same issue with my ASA5580 Active/Standby mode too.
Active ASA:
Cisco Adaptive Security Appliance Software Version 8.1(2)13
Device Manager Version 6.1(5)57
Compiled on Tue 03-Feb-09 20:48 by builders
System image file is "disk0:/asa812-13-smp-k8.bin"
Config file at boot was "startup-config"
SMG-ASA5580 up 2 days 11 hours
failover cluster up 4 days 23 hours
Hardware: ASA5580-20, 8192 MB RAM, CPU AMD Opteron 2600 MHz
2 CPUs, 4 cores
Internal ATA Compact Flash, 1024MB
BIOS Flash MX29LV320 @ 0xffc00000, 4096KB
Standby ASA:
SMG-ASA5580# sh ver
Cisco Adaptive Security Appliance Software Version 8.1(2)13
Device Manager Version 6.1(5)57
Compiled on Tue 03-Feb-09 20:48 by builders
System image file is "disk0:/asa812-13-smp-k8.bin"
Config file at boot was "startup-config"
SMG-ASA5580 up 4 days 22 hours
failover cluster up 4 days 23 hours
Hardware: ASA5580-20, 8192 MB RAM, CPU AMD Opteron 2600 MHz
2 CPUs, 4 cores
Internal ATA Compact Flash, 1024MB
BIOS Flash MX29LV320 @ 0xffc00000, 4096KB
Encryption hardware device : Cisco ASA-5580 on-board accelerator (revision 0x0)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode: CNPx-MC-SSLm-PLUS-2.01
IPSec microcode : CNPx-MC-IPSEC-MAIN-0002
Baseboard Management Controller (revision 0x1) Firmware Version: 1.96
Error message from the log on Standby ASA:
SMG-ASA5580# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level warnings, 4121 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 58533813 messages logged
Mar 02 2009 13:30:17: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:26: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:27: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:28: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:31: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:33: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:34: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:43: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:53: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:54: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:56: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:56: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:57: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:58: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:03: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:12: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:31:12: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:13: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:31:14: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:19: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:31:19: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:19: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:19: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:31:25: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:25: %ASA-3-210005: LU allocate connection failed
Has anyone solved this issue?
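Earlier in the thread the decisive clue was timing: the FWSM message fired exactly every 5 minutes, which pointed at an SNMP poller. The following is an added example (not from any post in this thread or from Cisco) that parses ASA/FWSM/PIX syslog lines of the form shown above, counts 210005 and 210007 messages, and reports the dominant inter-arrival gap per message ID so a periodic trigger stands out. The sample input is constructed: a few lines copied from the ASA log above plus synthetic lines spaced five minutes apart to show the period detection; the 30-second bucketing is an assumption chosen to tolerate small jitter.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: first three lines copied from the ASA log in the post,
# followed by synthetic 210007 lines spaced exactly 300 s apart.
SAMPLE_SYSLOG = """\
Mar 02 2009 13:30:17: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:26: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:27: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:35:17: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:40:17: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:45:17: %ASA-3-210007: LU allocate xlate failed
"""

# Timestamp, platform tag, severity, six-digit message ID, free text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<dev>ASA|FWSM|PIX)-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)


def parse_syslog(text):
    """Return (timestamp, msgid, text) tuples for every line that matches LINE_RE."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                 # skip 'sh log' header lines and anything else
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["msgid"], m["text"]))
    return events


def count_by_msgid(events):
    """How many times each message ID appears."""
    return Counter(msgid for _, msgid, _ in events)


def dominant_period(events, msgid, bucket_s=30):
    """Most common gap in seconds between consecutive events with this msgid.

    Gaps are rounded to the nearest bucket_s (assumed 30 s) so that 291 s and
    300 s count as the same period. Returns None with fewer than two events.
    """
    times = sorted(ts for ts, mid, _ in events if mid == msgid)
    if len(times) < 2:
        return None
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    rounded = [int(round(g / bucket_s)) * bucket_s for g in gaps]
    period, _ = Counter(rounded).most_common(1)[0]
    return period


def periodic_message_report(events, bucket_s=30):
    """Per message ID: total count and dominant period, for a quick triage table."""
    return {
        mid: {"count": n, "period_s": dominant_period(events, mid, bucket_s)}
        for mid, n in count_by_msgid(events).items()
    }


if __name__ == "__main__":
    for mid, info in periodic_message_report(parse_syslog(SAMPLE_SYSLOG)).items():
        print(f"{mid}: {info['count']} events, dominant period {info['period_s']} s")
```

A reported period of 300 s for 210007 is the kind of result that justifies looking for a 5-minute poller (SNMP monitoring, a scheduled job) whose first connection traverses a NAT rule the standby cannot replicate; a report with no stable period, like the ASA burst above, suggests checking NAT and static overlap on the active unit first, as the CSCsb98925 note in this thread describes.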