07-29-2014 10:56 AM - edited 03-11-2019 09:33 PM
Hi,
I have ASA 9.1(2) and I'd like to implement per-session PAT to improve PAT scalability. Can someone confirm that switching from multisession to per-session PAT will not cause any temporary NAT or connectivity disruption?
I'd also like to enable HTTP connection table replication (right now I have plain stateful failover). Can implementing it (I don't think so, I know) cause any temporary connectivity disruption? Furthermore, the firewall has some CPU overload sometimes; will HTTP replication increase firewall CPU usage?
Thank you
07-30-2014 04:50 PM
Hello,
As Cisco recommends, per-session PAT should be used for hit-and-run traffic such as HTTP or HTTPS, where you will avoid having the xlate entry there for 30 seconds (default timeout) after the session is closed, but it's not recommended for traffic like SIP, so you will need to tweak the config to enable the feature only for what it's needed.
In regards to the HTTP replication, there are no known issues about enabling this.
So do not worry about these 2 options.
Jcarvaja
CCIE 42930, 2xCCNP, JNCIS-SEC
For immediate support http://iNetworks.cr
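A configuration sketch of what the answer above describes, added here as an example (it is not from either poster): per-session PAT kept for HTTP/HTTPS, multi-session PAT kept for SIP over TCP, and HTTP replication enabled on an existing stateful failover pair. The port choices and the IPv4-only scope are assumptions; user-created xlate per-session rules are evaluated in order, ahead of the built-in default rules.

```cisco
! Added example, assumed ports and IPv4 only. Enter in global configuration mode.
!
! Keep SIP over TCP (5060) on multi-session PAT. This deny must come
! before any broader permit, because the first matching rule wins.
xlate per-session deny tcp any4 any4 eq 5060
!
! Use per-session PAT for short-lived web traffic, so the xlate is
! removed when the connection closes instead of waiting out the
! 30-second timeout.
xlate per-session permit tcp any4 any4 eq 80
xlate per-session permit tcp any4 any4 eq 443
!
! Everything else over TCP stays on multi-session PAT. Without this
! line, the built-in default rule (permit tcp any4 any4) would apply
! per-session PAT to all remaining TCP traffic.
xlate per-session deny tcp any4 any4
!
! Replicate HTTP connection state to the standby unit. Stateful
! failover is assumed to be configured and working already.
failover replication http
!
! Checks (privileged EXEC):
!   show running-config all xlate   - user rules followed by the defaults
!   show xlate count                - watch the xlate count over time
!   show failover                   - confirm state replication is active
```

Because per-session xlates disappear as soon as the connection closes, compare counts over time rather than expecting to catch individual entries in the xlate table.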
07-31-2014 09:26 AM
Thanks, everything is working fine with no problems :) and with no connectivity disruption as the new commands were applied. What I noticed is that dynamic-type xlate entries are decreasing, but connections are decreasing too; I don't actually know why for the second one.
07-31-2014 09:37 AM
Hello,
Excellent to hear that.
Remember that the xlate entries will be cleared faster so you might not even be able to see them when you do a show xlate as the entry might be already deleted.
Regards