FWSM - recurring error from standby module

pringlem (Level 1)

Hi. Hopefully this problem will sound familiar to somebody here.

First off, I have a pair of FWSMs configured for active/standby in a 6509 chassis. The FWSMs are running 3.1(1) and my redundant SUP720s are running IOS 12.2(18)SXF3.

Exactly every 5 minutes, I receive the following error from the standby module in one of my 7 contexts:

FWSM-3-210007: LU allocate xlate failed

This error suggests that I am running out of memory and need to clear my translations. However, that context typically has only 30-50 active xlates and uses less than 1% of the available memory.

Here is my show failover output:

Failover On
Failover unit Secondary
Failover LAN Interface: faillink Vlan 98 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 5 of 250 maximum
failover replication http
Config sync: active
Last Failover at: 11:09:58 cst Oct 31 2006
        This host: Secondary - Active
                Active time: 2411456 (sec)
                <snip - all interfaces show normal>
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                <snip - again, all interfaces show normal>

Stateful Failover Logical Update Statistics
        Link : statelink Vlan 97 (up)
        Stateful Obj    xmit        xerr    rcv         rerr
        General         12826261    0       325678      50825686
        sys cmd         314785      0       314784      0
        up time         0           0       0           0
        RPC services    594132      0       0           0
        TCP conn        3152        0       1265        25412843
        UDP conn        222         0       1266        25412843
        ARP tbl         11913970    0       8363        0
        Xlate_Timeout   0           0       0           0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       3       2573054
        Xmit Q:         0       0       12822887

Note the receive errors. I'm not sure how to interpret those, since the interfaces are virtual and vlan97 is dedicated to the firewalls with no other member interfaces. You may also notice that I'm running on the standby module currently. I forced a failover last month to see if the error would go away and if it would cause connections to drop. Failover worked perfectly, but the error has persisted.

I'd appreciate any suggestions about what to check next.

Thanks!

-Mike

5 Replies

jgervia_2 (Level 1)

Mike,

Not sure, but what does your show xlate look like on the FWSM receiving the errors? Also, what do your timeouts look like?

I would guess bug unless the xlates just aren't timing out.

Try doing a show xlate deb and see if you notice anything abnormal.

--Jason

Jason,

Thanks for the suggestion. The show xlate debug output looks normal. Timeout on xlates is set to 3:00:00.

A bug sounds likely to me as well. Fortunately, this error doesn't seem to be causing any problems for our users.

Thanks again,

-Mike

Check out

CSCsb98925 Bug Details

Symptom:

Logging on standby pix is showing message:

%PIX-3-210007: LU allocate xlate failed

When you enable debugs "debug process pix" and "debug fover fail", when a connection is established the output will look similar to:

Failed to rep un_xlate for np/port/id/0/-1 / - np/port/id/2/-1 flg: 1000 2000002

Conditions:

Cisco PIX running release 7.0.1. Two PIX devices are connected with a failover cable and configuration contains overlapping nat(0) and static commands like:

nat(0) access-list
static (High-sec-interface, Low-sec-interface) netmask

Workaround:

Remove the overlapping NAT 0 ACL and static configuration.

Additional comments:

Note: the fix for this problem is to warn user of the overlapping NAT 0 and static config, so they can fix the config. If the config is not fixed, then the same LU replication error will continue to appear on the standby unit.

Your idea looked promising, so I dug into it for a few days. It turned out the customer did have a couple of overlapping NAT and static statements. But after cleaning those up the error persisted, and debug output never showed an error similar to the above.

Upon further inspection, we finally discovered a trigger for this event. A Sun Ultra 5 running Cricket (RRDTool) was polling some external switches using SNMP at 5 minute intervals. The xlate error was occurring immediately after the first connection was built when polling began.

After some sniffing to see what Cricket was doing to confuse the firewall, we discovered an internal device being polled on a higher level security interface. It turns out that NAT was set up backwards for this device (the Ultra 5 had a static into the more secure network). The customer removed the static, stopped polling that device, and cleared the xlates on the standby.

The error ceased.

Thank you for the suggestion, Jason! It got us looking in the right direction.

-Mike

Hi all:

I have same issue with my ASA5580 Active/Standby mode too.

Active ASA:

Cisco Adaptive Security Appliance Software Version 8.1(2)13
Device Manager Version 6.1(5)57
Compiled on Tue 03-Feb-09 20:48 by builders
System image file is "disk0:/asa812-13-smp-k8.bin"
Config file at boot was "startup-config"
SMG-ASA5580 up 2 days 11 hours
failover cluster up 4 days 23 hours
Hardware: ASA5580-20, 8192 MB RAM, CPU AMD Opteron 2600 MHz
2 CPUs, 4 cores
Internal ATA Compact Flash, 1024MB
BIOS Flash MX29LV320 @ 0xffc00000, 4096KB

Standby ASA:

SMG-ASA5580# sh ver
Cisco Adaptive Security Appliance Software Version 8.1(2)13
Device Manager Version 6.1(5)57
Compiled on Tue 03-Feb-09 20:48 by builders
System image file is "disk0:/asa812-13-smp-k8.bin"
Config file at boot was "startup-config"
SMG-ASA5580 up 4 days 22 hours
failover cluster up 4 days 23 hours
Hardware: ASA5580-20, 8192 MB RAM, CPU AMD Opteron 2600 MHz
2 CPUs, 4 cores
Internal ATA Compact Flash, 1024MB
BIOS Flash MX29LV320 @ 0xffc00000, 4096KB
Encryption hardware device : Cisco ASA-5580 on-board accelerator (revision 0x0)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode: CNPx-MC-SSLm-PLUS-2.01
IPSec microcode : CNPx-MC-IPSEC-MAIN-0002
Baseboard Management Controller (revision 0x1) Firmware Version: 1.96

Error message from the log on Standby ASA:

SMG-ASA5580# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level warnings, 4121 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 58533813 messages logged
Mar 02 2009 13:30:17: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:26: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:27: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:28: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:31: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:33: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:34: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:43: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:53: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:54: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:56: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:56: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:57: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:58: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:03: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:12: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:31:12: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:13: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:31:14: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:19: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:31:19: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:19: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:19: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:31:25: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:31:25: %ASA-3-210005: LU allocate connection failed

Has anyone solved this issue?
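The clue that cracked Mike's case was timing: the 210007 message fired exactly every 5 minutes, which matched a scheduled SNMP poller. The following Python script is an added example (not code from this thread or from Cisco) that parses syslog lines in the ASA/FWSM format shown above, counts the LU allocation failures per message id, and reports whether an id repeats at a fixed interval. The FWSM sample lines are constructed with assumed timestamps; the ASA sample is the first few lines of the standby log quoted above.

```python
import re
from collections import Counter
from datetime import datetime
# Timestamped ASA/FWSM/PIX syslog line, e.g. "Mar 02 2009 13:30:17: %ASA-3-210007: ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?:ASA|FWSM|PIX)-\d-(?P<msgid>\d{6}): (?P<text>.*)$"
)
LU_MSG_IDS = {"210005", "210007"}  # LU (stateful failover replication) allocate failures
# Constructed sample: FWSM standby logging the xlate failure every 5 minutes.
SAMPLE_FWSM = """\
Oct 31 2006 11:10:02: %FWSM-3-210007: LU allocate xlate failed
Oct 31 2006 11:15:02: %FWSM-3-210007: LU allocate xlate failed
Oct 31 2006 11:20:03: %FWSM-3-210007: LU allocate xlate failed
Oct 31 2006 11:25:02: %FWSM-3-210007: LU allocate xlate failed
""".splitlines()

# First lines of the ASA standby log quoted above: bursts, no fixed period.
SAMPLE_ASA = """\
Mar 02 2009 13:30:17: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:26: %ASA-3-210007: LU allocate xlate failed
Mar 02 2009 13:30:27: %ASA-3-210005: LU allocate connection failed
Mar 02 2009 13:30:43: %ASA-3-210007: LU allocate xlate failed
""".splitlines()

def parse_lu_events(lines):
    """Return (timestamp, msgid) for every LU replication failure line."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if m and m.group("msgid") in LU_MSG_IDS:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            events.append((ts, m.group("msgid")))
    return events

def detect_period(events, msgid, tolerance_s=5):
    """Fixed interval in seconds between occurrences of msgid, or None if irregular."""
    stamps = sorted(ts for ts, mid in events if mid == msgid)
    if len(stamps) < 3:
        return None  # too few hits to call it periodic
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    # Every gap close to the median points at a scheduled job (e.g. an SNMP poller).
    return median if all(abs(g - median) <= tolerance_s for g in gaps) else None

def summarize(lines):
    """Per message id: hit count and its fixed period (seconds) if there is one."""
    events = parse_lu_events(lines)
    counts = Counter(mid for _, mid in events)
    return {mid: {"count": n, "period_s": detect_period(events, mid)} for mid, n in counts.items()}
```

A reported period that lines up with a cron job or poller interval is the lead to chase; a burst with no period, as in the ASA log, is more consistent with a configuration overlap of the kind the bug note describes.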
