08-09-2012 07:06 AM - edited 03-11-2019 04:40 PM
Hi all,
I have a question about NAT behavior on FWSM 4.0. The problem is that the email server (Company A) cannot connect to the email gateway (Company B) on the outside network, and it happens randomly. I got this error from the server guy: "Detail: xlate has blocked the connection between A’s mail gateway and B’s mail gateway". It works fine again after clearing xlate on the firewall.
=================================================================================================
FW-INTERNET# sh xlate global 158.137.21.26 debug
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
32908 in use, 33983 most used
NAT from inside:158.137.21.26 to inside:158.137.21.26 flags Ii idle 0:00:06 timeout 3:00:00 connections 24
NAT from outside:158.137.21.26 to outside:158.137.21.26 flags Ii idle 2:31:38 timeout 3:00:00 connections 0
FW-INTERNET# sh conn foreign 158.137.21.26
65010 in use, 87131 most used
Network Processor 1 connections
TCP outside 158.137.21.26:56925 inside 102.45.14.108:25 idle 0:00:03 Bytes 1680666 FLAGS - UBOIX
Network Processor 2 connections
TCP outside 158.137.21.26:25 inside 102.45.14.108:21026 idle 0:00:27 Bytes 680 FLAGS - UIX
TCP outside 158.137.21.26:25 inside 102.45.14.108:40343 idle 0:00:00 Bytes 7970592 FLAGS - UOIX
TCP outside 158.137.21.26:25 inside 102.45.14.108:40664 idle 0:00:00 Bytes 416316 FLAGS - UOIX
TCP outside 158.137.21.26:25 inside 102.45.14.108:26325 idle 0:00:00 Bytes 1413646 FLAGS
158.137.21.26 => email gateway - Company B
102.45.14.108 => email gateway - Company A
=================================================================================================
1. How does the FWSM create an xlate table like that? I mean it looks like NAT0 for 158.137.21.26, but it doesn't have any NAT rule for 158.137.21.26 on the firewall.
2. What does "connections 24" mean in the first line? Normally I only see connections 0, like the second line of the xlate output.
3. After clear xlate global 158.137.21.26, the first line of the xlate table is gone and then the email servers can connect to each other. Is this a bug in the FWSM, or is this normal NAT behavior of the FWSM?
08-16-2012 08:41 PM
Hi Bro
For some reason, your XLATE table is filled up. Hence, Email Server A (INSIDE) can’t communicate with Email Server B (OUTSIDE). I doubt this is a bug issue. I believe you have high network traffic/volume between INSIDE and OUTSIDE. Hence, this is affecting the communication between Email Server A (INSIDE) and Email Server B (OUTSIDE). Please do ensure your xlate timeout value isn’t modified, and is kept to the default, i.e. 3 Minutes “timeout xlate 3:00:00”.
Listed below are some commands that you could type to investigate this issue further;
a) show np block (hardware buffer counters) - if they are non-zero and increasing, it's bad: you're most likely running into a hardware limitation of the FWSM.
b) show np all stats | i RTL and show np all stats | i RL will show you if the packets are dropped because of software rate limiting mechanisms built into network processors.
Perhaps, what you need is to enable the “xlate-bypass” command. By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. You can disable NAT sessions for untranslated network traffic, which is called xlate bypass, in order to avoid the maximum NAT session limit. The xlate-bypass command can be configured as shown:
hostname(config)#xlate-bypass
If the xlate-bypass doesn’t resolve your issue, please do ensure you have a static NAT or a dedicated nat/global in place.
static (inside,outside) 102.45.14.108 192.168.1.108
Public IP Email Server A : 102.45.14.108
Private IP Email Server A : 192.168.1.108
The last resort is to enable sysopt np completion-unit; this magic option invokes special processing created to address scenarios in which the FWSM was known to introduce out-of-order packets for TCP streams.
P/S: If you think this comment is useful, please do rate them nicely :-)
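A small parser for the "show xlate ... debug" output quoted in the question, added here as an example (it is not code from the thread or from Cisco). It reads the in-use/most-used counters and each entry's flags and connection count, then reports identity (I) xlates that are still holding connections and table usage above a threshold; max_xlates and warn_ratio are assumed parameters, and the sample text is constructed from the output shown above.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the 'show xlate global <ip> debug' output quoted in the thread.
SAMPLE_XLATE = """\
32908 in use, 33983 most used
NAT from inside:158.137.21.26 to inside:158.137.21.26 flags Ii idle 0:00:06 timeout 3:00:00 connections 24
NAT from outside:158.137.21.26 to outside:158.137.21.26 flags Ii idle 2:31:38 timeout 3:00:00 connections 0
"""

USAGE_RE = re.compile(r"(?P<used>\d+) in use, (?P<peak>\d+) most used")
XLATE_RE = re.compile(
    r"NAT from (?P<src_if>\w+):(?P<src_ip>[\d.]+) to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)"
    r" flags (?P<flags>\S+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+) connections (?P<conns>\d+)")
Xlate = namedtuple("Xlate", "src_if src_ip dst_if dst_ip flags idle_s timeout_s connections")

def hms_to_seconds(hms: str) -> int:
    """'2:31:38' -> 9098, so idle can be compared against timeout numerically."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def is_identity(x: Xlate) -> bool:
    # 'I' in the flag legend is identity: an xlate the FWSM created for untranslated traffic.
    return "I" in x.flags

def parse_xlate(text: str):
    """Return ((in_use, most_used), [Xlate, ...]) parsed from 'show xlate ... debug' output."""
    usage, entries = None, []
    for line in text.splitlines():
        if m := USAGE_RE.search(line):
            usage = (int(m["used"]), int(m["peak"]))
        elif m := XLATE_RE.search(line):
            entries.append(Xlate(m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"], m["flags"],
                                 hms_to_seconds(m["idle"]), hms_to_seconds(m["timeout"]), int(m["conns"])))
    return usage, entries

def assess(text: str, max_xlates: int, warn_ratio: float = 0.9) -> list:
    """Findings: table pressure against an operator-supplied limit, and identity xlates still holding connections."""
    (used, peak), entries = parse_xlate(text)
    findings = []
    if used >= warn_ratio * max_xlates:
        findings.append(f"xlate table at {used}/{max_xlates} ({used / max_xlates:.0%}), peak {peak}")
    for e in entries:
        if is_identity(e) and e.connections > 0:
            findings.append(f"identity xlate {e.src_if}:{e.src_ip} holds {e.connections} connections; "
                            "untranslated traffic is consuming NAT sessions (xlate-bypass candidate)")
    return findings

# max_xlates is an assumed value; take the real NAT-session limit for your FWSM from its documentation.
FINDINGS = assess(SAMPLE_XLATE, max_xlates=35000)
```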